AWS Certified Serucity Spacaility - SCS-C02 Study notes

From Cramsession
Revision as of 18:52, 13 July 2024 by Mflavell (talk | contribs)
Jump to navigationJump to search
✍️ Verified Author: MflavellClick to view professional profile & credentials

Lambda

  • Setup one role per Lambda function; don't reuse roles
  • Use a function via an API gateway
  • Don't store passwords - use AWS secrets manager

Route 53

  • Most important features
    • Registration
    • DNS Service
    • Health Checks

Domain vs Hosted Zone

  • Domain is a construct of DNS servers that associates a name with a resource
  • Domains have zone files
    • Zone files are a text mapping of different resources.

Route 53 health checks

  • Allows the checking of application health.
  • Can be used to reroute traffic if a resource is unhealthy

Cheking Health of an endpoint

  • Create a check from Route 53
  • Checks can be done on an IP address or domain name
      • Can also be a URL that contains data from services
      • These can mirror the actions a user would normally perform
  • Calculated health checks act as a root health check
      • Monitor other health checks
      • Can fail before the origin is considered unhealthy
      • This will fail if any of it's alarms go off.

Route 53 Security Considerations

  • Use Route 53 health checks with CloudWatch to monitor services
  • Make sure DNS Entries have auto-renew enabled
  • Enable DNS query logging

RDS Servicess

  • Removes the overhead of having a DBA on staff.
  • Read replicas are easy to provision with RDS.
    • These are read-only and will not allow writes.
  • An instance can be made HA replicating to another region or AZ.
    • A replicated primary cannot serve any other function.
      • It cannot work as a read replica.
  • Read replicas can be promoted to a standalone database
    • If promoted, they will no longer stay in sync with the master.

RDS Security Considerations

  • Don't use the AWS root user to create and manage resources.
  • Using security groups to control what IPs and services can connect to RDS services
    • Remember Least privilege
  • Use encryption to protect RDS data and snapshots
  • Use least privilege when granting permissions to the database
  • USE AWS backup service to back up data via cross-account backups.

Amazon Aurora

  • This is an alternative to Oracle and MS SQL without licensing problems.
  • IS compatible with MySQL and PostgreSQL
  • It can be run serverless or as a cluster.

Key Value Databases

  • An example is Dynamo DB
  • They store key value pairs
  • Designed for performance and scalability
  • Each key is a UID that pulls a value from the database.

In Memory Databases

  • All data is stored in RAM
  • Uses specialized hardware
  • Offers fast performance and very low latency
  • More expensive due to the use of RAM
  • Can be used as a caching layer to reduce application latency.
  • AWS offers the service as Elasicashce
    • Two different engines:
    • Redis and Memcached
    • Clusters use SSDs that enable encryption at rest.
    • Other memory databases may just run in RAM.

Document Databases

  • Non Relational database that stores documents
  • Allows data to be stored in a JSON type format
  • No Fixed Schema
  • Documents can be nested inside each other
  • AWS has DocumentDB - Compatible with Mongo DB as a managed document database
  • Good if you don't want the admin aspects of a database.

Message and Queuing systems

  • Used to decouple components
  • Increases resiliency

SNS - Simple Notification Service

  • Alows services to send notifications SMS / EMAIL / Push to end users
  • No complex programming required
  • AWS services (such as Coudwatch) can use SNS.
  • SNS is a Publisher and a Consumer system
    • Publishers push a message to a topic
    • Consumers subscribe to a topic
    • The topic is a Chanel sending the message to multiple consumers
    • Publisher only sends the message once

Security Considerations for SNS

  • Only apply the minimum permissions necessary to perform the work least privilege
  • An application sending or receiving messages does not need administrative permissions for the topic.
  • Enforce encryption for data in transit
    • HTTPS instead of HTTP when sending messages to a topic.
  • Use VPC endpoints to access SNS
    • Route requests from hosts VPC endpoints rather than the public internet. Keep data off internet

SQS Simple Queue Service

  • Requests can be held until they are ready to be processed.
  • Allows decoupling of services


Two Flavors:

  • FIFO Queues
    • FIFO - Exactly one message is delivered (No multiple)
    • Messages are processed in the order they are received.
  • Standard Queues
    • At least one message delivery - you could have multiple messages.
    • Multiple messages could happen due to technical issues or high loads.
    • Best effort to preserve the ordering.
  • SQS is a distributed queuing system
    • Spread across different regional nodes
    • This gives it high scalability, reliability, and availability
  • SQS allows for server-side encryption
    • Use AWS KMS or a Custom Key
  • Access to SQS can be controlled via access control policies.
    • Controls who can produce and consume messages
  • Producers place messages
  • Distributed for redundancy
    • Distributed to different AZ in the region for redundancy
    • Each message is stored at least twice on different nodes

Consuming of messages

  • Can be a long or short poll
  • Consumers detect and pull down messages
  • The messages are flagged once they are pulled down
    • A timeout visibility begins when messages are pulled down
    • While it is flagged no other consumers can pull the message
  • Once a consumer has processed a message, it deletes the message
    • This deletes it from all nodes of the distributed queue.
    • IF the message is not processed before the timeout expires (IE it still exists), then the flag is cleared and another consumer can pull it.

Securing SQS

  • Least privilege when granting access to SQS Queues.
  • Create a role for admins that do not need to consume or publish messages. Change but no touchy.
  • Implement server-side encryption
  • Use VPC endpoints to access SQS Dont route over internet
  • Make sure SQS Queues are not publically available.
  • Don't use a wildcard * in access policies; call the queue out directly.

SQS or SNS

Ask a simple question...

  • SQS - Messages will only be consumed by my application.
  • SNS - Multiple sources will consume messages.
    • SQS is a Queue - You are waiting for one thing in one line
    • SNS is a notification - You don't care who services you; it is a notification of availability.
Retrieved from "https://cramsession.net/index.php?title=AWS_Certified_Serucity_Spacaility_-_SCS-C02_Study_notes&oldid=212"