AWS CodePipeline is a continuous delivery service for fast and reliable application updates. CodePipeline builds, tests, and deploys your code every time there is a code change, based on the release process models you define.
Build, test, and deploy code based on commits
Not covered as exam topic currently
Resource or Operation: Default Limit
Number of pipelines per AWS account: 20
Number of stages in a pipeline: Minimum of 2, maximum of 10
Number of actions in a stage: Minimum of 1, maximum of 20
Number of parallel actions in a stage: 5
Number of sequential actions in a stage: 5
Number of custom actions per AWS account: 20
Maximum number of revisions running across all pipelines: 20
Maximum size of source artifacts: 500 megabytes (MB)
Maximum number of times an action can be run per month:
AWS Mobile Hub lets you easily add and configure features for your mobile apps, including user authentication, data storage, backend logic, push notifications, content delivery, and analytics. After you build your app, AWS Mobile Hub gives you easy access to testing on real devices, as well as analytics dashboards to track usage of your app – all from a single, integrated console.
Build, run, and test usage of your mobile applications
Amazon Cognito lets you easily add user sign-up and sign-in to your mobile and web apps. With Amazon Cognito, you also have the option to authenticate users through social identity providers such as Facebook, Twitter, or Amazon, with SAML identity solutions, or by using your own identity system. In addition, Amazon Cognito enables you to save data locally on users' devices, allowing your applications to work even when the devices are offline. You can then synchronize data across users' devices so that their app experience remains consistent regardless of the device they use.
AWS Device Farm is an app testing service that lets you test and interact with your Android, iOS, and web apps on many devices at once, or reproduce issues on a device in real time. View video, screenshots, logs, and performance data to pinpoint and fix issues before shipping your app.
Enables customers to test their mobile applications against real smart phones in the cloud
Not covered as exam topic currently
Resource or Operation: Default Limit
App file size you can upload: 4 GB
Number of devices AWS Device Farm can test during a run:
With Amazon Mobile Analytics, you can measure app usage and app revenue. By tracking key trends such as new vs. returning users, app revenue, user retention, and custom in-app behavior events, you can make data-driven decisions to increase engagement and monetization for your app.
Measure mobile application usage and revenue, and track new vs. returning users, etc.
Simple Notification Service is a web service that makes it easy to set up, operate, and send notifications from the cloud. It provides developers with a highly scalable, flexible, and cost-effective capability to publish messages from an application and immediately deliver them to subscribers or other applications.
Web service that allows customers to setup, operate, and send notifications from the cloud
Can push to Apple, Google, FireOS, and Windows devices, as well as Android devices in China with Baidu cloud push
Follows the publish-subscribe (pub-sub) messaging paradigm, with notifications being delivered to clients using a push mechanism that eliminates the need to poll for updates
Can deliver notifications by SMS, email, SQS queues, or any HTTP endpoint
SNS notifications can be used to trigger lambda functions
When a message is published to an SNS topic that has a lambda function subscribed to it, the function is invoked with the payload of the published message. The lambda function would receive the message payload as an input parameter, and can manipulate the info in the message, publish the message to other SNS topics or send the message to other AWS services
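As an added example (not from these notes or from AWS), here is a Python Lambda handler that consumes the SNS event described above. The event layout (Records[].Sns carrying Message, Subject, TopicArn and MessageAttributes) is the documented shape; the sample event, topic name and account number are constructed for the example. The handler only acts on records whose TopicArn is in an allowlist, so a function that ends up subscribed to some other topic does not silently process that topic's messages.

```python
import json

# Constructed sample event in the shape Lambda receives from an SNS subscription.
# The published message body arrives as a string in Sns.Message.
SAMPLE_EVENT = {
    "Records": [
        {
            "EventSource": "aws:sns",
            "EventVersion": "1.0",
            "EventSubscriptionArn": "arn:aws:sns:us-east-1:123456789012:orders:EXAMPLE-SUBSCRIPTION-ID",
            "Sns": {
                "Type": "Notification",
                "MessageId": "EXAMPLE-MESSAGE-ID",
                "TopicArn": "arn:aws:sns:us-east-1:123456789012:orders",
                "Subject": "order.created",
                "Message": "{\"order_id\": \"A-1001\", \"amount\": 42.5}",
                "Timestamp": "2016-01-01T00:00:00.000Z",
                "MessageAttributes": {
                    "source": {"Type": "String", "Value": "checkout"}
                },
            },
        }
    ]
}

# Topics this function is willing to act on (hypothetical ARN, constructed).
ALLOWED_TOPIC_ARNS = {"arn:aws:sns:us-east-1:123456789012:orders"}


def parse_sns_records(event, allowed_topics=ALLOWED_TOPIC_ARNS):
    """Return (subject, payload, attributes) for each SNS record from an allowed topic.

    Records from other event sources or from topics not in the allowlist are skipped.
    The message body is decoded as JSON when possible; otherwise it is kept raw."""
    results = []
    for record in event.get("Records", []):
        if record.get("EventSource") != "aws:sns":
            continue
        sns = record["Sns"]
        if sns.get("TopicArn") not in allowed_topics:
            continue
        try:
            payload = json.loads(sns["Message"])
        except (ValueError, TypeError):
            payload = {"raw": sns.get("Message")}
        # MessageAttributes values are wrapped as {"Type": ..., "Value": ...}
        attrs = {k: v.get("Value") for k, v in sns.get("MessageAttributes", {}).items()}
        results.append((sns.get("Subject"), payload, attrs))
    return results


def lambda_handler(event, context):
    """Entry point Lambda invokes; returns a count of the records it processed."""
    processed = parse_sns_records(event)
    for subject, payload, attrs in processed:
        # Downstream work goes here: publish to another topic, call another service, etc.
        print(f"{subject}: {payload} (attributes: {attrs})")
    return {"processed": len(processed)}


if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT, None))
```

The allowlist check is cheap and catches mis-wired subscriptions; for a public HTTP(S) endpoint the equivalent step is verifying the message signature, which Lambda subscriptions do not need because SNS invokes the function directly.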
Allows you to group multiple recipients using topics
Topics are access points for allowing recipients to dynamically subscribe for copies of the notification
One topic can support deliveries to multiple endpoint types; for example, iOS, Android, and SMS recipients can be grouped together
When a message is published, SNS delivers appropriately formatted copies of your message to each subscriber
Email notifications will be JSON formatted, not XML
Subscriptions have to be confirmed
Subscriptions expire after 3 days if they are not confirmed
TTL is the number of seconds since the message was published
If the message is not delivered within the TTL time, then the message will expire
To prevent messages from being lost, all messages published to SNS are stored redundantly across multiple AZs
Instantaneous, PUSH based delivery (No Polling) --> SQS requires polling
Simple API and easy integration with applications
Flexible message delivery over multiple transport protocols
Inexpensive, pay as you go model
Web based AWS management console offers simplicity of point and click interface
$.50 per million SNS requests
$.06 per 100,000 notification deliveries over HTTP
$0.75 per 100 notifications over SMS
$2.00 per 100,000 notification deliveries over email
Can be used in conjunction with SQS to fan a single message out to multiple SQS queues
Remember:
SNS - PUSH
SQS - PULL (poll)
Subscribers:
HTTP
HTTPS
Email
Email-JSON
SQS
Application
Lambda
Messages can be customized for each of the available protocols
Amazon WorkSpaces is a fully managed, secure desktop computing service which runs on the AWS cloud. Amazon WorkSpaces allows you to easily provision cloud-based virtual desktops and provide your users access to the documents, applications, and resources they need from any supported device, including Windows and Mac computers, Chromebooks, iPads, Fire tablets, and Android tablets.
Virtual Desktop Infrastructure (VDI) that provides a bundle of compute resources, storage space, and software application access that allows a user to interact with it just as with a traditional desktop
Users can connect to a WorkSpace from any supported device (PC, Mac, Chromebook, iPad, Kindle Fire, or Android) using a free WorkSpaces client application
Can be integrated into Active Directory using federated services
Runs Windows 7 provided by Windows Server 2008 R2
Users can personalize their workspace with their favorite settings for items such as wallpaper, icons, shortcuts, etc. This can be locked down by an administrator
By default you will be given local admin access so you can install your own applications
Workspaces are persistent
All data on the D:\ is backed up every 12 hours
Resource or Operation: Default Limit
WorkSpaces: 5
Comment: To prevent denial of service attacks, accounts new to the Amazon WorkSpaces service are limited to five WorkSpaces.
Amazon WorkDocs is a fully managed, secure enterprise storage and sharing service with strong administrative controls and feedback capabilities that improve user productivity.
AWS IoT is a managed cloud platform that lets connected devices easily and securely interact with cloud applications and other devices. AWS IoT can support billions of devices and trillions of messages, and can process and route those messages to AWS endpoints and to other devices reliably and securely.
Not covered as exam topic currently
Resource or Operation: Default Limit
Topic length limit: The topic passed to the message broker when publishing a message cannot exceed 256 bytes encoded in UTF-8.
Restricted topic prefix: Topics beginning with '$' are considered reserved and are not supported for publishing and subscribing except when working with the Thing Shadows service.
Maximum number of slashes in topic and topic filter: A topic provided while publishing a message or a topic filter provided while subscribing can have no more than eight forward slashes (/).
Client ID size limit: 128 bytes encoded in UTF-8.
Restricted client ID prefix: '$' is reserved for internally generated client IDs.
Message size limit: The payload for every publish message is limited to 128 KB. The AWS IoT service will reject messages larger than this size.
Throughput per connection: AWS IoT limits the ingress and egress rate on each client connection to 512 KB/s. Data sent or received at a higher rate will be throttled to this throughput.
Maximum subscriptions per subscribe call: A single subscribe call is limited to request a maximum of eight subscriptions.
Subscriptions per session: The message broker limits each client session to subscribe to up to 50 subscriptions. A subscribe request that pushes the total number of subscriptions past 50 will result in the connection being disconnected.
Connection inactivity (keep-alive) limits: By default, an MQTT client connection is disconnected after 30 minutes of inactivity. When the client sends a PUBLISH, SUBSCRIBE, PING, or PUBACK message, the inactivity timer is reset. A client can request a shorter keep-alive interval by specifying a keep-alive value between 5 and 1,200 seconds in the MQTT CONNECT message sent to the server. If a keep-alive value is specified, the server will disconnect the client if it does not receive a PUBLISH, SUBSCRIBE, PINGREQ, or PUBACK message within a period 1.5 times the requested interval. If a client sends a keep-alive value of zero, the default keep-alive behavior will remain in place. If a client requests a keep-alive shorter than 5 seconds, the server will treat the client as though it requested a keep-alive interval of 5 seconds. The keep-alive timer begins immediately after the server returns a CONNACK to the client, so there may be a brief delay between the client's sending of a CONNECT message and the start of keep-alive behavior.
Maximum inbound unacknowledged messages: The message broker allows 100 in-flight unacknowledged messages (limit is across all messages requiring ACK). When this limit is reached, no new messages will be accepted until an ACK is returned by the server.
Maximum outbound unacknowledged messages: The message broker only allows 100 in-flight unacknowledged messages (limit is across all messages requiring ACK). When this limit is reached, no new messages will be sent to the client until the client acknowledges the in-flight messages.
Maximum retry interval for delivering QoS 1 messages: If a connected client is unable to receive an ACK on a QoS 1 message for one hour, the message broker will drop the message. The client may be unable to receive the message if it has 100 in-flight messages, it is being throttled due to large payloads, or other errors.
WebSocket connection duration: WebSocket connections are limited to 24 hours. If the limit is exceeded, the WebSocket connection will automatically be closed when an attempt is made to send a message by the client or server. If you need to maintain an active WebSocket connection for longer than 5 minutes, simply close and re-open the WebSocket connection from the client side before the 5 minutes elapses.
IoT rules per AWS account: 1000
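The broker limits listed above are easy to violate from device firmware, and the result is a rejected publish or a dropped connection rather than a clear error. As an added example (not code from these notes or from AWS), the following Python checks a topic, client ID, publish and subscribe call against those limits before they reach the broker. The shadow topic prefix `$aws/things/` is an assumption; the notes only say that '$' topics are allowed for the Thing Shadows service.

```python
import json

# Limits as listed above.
TOPIC_MAX_BYTES = 256
TOPIC_MAX_SLASHES = 8
CLIENT_ID_MAX_BYTES = 128
MAX_SUBSCRIPTIONS_PER_CALL = 8
MAX_SUBSCRIPTIONS_PER_SESSION = 50
MAX_PAYLOAD_BYTES = 128 * 1024
RESERVED_PREFIX = "$"
SHADOW_TOPIC_PREFIX = "$aws/things/"  # assumption: prefix used by shadow topics


def check_topic(topic, shadow_allowed=False):
    """Return the list of limit violations for a topic or topic filter (empty = OK).

    Sizes are measured in UTF-8 bytes, so a multi-byte character counts more than once."""
    problems = []
    if len(topic.encode("utf-8")) > TOPIC_MAX_BYTES:
        problems.append("topic longer than %d bytes in UTF-8" % TOPIC_MAX_BYTES)
    if topic.count("/") > TOPIC_MAX_SLASHES:
        problems.append("topic has more than %d forward slashes" % TOPIC_MAX_SLASHES)
    if topic.startswith(RESERVED_PREFIX):
        if not (shadow_allowed and topic.startswith(SHADOW_TOPIC_PREFIX)):
            problems.append("topic uses the reserved '$' prefix")
    return problems


def check_client_id(client_id):
    """Client IDs are limited to 128 UTF-8 bytes and may not start with '$'."""
    problems = []
    if len(client_id.encode("utf-8")) > CLIENT_ID_MAX_BYTES:
        problems.append("client ID longer than %d bytes in UTF-8" % CLIENT_ID_MAX_BYTES)
    if client_id.startswith(RESERVED_PREFIX):
        problems.append("client ID uses the reserved '$' prefix")
    return problems


def check_publish(topic, payload):
    """Validate a publish: the topic rules plus the 128 KB payload limit.

    Payload may be raw bytes or a JSON-serialisable object."""
    problems = check_topic(topic)
    body = payload if isinstance(payload, bytes) else json.dumps(payload).encode("utf-8")
    if len(body) > MAX_PAYLOAD_BYTES:
        problems.append("payload larger than 128 KB")
    return problems


def check_subscribe(filters, already_subscribed=0):
    """Validate one SUBSCRIBE call against the per-call and per-session limits."""
    problems = []
    if len(filters) > MAX_SUBSCRIPTIONS_PER_CALL:
        problems.append("more than %d filters in one subscribe call" % MAX_SUBSCRIPTIONS_PER_CALL)
    if already_subscribed + len(filters) > MAX_SUBSCRIPTIONS_PER_SESSION:
        problems.append("session would exceed %d subscriptions" % MAX_SUBSCRIPTIONS_PER_SESSION)
    for f in filters:
        problems.extend("%s: %s" % (f, p) for p in check_topic(f))
    return problems


if __name__ == "__main__":
    # Constructed samples: a normal telemetry topic, a 9-slash topic, and a reserved one.
    for t in ("sensors/room1/temp", "a/b/c/d/e/f/g/h/i/j", "$internal/x"):
        print(t, "->", check_topic(t) or "OK")
```

Run these checks in the device's publish/subscribe wrapper and log the violation text; a device that keeps tripping the session limit of 50 subscriptions is otherwise only visible as a string of disconnects.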
The following limits apply to thing shadows:
Resource or Operation: Default Limit
Maximum size of a JSON state document: The maximum size of a JSON state document is 8 KB.
Maximum number of JSON objects per AWS account: There is no limit on the number of JSON objects per AWS account.
Shadow lifetime: A thing shadow is deleted by AWS IoT if it has not been updated or retrieved in more than 1 year.
Maximum number of in-flight, unacknowledged messages: The Thing Shadows service supports up to 10 in-flight unacknowledged messages. When this limit is reached, all new shadow requests will be rejected with a 429 error code.
Maximum depth of JSON device state documents: The maximum number of levels in the "desired" or "reported" section of the JSON device state document is 5.
The following limits apply to security:
Resource or Operation: Default Limit
Policies that can be applied to an AWS IoT certificate: 10
Number of versions of a named policy: 5
Policy document size limit: 2048 characters
Throttling Limits:
Resource or Operation: Default Limit
AcceptCertificateTransfer: 10
AttachThingPrincipal: 15
CancelCertificateTransfer: 10
CreateCertificateFromCsr: 15
CreatePolicy: 10
CreatePolicyVersion: 10
CreateThing: 15
DeleteCertificate: 10
DeleteCACertificate: 10
DeletePolicy: 10
DeletePolicyVersion: 10
DeleteThing: 10
DescribeCertificate: 10
DescribeCACertificate: 10
DescribeThing: 10
DetachThingPrincipal: 10
DetachPrincipalPolicy: 15
DeleteRegistrationCode: 10
GetPolicy: 10
GetPolicyVersion: 15
GetRegistrationCode: 10
ListCertificates: 10
ListCertificatesByCA: 10
ListPolicies: 10
ListPolicyVersions: 10
ListPrincipalPolicies: 15
ListPrincipalThings: 10
ListThings: 10
ListThingPrincipals: 10
RegisterCertificate: 10
RegisterCACertificate: 10
RejectCertificateTransfer: 10
SetDefaultPolicyVersion: 10
TransferCertificate: 10
UpdateCertificate: 10
UpdateCACertificate: 10
UpdateThing: 10
Well Architected Framework:
Consists of 4 pillars:
Security
Apply security at all layers
Enable Traceability
Automate response to security events
Focus on securing your system
Automate security best practices
Encrypt your data both in transit and at rest using ELB, EBS, S3 and RDS
Use IAM and MFA for privilege management
Security in the cloud has 4 areas:
Data Protection
Organize and classify your data into segments such as public, available only to org/dept/user
Implement a least privilege access system so people can only access what they need
Encrypt everything where possible, whether it be at rest or in transit
Customers maintain full control of their data
AWS makes it easy to manage keys using KMS or KMS-C
Detailed logging is available that contains important content such as file access and changes
Storage systems are designed for exceptional resiliency.
S3 is designed for 11 nines (99.999999999%) durability. If you store 10,000 objects on S3, you can on average expect to incur a loss of a single object once every 10,000,000 years.
Versioning which can protect against accidental overwrites, deletes, and similar harm
AWS never initiates the movement of data between regions. Content placed in a region will remain in that region, unless manually moved.
Privilege Management
Ensures that only authorized and authenticated users are able to access your resources
Mechanisms in place such as ACLs, Role based access controls, Password management such as password rotation policies
Infrastructure Protection
How do you protect your data center?
RFID controls
Security
Lockable cabinets
CCTV
AWS handles all of the physical protection; the customer is really responsible for VPC protection.
Enforce network and host level boundary protection
Enforce the integrity of the OS, updates, patches, and anti-virus
Detective Controls
Detect or identify a security breach, tools available to help with this are:
CloudTrail
CloudWatch
AWS Config
S3
Glacier
Reliability
Ability of a system to recover from a service or infrastructure outage/disruptions
Ability to dynamically acquire computing resources to meet demand
Test recovery procedures
Automatically recover from failure
Scale horizontally to increase aggregate system availability
Stop guessing capacity
Consists of 3 areas:
Foundations:
Make sure you have the prerequisite foundations in place
Consider the size of communication links between HQ and data centers
Mis-provisioning connections could result in 3-6 upgrade time-frames
AWS handles most of the foundations for you. The cloud is designed to be essentially limitless, meaning that AWS handles the networking and compute requirements themselves. They set service limits to limit accidental spin-up of too many resources.
Change Management:
Be aware of how change affects a system so you can plan pro-actively around it.
Monitoring allows you to detect any changes to your environment and react.
Traditionally, change control is done manually and carefully coordinated with auditing
CloudWatch can be configured to monitor your environment and services such as auto-scaling, to automate change in response to changes in your prod environment.
Failure Management:
Always architect your system with the assumption that failure will occur
Become aware of these failures, how they occurred, how to respond to them and then plan on how to prevent them in the future.
Performance Efficiency:
Focuses on how to use computing resources efficiently to meet requirements
How to maintain that efficiency as demand changes and technology evolves
Democratize advanced technologies (Consume as service vs setup and maintain)
Go Global in minutes
Use server-less architectures
Experiment more often
Consists of 4 areas:
Compute:
Choose the right kind of server
AWS servers are virtualized and at the click of a button you can change server types
You can even switch to running with no servers, and use Lambda
Storage:
Optimal storage solutions for your environment depend on access methods (block, file or object), patterns of access, throughput, frequency of access, frequency of update, availability constraints, and durability constraints.
S3 has 11 nines durability and cross-region replication
EBS has different mediums such as magnetic, SSD, or provisioned IOPS SSD
Can easily switch between different mediums
Databases:
Optimal database solution depends on a number of factors: do you need database consistency, high availability, NoSQL, DR, relational tables?
Lots of options: RDS, DynamoDB, Redshift, etc.
Space-Time Trade-off:
Using services such as RDS to add read replicas reduces the load of your database and creates multiple copies of the data to help lower latency
Can use Direct Connect to provide predictable latency between HQ and AWS
Use the global infrastructure to have copies of environment in regions closest to where your customer base is located.
Caching services such as Elasticache or CloudFront to reduce latency
Cost Optimization
Reduce cost to a minimum and use those savings for other parts of your business
Allows you to pay the lowest price possible while still achieving your business objectives
Transparently attribute expenditure
Use managed services to reduce the cost of ownership
Trade capital expense for operating expense
Benefit from economies of scale (AWS buys servers by the thousands)
Stop spending money on data center operations
Design Principles:
Stop guessing your capacity needs
Test systems at production scale
Lower the risk of architecture change
Automate to make architectural experimentation easier
Allow for evolutionary architectures
Comprised of 4 different areas:
Matched Supply and demand
Align supply with demand
Don't over or under provision, instead expand as demand grows
Auto Scaling or Lambda execute or respond when a request comes in
Services such as CloudWatch can help you keep track as to what your demand is.
Cost-Effective resources
Use correct instance type
Well architected system will use the most cost efficient resources to reach the end business goal
Expenditure awareness
No longer need to get quotes for physical servers, choose a supplier, have resources delivered, installed, manufactured, etc.
Can provision things within seconds
Being aware of what each team is spending, and where, is crucial to any well architected system
Use cost allocation tags to track this, billing alerts as well as consolidated billing.
Optimizing over time
A service that you chose yesterday may not be the best service to be using today
Constantly re-evaluate your existing architecture
Subscribe to the AWS blog
Use Trusted Advisor
White Paper Review:
6 Advantages of Cloud
Trade capital expense for variable expense
Benefit from massive economies of scale
Stop guessing about capacity
Increase speed and agility
Stop spending money running and maintaining data centers
Go Global in minutes
14 Regions, each with a different number of AZs
AWS uses the techniques detailed in DoD 5220.22-M or NIST 800-88 to destroy data on storage devices that have reached the end of their useful life. All decommissioned magnetic storage devices are degaussed and physically destroyed in accordance with industry standard practices
VPC provides a private subnet within the cloud and the ability to use an IPsec VPN to provide an encrypted tunnel between the VPC and your data center
AWS prod is segregated from the AWS Corporate network by means of a complex set of network security / segregation devices
Provides protection against DDoS, Man in the middle attacks, IP spoofing, Port Scanning, and Packet Sniffing by other tenants
AWS has a host based firewall infrastructure that will not permit an instance to send traffic with a source IP or MAC address other than its own, which prevents IP Spoofing
Unauthorized port scans by EC2 customers are a violation of the Acceptable use policy
You may request permission to conduct vulnerability scans as required to meet your specific compliance requirements
Any pre-approved vulnerability scans must be limited to your own instances and must not violate the Acceptable Use Policy; you MUST request a vulnerability scan in advance
Passwords for root or IAM user console logins should be protected by MFA
Use access keys to access AWS APIs (using the AWS SDK, CLI, or REST/Query APIs)
Use SSH key pairs to log in to EC2 instances, or CloudFront signed URLs
Use X.509 certificates to tighten security of your applications/CloudFront via HTTPS
Trusted Advisor inspects your environment and makes recommendations when opportunities exist to save money, improve system performance, or close security gaps
Different instances running on the same physical machine are isolated from each other via the Xen hypervisor
The AWS firewall resides within the hypervisor layer, between the physical network and the instance's virtual interface.
ALL packets must pass through this layer. Any instance's neighbors have no more access to the instance than any other host on the Internet and can be treated as if they are separate hosts
Physical RAM is separated using similar mechanisms
Customer instances have no access to raw disk devices, but instead are presented with virtualized disks
The AWS proprietary disk virtualization layer automatically resets every block of storage used by the customer, so that one customer's data is never unintentionally exposed to another
Memory allocated to guests is scrubbed (set to 0) by the hypervisor when it is unallocated to a guest
Memory is not returned to the pool of free memory available for new allocations until the memory scrub process has completed
Virtual instances are completely controlled by you, the customer. You have full root access or administrative control over accounts, services, and applications. AWS does not have any access rights to any instance or guest OS
EC2 provides a complete firewall solution. The inbound firewall is configured in a default deny any any mode and EC2 customers must explicitly open the ports needed to allow inbound traffic
Encryption of sensitive data is generally a good practice and AWS provides the ability to encrypt EBS volumes and their snapshots with AES-256. The encryption occurs on the servers that host the EC2 instances and EBS storage
EBS encryption feature is only available on EC2's more powerful instance types (M3, C3, R3, G2)
SSL termination on ELB is supported and recommended
X-Forwarded-For headers, when enabled, pass the real client IP from the LB to the web servers
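The caveat a practitioner wants here is that X-Forwarded-For is a comma-separated chain to which each proxy appends the address it saw, so the leftmost entry is whatever the client chose to send and only the hops added by your own load balancer can be believed. As an added example (not from these notes or from AWS), the following Python resolves the client address by walking the chain from the right and skipping known proxies; the trusted range and the sample header are constructed for the example.

```python
import ipaddress

# Assumption (constructed for the example): our load balancers and any other
# proxies we operate live in this range. In practice use your ELB/VPC addresses.
TRUSTED_PROXY_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def client_ip_from_xff(xff_header, remote_addr, trusted=TRUSTED_PROXY_NETS):
    """Pick the client address from an X-Forwarded-For chain.

    Each proxy appends the address it received the connection from, so the
    LEFTMOST value is client-supplied and may be forged. Walk from the right
    (the peer that actually connected to us) and return the first hop that is
    not one of our trusted proxies. If the direct peer is not a trusted proxy
    the header is ignored entirely. Returns None if any hop is malformed."""
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    chain = hops + [remote_addr]
    for hop in reversed(chain):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # refuse to guess on malformed input
        if not any(addr in net for net in trusted):
            return str(addr)
    # Every hop was one of our proxies: fall back to the direct peer.
    return str(ipaddress.ip_address(remote_addr))


def naive_client_ip(xff_header, remote_addr):
    """The common mistake: trusting the leftmost entry, which the client controls."""
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    return hops[0] if hops else remote_addr


if __name__ == "__main__":
    # Constructed request: client 203.0.113.5 sent a forged leading entry, then
    # passed through a proxy at 10.0.0.7 and our load balancer at 10.0.0.9.
    header = "1.2.3.4, 203.0.113.5, 10.0.0.7"
    print("naive:  ", naive_client_ip(header, "10.0.0.9"))    # 1.2.3.4 (forged)
    print("checked:", client_ip_from_xff(header, "10.0.0.9"))  # 203.0.113.5
```

Use the checked value for rate limiting, allowlists and audit logs; the naive one is only safe when the application can never be reached except through the load balancer and the balancer overwrites rather than appends to the header.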
You can procure rack space within the facility housing the AWS Direct Connect location and deploy your equipment nearby. Once deployed, you can connect this equipment to AWS Direct Connect using a cross-connect
Using 802.1Q VLANs, dedicated connections can be partitioned into multiple virtual interfaces. This allows you to use the connection to access public resources such as objects stored in S3 using public IP address space, and private resources such as EC2 instances running within the VPC private IP space, while maintaining network separation between public and private environments
AWS management re-evaluates the strategic business plan at least bi-annually
AWS security regularly scans all Internet facing service endpoint IP addresses for vulnerabilities. These do NOT include customer instances
External vulnerability threat assessments are performed regularly by independent security firms, and their findings are passed to management
Data Center Security:
State-of-the-art electronic surveillance and multi-factor access control
Staffed 24x7 by security guards
Access is authorized on a least privilege basis
Compliance:
SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70 Type II)
SOC2
SOC3
FISMA, DIACAP, and FedRAMP
PCI DSS Level 1
ISO 27001
ISO 9001
HIPAA
Cloud Security Alliance (CSA)
Motion Picture Association of America (MPAA)
ITAR
FIPS 140-2
DSS 1.0
Data Security:
Shared security model
AWS:
Responsible for securing the underlying infrastructure
Responsible for protecting the global infrastructure that runs all of the services offered on the AWS cloud.
Infrastructure comprised of hardware, software, networking, and facilities that run AWS services
Responsible for the security configuration of its products that are considered managed services, such as DynamoDB, RDS, Redshift, Elastic MapReduce, Lambda, and WorkSpaces.
User:
Responsible for anything put on the cloud
EC2, VPC, S3 security configuration and management tasks