- immutable: unchanging.
- ephemeral: short-lived; transient.
- DNS record types:
1. A record: maps a domain name to an IPv4 address.
2. NS record: if a domain is served by multiple DNS servers, this records the mapping between the domain and those servers.
3. SOA record: if the NS records list multiple servers, this records the mapping between the domain and the primary server.
4. CNAME record: an alias for a domain name.
5. MX record: mail exchange record.
6. PTR record: the reverse of an A record; it resolves an IP address to a domain name.
7. AAAA record: maps a domain name to an IPv6 address.
The alias record is used to route the domain's top node, i.e. the zone apex.
- Placement groups can't cross regions.
- A spread placement group is a logical grouping of instances that are placed on distinct underlying hardware to reduce the risk of simultaneous failures due to hardware issues; this ensures high availability.
- AWS CloudFormation StackSets extends the capability of stacks by enabling you to create, update, or delete stacks across multiple accounts and AWS Regions.
- The procstat plugin enables you to collect metrics from individual processes.
- The number of Trusted Advisor checks available to an account depends on the AWS Support plan that is associated with the account.
- Scale to millions of requests each second - Network Load Balancer can scale this much.
- EventBridge(CloudWatch Events)provides a reliable way to schedule events and to invoke AWS services on a schedule.
- When you share a portfolio using account-to-account sharing or AWS Organizations, you allow an AWS Service Catalog administrator of another AWS account to import your portfolio into their account and distribute the products to end users in that account. The administrator of the second account is then able to add a product from the imported portfolio to a local portfolio.
- AWS Compute Optimizer provides Amazon EC2 instance recommendations to help you improve performance, save money, or both. You can use these recommendations to decide whether to move to a new instance type.
- If you have an account, we recommend that you sign in to your AWS Personal Health Dashboard to get deeper insights into events and upcoming changes that might affect your services and resources.
- InsufficientInstanceCapacity: if you get this error when you try to launch an instance or restart a stopped instance, AWS does not currently have enough available On-Demand capacity to fulfill your request.
- Create a primary failover routing policy record. Configure the value to be the ALB. Associate the record with a Route 53 health check. Create a secondary failover routing policy record. Configure the value to be the static website.
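The primary/secondary failover pair described above, written out as a Route 53 change batch. This is an added example, not part of the original notes: the domain `www.example.com`, the ALB DNS name, and every ID ending in `_PLACEHOLDER` are assumptions to be replaced with your own values (the S3 website endpoint and its hosted zone ID are per-Region constants published by AWS). The secondary alias points at the S3 website endpoint, so the bucket must be named `www.example.com` to match the record name.

```json
{
  "Comment": "Failover: PRIMARY = ALB guarded by a health check, SECONDARY = S3 static website",
  "Changes": [
    {
      "Action": "UPSERT",
      "ResourceRecordSet": {
        "Name": "www.example.com",
        "Type": "A",
        "SetIdentifier": "primary-alb",
        "Failover": "PRIMARY",
        "HealthCheckId": "HEALTH_CHECK_ID_PLACEHOLDER",
        "AliasTarget": {
          "HostedZoneId": "ALB_HOSTED_ZONE_ID_PLACEHOLDER",
          "DNSName": "my-alb-123456.us-east-1.elb.amazonaws.com",
          "EvaluateTargetHealth": true
        }
      }
    },
    {
      "Action": "UPSERT",
      "ResourceRecordSet": {
        "Name": "www.example.com",
        "Type": "A",
        "SetIdentifier": "secondary-s3",
        "Failover": "SECONDARY",
        "AliasTarget": {
          "HostedZoneId": "S3_WEBSITE_HOSTED_ZONE_ID_PLACEHOLDER",
          "DNSName": "s3-website-us-east-1.amazonaws.com",
          "EvaluateTargetHealth": false
        }
      }
    }
  ]
}
```

Apply it with `aws route53 change-resource-record-sets --hosted-zone-id <your-zone-id> --change-batch file://failover.json`. Only the primary record carries a health check; the secondary is returned whenever the primary is unhealthy, which is the point of the note that the secondary needs no health check.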
- RDP port: 3389
- PrivateDnsName is a CloudFormation return value, not a parameter: the private DNS name of the specified instance, for example ip-10-24-34-0.ec2.internal.
- Encryption at rest refers to server-side encryption.
- Encryption at rest can't be enabled after the EFS volume has been created, so you need to create a new encrypted volume and then copy the data from the original volume.
- To create new cryptographic material for your customer managed keys, you can create new KMS keys and then change your applications or aliases to use the new KMS keys.
- The S3 bucket name must match the record set name in Route 53.
- To keep a resource when its stack is deleted, specify Retain for that resource.
- System status check failing: stop and restart the instance.
- Instance status check failing: reboot the instance.
- By default, AWS Systems Manager doesn't have permission to perform actions on your instances. Grant access by using an AWS IAM instance profile.
- The AWS CLI allows you to detect the following types of changes:
1. Modification or deletion of CloudTrail log files.
2. Modification or deletion of CloudTrail digest files.
- When a scale-in event occurs, a lifecycle hook pauses the instance before it is terminated and sends you a notification using Amazon EventBridge. While the instance is in the wait state, you can invoke an AWS Lambda function or connect to the instance to download logs or other data before the instance is fully terminated.
- Geolocation routing policy: use when you want to route traffic based on the location of your users.
- Geoproximity routing policy: use when you want to route traffic based on the location of your resources.
- The s3 cp command automatically performs multipart uploading and downloading based on the file size.
- Elastic Beanstalk: immutable deployments perform an immutable update to launch a full set of new instances running the new version of the application.
- Elastic Beanstalk: to maintain full capacity during deployments, the option is known as a rolling deployment with an additional batch.
- Server-side encryption in Amazon S3 exists and is used to protect data at rest using Amazon S3-managed encryption keys (SSE-S3).
- If a SysOps admin must make sure that users can access the S3 bucket only through requests from the CloudFront endpoint, the solution is: create an origin access identity (OAI), assign the OAI to the CloudFront distribution, and update the S3 bucket policy to restrict access to the OAI.
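The bucket policy that closes the loop on the OAI solution above, added here as an example rather than taken from the original notes. The bucket name `example-bucket` and the OAI ID `EXAMPLE_OAI_ID` are assumptions; the principal ARN format `arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <id>` is the one CloudFront uses for OAIs.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOnlyCloudFrontOAIToRead",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLE_OAI_ID"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}
```

With this policy in place, keep S3 Block Public Access enabled on the bucket and remove any public-read ACLs or statements; direct requests to the bucket URL then fail with 403, and only requests signed by CloudFront on behalf of the OAI succeed. Granting only `s3:GetObject` (not `s3:ListBucket`) also prevents the distribution from exposing a directory listing.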
- CloudWatch supports 7 metrics and 1 dimension for Auto Scaling instances plus one additional metric for the aggregated CPU usage, summing up to 8 metrics and 1 dimension.
- CloudFormation limitation:
- In IAM, a policy has to include information about who (user) can access a resource; this is known as the 'principal'.
- Auto Scaling compensates for potential performance issues by temporarily exceeding the specified maximum capacity of a group by a 20 percent margin (or a 2-instance margin, whichever is greater) during rebalancing activity. This temporarily boosts capacity to accommodate the rebalancing process.
- The 'elb-add-zones-for-lb' command is used to add more zones to an existing load balancer in AWS.
- The AWS Storage Gateway's Virtual Tape Library (VTL) interface is what allows you to cost-effectively and durably archive backup data in Amazon Glacier.
- AWS Cloud Hardware Security Modules (HSMs) are primarily designed for the safe custody and utilization of cryptographic key material without exposing it outside the cryptographic boundary of the appliance.
- Amazon EBS Provisioned IOPS volumes automatically send one-minute metrics to Amazon CloudWatch.
- S3 client-side encryption allows you to create and manage your own encryption keys for sending data.
- Any additional instance store volume attached to the instance cannot be included in the AMI.
- AWS IAM permissions can be assigned in two ways: as identity-based or as resource-based.
- To find out the reason for termination of an instance, the user can get information from the AWS console by checking the instance description under the State transition reason label.
- A subnet within a VPC can only be associated with one route table at a time.
- Amazon EMR customers can choose to send data to Amazon S3 using the HTTPS protocol for secure transmission.
- When an EC2 instance fails the health check in an Application Load Balancer setup, the instance is not terminated or rebooted. Instead, the load balancer continues to perform health checks on the EC2 instance and stops sending new traffic to it.
- Amazon EC2 supports two types of block devices: instance store volumes and EBS volumes.
- A SysOps administrator could ensure more consistent I/O performance by 'restoring the EBS volume from the snapshot with fast snapshot restore enabled' and by 'restoring the EBS volume from the snapshot and warming up the volume by reading all of the blocks'.
- The prerequisite for registering targets using IP addresses in a Network Load Balancer requires that the targets must be within specific CIDR blocks.
- The possible states for a CloudWatch alarm are: OK, INSUFFICIENT_DATA, and ALARM.
- Both AWS Elastic Beanstalk and Amazon Elastic MapReduce provide the customer with administrative privileges on the underlying EC2 instances.
- Configure an Amazon CloudWatch alarm to trigger an AWS Lambda function that disables keys older than xxx days.
- Amazon S3 Object Lock in compliance mode with S3 Versioning enabled is exactly designed for this model, where objects cannot be deleted or changed after they are stored.
- In the member account, add the group Amazon Resource Name (ARN) to the role's trust policy. In the identity account, add an inline policy to the group with sts:AssumeRole permissions.
- When a stack is rolled back, AWS CloudFormation deletes all resources that were created during the stack update. The state of the stack is set to ROLLBACK_COMPLETE. Hence, the admin should relaunch the template to create a new stack.
- The data stored in Glacier is automatically encrypted with AES-256 server-side encryption.
- In a Multi-AZ deployment, AWS runs two DBs in parallel and copies the data synchronously to the replica.
- Amazon allows users to create up to 15 VPCs per Region by default.
- Amazon RDS does support SSL encryption for all supported SQL Server editions, regardless of the Region.
- These are the metrics that Amazon CloudWatch can collect from your instances without installing additional software (as opposed to custom metrics): CPU Utilization, Disk Read Operations, and Network Packets In.
- The AWS Personal Health Dashboard only reports events from the single account it is configured on, not from any linked accounts.
- Application Load Balancer (ALB) doesn't provide a static IP address.
- Scale to millions of requests each second: Network Load Balancer (NLB).
- Point-in-time recovery is used to create a new DB cluster, not to restore the existing cluster.
- Use backtracking to rewind the existing DB cluster to the desired recovery point.
- The primary instance is associated with a health check; the secondary doesn't need one.
- Another Region is used for disaster recovery and redundancy. If it's just for HA, a second AZ in the same Region is enough, because cross-Region traffic may add latency.
- Stateful application: sticky sessions/cookies.
- Too many DB connections: RDS Proxy.
- Distinct underlying hardware: spread placement group. Placement groups can't cross Regions.
- AWS CloudFormation StackSets can work across accounts in an AWS Organization to deploy the template in each of the accounts.
- A VPN requires a public IP address for the customer gateway, as it establishes a connection over the internet.
- When configuring a customer gateway for an AWS managed VPN connection, use the public IP address of the NAT device that sits in front of the customer gateway device.
- Breakdown of charges by environment/department/...: keyword in the answer: tags for cost allocation.
- Performance is degrading when users search for information/reports: keyword in the answer: read replica.
- Whenever the question mentions Organizations and asks where you have to restrict something: keyword in the answer: SCP (Service Control Policy).
- Whenever the question asks for "operationally efficient": keyword in the answer: eliminate anything that uses EC2 instances.
- Private certificates in AWS Certificate Manager (ACM) are used for internal services within a VPC or an internal network.
- Application Load Balancer (ALB) requires public certificates for HTTPS termination.
- Improve throughput and upload speed to S3: keyword in the answer: Transfer Acceleration.
- Send requests from on-premises to the VPC: inbound.
- Send requests from the VPC to on-premises: outbound.
- Application Load Balancer supports HTTP/HTTPS traffic.
- Network Load Balancer supports TCP/UDP traffic.
- Encrypt the existing database: take a snapshot of the RDS instance, copy and encrypt the snapshot, and then restore a new RDS instance from it.
- EFS is for Linux, not for Windows. An FSx for Windows File Server file share is used for Windows.
- CloudFormation template CreationPolicy: can set a timeout.
- S3 Object Lock in governance mode is used for S3 buckets, not for S3 Glacier.
- Can't edit existing VPC flow logs.
- Use AWS Control Tower to create a template in Account Factory and use the template to provision new accounts.
- CloudFormation doesn't delete the stack by default.
- When the internet can't reach the VPC but the VPC can reach the internet:
  for IPv4, use a NAT gateway;
  for IPv6, use an egress-only internet gateway.
- Route 0.0.0.0/0 is for IPv4; route ::/0 is for IPv6.
- Security groups only allow traffic; you can't create deny rules.
- Network ACLs can have both allow and deny rules.
- Deleting an AWS CloudFormation stack deletes its nested stacks automatically.
- AWS Organizations has no built-in mechanism to support third-party login verification for accounts, so Organizations can't be used in that case.
- Unauthorized users must be restricted from access: in this case use an OAI (origin access identity).
- Add a permission to the Lambda function so that it can be invoked by the EventBridge rule.
- One S3 bucket only matches one domain or subdomain.
- A spread placement group has high availability but higher network latency.
- A cluster placement group puts the nodes closer to each other, minimizing network latency and maximizing network throughput.
- Free (available) space is not a CloudWatch built-in metric; it needs the CloudWatch agent.
- If the monitoring solution encounters an error while processing the event, the event will automatically be sent to the dead-letter queue.
- S3 Object Lock provides two retention modes that apply different levels of protection to your objects: Compliance mode / Governance mode.
- In compliance mode, a protected object version can't be overwritten or deleted by any user, including the root user in the AWS account. When an object is locked in compliance mode, its retention mode can't be changed, and its retention period can't be shortened. Compliance mode helps ensure that an object version can't be overwritten or deleted for the duration of the retention period.
- In governance mode, users can't overwrite or delete an object version or alter its lock settings unless they have special permissions. With governance mode, you protect objects against being deleted by most users, but you can still grant some users permission to alter the retention settings or delete the objects if necessary.
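A default retention rule for the compliance mode described above, as an added example that is not part of the original notes. It is the input document for `aws s3api put-object-lock-configuration --bucket <bucket> --object-lock-configuration file://lock.json`; the 365-day period is an assumed value, and the bucket must have been created with Object Lock (and therefore Versioning) enabled, because Object Lock cannot be switched on afterwards.

```json
{
  "ObjectLockEnabled": "Enabled",
  "Rule": {
    "DefaultRetention": {
      "Mode": "COMPLIANCE",
      "Days": 365
    }
  }
}
```

Changing `"Mode"` to `"GOVERNANCE"` gives the weaker mode from the next note: a user who holds `s3:BypassGovernanceRetention` can then delete or shorten the lock by sending the request with the `x-amz-bypass-governance-retention: true` header, whereas in COMPLIANCE mode no identity, root included, can shorten or remove the retention until it expires. Test the rule on a non-production bucket first, since a compliance lock on the wrong data cannot be undone.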
- If you want to create dedicated templates that have their own parameters and conditions for the common components, you can use CloudFormation nested stacks.
- EC2 instance access to S3 needs the public internet; if the instance is in a private subnet, it needs an S3 gateway endpoint.
- AWS Global Accelerator can improve network performance, but it is not used for large file uploads. (But if the question is Region-related, consider Global Accelerator even for large files.)
- To increase upload speed into the S3 bucket:
- Use Amazon S3 Transfer Acceleration for file uploads into the destination S3 bucket.
- Use multipart uploads for file uploads into the destination S3 bucket.
- A security group is stateful and has allow rules only. If you allow one inbound connection, then the outbound connection is also allowed by default. (It's stateful, so it remembers the inbound traffic.)
- A network ACL is stateless and has allow and deny rules; it needs the inbound rule and the outbound rule defined separately.
- An Amazon Route 53 Resolver inbound endpoint is used to send DNS queries from on-premises to VPC resources; no conditional forwarding rule is needed.
- If the DNS is on-premises, then we should use a Route 53 outbound endpoint.
- If the DNS is on AWS, then we should use a Route 53 inbound endpoint.
- If the DNS is inside the VPC, then use inbound.
Think of AWS/VPC as the reference point: if the DNS is on AWS/VPC, it's inbound.
- The available disk space metrics are not available by default in CloudWatch. If you want to get the disk space metric, you need to install the CloudWatch agent.
- If the question focuses on monitoring settings, the answer focuses on AWS Config.
- Use AWS Trusted Advisor to find security groups that allow unrestricted access on port xxx.
- If the Auto Scaling group needs to use a wide range of instance types, the configured fleet should come from pools that have the most availability for the number of instances being launched: launch the Spot Instances by using the capacity-optimized strategy.
- If you want to use the same AMI in another Region, then you need to copy the AMI to the additional Regions.
- AWS KMS provides detailed logs of key usage, including who used the key and when.
- AWS CloudFormation StackSets are used to create stacks across multiple accounts and Regions.
- An A record is not used for an ALB (Application Load Balancer), because the IP of an ALB is dynamic.
- An alias record is used for AWS resources with dynamic IP addresses, not for on-premises resources.
- S3 Select can only search within a single object; it can't search across multiple objects.
- AWS Backup can be used for EC2 backup and RDS backup, but Amazon Data Lifecycle Manager can be used for EC2, not for RDS.
- DynamoDB + another Region + disaster recovery: prefer global tables in the answer.