[AWS] SAA
[AWS SAA-03] CheatSheat 1차
BobandTim
2024. 4. 8. 00:01
- EC2
Cost:
- On-Demand: pay only for what you use with no commitment; use when demand is hard to predict
With an On-Demand Capacity Reservation, you can specify the Region and Availability Zones where you want to reserve capacity, and the number of EC2 instances you want to reserve.
- Reserved: 1- or 3-year term; a pricing model for stable server resources that are always in use
- Spot: advantageous for short-term spikes in demand; uses spare EC2 capacity that is available for less than the On-Demand price
- enables you to request unused EC2 instances
- cost effective when you can be flexible about when your applications run and if your applications can be interrupted
- IAM Role vs Policy
- Always remember that you should associate IAM roles with EC2 instances
- An IAM policy is used to define permissions for an IAM user or group, not for an EC2 instance
- [S3] S3 Transfer Acceleration is designed to optimize transfer speeds from across the world into S3 buckets.
- Using S3 Transfer Acceleration together with multipart upload, aggregate the data from all these global sites as quickly as possible into a single Amazon S3 bucket
- [S3] Enabling versioning on S3 ensures that multiple versions of an object are stored in the bucket.
- [S3] Amazon S3 File Gateway is a solution to transfer data from on-premises storage to storage in the cloud, and it supports the SMB, iSCSI and NFS protocols
- AWS Storage Gateway supports connections to a variety of storage services such as AWS S3, AWS S3 Glacier, AWS S3 Glacier Deep Archive, AWS EBS and AWS Backup
- [S3] MFA delete requires multi-factor authentication (MFA) when deleting an object version
- EFS
- both high availability and durability; "catalog"
- [S3 + Analyze] Amazon Athena is an interactive query service that makes it easy to analyze data directly in Amazon Simple Storage Service (Amazon S3) using standard SQL
- Athena is a good option to query data in S3
- aws:PrincipalOrgID validates whether the principal accessing the resource belongs to an account in your organization.
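As an added illustration (not from the original post), an S3 bucket policy that uses the aws:PrincipalOrgID condition key so that only principals from accounts inside one AWS Organization can read or write objects; the bucket name and organization ID are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOnlyPrincipalsInMyOrganization",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "o-EXAMPLEORGID"
        }
      }
    }
  ]
}
```

Because the check is on the organization ID rather than a list of account IDs, new member accounts are covered automatically and accounts that leave the organization lose access without a policy change.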
- The condition key aws:PrincipalOrgID can prevent principals that do not belong to your organization from accessing the resource
- EBS volumes that are created using EBS fast snapshot restore instantly deliver all of their provisioned performance
- EBS volumes must be in the same AZ as the instances they are attached to. So you cannot share an EBS volume across AZs, but EFS can
- [Migration] Snowball Edge Device
1. The company wants to migrate the data as early as possible
2. Does not want to use the network bandwidth
3. Size of the data is 70 TB. AWS suggests using a Snowball Edge device if the data is more than 10 TB.
- Decoupling and increasing scalability are clear use cases for SNS and SQS.
- SQS
- The visibility timeout is the duration during which SQS prevents other consumers from receiving and processing the same message. By increasing the visibility timeout, you allow more time for the processing of a message to complete before it becomes visible to other consumers.
- Amazon AppFlow is a fully managed integration service that helps you securely transfer data between software as a service (SaaS) applications such as Salesforce, SAP, Google Analytics, Facebook Ads, and ServiceNow, and AWS services such as Amazon Simple Storage Service (S3) and Amazon Redshift in just a few clicks
- Amazon Macie is a data security and data privacy service that uses machine learning (ML) and pattern matching to discover and protect your sensitive data
- Macie automatically detects a large and growing list of sensitive data types, including personally identifiable information (PII)
Machine learning
- Amazon Rekognition for content moderation is a cost-effective and efficient solution that reduces the need for developing and training custom machine learning models, making it the best option in terms of minimizing development effort.
- Amazon SageMaker is a comprehensive machine learning service that allows you to build, train, and deploy custom machine learning models. It requires significant development effort to build and train a custom model. In addition, utilizing ground truth to label low-confidence predictions would further add to the development complexity and maintenance overhead.
- AWS Fargate is a serverless, pay-as-you-go compute engine that lets you focus on building applications without having to manage servers. AWS Fargate is compatible with Amazon Elastic Container Service (ECS) and Amazon Elastic Kubernetes Service (EKS).
- Deploying a custom machine learning model requires significant development effort.
- A serverless compute engine for containers: you pay only for what you use, without managing servers.
- Amazon Comprehend is a natural language processing service provided by AWS, primarily focused on text analysis rather than image analysis.
- AWS Secrets Manager is a secrets management service that helps you protect access to your applications, services, and IT resources. This service enables you to rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.
- Encrypts credentials for RDS, DocumentDB, Redshift, other DBs and key/value secrets.
- multi-region replication.
- Rotation based on a schedule
e.g. "rotate the credentials for its Amazon RDS for MySQL databases across multiple AWS Regions" #13
e.g. "Store the database credentials as a secret in AWS Secrets Manager. Turn on automatic rotation for the secret. Attach the required permission to the EC2 role to grant access to the secret." #61
- AWS Systems Manager Parameter Store does not support automatic rotation unless the customer implements it themselves
- AWS Systems Manager Run Command allows the company to run commands or scripts on multiple EC2 instances. By using Run Command, the company can quickly and easily apply the patch to all 1,000 EC2 instances
- AWS Systems Manager Patch Manager primarily focuses on operating system patches and does not directly support third-party software patching on Linux instances
- AWS Global Accelerator vs CloudFront
• They both use the AWS global network and its edge locations around the world
• Both services integrate with AWS Shield for DDoS protection.
• CloudFront: improves performance for both cacheable content (such as images and videos) and dynamic content; content is served at the edge
• Global Accelerator: improves performance for a wide range of applications over TCP or UDP; does not include content caching
- AWS Aurora offers a 5x performance improvement over MySQL on RDS and handles more read requests than writes
- Aurora Multi-AZ deployments automatically maintain a synchronous standby replica in a different Availability Zone to provide high availability.
- Gateway VPC
- "Deploy a gateway VPC endpoint for Amazon S3": a gateway VPC endpoint allows direct access to S3 without going through the public internet.
- AWS Direct Connect is a network service that allows you to establish a dedicated network connection from your on-premises data center to AWS. This connection bypasses the public Internet and can provide more reliable, lower-latency communication between your on-premises application and Amazon S3
- AWS Network Firewall is a managed firewall service that provides filtering for both inbound and outbound network traffic. It allows you to create rules for traffic inspection and filtering, which can help protect your production VPC.
- traffic flow inspection and traffic filtering
- Amazon GuardDuty is a threat detection service, not a traffic inspection or filtering service
- AWS Firewall Manager is a security management service that helps you to centrally configure and manage firewalls across your accounts
- AWS Shield Advanced provides expanded DDoS attack protection for your Amazon EC2 instances, Elastic Load Balancing load balancers, CloudFront distributions, Route 53 hosted zones, and AWS Global Accelerator standard accelerators.
- AWS Shield Standard cannot protect EC2 against DDoS attacks
- QuickSight is used to create dashboards from S3, RDS, Redshift, Aurora, Athena, OpenSearch, Timestream
- only supports users (Standard edition) and groups (Enterprise edition)
- does not support IAM
- Gateway Load Balancer routes traffic to third-party virtual appliances. It is ideal for incorporating a third-party appliance, such as a network firewall, into your network traffic in a scalable and easy-to-manage way.
- Kinesis Data Streams: highly customizable and best suited for developers building custom applications or streaming data for specialized needs. "real-time"
- Kinesis Data Firehose handles loading data streams directly into AWS products for processing (but cannot deliver to DynamoDB)
- AWS Config = CONFIG
- CloudTrail = RECORD API CALLS
- CloudWatch = primarily used for “monitoring” and alerting on performance metrics rather than tracking configuration changes
- For someone who does not have an AWS account: share the dashboard from the CloudWatch console, enter the product manager's email address, and complete the sharing steps; provide a shareable link for the dashboard to the product manager.
[analyze data]
- Amazon Redshift is a fully managed, petabyte-scale data warehouse service that allows you to quickly and efficiently analyze data using SQL and your existing business intelligence tools
#12, 13
Multi-AZ deployment = maintaining high availability
Warehouse = warehouse (창고)