AWS Certified Developer - Associate
By Cloud Mentor Pro
Updated: 11/10/2024
© Copyright by Cloud Mentor Pro | Confidential
Table of Contents
• Section 1
• Getting started with AWS
• IAM & AWS CLI
• EC2 Fundamentals
• Section 2
• EC2 Instance Storage
• High Availability & Scalability: ELB & ASG
• Section 3
• RDS, Aurora & ElastiCache
• Route53
• Section 4
• Amazon S3
• Amazon S3 – Advanced
• Amazon S3 – Security
• Section 5
• Amazon VPC
• Section 6
• CloudFront
• ECS, ECR & Fargate - Docker in AWS
• Section 7
• AWS Elastic Beanstalk
• Section 8
• AWS CloudFormation
• Section 9
• AWS Integration & Messaging: SQS, SNS & Kinesis
• Section 10
• AWS Monitoring, Troubleshooting & Audit
• Section 11
• AWS Lambda
• Section 12
• AWS DynamoDB
• Section 13
• API Gateway
• Section 14
• AWS Serverless: SAM - Serverless Application Model
• Cloud Development Kit (CDK)
• Cognito: Cognito User Pools, Cognito Identity Pools & Cognito Sync
• Other Serverless: Step Functions & AppSync
• Section 15
• AWS CICD: CodeCommit, CodePipeline, CodeBuild, CodeDeploy
• Section 16
• Advanced Identity
• AWS Security & Encryption: KMS, SSM Parameter Store, IAM & STS
• AWS Other Services
What we’ll learn in this course
Section 1
• Getting started with AWS
• IAM & AWS CLI
• EC2 Fundamentals
Getting started with AWS
AWS Global Infrastructure
AWS - The leading cloud
AWS Global Infrastructure
• AWS Regions
• AWS Availability Zone
• AWS Data Centers
• AWS Edge Locations / Points of Presence
https://aws.amazon.com/about-aws/global-infrastructure/?pg=WIAWS
AWS Regions
• A region is a cluster of data centers
• Choose an AWS Region
• Compliance with data governance and legal requirements:
data never leaves a region without your explicit permission
• Proximity to customers: reduced latency
• Available services within a Region: new services and new
features aren’t available in every Region
• Pricing: pricing varies region to region and is transparent in
the service pricing page
AWS Availability Zones
• Each region has many availability zones (usually 3, min
is 3, max is 6). Example:
• ap-southeast-2a
• ap-southeast-2b
• ap-southeast-2c
• Each availability zone (AZ) is one or more discrete data
centers with redundant power, networking,
connectivity
• They’re separate from each other, so that they’re
isolated from disasters
• They’re connected with high bandwidth, ultra-low
latency networking
AWS Edge Locations (Points of Presence )
• The global edge network
currently including 400+ Edge
Locations, and 13 Regional Caches
in 90+ cities across 48+ countries
• Content is delivered to end users
with lower latency
https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/points-of-presence.html
IAM & AWS CLI
AWS Identity and Access Management (AWS IAM)
IAM: Users & Groups
• IAM = Identity and Access Management, Global service
• Root account created by default, shouldn’t be used or shared
• Users are people within your organization, and can be grouped
• Groups only contain users, not other groups
• Users don’t have to belong to a group, and user can belong to multiple groups
IAM: Permissions
• Users or Groups can be assigned
JSON documents called policies
• These policies define the permissions
of the users
• In AWS you apply the least privilege
principle: don’t give more
permissions than a user needs
IAM Policies inheritance
IAM Policies Structure
• Consists of
• Version: policy language version
• Id: an identifier for the policy (optional)
• Statement: one or more individual statements (required)
• Statements consists of
• Sid: an identifier for the statement (optional)
• Effect: Allow, Deny
• Principal: account/user/role
• Action: list of actions this policy allows or denies
• Resource: list of resources to which the actions applied
to
• Condition: conditions for when this policy is in effect
(optional)
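An added example (not from the course material) showing a policy document with the fields listed above, together with the evaluation rule those fields imply: a matching explicit Deny wins over any Allow, and a request matched by no statement is implicitly denied. The policy, bucket name and condition values are constructed; Principal is omitted because identity-based policies attached to users, groups or roles do not carry one.

```python
"""Simplified IAM policy evaluation over a policy document with the fields the slide
lists (Version, Id, Statement -> Sid, Effect, Action, Resource, Condition).
Added example, not from the course material; the policy and its values are constructed."""
from fnmatch import fnmatchcase

# Constructed identity-based policy: read one bucket, describe EC2 resources, and deny
# everything unless the request was made with MFA (a common least-privilege guard rail).
POLICY = {
    "Version": "2012-10-17",
    "Id": "example-least-privilege-policy",
    "Statement": [
        {
            "Sid": "ReadOnlyOnOneBucket",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::example-app-bucket",
                "arn:aws:s3:::example-app-bucket/*",
            ],
        },
        {
            "Sid": "DescribeInstancesOnly",
            "Effect": "Allow",
            "Action": "ec2:Describe*",
            "Resource": "*",
        },
        {
            "Sid": "DenyWithoutMFA",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        },
    ],
}


def _as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    # Action names are case-insensitive; resource ARNs are case-sensitive.
    if fold_case:
        return any(fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    # Only the two Bool operators used in POLICY are implemented.
    for operator, pairs in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                if operator == "Bool":
                    return False      # key missing: a plain Bool condition never matches
                continue              # BoolIfExists: a missing key counts as a match
            if str(actual).lower() != str(expected).lower():
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Deny' (explicit), 'Allow' or 'ImplicitDeny' for one request."""
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action, fold_case=True):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"             # an explicit Deny overrides every Allow
        decision = "Allow"
    return decision


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-app-bucket/report.csv"
    print(evaluate(POLICY, "s3:GetObject", obj, {"aws:MultiFactorAuthPresent": "true"}))
    print(evaluate(POLICY, "s3:GetObject", obj, {"aws:MultiFactorAuthPresent": "false"}))
    print(evaluate(POLICY, "s3:PutObject", obj, {"aws:MultiFactorAuthPresent": "true"}))
```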
IAM – Password Policy
• Strong passwords = higher security
• In AWS, you can setup a password
policy:
• Set a minimum password length
• Require specific character types
• Allow all IAM users to change their
own passwords
• Require users to change their
password after some time (password
expiration)
• Prevent password re-use
Multi Factor Authentication - MFA
• Protect your Root Accounts and IAM users
• MFA = password you know + security device you own
MFA devices options in AWS
• Virtual MFA device: Google Authenticator (phone only), Authy (phone only)
• Universal 2nd Factor (U2F) Security Key: YubiKey by Yubico (3rd party)
How can users access AWS ?
• To access AWS, you have three options:
• AWS Management Console (protected by password + MFA)
• AWS Command Line Interface (CLI): protected by access keys
• AWS Software Developer Kit (SDK) - for code: protected by access keys
• Access Keys are generated through the AWS Console
• Access Keys are secret, just like a password. Don’t share them
• Access Key ID ~= username
• Secret Access Key ~= password
What’s the AWS CLI?
• A tool that enables you to interact with AWS services using commands in
your command-line shell
• Direct access to the public APIs of AWS services
• It’s open-source https://github.com/aws/aws-cli
AWS SDK
• AWS Software Development Kit (AWS SDK)
• Language-specific APIs (set of libraries)
• Enables you to access and manage AWS services
programmatically
• Embedded within your application
• Supports
• SDKs (JS, Python, PHP, .NET, Ruby, Java, Go, Node.js, C++)
• Mobile SDKs (Android, iOS, …)
• IoT Device SDKs (Embedded C, Arduino, …)
• Example: AWS CLI is built on AWS SDK for Python
IAM Roles for Services
• Some AWS services will need to perform actions on your behalf
• To do so, we will assign permissions to
AWS services with IAM Roles
• Common roles:
• EC2 Instance Roles
• Lambda Function Roles
• Roles for CloudFormation
IAM Security Tools
• IAM Credentials Report (account-level)
• a report that lists all your account's users and the status of their
various credentials
• IAM Access Advisor (user-level)
• Access advisor shows the service permissions granted to a user and
when those services were last accessed.
• You can use this information to revise your policies.
IAM Guidelines & Best Practices
• Don’t use the root account except for AWS account setup
• One physical user = One AWS user
• Assign users to groups and assign permissions to groups
• Create a strong password policy
• Use and enforce the use of Multi Factor Authentication (MFA)
• Create and use Roles for giving permissions to AWS services
• Use Access Keys for Programmatic Access (CLI / SDK)
• Audit permissions of your account using IAM Credentials Report & IAM
Access Advisor
• Never share IAM users & Access Keys
Shared Responsibility Model for IAM
AWS
• Infrastructure (global network security)
• Configuration and vulnerability analysis
• Compliance validation
You
• Users, Groups, Roles, Policies management and monitoring
• Enable MFA on all accounts
• Rotate all your keys often
• Use IAM tools to apply appropriate permissions
• Analyze access patterns & review permissions
IAM Section – Summary
• Users: mapped to a physical user, has a password for AWS Console
• Groups: contains users only
• Policies: JSON document that outlines permissions for users or groups
• Roles: for EC2 instances or AWS services
• Security: MFA + Password Policy
• AWS CLI: manage your AWS services using the command-line
• AWS SDK: manage your AWS services using a programming language
• Access Keys: access AWS using the CLI or SDK
• Audit: IAM Credential Reports & IAM Access Advisor
EC2 Fundamentals Part 1 (Basic)
Amazon EC2 – Basics
Amazon EC2
• EC2 is one of the most popular AWS offerings
• EC2 = Elastic Compute Cloud = Infrastructure as a Service
• It mainly consists of the capability of:
• Renting virtual machines (EC2)
• Storing data on virtual drives (EBS)
• Distributing load across machines (ELB)
• Scaling the services using an auto-scaling group (ASG)
• Knowing EC2 is fundamental to understand how the Cloud works
EC2 - Sizing & configuration options
• Operating System (OS): Linux, Windows or Mac OS
• How much compute power & cores (CPU)
• How much random-access memory (RAM)
• How much storage space:
• Network-attached (EBS & EFS)
• hardware (EC2 Instance Store)
• Network card: speed of the card, Public IP address
• Firewall rules: security group
• Bootstrap script (configure at first launch): EC2 User Data
EC2 - User Data
• It is possible to bootstrap our instances using an EC2 User data script.
• bootstrapping means launching commands when a machine starts
• That script is only run once at the instance first start
• EC2 user data is used to automate boot tasks such as:
• Installing updates
• Installing software
• Downloading common files from the internet
• Anything you can think of
• The EC2 User Data Script runs with the root user
Hands-On: Launching an EC2 Instance running Linux
EC2 - Instance Types
• You can use different types of EC2 instances that are optimised for
different use cases (https://aws.amazon.com/ec2/instance-types/)
• AWS has the following naming convention:
• m: instance class
• 5: generation (AWS improves them over time)
• 2xlarge: size within the instance class
EC2 Instance Types - General Purpose
• General purpose instances provide a balance of
• Compute
• Memory
• Networking
• Great for
• web servers
• code repositories
https://aws.amazon.com/ec2/instance-types/
EC2 Instance Types - Compute Optimized
• Ideal for compute bound applications that benefit from high
performance processors. Great for:
• Compute intensive applications
• Batch processing workloads
• Media transcoding
• High performance web servers, computing (HPC)
• Scientific modeling, machine learning
• Dedicated gaming servers and ad server engines
https://aws.amazon.com/ec2/instance-types/
EC2 Instance Types - Memory Optimized
• Fast performance for workloads that process large data sets in memory.
• Great for
• Relational/non-relational databases
• Distributed web scale cache stores
• In-memory databases optimized for BI (business intelligence)
• Applications performing real-time processing of big unstructured data
https://aws.amazon.com/ec2/instance-types/
EC2 Instance Types - Storage Optimized
• High, sequential read and write access to very large data sets on local
storage.
• Great for
• High frequency online transaction processing (OLTP) systems
• Relational & NoSQL databases
• Cache for in-memory databases (for example, Redis)
• Data warehousing applications
• Distributed file systems
https://aws.amazon.com/ec2/instance-types/
EC2 - Security Groups
• Control how traffic is allowed into or out of our EC2 instances (firewall)
• Can be attached to multiple instances
• All inbound traffic is blocked by default
• All outbound traffic is authorised by default
• Security groups only contain allow rules
• Security groups rules can reference by IP or by security group
EC2 - Security Groups
Figure: Bastion SG and Web server SG, each with its inbound and outbound rules
Classic Ports to know
• 22 = SSH (Secure Shell) - log into a Linux instance
• 21 = FTP (File Transfer Protocol) – upload files into a file share
• 22 = SFTP (Secure File Transfer Protocol) – upload files using SSH
• 80 = HTTP – access unsecured websites
• 443 = HTTPS – access secured websites
• 3389 = RDP (Remote Desktop Protocol) – log into a Windows instance
EC2 - Connect to your EC2 instance
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/connect.html
EC2 Instance Connect
• Connect to your EC2 instance
within your browser
• No need to use your key file
• Need to make sure the port 22 is
still opened!
• Works only with Amazon Linux or Ubuntu
EC2 Instances Purchasing Options
• On-Demand Instances – short workload, predictable pricing, pay by second
• Reserved (1 & 3 years)
• Reserved Instances – long workloads
• Convertible Reserved Instances – long workloads with flexible instances
• Savings Plans (1 & 3 years) –commitment to an amount of usage, long
workload
• Spot Instances – short workloads, cheap, can lose instances (less reliable)
• Dedicated Hosts – book an entire physical server, control instance placement
• Dedicated Instances – no other customers will share your hardware
• Capacity Reservations – reserve capacity in a specific AZ for any duration
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-purchasing-options.html
EC2 On Demand
• Has the highest cost but no upfront payment
• Short-term and un-interrupted workloads
• Pay for what you use
• No long-term commitment
• Use case:
• Dev/stg/test environment
• Critical batch job
• System that runs only in business hours (ex: 8:00 – 17:00)
• System that scales frequently
EC2 Reserved Instances
• Up to 72% discount compared to On-demand
• Reserved Instances – reserve instance configuration (Type, Region, Tenancy,
OS)
• Reservation Period – 1 year (+discount) or 3 years (+++discount)
• Payment Options – No Upfront (+), Partial Upfront (++), All Upfront (+++)
• Reserved Instance’s Scope – Regional or Zonal (reserve capacity in an AZ)
• Recommended for steady-state usage applications (think database)
• Convertible Reserved Instances – flexible instances
• Can change the type, family, OS,..
• Up to 66% discount
EC2 Reserved Instances
• Use case:
• System that runs 24/7 for a long time
• Workload does not change for a long time
EC2 Savings Plans
• Commit to a consistent amount of usage, in USD per hour ($10/hour for
1 or 3 years)
• Up to 72% discount compared to On-demand
• Locked to a specific instance family & AWS region (e.g., M5 in us-east-1)
• Flexible across:
• Instance Size (e.g., m5.xlarge, m5.2xlarge)
• OS (e.g., Linux, Windows)
• Tenancy (Host, Dedicated, Default)
EC2 Savings Plans
• Use case:
• Same as for RI, system that runs 24/7 for a long time
• Workload need to change INSTANCE TYPE in a long run
EC2 Spot Instances
• Discount of up to 90% compared to On-demand
• If the current spot price > your max price, you can choose to stop or
terminate your instance within a 2-minute grace period.
• The MOST cost-efficient instances in AWS
• Spot Block: “block” spot instance during 1 to 6 hours without
interruptions
• Useful for workloads that can be interrupted
• Batch jobs
• Data analysis
• Workloads with a flexible start and end time
EC2 Dedicated Hosts
• A physical server with EC2 instance capacity fully dedicated to your use
• Use your existing server-bound software licenses (per-socket, per-core,
per-VM software licenses)
EC2 Dedicated Instances
• Instances run on hardware that’s dedicated to you
• May share hardware with other instances in the same account
• No control over instance placement (can move hardware after Stop /
Start)
• Use case:
• Systems with strict policies that must run in an isolated environment
(ex: bank system, hospital system)
Understanding AWS Tenancy
EC2 Capacity Reservations
• Reserve On-Demand instances capacity in a specific AZ for any duration
• You always have access to EC2 capacity when you need it
• No time commitment (create/cancel anytime), no billing discounts
• You’re charged at On-Demand rate whether you run instances or not
• Suitable for short-term, uninterrupted workloads that need to be in a
specific AZ
Which purchasing option is right for me?
• On demand: coming and staying in resort whenever we like,
we pay the full price
• Reserved: like planning ahead and if we plan to stay for a
long time, we may get a good discount.
• Savings Plans: pay a certain amount per hour for certain
period and stay in any room type (e.g., King, Suite, Sea View,
…)
• Spot instances: the hotel allows people to bid for the empty
rooms and the highest bidder keeps the rooms. You can get
kicked out at any time
• Dedicated Hosts: We book an entire building of the resort
• Capacity Reservations: you book a room for a period with full
price even you don’t stay in it
Exercise
• EC2 Basic
Section 2
• EC2 Instance Storage
• High Availability & Scalability: ELB & ASG
EC2 Instance Storage
EBS Volume, EC2 Instance Store, Elastic File System(EFS)
What’s an EBS Volume?
• An EBS (Elastic Block Store) Volume is a network drive you can attach to
your instances while they run
• It allows your instances to persist data, even after their termination
• They can only be mounted to one instance at a time (except: io1/io2)
• It’s locked to an Availability Zone (AZ)
• Free tier: 30 GB of free EBS storage of type General Purpose (SSD) or
Magnetic per month
https://docs.aws.amazon.com/ebs/latest/userguide/ebs-volumes.html
What’s an EBS Volume?
• By default, when you create an EC2 Instance, an EBS Volume is automatically
attached to it; this is called the Root EBS Volume.
• This volume contains OS and system files.
• You can add additional volumes if you want to. See example in the next
slide.
https://docs.aws.amazon.com/ebs/latest/userguide/ebs-volumes.html
EBS Volume - Example
• Example: You have an EC2 Windows instance, and you want to add
additional volume for D and E Drive
EBS Volume - Example
EBS Multi-Attach ( io1/io2 family only ) -
Up to 16 EC2 Instances at a time
EBS – Delete on Termination attribute
• By default, the root EBS volume is deleted (attribute enabled)
• By default, Non-root EBS volume is not deleted (attribute disabled)
• Use case: preserve root volume when instance is terminated
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/preserving-volumes-on-termination.html
EBS Snapshots
• Make a backup snapshot of your EBS volume at a point in time
• Not necessary to detach volume to do snapshot, but recommended
• Can copy snapshots across AZ or Region
https://docs.aws.amazon.com/ebs/latest/userguide/ebs-snapshots.html
AMI Overview
• AMI = Amazon Machine Image
• AMIs are a customization of an EC2 instance
• You add your own software, configuration, operating system, monitoring…
• Faster boot / configuration time because all your software is pre-packaged
• AMIs are built for a specific region (and can be copied across regions)
• You can launch EC2 instances from:
• A Public AMI: AWS provided
• Your own AMI: you make and maintain them yourself
• An AWS Marketplace AMI: an AMI someone else made (and potentially sells)
AMI Process (from an EC2 instance)
• Start an EC2 instance and customize it
• Stop the instance (for data integrity)
• Build an AMI – this will also create EBS snapshots
• Launch instances from other AMIs
EBS Snapshots vs AMI
• An EBS Snapshot is a copy of a
particular volume only.
• You cannot launch an EC2
instance from an EBS Snapshot.
• Use case:
• Backup data for a particular
volume, for example: D Drive, E
Drive, etc…
https://docs.aws.amazon.com/ebs/latest/userguide/ebs-snapshots.html
EBS Snapshots vs AMI
• AMI is a backup of your whole
EC2 instance, including EBS
snapshot.
• You can launch an EC2 instance
from an AMI.
• Use case:
• Backup your ec2 instance
• When your system scales, you need
multiple ec2 to handle the load
https://docs.aws.amazon.com/ebs/latest/userguide/ebs-snapshots.html
EBS Snapshots Features
• EBS Snapshot Archive
• Move a Snapshot to an "archive tier" that is 75%
cheaper
• Restoring from the archive takes 24 to 72 hours
• Recycle Bin for EBS Snapshots
• Setup rules to retain deleted snapshots so you can
recover them after an accidental deletion
• Specify retention (from 1 day to 1 year)
• Fast Snapshot Restore (FSR)
• Force full initialization of snapshot to have no
latency on the first use ($$$)
https://docs.aws.amazon.com/ebs/latest/userguide/ebs-snapshots.html
EBS Volume Types
• EBS Volumes come in 6 types
• gp2 / gp3 (SSD)
• io1 / io2 Block Express (SSD)
• st1 (HDD)
• sc1 (HDD)
• EBS Volumes are characterized in Size | Throughput | IOPS (I/O Ops Per
Sec)
• Only gp2/gp3 and io1/io2 Block Express can be used as boot volumes
General Purpose SSD
• General purpose SSD volume that balances price and performance
• Cost effective storage, low-latency
• gp3:
• Baseline of 3,000 IOPS and throughput of 125 MiB/s
• Can increase IOPS up to 16,000 and throughput up to 1000 MiB/s independently
• gp2:
• Small gp2 volumes can burst IOPS to 3,000
• Size of the volume and IOPS are linked, max IOPS is 16,000
• 3 IOPS per GB, so at 5,334 GB we reach the max IOPS
Provisioned IOPS (PIOPS) SSD
• Highest-performance SSD volume for mission-critical low-latency or high-
throughput workloads
• Or applications that need more than 16,000 IOPS
• Great for databases workloads
• io1 (4 GiB - 16 TiB):
• Max PIOPS: 64,000 for Nitro EC2 instances & 32,000 for others
• Can increase PIOPS independently from storage size
• io2 Block Express (4 GiB – 64 TiB):
• Sub-millisecond latency
• Max PIOPS: 256,000 with an IOPS:GiB ratio of 1,000:1
• Supports EBS Multi-attach
Hard Disk Drives (HDD)
• Throughput Optimized HDD (st1)
• Big Data, Data Warehouses, Log Processing
• Max throughput 500 MiB/s – max IOPS 500
• Cold HDD (sc1):
• For data that is infrequently accessed
• Scenarios where lowest cost is important
• Max throughput 250 MiB/s – max IOPS 250
EBS - Volume Types Summary - SSD
Solid state drive (SSD) volumes
Volume type | gp3 (General Purpose SSD) | gp2 (General Purpose SSD) | io2 Block Express (Provisioned IOPS SSD) | io1 (Provisioned IOPS SSD)
Durability | 99.8% - 99.9% (0.1% - 0.2% annual failure rate) | 99.8% - 99.9% (0.1% - 0.2% annual failure rate) | 99.999% (0.001% annual failure rate) | 99.8% - 99.9% (0.1% - 0.2% annual failure rate)
Use cases | Transactional workloads; virtual desktops; medium-sized, single-instance databases; low-latency interactive applications; boot volumes; development and test environments | (same as gp3) | Sub-millisecond latency; sustained IOPS performance; more than 64,000 IOPS or 1,000 MiB/s of throughput | Sustained IOPS performance or more than 16,000 IOPS; I/O-intensive database workloads
Volume size | 1 GiB - 16 TiB | 1 GiB - 16 TiB | 4 GiB - 64 TiB | 4 GiB - 16 TiB
Max IOPS per volume | 16,000 (64 KiB I/O) | 16,000 (16 KiB I/O) | 256,000 (16 KiB I/O) | 64,000 (16 KiB I/O)
Max throughput per volume | 1,000 MiB/s | 250 MiB/s | 4,000 MiB/s | 1,000 MiB/s
Amazon EBS Multi-attach | Not supported | Not supported | Supported | Supported
NVMe reservations | Not supported | Not supported | Supported | Not supported
Boot volume | Supported | Supported | Supported | Supported
https://docs.aws.amazon.com/ebs/latest/userguide/ebs-volume-types.html
EBS - Volume Types Summary - HDD
Hard disk drive (HDD) volumes
Volume type | st1 (Throughput Optimized HDD) | sc1 (Cold HDD)
Durability | 99.8% - 99.9% (0.1% - 0.2% annual failure rate) | 99.8% - 99.9% (0.1% - 0.2% annual failure rate)
Use cases | Big data; data warehouses; log processing | Throughput-oriented storage for data that is infrequently accessed; scenarios where the lowest storage cost is important
Volume size | 125 GiB - 16 TiB | 125 GiB - 16 TiB
Max IOPS per volume (1 MiB I/O) | 500 | 250
Max throughput per volume | 500 MiB/s | 250 MiB/s
Amazon EBS Multi-attach | Not supported | Not supported
Boot volume | Not supported | Not supported
EBS Multi-Attach – io1/io2 family
• Attach the same EBS volume to multiple EC2
instances in the same AZ
• Use case:
• Achieve higher application availability in clustered
Linux applications (ex: Teradata)
• Applications must manage concurrent write
operations
• Up to 16 EC2 Instances at a time
EBS Encryption
• When you create an encrypted EBS volume, you get the following:
• Data at rest is encrypted inside the volume
• All the data in flight moving between the instance and the volume is encrypted
• All snapshots are encrypted
• All volumes created from the snapshot are encrypted
• Encryption has a minimal impact on latency
• EBS Encryption leverages keys from KMS (AES-256)
• Copying an unencrypted snapshot allows encryption
• Snapshots of encrypted volumes are encrypted
https://docs.aws.amazon.com/ebs/latest/userguide/encryption-examples.html
Encryption: encrypt an unencrypted EBS volume
• Create an EBS snapshot of the volume
• Encrypt the EBS snapshot (using copy)
• Create a new EBS volume from the snapshot (the volume will also be
encrypted)
• Now you can attach the encrypted volume to the original instance
EC2 Instance Store
• EC2 Instance Store is a high-performance
hardware disk
• Better I/O performance
• Risk of data loss when EC2 are stopped
(ephemeral)
• Good for buffer / cache / scratch data /
temporary content
• Some instance types do not support
instance store volumes
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/InstanceStorage.html
Amazon EFS – Elastic File System
• Managed NFS (network file system)
• Can be mounted on many EC2 instances
• EFS works with EC2 instances in Multi-AZ
• Highly available, scalable, expensive (3x gp2)
• Use cases:
• Content management, web serving, data sharing
• Uses NFSv4.1 protocol
• Compatible with Linux based AMI (not
Windows)
• POSIX file system (~Linux)
https://docs.aws.amazon.com/efs/latest/ug/whatisefs.html
Amazon EFS – Storage Classes
Storage class | Designed for | Durability | First byte read latency | Minimum billing charge per file | Minimum storage duration
EFS Standard | Active data requiring fast sub-millisecond latency performance | 99.999999999% | Sub-millisecond | Not applicable | Not applicable
EFS IA (Infrequent Access) | Inactive data that is accessed only a few times each quarter | 99.999999999% | Tens of milliseconds | 128 KiB | Not applicable
EFS Archive | Inactive data that is accessed a few times each year or less | 99.999999999% | Tens of milliseconds | 128 KiB | 90 days
https://aws.amazon.com/efs/storage-classes/
EBS vs EFS vs Instance store
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Storage.html
High Availability & Scalability
ELB & ASG
Scalability & High Availability
• Scalability means that an application / system can handle greater loads
by adapting.
• There are two kinds of scalability:
• Vertical Scalability
• Horizontal Scalability (= elasticity)
• Scalability is linked to, but different from, High Availability
Vertical Scalability
• Vertical scalability (= scale up / down) means
increasing the size of the instance
• Vertical scalability is very common for non-distributed systems, such as a database.
• RDS, ElastiCache are services that can scale vertically.
Figure: EC2 Instance T2.micro (1 vCPU/1 GB memory) scaled up to EC2 Instance M5.large (2 vCPUs/8 GB memory)
Horizontal Scalability
• Horizontal Scalability (= scale out / in) means increasing the number of
instances / systems for your application
• Horizontal scaling implies distributed systems.
• This is very common for web applications / modern applications
Figure: Auto Scaling group containing four EC2 Instances (T2.micro)
High Availability
• High Availability usually goes hand in hand with
horizontal scaling
• High availability means running your application /
system in at least 2 data centers (== Availability
Zones)
• The goal of high availability is to survive a data
center loss
• The high availability can be passive (for RDS Multi
AZ for example)
• The high availability can be active (for horizontal
scaling)
High Availability & Scalability For EC2
• Vertical Scaling: Increase instance size (= scale up / down)
• From: t2.nano - 0.5G of RAM, 1 vCPU
• To: u-12tb1.metal – 12.3 TB of RAM, 448 vCPUs
• Horizontal Scaling: Increase number of instances (= scale out / in)
• Auto Scaling Group
• Load Balancer
• High Availability: Run instances for the same application across multi AZ
• Auto Scaling Group multi AZ
• Load Balancer multi AZ
High Availability & Scalability For EC2
What is load balancing?
• Load Balancers are servers that forward traffic to multiple servers (e.g.,
EC2 instances) downstream
Why use a load balancer?
• Spread load across multiple downstream instances
• Expose a single point of access (DNS) to your application
• Seamlessly handle failures of downstream instances
• Do regular health checks on your instances
• Provide SSL termination (HTTPS) for your websites
• Enforce stickiness with cookies
• High availability across zones
• Separate public traffic from private traffic
Why use an Elastic Load Balancer?
• An Elastic Load Balancer is a managed load balancer
• AWS operates it and is responsible for keeping it running
• AWS takes care of upgrades, maintenance, high availability
• AWS provides only a few configuration knobs
• It is integrated with many AWS offerings / services
• EC2, EC2 Auto Scaling Groups, Amazon ECS
• AWS Certificate Manager (ACM), CloudWatch
• Route 53, AWS WAF, AWS Global Accelerator
Health Checks
• Health Checks are crucial for Load Balancers
• They enable the load balancer to know if the instances it forwards traffic to are available to reply to requests
• The health check is done on a port and a route (/health is common)
• By default, a response other than 200 (OK) marks the target unhealthy; ALB target groups let you configure the accepted success codes (e.g., 200-299)
• Unhealthy targets stop receiving new requests until they pass the check again
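The following is an added example of a /health endpoint for a target behind an ALB; it is not code from the course. It illustrates a choice the slide leaves implicit: if the check fails whenever a shared dependency (database, downstream API) is down, every target fails at once and the Auto Scaling Group replaces machines that are actually fine. Here only instance-local probes decide the status code, shared-dependency results are reported in the body only, and the probes and the 8080 port are constructed stand-ins.

```python
"""A /health endpoint for an EC2 target behind an Application Load Balancer.

Added example; it is not code from the course. Only instance-local probes
decide the HTTP status, because a check that fails on a shared dependency
takes every target out of service at once. Shared-dependency results are
still reported in the body. The probes are constructed stand-ins.
"""
import json
import time
from typing import Callable, Dict, List, Tuple

# (name, check function returning True when healthy, instance_local)
Probe = Tuple[str, Callable[[], bool], bool]


def evaluate_health(probes: List[Probe], budget_s: float = 2.0) -> Tuple[int, Dict]:
    """Run the probes inside a total time budget; return (status_code, report).

    The ALB health check has its own timeout (5 s by default); answering
    slower than that counts as a failure, so the endpoint budgets its work.
    """
    deadline = time.monotonic() + budget_s
    report: Dict[str, str] = {}
    healthy = True
    for name, check, local in probes:
        if time.monotonic() > deadline:
            report[name] = "skipped"
            healthy = healthy and not local   # an unrun local probe is a failure
            continue
        try:
            ok = bool(check())
            report[name] = "ok" if ok else "fail"
        except Exception as exc:  # a probe that raises is a failed probe
            ok = False
            report[name] = "error:" + type(exc).__name__  # class name only, no details
        if local and not ok:
            healthy = False
    status = "ok" if healthy else "unhealthy"
    return (200 if healthy else 503), {"status": status, "checks": report}


def health_app(probes: List[Probe]):
    """WSGI application serving GET /health; everything else is 404."""
    def app(environ, start_response):
        if environ.get("PATH_INFO") != "/health" or environ.get("REQUEST_METHOD") != "GET":
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"not found"]
        code, report = evaluate_health(probes)
        reason = "OK" if code == 200 else "Service Unavailable"
        body = json.dumps(report).encode()
        start_response(f"{code} {reason}", [("Content-Type", "application/json"),
                                            ("Cache-Control", "no-store")])
        return [body]
    return app


# Constructed probes: the app's own worker loop is local; the database is shared.
SAMPLE_PROBES: List[Probe] = [
    ("worker-loop", lambda: True, True),
    ("database", lambda: False, False),
]

if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8080, health_app(SAMPLE_PROBES)).serve_forever()
```

The body deliberately carries only "ok", "fail" or an exception class name: the endpoint is unauthenticated and reachable by anything that can reach the target, so it must not leak hostnames, versions or error text.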
Load Balancer Security Groups
• Load Balancer Security Group: allow inbound HTTP/HTTPS from the clients it serves (for a public-facing load balancer, typically any source address)
• Application Security Group: allow inbound traffic on the application port only from the Load Balancer's security group (reference the security group as the source, not an IP range, since load balancer node addresses change)
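An added audit for the rule above, not course material: it walks security groups in the shape returned by boto3's EC2 describe_security_groups() and flags any application group that admits the app port from a CIDR or from a group other than the load balancer's. The group IDs, names, port and CIDRs are constructed for the example.

```python
"""Audit: application security groups must admit the app port only from the
load balancer's security group.

Added example, not course material. The input has the shape of boto3's
EC2.Client.describe_security_groups() response; the groups, IDs, ports and
CIDRs below are constructed for the example.
"""
from typing import Dict, Iterable, List

# Constructed sample: the ALB's own group, a correct app group, one that also
# exposes the app port to the Internet, and one that trusts the wrong group.
SAMPLE_GROUPS: List[Dict] = [
    {"GroupId": "sg-0lb00000000000001", "GroupName": "alb-sg",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0app0000000000001", "GroupName": "app-sg-good",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
          "IpRanges": [], "Ipv6Ranges": [],
          "UserIdGroupPairs": [{"GroupId": "sg-0lb00000000000001"}]}]},
    {"GroupId": "sg-0app0000000000002", "GroupName": "app-sg-open",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
          "UserIdGroupPairs": [{"GroupId": "sg-0lb00000000000001"}]}]},
    {"GroupId": "sg-0app0000000000003", "GroupName": "app-sg-wrong-source",
     "IpPermissions": [
         {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
          "UserIdGroupPairs": [{"GroupId": "sg-0bastion000000001"}]}]},
]


def _admits_tcp_port(perm: Dict, port: int) -> bool:
    """True when an IpPermission entry lets TCP traffic reach `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # all protocols and all ports
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1)


def audit_app_security_groups(groups: List[Dict], app_sg_ids: Iterable[str],
                              lb_sg_id: str, app_port: int) -> List[str]:
    """Return one finding per ingress source on app_port that is not the LB group."""
    wanted = set(app_sg_ids)
    findings: List[str] = []
    for sg in groups:
        if sg["GroupId"] not in wanted:
            continue
        label = f"{sg['GroupId']} ({sg['GroupName']})"
        for perm in sg.get("IpPermissions", []):
            if not _admits_tcp_port(perm, app_port):
                continue
            # Any CIDR source is wrong: a CIDR cannot be pinned to the LB nodes,
            # whose addresses change; the LB security group must be the source.
            for rng in perm.get("IpRanges", []):
                findings.append(f"{label}: port {app_port} open to {rng['CidrIp']}")
            for rng in perm.get("Ipv6Ranges", []):
                findings.append(f"{label}: port {app_port} open to {rng['CidrIpv6']}")
            for pair in perm.get("UserIdGroupPairs", []):
                if pair.get("GroupId") != lb_sg_id:
                    findings.append(f"{label}: port {app_port} accepts group "
                                    f"{pair.get('GroupId')}, expected only {lb_sg_id}")
    return findings


if __name__ == "__main__":
    # Live data: groups = boto3.client("ec2").describe_security_groups()["SecurityGroups"]
    for line in audit_app_security_groups(
            SAMPLE_GROUPS,
            ["sg-0app0000000000001", "sg-0app0000000000002", "sg-0app0000000000003"],
            "sg-0lb00000000000001", 8080):
        print(line)
```

Note that an "all traffic" rule (IpProtocol -1) is treated as covering the app port, which is what makes the third sample group a finding even though it never names port 8080.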
Types of load balancer on AWS
• Application Load Balancer: Layer 7; target types IP, Instance, Lambda; protocol listeners HTTP, HTTPS, gRPC
• Network Load Balancer: Layer 4; target types IP, Instance, Application Load Balancer; protocol listeners TCP, UDP, TLS
• Gateway Load Balancer: Layer 3 Gateway + Layer 4 Load Balancing; target types IP, Instance; protocol listener IP
• Classic Load Balancer: Layer 4/7; protocol listeners TCP, SSL/TLS, HTTP, HTTPS
https://aws.amazon.com/elasticloadbalancing/features/#Product_comparisons
Application Load Balancer (v2)
• Application Load Balancers operate at Layer 7 (HTTP) of the OSI model (support HTTP/HTTPS)
• Load balancing to multiple HTTP applications across machines (target groups)
• Load balancing to multiple applications on the same machine (ex: containers)
• Support for HTTP/2 and WebSocket
• Support redirects (from HTTP to HTTPS for example)
Application Load Balancer (v2)
• Routing rules to different target groups:
• Routing based on path in URL (example.com/users & example.com/posts)
• Routing based on hostname in URL (one.example.com & other.example.com)
• Routing based on Query String, Headers (example.com/users?id=123&order=false)
• ALBs are a great fit for microservices & container-based applications (example: Docker & Amazon ECS)
• Has a port mapping feature to forward to a dynamic port in ECS
Application Load Balancer (v2)
Target Groups
• EC2 instances (can be managed by an Auto Scaling Group) – HTTP
• ECS tasks (managed by ECS itself) – HTTP
• Lambda functions – HTTP request is translated into a JSON event
• IP Addresses – must be private IPs
• ALB can route to multiple target groups
• Health checks are at the target group level
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-target-groups.html
Application Load Balancer (v2)
HTTP Based Traffic
Application Load Balancer (v2)
Query Strings/Parameters Routing
Application Load Balancer (v2)
Good to Know
• Fixed hostname (XXX.region.elb.amazonaws.com)
• The application servers don't see the IP of the client directly; the TCP connection they accept comes from the load balancer
• The true IP of the client is inserted in the header X-Forwarded-For (the ALB appends it as the last entry; earlier entries are client-supplied and can be forged, so trust only the entry the ALB added, and only on requests that arrived from the ALB)
• The original protocol and port arrive the same way, in X-Forwarded-Proto and X-Forwarded-Port
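An added example of reading X-Forwarded-For safely; it is not code from the course. It walks the header right-to-left, skipping addresses that belong to our own proxies, and refuses the header outright when the TCP peer is not the load balancer. The trusted proxy subnet (10.0.0.0/16) and all sample addresses are constructed.

```python
"""Recovering the client IP behind an ALB from X-Forwarded-For.

Added example; not code from the course. The ALB appends the address it
saw the connection come from as the LAST entry of X-Forwarded-For, so
that entry is the only one the application can trust: anything to its
left was supplied by the client or an upstream proxy and is trivially
forged. The trusted proxy range and the sample addresses are constructed.
"""
import ipaddress
from typing import List, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Assumed: the subnets the ALB nodes live in. Replace with your ALB subnets.
TRUSTED_PROXY_NETS = [ipaddress.ip_network("10.0.0.0/16")]


def _trusted(addr: IPAddress) -> bool:
    return any(addr in net for net in TRUSTED_PROXY_NETS)


def client_ip(xff_header: Optional[str], peer_ip: str) -> Optional[str]:
    """Return the client IP as observed by the load balancer, or None.

    peer_ip is the TCP peer the application accepted the request from.
    If that peer is not a trusted proxy the request bypassed the load
    balancer and the header is ignored; the security group that admits
    only the LB is the first line of defence, this check is the second.
    """
    try:
        peer = ipaddress.ip_address(peer_ip)
    except ValueError:
        return None
    if not _trusted(peer) or not xff_header:
        return None
    hops: List[str] = [h.strip() for h in xff_header.split(",") if h.strip()]
    # Walk right-to-left past our own proxies; the first address that is not
    # one of ours is the client as seen by the outermost trusted hop.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry: refuse rather than guess
        if not _trusted(addr):
            return str(addr)
    return None


def request_was_https(environ: dict) -> bool:
    """The ALB terminates TLS, so the app sees plain HTTP; the original scheme
    arrives in X-Forwarded-Proto and is only meaningful behind the ALB."""
    try:
        peer_ok = _trusted(ipaddress.ip_address(environ.get("REMOTE_ADDR", "")))
    except ValueError:
        return False
    return peer_ok and environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"
```

Rate limiting, audit logging and geo rules should all key on the value client_ip() returns, never on the leftmost header entry, which is exactly what an attacker controls.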
Network Load Balancer (v2)
• Network Load Balancers (Layer 4) allow you to:
• Forward TCP & UDP traffic to your instances
• Handle millions of requests per second
• Less latency ~100 ms (vs 400 ms for ALB)
• NLB has one static IP per AZ, and supports assigning an Elastic IP (helpful for allow-listing specific IPs in client firewalls)
• NLBs are used for extreme performance, TCP or UDP traffic
• Not included in the AWS free tier
Network Load Balancer –Target Groups
• EC2 instances
• IP Addresses – must be private IPs
• Application Load Balancer
• Health Checks support the TCP, HTTP and HTTPS Protocols
Network Load Balancer (v2)
TCP (Layer 4) Based Traffic
Gateway Load Balancer
• Deploy, scale, and manage a fleet of 3rd party
network virtual appliances in AWS
• Example: Firewalls, Intrusion Detection and
Prevention Systems, Deep Packet Inspection Systems,
payload manipulation, …
• Operates at Layer 3 (Network Layer) – IP Packets
• Combines the following functions:
• Transparent Network Gateway – single entry/exit for all
traffic
• Load Balancer – distributes traffic to your virtual appliances
• Uses the GENEVE protocol on port 6081
Gateway Load Balancer –Target Groups
• EC2 instances
• IP Addresses – must be private IPs
Sticky Sessions (Session Affinity)
• It is possible to implement stickiness so that the same client is always routed to the same instance behind a load balancer
• This works for Classic Load Balancer, Application Load Balancer, and Network Load Balancer
• For both CLB & ALB, the "cookie" used for stickiness has an expiration date you control
• Use case: make sure the user doesn't lose his session data
• Enabling stickiness may bring imbalance to the load over the backend EC2 instances
Cross-Zone Load Balancing
• With Cross-Zone Load Balancing: each load balancer node distributes evenly across all registered instances in all AZs
• Without Cross-Zone Load Balancing: each load balancer node distributes requests only to the instances in its own AZ
Cross-Zone Load Balancing
• Application Load Balancer
• Enabled by default (can be disabled at the Target Group level)
• No charges for inter AZ data
• Network Load Balancer & Gateway Load Balancer
• Disabled by default
• You pay charges ($) for inter AZ data if enabled
SSL/TLS - Basics
• An SSL certificate allows traffic between your clients and your load balancer to be encrypted in transit (in-flight encryption)
• SSL refers to Secure Sockets Layer, used to encrypt connections
• TLS refers to Transport Layer Security, which is a newer version
• Nowadays, TLS certificates are mainly used, but people still refer to them as SSL
• Public SSL certificates are issued by Certificate Authorities (CA)
• Comodo, Symantec, GoDaddy, GlobalSign, Digicert, Letsencrypt, etc…
• SSL certificates have an expiration date (set by the issuing CA, not by you) and must be renewed before it passes
Load Balancer - SSL Certificates
• The load balancer uses an X.509 certificate (SSL/TLS server certificate)
• You can manage certificates using ACM (AWS Certificate Manager)
• Alternatively, you can upload your own certificates
• HTTPS listener:
• You must specify a default certificate
• You can add an optional list of certs to support multiple domains
• Clients use SNI (Server Name Indication) to indicate the hostname they are connecting to, so the load balancer can select the matching certificate
SSL – Server Name Indication (SNI)
• SNI solves the problem of loading multiple
SSL certificates onto one web server (to
serve multiple websites)
• Note:
• Only works for ALB & NLB (newer
generation), CloudFront
• Does not work for CLB (older gen)
Connection Draining
• Feature naming
• Connection Draining – for CLB
• Deregistration Delay – for ALB & NLB
• Time to complete “in-flight requests” while the
instance is de-registering or unhealthy
• Stops sending new requests to the EC2 instance
which is de-registering
• Between 1 to 3600 seconds (default: 300
seconds)
• Can be disabled (set value to 0)
• Set to a low value if your requests are short
What’s an Auto Scaling Group?
• In real-life, the load on your websites and application can change
• The goal of an Auto Scaling Group (ASG) is to:
• Scale out (add EC2 instances) to match an increased load
• Scale in (remove EC2 instances) to match a decreased load
• Ensure we have a minimum and a maximum number of EC2 instances running
• Automatically register new instances to a load balancer
• Re-create an EC2 instance in case a previous one is terminated (ex: if unhealthy)
• ASG are free (you only pay for the underlying EC2 instances)
Auto Scaling Group in AWS (diagram)
Auto Scaling Group in AWS With Load Balancer (diagram)
Auto Scaling Group Attributes
• A Launch Template (older “Launch Configurations” are deprecated)
• AMI + Instance Type
• EC2 User Data
• EBS Volumes
• Security Groups
• SSH Key Pair
• IAM Roles for your EC2 Instances
• Network + Subnets Information
• Load Balancer Information
• Min Size / Max Size / Initial Capacity
• Scaling Policies
https://docs.aws.amazon.com/autoscaling/ec2/userguide/launch-templates.html
Auto Scaling - CloudWatch Alarms & Scaling
• It is possible to scale an ASG based on CloudWatch alarms
• An alarm monitors a metric (such as Average CPU, or a custom metric)
• Metrics such as Average CPU are computed for the overall ASG instances
• Based on the alarm:
• We can create scale-out policies (increase the number of instances)
• We can create scale-in policies (decrease the number of instances)
Auto Scaling Groups – Scaling Policies
• Dynamic Scaling
• Target Tracking Scaling (strongly recommended)
• Scale a resource based on a target value for a specific CloudWatch metric
• Example: I want the average ASG CPU to stay at around 40%
• Simple / Step Scaling
• When a CloudWatch alarm is triggered (example CPU > 70%), then add 2 units
• When a CloudWatch alarm is triggered (example CPU < 30%), then remove 1
• Scheduled Scaling
• Scale based on known usage patterns
• Example: increase the min capacity to 10 at 5 pm on Fridays
Auto Scaling Groups – Scaling Policies
• Predictive scaling:
• Uses machine learning to predict capacity requirements based on historical data
from CloudWatch
https://docs.aws.amazon.com/autoscaling/plans/userguide/how-it-works.html
Good metrics to scale on
• CPUUtilization: Average CPU utilization
across your instances
• RequestCountPerTarget: to make sure the
number of requests per EC2 instances is
stable
• Average Network In / Out (if your application is network bound)
• Any custom metric (that you push using CloudWatch)
Auto Scaling Groups - Scaling Cooldowns
• After a scaling activity happens, you are in
the cooldown period (default 300 seconds)
• During the cooldown period, the ASG will
not launch or terminate additional instances
(to allow for metrics to stabilize)
• Advice: use a ready-to-use AMI to reduce configuration time, so new instances serve requests sooner and the cooldown period can be shortened
https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-scaling-cooldowns.html
Auto Scaling – Instance Refresh
• Goal: update the launch template and then re-create all EC2 instances
• For this we can use the native feature of Instance Refresh
• Setting of minimum healthy percentage
• Specify warm-up time (how long until the instance is ready to use)
Exercise
• Application Load Balancer
• Application Load Balancer and EC2 Auto Scaling Group
Section 3
• RDS, Aurora & ElastiCache
• Route53
RDS, Aurora & ElastiCache
Amazon RDS Overview
• RDS stands for Relational Database Service
• It's a managed DB service for databases that use SQL as a query language
• It allows you to create databases in the cloud that are managed by AWS
• Postgres
• MySQL
• MariaDB
• Oracle
• Microsoft SQL Server
• IBM DB2
• Aurora (AWS Proprietary database)
Advantages of RDS over deploying a DB on EC2
• RDS is a managed service:
• Automated provisioning, OS patching
• Continuous backups and restore to specific timestamp (Point in Time Restore)!
• Monitoring dashboards
• Read replicas for improved read performance
• Multi AZ setup for DR (Disaster Recovery)
• Maintenance windows for upgrades
• Scaling capability (vertical and horizontal)
• Storage backed by EBS (gp2 or io1)
RDS – Storage Auto Scaling
• Helps you increase storage on your RDS DB instance dynamically
• When RDS detects you are running out of free database storage, it scales automatically
• Avoids manually scaling your database storage
• You have to set a Maximum Storage Threshold (maximum limit for DB storage)
• Automatically modifies storage if:
• Free storage is less than 10% of allocated storage
• Low storage lasts at least 5 minutes
• 6 hours have passed since the last modification
• Useful for applications with unpredictable workloads
• Supports all RDS database engines
RDS Read Replicas for read scalability
• Up to 15 Read Replicas
• Within AZ, Cross AZ or Cross Region
• Replication is ASYNC, so reads are
eventually consistent
• Replicas can be promoted to their own
DB
• Applications must update the
connection string to leverage read
replicas
RDS Read Replicas – Use Cases
• You have a production database
that is taking on normal load
• You want to run a reporting
application to run some analytics
• You create a Read Replica to run
the new workload there
• The production application is
unaffected
• Read replicas are used for SELECT
(=read) only kind of statements
(not INSERT, UPDATE, DELETE)
RDS Read Replicas – Network Cost
• In AWS there’s a network cost when data goes from one AZ to another
• For RDS Read Replicas within the same region, you don’t pay that fee
RDS Multi AZ (Disaster Recovery)
• SYNC replication
• One DNS name – automatic app
failover to standby
• Increase availability
• Failover in case of loss of AZ, loss of
network, instance or storage failure
• No manual intervention in apps
• Not used for scaling
• Note: Read Replicas can themselves be set up as Multi-AZ for Disaster Recovery (DR)
RDS – From Single-AZ to Multi-AZ
• Zero downtime operation (no
need to stop the DB)
• Just click on “modify” for the
database
• The following happens internally:
• A snapshot is taken
• A new DB is restored from the
snapshot in a new AZ
• Synchronization is established
between the two databases
Amazon Aurora
• Aurora is a proprietary technology from AWS (not open sourced)
• Postgres and MySQL are both supported as Aurora DB
• Aurora is “AWS cloud optimized” and claims 5x performance improvement over
MySQL on RDS, over 3x the performance of Postgres on RDS
• Aurora storage automatically grows in increments of 10GB, up to 128 TB.
• Aurora can have up to 15 replicas and the replication process is faster than MySQL
(sub 10 ms replica lag)
• Failover in Aurora is instantaneous. It’s HA (High Availability) native.
• Aurora costs more than RDS (20% more) – but is more efficient
Aurora High Availability and Read Scaling
• 6 copies of your data across 3 AZ:
• 4 copies out of 6 needed for writes
• 3 copies out of 6 need for reads
• Self healing with peer-to-peer replication
• Storage is striped across 100s of volumes
• One Aurora Instance takes writes (master)
• Automated failover for master in less than
30 seconds
• Master + up to 15 Aurora Read Replicas
serve reads
• Support for Cross Region Replication
Aurora DB Cluster (diagram)
Features of Aurora
• Automatic fail-over
• Backup and Recovery
• Isolation and security
• Industry compliance
• Push-button scaling
• Automated Patching with Zero Downtime
• Advanced Monitoring
• Routine Maintenance
• Backtrack: restore data at any point of time without using backups
RDS & Aurora Security
• At-rest encryption:
• Database master & replicas encryption using AWS KMS – must be defined at launch time
• If the master is not encrypted, the read replicas cannot be encrypted
• To encrypt an un-encrypted database, take a DB snapshot and restore it as encrypted
• In-flight encryption: TLS-ready by default; enforce it on the engine side (e.g., the rds.force_ssl parameter for PostgreSQL, require_secure_transport for MySQL) and verify the server certificate client-side against the AWS RDS root CA bundle
• IAM Authentication: connect with a short-lived token (valid 15 minutes) generated from IAM credentials instead of a database password; the IAM principal needs the rds-db:connect permission
• Security Groups: control network access to your RDS / Aurora DB
• No SSH available except on RDS Custom
• Audit Logs can be enabled and sent to CloudWatch Logs for longer retention
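An added example tying together IAM database authentication and verified TLS for RDS/Aurora PostgreSQL; it is not course code. It builds the least-privilege IAM policy, fetches the token with boto3's real RDS generate_db_auth_token call (imported lazily so the other helpers run offline), and produces psycopg2-style connection parameters that refuse an unverified server certificate. The account ID, DB resource ID, host and CA bundle path are assumed values.

```python
"""IAM database authentication plus verified TLS for RDS / Aurora PostgreSQL.

Added example, not from the course. Uses boto3's RDS.Client.generate_db_auth_token
(a real call, imported lazily so the rest runs without AWS access) and
psycopg2-style connection keyword arguments. Account ID, resource ID, host
and CA bundle path are assumed values for illustration.
"""
from typing import Dict

# Assumed: the AWS-published RDS CA bundle, shipped with the application.
RDS_CA_BUNDLE = "/etc/ssl/certs/rds-global-bundle.pem"
TOKEN_LIFETIME_S = 15 * 60   # an IAM auth token is valid for 15 minutes


def connect_policy(region: str, account_id: str, db_resource_id: str, db_user: str) -> Dict:
    """Least-privilege IAM policy: one database user on one DB instance."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "rds-db:connect",
            "Resource": f"arn:aws:rds-db:{region}:{account_id}:dbuser:{db_resource_id}/{db_user}",
        }],
    }


def iam_auth_token(host: str, port: int, user: str, region: str) -> str:
    """SigV4-signed token used in place of the database password."""
    import boto3  # lazy: only needed when actually talking to AWS
    rds = boto3.client("rds", region_name=region)
    return rds.generate_db_auth_token(DBHostname=host, Port=port, DBUsername=user, Region=region)


def connection_kwargs(host: str, port: int, dbname: str, user: str, token: str,
                      ca_bundle: str = RDS_CA_BUNDLE) -> Dict[str, object]:
    """Keyword arguments for psycopg2.connect(**kwargs).

    sslmode=verify-full checks the certificate chain AND that the name in
    the certificate matches `host`; 'require' alone would happily talk to
    an interposed server presenting any certificate.
    """
    if not ca_bundle:
        raise ValueError("verify-full needs the RDS CA bundle")
    return {
        "host": host, "port": port, "dbname": dbname, "user": user,
        "password": token,              # the token travels as the password
        "sslmode": "verify-full",
        "sslrootcert": ca_bundle,
        "connect_timeout": 5,
    }


def token_is_fresh(issued_at: float, now: float, margin_s: int = 60) -> bool:
    """Tokens expire 15 minutes after issue; regenerate rather than cache past that."""
    return now < issued_at + TOKEN_LIFETIME_S - margin_s


def check_kwargs(kwargs: Dict[str, object]) -> bool:
    """Guard that no caller downgraded the TLS settings."""
    return kwargs.get("sslmode") == "verify-full" and bool(kwargs.get("sslrootcert"))
```

On the database side the user must be created with IAM authentication enabled (for PostgreSQL, GRANT rds_iam TO the role); with that in place there is no long-lived password to leak, and the IAM policy above scopes who may even attempt a login.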
Amazon RDS Proxy
• Fully managed database proxy for RDS
• Allows apps to pool and share DB connections established with the
database
• Improving database efficiency by reducing the stress on database
resources (e.g., CPU, RAM) and minimize open connections (and
timeouts)
• Serverless, autoscaling, highly available (multi-AZ)
• Reduces RDS & Aurora failover time by up to 66%
• Supports RDS (MySQL, PostgreSQL, MariaDB, MS SQL Server) and
Aurora (MySQL, PostgreSQL)
• No code changes required for most apps
• Enforce IAM Authentication for DB, and securely store credentials in
AWS Secrets Manager
• RDS Proxy is never publicly accessible (must be accessed from VPC)
Amazon ElastiCache Overview
• The same way RDS is to get managed Relational Databases…
• ElastiCache is to get managed Redis or Memcached
• Caches are in-memory databases with really high performance, low
latency
• Helps reduce load off of databases for read intensive workloads
• Helps make your application stateless
• AWS takes care of OS maintenance / patching, optimizations, setup,
configuration, monitoring, failure recovery and backups
• Using ElastiCache involves heavy application code changes
ElastiCache Solution Architecture - DB Cache
• The application queries ElastiCache first; on a miss it reads from RDS and stores the result in ElastiCache
• Helps relieve load on RDS
• The cache must have an invalidation strategy to make sure only the most current data is used
ElastiCache
Solution Architecture – User Session Store
• User logs into any of the
application
• The application writes the
session data into ElastiCache
• The user hits another
instance of our application
• The instance retrieves the
data and the user is already
logged in
ElastiCache – Redis vs Memcached
• Redis:
• Multi AZ with Auto-Failover
• Read Replicas to scale reads and have high availability
• Data Durability using AOF persistence
• Backup and restore features
• Supports Sets and Sorted Sets
• Memcached:
• Multi-node for partitioning of data (sharding)
• No high availability (replication)
• Non persistent
• No backup and restore
• Multi-threaded architecture
Caching Implementation Considerations
• Read more at: https://aws.amazon.com/caching/implementation-
considerations/
• Is it safe to cache data? Data may be out of date, eventually consistent
• Is caching effective for that data?
• Pattern: data changing slowly, few keys are frequently needed
• Anti patterns: data changing rapidly, all large key space frequently needed
• Is data structured well for caching?
• example: key value caching, or caching of aggregations results
• Which caching design pattern is the most appropriate?
Lazy Loading / Cache-Aside / Lazy Population
• Pros
• Only requested data is
cached (the cache isn’t
filled up with unused data)
• Node failures are not fatal
(just increased latency to
warm the cache)
• Cons
• Cache miss penalty that
results in 3 round trips,
noticeable delay for that
request
• Stale data: data can be
updated in the database
and outdated in the cache
Lazy Loading / Cache-Aside / Lazy Population – Python Pseudocode (diagram)
Write Through – Add or Update cache when
database is updated
• Pros:
• Data in cache is never
stale, reads are quick
• Write penalty vs Read
penalty (each write
requires 2 calls)
• Cons:
• Missing Data until it is
added / updated in the DB.
Mitigation is to implement
Lazy Loading strategy as
well
• Cache churn – a lot of the
data will never be read
Write-Through – Python Pseudocode (diagram)
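An added, runnable version of both patterns from the Lazy Loading and Write-Through slides; it is not the course's own pseudocode. FakeCache mimics the subset of the Redis API the patterns use (get, set with ex, delete) including TTL expiry, FakeDB counts reads so the relief on the database is visible, and the sample rows are constructed.

```python
"""Lazy loading (cache-aside) and write-through against in-memory stand-ins
for ElastiCache and RDS.

Added example; it is not the course's own code. FakeCache mimics the subset
of the Redis API used (get / set with ex / delete) including TTL expiry;
FakeDB is a dict that counts reads. Both, and the sample rows, are
constructed for the example.
"""
import json
import time
from typing import Any, Dict, Optional, Tuple


class FakeCache:
    """Minimal Redis-like cache with per-key TTL (constructed stand-in)."""

    def __init__(self) -> None:
        self._store: Dict[str, Tuple[str, Optional[float]]] = {}
        self.hits = 0
        self.misses = 0

    def get(self, key: str) -> Optional[str]:
        item = self._store.get(key)
        if item is not None:
            value, expires = item
            if expires is None or time.monotonic() < expires:
                self.hits += 1
                return value
            del self._store[key]          # lazy expiry on read
        self.misses += 1
        return None

    def set(self, key: str, value: str, ex: Optional[int] = None) -> None:
        self._store[key] = (value, None if ex is None else time.monotonic() + ex)

    def delete(self, key: str) -> None:
        self._store.pop(key, None)


class FakeDB:
    """Stand-in for the relational database; counts reads to show the relief."""

    def __init__(self, rows: Dict[int, Dict[str, Any]]) -> None:
        self.rows = dict(rows)
        self.reads = 0

    def select_user(self, user_id: int) -> Optional[Dict[str, Any]]:
        self.reads += 1
        return self.rows.get(user_id)

    def upsert_user(self, user_id: int, record: Dict[str, Any]) -> None:
        self.rows[user_id] = record


def user_key(user_id: int) -> str:
    return f"user:{user_id}"


def get_user_lazy(cache: FakeCache, db: FakeDB, user_id: int, ttl: int = 60):
    """Cache-aside: try the cache; on a miss read the DB and populate with a TTL.

    Rows that do not exist are not cached, so repeated lookups of unknown
    IDs still reach the database (negative caching is a separate decision).
    """
    raw = cache.get(user_key(user_id))
    if raw is not None:
        return json.loads(raw)
    record = db.select_user(user_id)
    if record is not None:
        cache.set(user_key(user_id), json.dumps(record), ex=ttl)
    return record


def update_user_write_through(cache: FakeCache, db: FakeDB, user_id: int,
                              record: Dict[str, Any], ttl: int = 60) -> None:
    """Write-through: commit to the DB first, then refresh the cache entry."""
    db.upsert_user(user_id, record)
    cache.set(user_key(user_id), json.dumps(record), ex=ttl)


def update_user_invalidate(cache: FakeCache, db: FakeDB, user_id: int,
                           record: Dict[str, Any]) -> None:
    """Alternative to write-through: update the DB and evict so the next read reloads."""
    db.upsert_user(user_id, record)
    cache.delete(user_key(user_id))
```

The DB write happens before the cache write in both update paths: if the order were reversed and the DB write failed, the cache would serve a record the database never stored.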
Cache Evictions and Time-to-live (TTL)
• Cache eviction can occur in three ways:
• You delete the item explicitly in the cache
• Item is evicted because the memory is full and it’s not recently used (LRU)
• You set an item time-to-live (or TTL)
• TTLs are helpful for many kinds of data:
• Leaderboards
• Comments
• Activity streams
• TTL can range from a few seconds to hours or days
• If too many evictions happen due to memory, you should scale up or out
Final words of wisdom
• Lazy Loading / Cache aside is easy to implement and works for many
situations as a foundation, especially on the read side
• Write-through is usually combined with Lazy Loading as targeted for the
queries or workloads that benefit from this optimization
• Setting a TTL is usually not a bad idea, except when you’re using Write-
through. Set it to a sensible value for your application
• Only cache the data that makes sense (user profiles, blogs, etc…)
Amazon Route 53
DNS, Records, Hosted Zones, Routing Policies, Health Checks
What is DNS?
• Domain Name System which translates the human friendly hostnames
into the machine IP addresses
• www.google.com => 172.217.18.36
• DNS is the backbone of the Internet
• DNS uses hierarchical naming structure
.com
example.com
www.example.com
api.example.com
DNS Terminologies
• Domain Registrar: Amazon Route 53, GoDaddy, …
• DNS Records: A, AAAA, CNAME, NS, …
• Zone File: contains DNS records
• Name Server: resolves DNS queries (Authoritative or Non-Authoritative)
• Top Level Domain (TLD): .com, .us, .in, .gov, .org, …
• Second Level Domain (SLD): amazon.com, google.com, …
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/welcome-dns-service.html
How DNS Works (diagram)
Amazon Route 53
• A highly available, scalable, fully
managed and Authoritative DNS
• Authoritative = the customer (you)
can update the DNS records
• Route 53 is also a Domain Registrar
• Ability to check the health of your
resources
• The only AWS service which provides
100% availability SLA
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/welcome-dns-service.html
Route 53 – Records
• How you want to route traffic for a domain
• Each record contains:
• Domain/subdomain Name – e.g., example.com
• Record Type – e.g., A or AAAA
• Value – e.g., 12.34.56.78
• Routing Policy – how Route 53 responds to queries
• TTL – amount of time the record cached at DNS Resolvers
• Route 53 supports the following DNS record types:
• (must know) A / AAAA / CNAME / NS
• (advanced) CAA / DS / MX / NAPTR / PTR / SOA / TXT / SPF / SRV
Route 53 – Record Types
• A – maps a hostname to IPv4
• AAAA – maps a hostname to IPv6
• CNAME – maps a hostname to another hostname
• The target is a domain name which must have an A or AAAA record
• Can’t create a CNAME record for the top node of a DNS namespace (Zone Apex)
• Example: you can’t create for example.com, but you can create for
www.example.com
• NS – Name Servers for the Hosted Zone
• Control how traffic is routed for a domain
• Define which organization manages your domain
Route 53 – Hosted Zones
• A container for records that define how to route traffic to a domain and its
subdomains
• Public Hosted Zones – contains records that specify how to route traffic on the
Internet (public domain names) application1.mypublicdomain.com
• Private Hosted Zones – contain records that specify how you route traffic
within one or more VPCs (private domain names)
application1.company.internal
• You pay $0.50 per month per hosted zone
Route 53 – Public vs. Private Hosted Zones (diagram)
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-working-with.html
Route 53 – Records TTL (Time To Live)
• High TTL – e.g., 24 hr
• Less traffic on Route 53
• Possibly outdated records
• Low TTL – e.g., 60 sec.
• More traffic on Route 53 ($$)
• Records are outdated for less time
• Easy to change records
• Except for Alias records, TTL is
mandatory for each DNS record
CNAME vs Alias
• AWS Resources (Load Balancer, CloudFront...) expose an AWS hostname:
• lb1-1234.us-east-2.elb.amazonaws.com and you want to route your domain
myapp.mydomain.com to that host name
• CNAME:
• Points a hostname to any other hostname. (app.mydomain.com => blabla.anything.com)
• ONLY FOR NON ROOT DOMAIN (aka. something.mydomain.com)
• Alias:
• Points a hostname to an AWS Resource (app.mydomain.com => blabla.amazonaws.com)
• Works for ROOT DOMAIN and NON ROOT DOMAIN (aka mydomain.com)
• Free of charge
• Native health check
Route 53 – Alias Records
Alias Records Targets
• Maps a hostname to an AWS resource
• Automatically recognizes changes in the
resource’s IP addresses
• Unlike CNAME, it can be used for the
top node e.g.: example.com (ROOT
DOMAIN)
• Alias Record is always of type A/AAAA
for AWS resources (IPv4 / IPv6)
• You can’t set the TTL
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-values-alias.html
Route 53 – Routing Policies
• Define how Route 53 responds to DNS queries
• Don’t get confused by the word “Routing”
• It’s not the same as Load balancer routing which routes the traffic
• DNS does not route any traffic, it only responds to the DNS queries
• Route 53 Supports the following Routing Policies
• Simple
• Weighted
• Failover
• Latency based
• Geolocation
• Multi-Value Answer
• Geoproximity (using Route 53 Traffic Flow feature)
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy.html
Routing Policies – Simple
• Typically, route traffic to a single
resource
• Can specify multiple values in the
same record
• If multiple values are returned, a
random one is chosen by the client
• When Alias enabled, specify only one
AWS resource
• No health checks
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy-simple.html
Routing Policies – Weighted
• Control the % of the requests that go to each
specific resource
• DNS records must have the same name and type
• Can be associated with Health Checks
• Use cases: load balancing between regions,
testing new application versions…
• Assign a weight of 0 to a record to stop sending
traffic to a resource
• If all records have weight of 0, then all records
will be returned equally
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy-weighted.html
Routing Policies – Latency-based
• Route to the resource with the lowest latency for the user
• Super helpful when latency for users is a priority
• Latency is based on traffic between users and AWS Regions
• Can be associated with Health Checks (has a failover capability)
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy-latency.html
Route 53 – Health Checks
• HTTP Health Checks are only for public
resources
• Health Check => Automated DNS Failover:
1. Health checks that monitor an endpoint
(application, server, other AWS resource)
2. Health checks that monitor other health checks
(Calculated Health Checks)
3. Health checks that monitor CloudWatch Alarms
(full control) – e.g., throttles of DynamoDB,
alarms on RDS, custom metrics, … (helpful for
private resources)
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/health-checks-types.html
Health Checks - Monitor CloudWatch Alarms
• Route 53 health checkers run outside your VPC, from published AWS IP ranges; your security groups or firewall must allow those ranges for an HTTP health check to succeed
• They can't access private endpoints (private VPC or on-premises resources)
• You can create a CloudWatch Metric and associate a CloudWatch Alarm, then create a Health Check that checks the alarm itself
Routing Policies – Failover (Active-Passive) (diagram)
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy-failover.html
Routing Policies – Geolocation
• Different from Latency-based!
• This routing is based on user location
• Specify location by Country or by US
State
• Should create a “Default” record (in
case there’s no match on location)
• Use cases: website localization, restrict
content distribution, load balancing, …
• Can be associated with Health Checks
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy-geo.html
Routing Policies – Geoproximity
• Route traffic to your resources based on the geographic location of users
and resources
• Ability to shift more traffic to resources based on the defined bias
• To change the size of the geographic region, specify bias values:
• To expand (1 to 99) – more traffic to the resource
• To shrink (-1 to -99) – less traffic to the resource
• Resources can be:
• AWS resources (specify AWS region)
• Non-AWS resources (specify Latitude and Longitude)
• You must use Route 53 Traffic Flow to use this feature
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy-geoproximity.html
Routing Policies – Geoproximity (diagrams)
Route 53 –Traffic flow
• Simplify the process of creating and
maintaining records in large and
complex configurations
• Visual editor to manage complex
routing decision trees
• Configurations can be saved as
Traffic Flow Policy
• Can be applied to different Route 53
Hosted Zones (different domain names)
• Supports versioning
Routing Policies – IP-based Routing
• Routing is based on clients’ IP addresses
• You provide a list of CIDRs for your clients and
the corresponding endpoints/locations
(user-IP-to-endpoint mappings)
• Use cases: Optimize performance, reduce
network costs…
• Example: route end users from a particular
ISP to a specific endpoint
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy-ipbased.html
Routing Policies – Multi-Value
• Use when routing traffic to multiple resources
• Up to 8 healthy records are returned for each Multi-Value query
• It’s very similar to simple routing, but with two differences:
• Routing traffic to multiple resources
• You can have health checks
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy-multivalue.html
https://repost.aws/knowledge-center/multivalue-versus-simple-policies
Domain Registrar vs. DNS Service
• You buy or register your domain name with a Domain Registrar typically by
paying annual charges (e.g., GoDaddy, Amazon Registrar Inc., …)
• The Domain Registrar usually provides you with a DNS service to manage
your DNS records
• But you can use another DNS service to manage your DNS records
• Example: purchase the domain from GoDaddy and use Route 53 to manage
your DNS records
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/registrar.html
GoDaddy as Registrar & Route 53 as DNS Service
3rd Party Registrar with Amazon Route 53
If you buy your domain on a 3rd party registrar, you can still use Route 53
as the DNS Service provider
1. Create a Hosted Zone in Route 53
2. Update the NS records at the 3rd party registrar to point to the Route 53 Name Servers of that Hosted Zone
• Domain Registrar != DNS Service
• But every Domain Registrar usually comes with some DNS features
3rd Party Registrar with Amazon Route 53
Before
• Domain Management: GoDaddy
• DNS Management : GoDaddy
After
• Domain Management : GoDaddy
• DNS Management : Route53
https://blog.cloudmentor.pro/blog/aws/huong-dan-chuyen-doi-dns-tu-ben-thu-3-sang-route-53
Exercise
• Create Amazon RDS for MySQL
Section 4
• Amazon S3
• Amazon S3 – Advanced
• Amazon S3 – Security
Amazon S3
Section introduction
• Amazon S3 is one of the main building blocks of AWS
• It’s advertised as “infinitely scaling” storage
• Benefits
• Scalability
• S3 provides the most durable storage in the cloud and industry leading availability.
• S3 is secure, private, and encrypted by default
• Multiple storage classes with the best price/performance for any workload, plus automated data lifecycle management
• Resiliency, flexibility, low latency and high throughput, so that storage never limits application performance
Amazon S3 Use cases
• Backup and storage
• Disaster Recovery
• Archive
• Hybrid Cloud storage
• Application hosting
• Media hosting
• Data lakes & big data analytics
• Software delivery
• Static website
Amazon S3 - Buckets
• Amazon S3 allows people to store objects (files) in “buckets” (directories)
• Buckets must have a globally unique name (across all regions and all AWS accounts)
• Buckets are defined at the region level
• S3 looks like a global service but buckets are created in a region
• Naming convention
• No uppercase, No underscore
• 3-63 characters long
• Not an IP
• Must start with lowercase letter or number
• Must NOT start with the prefix xn--
• Must NOT end with the suffix -s3alias
Amazon S3 - Objects
• Objects (files) have a Key
• The key is the FULL path:
• s3://my-bucket/my_file.txt
• s3://my-bucket/my_folder1/another_folder/my_file.txt
• The key is composed of prefix + object name
• s3://my-bucket/my_folder1/another_folder/my_file.txt
• Max Object Size is 5TB (5000GB)
• Metadata:A set of name-value pairs, information regarding the object
• Tags (Unicode key / value pair – up to 10) – useful for security / lifecycle
• Version ID (if versioning is enabled)
Amazon S3 – Security
• User-Based
• IAM Policies – which S3 API calls are allowed for a specific IAM user, group or role
• Resource-Based
• Bucket Policies – bucket wide rules from the S3 console - allows cross account
• Object Access Control List (ACL) – finer grain (can be disabled)
• Bucket Access Control List (ACL) – less common (can be disabled)
• Note: an IAM principal can access an S3 object if
• the principal’s IAM permissions ALLOW it OR the resource policy ALLOWS it (within the same account; for cross-account access both sides must allow it)
• AND there’s no explicit DENY in either policy
• Encryption: encrypt objects in Amazon S3 using encryption keys
https://docs.aws.amazon.com/AmazonS3/latest/userguide/security.html
S3 Bucket Policies
• JSON based policies
• Effect: Allow / Deny
• Principal: The account or user to apply the policy to
• Actions: Set of API to Allow or Deny
• Resources: buckets and objects
• Use an S3 bucket policy to:
• Grant public access to the bucket
• Force objects to be encrypted at upload
• Grant access to another account (Cross Account)
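The ALLOW/DENY rule above and the three bucket-policy use cases (force TLS, force encryption at upload, grant another account access) can be exercised without an AWS account with the toy evaluator below. It is an added example, not code from the slides or from AWS: the bucket name, account IDs, principals and policies are constructed, and only the Bool, StringEquals and StringNotEquals condition operators are implemented.

```python
"""Toy evaluator for the S3 authorization rule on these slides: a request is
allowed only if an identity (IAM) policy or the bucket policy allows it AND no
applicable statement explicitly denies it. Added example, not AWS code; the
account IDs, bucket name and principals are made up."""
import json

# Constructed bucket policy for the three slide use cases: refuse plaintext
# HTTP, refuse uploads that are not SSE-KMS, and grant a second account read
# access (cross-account). The bucket owner is account 111111111111.
BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    {"Sid": "CrossAccountRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}""")

USER_A = "arn:aws:iam::111111111111:user/alice"      # same account as the bucket
ACCOUNT_B_ROOT = "arn:aws:iam::222222222222:root"    # the other (made-up) account
# Identity policies (no Principal element) attached to each caller.
IDENTITY_POLICY_A = {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
                                    "Resource": "arn:aws:s3:::example-bucket/*"}]}
IDENTITY_POLICY_B = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}


def request(action, key, https=True, sse=None):
    """Build the request context the policies are evaluated against."""
    ctx = {"aws:SecureTransport": "true" if https else "false"}
    if sse is not None:
        ctx["s3:x-amz-server-side-encryption"] = sse   # the x-amz-server-side-encryption header
    return {"action": action, "resource": f"arn:aws:s3:::example-bucket/{key}", "context": ctx}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _glob(pattern, value):
    # IAM wildcards: '*' alone matches anything, a trailing '*' matches a prefix
    return pattern == "*" or (pattern.endswith("*") and value.startswith(pattern[:-1])) or pattern == value


def _conditions_hold(stmt, ctx):
    for op, pairs in stmt.get("Condition", {}).items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if op == "Bool":
                ok = have is not None and str(have).lower() == str(want).lower()
            elif op == "StringEquals":
                ok = have in _as_list(want)
            elif op == "StringNotEquals":
                ok = have not in _as_list(want)   # a missing key also satisfies it
            else:
                raise ValueError(f"unsupported condition operator {op}")
            if not ok:
                return False
    return True


def _applies(stmt, req, principal):
    p = stmt.get("Principal", "*")   # identity policies carry no Principal
    principal_ok = p == "*" or principal in _as_list(p.get("AWS", []))
    return (principal_ok
            and any(_glob(a, req["action"]) for a in _as_list(stmt["Action"]))
            and any(_glob(r, req["resource"]) for r in _as_list(stmt["Resource"]))
            and _conditions_hold(stmt, req["context"]))


def evaluate(req, principal, identity_policy, bucket_policy, same_account=True):
    """Return 'Allow' or 'Deny': an explicit Deny anywhere wins; inside the
    bucket's account an Allow in either policy is enough; across accounts both
    the caller's policy and the bucket policy must Allow; else implicit Deny."""
    def effects(policy):
        return {s["Effect"] for s in policy["Statement"] if _applies(s, req, principal)}
    ident, bucket = effects(identity_policy), effects(bucket_policy)
    if "Deny" in ident or "Deny" in bucket:
        return "Deny"
    if same_account:
        return "Allow" if "Allow" in ident or "Allow" in bucket else "Deny"
    return "Allow" if "Allow" in ident and "Allow" in bucket else "Deny"


if __name__ == "__main__":
    print(evaluate(request("s3:PutObject", "a.txt", https=False, sse="aws:kms"),
                   USER_A, IDENTITY_POLICY_A, BUCKET_POLICY))
```

Two details worth noticing: a PUT with no encryption header at all is denied, because a missing key satisfies StringNotEquals (that is what makes the statement usable as a "force encryption at upload" rule), and the aws:SecureTransport Deny blocks plaintext HTTP even for a caller whose identity policy allows everything, because an explicit Deny is never overridden by an Allow.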
Example: Public Access - Use Bucket Policy
Example: User Access to S3 – IAM permissions
Example: EC2 instance access - Use IAM Roles
Advanced: Cross-Account Access – Use Bucket Policy
Bucket settings for Block Public Access
• These settings were created to prevent company data leaks
• If you know your bucket should never be public, leave these on
• Can be set at the account level
Amazon S3 – Static Website Hosting
• S3 can host static websites and have them accessible on the Internet
• http://bucket-name.s3-website-aws-region.amazonaws.com
• http://bucket-name.s3-website.aws-region.amazonaws.com
• If you get a 403 Forbidden error, make
sure the bucket policy allows public reads!
• Block all Public Access: Off (disabled)
• Bucket policy allows public reads!
https://docs.aws.amazon.com/AmazonS3/latest/userguide/EnableWebsiteHosting.html
Amazon S3 -Versioning
• You can version your files in Amazon S3
• It is enabled at the bucket level
• Same key overwrite will change the “version”: 1, 2, 3….
• It is best practice to version your buckets
• Preserve, retrieve, and restore every version of every object
• Help you recover objects from accidental deletion or overwrite
• Notes:
• Any file that is not versioned prior to enabling versioning will
have version “null”
• Suspending versioning does not delete the previous versions
Amazon S3 – Replication (CRR & SRR)
• Must enable Versioning in source and destination buckets
• Cross-Region Replication (CRR)
• Same-Region Replication (SRR)
• Buckets can be in different AWS accounts
• Copying is asynchronous
• Must give proper IAM permissions to S3
• Use cases:
• CRR – compliance, lower latency access, replication across
accounts
• SRR – log aggregation, live replication between production and test
accounts
Amazon S3 – Replication (Notes)
• After you enable Replication, only new objects are replicated
• Optionally, you can replicate existing objects using S3 Batch Replication
• Replicates existing objects and objects that failed replication
• For DELETE operations
• Can replicate delete markers from source to target (optional setting)
• Deletions with a version ID are not replicated (to avoid malicious deletes)
• There is no “chaining” of replication
• If bucket 1 has replication into bucket 2, which has replication into bucket 3
• Then objects created in bucket 1 are not replicated to bucket 3
S3 Storage Classes
• Amazon S3 Standard - General Purpose
• Amazon S3 Standard-Infrequent Access (IA)
• Amazon S3 One Zone-Infrequent Access
• Amazon S3 Glacier Instant Retrieval
• Amazon S3 Glacier Flexible Retrieval
• Amazon S3 Glacier Deep Archive
• Amazon S3 Intelligent Tiering
• Can move between classes manually or using S3 Lifecycle configurations
S3 Durability and Availability
• Durability:
• High durability (99.999999999%, 11 9’s) of objects across multiple AZ
• If you store 10,000,000 objects with Amazon S3, you can on average expect to
incur a loss of a single object once every 10,000 years
• Same for all storage classes
• Availability:
• Measures how readily available a service is
• Varies depending on storage class
• Example: S3 standard has 99.99% availability = not available 53 minutes a year
S3 Standard – General Purpose
• 99.99% Availability
• Used for frequently accessed data
• Low latency and high throughput
• Sustain 2 concurrent facility failures
• Use Cases: Big Data analytics, mobile & gaming applications, content
distribution…
S3 Storage Classes – Infrequent Access
• For data that is less frequently accessed, but requires rapid access when needed
• Lower cost than S3 Standard
• Amazon S3 Standard-Infrequent Access (S3 Standard-IA)
• 99.9% Availability
• Use cases: Disaster Recovery, backups
• Amazon S3 One Zone-Infrequent Access (S3 One Zone-IA)
• High durability (99.999999999%) in a single AZ; data lost when AZ is destroyed
• 99.5% Availability
• Use Cases: Storing secondary backup copies of on-premises data, or data you can recreate
Amazon S3 Glacier Storage Classes
• Low-cost object storage meant for archiving / backup
• Pricing: price for storage + object retrieval cost
• Amazon S3 Glacier Instant Retrieval
• Millisecond retrieval, great for data accessed once a quarter
• Minimum storage duration of 90 days
• Amazon S3 Glacier Flexible Retrieval (formerly Amazon S3 Glacier):
• Expedited (1 to 5 minutes), Standard (3 to 5 hours), Bulk (5 to 12 hours) – free
• Minimum storage duration of 90 days
• Amazon S3 Glacier Deep Archive – for long term storage:
• Standard (12 hours), Bulk (48 hours)
• Minimum storage duration of 180 days
S3 Intelligent-Tiering
• Small monthly monitoring and auto-tiering fee
• Moves objects automatically between Access Tiers based on usage
• There are no retrieval charges in S3 Intelligent-Tiering
• Frequent Access tier (automatic): default tier
• Infrequent Access tier (automatic): objects not accessed for 30 days
• Archive Instant Access tier (automatic): objects not accessed for 90 days
• Archive Access tier (optional): configurable from 90 days to 700+ days
• Deep Archive Access tier (optional): config. from 180 days to 700+ days
S3 - Storage Classes

Storage class | Designed for | AZs | Min storage duration | Min billable object size | Other considerations
S3 Standard | Frequently accessed data (more than once a month) with millisecond access | >= 3 | None | None | Big Data analytics, mobile & gaming applications, content distribution…
S3 Standard-IA | Long-lived, infrequently accessed data (once a month) with millisecond access | >= 3 | 30 days | 128 KB | Per-GB retrieval fees apply. Disaster Recovery, backups
S3 Intelligent-Tiering | Data with unknown, changing, or unpredictable access patterns | >= 3 | None | None | Monitoring and automation fees per object apply. No retrieval fees. Moves objects automatically between Access Tiers based on usage
S3 One Zone-IA | Recreatable, infrequently accessed data (once a month) with millisecond access | 1 | 30 days | 128 KB | Per-GB retrieval fees apply. Not resilient to the loss of the Availability Zone. Backup copies of on-premises data
S3 Glacier Instant Retrieval | Long-lived archive data accessed once a quarter with millisecond access | >= 3 | 90 days | 128 KB | Low-cost object storage for archiving / backup. Pricing: price for storage + object retrieval cost
S3 Glacier Flexible Retrieval | Long-lived archive data accessed once a year; retrieval times: Expedited (1 – 5 mins), Standard (3 – 5 hours), Bulk (5 – 12 hours) | >= 3 | 90 days | NA* | Low-cost object storage for archiving / backup. Pricing: price for storage + object retrieval cost
S3 Glacier Deep Archive | Long-lived archive data accessed less than once a year; retrieval times: Standard (12 hours), Bulk (48 hours) | >= 3 | 180 days | NA** | Low-cost object storage for archiving / backup. Pricing: price for storage + object retrieval cost

https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage-class-intro.html
Amazon S3 – Advanced
Amazon S3 – Moving between Storage Classes
• You can transition objects between
storage classes
• For infrequently accessed object,
move them to Standard IA
• For archive objects that you don’t
need fast access to, move them to
Glacier or Glacier Deep Archive
• Moving objects can be automated using Lifecycle Rules
Amazon S3 – Lifecycle Rules
• Transition Actions – configure objects to transition to another storage class
• Move objects to Standard IA class 60 days after creation
• Move to Glacier for archiving after 6 months
• Expiration actions – configure objects to expire (delete) after some time
• Access log files can be set to delete after 365 days
• Can be used to delete old versions of files (if versioning is enabled)
• Can be used to delete incomplete Multi-Part uploads
• Rules can be created for a certain prefix (example: s3://mybucket/mp3/*)
• Rules can be created for certain objects Tags (example: Department: Finance)
Amazon S3 – Lifecycle Rules (Scenario 1)
• Your application on EC2 creates image thumbnails after profile photos
are uploaded to Amazon S3. These thumbnails can be easily recreated,
and only need to be kept for 60 days. The source images should be able
to be immediately retrieved for these 60 days, and afterwards, the user
can wait up to 6 hours. How would you design this?
• S3 source images can be on Standard, with a lifecycle configuration to
transition them to Glacier after 60 days
• S3 thumbnails can be on One-Zone IA, with a lifecycle configuration to
expire them (delete them) after 60 days
Amazon S3 – Lifecycle Rules (Scenario 2)
• A rule in your company states that you should be able to recover your
deleted S3 objects immediately for 30 days, although this may happen
rarely. After this time, and for up to 365 days, deleted objects should be
recoverable within 48 hours.
• Enable S3 Versioning in order to have object versions, so that “deleted
objects” are in fact hidden by a “delete marker” and can be recovered
• Transition the “noncurrent versions” of the object to Standard IA
• Transition afterwards the “noncurrent versions” to Glacier Deep Archive
S3 – Requester Pays
• In general, bucket owners pay for all
Amazon S3 storage and data transfer
costs associated with their bucket
• With Requester Pays buckets, the
requester instead of the bucket owner
pays the cost of the request and the
data download from the bucket
• Helpful when you want to share large
datasets with other accounts
• The requester must be authenticated in
AWS (cannot be anonymous)
S3 Event Notifications
• S3:ObjectCreated, S3:ObjectRemoved,
S3:ObjectRestore, S3:Replication…
• Object name filtering possible (*.jpg)
• Use case: generate thumbnails of images
uploaded to S3
• Can create as many “S3 events” as desired
• S3 event notifications typically deliver events
in seconds but can sometimes take a minute
or longer
S3 Event Notifications – IAM Permissions
S3 Event Notifications
with Amazon EventBridge
• Advanced filtering options with JSON rules (metadata, object size,
name...)
• Multiple Destinations – ex Step Functions, Kinesis Streams / Firehose…
• EventBridge Capabilities – Archive, Replay Events, Reliable delivery
S3 – Baseline Performance
• Amazon S3 automatically scales to high request rates, latency 100-200 ms
• Your application can achieve at least 3,500 PUT/COPY/POST/DELETE or 5,500
GET/HEAD requests per second per prefix in a bucket.
• There are no limits to the number of prefixes in a bucket.
• Example (object path => prefix):
• bucket/folder1/sub1/file => /folder1/sub1/
• bucket/folder1/sub2/file => /folder1/sub2/
• bucket/1/file => /1/
• bucket/2/file => /2/
• If you spread reads across all four prefixes evenly, you can achieve 22,000
requests per second for GET and HEAD
S3 Performance
• Multi-Part upload:
• recommended for files > 100MB, must use for files > 5GB
• Can help parallelize uploads (speed up transfers)
• S3 Transfer Acceleration
• Increase transfer speed by transferring the file to an AWS edge location which will forward the data to the S3 bucket in the target region
• Compatible with multi-part upload
S3 Batch Operations
• Perform bulk operations on existing S3 objects with a
single request, example:
• Modify object metadata & properties
• Copy objects between S3 buckets
• Encrypt un-encrypted objects
• Modify ACLs, tags
• Restore objects from S3 Glacier
• Invoke Lambda function to perform custom action on each
object
• S3 Batch Operations manages retries, tracks progress,
sends completion notifications, generate reports …
• You can use S3 Inventory to get object list and use S3
Select to filter your objects
S3 – Storage Lens
• Understand, analyze, and optimize storage across entire AWS Organization
• Discover anomalies, identify cost efficiencies, and apply data protection best
practices across entire AWS Organization (30 days usage & activity metrics)
• Aggregate data for Organization, specific accounts, regions, buckets, or prefixes
• Default dashboard or create your own dashboards
• Can be configured to export metrics daily to an S3 bucket (CSV, Parquet)
Storage Lens – Default Dashboard
• Visualize summarized insights and trends for both free and advanced metrics
• Default dashboard shows Multi-Region and Multi-Account data
• Preconfigured by Amazon S3
• Can’t be deleted, but can be disabled
https://aws.amazon.com/blogs/aws/s3-storage-lens/
Storage Lens – Metrics
• Summary Metrics
• General insights about your S3 storage
• StorageBytes, ObjectCount…
• Use cases: identify the fastest-growing (or not used) buckets and prefixes
• Cost-Optimization Metrics
• Provide insights to manage and optimize your storage costs
• NonCurrentVersionStorageBytes, IncompleteMultipartUploadStorageBytes…
• Use cases: identify buckets with incomplete multipart uploads older than 7
days, identify which objects could be transitioned to a lower-cost storage class
Storage Lens – Metrics
• Data-Protection Metrics
• Provide insights for data protection features
• VersioningEnabledBucketCount, MFADeleteEnabledBucketCount, SSEKMSEnabledBucketCount,
CrossRegionReplicationRuleCount…
• Use cases: identify buckets that aren’t following data-protection best practices
• Access-management Metrics
• Provide insights for S3 Object Ownership
• ObjectOwnershipBucketOwnerEnforcedBucketCount…
• Use cases: identify which Object Ownership settings your buckets use
• Event Metrics
• Provide insights for S3 Event Notifications
• EventNotificationEnabledBucketCount (identify which buckets have S3 Event Notifications
configured)
Storage Lens – Metrics
• Performance Metrics
• Provide insights for S3 Transfer Acceleration
• TransferAccelerationEnabledBucketCount (identify which buckets have S3
Transfer Acceleration enabled)
• Activity Metrics
• Provide insights about how your storage is requested
• AllRequests, GetRequests, PutRequests, ListRequests, BytesDownloaded…
• Detailed Status Code Metrics
• Provide insights for HTTP status codes
• 200OKStatusCount, 403ForbiddenErrorCount, 404NotFoundErrorCount…
Storage Lens – Free vs. Paid
• Free Metrics
• Automatically available for all customers
• Contains around 28 usage metrics
• Data is available for queries for 14 days
• Advanced Metrics and Recommendations
• Additional paid metrics and features
• Advanced Metrics – Activity, Advanced Cost
Optimization, Advanced Data Protection, Status
Code
• CloudWatch Publishing – Access metrics in
CloudWatch without additional charges
• Prefix Aggregation – Collect metrics at the prefix
level
• Data is available for queries for 15 months
Amazon S3 – Security
Amazon S3 – Object Encryption
• You can encrypt objects in S3 buckets using one of 4 methods
• Server-Side Encryption (SSE)
• Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3) – Enabled by Default
• Encrypts S3 objects using keys handled, managed, and owned by AWS
• Server-Side Encryption with KMS Keys stored in AWS KMS (SSE-KMS)
• Leverage AWS Key Management Service (AWS KMS) to manage encryption keys
• Server-Side Encryption with Customer-Provided Keys (SSE-C)
• When you want to manage your own encryption keys
• Client-Side Encryption
Amazon S3 Encryption – SSE-S3
• Encryption using keys handled, managed, and owned by AWS
• Object is encrypted server-side
• Encryption type is AES-256
• Header to request it explicitly: "x-amz-server-side-encryption": "AES256" (optional, since SSE-S3 is the default)
• Enabled by default for new buckets & new objects
Amazon S3 Encryption – SSE-KMS
• Encryption using keys handled and managed by AWS KMS (Key
Management Service)
• KMS advantages: user control + audit key usage using CloudTrail
• Object is encrypted server side
• Must set header "x-amz-server-side-encryption": "aws:kms"
Amazon S3 Encryption – SSE-C
• Server-Side Encryption using keys fully managed by the customer outside of
AWS
• Amazon S3 does NOT store the encryption key you provide
• HTTPS must be used
• The encryption key must be provided in HTTP headers on every request (upload and download), so the client has to keep and manage it
Amazon S3 Encryption – Client-Side Encryption
• Use client libraries such as Amazon S3 Client-Side Encryption Library
• Clients must encrypt data themselves before sending to Amazon S3
• Clients must decrypt data themselves when retrieving from Amazon S3
• Customer fully manages the keys and encryption cycle
Amazon S3 – Encryption in transit (SSL/TLS)
• Encryption in flight is also called SSL/TLS
• Amazon S3 exposes two endpoints:
• HTTP Endpoint – non encrypted
• HTTPS Endpoint – encryption in flight
• HTTPS is recommended
• HTTPS is mandatory for SSE-C
• Most clients would use the HTTPS endpoint by default
Amazon S3 – Force Encryption in Transit
aws:SecureTransport
Amazon S3 – Default Encryption vs. Bucket Policies
• SSE-S3 encryption is automatically applied to new objects stored in S3 bucket
• Optionally, you can “force encryption” using a bucket policy and refuse any API
call to PUT an S3 object without encryption headers (SSE-KMS or SSE-C)
• Note: Bucket Policies are evaluated before “Default Encryption”
What is CORS?
• Cross-Origin Resource Sharing (CORS)
• Origin = scheme (protocol) + host (domain) + port
• example: https://www.example.com (implied port is 443 for HTTPS, 80 for HTTP)
• Web Browser based mechanism to allow requests to other origins while
visiting the main origin
• Same origin: http://example.com/app1 & http://example.com/app2
• Different origins: http://www.example.com & http://other.example.com
• The requests won’t be fulfilled unless the other origin allows for the
requests, using CORS Headers (example: Access-Control-Allow-Origin)
Amazon S3 – CORS
• If a client makes a cross-origin request on our S3 bucket, we need to
enable the correct CORS headers
• It’s a popular exam question
• You can allow for a specific origin or for * (all origins)
Amazon S3 – MFA Delete
• MFA (Multi-Factor Authentication) – force users to generate a code on a
device (usually a mobile phone or hardware) before doing important
operations on S3
• MFA will be required to:
• Permanently delete an object version
• Suspend Versioning on the bucket
• MFA won’t be required to:
• Enable Versioning
• List deleted versions
• To use MFA Delete, Versioning must be enabled on the bucket
• Only the bucket owner (root account) can enable/disable MFA Delete
S3 Access Logs
• For audit purpose, you may want to log all access to S3 buckets
• Any request made to S3, from any account, authorized or denied, will
be logged into another S3 bucket
• That data can be analyzed using data analysis tools…
• The target logging bucket must be in the same AWS region
• The log format is at:
https://docs.aws.amazon.com/AmazonS3/latest/dev/LogFormat.html
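To make the log format concrete, here is an added example (not from the slides or from AWS) that tokenises S3 server access log lines and runs a few audit checks over them. The four log lines are constructed, with made-up canonical IDs, request IDs and host IDs; the field order follows the log format documented at the link above.

```python
"""Parser and simple audit checks for S3 server access log lines. Added
example, not from the slides or AWS; the sample lines below are constructed."""
import re
from collections import Counter

# Space-separated fields in the documented order; lines written by older
# versions of the format simply stop earlier, so trailing fields may be absent.
FIELDS = ["bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
          "operation", "key", "request_uri", "http_status", "error_code", "bytes_sent",
          "object_size", "total_time", "turn_around_time", "referer", "user_agent",
          "version_id", "host_id", "signature_version", "cipher_suite", "auth_type",
          "host_header", "tls_version", "access_point_arn", "acl_required"]

# One token is a [bracketed time], a "quoted string" or a run of non-spaces.
TOKEN = re.compile(r'\[[^\]]*\]|"(?:[^"\\]|\\.)*"|\S+')

OWNER = "0123456789abcdef" * 4        # constructed 64-char canonical user ID
HOST = "example-bucket.s3.us-east-1.amazonaws.com"
SAMPLE_LOG = f"""\
{OWNER} example-bucket [06/Feb/2024:00:00:38 +0000] 192.0.2.3 arn:aws:iam::111111111111:user/alice REQ0001EXAMPLE REST.GET.OBJECT reports/q1.pdf "GET /reports/q1.pdf HTTP/1.1" 200 - 2662 2662 70 30 "-" "aws-cli/2.15.0" - HOSTIDEXAMPLE= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader {HOST} TLSv1.2 - -
{OWNER} example-bucket [06/Feb/2024:00:01:02 +0000] 203.0.113.9 - ANON0001EXAMPLE REST.GET.OBJECT reports/q1.pdf "GET /reports/q1.pdf HTTP/1.1" 200 - 2662 2662 44 12 "-" "curl/8.4.0" - HOSTIDEXAMPLE= - ECDHE-RSA-AES128-GCM-SHA256 - {HOST} TLSv1.2 - -
{OWNER} example-bucket [06/Feb/2024:00:02:15 +0000] 198.51.100.7 - DENY0001EXAMPLE REST.GET.OBJECT secrets/keys.txt "GET /secrets/keys.txt HTTP/1.1" 403 AccessDenied 243 - 9 - "-" "python-requests/2.31" - HOSTIDEXAMPLE= - ECDHE-RSA-AES128-GCM-SHA256 - {HOST} TLSv1.2 - -
{OWNER} example-bucket [06/Feb/2024:00:02:16 +0000] 198.51.100.7 - DENY0002EXAMPLE REST.GET.OBJECT secrets/db.sqlite "GET /secrets/db.sqlite HTTP/1.1" 403 AccessDenied 243 - 8 - "-" "python-requests/2.31" - HOSTIDEXAMPLE= - ECDHE-RSA-AES128-GCM-SHA256 - {HOST} TLSv1.2 - -
"""


def parse_line(line):
    """Map one log line onto FIELDS, stripping the [] and "" delimiters."""
    rec = dict(zip(FIELDS, TOKEN.findall(line)))
    rec["time"] = rec["time"].strip("[]")
    for k in ("request_uri", "referer", "user_agent"):
        rec[k] = rec[k].strip('"')
    rec["http_status"] = int(rec["http_status"])
    return rec


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def findings(records, denied_threshold=2):
    """What an auditor looks at first: anonymous requests that succeeded,
    legacy SigV2 signatures, and repeated AccessDenied from the same IP."""
    out, denied = [], Counter()
    for r in records:
        if r["requester"] == "-" and r["http_status"] < 400:
            out.append((r["request_id"], "anonymous request succeeded"))
        if r.get("signature_version") == "SigV2":
            out.append((r["request_id"], "legacy SigV2 signature"))
        if r["http_status"] == 403:
            denied[r["remote_ip"]] += 1
    for ip, n in denied.items():
        if n >= denied_threshold:
            out.append((ip, f"{n} AccessDenied responses"))
    return out


if __name__ == "__main__":
    for item in findings(parse_log(SAMPLE_LOG)):
        print(*item)
```

The anonymous 200 on reports/q1.pdf is the kind of line that reveals a bucket policy or ACL that is more open than intended, while the 403 burst on secrets/ shows someone probing keys they have no right to; both are only visible if access logging (or CloudTrail data events) is actually turned on for the bucket.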
S3 Access Logs: Warning
• Do not set your logging bucket to be the monitored bucket
• It will create a logging loop: every log delivery is itself a request that gets logged, so the bucket grows without bound
Amazon S3 – Pre-Signed URLs
• Generate pre-signed URLs using the S3 Console, AWS CLI or SDK
• URL Expiration
• S3 Console – 1 min up to 720 mins (12 hours)
• AWS CLI – configure expiration with the --expires-in parameter in seconds (default 3600 secs, max. 604800 secs = 168 hours = 7 days)
• A URL signed with temporary credentials (for example from an IAM role) also stops working when those credentials expire, whatever --expires-in says
• Users given a pre-signed URL inherit the permissions of the user that
generated the URL for GET / PUT
• Examples:
• Allow only logged-in users to download a premium video from your S3 bucket
• Allow an ever-changing list of users to download files by generating URLs
dynamically
• Allow temporarily a user to upload a file to a precise location in your S3 bucket
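To show what a pre-signed URL actually carries, the following added example (not from the slides or the AWS SDK, which is what you should use in practice) builds the SigV4 query-string signature for a GET by hand and checks the X-Amz-Date + X-Amz-Expires deadline client-side. The bucket, key, region, access key and secret key are placeholders, and FIXED_NOW is a constructed timestamp so the output is reproducible.

```python
"""Hand-rolled SigV4 query-string presigning for an S3 GET. Added example,
not from the slides or the AWS SDK; credentials and names are placeholders."""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote, urlparse

MAX_EXPIRES = 604_800   # 7 days, the SigV4 ceiling the slide quotes for the CLI
FIXED_NOW = datetime(2024, 6, 1, 12, 0, 0, tzinfo=timezone.utc)   # constructed, for reproducible output


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret_key, date, region, service="s3"):
    # Derived key chain: kSecret -> kDate -> kRegion -> kService -> kSigning
    k = _hmac(("AWS4" + secret_key).encode(), date)
    k = _hmac(k, region)
    k = _hmac(k, service)
    return _hmac(k, "aws4_request")


def presign_get(bucket, key, region, access_key, secret_key,
                expires=3600, now=None, session_token=None):
    """Return a presigned GET URL for s3://bucket/key valid for `expires` seconds."""
    if not 1 <= expires <= MAX_EXPIRES:
        raise ValueError(f"expires must be between 1 and {MAX_EXPIRES} seconds")
    now = now or datetime.now(timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    scope = f"{date}/{region}/s3/aws4_request"
    host = f"{bucket}.s3.{region}.amazonaws.com"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",   # who signed, and for which day/region/service
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:   # temporary credentials (e.g. an assumed role) must be named in the URL
        params["X-Amz-Security-Token"] = session_token
    enc = lambda s: quote(s, safe="-_.~")
    query = "&".join(f"{enc(k)}={enc(v)}" for k, v in sorted(params.items()))
    canonical_uri = "/" + quote(key, safe="/-_.~")
    canonical_request = "\n".join([
        "GET", canonical_uri, query,
        f"host:{host}\n",          # canonical headers block, one "name:value\n" per header
        "host",                    # signed headers
        "UNSIGNED-PAYLOAD",        # presigned S3 URLs do not commit to a body hash
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    signature = hmac.new(signing_key(secret_key, date, region),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{canonical_uri}?{query}&X-Amz-Signature={signature}"


def url_params(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def later(when, seconds):
    return when + timedelta(seconds=seconds)


def is_expired(url, now):
    """Client-side check of the deadline S3 also enforces: X-Amz-Date + X-Amz-Expires."""
    p = url_params(url)
    issued = datetime.strptime(p["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    return now >= later(issued, int(p["X-Amz-Expires"]))


if __name__ == "__main__":
    print(presign_get("example-bucket", "reports/q1.pdf", "us-east-1",
                      "AKIAEXAMPLE", "secretEXAMPLE", now=FIXED_NOW))
```

Everything that constrains the URL is visible in its query string except the secret key, which is why a leaked URL is as good as the signer's permissions on that object until X-Amz-Expires runs out; nothing in the URL restricts the client IP, so keep expiry short and sign with a principal that has only the permission the URL is meant to grant.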
S3 Glacier Vault Lock
• Adopt a WORM (Write Once Read
Many) model
• Create a Vault Lock Policy
• Lock the policy for future edits (can
no longer be changed or deleted)
• Helpful for compliance and data
retention
S3 Object Lock (versioning must be enabled)
• Adopt a WORM (Write Once Read Many) model
• Block an object version deletion for a specified amount of time
• Retention mode - Compliance:
• Object versions can't be overwritten or deleted by any user, including the root user
• Objects retention modes can't be changed, and retention periods can't be shortened
• Retention mode - Governance:
• Most users can't overwrite or delete an object version or alter its lock settings
• Some users have special permissions to change the retention or delete the object
• Retention Period: protect the object for a fixed period, it can be extended
• Legal Hold:
• protect the object indefinitely, independent from retention period
• can be freely placed and removed using the s3:PutObjectLegalHold IAM permission
S3 – Access Points
• Access Points simplify security management for S3 Buckets
• Each Access Point has:
• its own DNS name (Internet Origin or VPC Origin)
• an access point policy (similar to bucket policy) – manage security at scale
S3 Object Lambda
• Use AWS Lambda Functions to
change the object before it is
retrieved by the caller application
• Use Cases:
• Redacting personally identifiable
information for analytics
• Converting across data formats,
such as converting XML to JSON.
• Resizing and watermarking
Exercise
• How to Create a static
website using Amazon S3
Section 5
• Networking - Amazon VPC
Amazon VPC
VPC Components Diagram
(Diagram: a Region containing a VPC with one Availability Zone holding a public subnet and a private subnet, each with its own route table, NACL and security groups. A public EC2 instance reaches the internet (www) through the Internet Gateway; a private EC2 instance reaches it through a NAT Gateway. VPC Endpoints give private access to S3 and DynamoDB; VPC Flow Logs are sent to CloudWatch. The VPC is connected to another VPC by a VPC Peering connection and to the corporate data center by a Site-to-Site VPN connection (VPN Gateway and Customer Gateway) and by a Direct Connect connection through a DX Location.)
Understanding CIDR – IPv4
Classless Inter-Domain Routing – IP Range
(Diagram: a VPC with CIDR 172.22.241.128/25 containing, in one Availability Zone, a public subnet 172.22.241.128/27 and a private subnet 172.22.241.160/27)
Understanding CIDR – IPv4
CIDR: 172.22.241.128/25
Octet 1 = 172 = 10101100, Octet 2 = 22 = 00010110, Octet 3 = 241 = 11110001, Octet 4 = 128 = 10000000
(bit weights within an octet, left to right: 128 64 32 16 8 4 2 1, i.e. 2^7 down to 2^0)
Network address: the first 25 bits (10101100 00010110 11110001 1); host address: the remaining 7 bits
Number of host addresses
Host bits all 0: 10101100 00010110 11110001 10000000 = 172.22.241.128
Host bits all 1: 10101100 00010110 11110001 11111111 = 172.22.241.255
Host address range: 172.22.241.128 ~ 172.22.241.255 (2^7 = 128 IPs)
Understanding CIDR – Subnet Mask
Split 4 subnets CIDR: 172.22.241.128/25
Borrowing 2 host bits gives a 27-bit network address and a 5-bit host address; only the 4th octet changes:
100 00000 = 172.22.241.128/27
101 00000 = 172.22.241.160/27
110 00000 = 172.22.241.192/27
111 00000 = 172.22.241.224/27

Subnet | First address | Last address
172.22.241.128/27 | 172.22.241.128 | 172.22.241.159
172.22.241.160/27 | 172.22.241.160 | 172.22.241.191
172.22.241.192/27 | 172.22.241.192 | 172.22.241.223
172.22.241.224/27 | 172.22.241.224 | 172.22.241.255
https://visualsubnetcalc.com/
Default VPC Walkthrough
• All new AWS accounts have a default VPC
• New EC2 instances are launched into the default VPC if no subnet is
specified
• Default VPC has Internet connectivity and all EC2 instances inside it
have public IPv4 addresses
VPC in AWS – IPv4
• VPC = Virtual Private Cloud
• You can have multiple VPCs in an AWS region (max. 5 per region – soft limit)
• Max. CIDR per VPC is 5, for each CIDR:
• Min. size is /28 (16 IP addresses)
• Max. size is /16 (65536 IP addresses)
• We recommend that you specify a CIDR block from the private IPv4 address ranges as
specified in RFC 1918
• Your VPC CIDR should NOT overlap with your other networks (e.g.,corporate)
State of Hands-on
(Diagram: a Region containing a VPC)
Adding Subnets
(Diagram: Region > VPC > Availability Zone, with a public subnet and a private subnet)
VPC – Subnet (IPv4)
• AWS reserves 5 IP addresses (first 4 & last 1) in each subnet
• These 5 IP addresses are not available for use and can’t be assigned to an EC2 instance
• Example: if CIDR block 10.0.0.0/24, then reserved IP addresses are:
• 10.0.0.0 – Network Address
• 10.0.0.1 – reserved by AWS for the VPC router
• 10.0.0.2 – reserved by AWS for mapping to Amazon-provided DNS
• 10.0.0.3 – reserved by AWS for future use
• 10.0.0.255 – Network Broadcast Address. AWS does not support broadcast in a VPC, therefore the address is reserved
• Exam tip: if you need 29 IP addresses for EC2 instances:
• You can’t choose a subnet of size /27 (32 IP addresses, 32 – 5 = 27 < 29)
• You need to choose a subnet of size /26 (64 IP addresses, 64 – 5 = 59 > 29)
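The arithmetic behind these slides, worked in Python as an added example (not part of the course material): splitting 172.22.241.128/25 into /27s, the five addresses AWS reserves in every subnet, and the smallest subnet for a given number of instances. Standard library only; the CIDRs are the ones used on the slides.

```python
"""Subnet arithmetic for AWS VPCs: CIDR splitting, the five addresses AWS
reserves in every subnet, and the smallest subnet for N instances.

Added example, not part of the course slides. Standard library only.
"""
import ipaddress

AWS_RESERVED_PER_SUBNET = 5   # first four addresses + the last (broadcast) address
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def split_cidr(cidr, new_prefix):
    """Split `cidr` into equal subnets of length `new_prefix`.

    Returns (subnet, first address, last address) tuples, e.g. the four /27s
    the slide carves out of 172.22.241.128/25.
    """
    net = ipaddress.ip_network(cidr, strict=True)   # strict: host bits must be zero
    return [(str(s), str(s[0]), str(s[-1])) for s in net.subnets(new_prefix=new_prefix)]


def aws_reserved_addresses(cidr):
    """The five addresses AWS reserves in a subnet, keyed by their purpose."""
    net = ipaddress.ip_network(cidr, strict=True)
    return {
        "network": str(net[0]),      # network address
        "vpc_router": str(net[1]),   # reserved by AWS for the VPC router
        "dns": str(net[2]),          # reserved by AWS for the Amazon-provided DNS
        "future_use": str(net[3]),   # reserved by AWS for future use
        "broadcast": str(net[-1]),   # broadcast address (broadcast is not supported in a VPC)
    }


def usable_addresses(cidr):
    """Addresses that can actually be assigned to EC2 instances in a subnet of this size."""
    net = ipaddress.ip_network(cidr, strict=True)
    if not 16 <= net.prefixlen <= 28:
        raise ValueError("a VPC CIDR must be between /16 and /28")
    return net.num_addresses - AWS_RESERVED_PER_SUBNET


def smallest_subnet_prefix(required_hosts):
    """Longest prefix (smallest subnet) that still leaves `required_hosts` usable addresses."""
    for prefix in range(28, 15, -1):   # try /28, /27, ..., /16
        if 2 ** (32 - prefix) - AWS_RESERVED_PER_SUBNET >= required_hosts:
            return prefix
    raise ValueError("more hosts than a single /16 can hold")


def is_rfc1918(cidr):
    """True when the whole CIDR sits inside one of the RFC 1918 private ranges."""
    net = ipaddress.ip_network(cidr, strict=True)
    return any(net.subnet_of(private) for private in RFC1918)


def overlaps(cidr_a, cidr_b):
    """VPC CIDRs must not overlap with each other or with corporate networks."""
    return ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


if __name__ == "__main__":
    for subnet, first, last in split_cidr("172.22.241.128/25", 27):
        print(f"{subnet:<20} {first:<16} {last}")
    print(aws_reserved_addresses("10.0.0.0/24"))
    print("usable in a /27:", usable_addresses("10.0.0.0/27"),
          "-> 29 hosts need a /%d" % smallest_subnet_prefix(29))
```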
Adding Internet Gateway
(Diagram: Region > VPC > Availability Zone with a public subnet and a private subnet; an Internet Gateway is attached to the VPC)
Internet Gateway (IGW)
• Allows resources (e.g., EC2 instances) in a VPC to connect to the Internet
• Must be created separately from a VPC
• One VPC can only be attached to one IGW and vice versa
• Internet Gateways on their own do not allow Internet access…
• Route tables must also be edited!
Editing Route Tables
(Diagram: an Internet Gateway attached to the VPC; the public subnet's Route Table sends traffic to the IGW so the public EC2 instance, inside its security group, can reach the internet)
Bastion Hosts
• We can use a Bastion Host to SSH into our private EC2 instances
• The bastion is in the public subnet which is then connected to all other private subnets
• Bastion Host security group must allow inbound from the internet on port 22 from a restricted CIDR, for example the public CIDR of your corporation
• Security Group of the EC2 Instances must allow the Security Group of the Bastion Host, or the private IP of the Bastion host
NAT Gateway
(Diagram: the NAT Gateway sits in the public subnet with a route to the Internet Gateway; the private subnet's Route Table sends internet-bound traffic from the private EC2 instance to the NAT Gateway)
NAT Gateway
• AWS-managed NAT, higher bandwidth, high availability, no administration
• Pay per hour for usage and bandwidth
• NATGW is created in a specific Availability Zone, uses an Elastic IP
• Requires an IGW (Private Subnet => NATGW => IGW)
• 5 Gbps of bandwidth with automatic scaling up to 100 Gbps
• No Security Groups to manage / required
Network Access Control List (NACL)
• NACLs are like a firewall that controls traffic to and from subnets
• One NACL per subnet; new subnets are assigned the Default NACL
• Can have ALLOW and DENY rules
• Rules only include IP addresses
• NACLs are a great way of blocking a specific IP address at the subnet level
NACLs
(Diagram: the previous architecture with one NACL attached to the public subnet and another to the private subnet)
Default NACL
• Accepts everything inbound/outbound with the subnets it’s associated with
• Do NOT modify the Default NACL, instead create custom NACLs
Security Group vs. NACLs
Security Group | NACL
Operates at the instance level | Operates at the subnet level
Supports allow rules only | Supports allow rules and deny rules
Stateful: return traffic is automatically allowed, regardless of any rules | Stateless: return traffic must be explicitly allowed by rules (think of ephemeral ports)
All rules are evaluated before deciding whether to allow traffic | Rules are evaluated in order (lowest to highest) when deciding whether to allow traffic; first match wins
Applies to an EC2 instance when specified by someone | Automatically applies to all EC2 instances in the subnet that it’s associated with
You usually only need a security group to establish connectivity to your AWS resources.
In most cases, a NACL isn’t necessary; it’s only required when your system has strict security requirements.
Source: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html
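A small simulator of the table above, added here and not part of the course material: NACL rules are evaluated lowest number first with the first match winning, and nothing is remembered between packets, so the reply on the client's ephemeral port needs its own outbound rule; a security group only needs the request allowed. The rule numbers, CIDRs and ports are constructed.

```python
"""Security group (stateful, allow only) vs. NACL (stateless, ordered allow/deny).

Added example, not part of the course slides. The rule sets, CIDRs and ports
below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int        # NACL rules are evaluated from the lowest number upward
    protocol: str      # "tcp", "udp" or "all"
    cidr: str          # source CIDR for inbound rules, destination CIDR for outbound
    port_from: int
    port_to: int
    action: str        # "allow" or "deny"

    def matches(self, protocol, address, port):
        if self.protocol not in ("all", protocol):
            return False
        if ipaddress.ip_address(address) not in ipaddress.ip_network(self.cidr):
            return False
        return self.port_from <= port <= self.port_to


def evaluate_nacl(rules, protocol, address, port):
    """First matching rule wins; the implicit final rule ('*') denies everything."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(protocol, address, port):
            return rule.action
    return "deny"


def nacl_tcp_exchange_allowed(inbound, outbound, client_ip, client_port, server_port):
    """A NACL is stateless, so a TCP exchange needs two separate decisions: the
    request (inbound, client -> server_port) and the reply (outbound, server ->
    the client's ephemeral port)."""
    request = evaluate_nacl(inbound, "tcp", client_ip, server_port)
    reply = evaluate_nacl(outbound, "tcp", client_ip, client_port)
    return request == "allow" and reply == "allow"


def sg_tcp_exchange_allowed(inbound_allows, client_ip, server_port):
    """A security group has allow rules only and is stateful: once the request is
    allowed, the reply is allowed automatically (outbound rules are not consulted)."""
    return any(r.matches("tcp", client_ip, server_port) for r in inbound_allows)


# Constructed custom NACL for a public subnet that serves HTTPS.
INBOUND = [
    Rule(90, "tcp", "198.51.100.7/32", 0, 65535, "deny"),   # block one address at the subnet level
    Rule(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),
]
OUTBOUND_FORGOT_EPHEMERAL = [
    Rule(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),       # only lets the subnet *initiate* HTTPS
]
OUTBOUND_FIXED = OUTBOUND_FORGOT_EPHEMERAL + [
    Rule(110, "tcp", "0.0.0.0/0", 1024, 65535, "allow"),    # replies to the clients' ephemeral ports
]
SG_INBOUND = [Rule(0, "tcp", "0.0.0.0/0", 443, 443, "allow")]   # the number is irrelevant for a SG


if __name__ == "__main__":
    client, ephemeral = "203.0.113.5", 50000
    print("NACL, no ephemeral rule:", nacl_tcp_exchange_allowed(INBOUND, OUTBOUND_FORGOT_EPHEMERAL, client, ephemeral, 443))
    print("NACL, fixed:            ", nacl_tcp_exchange_allowed(INBOUND, OUTBOUND_FIXED, client, ephemeral, 443))
    print("security group:         ", sg_tcp_exchange_allowed(SG_INBOUND, client, 443))
    print("blocked address:        ", nacl_tcp_exchange_allowed(INBOUND, OUTBOUND_FIXED, "198.51.100.7", ephemeral, 443))
```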
VPC Peering
• Privately connect two VPCs using AWS’ network
• Make them behave as if they were in the same network
• Must not have overlapping CIDRs
• VPC Peering connection is NOT transitive (must be established for each pair of VPCs that need to communicate with one another)
• You must update route tables in each VPC’s subnets to ensure EC2 instances can communicate with each other
(Diagram: VPC - A, VPC - B and VPC - C with peering connections A - B, A - C and B - C)
VPC Peering
(Diagram: the previous architecture with a VPC Peering Connection attached to the VPC)
VPC Endpoints
(Diagram: the previous architecture with a VPC Endpoint giving the private EC2 instance private access to S3, DynamoDB and CloudWatch)
VPC Endpoints
• Every AWS service is publicly exposed (public URL)
• VPC Endpoints (powered by AWS PrivateLink) allow you to connect to AWS services using a private network instead of the public Internet
• They’re redundant and scale horizontally
• They remove the need for an IGW, NATGW, … to access AWS services
• In case of issues:
• Check DNS Setting Resolution in your VPC
• Check Route Tables
(Diagram: a private EC2 instance reaching Amazon SNS through a VPC Endpoint)
Types of Endpoints
• Interface Endpoints (powered by PrivateLink)
• Provisions an ENI (private IP address) as an entry point (must attach a Security Group)
• Supports most AWS services
• $ per hour + $ per GB of data processed
• Gateway Endpoints
• Provisions a gateway and must be used as a target in a route table (does not use security groups)
• Supports both S3 and DynamoDB
• Free
(Diagram: an Interface endpoint is an ENI in the private subnet through which the EC2 instance reaches Amazon SNS; a Gateway endpoint is a route-table target through which the EC2 instance reaches S3 or DynamoDB)
VPC Flow Logs
• Capture information about IP traffic going into your interfaces:
• VPC Flow Logs
• Subnet Flow Logs
• Elastic Network Interface (ENI) Flow Logs
• Helps to monitor & troubleshoot connectivity issues
• Flow logs data can go to S3, CloudWatch Logs, and Kinesis Data Firehose
• Captures network information from AWS managed interfaces too: ELB, RDS, ElastiCache, Redshift, WorkSpaces, NATGW, Transit Gateway…
VPC Flow Logs
(Diagram: the previous architecture with VPC Flow Logs enabled on the VPC)
VPC Flow Logs Syntax
• srcaddr & dstaddr – help identify problematic IPs
• srcport & dstport – help identify problematic ports
• Action – success or failure of the request due to Security Group / NACL
• Can be used for analytics on usage patterns, or malicious behavior
• Query VPC flow logs using Athena on S3 or CloudWatch Logs Insights
• Flow Logs examples: https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-records-examples.html
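The fields listed above, applied by an added example (not part of the course material) that parses constructed default-format flow-log records and pulls out REJECTed flows per source address, the kind of query you would otherwise run in Athena or CloudWatch Logs Insights. The account ID, ENI ID and addresses are placeholders.

```python
"""Parse default-format VPC Flow Log records and surface REJECTed traffic.

Added example, not part of the course slides. The log lines are constructed
samples in the default (version 2) record format; account ID, ENI ID and
addresses are placeholders.
"""
from collections import Counter, defaultdict

# Default record format, field order as documented in the flow-logs examples.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}
TCP = 6

SAMPLE_LOG = """\
2 111122223333 eni-0123456789abcdef0 203.0.113.12 10.0.1.25 51000 22 6 3 180 1700000000 1700000060 REJECT OK
2 111122223333 eni-0123456789abcdef0 203.0.113.12 10.0.1.25 51001 3389 6 3 180 1700000000 1700000060 REJECT OK
2 111122223333 eni-0123456789abcdef0 203.0.113.12 10.0.1.25 51002 445 6 3 180 1700000000 1700000060 REJECT OK
2 111122223333 eni-0123456789abcdef0 198.51.100.8 10.0.1.25 44321 443 6 20 4249 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0123456789abcdef0 10.0.1.25 198.51.100.8 443 44321 6 18 9000 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0123456789abcdef0 192.0.2.77 10.0.1.25 60000 22 6 2 120 1700000000 1700000060 REJECT OK
2 111122223333 eni-0123456789abcdef0 - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_record(line):
    """One space-separated record -> dict; '-' (no data) becomes None for numeric fields."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    record = dict(zip(FIELDS, parts))
    for field in INT_FIELDS:
        record[field] = None if record[field] == "-" else int(record[field])
    return record


def parse_records(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def reject_summary(records, protocol=TCP):
    """Per source address: how many flows were REJECTed (by a security group or
    NACL) and which destination ports they were aimed at."""
    counts, ports = Counter(), defaultdict(set)
    for r in records:
        if r["action"] == "REJECT" and r["protocol"] == protocol:
            counts[r["srcaddr"]] += 1
            ports[r["srcaddr"]].add(r["dstport"])
    return {src: {"rejects": n, "dst_ports": sorted(ports[src])} for src, n in counts.items()}


def suspected_port_scanners(records, min_distinct_ports=3):
    """Sources whose rejected flows touched at least `min_distinct_ports` different ports."""
    summary = reject_summary(records)
    return sorted(src for src, s in summary.items() if len(s["dst_ports"]) >= min_distinct_ports)


def bytes_by_pair(records):
    """Accepted bytes per (srcaddr, dstaddr) pair: a quick usage-pattern view."""
    totals = Counter()
    for r in records:
        if r["action"] == "ACCEPT":
            totals[(r["srcaddr"], r["dstaddr"])] += r["bytes"]
    return dict(totals)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print(reject_summary(recs))
    print("suspected scanners:", suspected_port_scanners(recs))
    print(bytes_by_pair(recs))
```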
VPC Flow Logs – Architectures
AWS Site-to-Site VPN
(Diagram: a Corporate data center with a Server and a Customer Gateway, connected over a Site-to-Site (S2S) VPN Connection to a VPN Gateway on the VPC, reaching a private EC2 instance)
Site to Site VPN & Direct Connect
• Site to Site VPN
• Connect an on-premises VPN to AWS
• The connection is automatically encrypted
• Goes over the public internet
• Direct Connect (DX)
• Establish a physical connection between on-premises and AWS
• The connection is private, secure and fast
• Goes over a private network
• Takes at least a month to establish
Site-to-Site VPN connection as a backup
• In case Direct Connect fails, you can set up a backup Direct Connect connection (expensive), or a Site-to-Site VPN connection
VPC Section Summary (1/2)
• CIDR – IP Range
• VPC – Virtual Private Cloud
• Subnets – tied to an AZ, we define a CIDR
• Internet Gateway – at the VPC level, provide IPv4 & IPv6 Internet Access
• Route Tables – must be edited to add routes from subnets to the IGW, VPC Peering Connections, VPC Endpoints, …
• Bastion Host – public EC2 instance to SSH into, that has SSH connectivity to EC2 instances in private subnets
• NAT Gateway – managed by AWS, provides scalable Internet access to private EC2 instances, when the target is an IPv4 address
VPC Section Summary (2/2)
• NACL – stateless, subnet rules for inbound and outbound, don’t forget Ephemeral Ports
• Security Groups – stateful, operate at the EC2 instance level
• VPC Peering – connect two VPCs with non-overlapping CIDRs, non-transitive
• VPC Endpoints – provide private access to AWS Services (S3, DynamoDB, CloudFormation, SSM) within a VPC
• VPC Flow Logs – can be set up at the VPC / Subnet / ENI level, for ACCEPT and REJECT traffic, helps identify attacks, analyze using Athena or CloudWatch Logs Insights
• Site-to-Site VPN – VPN over public internet between on-premises DC and AWS
• Direct Connect – establish a direct private connection from on-premises to AWS
S3 Data Transfer Pricing
https://blog.cloudmentor.pro/blog/aws/common-data-transfer-cost
Exercise
• Networking - VPC
Section 6
• CloudFront
• ECS, ECR & Fargate - Docker in AWS
Amazon CloudFront
Amazon CloudFront
• Content Delivery Network (CDN)
• Improves read performance, content is cached at the edge
• Improves user experience
• 600+ Points of Presence globally (edge locations)
• DDoS protection (because worldwide), integration with Shield, AWS Web Application Firewall
Source: https://aws.amazon.com/cloudfront/features/?nc=sn&loc=2
CloudFront – Origins
• S3 bucket
• For distributing files and caching them at the edge
• Enhanced security with CloudFront Origin Access Control (OAC)
• OAC is replacing Origin Access Identity (OAI)
• CloudFront can be used as an ingress (to upload files to S3)
• Custom Origin (HTTP)
• Application Load Balancer
• EC2 instance
• S3 website (must first enable the bucket as a static S3 website)
• Any HTTP backend you want
CloudFront at a high level
CloudFront – S3 as an Origin
CloudFront vs S3 Cross Region Replication
• CloudFront:
• Global Edge network
• Files are cached for a TTL (maybe a day)
• Great for static content that must be available everywhere
• S3 Cross Region Replication:
• Must be set up for each region you want replication to happen
• Files are updated in near real-time
• Read only
• Great for dynamic content that needs to be available at low latency in a few regions
CloudFront Caching
• The cache lives at each CloudFront Edge Location
• CloudFront identifies each object in the cache using the Cache Key (see next slide)
• You want to maximize the Cache Hit ratio to minimize requests to the origin
• You can invalidate part of the cache using the CreateInvalidation API
What is CloudFront Cache Key?
• A unique identifier for every object in the cache
• By default, consists of hostname + resource portion of the URL
• If you have an application that serves up content that varies based on user, device, language, location…
• You can add other elements (HTTP headers, cookies, query strings) to the Cache Key using CloudFront Cache Policies
Example request (by default only the Host and the resource path form the cache key):
GET /content/stories/example-story.html?ref=123abc&split-pages=false HTTP/1.1
Host: mywebsite.com
User-Agent: Mozilla/5.0 (Mac OS X 10_15_2….)
Date: Tue, 28 Jan 2021 17:01:57 GMT
Authorization: SAPISIDHASH fdd00ecee39fe….
Keep-Alive: 300
Accept-Ranges: bytes
Cookie: session_id=12344321
CloudFront – Cache Invalidations
• In case you update the back-end origin, CloudFront doesn’t know about it and will only get the refreshed content after the TTL has expired
• However, you can force an entire or partial cache refresh (thus bypassing the TTL) by performing a CloudFront Invalidation
• You can invalidate all files (*) or a specific path (/images/*)
CloudFront – Cache Behaviors
• Configure different settings for a given URL path pattern
• Example: one specific cache behavior to images/*.jpg files on your origin web server
• Route to different kinds of origins/origin groups based on the content type or path pattern
• /images/*
• /api/*
• /* (default cache behavior)
• When adding additional Cache Behaviors, the Default Cache Behavior is always the last to be processed and is always /*
CloudFront – ALB or EC2 as an origin
CloudFront Geo Restriction
• You can restrict who can access your distribution
• Allowlist: Allow your users to access your content only if they're in one of the
countries on a list of approved countries.
• Blocklist: Prevent your users from accessing your content if they're in one of the
countries on a list of banned countries.
• The “country” is determined using a 3rd party Geo-IP database
• Use case: Copyright Laws to control access to content
CloudFront Signed URL / Signed Cookies
• You want to distribute paid shared content to premium users
• We can use CloudFront Signed URL / Cookie. We attach a policy that includes:
• URL expiration
• IP ranges allowed to access the data
• Trusted signers (which AWS accounts can create signed URLs)
• How long should the URL be valid for?
• Shared content (movie, music): make it short (a few minutes)
• Private content (private to the user): you can make it last for years
• Signed URL = access to individual files (one signed URL per file)
• Signed Cookies = access to multiple files (one signed cookie for many files)
CloudFront Signed URL Diagram
CloudFront - Pricing
• CloudFront Edge locations are all around the world
• The cost of data out per edge location varies
CloudFront – Price Classes
• You can reduce the number of edge locations for cost reduction
• Three price classes:
1. Price Class All: all regions – best performance
2. Price Class 200: most regions, but excludes the most expensive regions
3. Price Class 100: only the least expensive regions
CloudFront - Price Class
(Map: edge locations grouped by price class, Price Class 100 through Price Class All)
Containers on AWS
ECS, Fargate, ECR & EKS
What is Docker?
• Docker is a software development platform to deploy apps
• Apps are packaged in containers that can be run on any OS
• Apps run the same, regardless of where they’re run
• Any machine
• No compatibility issues
• Predictable behavior
• Less work
• Easier to maintain and deploy
• Works with any language, any OS, any technology
• Use cases: microservices architecture, lift-and-shift apps from on-premises to the AWS cloud, …
Docker on an OS
Where are Docker images stored?
• Docker images are stored in Docker Repositories
• Docker Hub (https://hub.docker.com)
• Public repository
• Find base images for many technologies or OS (e.g., Ubuntu, MySQL, …)
• Amazon ECR (Amazon Elastic Container Registry)
• Private repository
• Public repository (Amazon ECR Public Gallery https://gallery.ecr.aws)
Docker vs. Virtual Machines
• Docker is “sort of“ a virtualization technology, but not exactly
• Resources are shared with the host => many containers on one server
Getting Started with Docker
Docker Containers Management on AWS
• Amazon Elastic Container Service (Amazon ECS)
• Amazon’s own container platform
• Amazon Elastic Kubernetes Service (Amazon EKS)
• Amazon’s managed Kubernetes (open source)
• AWS Fargate
• Amazon’s own Serverless container platform
• Works with ECS and with EKS
• Amazon ECR:
• Store container images
ECS Use Cases
• Microservices
• Advantages of deploying on ECS
• Crash isolation
• Increased security profile
• Independent scaling
• Easy to roll back
ECS Use Cases
• Batch jobs
ECS Cluster
• A Cluster is a group of services and tasks.
• You MUST create a cluster first!
ECS Task
• Basic unit of work in ECS
• One or more containers per Task
• Running container with settings specified by Task Definition
• Sidecar container
(Diagram: Task Definition → run → Task inside the VPC; each Task contains an App container and a Firelens sidecar container, with CloudWatch Logs and S3 as log destinations)
ECS Task in comparison to EC2
(Diagram: EC2 instance side by side with an ECS task)
Amazon ECS – Task Definitions
• The task definition is a text file, in JSON format, that describes one or more containers to run in a task.
• It contains crucial information, such as:
• Image Name
• Port Binding for Container and Host
• Memory and CPU required
• Environment variables
• Networking information
• IAM Role
• Logging configuration (e.g., CloudWatch)
• Up to 10 containers in a Task Definition
Amazon ECS
One IAM Role per Task Definition
Amazon ECS – Platform for running task
• ECS currently offers 3 ways to run your task:
• EC2 launch type
• Fargate launch type
• External launch type
Amazon ECS - EC2 Launch Type
• ECS tasks are launched in your EC2 instances
• You must provision & maintain the infrastructure (the EC2 instances), as ECS cannot create tasks when running out of EC2 resource capacity
• Each EC2 Instance must run the ECS Agent to register in the ECS Cluster
• AWS takes care of starting / stopping containers
ECS Agent
• ECS agent is installed on each ECS EC2 (container) instance
• ECS agent handles incoming requests for container deployment
• ECS agent handles the lifecycle of containers
• ECS agent is installed by default when using the ECS AMI
(Diagram: the ECS agent on a container instance talking to ECS, ECR, CloudWatch Logs, Amazon S3 and DynamoDB)
Amazon ECS – IAM Roles for ECS
• EC2 Instance Profile (EC2 Launch Type only):
• Used by the ECS agent
• Makes API calls to ECS service
• Send container logs to CloudWatch Logs
• Pull Docker image from ECR
• Reference sensitive data in Secrets Manager or SSM Parameter Store
• ECS Task Role:
• Allows each task to have a specific role
• Use different roles for the different ECS Services you run
• Task Role is defined in the task definition
(Diagram: the instance profile is used towards ECS, ECR and CloudWatch Logs; the task role is used by the task towards services such as Amazon S3 and DynamoDB)
Amazon ECS – Fargate Launch Type
• ECS tasks are launched to Fargate (Managed by AWS)
• You do not provision the infrastructure (no EC2 instances to manage)
• It’s all Serverless!
• You just create task definitions
• AWS just runs ECS Tasks for you based on the CPU / RAM you need
• To scale, just increase the number of tasks. Simple - no more EC2 instances
Amazon ECS – External Launch Type
• ECS tasks are launched to your external instances (e.g., on-premises)
• You are responsible for provisioning & maintaining your external instances
• AWS takes care of managing your tasks
ECS Service
• A Service supervises tasks. Its job is to keep tasks running
• Launches tasks to maintain the scheduling strategy
• Exposes tasks to the outside world
• Directs network traffic to the correct host and port
Amazon ECS – Load Balancer Integrations
• Application Load Balancer supported and works for most use cases
• Network Load Balancer recommended only for high throughput / high performance use cases, or to pair it with AWS PrivateLink
• Classic Load Balancer supported but not recommended (no advanced features – no Fargate)
Amazon ECS – Data Volumes (EFS)
• Mount EFS file systems onto ECS tasks
• Works for both EC2 and Fargate launch types
• Tasks running in any AZ will share the same data in the EFS file system
• Fargate + EFS = Serverless
• Use cases: persistent multi-AZ shared storage for your containers
• Note:
• Amazon S3 cannot be mounted as a file system
ECS Service Auto Scaling
• Automatically increase/decrease the desired number of ECS tasks
• Amazon ECS Auto Scaling uses AWS Application Auto Scaling
• ECS Service Average CPU Utilization
• ECS Service Average Memory Utilization - Scale on RAM
• ALB Request Count Per Target – metric coming from the ALB
• Target Tracking – scale based on target value for a specific CloudWatch metric
• Step Scaling – scale based on a specified CloudWatch Alarm
• Scheduled Scaling – scale based on a specified date/time (predictable changes)
• ECS Service Auto Scaling (task level) ≠ EC2 Auto Scaling (EC2 instance level)
• Fargate Auto Scaling is much easier to set up (because Serverless)
EC2 Launch Type – Auto Scaling EC2 Instances
• Accommodate ECS Service Scaling by adding underlying EC2 Instances
• Auto Scaling Group Scaling
• Scale your ASG based on CPU Utilization
• Add EC2 instances over time
• ECS Cluster Capacity Provider
• Used to automatically provision and scale the infrastructure for your ECS Tasks
• Capacity Provider paired with an Auto Scaling Group
• Add EC2 Instances when you’re missing capacity (CPU, RAM…)
ECS Scaling – Service CPU Usage Example
ECS Rolling Updates
• When updating from v1 to v2, we can control how many tasks can be started and stopped, and in which order
ECS Rolling Update – Min 50%, Max 100%
• Starting number of tasks: 4
(Diagram: the four tasks move from V1 to V2 in stages; at every stage at least 2 tasks (50%) are running and never more than 4 (100%))
ECS Rolling Update – Min 100%, Max 150%
• Starting number of tasks: 4
(Diagram: the four tasks move from V1 to V2 in stages; at every stage at least 4 tasks (100%) are running and up to 6 (150%), so V2 tasks are started before V1 tasks are stopped)
ECS tasks invoked by EventBridge
ECS tasks invoked by EventBridge Schedule
ECS – SQS Queue Example
ECS – Intercept Stopped Tasks using EventBridge
Amazon ECS – Load Balancing (EC2 Launch Type)
• You get a Dynamic Host Port Mapping if you define only the container port in the task definition
• The ALB finds the right port on your EC2 Instances
• You must allow on the EC2 instance’s Security Group any port from the ALB’s Security Group
Amazon ECS – Load Balancing (Fargate)
• Each task has a unique private IP
• Only define the container port (host port is not applicable)
• Example
• ECS ENI Security Group
• Allow port 80 from the ALB
• ALB Security Group
• Allow port 80/443 from web
Amazon ECS – Environment Variables
• Environment Variable
• Hardcoded – e.g., URLs
• SSM Parameter Store – sensitive variables (e.g., API keys, shared configs)
• Secrets Manager – sensitive variables (e.g., DB passwords)
• Environment Files (bulk) – Amazon S3
(Diagram: the Task Definition fetches values from SSM Parameter Store, Secrets Manager and an S3 Bucket)
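An added check (not part of the course material, and not an ECS API) that reads a task definition as a plain dict and reports hardcoded sensitive environment variables, missing task/execution roles and missing log configuration, tying this slide to the Task Definitions and IAM Roles slides above. The two task definitions are constructed samples with placeholder ARNs, account ID and region.

```python
"""Lint an ECS task definition for the practices on these slides: sensitive
values come from SSM Parameter Store / Secrets Manager via `secrets`, not
hardcoded `environment` entries; the task has its own role; secrets need an
execution role; logging is configured; at most 10 containers.

Added example, not part of the course slides and not an ECS API. The task
definitions below are constructed; ARNs, account ID and region are placeholders.
"""
import re

MAX_CONTAINERS = 10
SENSITIVE_NAME = re.compile(r"(password|passwd|secret|token|api[_-]?key|private[_-]?key)", re.IGNORECASE)
# This check insists on full ARNs for valueFrom (SSM parameter or Secrets Manager secret).
SECRET_ARN = re.compile(r"^arn:aws:(ssm:[a-z0-9-]+:\d{12}:parameter/|secretsmanager:[a-z0-9-]+:\d{12}:secret:)")


def check_task_definition(td):
    """Return a list of findings; an empty list means nothing to fix."""
    findings = []
    containers = td.get("containerDefinitions", [])
    if not containers:
        findings.append("no containerDefinitions")
    if len(containers) > MAX_CONTAINERS:
        findings.append(f"{len(containers)} containers; a task definition holds at most {MAX_CONTAINERS}")
    if not td.get("taskRoleArn"):
        findings.append("no taskRoleArn: the task has no IAM role of its own")
    if any(c.get("secrets") for c in containers) and not td.get("executionRoleArn"):
        findings.append("secrets are referenced but executionRoleArn is missing (ECS needs it to fetch them)")
    for c in containers:
        name = c.get("name", "?")
        for env in c.get("environment", []):
            if SENSITIVE_NAME.search(env.get("name", "")):
                findings.append(f"{name}: '{env['name']}' is hardcoded in environment; move it to secrets/valueFrom")
        for secret in c.get("secrets", []):
            if not SECRET_ARN.match(secret.get("valueFrom", "")):
                findings.append(f"{name}: secret '{secret.get('name')}' valueFrom is not an SSM/Secrets Manager ARN")
        if not c.get("logConfiguration"):
            findings.append(f"{name}: no logConfiguration (e.g. awslogs driver to CloudWatch Logs)")
    return findings


_APP = {
    "name": "app",
    "image": "111122223333.dkr.ecr.us-east-1.amazonaws.com/demo:latest",
    "portMappings": [{"containerPort": 80}],   # no hostPort: dynamic host port mapping on EC2
}

# Before: the DB password sits in plain environment, readable by anyone allowed to describe the task definition.
BEFORE = {
    "family": "demo",
    "taskRoleArn": "arn:aws:iam::111122223333:role/demo-task-role",
    "containerDefinitions": [{
        **_APP,
        "environment": [
            {"name": "API_URL", "value": "https://api.example.com"},
            {"name": "DB_PASSWORD", "value": "placeholder-not-a-real-password"},
        ],
    }],
}

# After: sensitive values are fetched at launch through the execution role; logs go to CloudWatch Logs.
AFTER = {
    "family": "demo",
    "taskRoleArn": "arn:aws:iam::111122223333:role/demo-task-role",
    "executionRoleArn": "arn:aws:iam::111122223333:role/demo-execution-role",
    "containerDefinitions": [{
        **_APP,
        "environment": [{"name": "API_URL", "value": "https://api.example.com"}],
        "secrets": [
            {"name": "DB_PASSWORD", "valueFrom": "arn:aws:secretsmanager:us-east-1:111122223333:secret:demo/db-AbCdEf"},
            {"name": "API_KEY", "valueFrom": "arn:aws:ssm:us-east-1:111122223333:parameter/demo/api-key"},
        ],
        "logConfiguration": {
            "logDriver": "awslogs",
            "options": {"awslogs-group": "/ecs/demo", "awslogs-region": "us-east-1", "awslogs-stream-prefix": "app"},
        },
    }],
}

if __name__ == "__main__":
    for label, td in (("before", BEFORE), ("after", AFTER)):
        print(label, check_task_definition(td) or ["ok"])
```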
Amazon ECR
• ECR = Elastic Container Registry
• Store and manage Docker images on AWS
• Private and Public repository (Amazon ECR Public Gallery https://gallery.ecr.aws)
• Fully integrated with ECS, backed by Amazon S3
• Access is controlled through IAM (permission errors => policy)
• Supports image vulnerability scanning, versioning, image tags, image lifecycle, …
Amazon ECR – Using AWS CLI
• Login Command
• AWS CLI v2
aws ecr get-login-password --region region | docker login --username AWS --password-stdin aws_account_id.dkr.ecr.region.amazonaws.com
• Docker Commands
• Push
docker push aws_account_id.dkr.ecr.region.amazonaws.com/demo:latest
• Pull
docker pull aws_account_id.dkr.ecr.region.amazonaws.com/demo:latest
• In case an EC2 instance (or you) can’t pull a Docker image, check IAM permissions
Amazon EKS Overview
• Amazon EKS = Amazon Elastic Kubernetes Service
• It is a way to launch managed Kubernetes clusters on AWS
• Kubernetes is an open-source system for automatic deployment, scaling and management of containerized (usually Docker) applications
• It’s an alternative to ECS, similar goal but different API
• EKS supports EC2 if you want to deploy worker nodes or Fargate to deploy serverless containers
• Use case: if your company is already using Kubernetes on-premises or in another cloud, and wants to migrate to AWS using Kubernetes
• Kubernetes is cloud-agnostic (can be used in any cloud – Azure, GCP…)
• For multiple regions, deploy one EKS cluster per region
• Collect logs and metrics using CloudWatch Container Insights
Amazon EKS - Diagram
Amazon EKS – Node Types
• Managed Node Groups
• Creates and manages Nodes (EC2 instances) for you
• Nodes are part of an ASG managed by EKS
• Supports On-Demand or Spot Instances
• Self-Managed Nodes
• Nodes created by you and registered to the EKS cluster and managed by an ASG
• You can use prebuilt AMI - Amazon EKS Optimized AMI
• Supports On-Demand or Spot Instances
• AWS Fargate
• No maintenance required; no nodes managed
Amazon EKS – Data Volumes
• Need to specify Storage Class manifest on your EKS cluster
• Leverages a Container Storage Interface (CSI) compliant driver
• Support for…
• Amazon EBS
• Amazon EFS (works with Fargate)
• Amazon FSx for Lustre
• Amazon FSx for NetApp ONTAP
AWS App Runner
• Fully managed service that makes it easy to deploy web applications and APIs at scale
• No infrastructure experience required
• Start with your source code or container image
• Automatically builds and deploys the web app
• Automatic scaling, highly available, load balancer, encryption
• VPC access support
• Connect to database, cache, and message queue services
• Use cases: web apps, APIs, microservices, rapid production deployments
DEMO
• How to Run an Application on AWS ECS: A Step-by-Step Guide
Architecture Diagram
(Diagram: a User reaches the app through Route 53 and an ALB in the public subnets of a VPC spanning AZ 1 and AZ 2; a Bastion host (SSH) and a NAT GW also sit in the public subnets; ECS Tasks run on EC2 instances in the private subnets, started by an ECS Service from a Task Definition whose image is pushed to ECR)
1. Create VPC
2. Create Bastion host
3. Create ECR and Build Docker image
4. Create ECS Cluster
5. Create Task definition
6-7. Create TG and ALB
8. Create ECS Service
9. Test app
10. Setting Route 53
(Diagram for each step: the architecture above, built up one component at a time)
Exercise
• How to Run an Application on AWS ECS: A Step-by-Step Guide
Section 7
• AWS Elastic Beanstalk
AWS Elastic Beanstalk
Deploying applications in AWS safely and predictably
Typical architecture: Web App 3-tier
Developer problems on AWS
• Managing infrastructure
• Deploying Code
• Configuring all the databases, load balancers, etc
• Scaling concerns
• Most web apps have the same architecture (ALB + ASG)
• All the developers want is for their code to run!
• Possibly, consistently across different applications and environments
Elastic Beanstalk – Overview
• Elastic Beanstalk is a developer-centric view of deploying an application on AWS
• It uses all the components we’ve seen before: EC2, ASG, ELB, RDS, …
• Managed service
• Automatically handles capacity provisioning, load balancing, scaling, application health monitoring, instance configuration, …
• Just the application code is the responsibility of the developer
• We still have full control over the configuration
• Beanstalk is free but you pay for the underlying instances
Elastic Beanstalk – Components
• Application: collection of Elastic Beanstalk components (environments, versions, configurations, …)
• Application Version: an iteration of your application code
• Environment
• Collection of AWS resources running an application version (only one application version at a time)
• Tiers: Web Server Environment Tier & Worker Environment Tier
• You can create multiple environments (dev, test, prod, …)
Elastic Beanstalk – Supported Platforms
• Go
• Java SE
• Java with Tomcat
• .NET Core on Linux
• .NET on Windows Server
• Node.js
• PHP
• Python
• Ruby
• Packer Builder
• Single Container Docker
• Multi-container Docker
• Preconfigured Docker
Web Server Tier vs. Worker Tier
Elastic Beanstalk Deployment Modes
Beanstalk Deployment Options for Updates
• All at once (deploy all in one go) – fastest, but instances aren’t available to serve traffic for a bit (downtime)
• Rolling: update a few instances at a time (bucket), and then move onto the next bucket once the first bucket is healthy
• Rolling with additional batches: like rolling, but spins up new instances to move the batch (so that the old application is still available)
• Immutable: spins up new instances in a new ASG, deploys version to these instances, and then swaps all the instances when everything is healthy
• Blue/Green: create a new environment and switch over when ready
• Traffic Splitting: canary testing – send a small % of traffic to new deployment
Elastic Beanstalk Deployment
All at once
• Fastest deployment
• Application has downtime
• Great for quick iterations in development environment
• No additional cost
Elastic Beanstalk Deployment
Rolling
• Application is running below capacity
• Can set the bucket size
• Application is running both versions simultaneously
• No additional cost
• Long deployment
Elastic Beanstalk Deployment
Rolling with additional batches
• Application is running at capacity
• Can set the bucket size
• Application is running both versions simultaneously
• Small additional cost
• Additional batch is removed at the end of the deployment
• Longer deployment
• Good for prod
Elastic Beanstalk Deployment
Immutable
• Zero downtime
• New Code is deployed to new instances on a temporary ASG
• High cost, double capacity
• Longest deployment
• Quick rollback in case of failures (just terminate new ASG)
• Great for prod
Elastic Beanstalk Deployment
Blue / Green
• Not a “direct feature” of Elastic Beanstalk
• Zero downtime and release facility
• Create a new “stage” environment and deploy v2 there
• The new environment (green) can be validated independently and rolled back if there are issues
• Route 53 can be set up using weighted policies to redirect a little bit of traffic to the stage environment
• Using Beanstalk, “swap URLs” when done with the environment test
Elastic Beanstalk – Traffic Splitting
• Canary Testing
• New application version is deployed to a temporary ASG with the same capacity
• A small % of traffic is sent to the temporary ASG for a configurable amount of time
• Deployment health is monitored
• If there’s a deployment failure, this triggers an automated rollback (very quick)
• Zero downtime
• New instances are migrated from the temporary to the original ASG
• Old application version is then terminated
Elastic Beanstalk Deployment Summary from AWS Doc
• https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/using-features.deploy-existing-version.html
Elastic Beanstalk CLI
• We can install an additional CLI called the “EB CLI” which makes working with Beanstalk from the CLI easier
• Basic commands are:
• eb create
• eb status
• eb health
• eb events
• eb logs
• eb open
• eb deploy
• eb config
• eb terminate
• It’s helpful for your automated deployment pipelines!
Elastic Beanstalk Deployment Process
• Package code as zip, and describe dependencies
• Python: requirements.txt
• Node.js: package.json
• Console: upload zip file (creates new app version), and then deploy
• CLI: create new app version using CLI (uploads zip), and then deploy
• Elastic Beanstalk will deploy the zip file on each EC2 instance, resolve dependencies and start the application
Beanstalk Lifecycle Policy
• Elastic Beanstalk can store at most 1000 application versions
• If you don’t remove old versions, you won’t be able to deploy anymore
• To phase out old application versions, use a lifecycle policy
• Based on time (old versions are removed)
• Based on space (when you have too many versions)
• Versions that are currently used won’t be deleted
• Option not to delete the source bundle in S3 to prevent data loss
Elastic Beanstalk Extensions
• A zip file containing our code must be deployed to Elastic Beanstalk
• All the parameters set in the UI can be configured with code using files
• Requirements:
• in the .ebextensions/ directory in the root of source code
• YAML / JSON format
• .config extensions (example: logging.config)
• Able to modify some default settings using: option_settings
• Ability to add resources such as RDS, ElastiCache, DynamoDB, etc…
• Resources managed by .ebextensions get deleted if the environment goes away
Elastic Beanstalk Under the Hood
• Under the hood, Elastic Beanstalk relies on CloudFormation
• CloudFormation is used to provision other AWS services (we’ll see later)
• Use case: you can define CloudFormation resources in your .ebextensions to provision ElastiCache, an S3 bucket, anything you want!
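As an added example (not from the course materials), here is one `.ebextensions` config file that sets the deployment options discussed above through option_settings and adds a CloudFormation-managed bucket, which is the "under the hood" relationship just described; the file name, option values and resource names are all hypothetical.

```yaml
# .ebextensions/01-app.config  (added example, not from the course; names are hypothetical)
# Everything under option_settings maps to settings you would otherwise set in the console.
option_settings:
  aws:elasticbeanstalk:command:
    # AllAtOnce | Rolling | RollingWithAdditionalBatch | Immutable | TrafficSplitting
    DeploymentPolicy: RollingWithAdditionalBatch
    BatchSizeType: Percentage
    BatchSize: 25                       # the "bucket" size from the Rolling slides
  aws:elasticbeanstalk:healthreporting:system:
    SystemType: enhanced                # health data the deployment uses to decide on rollback
  aws:elasticbeanstalk:application:environment:
    APP_ENV: production
    # Intrinsic functions are allowed in option values when wrapped in backticks,
    # so the app learns the generated bucket name without hardcoding it.
    UPLOAD_BUCKET: '`{"Ref": "UploadBucket"}`'

# Resources use plain CloudFormation syntax because the environment is a CloudFormation stack.
Resources:
  UploadBucket:
    Type: AWS::S3::Bucket
    # Without this, the bucket is deleted together with the environment
    # ("Resources managed by .ebextensions get deleted if the environment goes away").
    DeletionPolicy: Retain
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
```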
Elastic Beanstalk Cloning
• Clone an environment with the exact same configuration
• Useful for deploying a “test” version of your application
• All resources and configuration are preserved:
• Load Balancer type and configuration
• RDS database type (but the data is not preserved)
• Environment variables
• After cloning an environment, you can change settings
Elastic Beanstalk Migration: Load Balancer
• After creating an Elastic Beanstalk environment, you cannot change the Elastic Load Balancer type (only the configuration)
• To migrate:
1. Create a new environment with the same configuration except LB (can’t clone)
2. Deploy your application onto the new environment
3. Perform a CNAME swap or Route 53 update
RDS with Elastic Beanstalk
• RDS can be provisioned with Beanstalk, which is great for dev / test
• This is not great for prod as the database lifecycle is tied to the Beanstalk environment lifecycle
• The best for prod is to separately create an RDS database and provide our EB application with the connection string
Elastic Beanstalk Migration: Decouple RDS
1. Create a snapshot of RDS DB (as a safeguard)
2. Go to the RDS console and protect the RDS database from deletion
3. Create a new Elastic Beanstalk environment, without RDS, point your application to existing RDS
4. Perform a CNAME swap (blue/green) or Route 53 update, confirm working
5. Terminate the old environment (RDS won’t be deleted)
6. Delete CloudFormation stack (in DELETE_FAILED state)
Exercise
• Blue/Green Deployments with Elastic Beanstalk
Section 8
• AWS CloudFormation
AWS CloudFormation
Managing your infrastructure as code
AWS CloudFormation
• CloudFormation is a declarative way of outlining your AWS Infrastructure, for any resources (most of them are supported)
• For example, within a CloudFormation template, you say:
• I want a security group
• I want two EC2 instances using this security group
• I want two Elastic IPs for these EC2 instances
• I want an S3 bucket
• I want a load balancer (ELB) in front of these EC2 instances
• Then CloudFormation creates those for you, in the right order, with the exact configuration that you specify
CloudFormation – Template Example
Benefits of AWS CloudFormation (1/2)
• Infrastructure as code
• No resources are manually created, which is excellent for control
• The code can be version controlled for example using Git
• Changes to the infrastructure are reviewed through code
• Cost
• Each resource within the stack is tagged with an identifier so you can easily see how much a stack costs you
• You can estimate the costs of your resources using the CloudFormation template
• Savings strategy: in Dev, you could automate deletion of the stack at 5 PM and re-creation at 8 AM, safely
Benefits of AWS CloudFormation (2/2)
• Productivity
• Ability to destroy and re-create an infrastructure on the cloud on the fly
• Automated generation of Diagram for your templates!
• Declarative programming (no need to figure out ordering and orchestration)
• Separation of concerns: create many stacks for many apps, and many layers. Ex:
• VPC stacks
• Network stacks
• App stacks
• Don’t re-invent the wheel
• Leverage existing templates on the web!
• Leverage the documentation
How CloudFormation Works
• Templates must be uploaded in S3 and then referenced in CloudFormation
• To update a template, we can’t edit previous ones. We have to re-upload a new version of the template to AWS
• Stacks are identified by a name
• Deleting a stack deletes every single artifact that was created by CloudFormation.
Deploying CloudFormation Templates
• Manual way
• Editing templates in Application Composer or code editor
• Using the console to input parameters, etc…
• We’ll mostly do this way in the course for learning purposes
• Automated way
• Editing templates in a YAML file
• Using the AWS CLI (Command Line Interface) to deploy the templates, or using a Continuous Delivery (CD) tool
• Recommended way when you want to fully automate your CloudFormation flow
CloudFormation – Building Blocks
• Template’s Components
• AWSTemplateFormatVersion – identifies the capabilities of the template “2010-09-09”
• Description – comments about the template
• Resources (MANDATORY) – your AWS resources declared in the template
• Parameters – the dynamic inputs for your template
• Mappings – the static variables for your template
• Outputs – references to what has been created
• Conditionals – list of conditions to perform resource creation
• Template’s Helpers
• References
• Functions
Introductory Example
• We’re going to create a simple EC2 instance
• And we’re going to add a security group to it
• For now, forget about the code syntax
• We’ll look at the structure of the files later
• We’ll see how in no time, we are able to get started with CloudFormation!
• https://github.com/phongaws/aws-dva-code-2023/blob/main/cloudformation/Exercise/1.simple.ec2.yaml
YAML Crash Course
• YAML and JSON are the languages you can use for CloudFormation
• JSON is horrible for CF
• YAML is great in so many ways
• Let’s learn a bit about it!
• Key-value pairs
• Nested objects
• Supports arrays
• Multi-line strings
• Can include comments
CloudFormation – Resources
• Resources are the core of your CloudFormation template (MANDATORY)
• They represent the different AWS Components that will be created and configured
• Resources are declared and can reference each other
• AWS figures out creation, updates and deletes of resources for us
• There are over 700 types of resources (!)
• Resource type identifiers are of the form: service-provider::service-name::data-type-name
How do I find Resources documentation?
• I can’t teach you all the 700+ resources, but I can teach you how to learn how to use them
• All the resources can be found here: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html
• Then, we just read the docs
• Example here (for an EC2 instance): https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-instance.html
Analysis of CloudFormation Template
• Going back to the example of the introductory lecture, let’s learn why it was written this way.
• Relevant documentation can be found here:
• https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-instance.html
• https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-securitygroup.html
• http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-eip.html
CloudFormation – Resources FAQ
• Can I create a dynamic number of resources?
➢ Yes, you can by using CloudFormation Macros and Transform
➢ It is not in the scope of this course
• Is every AWS Service supported?
➢ Almost. Only a select few niches are not there yet
➢ You can work around that using CloudFormation Custom Resources
CloudFormation – Parameters
• Parameters are a way to provide inputs to your AWS CloudFormation template
• They’re important to know about if:
• You want to reuse your templates across the company
• Some inputs cannot be determined ahead of time
• Parameters are extremely powerful, controlled, and can prevent errors from happening in your templates, thanks to types
When should you use a Parameter?
• Ask yourself this:
• Is this CloudFormation resource configuration likely to change in the future?
• If so, make it a parameter
• You won’t have to re-upload a template to change its content
CloudFormation – Parameters Settings
• Parameters can be controlled by all these settings:
• Type:
• String
• Number
• CommaDelimitedList
• List<Number>
• AWS-Specific Parameter (to help catch invalid values – match against existing values in the AWS account)
• List<AWS-Specific Parameter>
• SSM Parameter (get parameter value from SSM Parameter store)
• Description
• ConstraintDescription (String)
• Min/MaxLength
• Min/MaxValue
• Default
• AllowedValues (array)
• AllowedPattern (regex)
• NoEcho (Boolean)
CloudFormation – Parameters Example
How to Reference a Parameter?
• The Fn::Ref function can be leveraged to reference parameters
• Parameters can be used anywhere in a template
• The shorthand for this in YAML is !Ref
• The function can also reference other elements within the template
CloudFormation – Pseudo Parameters
• AWS offers us Pseudo Parameters in any CloudFormation template
• These can be used at any time and are enabled by default
• Important pseudo parameters:
CloudFormation – Mappings
• Mappings are fixed variables within your CloudFormation template
• They’re very handy to differentiate between different environments (dev vs prod), regions (AWS regions), AMI types…
• All the values are hardcoded within the template
Accessing Mapping Values (Fn::FindInMap)
• We use Fn::FindInMap to return a named value from a specific key
• !FindInMap [ MapName, TopLevelKey, SecondLevelKey ]
• Mappings work great for AMIs because AMIs are region-specific!
When would you use Mappings vs. Parameters?
• Mappings are great when you know in advance all the values that can be taken and that they can be deduced from variables such as
• Region
• Availability Zone
• AWS Account
• Environment (dev vs prod)
• etc…
• They allow safer control over the template
• Use parameters when the values are really user specific
CloudFormation – Outputs
• The Outputs section declares optional output values that we can import into other stacks (if you export them first)!
• You can also view the outputs in the AWS Console or using the AWS CLI
• They’re very useful for example if you define a network CloudFormation stack, and output variables such as the VPC ID and your Subnet IDs
• It’s the best way to perform some collaboration cross-stack, as you let experts handle their own part of the stack
CloudFormation – Outputs
• Creating an SSH Security Group as part of one template
• We create an output that references that security group
CloudFormation – Outputs Cross-Stack Reference
• We then create a second template that leverages that security group
• For this, we use the Fn::ImportValue function
• You can’t delete the underlying stack until all the references are deleted
CloudFormation – Conditions
• Conditions are used to control the creation of resources or outputs based on a condition
• Conditions can be whatever you want them to be, but common ones are:
• Environment (dev / test / prod)
• AWS Region
• Any parameter value
• Each condition can reference another condition, parameter value or mapping
How to define a Condition
• The logical ID is for you to choose. It’s how you name the condition
• The intrinsic function (logical) can be any of the following:
• Fn::And
• Fn::Equals
• Fn::If
• Fn::Not
• Fn::Or
How to use a Condition
• Conditions can be applied to resources / outputs / etc…
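The following template is an added example, not the course's own code: it pulls the Parameters settings, pseudo parameters, Mappings, Conditions and Outputs from the preceding slides into one base stack. All logical names are hypothetical and the AMI ids are placeholders.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Base network stack (added example, not the course's template; names are hypothetical)

Parameters:
  Environment:
    Type: String
    Default: dev
    AllowedValues: [dev, prod]        # AllowedValues: anything else is rejected before creation starts
    Description: Drives the IsProd condition and the EnvMap lookups below
  VpcId:
    Type: AWS::EC2::VPC::Id           # AWS-specific type: validated against VPCs that exist in the account
  AdminCidr:
    Type: String
    Default: 10.0.0.0/8
    AllowedPattern: '^(\d{1,3}\.){3}\d{1,3}/\d{1,2}$'   # AllowedPattern: must look like an IPv4 CIDR
    ConstraintDescription: Must be an IPv4 CIDR such as 203.0.113.0/24
    Description: Only this range may reach the SSH security group

Mappings:
  RegionMap:                          # AMIs are region specific, which is exactly what a map is for
    us-east-1:
      Ami: ami-0123456789abcdef0      # placeholder id, not a real AMI
    eu-west-1:
      Ami: ami-0fedcba9876543210      # placeholder id, not a real AMI
  EnvMap:
    dev:
      InstanceType: t3.micro
    prod:
      InstanceType: t3.small

Conditions:
  IsProd: !Equals [!Ref Environment, prod]

Resources:
  SshSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: SSH from the admin range only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref AdminCidr      # Ref on a parameter returns its value
      Tags:
        - Key: Environment
          Value: !Ref Environment
  AuditBucket:
    Type: AWS::S3::Bucket
    Condition: IsProd                 # the resource exists only in prod stacks
    DeletionPolicy: Retain            # stack deletion leaves the bucket (and its logs) in place

Outputs:
  SshSecurityGroupId:
    Value: !Ref SshSecurityGroup      # Ref on a resource returns its physical id (sg-...)
    Export:
      Name: !Sub "${AWS::StackName}-SshSgId"   # AWS::StackName pseudo parameter; imported elsewhere with Fn::ImportValue
  AmiForThisRegion:
    Value: !FindInMap [RegionMap, !Ref "AWS::Region", Ami]          # AWS::Region pseudo parameter as the top-level key
  InstanceTypeForEnv:
    Value: !FindInMap [EnvMap, !Ref Environment, InstanceType]
  AuditBucketName:
    Condition: IsProd                 # outputs can be conditional too
    Value: !Ref AuditBucket
```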
CloudFormation – Intrinsic Functions
• Ref
• Fn::GetAtt
• Fn::FindInMap
• Fn::ImportValue
• Fn::Join
• Fn::Sub
• Fn::ForEach
• Fn::ToJsonString
• Fn::Base64
• Fn::Cidr
• Fn::GetAZs
• Fn::Select
• Fn::Split
• Fn::Transform
• Fn::Length
• Condition Functions (Fn::If, Fn::Not, Fn::Equals, etc…)
Intrinsic Functions – Fn::Ref
• The Fn::Ref function can be leveraged to reference
• Parameters – returns the value of the parameter
• Resources – returns the physical ID of the underlying resource (e.g., EC2 ID)
• The shorthand for this in YAML is !Ref
Intrinsic Functions – Fn::GetAtt
• Attributes are attached to any resources you create
• To know the attributes of your resources, the best place to look at is the documentation
• Example: the AZ of an EC2 instance!
Intrinsic Functions – Fn::FindInMap
• We use Fn::FindInMap to return a named value from a specific key
• !FindInMap [ MapName, TopLevelKey, SecondLevelKey ]
Intrinsic Functions – Fn::ImportValue
• Import values that are exported in other stacks
• For this, we use the Fn::ImportValue function
Intrinsic Functions – Fn::Base64
• Convert String to its Base64 representation
• Example: pass encoded data to EC2 Instance’s UserData property
Intrinsic Functions – Condition Functions
• The logical ID is for you to choose. It’s how you name the condition
• The intrinsic function (logical) can be any of the following:
• Fn::And
• Fn::Equals
• Fn::If
• Fn::Not
• Fn::Or
CloudFormation – Rollbacks
• Stack Creation Fails:
• Default: everything rolls back (gets deleted). We can look at the log
• Option to disable rollback and troubleshoot what happened
• Stack Update Fails:
• The stack automatically rolls back to the previous known working state
• Ability to see in the log what happened and error messages
• Rollback Failure? Fix resources manually then issue ContinueUpdateRollback API from Console
• Or from the CLI using continue-update-rollback API call
CloudFormation – Service Role
• IAM role that allows CloudFormation to create/update/delete stack resources on your behalf
• Give ability to users to create/update/delete the stack resources even if they don’t have permissions to work with the resources in the stack
• Use cases:
• You want to achieve the least privilege principle
• But you don’t want to give the user all the required permissions to create the stack resources
• User must have iam:PassRole permissions
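Added example (not from the course): a CloudFormation service role next to the developer policy that may only pass that one role, and only to CloudFormation, which is the least-privilege split the slide describes; role, policy and stack names are hypothetical.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: CloudFormation service role plus a minimal developer policy (added example; names are hypothetical)

Resources:
  CfnDeployRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: cfn-app-deploy-role
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: cloudformation.amazonaws.com }   # only the CloudFormation service can assume it
            Action: sts:AssumeRole
      Policies:
        - PolicyName: WhatTheStackMayTouch
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow          # the resource permissions live on the role, not on the developer;
                Action: [sqs:*, sns:*]   # scope this to what the stack actually creates
                Resource: "*"

  DeveloperPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: cfn-app-developer
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow              # stack operations only on stacks whose name starts with app-
            Action:
              - cloudformation:CreateStack
              - cloudformation:UpdateStack
              - cloudformation:DeleteStack
              - cloudformation:DescribeStacks
              - cloudformation:DescribeStackEvents
            Resource: !Sub "arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/app-*/*"
          - Effect: Allow              # iam:PassRole is what lets the user hand the role to CloudFormation
            Action: iam:PassRole
            Resource: !GetAtt CfnDeployRole.Arn     # this role and no other
            Condition:
              StringEquals:
                iam:PassedToService: cloudformation.amazonaws.com   # cannot be passed to EC2, Lambda, ...
```

A developer with this policy deploys with `aws cloudformation create-stack --role-arn <CfnDeployRole ARN> ...` and needs no sqs or sns permissions of their own.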
CloudFormation – DeletionPolicy Delete
• DeletionPolicy:
• Control what happens when the CloudFormation template is deleted or when a resource is removed from a CloudFormation template
• Extra safety measure to preserve and backup resources
• Default DeletionPolicy=Delete
• ⚠ Delete won’t work on an S3 bucket if the bucket is not empty ⚠
CloudFormation – DeletionPolicy Retain
• DeletionPolicy=Retain:
• Specify on resources to preserve them when the CloudFormation stack is deleted
• Works with any resources
CloudFormation – DeletionPolicy Snapshot
• DeletionPolicy=Snapshot
• Create one final snapshot before deleting the resource
• Examples of supported resources:
• EBS Volume, ElastiCache Cluster, ElastiCache ReplicationGroup
• RDS DBInstance, RDS DBCluster, Redshift Cluster, Neptune DBCluster, DocumentDB DBCluster
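Added example, not the course's own code: an application stack that imports a security group exported by a base stack and uses Ref, Fn::GetAtt, Fn::Sub, Fn::Base64, Fn::Select with Fn::GetAZs and DeletionPolicy: Snapshot as the intrinsic-function and DeletionPolicy slides describe. The base stack name, its export name suffix (-SshSgId) and all resource names are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: App stack consuming a base stack (added example, not the course's template; names are hypothetical)

Parameters:
  BaseStackName:
    Type: String
    Description: Name of the stack that exported <name>-SshSgId (hypothetical base stack)
  SubnetId:
    Type: AWS::EC2::Subnet::Id
  AmiId:
    # SSM Parameter type: the value is read from Parameter Store at deploy time,
    # here from the public parameter AWS publishes for the latest Amazon Linux 2023 AMI.
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-x86_64

Resources:
  WebInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref AmiId
      InstanceType: t3.micro
      SubnetId: !Ref SubnetId
      SecurityGroupIds:
        - Fn::ImportValue: !Sub "${BaseStackName}-SshSgId"   # cross-stack reference; base stack cannot be deleted while this exists
      UserData:
        Fn::Base64: !Sub |          # UserData must be base64; Fn::Sub fills in the pseudo parameters first
          #!/bin/bash
          echo "stack=${AWS::StackName} region=${AWS::Region}" > /etc/app-info
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-web"

  DataVolume:
    Type: AWS::EC2::Volume
    DeletionPolicy: Snapshot        # a final snapshot is taken before the volume is deleted
    UpdateReplacePolicy: Snapshot   # same protection when an update has to replace the volume
    Properties:
      Size: 20
      VolumeType: gp3
      Encrypted: true
      AvailabilityZone: !GetAtt WebInstance.AvailabilityZone   # an attribute, not the physical id that Ref returns

  DataVolumeAttachment:
    Type: AWS::EC2::VolumeAttachment
    Properties:
      Device: /dev/sdf
      InstanceId: !Ref WebInstance  # Ref on a resource: the instance id (i-...)
      VolumeId: !Ref DataVolume

Outputs:
  InstanceId:
    Value: !Ref WebInstance
  InstanceAz:
    Value: !GetAtt WebInstance.AvailabilityZone
  FirstAzInRegion:
    Value: !Select [0, !GetAZs ""]  # Fn::GetAZs with "" means the region the stack is created in
```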
CloudFormation – Stack Policies
• During a CloudFormation Stack update, all update actions are allowed on all resources (default)
• A Stack Policy is a JSON document that defines the update actions that are allowed on specific resources during Stack updates
• Protect resources from unintentional updates
• When you set a Stack Policy, all resources in the Stack are protected by default
• Specify an explicit ALLOW for the resources you want to be allowed to be updated
CloudFormation – Termination Protection
• To prevent accidental deletes of CloudFormation Stacks, use TerminationProtection
CloudFormation – Custom Resources
• Used to
• define resources not yet supported by CloudFormation
• define custom provisioning logic for resources that can be outside of CloudFormation (on-premises resources, 3rd party resources…)
• have custom scripts run during create / update / delete through Lambda functions (running a Lambda function to empty an S3 bucket before being deleted)
• Defined in the template using AWS::CloudFormation::CustomResource or Custom::MyCustomResourceTypeName (recommended)
• Backed by a Lambda function (most common) or an SNS topic
How to define a Custom Resource?
• ServiceToken specifies where CloudFormation sends requests to, such as Lambda ARN or SNS ARN (required & must be in the same region)
• Input data parameters (optional)
Use Case – Delete content from an S3 bucket
• You can’t delete a non-empty S3 bucket
• To delete a non-empty S3 bucket, you must first delete all the objects inside it
• We can use a custom resource to empty an S3 bucket before it gets deleted by CloudFormation
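Added example (not from the course): a Custom:: resource backed by an inline Lambda function that empties the bucket when the stack is deleted, so the bucket deletion that follows succeeds; the custom resource is deleted before the bucket because it references the bucket. Resource names are hypothetical.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Custom resource that empties a bucket on stack deletion (added example; names are hypothetical)

Resources:
  ArtifactBucket:
    Type: AWS::S3::Bucket

  BucketCleanerRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: lambda.amazonaws.com }
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole   # CloudWatch Logs only
      Policies:
        - PolicyName: EmptyOnlyThisBucket      # least privilege: list/delete limited to the one bucket
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: [s3:ListBucket, s3:ListBucketVersions]
                Resource: !GetAtt ArtifactBucket.Arn
              - Effect: Allow
                Action: [s3:DeleteObject, s3:DeleteObjectVersion]
                Resource: !Sub "${ArtifactBucket.Arn}/*"

  BucketCleanerFunction:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: python3.12
      Handler: index.handler
      Timeout: 300
      Role: !GetAtt BucketCleanerRole.Arn
      Code:
        ZipFile: |
          import boto3
          import cfnresponse   # bundled by CloudFormation for inline (ZipFile) code
          s3 = boto3.resource("s3")

          def handler(event, context):
              try:
                  # Create and Update have nothing to do; only Delete empties the bucket.
                  if event["RequestType"] == "Delete":
                      bucket = s3.Bucket(event["ResourceProperties"]["BucketName"])
                      try:
                          # Deletes versions and delete markers too, in batches of 1000.
                          bucket.object_versions.delete()
                      except s3.meta.client.exceptions.NoSuchBucket:
                          pass   # bucket already gone: nothing to empty
                  cfnresponse.send(event, context, cfnresponse.SUCCESS, {})
              except Exception as e:
                  # Always answer: an unanswered request leaves the stack waiting until it times out.
                  cfnresponse.send(event, context, cfnresponse.FAILED, {"Error": str(e)})

  EmptyArtifactBucket:
    Type: Custom::S3BucketCleaner                       # Custom::<Name> form recommended on the slides
    Properties:
      ServiceToken: !GetAtt BucketCleanerFunction.Arn   # where CloudFormation sends requests; same region as the stack
      BucketName: !Ref ArtifactBucket                   # input property the function reads from ResourceProperties
```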
CloudFormation – StackSets
• Create, update, or delete stacks across multiple accounts and regions with a single operation/template
• Target accounts to create, update, delete stack instances from StackSets
• When you update a stack set, all associated stack instances are updated throughout all accounts and regions
• Can be applied into all accounts of an AWS Organization
• Only Administrator account (or Delegated Administrator) can create StackSets
Exercise
Create CloudFormation Stack with VPC, Subnet, ALB, EC2, etc...
Section 9
• AWS Integration & Messaging: SQS, SNS & Kinesis
AWS Integration & Messaging
SQS, SNS & Kinesis
Section Introduction
• When we start deploying multiple applications, they will inevitably need to communicate with one another
• There are two patterns of application communication
Section Introduction
• Synchronous communication between applications can be problematic if there are sudden spikes of traffic
• What if you need to suddenly encode 1000 videos but usually it’s 10?
• In that case, it’s better to decouple your applications:
• using SQS: queue model
• using SNS: pub/sub model
• using Kinesis: real-time streaming model
• These services can scale independently from our application!
Amazon SQS - What’s a queue?
Amazon SQS – Standard Queue
• Oldest offering (over 10 years old)
• Fully managed service, used to decouple applications
• Attributes:
• Unlimited throughput, unlimited number of messages in queue
• Default retention of messages: 4 days, maximum of 14 days
• Low latency (<10 ms on publish and receive)
• Limitation of 256KB per message sent
• Can have duplicate messages (at least once delivery, occasionally)
• Can have out of order messages (best effort ordering)
SQS – Producing Messages
• Produced to SQS using the SDK (SendMessage API)
• The message is persisted in SQS until a consumer deletes it
• Message retention: default 4 days, up to 14 days
• Example: send an order to be processed
• Order id
• Customer id
• Any attributes you want
• Message sent to SQS: up to 256 KB
• SQS standard: unlimited throughput
SQS – Consuming Messages
• Consumers (running on EC2 instances, servers, or AWS Lambda)…
• Poll SQS for messages (receive up to 10 messages at a time)
• Process the messages (example: insert the message into an RDS database)
• Delete the messages using the DeleteMessage API
SQS – Multiple EC2 Instances Consumers
• Consumers receive and process messages in parallel
• At least once delivery
• Best-effort message ordering
• Consumers delete messages after processing them
• We can scale consumers horizontally to improve throughput of processing
SQS with Auto Scaling Group (ASG)
SQS to decouple between application tiers
Amazon SQS - Security
• Encryption:
• In-flight encryption using HTTPS API
• At-rest encryption using KMS keys
• Client-side encryption if the client wants to perform encryption/decryption itself
• Access Controls: IAM policies to regulate access to the SQS API
• SQS Access Policies (similar to S3 bucket policies)
• Useful for cross-account access to SQS queues
• Useful for allowing other services (SNS, S3…) to write to an SQS queue
SQS – Message Visibility Timeout
• After a message is polled by a consumer, it becomes invisible to other consumers
• By default, the “message visibility timeout” is 30 seconds
• That means the message has 30 seconds to be processed
• After the message visibility timeout is over, the message is “visible” again in SQS
SQS – Message Visibility Timeout
• If a message is not processed within the visibility timeout, it will be processed twice
• A consumer could call the ChangeMessageVisibility API to get more time
• If visibility timeout is high (hours), and consumer crashes, re-processing will take time
• If visibility timeout is too low (seconds), we may get duplicates
Amazon SQS – Dead Letter Queue (DLQ)
• If a consumer fails to process a message within the Visibility Timeout… the message goes back to the queue!
• We can set a threshold of how many times a message can go back to the queue
• After the MaximumReceives threshold is exceeded, the message goes into a Dead Letter Queue (DLQ)
• Useful for debugging!
• DLQ of a FIFO queue must also be a FIFO queue
• DLQ of a Standard queue must also be a Standard queue
• Make sure to process the messages in the DLQ before they expire:
• Good to set a retention of 14 days in the DLQ
SQS DLQ – Redrive to Source
• Feature to help consume messages in the DLQ to understand what is wrong with them
• When our code is fixed, we can redrive the messages from the DLQ back into the source queue (or any other queue) in batches without writing custom code
Amazon SQS – Delay Queue
• Delay a message (consumers don’t see it immediately) up to 15 minutes
• Default is 0 seconds (message is available right away)
• Can set a default at queue level
• Can override the default on send using the DelaySeconds parameter
Amazon SQS - Long Polling
• When a consumer requests messages from the queue, it can optionally “wait” for messages to arrive if there are none in the queue
• This is called Long Polling
• Long Polling decreases the number of API calls made to SQS while increasing the efficiency and reducing latency of your application
• The wait time can be between 1 and 20 seconds (20 seconds preferable)
• Long Polling is preferable to Short Polling
• Long polling can be enabled at the queue level or at the API level using WaitTimeSeconds
SQS Extended Client
• Message size limit is 256KB, how to send large messages, e.g. 1GB?
• Using the SQS Extended Client (Java Library)
SQS – Must know API
• CreateQueue (MessageRetentionPeriod), DeleteQueue
• PurgeQueue: delete all the messages in the queue
• SendMessage (DelaySeconds), ReceiveMessage, DeleteMessage
• MaxNumberOfMessages: default 1, max 10 (for the ReceiveMessage API)
• ReceiveMessageWaitTimeSeconds: Long Polling
• ChangeMessageVisibility: change the message visibility timeout
• Batch APIs for SendMessage, DeleteMessage, ChangeMessageVisibility help decrease your costs
Amazon SQS – FIFO Queue
• FIFO = First In First Out (ordering of messages in the queue)
• Limited throughput: 300 msg/s without batching, 3000 msg/s with batching
• Exactly-once send capability (by removing duplicates)
• Messages are processed in order by the consumer
SQS FIFO – Deduplication
• De-duplication interval is 5 minutes
• Two de-duplication methods:
• Content-based deduplication: will do a SHA-256 hash of the message body
• Explicitly provide a Message Deduplication ID
SQS FIFO – Message Grouping
• If you specify the same value of MessageGroupID in an SQS FIFO queue, you can only have one consumer, and all the messages are in order
• To get ordering at the level of a subset of messages, specify different values for MessageGroupID
  • Messages that share a common Message Group ID will be in order within the group
  • Each Group ID can have a different consumer (parallel processing!)
  • Ordering across groups is not guaranteed
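The two FIFO slides above (deduplication and message grouping) are easiest to understand by watching both rules act on a sequence of sends. The following is an added example, not code from the course or from AWS: a small in-memory FIFO queue that de-duplicates on a SHA-256 of the body (or on an explicit MessageDeduplicationId) inside the 5-minute interval and keeps per-MessageGroupId order. Timestamps and message bodies are constructed.

```python
# Added example, not from the course: FIFO deduplication (content-based SHA-256
# or explicit MessageDeduplicationId, 5-minute interval) and per-MessageGroupId
# ordering, modelled in memory. Timestamps and bodies below are constructed.
import hashlib
import time
from collections import deque
from typing import Deque, Dict, List, Optional, Tuple

DEDUP_WINDOW_SECONDS = 5 * 60   # the deduplication interval of an SQS FIFO queue


class FifoQueue:
    def __init__(self, content_based_deduplication: bool = True):
        self.content_based = content_based_deduplication
        self._seen: Dict[str, float] = {}                    # dedup id -> time first accepted
        self._groups: Dict[str, Deque[Tuple[int, str]]] = {}  # group id -> (sequence, body)
        self._sequence = 0

    def _dedup_id(self, body: str, explicit_id: Optional[str]) -> str:
        if explicit_id is not None:
            return explicit_id      # an explicit MessageDeduplicationId always wins
        if not self.content_based:
            raise ValueError("MessageDeduplicationId required when content-based deduplication is off")
        return hashlib.sha256(body.encode("utf-8")).hexdigest()

    def send(self, body: str, group_id: str, dedup_id: Optional[str] = None,
             now: Optional[float] = None) -> bool:
        """True if the message was stored, False if it was dropped as a duplicate.
        SQS itself answers a duplicate with a success response and stores nothing,
        so the producer cannot tell; the flag here only makes the behaviour visible."""
        now = time.time() if now is None else now
        key = self._dedup_id(body, dedup_id)
        first_seen = self._seen.get(key)
        if first_seen is not None and now - first_seen < DEDUP_WINDOW_SECONDS:
            return False
        self._seen[key] = now
        self._sequence += 1
        self._groups.setdefault(group_id, deque()).append((self._sequence, body))
        return True

    def receive(self, group_id: str) -> Optional[str]:
        """Messages of one group come back in send order; different groups are
        independent, which is what lets separate consumers process them in parallel."""
        group = self._groups.get(group_id)
        return group.popleft()[1] if group else None


def dedup_demo() -> Dict[str, List]:
    """Drive the queue with a constructed sequence of sends and receives."""
    q = FifoQueue()
    t0 = 1_700_000_000.0     # constructed epoch timestamp
    accepted = [
        q.send('{"order": 1}', "customer-A", now=t0),
        q.send('{"order": 1}', "customer-A", now=t0 + 10),     # producer retry: dropped
        q.send('{"order": 1}', "customer-A", now=t0 + 301),    # after 5 minutes: accepted again
        q.send('{"order": 2}', "customer-B", now=t0 + 12),
        q.send('{"order": 3}', "customer-B", dedup_id="evt-77", now=t0 + 13),
        q.send('{"order": 3 }', "customer-B", dedup_id="evt-77", now=t0 + 14),  # same id: dropped
    ]
    group_b = [q.receive("customer-B"), q.receive("customer-B")]
    return {"accepted": accepted, "group_B": group_b}
```

Note the last two sends: with an explicit deduplication ID the body is not compared at all, so two different payloads sharing an ID collapse to one message, which is why the ID must identify the business event rather than the attempt.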
Amazon SNS
• What if you want to send one message to many receivers?
Amazon SNS
• The “event producer” only sends messages to one SNS topic
• As many “event receivers” (subscriptions) as we want listen to the SNS topic notifications
• Each subscriber to the topic will get all the messages (note: new feature to filter messages)
• Up to 12,500,000 subscriptions per topic
• 100,000 topics limit
(Diagram: the producer publishes to the SNS topic; subscribers include SQS, Lambda, Kinesis Data Firehose, Emails, SMS & Mobile Notifications, and HTTP(S) Endpoints)
SNS integrates with a lot of AWS services
• Many AWS services can send data directly to SNS for notifications
(Diagram: CloudWatch Alarms, AWS Budgets, Lambda, Auto Scaling Group (Notifications), S3 Bucket (Events), DynamoDB, CloudFormation (State Changes), AWS DMS (New Replic), RDS Events… all publish to SNS)
Amazon SNS – How to publish
• Topic Publish (using the SDK)
• Create a topic
• Create a subscription (or many)
• Publish to the topic
• Direct Publish (for mobile apps SDK)
• Create a platform application
• Create a platform endpoint
• Publish to the platform endpoint
• Works with Google GCM, Apple APNS, Amazon ADM…
Amazon SNS – Security
• Encryption:
• In-flight encryption using HTTPS API
• At-rest encryption using KMS keys
• Client-side encryption if the client wants to perform encryption/decryption itself
• Access Controls: IAM policies to regulate access to the SNS API
• SNS Access Policies (similar to S3 bucket policies)
• Useful for cross-account access to SNS topics
• Useful for allowing other services (S3…) to write to an SNS topic
SNS + SQS: Fan Out
• Push once in SNS, receive in all SQS queues that are subscribers
• Fully decoupled, no data loss
• SQS allows for: data persistence, delayed processing and retries of work
• Ability to add more SQS subscribers over time
• Make sure your SQS queue access policy allows for SNS to write
• Cross-Region Delivery: works with SQS Queues in other regions
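The slide's reminder that the SQS queue access policy must allow SNS to write is where fan-out setups most often go wrong in either direction: too narrow and delivery silently fails, too wide and any topic in any account can inject messages. The following is an added example, not code from the course or from AWS: it generates a queue policy scoped to one topic through aws:SourceArn and audits an arbitrary policy for SNS grants that lack such scoping. The queue and topic ARNs are constructed placeholders.

```python
# Added example, not from the course: generate the SQS queue policy that lets a
# single SNS topic deliver into the queue, and audit a policy for SNS grants that
# are not scoped to a topic. Queue and topic ARNs used with it are placeholders.
import json
from typing import Dict, List


def sqs_policy_for_sns(queue_arn: str, topic_arn: str) -> Dict:
    """Queue access policy for SNS -> SQS fan-out (set through the queue's Policy attribute)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowSnsFanout",
            "Effect": "Allow",
            "Principal": {"Service": "sns.amazonaws.com"},
            "Action": "sqs:SendMessage",
            "Resource": queue_arn,
            # Without this condition any SNS topic, in any account, could write to the queue
            "Condition": {"ArnEquals": {"aws:SourceArn": topic_arn}},
        }],
    }


def _as_list(value) -> List:
    return value if isinstance(value, list) else [value]


def unscoped_sns_grants(policy: Dict) -> List[str]:
    """Sids of Allow statements that let SNS (or everyone) call sqs:SendMessage
    without an aws:SourceArn / aws:SourceAccount condition narrowing the sender."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sqs:sendmessage", "sqs:*", "*"}:
            continue
        principal = stmt.get("Principal")
        open_to_all = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))
        sns = isinstance(principal, dict) and "sns.amazonaws.com" in _as_list(principal.get("Service", []))
        if not (open_to_all or sns):
            continue
        condition_text = json.dumps(stmt.get("Condition", {}))
        if "aws:SourceArn" not in condition_text and "aws:SourceAccount" not in condition_text:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings
```

The audit is deliberately coarse (it looks for the presence of a source condition, not for its exact value), which is enough to catch the common copy-paste policy with a bare `"Principal": "*"`.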
Application: S3 Events to multiple queues
• For the same combination of event type (e.g. object create) and prefix (e.g. images/) you can only have one S3 Event rule
• If you want to send the same S3 event to many SQS queues, use fan-out
Application: SNS to Amazon S3 through Kinesis Data Firehose
• SNS can send to Kinesis, and therefore we can have the following solutions architecture: SNS → Kinesis Data Firehose → Amazon S3
Amazon SNS – FIFO Topic
• FIFO = First In First Out (ordering of messages in the topic)
• Similar features as SQS FIFO:
• Ordering by Message Group ID (all messages in the same group are ordered)
• Deduplication using a Deduplication ID or Content Based Deduplication
• Can have SQS Standard and FIFO queues as subscribers
• Limited throughput (same throughput as SQS FIFO)
SNS FIFO + SQS FIFO: Fan Out
• In case you need fan out + ordering + deduplication
SNS – Message Filtering
• JSON policy used to filter messages sent to SNS topic’s subscriptions
• If a subscription doesn’t have a filter policy, it receives every message
Kinesis Overview
• Makes it easy to collect, process, and analyze streaming data in real-time
• Ingest real-time data such as: Application logs, Metrics, Website
clickstreams, IoT telemetry data…
• Kinesis Data Streams: capture, process, and store data streams
• Kinesis Data Firehose: load data streams into AWS data stores
• Kinesis Video Streams: capture, process, and store video streams
Kinesis Data Streams
Kinesis Data Streams
• Retention between 1 day and 365 days
• Ability to reprocess (replay) data
• Once data is inserted in Kinesis, it can’t be deleted (immutability)
• Data that shares the same partition key goes to the same shard (ordering)
• Producers: AWS SDK, Kinesis Producer Library (KPL), Kinesis Agent
• Consumers:
  • Write your own: Kinesis Client Library (KCL), AWS SDK
  • Managed: AWS Lambda, Kinesis Data Firehose, Kinesis Data Analytics
Kinesis Data Streams – Capacity Modes
• Provisioned mode:
• You choose the number of shards provisioned, scale manually or using API
• Each shard gets 1MB/s in (or 1000 records per second)
• Each shard gets 2MB/s out (classic or enhanced fan-out consumer)
• You pay per shard provisioned per hour
• On-demand mode:
• No need to provision or manage the capacity
• Default capacity provisioned (4 MB/s in or 4000 records per second)
• Scales automatically based on observed throughput peak during the last 30 days
• Pay per stream per hour & data in/out per GB
Kinesis Data Streams Security
• Control access / authorization using IAM policies
• Encryption in flight using HTTPS endpoints
• Encryption at rest using KMS
• You can implement encryption/decryption of data on the client side (harder)
• VPC Endpoints available for Kinesis to access within a VPC
• Monitor API calls using CloudTrail
Kinesis Producers
• Puts data records into data streams
• A data record consists of:
  • Sequence number (unique per partition key within a shard)
  • Partition key (must be specified when putting records into the stream)
  • Data blob (up to 1 MB)
• Producers:
  • AWS SDK: simple producer
  • Kinesis Producer Library (KPL): C++, Java, batch, compression, retries
  • Kinesis Agent: monitor log files
• Write throughput: 1 MB/sec or 1000 records/sec per shard
• PutRecord API
• Use batching with the PutRecords API to reduce costs & increase throughput
Kinesis - ProvisionedThroughputExceeded
Kinesis Data Streams Consumers
• Get data records from data streams and process them
• AWS Lambda
• Kinesis Data Analytics
• Kinesis Data Firehose
• Custom Consumer (AWS SDK) – Classic or Enhanced Fan-Out
• Kinesis Client Library (KCL): library to simplify reading from data stream
Kinesis Consumers – Custom Consumer
Kinesis Consumers Types
Shared (Classic) Fan-out Consumer – pull
• Low number of consuming applications
• Read throughput: 2 MB/sec per shard across all consumers
• Max. 5 GetRecords API calls/sec
• Latency ~200 ms
• Minimize cost ($)
• Consumers poll data from Kinesis using the GetRecords API call
• Returns up to 10 MB (then throttle for 5 seconds) or up to 10000 records
Enhanced Fan-out Consumer – push
• Multiple consuming applications for the same stream
• 2 MB/sec per consumer per shard
• Latency ~70 ms
• Higher costs ($$$)
• Kinesis pushes data to consumers over HTTP/2 (SubscribeToShard API)
• Soft limit of 5 consumer applications (KCL) per data stream (default)
Kinesis Consumers – AWS Lambda
• Supports Classic & Enhanced fan-out consumers
• Read records in batches
• Can configure batch size and batch window
• If an error occurs, Lambda retries until it succeeds or the data expires
• Can process up to 10 batches per shard simultaneously
Kinesis Client Library (KCL)
• A Java library that helps read records from a Kinesis Data Stream with distributed applications sharing the read workload
• Each shard is to be read by only one KCL instance
  • 4 shards = max. 4 KCL instances
  • 6 shards = max. 6 KCL instances
• KCL can run on EC2, Elastic Beanstalk, and on-premises
• Records are read in order at the shard level
KCL Example: 4 shards
KCL Example: 4 shards, Scaling KCL App
KCL Example: 6 shards, Scaling Kinesis
KCL Example: 6 shards, Scaling KCL App
Kinesis Operation – Shard Splitting
• Used to increase the Stream capacity (1 MB/s data in per shard)
• Used to divide a “hot shard”
• The old shard is closed and will be deleted once the data is expired
• No automatic scaling (manually increase/decrease capacity)
• Can’t split into more than two shards in a single operation
Kinesis Operation – Merging Shards
• Decrease the Stream capacity and save costs
• Can be used to group two shards with low traffic (cold shards)
• Old shards are closed and will be deleted once the data is expired
• Can’t merge more than two shards in a single operation
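The ordering guarantee ("same partition key goes to the same shard") and the shard splitting and merging operations above all rest on one mechanism: Kinesis hashes the partition key with MD5 into a 128-bit hash key, and each shard owns a contiguous range of that space. The following is an added example, not code from the course or from AWS, that models this in memory: key-to-shard routing, SplitShard (one parent closed, two children created at a chosen or middle hash key) and MergeShards (two adjacent parents closed, one child created). Shard IDs and partition keys are constructed.

```python
# Added example, not from the course: how a partition key is mapped to a shard
# (MD5 of the key read as a 128-bit integer, compared against each shard's
# hash-key range), and what SplitShard / MergeShards do to those ranges.
import hashlib
from dataclasses import dataclass
from typing import List, Optional

MAX_HASH_KEY = 2**128 - 1       # the hash-key space is [0, 2^128 - 1]


@dataclass
class Shard:
    shard_id: str
    start: int                   # StartingHashKey
    end: int                     # EndingHashKey (inclusive)
    parents: tuple = ()          # closed shards this one was created from
    open: bool = True            # closed shards keep data until it expires, then disappear

    def contains(self, hash_key: int) -> bool:
        return self.start <= hash_key <= self.end


def hash_key_for(partition_key: str) -> int:
    """Kinesis uses the MD5 digest of the partition key as the 128-bit hash key
    (MD5 is used here only as a routing hash, not for anything security-relevant)."""
    return int.from_bytes(hashlib.md5(partition_key.encode("utf-8")).digest(), "big")


def create_stream(shard_count: int) -> List[Shard]:
    """Divide the hash-key space evenly, as CreateStream does."""
    size = (MAX_HASH_KEY + 1) // shard_count
    shards = []
    for i in range(shard_count):
        end = MAX_HASH_KEY if i == shard_count - 1 else (i + 1) * size - 1
        shards.append(Shard(f"shardId-{i:012d}", i * size, end))
    return shards


def route(shards: List[Shard], partition_key: str) -> Shard:
    """Same key -> same hash key -> same open shard, hence ordering per key."""
    hash_key = hash_key_for(partition_key)
    for shard in shards:
        if shard.open and shard.contains(hash_key):
            return shard
    raise ValueError("no open shard covers the hash key")


def split_shard(shards: List[Shard], shard_id: str,
                new_starting_hash_key: Optional[int] = None) -> List[Shard]:
    """SplitShard: one open shard becomes two children and the parent is closed.
    Without an explicit NewStartingHashKey the range is split in the middle."""
    parent = next(s for s in shards if s.shard_id == shard_id and s.open)
    split_at = (parent.start + parent.end + 1) // 2 if new_starting_hash_key is None else new_starting_hash_key
    if not parent.start < split_at <= parent.end:
        raise ValueError("NewStartingHashKey must lie strictly inside the parent's range")
    parent.open = False
    n = len(shards)
    return shards + [
        Shard(f"shardId-{n:012d}", parent.start, split_at - 1, (shard_id,)),
        Shard(f"shardId-{n + 1:012d}", split_at, parent.end, (shard_id,)),
    ]


def merge_shards(shards: List[Shard], shard_id: str, adjacent_shard_id: str) -> List[Shard]:
    """MergeShards: two adjacent open shards become one child; both parents are closed."""
    a = next(s for s in shards if s.shard_id == shard_id and s.open)
    b = next(s for s in shards if s.shard_id == adjacent_shard_id and s.open)
    low, high = (a, b) if a.end + 1 == b.start else (b, a)
    if low.end + 1 != high.start:
        raise ValueError("shards must be adjacent in hash-key space")
    a.open = b.open = False
    child = Shard(f"shardId-{len(shards):012d}", low.start, high.end, (shard_id, adjacent_shard_id))
    return shards + [child]


def open_shards(shards: List[Shard]) -> List[Shard]:
    return [s for s in shards if s.open]
```

Two things the model makes visible: a split or merge never changes which keys land together (the child ranges cover exactly the parent range), and a "hot shard" is a hot key range, so splitting in the middle only helps if the traffic is spread over the range rather than concentrated on one key.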
Kinesis Data Firehose
Kinesis Data Firehose
• Fully Managed Service, no administration, automatic scaling, serverless
• AWS: Redshift / Amazon S3 / OpenSearch
• 3rd party partner: Splunk / MongoDB / DataDog / NewRelic / …
• Custom: send to any HTTP endpoint
• Pay for data going through Firehose
• Near Real Time
• Buffer interval: 0 seconds (no buffering) to 900 seconds
• Buffer size: minimum 1MB
• Supports many data formats, conversions, transformations, compression
• Supports custom data transformations using AWS Lambda
• Can send failed or all data to a backup S3 bucket
Kinesis Data Streams vs Firehose
Kinesis Data Streams
• Streaming service for ingest at scale
• Write custom code (producer / consumer)
• Real-time (~200 ms)
• Manage scaling (shard splitting / merging)
• Data storage for 1 to 365 days
• Supports replay capability
Kinesis Data Firehose
• Load streaming data into S3 / Redshift / OpenSearch / 3rd party / custom HTTP
• Fully managed
• Near real-time
• Automatic scaling
• No data storage
• Doesn’t support replay capability
SQS vs SNS vs Kinesis
Exercise
• Creating and Subscribing to SNS Topics, Adding an SNS event for an S3 bucket
Section 10
• AWS Monitoring, Troubleshooting & Audit
AWS Monitoring, Troubleshooting & Audit
CloudWatch, X-Ray, CloudTrail
Monitoring in AWS
• AWS CloudWatch:
  • Metrics: Collect and track key metrics
  • Logs: Collect, monitor, analyze and store log files
  • Events: Send notifications when certain events happen in your AWS account
  • Alarms: React in real-time to metrics / events
• AWS X-Ray:
  • Troubleshooting application performance and errors
  • Distributed tracing of microservices
• AWS CloudTrail:
  • Internal monitoring of API calls being made
  • Audit changes to AWS Resources by your users
Amazon CloudWatch Metrics
• CloudWatch provides metrics for every service in AWS
• A metric is a variable to monitor (CPUUtilization, NetworkIn…)
• Metrics belong to namespaces. These namespaces are usually equivalent to the service name (ex: EC2, RDS, etc…)
• A dimension is an attribute of a metric (instance id, environment, etc…)
• Up to 30 dimensions per metric
• Metrics have timestamps
• Can create CloudWatch dashboards of metrics
Amazon CloudWatch Metrics
• Amazon CloudWatch supports two types of metrics
  • Standard (supported by EC2 and most other services)
  • Custom (typically used for EC2 and on-premises instances)
• With EC2 standard metrics, you can monitor
  • Overall CPU utilization (usually for scaling)
  • Disk Performance (IOPS, Read/Write bytes per second)
  • And much more… but you CAN’T monitor memory usage (RAM) and disk used percentage
• With EC2 custom metrics, you can monitor:
  • Memory usage & Disk used percentage
  • Application metrics (running status, number of active users, error count, etc…)
  • Anything else defined in the configuration file
Amazon CloudWatch Metrics
(CloudWatch Dashboard example)
EC2 Detailed monitoring
• EC2 exports STANDARD metrics every 5 minutes by default.
• With detailed monitoring, the export frequency becomes 1 minute!
• Use detailed monitoring if you want to scale faster for your ASG!
• The AWS Free Tier allows us to have 10 detailed monitoring metrics
CloudWatch Custom Metrics
• You can define your own metric and send it to CloudWatch
• Two ways to create CUSTOM metrics:
  • PutMetricData API (using the AWS SDK, CLI or calling the AWS API directly)
  • CloudWatch Agent (recommended way for EC2 instances)
• You can add custom dimensions to metrics, such as:
  • Environment name
  • System name
• Metric resolution (StorageResolution API parameter - two possible values):
  • Standard: 1 minute (60 seconds)
  • High Resolution: 1/5/10/30 second(s) - Higher cost
CloudWatch Logs
• A service that allows you to collect, monitor, and store log files from AWS resources and on-premise systems.
• It helps track application and system performance, troubleshoot issues, and retain logs for auditing and compliance.
CloudWatch Logs - Concepts
• Log groups: container for log data. It contains all the related logs from a particular service or application
• Log stream: individual sequences of log events inside a log group
• Can define log expiration policies (never expire, 1 day to 10 years…)
• CloudWatch Logs can send logs to:
  • Amazon S3 (exports)
  • Kinesis Data Streams
  • Kinesis Data Firehose
  • AWS Lambda
  • OpenSearch
• Logs are encrypted by default
• Can set up KMS-based encryption with your own keys
CloudWatch Logs - Sources
• SDK, CloudWatch Logs Agent, CloudWatch Unified Agent
• Elastic Beanstalk: collection of logs from application
• ECS: collection from containers
• AWS Lambda: collection from function logs
• VPC Flow Logs: VPC specific logs
• API Gateway
• CloudTrail based on filter
• Route53: Log DNS queries
CloudWatch Logs Insights
(Diagram source: https://mng.workshop.aws/operations-2022/detect/cwlogs.html)
CloudWatch Logs Insights
• Search and analyze log data stored in CloudWatch Logs
• Example: find a specific IP inside a log, count occurrences of “ERROR” in your logs…
• Provides a purpose-built query language
• Automatically discovers fields from AWS services and JSON log events
• Fetch desired event fields, filter based on conditions, calculate aggregate statistics, sort events, limit the number of events…
• Can save queries and add them to CloudWatch Dashboards
• Can query multiple Log Groups in different AWS accounts
• It’s a query engine, not a real-time engine
CloudWatch Logs – S3 Export
• Log data can take up to 12 hours to become available for export
• The API call is CreateExportTask
• Not near-real time or real-time… use Logs Subscriptions instead
CloudWatch Logs Subscriptions
• Get real-time log events from CloudWatch Logs for processing and analysis
• Send to Kinesis Data Streams, Kinesis Data Firehose, or Lambda
• Subscription Filter – filter which log events are delivered to your destination
CloudWatch Logs Aggregation
Multi-Account & Multi Region
CloudWatch Logs Subscriptions
• Cross-Account Subscription – send log events to resources in a different AWS account (KDS, KDF)
CloudWatch Logs for EC2
• By default, no logs from your EC2 machine will go to CloudWatch
• You need to run a CloudWatch agent on EC2 to push the log files you want
• Make sure IAM permissions are correct
• The CloudWatch agent can be set up on-premises too
CloudWatch Agent (Unified Agent)
• A tool that collects & sends CUSTOM METRICS and LOGS from your EC2 or on-premise instance to CloudWatch.
• It helps you monitor both EC2 and on-premises systems more effectively
• Requirements to use the CloudWatch Agent:
  • Must be installed and set up correctly
  • IAM Role / Access key with minimum policy CloudWatchAgentServerPolicy
  • Connectivity to CloudWatch (via internet or VPC Endpoints)
  • A valid configuration file (defined metrics and logs to be collected)
CloudWatch Agent – Metrics
• Collected directly on your Linux server / EC2 instance
  • CPU (active, guest, idle, system, user, steal)
  • Disk metrics (free, used, total), Disk IO (writes, reads, bytes, iops)
  • RAM (free, inactive, used, total, cached)
  • Netstat (number of TCP and UDP connections, net packets, bytes)
  • Processes (total, dead, blocked, idle, running, sleep)
  • Swap Space (free, used, used %)
• Reminder: out-of-the-box metrics for EC2 – disk, CPU, network (high level)
CloudWatch Logs Metric Filter
• CloudWatch Logs can use filter expressions
  • For example, find a specific IP inside of a log
  • Or count occurrences of "ERROR" in your logs
  • Metric filters can be used to trigger alarms
• Filters do not retroactively filter data. Filters only publish the metric data points for events that happen after the filter was created.
• Ability to specify up to 3 Dimensions for the Metric Filter (optional)
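To show what a metric filter actually computes from log events, here is an added example (not code from the course or from AWS) that evaluates two simplified kinds of CloudWatch Logs filter patterns, plain term patterns such as `ERROR -denied` and single-level JSON patterns such as `{ $.level = "ERROR" && $.status >= 500 }`, over constructed log events, and turns the matches into the per-minute data points a metric filter with a metric value of 1 would publish, optionally broken down by up to three dimensions taken from JSON fields. Term matching is done by substring here, a simplification of CloudWatch's token-based matching.

```python
# Added example, not from the course: a small evaluator for two kinds of
# CloudWatch Logs filter patterns (term patterns and single-level JSON patterns)
# applied to constructed log events, producing per-minute metric data points the
# way a metric filter does, with the optional 3-dimension limit enforced.
import json
import re
import shlex
from collections import Counter
from typing import Dict, List, Tuple

_CONDITION = re.compile(r'^\$\.([A-Za-z0-9_.]+)\s*(!=|>=|<=|=|>|<)\s*(.+)$')

SAMPLE_EVENTS: List[Tuple[int, str]] = [   # constructed: (timestamp in ms, message)
    (1700000000000, '{"level": "ERROR", "status": 502, "service": "checkout", "msg": "upstream timeout"}'),
    (1700000005000, '{"level": "INFO", "status": 200, "service": "checkout", "msg": "ok"}'),
    (1700000010000, '{"level": "ERROR", "status": 500, "service": "search", "msg": "index unavailable"}'),
    (1700000070000, '{"level": "ERROR", "status": 403, "service": "search", "msg": "denied"}'),
    (1700000075000, 'plain text line: ERROR connection reset by 10.0.0.7'),
]


def _match_terms(pattern: str, message: str) -> bool:
    """Term pattern: every word or quoted phrase must occur; a leading '-' excludes it."""
    for token in shlex.split(pattern):
        negate = token.startswith("-")
        term = token[1:] if negate else token
        if (term in message) == negate:
            return False
    return True


def _match_json(pattern: str, message: str) -> bool:
    """JSON pattern: '{ cond && cond ... }', each cond being $.path <op> value."""
    try:
        event = json.loads(message)
    except ValueError:
        return False                         # non-JSON events never match a JSON pattern
    for cond in pattern.strip()[1:-1].split("&&"):
        m = _CONDITION.match(cond.strip())
        if not m:
            raise ValueError(f"unsupported condition: {cond.strip()!r}")
        path, op, raw = m.groups()
        actual = event
        for part in path.split("."):
            actual = actual.get(part) if isinstance(actual, dict) else None
        if raw.startswith('"'):
            expected = raw.strip('"')
            if op not in ("=", "!="):
                raise ValueError("only = and != apply to string values")
            if expected.endswith("*"):       # trailing wildcard on strings
                hit = isinstance(actual, str) and actual.startswith(expected[:-1])
            else:
                hit = actual == expected
            hit = hit if op == "=" else not hit
        else:
            if not isinstance(actual, (int, float)) or isinstance(actual, bool):
                return False
            n = float(raw)
            hit = {"=": actual == n, "!=": actual != n, ">": actual > n,
                   ">=": actual >= n, "<": actual < n, "<=": actual <= n}[op]
        if not hit:
            return False
    return True


def matches(pattern: str, message: str) -> bool:
    return _match_json(pattern, message) if pattern.strip().startswith("{") else _match_terms(pattern, message)


def metric_filter(pattern: str, events: List[Tuple[int, str]],
                  dimension_fields: Tuple[str, ...] = ()) -> Dict[tuple, int]:
    """Count matching events per minute (and per dimension value tuple).
    Returned keys are (minute_start_ms, dim1, dim2, ...)."""
    if len(dimension_fields) > 3:
        raise ValueError("a metric filter supports at most 3 dimensions")
    counts: Counter = Counter()
    for ts, message in events:
        if not matches(pattern, message):
            continue
        dims: tuple = ()
        if dimension_fields:                 # dimensions come from JSON fields of the event
            event = json.loads(message)
            dims = tuple(str(event.get(f)) for f in dimension_fields)
        counts[(ts // 60000 * 60000,) + dims] += 1
    return dict(counts)
```

Running the JSON pattern over the sample gives two data points in the first minute and none in the second, while the plain `ERROR` term also counts the non-JSON line; that difference is exactly why a structured pattern is the safer basis for an alarm.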
CloudWatch Alarms
• Alarms are used to trigger notifications for any metric
• Various options (sampling, %, max, min, etc…)
• Alarm States:
• OK
• INSUFFICIENT_DATA
• ALARM
• Period:
• Length of time in seconds to evaluate the metric
• High resolution custom metrics: 10 sec, 30 sec or multiples of 60 sec
CloudWatch Alarm Targets
• Stop, Terminate, Reboot, or Recover an EC2 Instance
• Trigger Auto Scaling Action
• Send notification to SNS (from which you can do pretty much anything)
CloudWatch Alarms – Composite Alarms
• CloudWatch Alarms are on a single metric
• Composite Alarms are monitoring the states of multiple other alarms
• AND and OR conditions
• Helpful to reduce “alarm noise” by creating complex composite alarms
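The alarm slides above list the ingredients (period, comparison, the three states, composite AND/OR rules) without showing how they combine into a state decision. The following added example, not code from the course or from AWS, evaluates an alarm from constructed raw samples using Period, EvaluationPeriods, DatapointsToAlarm ("M out of N"), a comparison operator and TreatMissingData, and then evaluates a composite alarm rule expression over a set of alarm states. Missing-data handling is simplified: with "missing" or "ignore", empty periods are skipped rather than CloudWatch's full retain-previous-state logic.

```python
# Added example, not from the course: evaluate a CloudWatch alarm from raw
# metric samples (Period, EvaluationPeriods, DatapointsToAlarm, comparison
# operator, TreatMissingData) and combine alarm states with a composite alarm
# rule expression. Samples, alarm names and timestamps are constructed.
import re
from statistics import mean
from typing import Dict, List, Optional, Tuple

OPERATORS = {
    "GreaterThanThreshold": lambda v, t: v > t,
    "GreaterThanOrEqualToThreshold": lambda v, t: v >= t,
    "LessThanThreshold": lambda v, t: v < t,
    "LessThanOrEqualToThreshold": lambda v, t: v <= t,
}


def evaluate_alarm(samples: List[Tuple[int, float]], period: int, threshold: float,
                   operator: str, evaluation_periods: int,
                   datapoints_to_alarm: Optional[int] = None,
                   treat_missing_data: str = "missing", now: Optional[int] = None) -> str:
    """Average samples per period, look at the last `evaluation_periods` periods and
    return OK / ALARM / INSUFFICIENT_DATA. Simplified: 'missing' and 'ignore' just
    skip empty periods instead of also retaining the previous state."""
    if period not in (10, 30) and period % 60:
        raise ValueError("Period must be 10, 30 or a multiple of 60 seconds")
    m = datapoints_to_alarm or evaluation_periods
    if not 1 <= m <= evaluation_periods:
        raise ValueError("DatapointsToAlarm must be between 1 and EvaluationPeriods")
    breaching = OPERATORS[operator]
    now = max(ts for ts, _ in samples) if now is None else now
    per_period: Dict[int, List[float]] = {}
    for ts, value in samples:
        per_period.setdefault(ts // period, []).append(value)
    current = now // period
    outcomes: List[Optional[bool]] = []      # True breaching, False fine, None skipped
    for p in range(current - evaluation_periods + 1, current + 1):
        values = per_period.get(p)
        if values:
            outcomes.append(breaching(mean(values), threshold))
        elif treat_missing_data == "breaching":
            outcomes.append(True)
        elif treat_missing_data == "notBreaching":
            outcomes.append(False)
        else:
            outcomes.append(None)
    present = [o for o in outcomes if o is not None]
    if not present:
        return "INSUFFICIENT_DATA"
    return "ALARM" if sum(present) >= m else "OK"


# Composite alarm rules, e.g.  ALARM(cpu-high) AND (ALARM(latency-high) OR NOT OK(errors))
_TOKEN = re.compile(r'(ALARM|OK|INSUFFICIENT_DATA)\(\s*"?([^")]+?)"?\s*\)|(AND|OR|NOT|\(|\))')


def _tokenize(rule: str) -> List[Tuple[str, Optional[str]]]:
    tokens, pos = [], 0
    while pos < len(rule):
        if rule[pos].isspace():
            pos += 1
            continue
        m = _TOKEN.match(rule, pos)
        if not m:
            raise ValueError(f"cannot parse rule at: {rule[pos:pos + 20]!r}")
        tokens.append((m.group(1), m.group(2)) if m.group(1) else (m.group(3), None))
        pos = m.end()
    return tokens


def evaluate_composite(rule: str, states: Dict[str, str]) -> str:
    """Recursive-descent evaluation with precedence NOT > AND > OR."""
    tokens, i = _tokenize(rule), 0

    def take() -> Tuple[str, Optional[str]]:
        nonlocal i
        i += 1
        return tokens[i - 1]

    def peek() -> Optional[str]:
        return tokens[i][0] if i < len(tokens) else None

    def expr() -> bool:                     # OR level
        value = term()
        while peek() == "OR":
            take()
            value = term() or value
        return value

    def term() -> bool:                     # AND level
        value = factor()
        while peek() == "AND":
            take()
            value = factor() and value
        return value

    def factor() -> bool:                   # NOT, parentheses, state tests
        kind, name = take()
        if kind == "NOT":
            return not factor()
        if kind == "(":
            value = expr()
            if take()[0] != ")":
                raise ValueError("missing closing parenthesis")
            return value
        if kind in ("ALARM", "OK", "INSUFFICIENT_DATA"):
            return states[name] == kind      # KeyError for an unknown alarm name
        raise ValueError(f"unexpected token {kind}")

    result = expr()
    if i != len(tokens):
        raise ValueError("trailing tokens in rule")
    return "ALARM" if result else "OK"
```

The sample in the test has a gap in one period: with DatapointsToAlarm 2 of 3 the two surrounding breaching periods are enough to alarm, while requiring all 3 only alarms when the gap itself is treated as breaching, which is the trade-off TreatMissingData exists for.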
EC2 Instance Recovery
• A CloudWatch alarm has a Recover action which helps restore your EC2 instance
• Status Check:
  • Instance status = check the EC2 VM
  • System status = check the underlying hardware
• Recovery: Same Private, Public, Elastic IP, metadata, placement group
CloudWatch Alarm: good to know
• Alarms can be created based on CloudWatch Logs Metric Filters
• To test alarms and notifications, set the alarm state to ALARM using the CLI:
  aws cloudwatch set-alarm-state --alarm-name "myalarm" --state-value ALARM --state-reason "testing purposes"
CloudWatch Synthetics Canary
• Configurable script that monitors your APIs, URLs, Websites, ...
• Reproduce what your customers do programmatically to find issues before customers are impacted
• Checks the availability and latency of your endpoints and can store load time data and screenshots of the UI
• Integration with CloudWatch Alarms
• Scripts written in Node.js or Python
• Programmatic access to a headless Google Chrome browser
• Can run once or on a regular schedule
Amazon EventBridge
(formerly CloudWatch Events)
• Schedule: Cron jobs (scheduled scripts)
• Event Pattern: Event rules to react to a service doing something
• Trigger Lambda functions, send SQS/SNS messages…
Amazon EventBridge Rules
Amazon EventBridge
• Event buses can be accessed by other AWS accounts using Resource-based Policies
• You can archive events (all/filter) sent to an event bus (indefinitely or set period)
• Ability to replay archived events
Amazon EventBridge – Schema Registry
• EventBridge can analyze the events in your bus and infer the schema
• The Schema Registry allows you to generate code for your application, that will know in advance how data is structured in the event bus
• Schemas can be versioned
Amazon EventBridge – Resource-based Policy
• Manage permissions for a specific Event Bus
• Example: allow/deny events from another AWS account or AWS region
• Use case: aggregate all events from your AWS Organization in a single AWS account or AWS region
AWS X-Ray
• Trace & analyze requests traveling through your application
• Visualize the request flow across different services, identify bottlenecks, troubleshoot performance issues in distributed applications
AWS X-Ray - Visual analysis of our applications
AWS X-Ray advantages
• Troubleshooting performance (bottlenecks)
• Understand dependencies in a microservice architecture
• Pinpoint service issues
• Review request behavior
• Find errors and exceptions
• Are we meeting the time SLA?
• Where am I throttled?
• Identify users that are impacted
X-Ray compatibility
• AWS Lambda
• Elastic Beanstalk
• ECS
• ELB
• API Gateway
• EC2 Instances or any application server (even on premise)
AWS X-Ray Leverages Tracing
• Tracing is an end-to-end way of following a "request"
• Each component dealing with the request adds its own "trace"
• Tracing is made of segments (+ sub segments)
• Annotations can be added to traces to provide extra information
• Ability to trace:
  • Every request
  • Sampled requests (as a % for example, or a rate per minute)
• X-Ray Security:
  • IAM for authorization
  • KMS for encryption at rest
AWS X-Ray - How to enable it?
• 1) Your code (Java, Python, Go, Node.js, .NET) must import the AWS X-Ray SDK
  • Very little code modification needed
  • The application SDK will then capture:
    • Calls to AWS services
    • HTTP / HTTPS requests
    • Database Calls (MySQL, PostgreSQL, DynamoDB)
    • Queue calls (SQS)
• 2) Install the X-Ray daemon or enable X-Ray AWS Integration
  • The X-Ray daemon works as a low level UDP packet interceptor (Linux / Windows / Mac...)
  • AWS Lambda / other AWS services already run the X-Ray daemon
  • Each application must have the IAM rights to write data to X-Ray
The X-Ray magic
• The X-Ray service collects data from all the different services
• The service map is computed from all the segments and traces
• X-Ray is graphical, so even non-technical people can help troubleshoot
AWS X-Ray Troubleshooting
• If X-Ray is not working on EC2:
  • Ensure the EC2 IAM Role has the proper permissions
  • Ensure the EC2 instance is running the X-Ray Daemon
• To enable on AWS Lambda:
  • Ensure it has an IAM execution role with the proper policy (AWSXrayWriteOnlyAccess)
  • Ensure that X-Ray is imported in the code
  • Enable Lambda X-Ray Active Tracing
X-Ray Instrumentation in your code
• Instrumentation means measuring a product's performance, diagnosing errors, and writing trace information.
• To instrument your application code, you use the X-Ray SDK
• Many SDKs require only configuration changes
• You can modify your application code to customize and annotate the data that the SDK sends to X-Ray, using interceptors, filters, handlers, middleware...
X-Ray Concepts
• Segments: each application / service will send them
• Subsegments: if you need more details in your segment
• Trace: segments collected together to form an end-to-end trace
• Sampling: decrease the amount of requests sent to X-Ray, reduce cost
• Annotations: Key Value pairs used to index traces and use with filters
• Metadata: Key Value pairs, not indexed, not used for searching
• The X-Ray daemon / agent has a config to send traces cross-account:
  • Make sure the IAM permissions are correct - the agent will assume the role
  • This allows you to have a central account for all your application tracing
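The concepts on this slide map directly onto the JSON "segment document" that the SDK sends to the daemon. The following is an added example, not code from the course or from the X-Ray SDK: it builds a segment by hand with one subsegment, one annotation (indexed, usable in filter expressions) and one metadata entry (stored but not indexed), checks the shape of the trace ID, and frames the document the way the daemon expects it on UDP port 2000, as a one-line JSON header, a newline, then the segment JSON. Service names and timestamps are constructed.

```python
# Added example, not from the course or the X-Ray SDK: build an X-Ray segment
# document with a subsegment, an annotation (indexed) and metadata (not indexed),
# and frame it as the daemon expects: JSON header line, newline, segment JSON.
# Names and timestamps are constructed.
import json
import os
import time
from typing import Any, Dict, Optional

DAEMON_HEADER = {"format": "json", "version": 1}


def new_trace_id(now: Optional[float] = None) -> str:
    """Trace ID = version '1', 8 hex digits of epoch seconds, 24 hex digits of randomness."""
    epoch = int(time.time() if now is None else now)
    return f"1-{epoch:08x}-{os.urandom(12).hex()}"


def new_segment_id() -> str:
    return os.urandom(8).hex()               # 16 hex digits, unique within the trace


def segment(name: str, trace_id: str, start: float, end: float,
            parent_id: Optional[str] = None) -> Dict[str, Any]:
    doc = {"name": name, "id": new_segment_id(), "trace_id": trace_id,
           "start_time": start, "end_time": end}
    if parent_id:
        doc["parent_id"] = parent_id         # links a downstream service's segment to its caller
    return doc


def add_subsegment(parent: Dict[str, Any], name: str, start: float, end: float,
                   namespace: Optional[str] = None) -> Dict[str, Any]:
    """Subsegments record work inside a segment, e.g. one AWS SDK call
    (namespace "aws") or an outbound HTTP call (namespace "remote")."""
    sub = {"name": name, "id": new_segment_id(), "start_time": start, "end_time": end}
    if namespace:
        sub["namespace"] = namespace
    parent.setdefault("subsegments", []).append(sub)
    return sub


def annotate(doc: Dict[str, Any], key: str, value: Any) -> None:
    """Annotations are indexed for search, so only scalar values are allowed."""
    if not isinstance(value, (str, int, float, bool)):
        raise TypeError("annotation values must be strings, numbers or booleans")
    doc.setdefault("annotations", {})[key] = value


def add_metadata(doc: Dict[str, Any], key: str, value: Any, namespace: str = "default") -> None:
    """Metadata can hold any JSON but is not indexed and cannot be filtered on."""
    doc.setdefault("metadata", {}).setdefault(namespace, {})[key] = value


def validate(doc: Dict[str, Any]) -> bool:
    """Basic sanity checks: required fields, trace ID shape, time ordering."""
    for key in ("name", "id", "trace_id", "start_time", "end_time"):
        if key not in doc:
            raise ValueError(f"segment is missing {key}")
    parts = doc["trace_id"].split("-")
    if len(parts) != 3 or parts[0] != "1" or len(parts[1]) != 8 or len(parts[2]) != 24:
        raise ValueError("malformed trace_id")
    if doc["end_time"] < doc["start_time"]:
        raise ValueError("end_time precedes start_time")
    return True


def to_datagram(doc: Dict[str, Any]) -> bytes:
    """The bytes the SDK would send to the daemon's UDP port 2000."""
    validate(doc)
    return (json.dumps(DAEMON_HEADER) + "\n" + json.dumps(doc)).encode("utf-8")


def parse_datagram(data: bytes) -> Dict[str, Any]:
    header, body = data.decode("utf-8").split("\n", 1)
    if json.loads(header) != DAEMON_HEADER:
        raise ValueError("unexpected daemon header")
    return json.loads(body)
```

The annotation/metadata split matters for what ends up searchable: put the request path or customer ID in metadata and you can see it on a trace but not filter traces by it; put anything sensitive in an annotation and it is indexed across the account.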
X-Ray Sampling Rules
• With sampling rules, you control the amount of data that you record
• You can modify sampling rules without changing your code
• By default, the X-Ray SDK records the first request each second, and five percent of any additional requests.
• One request per second is the reservoir, which ensures that at least one trace is recorded each second as long as the service is serving requests.
• Five percent is the rate at which additional requests beyond the reservoir size are sampled.
X-Ray Custom Sampling Rules
• You can create your own rules with the reservoir and rate
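The two sampling slides describe the reservoir-plus-rate algorithm and the custom rules built on it. As an added example, not code from the course or from the X-Ray SDK, here is that algorithm as a sampler you can drive with a constructed clock, plus rule selection by priority with wildcard matching on service name, HTTP method and URL path, falling back to the default rule (reservoir 1, rate 5%). The rule names, paths and the steady request load used to exercise it are constructed.

```python
# Added example, not from the course or the X-Ray SDK: reservoir + fixed-rate
# sampling (first N requests each second always traced, a fixed fraction of the
# rest) and selection of the custom sampling rule with the best priority.
# Rule names, paths and the request load are constructed.
import fnmatch
import random
from dataclasses import dataclass
from typing import List, Optional


class ReservoirRateSampler:
    def __init__(self, reservoir_per_second: int = 1, fixed_rate: float = 0.05,
                 seed: Optional[int] = None):
        if not 0.0 <= fixed_rate <= 1.0:
            raise ValueError("fixed rate must be between 0 and 1")
        self.reservoir = reservoir_per_second
        self.rate = fixed_rate
        self._rng = random.Random(seed)      # seed only to make runs reproducible
        self._second: Optional[int] = None   # the second the current reservoir belongs to
        self._taken = 0                      # traces taken from the reservoir this second

    def should_sample(self, now: float) -> bool:
        second = int(now)
        if second != self._second:           # a new second refills the reservoir
            self._second, self._taken = second, 0
        if self._taken < self.reservoir:
            self._taken += 1
            return True                      # reservoir: guaranteed traces
        return self._rng.random() < self.rate  # beyond the reservoir: fixed rate


@dataclass
class SamplingRule:
    name: str
    priority: int                # lower value is evaluated first
    reservoir: int
    rate: float
    service_name: str = "*"      # wildcard patterns, as in the X-Ray console
    http_method: str = "*"
    url_path: str = "*"

    def applies(self, service: str, method: str, path: str) -> bool:
        return all(fnmatch.fnmatchcase(value, pattern) for value, pattern in
                   ((service, self.service_name), (method, self.http_method), (path, self.url_path)))


DEFAULT_RULE = SamplingRule("Default", 10000, 1, 0.05)   # the slide's default: 1/s + 5%


def select_rule(rules: List[SamplingRule], service: str, method: str, path: str) -> SamplingRule:
    """The first matching rule in priority order decides; the default rule matches everything."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.applies(service, method, path):
            return rule
    return DEFAULT_RULE


def simulate(requests_per_second: int, seconds: int, sampler: ReservoirRateSampler) -> int:
    """Drive the sampler with a constructed steady load; returns the number of traces recorded."""
    traced = 0
    for s in range(seconds):
        for r in range(requests_per_second):
            if sampler.should_sample(s + r / requests_per_second):
                traced += 1
    return traced
```

At 100 requests per second the default rule traces about 6 per second (1 from the reservoir, roughly 5 of the remaining 99), while a high-priority rule with reservoir 0 and rate 0 on `/health*` drops health checks from tracing entirely, which is the usual first custom rule.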
X-Ray Write APIs (used by the X-Ray daemon)
• PutTraceSegments: Uploads segment documents to AWS X-Ray
• PutTelemetryRecords: Used by the AWS X-Ray daemon to upload telemetry.
  • SegmentsReceivedCount, SegmentsRejectedCounts, BackendConnectionErrors...
• GetSamplingRules: Retrieve all sampling rules (to know what/when to send)
• GetSamplingTargets & GetSamplingStatisticSummaries: advanced
• The X-Ray daemon needs to have an IAM policy authorizing the correct API calls to function correctly
X-Ray Read APIs
• GetServiceGraph: main graph
• BatchGetTraces: Retrieves a list of traces specified by ID. Each trace is a collection of segment documents that originates from a single request.
• GetTraceSummaries: Retrieves IDs and annotations for traces available for a specified time frame using an optional filter. To get the full traces, pass the trace IDs to BatchGetTraces.
• GetTraceGraph: Retrieves a service graph for one or more specific traces
X-Ray with Elastic Beanstalk
• AWS Elastic Beanstalk platforms include the X-Ray daemon
• You can run the daemon by setting an option in the Elastic Beanstalk console or with a configuration file (in .ebextensions/xray-daemon.config)
• Make sure to give your instance profile the correct IAM permissions so that the X-Ray daemon can function correctly
• Then make sure your application code is instrumented with the X-Ray SDK
• Note: The X-Ray daemon is not provided for Multicontainer Docker
ECS + X-Ray integration options
ECS + X-Ray: Example Task Definition
AWS Distro for Open Telemetry
• Secure, production-ready, AWS-supported distribution of the open-source OpenTelemetry project
• Provides a single set of APIs, libraries, agents, and collector services
• Collects distributed traces and metrics from your apps
• Collects metadata from your AWS resources and services
• Auto-instrumentation Agents to collect traces without changing your code
• Send traces and metrics to multiple AWS services and partner solutions
  • X-Ray, CloudWatch, Prometheus...
• Instrument your apps running on AWS (e.g., EC2, ECS, EKS, Fargate, Lambda) as well as on-premises
• Migrate from X-Ray to AWS Distro for OpenTelemetry if you want to standardize with open-source APIs from OpenTelemetry or send traces to multiple destinations simultaneously
AWS Distro for Open Telemetry
AWS CloudTrail
• Provides governance, compliance and audit for your AWS Account
• CloudTrail is enabled by default!
• Get a history of events / API calls made within your AWS Account by:
  • Console
  • SDK
  • CLI
  • AWS Services
• Can put logs from CloudTrail into CloudWatch Logs or S3
• A trail can be applied to All Regions (default) or a single Region.
• If a resource is deleted in AWS, investigate CloudTrail first!
CloudTrail Diagram
CloudTrail Events
• Management Events:
  • Operations that are performed on resources in your AWS account
  • Examples:
    • Configuring security (IAM AttachRolePolicy)
    • Configuring rules for routing data (Amazon EC2 CreateSubnet)
    • Setting up logging (AWS CloudTrail CreateTrail)
  • By default, trails are configured to log management events.
  • Can separate Read Events (that don’t modify resources) from Write Events (that may modify resources)
• Data Events:
  • By default, data events are not logged (because they are high-volume operations)
  • Amazon S3 object-level activity (ex: GetObject, DeleteObject, PutObject): can separate Read and Write Events
  • AWS Lambda function execution activity (the Invoke API)
• CloudTrail Insights Events:
  • See next slide
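The management/data and read/write distinctions above are carried as fields on every CloudTrail record, which is what makes the "investigate CloudTrail first" advice practical. The following is an added example, not code from the course or from AWS: it parses the JSON document a trail writes to S3 (an object with a "Records" array), classifies each record along both axes, summarizes write activity by event source and identity, and flags two things an auditor always looks at first, changes to the trail itself and activity by the root user. All records, identities and IP addresses are constructed.

```python
# Added example, not from the course: parse a CloudTrail log file (the JSON
# object with a "Records" array a trail delivers to S3), classify records as
# management vs data and read vs write, and summarize write activity.
# Every record, identity and address below is constructed.
import json
from collections import Counter
from typing import Dict, List, Tuple

TRAIL_CHANGES = {"StopLogging", "DeleteTrail", "UpdateTrail"}   # events that weaken the audit trail

SAMPLE_LOG = json.dumps({"Records": [   # constructed records; field names follow CloudTrail
    {"eventTime": "2024-11-10T09:00:01Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachRolePolicy", "readOnly": False, "managementEvent": True,
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-11-10T09:00:05Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "readOnly": True, "managementEvent": True,
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ops/bob"},
     "sourceIPAddress": "203.0.113.11"},
    {"eventTime": "2024-11-10T09:01:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteObject", "readOnly": False, "managementEvent": False,
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-11-10T09:02:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "readOnly": False, "managementEvent": True,
     "userIdentity": {"type": "Root"}, "sourceIPAddress": "198.51.100.7"},
]})


def classify(record: Dict) -> Dict[str, str]:
    """Management vs data comes from managementEvent; read vs write from readOnly.
    A record without readOnly is treated as a write so nothing slips through."""
    kind = "management" if record.get("managementEvent", True) else "data"
    access = "read" if record.get("readOnly") is True else "write"
    return {"kind": kind, "access": access}


def identity_of(record: Dict) -> str:
    user = record.get("userIdentity", {})
    return user.get("userName") or user.get("arn") or user.get("type", "unknown")


def triage(log_text: str) -> Dict:
    records = json.loads(log_text)["Records"]
    by_class: Counter = Counter()
    writes_by_source: Counter = Counter()
    writes_by_identity: Counter = Counter()
    watch: List[Tuple[str, str, str]] = []
    for r in records:
        c = classify(r)
        by_class[(c["kind"], c["access"])] += 1
        if c["access"] == "write":
            writes_by_source[r["eventSource"]] += 1
            writes_by_identity[identity_of(r)] += 1
        if r.get("eventSource") == "cloudtrail.amazonaws.com" and r.get("eventName") in TRAIL_CHANGES:
            watch.append(("trail-modified", r["eventName"], identity_of(r)))
        if r.get("userIdentity", {}).get("type") == "Root":
            watch.append(("root-activity", r["eventName"], r.get("sourceIPAddress", "")))
    return {"by_class": dict(by_class), "writes_by_source": dict(writes_by_source),
            "writes_by_identity": dict(writes_by_identity), "watch": watch}
```

Because CloudTrail keeps its own event history for only 90 days (next slides), this kind of offline pass is what you run over the S3 copies when the question is older than that.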
CloudTrail Insights
• Enable CloudTrail Insights to detect unusual activity in your account:
• Inaccurate resource provisioning
• Hitting service limits
• Bursts of AWS IAM actions
• Gaps in periodic maintenance activity
• CloudTrail Insights analyzes normal management events to create a baseline
• And then continuously analyzes write events to detect unusual patterns
• Anomalies appear in the CloudTrail console
• Event is sent to Amazon S3
• An EventBridge event is generated (for automation needs)
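The slides above describe management vs. data events, read vs. write events, and the kind of anomaly Insights looks for (bursts of IAM actions). The following is an added example, not course material: it reads CloudTrail records in their JSON layout, classifies them with the record's own `managementEvent` and `readOnly` fields, and flags two things a responder wants surfaced first, calls that reduce audit coverage (StopLogging, DeleteTrail and similar) and a burst of IAM write calls by one principal. The log records, account id and ARNs are constructed; the burst threshold is an assumption.

```python
import json
from collections import Counter

# Constructed sample records in the CloudTrail JSON layout (fields trimmed to
# what the triage uses; the account id and ARNs are placeholders).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-11-10T10:00:01Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachRolePolicy", "readOnly": False, "managementEvent": True,
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2024-11-10T10:00:02Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "readOnly": False, "managementEvent": True,
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2024-11-10T10:00:03Z", "eventSource": "iam.amazonaws.com",
     "eventName": "PutUserPolicy", "readOnly": False, "managementEvent": True,
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2024-11-10T10:01:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "readOnly": True, "managementEvent": False,
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/app"}},
    {"eventTime": "2024-11-10T10:02:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "readOnly": True, "managementEvent": True,
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"}},
    {"eventTime": "2024-11-10T10:03:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "readOnly": False, "managementEvent": True,
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"}},
]})

# API calls that reduce audit coverage; a responder wants these surfaced first.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def classify(record):
    """Return (event kind, access type) using CloudTrail's own record fields."""
    kind = "management" if record.get("managementEvent", True) else "data"
    access = "read" if record.get("readOnly", False) else "write"
    return kind, access


def triage(log_text, iam_write_burst=3):
    """Count events by kind/access and return findings worth investigating.

    iam_write_burst (assumed threshold) is the number of IAM write calls by one
    principal in the batch that counts as a burst.
    """
    records = json.loads(log_text)["Records"]
    counts = Counter()
    iam_writes = Counter()
    findings = []
    for rec in records:
        kind, access = classify(rec)
        counts[f"{kind}/{access}"] += 1
        actor = rec.get("userIdentity", {}).get("arn", "unknown")
        if rec["eventName"] in TRAIL_TAMPERING:
            findings.append(("trail-tampering", actor, rec["eventName"]))
        if rec["eventSource"] == "iam.amazonaws.com" and access == "write":
            iam_writes[actor] += 1
    for actor, n in iam_writes.items():
        if n >= iam_write_burst:
            findings.append(("iam-write-burst", actor, n))
    return {"counts": dict(counts), "findings": findings}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Running this against a real trail means feeding it the gzipped JSON files CloudTrail writes to S3 (or the output of an Athena query); the record fields used here are the standard ones, so only the input loading changes.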
CloudTrail Events Retention
• Events are stored for 90 days in CloudTrail
• To keep events beyond this period, log them to S3 and use Athena
Amazon EventBridge – Intercept API Calls
Amazon EventBridge + CloudTrail
CloudTrail vs CloudWatch vs X-Ray
• CloudTrail
• Audit API calls made by users / services / AWS console
• Useful to detect unauthorized calls or the root cause of changes
• CloudWatch
• CloudWatch Metrics over time for monitoring
• CloudWatch Logs for storing application logs
• CloudWatch Alarms to send notifications in case of unexpected metrics
• X-Ray
• Automated Trace Analysis & Central Service Map Visualization
• Latency, Errors and Fault analysis
• Request tracking across distributed systems
Exercise
• Monitor CPU Utilization of EC2 via CloudWatch Alarms
• Create an EventBridge Rule to get notified on EC2 Instance state change
Section 11
• AWS Lambda
AWS Lambda
It’s a serverless world
What’s serverless?
• Serverless is a new paradigm in which the developers don’t have to
manage servers anymore…
• They just deploy code
• They just deploy… functions !
• Initially... Serverless == FaaS (Function as a Service)
• Serverless was pioneered by AWS Lambda but now also includes
anything that’s managed: “databases, messaging, storage, etc.”
• Serverless does not mean there are no servers…
it means you just don’t manage / provision / see them
Serverless in AWS
• AWS Lambda
• DynamoDB
• AWS Cognito
• AWS API Gateway
• Amazon S3
• AWS SNS & SQS
• AWS Kinesis Data Firehose
• Aurora Serverless
• Step Functions
• Fargate
Why AWS Lambda
Amazon EC2
• Virtual Servers in the Cloud
• Limited by RAM and CPU
• Continuously running
• Scaling means intervention to add / remove servers
Amazon Lambda
• Virtual functions – no servers to manage!
• Limited by time - short executions
• Run on-demand
• Scaling is automated!
Benefits of AWS Lambda
• Easy Pricing:
• Pay per request and compute time
• Free tier of 1,000,000 AWS Lambda requests and 400,000 GB-seconds of compute time
• Integrated with the whole AWS suite of services
• Integrated with many programming languages
• Easy monitoring through AWS CloudWatch
• Easy to get more resources per function (up to 10GB of RAM!)
• Increasing RAM will also improve CPU and network!
AWS Lambda language support
• Node.js (JavaScript)
• Python
• Java
• C# (.NET Core) / Powershell
• Ruby
• Custom Runtime API (community supported, example Rust or Golang)
• Lambda Container Image
• The container image must implement the Lambda Runtime API
• ECS / Fargate is preferred for running arbitrary Docker images
AWS Lambda Integrations Main ones
Example: Serverless Thumbnail creation
Example: Serverless CRON Job
• Trigger: CloudWatch Events / EventBridge, every 1 hour
• Target: AWS Lambda Function, perform a task
AWS Lambda Pricing: example
• You can find overall pricing information here:
https://aws.amazon.com/lambda/pricing/
• Pay per call:
• First 1,000,000 requests are free
• $0.20 per 1 million requests thereafter ($0.0000002 per request)
• Pay per duration (in increments of 1 ms):
• 400,000 GB-seconds of compute time per month for FREE
• == 400,000 seconds if function is 1GB RAM
• == 3,200,000 seconds if function is 128 MB RAM
• After that $1.00 for 600,000 GB-seconds
• It is usually very cheap to run AWS Lambda so it’s very popular
Lambda – Synchronous Invocations
• Synchronous: CLI, SDK, API Gateway, Application Load Balancer
• Result is returned right away
• Error handling must happen client side (retries, exponential backoff, etc…)
Lambda - Synchronous Invocations - Services
• User Invoked:
• Elastic Load Balancing (Application Load Balancer)
• Amazon API Gateway
• Amazon CloudFront (Lambda@Edge)
• Amazon S3 Batch
• Service Invoked:
• Amazon Cognito
• AWS Step Functions
• Other Services:
• Amazon Lex
• Amazon Alexa
• Amazon Kinesis Data Firehose
Lambda Integration with ALB
• To expose a Lambda function as an HTTP(S) endpoint…
• You can use the Application Load Balancer (or an API Gateway)
• The Lambda function must be registered in a target group
ALB to Lambda: HTTP to JSON
Lambda to ALB conversions: JSON to HTTP
ALB Multi-Header Values
• ALB can support multi-value headers (ALB target group setting)
• When you enable multi-value headers, HTTP headers and query string parameters that are sent with multiple values are shown as arrays within the AWS Lambda event and response objects.
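The three slides above (HTTP to JSON, JSON to HTTP, multi-value headers) are diagrams in the deck. As an added example, not code from the course, here is a Python handler for an ALB-invoked function that reads the event in both header styles and returns a response in the matching style; the ALB rejects a response that uses `headers` when the target group has multi-value headers enabled, so the handler picks the response shape from the event it received. The two events are constructed and trimmed to the fields used; the target group ARN is a placeholder.

```python
import base64
import json

# Constructed ALB -> Lambda events (trimmed). The first is the default
# single-value form, the second has the target group's multi-value setting on.
_TG_ARN = ("arn:aws:elasticloadbalancing:us-east-1:123456789012:"
           "targetgroup/example/0123456789abcdef")

EVENT_SINGLE = {
    "requestContext": {"elb": {"targetGroupArn": _TG_ARN}},
    "httpMethod": "GET", "path": "/items",
    "queryStringParameters": {"tag": "blue"},
    "headers": {"User-Agent": "curl/8.0", "Host": "lb.example.com"},
    "body": "", "isBase64Encoded": False,
}
EVENT_MULTI = {
    "requestContext": {"elb": {"targetGroupArn": _TG_ARN}},
    "httpMethod": "POST", "path": "/items",
    "multiValueQueryStringParameters": {"tag": ["blue", "green"]},
    "multiValueHeaders": {"User-Agent": ["curl/8.0"], "Host": ["lb.example.com"]},
    "body": base64.b64encode(b'{"name":"widget"}').decode(),
    "isBase64Encoded": True,
}


def headers_of(event):
    """Return {lower-cased name: [values...]} regardless of the ALB setting."""
    if "multiValueHeaders" in event:
        return {k.lower(): list(v) for k, v in event["multiValueHeaders"].items()}
    return {k.lower(): [v] for k, v in event.get("headers", {}).items()}


def query_of(event):
    """Return {name: [values...]} for the query string, in either style."""
    if "multiValueQueryStringParameters" in event:
        return {k: list(v) for k, v in event["multiValueQueryStringParameters"].items()}
    return {k: [v] for k, v in (event.get("queryStringParameters") or {}).items()}


def body_of(event):
    """ALB base64-encodes binary bodies; always hand the handler bytes."""
    body = event.get("body") or ""
    return base64.b64decode(body) if event.get("isBase64Encoded") else body.encode()


def handler(event, context):
    headers = headers_of(event)
    query = query_of(event)
    body = body_of(event)
    payload = {
        "method": event["httpMethod"],
        "path": event["path"],
        "tags": query.get("tag", []),
        "user_agent": headers.get("user-agent", [""])[0],
        "body_bytes": len(body),
    }
    # JSON -> HTTP: ALB needs statusCode, statusDescription, body and a
    # header map in the same style (headers / multiValueHeaders) as the event.
    response = {
        "statusCode": 200,
        "statusDescription": "200 OK",
        "isBase64Encoded": False,
        "body": json.dumps(payload),
    }
    if "multiValueHeaders" in event:
        response["multiValueHeaders"] = {"Content-Type": ["application/json"]}
    else:
        response["headers"] = {"Content-Type": "application/json"}
    return response


if __name__ == "__main__":
    print(handler(EVENT_SINGLE, None))
    print(handler(EVENT_MULTI, None))
```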
ALB + Lambda – Permissions
Lambda – Asynchronous Invocations
• S3, SNS, CloudWatch Events…
• The events are placed in an Event Queue
• Lambda attempts to retry on errors
• 3 tries total
• 1 minute wait after 1st, then 2 minutes wait
• Make sure the processing is idempotent (in case of retries)
• If the function is retried, you will see duplicate log entries in CloudWatch Logs
• Can define a DLQ (dead-letter queue) – SNS or SQS – for failed processing (need correct IAM permissions)
• Asynchronous invocations allow you to speed up the processing if you don’t need to wait for the result (ex: you need 1000 files processed)
Lambda - Asynchronous Invocations - Services
• Amazon Simple Storage Service (S3)
• Amazon Simple Notification Service (SNS)
• Amazon CloudWatch Events / EventBridge
• AWS CodeCommit (CodeCommitTrigger: new branch, new tag, new push)
• AWS CodePipeline (invoke a Lambda function during the pipeline, Lambda must callback)
----- other -----
• Amazon CloudWatch Logs (log processing)
• Amazon Simple Email Service
• AWS CloudFormation
• AWS Config
• AWS IoT
• AWS IoT Events
CloudWatch Events / EventBridge
S3 Event Notifications
• S3:ObjectCreated, S3:ObjectRemoved, S3:ObjectRestore, S3:Replication…
• Object name filtering possible (*.jpg)
• Use case: generate thumbnails of images uploaded to S3
• S3 event notifications typically deliver events in seconds but can sometimes take a minute or longer
• If two writes are made to a single non-versioned object at the same time, it is possible that only a single event notification will be sent
• If you want to ensure that an event notification is sent for every successful write, you can enable versioning on your bucket.
Simple S3 Event Pattern – Metadata Sync
Lambda – Event Source Mapping
• Kinesis Data Streams
• SQS & SQS FIFO queue
• DynamoDB Streams
• Common denominator: records need to be polled from the source
• Your Lambda function is invoked synchronously
Lambda – Event and Context Objects
Lambda – Event and Context Objects
• Event Object
• JSON-formatted document that contains the data for the function to process
• Contains information from the invoking service (e.g., EventBridge, custom, …)
• Lambda runtime converts the event to an object (e.g., dict type in Python)
• Example: input arguments, invoking service arguments, …
• Context Object
• Provides methods and properties that provide information about the invocation, function, and runtime environment
• Passed to your function by Lambda at runtime
• Example: aws_request_id, function_name, memory_limit_in_mb, …
Lambda – Event and Context Objects
Access Event & Context Objects using Python
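The Python slide above is a screenshot in the deck. This added example (not the course's code) shows a handler reading both objects, and ties in the idempotency point from the asynchronous-invocation slide: a retried asynchronous delivery carries the same `aws_request_id`, so recording that id with the first result lets the function answer a duplicate delivery without doing the work again. The context class is a constructed stand-in that exposes the attribute and method names the slide lists; the in-memory store is a stand-in for a durable one (a DynamoDB table in practice, since a dict dies with the execution context), and the S3 event is constructed.

```python
import time
from dataclasses import dataclass, field

# Hypothetical stand-in for a durable idempotency store (DynamoDB in practice):
# aws_request_id -> result of the first successful processing.
PROCESSED = {}


@dataclass
class FakeContext:
    """Constructed stand-in for the Lambda context object. The real one exposes
    these same names; anything else about it is not modelled here."""
    aws_request_id: str
    function_name: str = "thumbnail-maker"
    memory_limit_in_mb: int = 512
    deadline: float = field(default_factory=lambda: time.time() + 3.0)

    def get_remaining_time_in_millis(self):
        return max(0, int((self.deadline - time.time()) * 1000))


def handler(event, context):
    """Process the S3 records in the event exactly once per request id."""
    # Fail fast rather than start work the timeout would cut in half.
    if context.get_remaining_time_in_millis() < 500:
        raise TimeoutError("not enough time left to start work")

    key = context.aws_request_id
    if key in PROCESSED:                      # retry of an event already handled
        return {**PROCESSED[key], "duplicate": True}

    keys = [r["s3"]["object"]["key"]
            for r in event.get("Records", [])
            if r.get("eventSource") == "aws:s3"]
    # ... real work (e.g. thumbnail generation) would happen here ...
    result = {
        "function": context.function_name,
        "memory_mb": context.memory_limit_in_mb,
        "processed": keys,
        "duplicate": False,
    }
    PROCESSED[key] = result
    return result


# Constructed S3 event notification, trimmed to the fields the handler reads.
SAMPLE_EVENT = {"Records": [{
    "eventSource": "aws:s3",
    "eventName": "ObjectCreated:Put",
    "s3": {"bucket": {"name": "example-uploads"},
           "object": {"key": "photos/cat.jpg"}},
}]}


def simulate_retry(request_id="11111111-2222-3333-4444-555555555555"):
    """Deliver the same event twice with one request id, as an async retry would."""
    ctx = FakeContext(aws_request_id=request_id)
    first = handler(SAMPLE_EVENT, ctx)
    second = handler(SAMPLE_EVENT, ctx)
    return first, second


if __name__ == "__main__":
    print(simulate_retry())
```

A key derived from the event itself (bucket plus object key plus version id for the thumbnail case) works as well and also covers the S3 side, where the same write can be notified more than once.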
Lambda – Destinations
• Nov 2019: Can configure to send result to a destination
• Asynchronous invocations - can define destinations for successful and failed events:
• Amazon SQS
• Amazon SNS
• AWS Lambda
• Amazon EventBridge bus
• Note: AWS recommends you use destinations instead of DLQ now (but both can be used at the same time)
https://docs.aws.amazon.com/lambda/latest/dg/invocation-async.html
• Event Source mapping: for discarded event batches
• Amazon SQS
• Amazon SNS
• Note: you can send events to a DLQ directly from SQS
https://docs.aws.amazon.com/lambda/latest/dg/invocation-eventsourcemapping.html
Lambda Execution Role (IAM Role)
• Grants the Lambda function permissions to AWS services / resources
• Sample managed policies for Lambda:
• AWSLambdaBasicExecutionRole – Upload logs to CloudWatch.
• AWSLambdaKinesisExecutionRole – Read from Kinesis
• AWSLambdaDynamoDBExecutionRole – Read from DynamoDB Streams
• AWSLambdaSQSQueueExecutionRole – Read from SQS
• AWSLambdaVPCAccessExecutionRole – Deploy Lambda function in VPC
• AWSXRayDaemonWriteAccess – Upload trace data to X-Ray.
• When you use an event source mapping to invoke your function, Lambda
uses the execution role to read event data.
• Best practice: create one Lambda Execution Role per function
Lambda Resource Based Policies
• Use resource-based policies to give other accounts and AWS services permission to use your Lambda resources
• Similar to S3 bucket policies for S3 buckets
• An IAM principal can access Lambda:
• if the IAM policy attached to the principal authorizes it (e.g. user access)
• OR if the resource-based policy authorizes it (e.g. service access)
• When an AWS service like Amazon S3 calls your Lambda function, the resource-based policy gives it access.
Lambda Environment Variables
• Environment variable = key / value pair in “String” form
• Adjust the function behavior without updating code
• The environment variables are available to your code
• Lambda Service adds its own system environment variables as well
• Helpful to store secrets (encrypted by KMS)
• Secrets can be encrypted by the Lambda service key, or your own CMK
Lambda Logging & Monitoring
• CloudWatch Logs:
• AWS Lambda execution logs are stored in AWS CloudWatch Logs
• Make sure your AWS Lambda function has an execution role with an IAM policy
that authorizes writes to CloudWatch Logs
• CloudWatch Metrics:
• AWS Lambda metrics are displayed in AWS CloudWatch Metrics
• Invocations, Durations, Concurrent Executions
• Error count, Success Rates, Throttles
• Async Delivery Failures
• Iterator Age (Kinesis & DynamoDB Streams)
Lambda Tracing with X-Ray
• Enable in Lambda configuration (Active Tracing)
• Runs the X-Ray daemon for you
• Use AWS X-Ray SDK in Code
• Ensure Lambda Function has a correct IAM Execution Role
• The managed policy is called AWSXRayDaemonWriteAccess
• Environment variables to communicate with X-Ray
• _X_AMZN_TRACE_ID: contains the tracing header
• AWS_XRAY_CONTEXT_MISSING: by default, LOG_ERROR
• AWS_XRAY_DAEMON_ADDRESS: the X-Ray Daemon IP_ADDRESS:PORT
Customization At The Edge
• Many modern applications execute some form of their logic at the edge
• Edge Function:
• Code that you write and attach to CloudFront distributions
• Runs close to your users to minimize latency
• CloudFront provides two types: CloudFront Functions & Lambda@Edge
• You don’t have to manage any servers, deployed globally
• Use case: customize the CDN content
• Pay only for what you use
• Fully serverless
CloudFront Functions & Lambda@Edge – Use Cases
• Website Security and Privacy
• Dynamic Web Application at the Edge
• Search Engine Optimization (SEO)
• Intelligently Route Across Origins and Data Centers
• Bot Mitigation at the Edge
• Real-time Image Transformation
• A/B Testing
• User Authentication and Authorization
• User Prioritization
• User Tracking and Analytics
CloudFront Functions
• Lightweight functions written in JavaScript
• For high-scale, latency-sensitive CDN customizations
• Sub-ms startup times, millions of requests/second
• Used to change Viewer requests and responses:
• Viewer Request: after CloudFront receives a request from a viewer
• Viewer Response: before CloudFront forwards the response to the viewer
• Native feature of CloudFront (manage code entirely within CloudFront)
Lambda@Edge
• Lambda functions written in NodeJS or Python
• Scales to 1000s of requests/second
• Used to change CloudFront requests and responses:
• Viewer Request – after CloudFront receives a request from a viewer
• Origin Request – before CloudFront forwards the request to the origin
• Origin Response – after CloudFront receives the response from the origin
• Viewer Response – before CloudFront forwards the response to the viewer
• Author your functions in one AWS Region (us-east-1), then CloudFront replicates to its locations
CloudFront Functions vs. Lambda@Edge
CloudFront Functions vs. Lambda@Edge - Use Cases
CloudFront Functions
• Cache key normalization: transform request attributes (headers, cookies, query strings, URL) to create an optimal Cache Key
• Header manipulation: insert/modify/delete HTTP headers in the request or response
• URL rewrites or redirects
• Request authentication & authorization: create and validate user-generated tokens (e.g., JWT) to allow/deny requests
Lambda@Edge
• Longer execution time (several ms)
• Adjustable CPU or memory
• Your code depends on 3rd-party libraries (e.g., AWS SDK to access other AWS services)
• Network access to use external services for processing
• File system access or access to the body of HTTP requests
Lambda by default
• By default, your Lambda function is launched outside your own VPC (in an AWS-owned VPC)
• Therefore it cannot access resources in your VPC (RDS, ElastiCache, internal ELB…)
Lambda in VPC
• You must define the VPC ID, the Subnets and the Security Groups
• Lambda will create an ENI (Elastic Network Interface) in your subnets
• AWSLambdaVPCAccessExecutionRole
Lambda in VPC – Internet Access
• A Lambda function in your VPC does not have internet access
• Deploying a Lambda function in a public subnet does not give it internet access or a public IP
• Deploying a Lambda function in a private subnet gives it internet access if you have a NAT Gateway / Instance
• You can use VPC endpoints to privately access AWS services without a NAT
Note: Lambda - CloudWatch Logs works even without endpoint or NAT Gateway
Lambda Function Configuration
• RAM:
• From 128MB to 10GB in 1MB increments
• The more RAM you add, the more vCPU credits you get
• At 1,792 MB, a function has the equivalent of one full vCPU
• After 1,792 MB, you get more than one CPU, and need to use multi-threading in
your code to benefit from it (up to 6 vCPU)
• If your application is CPU-bound (computation heavy), increase RAM
• Timeout: default 3 seconds, maximum is 900 seconds (15 minutes)
Lambda Execution Context
• The execution context is a temporary runtime environment that initializes any external dependencies of your Lambda code
• Great for database connections, HTTP clients, SDK clients…
• The execution context is maintained for some time in anticipation of another Lambda function invocation
• The next function invocation can “re-use” the context and save the time spent initializing connection objects
• The execution context includes the /tmp directory
Initialize outside the handler
Lambda Functions /tmp space
• If your Lambda function needs to download a big file to work…
• If your Lambda function needs disk space to perform operations…
• You can use the /tmp directory
• Max size is 10GB
• The directory content remains when the execution context is frozen, providing a transient cache that can be used for multiple invocations (helpful to checkpoint your work)
• For permanent persistence of objects (non-temporary), use S3
• To encrypt content on /tmp, you must generate KMS Data Keys
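The "Initialize outside the handler" slide is a screenshot in the deck, and the /tmp slide describes the cache that survives between warm invocations. The following added example (not the course's code) puts the two together: a client object is built once at module level, so it is created on the cold start and reused by every warm invocation on that execution context, and a dataset is fetched once into /tmp and served from there afterwards. The `DatasetClient` is a hypothetical stand-in for an SDK or database client; the cache directory is a parameter (defaulting to /tmp, which is what the function would use on Lambda) so the demo also runs outside Lambda. The write-then-rename step matters for the checkpoint use: a timeout mid-write must never leave a half-written file that the next invocation would trust.

```python
import hashlib
import os
import tempfile
import time


class DatasetClient:
    """Hypothetical stand-in for an SDK or database client that is costly to build."""

    def __init__(self):
        self.created_at = time.time()
        self.fetch_count = 0

    def fetch(self, name):
        self.fetch_count += 1
        return f"payload-for-{name}".encode()


# Module-level initialisation: runs once per execution context (the cold start)
# and is reused by every warm invocation that lands on the same context.
CLIENT = DatasetClient()
CACHE_DIR = os.environ.get("CACHE_DIR", "/tmp")   # /tmp on Lambda


def cached_dataset(name, client=None, cache_dir=None):
    """Return (bytes, cache_hit). /tmp is transient: a new execution context
    starts empty, so the function must always be able to re-fetch."""
    client = client or CLIENT
    cache_dir = cache_dir or CACHE_DIR
    path = os.path.join(cache_dir, hashlib.sha256(name.encode()).hexdigest())
    if os.path.exists(path):
        with open(path, "rb") as f:
            return f.read(), True
    data = client.fetch(name)
    part = path + ".part"              # write to a temp name, then rename
    with open(part, "wb") as f:        # so a timeout never leaves a torn file
        f.write(data)
    os.replace(part, path)             # atomic on POSIX filesystems
    return data, False


def handler(event, context):
    data, hit = cached_dataset(event["dataset"])
    return {"bytes": len(data), "cache_hit": hit, "client_fetches": CLIENT.fetch_count}


def run_demo():
    """Two warm invocations against a fresh context: the second is a cache hit
    and the client is used once. Uses a throw-away directory instead of /tmp."""
    client = DatasetClient()
    cache_dir = tempfile.mkdtemp()
    _, hit1 = cached_dataset("model-v1", client, cache_dir)
    data2, hit2 = cached_dataset("model-v1", client, cache_dir)
    return {"first_hit": hit1, "second_hit": hit2,
            "fetches": client.fetch_count, "bytes": len(data2)}


if __name__ == "__main__":
    print(run_demo())
```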
Lambda Layers
• Custom Runtimes
• Ex: C++ https://github.com/awslabs/aws-lambda-cpp
• Ex: Rust https://github.com/awslabs/aws-lambda-rust-runtime
• Externalize Dependencies to re-use them:
Lambda – File Systems Mounting
• Lambda functions can access EFS file systems if they are running in a VPC
• Configure Lambda to mount EFS file systems to a local directory during initialization
• Must leverage EFS Access Points
• Limitations: watch out for the EFS connection limits (one function instance = one connection) and connection burst limits
Lambda – Storage Options
Lambda Concurrency and Throttling
• Concurrency limit: up to 1000 concurrent executions
• Can set a “reserved concurrency” at the function level (=limit)
• Each invocation over the concurrency limit will trigger a “Throttle”
• Throttle behavior:
• If synchronous invocation => return ThrottleError - 429
• If asynchronous invocation => retry automatically and then go to DLQ
• If you need a higher limit, open a support ticket
Lambda Concurrency Issue
• If you don’t reserve (=limit) concurrency, the following can happen:
Concurrency and Asynchronous Invocations
• If the function doesn't have enough concurrency available to process all events, additional requests are throttled.
• For throttling errors (429) and system errors (500-series), Lambda returns the event to the queue and attempts to run the function again for up to 6 hours.
• The retry interval increases exponentially from 1 second after the first attempt to a maximum of 5 minutes.
Cold Starts & Provisioned Concurrency
• Cold Start:
• New instance => code is loaded and code outside the handler run (init)
• If the init is large (code, dependencies, SDK…) this process can take some time.
• First request served by new instances has higher latency than the rest
• Provisioned Concurrency:
• Concurrency is allocated before the function is invoked (in advance)
• So the cold start never happens and all invocations have low latency
• Application Auto Scaling can manage concurrency (schedule or target utilization)
• Note: cold starts in VPC have been dramatically reduced in Oct & Nov 2019
• https://aws.amazon.com/blogs/compute/announcing-improved-vpc-networking-for-aws-lambda-functions/
Reserved and Provisioned Concurrency
https://docs.aws.amazon.com/lambda/latest/dg/configuration-concurrency.html
Lambda Function Dependencies
• If your Lambda function depends on external libraries: for example AWS X-Ray SDK, Database Clients, etc…
• You need to install the packages alongside your code and zip it together
• For Node.js, use npm & the “node_modules” directory
• For Python, use the pip --target option
• For Java, include the relevant .jar files
• Upload the zip straight to Lambda if less than 50MB, else to S3 first
• Native libraries work: they need to be compiled on Amazon Linux
• AWS SDK comes by default with every Lambda function
Lambda and CloudFormation – inline
• Inline functions are very simple
• Use the Code.ZipFile property
• You cannot include function dependencies with inline functions
Lambda and CloudFormation – through S3
• You must store the Lambda zip in S3
• You must refer to the S3 zip location in the CloudFormation code
• S3Bucket
• S3Key: full path to zip
• S3ObjectVersion: if versioned bucket
• If you update the code in S3, but don’t update S3Bucket, S3Key or S3ObjectVersion, CloudFormation won’t update your function
Lambda and CloudFormation – through S3
Multiple accounts
Lambda Container Images
• Deploy Lambda function as container images of up to 10GB from ECR
• Pack complex dependencies, large dependencies in a container
• Base images are available for Python, Node.js, Java, .NET, Go, Ruby
• Can create your own image as long as it implements the Lambda Runtime API
• Test the containers locally using the Lambda Runtime Interface Emulator
• Unified workflow to build apps
Lambda Container Images
• Example: build from the base images provided by AWS
AWS Lambda Versions
• When you work on a Lambda function, you work on $LATEST
• When you’re ready to publish a Lambda function, you create a version
• Versions are immutable
• Versions have increasing version numbers
• Versions get their own ARN (Amazon Resource Name)
• Version = code + configuration (nothing can be changed - immutable)
• Each version of the Lambda function can be accessed
AWS Lambda Aliases
• Aliases are “pointers” to Lambda function versions
• We can define “dev”, “test” and “prod” aliases and have them point at different Lambda versions
• Aliases are mutable
• Aliases enable Canary deployment by assigning weights to Lambda function versions
• Aliases enable stable configuration of our event triggers / destinations
• Aliases have their own ARNs
• Aliases cannot reference aliases
Lambda & CodeDeploy
• CodeDeploy can help you automate traffic shift for Lambda aliases
• Feature is integrated within the SAM framework
• Linear: grow traffic every N minutes until 100%
• Linear10PercentEvery3Minutes
• Linear10PercentEvery10Minutes
• Canary: try X percent then 100%
• Canary10Percent5Minutes
• Canary10Percent30Minutes
• AllAtOnce: immediate
• Can create Pre & Post Traffic hooks to check the health of the Lambda function
Lambda & CodeDeploy – AppSpec.yml
• Name (required) – the name of the Lambda function to deploy
• Alias (required) – the name of the alias to the Lambda function
• CurrentVersion (required) – the version of the Lambda function traffic currently points to
• TargetVersion (required) – the version of the Lambda function traffic is shifted to
Lambda – Function URL
• Dedicated HTTP(S) endpoint for your Lambda function
• A unique URL endpoint is generated for you (never changes)
• https://<url-id>.lambda-url.<region>.on.aws (dual-stack IPv4 & IPv6)
• Invoke via a web browser, curl, Postman, or any HTTP client
• Access your function URL through the public Internet only
• Doesn’t support PrivateLink (Lambda functions themselves do support it)
• Supports Resource-based Policies & CORS configurations
• Can be applied to any function alias or to $LATEST (can’t be applied to other function versions)
• Create and configure using AWS Console or AWS API
• Throttle your function by using Reserved Concurrency
• Example URL: https://yj4xbxeirvacv3xdjp5uyt3j7y0ltzqa.lambda-url.us-east-1.on.aws/
Lambda – Function URL Security
• Resource-based Policy
• Authorize other accounts / specific CIDR / IAM principals
• Cross-Origin Resource Sharing (CORS)
• If you call your Lambda function URL from a different domain
Lambda – Function URL Security
• AuthType NONE – allow public and unauthenticated access
• Resource-based Policy is always in effect (must grant public access)
Lambda – Function URL Security
• AuthType AWS_IAM – IAM is used to authenticate and authorize requests
• Both Principal’s Identity-based Policy & Resource-based Policy are evaluated
• Principal must have lambda:InvokeFunctionUrl permissions
• Same account – Identity-based Policy OR Resource-based Policy as ALLOW
• Cross account – Identity-based Policy AND Resource Based Policy as ALLOW
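The three Function URL Security slides make the point that the resource-based policy is always in effect: with AuthType NONE it has to grant `lambda:InvokeFunctionUrl` to everyone, and with AWS_IAM it is one of the two policies evaluated. A practical consequence is that the policy document is where you check what a function URL exposes. The following added example (not the course's code) audits a resource-based policy for statements that grant the URL publicly or to another account. The policy is constructed in the shape the console attaches for a public URL; `lambda:FunctionUrlAuthType` is the real condition key for this, and the account ids and function ARN are placeholders.

```python
import json

# Constructed resource-based policy: the public statement the console attaches
# when a function URL is created with AuthType NONE, plus a cross-account grant.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "FunctionURLAllowPublicAccess", "Effect": "Allow", "Principal": "*",
         "Action": "lambda:InvokeFunctionUrl",
         "Resource": "arn:aws:lambda:us-east-1:123456789012:function:example",
         "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "NONE"}}},
        {"Sid": "PartnerInvoke", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "lambda:InvokeFunctionUrl",
         "Resource": "arn:aws:lambda:us-east-1:123456789012:function:example",
         "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "AWS_IAM"}}},
    ],
})

# Actions that cover lambda:InvokeFunctionUrl, including wildcards.
URL_ACTIONS = {"lambda:InvokeFunctionUrl", "lambda:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(principal):
    """Flatten the Principal element into plain strings ("*" or ARNs)."""
    if isinstance(principal, str):
        return [principal]
    out = []
    for values in principal.values():        # keys such as "AWS", "Service"
        out.extend(_as_list(values))
    return out


def _account_of(arn):
    parts = arn.split(":")
    return parts[4] if len(parts) > 4 and parts[4] else None


def audit_function_url_policy(policy_text, own_account):
    """Return findings: ("public", sid, auth_type) for grants to everyone and
    ("cross-account", sid, account) for grants to principals of other accounts."""
    findings = []
    for stmt in json.loads(policy_text).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in URL_ACTIONS for a in _as_list(stmt.get("Action", []))):
            continue
        auth = (stmt.get("Condition", {}).get("StringEquals", {})
                .get("lambda:FunctionUrlAuthType"))
        for p in _principals(stmt.get("Principal", {})):
            if p == "*":
                findings.append(("public", stmt.get("Sid"), auth))
            else:
                account = _account_of(p)
                if account and account != own_account:
                    findings.append(("cross-account", stmt.get("Sid"), account))
    return findings


if __name__ == "__main__":
    for finding in audit_function_url_policy(SAMPLE_POLICY, "123456789012"):
        print(finding)
```

A public finding with auth type NONE is the expected shape for an intentionally public URL; a public finding with auth type AWS_IAM, or one with no condition at all, is the case worth a second look, because it grants the invoke permission to any authenticated caller rather than to the intended accounts.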
Lambda and CodeGuru Profiling
• Gain insights into runtime performance of your Lambda functions using CodeGuru Profiler
• CodeGuru creates a Profiler Group for your Lambda function
• Supported for Java and Python runtimes
• Activate from AWS Lambda Console
• When activated, Lambda adds:
• CodeGuru Profiler layer to your function
• Environment variables to your function
• AmazonCodeGuruProfilerAgentAccess policy to your function
AWS Lambda Limits to Know - per region
• Execution:
• Memory allocation: 128 MB – 10GB (1 MB increments)
• Maximum execution time: 900 seconds (15 minutes)
• Environment variables (4 KB)
• Disk capacity in the “function container” (in /tmp): 512 MB to 10GB
• Concurrent executions: 1000 (can be increased)
• Deployment:
• Lambda function deployment size (compressed .zip): 50 MB
• Size of uncompressed deployment (code + dependencies): 250 MB
• Can use the /tmp directory to load other files at startup
• Size of environment variables: 4 KB
AWS Lambda Best Practices
• Perform heavy-duty work outside of your function handler
• Connect to databases outside of your function handler
• Initialize the AWS SDK outside of your function handler
• Pull in dependencies or datasets outside of your function handler
• Use environment variables for:
• Database Connection Strings, S3 bucket, etc… don’t put these values in your code
• Passwords, sensitive values… they can be encrypted using KMS
• Minimize your deployment package size to its runtime necessities.
• Break down the function if need be
• Remember the AWS Lambda limits
• Use Layers where necessary
• Avoid using recursive code, never have a Lambda function call itself
Exercise
Amazon S3 trigger Lambda to create thumbnail images
Section 12
• Amazon DynamoDB
Amazon DynamoDB
NoSQL Serverless Database
Traditional Architecture
• Traditional applications leverage RDBMS databases
• These databases have the SQL query language
• Strong requirements about how the data should be modeled
• Ability to do query joins, aggregations, complex computations
• Vertical scaling (getting a more powerful CPU / RAM / IO)
• Horizontal scaling (increasing reading capability by adding EC2 / RDS Read Replicas)
NoSQL databases
• NoSQL databases are non-relational databases and are distributed
• NoSQL databases include MongoDB, DynamoDB, …
• NoSQL databases do not support query joins (or just limited support)
• All the data that is needed for a query is present in one row
• NoSQL databases don’t perform aggregations such as “SUM”, “AVG”, …
• NoSQL databases scale horizontally
• There’s no “right or wrong” for NoSQL vs SQL, they just require you to model the data differently and think about user queries differently
Amazon DynamoDB
• Fully managed, highly available with replication across multiple AZs
• NoSQL database - not a relational database
• Scales to massive workloads, distributed database
• Millions of requests per second, trillions of rows, 100s of TB of storage
• Fast and consistent in performance (low latency on retrieval)
• Integrated with IAM for security, authorization and administration
• Enables event driven programming with DynamoDB Streams
• Low cost and auto-scaling capabilities
• Standard & Infrequent Access (IA) Table Class
DynamoDB - Basics
• DynamoDB is made of Tables
• Each table has a Primary Key (must be decided at creation time)
• Each table can have an infinite number of items (= rows)
• Each item has attributes (can be added over time – can be null)
• Maximum size of an item is 400KB
• Data types supported are:
• Scalar Types – String, Number, Binary, Boolean, Null
• Document Types – List, Map
• Set Types – String Set, Number Set, Binary Set
DynamoDB – Primary Keys
• Option 1: Partition Key (HASH)
• Partition key must be unique for each item
• Partition key must be “diverse” so that the data is distributed
• Example: “User_ID” for a users table
DynamoDB – Primary Keys
• Option 2: Partition Key + Sort Key (HASH + RANGE)
• The combination must be unique for each item
• Data is grouped by partition key
• Example: users-games table, “User_ID” for Partition Key and “Game_ID” for Sort Key
DynamoDB – Partition Keys (Exercise)
• We’re building a movie database
• What is the best Partition Key to maximize data distribution?
• movie_id
• producer_name
• leader_actor_name
• movie_language
• “movie_id” has the highest cardinality so it’s a good candidate
• “movie_language” doesn’t take many values and may be skewed towards
English so it’s not a great choice for the Partition Key
DynamoDB – Read/Write Capacity Modes
• Control how you manage your table’s capacity (read/write throughput)
• Provisioned Mode (default)
• You specify the number of reads/writes per second
• You need to plan capacity beforehand
• Pay for provisioned read & write capacity units
• On-Demand Mode
• Read/writes automatically scale up/down with your workloads
• No capacity planning needed
• Pay for what you use, more expensive ($$$)
• You can switch between different modes once every 24 hours
R/W Capacity Modes – Provisioned
• Table must have provisioned read and write capacity units
• Read Capacity Units (RCU) – throughput for reads
• Write Capacity Units (WCU) – throughput for writes
• Option to set up auto-scaling of throughput to meet demand
• Throughput can be exceeded temporarily using “Burst Capacity”
• If Burst Capacity has been consumed, you’ll get a “ProvisionedThroughputExceededException”
• It’s then advised to do an exponential backoff retry
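Exponential backoff comes up twice in this deck: for a DynamoDB `ProvisionedThroughputExceededException` (above) and for a synchronous Lambda invocation that is throttled with a 429 once concurrency is exhausted, where the Lambda slides say error handling is the client's job. The following added example (not the course's or the AWS SDK's code) is a generic retry wrapper with capped exponential backoff and full jitter, run against a constructed service that throttles its first N calls. `ThrottledError` stands in for either exception; the base delay, cap and attempt count are assumptions to tune per call. Sleeping and the random draw are injectable so the demo records the delays instead of waiting.

```python
import random
import time


class ThrottledError(Exception):
    """Stand-in for a Lambda 429 (TooManyRequestsException) or a DynamoDB
    ProvisionedThroughputExceededException."""


def call_with_backoff(fn, max_attempts=5, base=0.1, cap=5.0,
                      sleep=time.sleep, rng=random.random):
    """Call fn() and return (result, attempts made).

    After a throttle, wait a random fraction ("full jitter") of
    min(cap, base * 2**n) before attempt n+1, so many clients retrying at once
    do not all hit the service again in the same instant. Gives up by
    re-raising after max_attempts.
    """
    attempts = 0
    while True:
        attempts += 1
        try:
            return fn(), attempts
        except ThrottledError:
            if attempts >= max_attempts:
                raise
            delay = rng() * min(cap, base * 2 ** (attempts - 1))
            sleep(delay)


class FlakyService:
    """Constructed service that throttles its first `throttle_n` calls."""

    def __init__(self, throttle_n):
        self.remaining = throttle_n
        self.calls = 0

    def invoke(self):
        self.calls += 1
        if self.remaining > 0:
            self.remaining -= 1
            raise ThrottledError("429 Too Many Requests")
        return {"statusCode": 200}


def run_demo(throttle_n, max_attempts=5):
    """Run against a service that throttles throttle_n times. Sleeps are
    recorded rather than slept, and the jitter draw is pinned to 1.0 so the
    recorded delays are the deterministic upper bounds."""
    delays = []
    svc = FlakyService(throttle_n)
    try:
        _, attempts = call_with_backoff(svc.invoke, max_attempts=max_attempts,
                                        sleep=delays.append, rng=lambda: 1.0)
        return {"ok": True, "attempts": attempts, "delays": delays}
    except ThrottledError:
        return {"ok": False, "attempts": svc.calls, "delays": delays}


if __name__ == "__main__":
    print(run_demo(2))    # succeeds on the third attempt
    print(run_demo(10))   # gives up after five attempts
```

For a synchronous Lambda call the same wrapper goes around the SDK invoke call with the SDK's throttling exception in place of `ThrottledError`; for DynamoDB note that the AWS SDKs already retry throttled requests with backoff, so a wrapper like this is for the operations and retry budgets the SDK defaults do not cover.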
DynamoDB – Write Capacity Units (WCU)
• One Write Capacity Unit (WCU) represents one write per second for an
item up to 1 KB in size
• If the items are larger than 1 KB, more WCUs are consumed
• Example 1: we write 10 items per second, with item size 2 KB
• We need 10 × (2 KB / 1 KB) = 20 WCUs
• Example 2: we write 6 items per second, with item size 4.5 KB
• We need 6 × (5 KB / 1 KB) = 30 WCUs (4.5 KB gets rounded up to 5 KB)
• Example 3: we write 120 items per minute, with item size 2 KB
• We need (120 / 60) × (2 KB / 1 KB) = 4 WCUs
Strongly Consistent Read
vs. Eventually Consistent Read
• Eventually Consistent Read (default)
• If we read just after a write, it’s possible we’ll
get some stale data because of replication
• Strongly Consistent Read
• If we read just after a write, we will get the
correct data
• Set “ConsistentRead” parameter to True in API
calls (GetItem, BatchGetItem, Query, Scan)
• Consumes twice the RCU
DynamoDB – Read Capacity Units (RCU)
• One Read Capacity Unit (RCU) represents one Strongly Consistent Read per second,
or two Eventually Consistent Reads per second, for an item up to 4 KB in size
• If the items are larger than 4 KB, more RCUs are consumed
• Example 1: 10 Strongly Consistent Reads per second, with item size 4 KB
• We need 10 × (4 KB / 4 KB) = 10 RCUs
• Example 2: 16 Eventually Consistent Reads per second, with item size 12 KB
• We need (16 / 2) × (12 KB / 4 KB) = 24 RCUs
• Example 3: 10 Strongly Consistent Reads per second, with item size 6 KB
• We need 10 × (8 KB / 4 KB) = 20 RCUs (we must round up 6 KB to 8 KB)
DynamoDB – Partitions Internal
• Data is stored in partitions
• Partition Keys go through a hashing algorithm to know to
which partition they go to
• To compute the number of partitions:
• # of partitions (by capacity) = (RCUs_total / 3000) + (WCUs_total / 1000)
• # of partitions (by size) = Total Size / 10 GB
• # of partitions = ceil(max(# of partitions (by capacity), # of partitions (by size)))
• WCUs and RCUs are spread evenly across partitions
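The WCU, RCU and partition arithmetic from the preceding slides, as an added worked example (not part of the original deck). The unit sizes and per-partition limits are taken from the slides; the transactional multiplier is the 2× cost the deck covers later under DynamoDB Transactions, so the same calculator answers those questions too. The per-partition share shows why a single hot key is throttled long before the table's total capacity is reached.

```python
import math

# Unit definitions from the slides (assumed for the whole calculator):
# 1 WCU = one write/s of an item up to 1 KB; 1 RCU = one strongly consistent
# read/s (or two eventually consistent reads/s) of an item up to 4 KB; a
# partition serves at most 3,000 RCU, 1,000 WCU and 10 GB.
WCU_ITEM_KB = 1
RCU_ITEM_KB = 4
PARTITION_RCU = 3000
PARTITION_WCU = 1000
PARTITION_GB = 10


def wcus(writes_per_second, item_kb, transactional=False):
    """WCUs for `writes_per_second` writes of `item_kb` KB items.
    Item size is rounded up to the next 1 KB; transactional writes cost 2x."""
    units_per_item = math.ceil(item_kb / WCU_ITEM_KB)
    total = writes_per_second * units_per_item
    return total * 2 if transactional else total


def rcus(reads_per_second, item_kb, consistency="eventual"):
    """RCUs for `reads_per_second` reads of `item_kb` KB items.
    consistency: 'eventual' (half the strong cost), 'strong',
    or 'transactional' (2x the strong cost)."""
    units_per_item = math.ceil(item_kb / RCU_ITEM_KB)
    strong = reads_per_second * units_per_item
    if consistency == "eventual":
        return strong / 2
    if consistency == "strong":
        return strong
    if consistency == "transactional":
        return strong * 2
    raise ValueError(f"unknown consistency {consistency!r}")


def partitions(total_rcu, total_wcu, total_size_gb):
    """Partitions DynamoDB needs for the provisioned capacity and stored size."""
    by_capacity = total_rcu / PARTITION_RCU + total_wcu / PARTITION_WCU
    by_size = total_size_gb / PARTITION_GB
    return math.ceil(max(by_capacity, by_size))


def per_partition_throughput(total_rcu, total_wcu, total_size_gb):
    """(RCU, WCU) a single partition key can draw on when capacity is spread
    evenly: one hot key is limited to this share, not to the table total."""
    n = partitions(total_rcu, total_wcu, total_size_gb)
    return total_rcu / n, total_wcu / n
```

The even-spread model is the one the exam uses; in practice DynamoDB adaptive capacity lets a busy partition borrow unused throughput from the others, so real throttling thresholds are somewhat higher than `per_partition_throughput` suggests.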
DynamoDB – Throttling
• If we exceed provisioned RCUs or WCUs, we get
“ProvisionedThroughputExceededException”
• Reasons:
• Hot Keys – one partition key is being read too many times (e.g., popular item)
• Hot Partitions
• Very large items, remember RCU and WCU depends on size of items
• Solutions:
• Exponential backoff when exception is encountered (already in SDK)
• Distribute partition keys as much as possible
• If RCU issue, we can use DynamoDB Accelerator (DAX)
R/W Capacity Modes – On-Demand
• Read/writes automatically scale up/down with your workloads
• No capacity planning needed (WCU / RCU)
• No RCU/WCU to provision and no capacity-based throttling (default per-table throughput quotas still apply and can be raised), more expensive
• You’re charged for reads/writes that you use in terms of RRU and WRU
• Read Request Units (RRU) – throughput for reads (same as RCU)
• Write Request Units (WRU) – throughput for writes (same as WCU)
• 2.5x more expensive than provisioned capacity (use with care)
• Use cases: unknown workloads, unpredictable application traffic, …
DynamoDB – Writing Data
• PutItem
• Creates a new item or fully replace an old item (same Primary Key)
• Consumes WCUs
• UpdateItem
• Edits an existing item’s attributes or adds a new item if it doesn’t exist
• Can be used to implement Atomic Counters – a numeric attribute that’s unconditionally
incremented
• Conditional Writes
• Accept a write/update/delete only if conditions are met, otherwise returns an error
• Helps with concurrent access to items
• No performance impact
DynamoDB – Reading Data
• GetItem
• Read based on Primary key
• Primary Key can be HASH or HASH+RANGE
• Eventually Consistent Read (default)
• Option to use Strongly Consistent Reads (more RCU - might take longer)
• ProjectionExpression can be specified to retrieve only certain attributes
DynamoDB – Reading Data (Query)
• Query returns items based on:
• KeyConditionExpression
• Partition Key value (must be = operator) – required
• Sort Key value (=, <=, >, >=, Between, Begins with) – optional
• FilterExpression
• Additional filtering after the Query operation (before data returned to you)
• Use only with non-key attributes (does not allow HASH or RANGE attributes)
• Returns:
• The number of items specified in Limit
• Or up to 1 MB of data
• Ability to do pagination on the results
• Can query table, a Local Secondary Index, or a Global Secondary Index
DynamoDB – Reading Data (Scan)
• Scan the entire table and then filter out data (inefficient)
• Returns up to 1 MB of data – use pagination to keep on reading
• Consumes a lot of RCU
• Limit impact using Limit or reduce the size of the result and pause
• For faster performance, use Parallel Scan
• Multiple workers scan multiple data segments at the same time
• Increases the throughput and RCU consumed
• Limit the impact of parallel scans just like you would for Scans
• Can use ProjectionExpression & FilterExpression (no changes to RCU)
DynamoDB – Deleting Data
• DeleteItem
• Delete an individual item
• Ability to perform a conditional delete
• DeleteTable
• Delete a whole table and all its items
• Much quicker deletion than calling DeleteItem on all items
DynamoDB – Batch Operations
• Allows you to save in latency by reducing the number of API calls
• Operations are done in parallel for better efficiency
• Part of a batch can fail; in which case we need to try again for the failed items
• BatchWriteItem
• Up to 25 PutItem and/or DeleteItem in one call
• Up to 16 MB of data written, up to 400 KB of data per item
• Can’t update items (use UpdateItem)
• UnprocessedItems for failed write operations (exponential backoff or add WCU)
• BatchGetItem
• Return items from one or more tables
• Up to 100 items, up to 16 MB of data
• Items are retrieved in parallel to minimize latency
• UnprocessedKeys for failed read operations (exponential backoff or add RCU)
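Handling the partial-failure case from the Batch Operations slide (and the exponential backoff advice from the Provisioned mode slide), as an added example that is not part of the original deck. `ThrottlingClient` is a constructed stand-in for boto3's `client.batch_write_item` that hands back `UnprocessedItems` the way DynamoDB does when write capacity runs out; `batch_write_with_backoff` chunks to the 25-item limit, retries only the unprocessed requests, and gives up after a bounded number of attempts instead of retrying forever.

```python
import random
import time

MAX_BATCH = 25   # BatchWriteItem limit: up to 25 PutItem/DeleteItem per call


class ThrottlingClient:
    """Constructed stand-in for boto3 (not the real client). Accepts only
    `accept_per_call` requests per call and returns the rest as UnprocessedItems."""

    def __init__(self, accept_per_call):
        self.accept_per_call = accept_per_call
        self.calls = 0
        self.written = []

    def batch_write_item(self, RequestItems):
        self.calls += 1
        unprocessed = {}
        for table, reqs in RequestItems.items():
            accepted = reqs[:self.accept_per_call]
            rest = reqs[self.accept_per_call:]
            self.written.extend(r["PutRequest"]["Item"] for r in accepted)
            if rest:
                unprocessed[table] = rest
        return {"UnprocessedItems": unprocessed}


def batch_write_with_backoff(client, table, items, max_attempts=6,
                             base_delay=0.05, sleep=time.sleep):
    """Put `items` (DynamoDB-typed dicts) into `table` in chunks of 25.
    UnprocessedItems are retried with exponential backoff and full jitter.
    Returns the number of API calls made; raises RuntimeError if a chunk is
    still unprocessed after `max_attempts` calls (add WCUs or slow the producer)."""
    calls = 0
    for start in range(0, len(items), MAX_BATCH):
        pending = [{"PutRequest": {"Item": it}} for it in items[start:start + MAX_BATCH]]
        attempt = 0
        while pending:
            if attempt >= max_attempts:
                raise RuntimeError(f"{len(pending)} items unprocessed after {attempt} attempts")
            if attempt:
                # full jitter: wait a random time in [0, base * 2^attempt], capped
                sleep(random.uniform(0, min(5.0, base_delay * 2 ** attempt)))
            resp = client.batch_write_item(RequestItems={table: pending})
            calls += 1
            pending = resp.get("UnprocessedItems", {}).get(table, [])
            attempt += 1
    return calls
```

With real boto3 the same function works unchanged by passing `boto3.client("dynamodb")`; the `sleep` parameter exists only so the retry loop can be exercised without waiting.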
DynamoDB – PartiQL
• SQL-compatible query language for DynamoDB
• Allows you to select, insert, update, and delete data in DynamoDB using SQL
• Run queries across multiple DynamoDB tables
• Run PartiQL queries from:
• AWS Management Console
• NoSQL Workbench for DynamoDB
• DynamoDB APIs
• AWS CLI
• AWS SDK
DynamoDB – Conditional Writes
• For PutItem, UpdateItem, and DeleteItem (BatchWriteItem does not support condition expressions; use TransactWriteItems when a batch needs conditions)
• You can specify a Condition expression to determine which items should be modified:
• attribute_exists
• attribute_not_exists
• attribute_type
• contains (for string)
• begins_with (for string)
• ProductCategory IN (:cat1, :cat2) and Price between :low and :high
• size (length of a string or binary value, or number of elements in a set, list, or map)
• Note: Filter Expression filters the results of read queries, while Condition Expressions
are for write operations
Conditional Writes – Example on Update Item
Conditional Writes – Example on Delete Item
• attribute_not_exists
• Only succeeds if the attribute doesn’t exist yet (no value)
• attribute_exists
• Opposite of attribute_not_exists
Conditional Writes –
Do Not Overwrite Elements
• attribute_not_exists(partition_key)
• Make sure the item isn’t overwritten
• attribute_not_exists(partition_key) and
attribute_not_exists(sort_key)
• Make sure the partition / sort key combination is not overwritten
Conditional Writes – Example Complex
Condition
Conditional Writes – Example of String
Comparisons
• begins_with – check if prefix matches
• contains – check if string is contained in another string
DynamoDB – Local Secondary Index (LSI)
• Alternative Sort Key for your table (same Partition Key as that of base table)
• The Sort Key consists of one scalar attribute (String, Number, or Binary)
• Up to 5 Local Secondary Indexes per table
• Must be defined at table creation time
• Attribute Projections – can contain some or all the attributes of the base table
(KEYS_ONLY, INCLUDE, ALL)
DynamoDB – Global Secondary Index (GSI)
• Alternative Primary Key (HASH or HASH+RANGE) from the base table
• Speed up queries on non-key attributes
• The Index Key consists of scalar attributes (String, Number, or Binary)
• Attribute Projections – some or all the attributes of the base table (KEYS_ONLY, INCLUDE, ALL)
• Must provision RCUs & WCUs for the index
• Can be added/modified after table creation
DynamoDB – Indexes and Throttling
• Global Secondary Index (GSI):
• If the writes are throttled on the GSI, then the main table will be throttled!
• Even if the WCU on the main tables are fine
• Choose your GSI partition key carefully!
• Assign your WCU capacity carefully!
• Local Secondary Index (LSI):
• Uses the WCUs and RCUs of the main table
• No special throttling considerations
DynamoDB - PartiQL
• Use a SQL-like syntax to manipulate DynamoDB tables
• Supports some (but not all) statements:
• INSERT
• UPDATE
• SELECT
• DELETE
• It supports Batch operations
DynamoDB – Optimistic Locking
• DynamoDB has a feature called “Conditional Writes”
• A strategy to ensure an item hasn’t changed before you update/delete it
• Each item has an attribute that acts as a version number
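The two conditional-write patterns from the preceding slides, "do not overwrite" (`attribute_not_exists(partition_key)`) and optimistic locking with a version attribute, as an added example that is not part of the original deck. `FakeTable` is a constructed in-memory stand-in for a DynamoDB table that enforces only those two conditions; `optimistic_update_kwargs` builds the real `client.update_item(**kwargs)` call for the same operation, and `deduct_balance` shows the read-modify-write loop that survives a lost race. The attribute names (`username`, `balance`, `version`) are assumptions.

```python
class ConditionalCheckFailed(Exception):
    """Stands in for botocore's ConditionalCheckFailedException."""


class FakeTable:
    """Constructed in-memory stand-in for a single-partition-key table."""

    def __init__(self):
        self.items = {}

    def put_if_absent(self, item, key_name="username"):
        # PutItem with ConditionExpression "attribute_not_exists(username)":
        # a second registration of the same username must not replace the first.
        key = item[key_name]
        if key in self.items:
            raise ConditionalCheckFailed(f"{key_name}={key!r} already exists")
        self.items[key] = dict(item)

    def update_versioned(self, key, expected_version, changes):
        # UpdateItem with ConditionExpression "#v = :expected" and
        # UpdateExpression "SET #v = :expected + :one, <changes>"
        current = self.items.get(key)
        if current is None or current["version"] != expected_version:
            raise ConditionalCheckFailed(f"version mismatch for {key!r}")
        current.update(changes)
        current["version"] = expected_version + 1

    def get(self, key):
        return dict(self.items[key])


def optimistic_update_kwargs(table_name, key, expected_version, changes):
    """The boto3 client.update_item(**kwargs) equivalent of update_versioned.
    `key` and the values in `changes` are already DynamoDB-typed ({"S": ...})."""
    names = {"#v": "version"}
    values = {":expected": {"N": str(expected_version)}, ":one": {"N": "1"}}
    sets = ["#v = :expected + :one"]
    for i, (attr, val) in enumerate(changes.items()):
        names[f"#a{i}"] = attr
        values[f":a{i}"] = val
        sets.append(f"#a{i} = :a{i}")
    return {
        "TableName": table_name,
        "Key": key,
        "UpdateExpression": "SET " + ", ".join(sets),
        "ConditionExpression": "#v = :expected",
        "ExpressionAttributeNames": names,
        "ExpressionAttributeValues": values,
    }


def deduct_balance(table, key, amount, max_retries=3):
    """Read-modify-write under optimistic locking: a stale version is rejected by
    the condition, so we re-read and retry instead of silently losing the update."""
    for _ in range(max_retries):
        item = table.get(key)
        if item["balance"] < amount:
            raise ValueError("insufficient funds")
        try:
            table.update_versioned(key, item["version"], {"balance": item["balance"] - amount})
            return table.get(key)
        except ConditionalCheckFailed:
            continue  # another writer won the race; loop re-reads the new version
    raise RuntimeError("too much contention")
```

Without the version condition, two clients that both read balance 100 and each subtract 30 would leave 70 instead of 40; the condition turns the second write into a `ConditionalCheckFailed` that the caller can retry from fresh data.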
DynamoDB Accelerator (DAX)
• Fully-managed, highly available, seamless in-memory
cache for DynamoDB
• Microseconds latency for cached reads & queries
• Doesn’t require application logic modification
(compatible with existing DynamoDB APIs)
• Solves the “Hot Key” problem (too many reads)
• 5 minutes TTL for cache (default)
• Up to 11 nodes in the cluster (1 primary + up to 10 read replicas)
• Multi-AZ (3 nodes minimum recommended for
production)
• Secure (Encryption at rest with KMS, VPC, IAM,
CloudTrail, …)
DynamoDB Accelerator (DAX) vs. ElastiCache
DynamoDB Streams
• Ordered stream of item-level modifications (create/update/delete) in a table
• Stream records can be:
• Sent to Kinesis Data Streams
• Read by AWS Lambda
• Read by Kinesis Client Library applications
• Data Retention for up to 24 hours
• Use cases:
• react to changes in real-time (welcome email to users)
• Analytics
• Insert into derivative tables
• Insert into OpenSearch Service
• Implement cross-region replication
DynamoDB Streams
• Ability to choose the information that will be written to the stream:
• KEYS_ONLY – only the key attributes of the modified item
• NEW_IMAGE – the entire item, as it appears after it was modified
• OLD_IMAGE – the entire item, as it appeared before it was modified
• NEW_AND_OLD_IMAGES – both the new and the old images of the item
• DynamoDB Streams are made of shards, just like Kinesis Data Streams
• You don’t provision shards, this is automated by AWS
• Records are not retroactively populated in a stream after enabling it
DynamoDB Streams & AWS Lambda
• You need to define an Event Source
Mapping to read from a DynamoDB
Streams
• You need to ensure the Lambda function
has the appropriate permissions
• Your Lambda function is invoked
synchronously
DynamoDB – Time To Live (TTL)
• Automatically delete items after an expiry timestamp
• Doesn’t consume any WCUs (i.e., no extra cost)
• The TTL attribute must be a “Number” data type
with “Unix Epoch timestamp” value
• Expired items are typically deleted within 48 hours of expiration
• Expired items, that haven’t been deleted, appears in
reads/queries/scans (if you don’t want them, filter
them out)
• Expired items are deleted from both LSIs and GSIs
• A delete operation for each expired item enters the
DynamoDB Streams (can help recover expired items)
• Use cases: reduce stored data by keeping only
current items, adhere to regulatory obligations, …
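A Lambda handler for a DynamoDB Streams event source mapping, as an added example that is not part of the original deck. It decodes the DynamoDB-typed attributes in each record, reports which attributes a MODIFY changed (a role flip on a session is the kind of change worth alerting on), and separates the TTL process's deletes from explicit DeleteItem calls: TTL removals carry `userIdentity` with `type` "Service" and `principalId` "dynamodb.amazonaws.com", and their `OldImage` is what lets you recover an expired item, which only exists if the stream view type is OLD_IMAGE or NEW_AND_OLD_IMAGES. `SAMPLE_EVENT` is a constructed event, not a captured one.

```python
from decimal import Decimal


def from_dynamodb(value):
    """Convert one DynamoDB-typed attribute ({"S": ..}, {"N": ..}, ...) to Python."""
    (t, v), = value.items()
    if t in ("S", "BOOL"):
        return v
    if t == "N":
        return Decimal(v)
    if t == "NULL":
        return None
    if t == "L":
        return [from_dynamodb(x) for x in v]
    if t == "M":
        return {k: from_dynamodb(x) for k, x in v.items()}
    if t in ("SS", "NS", "BS"):
        return set(v)
    raise ValueError(f"unsupported attribute type {t}")


def decode(image):
    return {k: from_dynamodb(v) for k, v in image.items()}


def is_ttl_expiry(record):
    """True when a REMOVE was issued by the TTL process rather than by a caller."""
    identity = record.get("userIdentity") or {}
    return (record["eventName"] == "REMOVE"
            and identity.get("type") == "Service"
            and identity.get("principalId") == "dynamodb.amazonaws.com")


def handler(event, context=None):
    """Lambda entry point. Returns a summary instead of printing so the
    behaviour can be checked; a real function would write to its own sinks."""
    summary = {"inserted": [], "modified": [], "deleted": [], "archived": []}
    for rec in event["Records"]:
        body = rec["dynamodb"]
        key = decode(body["Keys"])
        if rec["eventName"] == "INSERT":
            summary["inserted"].append(key)
        elif rec["eventName"] == "MODIFY":
            old, new = decode(body.get("OldImage", {})), decode(body.get("NewImage", {}))
            changed = sorted(k for k in set(old) | set(new) if old.get(k) != new.get(k))
            summary["modified"].append((key, changed))
        elif is_ttl_expiry(rec):
            summary["archived"].append(decode(body.get("OldImage", {})))  # recoverable copy
        else:
            summary["deleted"].append(key)
    return summary


# Constructed sample event (NEW_AND_OLD_IMAGES view): one insert, one role
# change, one TTL expiry, one explicit DeleteItem.
SAMPLE_EVENT = {"Records": [
    {"eventName": "INSERT", "dynamodb": {
        "Keys": {"session_id": {"S": "s1"}},
        "NewImage": {"session_id": {"S": "s1"}, "user": {"S": "alice"}, "ttl": {"N": "1700000000"}}}},
    {"eventName": "MODIFY", "dynamodb": {
        "Keys": {"session_id": {"S": "s2"}},
        "OldImage": {"session_id": {"S": "s2"}, "user": {"S": "bob"}, "role": {"S": "viewer"}},
        "NewImage": {"session_id": {"S": "s2"}, "user": {"S": "bob"}, "role": {"S": "admin"}}}},
    {"eventName": "REMOVE",
     "userIdentity": {"type": "Service", "principalId": "dynamodb.amazonaws.com"},
     "dynamodb": {
        "Keys": {"session_id": {"S": "s3"}},
        "OldImage": {"session_id": {"S": "s3"}, "user": {"S": "carol"}, "ttl": {"N": "1600000000"}}}},
    {"eventName": "REMOVE", "dynamodb": {
        "Keys": {"session_id": {"S": "s4"}},
        "OldImage": {"session_id": {"S": "s4"}, "user": {"S": "dave"}}}},
]}
```

Because the event source mapping invokes the function synchronously and in order per shard, a handler that raises will block that shard until the record is retried or expires from the 24-hour stream; handle bad records explicitly rather than letting exceptions escape.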
DynamoDB CLI – Good to Know
• --projection-expression: one or more attributes to retrieve
• --filter-expression: filter items before returned to you
• General AWS CLI Pagination options (e.g., DynamoDB, S3, …)
• --page-size: specify that AWS CLI retrieves the full list of items but with a larger
number of API calls instead of one API call (default: 1000 items)
• --max-items: max. number of items to show in the CLI (returns NextToken)
• --starting-token: specify the last NextToken to retrieve the next set of items
DynamoDB Transactions
• Coordinated, all-or-nothing operations (add/update/delete) to multiple items across
one or more tables
• Provides Atomicity, Consistency, Isolation, and Durability (ACID)
• Read Modes – Eventual Consistency, Strong Consistency, Transactional
• Write Modes – Standard, Transactional
• Consumes 2x WCUs & RCUs
• DynamoDB performs 2 operations for every item (prepare & commit)
• Two operations:
• TransactGetItems – one or more GetItem operations
• TransactWriteItems – one or more PutItem, UpdateItem, DeleteItem, and ConditionCheck operations (each may carry its own condition expression)
• Use cases: financial transactions, managing orders, multiplayer games, …
DynamoDB Transactions
A Transaction is written to both tables, or none!
DynamoDB Transactions – Capacity
Computations
• Important for the exam!
• Example 1: 3 Transactional writes per second, with item size 5 KB
• We need 3 × (5 KB / 1 KB) × 2 (transactional cost) = 30 WCUs
• Example 2: 5 Transactional reads per second, with item size 5 KB
• We need 5 × (8 KB / 4 KB) × 2 (transactional cost) = 20 RCUs
• (5 KB gets rounded up to the next multiple of 4 KB, i.e. 8 KB)
DynamoDB as Session State Cache
• It’s common to use DynamoDB to store session states
• vs. ElastiCache
• ElastiCache is in-memory, but DynamoDB is serverless
• Both are key/value stores
• vs. EFS
• EFS must be attached to EC2 instances as a network drive
• vs. EBS & Instance Store
• EBS & Instance Store can only be used for local caching, not shared caching
• vs. S3
• S3 is higher latency, and not meant for small objects
DynamoDB – Write Types
DynamoDB – Large Objects Pattern
DynamoDB Operations
• Table Cleanup
• Option 1: Scan + DeleteItem
• Very slow, consumes RCU & WCU, expensive
• Option 2: Drop Table + Recreate table
• Fast, efficient, cheap
• Copying a DynamoDB Table
• Option 1: Using AWS Data Pipeline
• Option 2: Backup and restore into a new table
• Takes some time
• Option 3: Scan + PutItem or BatchWriteItem
• Write your own code
DynamoDB – Security & Other Features
• Security
• VPC Endpoints available to access DynamoDB without using the Internet
• Access fully controlled by IAM
• Encryption at rest using AWS KMS and in-transit using SSL/TLS
• Backup and Restore feature available
• Point-in-time Recovery (PITR) like RDS
• No performance impact
• Global Tables
• Multi-region, multi-active, fully replicated, high performance
• DynamoDB Local
• Develop and test apps locally without accessing the DynamoDB web service (without Internet)
• AWS Database Migration Service (AWS DMS) can be used to migrate to DynamoDB
(from MongoDB, Oracle, MySQL, S3, …)
Exercise
Use an S3 bucket event to
trigger SQS Queue to
insert image info into
DynamoDB Table
Section 13
• Amazon API Gateway
Amazon API Gateway
Build, Deploy and Manage APIs
Example: Building a Serverless API
AWS API Gateway
• AWS Lambda + API Gateway: No infrastructure to manage
• Support for the WebSocket Protocol
• Handle API versioning (v1, v2…)
• Handle different environments (dev, test, prod…)
• Handle security (Authentication and Authorization)
• Create API keys, handle request throttling
• Swagger / Open API import to quickly define APIs
• Transform and validate requests and responses
• Generate SDK and API specifications
• Cache API responses
API Gateway – HTTP API vs REST API
• HTTP APIs
• low-latency, cost-effective AWS
Lambda proxy, HTTP proxy APIs and
private integration (no data mapping)
• support OIDC and OAuth 2.0
authorization, and built-in support
for CORS
• No usage plans and API keys
• REST APIs
• All features (except Native OpenID
Connect / OAuth 2.0)
Full list here: https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-vs-rest.html
API Gateway – Integrations High Level
• Lambda Function
• Invoke Lambda function
• Easy way to expose REST API backed by AWS Lambda
• HTTP
• Expose HTTP endpoints in the backend
• Example: internal HTTP API on premise, Application Load Balancer…
• Why? Add rate limiting, caching, user authentications, API keys, etc…
• AWS Service
• Expose any AWS API through the API Gateway
• Example: start an AWS Step Function workflow, post a message to SQS
• Why? Add authentication, deploy publicly, rate control…
API Gateway - Architecture
• Create a single interface for
all the microservices in your
company
• Use API endpoints with
various resources
• Apply a simple domain name
and SSL certificates
• Can apply forwarding and
transformation rules at the
API Gateway level
API Gateway – AWS Service Integration
Kinesis Data Streams example
API Gateway - Endpoint Types
• Edge-Optimized (default): For global clients
• Requests are routed through the CloudFront Edge locations (improves latency)
• The API Gateway still lives in only one region
• Regional:
• For clients within the same region
• Could manually combine with CloudFront (more control over the caching
strategies and the distribution)
• Private:
• Can only be accessed from your VPC using an interface VPC endpoint (ENI)
• Use a resource policy to define access
API Gateway – Security
• User Authentication through
• IAM Roles (useful for internal applications)
• Cognito (identity for external users – example mobile users)
• Custom Authorizer (your own logic)
• Custom Domain Name HTTPS security through integration with AWS
Certificate Manager (ACM)
• If using Edge-Optimized endpoint, then the certificate must be in us-east-1
• If using Regional endpoint, the certificate must be in the API Gateway region
• Must setup CNAME or A-alias record in Route 53
API Gateway – Deployment Stages
• Making changes in the API Gateway does not mean they’re effective
• You need to make a “deployment” for them to be in effect
• It’s a common source of confusion
• Changes are deployed to “Stages” (as many as you want)
• Use the naming you like for stages (dev, test, prod)
• Each stage has its own configuration parameters
• Stages can be rolled back as a history of deployments is kept
API Gateway – Stages v1 and v2 API
breaking change
https://api.example.com/v1
https://api.example.com/v2
API Gateway – Stage Variables
• Stage variables are like environment variables for API Gateway
• Use them for configuration values that change often
• They can be used in:
• Lambda function ARN
• HTTP Endpoint
• Parameter mapping templates
• Use cases:
• Configure HTTP endpoints your stages talk to (dev, test, prod…)
• Pass configuration parameters to AWS Lambda through mapping templates
• With a Lambda proxy integration, stage variables arrive in the event under “stageVariables”; with a non-proxy integration you pass them through the mapping template as $stageVariables.variableName
• Format: ${stageVariables.variableName}
API Gateway Stage Variables & Lambda Aliases
• We create a stage variable to indicate the corresponding Lambda alias
• Our API gateway will automatically invoke the right Lambda function!
API Gateway – Canary Deployment
• Possibility to enable canary deployments for any stage (usually prod)
• Choose the % of traffic the canary channel receives
• Metrics & Logs are separate (for better monitoring)
• Possibility to override stage variables for canary
• This is blue / green deployment with AWS Lambda & API Gateway
API Gateway - Integration Types
• Integration Type MOCK
• API Gateway returns a response without sending the request to the backend
• Integration Type HTTP / AWS (Lambda & AWS Services)
• you must configure both the integration request and integration response
• Setup data mapping using mapping templates for the request & response
API Gateway - Integration Types
• Integration Type AWS_PROXY (Lambda Proxy):
• incoming request from the client is the input to Lambda
• The function is responsible for the logic of request / response
• No mapping template, headers, query string parameters… are passed as
arguments
API Gateway - Integration Types
• Integration Type HTTP_PROXY
• No mapping template
• The HTTP request is passed to the backend
• The HTTP response from the backend is forwarded by API Gateway
• Possibility to add HTTP Headers if need be (ex: API key)
Mapping Templates (AWS & HTTP Integration)
• Mapping templates can be used to modify request / responses
• Rename / Modify query string parameters
• Modify body content
• Add headers
• Uses Velocity Template Language (VTL): for loop, if etc…
• Filter output results (remove unnecessary data)
• Content-Type can be set to application/json or application/xml
Mapping Example: JSON to XML with SOAP
• SOAP APIs are XML-based, whereas REST APIs are JSON-based
• In this case, API Gateway should:
• Extract data from the request: either path, payload or header
• Build SOAP message based on request data (mapping template)
• Call SOAP service and receive XML response
• Transform XML response to desired format (like JSON), and respond to the user
Mapping Example: Query String parameters
API Gateway - Open API spec
• Common way of defining REST APIs, using API definition as code
• Import existing OpenAPI 3.0 spec to API Gateway
• Method
• Method Request
• Integration Request
• Method Response
• + AWS extensions for API gateway and setup every single option
• Can export current API as OpenAPI spec
• OpenAPI specs can be written in YAML or JSON
• Using OpenAPI we can generate SDK for our applications
REST API – Request Validation
• You can configure API Gateway to perform basic validation of an API
request before proceeding with the integration request
• When the validation fails, API Gateway immediately fails the request
• Returns a 400-error response to the caller
• This reduces unnecessary calls to the backend
• Checks:
• The required request parameters in the URI, query string, and headers of an
incoming request are included and non-blank
• The applicable request payload adheres to the configured JSON Schema request
model of the method
REST API – Request Validation – OpenAPI
• Setup request validation by importing OpenAPI definitions file
Caching API responses
• Caching reduces the number of calls made to
the backend
• Default TTL (time to live) is 300 seconds
(min: 0s, max: 3600s)
• Caches are defined per stage
• Possible to override cache settings per
method
• Cache encryption option
• Cache capacity between 0.5GB to 237GB
• Cache is expensive, makes sense in
production, may not make sense in dev / test
API Gateway Cache Invalidation
• Able to flush the entire cache
(invalidate it) immediately
• Clients can invalidate the
cache with header: Cache-
Control: max-age=0 (with
proper IAM authorization)
• If you don't impose an
InvalidateCache policy (or
choose the Require
authorization check box in
the console), any client can
invalidate the API cache
API Gateway – Usage Plans & API Keys
• If you want to make an API available as an offering ($) to your customers
• Usage Plan:
• who can access one or more deployed API stages and methods
• how much and how fast they can access them
• uses API keys to identify API clients and meter access
• configure throttling limits and quota limits that are enforced on individual client
• API Keys:
• alphanumeric string values to distribute to your customers
• Ex: WBjHxNtoAb4WPKBC7cGm64CBibIb24b4jt8jJHo9
• Can use with usage plans to control access
• Throttling limits are applied to the API keys
• Quota limits are the overall maximum number of requests (per day, week, or month)
• API keys identify and meter clients; they are not an authentication mechanism. Pair them with IAM, Cognito, or a Lambda authorizer for access control.
API Gateway – Correct Order for API keys
• To configure a usage plan
1. Create one or more APIs, configure the methods to require an API key,
and deploy the APIs to stages.
2. Generate or import API keys to distribute to application developers
(your customers) who will be using your API.
3. Create the usage plan with the desired throttle and quota limits.
4. Associate API stages and API keys with the usage plan.
• Callers of the API must supply an assigned API key in the x-api-key
header in requests to the API.
API Gateway – Logging & Tracing
• CloudWatch Logs
• Log contains information about request/response body
• Enable CloudWatch logging at the Stage level (with Log Level - ERROR, DEBUG, INFO)
• Can override settings on a per API basis
• X-Ray
• Enable tracing to get extra information about requests in API Gateway
• X-Ray API Gateway + AWS Lambda gives you the full picture
API Gateway – CloudWatch Metrics
• Metrics are per stage; detailed (per-method) metrics can be enabled
• CacheHitCount & CacheMissCount: efficiency of the cache
• Count: The total number of API requests in a given period.
• IntegrationLatency: The time between when API Gateway relays a
request to the backend and when it receives a response from the
backend.
• Latency: The time between when API Gateway receives a request from a
client and when it returns a response to the client. The latency includes
the integration latency and other API Gateway overhead.
• 4XXError (client-side) & 5XXError (server-side)
API Gateway Throttling
• Account Limit
• API Gateway throttles requests at 10,000 rps across all API
• Soft limit that can be increased upon request
• In case of throttling => 429 Too Many Requests (retriable error)
• Can set Stage limit & Method limits to improve performance
• Or you can define Usage Plans to throttle per customer
• Just like Lambda Concurrency, one API that is overloaded, if not limited,
can cause the other APIs to be throttled
API Gateway - Errors
• 4xx means Client errors
• 400: Bad Request
• 403: Access Denied, WAF filtered
• 429: Quota exceeded, Throttle
• 5xx means Server errors
• 502: Bad Gateway Exception, usually for an incompatible output
returned from a Lambda proxy integration backend and occasionally
for out-of-order invocations due to heavy loads.
• 503: Service Unavailable Exception
• 504: Integration Failure – ex Endpoint Request Timed-out Exception
• API Gateway requests time out after 29 seconds by default (the integration timeout can be raised above 29 seconds on request for Regional and private REST APIs)
AWS API Gateway - CORS
• CORS must be enabled when you receive API calls from another domain.
• The response to the OPTIONS pre-flight request must contain the following headers:
• Access-Control-Allow-Methods
• Access-Control-Allow-Headers
• Access-Control-Allow-Origin
• CORS can be enabled through the console
CORS – Enabled on the API Gateway
API Gateway – Security
IAM Permissions
• Create an IAM policy authorization and attach to User / Role
• Authentication = IAM | Authorization = IAM Policy
• Good to provide access within AWS (EC2, Lambda, IAM users…)
• Requests are signed with Signature Version 4 (SigV4): the access key ID and the signature travel in the Authorization header; the secret access key never leaves the client
API Gateway – Resource Policies
• Resource policies (similar
to Lambda Resource
Policy)
• Allow for Cross Account
Access (combined with
IAM Security)
• Allow for a specific source
IP address
• Allow for a VPC Endpoint
API Gateway – Security Cognito
User Pools
• Cognito fully manages user lifecycle, token expires automatically
• API gateway verifies identity automatically from AWS Cognito
• No custom implementation required
• Authentication = Cognito User Pools | Authorization = API Gateway Methods
API Gateway – Security Lambda Authorizer
(formerly Custom Authorizers)
• Token-based authorizer (bearer token) – ex JWT (JSON Web Token) or OAuth
• A request parameter-based Lambda authorizer (headers, query string, stage var)
• Lambda must return an IAM policy for the user; the result is cached (per token or per parameter set) for the authorizer’s TTL, so the policy should cover every method that caller may invoke during that window
• Authentication = External | Authorization = Lambda function
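A token-based Lambda authorizer, as an added example that is not part of the original deck. It verifies a bearer token, rejects tampered or expired tokens with the literal "Unauthorized" error that API Gateway maps to a 401, and returns an IAM policy scoped to the stage so that the cached result covers the methods that caller may legitimately invoke. The token format (base64url payload plus HMAC-SHA256 over a shared secret), the `SECRET` value and the `SCOPE_TO_METHODS` mapping are assumptions standing in for real JWT verification against your identity provider's keys.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

SECRET = b"demo-shared-secret"   # assumption: replace with JWKS/KMS-backed verification

# assumption: which API methods each scope may call, relative to the stage
SCOPE_TO_METHODS = {
    "orders:read": ["GET/orders", "GET/orders/*"],
    "orders:write": ["POST/orders", "DELETE/orders/*"],
}


def b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(sub, scopes, ttl_s=300, now=None):
    """Mint a demo token: base64url(JSON payload).base64url(HMAC-SHA256)."""
    exp = int((now or time.time()) + ttl_s)
    payload = json.dumps({"sub": sub, "scopes": scopes, "exp": exp}).encode()
    return b64(payload) + "." + b64(hmac.new(SECRET, payload, hashlib.sha256).digest())


def verify_token(token, now=None):
    """Return the claims, or None if the token is malformed, forged or expired."""
    try:
        p, s = token.split(".")
        payload, sig = unb64(p), unb64(s)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):      # constant-time comparison
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) < (now or time.time()):
        return None
    return claims


def stage_prefix(method_arn):
    """arn:...:api-id/stage/VERB/resource  ->  arn:...:api-id/stage"""
    base, path = method_arn.split("/", 1)
    return f"{base}/{path.split('/')[0]}"


def handler(event, context=None, now=None):
    auth = event.get("authorizationToken", "")
    if not auth.startswith("Bearer "):
        raise Exception("Unauthorized")          # API Gateway turns this into HTTP 401
    claims = verify_token(auth[len("Bearer "):], now=now)
    if claims is None:
        raise Exception("Unauthorized")
    prefix = stage_prefix(event["methodArn"])
    allowed = [f"{prefix}/{m}"
               for scope in claims.get("scopes", []) for m in SCOPE_TO_METHODS.get(scope, [])]
    if allowed:
        statement = {"Action": "execute-api:Invoke", "Effect": "Allow", "Resource": allowed}
    else:
        statement = {"Action": "execute-api:Invoke", "Effect": "Deny", "Resource": f"{prefix}/*"}
    return {
        "principalId": claims["sub"],
        "policyDocument": {"Version": "2012-10-17", "Statement": [statement]},
        # context values must be strings; API Gateway forwards them to the integration
        "context": {"scopes": " ".join(claims.get("scopes", []))},
    }
```

Returning a policy for a single method ARN is a common mistake: with caching enabled, that policy is reused for the same token on every other method and produces spurious 403s until the TTL expires.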
API Gateway – Security – Summary
• IAM:
• Great for users / roles already within your AWS account, + resource policy for cross account
• Handle authentication + authorization
• Leverages Signature v4
• Custom Authorizer:
• Great for 3rd party tokens
• Very flexible in terms of what IAM policy is returned
• Handle Authentication verification + Authorization in the Lambda function
• Pay per Lambda invocation, results are cached
• Cognito User Pool:
• You manage your own user pool (can be backed by Facebook, Google login etc…)
• No need to write any custom code
• Must implement authorization in the backend
Exercise
Build API Gateway with
Lambda Integration connect
DynamoDB
Section 14
• AWS Serverless: SAM - Serverless Application Model
• Cloud Development Kit (CDK)
• Cognito: Cognito User Pools, Cognito Identity Pools & Cognito Sync
• Other Serverless: Step Functions & AppSync
AWS Serverless Application Model
(SAM)
Taking your Serverless Development to the next level
AWS SAM
• SAM = Serverless Application Model
• Framework for developing and deploying serverless applications
• All the configuration is YAML code
• Generates complex CloudFormation from a simple SAM YAML file
• Supports anything from CloudFormation: Outputs, Mappings, Parameters, Resources…
• SAM can use CodeDeploy to deploy Lambda functions (gradual traffic shifting, automatic rollback)
• SAM can help you run Lambda, API Gateway and DynamoDB locally
AWS SAM – Recipe
• Transform header indicates it is a SAM template:
• Transform: 'AWS::Serverless-2016-10-31'
• Write code using the SAM resource types:
• AWS::Serverless::Function
• AWS::Serverless::Api
• AWS::Serverless::SimpleTable
• Package & deploy: sam deploy (optionally preceded by sam package)
• Quickly sync local changes to AWS Lambda (SAM Accelerate): sam sync --watch
Deep Dive into SAM Deployment
SAM Accelerate (sam sync)
• SAM Accelerate is a set of features to reduce latency while deploying resources to AWS
• sam sync
• Synchronizes your project declared in SAM templates to AWS
• Synchronizes code changes to AWS without updating infrastructure (uses the service APIs directly and bypasses CloudFormation)
• Intended for development environments: code pushed this way is not recorded by the CloudFormation stack, so the deployed function drifts from the template until the next full deploy
SAM Accelerate (sam sync) – Examples
• sam sync (no options)
• Synchronize code and infrastructure
• sam sync --code
• Synchronize code changes without updating infrastructure (bypasses CloudFormation, updates in seconds)
• sam sync --code --resource AWS::Serverless::Function
• Synchronize only the Lambda functions and their dependencies
• sam sync --code --resource-id HelloWorldLambdaFunction
• Synchronize only a specific resource by its logical ID
• sam sync --watch
• Monitor for file changes and automatically synchronize when changes are detected
• If the changes include configuration, it behaves like sam sync
• If the changes are code only, it behaves like sam sync --code
SAM – CLI Debugging
• Locally build, test, and debug your serverless applications that are defined using AWS SAM templates
• Provides a Lambda-like execution environment locally
• SAM CLI + AWS Toolkits => step-through debugging of your code
• Supported IDEs: AWS Cloud9, Visual Studio Code, JetBrains (PyCharm, IntelliJ), …
• AWS Toolkits: IDE plugins that allow you to build, test, debug, deploy, and invoke Lambda functions built using AWS SAM
SAM Policy Templates
• List of templates to apply permissions to your Lambda functions
• Full list available here: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-policy-templates.html#serverless-policy-template-table
• Important examples:
• S3ReadPolicy: gives read-only permissions to objects in a given S3 bucket
• SQSPollerPolicy: allows polling (receive and delete messages) on a given SQS queue
• DynamoDBCrudPolicy: create, read, update and delete items in a given DynamoDB table
• Each template is scoped to the resource you name (bucket, queue, table), which is the least-privilege alternative to attaching a broad managed policy
SAM and CodeDeploy
• The SAM framework natively uses CodeDeploy to update Lambda functions
• Traffic shifting feature
• Pre- and post-traffic hooks to validate the deployment (before the traffic shift starts and after it ends)
• Easy & automated rollback using CloudWatch Alarms
SAM and CodeDeploy
• AutoPublishAlias
• Detects when new code is being deployed
• Creates and publishes an updated version of that function with the latest code
• Points the alias to the updated version of the Lambda function
• DeploymentPreference
• Canary, Linear, AllAtOnce
• Alarms
• Alarms that can trigger a rollback
• Hooks
• Pre- and post-traffic-shifting Lambda functions to test your deployment
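A SAM template that ties the Recipe, Policy Templates and CodeDeploy slides above together, added here as an illustration and not taken from the course. It assumes a Lambda handler in src/app.py, a pre-traffic hook in hooks/pre_traffic.py, and an existing Cognito User Pool whose ARN is passed as the UserPoolArn parameter; all resource names are placeholders.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: Added example - Cognito-protected orders API with a canary Lambda rollout

Parameters:
  UserPoolArn:
    Type: String
    Description: ARN of an existing Cognito User Pool (assumed to exist)

Resources:
  OrdersTable:
    Type: AWS::Serverless::SimpleTable
    Properties:
      PrimaryKey:
        Name: orderId
        Type: String

  OrdersApi:
    Type: AWS::Serverless::Api
    Properties:
      StageName: prod
      Auth:
        DefaultAuthorizer: CognitoAuthorizer   # every method requires a valid user pool token
        Authorizers:
          CognitoAuthorizer:
            UserPoolArn: !Ref UserPoolArn

  OrdersFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: src/                            # assumed: src/app.py exposing handler(event, context)
      Handler: app.handler
      Runtime: python3.12
      Timeout: 10
      Policies:
        - DynamoDBCrudPolicy:                  # SAM policy template: CRUD on this one table only
            TableName: !Ref OrdersTable
      Environment:
        Variables:
          TABLE_NAME: !Ref OrdersTable
      Events:
        GetOrders:
          Type: Api
          Properties:
            RestApiId: !Ref OrdersApi
            Path: /orders
            Method: get
      AutoPublishAlias: live                   # new version on each deploy, alias "live" repointed
      DeploymentPreference:
        Type: Canary10Percent5Minutes          # 10% of traffic for 5 minutes, then 100%
        Alarms:
          - !Ref OrdersErrorAlarm              # CodeDeploy rolls back if this alarm fires during the shift
        Hooks:
          PreTraffic: !Ref PreTrafficHook      # runs before any traffic reaches the new version

  OrdersErrorAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmDescription: Errors on the live alias during a deployment
      Namespace: AWS/Lambda
      MetricName: Errors
      Dimensions:
        - Name: FunctionName
          Value: !Ref OrdersFunction
        - Name: Resource
          Value: !Sub '${OrdersFunction}:live'
      Statistic: Sum
      Period: 60
      EvaluationPeriods: 1
      Threshold: 1
      ComparisonOperator: GreaterThanOrEqualToThreshold

  PreTrafficHook:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: CodeDeployHook_preTrafficOrders   # the CodeDeploy role SAM creates may only invoke CodeDeployHook_* functions
      CodeUri: hooks/                                 # assumed: hooks/pre_traffic.py that invokes NEW_VERSION and reports back
      Handler: pre_traffic.handler
      Runtime: python3.12
      DeploymentPreference:
        Enabled: false                                # do not canary the hook itself
      Environment:
        Variables:
          NEW_VERSION: !Ref OrdersFunction.Version
      Policies:
        - Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action: codedeploy:PutLifecycleEventHookExecutionStatus
              Resource: !Sub 'arn:${AWS::Partition}:codedeploy:${AWS::Region}:${AWS::AccountId}:deploymentgroup:${ServerlessDeploymentApplication}/*'
            - Effect: Allow
              Action: lambda:InvokeFunction
              Resource: !Ref OrdersFunction.Version

Outputs:
  ApiUrl:
    Value: !Sub 'https://${OrdersApi}.execute-api.${AWS::Region}.amazonaws.com/prod/orders'
```

The hook must call PutLifecycleEventHookExecutionStatus with Succeeded or Failed; a Failed status, or the alarm entering ALARM while 10% of traffic is on the new version, makes CodeDeploy move the alias back to the previous version.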
SAM – Local Capabilities
• Locally start AWS Lambda
• sam local start-lambda
• Starts a local endpoint that emulates AWS Lambda
• Can run automated tests against this local endpoint
• Locally invoke a Lambda function
• sam local invoke
• Invokes the Lambda function with a payload once and quits after the invocation completes
• Helpful for generating test cases
• If the function makes API calls to AWS, make sure you are using the correct --profile option (the local run uses your own credentials, not the function's execution role)
SAM – Local Capabilities
• Locally Start an API Gateway Endpoint
• sam local start-api
• Starts a local HTTP server that hosts all your functions
• Changes to functions are automatically reloaded
• Generate AWS Events for Lambda Functions
• sam local generate-event
• Generate sample payloads for event sources
• S3, API Gateway, SNS, Kinesis, DynamoDB…
SAM – Multiple Environments
AWS Cloud Development Kit
AWS Cloud Development Kit (CDK)
• Define your cloud infrastructure using a familiar language:
• JavaScript/TypeScript, Python, Java, and .NET
• Contains high-level components called constructs
• The code is "compiled" into a CloudFormation template (JSON/YAML)
• You can therefore deploy infrastructure and application runtime code together
• Great for Lambda functions
• Great for Docker containers in ECS / EKS
CDK in a diagram
CDK vs SAM
• SAM:
• Serverless focused
• Write your template declaratively in JSON or YAML
• Great for quickly getting started with Lambda
• Leverages CloudFormation
• CDK:
• All AWS services
• Write infra in a programming language: JavaScript/TypeScript, Python, Java, and .NET
• Leverages CloudFormation
CDK + SAM
• You can use the SAM CLI to locally test your CDK apps
• You must first run cdk synth, then point SAM at the synthesized template, e.g. sam local invoke -t cdk.out/MyStack.template.json MyFunction (MyStack and MyFunction are placeholders)
CDK – Important Commands to know
CDK – Bootstrapping
• The process of provisioning resources for CDK before you can deploy CDK apps into an AWS environment
• AWS environment = account & region
• A CloudFormation stack called CDKToolkit is created and contains:
• S3 bucket – to store files (assets such as Lambda code and templates)
• IAM roles – to grant permissions to perform deployments
• You must run the following command for each new environment:
• cdk bootstrap aws://<aws_account>/<aws_region>
• Otherwise, you will get an error "Policy contains a statement with one or more invalid principal"
CDK – Testing
• To test CDK apps, use the CDK Assertions module combined with popular test frameworks such as Jest (JavaScript) or pytest (Python)
• Verify that the synthesized template has specific resources, rules, conditions, parameters…
• Two types of tests:
• Fine-grained assertions (common) – test specific aspects of the CloudFormation template (e.g., check that a resource has this property with this value)
• Snapshot tests – compare the synthesized CloudFormation template against a previously stored baseline template
• To import a template:
• Template.fromStack(MyStack): stack built in CDK
• Template.fromString(mystring): template built outside CDK
Amazon Cognito
Amazon Cognito
• Give users an identity to interact with our web or mobile application
• Cognito User Pools:
• Sign-in functionality for app users
• Integrate with API Gateway & Application Load Balancer
• Cognito Identity Pools (Federated Identities):
• Provide temporary AWS credentials to users so they can access AWS resources directly
• Integrate with Cognito User Pools as an identity provider
• Cognito vs IAM: "hundreds of users", "mobile users", "authenticate with SAML"
Cognito User Pools (CUP) – User Features
• Create a serverless database of users for your web & mobile apps
• Simple login: username (or email) / password combination
• Password reset
• Email & phone number verification
• Multi-factor authentication (MFA)
• Federated identities: users from Facebook, Google, SAML…
• Feature: block users if their credentials are compromised elsewhere (compromised credentials detection)
• Login sends back JSON Web Tokens (JWT): an ID token, an access token and a refresh token
Cognito User Pools (CUP) – Diagram
Cognito User Pools (CUP) - Integrations
• CUP integrates with API Gateway and Application Load Balancer
Cognito User Pools – Lambda Triggers
• CUP can invoke a Lambda function synchronously on these triggers:
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
Cognito User Pools – Hosted Authentication UI
• Cognito has a hosted authentication UI that you can add to your app to handle sign-up and sign-in workflows
• Using the hosted UI, you have a foundation for integration with social logins, OIDC or SAML
• Can customize with a custom logo and custom CSS
https://aws.amazon.com/blogs/aws/launch-amazon-cognito-user-pools-general-availability-app-integration-and-federation/
CUP – Hosted UI Custom Domain
• For custom domains, you must create an ACM certificate in us-east-1
• The custom domain must be defined in the “App Integration” section
Application Load Balancer – Cognito Auth.
ALB – Auth through Cognito User Pools
• Create a Cognito User Pool, app client and domain
• Make sure an ID token is returned (the app client must allow the openid scope)
• Add the social or corporate IdP if needed
• Several URL redirections are necessary
• Allow your Cognito User Pool domain on your IdP app's callback URL. For example:
• https://domainprefix.auth.region.amazoncognito.com/saml2/idpresponse
• https://user-pool-domain/oauth2/idpresponse
Cognito Identity Pools (Federated Identities)
• Get identities for "users" so they obtain temporary AWS credentials
• Your identity pool's identity sources can include:
• Public providers (Login with Amazon, Facebook, Google, Apple)
• Users in an Amazon Cognito user pool
• OpenID Connect providers & SAML identity providers
• Developer authenticated identities (custom login server)
• Cognito Identity Pools allow for unauthenticated (guest) access
• Users can then access AWS services directly or through API Gateway
• The IAM policies applied to the credentials are defined in Cognito (an authenticated role and an unauthenticated role, optionally selected per user through rule-based role mapping)
• They can be customized with IAM policy variables based on the identity ID for fine-grained control
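An IAM policy for an identity pool's authenticated role that uses policy variables for the fine-grained control mentioned above, added here as an illustration and not taken from the course. It assumes a DynamoDB table UserNotes whose partition key holds the Cognito identity ID and an S3 bucket app-user-files laid out as private/<identity-id>/...; the table, bucket, account and region are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OwnDynamoDBItemsOnly",
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:Query",
        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
        "dynamodb:DeleteItem"
      ],
      "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/UserNotes",
      "Condition": {
        "ForAllValues:StringEquals": {
          "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"]
        }
      }
    },
    {
      "Sid": "OwnS3PrefixOnly",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::app-user-files/private/${cognito-identity.amazonaws.com:sub}/*"
    },
    {
      "Sid": "ListOwnS3PrefixOnly",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::app-user-files",
      "Condition": {
        "StringLike": {
          "s3:prefix": ["private/${cognito-identity.amazonaws.com:sub}/*"]
        }
      }
    }
  ]
}
```

`${cognito-identity.amazonaws.com:sub}` resolves to the identity pool's identity ID (the value returned by GetId), not the user pool's `sub` claim, so the application must key its data on that ID. The same variable can also be used in the unauthenticated role, but guest identities should normally get only the minimum the app needs for anonymous use.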
Cognito Identity Pools – Diagram
Cognito Identity Pools – Diagram with CUP
Cognito User Pools vs Identity Pools
• Cognito User Pools (for authentication = identity verification)
• Database of users for your web and mobile application
• Allows federating logins through public social, OIDC, SAML…
• Can customize the hosted UI for authentication (including the logo)
• Has triggers with AWS Lambda during the authentication flow
• Adapt the sign-in experience to different risk levels (MFA, adaptive authentication, etc.)
• Cognito Identity Pools (for authorization = access control)
• Obtain AWS credentials for your users
• Users can log in through public social, OIDC, SAML & Cognito User Pools
• Users can be unauthenticated (guests)
• Users are mapped to IAM roles & policies, which can leverage policy variables
• CUP + CIP = authentication + authorization
Other Serverless
AWS Step Functions
• Model your workflows as state machines (one per workflow)
• Order fulfillment, data processing
• Web applications, any workflow
• Written in JSON (Amazon States Language)
• Visualization of the workflow and of its executions, as well as the execution history
• Start a workflow with an SDK call, API Gateway, or EventBridge (CloudWatch Events)
Step Functions – Task States
• Do some work in your state machine
• Invoke one AWS service
• Can invoke a Lambda function
• Run an AWS Batch job
• Run an ECS task and wait for it to complete
• Put or get an item in DynamoDB
• Publish a message to SNS or SQS
• Launch another Step Functions workflow…
• Run an Activity
• On EC2, Amazon ECS, on-premises…
• Activities poll Step Functions for work
• Activities send results back to Step Functions
Example – Invoke Lambda Function
Step Functions – States
• Choice State – test for a condition to send to a branch (or default branch)
• Fail or Succeed State – stop execution with failure or success
• Pass State – simply pass its input to its output or inject some fixed data, without performing work
• Wait State – provide a delay for a certain amount of time or until a specified time/date
• Map State – dynamically iterate steps over the items of an array
• Parallel State – begin parallel branches of execution
Visual workflow in Step Functions
Error Handling in Step Functions
• Any state can encounter runtime errors for various reasons:
• State machine definition issues (for example, no matching rule in a Choice state)
• Task failures (for example, an exception in a Lambda function)
• Transient issues (for example, network partition events)
• Use Retry (to retry the failed state) and Catch (to transition to a failure path) in the state machine to handle the errors instead of inside the application code
• Predefined error codes:
• States.ALL: matches any error name
• States.Timeout: task ran longer than TimeoutSeconds or no heartbeat was received
• States.TaskFailed: execution failure
• States.Permissions: insufficient privileges to execute the code
• A state may also report its own errors (e.g., the exception name thrown by a Lambda function)
Step Functions – Retry (Task or Parallel State)
• Evaluated from top to bottom
• ErrorEquals: match a specific kind of error
• IntervalSeconds: initial delay before retrying
• BackoffRate: multiplies the delay after each retry
• MaxAttempts: defaults to 3, set to 0 to never retry
• When max attempts are reached, the Catch kicks in
Step Functions – Catch (Task or Parallel State)
• Evaluated from top to bottom
• ErrorEquals: match a specific kind of error
• Next: state to send to
• ResultPath: a path that determines what input is sent to the state specified in the Next field
Step Function – ResultPath
• Include the error in the input
Step Functions – Wait for Task Token
• Allows you to pause Step Functions during a Task until a Task Token is returned
• The task might wait for other AWS services, human approval, 3rd-party integration, calls to legacy systems…
• Append .waitForTaskToken to the Resource field to tell Step Functions to wait for the Task Token to be returned
• The task pauses until it receives that Task Token back with a SendTaskSuccess or SendTaskFailure API call
• Treat the token as a capability: whoever holds it (and has states:SendTaskSuccess permission) can complete the task, so pass it only to the system that is meant to answer
Step Functions – Wait for Task Token
Step Functions – Activity Tasks
• Enables you to have the Task work performed by an Activity Worker
• Activity Worker apps can run on EC2, Lambda, mobile devices…
• The Activity Worker polls for a Task using the GetActivityTask API
• After the Activity Worker completes its work, it sends a response with its success/failure using SendTaskSuccess or SendTaskFailure
• To keep the Task active:
• Configure how long a task can wait by setting TimeoutSeconds
• Periodically send a heartbeat from your Activity Worker using SendTaskHeartbeat within the time you set in HeartbeatSeconds
• By configuring a long TimeoutSeconds and actively sending heartbeats, an Activity Task can wait up to 1 year
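The worker side of the activity protocol above (GetActivityTask, SendTaskHeartbeat within HeartbeatSeconds, then SendTaskSuccess or SendTaskFailure with the task token), as an added example that is not part of the course. FakeStepFunctions is a constructed stand-in for boto3.client("stepfunctions") that records the calls so the block runs offline; the real client exposes the same method names and keyword arguments. The activity ARN and the order payloads are placeholders.

```python
"""Step Functions activity worker (added example, not course code).

Assumptions: FakeStepFunctions mimics the boto3 "stepfunctions" client methods used here;
the activity ARN and task inputs are constructed placeholders."""
import json
import threading
import time


class ActivityWorker:
    def __init__(self, client, activity_arn, heartbeat_seconds, worker_name="worker-1"):
        self.client = client
        self.activity_arn = activity_arn
        self.heartbeat_seconds = heartbeat_seconds   # must match HeartbeatSeconds on the Task state
        self.worker_name = worker_name

    def run_once(self, do_work):
        """Poll for one task; return 'SUCCEEDED', 'FAILED', or None when the poll returned no work."""
        task = self.client.get_activity_task(activityArn=self.activity_arn, workerName=self.worker_name)
        token = task.get("taskToken")
        if not token:                                # empty token: the 60 s long poll expired, poll again
            return None
        stop = threading.Event()
        beat = threading.Thread(target=self._heartbeat, args=(token, stop), daemon=True)
        beat.start()
        try:
            result = do_work(json.loads(task["input"]))
        except Exception as exc:
            stop.set()
            beat.join()
            # error/cause become the error name and cause that Retry/Catch match on
            self.client.send_task_failure(taskToken=token, error=type(exc).__name__, cause=str(exc))
            return "FAILED"
        stop.set()
        beat.join()
        self.client.send_task_success(taskToken=token, output=json.dumps(result))
        return "SUCCEEDED"

    def _heartbeat(self, token, stop):
        # Beat at half the configured interval so one slow beat never lets States.Timeout fire.
        while not stop.wait(self.heartbeat_seconds / 2):
            self.client.send_task_heartbeat(taskToken=token)


class FakeStepFunctions:
    """Constructed stand-in that records the calls a real Step Functions client would receive."""

    def __init__(self, tasks):
        self.tasks = list(tasks)   # each: {"taskToken": str, "input": JSON string}
        self.calls = []

    def get_activity_task(self, activityArn, workerName):
        self.calls.append(("get", activityArn, workerName))
        return self.tasks.pop(0) if self.tasks else {"taskToken": ""}

    def send_task_heartbeat(self, taskToken):
        self.calls.append(("heartbeat", taskToken))

    def send_task_success(self, taskToken, output):
        self.calls.append(("success", taskToken, output))

    def send_task_failure(self, taskToken, error, cause):
        self.calls.append(("failure", taskToken, error, cause))


def demo():
    """Run one successful task, one failing task and one empty poll; return outcomes and recorded calls."""
    client = FakeStepFunctions([
        {"taskToken": "tok-1", "input": json.dumps({"orderId": "o-1", "amount": 42})},
        {"taskToken": "tok-2", "input": json.dumps({"orderId": "o-2", "amount": -1})},
    ])
    worker = ActivityWorker(client, "arn:aws:states:us-east-1:123456789012:activity:charge",
                            heartbeat_seconds=0.2)

    def charge(order):
        if order["amount"] <= 0:
            raise ValueError("amount must be positive")
        time.sleep(0.5)                              # long enough to need several heartbeats
        return {"orderId": order["orderId"], "charged": order["amount"]}

    outcomes = [worker.run_once(charge), worker.run_once(charge), worker.run_once(charge)]
    return outcomes, client.calls
```

A production worker loops on run_once forever and needs states:GetActivityTask, states:SendTaskHeartbeat, states:SendTaskSuccess and states:SendTaskFailure on the activity; the heartbeat thread is what keeps a long-running task from being failed with States.Timeout.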
Step Functions – Standard vs. Express
AWS AppSync – Overview
• AppSync is a managed service that uses GraphQL
• GraphQL makes it easy for applications to get exactly the data they need
• This includes combining data from one or more sources
• NoSQL data stores, relational databases, HTTP APIs…
• Integrates with DynamoDB, Aurora, OpenSearch & others
• Custom sources with AWS Lambda
• Retrieve data in real time with WebSocket or MQTT over WebSocket
• For mobile apps: local data access & data synchronization
• It all starts with uploading one GraphQL schema
GraphQL Example
AppSync Diagram
AppSync – Security
• There are four ways you can authorize applications to interact with your AWS AppSync GraphQL API:
• API_KEY (expires, at most one year; suitable for public or read-only data, not for per-user access control)
• AWS_IAM: IAM users / roles / cross-account access
• OPENID_CONNECT: OpenID Connect provider / JSON Web Token
• AMAZON_COGNITO_USER_POOLS
• For custom domain & HTTPS, use CloudFront in front of AppSync
AWS Amplify
Create mobile and web applications
AWS Amplify
• Set of tools to get started with creating mobile and web applications
• "Elastic Beanstalk for mobile and web applications"
• Must-have features such as data storage, authentication, file storage, and machine learning, all powered by AWS services
• Front-end libraries with ready-to-use components for React.js, Vue, JavaScript, iOS, Android, Flutter, etc.
• Incorporates AWS best practices for reliability, security, scalability
• Build and deploy with the Amplify CLI or Amplify Studio
AWS Amplify – Important Features
AUTHENTICATION
• Leverages Amazon Cognito
• User registration, authentication, account recovery & other operations
• Supports MFA, social sign-in, etc.
• Pre-built UI components
• Fine-grained authorization
DATASTORE
• Leverages Amazon AppSync and Amazon DynamoDB
• Work with local data and have automatic synchronization to the cloud without complex code
• Powered by GraphQL
• Offline and real-time capabilities
• Visual data modeling with Amplify Studio
AWS Amplify Hosting
• Build and Host Modern Web Apps
• CICD (build, test, deploy)
• Pull Request Previews
• Custom Domains
• Monitoring
• Redirect and Custom Headers
• Password protection
AWS Amplify – End-to-End (E2E) Testing
• Run end-to-end (E2E) tests in the test phase in Amplify
• Catch regressions before pushing code to production
• Use the test step to run any test commands at build time (amplify.yml)
• Integrated with the Cypress testing framework
• Allows you to generate a UI report for your tests
Exercise
Create, build and Deploy a
Sample Hello World App
using AWS SAM
Section 15
• AWS CICD: CodeCommit, CodePipeline, CodeBuild, CodeDeploy
AWS CICD
CodeCommit, CodePipeline, CodeBuild, CodeDeploy, …
CICD – Introduction
• We have learned how to:
• Create AWS resources manually (fundamentals)
• Interact with AWS programmatically (AWS CLI)
• Deploy code to AWS using Elastic Beanstalk
• All these manual steps make it very likely for us to make mistakes!
• We would like our code "in a repository" and have it deployed onto AWS
• Automatically
• The right way
• Making sure it's tested before being deployed
• With the possibility to go through different stages (dev, test, staging, prod)
• With manual approval where needed
• To be a proper AWS developer… we need to learn AWS CICD
CICD – Introduction
• This section is all about automating the deployment we’ve done so far
while adding increased safety
• We’ll learn about:
• AWS CodeCommit – storing our code
• AWS CodePipeline – automating our pipeline from code to Elastic Beanstalk
• AWS CodeBuild – building and testing our code
• AWS CodeDeploy – deploying the code to EC2 instances (not Elastic Beanstalk)
• AWS CodeStar – manage software development activities in one place
• AWS CodeArtifact – store, publish, and share software packages
• AWS CodeGuru – automated code reviews using Machine Learning
Continuous Integration (CI)
• Developers push the code to a code
repository often (e.g., GitHub, CodeCommit,
Bitbucket…)
• A testing / build server checks the code as
soon as it’s pushed (CodeBuild, Jenkins CI, …)
• The developer gets feedback about the tests
and checks that have passed / failed
• Find bugs early, then fix bugs
• Deliver faster as the code is tested
• Deploy often
• Happier developers, as they’re unblocked
Continuous Delivery (CD)
• Ensures that the software can be released reliably whenever needed
• Ensures deployments happen often and are quick
• Shift away from “one release every 3 months” to ”5 releases a day”
• That usually means automated deployment (e.g., CodeDeploy, Jenkins
CD, Spinnaker, …)
AWS CodeCommit (closed to new customers as of July 25, 2024)
• Version control is the ability to understand the various changes that happened to the code over time (and possibly roll back)
• All of this is enabled by using a version control system such as Git
• A Git repository can be synchronized on your computer, but it usually is uploaded to a central online repository
• Benefits are:
• Collaborate with other developers
• Make sure the code is backed up somewhere
• Make sure it's fully viewable and auditable
AWS CodeCommit
• Hosting Git repositories can be expensive
• The industry includes GitHub, GitLab, Bitbucket, …
• And AWS CodeCommit:
• Private Git repositories
• No size limit on repositories (scale seamlessly)
• Fully managed, highly available
• Code stays in your AWS account => increased security and compliance
• Security (encrypted, access control, …)
• Integrated with Jenkins, AWS CodeBuild, and other CI tools
CodeCommit – Security
• Interactions are done using Git (standard)
• Authentication
• SSH keys – IAM users can upload their SSH public key in the IAM console
• HTTPS – with the AWS CLI credential helper (signs requests with your IAM credentials) or HTTPS Git credentials generated for an IAM user
• Authorization
• IAM policies to manage users'/roles' permissions to repositories
• Encryption
• Repositories are automatically encrypted at rest using AWS KMS
• Encrypted in transit (can only use HTTPS or SSH – both secure)
• Cross-account access
• Do NOT share your SSH keys or your AWS credentials
• Use an IAM role in your AWS account and have the other account use AWS STS (AssumeRole API)
CodeCommit vs. GitHub
AWS CodePipeline
• Visual workflow to orchestrate your CICD
• Source – CodeCommit, ECR, S3, Bitbucket, GitHub
• Build – CodeBuild, Jenkins, CloudBees, TeamCity
• Test – CodeBuild, AWS Device Farm, 3rd-party tools, …
• Deploy – CodeDeploy, Elastic Beanstalk, CloudFormation, ECS, S3, …
• Invoke – Lambda, Step Functions
• Consists of stages:
• Each stage can have sequential actions and/or parallel actions
• Example: Build -> Test -> Deploy -> Load Testing -> …
• Manual approval can be defined at any stage
Technology Stack for CICD
CodePipeline – Artifacts
• Each pipeline stage can create artifacts
• Artifacts stored in an S3 bucket and passed on to the next stage
CodePipeline – Troubleshooting
• For CodePipeline pipeline/action/stage execution state changes
• Use Amazon EventBridge (formerly CloudWatch Events). Examples:
• You can create events for failed pipelines
• You can create events for cancelled stages
• If CodePipeline fails a stage, your pipeline stops, and you can get information in the console
• If the pipeline can't perform an action, make sure the "IAM service role" attached has enough IAM permissions (IAM policy)
• AWS CloudTrail can be used to audit AWS API calls
AWS CodeBuild
• A fully managed continuous integration (CI) service
• Continuous scaling (no servers to manage or provision – no build queue)
• Compile source code, run tests, produce software packages, …
• Alternative to other build tools (e.g., Jenkins)
• Charged per minute for compute resources (time it takes to complete the builds)
• Leverages Docker under the hood for reproducible builds
• Use prepackaged Docker images or create your own custom Docker image
• Security:
• Integration with KMS for encryption of build artifacts
• IAM for CodeBuild permissions, and VPC for network security
• AWS CloudTrail for API call logging
AWS CodeBuild
• Source – CodeCommit, S3, Bitbucket, GitHub
• Build instructions: Code file buildspec.yml or insert manually in Console
• Output logs can be stored in Amazon S3 & CloudWatch Logs
• Use CloudWatch Metrics to monitor build statistics
• Use EventBridge to detect failed builds and trigger notifications
• Use CloudWatch Alarms to notify if you need “thresholds” for failures
• Build Projects can be defined within CodePipeline or CodeBuild
CodeBuild – Supported Environments
• Java
• Ruby
• Python
• Go
• Node.js
• Android
• .NET Core
• PHP
• Docker – extend any environment you like
CodeBuild – How it Works
CodeBuild – buildspec.yml
• The buildspec.yml file must be at the root of your code
• env – define environment variables
• variables – plaintext variables (visible in the project definition to anyone who can read it; never put secrets here)
• parameter-store – variables stored in SSM Parameter Store
• secrets-manager – variables stored in AWS Secrets Manager (the build's service role needs permission to read them)
• phases – specify commands to run:
• install – install dependencies you may need for your build
• pre_build – final commands to execute before the build
• build – actual build commands
• post_build – finishing touches (e.g., zip output)
• artifacts – what to upload to S3 (encrypted with KMS)
• cache – files to cache (usually dependencies) to S3 for future build speedup
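A buildspec.yml putting the sections above together for a Python SAM project, added here as an illustration and not taken from the course. It assumes a requirements.txt and requirements-dev.txt (the latter providing pytest and pip-audit), an ARTIFACT_BUCKET environment variable set on the CodeBuild project, and the SSM parameter and Secrets Manager secret names shown; all of these are placeholders.

```yaml
version: 0.2

env:
  variables:
    APP_ENV: prod                            # plaintext: fine for non-secrets only
  parameter-store:
    DB_HOST: /myapp/prod/db/host             # assumed SSM parameter; role needs ssm:GetParameters (+ kms:Decrypt for SecureString)
  secrets-manager:
    DB_PASSWORD: myapp/prod/db:password      # assumed secret, format secret-id:json-key; role needs secretsmanager:GetSecretValue
  # The resolved values are injected at build start but are NOT scrubbed from your own output:
  # anything a command prints still lands in CloudWatch Logs, so never echo DB_PASSWORD.

phases:
  install:
    runtime-versions:
      python: 3.12
    commands:
      - pip install --upgrade pip
      - pip install -r requirements.txt -r requirements-dev.txt
  pre_build:
    commands:
      - python -m pytest -q tests/
      - pip-audit -r requirements.txt        # fail the build on known-vulnerable dependencies
  build:
    commands:
      - sam build
      - sam package --s3-bucket "$ARTIFACT_BUCKET" --output-template-file packaged.yaml
  post_build:
    commands:
      - echo "Build completed on $(date) for $APP_ENV"

artifacts:
  files:
    - packaged.yaml                          # handed to the next pipeline stage (S3, KMS-encrypted)

cache:
  paths:
    - /root/.cache/pip/**/*                  # reuse downloaded wheels across builds
```

A failing command in any phase stops the build and, when CodeBuild runs inside CodePipeline, fails that stage, so the tests and the dependency audit in pre_build gate everything that follows.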
AWS CodeDeploy
• Deployment service that automates application deployment
• Deploy new application versions to EC2 instances, on-premises servers, Lambda functions, ECS services
• Automated rollback capability in case of failed deployments, or when a CloudWatch Alarm is triggered
• Gradual deployment control
• A file named appspec.yml defines how the deployment happens
CodeDeploy – EC2/On-premises Platform
• Can deploy to EC2 instances & on-premises servers
• Perform in-place deployments or blue/green deployments
• Must run the CodeDeploy Agent on the target instances
• Define deployment speed
• AllAtOnce: deploys to all instances at the same time, most downtime but fastest
• HalfAtATime: deploys to half of the instances at a time, reduces capacity by 50%
• OneAtATime: deploys to one instance at a time, slowest but least impact on capacity
• Custom: define a custom percentage of instances to deploy to at a time
CodeDeploy – In -Place Deployment
CodeDeploy – Blue-Green Deployment
CodeDeploy Agent
• The CodeDeploy Agent must be running on the EC2 instances as a prerequisite
• It can be installed and updated automatically if you're using Systems Manager
• The EC2 instances must have sufficient permissions (instance profile) to access Amazon S3 to get deployment bundles
CodeDeploy – Lambda Platform
• CodeDeploy can help you automate traffic shifting for Lambda aliases
• Feature is integrated within the SAM framework
• Linear: grow traffic every N minutes until 100%
• LambdaLinear10PercentEvery3Minutes
• LambdaLinear10PercentEvery10Minutes
• Canary: try X percent then 100%
• LambdaCanary10Percent5Minutes
• LambdaCanary10Percent30Minutes
• AllAtOnce: immediate
CodeDeploy – ECS Platform
• CodeDeploy can help you automate the deployment of a new ECS task definition
• Only blue/green deployments
• Linear: grow traffic every N minutes until 100%
• ECSLinear10PercentEvery3Minutes
• ECSLinear10PercentEvery10Minutes
• Canary: try X percent then 100%
• ECSCanary10Percent5Minutes
• ECSCanary10Percent30Minutes
• AllAtOnce: immediate
CodeDeploy – Deployment to EC2
• Define how to deploy the application using appspec.yml + a deployment strategy
• Will do an in-place update to your fleet of EC2 instances
• Can use hooks to verify the deployment after each deployment phase
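An appspec.yml for the EC2/on-premises platform showing the file mapping, permissions and lifecycle hooks described above, added here as an illustration and not taken from the course. It assumes the revision bundle ships a scripts/ directory with the named shell scripts, an install path of /opt/orders-api, and an unprivileged orders service account on the instances; all of these are placeholders.

```yaml
version: 0.0
os: linux

files:
  - source: /                          # everything in the revision bundle ...
    destination: /opt/orders-api       # ... is copied here (assumed install path)

permissions:
  - object: /opt/orders-api
    owner: orders                      # assumed unprivileged service account
    group: orders
    mode: 750
    type:
      - directory
      - file

hooks:
  ApplicationStop:                     # runs from the PREVIOUS revision's scripts
    - location: scripts/stop.sh
      timeout: 60
      runas: root
  BeforeInstall:
    - location: scripts/install_deps.sh
      timeout: 300
      runas: root
  AfterInstall:
    - location: scripts/configure.sh   # fetch config from SSM Parameter Store here; never bake secrets into the bundle
      timeout: 120
      runas: root
  ApplicationStart:
    - location: scripts/start.sh
      timeout: 60
      runas: orders                    # the service itself runs unprivileged
  ValidateService:
    - location: scripts/health_check.sh   # non-zero exit fails the deployment and triggers the automatic rollback
      timeout: 120
      runas: orders
```

Each hook script runs through the CodeDeploy Agent (as root unless runas is set), so the scripts are effectively privileged code pulled from S3: restrict who can publish revisions and keep the instance profile limited to reading the deployment bucket.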
CodeDeploy – Deploy to an ASG
• In-place deployment
• Updates existing EC2 instances
• EC2 instances newly created by the ASG will also get automated deployments
• Blue/green deployment
• A new Auto Scaling Group is created (settings are copied)
• Choose how long to keep the old EC2 instances (old ASG)
• Must be using an ELB
CodeDeploy – Redeploy & Rollbacks
• Rollback = redeploy a previously deployed revision of your application
• Deployments can be rolled back:
• Automatically – roll back when a deployment fails or when CloudWatch Alarm thresholds are met
• Manually
• Disable rollbacks – do not perform rollbacks for this deployment
• If a rollback happens, CodeDeploy redeploys the last known good revision as a new deployment (not a restored version)
AWS CodeStar
• An integrated solution that groups: GitHub, CodeCommit, CodeBuild, CodeDeploy, CloudFormation, CodePipeline, CloudWatch, …
• Quickly create "CICD-ready" projects for EC2, Lambda, Elastic Beanstalk
• Supported languages: C#, Go, HTML 5, Java, Node.js, PHP, Python, Ruby
• Issue tracking integration with JIRA / GitHub Issues
• Ability to integrate with Cloud9 to obtain a web IDE (not all regions)
• One dashboard to view all your components
• Free service, pay only for the underlying usage of other services
• Limited customization
AWS CodeArtifact
• Software packages depend on each other to be built (also called code dependencies), and new ones are created
• Storing and retrieving these dependencies is called artifact management
• Traditionally you need to set up your own artifact management system
• CodeArtifact is a secure, scalable, and cost-effective artifact management service for software development
• Works with common dependency management tools such as Maven, Gradle, npm, yarn, twine, pip, and NuGet
• Developers and CodeBuild can then retrieve dependencies straight from CodeArtifact
AWS CodeArtifact
CodeArtifact – EventBridge Integration
CodeArtifact – Resource Policy
• Can be used to authorize another account to access CodeArtifact
• A given principal can either read all the packages in a repository or none of them
Amazon CodeGuru
• An ML-powered service for automated code reviews and application performance recommendations
• Provides two functionalities
• CodeGuru Reviewer: automated code reviews for static code analysis (development)
• CodeGuru Profiler: visibility/recommendations about application performance during runtime (production)
Amazon CodeGuru Reviewer
• Identify critical issues, security vulnerabilities, and hard-to-find bugs
• Example: common coding best practices, resource leaks, security detection, input validation
• Uses Machine Learning and automated reasoning
• Hard-learned lessons across millions of code reviews on 1000s of open-source and Amazon repositories
• Supports Java and Python
• Integrates with GitHub, Bitbucket, and AWS CodeCommit
https://aws.amazon.com/codeguru/features/
Amazon CodeGuru Profiler
• Helps understand the runtime behavior of your application
• Example: identify if your application is consuming excessive CPU capacity on a logging routine
• Features:
• Identify and remove code inefficiencies
• Improve application performance (e.g., reduce CPU utilization)
• Decrease compute costs
• Provides heap summary (identify which objects are using up memory)
• Anomaly Detection
• Supports applications running on AWS or on-premises
• Minimal overhead on application
https://aws.amazon.com/codeguru/features/
Amazon CodeGuru – Agent Configuration
• MaxStackDepth – the maximum depth of the stacks in the code that is represented in the profile
• Example: if CodeGuru Profiler finds a method A, which calls method B, which calls method C, which calls method D, then the depth is 4
• If the MaxStackDepth is set to 2, then the profiler evaluates A and B
• MemoryUsageLimitPercent – the memory percentage used by the profiler
• MinimumTimeForReportingInMilliseconds – the minimum time between sending reports (milliseconds)
• ReportingIntervalInMilliseconds – the reporting interval used to report profiles (milliseconds)
• SamplingIntervalInMilliseconds – the sampling interval that is used to profile samples (milliseconds)
• Reduce it for a higher sampling rate
AWS Cloud9
• Cloud-based Integrated Development Environment (IDE)
• Code editor, debugger, terminal in a browser
• Work on your projects from anywhere with an Internet connection
• Prepackaged with essential tools for popular programming languages (JavaScript, Python, PHP, …)
• Share your development environment with your team (pair programming)
• Fully integrated with AWS SAM & Lambda to easily build serverless applications
https://aws.amazon.com/cloud9/
Exercise: A Step-by-Step Guide to Create a CI/CD Pipeline with AWS Services
Section 16
• Advanced Identity
• AWS Security & Encryption: KMS, Encryption SDK, SSM Parameter Store, IAM & STS
• AWS Other Services
Advanced Identity in AWS
AWS STS – Security Token Service
• Allows you to grant limited and temporary access to AWS resources (up to 1 hour).
• AssumeRole: assume roles within your account or cross-account
• AssumeRoleWithSAML: return credentials for users logged in with SAML
• AssumeRoleWithWebIdentity
• return credentials for users logged in with an IdP (Facebook Login, Google Login, OIDC compatible…)
• AWS recommends against using this directly, and using Cognito Identity Pools instead
• GetSessionToken: for MFA, from a user or AWS account root user
• GetFederationToken: obtain temporary credentials for a federated user
• GetCallerIdentity: return details about the IAM user or role used in the API call
• DecodeAuthorizationMessage: decode the error message when an AWS API call is denied
Using STS to Assume a Role
• Define an IAM Role within your account or cross-account
• Define which principals can access this IAM Role
• Use AWS STS (Security Token Service) to retrieve credentials and impersonate the IAM Role you have access to (AssumeRole API)
• Temporary credentials can be valid for between 15 minutes and 1 hour
Cross account access with STS
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_aws-accounts.html
STS with MFA
• Use GetSessionToken from STS
• Appropriate IAM policy using IAM Conditions
• aws:MultiFactorAuthPresent: true
• Reminder, GetSessionToken returns:
• Access Key ID
• Secret Key
• Session Token
• Expiration date
IAM Best Practices – General
• Never use Root Credentials, enable MFA for the Root Account
• Grant Least Privilege
• Each Group / User / Role should only have the minimum level of permission it needs
• Never grant a policy with “*” access to a service
• Monitor API calls made by a user in CloudTrail (especially Denied ones)
• Never ever ever store IAM key credentials on any machine but a personal computer or on-premises server
• On-premises server best practice is to call STS to obtain temporary security credentials
IAM Best Practices – IAM Roles
• EC2 machines should have their own roles
• Lambda functions should have their own roles
• ECS Tasks should have their own roles (ECS_ENABLE_TASK_IAM_ROLE=true)
• CodeBuild should have its own service role
• Create a least-privileged role for any service that requires it
• Create a role per application / lambda function (do not reuse roles)
IAM Best Practices – Cross Account Access
• Define an IAM Role for another account to access
• Define which accounts can access this IAM Role
• Use AWS STS (Security Token Service) to retrieve credentials and impersonate the IAM Role you have access to (AssumeRole API)
• Temporary credentials can be valid for between 15 minutes and 1 hour
Advanced IAM - Authorization Model Evaluation of Policies, simplified
1. If there’s an explicit DENY, end decision and DENY
2. If there’s an ALLOW, end decision with ALLOW
3. Else DENY
IAM Policies & S3 Bucket Policies
• IAM Policies are attached to users, roles, groups
• S3 Bucket Policies are attached to buckets
• When evaluating if an IAM Principal can perform an operation X on a bucket, the union of its assigned IAM Policies and S3 Bucket Policies will be evaluated.
Example 1
• IAM Role attached to EC2 instance, authorizes RW to “my_bucket”
• No S3 Bucket Policy attached
=> EC2 instance can read and write to “my_bucket”
Example 2
• IAM Role attached to EC2 instance, authorizes RW to “my_bucket”
• S3 Bucket Policy attached, explicit deny to the IAM Role
=> EC2 instance cannot read or write to “my_bucket”
Example 3
• IAM Role attached to EC2 instance, no S3 bucket permissions
• S3 Bucket Policy attached, explicit RW allow to the IAM Role
=> EC2 instance can read and write to “my_bucket”
Example 4
• IAM Role attached to EC2 instance, explicit deny S3 bucket permissions
• S3 Bucket Policy attached, explicit RW allow to the IAM Role
=> EC2 instance cannot read or write to “my_bucket”
Dynamic Policies with IAM
• How do you assign each user a /home/<user> folder in an S3 bucket?
• Option 1:
• Create an IAM policy allowing georges to have access to /home/georges
• Create an IAM policy allowing sarah to have access to /home/sarah
• Create an IAM policy allowing matt to have access to /home/matt
• … One policy per user!
• This doesn’t scale
• Option 2:
• Create one dynamic policy with IAM
• Leverage the special policy variable ${aws:username}
Dynamic Policy example
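Examples 1 to 4 above and the ${aws:username} dynamic policy, worked through in an added Python evaluator that is not part of the course slides or of AWS: it applies the simplified three-step rule (explicit Deny ends the decision, then any Allow, else Deny) over the union of identity policies and bucket policies. The ARNs, the policy helper and the evaluation function are constructed for this illustration; bucket-policy statements are matched on their Principal element, and no other condition keys are modelled.

```python
from fnmatch import fnmatchcase

# Constructed ARNs for the slides' scenario: an IAM role on an EC2 instance and my_bucket.
ROLE = "arn:aws:iam::111122223333:role/ec2-app-role"
BUCKET = "arn:aws:s3:::my_bucket"
OBJECTS = BUCKET + "/*"

def _listify(x):
    return x if isinstance(x, list) else [x]

def _applies(stmt, action, resource, ctx):
    """Does the statement cover this request? Bucket-policy statements must name
    the caller as Principal; ${aws:username} is expanded from the request context."""
    if "Principal" in stmt and ctx["principal"] not in _listify(stmt["Principal"]["AWS"]):
        return False
    if not any(fnmatchcase(action, a) for a in _listify(stmt["Action"])):
        return False
    resources = [r.replace("${aws:username}", ctx.get("aws:username", ""))
                 for r in _listify(stmt["Resource"])]
    return any(fnmatchcase(resource, r) for r in resources)

def is_allowed(action, resource, identity_policies, bucket_policies=(), ctx=None):
    """The slides' simplified rule over the union of identity and bucket policies."""
    ctx = {"principal": ROLE, **(ctx or {})}
    allowed = False
    for doc in [*identity_policies, *bucket_policies]:
        for stmt in doc["Statement"]:
            if not _applies(stmt, action, resource, ctx):
                continue
            if stmt["Effect"] == "Deny":
                return False      # 1. explicit DENY ends the decision
            allowed = True        # 2. an ALLOW was found
    return allowed                # 3. otherwise implicit DENY

def policy(effect, action, resource, principal=None):
    """Build a one-statement policy document (constructed for this example)."""
    stmt = {"Effect": effect, "Action": action, "Resource": resource}
    if principal:  # only bucket policies carry a Principal element
        stmt["Principal"] = {"AWS": principal}
    return {"Version": "2012-10-17", "Statement": [stmt]}

RW = ["s3:GetObject", "s3:PutObject"]
role_rw = policy("Allow", RW, OBJECTS)                         # IAM role: RW on my_bucket
role_deny = policy("Deny", "s3:*", OBJECTS)                    # IAM role: explicit deny
bucket_allow = policy("Allow", RW, OBJECTS, principal=ROLE)    # bucket policy: RW allow
bucket_deny = policy("Deny", "s3:*", OBJECTS, principal=ROLE)  # bucket policy: explicit deny

def slide_examples():
    """Examples 1-4 from the slides: may the EC2 instance write to my_bucket?"""
    req = ("s3:PutObject", BUCKET + "/report.csv")
    return {1: is_allowed(*req, [role_rw]),
            2: is_allowed(*req, [role_rw], [bucket_deny]),
            3: is_allowed(*req, [], [bucket_allow]),
            4: is_allowed(*req, [role_deny], [bucket_allow])}

# Option 2 from the slides: one dynamic policy using the ${aws:username} variable.
home_policy = policy("Allow", "s3:*", [BUCKET + "/home/${aws:username}",
                                       BUCKET + "/home/${aws:username}/*"])

def user_can_read(user, key):
    """Can IAM user `user` read object `key`? Only inside their own /home/<user> prefix."""
    return is_allowed("s3:GetObject", f"{BUCKET}/{key}", [home_policy],
                      ctx={"aws:username": user})
```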
Inline vs Managed Policies
• AWS Managed Policy
• Maintained by AWS
• Good for power users and administrators
• Updated in case of new services / new APIs
• Customer Managed Policy
• Best Practice, re-usable, can be applied to many principals
• Version Controlled + rollback, central change management
• Inline
• Strict one-to-one relationship between policy and principal
• Policy is deleted if you delete the IAM principal
What is Microsoft Active Directory (AD)?
• Found on any Windows Server with AD Domain Services
• Database of objects: User Accounts, Computers, Printers, File Shares, Security Groups
• Centralized security management, create account, assign permissions
• Objects are organized in trees
• A group of trees is a forest
AWS Directory Services
• AWS Managed Microsoft AD
• Create your own AD in AWS, manage users locally, supports MFA
• Establish “trust” connections with your on-premises AD
• AD Connector
• Directory Gateway (proxy) to redirect to on-premises AD, supports MFA
• Users are managed on the on-premises AD
• Simple AD
• AD-compatible managed directory on AWS
• Cannot be joined with on-premises AD
AWS Security & Encryption
KMS, Encryption SDK, SSM Parameter Store
Why encryption?
Encryption in flight (TLS / SSL)
• Data is encrypted before sending and decrypted after receiving
• TLS certificates help with encryption (HTTPS)
• Encryption in flight protects against man-in-the-middle (MITM) attacks
Why encryption?
Server-side encryption at rest
• Data is encrypted after being received by the server
• Data is decrypted before being sent
• It is stored in an encrypted form thanks to a key (usually a data key)
• The encryption / decryption keys must be managed somewhere, and the server must have access to it
Why encryption?
Client-side encryption
• Data is encrypted by the client and never decrypted by the server
• Data will be decrypted by a receiving client
• The server should not be able to decrypt the data
• Could leverage Envelope Encryption
AWS KMS (Key Management Service)
• Anytime you hear “encryption” for an AWS service, it’s most likely KMS
• AWS manages encryption keys for us
• Fully integrated with IAM for authorization
• Easy way to control access to your data
• Able to audit KMS Key usage using CloudTrail
• Seamlessly integrated into most AWS services (EBS, S3, RDS, SSM…)
• Never ever store your secrets in plaintext, especially in your code!
• KMS Key Encryption also available through API calls (SDK, CLI)
• Encrypted secrets can be stored in the code / environment variables
KMS Key Types
• KMS Key is the new name for KMS Customer Master Key (CMK)
• Symmetric (AES-256 keys)
• Single encryption key that is used to Encrypt and Decrypt
• AWS services that are integrated with KMS use Symmetric CMKs
• You never get access to the KMS Key unencrypted (must call KMS API to use)
• Asymmetric (RSA & ECC key pairs)
• Public (Encrypt) and Private Key (Decrypt) pair
• Used for Encrypt/Decrypt, or Sign/Verify operations
• The public key is downloadable, but you can’t access the Private Key unencrypted
• Use case: encryption outside of AWS by users who can’t call the KMS API
AWS KMS (Key Management Service)
• Types of KMS Keys:
• AWS Owned Keys (free): SSE-S3, SSE-SQS, SSE-DDB (default key)
• AWS Managed Key: free (aws/service-name, example: aws/rds or aws/ebs)
• Customer managed keys created in KMS: $1 / month
• Customer managed keys imported (must be symmetric key): $1 / month
• + pay for API call to KMS ($0.03 / 10000 calls)
• Automatic Key rotation:
• AWS-managed KMS Key: automatic every 1 year
• Customer-managed KMS Key: (must be enabled) automatic every 1 year
• Imported KMS Key: only manual rotation possible using alias
Copying Snapshots across regions
KMS ReEncrypt with KMS Key B
KMS Key Policies
• Control access to KMS keys, “similar” to S3 bucket policies
• Difference: you cannot control access without them
• Default KMS Key Policy:
• Created if you don’t provide a specific KMS Key Policy
• Complete access to the key to the root user = entire AWS account
• Custom KMS Key Policy:
• Define users, roles that can access the KMS key
• Define who can administer the key
• Useful for cross-account access of your KMS key
Copying Snapshots across accounts
1. Create a Snapshot, encrypted with your own KMS Key (Customer Managed Key)
2. Attach a KMS Key Policy to authorize cross-account access
3. Share the encrypted snapshot
4. (in target) Create a copy of the Snapshot, encrypt it with a CMK in your account
5. Create a volume from the snapshot
How does KMS work?
API – Encrypt and Decrypt
Envelope Encryption
• KMS Encrypt API call has a limit of 4 KB
• If you want to encrypt >4 KB, you need to use Envelope Encryption
• The main API that will help us is the GenerateDataKey API
• For the exam: anything over 4 KB of data that needs to be encrypted must use Envelope Encryption == GenerateDataKey API
Deep dive into Envelope Encryption
GenerateDataKey API
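The GenerateDataKey flow sketched above, as an added, runnable Python example (not AWS or course code): a simulated KMS enforces the 4 KB Encrypt limit, hands out a data key in plaintext and wrapped form, and the payload of any size is encrypted locally under the data key, so only the wrapped key ever goes through KMS. FakeKMS and the HMAC-based counter-mode cipher are stand-ins for the real service and for AES so that the example runs offline with the standard library; in practice the AWS SDK or the AWS Encryption SDK does this work.

```python
import hashlib
import hmac
import secrets

ENCRYPT_LIMIT = 4096  # KMS Encrypt accepts at most 4 KB of plaintext (per the slides)

def _keystream_xor(key, nonce, data):
    """Stand-in for AES (counter mode built from HMAC-SHA256 blocks). It carries no
    authentication tag, which a real data-key cipher such as AES-GCM provides."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class FakeKMS:
    """In-memory stand-in for a KMS key: callers never see the key, only blobs."""
    def __init__(self):
        self._kms_key = secrets.token_bytes(32)

    def encrypt(self, plaintext):
        if len(plaintext) > ENCRYPT_LIMIT:
            raise ValueError("Encrypt: plaintext exceeds 4 KB, use GenerateDataKey")
        nonce = secrets.token_bytes(16)
        return nonce + _keystream_xor(self._kms_key, nonce, plaintext)

    def decrypt(self, blob):
        return _keystream_xor(self._kms_key, blob[:16], blob[16:])

    def generate_data_key(self):
        """Return (plaintext data key, the same key encrypted under the KMS key)."""
        dek = secrets.token_bytes(32)
        return dek, self.encrypt(dek)

def envelope_encrypt(kms, data):
    """Encrypt data of any size locally with a fresh data key; the 4 KB limit only
    ever applies to the 32-byte data key that KMS wraps."""
    dek, wrapped_dek = kms.generate_data_key()
    nonce = secrets.token_bytes(16)
    ciphertext = nonce + _keystream_xor(dek, nonce, data)
    del dek  # the plaintext data key is used once and then discarded
    return {"wrapped_key": wrapped_dek, "ciphertext": ciphertext}

def envelope_decrypt(kms, envelope):
    """One small KMS Decrypt call recovers the data key; the payload is decrypted locally."""
    dek = kms.decrypt(envelope["wrapped_key"])
    body = envelope["ciphertext"]
    return _keystream_xor(dek, body[:16], body[16:])

def roundtrip_ok(size):
    """Constructed check: envelope-encrypt `size` bytes of sample data and compare."""
    kms = FakeKMS()
    sample = (bytes(range(256)) * (size // 256 + 1))[:size]
    return envelope_decrypt(kms, envelope_encrypt(kms, sample)) == sample

def direct_encrypt_allowed(size):
    """True if a payload of `size` bytes fits the plain Encrypt API, else False."""
    try:
        FakeKMS().encrypt(bytes(size))
        return True
    except ValueError:
        return False
```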
CloudHSM
• KMS => AWS manages the software for encryption
• CloudHSM => AWS provisions encryption hardware
• Dedicated Hardware (HSM = Hardware Security Module)
• You manage your own encryption keys entirely (not AWS)
• HSM device is tamper resistant, FIPS 140-2 Level 3 compliance
• Supports both symmetric and asymmetric encryption (SSL/TLS keys)
• No free tier available
• Must use the CloudHSM Client Software
• Redshift supports CloudHSM for database encryption and key management
• Good option to use with SSE-C encryption
SSM Parameter Store
• Secure storage for configuration and secrets
• Optional Seamless Encryption using KMS
• Serverless, scalable, durable, easy SDK
• Version tracking of configurations / secrets
• Security through IAM
• Notifications with Amazon EventBridge
• Integration with CloudFormation
SSM Parameter Store Hierarchy
• /my-department/
  • my-app/
    • dev/
      • db-url
      • db-password
    • prod/
      • db-url
      • db-password
  • other-app/
• /other-department/
• /aws/reference/secretsmanager/secret_ID_in_Secrets_Manager
• /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2 (public)
Standard and advanced parameter tiers
                                                    Standard              Advanced
Total number of parameters allowed                  10000                 100000
(per AWS account and Region)
Maximum size of a parameter value                   4 KB                  8 KB
Parameter policies available                        No                    Yes
Cost                                                No additional charge  Charges apply
Storage Pricing                                     Free                  $0.05 per advanced parameter per month
AWS Secrets Manager
• Newer service, meant for storing secrets
• Capability to force rotation of secrets every X days
• Automate generation of secrets on rotation (uses Lambda)
• Integration with Amazon RDS (MySQL, PostgreSQL, Aurora)
• Secrets are encrypted using KMS
• Mostly meant for RDS integration
AWS Secrets Manager – Multi-Region Secrets
• Replicate Secrets across multiple AWS Regions
• Secrets Manager keeps read replicas in sync with the primary Secret
• Ability to promote a read replica Secret to a standalone Secret
• Use cases: multi-region apps, disaster recovery strategies, multi-region DB…
SSM Parameter Store vs Secrets Manager
• Secrets Manager ($$$):
• Automatic rotation of secrets with AWS Lambda
• Lambda function is provided for RDS, Redshift, DocumentDB
• KMS encryption is mandatory
• Can integrate with CloudFormation
• SSM Parameter Store ($):
• Simple API
• No secret rotation (can enable rotation using Lambda triggered by EventBridge)
• KMS encryption is optional
• Can integrate with CloudFormation
• Can pull a Secrets Manager secret using the SSM Parameter Store API
SSM Parameter Store vs. Secrets Manager
Rotation
Other Services
Quick overview of other services that might come up in exam questions
Amazon Simple Email Service (Amazon SES)
• Fully managed service to send emails securely, globally and at scale
• Allows inbound/outbound emails
• Reputation dashboard, performance insights, anti-spam feedback
• Provides statistics such as email deliveries, bounces, feedback loop results, email opens
• Supports DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF)
• Flexible IP deployment: shared, dedicated, and customer-owned IPs
• Send emails from your application using the AWS Console, APIs, or SMTP
• Use cases: transactional, marketing and bulk email communications
Amazon OpenSearch Service
• Amazon OpenSearch is the successor to Amazon ElasticSearch
• In DynamoDB, queries only exist by primary key or indexes…
• With OpenSearch, you can search any field, even partial matches
• It’s common to use OpenSearch as a complement to another database
• Two modes: managed cluster or serverless cluster
• Does not natively support SQL (can be enabled via a plugin)
• Ingestion from Kinesis Data Firehose, AWS IoT, and CloudWatch Logs
• Security through Cognito & IAM, KMS encryption, TLS
• Comes with OpenSearch Dashboards (visualization)
Amazon Athena
• Serverless query service to analyze data stored in Amazon S3
• Uses standard SQL language to query the files (built on Presto)
• Supports CSV, JSON, ORC, Avro, and Parquet
• Pricing: $5.00 per TB of data scanned
• Commonly used with Amazon QuickSight for reporting/dashboards
• Use cases: Business intelligence / analytics / reporting, analyze & query VPC Flow Logs, ELB Logs, CloudTrail trails, etc.
• Exam Tip: to analyze data in S3 using serverless SQL, use Athena
Amazon Athena – Federated Query
• Allows you to run SQL queries across data stored in relational, non-relational, object, and custom data sources (AWS or on-premises)
• Uses Data Source Connectors that run on AWS Lambda to run Federated Queries (e.g., CloudWatch Logs, DynamoDB, RDS, …)
• Store the results back in Amazon S3
AWS Certificate Manager (ACM)
• Lets you easily provision, manage, and deploy SSL/TLS Certificates
• Used to provide in-flight encryption for websites (HTTPS)
• Supports both public and private TLS certificates
• Free of charge for public TLS certificates
• Automatic TLS certificate renewal
• Integrations with (load TLS certificates on)
• Elastic Load Balancers
• CloudFront Distributions
• APIs on API Gateway
AWS Macie
• Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS.
• Macie helps identify and alert you to sensitive data, such as personally identifiable information (PII)