
AWS CloudTrail – Certification

AWS CloudTrail Overview

  • CloudTrail provides visibility into user activity by recording the actions taken on your account and delivering the log files to S3.
  • CloudTrail records information about each action, including the user who made the request, the services used by the request, the actions performed, the parameters used for the action, and the response returned by the AWS service.
  • Information logged by CloudTrail helps track changes and troubleshoot operational issues.
  • CloudTrail makes it easier to ensure compliance with internal policies and regulatory standards.
  • The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing.


AWS EC2 – Enhanced Networking – Certification

Enhanced Networking

  • Enhanced networking uses single root I/O virtualization (SR-IOV) to provide high-performance networking capabilities on specific supported instance types.
  • SR-IOV is a method of device virtualization that provides higher I/O performance and lower CPU utilization.
  • Enhanced networking can be enabled using either


AWS – EBS – Exam Tips

An Amazon EBS volume is a block-level storage device that you can attach to a single EC2 instance. Like a virtual hard disk, it can host the instance's operating system, databases, and system and data files. You can use it like a physical hard drive attached to your servers in the AWS Cloud.

Amazon EBS provides the following volume types:

  • General Purpose SSD (gp2)
  • Provisioned IOPS SSD (io1)
  • Throughput Optimized HDD (st1)
  • Cold HDD (sc1)
  • Magnetic (standard).

Key Features of EBS Volumes

  • Data Durability – EBS volumes are automatically replicated within the Availability Zone in which they were created, to prevent data loss due to hardware failures. Volumes are attached as native block devices, similar to physical hard drives, so the instance can interact with the volume directly, including formatting it with a file system and installing applications. You can stripe data across multiple volumes for increased I/O and throughput performance.
  • Data Persistence – EBS volumes can exist independently of any server instance, similar to virtual hard disks that can be attached to virtual machines. By default, EBS volumes attached to a running instance automatically detach from the instance with their data intact when that instance is terminated; the exception is the root volume attached at launch when the ‘Delete on Termination’ checkbox is ticked. In addition, with EBS-backed instances, you can stop and restart the instance without affecting the data stored in the attached volume.
  • Data encryption – You can create encrypted EBS volumes with the encryption option available when creating new volumes. Amazon EBS encryption uses the 256-bit Advanced Encryption Standard (AES-256) and an Amazon-managed key infrastructure. You can also use a customer master key (CMK) for your EBS volumes.
  • Snapshots – You can create a point-in-time snapshot of any EBS volume to store backups of your data. Snapshots are stored in Amazon S3, with redundancy across multiple Availability Zones. You can also create periodic snapshots of a volume, which are incremental backups of the data. Snapshots can be used to create multiple new EBS volumes, expand the size of a volume, or move volumes across Availability Zones. Snapshots of encrypted EBS volumes are automatically encrypted. Snapshots can also be shared between AWS accounts or made publicly available. If you need to create a snapshot of a volume that is being used as a boot/root device, you must first stop the instance before taking the snapshot. If you don’t, Amazon will automatically stop the instance when you attempt to take the snapshot, so it is advisable to plan a schedule for taking such snapshots in live production environments.


Encrypting snapshots

  • Snapshots of encrypted volumes are automatically encrypted.
  • Volumes that are created from encrypted snapshots are automatically encrypted.
  • When you copy an unencrypted snapshot that you own, you can encrypt it during the copy process.
  • When you copy an encrypted snapshot that you own, you can re-encrypt it with a different key during the copy process.

AWS – Security – Exam Tips

Understand the shared responsibility model. AWS is responsible for securing the underlying infrastructure that supports the cloud, and you’re responsible for anything you put on the cloud or connect to the cloud.

Understand regions and Availability Zones. Each region is completely independent. Each region is designed to be completely isolated from the other regions. This achieves the greatest possible fault tolerance and stability. Regions are a collection of Availability Zones. Each Availability Zone is isolated, but the Availability Zones in a region are connected through low-latency links.

Understand High-Availability System Design within AWS. You should architect your AWS usage to take advantage of multiple regions and Availability Zones. Distributing applications across multiple Availability Zones provides the ability to remain resilient in the face of most failure modes, including natural disasters or system failures.

Understand the network security of AWS. Network devices, including firewall and other boundary devices, are in place to monitor and control communications at the external boundary of the network and at key internal boundaries within the network. These boundary devices employ rule sets, ACLs, and configurations to enforce the flow of information to specific information system services.

AWS has strategically placed a limited number of access points to the cloud to allow for a more comprehensive monitoring of inbound and outbound communications and network traffic. These customer access points are called API endpoints, and they allow HTTPS access, which allows you to establish a secure communication session with your storage or compute instances within AWS.

Amazon EC2 instances cannot send spoofed network traffic. The AWS-controlled, host-based firewall infrastructure will not permit an instance to send traffic with a source IP or MAC address other than its own.

Unauthorized port scans by Amazon EC2 customers are a violation of the AWS Acceptable Use Policy. Violations of the AWS Acceptable Use Policy are taken seriously, and every reported violation is investigated.

It is not possible for an Amazon EC2 instance running in promiscuous mode to receive or “sniff” traffic that is intended for a different virtual instance.

Understand the use of credentials on AWS. AWS employs several credentials in order to positively identify a person or authorize an API call to the platform. Credentials include:

  • Passwords – AWS root account or IAM user account login to the AWS Management Console
  • Multi-Factor Authentication (MFA) – AWS root account or IAM user account login to the AWS Management Console
  • Access Keys – Digitally signed requests to AWS APIs (using the AWS SDK, CLI, or REST/Query APIs)

Understand the proper use of access keys. Because access keys can be misused if they fall into the wrong hands, AWS encourages you to save them in a safe place and not to embed them in your code. For customers with large fleets of elastically-scaling Amazon EC2 instances, the use of IAM roles can be a more secure and convenient way to manage the distribution of access keys.

Understand the value of AWS CloudTrail. AWS CloudTrail is a web service that records API calls made on your account and delivers log files to your Amazon S3 bucket. AWS CloudTrail’s benefit is visibility into account activity by recording API calls made on your account.

Understand the security features of Amazon EC2. Amazon EC2 uses public-key cryptography to encrypt and decrypt login information. Public-key cryptography uses a public key to encrypt a piece of data, such as a password, and then the recipient uses the private key to decrypt the data. The public and private keys are known as a key pair.

To log in to your instance, you must create a key pair, specify the name of the key pair when you launch the instance, and provide the private key when you connect to the instance. Linux instances have no password, and you use a key pair to log in using SSH. With Windows instances, you use a key pair to obtain the administrator password and then log in using RDP.

A security group acts as a virtual firewall that controls the traffic for one or more instances. When you launch an instance, you associate one or more security groups with the instance. You add rules to each security group that allow traffic to or from its associated instances. You can modify the rules for a security group at any time; the new rules are automatically applied to all instances that are associated with the security group.
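The CloudTrail records described above are what a defender works from when reviewing security group changes: each record carries the user, the action and its parameters. The following added example (not from the original post) parses a constructed CloudTrail log file and flags a console login without MFA and an ingress rule opened to 0.0.0.0/0; the field names are CloudTrail's, the event values and the security group ID are constructed.

```python
import json

# Constructed sample CloudTrail log file, in the {"Records": [...]} shape CloudTrail delivers to S3:
# a console login without MFA, a security group rule opened to the world, and a benign S3 call.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "eventTime": "2024-01-01T08:00:00Z", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "eventTime": "2024-01-01T08:05:00Z", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}},
     "responseElements": {"_return": True}},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "eventTime": "2024-01-01T08:06:00Z", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": None, "responseElements": None},
]})

def actor(record):
    """Best-effort name of the principal behind a record."""
    ident = record.get("userIdentity") or {}
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")

def world_open_rules(params):
    """Yield (protocol, fromPort, toPort) for each ingress permission that admits 0.0.0.0/0 or ::/0."""
    for perm in ((params or {}).get("ipPermissions") or {}).get("items", []):
        ranges = (perm.get("ipRanges") or {}).get("items", []) + (perm.get("ipv6Ranges") or {}).get("items", [])
        if any(r.get("cidrIp") == "0.0.0.0/0" or r.get("cidrIpv6") == "::/0" for r in ranges):
            yield perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort")

def findings(log_text):
    """Return (eventName, user, detail) tuples for the records an analyst should look at."""
    out = []
    for rec in json.loads(log_text)["Records"]:
        name = rec.get("eventName")
        if (name == "ConsoleLogin"
                and (rec.get("additionalEventData") or {}).get("MFAUsed") == "No"
                and (rec.get("responseElements") or {}).get("ConsoleLogin") == "Success"):
            out.append((name, actor(rec), "console login succeeded without MFA from " + rec.get("sourceIPAddress", "?")))
        elif name == "AuthorizeSecurityGroupIngress":
            params = rec.get("requestParameters") or {}
            for proto, lo, hi in world_open_rules(params):
                out.append((name, actor(rec), f"{params.get('groupId')} opened {proto} {lo}-{hi} to the world"))
    return out
```

Running `findings(SAMPLE_LOG)` yields two findings for alice and nothing for bob's ListBuckets call; the same loop applies unchanged to the gzipped files CloudTrail delivers to the S3 bucket.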

Understand AWS use of encryption of data in transit. All service endpoints support encryption of data in transit via HTTPS.

Know which services offer encryption of data at rest as a feature. The following services offer a feature to encrypt data at rest:

  • Amazon S3
  • Amazon EBS
  • Amazon Glacier
  • AWS Storage Gateway
  • Amazon RDS
  • Amazon Redshift
  • Amazon WorkSpaces

AWS – ElastiCache – Exam Tips

Know how to use Amazon ElastiCache. Improve the performance of your application by deploying Amazon ElastiCache clusters as part of your application and offloading read requests for frequently accessed data. Use the cache-aside pattern in your application first to check the cache for your query results before checking the database.
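The cache-aside pattern just described, as an added example that is not part of the original post. It uses an in-memory stand-in for the ElastiCache client (assumed `get`/`setex` interface, as in Redis) and a constructed database that counts its queries, and also caches misses so a lookup for a row that does not exist does not hit the database on every request.

```python
import time

class FakeRedis:
    """Minimal stand-in for a Redis/ElastiCache client: GET and SETEX with expiry (assumed interface)."""
    def __init__(self):
        self._store = {}

    def get(self, key):
        entry = self._store.get(key)
        if entry is None:
            return None
        value, expires_at = entry
        if time.monotonic() >= expires_at:   # lazy expiry on read, like a TTL'd key
            del self._store[key]
            return None
        return value

    def setex(self, key, ttl_seconds, value):
        self._store[key] = (value, time.monotonic() + ttl_seconds)

class Database:
    """Constructed backing store; counts queries so the cache's effect is measurable."""
    def __init__(self, rows):
        self.rows, self.queries = rows, 0

    def fetch(self, user_id):
        self.queries += 1
        return self.rows.get(user_id)

MISSING = "__missing__"   # sentinel so absent rows are cached too (negative caching)

def get_user(cache, db, user_id, ttl=60):
    """Cache-aside read: check the cache first, fall back to the DB, then populate the cache."""
    key = f"user:{user_id}"
    cached = cache.get(key)
    if cached is not None:
        return None if cached == MISSING else cached
    row = db.fetch(user_id)
    cache.setex(key, ttl, MISSING if row is None else row)
    return row

def demo():
    """Six reads over three distinct ids cost the database only three queries."""
    db, cache = Database({1: "alice", 2: "bob"}), FakeRedis()
    results = [get_user(cache, db, uid) for uid in (1, 1, 2, 1, 3, 3)]
    return db.queries, results
```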

Understand when to use a specific cache engine. Amazon ElastiCache gives you the choice of cache engine to suit your requirements. Use Memcached when you need a simple, in-memory object store that can be easily partitioned and scaled horizontally. Use Redis when you need to back up and restore your data, need many clones or read replicas, or are looking for advanced functionality like sort and rank or leaderboards that Redis natively supports.

Understand how to scale a Redis cluster horizontally. An Amazon ElastiCache cluster running Redis can be scaled horizontally first by creating a replication group, then by creating additional clusters and adding them to the replication group.

Understand how to scale a Memcached cluster horizontally. An Amazon ElastiCache cluster running Memcached can be scaled horizontally by adding or removing cache nodes in the cluster. The Amazon ElastiCache client library supports Auto Discovery and can discover nodes added to or removed from the cluster without having to hardcode the list of nodes.

Know how to back up your Amazon ElastiCache cluster. You can create a snapshot to back up your Amazon ElastiCache clusters running the Redis engine. Snapshots can be created automatically on a daily basis or manually on demand. Amazon ElastiCache clusters running Memcached do not support backup and restore natively.