AWS Developer Associate Exam preparation 31/01: consolidation

Just a little note-taking post to reinforce some concepts from practice exams today.

Access Advisor on IAM console helps to identify/remove unused IAM roles.

IAM Access Analyzer helps to identify resources that are shared externally.

If you configure forecast based AWS Budgets alerts, it takes 5 weeks to generate the forecasts.

Cloudfront Key pairs that are used to create signed URLs for private content can only be created by the root user

If you have an Elastic Load Balancer, and all the instances in the target group are unhealthy, but you can still access the instances by using Instance IPs, that might mean that the route for the health check is misconfigured or that the Security group of the EC2 instance doesn’t allow traffic from the security group of the Load Balancer.

By default user data on the EC2 is run using root user priviledges.

aws ec2 monitor-instances --instance-ids i-1234567890abcdef0 – to enable detailed monitoring of an existing instance;

aws ec2 run-instances --image-id ami-09092360 --monitoring Enabled=true

It’s possible to reuse SSH key-pairs between regions.

KMS encryption process : KMS stores the CMK, receives data from the clients, encrypts it and sends back.

Maximum data size supported by KMS is 4KB.

Exported Output Values in CloufFormation templates must have unique names in a region.

A root user cannot use SMS text message based MFA.

Load Balancer: if cross-zone load balancing is disabled, each load balancer node distributes traffic only across the registered targets in its Availability Zone. For example, us-east-1a has 2 instances, us-east-1b has 3 instances, 20% of traffic per instance will be received if cross-region load-balancing is enabled; otherwise us-east-1a ad us-east-1b receive 50% of traffic each.

Fargate containers should be put in the same task definition if they should be launched and terminated together, or if they reference each other, or if they shared resources or data volumes.

Autoscaling groups cannot span multiple regions.

If you have an app at and you want users to access it using, you use a CNAME record. Alias records route traffic to other resources, and cannot be used for 3rd party domains.

HTTP 503 ‘Service unavailable’ error on ALB is an indicator of the target groups for the load balancer having no registered targets.

If you’d like to have a 3rd party authorization mechanism on the API Gateway, the best option to use is a Lambda authorizer (could be token based or request-parameter based).

You can configure Application Auto Scaling to manage provisioned concurrency on a schedule or based on utilization.

AWS Security Token Service CANNOT be used for API Gateway authentication.

You can run CodeBuild locally using a CodeBuild agent.

You can enable CodeBuild timeouts. The default timeout is 8 hours, but it’s possible to set this to start from 5 mins.

In CodeBuild you can noticeably reduce your build time by caching dependencies.

When CodeDeploy rolls back a deployment, it first deploys to the failed instances.

CodeDeploy agent archives revisions and log files. :max_revisions in the agent configuration to specify the number of app revisions.

The AppSpec file is used to: 1)map the source files in your application revision to their destinations on the instance. 2) specify custom permissions for deployed files. 3) specify scripts to be run on each instance at various stages of the deployment process.

IAM can be used as a certificate manager only when you must support HTTPS connections in a Region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage.

Kinesis Data Firehose supports streaming to S3, Redshift, ElasticSearch but NOT Elasticache.

Kinesis enhanced fanout should be used if you have, or expect to have, multiple consumers retrieving data from a stream in parallel. 

To backup a DynamoDB table, it’s possible to use: Data Pipeline to S3 export, EMR (Hive) to S3, AWS Glue to copy to S3.

S3: if two writes are made to a single non-versioned object at the same time, it is possible that only a single event notification will be sent.

A subnet is ALWAYS associated with some route table.

When working with spot instances, it’s possible to stop/hibernate/terminate an instance.s

RDS supports transactions( Online Transaction Processing).

EBS volumes are AZ locked.

A volume restored from an encrypted snapshot or a copy of encrypted snapshot is always encrypted. Encryption by default is a Region-specific setting. If you enable it for a Region, you cannot disable it for individual volumes or snapshots in that Region. You can encrypt both the boot and data volumes of an EC2 instance. EBS works with AWS KMS to encrypt and decrypt your EBS volume.

CreateVolume event logs are not available for EBS volumes if they were created on EC2 launch.

Elasticache Redis cluster mode – can scale to large amounts of storage, flexibility, enhanced availability; allows horizontal scaling by adding or removing shards.

Maximum delay for SQS delay queues is 15 min. SQS queues don’t have a limit on the number of messages, but approximately 120,000 messages in flight.

Envelope Encryption can be used to reduce network load because only request and delivery of a small data key go over the network.

 /etc/ecs/ecs.config has config data for the ECS Container agent.

If you terminate a container instance in the RUNNING state, that container instance is automatically removed, or deregistered, from the cluster. However, if you terminate a container instance in the STOPPED state, that container instance isn’t automatically removed from the cluster.

API Gateway doesn’t use security groups but uses resource policies. API Gateway can have caching of responses enabled. Default TTL value is 300 sec, max is 3600 sec; TTL=0 means caching is disabled.

SQS max message retention=14 days.

SQS Extended client – used to process large messages (up to 2 GB).

CloudWatch Events detect and react to changes in the state of a pipeline, stage, or action.

The total size of all Lambda environment variables is 4KB, no limit on the number of variables.

You can configure a Lambda function to connect to private subnets. When you connect a function to a VPC, Lambda creates an elastic network interface for each combination of the security group and subnet in your function’s VPC configuration.

With Elastic Beanstalk, you can offload tasks to a worker environment, for operations that take a long time to complete. You ca define scheduled tasks in cron.yaml.

Organisational CloudTrail – members can see but cannot edit/delete it. Only tracks bucket-level actions; enabling S3 Data Events tracks data at object level.