AWS Certification Guide
60% - Designing highly available, cost-efficient, fault-tolerant, scalable systems
1. Security
2. Reliability
3. Performance Efficiency
4. Cost Optimization
5. Operational Excellence
Security
- Apply security at all layers
- Enable trace-ability
- Implement a principle of least privilege:
- Focus on securing your system
- Automate security best practices
Identity and Access Management:
- users, groups, services, and roles/resp.
- protecting AWS root account credentials
- Roles/Responsibilities of system users to control human access to the AWS Management Console and API
- Limiting automated access to AWS resources like Scripts/Third party
- AWS Identity and Access Management (IAM)
- Multi-factor authentication (MFA)
- Security Assertion Markup Language
- Okta
- Ping
- AWS Security Token Service
Detective controls:
Capturing and analyzing logs into log processing system like CloudWatch Logs, Splunk, Papertrail. AWS CloudTrail, AWS Config, Amazon CloudWatch
Infrastructure protection:
Enforcing network and host-level boundary protection, Leveraging AWS service level security, Protecting Integrity of OS ie immutable AMI. Amazon Virtual Private Cloud (VPC)
Data protection:
Classifying your data, encrypting/protecting data/managing keys/ data in transit. Elastic Load Balancing, Amazon Elastic Block Store (EBS), Amazon Simple Storage Service (S3), and Amazon Relational Database Service (RDS), AWS Key Management Service (KMS), AWS CloudHSM
Incident response:
Authorization to incident response team. Amazon CloudFormation
Reliability
Performance Efficiency
NoSQL databases
media transcoding, and machine learning
data access patterns
Compute Unified Device Architecture
General-Purpose computing on Graphics Processing Units
running read replicas
media transcoding, and machine learning
data access patterns
Compute Unified Device Architecture
General-Purpose computing on Graphics Processing Units
running read replicas
Operational Excellence
Cost Optimization
10% - Implementation/Deployment
Amazon EC2, Amazon S3, AWS Elastic Beanstalk, AWS CloudFormation,
AWS OpsWorks, Amazon Virtual Private Cloud (VPC), and AWS Identity and Access
Management (IAM) to code and implement a cloud solution.
Content may include the following:
•
Configure an Amazon Machine Image (AMI)
•
Operate and extend service management in a
hybrid IT architecture
•
Configure services to support compliance
requirements in the cloud
•
Launch instances across the AWS global
infrastructure
•
Configure IAM policies and best practices
20% - Data Security
•
AWS shared responsibility model
•
AWS platform compliance
•
AWS security attributes (customer workloads down
to physical layer)
•
AWS administration and security services
•
AWS Identity and Access Management (IAM)
•
Amazon Virtual Private Cloud (VPC)
•
AWS CloudTrail
•
Ingress vs. egress filtering, and which AWS services
and features fit
•
“Core” Amazon EC2 and S3 security feature sets
•
Incorporating common conventional security
products (Firewall, VPN)
•
Design patterns
•
DoS mitigation
•
Encryption solutions (e.g., key services)
•
Complex access controls (building sophisticated
security groups, ACLs, etc.)
•
Amazon CloudWatch for the security architect
•
Trusted Advisor
•
CloudWatch Logs
Recognize critical disaster recovery techniques and their implementation.
• Disaster recovery
Recovery time objective
Recovery point objective
Amazon Elastic Block Store
• AWS Import/Export
• AWS Storage Gateway
• Amazon Route53
• Validation of data recovery method
10% - Troubleshooting
Strategies that help in event of failure
1. Automated Backup/Restore
2. Process threads that resume on reboot, and State of the system to re-sync by reloading messages from queues with Pre-configured and pre-optimized virtual images to support on launch/boot
3. Avoiding in-memory sessions or stateful user context, move that to data stores. Like Maintain multiple Database slaves across Availability Zones and hot replication
4. Whole Application should be impervious to reboots and re-launches
Consider before Design
1. Ensure Scalablity. If every component implements a service interface, responsible for its own scalability in all appropriate dimensions, then the overall system will have a scalable base. Proactive Cyclic Scaling that occurs at fixed interval (daily, weekly, monthly, quarterly) Proactive Event-based Scaling when expecting a big surge of traffic requests due to a scheduled event(new product launch, campaigns) Auto-scaling based on demand using Monitoring service, system can send triggers so that it scales up or down(utilization of servers/network i/o)
2. For Manageability and High-availability, make sure that your components are loosely coupled, without having tight dependencies between each other.
3. Implement Parallelization, Distributing the tasks on multiple machines, multithreading your requests and effective aggregation of results obtained in parallel
Secondary Consideration
1. Ensure Resilience. If any component fails (and failures happen all the time), the system should automatically alert, failover, and re-sync back to the "last known state" as if nothing failed
2. Cost factor. The key is using on-demand resources and not pay for idle resource
Awesome post presented by you..your writing style is fabulous and keep update with your
ReplyDeleteblogs AWS Online Course