# AWS Certified Associate

## IAM

* Users
  * New users have **NO permissions** when first created.
  * New users are assigned an **Access Key ID & Secret Access Key** when first created.
  * **You only get to view these once.**
* Roles
* Groups
* Policies

### IAM is universal

---

## S3

* **Object-based**
* Files can be from **0 bytes to 5 TB**
* **S3 is a universal namespace.**

By default, all newly created buckets are PRIVATE. You can set up access control to your buckets using:

* **Bucket Policies**
* **Access Control Lists**

### S3 Types

* S3 Standard
* S3 IA (Infrequently Accessed)
* S3 One Zone - IA
* S3 Intelligent Tiering
* S3 Glacier
* S3 Glacier Deep Archive

#### Glacier

The Amazon S3 Glacier storage class offers **three** retrieval options for your use case.

* Expedited retrieval: typically returns data in 1-5 minutes; ideal for active archive use cases.
* Standard retrieval: typically completes in 3-5 hours; suited to less time-sensitive needs such as backup data, media editing, or long-term analytics.
* Bulk retrieval: the lowest-cost option, returning large amounts of data in 5-12 hours. The Amazon S3 Glacier Deep Archive storage class offers two retrieval options, ranging from 12 to 48 hours.

### Encryption in Transit

* SSL/TLS

### Encryption at Rest

* S3 Managed Keys - SSE-S3
* AWS Key Management Service, Managed Keys - SSE-KMS
* Server Side Encryption With Customer Provided Keys - SSE-C

### AWS Organizations

### Share S3 Buckets

* Using Bucket Policies & IAM (applies across the entire bucket). Programmatic access only.
* Using Bucket ACLs & IAM (individual objects). Programmatic access only.
* Cross-account IAM Roles. Programmatic & console access.

### Cross Region Replication

* Versioning must be enabled on both the source and destination buckets.
* Files in an existing bucket are not replicated automatically.
* All subsequent updated files will be replicated automatically.
* Delete markers are not replicated.
* Deleting individual versions or delete markers will not be replicated.
* Understand what Cross Region Replication is at a high level.

### Lifecycle Policies

* Automates moving your objects between the different storage tiers.
* Can be used in conjunction with versioning.
* Can be applied to current versions and previous versions.
### CloudFront

* **Edge Location**
  * This is the location where content will be cached. This is separate from an AWS Region/AZ.
  * Edge locations are not just READ only -- you can write to them too.
  * Objects are cached for the life of the TTL (Time To Live).
  * You can clear cached objects, but you will be charged.
* **Origin** This is the origin of all the files that the CDN will distribute. This can be either an S3 bucket, an EC2 instance, an Elastic Load Balancer, or Route53.
* **Distribution** This is the name given to the CDN, which consists of a collection of Edge Locations.
  * **Web Distribution** Typically used for websites.
  * **RTMP** Used for media streaming.
* **CloudFront OAI** To restrict access to content that you serve from Amazon S3 buckets, follow these steps:
  1. Create a special CloudFront user called an origin access identity (OAI) and associate it with your distribution.
  2. Configure your S3 bucket permissions so that CloudFront can use the OAI to access the files in your bucket and serve them to your users.
  3. Make sure that users can't use a direct URL to the S3 bucket to access a file there.

  After you take these steps, users can only access your files through CloudFront, not directly from the S3 bucket.

### Snowball

### Storage Gateway

#### File Gateway

* File Gateway - For flat files, stored directly on S3.

#### Volume Gateway

* **Stored Volumes** - The entire dataset is stored on site and is asynchronously backed up to S3.
* **Cached Volumes** - The entire dataset is stored on S3 and the most frequently accessed data is cached on site.

#### Gateway Virtual Tape Library

Used for backup and uses popular backup applications like NetBackup, Backup Exec, Veeam etc.
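The S3 bucket-policy side of the OAI steps above (and of the "bucket policies" access control listed under S3), as an added example that is not part of the original notes: it builds the policy that lets only the OAI read objects, and checks a policy for a leftover anonymous `s3:GetObject` grant, which is exactly what step 3 says must not exist. The bucket name and OAI id are placeholders.

```python
"""Added example (not from the original notes): build the bucket policy that
pairs with a CloudFront origin access identity (OAI), and audit a bucket policy
for statements that let anyone bypass CloudFront with a direct S3 URL.

The bucket name and OAI id below are constructed placeholders."""
import json

BUCKET = "example-static-site"   # constructed bucket name
OAI_ID = "EXAMPLEOAIID"          # placeholder origin access identity id


def oai_bucket_policy(bucket: str, oai_id: str) -> dict:
    """Bucket policy that grants s3:GetObject only to the CloudFront OAI.

    The principal form "arn:aws:iam::cloudfront:user/CloudFront Origin Access
    Identity <id>" is the documented way to name an OAI in a bucket policy."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCloudFrontOAIReadOnly",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::cloudfront:user/"
                           f"CloudFront Origin Access Identity {oai_id}"
                },
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
            }
        ],
    }


def _as_list(value):
    """Policy fields may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"}, i.e. anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_read_statements(policy: dict) -> list:
    """Return the Sids of Allow statements granting object reads to everyone.

    Any such statement defeats the OAI: a direct S3 URL keeps working even
    though CloudFront is the intended front door."""
    offenders = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & {"s3:getobject", "s3:*", "*"}:
            offenders.append(stmt.get("Sid", "<no Sid>"))
    return offenders


if __name__ == "__main__":
    good = oai_bucket_policy(BUCKET, OAI_ID)
    print(json.dumps(good, indent=2))
    print("public read statements:", public_read_statements(good))   # []

    # Constructed "leftover" public-read statement, the classic mistake.
    leaky = json.loads(json.dumps(good))
    leaky["Statement"].append({
        "Sid": "PublicReadGetObject",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    })
    print("public read statements:", public_read_statements(leaky))  # ['PublicReadGetObject']
```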
### Amazon Athena

* Athena is an interactive query service.
* It allows you to query data located in S3 using standard SQL.
* Serverless.
* Commonly used to analyse log data stored in S3.

Amazon Athena is an interactive query service that makes it easy to analyse data in Amazon S3 using standard SQL. Athena is serverless, so there is no infrastructure to manage, and you pay only for the queries you run.

Athena is easy to use. Simply point to your data in Amazon S3, define the schema, and start querying using standard SQL. Most results are delivered within seconds. With Athena, there is no need for complex ETL jobs to prepare your data for analysis. This makes it easy for anyone with SQL skills to quickly analyse large-scale datasets.

### Macie

* Macie uses AI to analyse data in S3 and helps identify PII.
* Can also be used to analyse CloudTrail logs for suspicious API activity.
* Includes dashboards, reports and alerting.
* Great for PCI-DSS compliance and preventing ID theft.

---

## EC2

### Pricing Model

* **On-Demand** Allows you to pay a fixed rate by the hour (or by the second) with no commitment.
* **Reserved - RI** Provides you with a capacity reservation, and offers a significant discount on the hourly charge for an instance. Contract terms are 1 year or 3 year terms.
* **Spot** Enables you to bid whatever price you want for instance capacity, providing for even greater savings if your applications have flexible start and end times.
* **Dedicated Host** Physical EC2 server dedicated for your use. Dedicated Hosts can help you reduce costs by allowing you to use your existing server-bound software licenses.

### EBS

* Termination Protection is **turned off** by default; you must turn it on.
* On an EBS-backed instance, the **default action is for the root EBS volume to be deleted** when the instance is terminated.
* EBS root volumes of your DEFAULT AMIs **CAN** be encrypted. You can also use a third-party tool (such as BitLocker etc.) to encrypt the root volumes, or this can be done when creating AMIs in the AWS console or using the API.
* Additional volumes can be encrypted.

#### EBS Snapshots

* Volumes exist on EBS. Think of EBS as a virtual hard disk.
* Snapshots exist on S3. Think of snapshots as a photograph of the disk.
* Snapshots are point-in-time copies of volumes.
* Snapshots are incremental - this means that only the blocks that have changed since your last snapshot are moved to S3.
* If this is your first snapshot, it may take some time to create.
* To create a snapshot for Amazon EBS volumes that serve as root devices, you should stop the instance before taking the snapshot.
* However, you can take a snapshot while the instance is running.
* You can create AMIs from both volumes and snapshots.
* You can change EBS volume sizes on the fly, including changing the size and storage type.
* **Volumes will ALWAYS be in the same AZ** as the EC2 instance.

### Migrating EBS

* To move an EC2 volume from one AZ to another, take a snapshot of it, create an AMI from the snapshot and then use the AMI to launch the EC2 instance in a new AZ.
* To move an EC2 volume from one region to another, take a snapshot of it, create an AMI from the snapshot and then copy the AMI from one region to the other. Then use the copied AMI to launch the new EC2 instance in the new region.

### EBS Encryption

* Snapshots of encrypted volumes are encrypted automatically.
* Volumes restored from encrypted snapshots are encrypted automatically.
* You can share snapshots, but only if they are unencrypted.
* These snapshots can be shared with other AWS accounts or made public.

#### Encrypting Root Device Volumes

If you have an unencrypted root device volume that needs to be encrypted, do the following:

1. Create a snapshot of the unencrypted root device volume.
2. Create a copy of the snapshot and select the encrypt option.
3. Create an AMI from the new encrypted snapshot.
4. Use that AMI to launch new encrypted instances.

### EBS vs Instance Store

- Instance Store
  - Instance Store volumes are sometimes called **Ephemeral Storage**.
  - Instance Store volumes cannot be stopped. If the underlying host fails, you will lose your data.
- EBS
  - EBS-backed instances can be stopped. You will not lose the data on this instance if it is stopped.
You can reboot both; you will not lose your data. By default, both ROOT volumes will be deleted on termination. However, with EBS volumes, you can tell AWS to keep the root device volume.

### Security Groups

* All inbound traffic is blocked by default.
* All outbound traffic is allowed.
* Changes to Security Groups take effect immediately.
* You can have any number of EC2 instances within a security group.
* You can have multiple security groups attached to EC2 instances.
* Security Groups are **STATEFUL**. If you create an inbound rule allowing traffic in, that traffic is automatically allowed back out again.
* You cannot block specific IP addresses using Security Groups; instead use Network Access Control Lists.
* You can specify allow rules, but not deny rules.

### IAM Roles

- Roles are more secure than storing your access key and secret access key on individual EC2 instances.
- Roles are easier to manage.
- Roles can be assigned to an EC2 instance after it is created using both the console & command line.
- Roles are universal - you can use them in any region.

### Bootstrap Script

- Bootstrap scripts run when an EC2 instance first boots.
- Can be a powerful way of automating software installs and updates.

### Meta Data & User Data

- Used to get information about an instance (such as public IP).
- `curl http://169.254.169.254/latest/meta-data/`
- `curl http://169.254.169.254/latest/user-data/`

### EFS

- Supports the Network File System version 4 (NFSv4) protocol.
- You only pay for the storage you use (no pre-provisioning required).
- Can scale up to petabytes.
- Can support thousands of concurrent NFS connections.
- Data is stored across multiple AZs within a region.
- Read-after-write consistency.

### EC2 Placement Groups

- Cluster Placement Group
  - Low network latency / high network throughput
  - ![](https://i.imgur.com/DbfXDkF.png)
- Spread Placement Group
  - Individual critical EC2 instances
  - ![](https://i.imgur.com/aqZAjkk.png)
- Partitioned
  - Multiple EC2 instances: HDFS, HBase, and Cassandra
  - ![](https://i.imgur.com/Quv8Ewu.png)

---

## Database

### RDS (OLTP)

- RDS runs on virtual machines.
- You cannot log in to these operating systems, however.
- Patching of the RDS operating system and DB is Amazon's responsibility.
- RDS is NOT serverless.
- Aurora Serverless is serverless.

#### Types

- SQL Server
- MySQL
- PostgreSQL
- Oracle
- Aurora
- MariaDB

#### Aurora

- 2 copies of your data are contained in each AZ, with a minimum of 3 AZs: 6 copies of your data.
- You can share Aurora snapshots with other AWS accounts.
- 3 types of replicas available: Aurora Replicas, MySQL replicas, PostgreSQL replicas. Automated failover is only available with Aurora Replicas.
- Aurora has automated backups turned on by default. You can also take snapshots with Aurora. You can share these snapshots with other AWS accounts.
- Use Aurora Serverless if you want a simple, cost-effective option for infrequent, intermittent, or unpredictable workloads.

#### RDS Backup

- Automated Backups
- Database Snapshots

#### Read Replicas

- Can be Multi-AZ.
- Used to increase performance.
- Must have backups turned on.
- Can be in different regions.
- Can be MySQL, PostgreSQL, MariaDB, Oracle, Aurora.
- Can be promoted to master; this will break the Read Replica.

#### Multi-AZ

- Used for DR.
- You can force a failover from one AZ to another by rebooting the RDS instance.

#### Encryption

Encryption at rest is supported for MySQL, Oracle, SQL Server, PostgreSQL, MariaDB & Aurora.
Encryption is done using the AWS Key Management Service (KMS). Once your RDS instance is encrypted, the data stored at rest in the underlying storage is encrypted, as are its automated backups, read replicas, and snapshots.

### DynamoDB (NoSQL)

- Stored on SSD storage.
- Spread across 3 geographically distinct data centers.
- Eventually Consistent Reads (default).
- Strongly Consistent Reads.

* Read Capacity Unit (RCU): each API call to read data from your table is a read request. Read requests can be strongly consistent, eventually consistent, or transactional. For items up to 4 KB in size, one RCU can perform one strongly consistent read request per second. Items larger than 4 KB require additional RCUs. For items up to 4 KB in size, one RCU can perform two eventually consistent read requests per second. For items up to 4 KB, two RCUs are required to perform one transactional read request per second. For example, a strongly consistent read of an 8 KB item requires two RCUs, an eventually consistent read of an 8 KB item requires one RCU, and a transactional read of an 8 KB item requires four RCUs. See Read Consistency for more details.
* Write Capacity Unit (WCU): each API call to write data to your table is a write request. For items up to 1 KB in size, one WCU can perform one standard write request per second. Items larger than 1 KB require additional WCUs. For items up to 1 KB, two WCUs are required to perform one transactional write request per second. For example, a standard write of a 1 KB item requires one WCU, a standard write of a 3 KB item requires three WCUs, and a transactional write of a 3 KB item requires six WCUs.
* Replicated Write Capacity Unit (rWCU): when using DynamoDB global tables, your data is written automatically to multiple AWS Regions of your choice. Each write occurs in the local Region as well as in the replicated Regions.
* Streams read request unit: each GetRecords API call to DynamoDB Streams is a streams read request unit. Each streams read request unit can return up to 1 MB of data.
* Transactional read/write requests: in DynamoDB, a transactional read or write differs from a standard read or write because it guarantees that all operations contained in a single transaction set succeed or fail as a set.

### Redshift (OLAP)

- Redshift is used for business intelligence.
- Available in only 1 AZ.

#### Redshift Backups

- Enabled by default with a 1 day retention period.
- Maximum retention period is 35 days.
- Redshift always attempts to maintain at least 3 copies of your data (the original and replica on the compute nodes and a backup in Amazon S3).
- Redshift can also asynchronously replicate your snapshots to S3 in another region for disaster recovery.

### Elasticache

- Use Elasticache to increase database and web application performance.
- Redis is Multi-AZ.
- You can do backups and restores of Redis.
- If you need to scale horizontally, use Memcached.

#### Types

- Memcached
- Redis

---

## CloudWatch

- CloudWatch is used for monitoring performance.
- CloudWatch can monitor most of AWS as well as your applications that run on AWS.
- CloudWatch with EC2 will monitor events every 5 minutes by default.
- You can have 1 minute intervals by turning on detailed monitoring.
- You can create CloudWatch alarms which trigger notifications.
- **CloudWatch is all about performance. CloudTrail is all about auditing.**

### What can I do with CloudWatch?

- **Dashboards** - Create awesome dashboards to see what is happening with your AWS environment.
- **Alarms** - Allows you to set alarms that notify you when particular thresholds are hit.
- Events - CloudWatch Events helps you to respond to state changes in your AWS resources.
- Logs - CloudWatch Logs helps you to aggregate, monitor, and store logs.

### CloudWatch TunnelState Metric

### [Monitoring memory and disk metrics for Amazon EC2 Linux instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/mon-scripts.html)

---

## ECS

## Route53

- ELBs do not have pre-defined IPv4 addresses; you resolve to them using a DNS name.
- Understand the difference between an **Alias Record** and **a CNAME**.
- Given the choice, **always choose an Alias Record over a CNAME**.

### DNS Types

- SOA Records
- NS Records
- A Records
- CNAMEs
- MX Records
- PTR Records

### Routing Policies

- Simple Routing
  - You can only have one record with multiple IP addresses.
  - If you specify multiple values in a record, Route53 returns all values to the user in a **random order**.
- Weighted Routing
- Latency-based Routing
- Failover Routing
  - Use Active / Passive to choose the routing path.
  - If a failure has been detected on Active, it will send the traffic to Passive.
- Geolocation Routing
- Geoproximity Routing (Traffic Flow Only)
  - To use Geoproximity routing, you must use Route53 Traffic Flow.
- Multivalue Answer Routing
  - Essentially the same as Simple routing, except you get **Health Checks**.

### Health Checks

- You can set health checks on individual record sets.
- If a record set fails a health check it will be removed from Route53 until it passes the health check.
- You can set SNS notifications to alert you if a health check fails.

## VPC

- Think of a VPC as a logical datacenter in AWS.
- Consists of IGWs (or Virtual Private Gateways), Route Tables, Network Access Control Lists, Subnets, and Security Groups.
- 1 Subnet = 1 AZ
- Security Groups are **Stateful**; Network Access Control Lists are **Stateless**.
- **No Transitive Peering**

### Building a VPC

- When you create a VPC you get a default Route Table, Network ACL and a default Security Group.
- It won't create any subnets, nor will it create a default Internet Gateway.
- The AZs are randomized.
- Amazon always reserves 5 IP addresses within your subnets.
- You can only have 1 Internet Gateway per VPC.
- Security Groups can't span VPCs.

### NAT Instances

- When creating a NAT instance, **disable the Source/Destination Check on the instance.**
- NAT instances must be in a public subnet.
- There must be a route out of the private subnet to the NAT instance in order for this to work.
- The amount of traffic that NAT instances can support depends on the instance size. If you are bottlenecking, increase the instance size.
- You can create high availability using Auto Scaling Groups, multiple subnets in different AZs, and a script to automate failover.
- Behind a Security Group.

### NAT Gateways

- **Only IPv4!!!**
- Redundant inside the AZ.
- Preferred by the enterprise.
- Starts at 5 Gbps and currently scales to 45 Gbps.
- No need to patch.
- Not associated with security groups.
- Automatically assigned a public IP address.
- Remember to update your route table.
- No need to disable Source / Destination Checks.
- You can **share one NAT Gateway with multiple AZs**, but if that NAT Gateway is down, **resources in the other AZs will lose Internet access**.
- To create an AZ-independent architecture, create a NAT Gateway in each AZ and configure your routing to ensure that resources use the NAT Gateway in the same AZ.

#### Exam Tips

- Your VPC automatically comes with a default network ACL, and by default it allows all outbound and inbound traffic.
- You can create custom network ACLs. By default, each custom network ACL denies all inbound and outbound traffic until you add rules.
- Each subnet in your VPC must be associated with a network ACL. If you don't explicitly associate a subnet with a network ACL, the subnet is automatically associated with the default network ACL.
- **Block IP addresses using Network ACLs**, not Security Groups.
- You can associate a network ACL with multiple subnets; however, **a subnet can be associated with only one network ACL** at a time. When you associate a network ACL with a subnet, the previous association is removed.
- Network ACLs contain a numbered list of rules that is evaluated in order, **starting with the lowest numbered rule**.
- Network ACLs have separate inbound and outbound rules, and each rule can either allow or deny traffic.
- **Network ACLs are stateless**; responses to allowed inbound traffic are subject to the rules for outbound traffic (and vice versa).
- You need a **minimum of 2 public subnets** to deploy an internet-facing Load Balancer.

### VPC Flow Logs

- You can't enable Flow Logs for VPCs that are peered with your VPC unless the peer VPC is in your account.
- You can tag Flow Logs.
- **After you've created a Flow Log, you cannot change its configuration**; for example, you can't associate a different IAM role with the Flow Log.
- **Not all IP traffic is monitored:**
  - Traffic generated by instances when they contact the Amazon DNS server. **If you use your own DNS server, then all traffic to that DNS server is logged.**
  - Traffic generated by a Windows instance for Amazon **Windows license activation.**
  - Traffic to and from **169.254.169.254** for instance metadata.
  - DHCP traffic.
  - Traffic to the reserved IP address for the default VPC router.

### Bastion vs NAT Gateway/Instances

- A NAT Gateway or NAT Instance is used to provide internet traffic to EC2 instances in private subnets.
- A Bastion is used to securely administer EC2 instances (using SSH or RDP). Bastions are called Jump Boxes in Australia.
- You cannot use a NAT Gateway as a Bastion host.

### Direct Connect

- Direct Connect directly connects your data center to AWS.
- Useful for high throughput workloads.
- Or if you need a stable and reliable secure connection.

#### Steps to Creating a Direct Connect Connection

- Create a virtual interface in the Direct Connect console. **This is a Public Virtual Interface**.
- Go to the VPC console and then to VPN connections. Create a Customer Gateway.
- Create a Virtual Private Gateway.
- Attach the Virtual Private Gateway to the desired VPC.
- Select VPN Connections and create a new VPN Connection.
- Select the Virtual Private Gateway and the Customer Gateway.
- Once the VPN is available, set up the VPN on the customer gateway or firewall.

### Global Accelerator

- AWS Global Accelerator is a service in which you create accelerators to improve the availability and performance of your applications for local and global users.
- You are assigned 2 static IP addresses (or alternatively you can bring your own).
- You can control traffic using traffic dials. This is done within the endpoint group.
- You can control weighting to individual endpoints using weights.
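The Network ACL versus Security Group rules from the VPC exam tips and the Security Groups section above, modelled as an added example (not part of the original notes): numbered NACL rules evaluated lowest-first with an implicit deny, stateless reply checking, and an allow-only stateful security group that cannot block an address. The rule sets, addresses and ports are constructed for the example.

```python
"""Added example (not from the original notes): a small model of how a Network
ACL and a Security Group each decide on a packet, built from the rules stated in
the notes:

  * NACL: numbered rules, lowest number first, first match wins, implicit deny
    at the end, allow OR deny rules, stateless (the reply is checked against
    the opposite direction's rules).
  * Security Group: allow rules only, no deny, stateful (a reply to allowed
    traffic is allowed without an outbound rule).

Rule entries, addresses and ports below are constructed for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str       # source IP
    dst: str       # destination IP
    dst_port: int  # destination TCP port


@dataclass(frozen=True)
class NaclRule:
    number: int    # rule number; lower is evaluated first
    cidr: str      # remote CIDR (source for inbound, destination for outbound)
    port: int      # destination port, or -1 for all ports
    action: str    # "allow" or "deny"


def nacl_decision(rules: list, remote_ip: str, port: int) -> str:
    """First matching rule wins; unmatched traffic hits the implicit deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if ip_address(remote_ip) in ip_network(rule.cidr) and rule.port in (-1, port):
            return rule.action
    return "deny"  # the '*' catch-all rule every NACL ends with


def nacl_allows_exchange(inbound: list, outbound: list, pkt: Packet, reply_port: int) -> bool:
    """Stateless: the request is checked inbound AND the reply checked outbound.

    The reply goes back to pkt.src on an ephemeral port (reply_port), so the
    outbound rules must allow that port too or the connection silently fails."""
    req_ok = nacl_decision(inbound, pkt.src, pkt.dst_port) == "allow"
    reply_ok = nacl_decision(outbound, pkt.src, reply_port) == "allow"
    return req_ok and reply_ok


def sg_allows_exchange(inbound_allow: list, pkt: Packet) -> bool:
    """Stateful, allow-only: if any inbound rule matches, the reply is allowed
    automatically. There is no way to express a deny for one address."""
    return any(
        ip_address(pkt.src) in ip_network(cidr) and port == pkt.dst_port
        for cidr, port in inbound_allow
    )


# Constructed NACL: block one client, allow HTTPS from anywhere, allow replies out.
INBOUND = [
    NaclRule(100, "203.0.113.7/32", -1, "deny"),   # blocked client (documentation range)
    NaclRule(200, "0.0.0.0/0", 443, "allow"),
]
OUTBOUND = [NaclRule(100, "0.0.0.0/0", -1, "allow")]              # replies on any port
OUTBOUND_NO_EPHEMERAL = [NaclRule(100, "0.0.0.0/0", 443, "allow")]  # common mistake
SG_INBOUND = [("0.0.0.0/0", 443)]   # security group: allow HTTPS from anywhere

if __name__ == "__main__":
    blocked = Packet("203.0.113.7", "10.0.1.10", 443)
    ok = Packet("198.51.100.20", "10.0.1.10", 443)
    print(nacl_allows_exchange(INBOUND, OUTBOUND, blocked, 50000))          # False
    print(nacl_allows_exchange(INBOUND, OUTBOUND, ok, 50000))               # True
    print(nacl_allows_exchange(INBOUND, OUTBOUND_NO_EPHEMERAL, ok, 50000))  # False
    print(sg_allows_exchange(SG_INBOUND, blocked))                          # True: SG cannot block
```

Renumbering the deny rule above the allow rule (for example 300 instead of 100) makes it unreachable for port 443, which is why the "lowest numbered rule first" tip matters when blocking an address.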
### VPC Endpoints

- Interface Endpoints
- Gateway Endpoints
  - Support these services:
    - Amazon S3
    - DynamoDB

---

## HA Architecture

### 3 Types of Load Balancers

- Application Load Balancers
- Network Load Balancers
- Classic Load Balancers

### Exam Tips

- A 504 error means the gateway has timed out. This means that the application is not responding within the idle timeout period.
  - Troubleshoot the application. Is it the web server or the database server?
- If you need the IPv4 address of your end user, look for the **X-Forwarded-For** header.
- Instances monitored by ELB are reported as: In-Service or Out-of-Service.
- Health Checks check the instance health by talking to it.
- **Load Balancers have their own DNS name. You are never given an IP address.**
- **Read the ELB FAQ for Classic Load Balancers.**

### Advanced Load Balancer Theory

- Sticky Sessions enable your users to **stick to the same EC2 instance.** Can be useful if you are storing information locally on that instance.
- Cross Zone Load Balancing enables you to load balance across multiple AZs.
- Path patterns allow you to direct traffic to different EC2 instances based on the URL contained in the request.

### CloudFormation

- Is a way of completely scripting your cloud environment.
- Quick Start is a bunch of CloudFormation templates already built by AWS Solutions Architects allowing you to create complex environments very quickly.

### Elastic Beanstalk

With Elastic Beanstalk, you can quickly deploy and manage applications in the AWS Cloud without worrying about the infrastructure that runs those applications. You simply upload your application, and Elastic Beanstalk automatically handles the details of capacity provisioning, load balancing, scaling, and application health monitoring.

---

## Application

### SQS

- SQS is a way to de-couple your infrastructure.
- **SQS is pull based, not push based**.
- Messages are **256 KB** in size.
- Messages can be kept in the queue from 1 minute to 14 days; the default retention period is 4 days.
- Standard SQS and FIFO SQS.
  - Standard: order is not guaranteed and messages can be delivered more than once.
  - FIFO: order is strictly maintained and **messages are delivered only once.**
- Visibility Timeout is the amount of time that the message is invisible in the SQS queue after a reader picks up that message. Provided the job is processed before the visibility timeout expires, the message will then be deleted from the queue. If the job is not processed within that time, the message will become visible again and another reader will process it. This could result in the same message being delivered twice.
- Visibility timeout maximum is 12 hours.
- SQS guarantees that your messages will be processed at least once.
- Amazon SQS long polling is a way to retrieve messages from your Amazon SQS queues. While regular short polling returns immediately (even if the message queue being polled is empty), long polling doesn't return a response until a message arrives in the message queue, or the long poll times out.

#### SQS vs SWF

- SQS has a retention period of up to 14 days; with SWF, workflow executions can last up to 1 year.
- Amazon SWF presents a task-oriented API, whereas Amazon SQS offers a message-oriented API.
- Amazon SWF ensures that a task is assigned only once and is never duplicated. With Amazon SQS, you need to handle duplicated messages and may also need to ensure that a message is processed only once.
- Amazon SWF keeps track of all the tasks and events in an application. With Amazon SQS, you need to implement your own application-level tracking, especially if your application uses multiple queues.

### SWF Actors

- Workflow Starters: an application that can initiate (start) a workflow. Could be your e-commerce website following the placement of an order, or a mobile app searching for bus times.
- Deciders: control the flow of activity tasks in a workflow execution. If something has finished (or failed) in a workflow, a Decider decides what to do next.
- Activity Workers: carry out the activity tasks.

### SNS

- Instantaneous, push-based delivery (no polling).
- Simple APIs and easy integration with applications.
- Flexible message delivery over multiple transport protocols.
- Inexpensive, pay-as-you-go model with no up-front costs.
- Web-based AWS Management Console offers the simplicity of a point-and-click interface.

#### SNS vs SQS

- Both are messaging services in AWS.
- SNS - Push
- SQS - Polls (Pulls)

### Elastic Transcoder

Just remember that Elastic Transcoder is a media transcoder in the cloud. It converts media files from their original source format into different formats that will play on smartphones, tablets, PCs, etc.

### API Gateway

- API Gateway is at a high level
- API Gateway has caching capabilities to increase performance.
- API Gateway is low cost and scales automatically.
- You can throttle API Gateway to prevent attacks.
- You can log results to CloudWatch.
- If you're using AJAX that uses multiple domains with API Gateway, **ensure that you have enabled CORS on API Gateway.**
- CORS is enforced by the client.
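The visibility timeout behaviour described in the SQS section above, as an added example that is not part of the original notes: a minimal in-memory standard-queue model (not the SQS API) in which a worker that finishes before the timeout deletes the message, while a worker that overruns it sees the same message delivered again, which is why consumers of a standard queue must be idempotent. The queue, simulated clock and message bodies are constructed for the example.

```python
"""Added example (not from the original notes): a toy model of the SQS
visibility timeout on a standard queue. It is not the SQS API; the queue,
clock and messages are constructed for the example."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Message:
    body: str
    receipt: int = 0              # bumps on each receive, like a receipt handle
    invisible_until: float = 0.0  # simulated clock time when it becomes visible again


@dataclass
class Queue:
    visibility_timeout: float = 30.0   # seconds; the notes give 12 hours as the maximum
    now: float = 0.0                   # simulated clock
    messages: list = field(default_factory=list)

    def send(self, body: str) -> None:
        self.messages.append(Message(body))

    def receive(self) -> Optional[Message]:
        """Return the first visible message and hide it for visibility_timeout."""
        for msg in self.messages:
            if msg.invisible_until <= self.now:
                msg.receipt += 1
                msg.invisible_until = self.now + self.visibility_timeout
                return msg
        return None   # short polling: return immediately even when empty

    def delete(self, msg: Message) -> None:
        self.messages.remove(msg)

    def tick(self, seconds: float) -> None:
        self.now += seconds


def run_worker(q: Queue, work_seconds: float, max_receives: int = 10) -> tuple:
    """Drain the queue with a worker whose job takes work_seconds.

    Returns (number of deliveries, bodies acted on). The worker keeps an
    idempotency set keyed on the body, so re-deliveries are received but not
    re-processed. max_receives bounds the loop for the slow case, where a
    message that is never deleted would be re-delivered forever."""
    seen: set = set()
    acted: list = []
    deliveries = 0
    while deliveries < max_receives and (msg := q.receive()) is not None:
        deliveries += 1
        q.tick(work_seconds)          # the job runs for this long
        if msg.body not in seen:      # idempotency key: the body (constructed)
            seen.add(msg.body)
            acted.append(msg.body)
        if q.now <= msg.invisible_until:
            q.delete(msg)             # finished in time: delete before the timeout
        # otherwise the timeout already expired and the message is visible again
    return deliveries, acted


if __name__ == "__main__":
    fast = Queue(visibility_timeout=30.0)
    fast.send("order-1")
    print(run_worker(fast, work_seconds=5.0))                   # (1, ['order-1'])

    slow = Queue(visibility_timeout=30.0)
    slow.send("order-1")
    print(run_worker(slow, work_seconds=45.0, max_receives=3))  # (3, ['order-1'])
    print(len(slow.messages), "message(s) still queued")         # 1: never deleted
```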
### Kinesis

- Amazon Kinesis Data Streams (KDS) is a massively scalable and durable real-time data streaming service. KDS can continuously capture gigabytes of data per second from hundreds of thousands of sources such as website clickstreams, database event streams, financial transactions, social media feeds, IT logs, and location-tracking events. The data collected is available in milliseconds to enable real-time analytics use cases such as real-time dashboards, real-time anomaly detection, dynamic pricing, and more.
- Amazon Kinesis Data Firehose is the easiest and most reliable way to load streaming data into data lakes, data stores, and analytics tools. It can capture, transform, and load streaming data into Amazon S3, Amazon Redshift, Amazon Elasticsearch Service, and Splunk, enabling near real-time analytics with the existing business intelligence tools and dashboards you are already using today. It is a fully managed service that automatically scales to match the throughput of your data and requires no ongoing administration. It can also batch, compress, transform, and encrypt the data before loading it, minimizing the amount of storage used at the destination and increasing security.
- Amazon Kinesis Data Analytics is the easiest way to analyze streaming data, gain actionable insights, and respond to your business and customer needs in real time. Amazon Kinesis Data Analytics reduces the complexity of building, managing, and integrating streaming applications with other AWS services. SQL users can easily query streaming data or build entire streaming applications using templates and an interactive SQL editor. Java developers can quickly build sophisticated streaming applications using open source Java libraries and AWS integrations to transform and analyze data in real time. Amazon Kinesis Data Analytics takes care of everything required to run your real-time applications continuously and scales automatically to match the volume and throughput of your incoming data. With Amazon Kinesis Data Analytics, you only pay for the resources your streaming applications consume. There is no minimum fee or setup cost.

### Cognito

- Federation allows users to authenticate with a Web Identity Provider (Google, Facebook, Amazon).
- The user authenticates first with the Web ID Provider and receives an authentication token, which is exchanged for temporary AWS credentials allowing them to assume an IAM role.
- Cognito is an Identity Broker which handles interaction between your applications and the Web ID provider.
- User pools are user based. They handle things like user registration, authentication, and account recovery.
- Identity pools authorise access to your AWS resources.

## Lambda

- Lambda scales out (not up) automatically.
- Lambda functions are independent: 1 event = 1 function.
- Lambda is serverless.

### AWS X-Ray

- Allows you to debug serverless services and know what is happening.
- Lambda can do things globally; you can use it to back up S3 buckets to other S3 buckets etc.
- Know your triggers.

## Amazon Cognito

Simple and secure user sign-up, sign-in, and access control.

Amazon Cognito lets you add user sign-up, sign-in, and access control to your web and mobile apps quickly and easily. Amazon Cognito scales to millions of users and supports sign-in with social identity providers (such as Facebook, Google, and Amazon) and enterprise identity providers via SAML 2.0.

## AWS Data Pipeline

AWS Data Pipeline is a web service that helps you reliably process and move data between different AWS compute and storage services, as well as on-premises data sources, at specified intervals. With AWS Data Pipeline, you can regularly access your data where it is stored, transform and process it at scale, and efficiently transfer the results to AWS services such as Amazon S3, Amazon RDS, Amazon DynamoDB, and Amazon EMR.

## AWS Device Farm

AWS Device Farm is an application testing service that lets you improve the quality of your web and mobile apps by testing them across a range of desktop browsers and real mobile devices, without having to provision and manage any testing infrastructure. The service lets you run your tests concurrently on multiple desktop browsers or real devices to speed up the execution of your test suite, and generates videos and logs to help you quickly identify issues with your app.

## Practice questions

no.1, no.12, no.23, no.29, no.30, no.33 (correct answer is C), no.34, no.36, no.40, no.49, no.55, no.61, no.63 (disputed; correct answer is B), no.65, no.69, no.75, no.79, no.90, no.95, no.96, no.104, no.105 (A & C), no.116, no.119, no.129 (A & C), no.149 (A & D), no.150, no.152, no.157, no.158, no.161, no.163, no.164, no.174, no.175, no.179, no.185, no.187, no.194, no.198, no.199, no.200, no.205