AWS SAP-C02 Notes
- When to Use Spot Instances
You can use Spot Instances for various fault-tolerant and flexible applications.
Examples include stateless web servers, API endpoints, big data and analytics applications, containerized workloads, CI/CD, high performance and high throughput computing (HPC/HTC), rendering workloads, and other flexible workloads.
- Secrets Manager vs Parameter Store
Choose Secrets Manager when you need:
Automatic secret rotation
Built-in rotation for AWS services (RDS, Redshift, DocumentDB)
Cross-account secret sharing
Fine-grained IAM permissions at the secret level
Automatic generation of random secrets
Ability to store larger secrets (up to 64 KB vs 8 KB in Parameter Store)
Choose Parameter Store when:
You want to store non-sensitive configuration data and secrets
Cost is a major factor (Parameter Store has a free tier)
You need hierarchical storage of parameters
You don’t require automatic secret rotation
You’re storing smaller secrets (up to 8 KB)
You need higher throughput (Parameter Store has higher API quota limits)
Best Practices:
Use Secrets Manager for sensitive information that requires rotation
Use Parameter Store for configuration data and less sensitive information
Implement proper IAM permissions using the principle of least privilege
Enable encryption for sensitive parameters in Parameter Store
Use tags to organize and manage your secrets
Monitor secret access using AWS CloudTrail
Consider using resource policies for cross-account access
Remember that while Secrets Manager provides more features, it comes at a higher cost. Choose the service that best matches your security requirements, budget, and operational needs.
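The "fine-grained IAM permissions at the secret level" and "cross-account secret sharing" points above come down to a resource policy attached to the secret. The following is an added example, not from these notes or from AWS documentation: a resource policy that lets one named role in a second account read one secret and nothing else. The account IDs, the role name and the secret are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOrderServiceRoleInAccountBToReadThisSecret",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::222222222222:role/OrderServiceRole"
      },
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret"
      ],
      "Resource": "*"
    }
  ]
}
```

In a resource policy, "Resource": "*" means the secret the policy is attached to, so the grant is scoped to exactly one secret and one principal (a role ARN, not an account root, so nobody else in account 222222222222 inherits it). Two more pieces are needed for the cross-account read to succeed, and forgetting either is the usual cause of AccessDenied: the secret must be encrypted with a customer managed KMS key whose key policy allows the same role to call kms:Decrypt (the AWS managed key cannot be shared across accounts), and the role's own identity policy in account 222222222222 must allow secretsmanager:GetSecretValue on the secret's ARN. Every GetSecretValue call, including the cross-account ones, shows up in CloudTrail, which is where the "monitor secret access" item above is satisfied.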
- RDS storage quota: the maximum total storage (in GB) on EBS volumes for all Amazon RDS DB instances in an account, added together.
This quota does not apply to Amazon Aurora, which has a maximum cluster volume of 128 TiB for each DB cluster.
Aurora Max Storage: 128 TiB
RDS Max Storage (most engines): 64 TiB
RDS Max Storage (SQL Server): 16 TiB
- CloudFormation DeletionPolicy
There are 3 types of CloudFormation DeletionPolicy options:
“Delete”
“Retain” for S3
“Snapshot” for RDS
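To see the three options side by side, here is an added example template (written for these notes, not taken from AWS documentation) with one resource per policy value. The resource names, the bucket name and the database settings are placeholders; UpdateReplacePolicy is set alongside DeletionPolicy on the stateful resources because a stack update that replaces a resource otherwise deletes the old one regardless of DeletionPolicy.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Added example for the DeletionPolicy notes: one resource per policy value. Names and settings are placeholders.",
  "Resources": {
    "ScratchQueue": {
      "Type": "AWS::SQS::Queue",
      "DeletionPolicy": "Delete"
    },
    "AuditLogBucket": {
      "Type": "AWS::S3::Bucket",
      "DeletionPolicy": "Retain",
      "UpdateReplacePolicy": "Retain",
      "Properties": {
        "BucketName": "audit-logs-placeholder-bucket-name"
      }
    },
    "OrdersDatabase": {
      "Type": "AWS::RDS::DBInstance",
      "DeletionPolicy": "Snapshot",
      "UpdateReplacePolicy": "Snapshot",
      "Properties": {
        "Engine": "mysql",
        "DBInstanceClass": "db.t3.micro",
        "AllocatedStorage": "20",
        "MasterUsername": "admin",
        "ManageMasterUserPassword": true
      }
    }
  }
}
```

Deleting this stack removes the queue, leaves the bucket in place (it must then be emptied and deleted by hand, and it is no longer tracked by the stack), and creates a final DB snapshot before dropping the instance. Delete is the default for almost every resource type, so the protective values have to be written explicitly; the Snapshot value is only accepted by resource types that support snapshots (RDS, EBS volumes, Redshift, ElastiCache and Neptune clusters are the common ones).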
- AWS Application Migration Service (MGN) is primarily used to migrate virtual machines.
Lift & Shift migration and modernization.
Automate conversion of source VMs to run on AWS.
- SCPs (Service Control Policies) never grant permissions.
SCPs affect only IAM users and roles that are managed by accounts that are part of the organization. SCPs don’t affect resource-based policies directly. They also don’t affect users or roles from accounts outside the organization.
SCPs do not affect any service-linked role.
Service-linked roles enable other AWS services to integrate with AWS Organizations and can’t be restricted by SCPs.
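Because an SCP can only take permissions away, a typical one is a short deny list of actions that no account in the organization should be able to take, whatever its own IAM policies say. The following is an added example policy, constructed for these notes rather than copied from AWS; the break-glass role name is a placeholder.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyLeavingTheOrganization",
      "Effect": "Deny",
      "Action": "organizations:LeaveOrganization",
      "Resource": "*"
    },
    {
      "Sid": "ProtectCloudTrailExceptForSecurityAdmins",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging",
        "cloudtrail:DeleteTrail",
        "cloudtrail:UpdateTrail",
        "cloudtrail:PutEventSelectors"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/OrgSecurityAdmin"
        }
      }
    }
  ]
}
```

Three things this policy illustrates about the notes above. It has no Allow statement, and adding one would not let anyone do anything: an account administrator still needs an identity policy that allows the action, and the SCP only marks the ceiling. The aws:PrincipalARN condition is how an exemption is expressed, since a Deny with no condition binds every user and role in the member accounts, including the root user. And the exemption is not needed for service-linked roles such as the one CloudTrail itself uses, because SCPs never apply to them. Attach it to the organization root or an OU, and remember that the management account is never restricted by SCPs, which is one reason to keep workloads out of it.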
- An alias record is a Route 53 extension to DNS.
It’s similar to a CNAME record, but you can create an alias record both for the root domain, such as example.com, and for subdomains, such as www.acme.com.
The DNS protocol prevents the assignment of CNAME records at the zone apex.
For example, if your domain is contoso.com, you can create a CNAME record for myapplication.contoso.com, but you can’t create a CNAME record for contoso.com itself.
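What the apex limitation looks like in practice, as an added example that is not part of these notes: a change batch for the Route 53 ChangeResourceRecordSets API that points the zone apex at a CloudFront distribution with an alias record. The domain and distribution hostname are placeholders; Z2FDTNDATAQYW2 is the fixed hosted zone ID that Route 53 uses for all CloudFront alias targets.

```json
{
  "Comment": "Added example: alias at the zone apex, where a CNAME is not allowed",
  "Changes": [
    {
      "Action": "UPSERT",
      "ResourceRecordSet": {
        "Name": "example.com.",
        "Type": "A",
        "AliasTarget": {
          "HostedZoneId": "Z2FDTNDATAQYW2",
          "DNSName": "d111111abcdef8.cloudfront.net.",
          "EvaluateTargetHealth": false
        }
      }
    }
  ]
}
```

Note the record type is A, not CNAME: an alias record is stored with the type of the answer Route 53 will return, so it can coexist with the SOA and NS records that must sit at the apex, and resolvers see an ordinary A answer. Queries for alias records that target AWS resources are also not billed, which a CNAME to the same CloudFront hostname would be. Changing the Name to www.example.com. and the Type to CNAME with a plain ResourceRecords value is the equivalent for a subdomain, where either form is legal.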
- Disaster recovery strategies
Backup & Restore -> RTO/RPO: hours
Pilot Light -> RTO/RPO: tens of minutes
Warm Standby -> RTO/RPO: a few minutes
Active/Active -> RTO/RPO: near real time
- Aurora has parallel query capability.
While some databases can parallelize query processing across CPUs in one or a handful of servers, Parallel Query takes advantage of Aurora’s unique architecture to push down and parallelize query processing across thousands of CPUs in the Aurora storage layer. By offloading analytical query processing to the Aurora storage layer, Parallel Query reduces network, CPU, and buffer pool contention with the transactional workload.
- 6 Application Migration Strategies:
Rehosting : Otherwise known as “lift-and-shift.”
Replatforming : I sometimes call this “lift-tinker-and-shift.”
Repurchasing : Moving to a different product.
Refactoring / Re-architecting : Re-imagining how the application is architected and developed, typically using cloud-native features.
Retire : Get rid of.
Retain : Usually this means “revisit” or do nothing (for now).
- Each copy operation has some overhead because of encryption. To speed up the process of transferring small files to your AWS Snowball Edge device, you can batch them together in a single archive. When you batch files together, they can be auto-extracted when they are imported into Amazon S3, if they were batched in one of the supported archive formats.
You can pipe (|) the archive straight into the S3 copy without writing it to local disk:
Linux: tar -cf - /Logs/April | aws s3 cp - s3://amzn-s3-demo-bucket/batch01.tar --metadata snowball-auto-extract=true --endpoint http://192.0.2.0:8080
Windows: 7z a -tzip -so "test" | aws s3 cp - s3://amzn-s3-demo-bucket/batch01.zip --metadata snowball-auto-extract=true --endpoint http://192.0.2.0:8080
- For Aurora Global Database, RTO can be in the order of minutes.
For an Aurora global database, RPO is typically measured in seconds.
- If you use AssumeRoleWithSAML with STS, you still need to manage your own users somewhere (LDAP, AD, etc.).
If you use AssumeRoleWithWebIdentity with STS, you can use identities that already exist with Login with Amazon, Facebook, Google, or any other OpenID Connect (OIDC)-compatible IdP.
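Either way, what decides who may actually assume the role is the role's trust policy. The following is an added example of a trust policy for the AssumeRoleWithWebIdentity case, written for these notes rather than taken from AWS documentation; the account ID, the provider hostname oidc.example.com, the client ID and the subject prefix are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TrustTokensFromOneProviderForOneClientAndOneTeam",
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::111111111111:oidc-provider/oidc.example.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.example.com:aud": "app-client-id-placeholder"
        },
        "StringLike": {
          "oidc.example.com:sub": "team-payments:*"
        }
      }
    }
  ]
}
```

The Principal names the IAM OIDC identity provider, which is what ties the role to the provider's signing keys; the two conditions are the part that is easy to leave out and expensive to forget. Without the aud check, any token the same provider issued for any other application could be exchanged for these credentials, and without the sub check every user of that application could. The condition key names are the provider hostname followed by the claim name, so for Amazon Cognito identity pools they become cognito-identity.amazonaws.com:aud and cognito-identity.amazonaws.com:amr. For the AssumeRoleWithSAML case the shape is the same: the Federated principal is the saml-provider ARN, the Action is sts:AssumeRoleWithSAML, and the usual condition is "SAML:aud": "https://signin.aws.amazon.com/saml", with the user store behind the SAML IdP still being yours to run.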