## Notes
Collection of AWS exam tips, operational complexity, efficiency, cost, etc
## Deployment
- [ ] AWS Elastic Beanstalk to deploy applications
- [ ] Serverless with Lambda
- [ ] Deploy with CodePipeline, CodeBuild, CodeDeploy
### CodeBuild
- Fully-managed build service; build from CodeCommit, GitHub, BitBucket
- Local debugging is possible
- Configure build steps with `buildspec.yaml`
```yaml
# buildspec.yaml (indentation restored; buildspec schema versions are 0.1 and 0.2,
# so "version: 1.0" was invalid and the 0.1-style environment_variables block is
# written in 0.2 syntax here)
version: 0.2
env:
  variables:
    JAVA_HOME: "/usr/lib/..."
phases:
  install:
    commands:
      - echo Downloading JUnit JAR file
      - mkdir lib
      - wget http://central.maven.org/maven2/junit/...
  pre_build:
    commands:
      - echo Creating directories
      - mkdir build
      - mkdir build/classes
      - mkdir build/jar
  build:
    commands:
      - echo Build started on `date`
      - ant
  post_build:
    commands:
      - echo Build completed on `date`
artifacts:
  files:
    - build/jar/HelloWorld.jar
```
### CodeDeploy
- Minimize downtime with a controlled deployment strategy
- Centralized control
- Iteratively release new features
- Deployment types: in-place, rolling, blue-green
- Deployment configurations: *OneAtATime*, *HalfAtATime*, *AllAtOnce*
- Can install `CodeDeploy` on EC2 and on-prem
- Use `appspec.yaml` file
```yaml
# appspec.yaml (indentation restored; the key is `os`, not `on`)
version: 0.0
os: linux
files:
  - source: config.txt
    destination: /webapps/config
  - source: source
    destination: /webapps/myApp
hooks:
  BeforeInstall:
    - location: scripts/unzipResourceBundle.sh
    - location: scripts/unzipDataBundle.sh
  AfterInstall:
    - location: scripts/runResourceTests.sh
      timeout: 100
  ApplicationStart:
    - location: scripts/runFunctionalTests.sh
      timeout: 3600
  ValidateService:
    - location: scripts/monitorService.sh
      timeout: 3600
      runas: codedeployuser
```
### CodePipeline
- Manual approval step
- Pipeline actions
- Source: *CodeCommit*, *GitHub*
- Build & Test: *CodeBuild*, *Jenkins*
- Deploy: *CodeDeploy*, *CloudFormation*, *Elastic Beanstalk*, *OpsWorks*
- Invoke: specify custom function to run like *Lambda*
- Approval: Publish *SNS* topic for manual approval
### SAM
- Uses *CloudFormation* under the hood
- Separate `sam` CLI vs `aws` CLI
### Lambda
Deploy *Lambda* in two ways
- `.zip` file that includes application code and dependencies--needs to be uploaded to S3
- Dockerized image uploaded to *ECR*
### ElasticBeanstalk
Three ways to configure
- `ebextensions` insert a configuration file in the root directory
- Template file
- `eb` CLI
### Strategies
| Method | Impact of Failure | Time | Zero Downtime | Rollback Process | Code Deployed |
| --- | --- | --- | --- | --- | --- |
| All at Once | Downtime | 1/4 | False | Re-deploy | Existing instances |
| Rolling | Single batch of instances will be out of service; any instances successfully deployed before the failure will be running the new application | 2/4 | True | Re-deploy | Existing instances |
| Rolling with additional batch | Minimal if the first batch fails; otherwise similar to Rolling | 3/4 | True | Re-deploy | New and existing instances |
| Immutable | Minimal | 4/4 | True | Terminate new instances | New instances |
| Blue/green (two environments) | Minimal | 4/4 | True | Swap URL | New instances |
---
## Security
- Do secure authenticated calls to different AWS services
- Know how to assume IAM roles
- Make sure to apply least privilege
- Encrypt data at rest and in transit
- Implement application authentication and authorization with Cognito
### Cognito
#### User Pools
- Provides sign-up and sign-in options
- Built-in, customizable UI
- Social sign-in: Google, Facebook through [[SAML]] and [[OIDC]]
- MFA, password reset, phone code
#### Identity Pools
- Grant user access to AWS services with temporary credentials
#### Differences
- User Pools
- Design sign-up/sign-in pages
- Access/manage user data
- Track user device, location, IP
- Use custom auth flow
- Identity Pools
- Give temporary access to S3 or DynamoDB
### API Gateway
- Use resource policies to allow/deny access to APIs
- IAM roles & policies to apply least privilege when connecting other AWS services to API Gateway
- Lambda authorizers
- Control REST API access using bearer token
- Configure API method to use Cognito User Pool--allow logged-in users access to APIs
#### Throttle API Requests to Improve Performance
- Set per-client throttling limits to limit requests
- Per-method throttling
- Account-level throttling
- AWS Regional throttling
### CloudFront
- Validate JWT in header of requests
### DynamoDB
#### Server-Side Encryption
- Encryption by default
- All tables (global), streams, and backups are encrypted by default
#### Client-side Encryption
- End-to-end encryption
- Sign table items to detect changes
---
## Development
- Serverless
- Write code that interacts with AWS services via APIs, SDKs, CLI
### DynamoDB
- Keys
- Partition key (hash attribute): simple primary key
- Composite primary key (hash and range attribute): first attribute is the partition key, second attribute is the sort key
- Access patterns
- O(1) for partition key
- Best practices
- Spread keys across multiple partitions
- Composite key would be good if need to retrieve something in order
#### Read Capacity Units
- Calculation
	- Reads are sized in 4 KB blocks (item size rounded up)
	- One RCU = 2 eventually consistent reads per second
	- One RCU = 1 strongly consistent read per second
- Example
	- Items stored are 7 KB, strongly consistent reads, max read rate of 3 items/sec
	- 7 KB / 4 KB = 1.75 blocks, rounded up to 2 blocks per item
	- Strongly consistent reads mean 1 read/sec per RCU
	- 3 items/sec * 2 = **6 read capacity units**
#### Write Capacity Units
- Parameters
	- Writes are sized in 1 KB blocks (item size rounded up)
	- One WCU = 1 write per second
- Example
	- 7 KB items; write rate is 10 items/sec
	- 10 items/sec * 7 = **70 write capacity units**
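The two worked examples above are one instance each of a general rule (round the item size up to the block size, multiply by the rate, adjust for consistency). The following added example, not from the original notes, implements that rule as functions so other item sizes and read modes can be sized the same way; the transactional doubling is the documented DynamoDB rule and is an extension beyond the notes' two cases.

```python
import math

# Sizing rules: one RCU = one strongly consistent 4 KB read/sec, or two
# eventually consistent 4 KB reads/sec; one WCU = one 1 KB write/sec.
# Transactional operations cost double. Item sizes round up to the next block.
READ_BLOCK_KB = 4
WRITE_BLOCK_KB = 1


def read_capacity_units(item_kb, items_per_sec, strongly_consistent=True, transactional=False):
    """RCUs to provision for reading `items_per_sec` items of `item_kb` KB each."""
    blocks_per_item = math.ceil(item_kb / READ_BLOCK_KB)
    units = blocks_per_item * items_per_sec
    if transactional:
        units *= 2        # transactional read = 2 RCUs per 4 KB block
    elif not strongly_consistent:
        units /= 2        # eventually consistent = half an RCU per 4 KB block
    return math.ceil(units)


def write_capacity_units(item_kb, items_per_sec, transactional=False):
    """WCUs to provision for writing `items_per_sec` items of `item_kb` KB each."""
    blocks_per_item = math.ceil(item_kb / WRITE_BLOCK_KB)
    units = blocks_per_item * items_per_sec
    if transactional:
        units *= 2        # transactional write = 2 WCUs per 1 KB block
    return math.ceil(units)


if __name__ == "__main__":
    # The two worked examples from the notes.
    print(read_capacity_units(7, 3))      # 6
    print(write_capacity_units(7, 10))    # 70
```

Switching the 7 KB read example to eventually consistent halves it to 3 RCUs, which is the usual exam twist.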
### SQS
#### Two Types
- **Standard queues**
- Best-effort
- Once-and-only-once delivery
- **FIFO**
	- Guarantees exactly-once processing, in the order received
- 300 requests per second
#### Short Vs Long Polling
- **Short polling**
- SQS service requests queue at regular intervals
- Reduces time taken to retrieve messages
- Higher request/response latencies
- **Long polling**
- Sends request to queue and waits (up to 20 seconds)
- If no messages, request is terminated with "no messages found"
- Else, messages are returned in response and request is terminated
- Reduces number of empty responses
- Improves performance
#### Visibility Timeout
- Make a message invisible for 12 hours
- Good for multiple consumers to one queue
- Prevents multiple consumers from processing the same message at once
#### Message Lifecycle
- Messages are kept for default 4 days, max 14 days
- Max 256kb text in any format
- Consumer picks up message, visibility timeout kicks in
- Default 30 seconds, max 12 hours
- Consumer deletes message once processed
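The lifecycle above (long poll, process, delete; an unprocessed message reappears after its visibility timeout) is easier to see as a consumer loop. This is an added example, not code from the notes: `poll_once` and `extend_visibility` take any object with the boto3 SQS client's `receive_message`, `delete_message` and `change_message_visibility` methods, and `FakeSQS` is a constructed in-memory stand-in so the block runs offline (it does not advance time, so a hidden message stays hidden).

```python
class FakeSQS:
    """Constructed in-memory stand-in for a boto3 SQS client. Honours the
    receive/delete contract and records which messages a visibility timeout
    has hidden, but never expires a timeout."""

    def __init__(self, bodies):
        self.messages = [
            {"MessageId": f"m{i}", "ReceiptHandle": f"rh-m{i}", "Body": body}
            for i, body in enumerate(bodies)
        ]
        self.invisible = set()
        self.deleted = set()
        self.visibility_changes = {}

    def receive_message(self, QueueUrl, MaxNumberOfMessages=1, WaitTimeSeconds=0, VisibilityTimeout=30):
        visible = [m for m in self.messages
                   if m["MessageId"] not in self.invisible and m["MessageId"] not in self.deleted]
        batch = visible[:MaxNumberOfMessages]
        for m in batch:
            self.invisible.add(m["MessageId"])      # hidden until the timeout lapses
        return {"Messages": batch} if batch else {}  # real SQS omits the key when empty

    def delete_message(self, QueueUrl, ReceiptHandle):
        self.deleted.add(ReceiptHandle.removeprefix("rh-"))

    def change_message_visibility(self, QueueUrl, ReceiptHandle, VisibilityTimeout):
        self.visibility_changes[ReceiptHandle.removeprefix("rh-")] = VisibilityTimeout


def poll_once(sqs, queue_url, handler, wait_seconds=20, visibility_timeout=30, batch_size=10):
    """One long-poll cycle: receive up to `batch_size` messages, run `handler`
    on each body, delete on success, leave failures to reappear after the
    visibility timeout. Returns counts so the caller can see what happened."""
    resp = sqs.receive_message(
        QueueUrl=queue_url,
        MaxNumberOfMessages=batch_size,     # SQS allows 1..10
        WaitTimeSeconds=wait_seconds,       # 0..20; anything > 0 is long polling
        VisibilityTimeout=visibility_timeout,
    )
    messages = resp.get("Messages", [])
    stats = {"received": len(messages), "deleted": 0, "retried": 0}
    for msg in messages:
        try:
            handler(msg["Body"])
        except Exception:
            # Not deleted: when the timeout lapses the message becomes visible
            # again and is retried. Cap retries with a redrive policy / DLQ.
            stats["retried"] += 1
            continue
        sqs.delete_message(QueueUrl=queue_url, ReceiptHandle=msg["ReceiptHandle"])
        stats["deleted"] += 1
    return stats


def extend_visibility(sqs, queue_url, receipt_handle, seconds):
    """Heartbeat for slow work: push the timeout out (SQS maximum is 12 hours)
    so another consumer does not pick the same message up mid-processing."""
    seconds = min(seconds, 12 * 3600)
    sqs.change_message_visibility(QueueUrl=queue_url, ReceiptHandle=receipt_handle,
                                  VisibilityTimeout=seconds)
    return seconds


if __name__ == "__main__":
    # Constructed queue contents: one message the handler cannot process.
    queue = FakeSQS(["order:1", "poison", "order:2"])

    def handle(body):
        if body == "poison":
            raise ValueError("unparseable message")

    print(poll_once(queue, "https://sqs.example/queue", handle))
```

With the real SDK the call is the same: `poll_once(boto3.client("sqs"), queue_url, handle)`, looped until shutdown.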
## Refactoring
- Refactor applications so they're able to use other AWS services
- Move sessions from server to *Elasticache*
- Migrate to AWS
### Elasticache
#### Memcache
- Simplest model possible
- Large nodes with multiple cores/threads
- Ability to scale
- Share data across multiple nodes
- Need to cache objects (e.g. results read from a database)
#### Redis
- Need complex data types, like strings, hashes, lists, sets
- Sort/rank in-memory datasets
- Persistence for key store
- Replicate data from primary to replicas for availability
- Automatic failover if any primary nodes fail
- Pub/sub
- Backup and restore
## Monitoring and Troubleshooting
- X-Ray and CloudWatch
- Perform root cause analysis
- CI/CD pipelines
- CloudWatch/X-Ray for serverless
## References
- [AWS Developer Associate Exam Guide - Towards the Cloud](https://towardsthecloud.com/aws-developer-associate-exam-guide)
- [Assume IAM Role](https://towardsthecloud.com/aws-cli-assume-iam-role)
## Appendix
### Assume an IAM Role
- Can use something like Secure Token Service (STS) to assume the role
- Get temporary credentials to get those permissions
- Good for
- Cross-account access
- Temporary elevated permissions
- Delegating permissions to services
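The STS call the notes describe, as an added example that is not from the notes or the linked article: `assume_role` accepts any object with boto3's `assume_role` signature, so the constructed `FakeSTS` lets the block run offline, and the session policy shows how an assumed session can be scoped below the role's own policy (least privilege from the Security section). The bucket name, role ARN and account id are constructed placeholders.

```python
import json

# Session policy: effective permissions are the intersection of the role's
# policy and this document, so a broad role still yields a narrow session.
# Bucket name is a constructed placeholder.
READ_ONE_BUCKET = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
}


def assume_role(sts, role_arn, session_name, duration_seconds=3600,
                session_policy=None, external_id=None):
    """Call STS AssumeRole and return the temporary Credentials dict."""
    kwargs = {"RoleArn": role_arn, "RoleSessionName": session_name,
              "DurationSeconds": duration_seconds}
    if session_policy is not None:
        kwargs["Policy"] = json.dumps(session_policy)   # inline session policy
    if external_id is not None:
        kwargs["ExternalId"] = external_id              # cross-account confused-deputy guard
    return sts.assume_role(**kwargs)["Credentials"]


def credentials_as_env(creds):
    """Map STS credentials to the variables the CLI/SDKs read. All three are
    needed: the key pair is rejected without its session token."""
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
    }


class FakeSTS:
    """Constructed stand-in: records the request and returns an STS-shaped reply."""

    def __init__(self):
        self.calls = []

    def assume_role(self, **kwargs):
        self.calls.append(kwargs)
        return {
            "Credentials": {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "secret",
                            "SessionToken": "token", "Expiration": "2030-01-01T00:00:00Z"},
            "AssumedRoleUser": {
                "Arn": f"arn:aws:sts::123456789012:assumed-role/Example/{kwargs['RoleSessionName']}"},
        }


if __name__ == "__main__":
    sts = FakeSTS()
    creds = assume_role(sts, "arn:aws:iam::123456789012:role/Example", "audit-session",
                        session_policy=READ_ONE_BUCKET, external_id="partner-ext-id")
    print(credentials_as_env(creds))
```

With the real SDK: `assume_role(boto3.client("sts"), role_arn, "audit-session")`; the returned dict can be fed to `boto3.Session(...)` or exported as the env vars above for the CLI.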
### User Pool Vs Identity Pool
- User Pool is for authentication--making sure an agent is who they say they are
- Identity Pool is for authorization--granting privileges to agent
### API Gateway Lambda Authorizer
- *Lambda authorizer* takes caller's identity and returns a policy
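A TOKEN-type Lambda authorizer in code, covering this appendix entry and the API Gateway notes on bearer tokens and JWT validation. This is an added example, not from the notes: it verifies an HS256 JWT with the standard library (no PyJWT dependency) and returns the IAM policy document API Gateway expects. The shared secret, `mint_token` helper and `now` parameter are constructed for the demo; a real deployment would load the secret from Secrets Manager or, for Cognito-issued tokens, verify RS256 signatures against the user pool's JWKS instead.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret"   # placeholder; never hard-code in production


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims, secret=SECRET):
    """Issue an HS256 JWT (constructed helper so the demo has tokens to check)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token, secret=SECRET, now=None):
    """Return the claims if the signature and expiry check out, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":          # refuse alg=none / algorithm swaps
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:                            # malformed base64/JSON/segments
        return None
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return None
    return claims


def _policy(principal_id, effect, method_arn, context=None):
    """Shape of an authorizer response: who the caller is, whether they may
    invoke this method ARN, and context passed through to the backend."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke",
                           "Effect": effect, "Resource": method_arn}],
        },
        "context": context or {},
    }


def handler(event, context=None, now=None):
    """Lambda entry point for a TOKEN authorizer. `now` is added for testing.
    Returning Deny yields 403; raising Exception("Unauthorized") yields 401."""
    auth = event.get("authorizationToken", "")
    method_arn = event["methodArn"]
    if not auth.startswith("Bearer "):
        return _policy("anonymous", "Deny", method_arn)
    claims = verify_token(auth[len("Bearer "):], now=now)
    if not claims or not claims.get("sub"):
        return _policy("anonymous", "Deny", method_arn)
    return _policy(claims["sub"], "Allow", method_arn, {"scope": claims.get("scope", "")})


if __name__ == "__main__":
    token = mint_token({"sub": "user-1", "scope": "orders:read", "exp": int(time.time()) + 300})
    event = {"type": "TOKEN", "authorizationToken": f"Bearer {token}",
             "methodArn": "arn:aws:execute-api:us-east-1:123456789012:abc123/prod/GET/orders"}
    print(json.dumps(handler(event), indent=2))
```

API Gateway caches the returned policy per token for the configured TTL, so a short `exp` on the token does not by itself end access until the cache entry expires.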