AWS certified developer associate hints. IAM, EC2, ALB and ASG (part I)
IAM, Users, Groups and Policies
IAM = Identity and access management.
Root account created by default should not be used or shared.
Users are the people of your organization; they can be grouped.
Some users may not belong to any group; others may belong to multiple groups.
Users and groups can be assigned IAM policies.
IAM policy
Consists of:
Version
Id (optional)
Statement: one or more Statement objects
Statement:
Sid - statement id (optional)
Effect - Allow or Deny
Principal - account/user/role the statement applies to
Action - list of API calls
Resource - list of resources the statement applies to
Condition - conditions under which the statement applies (optional)
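As an added example (not part of these notes), a small Python 3 linter that checks a policy document for the structure listed above and flags the patterns a reviewer looks for first: an Allow of "*" on "*", a whole-service wildcard action, and an anonymous Principal with no Condition. The sample policy, bucket name and path are constructed placeholders, not values from the notes.

```python
import json

# Constructed least-privilege sample; bucket name and prefix are placeholders.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "example-read-only",
    "Statement": [{
        "Sid": "ReadReports",
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket",
                     "arn:aws:s3:::example-bucket/reports/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "true"}},
    }],
})

# Constructed over-broad sample: an Allow of every action on every resource.
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"},
})


def _as_list(value):
    """IAM accepts a single value or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(document: str) -> list:
    """Return a list of findings (empty list means the document passed every check)."""
    findings = []
    try:
        doc = json.loads(document)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    if "Version" not in doc:
        findings.append("missing Version")
    statements = _as_list(doc.get("Statement"))
    if not statements:
        findings.append("no Statement")
    for index, st in enumerate(statements):
        sid = st.get("Sid", f"#{index}")
        effect = st.get("Effect")
        if effect not in ("Allow", "Deny"):
            findings.append(f"{sid}: Effect must be Allow or Deny")
        if "Action" not in st and "NotAction" not in st:
            findings.append(f"{sid}: missing Action")
        if "Resource" not in st and "NotResource" not in st:
            findings.append(f"{sid}: missing Resource")
        if effect != "Allow":
            continue  # the broadness checks only matter for Allow statements
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        if "*" in actions and "*" in resources:
            findings.append(f"{sid}: Allow * on * is AdministratorAccess-equivalent")
        elif any(isinstance(a, str) and a.endswith(":*") for a in actions):
            findings.append(f"{sid}: wildcard action over a whole service")
        principal = st.get("Principal")
        anonymous = principal == "*" or principal == {"AWS": "*"}
        if anonymous and "Condition" not in st:
            findings.append(f"{sid}: anonymous Principal without a Condition")
    return findings


if __name__ == "__main__":
    print("sample:", lint_policy(SAMPLE_POLICY))
    print("over-broad:", lint_policy(OVERBROAD_POLICY))
```

The checker deliberately treats Allow statements differently from Deny ones: a Deny of "*" on "*" is a guard rail, while the same shape under Allow is full administrator access.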
IAM - Password policy
You can enforce that user passwords have:
- Minimum password length
- Uppercase/lowercase
- Numbers
- Non-alphanumeric
- Require users to change passwords (expiration)
- Prevent password re-use
Also possible to use MFA devices for authentication
- Virtual MFA device
- Universal 2 factor security key (physical device)
- Hardware Key Fob MFA device
- Hardware Key Fob MFA device for AWS GovCloud (US)
IAM Roles for Services
Same idea as for users, but for AWS services.
A role gives one service permission to call another service.
IAM Security Tools
- IAM credential report (account level), contains all users and status of their credentials
- IAM Access Advisor (user-level), shows the service permissions granted to a user and when those services were last accessed
AWS EC2
EC2 sizing & configuration options
- Operating system
- CPU
- RAM
- Storage => EBS or EFS or EC2 instance store
- Network card, public IP address
- Firewall rules
- Bootstrap script: EC2 user data
EC2 user data
- Launching commands when machine starts
- Run once
- Automate boot tasks like installing dependencies
- Runs with root user privileges
EC2 Instance types
Instance type description:
m5.2xlarge => m: instance class, 5: generation, 2xlarge: size within the instance class
Available instance types:
- General purpose (t) => web servers
- Compute optimized (c) => batch processing, high performance computing
- Memory optimized (r, x, z) => databases, cache, in-memory DB
- Storage optimized (i1, h1) => high-frequency online transaction processing (OLTP), relational and NoSQL databases, cache, data warehousing
Security Groups
- Control traffic in and out of our EC2 instance
- Only contains "Allow" rules
- Rules can reference IP addresses or other security groups as the source
- Control access to ports
- Authorized IP ranges - IPv4 and IPv6
- Control inbound network
- Control outbound network
- Can be attached to multiple instances; one instance can have multiple security groups
- Locked down to a region / VPC combination
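As an added example (not from these notes), a Python 3 model of how security group rules are evaluated: only Allow rules exist, so a packet passes if any rule in any attached group matches and is otherwise implicitly denied, and a rule source may be a CIDR or another security group. The group ids, addresses and rules are constructed placeholders, not real resources.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    protocol: str    # "tcp", "udp", "icmp", or "-1" for all protocols
    from_port: int   # inclusive port range (ignored when protocol is "-1")
    to_port: int
    source: str      # CIDR such as "10.0.0.0/16" or a security group id such as "sg-web"


# Constructed membership table: which groups each instance IP belongs to.
SG_MEMBERSHIP = {
    "10.0.1.10": {"sg-web"},
    "10.0.2.20": {"sg-app"},
}

# Constructed inbound rules: the web tier is public on 443, the app tier
# accepts 8080 only from members of the web tier's security group.
SG_RULES = {
    "sg-web": [Rule("tcp", 443, 443, "0.0.0.0/0")],
    "sg-app": [Rule("tcp", 8080, 8080, "sg-web")],
}


def _rule_matches(rule: Rule, protocol: str, port: int, src_ip: str) -> bool:
    if rule.protocol not in ("-1", protocol):
        return False
    if rule.protocol != "-1" and not (rule.from_port <= port <= rule.to_port):
        return False
    if rule.source.startswith("sg-"):
        # Group-referencing rule: allowed only if the sender is a member of that group.
        return rule.source in SG_MEMBERSHIP.get(src_ip, set())
    network = ipaddress.ip_network(rule.source, strict=False)
    try:
        return ipaddress.ip_address(src_ip) in network
    except ValueError:
        return False


def inbound_allowed(attached_groups, protocol: str, port: int, src_ip: str) -> bool:
    """True if any Allow rule in any attached group matches; there is no Deny rule."""
    return any(
        _rule_matches(rule, protocol, port, src_ip)
        for group in attached_groups
        for rule in SG_RULES.get(group, [])
    )


if __name__ == "__main__":
    print(inbound_allowed(["sg-web"], "tcp", 443, "203.0.113.5"))   # True: public HTTPS
    print(inbound_allowed(["sg-web"], "tcp", 22, "203.0.113.5"))    # False: no rule for 22
    print(inbound_allowed(["sg-app"], "tcp", 8080, "10.0.1.10"))    # True: from the web tier
    print(inbound_allowed(["sg-app"], "tcp", 8080, "203.0.113.5"))  # False: not a web-tier member
```

Referencing a group instead of a CIDR is what keeps the app tier closed to the internet even if the web tier's addresses change; the model shows that the check is on membership, not on the address.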
EC2 instances purchasing options
- On-Demand instances - short workloads, predictable pricing, pay by the second
- Reserved (1 & 3 years) - long workloads, convertible or not
- Savings plans (1 & 3 years) commitment to an amount of usage
- Spot instances - short workloads, cheap, can lose instance
- Dedicated Hosts - book an entire physical server, control instance placement, possible to use software licenses
- Dedicated Instance - no other customers will share your hardware
- Capacity Reservation - reserve capacity in a specific AZ for any duration
AWS EC2 storage options
EBS volumes
- An EBS (Elastic Block Store) volume is a network drive you can attach to your instances while they run
- It allows your instances to persist data, even after their termination
- One instance can have multiple EBS volumes
- A volume can only be mounted to one instance at a time
- Some EBS volume types support multi-attach
- They are bound to a specific AZ
EBS volume is a network drive (not a physical device), and:
- it uses the network to communicate with the instance, so there is some latency
- It can be detached from an EC2 instance and attached to another one quickly
It’s locked to an AZ:
- An EBS volume in us-east-1a cannot be attached to an instance in us-east-1b
- To move a volume across, you first need to snapshot
You need to provide capacity in advance.
Root EBS volume is deleted by default on instance termination, possible to change.
EBS snapshots
- Make a backup of your EBS volume
- Not necessary to detach the volume to take a snapshot, but recommended
- Can copy snapshots across AZ or Region
EBS snapshot archive allows storing snapshots 75% cheaper; a restore takes 24-72 hours.
EBS Recycle Bin for snapshots: deleted snapshots are retained in the recycle bin for a period of 1 day to 1 year.
Fast snapshot restore forces full initialization of the snapshot so there is no latency on first use.
AMI Overview
- AMI = Amazon Machine Image
- An AMI is our customized EC2 instance
- Your own software, configuration, operating system and monitoring
- Faster boot and configuration time because it is pre-packaged
- Built for a specific region, can be copied across regions
Instances can be launched from:
- Public AMI: AWS provided
- Own AMI
- Marketplace AMI
AMI process
- Start an EC2 instance and customize it
- Stop the instance
- Build an AMI - this will also create EBS snapshot
- Launch instances from that AMI

EC2 Instance Store
- Hardware disk attached to your machine
- It has better I/O performance
- EC2 instance store volumes lose their data if the instance is stopped
- Good for buffer/cache/temporary content
EBS Volume types
- gp2/gp3 - general purpose SSD
- io1/io2 - highest performance SSD
- st1 - low cost HDD volume, frequently accessed data
- sc1 - lowest cost HDD, less frequently accessed data
Only gp2/gp3 and io1/io2 can be used as boot volumes
General purpose SSD
- Cost effective
- Possible to use as boot volume
- 1 GiB - 16 TiB
gp3:
- baseline of 3,000 IOPS and throughput of 125 MiB/s
- possible to increase IOPS up to 16,000 and throughput to 1,000 MiB/s independently
gp2:
- Small gp2 volumes can burst IOPS to 3,000
- Size of the volume and IOPS are linked, max IOPS is 16,000
- 3 IOPS per GiB, so at 5,334 GiB we reach the max IOPS (3 * 5,334 = 16,002, capped at 16,000)
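As an added example (not from these notes), a few Python 3 helpers that carry the gp2 size/IOPS relationship through in code: baseline IOPS for a given size, the burst level a small volume can reach, and the size needed to hit a target baseline. The 100 IOPS floor for tiny volumes is from the AWS EBS documentation rather than from the notes.

```python
import math

GP2_IOPS_PER_GIB = 3
GP2_MIN_IOPS = 100        # floor for very small volumes (AWS docs, not in the notes)
GP2_MAX_IOPS = 16_000
GP2_BURST_IOPS = 3_000


def gp2_baseline_iops(size_gib: int) -> int:
    """Baseline IOPS: 3 per GiB, clamped to the [100, 16,000] range."""
    return max(GP2_MIN_IOPS, min(GP2_MAX_IOPS, GP2_IOPS_PER_GIB * size_gib))


def gp2_peak_iops(size_gib: int) -> int:
    """Peak IOPS while burst credits last: small volumes burst to 3,000,
    larger volumes already have a baseline above the burst level."""
    return max(gp2_baseline_iops(size_gib), GP2_BURST_IOPS)


def gp2_size_for_baseline(target_iops: int) -> int:
    """Smallest volume size (GiB) whose baseline reaches target_iops (<= 16,000)."""
    if target_iops > GP2_MAX_IOPS:
        raise ValueError("gp2 cannot provide more than 16,000 IOPS; use io1/io2 or gp3")
    return math.ceil(target_iops / GP2_IOPS_PER_GIB)


if __name__ == "__main__":
    for size in (10, 100, 1_000, 5_334, 10_000):
        print(f"{size:>6} GiB: baseline {gp2_baseline_iops(size):>6}, peak {gp2_peak_iops(size):>6}")
    print("GiB needed for 16,000 IOPS:", gp2_size_for_baseline(GP2_MAX_IOPS))
```

The last line reproduces the 5,334 GiB figure from the notes (16,000 / 3 rounded up), and the ValueError is the point where gp3 or io1/io2 becomes the right choice.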
Provisioned IOPS (PIOPS) SSD
- Critical business applications with sustained IOPS performance
- Or applications that need more than 16,000 IOPS
- Great for database workloads (sensitive to storage performance)
io1 (4GiB - 16TiB)
- Max IOPS 64,000 for Nitro EC2 instances & 32,000 for others.
- Can increase PIOPS independently from storage size.
- io2 has more durability and more IOPS per GiB (same price).
io2 Block Express (4GiB - 64 TiB)
- Sub millisecond latency
- Max 256,000 IOPS with an IOPS:GiB ratio of 1,000:1
Supports EBS multi-attach.
Hard Disk Drives (HDD)
- Can not be a boot volume
- 125 GiB to 16 TiB
Throughput optimized HDD st1:
- Big data, data warehousing, log processing
- Max throughput 500 MiB/s - max IOPS 500
Cold HDD (sc1):
- Archive data
- Lowest cost
- Max throughput 250 MiB/s - max IOPS 250
EBS multi-attach (io1/io2)
- Attach the same EBS volume to multiple EC2 instances
- Each instance has full read & write permissions
- Achieve higher application availability in a cluster
- Concurrent write applications
- Works within 1 AZ
- Up to 16 EC2 instances
- Requires a cluster-aware file system (not XFS/EXT4)
Amazon EFS - elastic file system
- Managed NFS (network file system) that can be mounted on many EC2 instances
- EFS works with EC2 instances across multiple AZs
- Highly available, scalable, expensive (3x gp2), pay per use
- Uses the NFSv4.1 protocol
- Controlled with security groups
- Compatible with Linux-based AMIs
- Possible to encrypt with KMS
- POSIX file system
- File system scales automatically
Possible to choose a performance mode:
- General purpose: default, for web sites
- Max I/O: higher latency and throughput, highly parallel
Throughput Mode:
- Bursting - 1 TiB = 50 MiB/s + burst of up to 100 MiB/s
- Provisioned - set your throughput
- Elastic - automatically scales throughput up or down based on your workload
Storage Tiers (lifecycle management feature):
- Standard: for frequently accessed files
- Infrequent access (EFS-IA): cost to retrieve files, lower price to store; enable EFS-IA with a lifecycle policy
Availability and durability
- Standard: Multi-AZ, great for prod
- One Zone: One AZ, great for dev
Elastic load balancing (ELB)
- Spread load
- Expose a single point of access (DNS)
- Handle failures
- Health checks
- SSL termination (HTTPS)
- Enforce stickiness with cookies
- High availability across zones
- Separate public traffic from private
Integration
- EC2, EC2 ASG, Amazon ECS
- AWS Certificate Manager (ACM), CloudWatch
- Route 53, AWS WAF, AWS Global Accelerator
Types
- Classic (HTTP, HTTPS, TCP, SSL)
- Application (HTTP, HTTPS, WebSocket)
- Network (TCP, TLS (secure TCP), UDP)
- Gateway (IP protocol)
Application load balancer (layer 7)
Supports redirects from HTTP to HTTPS, HTTP/2 and WebSocket.
Latency is 400 ms.
Routing to different target groups based on:
- url
- hostname
- query string
- client location (geography)
Great for container-based apps; supports port mapping to a dynamic port in ECS.
Target groups:
- EC2
- ECS tasks
- Lambda
- IP addresses - must be private IPs
Has a fixed hostname.
The true IP of the client is inserted in the X-Forwarded-For header.
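As an added example (not from these notes), a Python 3 helper for reading the client IP out of X-Forwarded-For behind an ALB. The header is a comma-separated list and each proxy appends the address it saw, so the ALB's entry is the last one; anything the client sent in the header itself sits to the left and must not be trusted. The trusted_hops parameter is my own name for "how many proxies I control in front of the target" (1 for an ALB alone, 2 if a CDN you also control sits in front of the ALB).

```python
import ipaddress
from typing import Optional


def client_ip_from_xff(xff_header: str, trusted_hops: int = 1) -> Optional[str]:
    """Return the client address as seen by the nearest trusted proxy.

    With the ALB as the only trusted hop (trusted_hops=1) that is the last
    entry, because the ALB appends the address of the peer that connected to
    it. With N trusted proxies chained in front of the target, it is the N-th
    entry from the right. Returns None if the header is missing, too short,
    or the chosen entry is not a valid IP address.
    """
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    if trusted_hops < 1 or len(hops) < trusted_hops:
        return None
    candidate = hops[-trusted_hops]
    try:
        ipaddress.ip_address(candidate)
    except ValueError:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed headers: the first value is what a client that set its own
    # X-Forwarded-For would produce once the ALB appends the real address.
    print(client_ip_from_xff("9.9.9.9, 203.0.113.7"))                 # 203.0.113.7
    print(client_ip_from_xff("203.0.113.7"))                          # 203.0.113.7
    print(client_ip_from_xff("203.0.113.7, 198.51.100.2", trusted_hops=2))  # 203.0.113.7
    print(client_ip_from_xff(""))                                     # None
```

Taking the leftmost entry is the common mistake: it lets any client choose the address that ends up in access logs, rate limiters and allow lists.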
Network load balancer (layer 4)
TCP and UDP traffic.
Millions of requests per second.
Latency is 100 ms.
Has one static IP per AZ and supports Elastic IP.
Target groups:
- EC2
- IP addresses
- application load balancer
Health checks: TCP, HTTP, HTTPS
Gateway load balancer (layer 3)
Uses the GENEVE protocol on port 6081.
Routes traffic through 3rd-party network virtual appliances in AWS.
Used for firewalls, intrusion detection and prevention systems, deep packet inspection systems.
Target groups:
- EC2
- IP addresses
Sticky session
Can be used for CLB, ALB, NLB.
Custom cookie:
- generated by target
- must be specified individually for each target group
- Don't use AWSALB, AWSALBAPP or AWSALBTG - these names are reserved for ELB
Application cookie:
- generated by the load balancer
- cookie name is AWSALBAPP
Duration-based cookies:
- generated by the load balancer
- cookie name is AWSALB for ALB, AWSELB for CLB
Cross zone balancing
Spreads traffic to all instances in all AZs equally.
For ALB: enabled by default, can be disabled at the target group level; no charges for inter-AZ data.
For NLB and GLB: disabled by default; you pay for inter-AZ data.
For CLB: disabled by default; no charges for inter-AZ data.
ELB SSL/TLS
The load balancer uses an X.509 certificate.
You can manage certificates with AWS Certificate Manager (ACM), including uploading your own certificate.
HTTPS listener:
- you must specify a default certificate
- you can add an optional list of certs to support multiple domains
- clients can use SNI (server name indication) to specify the hostname
- possible to allow older versions of SSL/TLS (legacy clients)
SNI - server name indication
Solves the problem of serving multiple SSL certificates from one web server.
Works with ALB and NLB.
Connection draining
1 - 3,600 seconds, default is 300; can be disabled.
For CLB it is called connection draining.
For ALB and NLB it is called de-registration delay.
Time given to complete in-flight requests while the instance is de-registering or unhealthy.
Stops sending new requests to the EC2 instance that is de-registering.
Auto scaling group (ASG)
Scale out and scale in to increase or decrease the instance count.
Ensures that you have a min and max number of EC2 instances.
Automatically registers new instances with a load balancer.
Re-creates an EC2 instance in case the previous one was terminated.
A launch template (formerly launch configuration) contains information on how to launch your EC2 instances:
- AMI, Instance type
- EC2 user data
- EBS volume
- Security groups
- SSH key pairs
- IAM roles
- Network and subnets
- Load balancer info
It is possible to scale an ASG based on CloudWatch alarms.
The alarm monitors a metric (such as average CPU, or a custom metric).
Inside an ASG, it is possible to override instance type requirements, including enabling spot instances.
Scaling policies
Dynamic scaling:
- target tracking scaling (e.g. keep the ASG average CPU around 40%)
- simple / step scaling (e.g. add/remove 2 units when a CloudWatch alarm fires)
- scheduled actions (when you know the load pattern in advance)
Predictive scaling:
- predictive scaling (based on forecast)
Good metrics to scale on:
- CPUUtilization: average CPU
- RequestCountPerTarget
- Average Network IN/OUT
- Custom metrics that you push to CloudWatch
Scaling cooldown - 300 seconds by default; no scale in/out during this period.
Use a ready-to-use AMI to reduce configuration time, so new instances serve requests sooner and the cooldown period can be shortened.
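As an added example (not from these notes), a Python 3 model of a step scaling policy with the min/max clamp and the cooldown described above: a metric value selects a step adjustment, the new desired capacity is clamped to [min, max], and no scaling activity happens while the cooldown from the previous one is still running. The CPU thresholds, sizes and timestamps are constructed, and the cooldown is modelled exactly as the notes describe it (a fixed quiet period after any scaling activity).

```python
from dataclasses import dataclass


@dataclass
class AsgState:
    min_size: int
    max_size: int
    desired: int
    last_scaling_at: float   # epoch seconds of the last scaling activity
    cooldown: int = 300      # seconds; default from the notes


# Constructed step policy on average CPU (%): (lower_bound, upper_bound, adjustment).
# None means "no bound on that side". Scale in below 20%, scale out above 60%.
CPU_STEPS = [
    (None, 20, -1),
    (60, 80, +1),
    (80, None, +2),
]


def step_adjustment(metric: float, steps=CPU_STEPS) -> int:
    """Return the capacity adjustment for the first step whose range contains metric, else 0."""
    for lower, upper, adjustment in steps:
        if (lower is None or metric >= lower) and (upper is None or metric < upper):
            return adjustment
    return 0


def scale(state: AsgState, metric: float, now: float) -> int:
    """Apply one evaluation of the policy and return the resulting desired capacity."""
    adjustment = step_adjustment(metric)
    if adjustment == 0:
        return state.desired                       # metric inside the no-action band
    if now - state.last_scaling_at < state.cooldown:
        return state.desired                       # still cooling down from the last activity
    new_desired = max(state.min_size, min(state.max_size, state.desired + adjustment))
    if new_desired != state.desired:
        state.desired = new_desired
        state.last_scaling_at = now
    return state.desired


if __name__ == "__main__":
    asg = AsgState(min_size=1, max_size=4, desired=2, last_scaling_at=0)
    for t, cpu in ((1000, 85), (1100, 85), (1400, 10), (1500, 50)):
        print(f"t={t} cpu={cpu}% -> desired={scale(asg, cpu, t)}")
```

Run through the constructed timeline, the 85% reading at t=1000 scales out by 2 to the max of 4, the repeat at t=1100 is ignored because the cooldown is still running, the 10% reading at t=1400 scales in by 1, and 50% sits in the band where nothing happens.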
Auto scaling - instance refresh
Goal is to update the launch template and then re-create the EC2 instances.
We set a minimum healthy percentage and can set a warm-up time.