AWS Certified Developer Associate hints. Route 53, CloudFront, S3 (part III)
AWS Route 53
- Highly available, scalable, fully managed, and authoritative DNS
- Route 53 is also a Domain registrar
- Ability to check the health of your resources
- The only AWS service which provides a 100% availability SLA
- Why route 53? 53 is a reference to the traditional DNS port
Each Route 53 record has:
- Domain/subdomain name
- Record type
- Value
- Routing policy
- TTL
Route 53 Record types
- A - maps a hostname to IPv4
- AAAA - maps a hostname to IPv6
- CNAME - maps a hostname to another hostname; the target is a domain name which must have an A or AAAA record. Can’t create a CNAME record for the top node of a DNS namespace (zone apex)
- NS - name servers for the hosted zone; control how traffic is routed for a domain
Hosted zones
- A container for records that define how to route traffic to a domain and its subdomains
- Public hosted zone - contains records that specify how to route traffic on the Internet
- Private Hosted zones - contain records that specify how you route traffic within one or more VPCs
Route 53 Record TTL
The TTL tells clients how long to cache a DNS response.
Results are cached per client for the TTL duration.
Possible to check with the “dig” command.
CNAME vs ALIAS
AWS resources expose an AWS hostname, and you want to map it to your own domain.
CNAME - maps a hostname to any other hostname, but cannot be used for the root domain (zone apex).
ALIAS - maps a hostname to an AWS resource and works for the root domain.
Alias records:
- Map a hostname to an AWS resource
- An extension to DNS functionality
- Automatically recognizes changes in the resource's IP addresses
- Unlike CNAME it can be used for the top node of a DNS namespace (Zone Apex)
- Alias record is always of type A/AAAA for AWS resources
- You cannot set the TTL (it is managed by Route 53); see the sketch below
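A minimal boto3 sketch of such an alias record, pointing a zone apex at an Application Load Balancer (the hosted zone IDs, domain, and ALB DNS name below are placeholders, not real values):

```python
import boto3

# Sketch: UPSERT an alias A record at the zone apex that points to an ALB.
route53 = boto3.client("route53")

route53.change_resource_record_sets(
    HostedZoneId="Z0000000000EXAMPLE",  # your hosted zone (placeholder)
    ChangeBatch={
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": "example.com",   # alias works for the zone apex
                "Type": "A",             # alias records are A/AAAA
                "AliasTarget": {
                    # hosted zone ID of the ALB (region-specific, placeholder here)
                    "HostedZoneId": "Z32O12XQLNTSW2",
                    "DNSName": "my-alb-1234567890.eu-west-1.elb.amazonaws.com",
                    "EvaluateTargetHealth": True,
                },
                # note: no TTL field - you cannot set one on alias records
            },
        }]
    },
)
```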
Route 53 Health checks
- HTTP health checks are only for public resources
- Health check = automated DNS failover
- Possible to monitor an endpoint, another health check, or CloudWatch alarms
- Health checks are integrated with CloudWatch metrics
- About 15 global health checkers will check the endpoint health
- Healthy/unhealthy threshold is 3 (default)
- Interval 30 sec (can be set to 10 sec at a higher cost)
- Supported protocols: HTTP, HTTPS, and TCP
- Health checks pass only when the endpoint responds with 2xx or 3xx status codes
- Health checks can be set up to pass/fail based on text in the first 5,120 bytes of the response
- Configure your router/firewall to allow incoming requests from Route 53 health checkers
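A minimal boto3 sketch of creating an HTTPS health check with these defaults (the domain name and resource path are placeholders):

```python
import boto3

# Sketch: create an HTTPS health check against a public endpoint.
route53 = boto3.client("route53")

response = route53.create_health_check(
    CallerReference="demo-health-check-001",  # any unique string per request
    HealthCheckConfig={
        "Type": "HTTPS",
        "FullyQualifiedDomainName": "api.example.com",
        "Port": 443,
        "ResourcePath": "/health",
        "RequestInterval": 30,    # or 10 for the fast interval (higher cost)
        "FailureThreshold": 3,    # default threshold
    },
)
print(response["HealthCheck"]["Id"])
```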
Calculated health checks:
- Combine the result of multiple health checks in a single one
- You can use OR, AND or NOT
- Can monitor up to 256 child health checks
- Specify how many of the health checks need to pass to make the parent pass
Route 53 Routing policies
Simple routing policy:
- Typically route traffic to a single resource
- Can specify multiple values in the same record
- If multiple values are returned, the client picks a random one
- When alias enabled, specify only one AWS resource
- Can’t be associated with health checks
Weighted routing policy:
- Control the % of the requests that go to each specific resource
- Assign each record a relative weight
- DNS records must have the same name and type
- Can be associated with health checks
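A hedged sketch of two weighted records sharing the same name and type, roughly splitting traffic 70/30 (zone ID, hostname, and IPs are placeholders):

```python
import boto3

# Sketch: two weighted A records with the same name and type.
# About 70% of answers return the first IP, 30% the second.
route53 = boto3.client("route53")

def weighted_record(identifier: str, weight: int, ip: str) -> dict:
    """Build one weighted A record; SetIdentifier must be unique per record."""
    return {
        "Action": "UPSERT",
        "ResourceRecordSet": {
            "Name": "app.example.com",
            "Type": "A",
            "SetIdentifier": identifier,
            "Weight": weight,
            "TTL": 60,
            "ResourceRecords": [{"Value": ip}],
        },
    }

route53.change_resource_record_sets(
    HostedZoneId="Z0000000000EXAMPLE",
    ChangeBatch={
        "Changes": [
            weighted_record("main-fleet", 70, "192.0.2.10"),
            weighted_record("canary-fleet", 30, "192.0.2.20"),
        ]
    },
)
```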
Latency based:
- Redirects to the resource that has the lowest latency for the user
- Super helpful when latency for users is a priority
- Latency is based on traffic between users and AWS regions
- Can be combined with health check
Failover:
- Provide 2 records: a primary and a secondary (failover)
- If the primary is considered unhealthy, traffic is redirected to the failover record
Geolocation:
- Different from latency based
- This routing is based on user location
- Should create a default record in case there is no matching location
Geoproximity:
- Route traffic to your resources based on the geographic location of users and resources
- Ability to shift more traffic to resources based on the defined bias
IP based routing:
- Routing is based on the client IP address
- You provide a list of CIDRs for your clients and the corresponding endpoints
Multi-value:
- Use when routing traffic to multiple values/resources
- Route 53 returns multiple values
- Can be associated with health checks
- Up to 8 healthy records are returned for each query
- Multi-value is not a substitute for having an ELB
AWS CloudFront
- Content delivery network
- Improve read performance, content is cached at the edge
- Improve user experience
- 216+ points of presence globally (edge locations)
- DDoS protection, integration with AWS Shield and AWS Web Application Firewall (WAF)
CloudFront Origins
S3 bucket:
- For distributing files and caching them at the edge
- Enhanced security with CloudFront Origin Access Control (OAC)
- OAC is replacing Origin Access Identity (OAI)
- CloudFront can be used as an ingress (to upload files to S3)
Custom origin (HTTP):
- Application load balancer
- EC2 instance
- S3 Website
CloudFront vs S3 Cross Region Replication
CloudFront:
- global edge network
- files are cached
- great for static content that must be available everywhere
S3 Cross Region Replication:
- must be set up for each region you want replication in
- files are updated in near real-time
- read only
- great for dynamic content that needs to be available at low latency in a few regions
CloudFront cache
CloudFront cache keys:
- A unique identifier for every object in the cache
- By default consists of hostname + resource portion of the URL
- You can add other elements to the Cache key using CloudFront Cache Policies
CloudFront Cache Policies:
- HTTP headers
- Cookies
- Query string
- TTL (0 seconds - 1 year)
Strategies:
- None - don’t include query string
- Whitelist - specify what’s included
- Include All-Except - specify what’s not included
- All - include all
CloudFront - Cache Behavior
- Configure different settings for a given URL path pattern
- Route to different kind of origins/origin groups based on the content type or path (/images/* and /api/*)
- When adding additional Cache behaviors, the default cache behavior is always the last to be processed and is always “/*”
CloudFront - ALB or EC2 as origin
- There is no private VPC connectivity; the origin must be publicly reachable
- The public IPs of the edge locations must be allowed in the origin's security groups
CloudFront Geo Restrictions
- Possible to define Allowlist and Blocklist
- The country is determined using a 3rd-party Geo-IP database
CloudFront Signed URL/ Signed cookie
Distribute paid shared content to premium users.
Policy contains:
- URL expiration
- IP ranges to access
- Trusted signers (which AWS accounts can generate signed URLs)
Signed URL = one file, Signed Cookies = many files.
Two types of signers:
- trusted key group (recommended)
- an AWS account that contains a CloudFront key pair (legacy, not recommended)
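A minimal sketch of generating a signed URL with botocore's CloudFrontSigner and a canned policy (the key-pair ID, private key file, and distribution domain are placeholders; the public key is assumed to be registered in a trusted key group, and the cryptography package is assumed to be installed):

```python
from datetime import datetime, timedelta

from botocore.signers import CloudFrontSigner
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding

KEY_PAIR_ID = "K2JCJMDEHXQW5F"          # placeholder public key ID
PRIVATE_KEY_FILE = "private_key.pem"    # matching private key, kept outside AWS

def rsa_signer(message: bytes) -> bytes:
    """Sign the policy with the CloudFront private key (SHA-1, PKCS#1 v1.5)."""
    with open(PRIVATE_KEY_FILE, "rb") as f:
        private_key = serialization.load_pem_private_key(f.read(), password=None)
    return private_key.sign(message, padding.PKCS1v15(), hashes.SHA1())

signer = CloudFrontSigner(KEY_PAIR_ID, rsa_signer)

signed_url = signer.generate_presigned_url(
    "https://d111111abcdef8.cloudfront.net/premium/video.mp4",
    date_less_than=datetime.utcnow() + timedelta(hours=1),   # URL expiration
)
print(signed_url)
```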
CloudFront Signed URL vs S3 Pre-signed URL
CloudFront:
- Allow access to a path, no matter the origin
- Account-wide key pair; only the root account can manage it
- Can be filtered by IP, path, date, expiration
- Can leverage caching feature
S3:
- Issues a request as the person who pre-signed the URL
- Uses the IAM key of the signing IAM principal
- Limited lifetime
CloudFront - Price Classes
- All - best performance
- Price Class 200 - most regions, but excludes the most expensive ones
- Price Class 100 - only the least expensive regions
CloudFront Origin Groups
- Increase availability and enable failover between origins
- Origin Group: one primary and one secondary origin
- If the primary origin fails, the secondary one is used
CloudFront - Field Level Encryption
- Protects sensitive user information through the application stack
- Adds an additional layer of security on top of HTTPS
- Sensitive information is encrypted at the edge, close to the user
- Uses asymmetric encryption
CloudFront - Real Time logs
- Get real-time requests received by CloudFront sent to Kinesis Data Streams
- Monitor, analyze and take actions based on content delivery performance
- Allows choosing a sampling rate (percentage of requests)
- Can be limited to specific fields and specific cache behaviors (path patterns)
Amazon S3
Used for:
- backup and storage
- disaster recovery
- archive
- hybrid cloud storage
- application hosting
- media hosting
- data lake & big data analytics
- software delivery
- static websites
Buckets store objects; buckets must have a globally unique name (across all regions and accounts).
Buckets are defined at the region level.
Naming:
- no uppercase, no underscore
- 3-63 characters long
- not an IP
- must start with lowercase letter or number
- must not start with the prefix xn--
Objects have keys; the key is the full path: prefix + object name.
Max object size is 5 TB.
If a file is larger than 5 GB, you must use multi-part upload (see the sketch below).
Metadata - key value pairs.
Tags - useful for security.
Version id - if versioning enabled.
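A small sketch of a large-object upload with boto3, which switches to multi-part upload automatically above a threshold (bucket name and file paths are placeholders):

```python
import boto3
from boto3.s3.transfer import TransferConfig

# Sketch: boto3 performs multi-part upload automatically for large files.
s3 = boto3.client("s3")

config = TransferConfig(
    multipart_threshold=100 * 1024 * 1024,   # switch to multi-part above 100 MB
    multipart_chunksize=100 * 1024 * 1024,   # 100 MB parts
)

s3.upload_file(
    Filename="backup.tar.gz",
    Bucket="my-example-bucket",
    Key="backups/2024/backup.tar.gz",        # key = prefix + object name
    Config=config,
)
```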
Amazon S3 security
User-based:
- IAM policies - which API calls a given IAM user is allowed to make
Resource-based:
- Bucket policies - bucket-wide rules from the S3 console - allow cross-account access
- Object Access Control Lists (ACL) - finer grain (can be disabled)
- Bucket Access Control Lists (ACL) - less common (can be disabled)
For EC2 instances we use IAM roles, not IAM users.
Amazon S3 Versioning
- It’s enabled at the bucket level
- Overwriting the same key creates a new version
- Protects against unintended deletes (a delete marker is created instead)
- Easy rollback to a previous version
- Any file that was in the bucket before versioning was enabled gets version “null”
- Suspending versioning doesn’t delete the previous versions
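Enabling versioning is a single call; a minimal boto3 sketch (the bucket name is a placeholder):

```python
import boto3

# Sketch: enable (or later suspend) versioning on a bucket.
s3 = boto3.client("s3")

s3.put_bucket_versioning(
    Bucket="my-example-bucket",
    VersioningConfiguration={"Status": "Enabled"},   # or "Suspended"
)
```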
Amazon S3 Replication
There are 2 types: Cross-Region Replication (CRR) and Same-Region Replication (SRR)
- Must enable versioning in source and destination buckets
- Buckets can be in different AWS accounts
- Copying is asynchronous
- Must give proper IAM permissions to S3
- Only new objects will be replicated
- Optionally, you can replicate existing objects using S3 Batch Replication
For delete operation:
- can replicate delete markers from source to target (optional setting)
- deletions with a version ID are not replicated
There is no “chaining” of replication:
- if bucket 1 has replication into bucket 2, which has replication into bucket 3
- objects from bucket 1 are not replicated into bucket 3
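A hedged sketch of a basic replication rule (bucket names and the IAM role ARN are placeholders; versioning is assumed to be already enabled on both buckets):

```python
import boto3

# Sketch: replicate all new objects from a source bucket to a destination bucket.
s3 = boto3.client("s3")

s3.put_bucket_replication(
    Bucket="source-bucket",
    ReplicationConfiguration={
        "Role": "arn:aws:iam::123456789012:role/s3-replication-role",
        "Rules": [{
            "ID": "replicate-everything",
            "Status": "Enabled",
            "Priority": 1,
            "Filter": {},                                   # no prefix/tag filter
            "DeleteMarkerReplication": {"Status": "Disabled"},
            "Destination": {"Bucket": "arn:aws:s3:::destination-bucket"},
        }],
    },
)
```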
S3 Storage Classes
- S3 Standard - general purpose
- S3 Standard-Infrequent Access (IA)
- S3 One Zone-Infrequent Access
- S3 Glacier Instant Retrieval
- S3 Glacier Flexible Retrieval
- S3 Glacier Deep Archive
- S3 Intelligent Tiering
S3 Durability and Availability
Durability - how many objects can be lost:
- very high durability: 99.999999999% (“11 nines”)
- if you store 10,000,000 objects, expect a loss of 1 object once every 10,000 years
- same for all storage classes
Availability - measures how readily available the service is:
- varies by storage class
- S3 Standard has 99.99% availability = not available ~53 minutes a year
S3 Standard - general purpose:
- 99.99% availability
- Used for frequently accessed data
- Low latency and high throughput
- Sustain 2 concurrent facility failures
S3 Standard-Infrequent Access (IA):
- 99.9% available
- for data that is less frequently accessed but requires rapid access when needed
- lower cost than S3 Standard
S3 One Zone-Infrequent Access:
- 99.5% available
- high durability, but data is lost when the AZ is destroyed
S3 Glacier Instant Retrieval:
Pricing per storage + object retrieval costs.
- milliseconds retrieval
- minimum storage duration of 90 days
S3 Glacier Flexible Retrieval:
- Expedited (1 to 5 minutes), Standard (3 to 5 hours), Bulk (5 to 12 hours, free)
- minimum storage duration of 90 days
S3 Glacier Deep Archive:
- Standard (12 hrs), Bulk (48 hrs)
- Minimum storage duration of 180 days
S3 Intelligent Tiering:
- Small monthly monitoring auto-tiering fee
- Moves object automatically between tiers
- No retrieval charge
Frequent access tier (auto) default.
Infrequent access tier (auto) not accessed for 30 days.
Archive instant tier (auto) not accessed for 90 days.
Archive access tier (optional) config from 90 to 700+ days.
Deep archive tier (optional) config from 180 to 700+ days.
S3 Lifecycle rules
- Transition actions - configure object to transition to another storage class
- Expiration actions - configure objects to expire (example: delete access log files after 365 days, delete old versions if versioning is enabled, delete incomplete multi-part uploads)
- Rules can be created for a certain prefix
- Rules can be created for certain object Tags (ex: Department)
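A sketch of a lifecycle configuration combining a transition action and an expiration action, scoped by prefix (bucket name, prefixes, and day counts are illustrative):

```python
import boto3

# Sketch: one transition rule and one expiration rule, each scoped to a prefix.
s3 = boto3.client("s3")

s3.put_bucket_lifecycle_configuration(
    Bucket="my-example-bucket",
    LifecycleConfiguration={
        "Rules": [
            {
                "ID": "archive-old-reports",
                "Status": "Enabled",
                "Filter": {"Prefix": "reports/"},
                "Transitions": [
                    {"Days": 60, "StorageClass": "STANDARD_IA"},
                    {"Days": 180, "StorageClass": "GLACIER"},
                ],
            },
            {
                "ID": "expire-logs",
                "Status": "Enabled",
                "Filter": {"Prefix": "logs/"},
                "Expiration": {"Days": 365},
                "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 7},
            },
        ]
    },
)
```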
S3 Analytics gives you a CSV report with recommendations on when to move objects between tiers.
S3 Event Notifications
- S3:ObjectCreated, S3:ObjectRemoved, S3:ObjectRestore, S3:Replication…
- Object name filtering possible (e.g. ".jpg" suffix)
S3 notifications can go to SNS, SQS, Lambda, or Amazon EventBridge (which can forward them to 18+ services).
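A sketch of a notification rule targeting SQS with a suffix filter (bucket name and queue ARN are placeholders; the queue's access policy is assumed to already allow S3 to send messages):

```python
import boto3

# Sketch: send an event to an SQS queue whenever a .jpg object is created.
s3 = boto3.client("s3")

s3.put_bucket_notification_configuration(
    Bucket="my-example-bucket",
    NotificationConfiguration={
        "QueueConfigurations": [{
            "QueueArn": "arn:aws:sqs:eu-west-1:123456789012:image-events",
            "Events": ["s3:ObjectCreated:*"],
            "Filter": {
                "Key": {
                    "FilterRules": [{"Name": "suffix", "Value": ".jpg"}]
                }
            },
        }]
    },
)
```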
S3 Performance
Latency: 100-200 ms.
3,500 PUT/COPY/POST/DELETE and 5,500 GET/HEAD requests per second per prefix in a bucket.
S3 Transfer Acceleration: increases transfer speed by sending the file to an edge location, which forwards it to the target region over the fast private AWS network.
S3 Byte-Range Fetches: parallelize GETs by requesting specific byte ranges, or retrieve only the first XX bytes of a file; see the sketch below.
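A minimal byte-range fetch sketch (bucket and key are placeholders):

```python
import boto3

# Sketch: fetch only the first 1 KB of an object using a byte-range GET.
s3 = boto3.client("s3")

response = s3.get_object(
    Bucket="my-example-bucket",
    Key="data/large-file.bin",
    Range="bytes=0-1023",          # standard HTTP Range header syntax
)
head = response["Body"].read()
print(len(head))                   # up to 1024 bytes
```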
S3 Select and Glacier Select
- Retrieve less data using SQL by performing server-side filtering
- Can filter by rows and columns
- Less network transfer, less CPU costs
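A sketch of an S3 Select query over a CSV object (bucket, key, and column names are placeholders):

```python
import boto3

# Sketch: server-side filter a CSV object with S3 Select.
s3 = boto3.client("s3")

response = s3.select_object_content(
    Bucket="my-example-bucket",
    Key="data/orders.csv",
    ExpressionType="SQL",
    Expression="SELECT s.order_id, s.total FROM s3object s WHERE s.country = 'DE'",
    InputSerialization={"CSV": {"FileHeaderInfo": "USE"}},
    OutputSerialization={"CSV": {}},
)

# The result comes back as an event stream of Records.
for event in response["Payload"]:
    if "Records" in event:
        print(event["Records"]["Payload"].decode("utf-8"), end="")
```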
S3 Object Tags and Meta
Metadata:
- User-defined metadata keys begin with “x-amz-meta-”
- Must be lowercase
Object tags:
- key-value pairs for objects in s3
- useful for fine-grained permissions
- useful for analytics
Not possible to search using metadata or object tags.
If you want to search, you need to build an external search index.
Amazon S3 Object encryption
There are 4 methods:
- Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3) - enabled by default
- Server-Side Encryption with KMS keys (SSE-KMS)
- Server-Side Encryption with Customer-Provided Keys (SSE-C)
- Client-Side Encryption - encrypt on the client and upload
SSE-S3:
- encryption using keys handled, managed, and owned by AWS
- Objects are encrypted server-side
- Encryption type is AES-256
- Must set header “x-amz-server-side-encryption”: “AES256”
- Enabled by default
SSE-KMS:
- Encryption using keys handled and managed by AWS KMS
- KMS advantage: user control + audit key usage using CloudTrail
- Must set header “x-amz-server-side-encryption”: “aws:kms”
- Has quotas (each upload/download also calls the KMS API, which has request quotas)
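A sketch of an SSE-KMS upload; boto3 sets the “x-amz-server-side-encryption” header from these parameters (bucket, key, and KMS key ARN are placeholders):

```python
import boto3

# Sketch: upload an object encrypted server-side with a KMS key.
s3 = boto3.client("s3")

s3.put_object(
    Bucket="my-example-bucket",
    Key="reports/secret.txt",
    Body=b"sensitive content",
    ServerSideEncryption="aws:kms",
    SSEKMSKeyId="arn:aws:kms:eu-west-1:123456789012:key/1111aaaa-placeholder",
)
```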
SSE-C:
- Server-side encryption, user must provide and manage keys outside of AWS
- HTTPS must be used
- Encryption key must be provided in HTTP headers for every HTTP request made
Client-side Encryption:
- Encryption happens on the client side
- Decryption happens on the client side
- The client manages the keys
Encryption in transit (in-flight, SSL/TLS):
- HTTPS is recommended
- If you use SSE-C it’s mandatory
- Possible to deny insecure (non-HTTPS) traffic in a bucket policy using the condition aws:SecureTransport = false
Possible to force a specific encryption type with a bucket policy condition on “s3:x-amz-server-side-encryption” (e.g. “aws:kms”).
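A sketch of the deny-insecure-traffic policy applied with boto3 (the bucket name is a placeholder):

```python
import json

import boto3

# Sketch: a bucket policy that denies any request not made over HTTPS.
s3 = boto3.client("s3")
bucket = "my-example-bucket"

policy = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [
            f"arn:aws:s3:::{bucket}",
            f"arn:aws:s3:::{bucket}/*",
        ],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
}

s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(policy))
```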
S3 CORS
Cross-Origin Resource Sharing - browsers block cross-origin requests unless the bucket allows the origin via a CORS configuration, defined as a JSON document in the bucket settings.
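A sketch of a CORS rule allowing GETs from one web origin (bucket name and origin are placeholders):

```python
import boto3

# Sketch: allow GET requests from a specific web origin.
s3 = boto3.client("s3")

s3.put_bucket_cors(
    Bucket="my-example-bucket",
    CORSConfiguration={
        "CORSRules": [{
            "AllowedOrigins": ["https://www.example.com"],
            "AllowedMethods": ["GET"],
            "AllowedHeaders": ["*"],
            "MaxAgeSeconds": 3600,
        }]
    },
)
```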
S3 MFA Delete
If enabled, MFA is required for destructive operations (e.g. permanently deleting an object version, suspending versioning).
Versioning must be enabled for MFA delete.
Only the bucket owner can enable MFA delete.
Enabled using AWS CLI, setting is visible in versioning tab.
After that, it’s not possible to permanently delete object versions from the console, only from the CLI.
S3 Access Logs
- Any request made to the bucket will be logged into another S3 bucket
- The data can be analyzed using data analysis tools
- The target logging bucket must be in the same AWS region
- Do not set the logging bucket to be the same as the monitored bucket (it creates a logging loop)
S3 Pre-signed URLs
- Expiration from 1 min to 720 mins (12 hrs)
- The user given the URL inherits the permissions of the user that generated it for that object
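A sketch of generating a pre-signed GET URL with boto3 (bucket and key are placeholders):

```python
import boto3

# Sketch: create a pre-signed GET URL valid for one hour. The URL carries
# the permissions of the credentials that generated it.
s3 = boto3.client("s3")

url = s3.generate_presigned_url(
    ClientMethod="get_object",
    Params={"Bucket": "my-example-bucket", "Key": "private/report.pdf"},
    ExpiresIn=3600,                     # seconds
)
print(url)
```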
S3 Access Points
- Each access point has its own access point policy (similar to a bucket policy) that grants access to a prefix/path in the bucket
- Access Points simplify security management for S3 buckets at scale
- Each access point has its own DNS name
To access an access point from within a VPC, you additionally need to create a VPC endpoint.
S3 Object lambda
Data accessed through an S3 Object Lambda Access Point is modified by a Lambda function before it is returned to the caller.
Use it to enhance or transform the original data differently per Access Point (or user group).