AWS certified developer associate hints. Route53, CloudFront, S3 (part III)

AWS Route 53

  • Highly available, scalable, fully managed and Authoritative DNS
  • Route 53 is also a Domain registrar
  • Ability to check the health of your resources
  • The only AWS service which provide 100% availability SLA
  • Why route 53? 53 is a reference to the traditional DNS port

Each record of route 53 has:

  • Domain/subdomain name
  • Record type
  • Value
  • Routing policy
  • TTL

Route 53 Record types

  • A - maps a hostname to IPv4
  • AAAA - maps a hostname to IPv6
  • CNAME - maps a hostname to another hostname, the target is a domain name which must have an A or AAAA record, Can’t create a CNAME record for the top node of a DNS namespace
  • NS - name servers for the hosted zones, control how traffic is router for a domain

Hosted zones

  • A container for records that define how to route traffic to a domain and its subdomains
  • Public hosted zone - contains records that specify how to route traffic on the Internet
  • Private Hosted zones - contain records that specify how you route traffic within one or more VPCs

Route 53 Record TTL

Used to cache results for clients.

Cached per client.

Possible to check with “dig” command.

CNAME vs ALIAS

AWS resource expose an AWS hostname and you want to connect it to your domain.

CNAME - possible to map a host name to any other hostname aside from ROOT.

ALIAS - possible to map hostname to AWS resource, work for ROOT domain.

Alias records:

  • Map a hostname to an AWS resource
  • An extension to DNS functionally
  • Automatically recognize changes in the resources IP address
  • Unlike CNAME it can be used for the top node of a DNS namespace (Zone Apex)
  • Alias record is always of type A/AAAA for AWS resources
  • You can not set TTL

Route 53 Health checks

  • HTTP health checks are only for public resources
  • Health check = automated DNS failover
  • Possible to monitor endpoint, other health check, cloud watch alarms
  • Health checks are integrated with Cloud Watch metrics
  • About 15 global health checkers will check the endpoint health
  • Healthy/unhealthy threshold is 3 (default)
  • Interval 30 sec (can set to 10 sec higher cost)
  • Supported protocol HTTP, HTTPS and TCP
  • Health checks pass only when the endpoint responds with 2xx and 3xx codes
  • Health checks can be set up to pass/fail based on text in response, in the first 5120 bytes
  • Configure you router/firewall to allow incoming requests from Route 53 health checkers

Calculated health checks:

  • Combine the result of multiple health checks in a single one
  • You can use OR, AND or NOT
  • Can monitor up to 256 Child health checks
  • Specify how many of the health checks need to pass to make the parent pass

Route 53 Routing policies

Simple routing policy:

  • Typically route traffic to a single resource
  • Can specify multiple values in the same record
  • If multiple values are returned a random one is chosen
  • When alias enabled, specify only one AWS resource
  • Can’t be associated with health checks

Weighted routing policy:

  • Control the % of the requests that go to each specific resource
  • Assign each record a relative weight
  • DNS records but have the same name and type
  • Can be associated with health checks

Latency based:

  • Redirect to the resource that has the least latency close to us
  • Super helpful when latency for users is a priority
  • Latency is based on traffic between users and AWS regions
  • Can be combined with health check

Fail over:

  • Provide 2 instances, main one and failover
  • If the main is considered as not healthy, redirect to failover

Geo Location:

  • Different from latency based
  • This routing is based on user location
  • Should created a default record, in case there is no matching location

Geo proximity:

  • Route traffic to your resource base on the geographic location of users and resources
  • Ability to shift more traffic to resources based on the defined bias

IP based routing:

  • Routing is based on the client IP address
  • You provide a list of CIDRs for your client and corresponding endpoints

Multi-value:

  • Use when routing traffic to multiple values/resources
  • Route 53 return multiple values
  • Can be associated with health checks
  • Up to 8 healthy records are returned for each
  • Multi value is a not substitute for having an ELB

AWS CloudFront

  • Content delivery network
  • Improve read performance, content is cached at the edge
  • Improve user experience
  • 216 point of presence globally
  • DDoS protection integration with AWS Shield, AWS Web Application Firewall

CloudFront Origins

S3 bucket:

  • For distributing files and caching them at the edge
  • Enchanced security with CloudFront Origin Access Control
  • OAC is replacing Origin Access Identity
  • CloudFront can be used as an ingress (to upload files to S3)

Custom origin (HTTP):

  • Application load balancer
  • EC2 instance
  • S3 Website

CloudFront vs S3 Cross Region Replication

Cloud front
- global edge network:

  • files are cached
  • great for static content that must be available

S3 cross region replication:

  • must be setup for each region
  • files are updated in near real-time
  • read only
  • great for dynamic content

CloudFront cache

CloudFront cache keys:

  • A unique identifier for every object in the cache
  • By default consists of hostname + resource portion of the URL
  • You can add other elements to the Cache key using CloudFront Cache Policies

CloudFront Cache Policies:

  • HTTP headers
  • Cookies
  • Query string
  • TTL (0 seconds - 1 year)

Strategies:

  • None - don’t include query string
  • Whitelist - specify what’s included
  • Include All-Except - specify what’s not included
  • All - include all

CloudFront - Cache Behavior

  • Configure different settings for a given URL path pattern
  • Route to different kind of origins/origin groups based on the content type or path (/images/* and /api/*)
  • When adding additional Cache behaviors, the default cache behavior is always the last to be processed and is always “/*”

CloudFront - ALB or EC2 as origin

  • No private cloud connectivity
  • Public IP of edge locations must be allowed in security groups

CloudFront Geo Restrictions

  • Possible to define Allowlist and Blocklist
  • The country is determined using a 3rd party Geo-IP data

CloudFront Signed URL/ Signed cookie

Distribute paid shared content to premium users.

Policy contains:

  • URL expiration
  • IP ranges to access
  • Trusted signers (which AWS account can generate)

Signed URL = one file, Signed Cookies = many files.

Two types of signers:

  • trusted group (recommended)
  • aws account that contains a CloudFront Key Pair

CloudFront Signed URL vs S3 Pre-signed URL

CloudFront:

  • Allow access to a path, no matter the origin
  • Account wide key-par, only the root can manage it
  • Can be filtered by IP, path, data, expiration
  • Can leverage caching feature

S3:

  • Issues a request as a person who presigned the URL
  • Uses the IAM key of the IAM principle
  • Limited lifetime

CloudFront - Price Classes

  • All - best performance
  • Price class 200 - most regions, but exclude the most expensive
  • Price Class 100 - only the least expensive regions

CloudFront Origin Groups

  • Increases high availability and do failover
  • Origin Group: one primary and one secondary origin
  • If the primary origin fails, the second one is used

CloudFront - Field Level Encryption

  • Protect user sensitive information through application stack
  • Adds an additional layer of security with HTTPS
  • Sensetive information encrypted at the edge close to use
  • Uses asymmetric encryption

CloudFront - Real Time logs

  • Get real-time requests received by CloudFront sent to Kineses data streams
  • Monitor, analyze and take actions based on content delivery performance
  • Allow sampling rate in percentage
  • Specific fields and Cache Behaviors

Amazon S3

Used for:

  • backup and storage
  • disaster recovery
  • archive
  • hibrid coud storage
  • application hosting
  • media hosting
  • data lake & big data analytics
  • software delivery
  • static websites

Bucket stores objects buckets must have global unique name (across all regions and accounts).

Buckets are defined at the region level.

Naming:

  • no uppercase, no underscore
  • 3-63 characters long
  • not an IP
  • must start with lowercase letter or number
  • must not start with the prefix xn - -

Object has keys, key is full path, prefix + object name.

Max size is 5 TB.

If file is larger then 5Gb you must use multi-part upload.

Metadata - key value pairs.

Tags - useful for security.

Version id - if versioning enabled.

Amazon S3 security

User-based:

  • IAM policies - which API calls should you be allowed

Resource-based:

  • Bucket policies - bucket wide rules from s3 console - allows cross account access
  • object access control list (ACL) - fine grain (can be disabled)
  • bucket access control list (ACL) - less common (can be disabled)

For EC2 instances we use IAM roles, not IAM users.

Amazon S3 Versioning

  • It’s enabled on bucket level
  • Same key overwrite will change the version
  • Protects against unintended deletes (create delete marker)
  • Easy roll back to previous version
  • Any file that was in bucket before, will get version “null”
  • Suspending versioning doesn’t delete the previous version

Amazon S3 Replication

There are 2 types, Cross region replication and Same region replication

  • Must enable versioning in source and destination buckets
  • Buckets can be in different AWS accounts
  • Copying is asynchronous
  • Must give proper IAM permissions to s3
  • Only new objects will be replicated
  • Optionally, you can replicate existing using s3 batch replication

For delete operation:

  • can replicate delete markets from source to target (optional setting)
  • deletion with a version ID are not replicated

There is no “chaining” of replication:

  • if bucket 1 has replication into 2, which has replication into bucket 3
  • object from bucket 1 are not replicated into bucket 3

S3 Storage Classes

  • S3 Standard - general purpose
  • S3 Standard-Infrequent Access (IA)
  • S3 One Zone-Infrequent Access
  • S3 Glacier Instant Retrieval
  • S3 Glacier Flexible Retrieval
  • S3 Glacier Deep Archive
  • S3 Intelligent Tiering

S3 Durability and Availability

Durability how many files lost:

  • high durability (99.999999999 || 9s) of
  • if you store 10 000 000 object, expect a loss of 1 object once every 10 000 years
  • same for all storage classes

Availability how available the storage is
 - measure how readily available a service is:

  • varies on storage class
  • s3 standard has 99.99 availability = not available 53 mins a year

S3 Standard - general purpose:

  • 99.99 availability
  • Used for frequently accessed data
  • Low latency and high throughput
  • Sustain 2 concurrent facility failures

S3 Standard-Infrequent Access (IA):

  • 99.9 available
  • less frequent access but requires rapid access
  • lower cost than s3 standard

S3 One Zone-Infrequent Access:

  • 99.5 available
  • high durability but dates lost when AZ is destroyed

S3 Glacier Instant Retrieval:

Pricing per storage + object retrieval costs.

  • milliseconds retrieval
  • minimum storage duration of 90 days

S3 Glacier Flexible Retrieval:

  • expedited (1 to 5 minutes), standard (3 to 5 hours), bulk (5 to 12 hours) - free
  • minimum storage duration of 90 days

S3 Glacier Deep Archive:

  • Standard (12 hrs), Build (48 hrs)
  • Minimum storage duration of 180 days

S3 Intelligent Tiering:

  • Small monthly monitoring auto-tiering fee
  • Moves object automatically between tiers
  • No retrieval charge

Frequent access tier (auto) default.

Infrequent access tier (auto) not accessed for 30 days.

Archive instant tier (auto) not accessed for 90 days.

Archive access tier (optional) config from 90 to 700+ days.

Deep archive tier (optional) config from 180 to 700+ days.

S3 Lifecycle rules

  • Transition actions - configure object to transition to another storage class
  • Expiration actions - configure objects to expire (example: logs in 365, old version if versioning is enabled, incomplete Multi-Part)
  • Rules can be created for a certain prefix
  • Rules can be created for certain object Tags (ex: Department)

S3 Analytics gives you a CSV report on when to move object between tiers.

S3 Event Notifications

  • S3:ObjectCreated, S3:ObjectRemoved, S3:ObjectRestore, S3:Replication…
  • Object name filtering possible (e.g. ".jpg" suffix)

S3 notifications could go to SNS, SQS, Lambda, event bridge (can be sent to 18 services from it).

S3 Performance

Latency 100-200ms.

3500 put/copy/post/delete and 
5500 get/head per second per prefix in a bucket.

S3 transfer acceleration, increase speed by transferring file to edge locations and forwarding to the target region(over fast private AWS network).

S3 Byte-Range Fetches - parallelize GET requests by specific byte range, or get XX bites of the file.

S3 Select and Glacier Select

  • Retrieve less data using SQL by performing server-side filtering
  • Can filter by rows and columns
  • Less network transfer, less CPU costs

S3 Object Tags and Meta

Meta data:

  • User defined metadata begins with “”x-amz-meta-“
  • Must be lowercase

Object tags:

  • key-value pairs for objects in s3
  • useful for fine-grained permissions
  • useful for analytics

Not possible to search using metadata or object tags.

If you want to search, you need to build external search index.

Amazon S3 Object encryption

Server-side encryption:

  • server side encryption with Amazon S3-Managed keys (SSE-S3) enabled by default
  • server-side encryption with KMS (SSE-KMS)
  • server-side encryption with custom provided keys (SSE-C)
  • client-side Encryption, encrypt on the client and upload

SSE-S3:

  • encrypted keys handled, managed, and owned by AWS
  • Objects is encrypted server-side
  • Encryption type is AES-256
  • Must set header “x-amz-server-side-encryption”: “AES256”
  • Enabled by default

SSE-KMS:

  • Encryption using keys handled and managed by AWS KMS
  • KMS advantage: user control + audit key usage using CloudTrail
  • Must set header “x-amz-server-side-encryption”: “aws:kms”
  • Has quotas

SSE-C:

  • Server-side encryption, user must provide and manage keys outside of AWS
  • HTTPS must be used
  • Encryption key must be provided in HTTP headers for every HTTP request made

Client-side Encryption:

  • Encryption happens on the client side
  • Decryption happens on the client side
  • Client manage keys

Encryption in transit (in flight ssl/tls):

  • HTTPS is recommended
  • If you use SSE-C it’s mandatory
  • Possible to deny not secure traffic in policy
  • aws:SecureTransport: false

Possible to force encryption with a bucket policy “s3:x-amz-server-side-encryption”: “aws:kms”.

S3 CORS

Cross-origin Request sharing - blocks not same origin, define as JSON object in bucket settings

S3 MFA Delete

MFA is required only for dangerous operations if enabled.

Versioning must be enabled for MFA delete.

Only the bucket owner can enable MFA delete.

Enabled using AWS CLI, setting is visible in versioning tab.

After that it’s not possible to delete from UI, only from CLI.

S3 Access Logs

  • Any request made to s3 will be logged in s3 bucket
  • The data can be analyzed using data analysis tools
  • The target logging bucket must be in the same AZ
  • Do not set logs bucket same as origin bucket

S3 Pre-signed URLs

  • 1 min to 720 mins (12hrs)
  • User will have same permission as you for this object

S3 Access Points

  • Bucket policy which give access to the bucket
  • Access point simplify security management for S3
  • Each access point will have it’s own DNS

If access to VPC needed, you need to create additionally VPC endpoint.

S3 Object lambda

Data that access through Access Point, modified by lambda function S3 Lambda object Access Point.

Enhance and change origin data for different Access Points (or user groups).