CSAA

AWS Certified Solutions Architect Associate (SAA-C01)

  • Create an AWS account
  • Sign in to the newly created AWS account
  • Create billing alerts for notification of free tier consumption
  • Create billing alarms on the CloudWatch billing metric, notifying via an SNS topic
  • Enable Cost Explorer in My Account-->My Billing Dashboard
  • Enable MFA (Multi-Factor Authentication) in My Account-->My Security Credentials-->MFA-->Activate MFA-->Virtual MFA Device

Architecture 101

Access Management

Principal: A person or application that can make an authenticated or anonymous request to perform an action on a system.

Authentication: The process of authenticating a principal against an identity. This could be via username and password or via API keys.

Identity: An object that requires authentication and can be authorized to access resources.

Authorization: The process of checking, and then allowing or denying, access to a resource for an identity.
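The four terms above fit together as one request path: a principal presents a credential, it is authenticated against an identity, and the identity's policies are evaluated to authorize the action. The following is an added illustration of that path as a small IAM-style model; it is example code, not AWS code. The ARNs, API key and policy documents are constructed sample data. The evaluation order is the one AWS documents for IAM policies: an explicit Deny beats any Allow, and a request no statement matches is implicitly denied.

```python
"""Added IAM-style model of principal -> authentication -> identity -> authorization.
Example code, not AWS code. All ARNs, keys and policies are constructed samples."""
from fnmatch import fnmatchcase
import hashlib
import hmac
import secrets


def _hash_key(api_key: bytes, salt: bytes) -> bytes:
    """Salted hash so the store never holds a raw API key."""
    return hashlib.sha256(salt + api_key).digest()


class IdentityStore:
    """Identities, each with a credential (for authentication) and attached policies."""

    def __init__(self):
        self._records = {}

    def add_identity(self, name, api_key, policies):
        salt = secrets.token_bytes(16)
        self._records[name] = {"salt": salt, "hash": _hash_key(api_key, salt), "policies": policies}

    def authenticate(self, name, api_key):
        """Authentication: map a claimed identity plus credential to an identity name, or None."""
        rec = self._records.get(name)
        if rec is None:
            return None
        ok = hmac.compare_digest(_hash_key(api_key, rec["salt"]), rec["hash"])
        return name if ok else None

    def policies(self, name):
        return self._records[name]["policies"]


def _matches(statement, action, resource):
    """Action/Resource may be a string or a list; '*' wildcards as in IAM."""
    acts = statement["Action"] if isinstance(statement["Action"], list) else [statement["Action"]]
    ress = statement["Resource"] if isinstance(statement["Resource"], list) else [statement["Resource"]]
    return any(fnmatchcase(action, a) for a in acts) and any(fnmatchcase(resource, r) for r in ress)


def authorize(policies, action, resource):
    """Authorization: explicit Deny > Allow > implicit Deny."""
    decision = "Deny (implicit)"
    for policy in policies:
        for st in policy["Statement"]:
            if not _matches(st, action, resource):
                continue
            if st["Effect"] == "Deny":
                return "Deny (explicit)"      # nothing can override an explicit Deny
            decision = "Allow"
    return decision


# Constructed sample policies. An anonymous principal only ever gets PUBLIC_READ.
PUBLIC_READ = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                              "Resource": "arn:aws:s3:::public-site/*"}]}
ALICE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::reports/*"},
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::reports/*"},
]}


def build_store():
    store = IdentityStore()
    store.add_identity("alice", b"constructed-sample-key", [ALICE_POLICY, PUBLIC_READ])
    return store


def handle_request(store, principal, api_key, action, resource):
    """A principal's request: authenticate first (unless anonymous), then authorize."""
    if principal is None:                       # anonymous request, no credential
        policies = [PUBLIC_READ]
    else:
        identity = store.authenticate(principal, api_key)
        if identity is None:
            return "Deny (authentication failed)"
        policies = store.policies(identity)
    return authorize(policies, action, resource)


if __name__ == "__main__":
    s = build_store()
    print(handle_request(s, "alice", b"constructed-sample-key", "s3:GetObject", "arn:aws:s3:::reports/q1.csv"))
    print(handle_request(s, "alice", b"constructed-sample-key", "s3:DeleteObject", "arn:aws:s3:::reports/q1.csv"))
    print(handle_request(s, None, None, "s3:GetObject", "arn:aws:s3:::reports/q1.csv"))
```

Note the separation: a failed credential check never reaches policy evaluation, and the Deny on s3:DeleteObject wins even though s3:* on the same resource is allowed, which is the behaviour to expect when reading real IAM policies.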

Shared Responsibility Model

Customer: Responsible for security IN the cloud. Customer Data, Platform, Applications, Identity and Access Management, Operating Systems, Network and Firewall Configuration, Encryption (at Rest and in Transit), Network Protection

AWS: Responsible for security OF the cloud. Software, Compute, Storage, Database, Network, Hardware/AWS Global Infrastructure, Regions, Availability Zones, Edge Locations

Service Models

Service models define how a service or product is delivered, how we pay and what we receive. They also define which part of the product we manage and accept the risks for, as well as which part the vendor is responsible for.

Data-->Applications-->Code Runtime-->Operating System (OS)-->Virtualization-->Host/Servers-->Network and Storage-->Data Center

IaaS: Infrastructure as a Service: Data-->Applications-->Code Runtime-->Operating System managed by the customer. For example: AWS EC2 Instances, Microsoft Exchange

PaaS: Platform as a Service: Data-->Applications managed by the customer. For example: AWS Kubernetes

SaaS: Software as a Service: Data is managed by the customer. For example: Netflix, Office 365, Gmail

FaaS: Function as a Service: Data-->partial Application managed by the customer. For example: AWS Lambda

High Availability Vs Fault Tolerance

High Availability: Hardware, software and configuration allowing a system to recover quickly in the event of a failure. The goal is quick recovery, not preventing the failure.

Fault Tolerance: A system designed to operate through a failure with no user impact. More expensive and complex to achieve. For example, using an ELB to divert traffic from a faulty instance to a working one.

Disaster Recovery

Recovery Point Objective (RPO): How much data a business can tolerate losing, expressed in time: the maximum interval between a failure and the last successful backup.

Recovery Time Objective (RTO): The maximum amount of time a system can be down. How long a solution takes to recover.

Scaling

Vertical Scaling is achieved by adding additional resources, in the form of CPU or memory, to an existing machine. By doing so, the machine is able to service additional customers or perform compute tasks more quickly. Eventually, the maximum machine size will constrain our ability to scale, either technically or from a cost perspective.

Horizontal Scaling is achieved by adding additional machines into a pool of resources, each of which provides the same service. Horizontal scaling suffers none of the size limitations of vertical scaling and can scale to nearly infinite levels, but it requires application support to scale effectively.

Tiered Application Design

Architecturally, applications consist of three tiers:

Presentation tier interacts with the consumer of the application

Logic tier delivers the application functionality

Data tier controls interaction with a database of some kind

If these tiers are implemented in the same code base and not separated, we refer to it as a monolithic application. A monolithic application is hard to scale, and scaling generally has to be done vertically.

On the other hand, applications, if designed correctly, implement the tiers as isolated components. Architecturally, these can be provisioned on separate machines or pools of machines. As each tier has differing demands on CPU, memory and disk I/O, this allows each tier's performance to be managed independently.

Encryption

Encryption is the process of converting plaintext into ciphertext; decryption is the reverse process, converting ciphertext back into plaintext. Plaintext and ciphertext can be text, images or any other form of data.

Encryption generally uses an algorithm and one or more keys. It is commonly used to encrypt data at rest or in transit.

The process can be symmetrical (where the same key is used for encryption and decryption) or asymmetrical (where different keys - called public and private keys - are used).

Demo of Symmetrical Encryption:

Start a Linux instance and log in to it.

echo "cats are amazing" > message.txt
gpg -c message.txt (press ENTER and input a passphrase)
ls -la

gpg caches the passphrase, so we clear the gpg agent's cache to simulate having handed the file (message.txt.gpg) and the passphrase to another user, who then decrypts it.

echo RELOADAGENT | gpg-connect-agent
gpg -o output.txt message.txt.gpg (press ENTER and input the passphrase)
ls -la
cat output.txt

Demo of Asymmetrical Encryption:

rm message.txt.gpg (remove file message.txt.gpg)
rm output.txt (remove file output.txt)
gpg --gen-key (press ENTER and input 1 for default encryption selection, press ENTER to accept default key size, press ENTER to accept default expiry state, input y to confirm and press ENTER, input Real name ('userid') and press ENTER, input Email Address and press ENTER, input o to confirm and press ENTER, input a passphrase and press ENTER)

The public and private keys are now generated. Next, export the public component of the key pair:

gpg --armor --output pubkey.txt --export 'userid' (press ENTER)
cat pubkey.txt

Back up the private key:

gpg --armor --output privkey.asc --export-secret-keys 'userid'

Now encrypt the message.txt file using the public key just exported:

gpg --encrypt --recipient 'userid' message.txt

Now decrypt the message.txt.gpg file using the private key just backed up:

gpg --output afterdecryption.txt --decrypt message.txt.gpg (press ENTER and input the passphrase chosen earlier)
ls -la
cat afterdecryption.txt
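To make the difference between the two demos concrete, here is an added, stdlib-only Python model of both gpg modes. It is example code, not gpg and not AWS. symmetric_encrypt mirrors gpg -c: the passphrase is stretched with PBKDF2 into a key and the same passphrase decrypts, so a wrong passphrase is rejected. asymmetric_encrypt mirrors gpg --encrypt --recipient: a fresh random session key is wrapped with the recipient's public key and only the private key can unwrap it (hybrid encryption, which is also how OpenPGP itself works under the hood). Two assumptions are deliberately toy-grade and labelled as such in the code: the RSA is textbook and unpadded with two fixed Mersenne primes, and the keystream is HMAC-SHA256 in counter mode rather than AES; neither is fit for real use, they exist only to show the key relationships.

```python
"""Added model of the gpg -c (symmetric) and gpg --encrypt --recipient (asymmetric)
demos. Example code only: toy RSA and an HMAC-based keystream, not gpg, not AES."""
import hashlib
import hmac
import secrets


def _split(secret: bytes):
    """Derive separate encryption and MAC keys from one secret."""
    return (hmac.new(secret, b"enc", "sha256").digest(),
            hmac.new(secret, b"mac", "sha256").digest())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (illustrative stand-in for AES-CTR)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def _seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def _open(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    # Verify before decrypting: a wrong key fails here, like gpg reporting "decryption failed".
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, "sha256").digest()):
        raise ValueError("decryption failed: wrong key/passphrase or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


# --- symmetric, as in `gpg -c`: the same passphrase encrypts and decrypts ---
def symmetric_encrypt(passphrase: bytes, plaintext: bytes) -> bytes:
    salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", passphrase, salt, 100_000)   # passphrase stretching
    return salt + _seal(*_split(key), plaintext)


def symmetric_decrypt(passphrase: bytes, blob: bytes) -> bytes:
    key = hashlib.pbkdf2_hmac("sha256", passphrase, blob[:16], 100_000)
    return _open(*_split(key), blob[16:])


# --- asymmetric, as in `gpg --gen-key` / `--encrypt --recipient` / `--decrypt` ---
_P, _Q, _E = (1 << 127) - 1, (1 << 89) - 1, 65537   # toy: fixed, well-known Mersenne primes


def generate_keypair():
    """Return (public, private) = ((n, e), (n, d)). The 216-bit modulus is a toy size."""
    n, phi = _P * _Q, (_P - 1) * (_Q - 1)
    return (n, _E), (n, pow(_E, -1, phi))


def asymmetric_encrypt(public, plaintext: bytes) -> bytes:
    """Wrap a random session key with the recipient's public key, then seal the data with it."""
    n, e = public
    session = secrets.token_bytes(24)                         # 192-bit key, below the modulus
    wrapped = pow(int.from_bytes(session, "big"), e, n).to_bytes(27, "big")
    return wrapped + _seal(*_split(session), plaintext)


def asymmetric_decrypt(private, blob: bytes) -> bytes:
    """Only the holder of d can recover the session key and therefore the message."""
    n, d = private
    m = pow(int.from_bytes(blob[:27], "big"), d, n)
    if m >= 1 << 192:                                         # not wrapped with our public key
        raise ValueError("decryption failed: not encrypted to this key")
    return _open(*_split(m.to_bytes(24, "big")), blob[27:])


def demo() -> dict:
    """Round-trip the demo's message both ways and show a wrong passphrase being rejected."""
    msg = b"cats are amazing"
    sym = symmetric_encrypt(b"correct horse", msg)
    pub, priv = generate_keypair()
    asym = asymmetric_encrypt(pub, msg)
    try:
        symmetric_decrypt(b"wrong passphrase", sym)
        rejected = False
    except ValueError:
        rejected = True
    return {"symmetric": symmetric_decrypt(b"correct horse", sym),
            "asymmetric": asymmetric_decrypt(priv, asym),
            "wrong_passphrase_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

The point to take from the asymmetric half is that the bulk data is still encrypted symmetrically; the public key only protects the session key, which is why gpg can encrypt a large file to a recipient without the recipient's private key ever touching the file directly.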

Cost Efficient or Cost Effective

Implementing a solution within AWS using products or product features that provide the required service for as little initial and ongoing cost as possible. Using our funds effectively, and knowing whether product X is better or worse than product Y for a given solution.

Secure

In a systems architecture context, implementing a given solution so that it secures data and operations as much as possible against internal or external attack.

Application session state

Data that represents what a customer is doing, what they have chosen, or what they have configured. Examples include the items and quantities in a shopping cart, notes on an X-ray, and the 3D position in a real-time heart scan. Session state can be stored on a server (stateful server) or external to the server (stateless server).

Undifferentiated heavy lifting

A part of an application, system or platform that is not specific to our business. Allowing a vendor (AWS) to handle this part frees our staff to work on adding direct value to our customers.

Next: AWS Architecture