Tips and hints for anyone preparing to take the AWS Certified SysOps Administrator exam (2018). Useful for a review in the days before the actual exam. Feel free to make a PR to improve the content. PDF version at https://tinyurl.com/aws-csoaa-tips.


AWS Certified SysOps Administrator – Associate (Tips)

  • AWS Direct Connect is a cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS. Using AWS Direct Connect, you can establish private connectivity between AWS and your datacenter, office, or colocation environment, which in many cases can reduce your network costs, increase bandwidth throughput, and provide a more consistent network experience than Internet-based connections.
  • You can create three types of Amazon Route 53 health checks:
    • Health checks that monitor an endpoint.
    • Health checks that monitor other health checks (calculated health checks).
    • Health checks that monitor CloudWatch alarms.
  • PercentIOLimit – Shows how close a file system is to reaching the I/O limit of the General Purpose performance mode. If this metric is at 100 percent more often than not, consider moving your application to a file system using the Max I/O performance mode.
  • ACM provides managed renewal for your Amazon-issued SSL/TLS certificates. This means that ACM will either renew your certificates automatically (if you are using DNS validation), or it will send you email notices when expiration is approaching. These services are provided for both public and private ACM certificates.
  • Having a single login URL for different AWS accounts is not possible.
  • If you want to remediate non-compliant security groups, you can do so using AWS Systems Manager Automation documents. These documents define the actions to be performed on noncompliant AWS resources evaluated by AWS Config Rules.
  • You can improve performance by increasing the proportion of your viewer requests that are served from CloudFront edge caches instead of going to your origin servers for content; that is, by improving the cache hit ratio for your distribution. This can be done by doing any of the following:
    • Increase the TTL of your objects.
    • Configure the distribution to forward only the required query string parameters, cookies, or request headers for which your origin will return unique objects.
    • Remove the Accept-Encoding header when compression is not needed.
    • Serve media content by using HTTP.
  • AWS Backup follows the default mechanism for taking backups. For EBS volumes, the default mechanism is to back up with no-reboot behavior. This means that AWS Backup cannot help you create an AMI that guarantees file system integrity, since you need to reboot the instance to do this.
  • A resource is considered to have drifted if any of its actual property values differ from the expected property values. This includes if the property or resource has been deleted. To determine the configured changes in the resources, you can use drift detection. Drift detection enables you to detect whether a stack’s actual configuration differs, or has drifted, from its expected configuration. Resolving drift helps to ensure configuration consistency and successful stack operations.
  • Oracle database on a RAC configuration is not supported by RDS.
  • A NAT instance/gateway does not support IPv6 addresses. You have to use an egress-only Internet gateway instead.
  • Associate the CreationPolicy attribute with a resource to prevent its status from reaching CREATE_COMPLETE until AWS CloudFormation receives a specified number of success signals or the timeout period is exceeded.
  • Access logging is an optional feature of Elastic Load Balancing that is disabled by default. After you enable access logging for your application load balancer, Elastic Load Balancing captures the logs and stores them in the Amazon S3 bucket that you specify as compressed files.
  • AWS Systems Manager Run Command lets you remotely and securely manage the configuration of your managed instances.
  • AWS Storage Gateway connects an on-premises software appliance with cloud-based storage to provide seamless integration with data security features between your on-premises IT environment and the AWS storage infrastructure.
  • You can configure your AWS account to enforce the encryption of the new EBS volumes and snapshot copies that you create.
  • The WaitOnResourceSignals property specifies whether the Auto Scaling group waits on signals from new instances during an update. Use this property to ensure that instances have completed installing and configuring applications before the Auto Scaling group update proceeds. AWS CloudFormation suspends the update of an Auto Scaling group after new EC2 instances are launched into the group. AWS CloudFormation must receive a signal from each new instance within the specified PauseTime before continuing the update.
  • When you launch a new EC2 instance, the EC2 service attempts to place the instance in such a way that all of your instances are spread out across underlying hardware to minimize correlated failures. You can use placement groups to influence the placement of a group of interdependent instances to meet the needs of your workload.
  • To enable instances in your VPC to reach your customer gateway, you must configure your route table to include the routes used by your VPN connection and point them to your virtual private gateway.
  • You can use the existing Parameters section of your CloudFormation template to define Systems Manager parameters, along with other parameters. Systems Manager parameters are a unique type that is different from existing parameters because they refer to actual values in the Parameter Store. The value for this type of parameter would be the Systems Manager (SSM) parameter key instead of a string or other value. CloudFormation will fetch values stored against these keys in Systems Manager in your account and use them for the current stack operation.
  • Your launch template determines all the possible Spot capacity pools (instance types and Availability Zones) from which Spot Fleet can launch Spot Instances. However, when launching instances, Spot Fleet uses the allocation strategy that you specify to pick the specific pools from all your possible pools. You can specify one of the following allocation strategies:
      • priceCapacityOptimized
      • capacityOptimized
      • diversified
      • lowestPrice
      • InstancePoolsToUseCount
  • RI discounts apply to accounts in an organization’s consolidated billing family depending upon whether RI sharing is turned on or off for the accounts. By default, RI sharing for all accounts in an organization is turned on. The management account of an organization can change this setting by turning off RI sharing for an account.
  • Amazon S3 inventory is one of the tools Amazon S3 provides to help manage your storage. You can use it to audit and report on the replication and encryption status of your objects for business, compliance, and regulatory needs.
  • In a Multi-AZ deployment, Amazon FSx automatically provisions and maintains a standby file server in a different Availability Zone.
  • Since tags are case-sensitive, giving them a consistent naming format is a good practice. Depending on how your tagging rules are set up, a disorganized naming convention may lead to permission issues like the one described in the scenario. In the scenario, the administrator can leverage the required-tags managed rule in AWS Config. This rule checks whether a resource contains the tags that you specify.
  • As your infrastructure grows, common patterns can emerge in which you declare the same components in multiple templates. You can separate out these common components and create dedicated templates for them. Then use the AWS::CloudFormation::Stack resource in your template to reference those other templates, creating nested stacks.
  • With RAID 0, I/O is distributed across the volumes in a stripe. If you add a volume, you get the straight addition of throughput and IOPS. The resulting size of a RAID 0 array is the sum of the sizes of the volumes within it, and the bandwidth is the sum of the available bandwidth of the volumes within it. For example, two 500 GiB io1 volumes with 4,000 provisioned IOPS each create a 1,000 GiB RAID 0 array with an available bandwidth of 8,000 IOPS and 1,000 MiB/s of throughput.
  • The cfn-signal helper script signals AWS CloudFormation to indicate whether Amazon EC2 instances have been successfully created or updated.
  • By default, Amazon EC2 sends metric data to CloudWatch in 5-minute periods. To send metric data for your instance to CloudWatch in 1-minute periods, you can enable detailed monitoring on the instance.
  • Traffic Mirroring is an Amazon VPC feature that can be used to copy network traffic from an elastic network interface of type interface.
  • The WRITE ACL permission allows the grantee to create, overwrite, and delete any object in the bucket and WRITE_ACP allows the grantee to write the ACL for the applicable bucket.
  • You can also use CloudWatch metric math to aggregate and transform metrics from multiple accounts and Regions. Metric math enables you to query multiple CloudWatch metrics and use math expressions to create new time series based on these metrics.
  • Route 53 Resolver is a regional DNS service that provides recursive DNS lookups for names hosted in EC2 as well as public names on the internet. This functionality is available by default in every Amazon Virtual Private Cloud (VPC). If you have workloads that leverage both VPCs and on-premises resources, you need to resolve DNS records hosted on-premises.
  • Backtracking “rewinds” the DB cluster to the time you specify. Backtracking is not a replacement for backing up your DB cluster so that you can restore it to a point in time.
  • When you purchase a Reserved Instance, you can choose between a Standard or a Convertible offering class. The Reserved Instance applies to a single instance family, platform, scope, and tenancy over a term. If your computing needs change, you may be able to modify or exchange your Reserved Instance, depending on the offering class.
  • Creating a DB snapshot on a Single-AZ DB instance results in a brief I/O suspension that can last from a few seconds to a few minutes, depending on the size and class of your DB instance. Multi-AZ DB instances are not affected by this I/O suspension, since the backup is taken on the standby.
  • The Auto Scaling group can grow up to ten percent larger than its maximum size.
  • If the number of evictions increases, you should add more nodes to your existing Memcached cluster.
  • If you notice a significant increase in the number of HTTP 503 Slow Down responses received for Amazon S3 PUT or DELETE object requests to a bucket that has versioning enabled, you might have one or more objects in the bucket for which there are millions of versions. When you have objects with millions of versions, Amazon S3 automatically throttles requests to the bucket to protect the customer from an excessive amount of request traffic, which could potentially impede other requests made to the same bucket.
  • Amazon RDS Proxy can improve application recovery time after database failovers. RDS Proxy reduces client recovery time after failover by up to 79% for Amazon Aurora MySQL and by up to 32% for Amazon RDS for MySQL.
  • The following are a few reasons why your EC2 instance goes from the pending state to the terminated state immediately after restarting it:
    • You’ve reached your EBS volume limit.
    • An EBS snapshot is corrupt.
    • The root EBS volume is encrypted and you do not have permission to access the KMS key for decryption.
    • The instance store-backed AMI that you used to launch the instance is missing a required part (an image.part.xx file).
  • You can generate and download a credential report that lists all users in your account and the status of their various credentials, including passwords, access keys, and MFA devices. You can get this credential report from the AWS Management Console, the AWS SDKs and Command Line Tools, or the IAM API.
  • Cached volumes are only used when you want to store your primary data in Amazon S3 while retaining your frequently accessed data locally in the cache for low latency access.
  • When you create a stack, no stack policy is set, so all update actions are allowed on all resources. To protect stack resources from update actions, define a stack policy and then set it on your stack.
  • After the tag is activated, AWS starts applying the tag to resources that are created after the AWS-generated tag was activated. The AWS-generated tags are available only in the Billing and Cost Management console and reports, and don’t appear anywhere else in the AWS console, including the AWS Tag Editor. The createdBy tag does not count towards your tags-per-resource limit.
  • Amazon RDS Proxy is a fully managed, highly available database proxy for Amazon Relational Database Service (RDS) that makes applications more scalable, more resilient to database failures, and more secure.
  • AWS Artifact is your go-to central resource for compliance-related information that matters to you. It provides on-demand access to AWS’ security and compliance reports and select online agreements.
  • To create an active-passive failover configuration with one primary record and one secondary record, you just create the records and specify Failover for the routing policy. When the primary resource is healthy, Route 53 responds to DNS queries using the primary record. When the primary resource is unhealthy, Route 53 responds to DNS queries using the secondary record.
  • Provisioned IOPS SSD volumes utilize solid-state drives (SSDs) and are best suited for high-performance Amazon EBS storage volumes.
  • AWS Personal Health Dashboard provides alerts and remediation guidance when AWS is experiencing events that may impact you. While the Service Health Dashboard displays the general status of AWS services, Personal Health Dashboard gives you a personalized view into the performance and availability of the AWS services underlying your AWS resources.
  • You need to set the “Evaluate Target Health” flag to true on Route 53. This way, Route 53 checks both ALB entries to ensure that your ALBs are responding, and then decides to which ALB it will direct the user. If one region goes down, Route 53 will know it via the “Evaluate Target Health” setting and will not direct users to that region’s ALB.
  • Amazon S3 Transfer Acceleration is a bucket-level feature that enables fast, easy, and secure transfers of files over long distances between your client and an S3 bucket. Transfer Acceleration takes advantage of the globally distributed edge locations in Amazon CloudFront. As the data arrives at an edge location, the data is routed to Amazon S3 over an optimized network path.
  • A stack goes into the UPDATE_ROLLBACK_FAILED state when AWS CloudFormation cannot roll back all changes during an update. To resolve this problem, you must fix the error that causes the update rollback to fail and continue to roll back your stack.
  • To increase database security, we recommend that you use AWS Secrets Manager instead of environment variables to store database credentials.
  • The Popular Objects report shows which objects are frequently accessed and gives statistics on those objects. The Usage report tells you the number of HTTP and HTTPS requests that CloudFront responds to from edge locations in selected regions. The Viewers report shows the locations of the viewers that access your content most frequently.
  • The CloudFormation service automatically rolls back the stack in the event of failures.
  • In AWS Cost and Usage reports, you can choose to have AWS publish billing reports to an Amazon Simple Storage Service (Amazon S3) bucket that you own.
  • To meet your connectivity and workload requirements, Aurora Auto Scaling dynamically adjusts the number of Aurora Replicas provisioned for an Aurora DB cluster.
  • With step scaling policies, you can specify the number of seconds that it takes for a newly launched instance to warm up. Until its specified warm-up time has expired, an instance is not counted toward the aggregated metrics of the Auto Scaling group. While scaling out, AWS also does not consider instances that are warming up as part of the current capacity of the group.
  • Amazon Web Services (AWS) monitors the health of each EC2 instance with two status checks. An EC2 instance becomes unreachable if a status check fails. A system status check failure indicates a problem with the AWS systems that your instance runs on. When a problem with an underlying host impacts your production, you can stop and start your instance to migrate from the underlying host.
  • To route domain traffic to an ELB load balancer, use Amazon Route 53 to create an alias record that points to your load balancer.
  • In a VPC, the first four IP addresses and the last IP address in each subnet CIDR block are not available for you to use, and cannot be assigned to an instance.
  • The cfn-init helper script interprets the template metadata that contains the sources, packages, files, and services to set up on the instance.
  • EC2Rescue can help you diagnose and troubleshoot problems on Amazon EC2 Linux and Windows Server instances.
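An added example (not from this repository) showing how the CreationPolicy, cfn-signal, WaitOnResourceSignals and Systems Manager parameter tips above fit together in a single CloudFormation template. The instance type, group sizes, signal count, timeouts and the /example/ami-id parameter name are assumed values.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  # Systems Manager parameter type: the value supplied is the Parameter Store
  # key (/example/ami-id is an assumed name); CloudFormation fetches the stored
  # AMI ID from your account during the stack operation.
  AmiId:
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /example/ami-id
  SubnetId:
    Type: AWS::EC2::Subnet::Id

Resources:
  LaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateData:
        ImageId: !Ref AmiId
        InstanceType: t3.micro
        UserData:
          Fn::Base64: !Sub |
            #!/bin/bash -x
            yum install -y aws-cfn-bootstrap
            # ... install and configure the application here ...
            # Send the exit status of the configuration step as the signal:
            # 0 reports SUCCESS, anything else reports FAILURE immediately
            # (instead of waiting for the CreationPolicy timeout).
            /opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource AutoScalingGroup --region ${AWS::Region}

  AutoScalingGroup:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      MinSize: '2'
      MaxSize: '4'
      DesiredCapacity: '2'
      VPCZoneIdentifier:
        - !Ref SubnetId
      LaunchTemplate:
        LaunchTemplateId: !Ref LaunchTemplate
        Version: !GetAtt LaunchTemplate.LatestVersionNumber
    # The group does not reach CREATE_COMPLETE until 2 SUCCESS signals arrive
    # or 15 minutes pass; a FAILURE signal or the timeout fails the stack,
    # which then rolls back.
    CreationPolicy:
      ResourceSignal:
        Count: 2
        Timeout: PT15M
    # On update, each batch of replacement instances must signal within
    # PauseTime before the rolling update continues.
    UpdatePolicy:
      AutoScalingRollingUpdate:
        MinInstancesInService: 1
        MaxBatchSize: 1
        PauseTime: PT10M
        WaitOnResourceSignals: true
```

Because the signal is tied to the Auto Scaling group resource, a broken boot script surfaces as a failed (and rolled-back) stack rather than as silently unhealthy instances.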
