
Highlights - 4

AWS Lambda

  • AWS Lambda functions always operate from an AWS-owned VPC.
    By default, Lambda functions have full access to the public internet, including AWS APIs (e.g., DynamoDB PutItem, Query).
    VPC access is only required when interacting with private resources in private subnets (e.g., RDS).

    Source: AWS Blog

  • Since Lambda can scale rapidly, implement CloudWatch Alarms for metrics like ConcurrentExecutions or Invocations.
    Also, use AWS Budgets to monitor costs.


Amazon S3 and Glacier Compliance

  • Amazon S3 Object Lock in Compliance mode + S3 Glacier Vault Lock provides ideal WORM protection for regulatory compliance.

  • S3 Object Lock ensures write-once-read-many data integrity.

  • S3 Glacier Vault Lock enforces immutable archive policies that can't be modified once set.


Disaster Recovery (DR) Strategies

Disaster Recovery (DR) involves restoring infrastructure after disruption. AWS supports multiple DR models:

Pilot Light

  • A minimal set of core services is always running in the cloud.
  • Lets the full infrastructure be brought up quickly during recovery.
  • Example: core system components such as databases are always running on AWS.

Backup and Restore

  • Traditional backup to offsite storage (e.g., tapes) → slow recovery.
  • With AWS, use Amazon S3 as the backup destination for faster network-based restores.

Warm Standby

  • A scaled-down functional environment always running.
  • Faster than pilot light due to running app components.

Multi-Site (Active-Active)

  • Runs in both AWS and on-premises infrastructure.
  • Use the Recovery Point Objective (RPO) and Recovery Time Objective (RTO) to guide data replication.
  • Costlier, but the most resilient option.

Source: AWS DR Guide


IAM Roles

Trust Policy

  • Trust policies define who (principals) can assume the role.
  • IAM roles need:
    • Trust policy
    • Identity-based policy
  • IAM only supports one resource-based policy type: role trust policy.
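As an added example (not from the original notes), a small Python check that builds a cross-account trust policy limited to one account plus an sts:ExternalId condition, and a reviewer function that flags trust policies admitting more principals than intended; the account IDs and external ID are constructed placeholders.

```python
# Constructed sample values (placeholders, not real accounts or secrets).
TRUSTED_ACCOUNT = "111122223333"
OWN_ACCOUNT = "999988887777"
EXTERNAL_ID = "example-external-id"


def cross_account_trust_policy(account_id: str, external_id: str) -> dict:
    """Trust policy allowing only one other account to assume the role,
    and only when it presents the agreed sts:ExternalId (confused-deputy guard)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_policy_findings(policy: dict, own_account: str) -> list:
    """Review who a trust policy lets assume the role.
    Returns finding strings; an empty list means no over-broad trust was found."""
    findings = []
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for i, st in enumerate(statements):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow" or not any(
                a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = st.get("Principal", {})
        if principal == "*":
            findings.append(f"statement {i}: Principal '*' lets anyone assume the role")
            continue
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        aws = [aws] if isinstance(aws, str) else aws
        for arn in aws:
            if arn == "*":
                findings.append(f"statement {i}: Principal AWS '*' lets any account assume the role")
            elif f":{own_account}:" not in arn and not st.get("Condition"):
                findings.append(f"statement {i}: cross-account trust of {arn} "
                                "has no Condition (e.g. sts:ExternalId)")
    return findings
```

Run `trust_policy_findings` over each role's trust document (e.g. from `aws iam get-role` output) to spot wildcard principals and unconditioned cross-account trust.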

Amazon API Gateway

API Gateway enables:

  • REST and WebSocket APIs
  • Serverless and containerized workloads
  • Monitoring, throttling, and caching

Acts as the "front door" for backend service access.


Amazon EventBridge vs SNS

  • Amazon SNS does not support third-party (SaaS) event integration.
  • Use Amazon EventBridge to react to events from:
    • SaaS apps
    • AWS services

AWS Auto Scaling Group (ASG)

  • Even if an ASG spans 3 AZs, setting minCapacity = 2 launches 2 instances in separate AZs.
  • When load increases, a 3rd instance is added in the 3rd AZ.
  • The ASG scales in again to maintain the 2-instance HA baseline.

AWS DMS & DynamoDB

AWS DMS supports data migration between:

  • Relational DBs
  • Data warehouses
  • Streaming platforms
  • AWS data stores

DynamoDB

Amazon DynamoDB read/write modes:

  • On-demand
  • Provisioned (default & free-tier eligible)

On-demand mode is ideal if:

  • Workload is unpredictable
  • Usage is unknown
  • You want pay-per-request pricing

Additional features:

  • Deletion protection: prevents accidental table removal
  • Point-in-time recovery (PITR): restore within last 35 days (but doesn’t prevent deletion)

AWS RDS

  • IAM authentication is an alternative login mechanism.
  • For in-transit encryption, use SSL/TLS; it offers stronger security guarantees than IAM authentication alone.

VPC Gateway Endpoints

  • A Gateway Endpoint lets your VPC route traffic to:
    • Amazon S3
    • DynamoDB

Used to securely access these services without needing internet access or NAT.


Load Balancers

  • Network Load Balancer (NLB):
    • Provides a static public IP
    • Ideal for predictable addressing
    • Enables scalability via ASG behind the NLB