- You can use AWS CodeDeploy with a deployment type configured for Blue/Green deployment. To terminate the original fleet after two hours, change the deployment settings of the Blue/Green deployment: set the Original instances value to Terminate the original instances in the deployment group and choose a waiting period of X hours.
- Create an Amazon S3 bucket. Enable logging and provide the Amazon S3 bucket ARN as the WAF logging destination. Bucket names for AWS WAF logging must start with aws-waf-logs- and can end with any suffix you want.
- Utilize EC2 Image Builder to rebuild the custom AMI that includes the latest AWS Systems Manager Agent version. Set up the Auto Scaling group to attach the AmazonSSMManagedInstanceCore role to EC2 instances. Leverage Systems Manager Session Manager for centralized and automated login. Configure logging of session details to Amazon S3. Set up an S3 event notification for new file uploads to notify the security team via an Amazon Simple Notification Service (Amazon SNS) topic.
- You can use a scheduled scaling policy and create a scheduled action with the AWS Lambda function as the scalable target.
- You can designate one of the AWS accounts in your organization as the administrator for Firewall Manager in AWS Organizations. Create an AWS Firewall Manager policy to attach AWS WAF web ACLs to any newly created ALBs and API Gateway APIs.
- In some cases, a Blue/Green deployment fails during the AllowTraffic lifecycle event, but the deployment logs do not indicate the cause for the failure. This failure is typically due to incorrectly configured health checks in Elastic Load Balancing for the Classic Load Balancer, Application Load Balancer, or Network Load Balancer used to manage traffic for the deployment group.
- Set up AWS Config in the AWS account that needs the security best practice implemented. You can use the managed rule required-tags to check if your resources have the tags that you specify.
- When you perform some operations using the AWS Management Console, Amazon S3 uses a multipart upload if the object is greater than 16 MB in size. In this case, the checksum is not a direct checksum of the full object, but rather a calculation based on the checksum values of each individual part.
- The custom resource provider processes the AWS CloudFormation request and returns a response of SUCCESS or FAILED to the pre-signed URL.
- Attribute-based access control (ABAC) is an authorization strategy that defines permissions based on attributes. In AWS, these attributes are called tags. You can attach tags to IAM resources, including IAM entities (users or roles), and to AWS resources. You can create a single ABAC policy or a small set of policies for your IAM principals. These ABAC policies can be designed to allow operations when the principal's tag matches the resource tag.
- When an update to a CloudFormation stack fails, AWS CloudFormation automatically initiates a rollback process to revert the stack to its previous known stable state. In certain cases, such as when there are dependencies on external resources, the rollback process might stall or encounter an error. To help recover from a failed stack update, you can use the ContinueUpdateRollback command.
- The cluster endpoint provides failover support for read/write connections to the DB cluster. If the current primary DB instance of a DB cluster fails, Aurora automatically fails over to a new primary DB instance. During a failover, the DB cluster continues to serve connection requests to the cluster endpoint from the new primary DB instance, with minimal interruption of service. This is why, in the current scenario, the application configuration must point to the cluster endpoint rather than an instance endpoint.
- AWS CloudFormation does not support drift detection of custom resources.
- AWS Global Accelerator can be used in conjunction with Amazon API Gateway to present an Internet-facing API via static IP addresses to end users. This design addresses the need for static IP safe listing; however, it is not useful for reducing latency.
- Oftentimes, you may want to execute some code and actions before terminating an Amazon Elastic Compute Cloud (Amazon EC2) instance that is part of an Amazon EC2 Auto Scaling group. One way to do this is to create a lifecycle hook that puts the instance in the Terminating:Wait state, which holds the instance so you can perform the desired actions before it is terminated from the Auto Scaling group. The Terminating:Wait state can be monitored by an Amazon CloudWatch event, which triggers an AWS Systems Manager automation document to perform the action you want.
- With Amazon CloudWatch cross-account observability, you can monitor and troubleshoot applications that span multiple accounts within a Region. Seamlessly search, visualize, and analyze your metrics, logs, and traces in any of the linked accounts without account boundaries.
- Amazon EC2 Auto Scaling can temporarily exceed the specified maximum capacity of a group by a 10 percent margin (or by a margin of one instance, whichever is greater) during a rebalancing activity.
- When an Auto Scaling group with a mixed instances policy scales in, Amazon EC2 Auto Scaling will first identify which of the two types (Spot or On-Demand) should be terminated. This can temporarily cause a misbalance between the AZs.
- Renumbering IP networks, when possible, is strongly recommended and the best option for two reasons: cost and simplicity. Changing network configurations is not easy, but it is beneficial in the long term because it removes the ongoing cost of running the components required to connect overlapping networks. Having non-overlapping IPs also makes troubleshooting easier when things go wrong, as resources can easily be identified with the network they are deployed to. This also removes the complexity of managing firewall rules across the organization.
- Read replicas can be created in another region and can also be promoted when needed to become standalone DB instances.
- You can use AWS Config to record configuration changes for Dedicated Hosts, and instances that are launched, stopped, or terminated on them. You can then use the information captured by AWS Config as a data source for license reporting.
- Amazon EC2 instances configured for Systems Manager are also described as managed instances. In the console, however, the IDs of your hybrid instances are distinguished from Amazon EC2 instances with the prefix "mi-". Amazon EC2 instance IDs use the prefix "i-".
- VM Import/Export enables you to easily import virtual machine images from your existing environment to Amazon EC2 instances and export them back to your on-premises environment.
- During each deployment lifecycle event, hook scripts can access the following environment variables:
  - APPLICATION_NAME – The name of the application in CodeDeploy that is part of the current deployment (for example, WordPress_App).
  - DEPLOYMENT_ID – The ID CodeDeploy has assigned to the current deployment (for example, d-AB1CDEF23).
  - DEPLOYMENT_GROUP_NAME – The name of the deployment group in CodeDeploy that is part of the current deployment (for example, WordPress_DepGroup).
  - DEPLOYMENT_GROUP_ID – The ID of the deployment group in CodeDeploy that is part of the current deployment (for example, b1a2189b-dd90-4ef5-8f40-4c1c5EXAMPLE).
  - LIFECYCLE_EVENT – The name of the current deployment lifecycle event (for example, AfterInstall).
- An egress-only internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows outbound communication over IPv6 from instances within the VPC to the internet and prevents the internet from initiating an IPv6 connection with instances within the VPC. Unlike an internet gateway (IGW), which allows both inbound and outbound IPv4 traffic, an egress-only internet gateway allows only outbound IPv6 traffic.
- AWS Application Discovery Service helps you plan your migration to the AWS cloud by collecting usage and configuration data about your on-premises servers. Application Discovery Service is integrated with AWS Migration Hub, which simplifies your migration tracking. After performing discovery, you can view the discovered servers, group them into applications, and then track the migration status of each application from the Migration Hub console. The discovered data can be exported for analysis in Microsoft Excel or AWS analysis tools such as Amazon Athena and Amazon QuickSight.
- If a custom resource is used to invoke a Lambda function in AWS CloudFormation, the request will include a pre-signed URL. The Lambda function is responsible for returning a response to the pre-signed URL to indicate if the resource creation was successful or not. If the Lambda function fails to respond to the pre-signed URL, the CloudFormation stack will remain in the CREATE_IN_PROGRESS state and wait for a response.
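The point above is easiest to see in code. The following is an added example, not code from the original page: a minimal custom resource handler structured so that CloudFormation's pre-signed ResponseURL always receives a SUCCESS or FAILED body, even when the resource logic throws. The field names follow the CloudFormation custom resource request/response contract; the worker functions (`greet`, `always_fail`) and the sample event are constructed.

```python
"""Added example, not from the original page: a minimal custom resource handler
that always answers CloudFormation's pre-signed ResponseURL, so a failing
resource yields FAILED instead of a stack stuck in CREATE_IN_PROGRESS.
The request/response field names follow the CloudFormation custom resource
contract; the worker functions and sample event are constructed."""
import json
import urllib.request


def build_response(event, status, reason="", data=None, physical_id=None):
    """Build the JSON body CloudFormation expects at the pre-signed URL."""
    if status not in ("SUCCESS", "FAILED"):
        raise ValueError("status must be SUCCESS or FAILED")
    return {
        "Status": status,
        "Reason": reason or "See the CloudWatch Logs stream for details",
        "PhysicalResourceId": physical_id or event["LogicalResourceId"],
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "Data": data or {},
    }


def send_response(event, body):
    """PUT the body to the pre-signed S3 URL. Content-Type is deliberately empty
    because that is how CloudFormation signed the URL."""
    payload = json.dumps(body).encode()
    req = urllib.request.Request(
        event["ResponseURL"], data=payload, method="PUT",
        headers={"Content-Type": "", "Content-Length": str(len(payload))})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def handle(event, do_work, sender=send_response):
    """Run do_work(event) and report SUCCESS or FAILED. The except branch is the
    important part: any unreported exception leaves the stack waiting."""
    try:
        if event["RequestType"] == "Delete":
            body = build_response(event, "SUCCESS")  # nothing to clean up here
        else:
            body = build_response(event, "SUCCESS", data=do_work(event))
    except Exception as exc:  # report every failure rather than letting it escape
        body = build_response(event, "FAILED", reason=f"{type(exc).__name__}: {exc}")
    sender(event, body)
    return body


def greet(event):
    """Constructed worker for the success path: returns attributes for Fn::GetAtt."""
    return {"Greeting": "hello " + event["ResourceProperties"]["Name"]}


def always_fail(event):
    """Constructed worker for the failure path."""
    raise ValueError("resource creation failed")


# Constructed sample request (shape matches a CloudFormation custom resource event).
SAMPLE_EVENT = {
    "RequestType": "Create",
    "ResponseURL": "https://response-url.example.invalid/presigned",  # placeholder
    "StackId": "arn:aws:cloudformation:us-east-1:111122223333:stack/example/EXAMPLE",
    "RequestId": "example-request-id",
    "LogicalResourceId": "MyCustomResource",
    "ResourceType": "Custom::Example",
    "ResourceProperties": {"Name": "demo"},
}
```

In a real function, `handle(event, greet)` would be called from the Lambda entry point; the `sender` parameter exists so the response path can be exercised without network access.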
- DynamoDB supports two types of secondary indexes:
  - Global secondary index – an index with a partition key and a sort key that can be different from those on the base table. A global secondary index is considered "global" because queries on the index can span all of the data in the base table, across all partitions.
  - Local secondary index – an index that has the same partition key as the base table, but a different sort key. A local secondary index is "local" in the sense that every partition of a local secondary index is scoped to a base table partition that has the same partition key value.
- Amazon DynamoDB global tables are a fully managed, multi-Region, and multi-active database option that delivers fast and localized read and write performance for massively scaled global applications. Global tables provide automatic multi-active replication to AWS Regions worldwide. They enable you to deliver low-latency data access to your users no matter where they are located.
- RefreshCache refreshes the cached inventory of objects for the specified file share. This operation finds objects in the Amazon S3 bucket that were added, removed, or replaced since the gateway last listed the bucket’s contents and cached the results. This operation does not import files into the S3 File Gateway cache storage. It only updates the cached inventory to reflect changes in the inventory of the objects in the S3 bucket. This operation is only supported in the S3 File Gateway types.
- Insights is a feature of X-Ray that records performance outliers and tracks their impact until they are resolved. With insights, issues can be identified where they are occurring and what is causing them, and be triaged with the appropriate severity. Insights notifications are sent as the issue changes over time and can be integrated with your monitoring and alerting solution using Amazon EventBridge.
- Lambda extensions come in two flavors: external and internal. The main difference is that an external extension runs in a separate process and is allowed to run longer to clean up after the Lambda function terminates, whereas an internal one runs in-process.
- When you modify the database engine for your DB instance in a Multi-AZ deployment, Amazon RDS upgrades both the primary and secondary DB instances at the same time. In this case, the database engine for the entire Multi-AZ deployment is shut down during the upgrade.
- You can add an UpdatePolicy attribute to your Auto Scaling group to perform rolling updates (or replace the group) when a change has been made to the group. To specify how AWS CloudFormation handles replacement updates for an Auto Scaling group, use the AutoScalingReplacingUpdate policy.
- You can add a lifecycle hook to your Auto Scaling group so that you can perform custom actions when instances launch or terminate.
- The default runOrder value for an action is 1. The value must be a positive integer (natural number). You cannot use fractions, decimals, negative numbers, or zero. To specify a serial sequence of actions, use the smallest number for the first action and larger numbers for each of the rest of the actions in sequence. To specify parallel actions, use the same integer for each action you want to run in parallel.
- To properly instrument your applications in Amazon ECS, you have to create a Docker image that runs the X-Ray daemon, upload it to a Docker image repository, and then deploy it to your Amazon ECS cluster. You can use port mappings and network mode settings in your task definition file to allow your application to communicate with the daemon container. The AWS X-Ray daemon is a software application that listens for traffic on UDP port 2000.
- An interface VPC endpoint (interface endpoint) can be used to connect to services powered by AWS PrivateLink, which is a technology that enables private access to Amazon Elastic Compute Cloud (Amazon EC2) and Systems Manager APIs using private IP addresses.
- Strongly consistent reads are not supported on global secondary indexes.
- You cannot add a local secondary index to an already existing table.
- You can configure alarms for several scenarios in CloudTrail events. In this case, you can create an Amazon CloudWatch alarm that is triggered when an Amazon S3 API call is made to PUT or DELETE bucket policy, bucket lifecycle, bucket replication, or to PUT a bucket ACL. A CloudTrail trail is required since it will send its logs to a CloudWatch Log group. To create an alarm, you must first create a metric filter and then configure an alarm based on the filter.
- You can call the EC2 CreateSnapshot API directly as a target from CloudWatch Events.
- By default, CodeDeploy removes all files in the deployment location, and an automatic rollback deploys the old revision's files cleanly. Choose the "Retain the content" option for future deployments so that only the files included in the old app revision are deployed and the existing contents are retained.
- Lambda@Edge is a feature of Amazon CloudFront that lets you run code closer to users of your application, which improves performance and reduces latency. Lambda@Edge lets you use CloudFront triggers to invoke a Lambda function.
- To find out what’s preventing your Auto Scaling group from updating correctly during a stack update, work through the following troubleshooting scenarios as needed:
- *Configure WaitOnResourceSignals and PauseTime to avoid problems with success signals.* In your AutoScalingRollingUpdate policy, set the WaitOnResourceSignals property to false. Take note that if WaitOnResourceSignals is set to true, PauseTime changes to a timeout value: AWS CloudFormation waits to receive a success signal until the maximum time specified by the PauseTime value. If a signal is not received, AWS CloudFormation cancels the update and then rolls back the stack with the same settings, including the same PauseTime value.
- *Configure MinSuccessfulInstancesPercent to avoid stack rollback.* If you're replacing a large number of instances during a rolling update and waiting for a success signal for each instance, set the value of the MinSuccessfulInstancesPercent property in your AutoScalingRollingUpdate policy. Take note that setting the MinSuccessfulInstancesPercent property prevents AWS CloudFormation from rolling back the entire stack if only a single instance fails to launch.
- *Configure SuspendProcesses to avoid unexpected changes to the Auto Scaling group.* During a rolling update, suspend the following Auto Scaling processes: HealthCheck, ReplaceUnhealthy, AZRebalance, AlarmNotification, and ScheduledActions. If you're using your Auto Scaling group with Elastic Load Balancing (ELB), you should not suspend the Launch, Terminate, and AddToLoadBalancer processes, because they are required to perform rolling updates. Take note that if an unexpected scaling action changes the state of the Auto Scaling group during a rolling update, the update can fail; the failure can result from an inconsistent view of the group by AWS CloudFormation.
- Although you can configure a trigger to use Amazon SNS to send emails about some repository events, those events are limited to operational events, such as creating branches and pushing code to a branch. Triggers do not use CloudWatch Events rules to evaluate repository events. They are more limited in scope. You can integrate Amazon SNS topics and Lambda functions with triggers in CodeCommit, but you must first create and then configure resources with a policy that grants CodeCommit the permissions to interact with those resources. You must create the resource in the same AWS Region as the CodeCommit repository.
- EC2Rescue can help you diagnose and troubleshoot problems on Amazon EC2 Linux and Windows Server instances. You can run the tool manually or you can run the tool automatically by using Systems Manager Automation and the AWSSupport-ExecuteEC2Rescue document.
- Oracle RAC is supported only when deployed on Amazon EC2, since Amazon RDS and Aurora do not support it.
- The Alert Manager in Amazon Managed Service for Prometheus (AMP) handles the alerts that are sent when the alerting rules are firing.
- In the Security Hub, turn on auto-enable accounts.
- Two ways to fine-tune GuardDuty monitoring are:
  - a trusted IP list, which tells GuardDuty to skip creating a finding if the IP in question is on the list, thereby reducing costs;
  - and, on the opposite end, a threat list, which makes sure GuardDuty creates a finding for the IP in question if it matches one on the list.
- In CloudFormation, the template could be trying to create global resources that must be unique but aren't, such as S3 buckets.
- AWS Control Tower manages a multi-account environment and enforces compliance and security rules across all Organizational Units (OUs). Proactive controls in AWS Control Tower enforce these rules, ensuring that all OUs adhere to the same set of compliance and security rules.
- Permissions boundaries control the maximum permissions that an identity-based policy can grant to an IAM entity, but they do not deny permissions.
- You can use subscription filters to get access to a real-time feed of log events from CloudWatch Logs and have it delivered to other services such as an Amazon Kinesis stream, an Amazon Data Firehose stream, or AWS Lambda for custom processing, analysis, or loading to other systems. When log events are sent to the receiving service, they are Base64 encoded and compressed with the gzip format.
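The following is an added example, not code from the original page, tying together the two points above: a Lambda-style destination for a CloudWatch Logs subscription filter on the CloudTrail log group that reverses the Base64 + gzip encoding and then applies the same condition the metric filter for S3 bucket policy, lifecycle, replication and ACL changes would use. The function names and all sample records and payload values are constructed for this illustration.

```python
"""Added example, not from the original page: a Lambda-style destination for a
CloudWatch Logs subscription filter on the CloudTrail log group. It reverses the
Base64 + gzip encoding and applies the same condition a metric filter would use
to flag S3 bucket policy, lifecycle, replication and ACL changes. Function names
and all sample records are constructed for this illustration."""
import base64
import gzip
import json

# Equivalent metric filter pattern for the alarm-based approach:
# { ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) ||
#   ($.eventName = PutBucketPolicy) || ($.eventName = DeleteBucketPolicy) ||
#   ($.eventName = PutBucketLifecycle) || ($.eventName = DeleteBucketLifecycle) ||
#   ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketReplication)) }
WATCHED_S3_EVENTS = {
    "PutBucketAcl", "PutBucketPolicy", "DeleteBucketPolicy",
    "PutBucketLifecycle", "DeleteBucketLifecycle",
    "PutBucketReplication", "DeleteBucketReplication",
}

def decode_awslogs_event(event):
    """Reverse the subscription-filter encoding: Base64 text -> gzip bytes -> JSON."""
    return json.loads(gzip.decompress(base64.b64decode(event["awslogs"]["data"])))

def encode_awslogs_event(payload):
    """Produce the shape CloudWatch Logs delivers (used here only to build test input)."""
    compressed = gzip.compress(json.dumps(payload).encode())
    return {"awslogs": {"data": base64.b64encode(compressed).decode()}}

def is_bucket_config_change(record):
    """The metric filter condition above, evaluated on one CloudTrail record."""
    return (record.get("eventSource") == "s3.amazonaws.com"
            and record.get("eventName") in WATCHED_S3_EVENTS)

def find_bucket_config_changes(event):
    """Return (eventName, bucketName, principalArn) for each matching log event."""
    payload = decode_awslogs_event(event)
    if payload.get("messageType") != "DATA_MESSAGE":
        return []  # CONTROL_MESSAGE only verifies that the destination is reachable
    hits = []
    for log_event in payload["logEvents"]:
        try:
            record = json.loads(log_event["message"])
        except json.JSONDecodeError:
            continue  # ignore non-JSON lines from mixed log groups
        if is_bucket_config_change(record):
            hits.append((record["eventName"],
                         record.get("requestParameters", {}).get("bucketName", "?"),
                         record.get("userIdentity", {}).get("arn", "?")))
    return hits

# Constructed CloudTrail records inside a constructed subscription-filter payload.
SAMPLE_RECORDS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
     "requestParameters": {"bucketName": "example-data"},
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "requestParameters": {"bucketName": "example-data"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteBucketReplication",
     "requestParameters": {"bucketName": "example-backup"},
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/Admin/bob"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances"},
]
SAMPLE_EVENT = encode_awslogs_event({
    "messageType": "DATA_MESSAGE",
    "logGroup": "CloudTrail/DefaultLogGroup",
    "subscriptionFilters": ["s3-bucket-config-changes"],
    "logEvents": [{"id": str(i), "timestamp": 1700000000000 + i, "message": json.dumps(r)}
                  for i, r in enumerate(SAMPLE_RECORDS)],
})
```

Running `find_bucket_config_changes(SAMPLE_EVENT)` returns only the PutBucketPolicy and DeleteBucketReplication records, which is what the alarm built on the metric filter would fire on.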
- By attaching an SCP to the organization that uses the aws:VpcSourceIp, aws:EC2InstanceSourcePrivateIPv4, aws:EC2InstanceSourceVPC, and aws:SourceVpc condition keys, the company can restrict access based on the source IP of the VPC, the private IPv4 address of the EC2 instance, the source VPC of the EC2 instance, and the source VPC. This ensures that the credentials of each EC2 instance are used exclusively by the instance they are assigned to, preventing any potential misuse or unauthorized access.
- Amazon RDS Proxy is a service that allows applications to pool and share database connections, improving their ability to scale and making them more resilient to database failures. When an application connects to an RDS Proxy, the proxy maintains a pool of connections to the database and reuses these connections across requests.
- The aws:runDocument plugin runs SSM documents stored in Systems Manager or on a local share. You can use this plugin with the aws:downloadContent plugin to download an SSM document from a remote location to a local share, and then run it. This plugin is supported on Linux and Windows Server operating systems.
- With AWS CodeDeploy's native integration with Amazon SNS, notifications may be enabled for deployment (and even instance) events. Up to 10 triggers may be configured for each deployment group.
- API Gateway performance provides a great starting point for handling incoming API requests, i.e., a 10,000 req/s throttle quota. However, as an application scales and experiences increased traffic, it is essential to manage duplicate work in serving requests. API Gateway helps in this regard by providing the capability to enable caching for API stages.
- DynamoDB Accelerator is a fully managed, highly available, in-memory caching service for DynamoDB.
- You cannot attach an SCP to IAM identities.
- When you organize your AWS resources based on lifecycle and ownership, you might want to build a stack that uses resources that are in another stack. You can hard-code values or use input parameters to pass resource names and IDs. However, these methods can make templates difficult to reuse or can increase the overhead to get a stack running. Instead, use cross-stack references to export resources from a stack so that other stacks can use them. Stacks can use the exported resources by calling them using the Fn::ImportValue function.
- AWS offers S3 Cross-Region Replication (CRR) as a fully managed service that automatically replicates objects across S3 buckets in different Regions, ensuring data consistency. With bidirectional replication, changes made to objects in either bucket are automatically replicated to the other, maintaining data consistency between the Regions.
- You can create permissions policies that determine who can access your AWS resources based on the configured attribute value. When you enable ABAC and specify attributes, IAM Identity Center passes the attribute value of the authenticated user into IAM for use in policy evaluation. You can use access control attributes in your permission sets using the aws:PrincipalTag condition key for creating access control rules.
- Account Factory for Terraform (AFT) sets up a Terraform pipeline to help you provision and customize accounts in AWS Control Tower. AFT provides you with the advantage of Terraform-based account provisioning while allowing you to govern your accounts with AWS Control Tower.
- To enable the Enterprise Support option, set the feature flag aft_feature_enterprise_support to true in your AFT deployment input configuration (it is false by default).
- AWS Control Tower provides a single location to easily set up your new well-architected multi-account environment and govern your AWS workloads with rules for security, operations, and internal compliance. You can automate the setup of your AWS environment with best-practices blueprints for multi-account structure, identity, access management, and account provisioning workflow. For ongoing governance, you can select and apply pre-packaged policies enterprise-wide or to specific groups of accounts.
- Amazon S3 Access Points are a feature of S3 that allows you to create unique hostnames with dedicated access policies for your applications or shared datasets.
- CodeBuild handles the environment where the database is set up. If the pipeline execution mode were to be set to PARALLEL, multiple executions would be able to use the database concurrently, possibly leading to data corruption and flaky tests. In order for a pipeline stage to be locked to a single execution, the pipeline execution mode must be set to either QUEUED or SUPERSEDED. However, since there is also a requirement to allow executions to finish even in the face of incoming executions, the execution mode must be set to QUEUED.
- SUPERSEDED is the default execution mode for CodePipeline pipelines.
- Customizations for AWS Control Tower (CfCT) helps you customize your AWS Control Tower landing zone and stay aligned with AWS best practices. Customizations are implemented with AWS CloudFormation templates and service control policies (SCPs).
Tips for AWS Certified DevOps Engineer – Professional
edgarpf/aws-cert-devops-engineer