Amazon GuardDuty

July 3, 2023 ~ Last updated on : July 28, 2023 ~ jayendrapatil

Amazon GuardDuty

Amazon GuardDuty is a threat detection service that continuously monitors the AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation.
is a continuous security monitoring service that analyzes and processes the following data sources:
- CloudTrail S3 data events and management event logs,
- DNS logs,
- EKS audit logs, and
- VPC flow logs.
uses threat intelligence feeds, such as lists of malicious IP addresses and domains, and machine learning to identify unexpected and potentially unauthorized and malicious activity within the AWS environment.
combines machine learning, anomaly detection, network monitoring, and malicious file discovery, utilizing both AWS-developed and industry-leading third-party sources to help protect workloads and data on AWS
is a Regional service and is recommended to be enabled in all supported AWS Regions. This helps generate findings of unauthorized or unusual activity even in Regions not actively used.
does not look at historical data, it monitors only the activity that starts after it is enabled.
operates completely independent of the AWS resources and therefore has no impact on the performance or availability of the accounts or workloads.
GuardDuty supports
- Suppression rules, allow the creation of very specific combinations of attributes to suppress findings.
- Trusted IP List for highly secure communication with the AWS environment. Findings are not generated based on trusted IP lists.
- Threat List for known malicious IP addresses. Findings are generated based on threat lists.
Security findings are retained and made available through the GuardDuty console and APIs for 90 days, after which they are discarded.
Findings are assigned a severity, and actions can be automated by integrating with Security Hub, EventBridge, Lambda, and Step Functions.
Amazon Detective is also tightly integrated with GuardDuty which helps perform deeper forensic and root cause investigations.
GuardDuty Malware Protection feature helps to detect malicious files on EBS volumes attached to an EC2 instance and container workloads.

GuardDuty with Multiple Accounts

GuardDuty has multi-account management through AWS Organizations integration, which allows delegating an administrator account for the organization.
The delegated administrator (DA) account is a centralized account that consolidates all findings and can configure all member accounts.
The administrator account helps to associate and manage multiple AWS accounts.
All security findings are aggregated to the administrator account for review and remediation.
CloudWatch Events are also aggregated to the administrator account when using this configuration.

GuardDuty Automated Remediation

GuardDuty security findings can be remediated automatically using EventBridge and AWS Lambda
For example, a Lambda function can be created to modify the AWS security group rules based on security findings. For a GuardDuty finding indicating one of your EC2 instances is being probed by a known malicious IP, the address can be added through an EventBridge rule, initiating a Lambda function to automatically modify the security group rules and restrict access on that port.

GuardDuty Malware Protection

GuardDuty Malware Protection helps scan EBS volume data for possible malware and identifies suspicious behavior indicative of malicious software in EC2 instances or container workloads.
is optimized to consume large data volumes for near real-time processing of security detections.
scans a replica EBS volume that GuardDuty generates based on the snapshot of the EBS volume for trojans, worms, crypto miners, rootkits, bots, and more.

AWS Certification Exam Practice Questions

Which AWS service makes detecting and reporting unexpected and potentially malicious activity in your AWS environment easy?
1. AWS Shield
2. AWS Inspector
3. AWS GuardDuty
4. AWS WAF

References

Amazon_GuardDuty

AWS Redshift Advanced

June 30, 2023 ~ Last updated on : July 11, 2023 ~ jayendrapatil ~ 11 Comments

AWS Redshift Advanced

Redshift Distribution Style determines how data is distributed across compute nodes and helps minimize the impact of the redistribution step by locating the data where it needs to be before the query is executed.
Redshift enhanced VPC routing forces all COPY and UNLOAD traffic between the cluster and the data repositories through the VPC.
Redshift workload management (WLM) enables users to flexibly manage priorities within workloads so that short, fast-running queries won’t get stuck in queues behind long-running queries.
Redshift Spectrum helps query and retrieve structured and semistructured data from files in S3 without having to load the data into Redshift tables.
Redshift Federated Query feature allows querying and analyzing data across operational databases, data warehouses, and data lakes.

Distribution Styles

Table distribution style determines how data is distributed across compute nodes and helps minimize the impact of the redistribution step by locating the data where it needs to be before the query is executed.
Redshift supports four distribution styles; AUTO, EVEN, KEY, or ALL.

KEY distribution

A single column acts as a distribution key (DISTKEY) and helps place matching values on the same node slice.
As a rule of thumb, choose a column that:
- Is uniformly distributed – Otherwise skew data will cause unbalances in the volume of data that will be stored in each compute node leading to undesired situations where some slices will process bigger amounts of data than others and causing bottlenecks.
- acts as a JOIN column – for tables related to dimensions tables (star-schema), it is better to choose as DISTKEY the field that acts as the JOIN field with the larger dimension table, so that matching values from the common columns are physically stored together, reducing the amount of data that needs to be broadcasted through the network.

EVEN distribution

distributes the rows across the slices in a round-robin fashion, regardless of the values in any particular column
Choose EVEN distribution
- when the table does not participate in joins
- when there is not a clear choice between KEY and ALL distribution.

ALL distribution

Whole table is replicated in every compute node.
ensures that every row is collocated for every join that the table participates in.
ideal for relatively slow-moving tables, tables that are not updated frequently or extensively.
Small dimension tables DO NOT benefit significantly from ALL distribution, because the cost of redistribution is low.

AUTO distribution

Redshift assigns an optimal distribution style based on the size of the table data for e.g. apply ALL distribution for a small table and as it grows changes it to Even distribution
Amazon Redshift applies AUTO distribution, by default.

Sort Key

Sort keys define the order in which the data will be stored.
Sorting enables efficient handling of range-restricted predicates.
Only one sort key per table can be defined, but it can be composed of one or more columns.
Redshift stores columnar data in 1 MB disk blocks. The min and max values for each block are stored as part of the metadata. If the query uses a range-restricted predicate, the query processor can use the min and max values to rapidly skip over large numbers of blocks during table scans
The are two kinds of sort keys in Redshift: Compound and Interleaved.

Compound Keys

A compound key is made up of all of the columns listed in the sort key definition, in the order, they are listed.
A compound sort key is more efficient when query predicates use a prefix, or query’s filter applies conditions, such as filters and joins, which is a subset of the sort key columns in order.
Compound sort keys might speed up joins, GROUP BY and ORDER BY operations, and window functions that use PARTITION BY and ORDER BY.

Interleaved Sort Keys

An interleaved sort key gives equal weight to each column in the sort key, so query predicates can use any subset of the columns that make up the sort key, in any order.
An interleaved sort key is more efficient when multiple queries use different columns for filters.
Don’t use an interleaved sort key on columns with monotonically increasing attributes, such as identity columns, dates, or timestamps.
Use cases involve performing ad-hoc multi-dimensional analytics, which often requires pivoting, filtering, and grouping data using different columns as query dimensions.

Constraints

Redshift does not support Indexes.
Redshift supports UNIQUE, PRIMARY KEY, and FOREIGN KEY constraints, however, they are only for informational purposes.
Redshift does not perform integrity checks for these constraints and is used by the query planner, as hints, in order to optimize executions.
Redshift does enforce NOT NULL column constraints.

Redshift Enhanced VPC Routing

Redshift enhanced VPC routing forces all COPY and UNLOAD traffic between the cluster and the data repositories through the VPC.
Without enhanced VPC routing, Redshift would route traffic through the internet, including traffic to other services within the AWS network.

Redshift Workload Management

Redshift workload management (WLM) enables users to flexibly manage priorities within workloads so that short, fast-running queries won’t get stuck in queues behind long-running queries.
Redshift provides query queues, in order to manage concurrency and resource planning. Each queue can be configured with the following parameters:
- Slots: number of concurrent queries that can be executed in this queue.
- Working memory: percentage of memory assigned to this queue.
- Max. Execution Time: the amount of time a query is allowed to run before it is terminated.
Queries can be routed to different queues using Query Groups and User Groups.
As a rule of thumb, it is considered a best practice to have separate queues for long running resource-intensive queries and fast queries that don’t require big amounts of memory and CPU.
By default, Redshift configures one queue with a concurrency level of five, which enables up to five queries to run concurrently, plus one predefined Superuser queue, with a concurrency level of one.
A maximum of eight queues can be defined, with each queue configured with a maximum concurrency level of 50. The maximum total concurrency level for all user-defined queues (not including the Superuser queue) is 50.
Redshift WLM supports two modes – Manual and Automatic
- Automatic WLM supports queue priorities.

Redshift Short Query Acceleration – SQA

Short query acceleration (SQA) prioritizes selected short-running queries ahead of longer-running queries.
SQA runs short-running queries in a dedicated space, so that SQA queries aren’t forced to wait in queues behind longer queries.
SQA only prioritizes queries that are short-running and are in a user-defined queue.

Redshift Loading Data

A COPY command is the most efficient way to load a table.
- COPY command is able to read from multiple data files or multiple data streams simultaneously.
- Redshift allocates the workload to the cluster nodes and performs the load operations in parallel, including sorting the rows and distributing data across node slices.
- COPY command supports loading data from S3, EMR, DynamoDB, and remote hosts such as EC2 instances using SSH.
- COPY supports decryption and can decrypt the data as it performs the load if the data is encrypted
- COPY can then speed up the load process by uncompressing the files as they are read if the data is compressed.
- COPY command can be used with COMPUPDATE set to ON to analyze and apply compression automatically based on sample data.
- Optimizing storage for narrow tables (multiple rows few columns) by using Single COPY command instead of multiple COPY commands, as it would not work well due to hidden fields and compression issues.
Auto Copy
- Auto-copy provides the ability to automate copy statements by tracking S3 folders and ingesting new files without customer intervention
- Without Auto-copy, a copy statement immediately starts the file ingestion process for existing files.
- Auto-copy extends the existing copy command and provides the ability to
  - Automate file ingestion process by monitoring specified S3 paths for new files
  - Re-use copy configurations, reducing the need to create and run new copy statements for repetitive ingestion tasks and
  - Keep track of loaded files to avoid data duplication.
INSERT command
- Clients can connect to Amazon Redshift using ODBC or JDBC and issue ‘insert’ SQL commands to insert the data.
- INSERT command is much less efficient than using COPY as they are routed through the single leader node.

Redshift Resizing Cluster

Elastic resize
- Use elastic resize to change the node type, number of nodes, or both. (Circa April 2020 – Changing node type is available recently and was not supported before)
- If only the number of nodes is changed, then queries are temporarily paused and connections are held open if possible.
- During the resize operation, the cluster is read-only.
- Elastic resize takes 10–15 minutes.
Classic resize
- Use classic resize to change the node type, number of nodes, or both.
- During the resize operation, data is copied to a new cluster and the source cluster is read-only
- Classic resize takes 2 hours – 2 days or longer, depending on the data’s size
Snapshot and restore with classic resize
- To keep the cluster available during a classic resize, create a snapshot , make a copy of an existing cluster, then resize the new cluster.

Redshift Spectrum

Redshift Spectrum helps query and retrieve structured and semistructured data from files in S3 without having to load the data into Redshift tables.
Redshift Spectrum queries employ massive parallelism to execute very fast against large datasets. Much of the processing occurs in the Redshift Spectrum layer, and most of the data remains in S3.
Multiple clusters can concurrently query the same dataset in S3 without the need to make copies of the data for each cluster.
Redshift Spectrum resides on dedicated Redshift servers that are independent of the existing cluster.
Redshift Spectrum pushes many compute-intensive tasks, such as predicate filtering and aggregation, down to the Redshift Spectrum layer.
Redshift Spectrum also scales automatically, based on the demands of the queries, and can potentially use thousands of instances to take advantage of massively parallel processing.
Supports external data catalog using Glue, Athena, or Hive metastore
Redshift cluster and the S3 bucket must be in the same AWS Region.
Redshift Spectrum external tables are read-only. You can’t COPY or INSERT to an external table.

Redshift Federated Query

Redshift Federated Query feature allows querying and analyzing data across operational databases, warehouses, and lakes.
Redshift Federated Query allows integrating queries on live data in RDS for PostgreSQL and Aurora PostgreSQL with queries across Redshift and S3.

AWS Certification Exam Practice Questions

A Redshift data warehouse has different user teams that need to query the same table with very different query types. These user teams are experiencing poor performance. Which action improves performance for the user teams in this situation?
1. Create custom table views.
2. Add interleaved sort keys per team.
3. Maintain team-specific copies of the table.
4. Add support for workload management queue hopping.

Amazon Athena

June 29, 2023 ~ Last updated on : July 11, 2023 ~ jayendrapatil ~ 3 Comments

Amazon Athena

Amazon Athena is a serverless, interactive analytics service built on open-source frameworks, supporting open-table and file formats.
provides a simplified, flexible way to analyze petabytes of data in an S3 data lake and 30 data sources, including on-premises data sources or other cloud systems using SQL or Python without loading the data.
is built on open-source Trino and Presto engines and Apache Spark frameworks, with no provisioning or configuration effort required.
is highly available and runs queries using compute resources across multiple facilities, automatically routing queries appropriately if a particular facility is unreachable
can process unstructured, semi-structured, and structured datasets.
integrates with QuickSight for visualizing the data or creating dashboards.
supports various standard data formats, including CSV, TSV, JSON, ORC, Avro, and Parquet.
supports compressed data in Snappy, Zlib, LZO, and GZIP formats. You can improve performance and reduce costs by compressing, partitioning, and using columnar formats.
can handle complex analysis, including large joins, window functions, and arrays
uses a managed Glue Data Catalog to store information and schemas about the databases and tables that you create for the data stored in S3
uses schema-on-read technology, which means that the table definitions are applied to the data in S3 when queries are being applied. There’s no data loading or transformation required. Table definitions and schema can be deleted without impacting the underlying data stored in S3.
supports fine-grained access control with AWS Lake Formation which allows for centrally managing permissions and access control for data catalog resources in the S3 data lake.

Athena Workgroups

Athena workgroups can be used to separate users, teams, applications, or workloads, to set limits on amount of data each query or the entire workgroup can process, and to track costs.
Resource-level identity-based policies can be used to control access to a specific workgroup.
Workgroups help view query-related metrics in CloudWatch, control costs by configuring limits on the amount of data scanned, create thresholds, and trigger actions, such as SNS, when these thresholds are breached.
Workgroups integrate with IAM, CloudWatch, Simple Notification Service, and AWS Cost and Usage Reports as follows:
- IAM identity-based policies with resource-level permissions control who can run queries in a workgroup.
- Athena publishes the workgroup query metrics to CloudWatch if you enable query metrics.
- SNS topics can be created that issue alarms to specified workgroup users when data usage controls for queries in a workgroup exceed the established thresholds.
- Workgroup tag can be configured as a cost allocation tag in the Billing and Cost Management console and the costs associated with running queries in that workgroup appear in the Cost and Usage Reports with that cost allocation tag.

AWS Certification Exam Practice Questions

A SysOps administrator is storing access logs in Amazon S3 and wants to use standard SQL to query data and generate a report
without having to manage infrastructure. Which AWS service will allow the SysOps administrator to accomplish this task?
1. Amazon Inspector
2. Amazon CloudWatch
3. Amazon Athena
4. Amazon RDS
A Solutions Architect must design a storage solution for incoming billing reports in CSV format. The data does not need to be
scanned frequently and is discarded after 30 days. Which service will be MOST cost-effective in meeting these requirements?
1. Import the logs into an RDS MySQL instance
2. Use AWS Data pipeline to import the logs into a DynamoDB table
3. Write the files to an S3 bucket and use Amazon Athena to query the data
4. Import the logs to an Amazon Redshift cluster

References

Amazon_Athena

AWS Data Pipeline

June 27, 2023 ~ Last updated on : July 18, 2023 ~ jayendrapatil ~ 4 Comments

AWS Data Pipeline

AWS Data Pipeline is a web service that makes it easy to automate and schedule regular data movement and data processing activities in AWS
helps define data-driven workflows
integrates with on-premises and cloud-based storage systems
helps quickly define a pipeline, which defines a dependent chain of data sources, destinations, and predefined or custom data processing activities
supports scheduling where the pipeline regularly performs processing activities such as distributed data copy, SQL transforms, EMR applications, or custom scripts against destinations such as S3, RDS, or DynamoDB.
ensures that the pipelines are robust and highly available by executing the scheduling, retry, and failure logic for the workflows as a highly scalable and fully managed service.

AWS Data Pipeline features

Distributed, fault-tolerant, and highly available
Managed workflow orchestration service for data-driven workflows
Infrastructure management service, as it will provision and terminate resources as required
Provides dependency resolution
Can be scheduled
Supports Preconditions for readiness checks.
Grants control over retries, including frequency and number
Native integration with S3, DynamoDB, RDS, EMR, EC2 and Redshift
Support for both AWS based and external on-premise resources

AWS Data Pipeline Concepts

Pipeline Definition

Pipeline definition helps the business logic to be communicated to the AWS Data Pipeline
Pipeline definition defines the location of data (Data Nodes), activities to be performed, the schedule, resources to run the activities, per-conditions, and actions to be performed

Pipeline Components, Instances, and Attempts

Pipeline components represent the business logic of the pipeline and are represented by the different sections of a pipeline definition.
Pipeline components specify the data sources, activities, schedule, and preconditions of the workflow
When AWS Data Pipeline runs a pipeline, it compiles the pipeline components to create a set of actionable instances and contains all the information needed to perform a specific task
Data Pipeline provides durable and robust data management as it retries a failed operation depending on frequency & defined number of retries

Task Runners

A task runner is an application that polls AWS Data Pipeline for tasks and then performs those tasks
When Task Runner is installed and configured,
- it polls AWS Data Pipeline for tasks associated with activated pipelines
- after a task is assigned to Task Runner, it performs that task and reports its status back to Pipeline.
A task is a discreet unit of work that the Pipeline service shares with a task runner and differs from a pipeline, which defines activities and resources that usually yields several tasks
Tasks can be executed either on the AWS Data Pipeline managed or user-managed resources.

Data Nodes

Data Node defines the location and type of data that a pipeline activity uses as source (input) or destination (output)
supports S3, Redshift, DynamoDB, and SQL data nodes

Databases

supports JDBC, RDS, and Redshift database

Activities

An activity is a pipeline component that defines the work to perform
Data Pipeline provides pre-defined activities for common scenarios like sql transformation, data movement, hive queries, etc
Activities are extensible and can be used to run own custom scripts to support endless combinations

Preconditions

Precondition is a pipeline component containing conditional statements that must be satisfied (evaluated to True) before an activity can run
A pipeline supports
- System-managed preconditions
  - are run by the AWS Data Pipeline web service on your behalf and do not require a computational resource
  - Includes source data and keys check for e.g. DynamoDB data, table exists or S3 key exists or prefix not empty
- User-managed preconditions
  - run on user defined and managed computational resources
  - Can be defined as Exists check or Shell command

Resources

A resource is a computational resource that performs the work that a pipeline activity specifies
supports AWS Data Pipeline-managed and self-managed resources
AWS Data Pipeline-managed resources include EC2 and EMR, which are launched by the Data Pipeline service only when they’re needed
Self managed on-premises resources can also be used, where a Task Runner package is installed which continuously polls the AWS Data Pipeline service for work to perform
Resources can run in the same region as their working data set or even on a region different than AWS Data Pipeline
Resources launched by AWS Data Pipeline are counted within the resource limits and should be taken into account

Actions

Actions are steps that a pipeline takes when a certain event like success, or failure occurs.
Pipeline supports SNS notifications and termination action on resources

AWS Certification Exam Practice Questions

An International company has deployed a multi-tier web application that relies on DynamoDB in a single region. For regulatory reasons they need disaster recovery capability in a separate region with a Recovery Time Objective of 2 hours and a Recovery Point Objective of 24 hours. They should synchronize their data on a regular basis and be able to provision the web application rapidly using CloudFormation. The objective is to minimize changes to the existing web application, control the throughput of DynamoDB used for the synchronization of data and synchronize only the modified elements. Which design would you choose to meet these requirements?
1. Use AWS data Pipeline to schedule a DynamoDB cross region copy once a day. Create a ‘Lastupdated’ attribute in your DynamoDB table that would represent the timestamp of the last update and use it as a filter. (Refer Blog Post)
2. Use EMR and write a custom script to retrieve data from DynamoDB in the current region using a SCAN operation and push it to DynamoDB in the second region. (No Schedule and throughput control)
3. Use AWS data Pipeline to schedule an export of the DynamoDB table to S3 in the current region once a day then schedule another task immediately after it that will import data from S3 to DynamoDB in the other region. (With AWS Data pipeline the data can be copied directly to other DynamoDB table)
4. Send each item into an SQS queue in the second region; use an auto-scaling group behind the SQS queue to replay the write in the second region. (Not Automated to replay the write)
Your company produces customer commissioned one-of-a-kind skiing helmets combining nigh fashion with custom technical enhancements. Customers can show off their Individuality on the ski slopes and have access to head-up-displays, GPS rear-view cams and any other technical innovation they wish to embed in the helmet. The current manufacturing process is data rich and complex including assessments to ensure that the custom electronics and materials used to assemble the helmets are to the highest standards. Assessments are a mixture of human and automated assessments you need to add a new set of assessment to model the failure modes of the custom electronics using GPUs with CUD across a cluster of servers with low latency networking. What architecture would allow you to automate the existing process using a hybrid approach and ensure that the architecture can support the evolution of processes over time?
1. Use AWS Data Pipeline to manage movement of data & meta-data and assessments. Use an auto-scaling group of G2 instances in a placement group. (Involves mixture of human assessments)
2. Use Amazon Simple Workflow (SWF) to manage assessments, movement of data & meta-data. Use an autoscaling group of G2 instances in a placement group. (Human and automated assessments with GPU and low latency networking)
3. Use Amazon Simple Workflow (SWF) to manage assessments movement of data & meta-data. Use an autoscaling group of C3 instances with SR-IOV (Single Root I/O Virtualization). (C3 and SR-IOV won’t provide GPU as well as Enhanced networking needs to be enabled)
4. Use AWS data Pipeline to manage movement of data & meta-data and assessments use auto-scaling group of C3 with SR-IOV (Single Root I/O virtualization). (Involves mixture of human assessments)

References

AWS_Data_Pipeline_Developer_Guide

AWS Lake Formation

June 27, 2023 ~ Last updated on : June 30, 2023 ~ jayendrapatil ~ 2 Comments

AWS Lake Formation

AWS Lake Formation easily creates secure data lakes, making data available for wide-ranging analytics.
is an integrated data lake service that helps to discover, ingest, clean, catalog, transform, and secure data and make it available for analysis and ML.
automatically manages access to the registered data in S3 through services including AWS Glue, Athena, Redshift, QuickSight, and EMR using Zeppelin notebooks with Apache Spark to ensure compliance with your defined policies.
helps configure and manage your data lake without manually integrating multiple underlying AWS services.
can manage data ingestion through AWS Glue. Data is automatically classified, and relevant data definitions, schema, and metadata are stored in the central Glue Data Catalog. Once the data is in the S3 data lake, access policies, including table-and-column-level access controls can be defined, and encryption for data at rest enforced.
uses a shared infrastructure with AWS Glue, including console controls, ETL code creation and job monitoring, blueprints to create workflows for data ingest, the same data catalog, and a serverless architecture.
integrates with IAM so authenticated users and roles can be automatically mapped to data protection policies that are stored in the data catalog. The IAM integration also supports Microsoft Active Directory or LDAP to federate into IAM using SAML.
helps centralize data access policy controls. Users and roles can be defined to control access, down to the table and column level.
supports private endpoints in the VPC and records all activity in AWS CloudTrail for network isolation and auditability.

AWS Certification Exam Practice Questions

References

AWS_Lake_Formation

AWS Control Tower

June 27, 2023 ~ Last updated on : July 16, 2023 ~ jayendrapatil

AWS Control Tower

AWS Control Tower helps set up and govern an AWS multi-account environment, following prescriptive best practices.
AWS Control Tower offers the easiest way to set up and govern a secure, compliant, well-architected, multi-account AWS environment, that adheres to corporate standards, and meets regulatory requirements based on best practices established by working with thousands of enterprises.
AWS Control Tower orchestrates the capabilities of several other AWS services, including AWS Organizations, AWS Service Catalog, and AWS Identity Center (AWS Single Sign-on), to build a landing zone in less than an hour. Resources are set up and managed on your behalf.
Control Tower applies preventive and detective controls (guardrails) to help keep AWS organizations and accounts from drift, which is a divergence from best practices for e.g, guardrails can be used to help ensure that security logs and necessary cross-account access permissions are created, and not altered.
Control Tower enables end-users on distributed teams to provision new AWS accounts quickly using configurable account templates in Account Factory. The central cloud administrators can monitor that all accounts are aligned with established, company-wide compliance policies.

Control Tower Features

Landing zone
- A landing zone is a well-architected, multi-account environment that’s based on security and compliance best practices.
- It is the enterprise-wide container that holds all of the organizational units (OUs), accounts, users, and other resources that need to be subject to compliance regulation.
- A landing zone can scale to fit the needs of an enterprise of any size.
- AWS Control Tower automates a landing zone to set up a baseline environment that includes:
  - A multi-account environment using AWS Organizations.
  - Identity management using AWS Single Sign-On (SSO).
  - Federated access to accounts using AWS SSO.
  - Centralize logging from CloudTrail, and Config stored in S3.
  - Cross-account security audits using AWS IAM and AWS SSO.
Guardrails
- A guardrail is a high-level rule that provides ongoing governance for the overall AWS environment.
- Two kinds of guardrails exist
  - Preventive – uses SCPs and helps establish intent and prevent deployment of resources that don’t conform to the policies.
  - Detective – using AWS Config and continuously monitors deployed resources for non-conformance.
- Three categories of guidance apply to the two kinds of guardrails
  - mandatory
  - strongly recommended
  - elective
- AWS Control Tower automatically translates guardrails into granular AWS policies by:
  - Establishing a configuration baseline using AWS CloudFormation
  - Preventing configuration changes of the underlying implementation using SCPs (for preventive guardrails)
  - Continuously detecting configuration changes through AWS Config rules (for detective guardrails)
  - Updating guardrail status on the AWS Control Tower dashboard
Account Factory
- An Account Factory is a configurable account template that helps to standardize the provisioning of new accounts with pre-approved account configurations.
- AWS Control Tower offers a built-in Account Factory that helps automate the account provisioning workflow in the organization.
- Account Factory uses AWS Service Catalog to provision new accounts.
Dashboard
- The dashboard offers continuous oversight of the landing zone to your team of central cloud administrators.
- Use the dashboard to see provisioned accounts across the enterprise, guardrails enabled for policy enforcement, guardrails enabled for continuous detection of policy non-conformance and non-compliant resources organized by accounts and OUs.

AWS Certification Exam Practice Questions

A company is expanding its use of AWS services across its portfolios. The company wants to provision AWS accounts for each team to ensure a separation of business processes for security, compliance, and billing. Account creation and bootstrapping should be completed in a scalable and efficient way so new accounts are created with a defined baseline and governance guardrails in place. An administrator needs to design a provisioning process that saves time and resources. Which action should be taken to meet these requirements?
1. Automate using AWS Elastic Beanstalk to provision the AWS accounts, set up infrastructure, and integrate with AWS Organizations.
2. Create bootstrapping scripts in AWS OpsWorks and combine them with AWS CloudFormation templates to provision accounts and infrastructure.
3. Use AWS Config to provision accounts and deploy instances using AWS Service Catalog.
4. Use AWS Control Tower to create a template in Account Factory and use the template to provision new accounts.

References

AWS_Control_Tower

AWS Resource Access Manager – RAM

June 24, 2023 ~ Last updated on : July 17, 2023 ~ jayendrapatil

AWS Resource Access Manager – RAM

AWS Resource Access Manager – RAM helps secure sharing of the AWS resources created in one AWS account with other AWS accounts.
Using RAM, with multiple AWS accounts, a resource can be created once and made usable by those other accounts.
For an account managed by AWS Organizations, resources can be shared with all the other accounts in the organization or only those accounts contained by one or more specified organizational units (OUs).
Resources can also be shared with specific AWS accounts by account ID, regardless of whether the account is part of an organization.

RAM Benefits

Reduces operational overhead
- Create a resource once, and then use AWS RAM to share that resource with other accounts. This eliminates the need to provision duplicate resources in every account, which reduces operational overhead.
Provides security and consistency
- Simplify security management for the shared resources by using a single set of policies and permissions.
Provides visibility and auditability
- AWS RAM provides comprehensive visibility into shared resources and accounts through the integration with CloudWatch and CloudTrail.

RAM vs Resource-based Policies

Resources can be shared with an Organization or OU without having to enumerate every one of the AWS account IDs.
Users can see the resources shared with them directly in the originating AWS service console and API operations as if those resources were directly in the user’s account.
Owners of a resource can see which principals have access to each individual resource that they have shared.
RAM initiates an invitation process for resources shared with an account that isn’t part of the organization. Sharing within an organization doesn’t require an invitation and is auto-accepted.

RAM Supported Resources

AWS App Mesh
Amazon Aurora
AWS Certificate Manager Private Certificate Authority
AWS CodeBuild
Amazon EC2
EC2 Image Builder
AWS Glue
AWS License Manager
AWS Migration Hub Refactor Spaces
AWS Network Firewall
AWS Outposts
Amazon S3 on Outposts
AWS Resource Groups
Amazon Route 53
Amazon SageMaker
AWS Service Catalog AppRegistry
AWS Systems Manager Incident Manager
Amazon VPC
AWS Cloud WAN

AWS Certification Exam Practice Questions

References

AWS_Resource_Access_Manager

AWS Elastic Map Reduce – EMR

June 22, 2023 ~ Last updated on : June 28, 2023 ~ jayendrapatil ~ 27 Comments

AWS EMR – Elastic Map Reduce

Amazon EMR – Elastic Map Reduce is a web service that utilizes a hosted Hadoop framework running on the web-scale infrastructure of EC2 and S3.
enables businesses, researchers, data analysts, and developers to easily and cost-effectively process vast amounts of data.
uses Apache Hadoop as its distributed data processing engine, which is an open-source, Java software that supports data-intensive distributed applications running on large clusters of commodity hardware
provides data processing, interactive analysis, and machine learning using open-source frameworks such as Apache Spark, Hive, and Presto.
is ideal for problems that necessitate fast and efficient processing of large amounts of data.
helps focus on crunching, transforming, and analyzing data without having to worry about time-consuming set-up, the management, or tuning of Hadoop clusters, the compute capacity, or open-source applications.
can help perform data-intensive tasks for applications such as web indexing, data mining, log file analysis, machine learning, financial analysis, scientific simulation, bioinformatics research, etc
provides web service interface to launch the clusters and monitor processing-intensive computation on clusters.
workloads can be deployed using EC2, Elastic Kubernetes Service (EKS), or on-premises AWS Outposts.
seamlessly supports On-Demand, Spot, and Reserved Instances.
EMR launches all nodes for a given cluster in the same AZ, which improves performance as it provides a higher data access rate.
EMR supports different EC2 instance types including Standard, High CPU, High Memory, Cluster Compute, High I/O, and High Storage.
EMR charges on hourly increments i.e. once the cluster is running, charges apply the entire hour.
EMR integrates with CloudTrail to record AWS API calls
EMR Serverless helps run big data frameworks such as Apache Spark and Apache Hive without configuring, managing, and scaling clusters.
EMR Studio is an IDE that helps data scientists and data engineers to develop, visualize, and debug data engineering and data science applications written in R, Python, Scala, and PySpark.
EMR Notebooks provide a managed environment, based on Jupyter Notebook, that helps prepare and visualize data, collaborate with peers, build applications, and perform interactive analysis using EMR clusters.

EMR Architecture

EMR uses industry-proven, fault-tolerant Hadoop software as its data processing engine.
Hadoop is an open-source, Java software that supports data-intensive distributed applications running on large clusters of commodity hardware
Hadoop splits the data into multiple subsets and assigns each subset to more than one EC2 instance. So, if an EC2 instance fails to process one subset of data, the results of another Amazon EC2 instance can be used.
EMR consists of Master node, one or more Slave nodes
- Master Node Or Primary Node
  - Master node or Primary node manages the cluster by running software components to coordinate the distribution of data and tasks among other nodes for processing.
  - Primary node tracks the status of tasks and monitors the health of the cluster.
  - Every cluster has a primary node, and it’s possible to create a single-node cluster with only the primary node.
  - EMR currently does not support automatic failover of the master nodes or master node state recovery
  - If master node goes down, the EMR cluster will be terminated and the job needs to be re-executed.
- Slave Nodes – Core nodes and Task nodes
  - Core nodes
    - with software components that host persistent data using Hadoop Distributed File System (HDFS) and run Hadoop tasks
    - Multi-node clusters have at least one core node.
    - can be increased in an existing cluster
  - Task nodes
    - only run Hadoop tasks and do not store data in HDFS.
    - can be increased or decreased in an existing cluster.
  - EMR is fault tolerant for slave failures and continues job execution if a slave node goes down.
  - Currently, EMR does not automatically provision another node to take over failed slaves
EMR supports Bootstrap actions which allow
- users a way to run custom set-up prior to the execution of the cluster.
- can be used to install software or configure instances before running the cluster

EMR Storage

Hadoop Distributed File System (HDFS)
- HDFS is a distributed, scalable file system for Hadoop.
- HDFS distributes the data it stores across instances in the cluster, storing multiple copies of data on different instances to ensure that no data is lost if an individual instance fails.
- HDFS is ephemeral storage that is reclaimed when you terminate a cluster.
- HDFS is useful for caching intermediate results during MapReduce processing or for workloads that have significant random I/O.
EMR File System – EMRFS
- EMR File System (EMRFS) helps extend Hadoop to add the ability to directly access data stored in S3 as if it were a file system like HDFS.
- You can use either HDFS or S3 as the file system in your cluster. Most often, S3 is used to store input and output data and intermediate results are stored in HDFS.
Local file system
- Local file system refers to a locally connected EC2 pre-attached disk instance store storage.
- Data on instance store volumes persists only during the lifecycle of its Amazon EC2 instance.
Storing data on S3 provides several benefits
- inherent features high availability, durability, lifecycle management, data encryption, and archival of data to Glacier
- cost-effective as storing data in S3 is cheaper as compared to HDFS with the replication factor
- ability to use Transient EMR cluster and shutdown the clusters after the job is completed, with data being maintained in S3
- ability to use Spot instances and not having to worry about losing the spot instances at any time.
- provides data durability from any HDFS node failures, where node failures exceed the HDFS replication factor
- data ingestion with high throughput data stream to S3 is much easier than ingesting to HDFS

EMR Security

EMR cluster starts with different security groups for Master and Cluster nodes
- Master security group
  - has a port open for communication with the service.
  - has an SSH port open to allow direct SSH into the instances, using the key specified at the startup.
- Cluster security group
  - only allows interaction with the master instance
  - SSH to the slave nodes can be done by doing SSH to the master node and then to the slave node
- Security groups can be configured with different access rules

EMR Security Encryption

EMR always uses HTTPS to send data between S3 and EC2.
EMR enables the use of security configuration
- which helps to encrypt data at rest, data in transit, or both
- can be used to specify settings for S3 encryption with EMR file system (EMRFS), local disk encryption, and in-transit encryption
- is stored in EMR rather than the cluster configuration making it reusable
- gives the flexibility to choose from several options, including keys managed by AWS KMS, keys managed by S3, and keys and certificates from custom providers that you supply.
At-rest Encryption for S3 with EMRFS
- EMRFS supports Server-side (SSE-S3, SSE-KMS) and Client-side encryption (CSE-KMS or CSE-Custom)
- S3 SSE and CSE encryption with EMRFS are mutually exclusive; either one can be selected but not both
- Transport layer security (TLS) encrypts EMRFS objects in-transit between EMR cluster nodes & S3
At-rest Encryption for Local Disks
- Open-source HDFS Encryption
  - HDFS exchanges data between cluster instances during distributed processing, and also reads from and writes data to instance store volumes and the EBS volumes attached to instances
  - Open-source Hadoop encryption options are activated
    - Secure Hadoop RPC is set to “Privacy”, which uses Simple Authentication Security Layer (SASL).
    - Data encryption on HDFS block data transfer is set to true and is configured to use AES 256 encryption.
- EBS Volume Encryption
  - EBS Encryption
    - EBS encryption option encrypts the EBS root device volume and attached storage volumes.
    - EBS encryption option is available only when you specify AWS KMS as your key provider.
  - LUKS
    - EC2 instance store volumes (except boot/root volumes) and the attached EBS volumes can be encrypted using LUKS.
In-Transit Data Encryption
- Encryption artifacts used for in-transit encryption in one of two ways:
  - either by providing a zipped file of certificates that you upload to S3,
  - or by referencing a custom Java class that provides encryption artifacts
EMR block public access prevents a cluster in a public subnet from launching when any security group associated with the cluster has a rule that allows inbound traffic from anywhere (public access) on a port, unless the port has been specified as an exception.
EMR Runtime Roles help manage access control for each job or query individually, instead of sharing the EMR instance profile of the cluster.
EMR IAM service roles help perform actions on your behalf when provisioning cluster resources, running applications, dynamically scaling resources, and creating and running EMR Notebooks.
SSH clients can use an EC2 key pair or Kerberos to authenticate to cluster instances.
Lake Formation based access control can be applied to Spark, Hive, and Presto jobs that you submit to the EMR clusters.

EMR Cluster Types

EMR has two cluster types, transient and persistent
Transient EMR Clusters
- Transient EMR clusters are clusters that shut down when the job or the steps (series of jobs) are complete
- Transient EMT clusters can be used in situations
  - where total number of EMR processing hours per day < 24 hours and its beneficial to shut down the cluster when it’s not being used.
  - using HDFS as your primary data storage.
  - job processing is intensive, iterative data processing.
Persistent EMR Clusters
- Persistent EMR clusters continue to run after the data processing job is complete
- Persistent EMR clusters can be used in situations
  - frequently run processing jobs where it’s beneficial to keep the cluster running after the previous job.
  - processing jobs have an input-output dependency on one another.
  - In rare cases when it is more cost effective to store the data on HDFS instead of S3

EMR Serverless

EMR Serverless helps run big data frameworks such as Apache Spark and Apache Hive without configuring, managing, and scaling clusters.
currently supports Apache Spark and Apache Hive engines.
automatically determines the resources that the application needs and gets these resources to process the jobs, and releases the resources when the jobs finish.
minimum and maximum number of concurrent workers and the vCPU and memory configuration for workers can be specified.
supports multiple AZs and provides resilience to AZ failures.
An EMR Serverless application internally uses workers to execute your workloads and it offers two options for workers
- On-demand workers
  - are launched only when needed for a job and are released automatically when the job is complete.
  - scales the application up or down based on the workload, so you don’t have to worry about over- or under-provisioning resources.
  - takes up to 120 seconds to determine the required resources and provision them.
  - distributes jobs across multiple AZs by default, but each job runs only in one AZ.
  - automatically runs your job in another healthy AZ, if an AZ fails.
- Pre-initialized workers
  - are an optional feature where you can keep workers ready to respond in seconds.
  - It effectively creates a warm pool of workers for an application which allows jobs to start instantly, making it ideal for iterative applications and time-sensitive jobs.
  - submits job in an healthy AZ from the specified subnets. Application needs to be restarted to switch to another healthy AZ, if an AZ becomes impaired.

EMR Studio

EMR Studio is an IDE that helps data scientists and data engineers to develop, visualize, and debug data engineering and data science applications written in R, Python, Scala, and PySpark.
is a fully managed application with single sign-on, fully managed Jupyter Notebooks, automated infrastructure provisioning, and the ability to debug jobs without logging into the AWS Console or cluster.

EMR Notebooks

EMR Notebooks provide a managed environment, based on Jupyter Notebook, that allows data scientists, analysts, and developers to prepare and visualize data, collaborate with peers, build applications, and perform interactive analysis using EMR clusters.
AWS recommends using EMR Studio instead of EMR Notebooks now.
Users can create serverless notebooks directly from the console, attach them to an existing shared EMR cluster, or provision a cluster directly from the console and build Spark applications and run interactive queries.
Notebooks are auto-saved to S3 buckets, and can be retrieved from the console to resume work.
Notebooks can be detached and attached to new clusters.
Notebooks are prepackaged with the libraries found in the Anaconda repository, allowing you to import and use these libraries in the notebooks code and use them to manipulate data and visualize results.

EMR Best Practices

Data Migration
- Two tools – S3DistCp and DistCp – can be used to move data stored on the local (data center) HDFS storage to S3, from S3 to HDFS and between S3 and local disk (non HDFS) to S3
- AWS Import/Export and Direct Connect can also be considered for moving data
Data Collection
- Apache Flume is a distributed, reliable, and available service for efficiently collecting, aggregating, & moving large amounts of log data
- Flume agents can be installed on the data sources (web-servers, app servers etc) and data shipped to the collectors which can then be stored in persistent storage like S3 or HDFS
Data Aggregation
- Data aggregation refers to techniques for gathering individual data records (for e.g. log records) and combining them into a large bundle of data files i.e. creating a large file from small files
- Hadoop, on which EMR runs, generally performs better with fewer large files compared to many small files
- Hadoop splits the file on HDFS on multiple nodes, while for the data in S3 it uses the HTTP Range header query to split the files which helps improve performance by supporting parallelization
- Log collectors like Flume and Fluentd can be used to aggregate data before copying it to the final destination (S3 or HDFS)
- Data aggregation has following benefits
  - Improves data ingest scalability by reducing the number of times needed to upload data to AWS
  - Reduces the number of files stored on S3 (or HDFS), which inherently helps provide better performance when processing data
  - Provides a better compression ratio as compressing large, highly compressible files is often more effective than compressing a large number of smaller files.
Data compression
- Data compression can be used at the input as well as intermediate outputs from the mappers
- Data compression helps
  - Lower storage costs
  - Lower bandwidth cost for data transfer
  - Better data processing performance by moving less data between data storage location, mappers, and reducers
  - Better data processing performance by compressing the data that EMR writes to disk, i.e. achieving better performance by writing to disk less frequently
- Data Compression can have an impact on Hadoop data splitting logic as some of the compression techniques like gzip do not support it
Data Partitioning
- Data partitioning helps in data optimizations and lets you create unique buckets of data and eliminate the need for a data processing job to read the entire data set
- Data can be partitioned by
  - Data type (time series)
  - Data processing frequency (per hour, per day, etc.)
  - Data access and query pattern (query on time vs. query on geo location)
Cost Optimization
- AWS offers different pricing models for EC2 instances
  - On-Demand instances
    - are a good option if using transient EMR jobs or if the EMR hourly usage is less than 17% of the time
  - Reserved instances
    - are a good option for persistent EMR cluster or if the EMR hourly usage is more than 17% of the time as is more cost effective
  - Spot instances
    - can be a cost effective mechanism to add compute capacity
    - can be used where the data is persists on S3
    - can be used to add extra task capacity with Task nodes, and
    - is not suited for Master node, as if it is lost the cluster is lost and Core nodes (data nodes) as they host data and if lost needs to be recovered to rebalance the HDFS cluster
- Architecture pattern can be used,
  - Run master node on On-Demand or Reserved Instances (if running persistent EMR clusters).
  - Run a portion of the EMR cluster on core nodes using On-Demand or Reserved Instances and
  - the rest of the cluster on task nodes using Spot Instances.

AWS Certification Exam Practice Questions

You require the ability to analyze a large amount of data, which is stored on Amazon S3 using Amazon Elastic Map Reduce. You are using the cc2.8xlarge instance type, who’s CPUs are mostly idle during processing. Which of the below would be the most cost efficient way to reduce the runtime of the job? [PROFESSIONAL]
1. Create smaller files on Amazon S3.
2. Add additional cc2.8xlarge instances by introducing a task group.
3. Use smaller instances that have higher aggregate I/O performance.
4. Create fewer, larger files on Amazon S3.
A customer’s nightly EMR job processes a single 2-TB data file stored on Amazon Simple Storage Service (S3). The Amazon Elastic Map Reduce (EMR) job runs on two On-Demand core nodes and three On-Demand task nodes. Which of the following may help reduce the EMR job completion time? Choose 2 answers
1. Use three Spot Instances rather than three On-Demand instances for the task nodes.
2. Change the input split size in the MapReduce job configuration.
3. Use a bootstrap action to present the S3 bucket as a local filesystem.
4. Launch the core nodes and task nodes within an Amazon Virtual Cloud.
5. Adjust the number of simultaneous mapper tasks.
6. Enable termination protection for the job flow.
Your department creates regular analytics reports from your company’s log files. All log data is collected in Amazon S3 and processed by daily Amazon Elastic Map Reduce (EMR) jobs that generate daily PDF reports and aggregated tables in CSV format for an Amazon Redshift data warehouse. Your CFO requests that you optimize the cost structure for this system. Which of the following alternatives will lower costs without compromising average performance of the system or data integrity for the raw data? [PROFESSIONAL]
1. Use reduced redundancy storage (RRS) for PDF and CSV data in Amazon S3. Add Spot instances to Amazon EMR jobs. Use Reserved Instances for Amazon Redshift. (Only Spot instances impacts performance)
2. Use reduced redundancy storage (RRS) for all data in S3. Use a combination of Spot instances and Reserved Instances for Amazon EMR jobs. Use Reserved instances for Amazon Redshift (Combination of the Spot and reserved with guarantee performance and help reduce cost. Also, RRS would reduce cost and guarantee data integrity, which is different from data durability)
3. Use reduced redundancy storage (RRS) for all data in Amazon S3. Add Spot Instances to Amazon EMR jobs. Use Reserved Instances for Amazon Redshift (Only Spot instances impacts performance)
4. Use reduced redundancy storage (RRS) for PDF and CSV data in S3. Add Spot Instances to EMR jobs. Use Spot Instances for Amazon Redshift. (Spot instances impacts performance and Spot instance not available for Redshift)
A research scientist is planning for the one-time launch of an Elastic MapReduce cluster and is encouraged by her manager to minimize the costs. The cluster is designed to ingest 200TB of genomics data with a total of 100 Amazon EC2 instances and is expected to run for around four hours. The resulting data set must be stored temporarily until archived into an Amazon RDS Oracle instance. Which option will help save the most money while meeting requirements? [PROFESSIONAL]
1. Store ingest and output files in Amazon S3. Deploy on-demand for the master and core nodes and spot for the task nodes.
2. Optimize by deploying a combination of on-demand, RI and spot-pricing models for the master, core and task nodes. Store ingest and output files in Amazon S3 with a lifecycle policy that archives them to Amazon Glacier. (Master and Core must be RI or On Demand. Cannot be Spot)
3. Store the ingest files in Amazon S3 RRS and store the output files in S3. Deploy Reserved Instances for the master and core nodes and on-demand for the task nodes. (Need better durability for ingest file. Spot instances can be used for task nodes for cost saving. RI will not provide cost saving in this case)
4. Deploy on-demand master, core and task nodes and store ingest and output files in Amazon S3 RRS (Input should be in S3 standard, as re-ingesting the input data might end up being more costly then holding the data for limited time in standard S3)
Your company sells consumer devices and needs to record the first activation of all sold devices. Devices are not activated until the information is written on a persistent database. Activation data is very important for your company and must be analyzed daily with a MapReduce job. The execution time of the data analysis process must be less than three hours per day. Devices are usually sold evenly during the year, but when a new device model is out, there is a predictable peak in activation’s, that is, for a few days there are 10 times or even 100 times more activation’s than in average day. Which of the following databases and analysis framework would you implement to better optimize costs and performance for this workload? [PROFESSIONAL]
1. Amazon RDS and Amazon Elastic MapReduce with Spot instances.
2. Amazon DynamoDB and Amazon Elastic MapReduce with Spot instances.
3. Amazon RDS and Amazon Elastic MapReduce with Reserved instances.
4. Amazon DynamoDB and Amazon Elastic MapReduce with Reserved instances

References

Amazon S3 Replication

June 15, 2023 ~ jayendrapatil

Amazon S3 Replication

S3 Replication enables automatic, asynchronous copying of objects across S3 buckets in the same or different AWS regions.
S3 Cross-Region Replication – CRR is used to copy objects across S3 buckets in different AWS Regions.
S3 Same-Region Replication – SRR is used to copy objects across S3 buckets in the same AWS Regions.
S3 Replication helps to
- Replicate objects while retaining metadata
- Replicate objects into different storage classes
- Maintain object copies under different ownership
- Keep objects stored over multiple AWS Regions
- Replicate objects within 15 minutes
S3 can replicate all or a subset of objects with specific key name prefixes
S3 encrypts all data in transit across AWS regions using SSL
Object replicas in the destination bucket are exact replicas of the objects in the source bucket with the same key names and the same metadata.
Objects may be replicated to a single destination bucket or multiple destination buckets.
Cross-Region Replication can be useful for the following scenarios:-
- Compliance requirement to have data backed up across regions
- Minimize latency to allow users across geography to access objects
- Operational reasons compute clusters in two different regions that analyze the same set of objects
Same-Region Replication can be useful for the following scenarios:-
- Aggregate logs into a single bucket
- Configure live replication between production and test accounts
- Abide by data sovereignty laws to store multiple copies

S3 Replication Requirements

source and destination buckets must be versioning-enabled
for CRR, the source and destination buckets must be in different AWS regions.
S3 must have permission to replicate objects from that source bucket to the destination bucket on your behalf.
If the source bucket owner also owns the object, the bucket owner has full permission to replicate the object. If not, the source bucket owner must have permission for the S3 actions s3:GetObjectVersion and s3:GetObjectVersionACL to read the object and object ACL
Setting up cross-region replication in a cross-account scenario (where the source and destination buckets are owned by different AWS accounts), the source bucket owner must have permission to replicate objects in the destination bucket.
if the source bucket has S3 Object Lock enabled, the destination buckets must also have S3 Object Lock enabled.
destination buckets cannot be configured as Requester Pays buckets

S3 Replication – Replicated & Not Replicated

Only new objects created after you add a replication configuration are replicated. S3 does NOT retroactively replicate objects that existed before you added replication configuration.
Objects encrypted using customer provided keys (SSE-C), objects encrypted at rest under an S3 managed key (SSE-S3) or a KMS key stored in AWS Key Management Service (SSE-KMS).
S3 replicates only objects in the source bucket for which the bucket owner has permission to read objects and read ACLs
Any object ACL updates are replicated, although there can be some delay before S3 can bring the two in sync. This applies only to objects created after you add a replication configuration to the bucket.
S3 does NOT replicate objects in the source bucket for which the bucket owner does not have permission.
Updates to bucket-level S3 subresources are NOT replicated, allowing different bucket configurations on the source and destination buckets
Only customer actions are replicated & actions performed by lifecycle configuration are NOT replicated
Replication chaining is NOT allowed, Objects in the source bucket that are replicas, created by another replication, are NOT replicated.
S3 does NOT replicate the delete marker by default. However, you can add delete marker replication to non-tag-based rules to override it.
S3 does NOT replicate deletion by object version ID. This protects data from malicious deletions.

AWS Certification Exam Practice Questions

References

S3_Replication

Amazon S3 Event Notifications

June 15, 2023 ~ jayendrapatil

S3 Event Notifications

S3 notification feature enables notifications to be triggered when certain events happen in the bucket.
Notifications are enabled at the Bucket level
Notifications can be configured to be filtered by the prefix and suffix of the key name of objects. However, filtering rules cannot be defined with overlapping prefixes, overlapping suffixes, or prefix and suffix overlapping
S3 can publish the following events
- New Object created events
  - Can be enabled for PUT, POST, or COPY operations
  - You will not receive event notifications from failed operations
- Object Removal events
  - Can public delete events for object deletion, version object deletion or insertion of delete marker
  - You will not receive event notifications from automatic deletes from lifecycle policies or from failed operations.
- Restore object events
  - restoration of objects archived to the S3 Glacier storage classes
- Reduced Redundancy Storage (RRS) object lost events
  - Can be used to reproduce/recreate the Object
- Replication events
  - for replication configurations that have S3 replication metrics or S3 Replication Time Control (S3 RTC) enabled
S3 can publish events to the following destination
- SNS topic
- SQS queue
- AWS Lambda
For S3 to be able to publish events to the destination, the S3 principal should be granted the necessary permissions
S3 event notifications are designed to be delivered at least once. Typically, event notifications are delivered in seconds but can sometimes take a minute or longer.

AWS Certification Exam Practice Questions

References

Amazon_S3_Event_Notifications