AWS SAP-C02教程5--基础中间件

在AWS中除了计算、存储、网络之外，还有一些组件非常重要，包括基础组件、消息队列组件、日志组件、编排组件等，接下来就通过分成几个不同类别（这个分类按照AWS的大概分类进行分类，并无统一标准，只是具备一定相同功能归类在一起方便记忆）

1 消息中间件

消息中间件当然与我们使用的消息中间件如kafka、rabbitmq等相关，而在AWS中提供以下几种不同的消息中间件。

1.1 Amazon SQS

Amazon Sqs Amazon SQS 提供安全、耐用且可用的托管队列。亚马逊 SQS 提供常见的结构，例如死信队列和成本分配标签。你可以简单理解为一个kafka消息队列。主要用途就是用来解耦。

1.1.1 基础特性

• 是一个无服务的组件
• 主要用于解耦（接收来自源，定量消费，解决高并发的方式之一）

例题：An e-commerce company is revamping its IT infrastructure and is planning to use AWS services. The company’s CIO has asked a Solutions Architect to design a simple, highly available, and loosely coupled order processing application, The application is responsible for receiving and processing orders before storing them in an Amazon DynamoDB table, The application has a sporadic traffic pattern and should be able to scale during marketing campaigns to process the orders with minimal delays. Which of the following is the MOST reliable approach to meet the requirements?
A. Receive the orders in an Amazon EC2-hosted database and use EC2 instances to process them
B. Receive the orders in an Amazon SOS queue and trigger an AWS Lambda function to process them.
C. Receive the orders using the AWS Step Functions program and trigger an Amazon ECS container to process them
D, Receive the orders in Amazon Kinesis Data Streams and use Amazon EC2 instances to process them.
答案：B
答案解析：题目中关键词就是order processing application，loosely coupled ，sporadic traffic pattern。一个处理订单程序，解耦，且高并发。A可以解决普通流量无法处理高并发；C的Step Functions 是编排工具并非用于处理高并发请求；D的Kinesis Data Streams是处理大数据流。因此B是通过消息中间件做解耦同时也能处理高并发。

例题：A company is running an application in the AWS Cloud. Recent application metrics show inconsistent response times and a significant increase in error rates. Calls to third-party services are causing the delays. Currently, the application calls third-party services synchronously by directly invoking an AWS Lambda function.
A solutions architect needs to decouple the third-party service calls and ensure that all the calls are eventually completed.
Which solution will meet these requirements?
A. Use an Amazon Simple Queue Service (Amazon SQS) queue to store events and invoke the Lambda function.
B. Use an AWS Step Functions state machine to pass events to the Lambda function.
C. Use an Amazon EventBridge rule to pass events to the Lambda function.
D. Use an Amazon Simple Notification Service (Amazon SNS) topic to store events and Invoke the Lambda function.
答案：A
答案解析：题目要求解耦调用第三方API，因此就是异步调用，而使用SQS是最好的方法之一，因此答案选择A选项。

• 消息最大是256KB（可以使用S3配置传输超过最大值的消息）
• 可使用batch处理
• 有超时限制，90分钟

1.1.2 高级特性

• DLQ（死信队列）：对于无法成功处理（使用）的消息将进入死信队列DLQ中

例题：A company has implemented an ordering system using an event driven architecture. During initial testing, the system stopped processing orders. Further log analysis revealed that one order message in an Amazon Simple Queue Service (Amazon SQS) standard queue was causing an error on the backend and blocking all subsequent order messages. The visibility timeout of the queue is set to 30 seconds, and the backend processing timeout is set to 10 seconds. A solutions architect needs to analyze faulty order messages and ensure that the system continues to process subsequent messages.
Which step should the solutions architect take to meet these requirements?
A. Increase the backend processing timeout to 30 seconds to match the visibility timeout.
B. Reduce the visibility timeout of the queue to automatically remove the faulty message.
C. Configure a new SQS FIFO queue as a dead-letter queue to isolate the faulty messages.
D. Configure a new SQS standard queue as a dead-letter queue to isolate the faulty messages.
答案：D
答案解析：题目出现消息阻塞，希望给出一个解决方案。消息处理失败可以采用DLQ处理，但是C选项使用FIFO没必要，反而会导致性能下降，因此答案为D选项

• 异步处理：运行异步发送消息
• SQS FIFO：具有标准队列的所有功能，但旨在在操作和事件顺序至关重要或无法容忍重复时增强应用程序之间的消息传送。注意：FIFO会严重影响性能，如果非必要不推荐使用FIFO。

例题：A solutions architect is designing a solution to process events. The solution must have the ability to scale in and out based on the number of events that the solution receives. If a processing error occurs, the event must move into a separate queue for review.
Which solution will meet these requirements?
A. Send event details to an Amazon Simple Notification Service (Amazon SNS) topic. Configure an AWS Lambda function as a subscriber to the SNS topic to process the events. Add an on-failure destination to the function. Set an Amazon Simple Queue Service (Amazon SQS) queue as the target.
B. Publish events to an Amazon Simple Queue Service (Amazon SQS) queue. Create an Amazon EC2 Auto Scaling group. Configure the Auto Scaling group to scale in and out based on the ApproximateAgeOfOldestMessage metric of the queue. Configure the application to write failed messages to a dead-letter queue.
C. Write events to an Amazon DynamoDB table. Configure a DynamoDB stream for the table. Configure the stream to invoke an AWS Lambda function. Configure the Lambda function to process the events.
D. Publish events to an Amazon EventBndge event bus. Create and run an application on an Amazon EC2 instance with an Auto Scaling group that is behind an Application Load Balancer (ALB). Set the ALB as the event bus target. Configure the event bus to retry events. Write messages to a dead-letter queue if the application cannot process the messages.
答案：B
答案解析：题目希望一个能按照事件数量自动伸缩的，并且有一个队列存储失败事件，很明显需要一个消息队列。从答案中A选项和B选项都符合，但是失败进入一个队列，而SNS是每个订阅都有一个死信队列，因此更加倾向于B选项。

1.1.3 典型架构

• 幂等性处理架构
  
• 与Lambda集成的架构
  
• 异步处理架构
  

1.2 Amazon MQ

Amazon MQ 是一项托管消息代理服务，使其易于迁移到云中的消息代理。消息代理 允许软件应用程序和组件使用各种编程语言、操作系统和正式消息收发协议进行通信。目前，Amazon MQ 支持 Apache ActiveMQ 和 RabbitMQ 引擎类型。

1.2.1 基本特性与SQS&SNS区别

• 支持Active MQ和RabbitMQ引擎
• 支持标准协议（MQTT、AMQP、WSS、STOMP、Openwire）（注意：该点是与SQS&SNS最大区别，如果你迁移云一定要使用标准消息协议，那么只能选择Amazon MQ，而SQS&SNS只是AWS自身协议）
• 同时支持SNS的消息队列，以及支持SQS的发布订阅模式
• 几乎具备SNS和SQS的所有功能

1.2.2 典型架构

• 第三方迁移到Amazon MQ架构
  

1.3 Amazon SNS

1.3.1 基本特性

• 一个生产者对多个消费者，就是发布订阅模式（注意：这个特性是与SQS的区别，也是考试重点之一，当涉及1对多的时候，就需要选择SNS）
• topic可以可以理解是一个分组，一个topic可以有很多个订阅者（最多可以10000000个topic）
• 订阅者可以通过过滤器过滤自身所需消息
• 支持AWS某些服务订阅：Amazon Kinesis Data Firehose、Amazon SQS、AWS Lambda、HTTP、电子邮件、移动推送通知和移动短信 (SMS)

1.3.2 消息重试和死信队列

• 消息重试：下表为订阅SNS时，默认的消息发送失败后的重试情况。（注意：如果你使用HTTP订阅，你可以通过policy设置重试）
  
• 死信队列：死信队列是 Amazon SNS 订阅针对无法成功传输给订阅者的消息可以将其视为目标的一个 Amazon SQS 队列。由于客户端错误或服务器错误而无法传输的消息将保留在死信队列中，以进行进一步分析或重新处理。也就是说上面消息重试了所有次数之后，将进入死信队列。每个订阅都有自己的死信队列。
  

1.3.3 典型架构

• 扇出架构（Fan out）
  

例题：A company runs a serverless application in a single AWS Region. The application accesses external URLs and extracts metadata from those sites. The company uses an Amazon Simple Notification Service (Amazon SNS) topic to publish URLs to an Amazon Simple Queue Service (Amazon SQS) queue. An AWS Lambda function uses the queue as an event source and processes the URLs from the queue. Results are saved to an Amazon S3 bucket.
The company wants to process each URL in other Regions to compare possible differences in site localization. URLs must be published from the existing Region.
Results must be written to the existing S3 bucket in the current Region.
Which combination of changes will produce multi-Region deployment that meets these requirements? (Choose two.)
A. Deploy the SQS queue with the Lambda function to other Regions.
B. Subscribe the SNS topic in each Region to the SQS queue.
C. Subscribe the SQS queue in each Region to the SNS topic.
D. Configure the SQS queue to publish URLs to SNS topics in each Region.
E. Deploy the SNS topic and the Lambda function to other Regions.
答案：AC
答案解析：题目要求多区域部署。首先在每个区域中创建SQS和Lambda，然后将SQS队列订阅到SNS主题(不需要在每个区域中创建另一个SNS主题)，因此选择AC。

2 管理与监管组件

这个分类是用于一些很基础的监管、管理等功能组件。

2.1 Amazon Cloudwatch

Amazon CloudWatch 可实时监控您的亚马逊云科技 (AWS) 资源以及您在 AWS 上运行的应用程序。您可以使用 CloudWatch 收集和跟踪指标，这些指标是您可衡量的相关资源和应用程序的变量。CloudWatch是监管组件最重要的一环，所有的AWS组件都可以将其相关指标发送到CloudWatch，然后在经过下游处理（比如警告、图表展现等）。

2.1.1 基本特性

• 需要理清楚3个东西：metric（指标）、Alarms（警告）、dashboard（展示）
• 关于metric：EC2默认5分钟采集一次、内存是不采集的
• 关于Alarms：可以触发action（比如EC2重启、ASG、甚至账单等）、可以被Cloudwatch Event拦截

2.1.2 CloudWatch Event

2.1.3 Cloudwatch Logs

• 常见AWS服务的Logs（CloudWatch的来源）
  

例题：A company has VPC flow logs enabled for its NAT gateway. The company is seeing Action = ACCEPT for inbound traffic that comes from public IP address
198.51.100.2 destined for a private Amazon EC2 instance.
A solutions architect must determine whether the traffic represents unsolicited inbound connections from the internet. The first two octets of the VPC CIDR block are 203.0.
Which set of steps should the solutions architect take to meet these requirements?
A. Open the AWS CloudTrail console. Select the log group that contains the NAT gateway’s elastic network interface and the private instance’s elastic network interface. Run a query to filter with the destination address set as “like 203.0” and the source address set as “like 198.51.100.2”. Run the stats command to filter the sum of bytes transferred by the source address and the destination address.
B. Open the Amazon CloudWatch console. Select the log group that contains the NAT gateway’s elastic network interface and the private instance’s elastic network interface. Run a query to filter with the destination address set as “like 203.0” and the source address set as “like 198.51.100.2”. Run the stats command to filter the sum of bytes transferred by the source address and the destination address.
C. Open the AWS CloudTrail console. Select the log group that contains the NAT gateway’s elastic network interface and the private instance’s elastic network interface. Run a query to filter with the destination address set as “like 198.51.100.2” and the source address set as “like 203.0”. Run the stats command to filter the sum of bytes transferred by the source address and the destination address.
D. Open the Amazon CloudWatch console. Select the log group that contains the NAT gateway’s elastic network interface and the private instance’s elastic network interface. Run a query to filter with the destination address set as “like 198.51.100.2” and the source address set as “like 203.0”. Run the stats command to filter the sum of bytes transferred by the source address and the destination address.
答案：D
答案解析：题目中已经说明了从Internet入站到私有IP有一个Action=Accept。目标是确定这是请求的还是未请求的流量。如果请求，流量将首先从私有IP地址发起，然后接收返回的流量。如果未经请求，将不会有从私有IP地址出站的初始流量。所以选择D选项。

例题：A company runs applications on Amazon EC2 instances. The company plans to begin using an Auto Scaling group for the instances. As part of this transition, a solutions architect must ensure that Amazon CloudWatch Logs automatically collects logs from all new instances. The new Auto Scaling group will use a launch template that includes the Amazon Linux 2 AMI and no key pair.
Which solution meets these requirements?
A. Create an Amazon CloudWatch agent configuration for the workload. Store the CloudWatch agent configuration in an Amazon S3 bucket. Write an EC2 user data script to fetch the configuration file from Amazon S3. Configure the CloudWatch agent on the instance during initial boot.
B. Create an Amazon CloudWatch agent configuration for the workload in AWS Systems Manager Parameter Store. Create a Systems Manager document that installs and configures the CloudWatch agent by using the configuration. Create an Amazon EventBridge (Amazon CloudWatch Events) rule on the default event bus with a Systems Manager Run Command target that runs the document whenever an instance enters the running state.
C. Create an Amazon CloudWatch agent configuration for the workload. Create an AWS Lambda function to install and configure the CloudWatch agent by using AWS Systems Manager Session Manager. Include the agent configuration inside the Lambda package. Create an AWS Config custom rule to identify changes to the EC2 instances and invoke Lambda function.
D. Create an Amazon CloudWatch agent configuration for the workload. Save the CloudWatch agent configuration as part of an AWS Lambda deployment package. Use AWS CloudTrail to capture EC2 tagging events and initiate agent installation. Use AWS CodeBuild to configure the CloudWatch agent on the instances that run the workload.
答案：B
答案解析：通过SSM安装CloudWatch Agent是可行的:。参考：https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/download-CloudWatch-Agent-on-EC2-Instance-SSM-first.html

例题：A company has an application that is deployed on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are part of an Auto Scaling group. The application has unpredictable workloads and frequently scales out and in. The company’s development team wants to analyze application logs to find ways to improve the application’s performance. However, the logs are no longer available after instances scale in.
Which solution will give the development team the ability to view the application logs after a scale-in event?
A. Enable access logs for the ALB. Store the logs in an Amazon S3 bucket.
B. Configure the EC2 instances to publish logs to Amazon CloudWatch Logs by using the unified CloudWatch agent.
C. Modify the Auto Scaling group to use a step scaling policy.
D. Instrument the application with AWS X-Ray tracing.
答案：B
答案解析：题目要求在ALB+EC2架构下，能够很好采集EC2的日志（原先EC2如果伸缩，日志则会丢失）。A选项采集ALB的日志不是题目需要的；C选项改变伸缩策略并没有解决问题；D选项X-Ray是用于系统间调用。因此答案是B选项

• Logs的管理
  
• 与S3作为日志导出和加密
  

2.1.4 典型架构

• CloudWatch Alarm典型集成架构
  
• Logs的下游应用
  
• 统一日志账户架构（在教程4–身份与联合身份认证-日志账户体系结构）
  

2.2 AWS Config

AWS Config 可以提供关于您的 AWS 账户中的 AWS 资源配置的详细信息。这些信息包括资源之间的关联方式以及资源以前的配置方式，让您了解资源的配置和关系如何随着的时间的推移而更改。如果你使用过微服务，那么一定知道有一个config的组件，比如springcloud里面的springcloud config、nacos等，而AWS Config 做的就是这样的事情。

2.2.1 基本特性

• 可以帮助你审核和记录合规性
• 可以记录config resource的所有变更
• 但是仅仅是记录和评估，并不会阻止对config resource的修改
• 可以与SNS集成发送通知
• 同时能够跨区域

2.2.2 AWS Config Rules

• 能够维护75条合规规则
• 可以使用Lambda定义规则
• 规则还能设置自动恢复功能，修复不合规的resource

2.3 AWS X-ray

AWS X-Ray是一项服务，收集您应用程序所服务的请求的相关数据，并提供用于查看、筛选和获取数据洞察力的工具，以确定问题和发现优化的机会。这里记住以下2个点即可

• 它是微服务跟踪可视化最好的工具
• 集成了多个组件：EC2、ECS、Lambda、Beanstalk、API Gateway等

3 编排工具

3.1 AWS Step Functions

AWS Step Functions是一项无服务器协调服务，可让您与AWS Lambda功能和其他功能集成AWS 服务以构建业务关键型应用程序。通过 Step Functions 的图形控制台，您可以将应用程序的工作流程视为一系列事件驱动的步骤。Step Functions 基于状态机和任务。在 Step Functions 中，工作流程称为状态机，它是一系列事件驱动的步骤。工作流程中的每个步骤都称为状态。任务状态表示其他AWS服务（例如AWS Lambda）执行的工作单元。任务状态可以调用任何AWS 服务或 API。可以简单理解Step Functions就是类似低代码平台（当然还远远达不到）。

3.1.1 基本特性

• json格式的状态机
• 具备编排功能：顺序、并发、条件、错误等等流程
• 与大部分组件集成：Lambda、EC2等
• 最长能执行1年的任务，且还能加入人工审批
• 触发step function：AWS控制台、SDK、CLI、Lambda、API Gateway、EventBridge、CodePipeline、Step Function。

3.1.2 Workflows类型

3.1.3 常见的任务设计

• Lambda Task：调用Lambda执行
• Activity Task：使用一个HTTP worker（比如：EC2、mobile devices、甚至在On-premise的服务）
• Service Task：连接AWS的服务
• Wait Task：定时执行某个任务
  （注意：考试中的考点：Step Functions并未与机器学习框架Mechanical Turk集成，如果要与Mechanical Turk集成请选择SWF）

3.1.4 典型架构

3.3 Amazon SWF

借助 Amazon Simple Workflow Service (Amazon SWF) 可轻松构建能够跨越各分布组件对工作进行协调的应用程序。在 Amazon SWF 中，一个任务表示的是由您的应用程序组件所执行之工作的一个逻辑单位。跨越应用程序协作任务依据应用逻辑流程涉及有任务间依赖关系的管理、排定和并发性协调。Amazon SWF 可使您完全控制任务的执行和协作，无需担心跟踪任务进度和维持任务状态等底层复杂性。乍一看，SWF与Step Functions很类似，都是任务编排，但是其实使用场景不一样，SWF更多的是任务协调工作，也就是常用于机器学习的计算任务，因此与机器学习框架Mechanical Turk集成，这也是考试点。

3.4 Amazon EventBridge

Amazon EventBridge 是一项无服务器服务，它使用事件将应用程序组件连接在一起，使您可以更轻松地构建可扩展的事件驱动应用程序。简单来说就是一个接收Events的总线，通过EventBridge可以将Events触发目标操作。

• 不同事件来源的Bus：AWS服务的Events、第三方合作的Events、自定义的Events
  
• 常见应用场景：归档事件、重放事件、启停EC2等

例题：A company runs its application in the eu-west-1 Region and has one account for each of its environments: development, testing, and production. All the environments are running 24 hours a day, 7 days a week by using stateful Amazon EC2 instances and Amazon RDS for MySQL databases. The databases are between 500 GB and 800 GB in size.
The development team and testing team work on business days during business hours, but the production environment operates 24 hours a day, 7 days a week. The company wants to reduce costs. All resources are tagged with an environment tag with either development, testing, or production as the key.
What should a solutions architect do to reduce costs with the LEAST operational effort?
A. Create an Amazon EventBridge rule that runs once every day. Configure the rule to invoke one AWS Lambda function that starts or slops instances based on me tag, day, and time.
B. Create an Amazon EventBridge rule that runs every business day in the evening. Configure the rule to invoke an AWS Lambda function that stops instances based on the tag. Create a second EventBridge rule that runs every business day in the morning. Configure the second rule lo invoke another Lambda function that starts instances based on the tag.
C. Create an Amazon EventBridge rule that runs every business day in the evening, Configure the rule to invoke an AWS Lambda function that terminates, instances based on the lag. Create a second EventBridge rule that runs every business day in the morning. Configure the second rule lo invoke another Lambda function that restores the instances from their last backup based on the tag.
D. Create an Amazon EventBridge rule that runs every hour. Configure the rule to invoke one AWS Lambda function that terminates or restores instances from their last backup based on the tag. day, and time.
答案：B
答案解析：题目有2个环境分别白天使用和7*24小时使用，要节省成本。A选项要求每天停止和启动实例一次，这可能导致实例在使用时被停止，或者在不使用时不被停止。C选项将在非业务时间终止实例，并在上午恢复它们，这可能导致数据丢失或启动时间延长。D选项将每小时终止或恢复实例，这可能导致不必要的成本以及数据丢失或更长的启动时间。因此选择B选项

例题：A delivery company is running a serverless solution in the AWS Cloud. The solution manages user data, delivery information, and past purchase details. The solution consists of several microservices. The central user service stores sensitive data in an Amazon DynamoDB table. Several of the other microservices store a copy of parts of the sensitive data in different storage services.
The company needs the ability to delete user information upon request. As soon as the central user service deletes a user, every other microservice must also delete its copy of the data immediately.
Which solution will meet these requirements?
A. Activate DynamoDB Streams on the DynamoDB table. Create an AWS Lambda trigger for the DynamoDB stream that will post events about user deletion in an Amazon Simple Queue Service (Amazon SQS) queue. Configure each microservice to poll the queue and delete the user from the DynamoDB table.
B. Set up DynamoDB event notifications on the DynamoDB table. Create an Amazon Simple Notification Service (Amazon SNS) topic as a target for the DynamoDB event notification. Configure each microservice to subscribe to the SNS topic and to delete the user from the DynamoDB table.
C. Configure the central user service to post an event on a custom Amazon EventBridge event bus when the company deletes a user. Create an EventBridge rule for each microservice to match the user deletion event pattern and invoke logic in the microservice to delete the user from the DynamoDB table.
D. Configure the central user service to post a message on an Amazon Simple Queue Service (Amazon SQS) queue when the company deletes a user. Configure each microservice to create an event filter on the SQS queue and to delete the user from the DynamoDB table.
答案：C
答案解析：题目要求删除用户时，其它微服务能够删除其副本的用户。A选项和D选项期望SQS被几个微服务使用，但是你需要在微服务中写一些代码。B选项没有“DynamoDB事件通知”这样的东西。因此选择C选项。

• Schema Registry：注册event的schema
• resource-base policy：管理特定bus的权限，比如跨账号等

3.5 AWS CodeDeploy

AWS CodeDeploy 是一项部署服务，可自动将应用程序部署到 Amazon EC2 实例、本地实例、无服务器 Lambda 函数或 Amazon ECS 服务。CodeDeploy 经常在考试中出现，下面通过一些基本特性功能以及与各种服务集成的基本原理，让你对CodeDeploy有一个了解，考试中经常出现的无损切换版本、自动切换版本等，都是与其自动化部署、流量路由切换、blue/green部署等功能有关系。

3.5.1 基本特性

• 服务器、无服务器和容器应用程序。 CodeDeploy允许您在服务器上部署传统应用程序，也可以部署无服务器AWS Lambda功能版本或 Amazon ECS 应用程序的应用程序。
• 自动部署。 CodeDeploy 可完全自动执行跨您的开发环境、测试环境和生产环境部署应用程序的过程。 CodeDeploy 随着您的基础设施进行扩展，让您能够部署到一个实例或数千个实例。
• 最大程度减少停机时间。如果您的应用程序使用 EC2/本地计算平台，则 CodeDeploy 有助于最大限度地提高应用程序的可用性。在就地部署期间， CodeDeploy 对 Amazon EC2 实例执行滚动更新。您可以指定在进行更新时每次进入脱机状态的实例的数量。在蓝/绿部署中，最新应用程序修订安装在替换实例上。在您选择时，流量会立即重新路由到这些实例，或者在完成新环境测试之后立即重新路由。对于两种部署类型， CodeDeploy 将根据您配置的规则跟踪应用程序运行状况。
• 停止并回滚。出现错误时，您可以自动或手动停止和回滚部署。
• 集中控制。您可以通过 CodeDeploy 控制台或启动部署并跟踪部署状态AWS CLI。您会收到一份报告，其中列出了每个应用程序修订的部署时间以及 Amazon EC2 实例部署到哪些 Amazon EC2 实例。
• 易于采用。 CodeDeploy 不受平台限制，适用于任何应用程序。您可以轻松地重复使用您的设置代码。 CodeDeploy 还可以与您的软件发布流程或持续交付工具链集成。
• 并发部署。如果您有多个使用 EC2/本地计算平台的应用程序，则 CodeDeploy 可以将它们同时部署到同一组实例。

3.5.2 部署EC2

• 使用appspec.yml文件配置以及设置部署策略
• 可以在EC2 Fleet中进行更新部署
• 可以使用Hooks进行验证是否部署成功

3.5.3 部署ASG

2种方式的部署

• 第一种：正常部署：与前面EC2部署一样，只不过新部署的EC2属于ASG管理
• 第二种：blue/green部署：使用一个ELB；部署2套应用；启动切换；（注意：blue/green部署方式在考试中常见）
  

例题：A company has an application that runs on Amazon EC2 instances in an Amazon EC2 Auto Scaling group. The company uses AWS CodePipeline to deploy the application. The instances that run in the Auto Scaling group are constantly changing because of scaling events.
When the company deploys new application code versions, the company installs the AWS CodeDeploy agent on any new target EC2 instances and associates the instances with the CodeDeploy deployment group. The application is set to go live within the next 24 hours.
What should a solutions architect recommend to automate the application deployment process with the LEAST amount of operational overhead?
A. Configure Amazon EventBridge (Amazon CloudWatch Events) to invoke an AWS Lambda function when a new EC2 instance is launched into the Auto Scaling group. Code the Lambda function to associate the EC2 instances with the CodeDeploy deployment group.
B. Write a script to suspend Amazon EC2 Auto Scaling operations before the deployment of new code. When the deployment is complete, create a new AMI and configure the Auto Scaling group’s launch template to use the new AMI for new launches. Resume Amazon EC2 Auto Scaling operations.
C. Create a new AWS CodeBuild project that creates a new AMI that contains the new code. Configure CodeBuild to update the Auto Scaling group’s launch template to the new AMI. Run an Amazon EC2 Auto Scaling instance refresh operation.
D. Create a new AMI that has the CodeDeploy agent installed. Configure the Auto Scaling group’s launch template to use the new AMI. Associate the CodeDeploy deployment group with the Auto Scaling group instead of the EC2 instances.
答案：D
答案解析：参考：https://docs.aws.amazon.com/codedeploy/latest/userguide/integrations-aws-auto-scaling.html

3.5.4 部署ECS

• 支持blue/green部署在ECS或者Fargate
• 但是不是在CodeDeploy设置部署任务，而是在ECS中设置
• 流量自动切换或者定义百分比切换
• 能够部署后在X分钟验证没问题删除旧版本
  

3.5.5 部署Lambda

• 流量转移：通过Lambda的alias进行转移
• pre和post traffic hook进行部署流量切换前后的回调
• 轻松自动回滚（结合CloudWatch Alarms）
• SAM底层使用的就是CodeDeploy
  

3.6 AWS CloudFormation

AWS CloudFormation 是一项服务，可帮助您对 AWS 资源进行建模和设置，以便能花较少的时间管理这些资源，而将更多的时间花在运行于 AWS 中的应用程序上。您创建一个描述您所需的所有 AWS 资源（如 Amazon EC2 实例或 Amazon RDS 数据库实例）的模板，并且 CloudFormation 将负责为您预置和配置这些资源。您无需单独创建和配置 AWS 资源并了解 what; CloudFormation 句柄处理该工作时所依赖的内容。以下方案演示 CloudFormation 如何提供帮助。简单理解就是一个以代码方式定义一组基础设施资源，是一个非常底层的组件，被其它组件广泛使用。

3.6.1 基本特性

• 以代码方式定义一组基础设施资源。

例题：A company is running its solution on AWS in a manually created VPC. The company is using AWS CloudFormation to provision other parts of the infrastructure. According to a new requirement, the company must manage all infrastructure in an automatic way.
What should the company do to meet this new requirement with the LEAST effort?
A. Create a new AWS Cloud Development Kit (AWS CDK) stack that strictly provisions the existing VPC resources and configuration. Use AWS CDK to import the VPC into the stack and to manage the VPC.
B. Create a CloudFormation stack set that creates the VPC. Use the stack set to import the VPC into the stack.
C. Create a new CloudFormation template that strictly provisions the existing VPC resources and configuration. From the CloudFormation console, create a new stack by importing the existing resources.
D. Create a new CloudFormation template that creates the VPC. Use the AWS Serverless Application Model (AWS SAM) CLI to import the VPC.
答案：C
答案解析：题目要求以CloudFormation 来创建VPC。参考：https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/resource-import-existing-stack.html

• 可以跨多账号多区域使用
• 在Beanstalk、Service Catalog、SAM中作为底层组件使用
• 利用Lambda自定义一些操作
• Cross&Nested stacks不同使用场景
  1）Cross stacks：引用
  2）Nested stacks：重复使用
• CloudFormer：通过先有资源创建CloudFormation 模板
• ChangeSets：查看CloudFormation 的变更情况
• StackSets：跨账号和跨区域部署CloudFormation

例题：A company is using AWS Organizations to manage multiple AWS accounts. For security purposes, the company requires the creation of an Amazon Simple
Notification Service (Amazon SNS) topic that enables integration with a third-party alerting system in all the Organizations member accounts.
A solutions architect used an AWS CloudFormation template to create the SNS topic and stack sets to automate the deployment of CloudFormation stacks.
Trusted access has been enabled in Organizations.
What should the solutions architect do to deploy the CloudFormation StackSets in all AWS accounts?
A. Create a stack set in the Organizations member accounts. Use service-managed permissions. Set deployment options to deploy to an organization. Use CloudFormation StackSets drift detection.
B. Create stacks in the Organizations member accounts. Use self-service permissions. Set deployment options to deploy to an organization. Enable the CloudFormation StackSets automatic deployment.
C. Create a stack set in the Organizations master account. Use service-managed permissions. Set deployment options to deploy to the organization. Enable CloudFormation StackSets automatic deployment.
D. Create stacks in the Organizations master account. Use service-managed permissions. Set deployment options to deploy to the organization. Enable CloudFormation StackSets drift detection.
答案：C
答案解析：题目要求通过CloudFormation实现跨账号自动化部署。CloudFormation StackSets 就是可以实现，需要在master账号创建stacks，然后设置automatic deployment。

例题：A company has its cloud infrastructure on AWS. A solutions architect needs to define the infrastructure as code. The infrastructure is currently deployed in one
AWS Region. The company’s business expansion plan includes deployments in multiple Regions across multiple AWS accounts.
What should the solutions architect do to meet these requirements?
A. Use AWS CloudFormation templates. Add IAM policies to control the various accounts. Deploy the templates across the multiple Regions.
B. Use AWS Organizations. Deploy AWS CloudFormation templates from the management account. Use AWS Control Tower to manage deployments across accounts.
C. Use AWS Organizations and AWS CloudFormation StackSets. Deploy a CloudFormation template from an account that has the necessary IAM permissions.
D. Use nested stacks with AWS CloudFormation templates. Change the Region by using nested stacks.
答案：C
答案解析：题目希望做到跨区域、跨账号，那么应该使用CloudFormation StackSets。因此选择C选项。

• Stack Policies：对资源的删除/更新策略，可以防止删除CloudFormation 删除基础设施资源，可以设置DeletePolicy=Retain（考试中出现过的考题）

例题：A company is using AWS CloudFormation to deploy its infrastructure, The company is concerned that, if a production CloudFormation stack is deleted, important data stored in Amazon RDS databases or Amazon EBS volumes might also be deleted. How can the company prevent users from accidentally deleting data in this way?
A. Modify the CloudFormation templates to add a DeletionPolicy attribute to RDS and EBS resources
B. Configure a stack policy that disallows the deletion of RDS and EBS resources.
C. Modify IAM policies to deny deleting RDS an EBS resources that are tagged with an “aws:cloudformation:stackname” tag.
D. Use AWS Config rules to prevent deleting RDS and EBS resources
答案：A
答案解析：题目关键词：CloudFormation stack , deleted, prevent。想在CloudFormation stack防止CloudFormation stack 被删除时资源也被删除，那么可以使用Stack Policies中的DeletePolicy属性配置为Retain，因此A答案是正确的

3.6.2 权限相关

当你使用CloudFormation 创建资源时，如何才能有权限对某个资源有创建权限，有2种方式

• 给使用CloudFormation 的用户用于该资源的创建权限
• 使用角色（有创建该资源的角色）赋予CloudFormation Stack，一样也可以创建该资源

3.6.3 典型架构

• 与ASG集成
  

3.7 AWS CodePipeline（CICD）

了解AWS CodePipeline之前，最好先了解CICD持续交付和持续集成。这点简单说一下就是随时随地快速的发布版本。CICD的流程大概如下图所示：

AWS CodePipeline 是一种持续交付服务，可用于建模、可视化和自动执行发布软件所需的步骤。您可以快速对软件发布过程的不同阶段进行建模和配置。CodePipeline自动执行持续发布软件更改所需的步骤。其实现的技术栈如下图：

例题：During an audit, a security team discovered that a development team was putting IAM user secret access keys in their code and then committing it to an AWS CodeCommit repository. The security team wants to automatically find and remediate instances of this security vulnerability. Which solution will ensure that the credentials are appropriately secured automatically?
A. Run a script nightly using AWS Systems Manager Run Command to search for credentials on the development instances. If found, use AWS Secrets Manager to rotate the credentials.
B. Use a scheduled AWS Lambda function to download and scan the application code from CodeCommit. If credentials are found, generate new credentials and store them in AWS KMS.
C. Configure Amazon Macie to scan for credentials in CodeCommit repositories. If credentials are found, trigger an AWS Lambda function to disable the credentials and notify the user.
D. Configure a CodeCommit trigger to invoke an AWS Lambda function to scan new code submissions for credentials. If credentials are found, disable them in AWS IAM and notify the user.
答案：D
答案解析：题目希望在提交代码做一次安全检测。因此使用CodeCommit trigger触发Lambda。因此选择D选项

例题：A company uses an AWS CodeCommit repository. The company must store a backup copy of the data that is in the repository in a second AWS Region.
Which solution will meet these requirements?
A. Configure AWS Elastic Disaster Recovery to replicate the CodeCommit repository data to the second Region.
B. Use AWS Backup to back up the CodeCommit repository on an hourly schedule. Create a cross-Region copy in the second Region.
C. Create an Amazon EventBridge rule to invoke AWS CodeBuild when the company pushes code to the repository. Use CodeBuild to clone the repository. Create a .zip file of the content. Copy the file to an S3 bucket in the second Region.
D. Create an AWS Step Functions workflow on an hourly schedule to take a snapshot of the CodeCommit repository. Configure the workflow to copy the snapshot to an S3 bucket in the second Region
答案：C
答案解析：参考：https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/deploy-code-in-multiple-aws-regions-using-aws-codepipeline-aws-codecommit-and-aws-codebuild.html

3.7.1 典型架构

• 版本发布架构
  

例题： A company plans to refactor a monolithic application into a modern application design deployed on AWS.The CI/CD pipeline needs to be upgraded to support the modern design for the application with the following requirements:
.-It should allow changes to be released several times every hour.
–It should be able to roll back the changes as quickly as possible.
Which design will meet these requirements?
A. Deploy a CI/CD pipeline that incorporates AMls to contain the application and their configurations.Deploy the application by replacing Amazon EC2 instances.
B. Specify AWS Elastic Beanstalk to stage in a secondary environment as the deployment target for the CI/ CD pipeline of’ the application. To deploy, swap the staging and production environment URLS.
C. Use AWS Systems Manager to re-provision the infrastructure for each deployment. Update the Amazon EC2 user data to pull the latest code artifact from amazon S3 and use Amazon Route 53 weighted routing to point to the new environment.
D. Roll out the application update as part of an auto Scaling event using prebuilt AMls.Use new versions of the AMls to add instances and phase out all instances that use the previous AMl version with version with the configured termination policy during a deployment event.
答案：B
答案解析：题目关键词released several times every hour，as quickly as possible。通过CI/CD能够快速部署以及快速回滚。答案明显就是上图的架构，通过Beanstalk实现快速部署新环境，在通过多个环境快速切换实现回滚。

3.8 OpsWorks

相对来说，OpsWorks在考试中较少出现。这里简单讲一下关键点。AWS OpsWorks是一项配置管理服务，可帮助您使用 Puppet 或 Chef 配置和操作云企业中的应用程序。

• 如果你原先使用 Puppet 或 Chef，那么迁移到AWS上面，最好就是使用OpsWorks
• 其实OpsWorks与SSM、Beanstalk、CloudFormation功能类似

3.9 AWS Cloud Development Kit（CDK）

AWS CDK 使您能够借助编程语言的强大表达能力，在云中构建可靠、可扩展且成本高效的应用程序。简单的说，CloudFormation是我们使用json或者yaml文件来构建我们AWS的基础设施，但如果我们不想使用CloudFormation或者说不想使用json或者yaml文件，而是想使用自己熟悉的编程语言（比如JavaScript、Python、java等），那么使用CDK就可以将你使用其他编程语言转换为CloudFormation，最后部署我们的AWS 服务。

3.10 AWS App Runner

AWS App Runner是一个AWS服务，它提供了一种快速、简单且经济高效的方式来从源代码或容器映像直接部署到AWS云。您不需要学习新技术、决定要使用的计算服务或了解如何配置和配置AWS资源的费用。简单来讲就是自动触发部署，这个在CICD中也有类似模块，就是你的代码或者你的镜像更新了，将自动为你部署新的版本。

• 不需要了解底层架构
• 自动部署，且支持伸缩、负载均衡、VPC授权等

3.10.1 典型架构

• 跨区域部署
  

3.11 AWS Amplify

AWS Amplify是一组专门构建的工具和功能，使前端 Web 和移动开发人员能够快速轻松地在上构建全栈应用程序AWS。Amplify 提供两项服务：Amplify Hosting 和 Amplify Studio。

• Amplify Hosting 提供了基于 git 的工作流，用于托管持续部署的全栈无服务器 Web 应用程序。该用户指南提供了开始使用 Amplify Hostace Hofy Hostace。
• Amplify Studio 是一个直观的开发环境，可简化可扩展的全栈 Web 和移动应用程序的创建。使用 Studio 借助一组UI，构建前端 ready-to-use UI，创建应用程序后端，然后将两者连接在一起

例题：A company runs an application in an on-premises data center. The application gives users the ability to upload media files. The files persist in a file server. The web application has many users. The application server is overutilized, which causes data uploads to fail occasionally. The company frequently adds new storage to the file server. The company wants to resolve these challenges by migrating the application to AWS.
Users from across the United States and Canada access the application. Only authenticated users should have the ability to access the application to upload files. The company will consider a solution that refactors the application, and the company needs to accelerate application development.
Which solution will meet these requirements with the LEAST operational overhead?
A. Use AWS Application Migration Service to migrate the application server to Amazon EC2 instances. Create an Auto Scaling group for the EC2 instances. Use an Application Load Balancer to distribute the requests. Modify the application to use Amazon S3 to persist the files. Use Amazon Cognito to authenticate users.
B. Use AWS Application Migration Service to migrate the application server to Amazon EC2 instances. Create an Auto Scaling group for the EC2 instances. Use an Application Load Balancer to distribute the requests. Set up AWS IAM Identity Center (AWS Single Sign-On) to give users the ability to sign in to the application. Modify the application to use Amazon S3 to persist the files.
C. Create a static website for uploads of media files. Store the static assets in Amazon S3. Use AWS AppSync to create an API. Use AWS Lambda resolvers to upload the media files to Amazon S3. Use Amazon Cognito to authenticate users.
D. Use AWS Amplify to create a static website for uploads of media files. Use Amplify Hosting to serve the website through Amazon CloudFront. Use Amazon S3 to store the uploaded media files. Use Amazon Cognito to authenticate users.
答案：D
答案解析：题目要求公司将原先的媒体文件上传程序迁移到AWS，支持美国和加拿大可用，并且LEAST operational overhead。因此采用Amazon CloudFront托管网站可确保美国和加拿大用户的低延迟访问，并使用Amplify快速部署静态网站是一个操作开销最小的方案。因此选择D选项

4 其它基础中间件

4.1 AWS Health

AWS Health提供对资源性能和可用性的持续可见性AWS 服务和账户。您可以使用AWS Health 事件了解服务和资源更改会如何影响正在运行的应用程序AWS.AWS Health提供相关和及时的信息，帮助您管理正在进行的活动。AWS Health还可以帮助您了解计划中的活动并为之做好准备。该服务会提供由 AWS 资源运行状况变化触发的报警和通知，因此您可以近乎即时地了解事件和获得指导，以帮助加快故障排除。

• 默认有3种Dashboard：Account notification、Issue、Scheduled change。
• 与EventBridge结合，可以通过EventBridge订阅AWS Health的事件，然后以SNS方式发送给订阅者

4.2 Amazon SES（Simple Email Service）

Amazon Simple Email Service（SES）是一个易于使用且经济高效的电子邮件平台，有便于您通过该平台，使用您自己的电子邮件地址和域来发送或接收电子邮件。

4.2.1 基本特性

• 为任何应用程序添加发送电子邮件的功能。
• 您还可以使用 AWS SDK 或 Amazon SES SMTP 接口，甚至通过直接调用 Amazon SES API 的方式，从 Amazon EC2 发送电子邮件。
• 集成很多AWS服务：
  1）使用 AWS Elastic Beanstalk 创建具备电子邮件功能的应用程序
  2）设置 Amazon Simple Notification Service（Amazon SNS），在您的电子邮件被退回、产生投诉或已成功送达收件人的邮件服务器时通知您。在使用 Amazon SES 接收电子邮件时，您的电子邮件内容可以发布到 Amazon SNS 主题。
  3）使用 AWS Management Console 来设置 Easy DKIM，后者是一种验证电子邮件的方式。尽管您可以通过任何 DNS 提供商来使用 Easy DKIM，但使用 Route 53 管理域的话，设置起来格外简单。
  4）使用 AWS Identity and Access Management（IAM）控制用户对您的电子邮件发送的访问权限。
  5）将您收到的电子邮件存储在 Amazon Simple Storage Service（Amazon S3）中。
  6）触发 AWS Lambda 函数，对您收到的电子邮件执行操作。
  7）使用 AWS Key Management Service（AWS KMS）选择性地加密在 Amazon S3 存储桶中收到的邮件。
  8）使用 AWS CloudTrail 记录您使用控制台或 Amazon SES API 进行的 Amazon SES API 调用。
  9）将电子邮件发送事件发布到 Amazon CloudWatch 或 Amazon Kinesis Data Firehose。如果将电子邮件发送事件发布到 Kinesis Data Firehose，您可以在 Amazon Redshift、Amazon OpenSearch Service 或 Amazon S3 中进行访问。
• SES template（邮件模板）。可以设置邮件模板，比如将电子邮件发送到最多 50 个目标。目标包含一个收件人列表，包括抄送和密件抄送收件人。（考试中出现过希望发送填充客户信息，就采用SES template，注意SES template存储在SES上面）

例题：A software as a service (SaaS) based company provides a case management solution to customers A3 part of the solution. The company uses a standalone Simple Mail Transfer Protocol (SMTP) server to send email messages from an application. The application also stores an email template for acknowledgement email messages that populate customer data before the application sends the email message to the customer.
The company plans to migrate this messaging functionality to the AWS Cloud and needs to minimize operational overhead.
Which solution will meet these requirements MOST cost-effectively?
A. Set up an SMTP server on Amazon EC2 instances by using an AMI from the AWS Marketplace. Store the email template in an Amazon S3 bucket. Create an AWS Lambda function to retrieve the template from the S3 bucket and to merge the customer data from the application with the template. Use an SDK in the Lambda function to send the email message.
B. Set up Amazon Simple Email Service (Amazon SES) to send email messages. Store the email template in an Amazon S3 bucket. Create an AWS Lambda function to retrieve the template from the S3 bucket and to merge the customer data from the application with the template. Use an SDK in the Lambda function to send the email message.
C. Set up an SMTP server on Amazon EC2 instances by using an AMI from the AWS Marketplace. Store the email template in Amazon Simple Email Service (Amazon SES) with parameters for the customer data. Create an AWS Lambda function to call the SES template and to pass customer data to replace the parameters. Use the AWS Marketplace SMTP server to send the email message.
D. Set up Amazon Simple Email Service (Amazon SES) to send email messages. Store the email template on Amazon SES with parameters for the customer data. Create an AWS Lambda function to call the SendTemplatedEmail API operation and to pass customer data to replace the parameters and the email destination.
答案：D
答案解析：题目要求将邮件服务迁移到AWS上，使用模板填充客户数据，并且MOST cost-effectively。因此首先是使用SES比直接在EC2部署SMTP server会更方便，因此排除A选项和C选项。填充用户数据，可以使用SES的email template。因此选择D选项

4.2.2 configuration sets（配置集）

configuration sets是可以应用于已验证身份的规则组。经过验证的身份是您用来通过 Amazon SES 发送电子邮件的域、子域或电子邮件地址。当您对电子邮件应用配置集时，该配置集中的所有规则将应用于该电子邮件。

• Event destinations：可让您将电子邮件发送指标（包括发送数、送达数、打开数、单击数、退回数以及投诉数）发布到其他 AWS 产品。
• IP pool management： 如果您租赁专用 IP 地址在 Amazon SES 中使用，可以使用这些地址创建组（称为专用 IP 池）以用来发送特定类型的电子邮件。

4.2.3 TLS 加密

如果通过 SMTP 接口访问 Amazon SES，那么您需要使用传输层安全性（TLS）来加密您的连接。请注意，提及 TLS 时通常使用其前身协议的名称：安全套接字层 (SSL)。
Amazon SES 支持两种建立 TLS 加密连接的机制：STARTTLS 和 TLS Wrapper。

• TARTTLS – STARTTLS 是一种将未加密的连接升级到加密连接的方式。提供了适用于各种协议的 STARTTLS 版本；SMTP 版本已在 RFC 3207 中定义。对于 STARTTLS 连接，Amazon SES 支持 TLS 1.2 和 TLS 1.3。支持端口25、587和2587
• TLS Wrapper – TLS Wrapper（也称为 SMTPS 或握手协议）是一种在无需先建立未加密连接的情况下启动加密连接的方式。利用 TLS Wrapper，Amazon SES SMTP 端点不执行 TLS 协商：客户端负责使用 TLS 连接到端点，然后继续对整个对话使用 TLS。虽然 TLS Wrapper 是一项旧协议，但许多客户端仍支持它。对于 TLS 包装器连接，Amazon SES 支持 TLS 1.2。支持端口465和2465
  （注意：考试中出现过TLS加密，推荐使用TARTTLS ）

例题：A company recently completed the migration from an on-premises data center to the AWS Cloud by using a replatforming strategy. One of the migrated servers is running a legacy Simple Mail Transfer Protocol (SMTP) service that a critical application relies upon. The application sends outbound email messages to the company’s customers. The legacy SMTP server does not support TLS encryption and uses TCP port 25. The application can use SMTP only.
The company decides to use Amazon Simple Email Service (Amazon SES) and to decommission the legacy SMTP server. The company has created and validated the SES domain. The company has lifted the SES limits.
What should the company do to modify the application to send email messages from Amazon SES?
A. Configure the application to connect to Amazon SES by using TLS Wrapper. Create an IAM role that has ses:SendEmail and ses:SendRawEmail permissions. Attach the IAM role to an Amazon EC2 instance.
B. Configure the application to connect to Amazon SES by using STARTTLS. Obtain Amazon SES SMTP credentials. Use the credentials to authenticate with Amazon SES.
C. Configure the application to use the SES API to send email messages. Create an IAM role that has ses:SendEmail and ses:SendRawEmail permissions. Use the IAM role as a service role for Amazon SES.
D. Configure the application to use AWS SDKs to send email messages. Create an IAM user for Amazon SES. Generate API access keys. Use the access keys to authenticate with Amazon SES.
答案：B
答案解析：题目要求将本地邮件服务迁移到AWS，使用25端口。因此想要加密TLS且端口是25，那么选择STARTTLS。因此选择B选项。

4.3 Amazon EC2 Image Builder

Amazon EC2 Image Builder 是一款完全托管AWS 服务的，可帮助您自动创建、管理和部署自定义、安全的 up-to-date 服务器映像。您可以使用AWS Management ConsoleAWS Command Line Interface、或 API 在中创建自定义映像AWS 账户。简单理解就是将你已经部署好的EC2实例打包为一个AMI方便部署。

4.3.1 基本特性

• 提高工作效率
• 集中的实施和跟踪管理
• 简化了跨区域的资源共享 AWS 账户

4.3.2 与CodePipeline（CICD）集成

当部署一个EC2实例中包括比较多的组件时，推荐使用AMI方式。

4.4 AWS Serverless Application Model（SAM）

AWS Serverless Application Model(AWS SAM) 是一个工具包，可改善开发人员在上AWS构建和运行无服务器应用程序的体验。简单理解就是配置yaml文件格式去部署serverless（比如Lambda、CloudFront、API Gateway等）。

• 底层使用的是CloudFormation
• 以YAML文件方式
• 结合CodeDeploy做到Lambda流量自动切换（注意：当考试中出现部署Lambda多版本流量切换，且特别强调部署serverless服务，那么最佳选择就是SAM）
  

例题：A company has a serverless application comprised of Amazon CloudFront, Amazon API Gateway, and AWS Lambda functions. The current deployment process of the application code is to create a new version number of the Lambda function and run an AWS CLI script to update, lf the new function version has errors another CLI script reverts by deploying the previous working version of the function, The company would like to decrease the time to deploy new versions of the application logic provided by the Lambda functions, and also reduce the time to detect and revert when errors are identified.
How can this be accomplished?
A. Create and deploy nested AWS CloudFormation stacks with the parent stack consisting of the AWS CloudFront distribution and API Gateway, and the child stack containing the Lambda function. For changes to Lambda, create an AWS CloudFormation change set and deploy: if errors are triggered, revert the AWS CloudFormation change set to the previous version.
B. Use AWS SAM and built-in AWS CodeDeploy to deploy the new Lambda version, gradually shift traffic to the newversion, and use pre-traffic and post-traffic test functions to verify code. Rollback if Amazon Cloud Watch alarms are triggered.
C. Refactor the AWS CLI scripts into a single script that deploys the new Lambda version. When deployment is completed, the script tests execute. If errors are detected, revert to the previous Lambda version.
D. Create and deploy an AWS CloudFormation stack that consists of a new API Gateway endpoint that references the new Lambda version. Change the CloudFront origin to the new API Gateway endpoint, monitor errors and if detected, change the AWS CloudFront origin to the previous API Gateway endpoint.
答案：B
答案解析：题目关键词serverless application，deploy new versions，reduce the time。更新Lambda版本，且减少可以检测回滚时间。A选项可以做到更新版本，但是当出现回滚时，需要回滚API Gateway；C选项同样需要更新API Gateway，这样时间上就无法减少；D选项非自动化，回滚时间上也是无法做到极致。使用SAM就是管理serverless服务且兼备版本更新的功能。

4.5 AWS Service Catalog

AWS Service Catalog使组织能够创建和管理经批准的 IT 服务目录AWS。这些 IT 服务可以包括从虚拟机映像、服务器、软件、数据库等到完整的多层应用程序架构的所有内容。简单来说Service Catalog其实就是定义好CloudFormation模板，在将其授权到IAM权限，将IAM权限授予用户，从而达到统一标准且精确权限控制。

4.5.1 作用

• 标准化：管理员可以通过限制可启动产品的位置、可使用的实例类型以及多种其他配置选项，来管理已获批准的资产。这样可以为整个组织的产品预配置创建标准化的环境。（注意：考试中出现使用了很多不规范（比如使用实例过大等等），想统一规范，那么一般与Service Catalog有关）
• 自助式发现和启动：用户浏览其有权访问的产品（服务或应用程序）的列表，找到要使用的产品并将其作为预配置产品自行启动。
• 访问权限的精细控制：管理员从其目录中组装产品组合，添加用于配置的限制和资源标签，然后通过以下方式授予对产品组合的访问权限AWS Identity and Access Management(IAM) 用户和群组。（注意：考试中出现使用资源需要审批一般与Service Catalog有关）

例题：A company has an application that uses Amazon EC2 instances in an Auto Scaling group. The Quality Assurance (QA) department needs to launch a large number of short-lived environments to test the application. The application environments are currently launched by the Manager of the department using an AWS
CloudFormation template. To launch the stack, the Manager uses a role with permission to use CloudFormation, EC2, and Auto Scaling APIs. The Manager wants to allow testers to launch their own environments, but does not want to grant broad permissions to each user.
Which set up would achieve these goals?
A. Upload the AWS CloudFormation template to Amazon S3. Give users in the QA department permission to assume the Manager’s role and add a policy that restricts the permissions to the template and the resources it creates. Train users to launch the template from the CloudFormation console.
B. Create an AWS Service Catalog product from the environment template. Add a launch constraint to the product with the existing role. Give users in the QA department permission to use AWS Service Catalog APIs only. Train users to launch the templates from the AWS Service Catalog console.
C. Upload the AWS CloudFormation template to Amazon S3. Give users in the QA department permission to use CloudFormation and S3 APIs, with conditions that restrict the permission to the template and the resources it creates. Train users to launch the template from the CloudFormation console.
D. Create an AWS Elastic Beanstalk application from the environment template. Give users in the QA department permission to use Elastic Beanstalk permissions only. Train users to launch Elastic Beanstalk environment with the Elastic Beanstalk CLI, passing the existing role to the environment as a service role.
答案：B
答案解析：题目要求控制用户使用CloudFormation创建环境的权限，因此选择Service Catalog最合适。因此选择B选项

例题：A company wants to optimize AWS data-transfer costs and compute costs across developer accounts within the company’s organization in AWS Organizations. Developers can configure VPCs and launch Amazon EC2 instances in a single AWS Region. The EC2 instances retrieve approximately 1 TB of data each day from Amazon S3.
The developer activity leads to excessive monthly data-transfer charges and NAT gateway processing charges between EC2 instances and S3 buckets, along with high compute costs. The company wants to proactively enforce approved architectural patterns for any EC2 instance and VPC infrastructure that developers deploy within the AWS accounts. The company does not want this enforcement to negatively affect the speed at which the developers can perform their tasks.
Which solution will meet these requirements MOST cost-effectively?
A. Create SCPs to prevent developers from launching unapproved EC2 instance types. Provide the developers with an AWS CloudFormation template to deploy an approved VPC configuration with S3 interface endpoints. Scope the developers’ IAM permissions so that the developers can launch VPC resources only with CloudFormation.
B. Create a daily forecasted budget with AWS Budgets to monitor EC2 compute costs and S3 data-transfer costs across the developer accounts. When the forecasted cost is 75% of the actual budget cost, send an alert to the developer teams. If the actual budget cost is 100%, create a budget action to terminate the developers’ EC2 instances and VPC infrastructure.
C. Create an AWS Service Catalog portfolio that users can use to create an approved VPC configuration with S3 gateway endpoints and approved EC2 instances. Share the portfolio with the developer accounts. Configure an AWS Service Catalog launch constraint to use an approved IAM role. Scope the developers’ IAM permissions to allow access only to AWS Service Catalog.
D. Create and deploy AWS Config rules to monitor the compliance of EC2 and VPC resources in the developer AWS accounts. If developers launch unapproved EC2 instances or if developers create VPCs without S3 gateway endpoints, perform a remediation action to terminate the unapproved resources.
答案：C
答案解析：题目要求通过审批方式控制资源创建部署，因此选择Service Catalog最合适。因此选择C选项

• 扩展性和版本控制：管理员可将产品添加到任意数量的产品组合并施加限制，无需创建另一个副本。将产品更新为新版本后，更新会传播到涵盖该产品的每个产品组合中的所有产品。