CodeDeploy AppSpec file

  • AppSpec file should be placed in the root directory of the application’s source content’s directory structure.

AWS X-Ray

AWS X-Ray is a service that collects data about requests that your application serves, and provides tools you can use to view, filter, and gain insights into that data to identify issues and opportunities for optimization.

Lambda function invoking

Asynchronous invokes (Event)

Several AWS services invoke functions asynchronously to process events:

  • Amazon Simple Storage Service
  • Amazon Simple Notification Service
  • Amazon Simple Email Service
  • AWS CloudFormation
  • Amazon CloudWatch Logs
  • Amazon CloudWatch Events
  • AWS CodeCommit
  • AWS Config

Asynchronous invokes place your invoke request in the Lambda service queue, and Lambda processes the requests as they arrive. Use AWS X-Ray to review how long a request spent in the service queue by checking the “dwell time” segment.

Poll-based invokes (Stream/Queue)

Lambda polls the queue/stream and invokes your Lambda function synchronously with an event that contains the queue messages or stream records.

  • SQS
  • DynamoDB Stream
  • Kinesis data stream

Synchronous invokes (Push)

AWS executes your Lambda function and waits for the function to complete. When you perform a synchronous invoke, you are responsible for checking the response, determining whether there was an error, and deciding whether to retry the invoke.

  • Elastic Load Balancing (Application Load Balancer)
  • Amazon Cognito
  • Amazon Lex
  • Amazon Alexa
  • Amazon API Gateway
  • Amazon CloudFront (Lambda@Edge)
  • Amazon Kinesis Data Firehose

(Figure: Lambda invoke models)

AWS Cognito Sync

Amazon Cognito lets you save end user data in datasets containing key-value pairs. This data is associated with an Amazon Cognito identity, so that it can be accessed across logins and devices.
Amazon Cognito Sync is an AWS service and client library that enables cross-device syncing of application-related user data.

AWS Cognito Push Sync

Amazon Cognito automatically tracks the association between identity and devices.

Push sync ensures that, whenever the sync store data changes for a particular identity, all devices associated with that identity receive a silent push notification informing them of the change. Note that you need to grant AWS Cognito the right permission to send an SNS notification.

SQS long polling vs short polling

With long polling, the connection to SQS stays open until a message is found or until the wait time (maximum 20 seconds) is reached.

  • With short polling, the ReceiveMessage request queries only a subset of the servers (based on a weighted random distribution) to find messages that are available to include in the response. Amazon SQS sends the response right away, even if the query found no messages.
  • With long polling, the ReceiveMessage request queries all of the servers for messages. Amazon SQS sends a response after it collects at least one available message, up to the maximum number of messages specified in the request. Amazon SQS sends an empty response only if the polling wait time expires.

Short polling occurs when the WaitTimeSeconds parameter of a ReceiveMessage request is set to 0 in one of two ways:

  • The ReceiveMessage call sets WaitTimeSeconds to 0.
  • The ReceiveMessage call doesn’t set WaitTimeSeconds, but the queue attribute ReceiveMessageWaitTimeSeconds is set to 0.

Caching strategy

Lazy loading / cache aside

A disadvantage of using cache-aside as the only caching pattern is that data is loaded into the cache only after a cache miss, so the initial response carries extra overhead from the additional round trips to the cache and to the database.

Write through

  • A disadvantage of the write-through approach is that infrequently-requested data is also written to the cache, resulting in a larger and more expensive cache.
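To make the trade-off between the two patterns concrete, here is an added example (not from the original notes) that implements cache-aside and write-through against a constructed in-memory database that counts its round trips. The `Database`, `CacheAside` and `WriteThrough` classes and the `demo()` function are assumptions made for this illustration, standing in for ElastiCache plus a real data store.

```python
from typing import Dict, Optional


class Database:
    """Constructed stand-in for the backing store (e.g. RDS or DynamoDB).
    It counts round trips so the cost of each strategy is visible."""

    def __init__(self, rows: Dict[str, str]):
        self.rows = dict(rows)
        self.reads = 0
        self.writes = 0

    def get(self, key: str) -> Optional[str]:
        self.reads += 1
        return self.rows.get(key)

    def put(self, key: str, value: str) -> None:
        self.writes += 1
        self.rows[key] = value


class CacheAside:
    """Lazy loading: the application checks the cache first and fills it only
    after a miss, so the first read of a key costs a cache lookup plus a
    database round trip. Writes invalidate the cached copy so a stale value
    is never served after an update."""

    def __init__(self, db: Database):
        self.db = db
        self.cache: Dict[str, str] = {}
        self.hits = 0
        self.misses = 0

    def read(self, key: str) -> Optional[str]:
        if key in self.cache:
            self.hits += 1
            return self.cache[key]
        self.misses += 1
        value = self.db.get(key)
        if value is not None:
            self.cache[key] = value
        return value

    def write(self, key: str, value: str) -> None:
        self.db.put(key, value)
        self.cache.pop(key, None)  # drop the stale copy; next read reloads it


class WriteThrough:
    """Write-through: every write goes to the database and the cache together,
    so later reads hit without a load step. The cost is that data nobody ever
    reads still occupies cache memory."""

    def __init__(self, db: Database):
        self.db = db
        self.cache: Dict[str, str] = {}

    def write(self, key: str, value: str) -> None:
        self.db.put(key, value)
        self.cache[key] = value

    def read(self, key: str) -> Optional[str]:
        if key in self.cache:
            return self.cache[key]
        value = self.db.get(key)  # fallback for keys written outside this path
        if value is not None:
            self.cache[key] = value
        return value


def demo() -> Dict[str, object]:
    """Exercise both strategies on constructed data and report the counters."""
    aside_db = Database({"user:1": "alice"})
    aside = CacheAside(aside_db)
    aside.read("user:1")                  # miss: cache lookup + database read
    aside.read("user:1")                  # hit: served from cache
    aside.write("user:1", "bob")          # database write, cached copy dropped
    after_update = aside.read("user:1")   # miss again, reloads the new value

    wt_db = Database({})
    wt = WriteThrough(wt_db)
    for i in range(100):                  # 100 writes, no reads: all 100 cached
        wt.write(f"user:{i}", f"name-{i}")

    return {
        "cache_aside_db_reads": aside_db.reads,
        "cache_aside_hits": aside.hits,
        "cache_aside_misses": aside.misses,
        "cache_aside_value_after_update": after_update,
        "write_through_cache_size": len(wt.cache),
        "write_through_db_reads": wt_db.reads,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the two costs the notes describe: cache-aside pays a database read on the first access and again after an invalidating write, while write-through fills the cache with a hundred entries that were never read.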

Decouple an RDS instance from Elastic Beanstalk

  • Use an Elastic Beanstalk blue (environment A)/green (environment B) deployment to decouple an RDS DB instance from environment A.
  • Create a new Elastic Beanstalk environment (environment B) with the necessary information to connect to the RDS DB instance.

API Gateway cache

  • For better performance and faster API execution, you can optionally provision a dedicated cache for each stage of your APIs.
  • Cache is far more important than calls. Use caching in dev and test environments only when needed.

Lambda /tmp storage

/tmp directory storage quota: 512 MB, CANNOT be changed.

Lambda logs

AWS Lambda automatically monitors Lambda functions on your behalf, reporting metrics through Amazon CloudWatch. To help you troubleshoot failures in a function, Lambda logs all requests handled by your function and also automatically stores logs generated by your code through Amazon CloudWatch Logs.

Requiring HTTPS for Cloudfront

Origin Protocol Policy

Change the Origin Protocol Policy for the applicable origins in your distribution:

  • HTTPS Only – CloudFront uses only HTTPS to communicate with your custom origin.
  • Choose Match Viewer only if you specify Redirect HTTP to HTTPS or HTTPS Only for Viewer Protocol Policy.

Viewer Protocol Policy

Choose the protocol policy that you want viewers to use to access your content in CloudFront edge locations:

  • HTTP and HTTPS: Viewers can use both protocols.
  • Redirect HTTP to HTTPS: Viewers can use both protocols, but HTTP requests are automatically redirected to HTTPS requests.
  • HTTPS Only: Viewers can only access your content if they’re using HTTPS.

DynamoDB Read Capacity Units

  • A read capacity unit represents one strongly consistent read per second, or two eventually consistent reads per second, for an item up to 4 KB in size.
  • Reading an item larger than 4 KB consumes more read capacity units. For example, a strongly consistent read of an item that is 8 KB (4 KB × 2) consumes 2 read capacity units. An eventually consistent read on that same item consumes only 1 read capacity unit. Item sizes for reads are rounded up to the next 4 KB multiple. For example, reading a 3,500-byte item consumes the same throughput as reading a 4 KB item.
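The rounding rule above is easy to get wrong when sizing a table, so here is an added calculator (not from the original notes) that applies it. The function names `read_capacity_units` and `provisioned_read_capacity` are assumptions made for this example; the arithmetic follows the two bullets exactly.

```python
import math

KB = 1024
READ_UNIT_BYTES = 4 * KB  # one RCU covers an item of up to 4 KB


def read_capacity_units(item_size_bytes: int, consistent: bool = True,
                        items: int = 1) -> float:
    """RCUs consumed by reading `items` items of `item_size_bytes` each.

    Item sizes are rounded up to the next 4 KB multiple (a 3,500-byte item
    costs the same as a 4 KB one). A strongly consistent read costs one RCU
    per 4 KB chunk; an eventually consistent read costs half of that.
    """
    if item_size_bytes < 0 or items < 0:
        raise ValueError("sizes and counts must be non-negative")
    chunks = max(1, math.ceil(item_size_bytes / READ_UNIT_BYTES))
    per_item = chunks if consistent else chunks / 2
    return per_item * items


def provisioned_read_capacity(reads_per_second: int, item_size_bytes: int,
                              consistent: bool = True) -> int:
    """Whole RCUs to provision for a steady read rate (rounded up)."""
    return math.ceil(read_capacity_units(item_size_bytes, consistent,
                                         reads_per_second))


if __name__ == "__main__":
    # Constructed scenarios mirroring the examples in the notes.
    print(read_capacity_units(8 * KB, consistent=True))    # 2.0
    print(read_capacity_units(8 * KB, consistent=False))   # 1.0
    print(read_capacity_units(3500), read_capacity_units(4 * KB))  # 1 1
    print(provisioned_read_capacity(100, 3500, consistent=False))  # 50
```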

Amazon EC2 Query API troubleshooting

If an API request exceeds the API request rate for its category, the request returns the RequestLimitExceeded error code. To prevent this error, ensure that your application doesn’t retry API requests at a high rate. You can do this by using care when polling and by using exponential backoff for retries.
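The retry discipline described above, as an added example that is not part of the original notes: exponential backoff with full jitter, applied only to the RequestLimitExceeded error code and capped at a fixed number of attempts. The `ApiThrottled` exception and `FlakyDescribeInstances` class are constructed stand-ins for a boto3 client so the block runs offline; `is_request_limit_error` also recognises a botocore-style exception that carries a `response["Error"]["Code"]`, which is the shape boto3 uses.

```python
import random
import time
from typing import Callable, List


class ApiThrottled(Exception):
    """Constructed stand-in for the RequestLimitExceeded error that boto3
    would surface as a ClientError."""


def is_request_limit_error(exc: BaseException) -> bool:
    """True for our fake throttle or a botocore-style ClientError with the
    RequestLimitExceeded code; anything else is not worth retrying here."""
    if isinstance(exc, ApiThrottled):
        return True
    response = getattr(exc, "response", {}) or {}
    return response.get("Error", {}).get("Code") == "RequestLimitExceeded"


def backoff_delay(attempt: int, base: float = 0.5, cap: float = 20.0,
                  rng: Callable[[], float] = random.random) -> float:
    """Full-jitter delay: uniform in [0, min(cap, base * 2**attempt)].
    Jitter keeps many throttled clients from retrying in lock-step."""
    return rng() * min(cap, base * (2 ** attempt))


def call_with_backoff(fn: Callable[[], dict], max_attempts: int = 5,
                      sleep: Callable[[float], None] = time.sleep,
                      rng: Callable[[], float] = random.random,
                      base: float = 0.5, cap: float = 20.0) -> dict:
    """Call fn(); on RequestLimitExceeded wait with backoff and retry.
    Other errors, and the final failed attempt, propagate to the caller."""
    for attempt in range(max_attempts):
        try:
            return fn()
        except Exception as exc:
            if not is_request_limit_error(exc) or attempt == max_attempts - 1:
                raise
            sleep(backoff_delay(attempt, base, cap, rng))
    raise RuntimeError("unreachable: loop always returns or raises")


class FlakyDescribeInstances:
    """Constructed fake of ec2.describe_instances that throttles the first
    `throttle_first` calls and then succeeds."""

    def __init__(self, throttle_first: int):
        self.throttle_first = throttle_first
        self.calls = 0

    def __call__(self) -> dict:
        self.calls += 1
        if self.calls <= self.throttle_first:
            raise ApiThrottled("RequestLimitExceeded")
        return {"Reservations": []}


if __name__ == "__main__":
    delays: List[float] = []
    api = FlakyDescribeInstances(throttle_first=2)
    result = call_with_backoff(api, sleep=delays.append, rng=lambda: 1.0)
    print(result, "after", api.calls, "calls; waited", delays)
```

With a real client the call would be `lambda: ec2.describe_instances()` and `sleep` left at its default; injecting `sleep` and `rng` is what makes the behaviour testable without waiting or depending on randomness.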

Deploy lambda function via CloudFormation

  • Write the code directly in CloudFormation
  • Upload zip to S3 and refer to it in CloudFormation

Run X-Ray with ECS

  • Create a Docker image that runs the X-Ray daemon
  • Instrument the code
  • Create a role for the task

Large message in SQS

To manage large Amazon Simple Queue Service (Amazon SQS) messages, you can use Amazon Simple Storage Service (Amazon S3) and the Amazon SQS Extended Client Library for Java. This is especially useful for storing and consuming messages up to 2 GB.

DynamoDB random number partition key to distribute loads more evenly

One strategy for distributing loads more evenly across a partition key space is to add a random number to the end of the partition key values. Then you randomize the writes across the larger space.
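Write sharding in practice, as an added example that is not part of the original notes. It appends a random suffix to the partition key on write and shows the cost on the read side: the reader must query every suffix and merge the results. It also goes one step beyond the note with a calculated (hash-derived) suffix, which lets a reader locate a single item without touching all shards. `FakeTable`, `SHARD_COUNT` and the function names are assumptions made for this illustration; `FakeTable` stands in for a DynamoDB table.

```python
import hashlib
import random
from typing import Callable, Dict, List

SHARD_COUNT = 10  # constructed: size of the suffix space (keys become base#0 .. base#9)


def random_sharded_key(base_key: str, shard_count: int = SHARD_COUNT,
                       rng: Callable[[int], int] = random.randrange) -> str:
    """Append a random suffix so writes for one logical key spread across
    `shard_count` physical partition keys (the strategy in the note)."""
    return f"{base_key}#{rng(shard_count)}"


def calculated_sharded_key(base_key: str, sort_key: str,
                           shard_count: int = SHARD_COUNT) -> str:
    """Deterministic suffix derived from the sort key: the same item always
    lands in the same shard, so a reader can compute where to look."""
    digest = hashlib.sha256(f"{base_key}|{sort_key}".encode()).digest()
    return f"{base_key}#{int.from_bytes(digest[:4], 'big') % shard_count}"


def shard_keys_for_read(base_key: str, shard_count: int = SHARD_COUNT) -> List[str]:
    """Every partition key a reader must query (and merge) to reassemble the
    logical partition when the suffix was chosen at random."""
    return [f"{base_key}#{i}" for i in range(shard_count)]


class FakeTable:
    """Constructed in-memory table that records items per partition key so
    the distribution of writes is visible."""

    def __init__(self) -> None:
        self.partitions: Dict[str, List[dict]] = {}

    def put(self, pk: str, item: dict) -> None:
        self.partitions.setdefault(pk, []).append(item)

    def query(self, pk: str) -> List[dict]:
        return list(self.partitions.get(pk, []))


def write_and_read_back(table: FakeTable, base_key: str, items: List[dict],
                        shard_count: int = SHARD_COUNT,
                        rng: Callable[[int], int] = random.randrange) -> List[dict]:
    """Write all items under random shards, then gather them back from every shard."""
    for item in items:
        table.put(random_sharded_key(base_key, shard_count, rng), item)
    merged: List[dict] = []
    for pk in shard_keys_for_read(base_key, shard_count):
        merged.extend(table.query(pk))
    return merged


if __name__ == "__main__":
    table = FakeTable()
    events = [{"id": i} for i in range(100)]  # constructed sample items
    got = write_and_read_back(table, "2020-01-01", events)
    print({pk: len(v) for pk, v in sorted(table.partitions.items())})
    print(len(got), "items read back from", len(table.partitions), "shards")
```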

CloudWatch namespaces and dimensions

  • A dimension is a name/value pair that is part of the identity of a metric. You can assign up to 10 dimensions to a metric.
  • A namespace is a container for CloudWatch metrics. Metrics in different namespaces are isolated from each other, so that metrics from different applications are not mistakenly aggregated into the same statistics.

Web identity federation

With web identity federation, you don’t need to create custom sign-in code or manage your own user identities. Instead, users of your app can sign in using a well-known external identity provider (IdP), such as Login with Amazon, Facebook, Google, or any other OpenID Connect (OIDC)-compatible IdP.

X-Ray annotation and metadata

  • Annotations are simple key-value pairs that are indexed for use with filter expressions. Use annotations to record data that you want to use to group traces in the console, or when calling the GetTraceSummaries API. X-Ray indexes up to 50 annotations per trace.
  • Metadata are key-value pairs with values of any type, including objects and lists, but that are not indexed. Use metadata to record data you want to store in the trace but don’t need to use for searching traces.

Git Credentials

With Git credentials, you can generate a static user name and password in the Identity and Access Management (IAM) console that you can use to access AWS CodeCommit repositories from the command line, Git CLI, or any Git tool that supports HTTPS authentication.

API Gateway Lambda Authorizer

A Lambda authorizer (formerly known as a custom authorizer) is an API Gateway feature that uses a Lambda function to control access to your API.

A Lambda authorizer is useful if you want to implement a custom authorization scheme that uses a bearer token authentication strategy such as OAuth or SAML, or that uses request parameters to determine the caller’s identity.

When a client makes a request to one of your API’s methods, API Gateway calls your Lambda authorizer, which takes the caller’s identity as input and returns an IAM policy as output.

There are two types of Lambda authorizers:

  • A token-based Lambda authorizer (also called a TOKEN authorizer) receives the caller’s identity in a bearer token, such as a JSON Web Token (JWT) or an OAuth token.
  • A request parameter-based Lambda authorizer (also called a REQUEST authorizer) receives the caller’s identity in a combination of headers, query string parameters, stageVariables, and $context variables.

For WebSocket APIs, only request parameter-based authorizers are supported.
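A minimal TOKEN authorizer, as an added example that is not part of the original notes: it reads the bearer token from `authorizationToken`, verifies it, and returns the IAM policy document that API Gateway expects for the `methodArn` it was called with. The token format here is a constructed HMAC-signed `principal:expiry` string rather than a real JWT or OAuth token, so the block runs without any library; `SHARED_SECRET`, `mint_token`, `verify_token` and `build_policy` are assumptions made for the illustration. The `policyDocument` shape and the `execute-api:Invoke` action are the real API Gateway contract.

```python
import base64
import binascii
import hashlib
import hmac
import time
from typing import Optional

# Constructed demo secret. A deployed authorizer would load this from an
# environment variable or Secrets Manager; never hard-code it in real code.
SHARED_SECRET = b"demo-secret-do-not-use"


def mint_token(principal_id: str, expires_at: int,
               secret: bytes = SHARED_SECRET) -> str:
    """Constructed token format: base64url(principal:expiry).hex(HMAC-SHA256)."""
    payload = f"{principal_id}:{expires_at}".encode()
    sig = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig


def verify_token(token: str, secret: bytes = SHARED_SECRET,
                 now: Optional[float] = None) -> Optional[str]:
    """Return the principal if the signature is valid and the token is not
    expired, else None. Uses a constant-time comparison for the MAC."""
    now = time.time() if now is None else now
    try:
        encoded, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(encoded.encode())
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    principal, _, expiry = payload.decode(errors="replace").rpartition(":")
    if not principal or not expiry.isdigit() or int(expiry) < now:
        return None
    return principal


def build_policy(principal_id: str, effect: str, method_arn: str,
                 context: Optional[dict] = None) -> dict:
    """The authorizer response shape API Gateway consumes and caches."""
    doc = {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": effect,
                "Resource": method_arn,
            }],
        },
    }
    if context:
        doc["context"] = context  # forwarded to the backend integration
    return doc


def lambda_handler(event: dict, context: object = None) -> dict:
    """TOKEN authorizer entry point. The event carries type, authorizationToken
    and methodArn; a valid token yields Allow for that method."""
    token = event.get("authorizationToken", "")
    if token.lower().startswith("bearer "):
        token = token[7:]
    principal = verify_token(token)
    if principal is None:
        # Raising an error with exactly this message makes API Gateway
        # return 401 Unauthorized instead of evaluating a policy.
        raise Exception("Unauthorized")
    return build_policy(principal, "Allow", event["methodArn"],
                        {"user": principal})


if __name__ == "__main__":
    # Constructed event; the account id and API id are placeholders.
    demo_event = {
        "type": "TOKEN",
        "authorizationToken": "Bearer " + mint_token("user-42", 2_000_000_000),
        "methodArn": "arn:aws:execute-api:us-east-1:123456789012:abcdef/prod/GET/items",
    }
    print(lambda_handler(demo_event))
```

Two details matter for a defender: the MAC check uses `hmac.compare_digest` so a tampered token cannot be distinguished from a valid one by timing, and the returned policy is scoped to the single `methodArn` rather than a wildcard, which limits what API Gateway's authorizer cache will grant if the result is reused.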

MFA - GetSessionToken API

The primary occasion for calling the GetSessionToken API operation or the get-session-token CLI command is when a user must be authenticated with multi-factor authentication (MFA).

Cognito user pool vs identity pool

  • User pools are for authentication (identity verification). With a user pool, your app users can sign in through the user pool or federate through a third-party identity provider (IdP).
  • Identity pools are for authorization (access control).

Cognito user pool API Gateway authorizer

After the API is deployed, the client must first sign the user in to the user pool, obtain an identity or access token for the user, and then call the API method with one of the tokens, which are typically set to the request’s Authorization header.

Service role

A role that a service assumes to perform actions on your behalf is called a service role.

API Gateway usage plan

After you create, test, and deploy your APIs, you can use API Gateway usage plans to make them available as product offerings for your customers. You can configure usage plans and API keys to allow customers to access selected APIs at agreed-upon request rates and quotas that meet their business requirements and budget constraints.

CLI commands: put-metric-data and put-metric-alarm

  • put-metric-data publishes metric data points to Amazon CloudWatch.
  • put-metric-alarm creates or updates an alarm and associates it with the specified metric, metric math expression, or anomaly detection model.

Redis read replica

A Redis (cluster mode disabled) cluster has a single shard, inside of which is a collection of Redis nodes; one primary read/write node and up to five secondary, read-only replica nodes. Each read replica maintains a copy of the data from the cluster’s primary node.