AWS Services
AWS MSK (Managed Streaming for Apache Kafka)
What is AWS MSK?
Amazon Managed Streaming for Apache Kafka (MSK) is a fully managed service that makes it easy to build and run applications that use Apache Kafka to process streaming data. MSK provides the control-plane operations, such as creating, updating, and deleting clusters, while managing the underlying Apache Kafka infrastructure.
Key Features
- Fully Managed: AWS handles the operational overhead of managing Apache Kafka clusters
- High Availability: Multi-AZ deployments with automatic failover
- Security: Encryption at rest and in transit, IAM integration, VPC isolation
- Scalability: Easy scaling of storage and compute resources
- Monitoring: Integration with CloudWatch for metrics and logging
Architecture
# MSK Cluster Architecture
MSK Cluster:
- Broker 1 (AZ-1a)
- Topic Partitions
- Replicas
- Broker 2 (AZ-1b)
- Topic Partitions
- Replicas
- Broker 3 (AZ-1c)
- Topic Partitions
- Replicas
Configuration Example
# Create MSK Cluster
aws kafka create-cluster \
--cluster-name "my-kafka-cluster" \
--kafka-version "2.8.1" \
--number-of-broker-nodes 3 \
--broker-node-group-info \
BrokerAZDistribution=DEFAULT,InstanceType=kafka.t3.small,ClientSubnets=subnet-123456,subnet-789012,subnet-345678 \
--encryption-info \
EncryptionInTransit=ClientBroker,EncryptionAtRest=DataVolumeKmsKeyId=arn:aws:kms:region:account:key/key-id
Integration with Other AWS Services
// Producer Example with MSK
Properties props = new Properties();
props.put(ProducerConfig.BOOTSTRAP_SERVERS_CONFIG, "b-1.mycluster.region.kafka.amazonaws.com:9092");
props.put(ProducerConfig.KEY_SERIALIZER_CLASS_CONFIG, "org.apache.kafka.common.serialization.StringSerializer");
props.put(ProducerConfig.VALUE_SERIALIZER_CLASS_CONFIG, "org.apache.kafka.common.serialization.StringSerializer");
props.put(ProducerConfig.SECURITY_PROTOCOL_CONFIG, "SASL_SSL");
props.put("sasl.mechanism", "AWS_MSK_IAM");
props.put("sasl.jaas.config", "software.amazon.msk.auth.iam.IAMLoginModule required;");
props.put("sasl.client.callback.handler.class", "software.amazon.msk.auth.iam.IAMClientCallbackHandler");
KafkaProducer<String, String> producer = new KafkaProducer<>(props);
AWS ECS Fargate
What is ECS Fargate?
Amazon ECS Fargate is a serverless compute engine for containers that works with both Amazon ECS and Amazon EKS. Fargate eliminates the need to provision and manage servers, lets you specify and pay for resources per application, and improves security through application isolation by design.
Key Features
- Serverless: No server management required
- Pay-per-use: Only pay for the resources your containers use
- Security: Each task runs in its own isolated compute environment
- Scalability: Automatic scaling based on demand
- Integration: Works seamlessly with other AWS services
Task Definition Example
{
"family": "web-app",
"networkMode": "awsvpc",
"requiresCompatibilities": ["FARGATE"],
"cpu": "256",
"memory": "512",
"executionRoleArn": "arn:aws:iam::account:role/ecsTaskExecutionRole",
"containerDefinitions": [
{
"name": "web",
"image": "nginx:latest",
"portMappings": [
{
"containerPort": 80,
"protocol": "tcp"
}
],
"logConfiguration": {
"logDriver": "awslogs",
"options": {
"awslogs-group": "/ecs/web-app",
"awslogs-region": "us-east-1",
"awslogs-stream-prefix": "ecs"
}
}
}
]
}
Service Definition
# Create ECS Service
aws ecs create-service \
--cluster my-cluster \
--service-name web-service \
--task-definition web-app:1 \
--desired-count 2 \
--launch-type FARGATE \
--network-configuration "awsvpcConfiguration={subnets=[subnet-123456],securityGroups=[sg-123456],assignPublicIp=ENABLED}"
AWS Event Bridge
What is Event Bridge?
Amazon EventBridge is a serverless event bus service that makes it easy to connect applications together using real-time data streams. EventBridge delivers a stream of real-time data from your applications, SaaS applications, and AWS services to targets such as AWS Lambda functions, HTTP invocation endpoints, or event buses in other AWS accounts.
Key Features
- Event Routing: Route events to multiple targets
- Schema Registry: Discover, create, and manage event schemas
- Dead Letter Queues: Handle failed event processing
- Cross-Account: Share events across AWS accounts
- SaaS Integration: Connect with third-party SaaS applications
Event Pattern Example
{
"source": ["aws.ec2"],
"detail-type": ["EC2 Instance State Manager Instance State Change"],
"detail": {
"state": ["terminated", "stopped"]
}
}
Rule Configuration
# Create EventBridge Rule
aws events put-rule \
--name "ec2-state-change" \
--event-pattern '{"source":["aws.ec2"],"detail-type":["EC2 Instance State Manager Instance State Change"]}' \
--state ENABLED
# Add target to rule
aws events put-targets \
--rule "ec2-state-change" \
--targets "Id"="1","Arn"="arn:aws:lambda:region:account:function:my-function"
AWS Lambda
What is AWS Lambda?
AWS Lambda is a serverless compute service that runs your code in response to events and automatically manages the underlying compute resources for you. You can use Lambda to extend other AWS services with custom logic, or create your own back-end services that operate at AWS scale, performance, and security.
Key Features
- Serverless: No server management required
- Event-Driven: Automatically triggered by events
- Scalable: Automatically scales with demand
- Pay-per-use: Only pay for compute time used
- Multi-language: Supports Node.js, Python, Java, Go, .NET, Ruby
Function Example (Python)
import json
import boto3
def lambda_handler(event, context):
# Process the event
print(f"Received event: {json.dumps(event)}")
# Your business logic here
result = {
'statusCode': 200,
'body': json.dumps({
'message': 'Hello from Lambda!',
'event': event
})
}
return result
Function Configuration
# Create Lambda function
aws lambda create-function \
--function-name my-function \
--runtime python3.9 \
--role arn:aws:iam::account:role/lambda-execution-role \
--handler index.lambda_handler \
--zip-file fileb://function.zip
# Add environment variables
aws lambda update-function-configuration \
--function-name my-function \
--environment Variables="{DB_HOST=database.example.com,API_KEY=secret}"
Event Source Mappings
# Create SQS event source mapping
aws lambda create-event-source-mapping \
--function-name my-function \
--event-source-arn arn:aws:sqs:region:account:my-queue \
--batch-size 10
AWS Secrets Manager
What is Secrets Manager?
AWS Secrets Manager helps you protect the secrets needed to access your applications, services, and IT resources. The service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.
Key Features
- Automatic Rotation: Automatically rotate secrets on a schedule
- Encryption: Encrypts secrets using AWS KMS
- Fine-grained Access: Control access using IAM policies
- Cross-Region Replication: Replicate secrets across regions
- Integration: Works with RDS, DocumentDB, and other services
Secret Creation
# Create a secret
aws secretsmanager create-secret \
--name "my-app/database" \
--description "Database credentials for my application" \
--secret-string '{"username":"admin","password":"mypassword","engine":"mysql","host":"db.example.com","port":3306}'
# Retrieve a secret
aws secretsmanager get-secret-value \
--secret-id "my-app/database"
Automatic Rotation
# Enable automatic rotation
aws secretsmanager rotate-secret \
--secret-id "my-app/database" \
--rotation-rules '{"AutomaticallyAfterDays":30}'
Application Integration
// Java example for retrieving secrets
import com.amazonaws.services.secretsmanager.AWSSecretsManager;
import com.amazonaws.services.secretsmanager.AWSSecretsManagerClientBuilder;
import com.amazonaws.services.secretsmanager.model.GetSecretValueRequest;
import com.amazonaws.services.secretsmanager.model.GetSecretValueResult;
public class SecretsManagerExample {
public static String getSecret(String secretName) {
AWSSecretsManager client = AWSSecretsManagerClientBuilder.standard()
.withRegion("us-east-1")
.build();
GetSecretValueRequest request = new GetSecretValueRequest()
.withSecretId(secretName);
GetSecretValueResult result = client.getSecretValue(request);
return result.getSecretString();
}
}
AWS S3 (Simple Storage Service)
What is Amazon S3?
Amazon S3 is an object storage service that offers industry-leading scalability, data availability, security, and performance. S3 is designed for 99.999999999% (11 9's) of durability and stores data for millions of applications for companies all around the world.
Key Features
- Durability: 99.999999999% (11 9's) durability
- Availability: 99.99% availability SLA
- Security: Encryption, access controls, compliance
- Scalability: Virtually unlimited storage
- Cost-effective: Pay only for what you use
Storage Classes
S3 Storage Classes:
- S3 Standard:
- Availability: 99.99%
- Durability: 99.999999999%
- Use Case: Frequently accessed data
- S3 Intelligent-Tiering:
- Automatic cost optimization
- Use Case: Unknown access patterns
- S3 Standard-IA:
- Availability: 99.9%
- Use Case: Infrequently accessed data
- S3 One Zone-IA:
- Availability: 99.5%
- Use Case: Recreatable data
- S3 Glacier:
- Retrieval time: Minutes to hours
- Use Case: Long-term archival
- S3 Glacier Deep Archive:
- Retrieval time: 12-48 hours
- Use Case: Lowest cost archival
Bucket Operations
# Create bucket
aws s3 mb s3://my-unique-bucket-name
# Upload file
aws s3 cp local-file.txt s3://my-bucket/
# Download file
aws s3 cp s3://my-bucket/file.txt ./
# List objects
aws s3 ls s3://my-bucket/
# Sync directory
aws s3 sync ./local-directory s3://my-bucket/
Lifecycle Policies
{
"Rules": [
{
"ID": "MoveToIA",
"Status": "Enabled",
"Filter": {
"Prefix": "logs/"
},
"Transitions": [
{
"Days": 30,
"StorageClass": "STANDARD_IA"
}
]
},
{
"ID": "MoveToGlacier",
"Status": "Enabled",
"Filter": {
"Prefix": "archive/"
},
"Transitions": [
{
"Days": 90,
"StorageClass": "GLACIER"
}
]
}
]
}
AWS SQS (Simple Queue Service)
What is Amazon SQS?
Amazon SQS is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. SQS eliminates the complexity and overhead associated with managing and operating message-oriented middleware.
Key Features
- Reliability: At-least-once message delivery
- Scalability: Automatically scales with your application
- Security: Encryption, access controls, VPC endpoints
- Cost-effective: Pay only for what you use
- Integration: Works with Lambda, ECS, and other AWS services
Queue Types
SQS Queue Types:
- Standard Queue:
- At-least-once delivery
- Best-effort ordering
- Unlimited throughput
- FIFO Queue:
- Exactly-once processing
- Strict ordering
- Limited to 300 messages/second
Queue Operations
# Create queue
aws sqs create-queue --queue-name my-queue
# Send message
aws sqs send-message \
--queue-url https://sqs.region.amazonaws.com/account/my-queue \
--message-body "Hello, SQS!"
# Receive messages
aws sqs receive-message \
--queue-url https://sqs.region.amazonaws.com/account/my-queue \
--max-number-of-messages 10
Application Integration
// Java example for SQS operations
import com.amazonaws.services.sqs.AmazonSQS;
import com.amazonaws.services.sqs.AmazonSQSClientBuilder;
import com.amazonaws.services.sqs.model.SendMessageRequest;
import com.amazonaws.services.sqs.model.ReceiveMessageRequest;
public class SQSExample {
private AmazonSQS sqs = AmazonSQSClientBuilder.standard()
.withRegion("us-east-1")
.build();
public void sendMessage(String queueUrl, String message) {
SendMessageRequest request = new SendMessageRequest()
.withQueueUrl(queueUrl)
.withMessageBody(message);
sqs.sendMessage(request);
}
public void receiveMessages(String queueUrl) {
ReceiveMessageRequest request = new ReceiveMessageRequest()
.withQueueUrl(queueUrl)
.withMaxNumberOfMessages(10);
List<Message> messages = sqs.receiveMessage(request).getMessages();
for (Message message : messages) {
System.out.println("Received: " + message.getBody());
}
}
}
AWS Event Bridge Connector
What is Event Bridge Connector?
Event Bridge Connector is a feature that allows you to connect your applications to SaaS applications and AWS services using pre-built connectors. Connectors handle authentication, authorization, and event transformation, making it easy to integrate with third-party services.
Available Connectors
Event Bridge Connectors:
- SaaS Applications:
- Salesforce
- ServiceNow
- Zendesk
- PagerDuty
- Datadog
- AWS Services:
- Amazon S3
- Amazon DynamoDB
- Amazon RDS
- AWS Lambda
- Amazon SQS
Connector Configuration
# Create API destination
aws events create-api-destination \
--name "my-api-destination" \
--http-method POST \
--invocation-endpoint "https://api.example.com/webhook" \
--invocation-rate-limit-per-second 100
# Create connection
aws events create-connection \
--name "my-connection" \
--authorization-type API_KEY \
--auth-parameters '{"ApiKeyAuthParameters":{"ApiKeyName":"X-API-Key","ApiKeyValue":"my-api-key"}}'
AWS S3 Connector
What is S3 Connector?
The S3 Connector for Event Bridge allows you to automatically trigger events when objects are created, updated, or deleted in your S3 buckets. This enables event-driven architectures that respond to S3 operations in real-time.
Event Types
S3 Event Types:
- s3:ObjectCreated:* - Object creation events
- s3:ObjectCreated:Put - PUT object events
- s3:ObjectCreated:Post - POST object events
- s3:ObjectCreated:Copy - COPY object events
- s3:ObjectCreated:CompleteMultipartUpload - Multipart upload completion
- s3:ObjectRemoved:* - Object deletion events
- s3:ObjectRemoved:Delete - DELETE object events
- s3:ObjectRemoved:DeleteMarkerCreated - Delete marker creation
Configuration Example
{
"source": ["aws.s3"],
"detail-type": ["Object Created"],
"detail": {
"bucket": {
"name": ["my-bucket"]
},
"object": {
"key": [{"prefix": "uploads/"}]
}
}
}
Integration with Lambda
import json
import boto3
def lambda_handler(event, context):
# Process S3 event
for record in event['Records']:
bucket = record['s3']['bucket']['name']
key = record['s3']['object']['key']
event_name = record['eventName']
print(f"Event: {event_name}")
print(f"Bucket: {bucket}")
print(f"Key: {key}")
# Process the S3 object
process_s3_object(bucket, key)
def process_s3_object(bucket, key):
s3 = boto3.client('s3')
# Get object metadata
response = s3.head_object(Bucket=bucket, Key=key)
# Process based on file type
if key.endswith('.jpg') or key.endswith('.png'):
# Process image
pass
elif key.endswith('.json'):
# Process JSON file
pass
AWS Snowflake Connector
What is Snowflake Connector?
The Snowflake Connector for AWS allows you to easily load data from AWS services into Snowflake data warehouse. It provides optimized data loading, transformation, and integration capabilities between AWS and Snowflake.
Key Features
- Direct Integration: Load data directly from S3 to Snowflake
- Performance: Optimized for large-scale data loading
- Security: Encrypted data transfer and authentication
- Automation: Automated data pipeline orchestration
- Monitoring: Real-time monitoring and alerting
Configuration
-- Create storage integration
CREATE STORAGE INTEGRATION aws_s3_integration
TYPE = EXTERNAL_STAGE
STORAGE_PROVIDER = S3
ENABLED = TRUE
STORAGE_AWS_ROLE_ARN = 'arn:aws:iam::account:role/snowflake-s3-role'
STORAGE_ALLOWED_LOCATIONS = ('s3://my-bucket/');
-- Create file format
CREATE FILE FORMAT my_csv_format
TYPE = CSV
FIELD_DELIMITER = ','
SKIP_HEADER = 1;
-- Create external stage
CREATE STAGE my_s3_stage
URL = 's3://my-bucket/data/'
STORAGE_INTEGRATION = aws_s3_integration
FILE_FORMAT = my_csv_format;
Data Loading
-- Copy data from S3 to Snowflake
COPY INTO my_table
FROM @my_s3_stage
PATTERN = '.*\.csv'
ON_ERROR = 'CONTINUE';
-- Load with transformation
COPY INTO my_table (id, name, created_date)
FROM (
SELECT
$1::INTEGER as id,
$2::STRING as name,
CURRENT_TIMESTAMP() as created_date
FROM @my_s3_stage
)
PATTERN = '.*\.csv';
Automation with AWS
import boto3
import snowflake.connector
def load_data_to_snowflake():
# Connect to Snowflake
conn = snowflake.connector.connect(
user='username',
password='password',
account='account',
warehouse='warehouse',
database='database',
schema='schema'
)
# Execute copy command
cursor = conn.cursor()
cursor.execute("""
COPY INTO my_table
FROM @my_s3_stage
PATTERN = '.*\.csv'
""")
cursor.close()
conn.close()
# Trigger from S3 event
def lambda_handler(event, context):
for record in event['Records']:
if record['s3']['object']['key'].endswith('.csv'):
load_data_to_snowflake()
AWS IAM (Identity and Access Management)
What is AWS IAM?
AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. IAM enables you to manage users, security credentials such as access keys, and permissions that control which AWS resources users and applications can access.
Key Features
- Users and Groups: Manage access for users and groups
- Roles: Temporary permissions for applications and services
- Policies: Fine-grained permissions using JSON policies
- MFA: Multi-factor authentication for additional security
- Access Analyzer: Identify unused permissions and resources
IAM Components
IAM Components:
- Users:
- Individual AWS accounts
- Can have access keys and passwords
- Can belong to groups
- Groups:
- Collections of users
- Policies attached to groups apply to all users
- Roles:
- Temporary permissions
- Used by AWS services and applications
- No long-term credentials
- Policies:
- JSON documents defining permissions
- Attached to users, groups, or roles
Policy Examples
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::my-bucket/*"
},
{
"Effect": "Deny",
"Action": "s3:DeleteObject",
"Resource": "arn:aws:s3:::my-bucket/important/*"
}
]
}
User Management
# Create user
aws iam create-user --user-name my-user
# Create access key
aws iam create-access-key --user-name my-user
# Attach policy to user
aws iam attach-user-policy \
--user-name my-user \
--policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
# Create group
aws iam create-group --group-name my-group
# Add user to group
aws iam add-user-to-group \
--user-name my-user \
--group-name my-group
Role Creation
# Create role
aws iam create-role \
--role-name my-lambda-role \
--assume-role-policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}'
# Attach policy to role
aws iam attach-role-policy \
--role-name my-lambda-role \
--policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
Best Practices
IAM Best Practices:
- Principle of Least Privilege:
- Grant minimum permissions required
- Regularly review and remove unused permissions
- Use Roles Instead of Access Keys:
- Roles provide temporary credentials
- No long-term credential management
- Enable MFA:
- Require MFA for all users
- Use hardware or virtual MFA devices
- Regular Access Reviews:
- Review user access quarterly
- Remove unused users and permissions
- Use IAM Access Analyzer:
- Identify unused permissions
- Find publicly accessible resources
Integration Patterns
Event-Driven Architecture
Event-Driven Pattern:
- S3 Object Created:
- Triggers Event Bridge Rule
- Invokes Lambda Function
- Processes Data
- Stores Results in S3
- Sends Notification via SQS
- Database Changes:
- RDS Event Triggers Event Bridge
- Lambda Processes Change
- Updates Snowflake via Connector
- Logs to CloudWatch
Microservices Architecture
Microservices with AWS:
- API Gateway:
- Handles HTTP requests
- Routes to Lambda functions
- Lambda Functions:
- Business logic processing
- Database operations
- External API calls
- SQS Queues:
- Asynchronous processing
- Decoupling services
- S3 Storage:
- File storage
- Data lake foundation
- Event Bridge:
- Service communication
- Event routing
Data Pipeline Architecture
Data Pipeline:
- Data Sources:
- S3 Buckets
- RDS Databases
- External APIs
- Processing:
- Lambda Functions
- ECS Fargate Tasks
- MSK Streams
- Storage:
- S3 Data Lake
- Snowflake Warehouse
- DynamoDB Tables
- Monitoring:
- CloudWatch Metrics
- Event Bridge Alerts
- SQS Dead Letter Queues
This comprehensive guide covers the essential AWS services for building modern, scalable, and secure cloud applications. Each service is designed to work seamlessly with others, enabling you to create robust and efficient solutions.