AWS Certified Cloud Practitioner (CLF-C01)

2020-07-23 05:12:00

Domains

Domain 1: Cloud Concepts

1.1 Define the AWS Cloud and its value proposition
1.2 Identify aspects of AWS Cloud economics
1.3 List the different cloud architecture design principles

Domain 2: Security and Compliance

2.1 Define the AWS shared responsibility model
2.2 Define AWS Cloud security and compliance concepts
2.3 Identify AWS access management capabilities
2.4 Identify resources for security support

Domain 3: Technology

3.1 Define methods of deploying and operating in the AWS Cloud
3.2 Define the AWS global infrastructure
3.3 Identify the core AWS services
3.4 Identify resources for technology support

Domain 4: Billing and Pricing

4.1 Compare and contrast the various pricing models for AWS
4.2 Recognize the various account structures in relation to AWS billing and pricing
4.3 Identify resources available for billing support

Exam Guide

Exam Guide - Content Outline

  • Cloud Concepts - 28%
  • Security - 24%
  • Technology - 36%
  • Billing and Pricing - 12%

Exam Guide - Response Types

  • Multiple-choice (Choose 1 out of 4)
  • Multiple-response (Choose 2 out of 5)

Exam Guide - White Papers

  • July 2019 - Overview of Amazon Web Services
  • Oct 2018 - Architecting for the Cloud: AWS Best Practices
  • Jun 2018 - How AWS Pricing Works
  • Mar 2018 - Cost Management in the AWS Cloud

Exam Guide - What is Cloud Computing?

  • cloud com-put-ing (noun): the practice of using a network of remote servers hosted on the Internet to store, manage, and process data, rather than a local server or a personal computer.

Exam Guide - On-Premise

  • You own the servers
  • You hire the IT people
  • You pay or rent the real-estate
  • You take all the risk

Exam Guide - Cloud Providers

  • Someone else owns the servers
  • Someone else hires the IT people
  • Someone else pays or rents the real-estate
  • You are responsible for configuring your cloud services and code; someone else takes care of the rest

Exam Guide - Six Advantages and Benefits of Cloud Computing

Why go with a Cloud Provider over On-Premise?

  • 1. Trade capital expense for variable expense - No upfront cost: instead of paying for data centers and servers, pay on-demand, only when you consume computing resources
  • 2. Benefit from massive economies of scale - Usage from hundreds of thousands of customers is aggregated in the cloud. You share the cost with other customers to get unbeatable savings
  • 3. Stop guessing capacity - Eliminate guesswork about infrastructure capacity needs. Instead of paying for idle or underutilized servers, you can scale up or down to meet the current need
  • 4. Increase speed and agility - Launch resources within a few clicks in minutes, instead of waiting days or weeks for your IT to implement the solution on-premise
  • 5. Stop spending money on running and maintaining data centers - Focus on your own customers, rather than on the heavy lifting of racking, stacking, and powering servers
  • 6. Go global in minutes - Deploy your app in multiple regions around the world with a few clicks. Provide lower latency and a better experience for your customers at minimal cost

Exam Guide - SaaS / PaaS / IaaS

  • SaaS - For Customers - Software as a Service: A completed product that is run and managed by the service provider (Gmail, Office 365)
  • PaaS - For Developers - Platform as a Service: Removes the need for your organization to manage the underlying infrastructure. Focus on the deployment and management of your applications (Heroku, Google App Engine)
  • IaaS - For Admins - Infrastructure as a Service: The basic building blocks for cloud IT. Provides access to networking features, computers and data storage space (AWS, GCP, Azure)

Exam Guide - Cloud Computing Deployment Models

  • Cloud - Fully utilizing cloud computing (Startups, SaaS offerings, New projects and companies)
  • Hybrid - Using both Cloud and On-Premise (Banks, FinTech, Investment Management, Large Professional Service providers, Legacy on-premise)
  • On-Premise - Deploying resources on-premises, using virtualization and resource management tools, is sometimes called 'private cloud' (Public Sector eg. Government, Super Sensitive Data eg. Hospitals, Large Enterprise with heavy regulation eg. Insurance Companies)

AWS Global Infrastructure

  • Summary
    • Global DNS: Route 53
      • Great to route users to the closest deployment with least latency
      • Great for disaster recovery strategies
    • Global Content Delivery Network (CDN): CloudFront
      • Replicate part of your application to AWS Edge Locations - decreases latency
      • Cache common requests - improved user experience and decreased latency
    • S3 Transfer Acceleration
      • Accelerate global uploads & downloads into Amazon S3
    • AWS Global Accelerator
      • Improve global application availability and performance using the AWS global network
  • Info
    • A global application is an application deployed in multiple geographies
    • On AWS: this could be Regions and / or Edge Locations
    • Decreased Latency
      • Latency is the time it takes for a network packet to reach a server
      • It takes time for a packet from Asia to reach the US
      • Deploy your applications closer to your users to decrease latency, better experience
    • Disaster Recovery (DR)
      • If an AWS region goes down (earthquake, storms, power shutdown, politics)...
      • You can fail-over to another region and have your application still working
      • A DR plan is important to increase the availability of your application
    • Attack protection
      • Distributed global infrastructure is harder to attack

AWS Global Infrastructure - Region-AZ-EdgeLocation

  • 22 Geographic Regions, 69 Availability Zones, plus Edge Locations
  • Regions - physical locations in the world with multiple AZs
  • Availability Zones - one or more discrete data centers
  • Edge Location - a datacenter owned by a trusted partner of AWS

AWS Global Infrastructure - Regions

  • A geographically distinct location which has multiple datacenters (AZs)
  • Every region is physically isolated from and independent of every other region in terms of location, power, water supply
  • Each region has at least 2 AZs
  • AWS largest region is US-EAST
  • New services almost always become available first in US-EAST
  • Not all services are available in all regions
  • US-EAST-1 is the region where you see all your billing information

AWS Global Infrastructure - Availability Zones (AZs)

  • An AZ is a datacenter owned and operated by AWS in which AWS services run
  • Each region has at least 2 AZs
  • AZs are represented by a Region Code, followed by a letter identifier eg. us-east-1a
  • Multi-AZ - Distributing your instances across multiple AZs allows failover configuration for handling requests when one goes down.
  • <10ms latency between AZs
  • An AZ is an isolated location within AWS region

AWS Global Infrastructure - Edge Locations

  • Get data fast or upload data fast to AWS
  • An Edge Location is a datacenter owned by a trusted partner of AWS which has a direct connection to the AWS network.
  • These locations serve requests for CloudFront and Route 53. Requests going to either of these services will be routed to the nearest edge location automatically.
  • S3 Transfer Acceleration traffic and API Gateway endpoint traffic also use the AWS Edge Network.
  • This allows for low latency no matter where the end user is geographically located.

AWS Global Infrastructure - GovCloud(US)

  • AWS GovCloud Regions allow customers to host sensitive Controlled Unclassified Information and other types of regulated workloads.
  • GovCloud Regions are only operated by employees who are U.S. citizens, on U.S. soil.
  • They are only accessible to U.S. entities and root account holders who pass a screening process
  • Customers can architect secure cloud solutions that comply with:
    • FedRAMP High baseline
    • DOJ's Criminal Justice Information Systems (CJIS) Security Policy
    • U.S. International Traffic in Arms Regulations (ITAR)
    • Export Administration Regulations (EAR)
    • Department of Defense (DoD) Cloud Computing Security Requirements Guide

AWS Global Infrastructure - Global Applications

  • Global DNS: Route 53
    • Great to route users to the closest deployment with least latency
    • Great for disaster recovery strategies
  • Global Content Delivery Network (CDN): CloudFront
    • Replicate part of your application to AWS Edge Locations - decrease latency
    • Cache common requests - improved user experience and decreased latency
  • S3 Transfer Acceleration
    • Accelerate global uploads & downloads into Amazon S3
  • AWS Global Accelerator
    • Improve global application availability and performance using the AWS global network

AWS Global Infrastructure - Route 53

  • Route53 is a Managed DNS (Domain Name System)
  • DNS is a collection of rules and records which helps clients understand how to reach a server through URLs
  • In AWS, the most common records are
    • www.example.com -> 12.34.56.78 == A record (IPv4)
    • www.example.com -> 0000:0000:0000:0000:0000:0000:0000:0000 == AAAA (IPv6)
    • search.example.com -> example.com == CNAME:hostname to hostname
    • example.com -> AWS resource == Alias (ex: ELB, CloudFront, S3, RDS, etc...)
  • Routing policy
    • Simple routing policy
    • Weighted routing policy
    • Latency routing policy
    • Failover routing policy

AWS Global Infrastructure - CloudFront

  • Content Delivery Network (CDN)
  • Improves read performance, content is cached at the edge
  • Improves user experience
  • 216 Points of Presence globally (edge locations)
  • DDoS protection, integration with Shield, AWS Web Application Firewall
  • CloudFront - Origins
    • S3 bucket
      • For distributing files and caching them at the edge
      • Enhanced security with CloudFront Origin Access Identity (OAI)
      • CloudFront can be used as an ingress (to upload files to S3)
    • Custom Origin (HTTP)
      • Application Load Balancer
      • EC2 instance
      • S3 website (must first enable the bucket as a static S3 website)
      • Any HTTP backend you want

AWS Global Infrastructure - S3 Transfer Acceleration

  • Increase transfer speed by transferring files to an AWS edge location which will forward the data to the S3 bucket in the target region

AWS Global Infrastructure - Global Accelerator

  • Improve global application availability and performance using the AWS global network
  • Leverage the AWS internal network to optimize the route to your application (60% improvement)
  • 2 Anycast IPs are created for your application and traffic is sent through Edge Locations
  • No caching, proxying packets at the edge to applications running in one or more AWS Regions
  • Improve performance for a wide range of applications over TCP or UDP
  • Good for HTTP use cases that require static IP addresses
  • Good for HTTP use cases that require deterministic, fast regional failover

AWS Well-Architected and the Five Pillars

Operational Excellence Pillar

The operational excellence pillar focuses on running and monitoring systems to deliver business value, and continually improving processes and procedures. Key topics include automating changes, responding to events, and defining standards to manage daily operations.

Security Pillar

The security pillar focuses on protecting information and systems. Key topics include confidentiality and integrity of data, identifying and managing who can do what with privilege management, protecting systems, and establishing controls to detect security events.

Reliability Pillar

The reliability pillar focuses on ensuring a workload performs its intended function correctly and consistently when it’s expected to. A resilient workload quickly recovers from failures to meet business and customer demand. Key topics include distributed system design, recovery planning, and how to handle change.

Performance Efficiency Pillar

The performance efficiency pillar focuses on using IT and computing resources efficiently. Key topics include selecting the right resource types and sizes based on workload requirements, monitoring performance, and making informed decisions to maintain efficiency as business needs evolve.

Cost Optimization Pillar

The cost optimization pillar focuses on avoiding unnecessary costs. Key topics include understanding and controlling where money is being spent, selecting the most appropriate and right number of resource types, analyzing spend over time, and scaling to meet business needs without overspending.

AWS - Services

AWS - Services - Know your Initialisms

  • IAM - Identity and Access Management
  • S3 - Simple Storage Service
  • SWF - Simple Workflow Service
  • SNS - Simple Notification Service
  • SQS - Simple Queue Service
  • SES - Simple Email Service
  • SSM - Simple System Manager
  • RDS - Relational Database Service
  • VPC - Virtual Private Cloud
  • VPN - Virtual Private Network
  • CFN - CloudFormation
  • WAF - Web Application Firewall
  • MQ - Amazon ActiveMQ
  • ASG - Auto Scaling Groups
  • TAM - Technical Account Manager
  • ELB - Elastic Load Balancer
  • ALB - Application Load Balancer
  • NLB - Network Load Balancer
  • EC2 - Elastic Compute Cloud
  • ECS - Elastic Container Service
  • ECR - Elastic Container Registry
  • EBS - Elastic Block Storage
  • EFS - Elastic File Storage
  • EMR - Elastic MapReduce
  • EB - Elastic Beanstalk
  • ES - Elasticsearch
  • KMS - Key Management Service
  • MSK - Managed Streaming for Apache Kafka
  • IoT - Internet of Things
  • RI - Reserved Instances

AWS - Services - VPN - Virtual Private Network

  • lets you establish a secure and private tunnel from your network or device to the AWS global network
  • types
    • AWS Site-to-Site VPN
      • securely connect on-premises network or branch office site to VPC
    • AWS Client VPN
      • securely connect users to AWS or on-premises networks

AWS - Services - AWS Networking

  • Region - the geographical location of your network
  • AZ - the data center of your AWS resources
  • VPC - a logically isolated section of the AWS Cloud where you can launch AWS resources
  • Internet Gateway - Enable access to the Internet
  • Route Tables - determine where network traffic from your subnets is directed
  • NACLs - Act as firewalls at the subnet level
  • Security Groups - Act as firewalls at the instance level
  • Subnets - a logical partition of an IP network into multiple, smaller network segments

AWS - Services - ASG - Auto Scaling Groups

  • will automatically launch EC2 instances based on configuration and current demand
  • will automatically terminate EC2 instances based on configuration and current demand
  • removing an auto scaling group will take down all related EC2 instances

AWS - Services - LB - Load Balancer

  • Spread load across multiple downstream instances
  • Expose a single point of access (DNS) to your application
  • Seamlessly handle health checks to your instances
  • Provide SSL termination (HTTPS) for your websites
  • High availability across zones

AWS - Services - ELB - Elastic Load Balancer

  • An ELB is a managed load balancer
    • AWS guarantees that it will be working
    • AWS takes care of upgrades, maintenance, high availability
    • AWS provides only a few configuration knobs
  • It costs less to set up your own load balancer but it will be a lot more effort on your end (maintenance, integrations)
  • 3 kinds of load balancers offered by AWS
    • Application Load Balancer (http, https) [Layer 7]
      • types: internet-facing, internal
      • at least in 2 AZs
      • requires a Target Group (a target group contains a list of EC2 instances)
      • DNS name -> Listener -> Port with Rule -> Target Group -> Target (EC2 instance)
      • deleting the ELB will not remove related EC2 instances
    • Network Load Balancer (tcp, tls, udp) [Layer 4]
    • Classic Load Balancer (http, https, tcp) (previous generation) (slowly retiring) [Layer 4 & 7]

AWS - Services - Cloud Front

  • CDN - Content Distribution Network
  • Creates a cached copy of your website and copies it to servers located near the people trying to download the website

AWS - Services - EC2 - Pricing Model

  • On-Demand Instances (Least Commitment)
    • low cost and flexible
    • only pay per hour, or by the minute - varies based on EC2 Instance types
    • Use case: short-term, spiky, unpredictable workloads, first time app
    • Ideal when your workload cannot be interrupted
    • when you launch an EC2 instance it is by default using On-Demand Pricing
    • On-Demand has no up-front payment and no long-term commitment
  • Reserved Instances (RI) up to 75% off (Best Long-term)
    • Use cases: steady-state, predictable usage, or require reserved capacity.
    • reduced pricing is based on Term x Class Offering x Payment Options
      • offering class
        • Standard - up to 75 % reduced pricing compared to on-demand. Cannot change RI Attributes
        • Convertible - up to 54 % reduced pricing compared to on-demand. Allows you to change RI Attributes if greater or equal in value.
        • Scheduled - you reserve instances for specific time periods eg. once a week for a few hours
      • terms
        • 1 year or 3 years contract, the longer the term the greater saving
      • payment options
        • all upfront, partial upfront and no upfront
        • the greater the upfront payment, the greater the saving
    • RIs can be shared between multiple accounts within an org
    • unused RIs can be sold in the Reserved Instance Marketplace
  • Spot Instances up to 90% (Biggest Savings)
    • AWS has unused compute capacity and wants to maximize the utility of its idle servers
    • spot instances provide a discount of 90% compared to On-Demand Pricing
    • spot instances can be terminated by AWS if the computing capacity is needed by on-demand customers
    • Use case: for non-critical background jobs
    • Use case: can handle interruptions (server randomly stopping and starting)
    • designed for applications that have flexible start and end times, or applications that are only feasible at very low compute costs
    • AWS Batch is an easy and convenient way to use Spot Pricing
    • Termination Conditions
      • instances can be terminated by AWS at any time
      • if your instance is terminated by AWS, you don't get charged for a partial hour of usage
      • if you terminate an instance you will still be charged for any hour that it ran
  • Dedicated (Most Expensive)
    • dedicated servers
    • can be on-demand or reserved (up to 70% off)
    • when you need a guarantee of isolated hardware (enterprise requirements)
    • designed to meet regulatory requirements, or when you have strict server-bound licensing that won't support multi-tenancy or cloud deployments
    • Dedicated Host Instance
      • is Single Tenant: a single customer has dedicated hardware, and physical isolation is what separates customers
      • is NOT Multi-Tenant: multiple customers running workloads on the same hardware, where virtual isolation is what separates customers
    • Enterprises and Large Organizations may have security concerns or obligations against sharing the same hardware with other AWS customers

AWS - Services - AWS Landing Zone

  • helps enterprises quickly set up a secure AWS multi-account environment
  • provides you with a baseline environment to get started with a multi-account architecture
  • AWS Account Vending Machine (AVM) - automatically provisions and configures new accounts via a Service Catalog template
  • Uses Single Sign-on (SSO) for managing and accessing accounts
  • The environment is customizable to allow customers to implement their own account baselines through a Landing Zone configuration and update pipeline

AWS - Services - AWS Quick Starts

  • Prebuilt templates by AWS and AWS Partners to help you deploy popular stacks on AWS
  • Reduce hundreds of manual procedures into just a few steps
  • A Quick Start is composed of 3 parts
    • A reference architecture for the deployment
    • AWS CloudFormation templates that automate and configure the deployment
    • A deployment guide explaining the architecture and implementation in detail
  • Most Quick Start reference deployments enable you to spin up a fully functional architecture in less than an hour

AWS - Services - AWS Artifact (Security)

  • A way to prove that AWS meets compliance requirements
  • No cost, self-service portal for on-demand access to AWS compliance reports
  • On-demand access to AWS security and compliance reports and select online agreements

AWS - Services - Amazon Inspector (Security)

  • Hardening - the act of eliminating as many security risks as possible
  • Amazon Inspector runs a security benchmark against specific EC2 instances
  • You can run a variety of security benchmarks
  • Can perform both Network and Host Assessments
    • Install the AWS agent on your EC2 instances
    • Run an assessment for your assessment target
    • Review your findings and remediate security issues

AWS - Services - AWS WAF (Security)

  • AWS Web Application Firewall protects your web applications from common web exploits
    • Write your own rules to ALLOW or DENY traffic based on the contents of HTTP requests
    • Use a ruleset from a trusted AWS Security Partner in the AWS WAF Rules Marketplace
    • WAF can be attached to either CloudFront or an Application Load Balancer
  • Protect web applications from attacks covered in the OWASP TOP 10 most dangerous attacks:
    • Injection
    • Broken Authentication
    • Sensitive data exposure
    • XML External Entities (XXE)
    • Broken Access control
    • Security misconfigurations
    • Cross Site Scripting (XSS)
    • Insecure Deserialization
    • Using Components with known vulnerabilities
    • Insufficient logging and monitoring

AWS - Services - AWS Shield (Security)

  • AWS Shield is a managed DDoS (Distributed Denial of Service) protection service that safeguards applications running on AWS
  • What is a DDoS attack? - A malicious attempt to disrupt normal traffic by flooding a website with a large amount of fake traffic
  • All AWS customers benefit from the automatic protections of AWS Shield Standard, at no additional charge
  • When you route your traffic through Route53 or CloudFront you are using AWS Shield Standard
  • Protects you against Layer 3, 4 and 7 attacks
    • 7 Application
    • 4 Transport
    • 3 Network
  • Types
    • Shield Standard (Free)
      • For protection against the most common DDoS attacks, and access to tools and best practices to build a DDoS-resilient architecture
      • Automatically available on all AWS services
    • Shield Advanced (3000 USD / Year)
      • For additional protection against larger and more sophisticated attacks, visibility into attacks, and 24x7 access to DDoS experts for complex cases
      • Available on:
        • Amazon Route53
        • Amazon CloudFront
        • Elastic Load Balancing
        • AWS Global Accelerator
        • Elastic IP (Amazon Elastic Compute Cloud and Network Load Balancer)

AWS - Services - Amazon GuardDuty (Security)

  • What is IDS/IPS ?
    • Intrusion Detection System
    • Intrusion Prevention System
  • A device or software application that monitors a network or systems for malicious activity or policy violations
  • GuardDuty is a threat detection service that continuously monitors for malicious or suspicious activity and unauthorized behavior. It uses Machine Learning to analyze the following AWS logs:
    • CloudTrail Logs
    • VPC Flow Logs
    • DNS logs
  • It will alert you of Findings, for which you can automate an incident response via CloudWatch Events or with 3rd Party Services

AWS - Services - KMS - Key Management Service

  • A managed service that makes it easy for you to create and control the encryption keys used to encrypt your data
    • KMS is a multi-tenant HSM (hardware security module)
    • Many AWS services are integrated to use KMS to encrypt your data with a simple checkbox
    • KMS uses Envelope Encryption
  • Envelope Encryption
    • When you encrypt your data, your data is protected, but you then have to protect your encryption key (the data key)
    • Envelope encryption encrypts that data key with a master key, as an additional layer of security
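Envelope encryption as described above, shown as an added local illustration in Go (my own example, not AWS or KMS code; the type and function names Envelope, EnvelopeEncrypt, EnvelopeDecrypt and RewrapDataKey are my own). A master key wraps a per-object data key, a wrong master key fails before the payload is touched, and rotating the master key only re-wraps the small data key. The master key is an in-memory byte slice purely for the demo; in KMS it never leaves the HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope is what gets stored next to the data. The plaintext data key is never stored.
type Envelope struct {
	WrappedDataKey []byte // data key encrypted ("wrapped") under the master key
	Ciphertext     []byte // payload encrypted under the one-off data key
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM encrypts with AES-256-GCM and prefixes the random nonce; GCM also authenticates.
func sealGCM(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openGCM reverses sealGCM; it fails on a wrong key or on altered data.
func openGCM(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if ns := gcm.NonceSize(); len(sealed) >= ns {
		return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
	}
	return nil, errors.New("sealed data shorter than nonce")
}

// EnvelopeEncrypt: fresh 256-bit data key -> encrypt payload under it -> wrap the data key under the master key.
func EnvelopeEncrypt(masterKey, plaintext []byte) (*Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return nil, err
	}
	ciphertext, err := sealGCM(dataKey, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := sealGCM(masterKey, dataKey)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDataKey: wrapped, Ciphertext: ciphertext}, nil
}

// EnvelopeDecrypt unwraps the data key first; a wrong master key fails here, before the payload is touched.
func EnvelopeDecrypt(masterKey []byte, env *Envelope) ([]byte, error) {
	dataKey, err := openGCM(masterKey, env.WrappedDataKey)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return openGCM(dataKey, env.Ciphertext)
}

// RewrapDataKey rotates the master key without re-encrypting the payload: only the small wrapped data key changes.
func RewrapDataKey(oldMaster, newMaster []byte, env *Envelope) (*Envelope, error) {
	dataKey, err := openGCM(oldMaster, env.WrappedDataKey)
	if err != nil {
		return nil, err
	}
	wrapped, err := sealGCM(newMaster, dataKey)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDataKey: wrapped, Ciphertext: env.Ciphertext}, nil
}

func main() {
	master := []byte("0123456789abcdef0123456789abcdef") // constructed demo master key; a real one never leaves KMS
	env, err := EnvelopeEncrypt(master, []byte("constructed sample record"))
	if err != nil {
		panic(err)
	}
	pt, err := EnvelopeDecrypt(master, env)
	fmt.Printf("wrapped key %d bytes, ciphertext %d bytes, decrypted %q err=%v\n",
		len(env.WrappedDataKey), len(env.Ciphertext), pt, err)
}
```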

AWS - Services - Amazon Macie - (Security)

  • Macie is a fully managed service that continuously monitors S3 data access activity for anomalies, and generates detailed alerts when it detects a risk of unauthorized access or inadvertent data leaks
  • Macie works by using Machine Learning to analyze your CloudTrail logs
  • Macie has a variety of alerts
    • Anonymized Access
    • Config Compliance
    • Credential Loss
    • Data Compliance
    • File Hosting
    • Identity Enumeration
    • Information Loss
    • Location Anomaly
    • Open Permissions
    • Privilege Escalation
    • Ransomware
    • Service Disruption
    • Suspicious Access

AWS - Services - CloudSearch

  • Managed search engine - e.g. you have an e-commerce website and you want to add a search bar

AWS - Services - Direct Connect

  • Dedicated Fiber Optics Connections from DataCenter to AWS
  • A large enterprise has its own datacenter and needs an extremely fast connection directly to AWS. If you need additional security you can run a VPN connection on top of Direct Connect

AWS - Services - Amazon Connect

  • Call Center Service
  • Get a toll free number, accept inbound and outbound calls, set up automated phone systems

AWS - Services - Amazon Kinesis

  • Overview
    • Kinesis is a managed alternative to Apache Kafka
    • Great for application logs, metrics, IoT, clickstream
    • Great for real-time big data
    • Great for stream processing frameworks (Spark, NiFi, etc...)
    • Data is automatically replicated synchronously to 3 AZs
  • Amazon Kinesis Streams
    • low latency streaming ingest at scale
    • can take a lot of data from
      • click streams
      • IoT devices
      • metrics & logs
  • Amazon Kinesis Analytics
    • perform real-time analytics on stream using SQL
  • Amazon Kinesis Firehose
    • load streams into S3 or Redshift or ElasticSearch or Splunk

AWS - Services - Media Connect

  • New version of Elastic Transcoder, Converts Videos to Different Video Types
  • You have thousands of videos and need to transcode them into different video formats, maybe apply watermarks, or insert an introduction video in front of every video

AWS - Services - The Free Services

  • IAM - Identity Access Management
  • Amazon VPC
  • Auto Scaling - free, but can provision AWS services which cost money
  • CloudFormation - free, but can provision AWS services which cost money
  • Elastic Beanstalk - free, but can provision AWS services which cost money
  • Opsworks - free, but can provision AWS services which cost money
  • Amplify - free, but can provision AWS services which cost money
  • AppSync - free, but can provision AWS services which cost money
  • CodeStar - free, but can provision AWS services which cost money
  • Organizations & Consolidated Billing
  • AWS Cost Explorer

AWS - Services - Systems Manager

  • AWS Systems Manager gives you visibility and control of your infrastructure on AWS
  • Systems Manager provides a unified user interface so you can view operational data from multiple AWS services and allows you to automate operational tasks across your AWS resources
  • With Systems Manager, you can group resources, like Amazon EC2 instances, Amazon S3 buckets, or Amazon RDS instances, by application, view operational data for monitoring and troubleshooting, and take action on your groups of resources

AWS - Services - AWS Organizations

  • AWS Organizations helps you centrally govern your environment as you grow and scale your workloads on AWS.
  • Whether you are a growing startup or a large enterprise, Organizations helps you to centrally manage billing; control access, compliance, and security; and share resources across your AWS accounts.
  • Using AWS Organizations, you can automate account creation, create groups of accounts.
  • You can also simplify billing by setting up a single payment method for all of your AWS accounts.

AWS - Services - AWS Batch

  • Fully managed batch processing jobs on AWS
  • Efficiently run 100,000s of computing jobs on AWS
  • A 'batch' job is a job with start and an end
  • Batch will dynamically launch EC2 instances of Spot Instances
  • AWS Batch provisions the right amount of compute / memory
  • You submit or schedule batch jobs and AWS Batch does the rest
  • Batch jobs are defined as Docker images and run on ECS
  • Helpful for cost optimizations and focusing less on the infrastructure

AWS - Services - Amazon Lightsail

  • Virtual servers, storage, databases, and networking
  • Low & predictable pricing
  • Simpler alternative to using EC2, RDS, ELB, EBS, Route 53
  • Great for people with little cloud experience
  • Can set up notification and monitoring of your Lightsail resources
  • Use cases
    • Simple web application (has templates for LAMP, Nginx, MEAN, Node.js...)
    • Websites (templates for WordPress, Magento, Plesk, Joomla)
    • Dev / Test environment
  • Has high availability but no auto-scaling, limited AWS integration

AWS - Services - Storage

  • S3 - Simple Storage Service - object storage
  • S3 Glacier - low cost storage for archiving and long-term backup
  • Storage Gateway - hybrid cloud storage with local caching (file gateway, volume gateway, tape gateway)
  • EBS - Elastic Block Storage - hard drive in the cloud you attach to EC2 instances (SSD, IOPS, Throughput HDD, Cold HDD)
  • EFS - Elastic File Storage - file storage mountable to multiple EC2 instances at the same time
  • Snowball - Physically migrate lots of data via a compute suitcase 50-80 TB
    • Snowball Edge - A better version of Snowball - 100TB
    • Snowmobile - Shipping container, pulled by a semi-trailer truck - 100PB

S3 - Simple Storage Service

  • Amazon S3 is a simple key-based object store
  • How much data can I store in Amazon S3?
    • The total volume of data and number of objects you can store are unlimited.
    • Individual Amazon S3 objects can range in size from a minimum of 0 bytes to a maximum of 5 TB.
    • The largest object that can be uploaded in a single PUT is 5 GB.
    • For objects larger than 100 MB, customers should consider using the Multipart Upload capability.
  • S3 buckets are region specific
  • S3 bucket names are globally unique, like DNS names
  • Objects are directly accessible via URL
  • You can store virtually any kind of data in any format

S3 - Use cases

  • Backup and storage
  • Disaster Recovery
  • Archive
  • Hybrid Cloud storage
  • Application hosting
  • Media hosting
  • Data lakes & big data analytics
  • Software delivery
  • Static website

S3 - Summary

  • Buckets vs Objects - global unique name, tied to a region
  • S3 security - IAM policy, S3 Bucket Policy (public access), S3 Encryption
  • S3 Websites - host a static website on Amazon S3
  • S3 Versioning - multiple versions for files, prevent accidental deletes
  • S3 Access Logs - log requests made within your S3 bucket
  • S3 Replication - same-region or cross-region, must enable versioning
  • S3 Storage Classes - Standard, IA, 1Z-IA, Intelligent, Glacier, Deep Archive
  • S3 Lifecycle Rules - transition objects between classes
  • Snowball / Snowmobile - import data onto S3 through a physical device
  • Storage Gateway - hybrid solution to extend on-premises storage to S3

Database Services

  • DynamoDB - NoSQL key/value database (like cassandra)
  • DocumentDB - NoSQL Document database that is MongoDB compatible (like MongoDB)
  • RDS - Relational Database Service that supports multiple engines (MySQL, Postgres, MariaDB, Microsoft SQL Server, Aurora)
    • Aurora - fully managed database, MySQL-compatible (5x faster) and PostgreSQL-compatible (3x faster)
    • Aurora Serverless - only runs when you need it, like AWS Lambda
  • Neptune - Managed Graph Database
  • Redshift - Columnar database, petabyte warehouse
  • ElastiCache - Redis or Memcached database

Database Services - RDS - Relational Database Service

  • RDS stands for Relational Database Service
  • It's a managed DB service for databases that use SQL as a query language
  • It allows you to create databases in the cloud that are managed by AWS
    • Postgres
    • MySQL
    • MariaDB
    • Oracle
    • Microsoft SQL Server
    • Aurora (AWS Proprietary database)

Database Services - Redshift

  • Redshift is based on PostgreSQL, but it's not used for OLTP (Online transaction processing)
  • It's OLAP - online analytical processing (analytics and data warehousing)
  • Load data once every hour, not every second
  • 10x better performance than other data warehouses, scale to PBs of data
  • Columnar storage of data (instead of row based)
  • Massively Parallel Query Execution (MPP), highly available
  • Pay as you go based on the instances provisioned
  • Has a SQL interface for performing the queries
  • BI tools such as AWS QuickSight or Tableau integrate with it

Database Services - ElastiCache

  • The same way RDS gives you managed relational databases, ElastiCache gives you managed Redis or Memcached
  • Caches are in-memory databases with high performance, low latency
  • Helps take load off databases for read-intensive workloads
  • AWS takes care of OS maintenance / patching, optimizations, setup, configuration, monitoring, failure recovery and backup

Database Services - DynamoDB

  • Fully managed, highly available with replication across 3 AZs
  • NoSQL database - not a relational database
  • Scales to massive workloads, distributed 'serverless' database
  • Millions of requests per second, trillions of rows, 100s of TB of storage
  • Fast and consistent in performance
  • Single-digit millisecond latency - low latency retrieval
  • Integrated with IAM for security, authorization and administration
  • Low cost and auto scaling capabilities

Database Services - Amazon EMR

  • EMR stands for 'Elastic MapReduce'
  • EMR helps create Hadoop clusters (Big Data) to analyze and process vast amounts of data
  • The clusters can be made of hundreds of EC2 instances
  • Also supports Apache Spark, HBase, Presto, Flink...
  • EMR takes care of all provisioning and configuration
  • Auto-scaling and integrated with Spot instances
  • Use cases: data processing, machine learning, web indexing, big data...

Database Services - Athena

  • What is Athena & Key Benefits
    • Serverless interactive query tool
    • It's not an ETL tool
    • Pay per Query ($ = Scanned data volume)
  • How Athena Works
    • Load data from S3 -> Define the schema -> Query
    • Build on top of Apache Presto
    • Works with AWS Glue
    • ANSI SQL Compliant
    • Popular formats (CSV, JSON, Parquet, Avro, ORC)
  • Optimise Cost
    • Use columnar formats (e.g. use Parquet)
    • Use compression
    • Use partitions
  • Common Workloads
    • Ad-hoc queries / Exploration / Infrequent queries
    • Redshift + EMR + Athena
  • Fully Serverless database with SQL capabilities
  • Used to query data in S3
  • Pay per query
  • Output results back to S3
  • Secured through IAM

Database Services - DMS - Database Migration Service

  • Quickly and securely migrate databases to AWS, resilient, self healing
  • The source database remains available during the migration
  • Supports
    • e.g. Oracle to Oracle
    • e.g. Microsoft SQL Server to Aurora

Database Services - AWS Glue

  • Managed extract, transform, and load (ETL) service
  • Useful to prepare and transform data for analytics
  • Fully serverless service

Deployment

  • CloudFormation (AWS only)
    • Infrastructure as Code, works with almost all AWS resources
    • Repeat across Regions & Accounts
  • Beanstalk (AWS only)
    • Platform as a Service (PaaS), limited to certain programming languages or Docker
    • Deploy code consistently with a known architecture: ALB + EC2 + RDS
  • CodeDeploy (hybrid)
    • deploy & upgrade any application onto servers
  • Systems Manager (hybrid)
    • patch, configure and run commands at scale
  • OpsWorks (hybrid)
    • managed Chef and Puppet in AWS

Deployment - CloudFormation

  • infrastructure as code: set up services via a template (YAML or JSON)
  • CloudFormation is a declarative way of outlining your AWS infrastructure, for any resources (most of them are supported)
  • benefits of CloudFormation
    • infrastructure as code
      • no resources are manually created, which is excellent for control
      • changes to the infrastructure are reviewed through code
    • cost
      • each resource within the stack is tagged with an identifier so you can easily see how much a stack costs you
      • you can estimate the cost of your resources using the CloudFormation template
      • savings strategy: in dev, you could automate deleting the stack at 5 PM and re-creating it at 8 AM, safely
    • productivity
      • ability to destroy and re-create an infrastructure on the cloud on the fly
      • automated generation of a diagram for your templates
      • declarative programming (no need to figure out ordering and orchestration)
    • do not re-invent the wheel
      • leverage existing templates on the web
      • leverage the documentation
    • supports (almost) all AWS resources
      • what is not supported can be used in CF as custom resources
  • CloudFormation Stack Designer
    • we can see all the resources
    • we can see the relations between the components
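The "no need to figure out ordering and orchestration" benefit comes from the template being a dependency graph rather than a script. As an added example (not code from the original notes and not how AWS implements it internally), the following derives a creation order the way a declarative engine can: every Ref or Fn::GetAtt that points at another resource, plus any explicit DependsOn, is an edge, and a topological sort of those edges gives an order in which each resource's dependencies already exist. The template is constructed for the example; the AMI id is a placeholder.

```python
"""Derive a CloudFormation creation order from Ref / Fn::GetAtt edges.

Added example (not from the original notes or from AWS). A Ref or
Fn::GetAtt to another resource, or an explicit DependsOn, is an edge in
a dependency graph; a topological sort of that graph is a valid creation
order. The template below is constructed; ami-PLACEHOLDER is a placeholder.
"""
import json

# Constructed sample template (JSON form; the YAML form is equivalent).
SAMPLE_TEMPLATE = json.dumps({
    "Parameters": {"KeyName": {"Type": "AWS::EC2::KeyPair::KeyName"}},
    "Resources": {
        "VPC": {"Type": "AWS::EC2::VPC",
                "Properties": {"CidrBlock": "10.0.0.0/16"}},
        "Subnet": {"Type": "AWS::EC2::Subnet",
                   "Properties": {"VpcId": {"Ref": "VPC"},
                                  "CidrBlock": "10.0.1.0/24"}},
        "SecurityGroup": {"Type": "AWS::EC2::SecurityGroup",
                          "Properties": {"VpcId": {"Ref": "VPC"},
                                         "GroupDescription": "web tier"}},
        "Instance": {"Type": "AWS::EC2::Instance",
                     "Properties": {"SubnetId": {"Ref": "Subnet"},
                                    "SecurityGroupIds": [{"Fn::GetAtt": ["SecurityGroup", "GroupId"]}],
                                    "KeyName": {"Ref": "KeyName"},
                                    "ImageId": "ami-PLACEHOLDER"}},
    },
})

# Constructed template with a reference cycle, which cannot be ordered.
CYCLIC_TEMPLATE = json.dumps({"Resources": {
    "A": {"Type": "AWS::SNS::Topic", "Properties": {"DisplayName": {"Ref": "B"}}},
    "B": {"Type": "AWS::SNS::Topic", "Properties": {"DisplayName": {"Ref": "A"}}},
}})

def _collect_refs(node, out):
    """Recursively gather every logical ID named by a Ref or Fn::GetAtt."""
    if isinstance(node, dict):
        if set(node) == {"Ref"}:
            out.add(node["Ref"])
        elif set(node) == {"Fn::GetAtt"}:
            target = node["Fn::GetAtt"]
            # list form ["Logical", "Attr"] or string form "Logical.Attr"
            out.add(target[0] if isinstance(target, list) else target.split(".")[0])
        else:
            for value in node.values():
                _collect_refs(value, out)
    elif isinstance(node, list):
        for value in node:
            _collect_refs(value, out)

def dependency_graph(template):
    """Map each resource to the set of resources it must be created after."""
    resources = template["Resources"]
    graph = {}
    for logical_id, body in resources.items():
        refs = set()
        _collect_refs(body.get("Properties", {}), refs)
        depends_on = body.get("DependsOn", [])
        refs.update([depends_on] if isinstance(depends_on, str) else depends_on)
        # Refs to Parameters or pseudo parameters (AWS::Region, ...) are not resources
        graph[logical_id] = {r for r in refs if r in resources and r != logical_id}
    return graph

def creation_order(template_json):
    """Kahn's algorithm: emit resources whose dependencies are already created.

    Ready resources are emitted in name order so the result is deterministic;
    a reference cycle raises ValueError, as CloudFormation would reject it.
    """
    graph = dependency_graph(json.loads(template_json))
    remaining = {name: set(deps) for name, deps in graph.items()}
    order = []
    while remaining:
        ready = sorted(name for name, deps in remaining.items() if not deps)
        if not ready:
            raise ValueError(f"circular dependency among {sorted(remaining)}")
        order.extend(ready)
        for name in ready:
            del remaining[name]
        for deps in remaining.values():
            deps.difference_update(ready)
    return order

if __name__ == "__main__":
    print(" -> ".join(creation_order(SAMPLE_TEMPLATE)))
```

Resources that become ready in the same round (here the subnet and the security group, which both only need the VPC) have no ordering constraint between them, which is exactly what lets CloudFormation create them in parallel.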

Deployment - Elastic Beanstalk

  • Elastic Beanstalk is a developer centric view of deploying an application on AWS
  • It uses all the components we've seen before: EC2, ASG, ELB, RDS, etc...
  • Beanstalk = Platform as a Service (PaaS)
  • Managed service
    • Instance configuration / OS is handled by Beanstalk
    • Deployment strategy is configurable but performed by Elastic Beanstalk
  • Just the application code is the responsibility of the developer
  • Three architecture models:
    • Single Instance deployment: good for dev
    • LB + ASG: great for production and pre-production web applications
    • ASG only: great for non-web apps in production (workers, etc..)
  • Support for many platforms: Go, Java SE, Java with Tomcat, .NET on Windows Server with IIS, Node.js, PHP, Python, Ruby, Packer Builder, Single Container Docker, Multi-Container Docker, Preconfigured Docker
  • If not supported, you can write your custom platform (advanced)

Deployment - AWS CodeDeploy

  • We want to deploy our application automatically
  • Works with EC2 Instances
  • Works with On-Premises Servers
  • Hybrid service
  • Servers / Instances must be provisioned and configured ahead of time with the CodeDeploy Agent

Deployment - AWS Systems Manager (SSM)

  • Helps you manage your EC2 and On-Premises systems at scale
  • Another Hybrid AWS service
  • Get operational insights about the state of your infrastructure
  • Suite of 10+ products
  • Most important features are:
    • Patching automation for enhanced compliance
    • Run commands across an entire fleet of servers
    • Store parameter configuration with the SSM Parameter Store
  • Works for both Windows and Linux OS
  • How Systems Manager works
    • We need to install the SSM agent onto the systems we control
    • Installed by default on Amazon Linux AMI & some Ubuntu AMI
    • If an instance can't be controlled with SSM, it's probably an issue with the SSM agent

Deployment - AWS OpsWorks

  • Chef & Puppet help you perform server configuration automatically, or repetitive actions
  • They work great with EC2 & On-Premises VMs
  • AWS OpsWorks = Managed Chef & Puppet
  • It's an alternative to AWS SSM
  • Only provisions standard AWS resources
    • EC2 Instances, Databases, Load Balancers, EBS volumes...
  • In the exam: Chef or Puppet needed => AWS OpsWorks

Cloud Monitoring

  • CloudWatch
    • Metrics - monitor the performance of AWS services and billing metrics
    • Alarms - automate notifications, perform EC2 actions, notify SNS based on a metric
    • Logs - collect log files from EC2 instances, servers, Lambda functions...
    • Events (EventBridge) - react to events in AWS, or trigger a rule on a schedule
  • CloudTrail
    • audit API calls made within your AWS account
  • X-Ray
    • trace requests made through your distributed application
  • Service Health Dashboard
    • status of all AWS services across all regions
  • Personal Health Dashboard
    • AWS events that impact your infrastructure

Cloud Monitoring - CloudWatch

  • CloudWatch - is a collection of multiple services
    • CloudWatch Logs - collects application and service logs, e.g. Rails, Nginx, Lambda logs
    • CloudWatch Metrics - performance data about AWS services, e.g. CPU utilization, memory, network in; a time-ordered set of data points, i.e. a variable to monitor
    • CloudWatch Events - trigger an event based on a condition, e.g. every hour take a snapshot of a server
    • CloudWatch Alarms - triggers notifications based on metrics
    • CloudWatch Dashboard - create visualizations based on metrics

Cloud Monitoring - CloudWatch Metrics

  • CloudWatch provides metrics for every service in AWS
  • Metric is a variable to monitor (CPUUtilization, Network...)
  • Metrics have timestamps
  • Can create CloudWatch dashboards of metrics
  • Important Metrics
    • EC2 instances: CPU Utilization, Status Checks, Network, not RAM
      • Default metrics every 5 minutes
      • Option for Detailed Monitoring ($$$), metrics every 1 minute
    • EBS volumes: Disk Read/Writes
    • S3 buckets: BucketSizeBytes, NumberOfObjects, AllRequests
    • Billing: Total Estimated Charge (only in us-east-1)
    • Service Limits: how much you've been using a service API
    • Custom metrics: push your own metrics

Cloud Monitoring - CloudWatch Alarms

  • Alarms are used to trigger notifications for any metric
  • Alarms actions...
    • Auto Scaling: increase or decrease EC2 instances "desired" count
    • EC2 Action, stop, terminate, reboot or recover an EC2 instance
    • SNS notifications: send a notification into an SNS topic
  • Various options (sampling, %, max, min, etc...)
  • Can choose the period over which to evaluate an alarm
  • Example: create a billing alarm on the CloudWatch Billing metric
  • Alarm States: OK, INSUFFICIENT_DATA, ALARM
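To make the period, statistic and three alarm states concrete, here is an added example (not code from the original notes and not AWS's implementation) that models the evaluation in plain Python: raw samples are aggregated into one datapoint per period with a statistic, the last N datapoints are compared against a threshold, and the result is ALARM, OK or INSUFFICIENT_DATA. Missing datapoints are skipped, which is a simplification of the configurable "treat missing data" behaviour real alarms have. The CPU and EstimatedCharges samples are constructed; the billing case follows the notes' example (Maximum over 6-hour periods).

```python
"""Simplified model of how a CloudWatch alarm turns samples into a state.

Added example (not from the original notes or from AWS): aggregate per
period, compare the last N datapoints against a threshold, emit a state.
Missing datapoints are skipped; real alarms have a configurable
treat-missing-data option this model leaves out. All samples are constructed.
"""
from statistics import mean

COMPARISONS = {
    "GreaterThanThreshold": lambda v, t: v > t,
    "GreaterThanOrEqualToThreshold": lambda v, t: v >= t,
    "LessThanThreshold": lambda v, t: v < t,
    "LessThanOrEqualToThreshold": lambda v, t: v <= t,
}
STATISTICS = {"Average": mean, "Maximum": max, "Minimum": min, "Sum": sum}

def aggregate(samples, period_seconds, statistic):
    """Turn (timestamp_seconds, value) samples into one datapoint per period.

    Periods without any sample yield None so that gaps stay visible.
    """
    buckets = {}
    for ts, value in samples:
        buckets.setdefault(ts // period_seconds, []).append(value)
    if not buckets:
        return []
    stat = STATISTICS[statistic]
    first, last = min(buckets), max(buckets)
    return [stat(buckets[b]) if b in buckets else None for b in range(first, last + 1)]

def alarm_state(datapoints, threshold, comparison, evaluation_periods, datapoints_to_alarm=None):
    """ALARM when at least M of the last N datapoints breach the threshold."""
    datapoints_to_alarm = datapoints_to_alarm or evaluation_periods
    window = [d for d in datapoints[-evaluation_periods:] if d is not None]
    if not window:
        return "INSUFFICIENT_DATA"
    breaching = sum(1 for d in window if COMPARISONS[comparison](d, threshold))
    return "ALARM" if breaching >= datapoints_to_alarm else "OK"

# Constructed EC2 CPUUtilization samples (seconds, percent): idle, then a spike.
CPU_SAMPLES = [(0, 20), (60, 30), (300, 85), (420, 95),
               (600, 90), (660, 92), (900, 88), (1000, 91)]

# Constructed EstimatedCharges samples (seconds, USD) for the billing alarm.
BILLING_SAMPLES = [(0, 3.2), (21600, 7.9), (43200, 12.4)]

def cpu_alarm(evaluation_periods, datapoints_to_alarm=None):
    """CPU > 80% over 5-minute periods, as an Auto Scaling trigger might use."""
    points = aggregate(CPU_SAMPLES, 300, "Average")
    return alarm_state(points, 80, "GreaterThanThreshold", evaluation_periods, datapoints_to_alarm)

def billing_alarm(threshold_usd):
    """EstimatedCharges > threshold, one 6-hour period, Maximum statistic."""
    points = aggregate(BILLING_SAMPLES, 6 * 3600, "Maximum")
    return alarm_state(points, threshold_usd, "GreaterThanThreshold", 1)

if __name__ == "__main__":
    print("CPU, 3 of 3 periods:", cpu_alarm(3))
    print("CPU, 4 of 4 periods:", cpu_alarm(4))
    print("CPU, 3 of 4 periods:", cpu_alarm(4, 3))
    print("Billing > $10:", billing_alarm(10))
```

The same spike reads as ALARM with 3 evaluation periods and as OK with 4, unless "datapoints to alarm" is lowered to 3 of 4; that trade-off between reaction time and false positives is what the period and evaluation settings control.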

Cloud Monitoring - CloudTrail

  • AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account.
  • CloudTrail is enabled by default
  • With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure.
  • CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services.
  • Can put logs from CloudTrail into CloudWatch Logs or S3
  • A trail can be applied to All Regions (default) or a single Region
  • If a resource is deleted in AWS, investigate CloudTrail first
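"Investigate CloudTrail first" in practice means answering who deleted what, when and from where. The following is an added example, not code from the original notes: it reads a CloudTrail log file in the {"Records": [...]} shape CloudTrail delivers to S3, keeps the successful Delete*/Terminate*/Remove* calls, names the caller from the userIdentity element, and separately flags calls that weaken the audit trail itself. The records are constructed; 123456789012 is the standard AWS example account id, the IP addresses are documentation ranges, and the instance id is a placeholder.

```python
"""Triage CloudTrail records for destructive API calls.

Added example (not from the original notes). Walks a CloudTrail log file,
keeps successful Delete*/Terminate*/Remove* calls and names the caller.
The records are constructed; account 123456789012 and the 203.0.113.x /
198.51.100.x addresses are AWS and IETF documentation values.
"""
import json

SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2020-07-20T08:01:10Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2020-07-20T08:02:45Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.20",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/DeployRole/ci-runner"},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-PLACEHOLDER"}]}}},
    {"eventTime": "2020-07-20T08:03:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.9", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::123456789012:user/bob"}},
    {"eventTime": "2020-07-20T08:05:30Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DeleteTrail", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
]})

DESTRUCTIVE_PREFIXES = ("Delete", "Terminate", "Remove")
# Calls that weaken audit logging itself deserve a flag of their own.
LOGGING_TAMPER = {"DeleteTrail", "StopLogging", "UpdateTrail"}

def caller(identity):
    """Human-readable actor from a CloudTrail userIdentity element."""
    kind = identity.get("type")
    if kind == "IAMUser":
        return identity.get("userName", "<unknown user>")
    if kind == "AssumedRole":
        # arn:aws:sts::<account>:assumed-role/<RoleName>/<SessionName>
        return identity.get("arn", "").split("assumed-role/")[-1]
    if kind == "Root":
        return "root"
    return kind or "<unknown>"

def find_deletions(log_text, include_failed=False):
    """Return destructive events, oldest first, as plain dicts."""
    hits = []
    for rec in json.loads(log_text)["Records"]:
        name = rec.get("eventName", "")
        if not name.startswith(DESTRUCTIVE_PREFIXES):
            continue
        failed = "errorCode" in rec           # denied attempts carry an errorCode
        if failed and not include_failed:
            continue
        hits.append({
            "time": rec["eventTime"],
            "eventName": name,
            "service": rec.get("eventSource", "").split(".")[0],
            "actor": caller(rec.get("userIdentity", {})),
            "sourceIp": rec.get("sourceIPAddress"),
            "failed": failed,
            "loggingTamper": name in LOGGING_TAMPER,
        })
    return sorted(hits, key=lambda e: e["time"])

if __name__ == "__main__":
    for e in find_deletions(SAMPLE_LOG, include_failed=True):
        flag = " !! audit logging changed" if e["loggingTamper"] else ""
        print(f'{e["time"]} {e["service"]}:{e["eventName"]} by {e["actor"]} '
              f'from {e["sourceIp"]}{" (denied)" if e["failed"] else ""}{flag}')
```

Failed attempts are excluded by default because they did not change anything, but `include_failed=True` is worth running too: a denied DeleteBucket followed by a successful DeleteTrail from the same address is the kind of sequence that should raise an alert rather than just explain a missing resource.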

Cloud Monitoring - X-Ray

  • Troubleshooting performance (bottlenecks)
  • Understand dependencies in a microservice architecture
  • Pinpoint service issues
  • Review request behavior
  • Find errors and exceptions
  • Identify users that are impacted

Cloud Monitoring - Service Health Dashboard

  • Shows all regions, all services health
  • Shows historical information for each day
  • Has an RSS feed you can subscribe to

Cloud Monitoring - Personal Health Dashboard

  • AWS Personal Health Dashboard provides alerts and remediation guidance when AWS is experiencing events that may impact you
  • While the Service Health Dashboard displays the general status of AWS services, Personal Health Dashboard gives you a personalized view into the performance and availability of the AWS services underlying your AWS resources
  • The dashboard displays relevant and timely information to help you manage events in progress and provides proactive notification to help you plan for scheduled activities
  • Shows how AWS outages directly impact you & your AWS resources

Docker

Docker - ECS - Elastic Container Service

  • Launch Docker container on AWS
  • You must provision & maintain the infrastructure (the EC2 instances)
  • AWS takes care of starting / stopping containers
  • Has integrations with the Application Load Balancer

Docker - Fargate

  • Launch Docker container on AWS
  • You do not provision the infrastructure (no EC2 instances to manage) - simpler
  • Serverless offering
  • AWS just runs containers for you based on the CPU / RAM you need

Docker - ECR - Elastic Container Registry

  • Private Docker Registry on AWS
  • This is where you store your Docker images, so they can be run by ECS or Fargate

Serverless Introduction

  • Serverless is a new paradigm in which developers don't have to manage servers anymore. They just deploy code / functions.
  • Serverless does not mean there are no servers, it means you just don't manage / provision them
  • e.g.
    • Amazon S3
    • DynamoDB
    • Fargate
    • Lambda

Serverless Introduction - Lambda

  • runtime: node.js, python, java, c#, golang, ruby
  • virtual function - no servers to manage
  • limited by time - short execution
  • run on-demand
  • scaling is automated
  • easy pricing
    • pay per request and compute time
    • free tier of 1,000,000 AWS Lambda requests and 400,000 GB-seconds of compute time per month
    • pricing
      • pay per call
        • first 1,000,000 requests are free
        • $0.20 per 1,000,000 requests
      • pay per duration (in increments of 100ms)
        • 400,000 GB-seconds of compute time per month is free
          • 400,000 seconds if function is 1 GB RAM
          • 3,200,000 seconds if function is 128 MB RAM
          • after that $1.00 for 600,000 GB-seconds
  • integrated with the whole AWS suite of services
  • easy monitoring through AWS CloudWatch
  • easy to get more resources per function (up to 3GB of RAM)
  • increasing RAM will also improve CPU and networking
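The pricing bullets above combine three inputs (request count, billed duration, memory size), and the "400,000 seconds at 1 GB equals 3,200,000 seconds at 128 MB" equivalence only makes sense once GB-seconds are computed. As an added example (not code from the original notes, and not AWS's price list, which varies by region and changes over time), the following turns the notes' figures into a cost function using exactly the numbers stated: 1M free requests, $0.20 per further million, 400,000 free GB-seconds, $1.00 per 600,000 GB-seconds, 100 ms billing increments.

```python
"""Lambda cost model using the figures in the notes.

Added example (not from the original notes or from AWS pricing pages).
The constants are the notes' figures; real prices vary by region and change.
"""
import math

FREE_REQUESTS = 1_000_000
PRICE_PER_MILLION_REQUESTS = 0.20
FREE_GB_SECONDS = 400_000
PRICE_PER_GB_SECOND = 1.00 / 600_000     # $1.00 per 600,000 GB-seconds
BILLING_INCREMENT_MS = 100

def billed_duration_ms(duration_ms):
    """Duration is rounded up to the next 100 ms increment."""
    return math.ceil(duration_ms / BILLING_INCREMENT_MS) * BILLING_INCREMENT_MS

def gb_seconds(invocations, duration_ms, memory_mb):
    """GB-seconds consumed: billed seconds x memory in GB, summed over calls."""
    return invocations * billed_duration_ms(duration_ms) / 1000 * memory_mb / 1024

def monthly_cost(invocations, duration_ms, memory_mb):
    """Return request, compute and total cost after the free tier, in USD."""
    request_cost = max(invocations - FREE_REQUESTS, 0) / 1_000_000 * PRICE_PER_MILLION_REQUESTS
    compute = gb_seconds(invocations, duration_ms, memory_mb)
    compute_cost = max(compute - FREE_GB_SECONDS, 0) * PRICE_PER_GB_SECOND
    return {
        "gb_seconds": compute,
        "request_cost": round(request_cost, 2),
        "compute_cost": round(compute_cost, 2),
        "total": round(request_cost + compute_cost, 2),
    }

if __name__ == "__main__":
    # The two free-tier equivalences from the notes: 400,000 s at 1 GB and
    # 3,200,000 s at 128 MB both consume exactly the free 400,000 GB-seconds.
    print(monthly_cost(400_000, 1000, 1024))
    print(monthly_cost(3_200_000, 1000, 128))
    # A constructed month: 5M calls, 120 ms each (billed as 200 ms), 512 MB.
    print(monthly_cost(5_000_000, 120, 512))
```

Note how the 120 ms function is billed as 200 ms: under per-100 ms billing, trimming a function from 120 ms to 100 ms halves its compute cost, while the "more RAM also means more CPU" bullet above can cut duration enough to make a larger memory setting cheaper overall.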

AWS Trusted Advisor

AWS Trusted Advisor - General

  • Free - 7 Trusted Advisor Checks
  • Business, Enterprise - All Trusted Advisor Checks
  • Advises you on security, saving money, performance, service limits and fault tolerance

AWS Trusted Advisor - Cost Optimization

  • Amazon EC2 Reserved Instances Optimization
  • Low Utilization Amazon EC2 Instances
  • Underutilized Amazon EBS Volumes
  • Amazon EC2 Reserved Instances Lease Expiration
  • Amazon RDS Idle DB Instances
  • Amazon Route 53 Latency Resource Record Sets
  • Idle Load Balancers
  • Unassociated Elastic IP Address
  • Underutilized Amazon Redshift Clusters

AWS Trusted Advisor - Performance

  • CloudFront Alternate Domain Names
  • Amazon EBS Provisioned IOPS (SSD) Volume Attachment Configuration
  • Amazon EC2 to EBS Throughput Optimization
  • Amazon Route 53 Alias Resource Record Sets
  • CloudFront Content Delivery Optimization
  • CloudFront Header Forwarding and Cache Hit Ratio
  • High Utilization Amazon EC2 Instances
  • Large Number of EC2 Security Groups Rules Applied to an Instance
  • Large Number of Rules in an EC2 Security Group
  • Overutilized Amazon EBS Magnetic Volumes

AWS Trusted Advisor - Security

  • AWS CloudTrail Logging
  • IAM Password Policy
  • MFA on Root Account
  • Security Group - Specific Ports Unrestricted
  • Security Group - Unrestricted Access
  • Amazon S3 Bucket Permissions
  • IAM Access Key Rotation
  • Amazon EBS Public Snapshot
  • Amazon RDS Public Snapshot
  • Amazon RDS Security Group Access Risk
  • Amazon Route 53 MX Resource Record Sets and Sender Policy Framework
  • CloudFront Custom SSL Certificates in the IAM Certificate Store
  • CloudFront SSL Certificate on the Origin Server
  • ELB Listener Security
  • ELB Security Group
  • Exposed Access Keys
  • IAM Use

AWS Trusted Advisor - Fault Tolerance

  • Amazon EBS Snapshots
  • Amazon RDS Multi-AZ
  • Amazon S3 Bucket Logging
  • Amazon S3 Bucket Versioning
  • Amazon Aurora DB Instance Accessibility
  • Amazon EC2 Availability Zone Balance
  • Amazon RDS Backups
  • Amazon Route 53 Deleted Health Checks
  • Amazon Route 53 Failover Resource Record Set
  • Amazon Route 53 High TTL Resource Record Set
  • Amazon Route 53 Name Server Delegations
  • Auto Scaling Group Health Check
  • Auto Scaling Group Resources
  • ELB Connection Draining
  • ELB Cross-Zone Load Balancing
  • Load Balancer Optimization
  • VPN Tunnel Redundancy
  • AWS Direct Connect Connection Redundancy
  • AWS Direct Connect Location Redundancy
  • AWS Direct Connect Virtual Interface Redundancy
  • EC2Config Service for EC2 Windows Instances
  • ENA Driver Version for EC2 Windows Instances
  • PV Driver Version for EC2 Windows Instances

AWS Trusted Advisor - Service Limits

  • Auto Scaling Group
  • Auto Scaling Launch Configuration
  • CloudFormation Stacks
  • DynamoDB Read Capacity
  • DynamoDB Write Capacity
  • EBS Active Snapshot
  • EBS Active Volumes
  • EBS Cold HDD (sc1) Volume Storage
  • EBS General Purpose SSD (gp2) Volume Storage
  • EBS Magnetic (standard) Volume Storage
  • EBS Provisioned IOPS (SSD) Volume Aggregate IOPS
  • EBS Provisioned IOPS SSD (io1) Volume Storage
  • EBS Throughput Optimized HDD (st1) Volume Storage
  • EC2 Elastic IP Addresses
  • EC2 On-Demand Instances Leases
  • EC2 Reserved Instances Leases
  • ELB Active Load Balancers
  • IAM Group
  • IAM Instance Profiles
  • IAM Policies
  • IAM Roles
  • IAM Server Certificates
  • IAM Users
  • Kinesis Shards per Region
  • RDS Cluster Parameter Groups
  • RDS Cluster Roles
  • RDS Clusters
  • RDS DB Instances
  • RDS DB Parameter Groups
  • RDS DB Security Groups
  • RDS DB Snapshots Per User
  • RDS Event Subscription
  • RDS Max Auths per Security Groups
  • RDS Option Groups
  • RDS Read Replica per Master
  • RDS Reserved Instances
  • RDS Subnet Groups
  • RDS Subnets per Subnet Groups
  • RDS Total Storage Quota
  • Route 53 Hosted Zone
  • Route 53 Max Health Checks
  • Route 53 Reusable Delegation Sets
  • Route 53 Traffic Policies
  • Route 53 Traffic Policy Instances
  • SES Daily Sending Quota
  • VPC
  • VPC Elastic IP Address
  • VPC Internet Gateway

VPC & Networking

  • VPC is something you should know in depth for the AWS Certified Solutions Architect Associate & AWS Certified SysOps Administrator
  • At the AWS Certified Cloud Practitioner Level, you should know
    • VPC, Subnets, Internet Gateways & NAT Gateways
    • Security Groups, Networks ACL (NACL), VPC Flow Logs
    • VPC Peering, VPC Endpoints
    • Site to site VPN & Direct Connect
    • Transit Gateway

VPC & Networking - VPC & Subnets

  • VPC - Virtual Private Cloud - private network to deploy your resources (regional resource)
  • Subnets allow you to partition your network inside your VPC (Availability Zone resource)
  • A public subnet is a subnet that is accessible from internet
  • A private subnet is a subnet that is not accessible from the internet
  • To define access to the internet and between subnets, we use Route Tables
  • Internet Gateway helps our VPC instances connect with the internet
  • Public Subnets have a route to the internet gateway
  • NAT Gateways (AWS-managed) & NAT Instances (self-managed) allow your instances in your Private Subnets to access the internet while remaining private

VPC & Networking - Security Groups and NACLs

  • NACL (Network ACL)
    • A firewall which controls traffic from and to subnet
    • Can have ALLOW and DENY rules
    • Are attached at the Subnet level
    • Rules only include IP addresses
  • Security Group
    • A firewall that controls traffic to and from an ENI / an EC2 Instance
    • Can have only ALLOW rules
    • Rules include IP addresses and other security groups

VPC & Networking - Security Groups vs NACLs

  • Security Groups
    • Acts as a firewall at the INSTANCE level
    • Supports ALLOW rules
    • Is stateful - returned traffic is automatically allowed, regardless of any rules
  • NACLs - Network Access Control Lists
    • Acts as a firewall at the SUBNET level
    • Supports ALLOW and DENY rules
    • Is stateless - returned traffic must be explicitly allowed by rules
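The stateful/stateless difference is easiest to see on one concrete flow. The following is an added example, not code from the original notes or from AWS: two tiny filters evaluate the same HTTPS exchange, a client request arriving on port 443 and the instance's reply back to the client's ephemeral port. The security group tracks the flow, so the reply needs no egress rule; the NACL is stateless and ordered, so the reply must match an outbound rule covering the ephemeral range, and a lower-numbered DENY beats a later ALLOW. Rules are CIDR-only (the security-group-to-security-group rules mentioned above are not modelled); all addresses are documentation ranges.

```python
"""Stateful vs stateless filtering: a Security Group next to a Network ACL.

Added example (not from the original notes or from AWS). Models only
CIDR-based TCP rules; addresses are IETF documentation ranges.
"""
import ipaddress
from collections import namedtuple

# direction is "in" (towards the instance) or "out" (from the instance);
# remote_port / local_port are the two TCP ports of the flow.
Packet = namedtuple("Packet", "direction proto remote_ip remote_port local_port")

def _dst_port(pkt):
    """Rules are written against the destination port of the packet."""
    return pkt.local_port if pkt.direction == "in" else pkt.remote_port

def _matches(pkt, proto, port_lo, port_hi, cidr):
    return (proto == pkt.proto
            and port_lo <= _dst_port(pkt) <= port_hi
            and ipaddress.ip_address(pkt.remote_ip) in ipaddress.ip_network(cidr))

class SecurityGroup:
    """Instance/ENI level, ALLOW rules only, stateful."""
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound   # (proto, lo, hi, cidr)
        self.tracked = set()                               # flows already permitted

    def evaluate(self, pkt):
        flow = (pkt.proto, pkt.remote_ip, pkt.remote_port, pkt.local_port)
        if flow in self.tracked:
            return "ALLOW"                 # return traffic of a permitted flow, no rule needed
        rules = self.inbound if pkt.direction == "in" else self.outbound
        for rule in rules:
            if _matches(pkt, *rule):
                self.tracked.add(flow)
                return "ALLOW"
        return "DENY"                      # there is no explicit DENY; unmatched traffic is dropped

class NetworkAcl:
    """Subnet level, numbered ALLOW/DENY rules, first match wins, stateless."""
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound   # (number, proto, lo, hi, cidr, action)

    def evaluate(self, pkt):
        rules = self.inbound if pkt.direction == "in" else self.outbound
        for number, proto, lo, hi, cidr, action in sorted(rules):
            if _matches(pkt, proto, lo, hi, cidr):
                return action.upper()
        return "DENY"                      # the implicit final '*' deny rule

# Constructed exchange: client 203.0.113.10:51000 -> instance:443, then the reply.
HTTPS_EXCHANGE = [
    Packet("in", "tcp", "203.0.113.10", 51000, 443),
    Packet("out", "tcp", "203.0.113.10", 51000, 443),
]

def simulate(filter_obj, packets):
    return [filter_obj.evaluate(p) for p in packets]

def demo():
    """Return each filter's verdicts on the same exchange."""
    sg = SecurityGroup(inbound=[("tcp", 443, 443, "0.0.0.0/0")], outbound=[])
    nacl_ok = NetworkAcl(
        inbound=[(100, "tcp", 443, 443, "0.0.0.0/0", "allow")],
        outbound=[(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow")])
    nacl_no_ephemeral = NetworkAcl(
        inbound=[(100, "tcp", 443, 443, "0.0.0.0/0", "allow")], outbound=[])
    nacl_blocklist = NetworkAcl(
        inbound=[(50, "tcp", 0, 65535, "203.0.113.0/24", "deny"),
                 (100, "tcp", 443, 443, "0.0.0.0/0", "allow")],
        outbound=[(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow")])
    return {
        "security_group": simulate(sg, HTTPS_EXCHANGE),
        "nacl_with_ephemeral_rule": simulate(nacl_ok, HTTPS_EXCHANGE),
        "nacl_missing_ephemeral_rule": simulate(nacl_no_ephemeral, HTTPS_EXCHANGE),
        "nacl_deny_before_allow": nacl_blocklist.evaluate(HTTPS_EXCHANGE[0]),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The "missing ephemeral rule" case is the classic NACL mistake: the request is accepted, the instance answers, and the reply is silently dropped at the subnet boundary. The blocklist case shows the one thing a security group cannot express, an explicit DENY for a specific source range evaluated ahead of a broad ALLOW.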

Billing and Pricing

Billing and Pricing - Consolidated Billing

  • One bill for all of your accounts
  • Consolidate your billing and payment methods across multiple AWS accounts into one bill
  • For billing AWS treats all the accounts in an organization as if they were one account
  • You can designate one master account that pays the charges of all the other member accounts
  • Consolidated billing is offered at no additional cost
  • Use Cost Explorer to visualize usage for consolidated billing

Billing and Pricing - Consolidated Billing - Volume Discounts

  • AWS has Volume Discounts for many services. The more you use, the more you save.
  • Consolidated Billing lets you take advantage of Volume Discounts

Billing and Pricing - AWS Cost Explorer

  • AWS Cost Explorer lets you visualize, understand, and manage your AWS costs and usage over time
  • If you have multiple AWS accounts within an AWS Organization, costs are consolidated in the master account
  • Default reports help you gain insight into your cost drivers and usage trends
  • You can view your data at a monthly or daily level of granularity
  • You can use filter and grouping functionalities to dig even deeper into your data

Billing and Pricing - AWS Budgets

  • first two budgets are free of charge
  • each additional budget is $0.02 per day (~0.60 USD / month)
  • 20,000 budgets limit
  • AWS Budgets gives you the ability to set up alerts if you exceed or are approaching your defined budget
  • Budget types: Cost budget, Usage budget and Reservation budget
  • can be tracked at the monthly, quarterly, or yearly levels, with customizable start and end dates
  • reservation alerts support EC2, RDS, Redshift, and ElastiCache reservations
  • can be easily managed from the AWS Budgets dashboard or via the Budgets API
  • get notifications by providing an email or Chatbot

Billing and Pricing - TCO Calculator

  • The Total Cost of Ownership (TCO) Calculator allows you to estimate how much you would save when moving to AWS from on-premises
  • Provides you a detailed set of reports that can be used in executive presentations
  • The tool is built on underlying calculation models that generate fair assessments of value that you can achieve given the data provided
  • The tool is for approximation purposes only!

Billing and Pricing - Resource Groups and Tagging

  • Tags are words or phrases that act as metadata for organizing your AWS resources
  • Resource groups are collections of resources that share one or more tags
  • Helps you organize and consolidate information based on your project and the resources that you use
  • Resource Groups can display details about a group of resources based on
    • Metrics
    • Alarms
    • Configuration Settings
  • At any time you can modify the settings of your resource groups to change what resources appear

Billing and Pricing - AWS Cost and Usage Report

  • Generate a detailed spreadsheet, enabling you to better analyze and understand your AWS costs
  • Places the reports into S3
  • Use Athena to turn the report into a queryable database
  • Use QuickSight to visualize your billing data as graphs

Security

Security - Shared Responsibility Model

  • IN - Customers are responsible for Security in the Cloud - Data / Configuration
  • OF - AWS is responsible for Security of the Cloud - Hardware / Operation of Managed Services / Global Infrastructure

Security - Shared Responsibility Model

  • Customer
    • Customer data
    • Platforms, Applications, Identity and Access Management
    • Operating System, Network and Firewall Configuration
    • Client-Side Data Encryption and Data Integrity Authentication
    • Server-Side Encryption (File System and/or Data)
    • Networking Traffic Protection (Encryption, Integrity, Identity)
  • AWS
    • Software
    • Compute
    • Storage
    • Database
    • Networking
    • Hardware / AWS Global Infrastructure
    • Regions
    • Availability Zones
    • Edge Location

Security - Penetration Testing

  • What is PenTesting ?
    • An authorized simulated cyber attack on a computer system, performed to evaluate the security of the system
    • Can you perform Pentesting on AWS ? Yes
    • Permitted Services
      • EC2 instances, NAT Gateways, and ELB
      • RDS
      • CloudFront
      • Aurora
      • API Gateways
      • AWS Lambda and Lambda@Edge functions
    • Prohibited Activities
      • DNS zone walking Amazon Route 53 Hosted Zones
      • Denial of Service (DoS), Distributed Denial of Service (DDoS), Simulated DoS
      • Port flooding
      • Protocol flooding
      • Request flooding (login request flooding, API request flooding)
    • For Other Simulated Events you will need to submit a request to AWS. A reply could take up to 7 days

Cloud Integration

  • Synchronous communication between applications can be problematic if there are sudden spikes of traffic
  • What if you need to suddenly encode 1K videos but usually it's 10 ?
  • In that case, it's better to decouple your applications
    • using SQS: queue model
    • using SNS: pub/sub model
    • using Kinesis: real-time data streaming model (out of scope for the exam)
  • Those services can scale independently from our application

Cloud Integration - Amazon SQS - Simple Queue Service

  • Oldest AWS offering (over 10 years old)
  • Fully managed service (~serverless), used to decouple applications
  • Scales from 1 message per second to 10K per second
  • Default retention of messages 4 days, maximum 14 days
  • No limit to how many messages can be in the queue
  • Messages are deleted after they're read by consumers
  • Low latency (<10 ms on publish and receive)
  • Consumers share the work to read messages & scale horizontally

Cloud Integration - Amazon SNS - Simple Notification Service

  • The 'event publisher' only sends messages to one SNS topic
  • As many 'event subscribers' as we want listen to the SNS topic notifications
  • Each subscriber to the topic will get all the messages
  • Up to 10,000,000 subscriptions per topic, 100,000 topics limit
  • SNS subscribers can be
    • HTTP/HTTPS (with delivery retries - how many times)
    • Emails, SMS messages, Mobile Notifications
    • SQS queues (fan-out pattern), Lambda functions (write-your-own integration)

General

AWS Organizations and Accounts

  • Organizations allows you to centrally manage billing, control access, compliance, security, and share resources across your AWS accounts.
  • Root Account User is a single sign-in identity that has complete access to all AWS services and resources in an account. Each account has a Root Account User
  • Organization Units are a group of AWS accounts within an organization which can also contain other organizational units - creating a hierarchy
  • Service Control Policies give central control over the allowed permission for all accounts in your organization, helping to ensure your accounts stay within your organization's guidelines

AWS Support Plans

  • Basic (0 $ / month)
    • Email Support only For Billing and Account
    • 7 Trusted Advisor Checks
  • Developer (20 $ / month)
    • Tech Support via Email ~24 hours until reply
    • No third party support
    • General Guidance (< 24h)
    • System Impaired (< 12h)
    • ALL Trusted Advisor Checks
  • Business (100 $ / month)
    • Tech Support via Email ~24 hours until reply
    • No third party support
    • General Guidance
    • System Impaired
    • ALL Trusted Advisor Checks
    • Tech Support via Chat, Phone - anytime 24/7
    • Production System Impaired (< 4h)
    • Production System DOWN (< 1h)
  • Enterprise (15,000 $ / month)
    • Tech Support via Email ~24 hours until reply
    • No third party support
    • General Guidance
    • System Impaired
    • ALL Trusted Advisor Checks
    • Tech Support via Chat, Phone - anytime 24/7
    • Production System Impaired (< 4h)
    • Production System DOWN (< 1h)
    • Business-Critical system DOWN (< 15m)
    • Personal Concierge
    • Technical Account Manager TAM

AWS Support Center

  • https://docs.aws.amazon.com/awssupport/latest/user/getting-started.html

AWS Marketplace

  • https://aws.amazon.com/marketplace

Provisioning

What is provisioning ? - The allocation or creation of resources and services to a customer

  • Elastic Beanstalk - service for deploying and scaling web applications and services developed with Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker
  • OpsWorks - configuration management service that provides managed instances of Chef and Puppet
  • CloudFormation - infrastructure as code, JSON or YAML
  • AWS QuickStart - pre-made packages that can launch and configure your AWS compute, network, storage, and other services required to deploy a workload on AWS
  • AWS Marketplace - a digital catalogue of thousands of software listings from independent software vendors you can use to find, buy, test, and deploy software

Computing

  • EC2 - Elastic Compute Cloud - highly configurable server eg. CPU, Memory, Network, OS
  • ECS - Elastic Container Service Docker as a Service highly scalable, high-performance container orchestration service that supports Docker containers, pay for EC2 instances
  • Fargate - Microservices where you don't think about the infrastructure. Pay per task
  • EKS - Kubernetes as a Service easy to deploy, manage, and scale containerized applications using Kubernetes
  • Lambda - serverless function run code without provisioning or managing servers. You pay only for the compute time you consume
  • Elastic Beanstalk - orchestrates various AWS services, including EC2, S3, Simple Notification Service (SNS), CloudWatch, autoscaling, and Elastic Load Balancers
  • AWS Batch - plans, schedules, and executes your batch computing workloads across the full range of AWS compute services and features, such as Amazon EC2 and Spot Instances

Business Centric Services

  • Amazon Connect - Call Center - Cloud-based call center service you can setup in just a few clicks - based on the same proven system by the Amazon customer service teams.
  • WorkSpaces- Virtual Remote Desktop - Secure managed service for provisioning either Windows or Linux desktop in just a few minutes which quickly scales up to thousands of desktops
  • WorkDocs - A content creation and collaboration service - easily create, edit, and share content saved centrally in AWS. (the AWS version of Sharepoint)
  • Chime - AWS Platform for online meetings, video conferencing, and business calling which elastically scales to meet your capacity needs
  • WorkMail - Managed business email, contacts, and calendar service with support for existing desktop and email client applications.
  • Pinpoint - Marketing campaign management system you can use for sending targeted email, SMS, push notification, and voice messages
  • SES - Simple Email Service - A cloud-based email sending service designed for marketers and application developers to send marketing, notification, and transactional emails
  • QuickSight - A Business Intelligence (BI) service. Connect multiple data sources and quickly visualize data in the form of graphs with little to no programming knowledge

Enterprise Integration

  • Direct Connect - dedicated Gigabit network connection from your premises to AWS. Imagine having a direct fibre optic cable running straight to AWS
  • VPN - establish a secure connection to your AWS network
    • Site-to-Site VPN - Connecting your on-premise to your AWS network
    • Client VPN - Connecting a Client (a laptop) to your AWS network
  • Storage Gateway - A hybrid storage service that enables your on-premises applications to use AWS cloud storage. You can use this for backup and archiving, disaster recovery, cloud data processing, storage tiering, and migration
  • Active Directory - The AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD - enables your directory-aware workloads and AWS resources to use managed Active Directory in the AWS Cloud

A. vs B.

Elastic Transcoder vs MediaConvert

  • Elastic Transcoder (the old way)
    • Transcodes videos to streaming formats
  • AWS Elemental MediaConvert (the new way)
    • Transcodes videos to streaming formats
    • Overlays images
    • Inserts video clips
    • Extracts caption data
    • Robust UI

SNS vs SQS

  • Simple Notification Service - Passes Along Messages, e.g. pub/sub
    • Send notifications to subscribers of topics via multiple protocols, e.g. HTTP, Email, SQS, SMS
    • SNS is generally used for sending plain text emails triggered by other AWS services. The best example of this is billing alarms
    • Can retry sending in case of failure for HTTPS
    • Really good for webhooks, simple internal emails, triggering Lambda functions
  • Simple Queue Service - Queue Up Messages, Guaranteed Delivery
    • Places messages into a queue. Applications poll the queue using the AWS SDK
    • Can retain a message for up to 14 days
    • Can send them in sequential order or in parallel
    • Can ensure only one message is sent
    • Can ensure messages are delivered at least once
    • Really good for delayed tasks, queueing up emails

Amazon Inspector vs AWS Trusted Advisor

  • Amazon Inspector
    • Audits a single EC2 instance that you've selected
    • Generates a report from a long list of security checks (e.g. 699 checks)
  • Trusted Advisor
    • Trusted Advisor doesn't generate a PDF report
    • Gives you a holistic view of recommendations across multiple services and best practices
    • eg. You have open ports on these security groups
    • eg. you should enable MFA on your root account
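The "open ports on these security groups" finding above, reimplemented as an added check (not AWS or Trusted Advisor code): the function walks security groups shaped like the EC2 DescribeSecurityGroups response and flags sensitive ports reachable from any IPv4 or IPv6 address. The port list and the sample groups are constructed assumptions, not Trusted Advisor's own.

```python
"""Flag security group rules open to the world, in the spirit of the Trusted
Advisor 'open ports' recommendation.  Added example, not AWS code: the input
mimics the shape of EC2 DescribeSecurityGroups output, but the groups below
are constructed sample data."""
from typing import Dict, List

# Ports where unrestricted ingress is almost never intended (assumption:
# Trusted Advisor's own port list is not reproduced here).
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL", 1433: "MSSQL"}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

def _rule_cidrs(perm: Dict) -> List[str]:
    # IPv4 ranges live under IpRanges/CidrIp, IPv6 under Ipv6Ranges/CidrIpv6
    return [r["CidrIp"] for r in perm.get("IpRanges", [])] + \
           [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]

def open_port_findings(groups: List[Dict]) -> List[Dict]:
    """Return one finding per (group, sensitive port) reachable from any IP."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not WORLD_CIDRS.intersection(_rule_cidrs(perm)):
                continue  # only world-open rules matter for this check
            if perm.get("IpProtocol") == "-1":
                ports = SENSITIVE_PORTS  # "all traffic": every sensitive port is exposed
            else:
                lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
                ports = {p: n for p, n in SENSITIVE_PORTS.items() if lo <= p <= hi}
            for port, name in sorted(ports.items()):
                findings.append({"GroupId": sg["GroupId"], "Port": port, "Service": name})
    return findings

# Constructed sample: one group with SSH open to the world, one with all
# traffic open over IPv6, one restricted to an internal range (no finding).
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-lab", "IpPermissions": [
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ]},
]

if __name__ == "__main__":
    for f in open_port_findings(SAMPLE_GROUPS):
        print(f"{f['GroupId']}: {f['Service']} (port {f['Port']}) open to the world")
```

HTTPS on port 443 in sg-web is deliberately not flagged; a real Trusted Advisor run uses its own port list and also reports the rule's CIDR.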

ALB vs NLB vs CLB

  • Application
    • Layer 7 Requests
    • HTTP and HTTPS traffic
    • Routing Rules, more usability from old load balancer
    • Can attach WAF
    • Can attach an AWS Certificate Manager (ACM) SSL certificate
  • Network
    • Layer 4 IP protocol data
    • TCP and TLS traffic where extreme performance is required
    • Capable of handling millions of requests per second while maintaining ultra-low latencies
    • Optimized for sudden and volatile traffic patterns while using a single static IP address per Availability Zone
    • Can attach an AWS Certificate Manager (ACM) SSL certificate
  • Classic
    • Layer 4 and Layer 7
    • Intended for applications that were built within the EC2-Classic network
    • Doesn't use target groups
    • Can attach an AWS Certificate Manager (ACM) SSL certificate

SNS vs SES

  • SNS - Simple Notification Service (Practical and Internal)
    • Send notifications to subscribers of topics via multiple protocols, e.g. HTTP, Email, SQS, SMS
    • SNS is generally used for sending plain text emails triggered by other AWS services. The best example of this is billing alarms
    • Most exam questions are going to be talking about SNS because lots of services can trigger SNS for notifications
    • You need to know what topics and subscriptions are in SNS
  • SES - Simple Email Service (Professional, Marketing, Emails)
    • A cloud-based email service, comparable to e.g. SendGrid
    • SES sends HTML emails, SNS cannot
    • SES can receive inbound emails
    • SES can create Email Templates
    • Custom domain name email
    • Monitor your email reputation

AWS Artifact vs AWS Inspector

  • Both Artifact and Inspector produce PDFs
  • AWS Artifact
    • Why should an enterprise trust AWS?
    • Generates a security report that's based on global compliance frameworks such as
      • Service Organization Control (SOC)
      • Payment Card Industry (PCI)
  • AWS Inspector
    • How do we know this EC2 instance is secure?
    • Runs a script that analyzes your EC2 instance and generates a PDF report telling you which security checks passed
    • Audit tool for security of EC2 instances

Scalability vs Elasticity vs Agility

  • Scalability - ability to accommodate a larger load by making the hardware stronger (scale up), or by adding nodes (scale out)
  • Elasticity - once a system is scalable, elasticity means that there will be some 'auto-scaling' so that the system can scale based on the load. This is 'cloud-friendly': pay-per-use, match demand, optimize costs
  • Agility - (not related to scalability - distractor) new IT resources are only a click away, which means that you reduce the time to make those resources available to your developers from weeks to just minutes

AWS Batch vs AWS Lambda

  • Lambda
    • Time limit
    • Limited runtimes
    • Limited temporary disk space
    • Serverless
  • Batch
    • No time limit
    • Any runtime as long as it's packaged as a Docker image
    • Relies on EBS / instance storage disk space
    • Relies on EC2 (can be managed by AWS)

References