AWS Certified Cloud Practitioner (CLF-C01)

2020-07-23 05:12:00


Domain 1: Cloud Concepts

1.1 Define the AWS Cloud and its value proposition
1.2 Identify aspects of AWS Cloud economics
1.3 List the different cloud architecture design principles

Domain 2: Security and Compliance

2.1 Define the AWS shared responsibility model
2.2 Define AWS Cloud security and compliance concepts
2.3 Identify AWS access management capabilities
2.4 Identify resources for security support

Domain 3: Technology

3.1 Define methodsof deploying and operating in the AWS Cloud
3.2 Define the AWS global infrastructure
3.3 Identify the core AWS services
3.4 Identify resources for technology support

Domain 4: Billing and Pricing

4.1 Compare and contrast the various pricing models for AWS
4.2 Recognize the various account structures in relation to AWS billing and pricing
4.3 Identifyresources available for billing support

Exam Guide

Exam Guide - Content Outline

  • Cloud Concept - 28%
  • Security - 24%
  • Technology - 36%
  • Billing and Pricing - 12%

Exam Guide - Response Types

  • Multiple-choice (Choose 1 out of 4)
  • Multiple-response (Choose 2 out of 5)

Exam Guide - White Papers

  • July 2019 - Overview of Amazon Web Services
  • Oct 2018 - Architecting for the Cloud: AWS Best Practices
  • Jun 2018 - How AWS Pricing Works
  • Mar 2018 - Cost Management in the AWS Cloud

Exam Guide - What is Cloud Computing ?

  • cloud com-put-ing noun the practice of using a network of remote servers hosted on the Internet to store, manage, and process data, rather then a local server or a personal computer.

Exam Guide - On-Premise

  • You own the servers
  • You hire the IT people
  • You pay or rent the real-estate
  • You take all the risk

Exam Guide - Cloud Providers

  • Someone else owns the servers
  • Someone else hire the IT people
  • Someone else pays or rent the real-estate
  • You are responsible for your configuration cloud services and code, someone else take care of the rest

Exam Guide - Six Advantages and Benefits of Cloud Computing

Why go with a Cloud Provider over On-Premis? 1. Trade capital expense for variable expense - No upfront-cost instead of paying for data center and servers. Pay On-Demand Pay only when you consume computing resources 2. Benefit from massive economies of scale - Usage from hundreds of thousand of customers aggregated in the cloud. You are sharing the cost with other customers to get unbeatable savings 3. Stop guessing capacity - Eliminate guesswork about infrastructure capacity needs. Instead of paying for idle or underutilized servers, you can scale up or down to meet the current need. 4. Increase speed and agility - Lounch resources within a few clicks in minutes instead of waiting days or weeks of your IT to implement the solution on-premis 5. Stop spending money on running and maintaining data centers - Focus on you own customers, rather than on the heavy lifting of racking, stacking, and powering servers. 6. Go global in minutes - Deploy your app in multiple regions around the world with a few clicks. Provide lower latency and a better experience for you customers at minimal cost.

Exam Guide - SaaS / PaaS / IasS

  • SaaS For Customer Software as a Service A completed product that is run and managed by the service provider. (gmail, office365)
  • PaaS For Developers Platform as a Service Removes the need for your organization to manage the underlying infrastructure. Focus on the deployment and management of your applications. (heroku, google engine)
  • IasS For Admins Infrastructure as Service The basic building blocks for cloud IT. Provides access to networking features, computers and data storage space. (aws, gcp, azure)

Exam Guide - Cloud Computing Deployment Models

  • Cloud - Fully utilizing cloud computing (Startups, SaaS offerings, New projects and companies)
  • Hybrid - Using both Cloud and On-Premise (Banks, FinTech, Investment Management, Large Professional Service providers, Legacy on-premise)
  • On-Premise - Deploying resources on-premises, using virtualization and resource managment tools, is sometimes called 'private cloud' (Public Sector eg. Government, Super Sensitive Data eg. Hospitals, Large Enterprise with heave regulation eg. Insurance Companies)

AWS Global Infrastructure

AWS Networking

  • Region - the geographical location of your network
  • AZ - the data center of your AWS resources
  • VPC - a logically isolated section of the AWS Cloud where you can launch AWS resources
  • Internet Gateway - Enable access to the Internet
  • Route Tables - determine where network traffic from your subnets are directed
  • NACLs - Acts as a firewalls at the subnet level
  • Security Groups - Act as firewall at the instance level
  • Subnets - a logical partition of an IP network into multiple, smaller network segments

AWS Global Infrastructure

  • 69 Availability Zones within 22 Geographic Regions around the world Way More Edge Location than AZs!
  • AWS serves over a million active customers in more than 190 countries
  • Regions physical locations in word with multiple AZs
  • Availability Zones one or more discrete data centers
  • Edge Location datacenter owned by a trusted partner of AWS

AWS Global Infrastructure - Regions

  • A geographically distinct location which has multiple datacenters (AZs)
  • Every region is physically isolated from and independent of every other region in terms of location, power, water supply
  • Each regions has at least 2 AZs
  • AWS largest region is US-EAST
  • New services almost always become available first in US-EAST
  • Not all services are available in all regions
  • US-EAST-1 is the region where you see all your billing information

AWS Global Infrastructure - Availability Zones (AZs)

  • An AZ is a datacenter owned and operated by AWS in which AWS services run
  • Each region has at least 2 AZs
  • AZs are represented by a Region Code, followed by a letter identifier eg. us-east-1a
  • Multi-AZ Distributing your instances across multiple AZs allows failover configuration for handling requests when one goes downd.
  • <10ms latency between AZs
  • An AZ is an isolated location within AWS region

AWS Global Infrastructure - Edge Locations

  • Get data fast or upload data fast to AWS
  • An Edge Location is a datacenter owned by a trusted partner of AWS which has ad direct connection to the AWS network.
  • These locations serve requests for CloudFront and Route 53. Requests going to either of these services will be routed to the nearest edge location automatically.
  • S3 Transfer Acceleration traffic and API Gateway endpoint traffic also use the AWS Edge Network.
  • this allows for low latency no matter where the end user is geographically located.

AWS Global Infrastructure - GovCloud(US)

  • AWS GovCloud Regions allow customers to host sensitive Controlled Unclassified Information and other types of regulated workloads.
  • GovCloud Regions are only operated by employees who are U.S. citizens, on U.S soil.
  • They are only accessible to U.S. entities and root account holders who pass a screening process
  • Customers can architect secure cloud solution that complly with:
    • FedRAMP High baseline
    • DOJ's Criminal Justice Information Systems (CJIS) Security Policy
    • U.S. International Traffic in Arms Regulations (ITAR)
    • Export Administration Regulations (EAR)
    • Department of Defense (DoD) Cloud Computing Security Requirements Guide

AWS - Services

Know your Initialisms

  • IAM - Identity and Access Management
  • S3 - Simple Storage Service
  • SWF - Simple Workflow Service
  • SNS - Simple Notification Service
  • SQS - Simple Queue Service
  • SES - Simple Email Service
  • SSM - Simple System Manager
  • RDS - Relational Database Service
  • VPC - Virtual Private Cloud
  • VPN - Virtual Private Network
  • CFN - CloudFormation
  • WAF - Web Application Firewall
  • MQ - Amazon ActiveMQ
  • ASG - Auto Scaling Groups
  • TAM - Technical Account Manager
  • ELB - Elastic Load Balancer
  • ALB - Application Load Balancer
  • NLB - Network Load Balancer
  • EC2 - Elastic Cloud Compute
  • ECS - Elastic Container Service
  • ECR - Elastic Container Repository
  • EBS - Elastic Block Storage
  • EFS - Elastic File Storage
  • EMR - Elastic MapReduce
  • EB - Elastic Beanstalk
  • ES - Elasticsearch
  • KMS - Elastic Kubernetes Service
  • MKS - Managed Kafka Service
  • IoT - Internet of Things
  • RI - Reserved Instances

VPN - Virtual Private Network

  • lets you establish a secure and private tunnel from your network or device to the AWS global network
  • types
    • AWS Site-to-Site VPN
      • securely connect on-premises network or branch office site to VPC
    • AWS Client VPN
      • securely connect users to AWS or on-premises networks

ASG - Auto Scaling Groups

  • will automatically launch EC2 instance based on configuration and current demand
  • will automatically kill EC2 instance based on configuration and current demand
  • removing auto scaling group will take down all related EC2 instances

ELB - Elastic Load Balancer

  • Application Load Balancer (http, https)
    • types: internet-facing, internal
    • at least in 2 AZs
    • required Target Group (target groups contains list of EC2 instances)
    • DNS name -> Listener -> Port with Rule -> Target Group -> Target (EC2 instance)
    • deleting ELB, will not remove related EC2 instances
  • Network Load Balancer (tcp, tls, udp)
  • Classic Load Balancer (http, https, tcp) (previous generation)

S3 - Simple Storage Service

  • Amazon S3 is a simple key-based object store
  • How much data can I store in Amazon S3?
    • The total volume of data and number of objects you can store are unlimited.
    • Individual Amazon S3 objects can range in size from a minimum of 0 bytes to a maximum of 5TB terabytes.
    • The largest object that can be uploaded in a single PUT is 5GB gigabytes.
    • For objects larger than 100 megabytes, customers should consider using the Multipart Upload capability.
  • S3 buckets are region specific
  • S3 bucket name are globally unique, like dns name
  • Objects are directly accessible via URL
  • You can store virtually any kind of data in any format

Cloud Front

  • CDN - content distribution network
  • Content Distribution Network, It create a cached copy of your website and copies to servers located near people trying download website

RDS - Relational Database Service

  • https://aws.amazon.com/rds/


  • runtime: .net.core, go, java, node.js, python, ruby
  • max 15m

EC2 - Pricing Model

  • On-Demand Instances (Least Commitment)
    • low cost and flexible
    • only pay per hour, or by the minute - varies based on EC2 Instance types
    • Use case: short-term, spiky, unpredictable workloads, first time app
    • Ideal when your workload cannot be interrupted
    • when you launch an EC2 instance it is by default using On-Demand Pricing
    • On-Demand has no up-front payment and no long-term commitment
  • Reserved Instances (RI) up to 75% off (Best Long-term)
    • Use cases: steady-state, predicable usage, or require reserved capacity.
    • reduced pricing is base on Term x Class Offering x Payment Options
      • offering class
        • Standard - up to 75 % reduced pricing compared to on-demand. Cannot change RI Attributes
        • Convertible - up to 54 % reduced pricing compared to on-demand. Allows you to change RI Attributes if greater or equal in value.
        • Scheduled - you reserve instance for specific time periods eg one a week for a few hours
      • terms
        • 1 year or 3 years contract, the longer the term the greater saving
      • payment options
        • all upfront, partial upfront and no upfront
        • the great upfront the great the saving
    • RIs can be shared between multiple accounts within an org
    • unused RIs can be sold in the Reserved Instance Marketplace
  • Spot Instances up to 90% (Biggest Savings)
    • AWS has unused compute capacity that they want to maximize the utility of their idle servers
    • spot instances provide a discount of 90% compared to On-Demand Pricing
    • spot instances can be terminated by AWS if the computing capacity is needed by on-demand customers
    • Use case: for non-critical background jobs
    • Use case: can handle interruptions (server randomly stopping and starting)
    • designed for application that have flexible start and end times or application that are only feasible at very low computer costs
    • AWS Batch is an easy and convenient way to use Spot Pricing
    • Termination Conditions
      • instance can be terminated by AWS ant anytime
      • if your instance is terminated by AWS, you don't get charged for a partial hour of usage
      • if you terminate an instance you will still be charged for any hour that it ran
  • Dedicated (Most Expensive)
    • dedicated servers
    • can be on-demand or reserved (up to 70% off)
    • when you need a guarantee of isolate hardware (enterprise requirements)
    • designed to meet regulatory requirements. When you have to strict server-bound licensing that wan't support multi-tenancy or cloud deployments
    • Use case: when you need a guarantee of isolate hardware (enterprise requirements)
    • Dedicated Host Instance
      • is Single Tenant, when a single customer has dedicated hardware. Physical isolation is what separates customers
      • is NOT Multi-Tenant, when multiple customers are running workloads on the same hardware. Virtual Isolation is what separate customers
    • Enterprises and Large Organizations may have security concerns or obligations about against sharing the same hardware with other AWS Customers

Database Services

  • DynamoDB - NoSQL key/value database (like cassandra)
  • DocumentDB - NoSQL Document database that is MongoDB compatible (like MongoDB)
  • RDS - Relational Database Service that support multiple engines (engines: MySQL, Postgres, Maria DB, Microsoft SQL Server, Aurora)
    • Aurora MySQL (5x faster) and PSQL (3x faster) database fully managed
    • Aurora Serverless - only runs when you need it, like AWS lambda
  • Neptune - Managed Graph Database
  • Redshift - Columnar database, petabyte warehouse
  • ElastiCache - Redis or Memcached database

CloudTrail - Track user activity and API usage

  • AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account.
  • With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure.
  • CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services.


  • CloudWatch - is a collection of multiple services
    • CloudWatch Logs - Performance data about AWS Services eg. CPU Utilization, Memory, Network in Application Logs eg. Rails, Nginx. Lambda logs
    • CloudWatch Metrics - Represents a time-ordered set of data points. A variable to monitor
    • CloudWatch Events - trigger an event based on a condition eg. ever hour take snapshot of server
    • CloudWatch Alarms - triggers notifications based on metrics
    • CloudWatch Dashboard - create visualizations based on metrics

AWS Landing Zone

  • helps enterprises quickly set-up a secure, AWS multi-account
  • provides you with a baseline environment to get started with a multi-account architecture
  • AWS Account Vending Machine (AVM) Automatically provisions and configure new accounts via Service Catalog Template
  • Uses Single Sing-on (SSO) for managing and accessing accounts
  • The environment is customizable to allow customers to implement their own account baselines through a Landing Zone configuration and update pipeline

AWS Quick Starts

  • Prebuilt templates by AWS and AWS Partners to help you deploy popular stacks on AWS
  • Reduce hundreds of manual procedures into just a few steps
  • A Quick Start is composed of 3 parts
    • A reference architecture for the deployment
    • AWS CloudFormation templates that automate and configure the deployment
    • A deployment guide explaining the architecture and implementation in details
  • Most Quick Start reference deployment enable you to spin up a fully functional architecture in less than a hour

AWS Artifact (Security)

  • Way to prove AWS meets a compliance
  • No cost, self-service portal for on-demand access to AWS compliance reports
  • On-demand access to AWS security and compliance reports and select online agreements

Amazon Inspector (Security)

  • Hardening - the act of eliminating as many security risks as possible
  • AWS Inspector runs a security benchmark against specific EC2 instances
  • You can run a variety of security benchmarks
  • Can perform both Network and Host Assessments
    • Install the AWS agent on your EC2 instances
    • Run an assessment for your assessment target
    • Review your findings and remediate security issues

AWS WAF (Security)

  • AWS Web Application Firewall protect your web applications from common web exploits
    • Write your own rules to ALLOW or DENY traffic based on the contents of HTTP request
    • Use a ruleset from a trusted AWS Security Partner in the AWS WAF Rules Marketplace
    • WAF can be attached to either CloudFormation or an Application Load Balancer
  • Protect web applications from attacks covered in the OWASP TOP 10 most dangerous attacks:
    • Injection
    • Broken Authentication
    • Sensitive data exposure
    • XML External Entities (XXE)
    • Broken Access control
    • Security misconfigurations
    • Cross Site Scripting (XSS)
    • Insecure Deserialization
    • Using Components with know vulnerabilities
    • Insufficient logging and monitoring

AWS Shield (Security)

  • AWS Shield is a managed DDoS (Distributed Denial of Service) protection service that safeguards applications running on AWS
  • What is a DDoS attack ? - A malicious attempt to disrupt normal traffic by flooding a website a large amount of fake traffic
  • All AWS customers benefit from the automatic protections of AWS Shield Standard, at no additional charge
  • When you route your traffic through Route53 or CloudFront you are using AWS Shield Standard
  • Protects you against Layer 3,4 and 7 attacks
    • 7 Application
    • 4 Transport
    • 3 Network
    • Types
    • Shield Standard (Free)
      • For protection against most common DDoS attacks, and access to tools and best practices to build a DDOS resilient architecture
      • Automatically available on all AWS services
    • Shield Advanced (3000 USD / Year)
      • For additional protection against larger and more sophisticated attacks, visibility into attacks, and 24x7 access to DDoS experts for complex cases
      • Available on:
        • Amazon Route53
        • Amazon CloudFront
        • Elastic Load Balancing
        • AWS Global Accelerator
        • Elastic IP (Amazon Elastic Compute Cloud and Network Load Balancer)

Amazon Guard Duty (Security)

  • What is IDS/IPS ?
    • Intrusion Detection Sytem
    • Intrusion Protection System
  • A device or software application that monitors a network or systems for malicious activity or policy violations
  • Guard Duty is a threat detection service that continuously monitors for malicious, suspicious activity and unauthorized behavior, It uses Machine Learning to analyze the following AWS logs:
    • CloudTrail Logs
    • VPN Flow Logs
    • DNS logs
  • It will alert you of Findings which you can automate a incident response via CloudWatch Events or with 3rd Party Services

KMS - Kay Management Service

  • A managed service that makes it easy for to create and control the encryption keys to used to encrypt your data
    • KMS is a multi-tenant HSM (hardware security module)
    • Many AWS services are integrated to use KMS to encrypt your data with a simple checkbox
    • KMS uses Envelope Encryption
  • Envelope Encryption
    • When you encrypt your data, your data is protected, but you have to protect your encryption key
    • When you encrypt your data key with a master key as an additional layer of security

Amazon Macie - (Security)

  • Macie is a fully managed service that continuosly monitors S3 data access activity for anomalies, and generates detailed alerts when it detects risk of unauthorized access or inadvertent data leaks
  • Macie works by uses Machine Learning to Analyze your CloudTrail logs
  • Macie has a variety of alerts
    • Anonymized Access
    • Config Compliance
    • Credential Loss
    • Data Compliance
    • File Hosting
    • Identity Enumeration
    • Information Loss
    • Location Anomaly
    • Open Permissions
    • Privilege Escalation
    • Ransomware
    • Service Disruption
    • Suspicious Access


  • infrastructure as code, set up services via templating script eg. yml,json


  • search engine, you have an ecommerce website, and you want to add a search bar

Direct Connect

  • Dedicated Fiber Optics Connections from DataCenter to AWS
  • A large enterprise has their own datacenter, and they need an insanely fast connection directly AWS. If you need to security you can apply a VPN connect on-top of Direct Connect

Amazon Connect

  • Call Center Service
  • Get a toll free number, accept inbound and outbound calls, setup automated phone systems

Amazon Kinesis

  • Overview
    • Kinesis is a managed alternative to Apache Kafka
    • Great for application logs, metrics, IoT, clickstream
    • Great for real-time bid-data
    • Great for streaming processing frameworks (Spark, NiFi, etc...)
    • Data is automatically replicated synchronously to 3 AZ
  • Amazon Kinesis Streams
    • low latency streaming ingest at scale
    • can take a lot of data from
      • click streams
      • IoT devices
      • metrics & logs
  • Amazon Kinesis Analytics
    • perform real-time analytics on stream using SQL
  • Amazon Kinesis Firehose
    • load streams into S3 or Redshift or ElasticSearch or Splunk

Media Connect

  • New version of Elastic Transcoder, Converts Videos to Different Video Types
  • You have 1000 of videos and you need to transcode them into different videos format, maybe you need to apply watermarks, or insert introduction video in front of every video

The Free Services

  • IAM - Identity Access Management
  • Amazon VPC
  • Auto Scaling can provision AWS service which cost money
  • CloudFormation can provision AWS service which cost money
  • Elastic Beanstalk can provision AWS service which cost money
  • Opsworks can provision AWS service which cost money
  • Amplify can provision AWS service which cost money
  • AppSync can provision AWS service which cost money
  • CodeStar can provision AWS service which cost money
  • Organizations & Consolidated Billing
  • AWS Cost Explorer

Systems Manager

  • AWS Systems Manager gives you visibility and control of your infrastructure on AWS
  • Systems Manager provides a unified user interface so you can view operational data from multiple AWS services and allows you to automate operational tasks across your AWS resources
  • With Systems Manager, you can group resources, like Amazon EC2 instances, Amazon S3 buckets, or Amazon RDS instances, by application, view operational data for monitoring and troubleshooting, and take action on your groups of resources

AWS Organizations

  • AWS Organizations helps you centrally govern your environment as you grow and scale your workloads on AWS.
  • Whether you are a growing startup or a large enterprise, Organizations helps you to centrally manage billing; control access, compliance, and security; and share resources across your AWS accounts.
  • Using AWS Organizations, you can automate account creation, create groups of accounts.
  • You can also simplify billing by setting up a single payment method for all of your AWS accounts.


  • What is Athena & Key Benefits
    • Serverless interactive query tool
    • Its not an ETL tool
    • Pay per Query ($ = Scanned data volume)
  • How Athena Works
    • Load data from S3 -> Define the schema -> Query
    • Build on top of Apache Presto
    • Works with AWS Glue
    • ANSI SQL Compliant
    • Popular formats (CSV, JSON, Parquet, Aveo, ORC)
  • Optimise Cost
    • Use columnar formats (e.g. use Parquet)
    • Use compression
    • Use partitions
  • Common Workloads
    • Ad-hoc queries / Exploration / Infrequent queries
    • Redshift + EMR + Athena


  • S3 - Simple Storage Service - object storage
  • S3 Glacier - low cost storage for archiving and long-term backup
  • Storage Gateway - hybrid cloud storage with local caching (file gateway, volume gateway, tape gateway)
  • EBS - Elastic Block Storage - hard drive in the cloud you attach to EC2 instances (SSD, IOPS, Throughput HHD, Cold HHD)
  • EFS - Elastic File Storage - file storage mountable to multiple EC2 instances at the same time
  • Snowball - Physically migrate lots of data via a compute suitcase 50-80 TB
    • Snowball Edge - A better version of Snowball - 100TB
    • Snowmobile - Shipping container, pulled by a semi-trailer truck - 100PB

AWS Trusted Advisor

AWS Trusted Advisor - General

  • Free - 7 Trusted Advisor Checks
  • Business, Enterprise - All Trusted Advisor Checks
  • Advice you on security, saving money, performance, service limits and fault tolerance

AWS Trusted Advisor - Cost Optimization

  • Amazon EC2 Reserved Instances Optimization
  • Low Utilization Amazon EC2 Instances
  • Underutilized Amazon EBS Volumes
  • Amazon EC2 Reserved Instances Lease Expiration
  • Amazon RDS Idle DB Instances
  • Amazon Route 53 Latency Resource Record Sets
  • Idle Load Balancers
  • Unassociated Elastic IP Address
  • Underutilized Amazon Redshift Clusters

AWS Trusted Advisor - Performance

  • CloudFront Alternate Domain Names
  • Amazon EBS Provisioned IOPS (SSD) Volume Attachment Configuration
  • Amazon EC2 to EBS Throughput Optimization
  • Amazon Route 53 Alias Resource Record Sets
  • CloudFront Content Delivery Optimization
  • CloudFront Header Forwarding and Cache Hit Ratio
  • High Utilization Amazon EC2 Instances
  • Large Number of EC2 Security Groups Rules Applied to an Instance
  • Large Number of Rules in an EC2 Security Group
  • Overutilized Amazon EBS Magnetic Volumes

AWS Trusted Advisor - Security

  • AWS CloudTrail Logging
  • IAM Password Policy
  • MFA on Root Account
  • Security Group - Specific Ports Unrestricted
  • Security Group - Unrestricted Access
  • Amazon S3 Bucket Permissions
  • IAM Access Key Rotation
  • Amazon EBS Public Snapshot
  • Amazon RDS Public Snapshot
  • Amazon RDS Security Group Access Risk
  • Amazon Route 53 MX Resource Record Sets and Sender Policy Framework
  • CloudFront Custom SSL Certificates in the IAM Certificate Store
  • CloudFront SSL Certificate on the Origin Server
  • ELB Listener Security
  • ELB Security Group
  • Exposed Access Keys
  • IAM Use

AWS Trusted Advisor - Fault Tolerance

  • Amazon EBS Snapshots
  • Amazon RDS Multi-AZ
  • Amazon S3 Bucket Logging
  • Amazon S3 Bucket Versioning
  • Amazon Aurora DB Instance Accessibility
  • Amazon EC2 Availability Zone Balance
  • Amazon RDS Backups
  • Amazon Route 53 Deleted Health Checks
  • Amazon Route 53 Failover Resource Record Set
  • Amazon Route 53 High TTL Resource Record Set
  • Amazon Route 53 Name Server Delegations
  • Auto Scaling Group Health Check
  • Auto Scaling Group Resources
  • ELB Connection Draining
  • ELB Cross-Zone Load Balancing
  • Load Balancer Optimization
  • VPN Tunnel Redundancy
  • AWS Direct Connect Connection Redundancy
  • AWS Direct Connect Location Redundancy
  • AWS Direct connect Virtual Interface Redundancy
  • EC2Config Service for EC2 Windows Instances
  • ENA Driver Version for EC2 Windows Instances
  • PV Driver Version for EC2 Windows Instances

AWS Trusted Advisor - Service Limits

  • Auto Scaling Group
  • Auto Scaling Launch Configuration
  • CloudFormation Stacks
  • DynamoDB Read Capacity
  • DynamoDB Write Capacity
  • EBS Active Snapshot
  • EBS Active Volumes
  • EBS Cold HDD (sc1) Volume Storage
  • EBS General Purpose SSD (gp2) Volume Storage
  • EBS Magnetic (standard) Volume Storage
  • EBS Provisioned IOPS (SSD) Volume Aggregate IOPS
  • EBS Provisioned IOPS SSD (io1) Volume Storage
  • EBS Throughput Optimized HDD (st1) Volume Storage
  • EC2 Elastic IP Addresses
  • EC2 On-Demand Instances Leases
  • EC2 Reserved Instances Leases
  • ELB Active Load Balancers
  • IAM Group
  • IAM Instance Profiles
  • IAM Policies
  • IAM Roles
  • IAM Server Certificates
  • IAM Users
  • Kinesis Shards per Region
  • RDS Cluster Parameter Groups
  • RDS Cluster Roles
  • RDS Clusters
  • RDS DB Instances
  • RDS DB Parameter Groups
  • RDS DB Security Groups
  • RDS DB Snapshots Per User
  • RDS Event Subscription
  • RDS Max Auths per Security Groups
  • RDS Option Groups
  • RDS Read Replica per Master
  • RDS Reserved Instances
  • RDS Subnet Groups
  • RDS Subnets per Subnet Groups
  • RDS Total Storage Quota
  • Route 53 Hosted Zone
  • Route 53 Max Health Checks
  • Route 53 Reusable Delegation Sets
  • Route 53 Traffic Policies
  • Route 53 Traffic Policy Instances
  • SES Daily Sending Quota
  • VPC
  • VPC Elastic IP Address
  • VPC Internet Gateway


AWS Organizations and Accounts

  • Organizations allows you to centrally manage billing, control access, compliance, security, and share resources across your AWS accounts.
  • Root Account User is a single sign-in identity that has complete access to all AWS services and resources in an account. Each account has a Root Account User
  • Organization Units are a group of AWS accounts within an organization which can also contain other organizational units - creating a hierarchy
  • Service Control Policies give central control over the allowed permission for all accounts in your organization, helping to ensure your accounts stay within your organization's guidelines

AWS Support Plans

  • Basic (0 $ / month)
    • Email Support only For Billing and Account
    • 7 Trusted Advisor Checks
  • Developer (20 $ / month)
    • Tech Support via Email ~24 hours until reply
    • No third party support
    • General Guidance (< 24h)
    • System Impaired (< 12h)
    • ALL Trusted Advisor Checks
  • Business (100 $ / month)
    • Tech Support via Email ~24 hours until reply
    • No third party support
    • General Guidance
    • System Impaired
    • ALL Trusted Advisor Checks
    • Tech Support via Chat, Phone - anytime 24/7
    • Production System Impaired (< 4h)
    • Production System DOWN (< 1h)
  • Enterprise (15,000 $ / month)
    • Tech Support via Email ~24 hours until reply
    • No third party support
    • General Guidance
    • System Impaired
    • ALL Trusted Advisor Checks
    • Tech Support via Chat, Phone - anytime 24/7
    • Production System Impaired (< 4h)
    • Production System DOWN (< 1h)
    • Business-Critical system DOWN (< 15m)
    • Personal Concierge
    • Technical Account Manager TAM

AWS Support Center

  • https://docs.aws.amazon.com/awssupport/latest/user/getting-started.html

AWS Marketplace

  • https://aws.amazon.com/marketplace


What is provisioning ? - The allocation or creation of resources and services to a customer

  • Elastic Beanstalk - service for deploying and scaling web applications adn services developed with Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker
  • OpsWorks - configuration management service that provides managed instances of Chef and Puppet
  • CloudFormation - infrastructure as code, JSON or YAML
  • AWS QuickStart - pre-made packages that can launch and configure your AWS compute, network, storage, and other services required to deploy a workload on AWS
  • AWS Marketplace - a digital catalogue of thousands of software listings from independent software vendors you can use to find, buy, test, and deploy software


  • EC2 - Elastic Compute Cloud - highly configurable server eg. CPU, Memory, Network, OS
  • ECS - Elastic Container Service Docker as a Service highly scalable, high-performance container orchestration service that supports Docker containers, pay for EC2 instances
  • Forgate - Microservices where you don't think about the infrastructure. Play per task
  • EKS - Kubernetes as a Service easy to deploy, manage, and scale containerized applications using Kubernetes
  • Lambda - serverless function run code without provisioning or managing servers. You pay only for the compute time you consume
  • Elastic Beanstalk - orchestrates various AWS services, including EC2, S3, Simple Notification Service (SNS), CloudWatch, autoscaling, and Elastic Load Balancers
  • AWS Batch - plans, schedules, and executes your batch computing workloads across the full range of AWS compute services and features, such as Amazon EC2 and Spot Instances

Business Centric Services

  • Amazon Connect - Call Center - Cloud-based call center service you can setup in just a few clicks - based on the same proven system by the Amazon customer service teams.
  • WorkSpaces- Virtual Remote Desktop - Secure managed service for provisioning either Windows or Linux desktop in just a few minutes which quickly scales up to thousands of desktops
  • WorkDocs - A content creation and collaboration service - easily create, edit, and share content saved centrally in AWS. (the AWS version of Sharepoint)
  • Chime - AWS Platform for online meetings, video conferencing, and business calling which elastically scales to meet your capacity needs
  • WorkMail - Managed business email, contacts, and calendar service with support for existing desktop and email client applications.
  • Pinpoint - Marketing campaign management system you can use for sending targeted email, SMS, push notification, and voice messages
  • SES - Simple Email Service - A cloud-based email sending service designed for marketers nad application developers to send marketing, notification, and emailas
  • QuickSight - A Business Intelligence (BI) service, Connect multiple datasource and quickly visualize data in the form of graphs with little to no programing knowledge

Enterprise Integration

  • Direct Connect - dedicated Gigabit network connection from your premises to AWS. Imagine having a direct fibre optic cable running straight to AWS
  • VPN - establish a secure connection to your AWS network
    • Site-to-Site VPN - Connecting your on-premise to your AWS network
    • Client VPN - Connecting a Client (a laptop) to your AWS network
  • Storage Gateway - A hybrid storage service that enables your on-premises applications to use AWS cloud storage. You can use this for backup and archiving, disaster recovery, cloud data processing, storage tiering, and migration
  • Active Directory - The AWS Directory Service for Microsoft Active Directory also know as AWS Managed Microsoft AD - enables your directory-aware workloads and AWS resources to use managed Active Directory in the AWS Cloud

Billing and Pricing

Billing and Pricing - Consolidated Billing

  • One bill for all of your accounts
  • Consolidate your billing and payment methods across multiple AWS accounts into one bill
  • For billing AWS treats all the accounts in an organization as if they were one account
  • You can designate one master account that pays the charges of all the other member accounts
  • Consolidated billing is offered at no additional cost
  • Use Cost Explorer to visualize usage for consolidated billing

Billing and Pricing - Consolidated Billing - Volume Discounts

  • AWS has Volume Discounts for many services. The more you use, the more you save.
  • Consolidated Billing lets you take advantage of Volume Discounts

Billing and Pricing - AWS Cost Explorer

  • AWS Cost Explorer lets you visualize, understand, and manage your AWS costs and usage over time
  • If you are have multiple AWS accounts within an AWS Organization costs will be consolidated in master account
  • Default reports help you gain insight into your cost drivers and usage trends
  • You can view your data at a monthly or daily level of granularity
  • You can use filter and grouping functionalities to dig even deeper into you data

Billing and Pricing - AWS Budgets

  • first two budgets are free of charge
  • each budget is $0.02 per day ~0.60 USD / month
  • 20,000 budgets limit
  • AWS Budgets give you the ability to setup alerts if you exceed or are approaching your defined budget
  • Budget types Cost budget, Usage budget and Reservation budget
  • can be tracked at the monthly, quarterly, or yearly levels, with customizable start and end dates
  • alerts supports EC2, RDS, Redshift, and ElastiCache reservations
  • can be easily manage from the AWS Budget dashboard or via the Budget API
  • get notification by providing an email or Chatbot

Billing and Pricing - TCO Calculator

  • The Total Cost of Ownership allows you to estimate how much you would save when moving to AWS from on-premise
  • Provides you a detailed set of reports that can be used in executive presentation
  • The tool is build on underlying calculation models that generate fair assessments of value that you can achieve given the data provided
  • The tool is for approximation purposes only!

Billing and Pricing - Resource Groups and Tagging

  • Tags are words or phrases that act as metadata for organizing your AWS resources
  • Resource group are a collection of resource that share one or more tags
  • Helps you organize and consolidate information based on your project and the resources that you use
  • Resource Groups can display details about a group of resource based on
    • Metrics
    • Alarms
    • Configuration Settings
  • At any time you can modify the settings of your resource groups to change what resources appear

Billing and Pricing - AWS Cost and Usage Report

  • Generate a detailed spreadsheet, enabling you to better analyze and understand your AWS costs
  • Places the reports into S3
  • Use Athena to turn the report into a queryable database
  • Use QuickSight to visualize your billing data as graphs


Security - Shared Responsibility Model

  • IN - Customers are responsible for Security in the Cloud - Data / Configuration
  • OF - AWS is responsible for Security of the Cloud - Hardware / Operation of Managed Services / Global Infrastructure

Security - Shared Responsibility Model

  • Customer
    • Customer data
    • Platforms, Applications, Identity and Access Management
    • Operating System, Network and Firewall Configuration
    • Client-Side Data Encryption and Data Integrity Authentication
    • Server-Side Encryption (File System and/or Data)
    • Networking Traffic Protection (Encryption, Integrity, Identity)
  • AWS
    • Software
    • Compute
    • Storage
    • Database
    • Networking
    • Hardware / AWS Global Infrastructure
    • Regions
    • Availability Zones
    • Edge Location

Security - Penetration Testing

  • What is PenTesting ?
    • An authorized simulated cyber attack on a computer system, performed to evaluate the security of the system
    • Can you perform Pentesting on AWS ? Yes
    • Permitted Services
      • EC2 instances, NAT Gateways, and ELB
      • RDS
      • CloudFront
      • Aurora
      • API Gateways
      • AWS Lambda and Lambda@Edge functions
    • Prohibited Activities
      • DNS zone walking Amazon Route 53 Hosted Zones
      • Denial of Service (DoS), Distributed Denial of Service (DDoS), Simulated DoS
      • Port flooding
      • Protocol flooding
      • Request flooding (login request flooding, API request flooding)
    • For Other Simulated Events you will need to submit a request to AWS. A reply could take up to 7 days

A. vs B.

Elastic Transcoder vs MediaConvert

  • Elastic Transoder (the old way)
    • Transcodes videos to streaming formats
  • AWS Elemental MediaConvert (the new way)
    • Transcodes videos to streaming formats
    • Overlays images
    • Insert videos clips
    • Extracts captions data
    • Robust UI


  • Simple Notification Service - Pass Alongs Messages eg. PubSub
    • Send notifications to subscribers of topics via multiple protocol. eg, HTTP, Email, SQS, SMS
    • SNS is generally used for sending plain text emails which is triggered via other AWS Services. The best example of this is billing alarms
    • Can retry sending in case of failure for HTTPS
    • Really good for webhooks, simple internal emails, triggering lambdas functions
  • Simple Queue Service - Queue Up Messages, Guaranteed Delivery
    • Places messages into a queue. Applications pull queue using AWS SDK
    • Can retain a message for up to 14 days
    • Can send them in sequential order or in parallel
    • Can ensure only one message is sent
    • Can ensure messages are delivered at least once
    • Really good for delayed tasks, queueing up emails

Amazon Inspector vs AWS Trusted Advisor

  • Amazon Inspector
    • Audits a single EC2 instance that you've selected
    • Generates a report from a long lisst of security checks i.e 699 checks
  • Trusted Advisor
    • Trusted Advisor doesn't generate out a PDF report
    • Gives you a holistic view of recommendations across multiple services and best practices
    • eg. You have open ports on these security groups
    • eg. you should enable MFA on your root account


  • Application
    • Layer 7 Requests
    • HTTP and HTTPS traffic
    • Routing Rules, more usability from old load balancer
    • Cam attach WAF
    • Can attach Amazon Certification Manager (ACM) SSL Certificate
  • Network
    • Layer 4 IP protocol data
    • TCP and TLS traffic where extreme performance is required
    • Capable of handling millions of requests per second while maintaing ultra-low latencies
    • Optimized for suddent and volatile traffic patterns while using a single static IP address per Availability Zone
    • Can attach Amazon Certification Manager (ACM) SSL Certificate
  • Classic
    • Layer 4 and Layer 7
    • Intended for applications that were build within the EC2-Classic network
    • Doesn't use target Groups
    • Can attach Amazon Certification Manager (ACM) SSL Certificate


  • SNS - Simple Notifications Service (Practical and Internal)
    • Send notifications to subscribers of topics via multiple protocol. eg, HTTP, Email, SQS, SMS
    • SNS is generally used for sending plain text emails which is triggered via other AWS Services. the best eample of this is billing alarms
    • Most exam question are going to be talking about SNS because lots of services can trigger SNS for notifications
    • You Need to Know what are the Topics and Subscriptions regarding SNS
  • SES - Simple Email Service (Professional, Marketing, Emails)
    • A cloud based email service. eg.SendGrid
    • SES sends html emails, SNS cannot
    • SES can receive inbound emails
    • SES can create Email Templates
    • Custom domain name email
    • Monitor your email reputation

AWS Artifact vs AWS Inspector

  • Both Artifact and Inspector compile out PDFs
  • AWS Artifact
    • Why should an enterprise trust AWS ?
    • Generates a security report that's based on global compliance frameworks such as
      • Service Organization control (SOC)
      • Payment Card Industry (PCI)
  • AWS Inspector
    • How do we know this EC2 instance is secure ?
    • Runs a script that analyzes your EC2 instance, that generates a PDF report telling you which security checks passed
    • Audit tool for security of EC2 instances

Security Groups vs NACLs

  • Security Groups
    • Acts as a firewall at the instance level
    • Implicitly denies all traffic
    • You create Allow rules
    • Eg. Allow an EC2 instance access on port 22 for SSH
  • NACLs - Network Access Control Lists
    • Acts as a firewall at the subnet level
    • You create Allow and Deny rules
    • Eg. Block a specific IP address known for abuse