AWS Certified Cloud Practitioner Exam Guide
Learn cloud fundamentals and best practices
- AWS Certified Cloud Practioner AWS Homepage for CPC certification. Download sample questions and the exam guide.
- AWS Web Services Overiew : Whitepaper that describes the full offering from AWS. This is an important paper to read and remember before the test.
- Crushing the aws ccp exam An amazing article on crushing the aws cpc exam recommended resources linked.
- “Training Notes 2021” by Neal Davis:
- Cloud Guru Videos:
- Dojo Practice Exams:
- Udemy “AWS Certified Cloud Practitioner: 500 Practice Exam Questions”:
- Udemy “AWS Certified Cloud Practitioner: 6 Full Practice Exams 2021”:
- DigitalCloud Practice Exam:
- DigitalCloud Exam Simulator:
- YouTube freeCodeCamp freeCodeCamp video is good to review to ensure a full understanding of the broader scope.
- AWS training and certification has CLF-001 sample exam questions here
Study Notes:
A few questions to get you warmed up!
- What is the value of the cloud?
- What is the AWS shared responsibility model?
- What are AWS security best practices?
- How would you estimate AWS Cloud for your workloads before migration?
- What are the economics of the cloud?
- What are AWS billing practices?
- What are the core AWS services offered?
- What are the compute options offered by AWS ?
- What are the network options offered by AWS?
- What are the database technologies offered by AWS?
- What are the various storage options on AWS?
- What are the common use-cases that AWS can support?
- What is a Service Control Policy?
- What is a Security Group?
- What is a NACL?
- What is EC2?
- What is an IG?
- What is a Subnet?
- What is a VPC?
- How do you access an EC2 instance?
- How to ensure high availability across EC2 instances?
- How to create a hybrid cloud architecture?
- What is a storage gateway?
- What is ELB?
- What is EFS?
- What is S3
AWS Cloud
AWS is faster, cheaper, durable and more reliable than most internally managed data centers.
Public cloud general benefits
- Fast Global Deployment in Minutes
- AWS has regions globally and deployments can be done in minutes.
- Speed to Market with Agility
- Faster innovation with AWS allows for faster delivery to customers.
- Discounts from economies of scale
- Costs are shared across users and cheap due to economies of scale.
- No upfront cost to running and maintaining data centers
- Quickly get an application deployed without thinking about IT infrastructure.
- OpEx in favor of CapEx
- Capital Expenditures – are big upfront costs. Operating Expenses are funds to run day-to-day operations. The accounting department will care.
- Elastic Capacity
- No need to guess upfront Capacity – pay as you go.
Non-functional requirements can be met with ease when hosting on public cloud
The following cloud terminology is important for the exam:
- High Availability
- Redundancy, and Failovers allow for a system to have longer uptimes.
- Elasticity
- Demand based capacity provisioning allows for optimal usage of resources that minimizes waste.
- Agility
- AWS Services can help customers innovate faster allowing for reduced time to market.
- Durability
- AWS provides data services that offer long-term data protection and storage.
- Latency
- Time elapsed between a user request and reponse. Low latency is a good thing.
Cloud Computing Models
- IaaS: Infrastructure as a Service e.g.EC2
- PaaS: Platform as a Service e.g. Cloud9
- SaaS: Software as a Service e.g. Sagemaker
Cloud Hosting Models
- Private Cloud: On-prem virtualization as well as off-prem fully managed private cloud, also with Amazone Outpost
- Public Cloud: Fully publicly hosted and managed cloud.
- Hybrid Cloud: AWS Direct Connect service connects customer’s data center with Amazon.
AWS Regions, AZs and Region
Amazon EC2 is hosted in multiple locations world-wide. These locations are composed of AWS Regions, Availability Zones, Local Zones, AWS Outposts, and Wavelength Zones.
- Region
- Is a separate geographic area. Therefore if one is impacted by a natural disaster, chances are that another will not.
- Regions are fully independent.
- Services and resources vary by region.
- No automagic replication across regions.
- Availability Zone
- An Availability Zone (AZ) is one or more discrete data centers with redundant power, networking, and connectivity in an AWS Region.
- AZs give customers the ability to operate production applications and databases that are more highly available, fault tolerant, and scalable than would be possible from a single data center.
- All AZs in an AWS Region are interconnected with high-bandwidth, low-latency networking, over fully redundant, dedicated metro fiber providing high-throughput, low-latency networking between AZs.
- All traffic between AZs is encrypted.
- The network performance is sufficient to accomplish synchronous replication between AZs.
- If applications are distrbuted – deploy to multiple AZs with load balancing.
- Data Center
- Two or more data centers together are part of an AZ.
- Each data center has protections across 4 layers:
- Perimeter – secured perimeter for physical access.
- Infrastrucutre – HVAC, power, fire suppression.
- Data – servers within the building, racked and stacked.
- Environment – site location, seismic data, flooding etc.
- Local Zones
- A Local Zone is an extension of an AWS Region in geographic proximity to your users.
- Local Zones have their own connections to the internet and support AWS Direct Connect, so that resources created in a Local Zone can serve local users with low-latency communications.
- Local Zones provide you the ability to place resources, such as compute and storage, in multiple locations closer to your end users.
- Use case: Run latency sensitive applications closer to the end users.
- Wavelength Zone
- A Wavelength Zone is an isolated zone in the carrier location where the Wavelength infrastructure is deployed. Wavelength Zones are tied to a Region.
- A Wavelength Zone is a logical extension of a Region, and is managed by the control plane in the Region.
- Global Edge Network
- Amazon CloudFront peers with thousands of Tier 1/2/3 telecom carriers globally.
- CloudFront is well connected with all major access networks for optimal performance, and has hundreds of terabits of deployed capacity.
- CloudFront edge locations are connected to the AWS Regions through the AWS network backbone – fully redundant, multiple 100GbE parallel fiber that circles the globe and links with tens of thousands of networks for improved origin fetches and dynamic content acceleration.these are cached closest to audience.
- Mini-data centers created for low latency between applications and users.
- There are many more edge locations than AZs or regions.
Leveraging the Well-Architected Framework
AWS Well Architected helps cloud architects build secure, high-performing, resilient, and efficient infrastructure for a variety of applications and workloads.
- Operational Excellence
- Plan for and anticipate failure.
- Deploy smaller, reversible changes.
- Script infrastructure as code.
- Learn from failure and refine.
- Use case: AWS CodeCommit for versioning application as well as infrastructure.
- Security
- Automate security tasks.
- Encrypt data in transit and at rest.
- Assign only the least privileges required.
- Track who did what and when.
- Ensure security at all application layers.
- Use case: CloudTrail to log all actions performed on your account.
- Reliability
- Recover from failure automatically.
- Scale horizontally for resilience.
- Stop guessing capacity.
- Manage change through automation.
- Test recovery procedures.
- Use Case: RDS on multi-AZ deployments.
- Performance Efficiency
- Use serverless architectures first.
- Use multi-region deployments.
- Delegate tasks to a cloud vendor.
- Experiement with virtual resources.
- Use Case: Lambda to run serverless compute workloads.
- Cost Optimization
- Utilize consumption-based pricing.
- Implement Cloud Financial Management.
- Measure overall efficiency.
- Pay only for resources your application requires.
- Use case: S3 Intelligent Tiering to automatically move your data between access tiers based on usage patterns.
- Sustainability
- Understand your impact.
- Establish sustainability goals.
- Maximize utilization.
- Use managed services.
- Reduce downstream impact.
- Use Case: EC2 Auto-scaling to scale down when demand is low.
AWS Core Services (and concepts)
The following concepts and list of AWS Core Services are essential to understand various layers of an architecture. AWS offers Trusted Advisor tool to business and higher subscriptions. * Provides recommendations that help you follow AWS best practices. * Benefits: cost optimization, performance, security, fault tolerance and service quotas.
For example, a web-based enterprise application will utilize most if no all the layers and select technologies.
Architecture
- Elasticity: The ability to add or remove resources based on demand.
- Scalability: Scalability is the ability to handle increased workload by repeatedly applying a cost-effective strategy for extending a system’s capacity
- Fault Tolerance: Is the property that enables a system to continue operating properly in the event of a failure of one or more faults withing some if its components.
- High Availability: Property of a system to serve the business without failure over a given period of time.
- Principle of least priviledge: Every program and every user of the system should operate using the least set of privileges necessary to complete the job. Primarily, this principle limits the damage that can result from an accident or error.
Billing
- AWS Organization
- Account management services that enables you to consolidate multiple AWS Accounts into an organization that you create and centrally manage.
- Use case: ease of billing, budgetary, security and compliance needs.
- Consolidated billing
- AWS Organizations has a management account that pays the charges of all the member accounts.
- Multiple AWS Accounts can be consolidated for billing and payments.
Security
- Firewall
- AWS Network Firewall automatically scales your network firewall to protect your managed infrastructure.
- Open source rule formats and underlying rules engine easily implements policies.
- IAM
- Identity and Access Managment (IAM) sets and manages guardrails and fine-grained access controls for your workforce and workloads.
- Centrally connect identities to multiple AWS accounts.
- Grant temporary security credentials for workloads that access your AWS resources.
- Continually analyze access to right-size permissions on the journey to least privilege.
- Usecase: “Who can access what” Who=users and workloads. Can access= Permissions with IAM policy. What=Resources within your AWS organization.
- Security Group (SG)
- Is a virtual firewall for EC2 instances to control incomcing and outgoing traffic.
- User Credentials
- Each identity has unique credentials within AWS.
- Identity types: Account Root User, AWS Identity and Access Management user, AWS IAM Identity Center user and Federated identity.
- Access Control List (ACL):
- A firewall layer on the subnet level.
- ACL cannot grant permissions to users in the account.
- ACL can grant basic read/write permissions to other AWS accounts to buckets and objects.
Networking and Content Delivery
- AWS Global Accelerator : Global Traffic
- Improve application availability, performance, and security using the AWS global network.
- Usecases: global traffic manager, API acceleration, Global static IP, low-latency gaming and media workloads.
- Global accelerator sends your users through the AWS global network when accessing your content, speeding up delivery.
- AWS Transit Gateway : No more peering
- AWS Transit Gateway connects your Amazon Virtual Private Clouds (VPCs) and on-premises networks through a central hub.
- Put an end to complex peering relationships.
- Highly scalable cloud router where each new connection is made only once.
- Virtual Private Cloud (VPC): Slice of the cloud
- Foundational service that creates a private virtual network to launch resources.
- Spans AZs in a region.
- VPC A and VPC B can be peered so they act as one logical VPC.You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account. The VPCs can be in different Regions (also known as an inter-Region VPC peering connection).
- The default VPC always exists in every region. But all new VPCs are region specific.
- Subnet : One per AZ
- A subnet is a range of IP address in the VPC. This is a sub-network which allows you to split the network inside the VPC – it is where resources such as EC2 can be launched.
- A private subnet is a good choice for hosting a Database – it will not be accessible directly from the Internet
- A public subnet is a good choice for hosting a WebServer – however it requires a NACL, Router and IG to ensure Internet connectivity
- Each subnet must reside entirely within one Availability Zone and cannot span zones. For HA, launch EC2 instances into subnets of separate AZs
- Public subnet: The subnet has a direct route to an internet gateway. Resources in a public subnet can access the public internet.
- Private subnet: The subnet does not have a direct route to an internet gateway. Resources in a private subnet require a NAT device to access the public internet.
- VPN-only subnet: The subnet has a route to a Site-to-Site VPN connection through a virtual private gateway. The subnet does not have a route to an internet gateway.
- A subnet CIDR reservation is a range of IPv4 or IPv6 addresses that you set aside so that AWS can’t assign them to your network interfaces.
- NACL versus Security Group Subnet and Instance traffic rules.
- NACL is
stateless
and allow one-way traffic i.e. separatly specific inbound and outbound traffic to the subnet. - NACL allow and deny rules are supported. NACLs have an implicit
deny
. NACL rules are processed in order. - Security Group is stateful i.e. rules for inbound and outbound to EC2 instances are same. They allow return traffic.
- Security Group only supports
allow
rules.
- NACL is
- CloudFront: CDN
- A Content Delivery Network (CDN)
- Provides low latency for content delivery.
- Global distribution even when it is hosted in a region.
- Static and dynamic web content. How? Edge location to cache content.
- Route53: DNS
- DNS Service that routes users to Internet applications.
- Domain Name System – a DNS server translates a domain name to an IP address.
- Performs health checks on AWS resources
- Supports hybrid cloud architectures – makes DNS resolution easier
- AWS Direct Connect: VLAN
- Dedicated physical network connection from your on-premises data center to AWS
- Data travels over a private network – virtual LAN from on-prem data center over ethernet fiber optic cable.
- Supports hybrid cloud architecture e.g. host database in the private cloud and the application on the public cloud, direct connect ensures the two talk and allows for data sovereignity
- Use case: Transfer internal data directly to AWS bypassing your ISP, or, build hybrid models or transfer large data sets to AWS.
- AWS VPN: VPN
- Site-to-site VPN creates a secure connection between your internal network and your AWS VPCs.
- Similar to Direct Connect – but the data travels through the public internet
- Cheaper than Direct Connect
- Customer Gateway hosted on-prem connects with a virtual private gateway to establish a site-to-site VPN over the Internet via an ISP.
- API Gateway: API Management
- Build, manage, secure, and scale APIs.
- API Gateway can invoke services such as Lambda functions.
- Support RESTful APIs and WEBSOCKET APIs.
Compute
- Lambda: Serverless Compute
- Serverless: write functions and deploy. AWS manages the servers but no direct access.
- Scales automatically – no need to configure, patch or manage.
- Use case: Real-time file processing, sending email notifications, Backend business logic
- Supports Java, Go, PoweShell, Node.Js, C#, Python, and Ruby. Executes code in response to events, timers or other triggers. Lambda has ’re actively hiring engineers as we respond to changing market conditr – deploy a db or web server whatever you need
- SSH securly connects with a key pair. SSH Client uses private key, the EC2 instance uses a public key
- EIC is EC2 Instance Connect – uses IAM polices to control SSH access to your instances
- AWS Systems Manager- use a web browser, or AWS CLI to manage EC2 instances directly
- ELB: Block Storage
- Distribute network traffic to improve application scalability.
- Elastic Load Balancing and Auto-Scaling is offered by EC2.
- Automatically distribute load across servers – classic, application, gateway and network load balancers.
- Fargate: Containers
- Serverless compute engine for containers.
- Manages containers like Docker.
- Scaled automatically – and serverless.
- ECS: Containers
- Elastic container service.
- Run highly secure, reliable, and scalable containers.
- EKS: Containers
- Amazone Elastic Kubernetes Service.
- Start, run, and scale Kubernetes.
- Lightsail: IAC
- Quickly lauch all resources you need for small projects.
- Simple for folks with no cloud experience.
- Low and predictable fees.
- Outpost: Hybrid Cloud
- Run AWS Infrastructure and services on premises for a consistent hybrid cloud architecture.
- Allows cloud services in the internal data ’re actively hiring engineers as we respond to changing market conditcenter
- Useful for latency or data sovereignty needs
- Used for hybrid experience
- Batch: IAC Spot
- Process large workloads in smaller chunks.
- Dynamically provisions instances based on volume.
- Example – send high volume email 1000 emails at a time or process ML.
Operational Databases and Caching
- Relational Database Service (RDS)
- Launch, manage and scale relational databases on the cloud. Supports Aurora, PostgreSQL, MySQL, MariaDB, Oracle, SQLServer.
- Offers HA, fault tolerance using Multi-AZ deployment option.
- AWS manages the database with automatic software patching, automated backups, OS updates.
- Launch read-repliccas across Regions in order to provide enhanced performance and durability.
- Does not automatically add capacity or storage.
- Aurora
- AWS build Aurora for the cloud compatible with MySQL and PostgreSQL – created by AWS.
- Supported MySQL and PostgreSQL database enginges. 5x and 3x faster that native.
- Scales automatically by adding capacity and storage while providing durability and high availability.
- Backs up to S3, replication to multiple region and storage across 6 stores.
- DynamoDB
- Fully managed serverless NoSQL key-value and document database.
- Scales automatically to massive workloads.
- Adds capacity automatically.
- DocumentDB
- Fully managed document database that supports MongoDB.
- Serverless, scales enterprise workloads using a fully managed native JSON document database.
- Neptune
- Graph database service, fully managed and serverless.
- Fast, reliable and durable.
- User profiles and social connections.
- Usecases: Customer360, Detect fraud patterns, machine learning predictions, IT security detection and investigation.
- ElastiCache
- Microsecond latency and scale with in-memory caching.
- In-memory data cache compatible with Redis and Memcache.
- High-performance, low latency and no durability.
- Usecases: Application performance, ease backend database load, low latency data retrieval needs.
Data Migration and Transfer
- Database Migration Service *
- Feature rich tool that helps you migrate databases to or within AWS.
- Homogenous and hetrogenous databases can be migrated with virtually no downtime.
- Data is synchronized between the source and target continuously.
- Server Migration Service: Deprecated in favor of AWS MGN (AWS Application Migration Services)
- AWS Server Migration Service will automatically replicate live server volumes to AWS and create Amazon Machine Images (AMI) as needed.
- This is being discontiuned in favor of AWS Application Migration Service.
- Application Migration Service: Lift and Shift
- Migrate applications from any source infrastructure that runs supported operating systems.
- Application Migration Service is the next generation of CloudEndure Migration
- Snow Family
- Move large amounts of data to and from AWS physically or process data at the edge.
- Snowcone: Smallest member holds 8TB of usable storage, collect process
- Snowball: 80TB. Cheaper And Snowball Edge used for petabyte scale data migration and has local processing when in a remote environment – supports EC2 and lambda.
- Snowmobile: 100PB. Multi-perabyte or exabyte scale. Data loaded to S3 – securely transported with escort vehicle.
- Data Sync Data Transfer Service
- Data transfer online with speeds are 10x faster.
- Data replication cross-region and cross-account.
Data Analytics
- RedShift : Data warehouse
- Data warehouse: data storage solution with historical data from disparate sources.
- Business intelligence, querying and business intelligence.
- Handles exabyte-scale data.
- Use case: Data consolidation. Run a database when it doesn’t require CRUD.
- Analytics – allows querying to gain business insights.
- Glue : ETL *
- Discover, prepare, and integrate all your data at any scale.
- ETL Service.
- Prepare to better understand your data.
- Lake Formation : Data Lake
- Build, manage, and secure data lakes in days.
- Create, administer, and protect data lakes using familiar database-like features quickly.
- QuickSight: BI
- Business Analytics visualization of data with interactive dashboards that can be embedded in your applications
- Athena : SQL for S3
- Analyze petabyte-scale data where it lives with ease and flexibility.
- S3 SQL. Pre-configured to work with Glue.
- Query service to analyze data using SQL. It is serverless.
- Use cases: run federated queries across relational, nonrelational, object, and custom data sources running on premises or in the cloud. Use ML models in SQL queries or Python. Build distributed big data reconciliation engines. Analyze google analytics data by using AppFlow to store in S3 to query it.
- Data Pipeline :
- Helps you move data between compute and storage services running either AWS or on-premises
- Move data based on conditions, intervals and sends notifactions
- Move from S3 to Redshift.
Big Data and Search
- EMR Map Reduce
- Process large amounts of data via map reduce.
- Analyze data using Hadoop and Apache Spark.
- Usecase: Perform big data analytics, build scalable data piplelines, process real-time data streams, accelerate data science and ML adoption.
- OpenSearch Interactive Log Analytics
- Search petabytes of unstructured data.
- Open source Elastic Search, Open Search Dashboard and Kibana.
Streams
- Kinesis: Stream proecessor
- Easily collect, process, and analyze video and data streams in real time.
- Usecase: Real-time video and data streams, IoT Data, Click Log, Web Stream logs are good use-cases.
- Evolve from batch to real-time analytics.
- MSK: Kafka
- Managed Streaming for Apache Kafka.
- Usecase: Ingest and process log and event streams, run centralized state or data buses, power your event-driven systems.
Artificial Intelligence and Machine Learning
- Rekognitionusecases: Computer Vision
- Automate image and video analysis
- Identify custom labels in image and video
- Use cases: Analyze pizza images to ensure toppings
- Comprehend: NLP
- Natural Language Processing (NLP) Service that finds relationships in text
- Customer sentiment analysis on social media
- Polly: Speech-to-text
- High quality natural sounding human voices in dozens of languages.
- Customize Text to speech output with Speech Synthesis Markup Language tags.
- Usecases: Generate speech in dozens of languages, engage customers with a natural-sounding voice, adjust speaking style, speech rate, pitch and loudness.
- SageMaker: ML
- Machine Learning service.
- Helps you build, train and deploy machine learning models quickly.
- Prepare data for models, train and deploy models, provides deep learning AMIs.
- Recommendation engine for movies, music etc.
- Translate: Translate
- Provides language tanslation and support many languages and content formats.
- Use case: Add localization to websites and applications.
- Lex: Chatbot
- Chatbots with conversational AI.
- Helps you build conversational interfaces like chatbots.
- Recognize speech and understand language.
- Powers Amazon Alexa.
- Integrate voice into device.
- Usecases: Build virtual agents and voice assistants, automate informational responses, improve productivity with application bots, maxminize the information trapped in transcripts.
Storage
- Simple Storage Service S3 – Regional Service with global namespace and bucket policies
- Unique name across all buckets in AWS
- 11 9s of durability: regional level redundancy
- 4 9s of availability
- S3 does not automatically replicate across regions – it can be setup.
- Usecase: Host static websites, data archivale, analytics such as redshift and athena. Upload with S3 transfer acceleration for file uploads from mobile applications.
- S3 Storage Class
- Standard: Durable 11-9s. 4-9s available.
- Intelligent Tiering: Unknown or changing access. Standard durability with 3-9s availability
- Infrequent Access: For Long-Lived, Infrequently Accessed, Millisecond access when needed. Durable with 3 9s availability.
- One-Zone Infrequent Access: Cost 20% less than IA. Use if data is recreatable, infrequent millisecond access, availability is 99.5%.
- Glacier: Data retrieval options 1-5 minutes, 3-5 hours, 5-12 hours. Multiple AZs. Standard durability. Cheap storage options.
- Glacier Deep Archieve: 12hrs or 48hr retrieval options. Cheapest. Long-term data archivale accessed once or twice a year. No availability – but standard durability.
- Outposts: Data that needs to be kept local. Demanding application performance needs.
- Buckets: Root level ‘folders’ for file storage
- Folder
- Object Durability
- Object Availability
- Object Lifecycle
- Object sharing
- Object versioning
- S3 Transfer Acceleration
- S3TA improves uploads and downloads to and from S3 buckets between 50% and 500%.
- Moves data faster over longer distances.
- Shorten distance to S3 via CloudFront.
- EC2 Instance Storage
- Emphemeral storage that is temporary block-level for your instance.
- Lasts during the life of the instance.
- It is temporary block-level storage for instances.
- Provides local fastest I/O.
- EBS – Elastic Block Storage
- Scalable block storage at any scale. Raw volume.
- Good for database storage.
- HDD with an independent life from the instance it is attached to.
- Only one per instance.
- Use cases: Build SAn in the cloud for I/O intensive applications, Run relational or NoSQL databases, reight-size your big-data analytic engine.
- EFS – Elastic File System : Shared file system.
- EFS file system as a common data source for workloads and applications running on multiple instances
- Regional serverless network file system. Like dropbox.
- Only for Linux filesystems.
- Shared directories. Expensive option.
- 11-9s durability and 4-9s availability.
- Storage Gateway: Hybrid storage
- On-prem extends storage to cloud.
- Some on the cloud, some local. File directory – some hosted locally some on the cloud.
- Moving backups to the cloud.
- Reduce costs by being selective, opt for low latency local files.
- AWS Backup: Backup and recovery
- Create a backup plan for all storage.
Messaging and Integration Services
- SQS: Queue
- Fully managed message queuing for microservices, distributed systems, and servlerless applications.
- Sends messages on a queue between publisher and a single subscriber.
- Securely send sensitive data between applications and centrally manage your keys using AWS Key Management.
- Reliably deliver large volumes of data, at any level of throughput, without losing messages or needing other services to be available.
- Usecase: architect a loosely coupled system architecture such as money transfer application. Improve performance and scalability. Requests are processed in FIFO.
- SNS: Topic
- Simple Notification Service – Fully managed Pub/Sub service for A2A and A2P messaging.
- A2P with SMS, texts, push notifactions and email (plain text).
- SES: Email
- Sends rich text HTML Emails from your applications.
- Get reliable, scalable email to communicate with customers at the lowest industry prices.
- Marketing campaigns, and professional richly formatted HTML text.
Developer Tools
- Cloud9: IDE
- IDE write and debug code in your browser
- Build serverless applications – preconfigures environment.
- CodeCommit : Git
- Source Control system for private Git repositories.
- CodeBuild: Build Server
- Allows you to build and test your applicaton source code.
- Compiles source code and runs tests.
- Enables CI-CD
- Produces build artifacts ready to be deployed
- CodeDeploy : Delivery Server
- Automate code edeployment to maintain application uptime.
- Manage the deployment of code to on-premises as well as cloud.
- Use prepackaged build environments or your own, and encrypt artifacts with your own keys.
- Maintain application uptime, deploy to EC2, lambda, fargate and others.
- Supports rolling deployments – it minimizes application downtime.
- CodePipeline: Release Server
- Automate release pipelines with CI-CD.
- AWS offers continuous integration and continuous delivery service.
- CodeStar: Pre-configured CI-CD with CodeCommit, CodeBuild, CodeDeploy and CodePipeline out of the box.
- AWS CodeStar allows you to accelerate application delivery by providing a pre-configured continuous delivery toolchain for developing, building, testing, and deploying your projects on AWS.
- X-Ray: NDC Logs
- X-Ray uses trace data from the AWS resources that power your cloud applications to generate a detailed service map. Typically, applications use nested diagnostic context (NDC) for distributed tracing for microservices.
- The service map shows the client, your front-end service, and backend services that your front-end service calls to process requests and persist data.
- Use the service map to identify bottlenecks, latency spikes, and other issues to solve to improve the performance of your applications.
Deployment and Infrastructure Management Service
- CloudFormation: IaC
- Speed up cloud provisioning with infrastructure as code (IaC).
- A CloudFormation template describes your desired resources and their dependencies so you can launch and configure them together as a stack.
- JSON and YAML are supported – define templates to create stacks.
- Repeatable process for provisioning of resources.
- Usecase: automate the infrastructure-provisiong for EC2 servers
- Elastic Beanstalk: IaC for dummies
- Deploy your web applications and services to AWS and not on-prem.
- Orchestration service that provisions resources.
- Automatically handles deployments, handles capacity provisioning, load balancing and auto-scaling.
- Monitors application health via a health dashboard.
- Usecase: Quickly deploy a scalable Java-based web application to AWS.
- OpsWorks: DevSecOps
- Automate operations with Chef and Puppet on-premises or AWS.
- OpsWorks has three offerings, AWS Opsworks for Chef Automate, AWS OpsWorks for Puppet Enterprise, and AWS OpsWorks Stacks.
Auditing, Monitoring and Logging
- CloudTrail: Audit Trails
- Log and retain account activity as well as unusual activity – enable operational and risk auditing, governance, and compliance of your AWS account
- Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail.
- Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.
- If a user terminates an EC2 instance via an API. Cloudtrail will be able to tell which user took that action.
- Username, event time and name, IP address, access key, region, and error code can be tracked.
- CloudWatch: Logs
- Observe and monitor resources and applications on AWS, on premises, and on other clouds e.g. EC2 on AWS can be watched.
- Amazon CloudWatch is a monitoring and management service for AWS, hybrid, and on-premises applications and infrastructure resources.
- Performance and operational data in the form of logs and metrics.
- Use to detect anomalies in your environment. Set alarms.
- Use cases: Monitor full stack (applications, infrastructure, network, and services) and use alarms, logs, and events data to take automated actions and reduce mean time to resolution (MTTR).
- Amazon Workspace : VDI
- Allows you to host virtual desktops in the cloud.
- Enables employees to work from Home with no data stored on local devices.
- Use cases: Desktop as a service, Virtual Desktop (VDI).
- Amazon Connect : Contact Center
- Provide customer service at a lower cost with a cloud contact center.
- Cloud contact center service.
- Provides customer service functionality.
- Improves productivity of help desk.
- Use cases: omnichannel self-service experience, agent productivity with AI, optimize from insights.
AWS Shared Responsibility Model
“AWS has the responsibilty OF the cloud. Customer has the responsibility IN the cloud.”
Source: https://aws.amazon.com/compliance/shared-responsibility-model/
As a customer of AWS – you are not responsible for the hardware, software, networking, and facilities that run AWS Cloud services across its regions, AZs, data centers and edge locations.
Depending on the Cloud Model – AWS and it’s customer share responsibilities for different layers. However, the customer is Never responsible for the virtualization or the underlying physical infrastructure.
- Inherited Controls (AWS only)
- Controls which a customer fully inherits from AWS.
- Physical and Environmental controls
- Shared Controls (AWS and Customer)
- Patch Management
- Configuration Management
- Awareness & Training
- Customer Controls (Customer only)
- Service and Communications Protection
- Zone Security
- which may require a customer to route or zone data within specific security environments.
AWS is responsible for protecting and securing their infrastructure like whatever is in their data centers. Physical security of AWS data center. AWS maintains UPS, CRAC, fire suppression systems and more. AWS is responisble for any managed service and underlying software, operating system.
You are responsible for your data and applications. Application Data including encryption options. Security configuration – rotating credentials, APIs, VPC access etc. Patching guest operating system of EC2 instances. IAM – application security, identity and access management for systems. Network traffice – you are responsible for it including group firewall configuration.
Report AWS abuse resource
Rotate your keys and change your password, then contact the AWS Trust & Safety team using the Report Amazon AWS abuse form.
AWS Security Best Practices
This is 25% of the weight of the exam
Root User
- Automatically created when you create an AWS account.
- Only root user can delete the account.
- There is just one root user that can exclusively:
- Change your account settings. This includes the account name, email address, root user password, and root user access keys.
- Restore IAM user permissions. If the only IAM administrator accidentally revokes their own permissions, you can sign in as the root user to edit policies and restore those permissions.
- Activate IAM access to the Billing and Cost Management console.
- View certain tax invoices. An IAM user with the aws-portal:ViewBilling permission can view and download VAT invoices from AWS Europe, but not AWS Inc. or Amazon Internet Services Private Limited (AISPL).
- Close your AWS account.
- Register as a seller in the Reserved Instance Marketplace.
- Configure an Amazon S3 bucket to enable MFA (multi-factor authentication).
- Edit or delete an Amazon Simple Storage Service (Amazon S3) bucket policy that includes an invalid virtual private cloud (VPC) ID or VPC endpoint ID
- Sign up for AWS GovCloud (US).
- Request AWS GovCloud (US) account root user access keys from AWS Support.
Best Practice: Identity and Access Management – create a new user and provide a role. Never use the root user unless absolutely required. Protect root account with MFA (Multi-factor authentication).
VPC – Vitual Private Cloud. Default VPC will always be created for you.
- AWS Management Console
- Easy to navigate via web-browser.
- Good for non-technical roles. Use the search feature for easy access.
- AWS CLI – same features as the management console
- New features show up here first.
- Programmatic access provides access to your AWS resources.
- AWS SDK – can be leveraged to make changes to the environment via programmatic access.
Concepts
- Authentication
- An identity that is verified.
- Credentials such as username and password.
- Authorization
- Determines which services and resources the idenitity has access to.
- Permissions are granted via a policy.
- Least Privilege
- Give a user the minimum access required to get the job done.
IAM
- IAM
- A web service that allows you securely control access to AWS resources.
- Users
- Entities in IAM to represent a person or application that can be given access to your AWS resources.
- Applications can be users. This is normally done via access keys.
- Group
- Collection of users – conveniently apply common permissions.
- This is not EC2 Security Group – that is a firewall.
- Can you nest groups? Can you have group inheritance? Are there unlimited groups that can be created?
- Roles
- Roles define access permissions and are temporarily assumed by an IAM user or service.
- DevOps role, Lambda-Execution role are examples.
- Access is assigned using policies.
- You grant users in one AWS account access to resources in another AWS acccount using roles.
- Attach a role to an EC2 instance for access to S3. Applications running on that instance will have access to S3 via roles. This is useful because the application will not need credentials or access keys. This is most secure.
- Policies
- You manage persmissions for IAM users, groups, and roles by creating a policy document in JSON format and attaching it. The policy itself is decoupled from IAM identitieis.
- User – {Policy:Access} – Resource
- Developer Group = {Policy: Resource Access} – Resource
- Role – {Policy:Allow-S3-Access} – S3
- How to limit access to an Amazeon S3 to specific users only? You can add a bucket access policy directly to an Amazon S3 bucket to grant IAM users accesss. I wonder if there is another way, create a special bucket access group with policy to the group, and then add users to the group. Or add users to the policy directly.
- IAM Credentials Report
- Assistance with compliance and auditing by offering a downloadable report that lists all your IAM users in this account and the status of their various credentials including MFA devices in your account.
Security Services
- WAF : XSS SQL-Injection
- WAF is a Web Application Firewall that can protect against common attacks such as XSS or SQL injection.
- Shield DDOS
- AWS Shielf is a managed DDOS protection service. Sheild standard is free but Sheild Advanced provides access to AWS experts for a fee.
- DDOS protections from CloudFront, Route53, Elastic Load Balancing, and AWS Global Accelerator.
- Receive real-time notifications of suspected DDoS incidents via CloudWatch metrics and assistance from AWS during the attack.
- Automatically scrub bad traffic at specific layers: layer 3,4 and 7. Minimize application downtime and latency. Monitor and protect up to 1000 resource types.
- Macie Sensitive Data
- hHelps you discover and protect sensitive data. Uses maching learning, evaluates S3 environment, uncovers PII information.
- Use cases: discover passport numbers stored on S3 using Macie. Find SSNs in S3 files.
- Config Audit config
- Assess, audit, and evaluate configurations of your resources.
- Record and altert by storing in S3.
- Use cases: Streamline operational troubleshooting and change management. Deploy a complicant-as-code framework. Continually audit security monitoring and analysis.
- GuardDuty Threat detection
- Protect your AWS accounts with intelligent threat detection.
- Continuously monitors workload for malicious activity and delivers detailed security findings for visibility and remediation. Network and API calls.
- Use cases: Improve security operations visibility. Assist security analysts in investigations. Identify files containing malware. Route insightful information on security findings.
- Inspector Vulnerability (EC2)
- Automate vulnerability management at scale in EC2, Lambda and ECR container images and network exposure.
- Automated vulnerability management service that continually scans workloads for software vulnerabilities and unintended network exposure. EC2.
- Use cases: Quickly discover vulnerabilities in compute workloads. Prioritize patch remediation. Meet compliance requirements. Identify zero-day vulnerabilities sooner.
- Artifact Compliance Report
- Access Independent Software Vendor compliance report.
- Use artifact to SOC and PCI compliance reports. You can generate the report. Access to the report can be provided. Self-service portal.
- Cognito CIAM
- Customer identity and acess management.
- Delivery frictionless CIAM. Adaptive authentication, support compliance, and data residency requirements. Scale to millions of users with a fully managed, high-performantm and reliable identity store. Federate sign-in using OIDC or SAML 2.0 connect to a broad group of AWS services and products.
- Use-cases: Social media accounts to log in to your application.
Data Encryption and Secrets Management Services
- KMS Key Management
- Key Management Service is multi-tenant encryption key management service.
- Create and control encryption keys managed by AWS used to encrypt or digitally sign your data.
- Centrally manage keys and define policies across integrated services and application from a single point.
- Encrypt data within your applications with the AWS Encryption SDK data encryption library.
- Encrypt EBS volume using KMS.
- CloudHSM Encryption Key Generator.
- Manage single-tenant hardware security modules (HSMs) on AWS.
- Use case: Generate and use cryptographic keys on dedicated FIPS 140-2 Level 3 single-tenant HSM instances. Deploy workloads with high reliability and low latency, and help meet regulatory compliance. Pay by the hour, and backup and shut down HSMS when they’re not needed. Manage HSM capacity and control your costs by adding and removing HSMs from your cluster.
- Secrets Manager Secrets Management
- Use cases: Store secrets securely, manage acess with fine-grained policies, automate secrets rotation, audit and monitor secrets usage.
- Database credentials, API keys, encrypt secrets at rest, integreates with RDS, DOcumentDB, Redshift.
- Retrieve database credentials needed for your application code. Secrets Manager allows you to retrieve database credentials with a call to Secrets Manager APIs, removing the need to hardcode sensitive information in plain text within your application code.
- AWS Certificate Manager Certificate Manager
- Provisiong public and private certificats for free.
- SSL/TLS certificates are supported.
- Use key management for certs and get managed certificate renewal.
- Integrates with Elastic Load Balancing, API Gateway and more.
AWS Costs, Economics and Billing Practices
16% of the exam_questions about 8-10 questions
- EC2 Instances are priced as follows
- On-Demand: EC2 capacity billed to the second.
- Pay for what you use.
- Use case: Applications are under development, workloads are not expected to run for more than a year, no upfront payment or long-term committment, unpredictable workloads but don’t want to be interrupted.
- On-Demand Capacity Reservation: It is possible to buy upfront capacity to mitigate against capacity contraints in an AZ.
- Spot: unused EC2 capacity on sale.
- Pay the least but no guarantee of runtimes or interruptions. A 2-minute warning is provided via instance meta-data that your application should check for and prepare for shutdown.
- Use case: Start and stop time of the workload does not matter. 90% savings over On-Demand. When your workload is feasable only at the lowest price points.
- Spot price in effect at the beginning of each hour.
- Reserved: Upfront capacity reservation committment for long running workloads.
- Pay upfront with a contract to get discounts.
- Use case: Save 75% versus On-Demand and willing to pay upfront for 1 or 3 year reservation.
- Flexibility: All upfront, partial upfront or no upfront is possible. A contract is required. Provides convertible types at 54% discount – change tenancy, OS or region.
- Dedicated Instance and Dedicated Host:
- Dedicated Host: Dedicated bare metal rental and host exclusively for you to install software that have licensing tied to host size.
- Dedicated Instance: Instances run on VPCs on a hardware dedicated to a single customer.
- Use Case: Save 70% off of On-Demand. Software that is licensed based on per-core, per-socket or per-VM. Regulations that require tenancy exclusivity.
- Dedidicated host is a physical server, dedicated instance runs on a host.
- Savings Plan: Compute usage committment for 1 or 3 years applicable across multiple compute services.
- Save upto 72% off of On-Demand.
- Use Case: For flexibility across various services like Lambda, Fargate, and EC2.
- This is a billing convenience nothing to do with a capacity reservation.
- Lambda Pricing
- Computer Time – no charge for times that code is not running.
- Duration – duration of compute and memory usage while execution is counted.
- Free Tier – the free tier includes 1 million free requests each month
- S3 Pricing
- Storage Class
- Storage – number of items, and size.
- Data transfer – outbound.
- Request and data retrieval – number of requests made.
- RDS Pricing
- Running Clock Hours
- Type of Database – brand, size, memory class etc
- Storage – amount of data
- Purchase type – on-demand, reserved instance
- DB count – number of instance
- API – number of calls
- Deployment type – is it multi-AZ
- Outbound – data transfer
Pricing, Billing and Governance
Compute, storage and outbound data transfer is where the costs are for AWS. Data in flight moving between system. Data movement within the AWS region are usually not charged. Data out of AWS to end user is where the data transfer costs are. How AWS Pricing Works whitepaper
- Total Cost of Ownership. Direct and indirect cost of running AWS workloads. How can I reduce my TCO using AWS?
- Minimize capital expenditures.
- Utilize reserved instances.
- Right size your resources.
- Does not consider Networking or Data costs. No personnel or facilities costs.
- AWS Price List API
- Query the price of AWS Services using JSON or CSV. Bulk price or individual APIs.
- Receive price alerts when prices change.
- Application Disovery Service
- Determine the cost of migrating to the cloud.
- Plan migration projects and estimate TCO.
- You can view the discovered servers, group them into applications, and then track the migration status of each application from the Migration Hub console in your home Region.
- Budgets
- Set custom budgets for cost and usage tracking. Alerts.
- Cost, usage and reservation budgets.
- You can choose to be notified through email and Amazon SNS topics when your utilization drops below 80 percent for a given day.
- Cost and Usage Reports
- Break down costs by the hour, day, or month, by product or product resource, or by tags that you define yourself.
- If you get a huge bill – this is where you need to find the needle in the haystack.
- Downloadable detailed and comprehensive report, list usage for each service category and aggregate usage data on a daily, hourly or monthly level.
- Cost Allocation Tags
- Label resources using key-value pairrs.
- Track costs via the cost allocation report.
- Cost Explorer
- Visualize, understand, and manage your AWS costs and usage over time.
- Forecast, build custom apps that use it’s apis, and use granular filtering offered by it’s analytical engine.
- Organizations
- Centrally manage your environment as you scale your AWS resources. Consolidate billing, save costs via volume discounts + reserved instance sharing and govern accounts centrally.
- Programmatically create AWS accounts as you scale at no additional charge.
- Centrally secure and audit. Manage and optimize costs centrally. Group accounts and apply policies across.
- Root Organization is the master payer account that pays for all the accounts.
- You can apply Service Control Policies (SCPs) across all member accounts within the organization.
- Control Tower
- Set up well-architected multi-account environments with pre-configured controls to ensure best practices.
- Provides dashboard to help manage accounts.
- Example, if you want to disallow public write access to all S3 buckets across your accounts – you can use Control Tower to enforce this.
- Systems Manager
- Operation insights into AWS resources, other cloud resources and on-prem resources.
- Automate configuration and ongoing management including instance compliance relative to patch, configuration and custom policies.
- Visibility and control. Group resources to take action. Patch and run commands on multiple EC2 and RDS.
- Usecase: Deploy operating system and software patchs automatically across a large group of instances.
- Trusted Advisor
- Cost, Performance, Security, Fault Tolerance, and Service Limits.
- Checks IAM password policy (not free). RDS public snapshot, service usage greater than 80% (available to business or enterprise). Check for exposed access keys (business support) and various other checks.
- Use case: check read and write capacity service limits for DynamoDB.
- Personal Health Dashboard
- Alerts you on impacts to your AWS environment.
- Marketplace
- Digital catalog of prebuilt solutions you can purchase or license.
- AWS Partner Network (APN)
- Global community of approved partners that offer solutions and consulting services
- Help design and build a new application.
- Managed Services
- Augment internall staff with additional resources to manage AWS.
- Patch management, monitoring, event management, cost optimization etc.
- Will not operate or configur your applications.
- Professional Services
- Move to a cloud based operating model
- Propose solutions.
- Architect soutions.
- You can quickly move from on-prem to cloud.
- AWS License Manager
- AWS and on-premise license manager.
- Fine-tune your license costs.
Support Plans
- Basic – free. * Email support only and discussion forums.
- Developer – $29 pm : * Fordevelopment and testing. * 1 contact. * Cloud support associate via email during business hours.
- Business – $100 pm : * Production workloads. * Unlimited contact. * Full Trusted Advisory. * Email, phone and chat 24/7. Production system down – less than one hour.
- Enterprise – $15k pm * Mission-critical production workloads. * Exclusive: Technical Account Manager, Concierge support team, infrastructure event support. * Less than 15m for business critical system down.
AWS Official Web Pages
AWS Official Certification
- Currently Available AWS Certifications
- AWS Certification Preparation Page
- AWS Training
- Schedule and Manage Exams
- Benefits for AWS Certified Individuals
- AWS Blogs
- AWS Labs
- AWS Free Course
- AWS Skill Builder
AWS Exam Guide
AWS White Papers
- AWS Well-Architected Framework
- AWS Well-Architected Framework: Operational Excellence Pillar
- AWS Well-Architected Framework: Reliability Pillar
- AWS Well-Architected Framework: Security Pillar
- AWS Well-Architected Framework: Performance Efficiency Pillar
- AWS Well-Architected Framework: Cost Optimization Pillar
- AWS: Overview of Security Processes
- Backup, Archive, and Restore Approaches Using AWS
- Big Data Analytics Options on AWS
- Blue/Green Deployments on AWS
- Getting Started with Amazon Aurora
- How AWS Pricing Works
- Overview of Amazon Web Services
- Serverless Architectures with AWS Lambda
FAQ
- API Gateway
- Auto Scaling
- CloudFormation
- CloudWatch
- CloudTrail
- DynamoDB
- EBS (Elastic Block Store)
- EC2
- ElastiCache
- Elastic Beanstalk
- IAM (Identity and Access Management)
- KMS (Key Management Service)
- Kinesis Data Streams
- Lambda
- RDS
- Route53
- S3
- SQS (Simple Queue Service)
- SNS (Simple Notification Service
- VPC
Videos Course
- Youtube video course by Andrew Brown of ExamPro: 4 hours
- AWS Cloud Practitioner Essentials (Second Edition)
- AWS Certified Cloud Practitioner Training Bootcamp
- paid Udemy course by Stephane Maarek: 11 hours, 5 articles and 1 practice test
- paid Whizlabs course: 6 hours and 21 labs
- paid Udemy course by Alan Rodrigues: 9 hours, 13 articles and 2 practice tests
- Official Sample Questions
- Exam topics +800 questions (mostly accessible without Login)
- paid Udemy Practice Exam Questions by Neal Davis: 6 practice tests
- paid Tutorials Dojo 4 practice exams by Jon Bonso
- paid Whizlabs: 3 Full-Length Mock Exams (195 unique questions) and Practice Tests – 3 Set of the quiz (65 questions in each quiz)
Notes
- AWS CCP – Thoughts, My Journey, My Opinion
- AWS Certified Cloud Practitioner Exam Study Path
- AWS Practitioner Training Notes / Cheat Sheets
- I Sat the AWS Cloud Practitioner Exam Online: Here’s What Happened
- Video: Passing the AW
Learn cloud fundamentals and best practices
- AWS Certified Cloud Practioner AWS Homepage for CPC certification. Download sample questions and the exam guide.
- AWS Web Services Overiew : Whitepaper that describes the full offering from AWS. This is an important paper to read and remember before the test.
- Crushing the aws ccp exam An amazing article on crushing the aws cpc exam recommended resources linked.
- “Training Notes 2021” by Neal Davis:
- Cloud Guru Videos:
- Dojo Practice Exams:
- Udemy “AWS Certified Cloud Practitioner: 500 Practice Exam Questions”:
- Udemy “AWS Certified Cloud Practitioner: 6 Full Practice Exams 2021”:
- DigitalCloud Practice Exam:
- DigitalCloud Exam Simulator:
- YouTube freeCodeCamp freeCodeCamp video is good to review to ensure a full understanding of the broader scope.
- AWS training and certification has CLF-001 sample exam questions here
Study Notes:
A few questions to get you warmed up!
- What is the value of the cloud?
- What is the AWS shared responsibility model?
- What are AWS security best practices?
- How would you estimate AWS Cloud for your workloads before migration?
- What are the economics of the cloud?
- What are AWS billing practices?
- What are the core AWS services offered?
- What are the compute options offered by AWS ?
- What are the network options offered by AWS?
- What are the database technologies offered by AWS?
- What are the various storage options on AWS?
- What are the common use-cases that AWS can support?
- What is a Service Control Policy?
- What is a Security Group?
- What is a NACL?
- What is EC2?
- What is an IG?
- What is a Subnet?
- What is a VPC?
- How do you access an EC2 instance?
- How to ensure high availability across EC2 instances?
- How to create a hybrid cloud architecture?
- What is a storage gateway?
- What is ELB?
- What is EFS?
- What is S3
01 Value of AWS Cloud
AWS is faster, cheaper, durable and more reliable than most internally managed data centers.
Public cloud general benefits
- Fast Global Deployment in Minutes
- AWS has regions globally and deployments can be done in minutes.
- Speed to Market with Agility
- Faster innovation with AWS allows for faster delivery to customers.
- Discounts from economies of scale
- Costs are shared across users and cheap due to economies of scale.
- No upfront cost to running and maintaining data centers
- Quickly get an application deployed without thinking about IT infrastructure.
- OpEx in favor of CapEx
- Capital Expenditures – are big upfront costs. Operating Expenses are funds to run day-to-day operations. The accounting department will care.
- Elastic Capacity
- No need to guess upfront Capacity – pay as you go.
Non-functional requirements can be met with ease when hosting on public cloud
The following cloud terminology is important for the exam:
- High Availability
- Redundancy, and Failovers allow for a system to have longer uptimes.
- Elasticity
- Demand based capacity provisioning allows for optimal usage of resources that minimizes waste.
- Agility
- AWS Services can help customers innovate faster allowing for reduced time to market.
- Durability
- AWS provides data services that offer long-term data protection and storage.
- Latency
- Time elapsed between a user request and reponse. Low latency is a good thing.
- IaaS: Infrastructure as a Service e.g.EC2
- PaaS: Platform as a Service e.g. Cloud9
- SaaS: Software as a Service e.g. Sagemaker
- Private Cloud: On-prem virtualization as well as off-prem fully managed private cloud, also with Amazone Outpost
- Public Cloud: Fully publicly hosted and managed cloud.
- Hybrid Cloud: AWS Direct Connect service connects customer’s data center with Amazon.
- Region
- Is a separate geographic area. Therefore if one is impacted by a natural disaster, chances are that another will not.
- Regions are fully independent.
- Services and resources vary by region.
- No automagic replication across regions.
- Availability Zone
- An Availability Zone (AZ) is one or more discrete data centers with redundant power, networking, and connectivity in an AWS Region.
- AZs give customers the ability to operate production applications and databases that are more highly available, fault tolerant, and scalable than would be possible from a single data center.
- All AZs in an AWS Region are interconnected with high-bandwidth, low-latency networking, over fully redundant, dedicated metro fiber providing high-throughput, low-latency networking between AZs.
- All traffic between AZs is encrypted.
- The network performance is sufficient to accomplish synchronous replication between AZs.
- If applications are distrbuted – deploy to multiple AZs with load balancing.
- Data Center
- Two or more data centers together are part of an AZ.
- Each data center has protections across 4 layers:
- Perimeter – secured perimeter for physical access.
- Infrastrucutre – HVAC, power, fire suppression.
- Data – servers within the building, racked and stacked.
- Environment – site location, seismic data, flooding etc.
- Local Zones
- A Local Zone is an extension of an AWS Region in geographic proximity to your users.
- Local Zones have their own connections to the internet and support AWS Direct Connect, so that resources created in a Local Zone can serve local users with low-latency communications.
- Local Zones provide you the ability to place resources, such as compute and storage, in multiple locations closer to your end users.
- Use case: Run latency sensitive applications closer to the end users.
- Wavelength Zone
- A Wavelength Zone is an isolated zone in the carrier location where the Wavelength infrastructure is deployed. Wavelength Zones are tied to a Region.
- A Wavelength Zone is a logical extension of a Region, and is managed by the control plane in the Region.
- Global Edge Network
- Amazon CloudFront peers with thousands of Tier 1/2/3 telecom carriers globally.
- CloudFront is well connected with all major access networks for optimal performance, and has hundreds of terabits of deployed capacity.
- CloudFront edge locations are connected to the AWS Regions through the AWS network backbone – fully redundant, multiple 100GbE parallel fiber that circles the globe and links with tens of thousands of networks for improved origin fetches and dynamic content acceleration.these are cached closest to audience.
- Mini-data centers created for low latency between applications and users.
- There are many more edge locations than AZs or regions.
- Operational Excellence
- Plan for and anticipate failure.
- Deploy smaller, reversible changes.
- Script infrastructure as code.
- Learn from failure and refine.
- Use case: AWS CodeCommit for versioning application as well as infrastructure.
- Security
- Automate security tasks.
- Encrypt data in transit and at rest.
- Assign only the least privileges required.
- Track who did what and when.
- Ensure security at all application layers.
- Use case: CloudTrail to log all actions performed on your account.
- Reliability
- Recover from failure automatically.
- Scale horizontally for resilience.
- Stop guessing capacity.
- Manage change through automation.
- Test recovery procedures.
- Use Case: RDS on multi-AZ deployments.
- Performance Efficiency
- Use serverless architectures first.
- Use multi-region deployments.
- Delegate tasks to a cloud vendor.
- Experiement with virtual resources.
- Use Case: Lambda to run serverless compute workloads.
- Cost Optimization
- Utilize consumption-based pricing.
- Implement Cloud Financial Management.
- Measure overall efficiency.
- Pay only for resources your application requires.
- Use case: S3 Intelligent Tiering to automatically move your data between access tiers based on usage patterns.
- Sustainability
- Understand your impact.
- Establish sustainability goals.
- Maximize utilization.
- Use managed services.
- Reduce downstream impact.
- Use Case: EC2 Auto-scaling to scale down when demand is low.
- Elasticity: The ability to add or remove resources based on demand.
- Scalability: Scalability is the ability to handle increased workload by repeatedly applying a cost-effective strategy for extending a system’s capacity
- Fault Tolerance: Is the property that enables a system to continue operating properly in the event of a failure of one or more faults withing some if its components.
- High Availability: Property of a system to serve the business without failure over a given period of time.
- Principle of least priviledge: Every program and every user of the system should operate using the least set of privileges necessary to complete the job. Primarily, this principle limits the damage that can result from an accident or error.
- AWS Organization
- Account management services that enables you to consolidate multiple AWS Accounts into an organization that you create and centrally manage.
- Use case: ease of billing, budgetary, security and compliance needs.
- Consolidated billing
- AWS Organizations has a management account that pays the charges of all the member accounts.
- Multiple AWS Accounts can be consolidated for billing and payments.
- Firewall
- AWS Network Firewall automatically scales your network firewall to protect your managed infrastructure.
- Open source rule formats and underlying rules engine easily implements policies.
- IAM
- Identity and Access Managment (IAM) sets and manages guardrails and fine-grained access controls for your workforce and workloads.
- Centrally connect identities to multiple AWS accounts.
- Grant temporary security credentials for workloads that access your AWS resources.
- Continually analyze access to right-size permissions on the journey to least privilege.
- Usecase: “Who can access what” Who=users and workloads. Can access= Permissions with IAM policy. What=Resources within your AWS organization.
- Security Group (SG)
- Is a virtual firewall for EC2 instances to control incomcing and outgoing traffic.
- User Credentials
- Each identity has unique credentials within AWS.
- Identity types: Account Root User, AWS Identity and Access Management user, AWS IAM Identity Center user and Federated identity.
- Access Control List (ACL):
- A firewall layer on the subnet level.
- ACL cannot grant permissions to users in the account.
- ACL can grant basic read/write permissions to other AWS accounts to buckets and objects.
- AWS Global Accelerator : Global Traffic
- Improve application availability, performance, and security using the AWS global network.
- Usecases: global traffic manager, API acceleration, Global static IP, low-latency gaming and media workloads.
- Global accelerator sends your users through the AWS global network when accessing your content, speeding up delivery.
- AWS Transit Gateway : No more peering
- AWS Transit Gateway connects your Amazon Virtual Private Clouds (VPCs) and on-premises networks through a central hub.
- Put an end to complex peering relationships.
- Highly scalable cloud router where each new connection is made only once.
- Virtual Private Cloud (VPC): Slice of the cloud
- Foundational service that creates a private virtual network to launch resources.
- Spans AZs in a region.
- VPC A and VPC B can be peered so they act as one logical VPC.You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account. The VPCs can be in different Regions (also known as an inter-Region VPC peering connection).
- The default VPC always exists in every region. But all new VPCs are region specific.
- Subnet : One per AZ
- A subnet is a range of IP address in the VPC. This is a sub-network which allows you to split the network inside the VPC – it is where resources such as EC2 can be launched.
- A private subnet is a good choice for hosting a Database – it will not be accessible directly from the Internet
- A public subnet is a good choice for hosting a WebServer – however it requires a NACL, Router and IG to ensure Internet connectivity
- Each subnet must reside entirely within one Availability Zone and cannot span zones. For HA, launch EC2 instances into subnets of separate AZs
- Public subnet: The subnet has a direct route to an internet gateway. Resources in a public subnet can access the public internet.
- Private subnet: The subnet does not have a direct route to an internet gateway. Resources in a private subnet require a NAT device to access the public internet.
- VPN-only subnet: The subnet has a route to a Site-to-Site VPN connection through a virtual private gateway. The subnet does not have a route to an internet gateway.
- A subnet CIDR reservation is a range of IPv4 or IPv6 addresses that you set aside so that AWS can’t assign them to your network interfaces.
- NACL versus Security Group Subnet and Instance traffic rules.
- NACL is
stateless
and allow one-way traffic i.e. separatly specific inbound and outbound traffic to the subnet. - NACL allow and deny rules are supported. NACLs have an implicit
deny
. NACL rules are processed in order. - Security Group is stateful i.e. rules for inbound and outbound to EC2 instances are same. They allow return traffic.
- Security Group only supports
allow
rules. - CloudFront: CDN
- A Content Delivery Network (CDN)
- Provides low latency for content delivery.
- Global distribution even when it is hosted in a region.
- Static and dynamic web content. How? Edge location to cache content.
- Route53: DNS
- DNS Service that routes users to Internet applications.
- Domain Name System – a DNS server translates a domain name to an IP address.
- Performs health checks on AWS resources
- Supports hybrid cloud architectures – makes DNS resolution easier
- AWS Direct Connect: VLAN
- Dedicated physical network connection from your on-premises data center to AWS
- Data travels over a private network – virtual LAN from on-prem data center over ethernet fiber optic cable.
- Supports hybrid cloud architecture e.g. host database in the private cloud and the application on the public cloud, direct connect ensures the two talk and allows for data sovereignity
- Use case: Transfer internal data directly to AWS bypassing your ISP, or, build hybrid models or transfer large data sets to AWS.
- AWS VPN: VPN
- Site-to-site VPN creates a secure connection between your internal network and your AWS VPCs.
- Similar to Direct Connect – but the data travels through the public internet
- Cheaper than Direct Connect
- Customer Gateway hosted on-prem connects with a virtual private gateway to establish a site-to-site VPN over the Internet via an ISP.
- API Gateway: API Management
- Build, manage, secure, and scale APIs.
- API Gateway can invoke services such as Lambda functions.
- Support RESTful APIs and WEBSOCKET APIs.
- Lambda: Serverless Compute
- Serverless: write functions and deploy. AWS manages the servers but no direct access.
- Scales automatically – no need to configure, patch or manage.
- Use case: Real-time file processing, sending email notifications, Backend business logic
- Supports Java, Go, PoweShell, Node.Js, C#, Python, and Ruby. Executes code in response to events, timers or other triggers. Lambda has ’re actively hiring engineers as we respond to changing market conditr – deploy a db or web server whatever you need
- SSH securly connects with a key pair. SSH Client uses private key, the EC2 instance uses a public key
- EIC is EC2 Instance Connect – uses IAM polices to control SSH access to your instances
- AWS Systems Manager- use a web browser, or AWS CLI to manage EC2 instances directly
- ELB: Block Storage
- Distribute network traffic to improve application scalability.
- Elastic Load Balancing and Auto-Scaling is offered by EC2.
- Automatically distribute load across servers – classic, application, gateway and network load balancers.
- Fargate: Containers
- Serverless compute engine for containers.
- Manages containers like Docker.
- Scaled automatically – and serverless.
- ECS: Containers
- Elastic container service.
- Run highly secure, reliable, and scalable containers.
- EKS: Containers
- Amazone Elastic Kubernetes Service.
- Start, run, and scale Kubernetes.
- Lightsail: IAC
- Quickly lauch all resources you need for small projects.
- Simple for folks with no cloud experience.
- Low and predictable fees.
- Outpost: Hybrid Cloud
- Run AWS Infrastructure and services on premises for a consistent hybrid cloud architecture.
- Allows cloud services in the internal data ’re actively hiring engineers as we respond to changing market conditcenter
- Useful for latency or data sovereignty needs
- Used for hybrid experience
- Batch: IAC Spot
- Process large workloads in smaller chunks.
- Dynamically provisions instances based on volume.
- Example – send high volume email 1000 emails at a time or process ML.
- Relational Database Service (RDS)
- Launch, manage and scale relational databases on the cloud. Supports Aurora, PostgreSQL, MySQL, MariaDB, Oracle, SQLServer.
- Offers HA, fault tolerance using Multi-AZ deployment option.
- AWS manages the database with automatic software patching, automated backups, OS updates.
- Launch read-repliccas across Regions in order to provide enhanced performance and durability.
- Does not automatically add capacity or storage.
- Aurora
- AWS build Aurora for the cloud compatible with MySQL and PostgreSQL – created by AWS.
- Supported MySQL and PostgreSQL database enginges. 5x and 3x faster that native.
- Scales automatically by adding capacity and storage while providing durability and high availability.
- Backs up to S3, replication to multiple region and storage across 6 stores.
- DynamoDB
- Fully managed serverless NoSQL key-value and document database.
- Scales automatically to massive workloads.
- Adds capacity automatically.
- DocumentDB
- Fully managed document database that supports MongoDB.
- Serverless, scales enterprise workloads using a fully managed native JSON document database.
- Neptune
- Graph database service, fully managed and serverless.
- Fast, reliable and durable.
- User profiles and social connections.
- Usecases: Customer360, Detect fraud patterns, machine learning predictions, IT security detection and investigation.
- ElastiCache
- Microsecond latency and scale with in-memory caching.
- In-memory data cache compatible with Redis and Memcache.
- High-performance, low latency and no durability.
- Usecases: Application performance, ease backend database load, low latency data retrieval needs.
- Database Migration Service *
- Feature rich tool that helps you migrate databases to or within AWS.
- Homogenous and hetrogenous databases can be migrated with virtually no downtime.
- Data is synchronized between the source and target continuously.
- Server Migration Service: Deprecated in favor of AWS MGN (AWS Application Migration Services)
- AWS Server Migration Service will automatically replicate live server volumes to AWS and create Amazon Machine Images (AMI) as needed.
- This is being discontiuned in favor of AWS Application Migration Service.
- Application Migration Service: Lift and Shift
- Migrate applications from any source infrastructure that runs supported operating systems.
- Application Migration Service is the next generation of CloudEndure Migration
- Snow Family
- Move large amounts of data to and from AWS physically or process data at the edge.
- Snowcone: Smallest member holds 8TB of usable storage, collect process
- Snowball: 80TB. Cheaper And Snowball Edge used for petabyte scale data migration and has local processing when in a remote environment – supports EC2 and lambda.
- Snowmobile: 100PB. Multi-perabyte or exabyte scale. Data loaded to S3 – securely transported with escort vehicle.
- Data Sync Data Transfer Service
- Data transfer online with speeds are 10x faster.
- Data replication cross-region and cross-account.
- RedShift : Data warehouse
- Data warehouse: data storage solution with historical data from disparate sources.
- Business intelligence, querying and business intelligence.
- Handles exabyte-scale data.
- Use case: Data consolidation. Run a database when it doesn’t require CRUD.
- Analytics – allows querying to gain business insights.
- Glue : ETL *
- Discover, prepare, and integrate all your data at any scale.
- ETL Service.
- Prepare to better understand your data.
- Lake Formation : Data Lake
- Build, manage, and secure data lakes in days.
- Create, administer, and protect data lakes using familiar database-like features quickly.
- QuickSight: BI
- Business Analytics visualization of data with interactive dashboards that can be embedded in your applications
- Athena : SQL for S3
- Analyze petabyte-scale data where it lives with ease and flexibility.
- S3 SQL. Pre-configured to work with Glue.
- Query service to analyze data using SQL. It is serverless.
- Use cases: run federated queries across relational, nonrelational, object, and custom data sources running on premises or in the cloud. Use ML models in SQL queries or Python. Build distributed big data reconciliation engines. Analyze google analytics data by using AppFlow to store in S3 to query it.
- Data Pipeline :
- Helps you move data between compute and storage services running either AWS or on-premises
- Move data based on conditions, intervals and sends notifactions
- Move from S3 to Redshift.
- EMR Map Reduce
- Process large amounts of data via map reduce.
- Analyze data using Hadoop and Apache Spark.
- Usecase: Perform big data analytics, build scalable data piplelines, process real-time data streams, accelerate data science and ML adoption.
- OpenSearch Interactive Log Analytics
- Search petabytes of unstructured data.
- Open source Elastic Search, Open Search Dashboard and Kibana.
- Kinesis: Stream proecessor
- Easily collect, process, and analyze video and data streams in real time.
- Usecase: Real-time video and data streams, IoT Data, Click Log, Web Stream logs are good use-cases.
- Evolve from batch to real-time analytics.
- MSK: Kafka
- Managed Streaming for Apache Kafka.
- Usecase: Ingest and process log and event streams, run centralized state or data buses, power your event-driven systems.
- Rekognitionusecases: Computer Vision
- Automate image and video analysis
- Identify custom labels in image and video
- Use cases: Analyze pizza images to ensure toppings
- Comprehend: NLP
- Natural Language Processing (NLP) Service that finds relationships in text
- Customer sentiment analysis on social media
- Polly: Speech-to-text
- High quality natural sounding human voices in dozens of languages.
- Customize Text to speech output with Speech Synthesis Markup Language tags.
- Usecases: Generate speech in dozens of languages, engage customers with a natural-sounding voice, adjust speaking style, speech rate, pitch and loudness.
- SageMaker: ML
- Machine Learning service.
- Helps you build, train and deploy machine learning models quickly.
- Prepare data for models, train and deploy models, provides deep learning AMIs.
- Recommendation engine for movies, music etc.
- Translate: Translate
- Provides language tanslation and support many languages and content formats.
- Use case: Add localization to websites and applications.
- Lex: Chatbot
- Chatbots with conversational AI.
- Helps you build conversational interfaces like chatbots.
- Recognize speech and understand language.
- Powers Amazon Alexa.
- Integrate voice into device.
- Usecases: Build virtual agents and voice assistants, automate informational responses, improve productivity with application bots, maxminize the information trapped in transcripts.
- Simple Storage Service S3 – Regional Service with global namespace and bucket policies
- Unique name across all buckets in AWS
- 11 9s of durability: regional level redundancy
- 4 9s of availability
- S3 does not automatically replicate across regions – it can be setup.
- Usecase: Host static websites, data archivale, analytics such as redshift and athena. Upload with S3 transfer acceleration for file uploads from mobile applications.
- S3 Storage Class
- Standard: Durable 11-9s. 4-9s available.
- Intelligent Tiering: Unknown or changing access. Standard durability with 3-9s availability
- Infrequent Access: For Long-Lived, Infrequently Accessed, Millisecond access when needed. Durable with 3 9s availability.
- One-Zone Infrequent Access: Cost 20% less than IA. Use if data is recreatable, infrequent millisecond access, availability is 99.5%.
- Glacier: Data retrieval options 1-5 minutes, 3-5 hours, 5-12 hours. Multiple AZs. Standard durability. Cheap storage options.
- Glacier Deep Archieve: 12hrs or 48hr retrieval options. Cheapest. Long-term data archivale accessed once or twice a year. No availability – but standard durability.
- Outposts: Data that needs to be kept local. Demanding application performance needs.
- Buckets: Root level ‘folders’ for file storage
- Folder
- Object Durability
- Object Availability
- Object Lifecycle
- Object sharing
- Object versioning
- S3 Transfer Acceleration
- S3TA improves uploads and downloads to and from S3 buckets between 50% and 500%.
- Moves data faster over longer distances.
- Shorten distance to S3 via CloudFront.
- EC2 Instance Storage
- Emphemeral storage that is temporary block-level for your instance.
- Lasts during the life of the instance.
- It is temporary block-level storage for instances.
- Provides local fastest I/O.
- EBS – Elastic Block Storage
- Scalable block storage at any scale. Raw volume.
- Good for database storage.
- HDD with an independent life from the instance it is attached to.
- Only one per instance.
- Use cases: Build SAn in the cloud for I/O intensive applications, Run relational or NoSQL databases, reight-size your big-data analytic engine.
- EFS – Elastic File System : Shared file system.
- EFS file system as a common data source for workloads and applications running on multiple instances
- Regional serverless network file system. Like dropbox.
- Only for Linux filesystems.
- Shared directories. Expensive option.
- 11-9s durability and 4-9s availability.
- Storage Gateway: Hybrid storage
- On-prem extends storage to cloud.
- Some on the cloud, some local. File directory – some hosted locally some on the cloud.
- Moving backups to the cloud.
- Reduce costs by being selective, opt for low latency local files.
- AWS Backup: Backup and recovery
- Create a backup plan for all storage.
- SQS: Queue
- Fully managed message queuing for microservices, distributed systems, and servlerless applications.
- Sends messages on a queue between publisher and a single subscriber.
- Securely send sensitive data between applications and centrally manage your keys using AWS Key Management.
- Reliably deliver large volumes of data, at any level of throughput, without losing messages or needing other services to be available.
- Usecase: architect a loosely coupled system architecture such as money transfer application. Improve performance and scalability. Requests are processed in FIFO.
- SNS: Topic
- Simple Notification Service – Fully managed Pub/Sub service for A2A and A2P messaging.
- A2P with SMS, texts, push notifactions and email (plain text).
- SES: Email
- Sends rich text HTML Emails from your applications.
- Get reliable, scalable email to communicate with customers at the lowest industry prices.
- Marketing campaigns, and professional richly formatted HTML text.
- Cloud9: IDE
- IDE write and debug code in your browser
- Build serverless applications – preconfigures environment.
- CodeCommit : Git
- Source Control system for private Git repositories.
- CodeBuild: Build Server
- Allows you to build and test your applicaton source code.
- Compiles source code and runs tests.
- Enables CI-CD
- Produces build artifacts ready to be deployed
- CodeDeploy : Delivery Server
- Automate code edeployment to maintain application uptime.
- Manage the deployment of code to on-premises as well as cloud.
- Use prepackaged build environments or your own, and encrypt artifacts with your own keys.
- Maintain application uptime, deploy to EC2, lambda, fargate and others.
- Supports rolling deployments – it minimizes application downtime.
- CodePipeline: Release Server
- Automate release pipelines with CI-CD.
- AWS offers continuous integration and continuous delivery service.
- CodeStar: Pre-configured CI-CD with CodeCommit, CodeBuild, CodeDeploy and CodePipeline out of the box.
- AWS CodeStar allows you to accelerate application delivery by providing a pre-configured continuous delivery toolchain for developing, building, testing, and deploying your projects on AWS.
- X-Ray: NDC Logs
- X-Ray uses trace data from the AWS resources that power your cloud applications to generate a detailed service map. Typically, applications use nested diagnostic context (NDC) for distributed tracing for microservices.
- The service map shows the client, your front-end service, and backend services that your front-end service calls to process requests and persist data.
- Use the service map to identify bottlenecks, latency spikes, and other issues to solve to improve the performance of your applications.
- CloudFormation: IaC
- Speed up cloud provisioning with infrastructure as code (IaC).
- A CloudFormation template describes your desired resources and their dependencies so you can launch and configure them together as a stack.
- JSON and YAML are supported – define templates to create stacks.
- Repeatable process for provisioning of resources.
- Usecase: automate the infrastructure-provisiong for EC2 servers
- Elastic Beanstalk: IaC for dummies
- Deploy your web applications and services to AWS and not on-prem.
- Orchestration service that provisions resources.
- Automatically handles deployments, handles capacity provisioning, load balancing and auto-scaling.
- Monitors application health via a health dashboard.
- Usecase: Quickly deploy a scalable Java-based web application to AWS.
- OpsWorks: DevSecOps
- Automate operations with Chef and Puppet on-premises or AWS.
- OpsWorks has three offerings, AWS Opsworks for Chef Automate, AWS OpsWorks for Puppet Enterprise, and AWS OpsWorks Stacks.
- Log and retain account activity as well as unusual activity – enable operational and risk auditing, governance, and compliance of your AWS account
- Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail.
- Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.
- If a user terminates an EC2 instance via an API. Cloudtrail will be able to tell which user took that action.
- Username, event time and name, IP address, access key, region, and error code can be tracked.
- Observe and monitor resources and applications on AWS, on premises, and on other clouds e.g. EC2 on AWS can be watched.
- Amazon CloudWatch is a monitoring and management service for AWS, hybrid, and on-premises applications and infrastructure resources.
- Performance and operational data in the form of logs and metrics.
- Use to detect anomalies in your environment. Set alarms.
- Use cases: Monitor full stack (applications, infrastructure, network, and services) and use alarms, logs, and events data to take automated actions and reduce mean time to resolution (MTTR).
- Allows you to host virtual desktops in the cloud.
- Enables employees to work from Home with no data stored on local devices.
- Use cases: Desktop as a service, Virtual Desktop (VDI).
- Provide customer service at a lower cost with a cloud contact center.
- Cloud contact center service.
- Provides customer service functionality.
- Improves productivity of help desk.
- Use cases: omnichannel self-service experience, agent productivity with AI, optimize from insights.
- Inherited Controls (AWS only)
- Controls which a customer fully inherits from AWS.
- Physical and Environmental controls
- Shared Controls (AWS and Customer)
- Patch Management
- Configuration Management
- Awareness & Training
- Customer Controls (Customer only)
- Service and Communications Protection
- Zone Security
- which may require a customer to route or zone data within specific security environments.
- Automatically created when you create an AWS account.
- Only root user can delete the account.
- There is just one root user that can exclusively:
- Change your account settings. This includes the account name, email address, root user password, and root user access keys.
- Restore IAM user permissions. If the only IAM administrator accidentally revokes their own permissions, you can sign in as the root user to edit policies and restore those permissions.
- Activate IAM access to the Billing and Cost Management console.
- View certain tax invoices. An IAM user with the aws-portal:ViewBilling permission can view and download VAT invoices from AWS Europe, but not AWS Inc. or Amazon Internet Services Private Limited (AISPL).
- Close your AWS account.
- Register as a seller in the Reserved Instance Marketplace.
- Configure an Amazon S3 bucket to enable MFA (multi-factor authentication).
- Edit or delete an Amazon Simple Storage Service (Amazon S3) bucket policy that includes an invalid virtual private cloud (VPC) ID or VPC endpoint ID
- Sign up for AWS GovCloud (US).
- Request AWS GovCloud (US) account root user access keys from AWS Support.
- AWS Management Console
- Easy to navigate via web-browser.
- Good for non-technical roles. Use the search feature for easy access.
- AWS CLI – same features as the management console
- New features show up here first.
- Programmatic access provides access to your AWS resources.
- AWS SDK – can be leveraged to make changes to the environment via programmatic access.
- Authentication
- An identity that is verified.
- Credentials such as username and password.
- Authorization
- Determines which services and resources the idenitity has access to.
- Permissions are granted via a policy.
- Least Privilege
- Give a user the minimum access required to get the job done.
- IAM
- A web service that allows you securely control access to AWS resources.
- Users
- Entities in IAM to represent a person or application that can be given access to your AWS resources.
- Applications can be users. This is normally done via access keys.
- Group
- Collection of users – conveniently apply common permissions.
- This is not EC2 Security Group – that is a firewall.
- Can you nest groups? Can you have group inheritance? Are there unlimited groups that can be created?
- Roles
- Roles define access permissions and are temporarily assumed by an IAM user or service.
- DevOps role, Lambda-Execution role are examples.
- Access is assigned using policies.
- You grant users in one AWS account access to resources in another AWS acccount using roles.
- Attach a role to an EC2 instance for access to S3. Applications running on that instance will have access to S3 via roles. This is useful because the application will not need credentials or access keys. This is most secure.
- Policies
- You manage persmissions for IAM users, groups, and roles by creating a policy document in JSON format and attaching it. The policy itself is decoupled from IAM identitieis.
- User – {Policy:Access} – Resource
- Developer Group = {Policy: Resource Access} – Resource
- Role – {Policy:Allow-S3-Access} – S3
- How to limit access to an Amazeon S3 to specific users only? You can add a bucket access policy directly to an Amazon S3 bucket to grant IAM users accesss. I wonder if there is another way, create a special bucket access group with policy to the group, and then add users to the group. Or add users to the policy directly.
- IAM Credentials Report
- Assistance with compliance and auditing by offering a downloadable report that lists all your IAM users in this account and the status of their various credentials including MFA devices in your account.
- WAF : XSS SQL-Injection
- WAF is a Web Application Firewall that can protect against common attacks such as XSS or SQL injection.
- Shield DDOS
- AWS Shielf is a managed DDOS protection service. Sheild standard is free but Sheild Advanced provides access to AWS experts for a fee.
- DDOS protections from CloudFront, Route53, Elastic Load Balancing, and AWS Global Accelerator.
- Receive real-time notifications of suspected DDoS incidents via CloudWatch metrics and assistance from AWS during the attack.
- Automatically scrub bad traffic at specific layers: layer 3,4 and 7. Minimize application downtime and latency. Monitor and protect up to 1000 resource types.
- Macie Sensitive Data
- hHelps you discover and protect sensitive data. Uses maching learning, evaluates S3 environment, uncovers PII information.
- Use cases: discover passport numbers stored on S3 using Macie. Find SSNs in S3 files.
- Config Audit config
- Assess, audit, and evaluate configurations of your resources.
- Record and altert by storing in S3.
- Use cases: Streamline operational troubleshooting and change management. Deploy a complicant-as-code framework. Continually audit security monitoring and analysis.
- GuardDuty Threat detection
- Protect your AWS accounts with intelligent threat detection.
- Continuously monitors workload for malicious activity and delivers detailed security findings for visibility and remediation. Network and API calls.
- Use cases: Improve security operations visibility. Assist security analysts in investigations. Identify files containing malware. Route insightful information on security findings.
- Inspector Vulnerability (EC2)
- Automate vulnerability management at scale in EC2, Lambda and ECR container images and network exposure.
- Automated vulnerability management service that continually scans workloads for software vulnerabilities and unintended network exposure. EC2.
- Use cases: Quickly discover vulnerabilities in compute workloads. Prioritize patch remediation. Meet compliance requirements. Identify zero-day vulnerabilities sooner.
- Artifact Compliance Report
- Access Independent Software Vendor compliance report.
- Use artifact to SOC and PCI compliance reports. You can generate the report. Access to the report can be provided. Self-service portal.
- Cognito CIAM
- Customer identity and acess management.
- Delivery frictionless CIAM. Adaptive authentication, support compliance, and data residency requirements. Scale to millions of users with a fully managed, high-performantm and reliable identity store. Federate sign-in using OIDC or SAML 2.0 connect to a broad group of AWS services and products.
- Use-cases: Social media accounts to log in to your application.
- KMS Key Management
- Key Management Service is multi-tenant encryption key management service.
- Create and control encryption keys managed by AWS used to encrypt or digitally sign your data.
- Centrally manage keys and define policies across integrated services and application from a single point.
- Encrypt data within your applications with the AWS Encryption SDK data encryption library.
- Encrypt EBS volume using KMS.
- CloudHSM Encryption Key Generator.
- Manage single-tenant hardware security modules (HSMs) on AWS.
- Use case: Generate and use cryptographic keys on dedicated FIPS 140-2 Level 3 single-tenant HSM instances. Deploy workloads with high reliability and low latency, and help meet regulatory compliance. Pay by the hour, and backup and shut down HSMS when they’re not needed. Manage HSM capacity and control your costs by adding and removing HSMs from your cluster.
- Secrets Manager Secrets Management
- Use cases: Store secrets securely, manage acess with fine-grained policies, automate secrets rotation, audit and monitor secrets usage.
- Database credentials, API keys, encrypt secrets at rest, integreates with RDS, DOcumentDB, Redshift.
- Retrieve database credentials needed for your application code. Secrets Manager allows you to retrieve database credentials with a call to Secrets Manager APIs, removing the need to hardcode sensitive information in plain text within your application code.
- AWS Certificate Manager Certificate Manager
- Provisiong public and private certificats for free.
- SSL/TLS certificates are supported.
- Use key management for certs and get managed certificate renewal.
- Integrates with Elastic Load Balancing, API Gateway and more.
- On-Demand: EC2 capacity billed to the second.
- Pay for what you use.
- Use case: Applications are under development, workloads are not expected to run for more than a year, no upfront payment or long-term committment, unpredictable workloads but don’t want to be interrupted.
- On-Demand Capacity Reservation: It is possible to buy upfront capacity to mitigate against capacity contraints in an AZ.
- Spot: unused EC2 capacity on sale.
- Pay the least but no guarantee of runtimes or interruptions. A 2-minute warning is provided via instance meta-data that your application should check for and prepare for shutdown.
- Use case: Start and stop time of the workload does not matter. 90% savings over On-Demand. When your workload is feasable only at the lowest price points.
- Spot price in effect at the beginning of each hour.
- Reserved: Upfront capacity reservation committment for long running workloads.
- Pay upfront with a contract to get discounts.
- Use case: Save 75% versus On-Demand and willing to pay upfront for 1 or 3 year reservation.
- Flexibility: All upfront, partial upfront or no upfront is possible. A contract is required. Provides convertible types at 54% discount – change tenancy, OS or region.
- Dedicated Instance and Dedicated Host:
- Dedicated Host: Dedicated bare metal rental and host exclusively for you to install software that have licensing tied to host size.
- Dedicated Instance: Instances run on VPCs on a hardware dedicated to a single customer.
- Use Case: Save 70% off of On-Demand. Software that is licensed based on per-core, per-socket or per-VM. Regulations that require tenancy exclusivity.
- Dedidicated host is a physical server, dedicated instance runs on a host.
- Savings Plan: Compute usage committment for 1 or 3 years applicable across multiple compute services.
- Save upto 72% off of On-Demand.
- Use Case: For flexibility across various services like Lambda, Fargate, and EC2.
- This is a billing convenience nothing to do with a capacity reservation.
- Computer Time – no charge for times that code is not running.
- Duration – duration of compute and memory usage while execution is counted.
- Free Tier – the free tier includes 1 million free requests each month
- Storage – number of items, and size.
- Data transfer – outbound.
- Request and data retrieval – number of requests made.
- Type of Database – brand, size, memory class etc
- Storage – amount of data
- Purchase type – on-demand, reserved instance
- DB count – number of instance
- API – number of calls
- Deployment type – is it multi-AZ
- Outbound – data transfer
- Total Cost of Ownership. Direct and indirect cost of running AWS workloads. How can I reduce my TCO using AWS?
- Minimize capital expenditures.
- Utilize reserved instances.
- Right size your resources.
- Does not consider Networking or Data costs. No personnel or facilities costs.
- AWS Price List API
- Query the price of AWS Services using JSON or CSV. Bulk price or individual APIs.
- Receive price alerts when prices change.
- Application Disovery Service
- Determine the cost of migrating to the cloud.
- Plan migration projects and estimate TCO.
- You can view the discovered servers, group them into applications, and then track the migration status of each application from the Migration Hub console in your home Region.
- Budgets
- Set custom budgets for cost and usage tracking. Alerts.
- Cost, usage and reservation budgets.
- You can choose to be notified through email and Amazon SNS topics when your utilization drops below 80 percent for a given day.
- Cost and Usage Reports
- Break down costs by the hour, day, or month, by product or product resource, or by tags that you define yourself.
- If you get a huge bill – this is where you need to find the needle in the haystack.
- Downloadable detailed and comprehensive report, list usage for each service category and aggregate usage data on a daily, hourly or monthly level.
- Cost Allocation Tags
- Label resources using key-value pairrs.
- Track costs via the cost allocation report.
- Cost Explorer
- Visualize, understand, and manage your AWS costs and usage over time.
- Forecast, build custom apps that use it’s apis, and use granular filtering offered by it’s analytical engine.
- Centrally manage your environment as you scale your AWS resources. Consolidate billing, save costs via volume discounts + reserved instance sharing and govern accounts centrally.
- Programmatically create AWS accounts as you scale at no additional charge.
- Centrally secure and audit. Manage and optimize costs centrally. Group accounts and apply policies across.
- Root Organization is the master payer account that pays for all the accounts.
- You can apply Service Control Policies (SCPs) across all member accounts within the organization.
- Control Tower
- Set up well-architected multi-account environments with pre-configured controls to ensure best practices.
- Provides dashboard to help manage accounts.
- Example, if you want to disallow public write access to all S3 buckets across your accounts – you can use Control Tower to enforce this.
- Systems Manager
- Operation insights into AWS resources, other cloud resources and on-prem resources.
- Automate configuration and ongoing management including instance compliance relative to patch, configuration and custom policies.
- Visibility and control. Group resources to take action. Patch and run commands on multiple EC2 and RDS.
- Usecase: Deploy operating system and software patchs automatically across a large group of instances.
- Trusted Advisor
- Cost, Performance, Security, Fault Tolerance, and Service Limits.
- Checks IAM password policy (not free). RDS public snapshot, service usage greater than 80% (available to business or enterprise). Check for exposed access keys (business support) and various other checks.
- Use case: check read and write capacity service limits for DynamoDB.
- Personal Health Dashboard
- Alerts you on impacts to your AWS environment.
- Marketplace
- Digital catalog of prebuilt solutions you can purchase or license.
- AWS Partner Network (APN)
- Global community of approved partners that offer solutions and consulting services
- Help design and build a new application.
- Managed Services
- Augment internall staff with additional resources to manage AWS.
- Patch management, monitoring, event management, cost optimization etc.
- Will not operate or configur your applications.
- Professional Services
- Move to a cloud based operating model
- Propose solutions.
- Architect soutions.
- You can quickly move from on-prem to cloud.
- AWS License Manager
- AWS and on-premise license manager.
- Fine-tune your license costs.
- Basic – free. * Email support only and discussion forums.
- Developer – $29 pm : * Fordevelopment and testing. * 1 contact. * Cloud support associate via email during business hours.
- Business – $100 pm : * Production workloads. * Unlimited contact. * Full Trusted Advisory. * Email, phone and chat 24/7. Production system down – less than one hour.
- Enterprise – $15k pm * Mission-critical production workloads. * Exclusive: Technical Account Manager, Concierge support team, infrastructure event support. * Less than 15m for business critical system down. AWS Official Web Pages
- Currently Available AWS Certifications
- AWS Certification Preparation Page
- AWS Training
- Schedule and Manage Exams
- Benefits for AWS Certified Individuals
- AWS Blogs
- AWS Labs
- AWS Free Course
- AWS Skill Builder
- AWS Well-Architected Framework
- AWS Well-Architected Framework: Operational Excellence Pillar
- AWS Well-Architected Framework: Reliability Pillar
- AWS Well-Architected Framework: Security Pillar
- AWS Well-Architected Framework: Performance Efficiency Pillar
- AWS Well-Architected Framework: Cost Optimization Pillar
- AWS: Overview of Security Processes
- Backup, Archive, and Restore Approaches Using AWS
- Big Data Analytics Options on AWS
- Blue/Green Deployments on AWS
- Getting Started with Amazon Aurora
- How AWS Pricing Works
- Overview of Amazon Web Services
- Serverless Architectures with AWS Lambda
- API Gateway
- Auto Scaling
- CloudFormation
- CloudWatch
- CloudTrail
- DynamoDB
- EBS (Elastic Block Store)
- EC2
- ElastiCache
- Elastic Beanstalk
- IAM (Identity and Access Management)
- KMS (Key Management Service)
- Kinesis Data Streams
- Lambda
- RDS
- Route53
- S3
- SQS (Simple Queue Service)
- SNS (Simple Notification Service
- VPC
- Youtube video course by Andrew Brown of ExamPro: 4 hours
- AWS Cloud Practitioner Essentials (Second Edition)
- AWS Certified Cloud Practitioner Training Bootcamp
- paid Udemy course by Stephane Maarek: 11 hours, 5 articles and 1 practice test
- paid Whizlabs course: 6 hours and 21 labs
- paid Udemy course by Alan Rodrigues: 9 hours, 13 articles and 2 practice tests
- Official Sample Questions
- Exam topics +800 questions (mostly accessible without Login)
- paid Udemy Practice Exam Questions by Neal Davis: 6 practice tests
- paid Tutorials Dojo 4 practice exams by Jon Bonso
- paid Whizlabs: 3 Full-Length Mock Exams (195 unique questions) and Practice Tests – 3 Set of the quiz (65 questions in each quiz)
- AWS CCP – Thoughts, My Journey, My Opinion
- AWS Certified Cloud Practitioner Exam Study Path
- AWS Practitioner Training Notes / Cheat Sheets
- Video: Passing the AWS Certified Cloud Practitioner Exam on the first try!
- Video: How I passed AWS Certified Cloud Practitioner Exam (882/1000)
- Rishab Kumar’s Notes on AWS Certfied Cloud Practitioner
- Rishab Kumar’s Notes on AWS Certfied Cloud Practitioner
Cloud Computing Models
Cloud Hosting Models
AWS Regions, AZs and Region
Amazon EC2 is hosted in multiple locations world-wide. These locations are composed of AWS Regions, Availability Zones, Local Zones, AWS Outposts, and Wavelength Zones.
Leveraging the Well-Architected Framework
AWS Well Architected helps cloud architects build secure, high-performing, resilient, and efficient infrastructure for a variety of applications and workloads.
AWS Core Services (and concepts)
The following concepts and list of AWS Core Services are essential to understand various layers of an architecture. AWS offers Trusted Advisor tool to business and higher subscriptions. * Provides recommendations that help you follow AWS best practices. * Benefits: cost optimization, performance, security, fault tolerance and service quotas.
For example, a web-based enterprise application will utilize most if no all the layers and select technologies.
Architecture
Billing
Security
Networking and Content Delivery
Compute
Operational Databases and Caching
Data Migration and Transfer
Data Analytics
Big Data and Search
Streams
Artificial Intelligence and Machine Learning
Storage
Messaging and Integration Services
Developer Tools
Deployment and Infrastructure Management Service
Auditing, Monitoring and Logging
1. CloudTrail: Audit Trails
2. CloudWatch: Logs
3. Amazon Workspace : VDI
4. Amazon Connect : Contact Center
AWS Shared Responsibility Model
“AWS has the responsibilty OF the cloud. Customer has the responsibility IN the cloud.”
Source: https://aws.amazon.com/compliance/shared-responsibility-model/
As a customer of AWS – you are not responsible for the hardware, software, networking, and facilities that run AWS Cloud services across its regions, AZs, data centers and edge locations.
Depending on the Cloud Model – AWS and it’s customer share responsibilities for different layers. However, the customer is Never responsible for the virtualization or the underlying physical infrastructure.
AWS is responsible for protecting and securing their infrastructure like whatever is in their data centers. Physical security of AWS data center. AWS maintains UPS, CRAC, fire suppression systems and more. AWS is responisble for any managed service and underlying software, operating system.
You are responsible for your data and applications. Application Data including encryption options. Security configuration – rotating credentials, APIs, VPC access etc. Patching guest operating system of EC2 instances. IAM – application security, identity and access management for systems. Network traffice – you are responsible for it including group firewall configuration. Report AWS abuse resource Rotate your keys and change your password, then contact the AWS Trust & Safety team using the Report Amazon AWS abuse form.
AWS Security Best Practices
This is 25% of the weight of the exam
Root User
Best Practice: Identity and Access Management – create a new user and provide a role. Never use the root user unless absolutely required. Protect root account with MFA (Multi-factor authentication).
VPC – Vitual Private Cloud. Default VPC will always be created for you.
Concepts
IAM
Security Services
AWS Costs, Economics and Billing Practices
16% of the exam_questions about 8-10 questions
· EC2 Instances are priced as follows
· S3 Pricing Storage Class
· RDS Pricing Running Clock Hours
Pricing, Billing and Governance
Compute, storage and outbound data transfer is where the costs are for AWS. Data in flight moving between system. Data movement within the AWS region are usually not charged. Data out of AWS to end user is where the data transfer costs are. How AWS Pricing Works whitepaper ix.TCO
AWS Official Certification
AWS Exam Guide
AWS White Papers
FAQ
Videos Course
Notes