• On-demand self-service
• Broad netework access

• Resource pooling

  • Multi-tenant environments
• Rapid elasticity
• Measured service

• Infrastructure as a Service (IaaS)
• Platform as a Service (PaaS)
• Software as a Service (SaaS)

• Private cloud
• Community cloud
• Public cloud
• Hybrid cloud

• Amazon Elastic Compute (EC2)
• AWS Lambda
• Amazon Elastic Container Service (ECS)

• Amazon Elastic Block Store (EBS)
• Amazon Simple Storage Service (S3)
• Amazon Glacier

• Amazon Simple Notification Service (SNS)
• Amazon Simple Email Service (SES)
• Amazon Simple Queue Service (SQS)

• Amazon Relational Database Service (RDS)
• Amazon DynamoDB
• Amazon ElastiCache

• Amazon Kinesis
• Amazon Elasticsearch Service
• Amazon Redshift
• Amazon EMR
• Amazon Athena

• Amazon Virtual Private Cloud (VPC)

  • Subnets
  • Routing
  • Network Access Control Lists
  • Security Groups

• AWS CodeCommit
• AWS CodeDeploy
• AWS CodeBuild
• AWS CodePipeline
• AWS Elastic Beanstalk
• AWS OpsWorks

• On-demand resources

  • Get what you need when you need it

• Pay as you go

  • Pay for what you use

• No long-term commitments

  • Elasticity
• Highly automated
• Managed services

• Opex over capex
• Gain flexibility and agilty
• Immediate scalability
• Lower time to market
• Lower variable costs
• Lower upfront costs
• Easier cost allocation

Things to consider:

• Available services and features
• Cost of services
• Latency and proximity
• Disaster recovery
• Security and compliance laws

• Regions are split in at least two availability zones
• Availability zones have at least one data center
• Spread out and apart
• Connected to each other with a private fiber line

• Important locations for CDN and DNS
• Reside outside AWS region
• Customers do not have access to an edge location itself

• Logically isolated network
• Created per account per region
• A single VPC spans a single region
• Can all use all AZs in a region
• Can peer with other VPCs
• Uses internet and VPN gateways

1. Load Balancing tier
2. Application tier
3. Database tier

• Security via isolation
• High-availability
• Fault tolerance
• Performance

• Internet gateways allow networks to communicate with each

• Route tables determines the destination of the traffic

  • Route tables, by themselves, DO NOT allow instances to communicate to the internet; it only routes traffic
• Instances need a Public IP address to route its traffic to the internet

• Acts as a firewall for the subnet
• Allow and denies traffic to the subnets and destination ports

• Firewall for the machine
• Implicitly denies, can only allow

• Register domains
• Use AWS nameservers
• Public and private DNS zones
• Automated via API
• Health checks

• Different routing methods

  • Latency
  • Geographic
  • Weighted
  • Failover

• Private VPN connection to VPC
• Uses two Amazon Routers
• Good for simple tasks

• Fiber connection to AWS Region
• Through AWS Direct Connect Point of Presence

• Treat as disposable
• "Immutable infrastructure"
• Treat logs as streams (stream to other services)
• Leverage roles
• Automate deployments and enable scaling with auto scaling
• Monitor with CloudWatch

• Data independent of instance it is attached to
• Connected over network
• Pay for provisioned storage
• Exist in a single AZ
• Point-in-time snapshots

• Capabilities

  • Can detach from instances and reattach
  • Can be encrypted
  • Can be used in RAID or LVM
• Best for file systems and random IO
• Not encrypted by default

• Managed by AWS
• Layer 4 and 7
• Listens to ports
• Registers onto instances
• Forwards connections to any port
• Can offload SSL and allows to choose security options such as the SSL version, etc.

• Layer 7 requests
• Listens to ports
• Uses target groups made up of EC2 instances

• Rules can dictate which traffic goes to which target group

  • Based on URL path or domain name
  • Content filtering
• Dynamic port mapping allows instances to receive on different ports

• Layer 4 requests
• Listens to ports
• Uses target groups
• Connections to a static IP address can be spread across instances
• Useful for DNS, firewall rules, and long-running connections

• Static websites
• CSS, JS
• Images
• Software downloads
• Assets that do not change often

• Accessed less frequently but still has rapid access

• Standard

  • Stores in multiple AZs

• One-Zone

  • Stores in only a single AZ
  • More cost effective

• Data can not be publicly accessed by default
• Policies are only at the bucket level
• ACLs can control access to both the bucket and its objects

• EC2

  • Default 5 minute interval
  • 1 minute extra
  • Reported by hypervisor

• ELB

  • Requests/min
  • Healthy and unhealthy hosts
  • 1 minute interval

• RDS

  • Memory, connections, disk

• DynamoDB

  • Read/write throughput, storage
• Billing usage (different from AWS Budgets is that Budgets notifies on forecasted expenditure threshold)

• Triggered on breach of threshold

• Can trigger

  • Auto Scaling
  • Termination
  • Reboot
• Up to 5000 alarms per account

• Collect logs by streaming

  • Configure agent on instances to automatically stream logs to CloudWatch
• Collect Route 53 DNS queries
• Monitor CloudTrail events
• Can archive to S3
• Can process with Lambda

• Scaling policies
• CloudWatch alarms triggered by a CPU threshold

• Easily replace failing machines
• In the event an AZ goes down, autoscaling scales a proportionate amount to the other availability zones

• AWS handles synchronous replication to increase availability
• Automatic failover

• Customers can control backup window
• Point-in-time restore
• Retained up to 35 days
• Backups are deleted along with the instance

• May see performance increase (5x faster) compared to MySQL

• Storage up to 64TB

  • Auto-scaled and storage automatically provisioned
  • Six copies of data replicated across three AZs
• Up to 15 read replicas
• Aurora Serverless (new service)

• AWS Database Migration Service

  • Supports widely-used DBs
  • Heterogeneous/homogeneous DBs
  • Virtually zero downtime
  • Schema conversion tool, allowing to migrate to another DB engine

• No joins/relationships

• Schema-less

  • Key-value and documents
• No table size limit
• 400KB item size limit

• Ad impression/clicks
• Gaming leaderboards
• Shopping carts
• Session/state storage
• Operational state/history

1. A customer wants to be able to store archived data in Glacier. The data should be archived almost immediately after 10 days of age.

   1. Explain ONE drawback of storing data in Glacier.
   2. Identify ONE service the customer should use to store the data before archiving it.
   3. Identify ONE responsibility of AWS in Glacier that is typically managed by the customer.

1. The following prompts pertain to Amazon VPC.

   1. Explain ONE major difference between Network Access Control Lists (NACLs) and Security Groups.
   2. Explain another major difference between Network Access Control Lists (NACLs) and Security Groups.
   3. Explain ONE major difference between VPC Endpoints and Internet Gateways.

2. The following prompts pertain to Amazon EBS

   1. Explain ONE disadvantage of EBS over EFS.
   2. Explain ONE advantage of EBS over EFS.
   3. Identify ONE service in which EBS can store snapshots in.

1. A customer wants to automatically scale instances based on demand and trigger a Lambda function when services reach a specified limit. What service can be used to accomplish both of these tasks?
2. What service allows for large scale data analysis?
3. What service is fully managed by AWS that can run a MySQL database?

• Determine authorization or permissions
• Written in JSON

• Policy types

  • Managed policy

    • Can be used for multiple users

  • Inline policy

    • Written directly on a user

• Evaluation logic

  1. Implicitly deny
  2. Explicit deny
  3. Explicit allow

• Use temporary credentials

• Delegate permissions to

  • EC2 instance
  • AWS service
  • A user (elevating privileges)
  • Separate account for cross account sharing

• Organizational users

• Web/mobile app users

  • Bypass APIs

1. Enable CloudTrail
2. Create an admin user in IAM
3. Enable MFA on root account
4. Enable Cost and Usage Report
5. Log out of root account
6. Log in with admin user
7. Create additional users, groups, etc.

• Root credentials
• Follow principle of least privilege
• Rotate access keys
• Enable MFA
• Monitor with CloudTrail

• Consolidated billing

  • One bill, many accounts
  • Aggregated volume pricing

• Detailed billing

  • Published to S3 bucket
  • Import into spreadsheet
  • Filter by service, tag, etc.

• Cloud Security Alliance
• ISO 9001
• ISO 27001
• ISO 27017
• ISO 27018
• PCI DSS Level 1
• SOC 1, 2, 3

• FedRAMP
• FIPS
• FISMA
• HIPAA
• ITAR
• MPAA

• AWS is not directly certified, but customers can
• AWS is compliant at the physical layer
• Medical records

• Cardholder data
• Sensitive authentication data

• No long-term commitments
• Large fixed costs to smaller variable costs
• Fees include OS license
• Mostly billed per second, with a minimum of 60 seconds

• Up to 75% discount
• Provide capacity reservation
• 1-year or 3-year term

• Discounts on spare capacity
• Save up to 90%
• Price changes, depending on instance type, AZ, supply/demand
• Essentially a clearance sale
• Can be interrupted

• Integrated with

  • EMR
  • Autoscaling
  • ECS
  • CloudFormation
• Best for flexible schedule and test environments

• Charged per GB per 100ms
• Charged per 1 million requests
• Free tier available (1 mil req/mo, 400 TB-sec/mo)
• Additional charges for bandwidth and S3

• Charged $/GB/mo
• Inbound is generally free
• S3 to CloudFront is free

• Outbound to internet charged, with tiered pricing

  • Cross-region traffic

• Cross-AZ traffic may be charged depending on the service

  • Generally free for most services
• VPC peering

• Instance type
• DB engine (license fees)
• Reserved instance discounts
• Storage, $/GB/mo, $/IOPS/mo
• Multi-AZ deployment charged double

• Provisioned throughput, $/rw capacity unit
• Consumed storage, $/GB/mo
• Reserved capacity discounts

• Provisioned storage, $/GB/mo
• Additional costs for provisioned IOPS
• Additional costs for EBS snapshots to S3

• Consumed storage, $/GB/mo

• Additional costs for requests

  • PUT+COPY+POST+LIST $/1000 req.
  • GET $/1000 req.
• Storage classes (S3-IA, S3 Glacier)

1. S3 bucket permissions
2. Security groups in VPCs, unrestricted ports
3. IAM usage/permissions
4. MFA on root account
5. EBS snapshots publicly readable
6. RDS snapshots publicly readable

7. Service limits

   • Hard limits
   • Soft limits

• Notifications
• Programmatic access

• Seven core TA checks
• No tech support
• Can submit bugs, feature requests, service limit increases

• Recommended for testing or early development
• Seven core TA checks
• Business hours access to Cloud Support Associates
• Guidance <24 business hours response time
• Impairments <12 business hours
• General guidance

• Full set of TA Checks
• 24/7 access to Cloud Support Engineers
• Email, chat, phone
• 1 to 24-hour response
• Contextual guidance based on use case
• Infrastructure Event Management for additional fee

• Full set of TA checks
• 24/7 access to Cloud Support Engineers
• Email, chat, phone
• 15-min to 24-hour response
• Consultative review
• Applies to ALL accounts
• Access to Well-Architected review
• Access to online labs
• Access to Technical Account Manager

• DynamoDB - NoSQL key/value database
• DocumentDB - NoSQL Document database, MongoDB compatible

• RDS - Relational Database Service that supports multiple engines

  • Aurora - Fully managed database 5x faster than MySQL
  • Aurora Serverless - only runs when you need it like AWS Lambda
• Neptune - Managed Graph Database
• Redshift - Petabyte warehouse, good for large scale analysis
• ElastiCache - Redis or Memcached database

• Elastic Beanstalk - service for deploying and scaling webapps
• OpsWorks - configuration management service that provides managed instances of Chef and Puppet
• CloudFormation - infrastructure as code, JSON or YAML
• AWS QuickStart - pre-made packages that can configure AWS compute, network, storage, etc.
• AWS Marketplace - digital catalogue of software listings from independent vendors

• EC2 - highly configurable server
• ECS - Docker as a Service
• Fargate - microservices where you don't think about the infrastructure
• EKS - Kubernetes as a Service
• Lambda - serverless functions where you pay for compute time
• Elastic Beanstalk - orchestrates AWS services
• AWS Batch - schedules batch computing workloads across compute services

• S3 - object storage
• S3 Glacier - low cost storage archiving and long-term backup
• Storage Gateway - hybrid cloud storage
• EBS - block storage that attaches to an EC2 instance
• EFS - file storage that mounts to multiple EC2 instances
• Snowball - physical migration large amounts of data

• Direct Connect - dedicated fiber connection to AWS network
• VPN - secure connection to AWS network
• Storage Gateway - hybrid storage service

• CloudTrail - logs all API calls between AWS services (who can we blame)
• CloudWatch - tracks performance and can trigger events and alarms