AWS Cloud Computing Concepts
Fundamentally the term "compute" refers to physical servers comprised of the processing, memory, and storage required to run an operating system such as Microsoft Windows or Linux, and some virtualized networking capability.
The components of a compute server include the following:
• Processor or Central Processing Unit (CPU): the CPU is the brains of the computer and carries out the instructions of computer programs.
• Memory or Random Access Memory (RAM): within a computer, memory is very high-speed storage for data stored on an integrated circuit chip.
• Storage: the storage location for the operating system files (and optionally data). This is typically a local disk stored within the computer or a network disk attached using a block protocol such as iSCSI.
• Network: physical network interface cards (NICs) to support connectivity with other servers.
When used in cloud computing, the operating system software that is installed directly on the server is generally a hypervisor that provides a hardware abstraction layer onto which additional operating systems can be run as virtual machines (VMs) or "instances". This technique is known as hardware virtualization.
A VM is a container within which virtualized resources including CPU (vCPU), memory and storage are presented, and an operating system can be installed. Each VM is isolated from other VMs running on the same host hardware, and many VMs can run on a single physical host, each potentially installed with different operating system software.
The diagram below depicts hardware virtualization with guest VMs running on top of a host OS:
There are two main types of hypervisor:
• Type 1: the hypervisor is installed directly on top of the hardware and is considered a "bare-metal" hypervisor.
• Type 2: the hypervisor software runs on top of a host operating system.
Examples of Type 1 hypervisors include VMware ESXi and Microsoft Hyper-V, and examples of Type 2 hypervisors include VMware Workstation and Oracle VirtualBox. Type 1 hypervisors typically provide better performance and security than Type 2 hypervisors.
The diagram above shows a hardware virtualization stack using a Type 1 hypervisor. The diagram below depicts a Type 2 hypervisor:
As you can see, the key difference is that there is an additional host operating system layer that sits directly above the physical hardware and beneath the hypervisor layer.
Cloud computing is the on-demand delivery of compute power, database storage, applications and other IT resources through a cloud services platform via the Internet with pay-as-you-go pricing.
Cloud computing provides a simple way to access servers, storage, databases and a broad set of application services over the Internet.
A cloud services platform such as Amazon Web Services owns and maintains the network-connected hardware required for these application services, while you provision and use what you need via a web application.
6 advantages of cloud:
a) Trade capital expense for variable expense
Instead of having to invest heavily in data centers and servers before you know how you're going to use them, you can pay only when you consume computing resources, and pay only for how much you consume.
b) Benefit from massive economies of scale
By using cloud computing, you can achieve a lower variable cost than you can get on your own. Because usage from hundreds of thousands of customers is aggregated in the cloud, providers such as AWS can achieve higher economies of scale, which translates into lower pay-as-you-go prices.
c) Stop guessing about capacity
Eliminate guessing on your infrastructure capacity needs. When you make a capacity decision prior to deploying an application, you often end up either sitting on expensive idle resources or dealing with limited capacity.
With cloud computing, these problems go away. You can access as much or as little capacity as you need, and scale up and down as required with only a few minutes' notice.
d) Increase speed and agility
In a cloud computing environment, new IT resources are only a click away, which means that you reduce the time to make those resources available to your developers from weeks to just minutes.
This results in a dramatic increase in agility for the organization, since the cost and time it takes to experiment and develop is significantly lower.
e) Stop spending money running and maintaining data centers
Focus on projects that differentiate your business, not the infrastructure. Cloud computing lets you focus on your own customers, rather than on the heavy lifting of racking, stacking, and powering servers.
f) Go global in minutes
Easily deploy your application in multiple regions around the world with just a few clicks. This means you can provide lower latency and a better experience for your customers at minimal cost.
Cloud Computing Service Models
1. Infrastructure as a Service (IaaS)
Infrastructure as a Service (IaaS) contains the basic building blocks for cloud IT and typically provides access to networking features, computers (virtual or on dedicated hardware), and data storage space. IaaS provides you with the highest level of flexibility and management control over your IT resources and is most similar to existing IT resources that many IT departments and developers are familiar with today.
With IaaS services, such as Amazon EC2, your company can consume compute servers, known as "instances", on demand. This means that the hardware and software stack, up to the operating system, is managed for you. You then need to choose which operating system to use with your instance (e.g. Linux or Windows) and you are responsible for the configuration and management of the operating system and any software you install on it. An application programming interface (API) is typically provided for all cloud services, which can be used for programmatic management. Each compute instance will have an allocated storage capacity, and cloud networking functions such as routing, firewalls, and load balancers can be configured. IaaS is the least popular of the cloud computing service models at present, though it is gaining in popularity. Currently, around 12% of enterprise workloads run on IaaS.
The benefits of IaaS include:
• You don't need to invest in your own hardware.
• The infrastructure scales on demand to support dynamic workloads.
• Increased stability, reliability and supportability.
• Maintain operational control of the operating system.
• Examples of IaaS services: Microsoft Azure IaaS, Amazon EC2, Google Compute Cloud (GCP), and Rackspace.
2. Platform as a Service (PaaS)
Platform as a Service (PaaS) removes the need for your organization to manage the underlying infrastructure (usually hardware and operating systems) and allows you to focus on the deployment and management of your applications. This helps you be more efficient as you don't need to worry about resource procurement, capacity planning, software maintenance, patching, or any of the other undifferentiated heavy lifting involved in running your application.
Developers love PaaS as it removes more complexity and operational overhead from them. With PaaS, the cloud service provider manages the infrastructure layer and also the middleware, development tools, business intelligence (BI) services, database management systems and more. This allows developers to concentrate on their code without needing to manage the environment on which it runs. Developers simply upload their code to build web applications. PaaS is designed to support the complete web application life cycle: building, testing, deploying, managing, and updating.
You are not just limited to web services with PaaS. Databases can also be offered in a platform as a service model. In this case the management of the database engine and underlying hardware is taken care of by the service provider, and you create tables and add data. Examples of database PaaS offerings include Microsoft Azure SQL and Amazon RDS.
PaaS is currently the most popular cloud computing service model, comprising around 32% of all enterprise workloads, and is expected to grow in 2020.
The benefits of PaaS include:
• Cut coding time: develop applications faster.
• Deploy new web applications to the cloud in minutes.
• Reduce complexity with middleware as a service.
• Examples of PaaS services: Microsoft Azure Web Apps, AWS Elastic Beanstalk, Heroku, Force.com and Google App Engine.
3. Software as a Service (SaaS)
Software as a Service (SaaS) provides you with a completed product that is run and managed by the service provider. In most cases, people referring to Software as a Service are referring to end-user applications. With a SaaS offering you do not have to think about how the service is maintained or how the underlying infrastructure is managed; you only need to think about how you will use that particular piece of software. A common example of a SaaS application is web-based email, which you can use to send and receive email without having to manage feature additions to the email product or maintain the servers and operating systems that the email program is running on. SaaS provides high availability, fault tolerance, scalability and elasticity. SaaS is a service model where software applications are delivered over the Internet.
In the consumer space, examples include Gmail, Facebook and Dropbox: these services are ready to use, no coding required, you just use them. With SaaS the entire stack is managed for you, though you will often have some limited scope to configure the service according to your needs. SaaS is the second most popular cloud computing service model for enterprises, totalling around 24% of all enterprise workloads.
The benefits of SaaS include:
• Sign up and rapidly start using innovative business apps.
• Apps and data are accessible from any connected computer.
• No data is lost if your computer breaks, as data is in the cloud.
• The service is able to dynamically scale to usage needs.
• Examples of SaaS services: Google Apps, Microsoft Office 365, and Salesforce.
The diagram below depicts these three service models and shows where the responsibility for management lies; it also compares against the "legacy IT" or "on-premises" model:
Cloud Computing Deployment Models
Cloud computing services may be delivered on-premises or in public clouds.
There are 3 types of cloud deployment:
• Public Cloud or simply "Cloud" – e.g. AWS, Azure, GCP.
• Hybrid Cloud – mixture of public and private clouds.
• Private Cloud (on-premises) – managed in your own data centre, e.g. Hyper-V, OpenStack, VMware.
1. Private Cloud
In an on-premises, or private cloud, computing deployment model an enterprise deploys their own infrastructure and applications into their own data center. The data center can be on-premises or co-location (colo). Though an on-premises deployment is very much the "legacy IT" setup, it can have many of the characteristics of cloud computing if the stack is designed properly, hence turning it into a "private cloud".
For instance, a private cloud can be delivered using a virtualization platform with orchestration and self-service software. From a developer's perspective, this can mean elastic compute capacity is delivered on demand, elastically (within the capacity constraints of the system), and programmatically.
The private cloud deployment is typically single-tenant, meaning the platform is not shared with other organizations. It may, however, have multiple tenants, which could be departments within the organization.
Private cloud is not a pay-as-you-go expense as you own (and pay for) the entire stack, whether it's being used or not. However, you can use metering to either record and display usage across different tenants or to actually charge those user groups; these methods are sometimes called "showback" or "chargeback".
A private cloud deployment doesn't provide many of the benefits of cloud computing but is sometimes sought for its ability to provide dedicated resources. Though you have complete control on how you deploy and manage a private cloud, this needs to be weighed against the capital expense of owning your own data center, and the limitations in scalability this type of architecture typically imposes.
The benefits of private cloud include:
a. Complete control of the entire stack
b. Security – in a few cases, organizations may need to keep all or some of their applications and data in house
• Vendors of private cloud "stacks" include VMware, Microsoft, Red Hat, Dell EMC, OpenStack, and HPE.
2. Public Cloud
When we talk about "cloud computing" this is typically what's being discussed and is the model which provides most of the advantages of cloud computing. A public cloud computing deployment model means the IT services that you consume are hosted and delivered from a third party and accessed over the Internet. Services are available to the "public" to use, so any organization or end user can create an account with their credit card.
This model is typically multi-tenant with many customers sharing the same underlying infrastructure (though you can use dedicated hardware in a public cloud, e.g. Amazon EC2 Dedicated Hosts).
• Top public cloud providers include: AWS, Microsoft Azure, and Google Cloud Platform.
3. Hybrid Cloud
What is hybrid cloud? This is a cloud computing deployment model in which a combination of on-premises, private cloud, and public cloud services are consumed. This model is extremely common, especially with larger organizations, as a single cloud deployment model may not be optimal for all workloads. For instance, an organization may require some data to be maintained on-premises (or at least not in a multi-tenant public cloud) for compliance reasons, but may wish to deploy web services in public cloud providers around the world to leverage the elasticity and get content closer to customers. Hybrid cloud models are also used for cloud bursting. This means that the organization may run their applications primarily on-premises, or in a private cloud, but in times of heavy load they can "burst" into the public cloud, launching additional application servers to service the load. This model delivers some of the benefits of private cloud and public cloud, though some organizations have found that there are operational advantages to going "all in" on a single deployment model. It's really up to each and every organization to evaluate the pros and cons of each deployment model to work out the ideal fit.
Benefits of hybrid cloud include:
a. Allows companies to keep the critical applications and sensitive data in a traditional data center environment or private cloud
b. Enables taking advantage of public cloud resources like SaaS, for the latest applications, and IaaS, for elastic virtual resources
c. Facilitates portability of data, apps and services and more choices for deployment models.
How do you decide on the best cloud computing deployment model?
You should now understand the various patterns and anti-patterns associated with each cloud computing deployment model. There are several approaches towards determining the best model for your organization. These include:
Workload-centric approach – in this approach you analyze every workload to determine the most suitable cloud computing deployment model. You need to take into account multiple factors, including technology fit, operational fit, and cost.
Organizationally centric approach – in this approach you take a more holistic view of which type of cloud computing deployment model is most suitable for your company. Factors to consider would include business agility and growth, competitive differentiation, operational preference, and CAPEX vs OPEX preferences.
AWS Global Infrastructure
The AWS infrastructure is built around Regions and Availability Zones (AZs). An AWS Region is a physical location in the world where AWS have multiple AZs.
AZs consist of one or more discrete data centers, each with redundant power, networking, and connectivity, housed in separate facilities.
Each region is completely independent. Each Availability Zone is isolated, but the Availability Zones in a region are connected through low-latency links.
AWS are constantly expanding around the world and currently there are:
Regions
A region is a geographical area. Each region consists of 2 or more availability zones. Each Amazon Region is designed to be completely isolated from the other Amazon Regions. Each AWS Region has multiple Availability Zones and data centers. You can replicate data within a region and between regions using private or public Internet connections.
You retain complete control and ownership over the region in which your data is physically located, making it easy to meet regional compliance and data residency requirements.
Note that there is a charge for data transfer between regions. When you launch an EC2 instance, you must select an AMI that's in the same region. If the AMI is in another region, you can copy the AMI to the region you're using.
Regions and Endpoints:
• When you work with an instance using the command line interface or API actions, you must specify its regional endpoint.
• To reduce data latency in your applications, most Amazon Web Services offer a regional endpoint to make your requests.
• An endpoint is a URL that is the entry point for a web service.
• For example, https://dynamodb.us-west-2.amazonaws.com is an entry point for the Amazon DynamoDB service.
Availability Zones
Availability Zones are physically separate and isolated from each other. AZs span one or more data centers and have direct, low-latency, high-throughput and redundant network connections between each other. Each AZ is designed as an independent failure zone.
When you launch an instance, you can select an Availability Zone or let AWS choose one for you.
If you distribute your EC2 instances across multiple Availability Zones and one instance fails, you can design your application so that an instance in another Availability Zone can handle requests.
You can also use Elastic IP addresses to mask the failure of an instance in one Availability Zone by rapidly remapping the address to an instance in another Availability Zone.
An Availability Zone is represented by a region code followed by a letter identifier; for example, us-east-1a.
To ensure that resources are distributed across the Availability Zones for a region, AWS independently map Availability Zones to names for each AWS account.
For example, the Availability Zone us-east-1a for your AWS account might not be the same location as us-east-1a for another AWS account.
To coordinate Availability Zones across accounts, you must use the AZ ID, which is a unique and consistent identifier for an Availability Zone.
AZs are physically separated within a typical metropolitan region and are located in lower risk flood plains.
AZs use discrete UPS and onsite backup generation facilities and are fed via different grids from independent facilities.
AZs are all redundantly connected to multiple tier-1 transit providers.
The following graphic shows three AWS Regions each of which has three Availability Zones:
Local Zones
AWS Local Zones place compute, storage, database, and other select AWS services closer to end users. With AWS Local Zones, you can easily run highly demanding applications that require single-digit millisecond latencies to your end users.
Each AWS Local Zone location is an extension of an AWS Region where you can run your latency-sensitive applications using AWS services such as Amazon Elastic Compute Cloud, Amazon Virtual Private Cloud, Amazon Elastic Block Store, Amazon File Storage, and Amazon Elastic Load Balancing in geographic proximity to end users.
AWS Local Zones provide a high-bandwidth, secure connection between local workloads and those running in the AWS Region, allowing you to seamlessly connect to the full range of in-region services through the same APIs and tool sets.
AWS Wavelength
AWS Wavelength enables developers to build applications that deliver single-digit millisecond latencies to mobile devices and end users.
AWS developers can deploy their applications to Wavelength Zones, AWS infrastructure deployments that embed AWS compute and storage services within the telecommunications providers' data centers at the edge of the 5G networks, and seamlessly access the breadth of AWS services in the region. AWS Wavelength brings AWS services to the edge of the 5G network, minimizing the latency to connect to an application from a mobile device.
AWS Outposts
AWS Outposts bring native AWS services, infrastructure, and operating models to virtually any data center, co-location space, or on-premises facility. You can use the same AWS APIs, tools, and infrastructure across on-premises and the AWS cloud to deliver a truly consistent hybrid experience.
AWS Outposts is designed for connected environments and can be used to support workloads that need to remain on-premises due to low latency or local data processing needs.
Edge Locations and Regional Edge Caches
Edge locations are Content Delivery Network (CDN) endpoints for CloudFront. There are many more edge locations than regions. Currently there are over 200 edge locations. Regional Edge Caches sit between your CloudFront origin servers and the Edge Locations. A Regional Edge Cache has a larger cache width than each of the individual Edge Locations. The following diagram shows CloudFront Edge locations:
Identity and Access Management
General IAM Concepts
AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources. IAM makes it easy to provide multiple users secure access to AWS resources.
When you first create an AWS account, you begin with a single sign-in identity that has complete access to all AWS services and resources in the account.
This identity is called the AWS account root user and is accessed by signing in with the email address and password that you used to create the account.
IAM can be used to manage:
• Users.
• Groups.
• Access policies.
• Roles.
• User credentials.
• User password policies.
• Multi-factor authentication (MFA).
• API keys for programmatic access (CLI).
IAM provides the following features:
• Shared access to your AWS account.
• Granular permissions.
• Secure access to AWS resources for applications that run on Amazon EC2.
• Multi-factor authentication.
• Identity federation.
• Identity information for assurance.
• PCI DSS compliance.
• Integrated with many AWS services.
• Eventually consistent.
• Free to use.
You can work with AWS Identity and Access Management in any of the following ways:
• AWS Management Console.
• AWS Command Line Tools.
• AWS SDKs.
• IAM HTTPS API.
By default new users are created with NO access to any AWS services; they can only log in to the AWS console.
Permission must be explicitly granted to allow a user to access an AWS service.
IAM users are individuals who have been granted access to an AWS account.
Each IAM user has three main components:
• A user name.
• A password.
• Permissions to access various resources.
You can apply granular permissions with IAM. You can assign users individual security credentials such as access keys, passwords, and multi-factor authentication devices.
IAM is not used for application-level authentication. Identity Federation (including AD, Facebook etc.) can be configured allowing secure access to resources in an AWS account without creating an IAM user account.
Multi-factor authentication (MFA) can be enabled/enforced for the AWS account and for individual users under the account. MFA uses an authentication device that continually generates random, six-digit, single-use authentication codes.
You can authenticate using an MFA device in the following ways:
• Through the AWS Management Console: the user is prompted for a user name, password and authentication code.
• Using the AWS API: restrictions are added to IAM policies and developers can request temporary security credentials and pass MFA parameters in their AWS STS API requests.
• Using the AWS CLI by obtaining temporary security credentials from STS (aws sts get-session-token).
It is a best practice to always set up multi-factor authentication on the root account.
IAM is universal (global) and does not apply to regions.
IAM replicates data across multiple data centres around the world.
The "root account" is the account created when you set up the AWS account. It has complete admin access and is the only account that has this access by default.
It is a best practice to avoid using the root account for anything other than billing.
Power user access allows all permissions except the management of groups and users in IAM.
Temporary security credentials consist of the AWS access key ID, secret access key, and security token.
IAM can assign temporary security credentials to provide users with temporary access to services/resources. To sign in you must provide your account ID or account alias in addition to a username and password.
The sign-in URL includes the account ID or account alias, e.g.:
https://My_AWS_Account_ID.signin.aws.amazon.com/console/
Alternatively, you can sign in at the following URL and enter your account ID or alias manually:
https://console.aws.amazon.com/
IAM integrates with many different AWS services.
Authentication Methods
Console password:
• A password that the user can enter to sign in to interactive sessions such as the AWS Management Console.
• You can allow users to change their own passwords.
• You can allow selected IAM users to change their passwords by disabling the option for all users and using an IAM policy to grant permissions for the selected users.
Access Keys:
• A combination of an access key ID and a secret access key.
• You can assign two active access keys to a user at a time.
• These can be used to make programmatic calls to AWS when using the API in program code or at a command prompt when using the AWS CLI or the AWS PowerShell tools.
• You can create, modify, view or rotate access keys.
• When created, IAM returns the access key ID and secret access key.
• The secret access key is returned only at creation time and if lost a new key must be created.
• Ensure access keys and secret access keys are stored securely.
• Users can be given access to change their own keys through IAM policy (not from the console).
• You can disable a user's access key, which prevents it from being used for API calls.
Server certificates:
• SSL/TLS certificates that you can use to authenticate with some AWS services.
• AWS recommends that you use the AWS Certificate Manager (ACM) to provision, manage and deploy your server certificates.
• Use IAM only when you must support HTTPS connections in a region that is not supported by ACM.
IAM Users
An IAM user is an entity that represents a person or service.
Can be assigned:
• An access key ID and secret access key for programmatic access to the AWS API, CLI, SDK, and other development tools.
• A password for access to the management console.
By default, users cannot access anything in your account.
The account root user credentials are the email address used to create the account and a password.
The root account has full administrative permissions and these cannot be restricted.
Best practice for root accounts:
• Don't use the root user credentials.
• Don't share the root user credentials.
• Create an IAM user and assign administrative permissions as required.
• Enable MFA.
IAM users can be created to represent applications and these are known as "service accounts".
You can have up to 5000 users per AWS account.
Each user account has a friendly name and an ARN which uniquely identifies the user across AWS.
A unique ID is also created which is returned only when you create the user using the API, Tools for Windows PowerShell or the AWS CLI.
You should create individual IAM accounts for users (best practice not to share accounts).
The Access Key ID and Secret Access Key are not the same as a password and cannot be used to log in to the AWS console.
The Access Key ID and Secret Access Key are shown only once and must be regenerated if lost.
A password policy can be defined for enforcing password length, complexity etc. (applies to all users).
You can allow or disallow the ability to change passwords using an IAM policy.
Access keys and passwords should be changed regularly.
Groups
Groups are collections of users and have policies attached to them.
A group is not an identity and cannot be identified as a principal in an IAM policy.
Use groups to assign permissions to users.
Use the principle of least privilege when assigning permissions.
You cannot nest groups (groups within groups).
Roles
Roles are created and then "assumed" by trusted entities and define a set of permissions for making AWS service requests.
With IAM Roles you can delegate permissions to resources for users and services without using permanent credentials (e.g. username and password).
IAM users or AWS services can assume a role to obtain temporary security credentials that can be used to make AWS API calls.
You can delegate using roles.
There are no credentials associated with a role (password or access keys).
IAM users can temporarily assume a role to take on permissions for a specific task.
A role can be assigned to a federated user who signs in using an external identity provider.
Temporary credentials are primarily used with IAM roles and automatically expire.
Roles can be assumed temporarily through the console or programmatically with the AWS CLI, Tools for Windows PowerShell or API.
IAM roles with EC2 instances:
• IAM roles can be used for granting applications running on EC2 instances permissions to make AWS API requests using instance profiles.
• Only one role can be assigned to an EC2 instance at a time.
• A role can be assigned at the EC2 instance creation time or at any time afterwards.
• When using the AWS CLI or API, instance profiles must be created manually (it's automatic and transparent through the console).
• Applications retrieve temporary security credentials from the instance metadata.
Role Delegation:
• Create an IAM role with two policies:
  o Permissions policy – grants the user of the role the required permissions on a resource.
  o Trust policy – specifies the trusted accounts that are allowed to assume the role.
• Wildcards (*) cannot be specified as a principal.
• A permissions policy must also be attached to the user in the trusted account.
Policies
Policies are documents that define permissions and can be applied to users, groups and roles.
Policy documents are written in JSON (key-value pairs that consist of an attribute and a value).
All permissions are implicitly denied by default.
The most restrictive policy is applied.
The IAM policy simulator is a tool to help you understand, test, and validate the effects of access control policies.
The Condition element can be used to apply further conditional logic.
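The evaluation rules just listed (implicit deny, explicit Deny beating Allow, the Condition element) and the Role Delegation notes above (a permissions policy plus a trust policy, no wildcard principal) can be made concrete with a small evaluator. The code below is an added example written for this page, not AWS's own policy engine or SDK code; the policies, request contexts and the 123456789012 account ID are constructed placeholders, and only the Bool, StringEquals and IpAddress condition operators are modelled.

```python
"""Toy evaluator for the IAM policy rules described above (added example,
not AWS's engine): implicit deny by default, an explicit Deny always wins
over an Allow, '*' wildcards in Action/Resource, and a small subset of the
Condition element. Also a lint for role trust policies that flags a
wildcard principal. All policies and contexts are constructed samples and
123456789012 is a placeholder account ID."""
import fnmatch
import ipaddress

def _match(pattern_or_list, value):
    """IAM Action/Resource values may be a string or a list and may use '*'."""
    patterns = pattern_or_list if isinstance(pattern_or_list, list) else [pattern_or_list]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _condition_holds(condition, context):
    """All clauses must hold (AND). A missing context key makes the clause
    false, which is why AWS offers ...IfExists variants for optional keys."""
    for operator, clauses in condition.items():
        for key, expected in clauses.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "Bool":
                if str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "StringEquals":
                if actual != expected:
                    return False
            elif operator == "IpAddress":
                nets = expected if isinstance(expected, list) else [expected]
                if not any(ipaddress.ip_address(actual) in ipaddress.ip_network(n) for n in nets):
                    return False
            else:
                return False  # unsupported operator: fail closed
    return True

def evaluate(policies, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request across all attached policies."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _match(stmt.get("Action", []), action):
                continue
            if not _match(stmt.get("Resource", []), resource):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"        # explicit deny: the most restrictive policy wins
            allowed = True
    return "Allow" if allowed else "Deny"   # nothing matched: implicit deny

def trust_policy_findings(trust_policy):
    """Lint a role trust policy: flag wildcard principals and missing conditions."""
    findings = []
    for stmt in trust_policy["Statement"]:
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if aws == "*" or (isinstance(aws, list) and "*" in aws):
            findings.append("wildcard principal can assume this role")
        if "Condition" not in stmt:
            findings.append("no Condition (e.g. MFA or ExternalId) on AssumeRole")
    return findings

# Constructed sample policies.
READ_S3 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": "arn:aws:s3:::example-bucket*"}]}
DENY_WITHOUT_MFA = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:*", "Resource": "*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}}]}
OFFICE_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]}
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "sts:AssumeRole",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}
BAD_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    pols = [READ_S3, DENY_WITHOUT_MFA]
    obj = "arn:aws:s3:::example-bucket/key"
    print(evaluate(pols, "s3:GetObject", obj, {"aws:MultiFactorAuthPresent": "true"}))
    print(evaluate(pols, "s3:GetObject", obj, {"aws:MultiFactorAuthPresent": "false"}))
    print(evaluate(pols, "s3:PutObject", obj, {"aws:MultiFactorAuthPresent": "true"}))
    print(trust_policy_findings(BAD_TRUST))
```

The Deny statement returns as soon as it matches, which is what "the most restrictive policy is applied" means in practice: an Allow elsewhere cannot rescue a request that an explicit Deny covers. The trust-policy lint reflects the delegation guidance above; the real policy simulator remains the tool to validate a policy against the live account.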
STS
The AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for IAM users or for users that you authenticate (federated users).
Temporary security credentials work almost identically to long-term access key credentials that IAM users can use, with the following differences:
• Temporary security credentials are short-term.
• They can be configured to last anywhere from a few minutes to several hours.
• After the credentials expire, AWS no longer recognizes them or allows any kind of access to API requests made with them.
• Temporary security credentials are not stored with the user but are generated dynamically and provided to the user when requested.
• When (or even before) the temporary security credentials expire, the user can request new credentials, as long as the user requesting them still has permission to do so.
Advantages of STS are:
• You do not have to distribute or embed long-term AWS security credentials with an application.
• You can provide access to your AWS resources to users without having to define an AWS identity for them (temporary security credentials are the basis for IAM Roles and ID Federation).
• The temporary security credentials have a limited lifetime, so you do not have to rotate them or explicitly revoke them when they're no longer needed.
• After temporary security credentials expire, they cannot be reused (you can specify how long the credentials are valid for, up to a maximum limit).
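To show how an application should treat the temporary credentials STS hands out (the access key ID, secret access key and session token mentioned earlier, plus an expiry), here is an added example that is not AWS SDK code and makes no network calls. It parses a response in the shape `aws sts get-session-token` returns, checks a requested DurationSeconds against the limits that apply to an IAM user (900 to 129600 seconds, which is the concrete form of "a few minutes to several hours"), and classifies a cached credential set as valid, due for early refresh, or expired. The response itself is constructed and its key ID, secret and token are placeholders.

```python
"""Handling of STS temporary credentials (added example, not AWS SDK code).
Parses a get-session-token style response, validates a requested
DurationSeconds against the IAM-user limits, and decides whether cached
credentials are still usable, should be refreshed early, or have expired
and must be discarded. SAMPLE_RESPONSE is constructed with placeholders."""
import json
from datetime import datetime, timedelta, timezone

# get-session-token limits for an IAM user: 15 minutes to 36 hours.
MIN_DURATION = 900
MAX_DURATION = 129600

def validate_duration(seconds):
    """Reject a DurationSeconds value STS would refuse for an IAM user."""
    if not MIN_DURATION <= seconds <= MAX_DURATION:
        raise ValueError(f"DurationSeconds must be {MIN_DURATION}..{MAX_DURATION}, got {seconds}")
    return seconds

def _parse_iso(value):
    """STS timestamps are ISO-8601 in UTC; accept the trailing 'Z' form too."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def parse_credentials(response_json):
    """Extract the credential triple and expiry from an STS JSON response."""
    creds = json.loads(response_json)["Credentials"]
    return {"access_key_id": creds["AccessKeyId"],
            "secret": creds["SecretAccessKey"],
            "session_token": creds["SessionToken"],   # must accompany every signed request
            "expires_at": _parse_iso(creds["Expiration"])}

def is_temporary_key(access_key_id):
    """Temporary key IDs start with ASIA; long-term IAM user keys start with AKIA."""
    return access_key_id.startswith("ASIA")

def credential_state(creds, now, refresh_margin=timedelta(minutes=5)):
    """'expired': discard; 'refresh': request new ones before they lapse; else 'valid'."""
    remaining = creds["expires_at"] - now
    if remaining <= timedelta(0):
        return "expired"
    if remaining <= refresh_margin:
        return "refresh"
    return "valid"

def credential_state_at(response_json, now_iso):
    """Convenience wrapper taking ISO-8601 strings (e.g. when replaying logs)."""
    return credential_state(parse_credentials(response_json), _parse_iso(now_iso))

# Constructed sample in the shape STS returns; every value is a placeholder.
SAMPLE_RESPONSE = json.dumps({"Credentials": {
    "AccessKeyId": "ASIAEXAMPLEPLACEHOLD",
    "SecretAccessKey": "placeholder-secret-access-key",
    "SessionToken": "placeholder-session-token",
    "Expiration": "2024-06-01T12:00:00Z"}})

if __name__ == "__main__":
    c = parse_credentials(SAMPLE_RESPONSE)
    print(is_temporary_key(c["access_key_id"]))
    print(credential_state(c, datetime(2024, 6, 1, 11, 0, tzinfo=timezone.utc)))
    print(credential_state(c, datetime(2024, 6, 1, 12, 30, tzinfo=timezone.utc)))
```

The refresh margin is what turns "when (or even before) the credentials expire, the user can request new credentials" into practice: an application that only reacts to a rejected call will see a burst of failures at expiry, whereas one that refreshes a few minutes early never presents an expired token.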
Users can come from three sources.
Federation (typically AD):
• Uses SAML 2.0.
• Grants temporary access based on the user's AD credentials.
• Does not need to be a user in IAM.
• Single sign-on allows users to log in to the AWS console without assigning IAM credentials.
Federation with Mobile Apps:
• Use Facebook/Amazon/Google or other OpenID providers to log in.
Cross Account Access:
• Lets users from one AWS account access resources in another.
• To make a request in a different account the resource in that account must have an attached resource-based policy with the permissions you need.
• Or you must assume a role (identity-based policy) within that account with the permissions you need.
IAM Best Practices
Lock away the AWS root user access keys.
Create individual IAM users.
Use AWS defined policies to assign permissions whenever possible.
Use groups to assign permissions to IAM users.
Grant least privilege.
Use access levels to review IAM permissions.
Configure a strong password policy for users.
Enable MFA.
Use roles for applications that run on AWS EC2 instances.
Delegate by using roles instead of sharing credentials.
Rotate credentials regularly.
Remove unnecessary credentials.
Use policy conditions for extra security.
Monitor activity in your AWS account.
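Several of the practices above (lock away root access keys, enable MFA, rotate credentials regularly, remove unnecessary credentials) can be checked mechanically from the IAM credential report. The following added example is not AWS code and does not call the API; it reads rows laid out like the credential report CSV (the column names are the report's, but the rows, user names and the 123456789012 account ID are constructed) and produces findings that a reviewer would act on.

```python
"""Review of IAM credentials against the best practices listed above
(added example; it does not call AWS). Input rows follow the layout of the
IAM credential report CSV, but SAMPLE_REPORT below is constructed and the
ARNs use a placeholder account ID."""
import csv
import io
from datetime import datetime, timedelta

ROTATION_DAYS = 90   # rotation window assumed for this example

SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2023-01-10T09:00:00+00:00,not_supported,2024-05-20T08:00:00+00:00,true,true,2023-01-10T09:05:00+00:00,2024-05-01T00:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2023-03-01T10:00:00+00:00,true,2024-05-30T07:00:00+00:00,true,true,2024-04-15T10:00:00+00:00,2024-05-29T00:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2023-03-01T10:00:00+00:00,true,2024-05-28T07:00:00+00:00,false,true,2023-11-01T10:00:00+00:00,2024-05-27T00:00:00+00:00,false,N/A,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2023-06-01T10:00:00+00:00,false,N/A,false,true,2024-05-01T10:00:00+00:00,N/A,true,2023-06-01T10:05:00+00:00,N/A
"""

def _parse_date(value):
    """Report dates are ISO-8601; N/A, no_information and not_supported mean none."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)

def review_credentials(report_csv, now):
    """Return a list of (user, finding) tuples for the rows in report_csv."""
    findings = []
    window = timedelta(days=ROTATION_DAYS)
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        # Console access (root always has it) without MFA.
        if row["mfa_active"] != "true" and (is_root or row["password_enabled"] == "true"):
            findings.append((user, "console access without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                findings.append((user, f"root access key {n} is active"))
            rotated = _parse_date(row[f"access_key_{n}_last_rotated"])
            if rotated is not None and now - rotated > window:
                findings.append((user, f"access key {n} older than {ROTATION_DAYS} days"))
            if _parse_date(row[f"access_key_{n}_last_used_date"]) is None:
                findings.append((user, f"access key {n} never used"))
        # An enabled console password nobody uses is an unnecessary credential.
        if not is_root and row["password_enabled"] == "true":
            last_used = _parse_date(row["password_last_used"])
            if last_used is None or now - last_used > window:
                findings.append((user, "console password unused beyond the rotation window"))
    return findings

def review_sample(now_iso="2024-06-01T00:00:00+00:00"):
    """Run the review on the constructed report for a fixed reference time."""
    return review_credentials(SAMPLE_REPORT, datetime.fromisoformat(now_iso))

if __name__ == "__main__":
    for user, finding in review_sample():
        print(f"{user}: {finding}")
```

Against the constructed rows the review flags the root user's active, long-lived access key, a console user without MFA holding a stale key, and a service account whose keys have never been used; the user with MFA and a recently rotated key produces nothing. The same logic applies unchanged to a real report once the CSV is obtained from IAM.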
AWS Compute
Amazon EC2
Amazon Elastic Compute Cloud (Amazon EC2) is a web service with which you can run virtual server "instances" in the cloud.
Amazon EC2 instances can run the Windows, Linux, or macOS operating systems.
The EC2 simple web service interface allows you to obtain and configure capacity with minimal friction.
EC2 is designed to make web-scale cloud computing easier for developers.
Amazon EC2 changes the economics of computing by allowing you to pay only for capacity that you actually use.
Amazon EC2 provides developers the tools to build failure-resilient applications and isolate them from common failure scenarios.
Benefits of EC2 include:
 Elastic Web-Scale computing – you can increase or decrease capacity within minutes, not hours, and commission one to thousands of instances simultaneously.
 Completely controlled – you have complete control, including root access to each instance, and can stop and start instances without losing data, all through web service APIs.
 Flexible Cloud Hosting Services – you can choose from multiple instance types, operating systems, and software packages, as well as instances with varying memory, CPU and storage configurations.
 Integrated – EC2 is integrated with most AWS services such as S3, RDS, and VPC to provide a complete, secure solution.
 Reliable – EC2 offers a highly reliable environment where replacement instances can be rapidly and predictably commissioned, with an SLA of 99.99% for each region.
 Secure – EC2 works in conjunction with VPC to provide a secure location with an IP address range you specify, and offers Security Groups, Network ACLs, and IPsec VPN features.
 Inexpensive – Amazon passes on the financial benefits of scale by charging very low rates on a capacity-consumed basis.
An Amazon Machine Image (AMI) is a special type of virtual appliance that is used to create a virtual machine within the Amazon Elastic Compute Cloud ("EC2").
An AMI includes the following:
 One or more EBS snapshots, or, for instance-store-backed AMIs, a template for the root volume of the instance (for example, an operating system, an application server, and applications).
 Launch permissions that control which AWS accounts can use the AMI to launch instances.
 A block device mapping that specifies the volumes to attach to the instance when it's launched.
AMIs come in three main categories:
 Community AMIs – free to use; generally you just select the operating system you want. Any account can publish one, so treat a community AMI as untrusted third-party code and verify the owner account before launching.
 AWS Marketplace AMIs – pay to use; generally come packaged with additional, licensed software.
 My AMIs – AMIs that you create yourself.
Metadata and User Data:
 User data is data that is supplied by the user at instance launch, typically in the form of a script that runs on first boot.
 Instance metadata is data about your instance that you can use to configure or manage the running instance.
 User data is limited to 16 KB (raw, before base64 encoding).
 User data and metadata are not encrypted, and any process on the instance that can reach the metadata endpoint can read them, so never place secrets in user data.
 Instance metadata is available at http://169.254.169.254/latest/meta-data.
 The same endpoint serves the temporary credentials of the instance's IAM role under /latest/meta-data/iam/security-credentials/, which is why server-side request forgery against an application on the instance is a classic route to credential theft. IMDSv2 mitigates this by requiring a session token, obtained with a PUT request, on every metadata read.
The Instance Metadata Query tool allows you to query the instance metadata without having to type out the full URI or category names.
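As an added example (not code from the original notes), the block below shows the IMDSv2 exchange the metadata section describes: a PUT to `/latest/api/token` with a TTL header, then GETs that carry the returned token. The HTTP transport is injected so the logic can be exercised off an EC2 instance; `fake_imds` is a constructed stand-in for the real endpoint with token enforcement on, and `SAMPLE_DESCRIBE` is constructed `describe-instances` output. The second function is the audit a practitioner runs after the fact: it lists instances whose `MetadataOptions.HttpTokens` is still `optional`, i.e. still answering token-less IMDSv1 requests.

```python
"""Instance metadata the IMDSv2 way, plus an audit for instances still allowing IMDSv1.

Added example, not from the original notes. fake_imds and SAMPLE_DESCRIBE are constructed.
"""
import json
import urllib.request

IMDS = "http://169.254.169.254"
TOKEN_TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"


def urllib_transport(method, url, headers, timeout=2):
    """Real transport: returns (status, body_text). Only works on an EC2 instance."""
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode()


def get_imds_token(transport=urllib_transport, ttl_seconds=21600):
    """Step 1 of IMDSv2: PUT for a session token (TTL up to six hours)."""
    status, body = transport("PUT", f"{IMDS}/latest/api/token",
                             {TOKEN_TTL_HEADER: str(ttl_seconds)})
    if status != 200:
        raise RuntimeError(f"IMDSv2 token request failed with HTTP {status}")
    return body


def get_metadata(path, token, transport=urllib_transport):
    """Step 2: GET /latest/meta-data/<path> with the token, e.g. path='instance-id'."""
    status, body = transport("GET", f"{IMDS}/latest/meta-data/{path}", {TOKEN_HEADER: token})
    if status != 200:
        raise RuntimeError(f"metadata {path!r} failed with HTTP {status}")
    return body


def imdsv1_enabled_instances(describe_instances_json):
    """From `aws ec2 describe-instances` output, return instance ids whose metadata
    endpoint is on but does not require tokens (HttpTokens != 'required')."""
    data = json.loads(describe_instances_json)
    weak = []
    for reservation in data.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint", "enabled") == "enabled" and opts.get("HttpTokens") != "required":
                weak.append(inst["InstanceId"])
    return weak


def fake_imds(method, url, headers, timeout=2):
    """Constructed transport behaving like IMDS with HttpTokens=required."""
    if method == "PUT" and url.endswith("/latest/api/token") and TOKEN_TTL_HEADER in headers:
        return 200, "AQAAAExampleToken=="
    if method == "GET" and headers.get(TOKEN_HEADER) == "AQAAAExampleToken==":
        if url.endswith("/meta-data/instance-id"):
            return 200, "i-0123456789abcdef0"
        if url.endswith("/meta-data/iam/security-credentials/"):
            return 200, "app-role"
        return 404, ""
    return 401, ""  # token-less (IMDSv1-style) request rejected


# Constructed describe-instances output: one hardened instance, one still on IMDSv1.
SAMPLE_DESCRIBE = json.dumps({"Reservations": [{"Instances": [
    {"InstanceId": "i-0123456789abcdef0",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
    {"InstanceId": "i-0fedcba9876543210",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
]}]})

if __name__ == "__main__":
    tok = get_imds_token(fake_imds)
    print("instance-id:", get_metadata("instance-id", tok, fake_imds))
    print("role name:", get_metadata("iam/security-credentials/", tok, fake_imds))
    print("IMDSv1 still allowed on:", imdsv1_enabled_instances(SAMPLE_DESCRIBE))
```

Swap `fake_imds` for the default `urllib_transport` on a real instance. To fix an instance the audit reports, run `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required`; note that this breaks any software on the instance that still reads metadata with a bare GET, so check the `MetadataNoToken` CloudWatch metric first.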
Pricing
On-demand:
 Good for users that want the low cost and flexibility of EC2 without any up-front payment or long-term commitment.
 Applications with short-term, spiky, or unpredictable workloads that cannot be interrupted.
 Applications being developed or tested on EC2 for the first time.
Reserved:
 Applications with steady-state or predictable usage.
 Applications that require reserved capacity.
 Users can make up-front payments to reduce their total computing costs even further.
 Standard Reserved Instances (RIs) provide up to 75% off the on-demand price.
 Convertible RIs provide up to 54% off the on-demand price and provide the capability to change the attributes of the RI, as long as the exchange results in the creation of RIs of equal or greater value.
 Scheduled RIs are available to launch within the time window you reserve. This option allows you to match your capacity reservation to a predictable recurring schedule that only requires a fraction of a day, a week, or a month.
Spot:
 Applications that have flexible start and end times.
 Applications that are only feasible at very low compute prices.
 Users with an urgent need for a large amount of additional compute capacity.
 If Amazon interrupts your instance within its first hour you are not charged for that hour; if you terminate it yourself you pay for the time used.
Dedicated hosts:
 Physical servers dedicated just for your use.
 You then have control over which instances are deployed on that host.
 Available as On-Demand or with a Dedicated Host Reservation.
 Useful if you have server-bound software licences that use metrics like per-core, per-socket, or per-VM.
 Each dedicated host can only run one EC2 instance size and type.
 Good for regulatory compliance or licensing requirements.
 Predictable performance.
 Complete isolation.
 Most expensive option.
 Billing is per host.
Dedicated instances:
 Virtualized instances on hardware just for you.
 Also uses physically dedicated EC2 servers.
 Does not provide the additional visibility and controls of dedicated hosts (e.g. how instances are placed on a server).
 Billing is per instance.
 May share hardware with other non-dedicated instances in the same account.
 Available as On-Demand, Reserved Instances, and Spot Instances.
 Costs an additional $2 per hour per region.
Savings Plans:
 Savings Plans is a flexible pricing model that provides savings of up to 72% on your AWS compute usage.
 This pricing model offers lower prices on Amazon EC2 instance usage, regardless of instance family, size, OS, tenancy or AWS Region.
 Also applies to AWS Fargate and AWS Lambda usage.
Instance Types
Amazon EC2 provides a wide selection of instance types optimized to fit different use cases.
Instance types comprise varying combinations of CPU, memory, storage, and networking capacity and give you the flexibility to choose the appropriate mix of resources for your applications.
Each instance type includes one or more instance sizes, allowing you to scale your resources to the requirements of your target workload.
The table below provides an overview of the different EC2 instance types:
Amazon Elastic Container Service (ECS)
Amazon Elastic Container Service (ECS) is another product in the AWS Compute category. It provides a highly scalable, high-performance container management service that supports Docker containers and allows you to easily run applications on a managed cluster of Amazon EC2 instances.
Amazon ECS eliminates the need for you to install, operate, and scale your own cluster management infrastructure.
Using API calls you can launch and stop container-enabled applications, query the complete state of clusters, and access many familiar features like security groups, Elastic Load Balancing, EBS volumes and IAM roles.
Amazon ECS can be used to schedule the placement of containers across clusters based on resource needs and availability requirements. An Amazon ECS launch type determines the type of infrastructure on which your tasks and services are hosted.
There are two launch types (EC2 and Fargate) and the table below describes some of the differences between the two launch types:
The Elastic Container Registry (ECR) is a managed AWS Docker registry service for storing, managing and deploying Docker images.
There is no additional charge for Amazon ECS. You pay for the AWS resources (e.g. EC2 instances or EBS volumes) you create to store and run your application.
Amazon ECR is integrated with Amazon Elastic Container Service (ECS).
With Amazon ECR, there are no upfront fees or commitments. You pay only for the amount of data you store in your repositories and data transferred to the Internet.
AWS Lambda
AWS Lambda is a serverless computing technology that allows you to run code without provisioning or managing servers.
AWS Lambda executes code only when needed and scales automatically.
You pay only for the compute time you consume (you pay nothing when your code is not running).
Benefits of AWS Lambda:
 No servers to manage.
 Continuous scaling.
 Subsecond metering.
 Integrates with almost all other AWS services.
Primary use cases for AWS Lambda:
 Data processing.
 Real-time file processing.
 Real-time stream processing.
 Build serverless backends for web, mobile, IoT, and 3rd party API requests.
Amazon Lightsail (Amazon Lightsail Instances)
Amazon Lightsail is one of the newest services in the AWS Compute suite of products. Amazon Lightsail is great for users who do not have deep AWS technical expertise, as it makes it very easy to provision compute services.
Amazon Lightsail provides developers compute, storage, and networking capacity and capabilities to deploy and manage websites, web applications, and databases in the cloud.
Amazon Lightsail includes everything you need to launch your project quickly – a virtual machine, SSD-based storage, data transfer, DNS management, and a static IP.
Amazon Lightsail provides preconfigured virtual private servers (instances) that include everything required to deploy an application or create a database.
The underlying infrastructure and operating system is managed by Amazon Lightsail.
Best suited to projects that require a few dozen instances or fewer.
Provides a simple management interface.
Good for blogs, websites, web applications, e-commerce etc.
Can deploy load balancers and attach block storage.
Public API.
Limited to 20 Amazon Lightsail instances, 5 static IPs, 3 DNS zones, 20 TB block storage, 40 databases, and 5 load balancers per account.
Up to 20 certificates per calendar year.
Can connect to each other and other AWS resources through public Internet and private (VPC peering) networking.
Application templates include WordPress, WordPress Multisite, Drupal, Joomla!, Magento, Redmine, LAMP, Nginx (LEMP), MEAN, Node.js, and more.
Amazon Lightsail currently supports 6 Linux or Unix-like distributions: Amazon Linux, CentOS, Debian, FreeBSD, OpenSUSE, and Ubuntu, as well as 2 Windows Server versions: 2012 R2 and 2016.
Amazon Lightsail Databases
Amazon Lightsail databases are instances that are dedicated to running databases.
An Amazon Lightsail database can contain multiple user-created databases, and you can access it by using the same tools and applications that you use with a stand-alone database.
Amazon Lightsail managed databases provide an easy, low-maintenance way to store your data in the cloud. Amazon Lightsail manages a range of maintenance activities and security for your database and its underlying infrastructure.
Amazon Lightsail automatically backs up your database and allows point-in-time restore from the past 7 days using the database restore tool. Amazon Lightsail databases support the latest major versions of MySQL. Currently, these versions are 5.6, 5.7, and 8.0 for MySQL. Amazon Lightsail databases are available in Standard and High Availability plans.
High Availability plans add redundancy and durability to your database by automatically creating a standby database in a separate Availability Zone. Amazon Lightsail is very affordable. Amazon Lightsail plans are billed on an on-demand hourly rate, so you pay only for what you use. For every Amazon Lightsail plan you use, you are charged the fixed hourly price, up to the maximum monthly plan cost.
AWS Elastic Beanstalk
AWS Elastic Beanstalk is the fastest and simplest way to get web applications up and running on AWS. Developers simply upload their application code and the service automatically handles all the details such as resource provisioning, load balancing, auto-scaling, and monitoring. Elastic Beanstalk is ideal if you have a PHP, Java, Python, Ruby, Node.js, .NET, Go, or Docker web application. Elastic Beanstalk uses core AWS services such as Amazon EC2, Amazon Elastic Container Service (Amazon ECS), Auto Scaling, and Elastic Load Balancing to easily support applications that need to scale to serve millions of users.
AWS Batch
AWS Batch enables developers, scientists, and engineers to easily and efficiently run hundreds of thousands of batch computing jobs on AWS.
AWS Batch dynamically provisions the optimal quantity and type of compute resources (e.g., CPU or memory optimized instances) based on the volume and specific resource requirements of the batch jobs submitted.
AWS Storage
Amazon Simple Storage Service (S3)
Amazon S3 is object storage built to store and retrieve any amount of data from anywhere – web sites and mobile apps, corporate applications, and data from IoT sensors or devices.
You can store any type of file in S3. S3 is designed to deliver 99.999999999% durability, and stores data for millions of applications used by market leaders in every industry.
S3 provides comprehensive security and compliance capabilities that meet even the most stringent regulatory requirements.
S3 gives customers flexibility in the way they manage data for cost optimization, access control, and compliance.
Typical use cases include:
 Backup and Storage – provide data backup and storage services for others.
 Application Hosting – provide services that deploy, install, and manage web applications.
 Media Hosting – build a redundant, scalable, and highly available infrastructure that hosts video, photo, or music uploads and downloads.
 Software Delivery – host your software applications that customers can download.
 Static Website – you can configure a static website to run from an S3 bucket.
S3 provides query-in-place functionality, allowing you to run powerful analytics directly on your data at rest in S3. And Amazon S3 is the most supported cloud storage service available, with integration from the largest community of third-party solutions, systems integrator partners, and other AWS services. Objects can be anywhere from 0 bytes to 5 TB. There is unlimited storage available.
Files are stored as objects in buckets. A bucket is the top-level container. S3 itself has a flat namespace: what the console shows as a "folder" inside a bucket is simply a shared key-name prefix ending in a delimiter, not a real directory. S3 uses a universal namespace, so bucket names must be unique globally.
There are six S3 storage classes:
 S3 Standard (durable, immediately available, frequently accessed).
 S3 Intelligent-Tiering (automatically moves data to the most cost-effective tier).
 S3 Standard-IA (durable, immediately available, infrequently accessed).
 S3 One Zone-IA (lower cost for infrequently accessed data with less resilience).
 S3 Glacier (archived data, retrieval times in minutes or hours).
 S3 Glacier Deep Archive (lowest cost storage class for long-term retention).
The table below provides the details of each Amazon S3 storage class:
When you successfully upload a file to S3 you receive an HTTP 200 code.
S3 is a persistent, highly durable data store.
Persistent data stores are non-volatile storage systems that retain data when powered off.
This is in contrast to transient data stores and ephemeral data stores, which lose the data when powered off.
The following table provides a description of persistent, transient and ephemeral data stores and which AWS service to use:
Bucket names must follow a set of rules:
 Names must be unique across all of AWS.
 Names must be 3 to 63 characters in length.
 Names can only contain lowercase letters, numbers and hyphens (periods are technically permitted but break virtual-hosted-style HTTPS access, so avoid them).
 Names must begin and end with a letter or number.
 Names cannot be formatted as an IP address.
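The naming rules above, as an added Python validator (example code, not from the original notes). It returns every rule the name breaks rather than stopping at the first, which is what you want when validating names from a template or CI pipeline; the period warning is advisory, since S3 accepts such names but the virtual-hosted-style endpoint cannot present a valid certificate for them.

```python
"""S3 bucket name validator. Added example, not from the original notes."""
import ipaddress
import re

ALLOWED_CHARS = re.compile(r"[a-z0-9.-]+")


def bucket_name_problems(name):
    """Return the list of naming-rule violations (and the period warning) for a bucket name.
    An empty list means the name is acceptable."""
    problems = []
    if not 3 <= len(name) <= 63:
        problems.append("length must be 3-63 characters")
    if not ALLOWED_CHARS.fullmatch(name):
        problems.append("only lowercase letters, digits, hyphens and periods are allowed")
    elif not (name[0].isalnum() and name[-1].isalnum()):
        problems.append("must begin and end with a letter or digit")
    try:
        ipaddress.IPv4Address(name)      # only succeeds for dotted-quad names
        problems.append("must not be formatted as an IP address")
    except ValueError:
        pass
    if "." in name:
        problems.append("avoid periods: they break virtual-hosted-style HTTPS access")
    return problems


if __name__ == "__main__":
    # Constructed names for this example.
    for candidate in ("my-logs-2024", "ab", "MyBucket", "-logs-", "192.168.0.1", "data.prod"):
        print(f"{candidate!r}: {bucket_name_problems(candidate) or 'ok'}")
```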
Objects consist of:
 Key (name of the object).
 Value (data made up of a sequence of bytes).
 Version ID (used for versioning).
 Metadata (data about the data that is stored).
Subresources:
 Access control lists.
 Torrent.
Object sharing – the ability to make any object publicly available via a URL.
Lifecycle management – set rules to transfer objects between storage classes at defined time intervals.
Versioning – automatically keep multiple versions of an object (when enabled).
Encryption can be enabled for a bucket; new objects are now encrypted with SSE-S3 by default, and SSE-KMS can be required. Access is controlled using ACLs and bucket policies. New buckets now have ACLs disabled and Block Public Access enabled by default, so bucket policies are the primary access-control mechanism and any Allow to Principal "*" deserves review.
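The following is an added example, not code from the original notes, showing what "secured using bucket policies" looks like in practice. `hardened_bucket_policy` builds a policy that denies plaintext HTTP (`aws:SecureTransport` false) and denies `PutObject` requests that do not ask for SSE-KMS; `policy_gaps` reports which of those two controls an existing policy lacks; and `public_allow_statements` spots the "object sharing" pattern, an Allow to every principal. Bucket names and the public-read sample policy are constructed for this example.

```python
"""Hardened S3 bucket policy and a gap check. Added example, not from the original notes.

Bucket names are placeholders; PUBLIC_READ_POLICY is constructed.
"""
import json


def hardened_bucket_policy(bucket):
    """Build a bucket policy that denies plaintext HTTP and unencrypted uploads."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": [arn, f"{arn}/*"],
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
            {"Sid": "DenyUnencryptedPuts", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": f"{arn}/*",
             "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        ],
    }


def _statements(policy):
    stmts = policy.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def policy_gaps(policy):
    """Return the hardening controls a bucket policy does not contain (sorted names)."""
    present = set()
    for stmt in _statements(policy):
        if stmt.get("Effect") != "Deny":
            continue
        cond = stmt.get("Condition", {})
        if cond.get("Bool", {}).get("aws:SecureTransport") == "false":
            present.add("tls-only")
        if "s3:x-amz-server-side-encryption" in cond.get("StringNotEquals", {}):
            present.add("sse-required")
    return sorted({"tls-only", "sse-required"} - present)


def public_allow_statements(policy):
    """Sids of Allow statements open to every principal (the 'object sharing' case)."""
    hits = []
    for stmt in _statements(policy):
        principal = stmt.get("Principal")
        is_everyone = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if stmt.get("Effect") == "Allow" and is_everyone:
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


# Constructed policy of the kind found on a bucket serving a static website.
PUBLIC_READ_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-site/*"}]}

if __name__ == "__main__":
    print(json.dumps(hardened_bucket_policy("example-logs"), indent=2))
    print("gaps in public-read policy:", policy_gaps(PUBLIC_READ_POLICY))
    print("public statements:", public_allow_statements(PUBLIC_READ_POLICY))
```

Two caveats when applying the generated policy. `StringNotEquals` evaluates as true when the request omits the header, so `DenyUnencryptedPuts` rejects clients that rely on default bucket encryption instead of sending `x-amz-server-side-encryption: aws:kms` explicitly; if that is not the intent, set default encryption to SSE-KMS and drop the statement. And a bucket policy is only one layer: account- and bucket-level Block Public Access should stay on unless the bucket genuinely serves a public website.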
Tiers:
 S3 Standard.
 S3-IA.
 S3 One Zone-IA.
 Glacier.
Charges:
 Storage.
 Requests.
 Storage management pricing.
 Data transfer pricing.
 Transfer acceleration.
When you create a bucket you need to select the region where it will be created.
It is a best practice to create buckets in regions that are physically closest to your users to reduce latency.
Additional capabilities offered by Amazon S3 include:
AWS Snowball
With AWS Snowball (Snowball), you can transfer hundreds of terabytes or petabytes of data between your on-premises data centers and Amazon Simple Storage Service (Amazon S3).
Uses a secure storage device for physical transportation.
The AWS Snowball Client is software that is installed on a local computer and is used to identify, compress, encrypt, and transfer data.
Uses 256-bit encryption (with keys managed in AWS KMS) and tamper-resistant enclosures with a TPM.
Snowball (80 TB) (a 50 TB model is available only in the USA).
Snowball Edge (100 TB) comes with onboard storage and compute capabilities.
Snowmobile – exabyte scale, with up to 100 PB per Snowmobile.
Snowcone is a small device used for edge computing, storage and data transfer.
Snowball can import to S3 or export from S3.
Import/Export is when you send your own disks into AWS – this is being deprecated in favour of Snowball.
Snowball must be ordered from and returned to the same region.
To speed up data transfer it is recommended to run simultaneous instances of the AWS Snowball Client in multiple terminals and transfer small files as batches.
Amazon Elastic Block Store (EBS)
Amazon Elastic Block Store (Amazon EBS) provides persistent block storage volumes for use with Amazon EC2 instances in the AWS Cloud.
Each Amazon EBS volume is automatically replicated within its Availability Zone to protect you from component failure, offering high availability and durability.
Amazon EBS volumes offer the consistent and low-latency performance needed to run your workloads. With Amazon EBS, you can scale your usage up or down within minutes – all while paying a low price for only what you provision.
The following table shows a comparison of a few EBS volume types:
EBS volume data persists independently of the life of the instance. EBS volumes do not need to be attached to an instance. You can attach multiple EBS volumes to an instance. You cannot attach an EBS volume to multiple instances (use Amazon Elastic File System instead; the exception is EBS Multi-Attach, which is limited to io1/io2 volumes and instances in the same AZ). EBS volumes must be in the same AZ as the instances they are attached to. Two separate settings are easy to confuse here: termination protection is turned off by default and, when enabled, prevents the instance from being terminated through the API or console at all; whether a volume survives a termination is controlled by the volume's "DeleteOnTermination" attribute. Root EBS volumes are deleted on termination by default. Extra non-boot volumes are not deleted on termination by default. The behavior can be changed by altering the "DeleteOnTermination" attribute.
EBS Snapshots:
 Snapshots capture a point-in-time state of a volume. Snapshots are stored in S3 (managed by AWS; they do not appear in your buckets).
 Does not provide granular backup (not a replacement for backup software).
 If you make periodic snapshots of a volume, the snapshots are incremental, which means that only the blocks on the device that have changed after your last snapshot are saved in the new snapshot.
 Even though snapshots are saved incrementally, the snapshot deletion process is designed so that you need to retain only the most recent snapshot in order to restore the volume.
 Snapshots can only be accessed through the EC2 APIs. EBS volumes are AZ specific but snapshots are region specific.
INSTANCE STORES
Instance store volumes are high-performance local disks that are physically attached to the host computer on which an EC2 instance runs.
Instance stores are ephemeral, which means the data is lost when the instance is stopped or terminated (non-persistent).
Instance stores are ideal for temporary storage of information that changes frequently, such as buffers, caches, or scratch data.
Instance store volume root devices are created from AMI templates stored on S3.
Instance store volumes cannot be detached/reattached.
Amazon Elastic File System (EFS)
EFS is a fully-managed service that makes it easy to set up and scale file storage in the Amazon Cloud.
Good for big data and analytics, media processing workflows, content management, web serving, home directories etc.
EFS uses the NFS protocol.
Pay for what you use (no pre-provisioning required).
Can scale up to petabytes.
EFS is elastic and grows and shrinks as you add and remove data.
Can concurrently connect 1 to 1000s of EC2 instances, from multiple AZs.
A file system can be accessed concurrently from all AZs in the region where it is located.
By default you can create up to 10 file systems per account (a quota that can be raised).
On-premises access can be enabled via Direct Connect or AWS VPN.
Can choose General Purpose or Max I/O (both SSD).
The VPC of the connecting instance must have DNS hostnames enabled.
EFS provides a file system interface and file system access semantics (such as strong consistency and file locking).
Data is stored across multiple AZs within a region.
Read-after-write consistency.
Need to create mount targets and choose the AZs to include (recommended to include all AZs). Access to a mount target is controlled by its security group, so limit NFS (TCP 2049) to the instances that should mount the file system.
Instances can be behind an ELB.
There are two performance modes:
 "General Purpose" performance mode is appropriate for most file systems.
 "Max I/O" performance mode is optimized for applications where tens, hundreds, or thousands of EC2 instances are accessing the file system.
Amazon EFS is designed to burst to allow high throughput levels for periods of time.
AWS Storage Gateway
AWS Storage Gateway is a hybrid cloud storage service that gives you on-premises access to virtually unlimited cloud storage. Customers use Storage Gateway to simplify storage management and reduce costs for key hybrid cloud storage use cases.
These include moving backups to the cloud, using on-premises file shares backed by cloud storage, and providing low-latency access to data in AWS for on-premises applications.
To support these use cases, Storage Gateway offers three different types of gateways:
 File Gateway – provides file system interfaces (NFS/SMB) to on-premises servers, backed by S3.
 Volume Gateway – provides block-based (iSCSI) access for on-premises servers.
 Tape Gateway – provides a virtual tape library that is compatible with common backup software (block and file interfaces).
AWS Networking
Amazon Virtual Private Cloud (VPC)
A virtual private cloud (VPC) is a virtual network dedicated to your AWS account. It is analogous to having your own data center inside AWS. It is logically isolated from other virtual networks in the AWS Cloud. It provides complete control over the virtual networking environment, including selection of IP ranges, creation of subnets, and configuration of route tables and gateways.
You can launch your AWS resources, such as Amazon EC2 instances, into your VPC.
When you create a VPC, you must specify a range of IPv4 addresses for the VPC in the form of a Classless Inter-Domain Routing (CIDR) block; for example, 10.0.0.0/16.
This is the primary CIDR block for your VPC. A VPC spans all the Availability Zones in the region.
You have full control over who has access to the AWS resources inside your VPC.
You can create your own IP address ranges, and create subnets, route tables and network gateways.
When you first create your AWS account a default VPC is created for you in each AWS region, with a subnet in each AZ. By default you can create up to 5 VPCs per region.
You can define dedicated tenancy for a VPC to ensure instances are launched on dedicated hardware (overrides the configuration specified at launch).
The default VPC has all-public subnets.
Public subnets are subnets that have:
 "Auto-assign public IPv4 address" set to "Yes".
 A route in the subnet route table to an attached Internet Gateway.
Instances in the default VPC always have both a public and private IP address.
AZ names are mapped to different zones for different accounts (i.e. the AZ "ap-southeast-2a" may map to a different physical zone for a different account).
Components of a VPC:
 A Virtual Private Cloud: a logically isolated virtual network in the AWS cloud. You define a VPC's IP address space from ranges you select.
 Subnet: a segment of a VPC's IP address range where you can place groups of isolated resources (maps to an AZ, 1:1).
 Internet Gateway: the Amazon VPC side of a connection to the public Internet.
 NAT Gateway: a highly available, managed Network Address Translation (NAT) service for your resources in a private subnet to access the Internet.
 Hardware VPN Connection: a hardware-based VPN connection between your Amazon VPC and your data center, home network, or co-location facility.
 Virtual Private Gateway: the Amazon VPC side of a VPN connection.
 Customer Gateway: your side of a VPN connection.
 Router: routers interconnect subnets and direct traffic between Internet gateways, virtual private gateways, NAT gateways, and subnets.
 Peering Connection: a peering connection enables you to route traffic via private IP addresses between two peered VPCs.
 VPC Endpoints: enables private connectivity to services hosted in AWS from within your VPC without using an Internet Gateway, VPN, Network Address Translation (NAT) devices, or firewall proxies.
 Egress-only Internet Gateway: a stateful gateway to provide egress-only access for IPv6 traffic from the VPC to the Internet.
Options for securely connecting to a VPC are:
 AWS managed VPN – fast to set up.
 Direct Connect – high bandwidth, low latency, but takes weeks to months to set up.
 VPN CloudHub – used for connecting multiple sites to AWS.
 Software VPN – use 3rd party software.
An Elastic Network Interface (ENI) is a logical networking component that represents a NIC.
ENIs can be attached to and detached from EC2 instances, and the configuration of the ENI will be maintained.
Flow Logs capture information about the IP traffic going to and from network interfaces in a VPC.
Flow log data is stored using Amazon CloudWatch Logs (Amazon S3 is also supported as a destination).
Flow logs can be created at the following levels:
 VPC.
 Subnet.
 Network interface.
Peering connections can be created with VPCs in different regions (available in most regions now).
Subnets
After creating a VPC, you can add one or more subnets in each Availability Zone.
When you create a subnet, you specify the CIDR block for the subnet, which is a subset of the VPC CIDR block.
Each subnet must reside entirely within one Availability Zone and cannot span zones.
Types of subnet:
 If a subnet's traffic is routed to an internet gateway, the subnet is known as a public subnet.
 If a subnet doesn't have a route to the internet gateway, the subnet is known as a private subnet.
 If a subnet doesn't have a route to the internet gateway, but has its traffic routed to a virtual private gateway for a VPN connection, the subnet is known as a VPN-only subnet.
An Internet Gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the internet.
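The subnet rules above (a subnet CIDR is a subset of the VPC CIDR and lives in exactly one AZ) are easy to get wrong when a layout is written by hand. As an added example, not code from the original notes, the block below checks a proposed layout with the standard library's `ipaddress` module: each subnet must sit inside the VPC block, subnets must not overlap, and each must be between /16 and /28 (the VPC limits); it also counts usable addresses, since AWS reserves the first four and the last address of every subnet. The two layouts are constructed for this example.

```python
"""Check a VPC subnet layout. Added example, not from the original notes.

The layouts at the bottom are constructed for this example.
"""
import ipaddress


def validate_subnet_layout(vpc_cidr, subnets):
    """subnets: list of (name, cidr, availability_zone). Returns a list of problems (empty = OK)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    problems, seen = [], []
    for name, cidr, az in subnets:
        net = ipaddress.ip_network(cidr)          # strict: host bits set raises ValueError
        if not net.subnet_of(vpc):
            problems.append(f"{name} ({cidr}) is not inside VPC CIDR {vpc_cidr}")
        if not 16 <= net.prefixlen <= 28:
            problems.append(f"{name} ({cidr}) must be between /16 and /28")
        for other_name, other_net, other_az in seen:
            if net.overlaps(other_net):
                problems.append(f"{name} ({cidr}, {az}) overlaps {other_name} ({other_net}, {other_az})")
        seen.append((name, net, az))
    return problems


def usable_addresses(cidr):
    """Addresses an instance can actually take: AWS reserves 5 per subnet."""
    return ipaddress.ip_network(cidr).num_addresses - 5


def azs_covered(subnets):
    """Distinct AZs in the layout; a single AZ means no zone-level redundancy."""
    return sorted({az for _, _, az in subnets})


GOOD_LAYOUT = [("public-a", "10.0.0.0/24", "ap-southeast-2a"),
               ("public-b", "10.0.1.0/24", "ap-southeast-2b"),
               ("private-a", "10.0.10.0/23", "ap-southeast-2a"),
               ("private-b", "10.0.12.0/23", "ap-southeast-2b")]
BAD_LAYOUT = [("public-a", "10.0.0.0/24", "ap-southeast-2a"),
              ("private-a", "10.0.0.0/25", "ap-southeast-2a"),    # overlaps public-a
              ("db-a", "10.1.0.0/24", "ap-southeast-2a")]         # outside the VPC

if __name__ == "__main__":
    print(validate_subnet_layout("10.0.0.0/16", GOOD_LAYOUT))
    print(validate_subnet_layout("10.0.0.0/16", BAD_LAYOUT))
    print(usable_addresses("10.0.0.0/24"), azs_covered(BAD_LAYOUT))
```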
Firewalls
Network Access Control Lists (ACLs) provide a firewall/security layer at the subnet level. They are stateless (return traffic must be explicitly allowed) and contain both allow and deny rules, evaluated in order of rule number with the first match winning.
Security Groups provide a firewall/security layer at the instance (ENI) level. They are stateful and contain allow rules only: all rules are evaluated, and anything not explicitly allowed is denied.
The table below describes some differences between Security Groups and Network ACLs:
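As an added example, not code from the original notes, the block below models the two evaluation semantics side by side so the differences are concrete: a security group is allow-only, stateful and order-independent; a network ACL is numbered, first-match, has an implicit final deny, and because it is stateless the server's reply needs its own outbound rule covering the client's ephemeral port. The rule sets are constructed for a public web subnet; the last case shows why a deny rule numbered after the matching allow never fires.

```python
"""Security group vs network ACL evaluation. Added example, not from the original notes.

Rule sets below are constructed for this example.
"""
import ipaddress


def _match(rule, ip, port, proto="tcp"):
    return (rule["protocol"] in (proto, "all")
            and rule["port_from"] <= port <= rule["port_to"]
            and ipaddress.ip_address(ip) in ipaddress.ip_network(rule["cidr"]))


def security_group_allows(sg_rules, ip, port):
    """Any matching allow rule permits the traffic; otherwise it is dropped."""
    return any(_match(r, ip, port) for r in sg_rules)


def nacl_decision(nacl_rules, ip, port):
    """First matching rule by ascending rule number decides; the implicit '*' rule denies."""
    for r in sorted(nacl_rules, key=lambda r: r["rule_number"]):
        if _match(r, ip, port):
            return r["action"]
    return "deny"


def inbound_tcp_session_ok(sg_in, nacl_in, nacl_out, client_ip, server_port, client_port):
    """A client connection must pass the subnet NACL inbound, the instance SG inbound, and
    (because the NACL is stateless) the NACL outbound for the reply to the client's port."""
    if nacl_decision(nacl_in, client_ip, server_port) != "allow":
        return False, "NACL denies inbound"
    if not security_group_allows(sg_in, client_ip, server_port):
        return False, "security group denies inbound"
    if nacl_decision(nacl_out, client_ip, client_port) != "allow":
        return False, "NACL denies the reply (missing ephemeral-port outbound rule)"
    return True, "allowed"


def rule(number, action, port_from, port_to, cidr, protocol="tcp"):
    return {"rule_number": number, "action": action, "protocol": protocol,
            "port_from": port_from, "port_to": port_to, "cidr": cidr}


SG_WEB = [rule(None, "allow", 443, 443, "0.0.0.0/0")]               # SG rules are unnumbered
NACL_IN = [rule(90, "deny", 0, 65535, "198.51.100.0/24"),           # blocked range, before the allow
           rule(100, "allow", 443, 443, "0.0.0.0/0")]
NACL_OUT = [rule(100, "allow", 1024, 65535, "0.0.0.0/0")]           # replies to client ephemeral ports
NACL_OUT_BROKEN = []                                                # only the implicit deny

if __name__ == "__main__":
    print(inbound_tcp_session_ok(SG_WEB, NACL_IN, NACL_OUT, "203.0.113.9", 443, 55000))
    print(inbound_tcp_session_ok(SG_WEB, NACL_IN, NACL_OUT, "198.51.100.7", 443, 55000))
    print(inbound_tcp_session_ok(SG_WEB, NACL_IN, NACL_OUT_BROKEN, "203.0.113.9", 443, 55000))
    # The same deny numbered 110 sits after the allow at 100 and never fires.
    late_deny = [rule(100, "allow", 443, 443, "0.0.0.0/0"), rule(110, "deny", 0, 65535, "198.51.100.0/24")]
    print(nacl_decision(late_deny, "198.51.100.7", 443))
```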
VPC Wizard
The VPC Wizard can be used to create the following four configurations:
VPC with a Single Public Subnet:
 Your instances run in a private, isolated section of the AWS cloud with direct access to the Internet.
 Network access control lists and security groups can be used to provide strict control over inbound and outbound network traffic to your instances.
 Creates a /16 network with a /24 subnet. Public subnet instances use Elastic IPs or Public IPs to access the Internet.
VPC with Public and Private Subnets:
 In addition to containing a public subnet, this configuration adds a private subnet whose instances are not addressable from the Internet.
 Instances in the private subnet can establish outbound connections to the Internet via the public subnet using Network Address Translation (NAT).
 Creates a /16 network with two /24 subnets.
 Public subnet instances use Elastic IPs to access the Internet.
 Private subnet instances access the Internet via Network Address Translation (NAT).
VPC with Public and Private Subnets and Hardware VPN Access:
 This configuration adds an IPsec Virtual Private Network (VPN) connection between your Amazon VPC and your data center – effectively extending your data center to the cloud while also providing direct access to the Internet for public subnet instances in your Amazon VPC.
 Creates a /16 network with two /24 subnets.
 One subnet is directly connected to the Internet while the other subnet is connected to your corporate network via an IPsec VPN tunnel.
VPC with a Private Subnet Only and Hardware VPN Access:
 Your instances run in a private, isolated section of the AWS cloud with a private subnet whose instances are not addressable from the Internet.
 You can connect this private subnet to your corporate data center via an IPsec Virtual Private Network (VPN) tunnel.
 Creates a /16 network with a /24 subnet and provisions an IPsec VPN tunnel between your Amazon VPC and your corporate network.
NAT Instances
NAT instances are managed by you. They are used to enable private subnet instances to access the Internet. When creating NAT instances always disable the source/destination check on the instance. NAT instances must be in a single public subnet. NAT instances need to be assigned to security groups.
NAT Gateways
NAT gateways are managed for you by AWS. NAT gateways are highly available in each AZ into which they are deployed. They are preferred by enterprises. They scale automatically (historically up to 45 Gbps, now up to 100 Gbps). No need to patch. Not associated with any security groups, so traffic through a NAT gateway is filtered only by the network ACL of its subnet and by the security groups of the instances behind it.
The table below describes some differences between NAT instances and NAT gateways:
Direct Connect
AWS Direct Connect is a network service that provides an alternative to using the Internet to connect a customer's on-premises sites to AWS.
Data is transmitted through a private network connection between AWS and a customer's datacenter or corporate network. A Direct Connect link is private but not encrypted by itself; run an IPsec VPN over it (or use MACsec on supported dedicated connections) when confidentiality is required.
Benefits:
 Reduce cost when using large volumes of traffic.
 Increase reliability (predictable performance).
 Increase bandwidth (predictable bandwidth).
 Decrease latency.
Each AWS Direct Connect connection can be configured with one or more virtual interfaces (VIFs). Public VIFs allow access to public services such as S3, EC2, and DynamoDB. Private VIFs allow access to your VPC. From Direct Connect you can connect to all AZs within the Region.
You can establish IPsec connections over public VIFs to remote regions. Direct Connect is charged by port hours and data transfer. Dedicated connections are available at 1 Gbps and 10 Gbps (100 Gbps is also offered).
Speeds of 50 Mbps, 100 Mbps, 200 Mbps, 300 Mbps, 400 Mbps, and 500 Mbps can be purchased through AWS Direct Connect Partners.
Each connection consists of a single dedicated connection between ports on the customer router and an Amazon router. For HA you must have 2 DX connections – these can be active/active or active/standby.
Route tables need to be updated to point to a Direct Connect connection.
AWS Global Accelerator
AWS Global Accelerator is a service that improves the availability and performance of applications with local or global users.
It provides static IP addresses that act as a fixed entry point to application endpoints in a single or multiple AWS Regions, such as Application Load Balancers, Network Load Balancers or EC2 instances.
Uses the AWS global network to optimize the path from users to applications, improving the performance of TCP and UDP traffic.
AWS Global Accelerator continually monitors the health of application endpoints and will detect an unhealthy endpoint and redirect traffic to healthy endpoints in less than 1 minute.
Details and Benefits
Uses redundant (two) static anycast IP addresses in different network zones (A and B). The redundant pair are globally advertised.
Uses AWS Edge Locations – addresses are announced from multiple edge locations at the same time. Addresses are associated to regional AWS resources or endpoints.
AWS Global Accelerator's IP addresses serve as the frontend interface of applications.
Intelligent traffic distribution: routes connections to the closest point of presence for applications.
Targets can be Amazon EC2 instances or Elastic Load Balancers (ALB and NLB).
By using the static IP addresses, you don't need to make any client-facing changes or update DNS records as you modify or replace endpoints.
The addresses are assigned to your accelerator for as long as it exists, even if you disable the accelerator and it no longer accepts or routes traffic.
AWS Outposts
AWS Outposts is a fully managed service that offers the same AWS infrastructure, AWS services, APIs, and tools to virtually any datacenter, co-location space, or on-premises facility for a truly consistent hybrid experience.
AWS Outposts is ideal for workloads that require low-latency access to on-premises systems, local data processing, data residency, and migration of applications with local system interdependencies.
AWS compute, storage, database, and other services run locally on Outposts, and you can access the full range of AWS services available in the Region to build, manage, and scale your on-premises applications using familiar AWS services and tools.
Outposts is available as a 42U rack that can scale from 1 rack to 96 racks to create pools of compute and storage capacity.
Services you can run on AWS Outposts include:
 Amazon EC2, Amazon EBS, Amazon S3, Amazon VPC, Amazon ECS/EKS, Amazon RDS and Amazon EMR.
AWS Databases
Use Cases For Different Database Types
The table below provides guidance on the typical use cases for several AWS database/datastore services:
We'll now cover several of these database types that may come up on the exam.
Amazon Relational Database Service (RDS)
Amazon Relational Database Service (Amazon RDS) is a managed service that makes it easy to set up, operate, and scale a relational database in the cloud.
Relational databases are known as Structured Query Language (SQL) databases.
Non-relational databases are known as NoSQL databases.
RDS is an Online Transaction Processing (OLTP) type of database.
RDS features and benefits:
 SQL type of database.
 Can be used to perform complex queries and joins.
 Easy to set up, highly available, fault tolerant, and scalable.
 Used when data is clearly defined.
 Common use cases include online stores and banking systems.
Amazon RDS supports the following database engines:
 SQL Server.
 Oracle.
 MySQL.
 PostgreSQL.
 Aurora.
 MariaDB.
Aurora is Amazon's proprietary database.
RDS is a fully managed service and you do not have access to the underlying EC2 instance (no root access).
The RDS service includes the following:
 Security and patching of the DB instances.
 Automated backup for the DB instances.
 Software updates for the DB engine.
 Easy scaling for storage and compute.
 Multi-AZ option with synchronous replication.
 Automatic failover for the Multi-AZ option.
 Read replicas option for read-heavy workloads.
A DB instance is a database environment in the cloud with the compute and storage resources you specify.
Encryption:
 You can encrypt your Amazon RDS instances and snapshots at rest by enabling the encryption option for your Amazon RDS DB instance.
 Encryption at rest is supported for all DB types and uses AWS KMS.
 You cannot encrypt an existing unencrypted DB in place: you need to create a snapshot, copy it with encryption enabled, restore an encrypted DB from the copied snapshot, and then repoint applications to the new endpoint.
DB Subnet Groups:
 A DB subnet group is a collection of subnets (typically private) that you create in a VPC and that you then designate for your DB instances.
 Each DB subnet group should have subnets in at least two Availability Zones in a given region.
 It is recommended to configure a subnet group with subnets in each AZ (even for standalone instances).
AWS charges for:
 DB instance hours (partial hours are charged as full hours).
 Storage GB/month.
 I/O requests/month – for magnetic storage.
 Provisioned IOPS/month – for RDS provisioned IOPS SSD.
 Egress data transfer.
 Backup storage (DB backups and manual snapshots).
Scalability:
 Compute (the instance class) can be scaled up or down; storage can only be scaled up.
 You cannot decrease the allocated storage for an RDS instance.
 You can scale storage and change the storage type for all DB engines except MSSQL.
RDS provides Multi-AZ for disaster recovery, which provides fault tolerance across availability zones:
 Multi-AZ RDS creates a replica in another AZ and synchronously replicates to it (DR only; the standby cannot serve reads).
 There is an option to choose Multi-AZ during the launch wizard.
 AWS recommends the use of provisioned IOPS storage for Multi-AZ RDS DB instances.
 Each AZ runs on its own physically distinct, independent infrastructure, and is engineered to be highly reliable.
 You cannot choose which AZ in the region will be chosen to create the standby DB instance.
Read Replicas – provide improved performance for reads:
 Read replicas are used for read-heavy DBs and replication is asynchronous.
 Read replicas are for workload sharing and offloading.
 Read replicas provide read-only DR.
 Read replicas are created from a snapshot of the master instance.
 Must have automated backups enabled on the primary (retention period > 0).
Amazon DynamoDB
Amazon DynamoDB is a fully managed NoSQL database service that provides fast and predictable performance with seamless scalability.
DynamoDB features and benefits:
• NoSQL type of database (non-relational).
• Fast, highly available, and fully managed.
• Used when data is fluid and can change.
• Common use cases include social networks and web analytics.
Push-button scaling means that you can scale the DB at any time without incurring downtime.
SSD based and uses limited indexing on attributes for performance.
DynamoDB is a web service that uses HTTP over SSL (HTTPS) as a transport and JSON as a message serialisation format.
Amazon DynamoDB stores three geographically distributed replicas of each table to enable high availability and data durability.
Data is synchronously replicated across 3 facilities (AZs) in a region.
Cross-region replication allows you to replicate across regions:
• Amazon DynamoDB global tables provide a fully managed solution for deploying a multi-region, multi-master database.
• When you create a global table, you specify the AWS regions where you want the table to be available.
• DynamoDB performs all of the necessary tasks to create identical tables in these regions, and propagate ongoing data changes to all of them.
Provides low read and write latency.
Scale storage and throughput up or down as needed without code changes or downtime.
DynamoDB is schema-less.
DynamoDB can be used for storing session state.
Provides two read models.
Eventually consistent reads (default):
• The eventual consistency option maximises your read throughput (best read performance).
• An eventually consistent read might not reflect the results of a recently completed write.
• Consistency across all copies is reached within 1 second.
Strongly consistent reads:
• A strongly consistent read returns a result that reflects all writes that received a successful response prior to the read (faster consistency).
Amazon DynamoDB Accelerator (DAX) is a fully managed, highly available, in-memory cache for DynamoDB that delivers up to a 10x performance improvement – from milliseconds to microseconds – even at millions of requests per second.
Amazon RedShift
Amazon Redshift is a fast, fully managed data warehouse that makes it simple and cost-effective to analyze all your data using standard SQL and existing Business Intelligence (BI) tools.
RedShift is a SQL based data warehouse used for analytics applications.
RedShift is a relational database that is used for Online Analytics Processing (OLAP) use cases.
RedShift is used for running complex analytic queries against petabytes of structured data, using sophisticated query optimization, columnar storage on high-performance local disks, and massively parallel query execution.
RedShift is ideal for processing large amounts of data for business intelligence.
RedShift is 10x faster than a traditional SQL DB.
RedShift uses columnar data storage:
• Data is stored sequentially in columns instead of rows.
• Columnar based DB is ideal for data warehousing and analytics.
• Requires fewer I/Os which greatly enhances performance.
RedShift provides advanced compression:
• Data is stored sequentially in columns which allows for much better performance and less storage space.
• RedShift automatically selects the compression scheme.
RedShift uses replication and continuous backups to enhance availability and improve durability and can automatically recover from component and node failures.
RedShift always keeps three copies of your data:
• The original.
• A replica on compute nodes (within the cluster).
• A backup copy on S3.
RedShift provides continuous/incremental backups:
• Multiple copies within a cluster.
• Continuous and incremental backups to S3.
• Continuous and incremental backups across regions.
• Streaming restore.
RedShift provides fault tolerance for the following failures:
• Disk failures.
• Node failures.
• Network failures.
• AZ/region level disasters.
Amazon ElastiCache
ElastiCache is a web service that makes it easy to deploy and run Memcached or Redis protocol-compliant server nodes in the cloud.
The in-memory caching provided by ElastiCache can be used to significantly improve latency and throughput for many read-heavy application workloads or compute-intensive workloads.
Best for scenarios where the DB load is based on Online Analytics Processing (OLAP) transactions.
The following table describes a few typical use cases for ElastiCache:
ElastiCache EC2 nodes cannot be accessed from the Internet, nor can they be accessed by EC2 instances in other VPCs. Can be on-demand or reserved instances too (but not Spot instances).
ElastiCache can be used for storing session state.
There are two types of ElastiCache engine:
• Memcached – simplest model, can run large nodes with multiple cores/threads, can be scaled in and out, can cache objects such as DBs.
• Redis – complex model, supports encryption, master/slave replication, cross-AZ (HA), automatic failover and backup/restore.
Amazon EMR
Amazon EMR is a web service that enables businesses, researchers, data analysts, and developers to easily and cost-effectively process vast amounts of data.
EMR utilizes a hosted Hadoop framework running on Amazon EC2 and Amazon S3.
Managed Hadoop framework for processing huge amounts of data.
Also supports Apache Spark, HBase, Presto and Flink.
Most commonly used for log analysis, financial analysis, or extract, transform and load (ETL) activities.
Amazon EC2 Auto Scaling
Amazon EC2 Auto Scaling automates the process of launching (scaling out) and terminating (scaling in) Amazon EC2 instances based on the traffic demand for your application. Auto Scaling helps to ensure that you have the correct number of EC2 instances available to handle the application load. Amazon EC2 Auto Scaling provides elasticity and scalability. You create collections of EC2 instances, called an Auto Scaling group (ASG).
You can specify the minimum number of instances in each ASG, and AWS Auto Scaling will ensure the group never goes beneath this size. You can also specify the maximum number of instances in each ASG and the group will never go above this size. A desired capacity can be configured and AWS Auto Scaling will ensure the group has this number of instances. You can also specify scaling policies that control when Auto Scaling launches or terminates instances.
Scaling policies determine when, if, and how the ASG scales and shrinks (on-demand/dynamic scaling, cyclic/scheduled scaling). Scaling Plans define the triggers and when instances should be provisioned/de-provisioned. A launch configuration is the template used to create new EC2 instances and includes parameters such as instance family, instance type, AMI, key pair and security groups.
Amazon Elastic Load Balancing (ELB)
ELB automatically distributes incoming application traffic across multiple targets, such as Amazon EC2 instances, containers, and IP addresses. ELB can handle the varying load of your application traffic in a single Availability Zone or across multiple Availability Zones.
ELB features high availability, automatic scaling, and robust security necessary to make your applications fault tolerant.
There are four types of Elastic Load Balancer (ELB) on AWS:
• Application Load Balancer (ALB) – layer 7 load balancer that routes connections based on the content of the request.
• Network Load Balancer (NLB) – layer 4 load balancer that routes connections based on IP protocol data.
• Classic Load Balancer (CLB) – this is the oldest of the three and provides basic load balancing at both layer 4 and layer 7 (not on the exam anymore).
• Gateway Load Balancer (GLB) – distributes connections to virtual appliances and scales them up or down (not on the exam).
Application Load Balancer (ALB)
ALB is best suited for load balancing of HTTP and HTTPS traffic and provides advanced request routing targeted at the delivery of modern application architectures, including microservices and containers.
Operating at the individual request level (Layer 7), Application Load Balancer routes traffic to targets within Amazon Virtual Private Cloud (Amazon VPC) based on the content of the request.
Network Load Balancer (NLB)
NLB is best suited for load balancing of TCP traffic where extreme performance is required.
Operating at the connection level (Layer 4), Network Load Balancer routes traffic to targets within Amazon Virtual Private Cloud (Amazon VPC) and is capable of handling millions of requests per second while maintaining ultra-low latencies.
Network Load Balancer is also optimized to handle sudden and volatile traffic patterns.
Content Delivery and DNS Services
Amazon Route 53
Route 53 is the AWS Domain Name Service.
Route 53 performs three main functions:
• Domain registration – Route 53 allows you to register domain names.
• Domain Name Service (DNS) – Route 53 translates names to IP addresses using a global network of authoritative DNS servers.
• Health checking – Route 53 sends automated requests to your application to verify that it's reachable, available and functional.
You can use any combination of these functions.
Route 53 benefits:
• Domain registration.
• DNS service.
• Traffic Flow (send users to the best endpoint).
• Health checking.
• DNS failover (automatically change domain endpoint if system fails).
• Integrates with ELB, S3, and CloudFront as endpoints.
Routing policies determine how Route 53 DNS responds to queries.
The following table highlights the key function of each type of routing policy:
Amazon CloudFront
CloudFront is a content delivery network (CDN) that allows you to store (cache) your content at "edge locations" located around the world.
This allows customers to access content more quickly and provides security against DDoS attacks.
CloudFront can be used for data, videos, applications, and APIs.
CloudFront benefits:
• Cache content at Edge Locations for fast distribution to customers.
• Built-in Distributed Denial of Service (DDoS) attack protection.
• Integrates with many AWS services (S3, EC2, ELB, Route 53, Lambda).
Origins and Distributions:
• An origin is the origin of the files that the CDN will distribute.
• Origins can be either an S3 bucket, an EC2 instance, an Elastic Load Balancer, or Route 53 – can also be external (non-AWS).
• To distribute content with CloudFront you need to create a distribution.
• There are two types of distribution: Web Distribution and RTMP Distribution.
CloudFront uses Edge Locations and Regional Edge Caches:
• An edge location is the location where content is cached (separate to AWS regions/AZs).
• Requests are automatically routed to the nearest edge location.
• Regional Edge Caches are located between origin web servers and global edge locations and have a larger cache.
• Regional Edge Caches aim to get content closer to users.
The diagram below shows where Regional Edge Caches and Edge Locations are placed in relation to end users:
Monitoring and Logging Services
Amazon CloudWatch
Amazon CloudWatch is a monitoring service for AWS cloud resources and the applications you run on AWS.
CloudWatch is for performance monitoring (CloudTrail is for auditing).
Used to collect and track metrics, collect and monitor log files, and set alarms.
Automatically react to changes in your AWS resources.
Monitor resources such as:
• EC2 instances.
• DynamoDB tables.
• RDS DB instances.
• Custom metrics generated by applications and services.
• Any log files generated by your applications.
Gain system-wide visibility into resource utilization.
CloudWatch monitoring includes application performance.
Monitor operational health.
CloudWatch is accessed via API, command-line interface, AWS SDKs, and the AWS Management Console.
CloudWatch integrates with IAM.
Amazon CloudWatch Logs lets you monitor and troubleshoot your systems and applications using your existing system, application and custom log files.
CloudWatch Logs can be used for real-time application and system monitoring as well as long-term log retention.
CloudWatch Logs keeps logs indefinitely by default.
CloudTrail logs can be sent to CloudWatch Logs for real-time monitoring.
CloudWatch Logs metric filters can evaluate CloudTrail logs for specific terms, phrases or values.
CloudWatch retains metric data as follows:
• Data points with a period of less than 60 seconds are available for 3 hours. These data points are high-resolution custom metrics.
• Data points with a period of 60 seconds (1 minute) are available for 15 days.
• Data points with a period of 300 seconds (5 minutes) are available for 63 days.
• Data points with a period of 3600 seconds (1 hour) are available for 455 days (15 months).
Dashboards allow you to create, customize, interact with, and save graphs of AWS resources and custom metrics.
Alarms can be used to monitor any Amazon CloudWatch metric in your account.
Events are a stream of system events describing changes in your AWS resources.
Logs help you to aggregate, monitor and store logs.
Basic monitoring = 5 mins (free for EC2 instances, EBS volumes, ELBs and RDS DBs).
Detailed monitoring = 1 min (chargeable).
Metrics are provided automatically for a number of AWS products and services.
There is no standard metric for memory usage on EC2 instances.
A custom metric is any metric you provide to Amazon CloudWatch (e.g. time to load a web page or application performance).
Options for storing logs:
• CloudWatch Logs.
• Centralized logging system (e.g. Splunk).
• Custom script and store on S3.
Do not store logs on non-persistent disks.
Best practice is to store logs in CloudWatch Logs or S3.
CloudWatch Logs subscriptions can be used across multiple AWS accounts (using cross-account access).
Amazon CloudWatch uses Amazon SNS to send email.
AWS CloudTrail
AWS CloudTrail is a web service that records activity made on your account and delivers log files to an Amazon S3 bucket.
CloudTrail is for auditing (CloudWatch is for performance monitoring).
CloudTrail is about logging and saves a history of API calls for your AWS account.
Provides visibility into user activity by recording actions taken on your account.
API history enables security analysis, resource change tracking, and compliance auditing.
Logs API calls made via:
• AWS Management Console.
• AWS SDKs.
• Command line tools.
• Higher-level AWS services (such as CloudFormation).
CloudTrail records account activity and service events from most AWS services and logs the following records:
• The identity of the API caller.
• The time of the API call.
• The source IP address of the API caller.
• The request parameters.
• The response elements returned by the AWS service.
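The record fields listed above, evaluated the way the CloudWatch Logs metric filters mentioned in the CloudWatch section do (matching specific terms or values and counting the hits that feed a metric and alarm). This is an added example, not code from the study notes: the records are constructed for it, the field names follow the CloudTrail record format, and the matcher is a simplified stand-in for the metric filter pattern syntax (CloudWatch's `*` wildcard is honoured via fnmatch).

```python
"""Added example (not from the study notes): count CloudTrail records that a
metric filter would match, using constructed sample records."""
import json
from fnmatch import fnmatchcase

# Constructed sample records, i.e. one batch from a CloudTrail log file.
SAMPLE_RECORDS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "198.51.100.10",
     "requestParameters": {}, "responseElements": None},
    {"eventTime": "2024-01-01T10:01:00Z", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "198.51.100.11",
     "requestParameters": {"name": "main-trail"}, "responseElements": None,
     "errorCode": "AccessDenied"},
    {"eventTime": "2024-01-01T10:02:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root"},
     "sourceIPAddress": "203.0.113.5",
     "requestParameters": None, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-01-01T10:03:00Z", "eventName": "RunInstances",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "sourceIPAddress": "198.51.100.12",
     "requestParameters": {"instanceType": "t3.micro"}, "responseElements": None,
     "errorCode": "Client.UnauthorizedOperation"},
]


def lookup(record, path):
    """Resolve a dotted path such as 'userIdentity.type'; None when absent."""
    cur = record
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches(record, clauses, require_all=False):
    """clauses: list of (path, glob). By default any clause matching (OR)
    selects the record; require_all gives AND semantics."""
    hits = []
    for path, pattern in clauses:
        value = lookup(record, path)
        hits.append(value is not None and fnmatchcase(str(value), pattern))
    return all(hits) if require_all else any(hits)


def count_matches(records, clauses, require_all=False):
    """The number a metric filter would publish as the metric value."""
    return sum(1 for r in records if matches(r, clauses, require_all))


# Filters a defender would typically wire to alarms (constructed for the example).
UNAUTHORIZED_CALLS = [("errorCode", "*UnauthorizedOperation"),
                      ("errorCode", "AccessDenied*")]
ROOT_ACTIVITY = [("userIdentity.type", "Root")]
TRAIL_CHANGES = [("eventName", "StopLogging"), ("eventName", "DeleteTrail"),
                 ("eventName", "UpdateTrail")]


def parse_log_file(text):
    """CloudTrail log files are JSON objects with a top-level 'Records' list."""
    return json.loads(text)["Records"]


def demo():
    records = parse_log_file(json.dumps({"Records": SAMPLE_RECORDS}))
    return {
        "unauthorized": count_matches(records, UNAUTHORIZED_CALLS),
        "root": count_matches(records, ROOT_ACTIVITY),
        "trail_changes": count_matches(records, TRAIL_CHANGES),
    }
```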
CloudTrail is enabled by default.
CloudTrail is per AWS account.
You can consolidate logs from multiple accounts using an S3 bucket:
1. Turn on CloudTrail in the paying account.
2. Create a bucket policy that allows cross-account access.
3. Turn on CloudTrail in the other accounts and use the bucket in the paying account.
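Step 2 of the procedure above, as an added example that is not part of the study notes: it builds the bucket policy that lets CloudTrail in several accounts deliver to one bucket in the paying account, then checks what the policy permits. The two-statement shape (GetBucketAcl on the bucket, PutObject limited to each account's AWSLogs/<account-id>/ prefix and requiring bucket-owner-full-control) is the standard CloudTrail bucket policy; the bucket name and account IDs are placeholders.

```python
"""Added example (not from the study notes): CloudTrail cross-account bucket
policy for log consolidation, plus a least-privilege check on it."""
import json

CLOUDTRAIL_SERVICE = "cloudtrail.amazonaws.com"


def cloudtrail_bucket_policy(bucket: str, account_ids: list) -> dict:
    """Policy document for `bucket`: CloudTrail may deliver only for the listed
    accounts and only under each account's own AWSLogs prefix."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # CloudTrail reads the bucket ACL before it starts delivering.
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": CLOUDTRAIL_SERVICE},
                "Action": "s3:GetBucketAcl",
                "Resource": bucket_arn,
            },
            {   # Writes are scoped per account so one account cannot write into
                # another's prefix; the ACL condition keeps the bucket owner in control.
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": {"Service": CLOUDTRAIL_SERVICE},
                "Action": "s3:PutObject",
                "Resource": [f"{bucket_arn}/AWSLogs/{acct}/*" for acct in account_ids],
                "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
            },
        ],
    }


def writable_prefixes(policy: dict) -> set:
    """Object ARN patterns on which any Allow statement grants s3:PutObject."""
    prefixes = set()
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        if stmt["Effect"] == "Allow" and "s3:PutObject" in actions:
            res = stmt["Resource"]
            prefixes.update([res] if isinstance(res, str) else res)
    return prefixes


def account_can_deliver(policy: dict, bucket: str, account_id: str) -> bool:
    """True when the policy lets CloudTrail write under this account's prefix."""
    return f"arn:aws:s3:::{bucket}/AWSLogs/{account_id}/*" in writable_prefixes(policy)


def demo() -> dict:
    bucket = "central-trail-logs-PLACEHOLDER"          # placeholder bucket name
    accounts = ["111111111111", "222222222222"]       # placeholder account IDs
    policy = cloudtrail_bucket_policy(bucket, accounts)
    json.dumps(policy)  # must serialise cleanly before it is applied to the bucket
    return {
        "policy": policy,
        "member_ok": account_can_deliver(policy, bucket, "222222222222"),
        "stranger_ok": account_can_deliver(policy, bucket, "333333333333"),
    }
```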
You can integrate CloudTrail with CloudWatch Logs to deliver data events captured by CloudTrail to a CloudWatch Logs log stream.
The CloudTrail log file integrity validation feature allows you to determine whether a CloudTrail log file was unchanged, deleted, or modified since CloudTrail delivered it to the specified Amazon S3 bucket.
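The three outcomes of integrity validation (unchanged, modified, deleted) worked through as an added example that is not part of the study notes. The real feature records SHA-256 hashes of delivered log files in digest files that CloudTrail signs; this stand-in uses a constructed, unsigned digest and constructed file names and contents so that it runs offline.

```python
"""Added example (not from the study notes): classify delivered log files
against a digest of their SHA-256 hashes."""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_digest(delivered: dict) -> dict:
    """Map each log file name to the hash recorded at delivery time."""
    return {name: sha256_hex(body) for name, body in delivered.items()}


def validate(digest: dict, bucket_now: dict) -> dict:
    """Compare what the bucket holds now with what the digest says was delivered.
    The digest must come from a trusted source: CloudTrail signs its digest
    files, and a digest taken from the same bucket without checking that
    signature says nothing about files changed by someone who could also
    change the digest."""
    report = {}
    for name, expected in digest.items():
        if name not in bucket_now:
            report[name] = "deleted"
        elif sha256_hex(bucket_now[name]) != expected:
            report[name] = "modified"
        else:
            report[name] = "unchanged"
    return report


def demo() -> dict:
    # Constructed log file contents as delivered by CloudTrail (names are constructed).
    delivered = {
        "AWSLogs/111111111111/CloudTrail/log-1.json":
            b'{"Records": [{"eventName": "DescribeInstances"}]}',
        "AWSLogs/111111111111/CloudTrail/log-2.json":
            b'{"Records": [{"eventName": "StopLogging"}]}',
        "AWSLogs/111111111111/CloudTrail/log-3.json":
            b'{"Records": []}',
    }
    digest = build_digest(delivered)
    # Later state of the bucket: log-2 has been edited and log-3 removed.
    bucket_now = dict(delivered)
    bucket_now["AWSLogs/111111111111/CloudTrail/log-2.json"] = b'{"Records": []}'
    del bucket_now["AWSLogs/111111111111/CloudTrail/log-3.json"]
    return validate(digest, bucket_now)
```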
Notification Services
Amazon Simple Notification Service
Amazon Simple Notification Service (Amazon SNS) is a web service that makes it easy to set up, operate, and send notifications from the cloud.
Amazon SNS is used for building and integrating loosely-coupled, distributed applications.
SNS provides instantaneous, push-based delivery (no polling).
SNS concepts:
• Topics – how you label and group different endpoints that you send messages to.
• Subscriptions – the endpoints that a topic sends messages to.
• Publishers – the person/alarm/event that gives SNS the message that needs to be sent.
SNS usage:
• Send automated or manual notifications.
• Send notifications to email, mobile (SMS), SQS, and HTTP endpoints.
• Closely integrated with other AWS services such as CloudWatch so that alarms, events, and actions in your AWS account can trigger notifications.
Uses simple APIs and easy integration with applications.
Flexible message delivery is provided over multiple transport protocols.
Offered under an inexpensive, pay-as-you-go model with no up-front costs.
The web-based AWS Management Console offers the simplicity of a point-and-click interface.
Data type is JSON.
SNS supports a wide variety of needs including event notification, monitoring applications, workflow systems, time-sensitive information updates, mobile applications, and any other application that generates or consumes notifications.
SNS subscribers:
• HTTP.
• HTTPS.
• Email.
• Email-JSON.
• SQS.
• Application.
• Lambda.
SNS supports notifications over multiple transport protocols:
• HTTP/HTTPS – subscribers specify a URL as part of the subscription registration.
• Email/Email-JSON – messages are sent to registered addresses as email (text-based or JSON-object).
• SQS – users can specify an SQS standard queue as the endpoint.
• SMS – messages are sent to registered phone numbers as SMS text messages.
Topic names are limited to 256 characters.
SNS supports CloudTrail auditing for authenticated calls.
SNS provides durable storage of all messages that it receives (across multiple AZs).
AWS Billing and Pricing
General Pricing Information
AWS Billing and Pricing is one of the key subjects on the Cloud Practitioner exam.
AWS works on a pay as you go model in which you only pay for what you use, when you are using it. If you turn off resources, you don't pay for them (you may pay for consumed storage).
There are no upfront charges and you stop paying for a service when you stop using it. Aside from EC2 reserved instances you are not locked into long-term contracts and can terminate whenever you choose to.
Volume discounts are available so the more you use a service the cheaper it gets (per unit used).
There are no termination fees. The three fundamental drivers of cost with AWS are: compute, storage and outbound data transfer. In most cases, there is no charge for inbound data transfer or for data transfer between other AWS services within the same region (there are some exceptions).
Outbound data transfer is aggregated across services and then charged at the outbound data transfer rate. Free tier allows you to run certain resources for free. Free tier includes offers that expire after 12 months and offers that never expire.
Pricing policies include:
• Pay as you go.
• Pay less when you reserve.
• Pay even less per unit when using more.
• Pay even less as AWS grows.
• Custom pricing (enterprise customers only).
Free services include:
• Amazon VPC.
• Elastic Beanstalk (but not the resources created).
• CloudFormation (but not the resources created).
• Identity Access Management (IAM).
• Auto Scaling (but not the resources created).
• OpsWorks.
• Consolidated Billing.
Fundamentally charges include:
1. Compute, Storage and Data out.
Amazon EC2 pricing
EC2 pricing is based on:
• Clock hours of server uptime.
• Instance configuration.
• Instance type.
• Number of instances.
• Load balancing.
• Detailed monitoring.
• Auto Scaling (resources created).
• Elastic IP addresses (charged if allocated but not used).
• Operating systems and software packages.
There are several pricing models for AWS services; these include:
On Demand:
• Means you pay for compute or database capacity with no long-term commitments or upfront payments.
• You pay for the compute capacity per hour or per second (per second is Linux only, and applies to On-Demand, Reserved and Spot instances).
• Recommended for users who prefer low cost and flexibility without upfront payment or long-term commitments.
• Good for applications with short-term, spiky, or unpredictable workloads that cannot be interrupted.
Dedicated Hosts:
• A dedicated host is an EC2 server dedicated to a single customer.
• Runs in your VPC.
• Good for when you want to leverage existing server-bound software licences such as Windows Server, SQL Server, and SUSE Linux Enterprise Server.
• Also good for meeting compliance requirements.
Dedicated Instances:
• Dedicated Instances are Amazon EC2 instances that run in a VPC on hardware that's dedicated to a single customer.
• Dedicated instances are physically isolated at the host hardware level from instances that belong to other AWS accounts.
• Dedicated instances may share hardware with other instances from the same AWS account that are not Dedicated instances.
Spot Instances:
• Purchase spare computing capacity with no upfront commitment at discounted hourly rates.
• Provides up to 90% off the On-Demand price.
• Recommended for applications that have flexible start and end times, applications that are only feasible at very low compute prices, and users with urgent computing needs for a lot of additional capacity.
• In the old model Spot instances were terminated because of higher competing bids; in the new model this does not happen, but instances still may be terminated (with a 2 minute warning) when EC2 needs the capacity back – note: the exam may not be updated to reflect this yet.
Savings Plans:
• Commitment to a consistent amount of usage (EC2 + Fargate + Lambda); pay by $/hour; 1 or 3-year commitment.
Reservations:
• Reserved instances provide significant discounts, up to 75% compared to On-Demand pricing, by paying for capacity ahead of time.
• Provide a capacity reservation when applied to a specific Availability Zone.
• Good for applications that have predictable usage, that need reserved capacity, and for customers who can commit to a 1 or 3-year term.
Reservations apply to various services, including:
• Amazon EC2 Reserved Instances.
• Amazon DynamoDB Reserved Capacity.
• Amazon ElastiCache Reserved Nodes.
• Amazon RDS Reserved Instances.
• Amazon RedShift Reserved Instances.
Reservation options include no upfront, partial upfront and all upfront.
Reservation terms are 1 or 3 years.
Amazon Simple Storage Service (S3) Pricing
Storage pricing is determined by:
• Storage class – e.g. Standard or IA.
• Storage quantity – data volume stored in your buckets on a per GB basis.
• Number of requests – the number and type of requests, e.g. GET, PUT, POST, LIST, COPY.
• Lifecycle transition requests – moving data between storage classes.
• Data transfer – data transferred out of an S3 region is charged.
Amazon Glacier pricing
• Extremely low cost and you pay only for what you need with no commitments or upfront fees.
• Charged for requests and data transferred out of Glacier.
• "Amazon Glacier Select" pricing allows queries to run directly on data stored on Glacier without having to retrieve the archive. Priced on amount of data scanned, returned, and number of requests initiated.
• Three options for access to archives, listed in the table below:
AWS Snowball Pricing
Pay a service fee per data transfer job and the cost of shipping the appliance.
Each job allows use of a Snowball appliance for 10 days onsite for free.
Data transfer into AWS is free and outbound is charged (per region pricing).
Amazon Relational Database Service (RDS) Pricing
RDS pricing is determined by:
• Clock hours of server uptime – amount of time the DB instance is running.
• Database characteristics – e.g. database engine, size and memory class.
• Database purchase type – e.g. On-Demand, Reserved.
• Number of database instances.
• Provisioned storage – backup is included up to 100% of the size of the DB. After the DB is terminated, backup storage is charged per GB per month.
• Additional storage – the amount of storage in addition to the provisioned storage is charged per GB per month.
• Requests – the number of input and output requests to the DB.
• Deployment type – single AZ or Multi-AZ.
• Data transfer – inbound is free, outbound data transfer costs are tiered.
• Reserved Instances – RDS RIs can be purchased with No Upfront, Partial Upfront, or All Upfront terms. Available for Aurora, MySQL, MariaDB, Oracle and SQL Server.
Amazon CloudFront Pricing
CloudFront pricing is determined by:
• Traffic distribution – data transfer and request pricing varies across regions, and is based on the edge location from which the content is served.
• Requests – the number and type of requests (HTTP or HTTPS) and the geographic region in which they are made.
• Data transfer out – quantity of data transferred out of CloudFront edge locations.
• There are additional chargeable items such as invalidation requests, field-level encryption requests, and custom SSL certificates.
AWS Lambda Pricing
Pay only for what you use; charged based on the number of requests for functions and the time it takes to execute the code.
Price is dependent on the amount of memory allocated to the function.
Amazon Elastic Block Store (EBS) Pricing
Pricing is based on three factors:
• Volumes – volume storage for all EBS volume types is charged by the amount of GB provisioned per month.
• Snapshots – based on the amount of space consumed by snapshots in S3. Copying snapshots is charged on the amount of data copied across regions.
• Data transfer – inbound data transfer is free, outbound data transfer charges are tiered.
Amazon DynamoDB Pricing
Charged based on:
• Provisioned throughput (write).
• Provisioned throughput (read).
• Indexed data storage.
• Data transfer – no charge for data transfer between DynamoDB and other AWS services within the same region; across regions is charged on both sides of the transfer.
• Global tables – charged based on the resources associated with each replica of the table (replicated write capacity units, or rWCUs).
• Reserved Capacity – option available for a one-time upfront fee and commitment to paying a minimum usage level at specific hourly rates for the duration of the term. Additional throughput is charged at standard rates.
On-demand capacity mode:
• Charged for reads and writes.
• No need to specify how much capacity is required.
• Good for unpredictable workloads.
Provisioned capacity mode:
• Specify number of reads and writes per second.
• Can use Auto Scaling.
• Good for predictable workloads.
• Consistent traffic or gradual changes.
AWS Support Plans
There are four AWS support plans available:
• Basic – billing and account support only (access to forums only).
• Developer – business hours support via email.
• Business – 24×7 email, chat and phone support.
• Enterprise – 24×7 email, chat and phone support.
Enterprise support comes with a Technical Account Manager (TAM).
Developer allows one person to open unlimited cases.
Business and Enterprise allow unlimited contacts to open unlimited cases.
Resource Groups and Tagging
Tags are key/value pairs that can be attached to AWS resources.
Tags contain metadata (data about data).
Tags can sometimes be inherited – e.g. resources created by Auto Scaling, CloudFormation or Elastic Beanstalk.
Resource groups make it easy to group resources using the tags that are assigned to them. You can group resources that share one or more tags.
Resource groups contain general information, such as:
• Region.
• Name.
• Health Checks.
And also specific information, such as:
• Public & private IP addresses (for EC2).
• Port configurations (for ELB).
• Database engine (for RDS).
AWS Organizations and Consolidated Billing
AWS Organizations allows you to consolidate multiple AWS accounts into an organization that you create and centrally manage.
Available in two feature sets:
• Consolidated Billing.
• All features.
Includes root accounts and organizational units.
Policies are applied to root accounts or OUs.
Consolidated billing includes:
• Paying Account – independent and cannot access resources of other accounts.
• Linked Accounts – all linked accounts are independent.
Consolidated billing has the following benefits:
• One bill – you get one bill for multiple accounts.
• Easy tracking – you can track the charges across multiple accounts and download the combined cost and usage data.
• Combined usage – you can combine the usage across all accounts in the organization to share the volume pricing discounts and Reserved Instance discounts. This can result in a lower charge for your project, department, or company than with individual standalone accounts.
• No extra fee – consolidated billing is offered at no additional cost.
Limit of 20 linked accounts (by default).
One bill for multiple AWS accounts.
Easy to track charges and allocate costs.
Volume pricing discounts can be applied to resources.
Billing alerts enabled on the Paying account include data for all Linked accounts (or can be created per Linked account).
Consolidated billing allows you to get volume discounts on all of your accounts.
Unused reserved instances (RIs) for EC2 are applied across the group.
CloudTrail is on a per account basis and per region basis but can be aggregated into a single bucket in the paying account.
Best practices:
• Always enable multi-factor authentication (MFA) on the root account.
• Always use a strong and complex password on the root account.
• The Paying account should be used for billing purposes only. Do not deploy resources into the Paying account.
AWS Quick Starts
Quick Starts are built by AWS architects and partners to help you deploy popular solutions on AWS, based on AWS best practices for security and high availability.
These reference deployments implement key technologies automatically on the AWS Cloud, often with a single click and in less than an hour.
Leverages CloudFormation.
AWS Cost Calculators and Tools
• AWS Cost Explorer – enables you to visualize your usage patterns over time and to identify your underlying cost drivers.
• AWS Pricing Calculator – create cost estimates to suit your AWS use cases.
AWS Cost Explorer
The AWS Cost Explorer is a free tool that allows you to view charts of your costs.
You can view cost data for the past 13 months and forecast how much you are likely to spend over the next three months.
Cost Explorer can be used to discover patterns in how much you spend on AWS resources over time and to identify cost problem areas.
Cost Explorer can help you to identify service usage statistics such as:
• Which services you use the most.
• View metrics for which AZ has the most traffic.
• Which linked account is used the most.
AWS Pricing Calculator
AWS Pricing Calculator is a web-based service that you can use to create cost estimates to suit your AWS use cases.
AWS Pricing Calculator is useful both for people who have never used AWS and for those who want to reorganize or expand their usage.
AWS Pricing Calculator allows you to explore AWS services based on your use cases and create a cost estimate.
AWS Cost & Usage Report
Publish AWS billing reports to an Amazon S3 bucket.
Reports break down costs by:
• Hour, day, month, product, product resource, tags.
Can update the report up to three times a day.
Create, retrieve, and delete your reports using the AWS CUR API Reference.
AWS Price List API
Query the prices of AWS services.
Price List Service API (AKA the Query API) – query with JSON.
AWS Price List API (AKA the Bulk API) – query with HTML.
Alerts via Amazon SNS when prices change.
AWS Budgets
Used to track cost, usage, or coverage and utilization for your Reserved Instances and Savings Plans, across multiple dimensions, such as service, or Cost Categories.
Alerting through event-driven alert notifications for when actual or forecasted cost or usage exceeds your budget limit, or when your RI and Savings Plans' coverage or utilization drops below your threshold.
Create annual, quarterly, monthly, or even daily budgets depending on your business needs.
AWS Shared Responsibility Model
The AWS Shared Responsibility Model (SRM) defines what you (as an AWS account holder/user) and AWS are each responsible for when it comes to security and compliance.
Security and compliance is a shared responsibility between AWS and the customer. This shared model can help relieve the customer's operational burden, as AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates.
The customer assumes responsibility for and management of the guest operating system (including updates and security patches), other associated application software, as well as the configuration of the AWS-provided security group firewall.
AWS is responsible for “Security of the Cloud”.
• AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud.
• This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services.
Customers are responsible for “Security in the Cloud”.
• For EC2 this includes network-level security (NACLs, security groups), operating system patches and updates, IAM user access management, and client- and server-side data encryption.
The following diagram shows the split of responsibilities between AWS and the customer:
Inherited Controls – Controls which a customer fully inherits from AWS.
• Physical and Environmental controls.
Shared Controls – Controls which apply to both the infrastructure layer and the customer layers, but in completely separate contexts or perspectives.
For a shared control in the AWS shared security model, AWS provides the requirements for the infrastructure and the customer must provide their own control implementation within their use of AWS services.
Examples of shared controls include:
• Patch Management – AWS is responsible for patching and fixing flaws within the infrastructure, but customers are responsible for patching their guest OS and applications.
• Configuration Management – AWS maintains the configuration of its infrastructure devices, but a customer is responsible for configuring their own guest operating systems, databases, and applications.
• Awareness & Training – AWS trains AWS employees, but a customer must train their own employees.
Customer Specific – Controls which are solely the responsibility of the customer based on the application they are deploying within AWS services.
Examples of customer-specific controls include:
• Service and Communications Protection or Zone Security, which may require a customer to route or zone data within specific security environments.
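As an added example (not part of these study notes), a defender-side check for one of the customer-side responsibilities named above, the security group firewall: it walks security group ingress rules in the shape of the EC2 DescribeSecurityGroups response and flags rules that expose administrative or database ports to the whole Internet. The group IDs, names and rules are constructed sample data and the list of sensitive ports is an assumption; with credentials the same function can be fed the output of boto3's describe_security_groups.

```python
"""Audit EC2 security group ingress for world-open access to sensitive ports.

Under the shared responsibility model AWS secures the infrastructure, but the
rules in the AWS-provided security group firewall are the customer's job.
The sample data below is constructed in the shape of the DescribeSecurityGroups
API response so the check runs offline; it does not describe real groups.
"""
from ipaddress import ip_network

# Assumed list of ports where an Internet-wide ingress rule is almost always a finding.
SENSITIVE_PORTS = {
    22: "SSH", 3389: "RDP", 1433: "MSSQL", 3306: "MySQL",
    5432: "PostgreSQL", 6379: "Redis", 27017: "MongoDB",
}

# Constructed sample (group IDs and names are placeholders, not real resources).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa1111aaaa1111a", "GroupName": "web",
     "IpPermissions": [
         # HTTPS from anywhere is expected for a web tier and 443 is not in the list.
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
         # SSH restricted to a documentation-range office CIDR: not world-open.
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0bbb2222bbbb2222b", "GroupName": "bastion",
     "IpPermissions": [
         # SSH open to every IPv4 and IPv6 address: one finding.
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
          "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0ccc3333cccc3333c", "GroupName": "db",
     "IpPermissions": [
         # MySQL only from the web group (no CIDR ranges at all): fine.
         {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
          "IpRanges": [], "Ipv6Ranges": [],
          "UserIdGroupPairs": [{"GroupId": "sg-0aaa1111aaaa1111a"}]},
         # Legacy wide range from anywhere: covers MySQL and RDP, two findings.
         {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
]


def _is_world_open(rule):
    """True if any IPv4/IPv6 range on the rule is a /0, i.e. the whole Internet."""
    for r in rule.get("IpRanges", []):
        if ip_network(r["CidrIp"], strict=False).prefixlen == 0:
            return True
    for r in rule.get("Ipv6Ranges", []):
        if ip_network(r["CidrIpv6"], strict=False).prefixlen == 0:
            return True
    return False


def _ports_covered(rule):
    """Return the sensitive ports a rule's port range covers.

    IpProtocol "-1" means all protocols and all ports, so every sensitive
    port counts; ICMP and other protocols carry no TCP/UDP port.
    """
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return set(SENSITIVE_PORTS)
    if proto not in ("tcp", "udp"):
        return set()
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    if lo is None or hi is None:
        return set()
    return {p for p in SENSITIVE_PORTS if lo <= p <= hi}


def find_world_open_ingress(security_groups):
    """Return (group id, group name, protocol, port, service) for each exposure."""
    findings = []
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):  # ingress rules only
            if not _is_world_open(rule):
                continue
            for port in sorted(_ports_covered(rule)):
                findings.append((sg["GroupId"], sg["GroupName"],
                                 rule["IpProtocol"], port, SENSITIVE_PORTS[port]))
    return findings


if __name__ == "__main__":
    for gid, name, proto, port, svc in find_world_open_ingress(SAMPLE_GROUPS):
        print(f"FINDING {gid} ({name}): {svc} {proto}/{port} open to the world")
```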
My aws cp study (autosaved)
My aws cp study (autosaved)
My aws cp study (autosaved)
My aws cp study (autosaved)
My aws cp study (autosaved)
My aws cp study (autosaved)
My aws cp study (autosaved)
My aws cp study (autosaved)
My aws cp study (autosaved)
My aws cp study (autosaved)
My aws cp study (autosaved)
My aws cp study (autosaved)
My aws cp study (autosaved)
My aws cp study (autosaved)
My aws cp study (autosaved)
My aws cp study (autosaved)
My aws cp study (autosaved)
My aws cp study (autosaved)
My aws cp study (autosaved)
My aws cp study (autosaved)
My aws cp study (autosaved)
My aws cp study (autosaved)
My aws cp study (autosaved)
My aws cp study (autosaved)
My aws cp study (autosaved)
My aws cp study (autosaved)
My aws cp study (autosaved)
My aws cp study (autosaved)
My aws cp study (autosaved)
My aws cp study (autosaved)
My aws cp study (autosaved)
My aws cp study (autosaved)
My aws cp study (autosaved)
My aws cp study (autosaved)
My aws cp study (autosaved)
My aws cp study (autosaved)
My aws cp study (autosaved)
My aws cp study (autosaved)
My aws cp study (autosaved)
My aws cp study (autosaved)

Mais conteúdo relacionado

Mais procurados

Introduction to Cloud computing and Microsoft azure
 Introduction to Cloud computing and Microsoft azure Introduction to Cloud computing and Microsoft azure
Introduction to Cloud computing and Microsoft azureShravandeepYadav
 
Cloud Computing
Cloud ComputingCloud Computing
Cloud ComputingNAILBITER
 
Comparison of Cloud Providers
Comparison of Cloud ProvidersComparison of Cloud Providers
Comparison of Cloud ProvidersSabapathy Murthi
 
Unique Ways Veritas can Supercharge your AWS Investment - Session Sponsored b...
Unique Ways Veritas can Supercharge your AWS Investment - Session Sponsored b...Unique Ways Veritas can Supercharge your AWS Investment - Session Sponsored b...
Unique Ways Veritas can Supercharge your AWS Investment - Session Sponsored b...Amazon Web Services
 
Announcing Symantec & Microsoft’s Azure Cloud Disaster Recovery as a Service ...
Announcing Symantec & Microsoft’s Azure Cloud Disaster Recovery as a Service ...Announcing Symantec & Microsoft’s Azure Cloud Disaster Recovery as a Service ...
Announcing Symantec & Microsoft’s Azure Cloud Disaster Recovery as a Service ...Symantec
 
Software as a Service
Software as a ServiceSoftware as a Service
Software as a Serviceholmaond
 
Qinnova Cloud Computing Session
Qinnova Cloud Computing Session Qinnova Cloud Computing Session
Qinnova Cloud Computing Session aleyeldean
 
Cloud computing & aws concepts
Cloud computing & aws conceptsCloud computing & aws concepts
Cloud computing & aws conceptsABHINAV ANAND
 
Cloud architecture
Cloud architectureCloud architecture
Cloud architectureAdeel Javaid
 
Introduction to Azure SQL DB
Introduction to Azure SQL DBIntroduction to Azure SQL DB
Introduction to Azure SQL DBChristopher Foot
 
Enterprise Cloud Architecture Best Practices
Enterprise Cloud Architecture Best PracticesEnterprise Cloud Architecture Best Practices
Enterprise Cloud Architecture Best PracticesDavid Veksler
 
High Performance Web Applications
High Performance Web ApplicationsHigh Performance Web Applications
High Performance Web ApplicationsAmazon Web Services
 
Azure fb-google Web Services
Azure fb-google Web ServicesAzure fb-google Web Services
Azure fb-google Web ServicesShreya Srivastava
 
Presentation on Databases in the Cloud
Presentation on Databases in the CloudPresentation on Databases in the Cloud
Presentation on Databases in the Cloudmoshfiq
 
Cloud computing and Cloud Security - Basics and Terminologies
Cloud computing and Cloud Security - Basics and TerminologiesCloud computing and Cloud Security - Basics and Terminologies
Cloud computing and Cloud Security - Basics and TerminologiesTechsparks
 
Ibm bluemix
Ibm bluemix Ibm bluemix
Ibm bluemix Narendra
 

Mais procurados (20)

Introduction to Cloud computing and Microsoft azure
 Introduction to Cloud computing and Microsoft azure Introduction to Cloud computing and Microsoft azure
Introduction to Cloud computing and Microsoft azure
 
Cloud Computing
Cloud ComputingCloud Computing
Cloud Computing
 
Cloud Architecture
Cloud ArchitectureCloud Architecture
Cloud Architecture
 
Comparison of Cloud Providers
Comparison of Cloud ProvidersComparison of Cloud Providers
Comparison of Cloud Providers
 
Enterprise Journey to the Cloud
Enterprise Journey to the CloudEnterprise Journey to the Cloud
Enterprise Journey to the Cloud
 
Unit 5
Unit  5Unit  5
Unit 5
 
Unique Ways Veritas can Supercharge your AWS Investment - Session Sponsored b...
Unique Ways Veritas can Supercharge your AWS Investment - Session Sponsored b...Unique Ways Veritas can Supercharge your AWS Investment - Session Sponsored b...
Unique Ways Veritas can Supercharge your AWS Investment - Session Sponsored b...
 
Announcing Symantec & Microsoft’s Azure Cloud Disaster Recovery as a Service ...
Announcing Symantec & Microsoft’s Azure Cloud Disaster Recovery as a Service ...Announcing Symantec & Microsoft’s Azure Cloud Disaster Recovery as a Service ...
Announcing Symantec & Microsoft’s Azure Cloud Disaster Recovery as a Service ...
 
Software as a Service
Software as a ServiceSoftware as a Service
Software as a Service
 
Cloud Computing - Introduction
Cloud Computing - IntroductionCloud Computing - Introduction
Cloud Computing - Introduction
 
Qinnova Cloud Computing Session
Qinnova Cloud Computing Session Qinnova Cloud Computing Session
Qinnova Cloud Computing Session
 
Cloud computing & aws concepts
Cloud computing & aws conceptsCloud computing & aws concepts
Cloud computing & aws concepts
 
Cloud architecture
Cloud architectureCloud architecture
Cloud architecture
 
Introduction to Azure SQL DB
Introduction to Azure SQL DBIntroduction to Azure SQL DB
Introduction to Azure SQL DB
 
Enterprise Cloud Architecture Best Practices
Enterprise Cloud Architecture Best PracticesEnterprise Cloud Architecture Best Practices
Enterprise Cloud Architecture Best Practices
 
High Performance Web Applications
High Performance Web ApplicationsHigh Performance Web Applications
High Performance Web Applications
 
Azure fb-google Web Services
Azure fb-google Web ServicesAzure fb-google Web Services
Azure fb-google Web Services
 
Presentation on Databases in the Cloud
Presentation on Databases in the CloudPresentation on Databases in the Cloud
Presentation on Databases in the Cloud
 
Cloud computing and Cloud Security - Basics and Terminologies
Cloud computing and Cloud Security - Basics and TerminologiesCloud computing and Cloud Security - Basics and Terminologies
Cloud computing and Cloud Security - Basics and Terminologies
 
Ibm bluemix
Ibm bluemix Ibm bluemix
Ibm bluemix
 

Semelhante a My aws cp study (autosaved)

Cloud presentation for marketing purpose
Cloud presentation for marketing purposeCloud presentation for marketing purpose
Cloud presentation for marketing purposeAsif Anik
 
Cloud presentation for marketing purpose
Cloud presentation for marketing purposeCloud presentation for marketing purpose
Cloud presentation for marketing purposeAsif Anik
 
Comparison of Several IaaS Cloud Computing Platforms
Comparison of Several IaaS Cloud Computing PlatformsComparison of Several IaaS Cloud Computing Platforms
Comparison of Several IaaS Cloud Computing Platformsijsrd.com
 
CLOUD COMPUTING.pptx
CLOUD COMPUTING.pptxCLOUD COMPUTING.pptx
CLOUD COMPUTING.pptxSurajThapa79
 
Cloud computing jayanth
Cloud computing jayanthCloud computing jayanth
Cloud computing jayanthNihanth Charan
 
E book maas
E book maasE book maas
E book maasich kml
 
CIT-382 Cloud Technology
CIT-382 Cloud TechnologyCIT-382 Cloud Technology
CIT-382 Cloud TechnologyLuisDeLeon74
 
Cloud Fundamentals PPT.pptx
Cloud Fundamentals PPT.pptxCloud Fundamentals PPT.pptx
Cloud Fundamentals PPT.pptxDeepikaPardeshi1
 
Cloud computing easy approach
Cloud computing easy approachCloud computing easy approach
Cloud computing easy approachER Vasanth
 
C L O U D C O M P U T I N G
C L O U D  C O M P U T I N GC L O U D  C O M P U T I N G
C L O U D C O M P U T I N GShreyas Pai
 
Whitepaper - Choosing the right cloud provider for your business
Whitepaper - Choosing the right cloud provider for your businessWhitepaper - Choosing the right cloud provider for your business
Whitepaper - Choosing the right cloud provider for your businessRick Blaisdell
 
Cloud Computing: Overview and Examples
Cloud Computing: Overview and ExamplesCloud Computing: Overview and Examples
Cloud Computing: Overview and ExamplesEueung Mulyana
 
What is cloud computing
What is cloud computingWhat is cloud computing
What is cloud computingDan Morrill
 
Cloud Computing | Dimension Data Europe
Cloud Computing | Dimension Data EuropeCloud Computing | Dimension Data Europe
Cloud Computing | Dimension Data EuropeDavid Martin
 
Emergence and Importance of Cloud Computing for the Enterprise
Emergence and Importance of Cloud Computing for the EnterpriseEmergence and Importance of Cloud Computing for the Enterprise
Emergence and Importance of Cloud Computing for the EnterpriseManish Chopra
 

Semelhante a My aws cp study (autosaved) (20)

Rama1
Rama1Rama1
Rama1
 
Cloud presentation for marketing purpose
Cloud presentation for marketing purposeCloud presentation for marketing purpose
Cloud presentation for marketing purpose
 
Cloud presentation for marketing purpose
Cloud presentation for marketing purposeCloud presentation for marketing purpose
Cloud presentation for marketing purpose
 
Comparison of Several IaaS Cloud Computing Platforms
Comparison of Several IaaS Cloud Computing PlatformsComparison of Several IaaS Cloud Computing Platforms
Comparison of Several IaaS Cloud Computing Platforms
 
Cloud computing
Cloud computingCloud computing
Cloud computing
 
2011 keesvan gelder
2011 keesvan gelder2011 keesvan gelder
2011 keesvan gelder
 
CLOUD COMPUTING.pptx
CLOUD COMPUTING.pptxCLOUD COMPUTING.pptx
CLOUD COMPUTING.pptx
 
Cloud computing jayanth
Cloud computing jayanthCloud computing jayanth
Cloud computing jayanth
 
E book maas
E book maasE book maas
E book maas
 
CIT-382 Cloud Technology
CIT-382 Cloud TechnologyCIT-382 Cloud Technology
CIT-382 Cloud Technology
 
Cloud Fundamentals PPT.pptx
Cloud Fundamentals PPT.pptxCloud Fundamentals PPT.pptx
Cloud Fundamentals PPT.pptx
 
Cloud computing easy approach
Cloud computing easy approachCloud computing easy approach
Cloud computing easy approach
 
C L O U D C O M P U T I N G
C L O U D  C O M P U T I N GC L O U D  C O M P U T I N G
C L O U D C O M P U T I N G
 
cloud computing
cloud computingcloud computing
cloud computing
 
Whitepaper - Choosing the right cloud provider for your business
Whitepaper - Choosing the right cloud provider for your businessWhitepaper - Choosing the right cloud provider for your business
Whitepaper - Choosing the right cloud provider for your business
 
Cloud Computing: Overview and Examples
Cloud Computing: Overview and ExamplesCloud Computing: Overview and Examples
Cloud Computing: Overview and Examples
 
What is cloud computing
What is cloud computingWhat is cloud computing
What is cloud computing
 
Cloud Computing | Dimension Data Europe
Cloud Computing | Dimension Data EuropeCloud Computing | Dimension Data Europe
Cloud Computing | Dimension Data Europe
 
Consumer side
Consumer sideConsumer side
Consumer side
 
Emergence and Importance of Cloud Computing for the Enterprise
Emergence and Importance of Cloud Computing for the EnterpriseEmergence and Importance of Cloud Computing for the Enterprise
Emergence and Importance of Cloud Computing for the Enterprise
 

Último

08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 

Último (20)

08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 

My aws cp study (autosaved)

  • 1. AWS Cloud Computing Concepts Fundamentallythe term“compute”referstophysical serverscomprisedof the processing,memory,andstorage requiredtorunan operatingsystemsuchasMicrosoft WindowsorLinux,andsome virtualizednetworkingcapability. The componentsof a compute serverinclude the following: Processor or Central ProcessingUnit (CPU) ·the CPU isthe brainsof the computerand carries out the instructionsof computerprograms Memory or Random Access Memory(RAM) ·withinacomputermemoryisveryhigh-speed storage for data storedonan integratedcircuitchip Storage ·the storage locationforthe operatingsystemfiles(andoptionallydata).Thisis typicallyalocal diskstoredwithinthe computerora networkdiskattachedusingablock protocol such as iSCSI Network·physicalnetworkinterfacecards(NICs) tosupportconnectivitywithotherservers. Whenusedincloudcomputing,the operatingsystemsoftwarethatisinstalleddirectlyon the serverisgenerallyahypervisorthatprovidesahardwareabstractionlayerontowhich additionaloperatingsystemscanbe runasvirtualmachines(VMs)or“instances”.Thistechnique is knownas hardware virtualization. A VMisa containerwithinwhichvirtualizedresourcesincludingCPU(vCPU),memoryand storage are presented,andanoperatingsystemcanbe installed.EachVMisisolatedfrom otherVMs runningonthe same hosthardware and manyVMs can run on a single physical host, witheachpotentiallyinstalledwithdifferentoperatingsystemsoftware. The diagram belowdepictshardware virtualizationwithguestVMsrunningontopof a hostOS: There are two maintypesof hypervisor: Type 1 ·the hypervisorisinstalleddirectlyontopof the hardware andisconsidereda“bare- metal”hypervisor Type 2 ·the hypervisorsoftware runsontopof a hostoperatingsystem Examplesof Type 1 hypervisorsinclude VMware ESXi andMicrosoftHyper-V andexamplesof Type 2 hypervisorsinclude VMware WorkstationandOracle Virtual Box.Type 1hypervisors typicallyprovidebetterperformance andsecuritythanType 2hypervisors. 
The diagram above showsahardware virtualizationstackusingaType 1 hypervisor.The diagrambelowdepictsaType 2 hypervisor: As youcan see,the keydifference isthatthere isanadditional hostoperatingsystemlayer that sitsdirectlyabove the physical hardware andbeneaththe hypervisorlayer. Cloudcomputingisthe on-demanddeliveryof compute power,database storage, applicationsandotherITresourcesthrougha cloudservicesplatformviathe Internetwith pay-as-you-gopricing. Cloudcomputingprovidesasimplewaytoaccessservers,storage,databasesandabroadsetof Application servicesoverthe Internet. A cloudservicesplatformsuchasAmazonWebServicesownsandmaintainsthe network- connectedhardware requiredforthese applicationservices,while youprovisionand use what youneedviaa webapplication. 6 advantages of cloud:
  • 2. a) Trade capital expense forvariable expense Insteadof havingto investheavilyindatacentersandserversbefore youknow how you’re goingto use them,youcan pay onlywhenyouconsume computingresources,andpayonlyfor howmuch youconsume. b) Benefitfrom massive economiesofscale By usingcloudcomputing,youcanachieve a lowervariable costthanyoucan get onyour own. Because usage from hundredsof thousandsof customersis aggregatedin the cloud,providers such as AWS can achieve highereconomiesof scale,whichtranslatesintolowerpayas-you-go price. c) Stop guessingabout capacity Eliminate guessingonyourinfrastructure capacityneeds.Whenyoumake acapacitydecision priorto deployingan application,youoftenendupeithersittingonexpensive idle resources or dealingwithlimitedcapacity. With cloudcomputing,these problemsgoaway.You can access as much or as little capacityas youneed,andscale up and downas requiredwithonly afew minutes’notice. d) Increase speedand agility In a cloudcomputingenvironment,newITresourcesare onlya clickaway,whichmeansthat youreduce the time to make those resourcesavailable toyourdevelopersfromweekstojust minutes. Thisresultsina dramaticincrease inagilityforthe organization,since the costandtime ittakes to experimentanddevelopissignificantlylower. e) Stop spendingmoneyrunning and maintainingdata centers Focuson projectsthat differentiate yourbusiness,notthe infrastructure.Cloudcomputinglets youfocus onyour owncustomers,ratherthanon the heavyliftingof racking,stacking,and poweringservers. f) Go global in minutes Easilydeployyourapplicationinmultiple regionsaroundthe worldwithjust afew clicks.This meansyoucan provide lowerlatencyandabetterexperience for yourcustomersatminimal cost.
  • 3. CloudComputing Service Models 1. Infrastructure as a Service (IaaS) Infrastructure asa Service (IaaS) containsthe basicbuildingblocksfor cloudITand typicallyprovideaccesstonetworkingfeatures,computers(virtual orondedicatedhardware), and data storage space. IaaS providesyouwiththe highestlevelof flexibilityandmanagement control overyour IT resourcesandismost similartoexistingITresourcesthatmanyIT departmentsanddevelopersare familiarwithtoday. WithIaaS services,suchas AmazonEC2, yourcompanycan consume compute servers, knownas “instances”,on-demand.Thismeansthatthe hardware andsoftware stack,upto the operatingsystemismanagedforyou.You thenneedtochoose whichoperatingsystemto use withyourinstance (e.g.Linux orWindows) andyouare responsibleforthe configuration and managementof the operatingsystemandanysoftware youinstallonit.An application programminginterface (API) istypicallyprovidedforall cloudservices,whichcanbe usedfor programmaticmanagement.Eachcompute instance will haveanallocatedstorage capacity, and cloudnetworkingfunctionssuchasrouting,firewalls,andloadbalancerscanbe configured. IaaSisthe leastpopularof the cloudcomputingservice modelsatpresent,though it isgaininginpopularity.Currently,around12% of enterprise workloadsrunonIaaS. The benefitsofIaaS include:  You don’tneedtoinvestinyourownhardware  The infrastructure scaleson-demandtosupportdynamicworkloads  Increase stability,reliabilityandsupportability  Maintainoperational control of the operatingsystem.  Examplesof IaaS services:MicrosoftAzure IaaS, Amazon EC2, Google Compute Cloud (GCP), and Rackspace. 2. 
Platform as a Service (PaaS) Platformasa Service (PaaS)removesthe needforyourorganizationtomanage the underlyinginfrastructure (usuallyhardware andoperatingsystems) andallowsyoutofocuson the deploymentandmanagementof yourapplications.Thishelpsyoube more efficientasyou don’tneedtoworryaboutresource procurement,capacityplanning,softwaremaintenance, patching,oranyof the otherundifferentiatedheavyliftinginvolvedinrunningyourapplication. Developerslove PaaSasitremovesmore complexityandoperational overheadfrom them.WithPaaS,the cloudserviceprovidermanagesthe infrastructure layerandalsothe middleware,developmenttools,businessintelligence(BI) services,database management systemsandmore.Thisallowsdeveloperstoconcentrate ontheircode withoutneedingto manage the environmentonwhichitruns.Developerssimplyuploadtheircode tobuildweb applications.PaaSisdesignedtosupportthe completewebapplicationlife cycle:building, testing,deploying,managing,andupdating. You are notjust limitedtowebserviceswithPaaS.Databasescanalsobe offeredina platformasa service model.Inthiscase the managementof the database engine and underlyinghardware istakencare of bythe service provider,andyoucreate tablesandadd data. Examplesof database PaaSofferingsinclude MicrosoftAzure SQLand Amazon RDS. PaaS iscurrentlythe mostpopularcloudcomputingservice model,comprisingaround32% of all enterprise workloadsandis expectedtogrow in 2020. The benefitsofPaaS include:  Cut codingtime – developapplicationsfasterDeploynew webapplicationstothe cloud inminutes  Reduce complexitywithmiddlewareasa service  Examplesof PaaS services:MicrosoftAzure WebApps, AWSElasticBeanstalk, Heroku,Force.com and GoogleApp Engine.
  • 4. 3. Software as a Service (SaaS) Software asa Service (SaaS) providesyouwithacompletedproductthatisrunand managedbythe service provider.Inmostcases,people referringtoSoftware asa Service are referringtoend-userapplications.WithaSaaS offeringyoudonothave to thinkabouthow the service ismaintainedorhowthe underlyinginfrastructure ismanaged;youonlyneedtothink abouthow youwill use thatparticularpiece of software.A commonexampleof aSaaS applicationisweb-basedemail whichyoucanuse to sendand receive emailwithouthavingto manage feature additionstothe email productormaintainthe serversandoperatingsystems that the email programisrunningon.Provideshighavailability,faulttolerance,scalabilityan elasticity.SaaSisa service model where software applicationsare deliveredoverthe Internet. In the consumerspace,examplesinclude Gmail,FacebookandDropbox ·these servicesare readyto use,no codingrequired,youjustuse them.With SaaSthe entire stackismanagedfor you,thoughyouwill oftenhave some limitedscope toconfigure the service accordingtoyour needs.SaaSisthe secondmostpopularcloudcomputingservice modelforenterprises,totalling around 24% of all enterprise workloads. The benefitsofSaaS include:  Signup and rapidlystartusinginnovativebusinessapps  Appsand data are accessible fromanyconnectedcomputer  No data islostif your computerbreaks,asdata is inthe cloud  The service isable to dynamicallyscale tousage needs  Examplesof SaaS services:Google Apps, MicrosoftOffice 365, and Salesforce. The diagram belowdepictsthesethree service modelsandshowswherethe responsibilityfor managementlies,italsocomparesagainstthe “legacyIT” or “on-premises”model:
Cloud Computing Deployment Models

Cloud computing services may be delivered on-premises or in public clouds. There are three types of cloud deployment:
- Public cloud, or simply "cloud": e.g. AWS, Azure, GCP.
- Hybrid cloud: a mixture of public and private clouds.
- Private cloud (on-premises): managed in your own data centre, e.g. Hyper-V, OpenStack, VMware.

1. Private Cloud

In an on-premises, or private cloud, computing deployment model an enterprise deploys their own infrastructure and applications into their own data center. The data center can be on-premises or co-location (colo). Though an on-premises deployment is very much the "legacy IT" setup, it can have many of the characteristics of cloud computing if the stack is designed properly, hence turning it into a "private cloud".

For instance, a private cloud can be delivered using a virtualization platform with orchestration and self-service software. From a developer's perspective, this can mean compute capacity is delivered on-demand, elastically (within the capacity constraints of the system), and programmatically.

The private cloud deployment is typically single-tenant, meaning the platform is not shared with other organizations. It may, however, have multiple tenants, which could be departments within the organization.

Private cloud is not a pay-as-you-go expense, as you own (and pay for) the entire stack whether it's being used or not. However, you can use metering either to record and display usage across different tenants or to actually charge those user groups; these methods are sometimes called "showback" or "chargeback".

A private cloud deployment doesn't provide many of the benefits of cloud computing but is sometimes sought for its ability to provide dedicated resources. Though you have complete control over how you deploy and manage a private cloud, this needs to be weighed against the capital expense of owning your own data center, and the limitations in scalability this type of architecture typically imposes.

The benefits of private cloud include:
a. Complete control of the entire stack.
b. Security: in a few cases, organizations may need to keep all or some of their applications and data in house.

Vendors of private cloud "stacks" include VMware, Microsoft, Red Hat, Dell EMC, OpenStack, and HPE.

2. Public Cloud

When we talk about "cloud computing" this is typically what's being discussed, and it is the model which provides most of the advantages of cloud computing. A public cloud computing deployment model means the IT services that you consume are hosted and delivered by a third party and accessed over the Internet. Services are available to the "public" to use, so any organization or end user can create an account with their credit card.

This model is typically multi-tenant, with many customers sharing the same underlying infrastructure (though you can use dedicated hardware in a public cloud, e.g. Amazon EC2 Dedicated Hosts).

Top public cloud providers include: AWS, Microsoft Azure, and Google Cloud Platform.

3. Hybrid Cloud

What is hybrid cloud? This is a cloud computing deployment model in which a combination of on-premises, private cloud, and public cloud services are consumed. This model is extremely common, especially with larger organizations, as a single cloud deployment model may not be optimal for all workloads. For instance, an organization may require some data to be maintained on-premises (or at least not in a multi-tenant public cloud) for compliance reasons, but may wish to deploy web services in public cloud providers around the world to leverage the elasticity and get content closer to customers.

Hybrid cloud models are also used for cloud bursting. This means that the organization may run their applications primarily on-premises, or in a private cloud, but in times of heavy load they can "burst" into the public cloud, launching additional application servers to service the load. This model delivers some of the benefits of private cloud and public cloud, though some organizations have found that there are operational advantages to going "all in" on a single deployment model. It's really up to each and every organization to evaluate the pros and cons of each deployment model to work out the ideal fit.

Benefits of hybrid cloud include:
a. Allows companies to keep critical applications and sensitive data in a traditional data center environment or private cloud.
b. Enables taking advantage of public cloud resources like SaaS, for the latest applications, and IaaS, for elastic virtual resources.
c. Facilitates portability of data, apps and services, and more choices for deployment models.

How do you decide on the best cloud computing deployment model?

You should now understand the various patterns and anti-patterns associated with each cloud computing deployment model. There are several approaches towards determining the best model for your organization. These include:

Workload centric approach: in this approach you analyze every workload to determine the most suitable cloud computing deployment model. You need to take into account multiple factors, including technology fit, operational fit, and cost.

Organizationally centric approach: in this approach you take a more holistic view of which type of cloud computing deployment model is most suitable for your company. Factors to consider would include business agility and growth, competitive differentiation, operational preference, and CAPEX vs OPEX preferences.
AWS Global Infrastructure

The AWS infrastructure is built around Regions and Availability Zones (AZs). An AWS Region is a physical location in the world where AWS has multiple AZs. AZs consist of one or more discrete data centers, each with redundant power, networking, and connectivity, housed in separate facilities. Each Region is completely independent. Each Availability Zone is isolated, but the Availability Zones in a Region are connected through low-latency links.

AWS is constantly expanding around the world and currently there are:

Regions

A Region is a geographical area. Each Region consists of two or more Availability Zones. Each Amazon Region is designed to be completely isolated from the other Amazon Regions. Each AWS Region has multiple Availability Zones and data centers. You can replicate data within a Region and between Regions using private or public Internet connections.

You retain complete control and ownership over the Region in which your data is physically located, making it easy to meet regional compliance and data residency requirements. Note that there is a charge for data transfer between Regions.

When you launch an EC2 instance, you must select an AMI that's in the same Region. If the AMI is in another Region, you can copy the AMI to the Region you're using.

Regions and endpoints:
- When you work with an instance using the command line interface or API actions, you must specify its regional endpoint.
- To reduce data latency in your applications, most Amazon Web Services offer a regional endpoint to make your requests.
- An endpoint is a URL that is the entry point for a web service.
- For example, https://dynamodb.us-west-2.amazonaws.com is an entry point for the Amazon DynamoDB service.

Availability Zones

Availability Zones are physically separate and isolated from each other. AZs span one or more data centers and have direct, low-latency, high-throughput and redundant network connections between each other. Each AZ is designed as an independent failure zone.

When you launch an instance, you can select an Availability Zone or let AWS choose one for you. If you distribute your EC2 instances across multiple Availability Zones and one instance fails, you can design your application so that an instance in another Availability Zone can handle requests. You can also use Elastic IP addresses to mask the failure of an instance in one Availability Zone by rapidly remapping the address to an instance in another Availability Zone.

An Availability Zone is represented by a Region code followed by a letter identifier; for example, us-east-1a. To ensure that resources are distributed across the Availability Zones for a Region, AWS independently maps Availability Zones to names for each AWS account. For example, the Availability Zone us-east-1a for your AWS account might not be the same location as us-east-1a for another AWS account. To coordinate Availability Zones across accounts, you must use the AZ ID, which is a unique and consistent identifier for an Availability Zone (for example, use1-az1).

AZs are physically separated within a typical metropolitan region and are located in lower-risk flood plains. AZs use discrete UPS and on-site backup generation facilities and are fed via different grids from independent utilities. AZs are all redundantly connected to multiple tier-1 transit providers.

The following graphic shows three AWS Regions, each of which has three Availability Zones:
Local Zones

AWS Local Zones place compute, storage, database, and other select AWS services closer to end users. With AWS Local Zones, you can easily run highly demanding applications that require single-digit millisecond latencies to your end users.

Each AWS Local Zone location is an extension of an AWS Region where you can run your latency-sensitive applications using AWS services such as Amazon Elastic Compute Cloud, Amazon Virtual Private Cloud, Amazon Elastic Block Store, Amazon File Storage, and Amazon Elastic Load Balancing in geographic proximity to end users.

AWS Local Zones provide a high-bandwidth, secure connection between local workloads and those running in the AWS Region, allowing you to seamlessly connect to the full range of in-Region services through the same APIs and tool sets.

AWS Wavelength

AWS Wavelength enables developers to build applications that deliver single-digit millisecond latencies to mobile devices and end users. AWS developers can deploy their applications to Wavelength Zones, AWS infrastructure deployments that embed AWS compute and storage services within the telecommunications providers' data centers at the edge of the 5G networks, and seamlessly access the breadth of AWS services in the Region. AWS Wavelength brings AWS services to the edge of the 5G network, minimizing the latency to connect to an application from a mobile device.

AWS Outposts

AWS Outposts bring native AWS services, infrastructure, and operating models to virtually any data center, co-location space, or on-premises facility. You can use the same AWS APIs, tools, and infrastructure across on-premises and the AWS cloud to deliver a truly consistent hybrid experience. AWS Outposts is designed for connected environments and can be used to support workloads that need to remain on-premises due to low latency or local data processing needs.

Edge Locations and Regional Edge Caches

Edge locations are Content Delivery Network (CDN) endpoints for CloudFront. There are many more edge locations than Regions; currently there are over 200 edge locations. Regional Edge Caches sit between your CloudFront origin servers and the edge locations. A Regional Edge Cache has a larger cache than each of the individual edge locations.

The following diagram shows CloudFront edge locations:
Identity and Access Management

General IAM Concepts

AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources. IAM makes it easy to provide multiple users secure access to AWS resources.

When you first create an AWS account, you begin with a single sign-in identity that has complete access to all AWS services and resources in the account. This identity is called the AWS account root user and is accessed by signing in with the email address and password that you used to create the account.

IAM can be used to manage:
- Users.
- Groups.
- Access policies.
- Roles.
- User credentials.
- User password policies.
- Multi-factor authentication (MFA).
- API keys for programmatic access (CLI).

IAM provides the following features:
- Shared access to your AWS account.
- Granular permissions.
- Secure access to AWS resources for applications that run on Amazon EC2.
- Multi-factor authentication.
- Identity federation.
- Identity information for assurance.
- PCI DSS compliance.
- Integrated with many AWS services.
- Eventually consistent.
- Free to use.

You can work with AWS Identity and Access Management in any of the following ways:
- AWS Management Console.
- AWS Command Line Tools.
- AWS SDKs.
- IAM HTTPS API.

By default new users are created with NO access to any AWS services; they can only log in to the AWS console. Permission must be explicitly granted to allow a user to access an AWS service.

IAM users are individuals who have been granted access to an AWS account. Each IAM user has three main components:
- A user name.
- A password.
- Permissions to access various resources.

You can apply granular permissions with IAM. You can assign users individual security credentials such as access keys, passwords, and multi-factor authentication devices. IAM is not used for application-level authentication.

Identity federation (including AD, Facebook etc.) can be configured, allowing secure access to resources in an AWS account without creating an IAM user account.

Multi-factor authentication (MFA) can be enabled/enforced for the AWS account and for individual users under the account. MFA uses an authentication device that continually generates random, six-digit, single-use authentication codes.

You can authenticate using an MFA device in the following ways:
- Through the AWS Management Console: the user is prompted for a user name, password and authentication code.
- Using the AWS API: restrictions are added to IAM policies, and developers can request temporary security credentials and pass MFA parameters in their AWS STS API requests.
- Using the AWS CLI, by obtaining temporary security credentials from STS (aws sts get-session-token).
It is a best practice to always set up multi-factor authentication on the root account.

IAM is universal (global) and does not apply to Regions. IAM replicates data across multiple data centres around the world.

The "root account" is the account created when you set up the AWS account. It has complete admin access and is the only account that has this access by default. It is a best practice to avoid using the root account for anything other than billing.

Power user access (the AWS managed policy PowerUserAccess) allows all permissions except the management of users and groups in IAM.

Temporary security credentials consist of the AWS access key ID, secret access key, and security token. IAM can assign temporary security credentials to provide users with temporary access to services/resources.

To sign in you must provide your account ID or account alias in addition to a user name and password. The sign-in URL includes the account ID or account alias, e.g.: https://My_AWS_Account_ID.signin.aws.amazon.com/console/. Alternatively, you can sign in at the following URL and enter your account ID or alias manually: https://console.aws.amazon.com/

IAM integrates with many different AWS services.

Authentication Methods

Console password:
- A password that the user can enter to sign in to interactive sessions such as the AWS Management Console.
- You can allow users to change their own passwords.
- You can allow selected IAM users to change their passwords by disabling the option for all users and using an IAM policy to grant permissions for the selected users.

Access keys:
- A combination of an access key ID and a secret access key.
- You can assign two active access keys to a user at a time.
- These can be used to make programmatic calls to AWS when using the API in program code or at a command prompt when using the AWS CLI or the AWS PowerShell tools.
- You can create, modify, view or rotate access keys.
- When created, IAM returns the access key ID and secret access key.
- The secret access key is returned only at creation time; if it is lost a new key must be created.
- Ensure access keys and secret access keys are stored securely.
- Users can be given access to change their own keys through an IAM policy (not from the console).
- You can disable a user's access key, which prevents it from being used for API calls.

Server certificates:
- SSL/TLS certificates that you can use to authenticate with some AWS services.
- AWS recommends that you use AWS Certificate Manager (ACM) to provision, manage and deploy your server certificates.
- Use IAM only when you must support HTTPS connections in a Region that is not supported by ACM.

IAM Users

An IAM user is an entity that represents a person or service.
Can be assigned:
- An access key ID and secret access key for programmatic access to the AWS API, CLI, SDK, and other development tools.
- A password for access to the management console.

By default, users cannot access anything in your account.

The account root user credentials are the email address used to create the account and a password. The root account has full administrative permissions and these cannot be restricted by IAM policies.

Best practice for root accounts:
- Don't use the root user credentials.
- Don't share the root user credentials.
- Create an IAM user and assign administrative permissions as required.
- Enable MFA.

IAM users can be created to represent applications, and these are known as "service accounts".

You can have up to 5000 users per AWS account.

Each user account has a friendly name and an ARN which uniquely identifies the user across AWS. A unique ID is also created, which is returned only when you create the user using the API, Tools for Windows PowerShell or the AWS CLI.

You should create individual IAM accounts for users (best practice not to share accounts).

The access key ID and secret access key are not the same as a password and cannot be used to log in to the AWS console. The secret access key is shown only once, when the key is created; if it is lost, the key must be deactivated and a new one generated.

A password policy can be defined for enforcing password length, complexity etc. (it applies to all users). You can allow or disallow the ability to change passwords using an IAM policy.

Access keys and passwords should be changed regularly.

Groups

Groups are collections of users and have policies attached to them. A group is not an identity and cannot be identified as a principal in an IAM policy.
Use groups to assign permissions to users. Use the principle of least privilege when assigning permissions. You cannot nest groups (groups within groups).

Roles

Roles are created and then "assumed" by trusted entities and define a set of permissions for making AWS service requests. With IAM roles you can delegate permissions to resources for users and services without using permanent credentials (e.g. user name and password). IAM users or AWS services can assume a role to obtain temporary security credentials that can be used to make AWS API calls.

You can delegate using roles. There are no credentials associated with a role (password or access keys). IAM users can temporarily assume a role to take on permissions for a specific task. A role can be assigned to a federated user who signs in using an external identity provider. Temporary credentials are primarily used with IAM roles and automatically expire. Roles can be assumed temporarily through the console or programmatically with the AWS CLI, Tools for Windows PowerShell or API.

IAM roles with EC2 instances:
- IAM roles can be used to grant applications running on EC2 instances permission to make AWS API requests, using instance profiles.
- Only one role can be assigned to an EC2 instance at a time.
- A role can be assigned at EC2 instance creation time or at any time afterwards.
- When using the AWS CLI or API, instance profiles must be created manually (it's automatic and transparent through the console).
- Applications retrieve temporary security credentials from the instance metadata.

Role delegation:
- Create an IAM role with two policies:
  - Permissions policy: grants the user of the role the required permissions on a resource.
  - Trust policy: specifies the trusted accounts that are allowed to assume the role.
- Wildcards (*) cannot be specified as a principal.
- A permissions policy must also be attached to the user in the trusted account (allowing sts:AssumeRole on the role).

Policies

Policies are documents that define permissions and can be applied to users, groups and roles. Policy documents are written in JSON (key-value pairs, each consisting of an attribute and a value). All permissions are implicitly denied by default. Where policies conflict, an explicit deny always overrides an allow, so the most restrictive result applies. The IAM policy simulator is a tool to help you understand, test, and validate the effects of access control policies. The Condition element can be used to apply further conditional logic.

STS
The AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for IAM users or for users that you authenticate (federated users).

Temporary security credentials work almost identically to the long-term access key credentials that IAM users can use, with the following differences:
- Temporary security credentials are short-term.
- They can be configured to last anywhere from a few minutes to several hours.
- After the credentials expire, AWS no longer recognizes them or allows any kind of access to API requests made with them.
- Temporary security credentials are not stored with the user but are generated dynamically and provided to the user when requested.
- When (or even before) the temporary security credentials expire, the user can request new credentials, as long as the user requesting them still has permission to do so.

Advantages of STS are:
- You do not have to distribute or embed long-term AWS security credentials with an application.
- You can provide access to your AWS resources to users without having to define an AWS identity for them (temporary security credentials are the basis for IAM roles and ID federation).
- The temporary security credentials have a limited lifetime, so you do not have to rotate them or explicitly revoke them when they're no longer needed.
- After temporary security credentials expire, they cannot be reused (you can specify how long the credentials are valid for, up to a maximum limit).

Users can come from three sources.

Federation (typically AD):
- Uses SAML 2.0.
- Grants temporary access based on the user's AD credentials.
- The user does not need to exist in IAM.
- Single sign-on allows users to log in to the AWS console without being assigned IAM credentials.

Federation with mobile apps:
- Use Facebook/Amazon/Google or other OpenID providers to log in.

Cross account access:
- Lets users from one AWS account access resources in another.
- To make a request in a different account, the resource in that account must have an attached resource-based policy with the permissions you need.
- Or you must assume a role (identity-based policy) within that account with the permissions you need.

IAM Best Practices

- Lock away the AWS root user access keys.
- Create individual IAM users.
- Use AWS managed policies to assign permissions whenever possible.
- Use groups to assign permissions to IAM users.
- Grant least privilege.
- Use access levels to review IAM permissions.
- Configure a strong password policy for users.
- Enable MFA.
- Use roles for applications that run on AWS EC2 instances.
- Delegate by using roles instead of sharing credentials.
- Rotate credentials regularly.
- Remove unnecessary credentials.
- Use policy conditions for extra security.
- Monitor activity in your AWS account.
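The evaluation rules stated in the Policies, Role delegation and Cross account access passages above (implicit deny by default, explicit deny overrides allow, the Condition element, and the two halves of delegating a role) are easier to reason about when you can run them. The following is an added example written for this page; it is not AWS code and not the IAM policy simulator. It implements only the subset of policy grammar the page mentions (Action/NotAction, Resource, Effect, Condition with StringEquals, StringLike and Bool plus their ...IfExists forms). All policies, account IDs and ARNs are constructed for illustration.

```python
"""Minimal IAM policy evaluator (added example, not AWS's implementation).
Rules implemented: everything is implicitly denied; an explicit Deny beats
any Allow; Action/Resource accept * wildcards; Condition can restrict a
statement. Supported operators: StringEquals, StringLike, Bool, ...IfExists.
"""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(value, patterns, fold_case=False):
    """IAM-style wildcard match; action names are case-insensitive, ARNs are not."""
    pats = [str(p) for p in _as_list(patterns)]
    if fold_case:
        value, pats = value.lower(), [p.lower() for p in pats]
    return any(fnmatch.fnmatchcase(value, p) for p in pats)


def _condition_ok(condition, ctx):
    for op, pairs in condition.items():
        if_exists = op.endswith("IfExists")
        base = op[: -len("IfExists")] if if_exists else op
        for key, wanted in pairs.items():
            actual = ctx.get(key)
            wanted = [str(w) for w in _as_list(wanted)]
            if actual is None:
                # A key absent from the request context (aws:MultiFactorAuthPresent is
                # absent, not "false", for long-term access keys) satisfies only ...IfExists.
                ok = if_exists
            elif base == "Bool":
                ok = str(actual).lower() == wanted[0].lower()
            elif base == "StringEquals":
                ok = str(actual) in wanted
            elif base == "StringLike":
                ok = _match(str(actual), wanted)
            else:
                raise ValueError("unsupported condition operator: " + op)
            if not ok:
                return False
    return True


def _statement_applies(stmt, action, resource, ctx):
    if "NotAction" in stmt:
        act_ok = not _match(action, stmt["NotAction"], fold_case=True)
    else:
        act_ok = _match(action, stmt.get("Action", []), fold_case=True)
    res_ok = _match(resource, stmt.get("Resource", "*"))
    return act_ok and res_ok and _condition_ok(stmt.get("Condition", {}), ctx)


def evaluate(policies, action, resource, context=None):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request."""
    ctx = context or {}
    decision = "implicit_deny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_applies(stmt, action, resource, ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit_deny"  # a Deny wins regardless of any Allow
            decision = "allow"
    return decision


def can_assume_role(trust_policy, caller_arn, caller_policies, role_arn, context=None):
    """Both halves of role delegation: the role's trust policy must name the caller
    as a Principal (no wildcards accepted) and the caller's own identity policies
    must allow sts:AssumeRole on the role ARN."""
    ctx = context or {}
    trusted = False
    for stmt in _as_list(trust_policy["Statement"]):
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if (stmt["Effect"] == "Allow" and _match("sts:AssumeRole", stmt["Action"], fold_case=True)
                and caller_arn in principals and _condition_ok(stmt.get("Condition", {}), ctx)):
            trusted = True
    return trusted and evaluate(caller_policies, "sts:AssumeRole", role_arn, ctx) == "allow"


# Constructed sample policies (not real accounts or buckets).
READ_LOGS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::logs-bucket", "arn:aws:s3:::logs-bucket/*"]}]}

# "Deny everything except MFA self-service unless MFA was used": BoolIfExists is
# required because the MFA key is missing, not false, for access-key requests.
MFA_ENFORCED_ADMIN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny",
     "NotAction": ["iam:ListMFADevices", "iam:CreateVirtualMFADevice",
                   "iam:EnableMFADevice", "sts:GetSessionToken"],
     "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}

AUDIT_ROLE = "arn:aws:iam::444455556666:role/AuditReadOnly"
ALICE = "arn:aws:iam::111122223333:user/alice"
AUDIT_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ALICE}, "Action": "sts:AssumeRole",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}
ALICE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": AUDIT_ROLE}]}

if __name__ == "__main__":
    print(evaluate([READ_LOGS], "s3:GetObject", "arn:aws:s3:::logs-bucket/2024/app.log"))
    print(evaluate([MFA_ENFORCED_ADMIN], "ec2:TerminateInstances", "*"))
    print(can_assume_role(AUDIT_TRUST, ALICE, [ALICE_POLICY], AUDIT_ROLE,
                          {"aws:MultiFactorAuthPresent": "true"}))
```

The MFA policy is the point most worth testing: with `Bool` instead of `BoolIfExists` the Deny would never fire for requests signed with long-term access keys, because the MFA key is simply absent from that request context. Use the real IAM policy simulator before relying on any such policy in production; this evaluator covers only the operators listed in its docstring.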
AWS Compute

Amazon EC2

Amazon Elastic Compute Cloud (Amazon EC2) is a web service with which you can run virtual server "instances" in the cloud. Amazon EC2 instances can run the Windows, Linux, or macOS operating systems.

The EC2 simple web service interface allows you to obtain and configure capacity with minimal friction. EC2 is designed to make web-scale cloud computing easier for developers. Amazon EC2 changes the economics of computing by allowing you to pay only for capacity that you actually use. Amazon EC2 provides developers the tools to build failure-resilient applications and isolate them from common failure scenarios.

Benefits of EC2 include:
- Elastic web-scale computing: you can increase or decrease capacity within minutes, not hours, and commission one to thousands of instances simultaneously.
- Completely controlled: you have complete control, including root access, over each instance, and can stop and start instances without losing data using web service APIs.
- Flexible cloud hosting services: you can choose from multiple instance types, operating systems, and software packages, as well as instances with varying memory, CPU and storage configurations.
- Integrated: EC2 is integrated with most AWS services such as S3, RDS, and VPC to provide a complete, secure solution.
- Reliable: EC2 offers a highly reliable environment where replacement instances can be rapidly and predictably commissioned, with an SLA of 99.99% for each Region.
- Secure: EC2 works in conjunction with VPC to provide a secure location with an IP address range you specify, and offers security groups, network ACLs, and IPsec VPN features.
- Inexpensive: Amazon passes on the financial benefits of scale by charging very low rates on a capacity-consumed basis.

An Amazon Machine Image (AMI) is a special type of virtual appliance that is used to create a virtual machine within Amazon Elastic Compute Cloud (EC2).

An AMI includes the following:
- One or more EBS snapshots, or, for instance-store-backed AMIs, a template for the root volume of the instance (for example, an operating system, an application server, and applications).
- Launch permissions that control which AWS accounts can use the AMI to launch instances.
- A block device mapping that specifies the volumes to attach to the instance when it's launched.

AMIs come in three main categories:
- Community AMIs: free to use; generally you just select the operating system you want.
- AWS Marketplace AMIs: pay to use; generally come packaged with additional, licensed software.
- My AMIs: AMIs that you create yourself.
Metadata and User Data:
- User data is data that is supplied by the user at instance launch in the form of a script.
- Instance metadata is data about your instance that you can use to configure or manage the running instance.
- User data is limited to 16 KB.
- User data and metadata are not encrypted, and both are readable by any process on the instance, so do not place secrets such as passwords or API keys in user data; give the instance a role instead.
- Instance metadata is available at http://169.254.169.254/latest/meta-data. With IMDSv2 the caller must first obtain a session token with a PUT request and present it on every subsequent request; this blocks the plain GET that an SSRF vulnerability in a web application would otherwise use to steal the instance role's credentials.

The Instance Metadata Query tool allows you to query the instance metadata without having to type out the full URI or category names.

Pricing

On-demand:
- Good for users that want the low cost and flexibility of EC2 without any up-front payment or long-term commitment.
- Applications with short-term, spiky, or unpredictable workloads that cannot be interrupted.
- Applications being developed or tested on EC2 for the first time.

Reserved:
- Applications with steady-state or predictable usage.
- Applications that require reserved capacity.
- Users can make up-front payments to reduce their total computing costs even further.
- Standard Reserved Instances (RIs) provide up to 75% off the on-demand price.
- Convertible RIs provide up to 54% off the on-demand price and provide the capability to change the attributes of the RI, as long as the exchange results in the creation of RIs of equal or greater value.
- Scheduled RIs are available to launch within the time window you reserve. This option allows you to match your capacity reservation to a predictable recurring schedule that only requires a fraction of a day, a week, or a month.

Spot:
- Applications that have flexible start and end times.
- Applications that are only feasible at very low compute prices.
- Users with an urgent need for a large amount of additional compute capacity.
- If Amazon terminates your instances you do not pay for the partial hour; if you terminate them, you pay for the hour.

Dedicated hosts:
- Physical servers dedicated just for your use.
- You then have control over which instances are deployed on that host.
- Available as On-Demand or with a Dedicated Host Reservation.
- Useful if you have server-bound software licences that use metrics like per-core, per-socket, or per-VM.
- Each dedicated host can only run one EC2 instance size and type.
- Good for regulatory compliance or licensing requirements.
- Predictable performance.
- Complete isolation.
- Most expensive option.
- Billing is per host.

Dedicated instances:
- Virtualized instances on hardware just for you.
- Also uses physically dedicated EC2 servers.
- Does not provide the additional visibility and controls of dedicated hosts (e.g. how instances are placed on a server).
- Billing is per instance.
- May share hardware with other non-dedicated instances in the same account.
- Available as On-Demand, Reserved Instances, and Spot Instances.
- Costs an additional $2 per hour per Region.

Savings Plans:
- Savings Plans is a flexible pricing model that provides savings of up to 72% on your AWS compute usage.
- This pricing model offers lower prices on Amazon EC2 instance usage, regardless of instance family, size, OS, tenancy or AWS Region.
- Also applies to AWS Fargate and AWS Lambda usage.

Instance Types

Amazon EC2 provides a wide selection of instance types optimized to fit different use cases. Instance types comprise varying combinations of CPU, memory, storage, and networking capacity and give you the flexibility to choose the appropriate mix of resources for your applications. Each instance type includes one or more instance sizes, allowing you to scale your resources to the requirements of your target workload.

The table below provides an overview of the different EC2 instance types:
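The "Metadata and User Data" passage above says applications read their role credentials from the instance metadata at http://169.254.169.254. The following added example (written for this page, not AWS SDK code) shows the IMDSv2 exchange that a secure client performs: a PUT to obtain a session token, then GETs carrying that token. It includes a constructed stand-in for the metadata service so it runs offline; the `opener` parameter is a hypothetical injection point for that stand-in, and on a real instance you would pass `urllib.request.urlopen`. All metadata values and credentials in `FakeImds` are made up.

```python
"""IMDSv2 client for the EC2 instance metadata endpoint (added example).
Assumed, documented IMDSv2 behaviour: PUT /latest/api/token with the
X-aws-ec2-metadata-token-ttl-seconds header returns a session token, and
every metadata GET must carry it in X-aws-ec2-metadata-token.
"""
import io
import json
import urllib.request

IMDS_BASE = "http://169.254.169.254"
TOKEN_HEADER = "X-aws-ec2-metadata-token"
TOKEN_TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"


def _request(opener, method, path, headers):
    req = urllib.request.Request(IMDS_BASE + path, method=method, headers=headers)
    with opener(req, timeout=2) as resp:
        return resp.read().decode()


def get_imds_token(opener=urllib.request.urlopen, ttl_seconds=21600):
    """Step 1 of IMDSv2: a PUT (which a typical SSRF GET cannot forge) yields a token."""
    return _request(opener, "PUT", "/latest/api/token", {TOKEN_TTL_HEADER: str(ttl_seconds)})


def get_metadata(path, token, opener=urllib.request.urlopen):
    """Step 2: read a category such as 'instance-id', presenting the token."""
    return _request(opener, "GET", "/latest/meta-data/" + path.lstrip("/"), {TOKEN_HEADER: token})


def get_role_credentials(opener=urllib.request.urlopen):
    """What an application on the instance does to pick up its role's temporary
    credentials (the 'retrieve temporary security credentials from the instance
    metadata' step described in the IAM section)."""
    token = get_imds_token(opener)
    role = get_metadata("iam/security-credentials/", token, opener).strip()
    return json.loads(get_metadata("iam/security-credentials/" + role, token, opener))


def imdsv1_probe(opener=urllib.request.urlopen):
    """A bare GET with no token: the request a typical SSRF payload can make.
    Returns the body if the service answered (IMDSv1 still enabled), else None."""
    try:
        return _request(opener, "GET", "/latest/meta-data/iam/security-credentials/", {})
    except PermissionError:
        return None


class _Body(io.BytesIO):
    def __init__(self, text):
        super().__init__(text.encode())


class FakeImds:
    """Constructed stand-in for the metadata service with IMDSv2 required
    (the HttpTokens=required instance setting). All values are made up."""
    TOKEN = "AQAEAConstructedSessionToken"
    DATA = {
        "/latest/meta-data/instance-id": "i-0123456789abcdef0",
        "/latest/meta-data/placement/availability-zone": "us-east-1a",
        "/latest/meta-data/iam/security-credentials/": "web-app-role",
        "/latest/meta-data/iam/security-credentials/web-app-role": json.dumps({
            "Code": "Success", "Type": "AWS-HMAC",
            "AccessKeyId": "ASIACONSTRUCTEDEXAMPLE",
            "SecretAccessKey": "constructed-secret",
            "Token": "constructed-session-token",
            "Expiration": "2030-01-01T00:00:00Z"}),
    }

    def __call__(self, req, timeout=None):
        path = req.full_url[len(IMDS_BASE):]
        hdrs = {k.lower(): v for k, v in req.header_items()}
        if req.get_method() == "PUT" and path == "/latest/api/token":
            if not 1 <= int(hdrs.get(TOKEN_TTL_HEADER.lower(), "0")) <= 21600:
                raise ValueError("400 Bad Request: TTL must be 1..21600 seconds")
            return _Body(self.TOKEN)
        if hdrs.get(TOKEN_HEADER.lower()) != self.TOKEN:
            raise PermissionError("401 Unauthorized: missing or invalid IMDSv2 token")
        if path not in self.DATA:
            raise FileNotFoundError("404 Not Found: " + path)
        return _Body(self.DATA[path])


if __name__ == "__main__":
    fake = FakeImds()
    print("role credentials key id:", get_role_credentials(fake)["AccessKeyId"])
    print("token-less GET returned:", imdsv1_probe(fake))
```

The contrast between `get_role_credentials` and `imdsv1_probe` is the practical point: once an instance is set to require IMDSv2, the unauthenticated GET that SSRF attacks rely on returns nothing, while a correctly written client on the instance is unaffected.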
Amazon Elastic Container Service (ECS)

Amazon Elastic Container Service (ECS) is another product in the AWS Compute category. It provides a highly scalable, high-performance container management service that supports Docker containers and allows you to easily run applications on a managed cluster of Amazon EC2 instances.

Amazon ECS eliminates the need for you to install, operate, and scale your own cluster management infrastructure. Using API calls you can launch and stop container-enabled applications, query the complete state of clusters, and access many familiar features like security groups, Elastic Load Balancing, EBS volumes and IAM roles.

Amazon ECS can be used to schedule the placement of containers across clusters based on resource needs and availability requirements.

An Amazon ECS launch type determines the type of infrastructure on which your tasks and services are hosted. There are two launch types (EC2 and Fargate), and the table below describes some of the differences between them:
The Elastic Container Registry (ECR) is a managed AWS Docker registry service for storing, managing and deploying Docker images.

There is no additional charge for Amazon ECS. You pay for the AWS resources (e.g. EC2 instances or EBS volumes) you create to store and run your application.

Amazon ECR is integrated with Amazon EC2 Container Service (ECS). With Amazon ECR, there are no upfront fees or commitments. You pay only for the amount of data you store in your repositories and data transferred to the Internet.

AWS Lambda

AWS Lambda is a serverless computing technology that allows you to run code without provisioning or managing servers. AWS Lambda executes code only when needed and scales automatically. You pay only for the compute time you consume (you pay nothing when your code is not running).

Benefits of AWS Lambda:
- No servers to manage.
- Continuous scaling.
- Subsecond metering.
- Integrates with almost all other AWS services.

Primary use cases for AWS Lambda:
- Data processing.
- Real-time file processing.
- Real-time stream processing.
- Building serverless backends for web, mobile, IoT, and 3rd party API requests.

Amazon Lightsail (Amazon Lightsail Instances)

Amazon Lightsail is one of the newest services in the AWS Compute suite of products. Amazon Lightsail is great for users who do not have deep AWS technical expertise, as it makes it very easy to provision compute services.

Amazon Lightsail provides developers compute, storage, and networking capacity and capabilities to deploy and manage websites, web applications, and databases in the cloud. Amazon Lightsail includes everything you need to launch your project quickly: a virtual machine, SSD-based storage, data transfer, DNS management, and a static IP.

Amazon Lightsail provides preconfigured virtual private servers (instances) that include everything required to deploy an application or create a database. The underlying infrastructure and operating system are managed by Amazon Lightsail.

- Best suited to projects that require a few dozen instances or fewer.
- Provides a simple management interface.
- Good for blogs, websites, web applications, e-commerce etc.
- Can deploy load balancers and attach block storage.
- Public API.
- Limited to 20 Amazon Lightsail instances, 5 static IPs, 3 DNS zones, 20 TB block storage, 40 databases, and 5 load balancers per account.
- Up to 20 certificates per calendar year.
- Instances can connect to each other and to other AWS resources through public Internet and private (VPC peering) networking.

Application templates include WordPress, WordPress Multisite, Drupal, Joomla!, Magento, Redmine, LAMP, Nginx (LEMP), MEAN, Node.js, and more.

Amazon Lightsail currently supports 6 Linux or Unix-like distributions: Amazon Linux, CentOS, Debian, FreeBSD, openSUSE, and Ubuntu, as well as 2 Windows Server versions: 2012 R2 and 2016.

Amazon Lightsail Databases

Amazon Lightsail databases are instances that are dedicated to running databases.
An Amazon Lightsail database can contain multiple user-created databases, and you can access it by using the same tools and applications that you use with a stand-alone database.

Amazon Lightsail managed databases provide an easy, low-maintenance way to store your data in the cloud. Amazon Lightsail manages a range of maintenance activities and security for your database and its underlying infrastructure. Amazon Lightsail automatically backs up your database and allows point-in-time restore from the past 7 days using the database restore tool.

Amazon Lightsail databases support the latest major versions of MySQL. Currently, these versions are 5.6, 5.7, and 8.0 for MySQL.

Amazon Lightsail databases are available in Standard and High Availability plans. High Availability plans add redundancy and durability to your database by automatically creating a standby database in a separate Availability Zone.

Amazon Lightsail is very affordable. Amazon Lightsail plans are billed on an on-demand hourly rate, so you pay only for what you use. For every Amazon Lightsail plan you use, you are charged the fixed hourly price, up to the maximum monthly plan cost.

AWS Elastic Beanstalk

AWS Elastic Beanstalk is the fastest and simplest way to get web applications up and running on AWS. Developers simply upload their application code and the service automatically handles all the details such as resource provisioning, load balancing, auto-scaling, and monitoring. Elastic Beanstalk is ideal if you have a PHP, Java, Python, Ruby, Node.js, .NET, Go, or Docker web application. Elastic Beanstalk uses core AWS services such as Amazon EC2, Amazon Elastic Container Service (Amazon ECS), Auto Scaling, and Elastic Load Balancing to easily support applications that need to scale to serve millions of users.

AWS Batch

AWS Batch enables developers, scientists, and engineers to easily and efficiently run hundreds of thousands of batch computing jobs on AWS. AWS Batch dynamically provisions the optimal quantity and type of compute resources (e.g., CPU or memory optimized instances) based on the volume and specific resource requirements of the batch jobs submitted.

AWS Storage

Amazon Simple Storage Service (S3)

Amazon S3 is object storage built to store and retrieve any amount of data from anywhere: web sites and mobile apps, corporate applications, and data from IoT sensors or devices.
You can store any type of file in S3. S3 is designed to deliver 99.999999999% durability, and stores data for millions of applications used by market leaders in every industry. S3 provides comprehensive security and compliance capabilities that meet even the most stringent regulatory requirements. S3 gives customers flexibility in the way they manage data for cost optimization, access control, and compliance.

Typical use cases include:
- Backup and storage: provide data backup and storage services for others.
- Application hosting: provide services that deploy, install, and manage web applications.
- Media hosting: build a redundant, scalable, and highly available infrastructure that hosts video, photo, or music uploads and downloads.
- Software delivery: host your software applications that customers can download.
- Static website: you can configure a static website to run from an S3 bucket.

S3 provides query-in-place functionality, allowing you to run powerful analytics directly on your data at rest in S3. Amazon S3 is the most supported cloud storage service available, with integration from the largest community of third-party solutions, systems integrator partners, and other AWS services.

Files can be anywhere from 0 bytes to 5 TB. There is unlimited storage available. Files are stored in buckets. Buckets are root-level folders. Any subfolder within a bucket is known as a "folder". S3 is a universal namespace, so bucket names must be unique globally.

There are six S3 storage classes:
- S3 Standard (durable, immediately available, frequently accessed).
- S3 Intelligent-Tiering (automatically moves data to the most cost-effective tier).
- S3 Standard-IA (durable, immediately available, infrequently accessed).
- S3 One Zone-IA (lower cost for infrequently accessed data with less resilience).
- S3 Glacier (archived data, retrieval times in minutes or hours).
- S3 Glacier Deep Archive (lowest cost storage class for long-term retention).

The table below provides the details of each Amazon S3 storage class:
When you successfully upload a file to S3 you receive an HTTP 200 code.

S3 is a persistent, highly durable data store.

Persistent data stores are non-volatile storage systems that retain data when powered off. This is in contrast to transient data stores and ephemeral data stores, which lose the data when powered off.

The following table provides a description of persistent, transient and ephemeral data stores and which AWS service to use:

Bucket names must follow a set of rules:
- Names must be unique across all of AWS.
- Names must be 3 to 63 characters in length.
- Names can only contain lowercase letters, numbers and hyphens.
- Names cannot be formatted as an IP address.

Objects consist of:

- Key (name of the object).
- Value (data made up of a sequence of bytes).
- Version ID (used for versioning).
- Metadata (data about the data that is stored).

Subresources:

- Access control lists.
- Torrent.

Object sharing: the ability to make any object publicly available via a URL.

Lifecycle management: set rules to transfer objects between storage classes at defined time intervals.

Versioning: automatically keep multiple versions of an object (when enabled).

Encryption can be enabled for a bucket.

Data is secured using ACLs and bucket policies.

Tiers:

- S3 Standard.
- S3-IA.
- S3 One Zone-IA.
- Glacier.

Charges:

- Storage.
- Requests.
- Storage management pricing.
- Data transfer pricing.
- Transfer acceleration.

When you create a bucket you need to select the region where it will be created.
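As an added example (not part of these notes), the Python below applies the bucket naming rules listed above and scans a bucket policy for Allow statements whose Principal is everyone, which is the "object sharing" case where data becomes public. The policy document and the account ID 123456789012 are constructed placeholders; global uniqueness of a name can only be checked against AWS itself. One extra AWS rule the list above omits, that a name must start and end with a letter or number, is included and marked in the code.

```python
"""Added example (not part of the original notes): S3 bucket name checks and
a scan of a bucket policy for statements that grant access to everyone."""
import ipaddress
import json
import re

# Lowercase letters, numbers and hyphens only (rule from the notes); the
# start/end-with-alphanumeric requirement is an additional AWS rule.
_BUCKET_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9-]*[a-z0-9]$")


def bucket_name_problems(name: str) -> list[str]:
    """Return the naming rules a proposed bucket name violates (empty = OK).

    Global uniqueness cannot be checked offline and is not covered here."""
    problems = []
    if not 3 <= len(name) <= 63:
        problems.append("length must be 3 to 63 characters")
    if not _BUCKET_NAME_RE.match(name):
        problems.append("only lowercase letters, numbers and hyphens are allowed")
    try:
        ipaddress.IPv4Address(name)
        problems.append("must not be formatted as an IP address")
    except ValueError:
        pass  # not an IPv4 literal, which is what we want
    return problems


def _grants_everyone(principal) -> bool:
    """True when a policy statement's Principal is the wildcard (anyone)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_statements(policy_json: str) -> list[str]:
    """Return the Sid (or index) of every Allow statement open to everyone.

    A non-empty result means the bucket policy publishes data; an unconditional
    s3:GetObject grant to "*" is exactly the object-sharing case above."""
    doc = json.loads(policy_json)
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be un-listed
        statements = [statements]
    found = []
    for i, st in enumerate(statements):
        if st.get("Effect") == "Allow" and _grants_everyone(st.get("Principal")):
            found.append(st.get("Sid", f"statement[{i}]"))
    return found


# Constructed sample policy; the account ID is a placeholder, not a real account.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "TeamWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/uploader"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

if __name__ == "__main__":
    for candidate in ("my-logs-bucket", "My_Bucket", "192.168.1.1"):
        print(candidate, bucket_name_problems(candidate) or "OK")
    print("public statements:", public_statements(SAMPLE_POLICY))
```

The policy scan only looks at the Principal; a statement to "*" that is restricted by a Condition (for example to a VPC endpoint) would still be reported and needs a manual review, which is the safer direction for a check like this.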
It is a best practice to create buckets in regions that are physically closest to your users to reduce latency.

Additional capabilities offered by Amazon S3 include:

AWS Snowball

With AWS Snowball (Snowball), you can transfer hundreds of terabytes or petabytes of data between your on-premises data centers and Amazon Simple Storage Service (Amazon S3).

Uses a secure storage device for physical transportation.

AWS Snowball Client is software that is installed on a local computer and is used to identify, compress, encrypt, and transfer data.

Uses 256-bit encryption (managed with AWS KMS) and tamper-resistant enclosures with TPM.

Snowball (80TB) (50TB model available only in the USA).

Snowball Edge (100TB) comes with onboard storage and compute capabilities.

Snowmobile: exabyte scale with up to 100PB per Snowmobile.

Snowcone is a small device used for edge computing, storage and data transfer.

Snowball can import to S3 or export from S3.

Import/export is when you send your own disks into AWS; this is being deprecated in favour of Snowball.

Snowball must be ordered from and returned to the same region.

To speed up data transfer it is recommended to run simultaneous instances of the AWS Snowball Client in multiple terminals and transfer small files as batches.
Amazon Elastic Block Store (EBS)

Amazon Elastic Block Store (Amazon EBS) provides persistent block storage volumes for use with Amazon EC2 instances in the AWS Cloud.

Each Amazon EBS volume is automatically replicated within its Availability Zone to protect you from component failure, offering high availability and durability.

Amazon EBS volumes offer the consistent and low-latency performance needed to run your workloads. With Amazon EBS, you can scale your usage up or down within minutes, all while paying a low price for only what you provision.

The following table shows a comparison of a few EBS volume types:
EBS volume data persists independently of the life of the instance.

EBS volumes do not need to be attached to an instance.

You can attach multiple EBS volumes to an instance.

You cannot attach an EBS volume to multiple instances (use Elastic File System instead).

EBS volumes must be in the same AZ as the instances they are attached to.

Termination protection is turned off by default and must be manually enabled (keeps the volume/data when the instance is terminated).

Root EBS volumes are deleted on termination by default.

Extra non-boot volumes are not deleted on termination by default.

The behavior can be changed by altering the "DeleteOnTermination" attribute.

EBS Snapshots:

- Snapshots capture a point-in-time state of an instance.
- Snapshots are stored on S3.
- Does not provide granular backup (not a replacement for backup software).
- If you make periodic snapshots of a volume, the snapshots are incremental, which means that only the blocks on the device that have changed after your last snapshot are saved in the new snapshot.
- Even though snapshots are saved incrementally, the snapshot deletion process is designed so that you need to retain only the most recent snapshot in order to restore the volume.
- Snapshots can only be accessed through the EC2 APIs.

EBS volumes are AZ specific but snapshots are region specific.
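The two snapshot bullets above (incremental saves, yet only the newest snapshot is needed to restore) are easier to see with a toy model. The following is an added example, not EBS's implementation and not code from the notes: each snapshot keeps a manifest of block hashes, block data is uploaded only when it is new, and deleting a snapshot frees only data no remaining snapshot references. The three-block volume is constructed.

```python
"""Added example (not from the original notes): a toy model of incremental
snapshots showing why only the newest snapshot needs to be kept to restore."""
import hashlib


class SnapshotStore:
    """Simplified model: each snapshot records, per block index, the hash of the
    block's content; block data is uploaded only when that (index, content) pair
    has not been stored by an earlier snapshot. Not the real EBS implementation."""

    def __init__(self) -> None:
        self.blocks: dict[tuple[int, str], bytes] = {}   # uploaded block data
        self.snapshots: dict[str, dict[int, str]] = {}   # snapshot id -> manifest
        self._next_id = 1

    def snapshot(self, volume: dict[int, bytes]) -> tuple[str, int]:
        """Snapshot a volume (block index -> bytes); return (id, blocks uploaded)."""
        manifest, uploaded = {}, 0
        for idx, data in volume.items():
            digest = hashlib.sha256(data).hexdigest()
            if (idx, digest) not in self.blocks:
                self.blocks[(idx, digest)] = data   # only changed blocks are copied
                uploaded += 1
            manifest[idx] = digest
        snap_id = f"snap-{self._next_id:04d}"
        self._next_id += 1
        self.snapshots[snap_id] = manifest
        return snap_id, uploaded

    def delete(self, snap_id: str) -> int:
        """Delete a snapshot; drop block data no remaining snapshot references.
        Returns the number of blocks freed."""
        del self.snapshots[snap_id]
        still_needed = {(idx, digest)
                        for manifest in self.snapshots.values()
                        for idx, digest in manifest.items()}
        doomed = [key for key in self.blocks if key not in still_needed]
        for key in doomed:
            del self.blocks[key]
        return len(doomed)

    def restore(self, snap_id: str) -> dict[int, bytes]:
        """Rebuild the full volume image from a single snapshot's manifest."""
        return {idx: self.blocks[(idx, digest)]
                for idx, digest in self.snapshots[snap_id].items()}


def demo() -> dict:
    """Two snapshots, one block changed in between, then the older one deleted."""
    store = SnapshotStore()
    volume = {0: b"boot", 1: b"data-v1", 2: b"logs"}    # constructed 3-block volume
    first, up_first = store.snapshot(volume)            # full copy: 3 blocks
    volume[1] = b"data-v2"                              # one block changes
    second, up_second = store.snapshot(volume)          # incremental: 1 block
    freed = store.delete(first)                         # only data-v1 is freed
    return {"first_upload": up_first, "second_upload": up_second,
            "freed_by_delete": freed, "restored": store.restore(second)}


if __name__ == "__main__":
    print(demo())
```

The second snapshot uploads one block, deleting the first snapshot frees one block, and the second snapshot still restores the complete three-block image; that is the property the notes describe.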
Instance Stores

Instance store volumes are high performance local disks that are physically attached to the host computer on which an EC2 instance runs.

Instance stores are ephemeral, which means the data is lost when powered off (non-persistent).

Instance stores are ideal for temporary storage of information that changes frequently, such as buffers, caches, or scratch data.

Instance store volume root devices are created from AMI templates stored on S3.

Instance store volumes cannot be detached/reattached.

Amazon Elastic File System (EFS)

EFS is a fully-managed service that makes it easy to set up and scale file storage in the Amazon Cloud.

Good for big data and analytics, media processing workflows, content management, web serving, home directories etc.

EFS uses the NFS protocol.

Pay for what you use (no pre-provisioning required).

Can scale up to petabytes.

EFS is elastic and grows and shrinks as you add and remove data.

Can concurrently connect 1 to 1000s of EC2 instances, from multiple AZs.

A file system can be accessed concurrently from all AZs in the region where it is located.

By default you can create up to 10 file systems per account.

On-premises access can be enabled via Direct Connect or AWS VPN.

Can choose General Purpose or Max I/O (both SSD).

The VPC of the connecting instance must have DNS hostnames enabled.

EFS provides a file system interface and file system access semantics (such as strong consistency and file locking).

Data is stored across multiple AZs within a region.

Read after write consistency.

Need to create mount targets and choose AZs to include (recommended to include all AZs).

Instances can be behind an ELB.
There are two performance modes:

- "General Purpose" performance mode is appropriate for most file systems.
- "Max I/O" performance mode is optimized for applications where tens, hundreds, or thousands of EC2 instances are accessing the file system.

Amazon EFS is designed to burst to allow high throughput levels for periods of time.

AWS Storage Gateway

AWS Storage Gateway is a hybrid cloud storage service that gives you on-premises access to virtually unlimited cloud storage.

Customers use Storage Gateway to simplify storage management and reduce costs for key hybrid cloud storage use cases.

These include moving backups to the cloud, using on-premises file shares backed by cloud storage, and providing low latency access to data in AWS for on-premises applications.

To support these use cases, Storage Gateway offers three different types of gateways:

- File Gateway: provides file system interfaces to on-premises servers.
- Volume Gateway: provides block-based access for on-premises servers.
- Tape Gateway: provides a virtual tape library that is compatible with common backup software (block and file interfaces).
AWS Networking

Amazon Virtual Private Cloud (VPC)

A virtual private cloud (VPC) is a virtual network dedicated to your AWS account. Analogous to having your own DC inside AWS.

It is logically isolated from other virtual networks in the AWS Cloud.

Provides complete control over the virtual networking environment including selection of IP ranges, creation of subnets, and configuration of route tables and gateways.

You can launch your AWS resources, such as Amazon EC2 instances, into your VPC.

When you create a VPC, you must specify a range of IPv4 addresses for the VPC in the form of a Classless Inter-Domain Routing (CIDR) block; for example, 10.0.0.0/16. This is the primary CIDR block for your VPC.

A VPC spans all the Availability Zones in the region.

You have full control over who has access to the AWS resources inside your VPC.

You can create your own IP address ranges, and create subnets, route tables and network gateways.

When you first create your AWS account a default VPC is created for you in each AWS region.

A default VPC is created in each region with a subnet in each AZ.

By default you can create up to 5 VPCs per region.
You can define dedicated tenancy for a VPC to ensure instances are launched on dedicated hardware (overrides the configuration specified at launch).

A default VPC is automatically created for each AWS account the first time Amazon EC2 resources are provisioned.

The default VPC has all-public subnets.

Public subnets are subnets that have:

- "Auto-assign public IPv4 address" set to "Yes".
- The subnet route table has an attached Internet Gateway.

Instances in the default VPC always have both a public and private IP address.

AZ names are mapped to different zones for different users (i.e. the AZ "ap-southeast-2a" may map to a different physical zone for a different user).

Components of a VPC:

- A Virtual Private Cloud: a logically isolated virtual network in the AWS cloud. You define a VPC's IP address space from ranges you select.
- Subnet: a segment of a VPC's IP address range where you can place groups of isolated resources (maps to an AZ, 1:1).
- Internet Gateway: the Amazon VPC side of a connection to the public Internet.
- NAT Gateway: a highly available, managed Network Address Translation (NAT) service for your resources in a private subnet to access the Internet.
- Hardware VPN Connection: a hardware-based VPN connection between your Amazon VPC and your data center, home network, or co-location facility.
- Virtual Private Gateway: the Amazon VPC side of a VPN connection.
- Customer Gateway: your side of a VPN connection.
- Router: routers interconnect subnets and direct traffic between Internet gateways, virtual private gateways, NAT gateways, and subnets.
- Peering Connection: a peering connection enables you to route traffic via private IP addresses between two peered VPCs.
- VPC Endpoints: enable private connectivity to services hosted in AWS, from within your VPC, without using an Internet Gateway, VPN, Network Address Translation (NAT) devices, or firewall proxies.
- Egress-only Internet Gateway: a stateful gateway to provide egress-only access for IPv6 traffic from the VPC to the Internet.
Options for securely connecting to a VPC are:

- AWS managed VPN: fast to set up.
- Direct Connect: high bandwidth, low latency, but takes weeks to months to set up.
- VPN CloudHub: used for connecting multiple sites to AWS.
- Software VPN: use 3rd party software.

An Elastic Network Interface (ENI) is a logical networking component that represents a NIC.

ENIs can be attached to and detached from EC2 instances and the configuration of the ENI will be maintained.

Flow Logs capture information about the IP traffic going to and from network interfaces in a VPC.

Flow log data is stored using Amazon CloudWatch Logs.

Flow logs can be created at the following levels:

- VPC.
- Subnet.
- Network interface.

Peering connections can be created with VPCs in different regions (available in most regions now).

Subnets

After creating a VPC, you can add one or more subnets in each Availability Zone.

When you create a subnet, you specify the CIDR block for the subnet, which is a subset of the VPC CIDR block.

Each subnet must reside entirely within one Availability Zone and cannot span zones.

Types of subnet:

- If a subnet's traffic is routed to an internet gateway, the subnet is known as a public subnet.
- If a subnet doesn't have a route to the internet gateway, the subnet is known as a private subnet.
- If a subnet doesn't have a route to the internet gateway, but has its traffic routed to a virtual private gateway for a VPN connection, the subnet is known as a VPN-only subnet.

An Internet Gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the internet.
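To make the CIDR and subnet rules above concrete, here is an added Python example (not code from the notes) that carves per-AZ subnets out of a VPC block, checks a proposed layout for subnets outside the VPC range or overlapping each other, and classifies a subnet as public, private or VPN-only from its route table using the three definitions just given. The route targets (igw-, nat-, vgw- ids) are constructed placeholders in the AWS id style.

```python
"""Added example (not from the original notes): planning subnets inside a VPC
CIDR, checking a subnet layout, and classifying a subnet from its route table."""
import ipaddress


def plan_subnets(vpc_cidr: str, new_prefix: int, azs: list[str]) -> dict[str, str]:
    """Carve one subnet of the given prefix length per AZ out of the VPC block,
    e.g. /24 subnets from a 10.0.0.0/16 VPC."""
    vpc = ipaddress.ip_network(vpc_cidr)
    candidates = vpc.subnets(new_prefix=new_prefix)
    return {az: str(next(candidates)) for az in azs}


def subnet_problems(vpc_cidr: str, subnets: dict[str, str]) -> list[str]:
    """Report subnets that fall outside the VPC CIDR or overlap each other."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    problems = [f"{name} {net} is not inside {vpc}"
                for name, net in nets.items() if not net.subnet_of(vpc)]
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} overlaps {b}")
    return problems


def classify_subnet(routes: list[tuple[str, str]]) -> str:
    """Apply the three definitions above to a route table given as
    (destination CIDR, target) pairs. Target ids are constructed placeholders
    following the AWS prefixes igw-, nat-, vgw-."""
    targets = [target for _destination, target in routes]
    if any(t.startswith("igw-") for t in targets):
        return "public"          # a route to an internet gateway
    if any(t.startswith("vgw-") for t in targets):
        return "vpn-only"        # no IGW route, but traffic goes to a virtual private gateway
    return "private"             # no IGW route at all (NAT-only or local-only)


if __name__ == "__main__":
    layout = plan_subnets("10.0.0.0/16", 24, ["ap-southeast-2a", "ap-southeast-2b"])
    print(layout)
    print(subnet_problems("10.0.0.0/16", {**layout, "bad": "10.1.0.0/24"}))
    print(classify_subnet([("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-0123abcd")]))
```

The classifier treats any internet gateway route as making the subnet public, so a subnet that has both an IGW route and a VGW route is reported as public, which matches the order of the definitions above.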
Firewalls

Network Access Control Lists (ACLs) provide a firewall/security layer at the subnet level.

Security Groups provide a firewall/security layer at the instance level.

The table below describes some differences between Security Groups and Network ACLs:

VPC Wizard

The VPC Wizard can be used to create the following four configurations:

VPC with a Single Public Subnet:

- Your instances run in a private, isolated section of the AWS cloud with direct access to the Internet.
- Network access control lists and security groups can be used to provide strict control over inbound and outbound network traffic to your instances.
- Creates a /16 network with a /24 subnet. Public subnet instances use Elastic IPs or Public IPs to access the Internet.
VPC with Public and Private Subnets:

- In addition to containing a public subnet, this configuration adds a private subnet whose instances are not addressable from the Internet.
- Instances in the private subnet can establish outbound connections to the Internet via the public subnet using Network Address Translation (NAT).
- Creates a /16 network with two /24 subnets.
- Public subnet instances use Elastic IPs to access the Internet.
- Private subnet instances access the Internet via Network Address Translation (NAT).

VPC with Public and Private Subnets and Hardware VPN Access:

- This configuration adds an IPsec Virtual Private Network (VPN) connection between your Amazon VPC and your data center, effectively extending your data center to the cloud while also providing direct access to the Internet for public subnet instances in your Amazon VPC.
- Creates a /16 network with two /24 subnets.
- One subnet is directly connected to the Internet while the other subnet is connected to your corporate network via an IPsec VPN tunnel.

VPC with a Private Subnet Only and Hardware VPN Access:

- Your instances run in a private, isolated section of the AWS cloud with a private subnet whose instances are not addressable from the Internet.
- You can connect this private subnet to your corporate data center via an IPsec Virtual Private Network (VPN) tunnel.
- Creates a /16 network with a /24 subnet and provisions an IPsec VPN tunnel between your Amazon VPC and your corporate network.

NAT Instances

NAT instances are managed by you.

Used to enable private subnet instances to access the Internet.

When creating NAT instances always disable the source/destination check on the instance.

NAT instances must be in a single public subnet.

NAT instances need to be assigned to security groups.

NAT Gateways

NAT gateways are managed for you by AWS.

NAT gateways are highly available in each AZ into which they are deployed.

They are preferred by enterprises.

Can scale automatically up to 45Gbps.

No need to patch.

Not associated with any security groups.
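The Firewalls section above places network ACLs at the subnet and security groups at the instance, but the comparison table did not survive extraction. The added Python example below (not code from the notes) traces one HTTPS connection to a web server through both layers and shows the difference that matters most in practice: a network ACL is stateless with numbered allow and deny rules evaluated in order, so reply traffic to the client's ephemeral port needs its own outbound rule, while a security group is stateful and allow-only, so replies to an allowed request pass without a rule. The rule sets and the client port 49152 are constructed.

```python
"""Added example (not from the original notes): how a stateless network ACL and
a stateful security group treat the same HTTPS connection to a web server."""


def nacl_decision(rules, proto: str, port: int) -> str:
    """Evaluate network ACL rules: (number, protocol, from_port, to_port, action),
    lowest number first, first match wins, implicit final deny (the "*" rule)."""
    for _number, r_proto, lo, hi, action in sorted(rules):
        if r_proto in (proto, "all") and lo <= port <= hi:
            return action
    return "deny"


def sg_decision(rules, proto: str, port: int) -> str:
    """Evaluate security group rules: (protocol, from_port, to_port). Only allow
    rules exist; any match allows, otherwise the traffic is dropped."""
    for r_proto, lo, hi in rules:
        if r_proto in (proto, "all") and lo <= port <= hi:
            return "allow"
    return "deny"


def https_connection(nacl_in, nacl_out, sg_in, client_port: int = 49152) -> dict:
    """Trace an inbound HTTPS connection through both layers.

    The request is checked against inbound NACL and inbound SG rules on port 443.
    The reply leaves the subnet towards the client's ephemeral port: the NACL is
    stateless, so an outbound rule covering that port must exist; the security
    group is stateful, so the reply is allowed because the request was."""
    request_allowed = (nacl_decision(nacl_in, "tcp", 443) == "allow"
                       and sg_decision(sg_in, "tcp", 443) == "allow")
    return {
        "request": request_allowed,
        "reply_passes_nacl": nacl_decision(nacl_out, "tcp", client_port) == "allow",
        "reply_passes_sg": request_allowed,   # tracked connection, no rule needed
    }


# Constructed rule sets for a web subnet. Rules 100 and 120 let the request in
# and ephemeral-port replies out; the "broken" outbound ACL forgot that range.
NACL_IN = [(100, "tcp", 443, 443, "allow"), (110, "tcp", 22, 22, "deny"),
           (120, "tcp", 1024, 65535, "allow")]
NACL_OUT_BROKEN = [(100, "tcp", 443, 443, "allow")]
NACL_OUT_FIXED = [(100, "tcp", 443, 443, "allow"), (110, "tcp", 1024, 65535, "allow")]
SG_WEB = [("tcp", 443, 443)]


if __name__ == "__main__":
    print("broken ACL:", https_connection(NACL_IN, NACL_OUT_BROKEN, SG_WEB))
    print("fixed ACL: ", https_connection(NACL_IN, NACL_OUT_FIXED, SG_WEB))
    # Rule order matters in an ACL: a lower-numbered deny beats a broad allow.
    print(nacl_decision([(100, "tcp", 22, 22, "deny"), (200, "all", 0, 65535, "allow")], "tcp", 22))
```

With the broken outbound ACL the request is accepted by both layers but the reply is dropped at the subnet boundary, which is the usual symptom when a network ACL is tightened without an ephemeral-port rule. The rule-order check at the end is why an explicit deny in an ACL is placed at a lower number than the broad allow it is meant to override.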
The table below describes some differences between NAT instances and NAT gateways:

Direct Connect

AWS Direct Connect is a network service that provides an alternative to using the Internet to connect a customer's on-premises sites to AWS.

Data is transmitted through a private network connection between AWS and a customer's data center or corporate network.

Benefits:

- Reduce cost when using large volumes of traffic.
- Increase reliability (predictable performance).
- Increase bandwidth (predictable bandwidth).
- Decrease latency.

Each AWS Direct Connect connection can be configured with one or more virtual interfaces (VIFs).
Public VIFs allow access to public services such as S3, EC2, and DynamoDB.

Private VIFs allow access to your VPC.

From Direct Connect you can connect to all AZs within the Region.

You can establish IPSec connections over public VIFs to remote regions.

Direct Connect is charged by port hours and data transfer.

Available in 1Gbps and 10Gbps.

Speeds of 50Mbps, 100Mbps, 200Mbps, 300Mbps, 400Mbps, and 500Mbps can be purchased through AWS Direct Connect Partners.

Each connection consists of a single dedicated connection between ports on the customer router and an Amazon router.

For HA you must have 2 DX connections; these can be active/active or active/standby.

Route tables need to be updated to point to a Direct Connect connection.

AWS Global Accelerator

AWS Global Accelerator is a service that improves the availability and performance of applications with local or global users.

It provides static IP addresses that act as a fixed entry point to application endpoints in a single or multiple AWS Regions, such as Application Load Balancers, Network Load Balancers or EC2 instances.
Uses the AWS global network to optimize the path from users to applications, improving the performance of TCP and UDP traffic.

AWS Global Accelerator continually monitors the health of application endpoints and will detect an unhealthy endpoint and redirect traffic to healthy endpoints in less than 1 minute.

Details and Benefits

Uses redundant (two) static anycast IP addresses in different network zones (A and B).

The redundant pair are globally advertised.

Uses AWS Edge Locations: addresses are announced from multiple edge locations at the same time.

Addresses are associated to regional AWS resources or endpoints.

AWS Global Accelerator's IP addresses serve as the frontend interface of applications.

Intelligent traffic distribution: routes connections to the closest point of presence for applications.

Targets can be Amazon EC2 instances or Elastic Load Balancers (ALB and NLB).

By using the static IP addresses, you don't need to make any client-facing changes or update DNS records as you modify or replace endpoints.

The addresses are assigned to your accelerator for as long as it exists, even if you disable the accelerator and it no longer accepts or routes traffic.

AWS Outposts

AWS Outposts is a fully managed service that offers the same AWS infrastructure, AWS services, APIs, and tools to virtually any data center, co-location space, or on-premises facility for a truly consistent hybrid experience.

AWS Outposts is ideal for workloads that require low latency access to on-premises systems, local data processing, data residency, and migration of applications with local system interdependencies.

AWS compute, storage, database, and other services run locally on Outposts, and you can access the full range of AWS services available in the Region to build, manage, and scale your on-premises applications using familiar AWS services and tools.

Outposts is available as a 42U rack that can scale from 1 rack to 96 racks to create pools of compute and storage capacity.

Services you can run on AWS Outposts include:

- Amazon EC2, Amazon EBS, Amazon S3, Amazon VPC, Amazon ECS/EKS, Amazon RDS and Amazon EMR.
AWS Databases

Use Cases For Different Database Types

The table below provides guidance on the typical use cases for several AWS database/datastore services:

We'll now cover several of these database types that may come up on the exam.
Amazon Relational Database Service (RDS)

Amazon Relational Database Service (Amazon RDS) is a managed service that makes it easy to set up, operate, and scale a relational database in the cloud.

Relational databases are known as Structured Query Language (SQL) databases.

Non-relational databases are known as NoSQL databases.

RDS is an Online Transaction Processing (OLTP) type of database.

RDS features and benefits:

- SQL type of database.
- Can be used to perform complex queries and joins.
- Easy to set up, highly available, fault tolerant, and scalable.
- Used when data is clearly defined.
- Common use cases include online stores and banking systems.

Amazon RDS supports the following database engines:

- SQL Server.
- Oracle.
- MySQL Server.
- PostgreSQL.
- Aurora.
- MariaDB.

Aurora is Amazon's proprietary database.

RDS is a fully managed service and you do not have access to the underlying EC2 instance (no root access).

The RDS service includes the following:

- Security and patching of the DB instances.
- Automated backup for the DB instances.
- Software updates for the DB engine.
- Easy scaling for storage and compute.
- Multi-AZ option with synchronous replication.
- Automatic failover for Multi-AZ option.
- Read replicas option for read heavy workloads.

A DB instance is a database environment in the cloud with the compute and storage resources you specify.

Encryption:

- You can encrypt your Amazon RDS instances and snapshots at rest by enabling the encryption option for your Amazon RDS DB instance.
- Encryption at rest is supported for all DB types and uses AWS KMS.
- You cannot encrypt an existing DB; you need to create a snapshot, copy it, encrypt the copy, then build an encrypted DB from the snapshot.

DB Subnet Groups:

- A DB subnet group is a collection of subnets (typically private) that you create in a VPC and that you then designate for your DB instances.
- Each DB subnet group should have subnets in at least two Availability Zones in a given region.
- It is recommended to configure a subnet group with subnets in each AZ (even for standalone instances).

AWS charge for:

- DB instance hours (partial hours are charged as full hours).
- Storage GB/month.
- I/O requests/month (for magnetic storage).
- Provisioned IOPS/month (for RDS provisioned IOPS SSD).
- Egress data transfer.
- Backup storage (DB backups and manual snapshots).

Scalability:

- You can only scale RDS up (compute and storage).
- You cannot decrease the allocated storage for an RDS instance.
- You can scale storage and change the storage type for all DB engines except MSSQL.

RDS provides multi-AZ for disaster recovery, which provides fault tolerance across availability zones:

- Multi-AZ RDS creates a replica in another AZ and synchronously replicates to it (DR only).
- There is an option to choose multi-AZ during the launch wizard.
- AWS recommends the use of provisioned IOPS storage for multi-AZ RDS DB instances.
- Each AZ runs on its own physically distinct, independent infrastructure, and is engineered to be highly reliable.
- You cannot choose which AZ in the region will be chosen to create the standby DB instance.

Read Replicas provide improved performance for reads:

- Read replicas are used for read heavy DBs and replication is asynchronous.
- Read replicas are for workload sharing and offloading.
- Read replicas provide read-only DR.
- Read replicas are created from a snapshot of the master instance.
- Must have automated backups enabled on the primary (retention period > 0).

Amazon DynamoDB

Amazon DynamoDB is a fully managed NoSQL database service that provides fast and predictable performance with seamless scalability.

DynamoDB features and benefits:
- NoSQL type of database (non-relational).
- Fast, highly available, and fully managed.
- Used when data is fluid and can change.
- Common use cases include social networks and web analytics.

Push button scaling means that you can scale the DB at any time without incurring downtime.

SSD based and uses limited indexing on attributes for performance.

DynamoDB is a web service that uses HTTP over SSL (HTTPS) as a transport and JSON as a message serialisation format.

Amazon DynamoDB stores three geographically distributed replicas of each table to enable high availability and data durability.

Data is synchronously replicated across 3 facilities (AZs) in a region.

Cross-region replication allows you to replicate across regions:

- Amazon DynamoDB global tables provide a fully managed solution for deploying a multi-region, multi-master database.
- When you create a global table, you specify the AWS regions where you want the table to be available.
- DynamoDB performs all of the necessary tasks to create identical tables in these regions, and propagate ongoing data changes to all of them.

Provides low read and write latency.

Scale storage and throughput up or down as needed without code changes or downtime.

DynamoDB is schema-less.

DynamoDB can be used for storing session state.

Provides two read models.

Eventually consistent reads (default):

- The eventual consistency option maximises your read throughput (best read performance).
- An eventually consistent read might not reflect the results of a recently completed write.
- Consistency across all copies is reached within 1 second.

Strongly consistent reads:

- A strongly consistent read returns a result that reflects all writes that received a successful response prior to the read (faster consistency).
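The two read models above are easiest to understand by watching what each returns right after a write. The following added example (not code from the notes, and a simplification rather than DynamoDB's internals) models three replicas where a write is acknowledged at the primary and reaches the other two after a short lag; the key and values are constructed.

```python
"""Added example (not from the original notes): a toy three-replica table that
shows what eventually consistent versus strongly consistent reads can return."""


class ReplicatedTable:
    """Simplified model, not DynamoDB's internals: a write is acknowledged once
    the primary replica holds it and reaches the other two replicas after
    `lag` clock ticks. Eventual reads go to a rotating replica; strongly
    consistent reads only return acknowledged data."""

    def __init__(self) -> None:
        self.replicas = [{}, {}, {}]
        self.pending = []        # (apply_at_tick, replica_index, key, value)
        self.clock = 0
        self._rr = 0             # round-robin pointer for eventual reads

    def put(self, key: str, value: str, lag: int = 1) -> None:
        self.replicas[0][key] = value                 # acknowledged here
        for r in (1, 2):
            self.pending.append((self.clock + lag, r, key, value))

    def tick(self, n: int = 1) -> None:
        """Advance the clock and apply replication that has become due."""
        self.clock += n
        due = [p for p in self.pending if p[0] <= self.clock]
        self.pending = [p for p in self.pending if p[0] > self.clock]
        for _at, r, key, value in due:
            self.replicas[r][key] = value

    def get(self, key: str, consistent: bool = False):
        if consistent:
            return self.replicas[0].get(key)          # reflects every acknowledged write
        self._rr = (self._rr + 1) % len(self.replicas)
        return self.replicas[self._rr].get(key)       # may be stale


def demo() -> dict:
    table = ReplicatedTable()
    table.put("session", "v1")
    table.tick()                                     # v1 reaches every replica
    table.put("session", "v2")                       # v2 acknowledged, not yet replicated
    stale = table.get("session")                     # eventual read hits a lagging replica
    strong = table.get("session", consistent=True)   # sees v2
    table.tick()                                     # replication catches up
    caught_up = table.get("session")
    return {"eventual_right_after_write": stale,
            "strong_right_after_write": strong,
            "eventual_after_lag": caught_up}


if __name__ == "__main__":
    print(demo())
```

The practical consequence for the session-state use case mentioned above: a check such as "has this session been revoked?" made with an eventually consistent read can briefly see the old value, so authorization-critical reads should use the strongly consistent option even though it costs read throughput.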
Amazon DynamoDB Accelerator (DAX) is a fully managed, highly available, in-memory cache for DynamoDB that delivers up to a 10x performance improvement, from milliseconds to microseconds, even at millions of requests per second.

Amazon Redshift

Amazon Redshift is a fast, fully managed data warehouse that makes it simple and cost-effective to analyze all your data using standard SQL and existing Business Intelligence (BI) tools.

Redshift is a SQL based data warehouse used for analytics applications.

Redshift is a relational database that is used for Online Analytics Processing (OLAP) use cases.

Redshift is used for running complex analytic queries against petabytes of structured data, using sophisticated query optimization, columnar storage on high-performance local disks, and massively parallel query execution.

Redshift is ideal for processing large amounts of data for business intelligence.

Redshift is 10x faster than a traditional SQL DB.

Redshift uses columnar data storage:

- Data is stored sequentially in columns instead of rows.
- Columnar based DB is ideal for data warehousing and analytics.
- Requires fewer I/Os which greatly enhances performance.

Redshift provides advanced compression:

- Data is stored sequentially in columns which allows for much better performance and less storage space.
- Redshift automatically selects the compression scheme.

Redshift uses replication and continuous backups to enhance availability and improve durability and can automatically recover from component and node failures.

Redshift always keeps three copies of your data:

- The original.
- A replica on compute nodes (within the cluster).
- A backup copy on S3.

Redshift provides continuous/incremental backups:

- Multiple copies within a cluster.
- Continuous and incremental backups to S3.
- Continuous and incremental backups across regions.
- Streaming restore.

Redshift provides fault tolerance for the following failures:

- Disk failures.
- Node failures.
- Network failures.
- AZ/region level disasters.

Amazon ElastiCache

ElastiCache is a web service that makes it easy to deploy and run Memcached or Redis protocol-compliant server nodes in the cloud.

The in-memory caching provided by ElastiCache can be used to significantly improve latency and throughput for many read-heavy application workloads or compute-intensive workloads.

Best for scenarios where the DB load is based on Online Analytics Processing (OLAP) transactions.

The following table describes a few typical use cases for ElastiCache:

ElastiCache EC2 nodes cannot be accessed from the Internet, nor can they be accessed by EC2 instances in other VPCs.

Can be on-demand or reserved instances too (but not Spot instances).

ElastiCache can be used for storing session state.
There are two types of ElastiCache engine:

- Memcached: simplest model, can run large nodes with multiple cores/threads, can be scaled in and out, can cache objects such as DBs.
- Redis: complex model, supports encryption, master/slave replication, cross AZ (HA), automatic failover and backup/restore.

Amazon EMR

Amazon EMR is a web service that enables businesses, researchers, data analysts, and developers to easily and cost-effectively process vast amounts of data.

EMR utilizes a hosted Hadoop framework running on Amazon EC2 and Amazon S3.

Managed Hadoop framework for processing huge amounts of data.

Also supports Apache Spark, HBase, Presto and Flink.

Most commonly used for log analysis, financial analysis, or extract, transform and load (ETL) activities.
Amazon EC2 Auto Scaling

Amazon EC2 Auto Scaling automates the process of launching (scaling out) and terminating (scaling in) Amazon EC2 instances based on the traffic demand for your application.

Auto Scaling helps to ensure that you have the correct number of EC2 instances available to handle the application load.

Amazon EC2 Auto Scaling provides elasticity and scalability.

You create collections of EC2 instances, called an Auto Scaling group (ASG). You can specify the minimum number of instances in each ASG, and AWS Auto Scaling will ensure the group never goes beneath this size. You can also specify the maximum number of instances in each ASG and the group will never go above this size. A desired capacity can be configured and AWS Auto Scaling will ensure the group has this number of instances. You can also specify scaling policies that control when Auto Scaling launches or terminates instances.

Scaling policies determine when, if, and how the ASG scales and shrinks (on-demand/dynamic scaling, cyclic/scheduled scaling).

Scaling Plans define the triggers and when instances should be provisioned/de-provisioned.

A launch configuration is the template used to create new EC2 instances and includes parameters such as instance family, instance type, AMI, key pair and security groups.
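The minimum, maximum and desired capacity relationship above, driven by a scaling policy, is shown by this added Python example (not code from the notes). It models an ASG with a CPU-based step policy that adds 2 instances above 70% and removes 1 below 30%, and clamps the desired capacity into the group's bounds; the CPU samples and thresholds are constructed, and the real service additionally applies cooldown and warm-up periods that this model omits.

```python
"""Added example (not from the original notes): the min/max/desired bookkeeping
of an Auto Scaling group driven by a simple step scaling policy."""
from dataclasses import dataclass, field


@dataclass
class AutoScalingGroup:
    """Capacity bounds as described above; desired is always clamped into them."""
    min_size: int
    max_size: int
    desired: int
    history: list = field(default_factory=list)

    def set_desired(self, wanted: int) -> int:
        """Never go below min_size or above max_size, whatever the policy asks."""
        self.desired = max(self.min_size, min(self.max_size, wanted))
        self.history.append(self.desired)
        return self.desired

    def apply_step_policy(self, metric: float, steps) -> int:
        """steps: (lower_bound, upper_bound, adjustment); the first step whose
        bounds contain the metric value is applied (None = unbounded)."""
        for lower, upper, adjustment in steps:
            if (lower is None or metric >= lower) and (upper is None or metric < upper):
                return self.set_desired(self.desired + adjustment)
        return self.desired    # metric in the no-op band; nothing changes


# Constructed CPU-based policy: add 2 instances above 70 %, remove 1 below 30 %.
CPU_STEPS = [(70, None, +2), (None, 30, -1)]


def simulate(samples: list, min_size: int = 2, max_size: int = 6) -> list:
    """Return the desired capacity after each metric sample, starting at min_size."""
    asg = AutoScalingGroup(min_size=min_size, max_size=max_size, desired=min_size)
    return [asg.apply_step_policy(cpu, CPU_STEPS) for cpu in samples]


if __name__ == "__main__":
    print(simulate([85, 85, 85, 50, 20, 20, 20, 20, 20]))
```

Three high-CPU samples push the group from 2 to 4 to 6 and then hold at the maximum, a 50% sample changes nothing, and a run of low samples scales in one instance at a time until the minimum of 2 stops it; the bounds, not the policy, are what finally limit the group in both directions.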
Amazon Elastic Load Balancing (ELB)

ELB automatically distributes incoming application traffic across multiple targets, such as Amazon EC2 instances, containers, and IP addresses. ELB can handle the varying load of your application traffic in a single Availability Zone or across multiple Availability Zones.

ELB features the high availability, automatic scaling, and robust security necessary to make your applications fault tolerant.

There are four types of Elastic Load Balancer (ELB) on AWS:

- Application Load Balancer (ALB): layer 7 load balancer that routes connections based on the content of the request.
- Network Load Balancer (NLB): layer 4 load balancer that routes connections based on IP protocol data.
- Classic Load Balancer (CLB): this is the oldest of the three and provides basic load balancing at both layer 4 and layer 7 (not on the exam anymore).
- Gateway Load Balancer (GLB): distributes connections to virtual appliances and scales them up or down (not on the exam).

Application Load Balancer (ALB)

ALB is best suited for load balancing of HTTP and HTTPS traffic and provides advanced request routing targeted at the delivery of modern application architectures, including microservices and containers.

Operating at the individual request level (Layer 7), Application Load Balancer routes traffic to targets within Amazon Virtual Private Cloud (Amazon VPC) based on the content of the request.

Network Load Balancer (NLB)

NLB is best suited for load balancing of TCP traffic where extreme performance is required.

Operating at the connection level (Layer 4), Network Load Balancer routes traffic to targets within Amazon Virtual Private Cloud (Amazon VPC) and is capable of handling millions of requests per second while maintaining ultra-low latencies.

Network Load Balancer is also optimized to handle sudden and volatile traffic patterns.
Content Delivery and DNS Services

Amazon Route 53

Route 53 is the AWS Domain Name Service.

Route 53 performs three main functions:

- Domain registration: Route 53 allows you to register domain names.
- Domain Name Service (DNS): Route 53 translates names to IP addresses using a global network of authoritative DNS servers.
- Health checking: Route 53 sends automated requests to your application to verify that it's reachable, available and functional.

You can use any combination of these functions.

Route 53 benefits:
- Domain registration.
- DNS service.
- Traffic Flow (send users to the best endpoint).
- Health checking.
- DNS failover (automatically change domain endpoint if system fails).
- Integrates with ELB, S3, and CloudFront as endpoints.

Routing policies determine how Route 53 DNS responds to queries.

The following table highlights the key function of each type of routing policy:

Amazon CloudFront

CloudFront is a content delivery network (CDN) that allows you to store (cache) your content at "edge locations" located around the world.

This allows customers to access content more quickly and provides security against DDoS attacks.

CloudFront can be used for data, videos, applications, and APIs.

CloudFront benefits:

- Cache content at Edge Locations for fast distribution to customers.
- Built-in Distributed Denial of Service (DDoS) attack protection.
- Integrates with many AWS services (S3, EC2, ELB, Route 53, Lambda).

Origins and Distributions:

- An origin is the origin of the files that the CDN will distribute.
- Origins can be either an S3 bucket, an EC2 instance, an Elastic Load Balancer, or Route 53; they can also be external (non-AWS).
- To distribute content with CloudFront you need to create a distribution.
- There are two types of distribution: Web Distribution and RTMP Distribution.

CloudFront uses Edge Locations and Regional Edge Caches:

- An edge location is the location where content is cached (separate to AWS regions/AZs).
- Requests are automatically routed to the nearest edge location.
- Regional Edge Caches are located between origin web servers and global edge locations and have a larger cache.
- Regional Edge Caches aim to get content closer to users.

The diagram below shows where Regional Edge Caches and Edge Locations are placed in relation to end users:
Monitoring and Logging Services

Amazon CloudWatch

Amazon CloudWatch is a monitoring service for AWS cloud resources and the applications you run on AWS.

CloudWatch is for performance monitoring (CloudTrail is for auditing).

Used to collect and track metrics, collect and monitor log files, and set alarms.

Automatically react to changes in your AWS resources.

Monitor resources such as:

- EC2 instances.
- DynamoDB tables.
- RDS DB instances.
- Custom metrics generated by applications and services.
- Any log files generated by your applications.

Gain system-wide visibility into resource utilization.

CloudWatch monitoring includes application performance.

Monitor operational health.

CloudWatch is accessed via API, command-line interface, AWS SDKs, and the AWS Management Console.

CloudWatch integrates with IAM.

Amazon CloudWatch Logs lets you monitor and troubleshoot your systems and applications using your existing system, application and custom log files.

CloudWatch Logs can be used for real time application and system monitoring as well as long term log retention.

CloudWatch Logs keeps logs indefinitely by default.

CloudTrail logs can be sent to CloudWatch Logs for real-time monitoring.

CloudWatch Logs metric filters can evaluate CloudTrail logs for specific terms, phrases or values.

CloudWatch retains metric data as follows:

- Data points with a period of less than 60 seconds are available for 3 hours. These data points are high-resolution custom metrics.
- Data points with a period of 60 seconds (1 minute) are available for 15 days.
- Data points with a period of 300 seconds (5 minutes) are available for 63 days.
- Data points with a period of 3600 seconds (1 hour) are available for 455 days (15 months).
Dashboards allow you to create, customize, interact with, and save graphs of AWS resources and custom metrics.
Alarms can be used to monitor any Amazon CloudWatch metric in your account.
Events are a stream of system events describing changes in your AWS resources.
Logs help you to aggregate, monitor and store logs.
Basic monitoring = 5 mins (free for EC2 instances, EBS volumes, ELBs and RDS DBs).
Detailed monitoring = 1 min (chargeable).
Metrics are provided automatically for a number of AWS products and services.
There is no standard metric for memory usage on EC2 instances.
A custom metric is any metric you provide to Amazon CloudWatch (e.g. time to load a web page or application performance).
Options for storing logs:
- CloudWatch Logs.
- Centralized logging system (e.g. Splunk).
- Custom script and store on S3.
Do not store logs on non-persistent disks: best practice is to store logs in CloudWatch Logs or S3.
CloudWatch Logs subscriptions can be used across multiple AWS accounts (using cross-account access).
Amazon CloudWatch uses Amazon SNS to send email.

AWS CloudTrail
AWS CloudTrail is a web service that records activity made on your account and delivers log files to an Amazon S3 bucket.
CloudTrail is for auditing (CloudWatch is for performance monitoring).
CloudTrail is about logging and saves a history of API calls for your AWS account.
Provides visibility into user activity by recording actions taken on your account.
API history enables security analysis, resource change tracking, and compliance auditing.
Logs API calls made via:
- AWS Management Console.
- AWS SDKs.
- Command line tools.
- Higher-level AWS services (such as CloudFormation).
CloudTrail records account activity and service events from most AWS services and logs the following for each call:
- The identity of the API caller.
- The time of the API call.
- The source IP address of the API caller.
- The request parameters.
- The response elements returned by the AWS service.
CloudTrail is enabled by default.
CloudTrail is per AWS account.
You can consolidate logs from multiple accounts using an S3 bucket:
1. Turn on CloudTrail in the paying account.
2. Create a bucket policy that allows cross-account access.
3. Turn on CloudTrail in the other accounts and use the bucket in the paying account.
You can integrate CloudTrail with CloudWatch Logs to deliver data events captured by CloudTrail to a CloudWatch Logs log stream.
The CloudTrail log file integrity validation feature allows you to determine whether a CloudTrail log file was unchanged, deleted, or modified since CloudTrail delivered it to the specified Amazon S3 bucket.
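The record fields listed above, together with the CloudWatch Logs metric-filter evaluation of CloudTrail logs mentioned under Amazon CloudWatch, as an added Python example that is not part of the original notes: it parses a few constructed CloudTrail records (placeholder account ID, ARNs and IP addresses), pulls out the caller identity, time, source IP, request parameters and response elements, and counts matches for three detection patterns (root console login, console login without MFA, unauthorized API call) the way a metric filter turns matching log events into a metric value. The filter names and function names are this example's own, not CloudWatch's.

```python
"""Evaluate CloudTrail records the way a CloudWatch Logs metric filter would.

Added example, not from the original notes. The records below are constructed
samples in the CloudTrail JSON record format; the account ID, ARNs and IP
addresses are placeholders.
"""
import json
from collections import Counter

# Constructed sample CloudTrail records, one JSON document per line, as they
# would arrive in a CloudWatch Logs stream. All values are placeholders.
SAMPLE_LOG_LINES = [
    json.dumps({
        "eventVersion": "1.08", "eventTime": "2024-01-01T10:00:00Z",
        "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": None,
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "No"},
    }),
    json.dumps({
        "eventVersion": "1.08", "eventTime": "2024-01-01T10:05:00Z",
        "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"},
        "sourceIPAddress": "198.51.100.7",
        "requestParameters": {"instanceType": "t3.micro"},
        "responseElements": None,
        "errorCode": "Client.UnauthorizedOperation",
        "errorMessage": "You are not authorized to perform this operation.",
    }),
    json.dumps({
        "eventVersion": "1.08", "eventTime": "2024-01-01T10:06:00Z",
        "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"},
        "sourceIPAddress": "198.51.100.7",
        "requestParameters": {"bucketName": "example-bucket", "key": "report.csv"},
        "responseElements": None,
    }),
]


def summarize(record):
    """Extract the five fields the notes list for every CloudTrail record."""
    return {
        "caller": record.get("userIdentity", {}).get("arn"),
        "time": record.get("eventTime"),
        "source_ip": record.get("sourceIPAddress"),
        "request": record.get("requestParameters"),
        "response": record.get("responseElements"),
    }


# Detection patterns equivalent to metric filter patterns over JSON log events.
# The names are this example's own. Each callable returns True on a match.
FILTERS = {
    "RootConsoleLogin": lambda r: (r.get("eventName") == "ConsoleLogin"
                                   and r.get("userIdentity", {}).get("type") == "Root"),
    "UnauthorizedApiCall": lambda r: (str(r.get("errorCode", "")).endswith("UnauthorizedOperation")
                                      or r.get("errorCode") == "AccessDenied"),
    "ConsoleLoginWithoutMfa": lambda r: (r.get("eventName") == "ConsoleLogin"
                                         and r.get("additionalEventData", {}).get("MFAUsed") == "No"),
}


def evaluate(log_lines, filters=FILTERS):
    """Parse each line as a CloudTrail record and count filter matches.

    Returns (counts, hits): counts maps filter name -> number of matching
    records (the value a metric filter would publish as a metric), and hits
    lists (filter name, record summary) pairs for alerting or triage.
    """
    counts = Counter({name: 0 for name in filters})
    hits = []
    for line in log_lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a malformed line rather than fail the whole batch
        for name, matches in filters.items():
            if matches(record):
                counts[name] += 1
                hits.append((name, summarize(record)))
    return dict(counts), hits


if __name__ == "__main__":
    counts, hits = evaluate(SAMPLE_LOG_LINES)
    print(counts)
    for name, summary in hits:
        print(name, summary["caller"], summary["source_ip"], summary["time"])
```

In a real deployment the same patterns are expressed as metric filter patterns on the log group that receives the trail, with a CloudWatch alarm on the resulting metric; this block shows the matching logic itself so the behaviour on each record type (including a malformed line) is visible.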
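Step 2 of the consolidation procedure above, as an added Python example that is not from the original notes: it builds the S3 bucket policy the paying account's bucket needs so that trails in the other accounts can deliver into it, and audits an existing policy for the two properties a reviewer checks before pointing other accounts' trails at the bucket. The policy shape follows the documented CloudTrail bucket policy (the CloudTrail service principal gets s3:GetBucketAcl on the bucket and s3:PutObject on each account's AWSLogs/<account-id>/ prefix, conditioned on the bucket-owner-full-control ACL); the bucket name and account IDs are placeholders and the function names are this example's own.

```python
"""Build and audit the S3 bucket policy used to consolidate CloudTrail logs
from several AWS accounts into one bucket owned by the paying account.

Added example, not from the original notes. Bucket name and account IDs
are placeholders.
"""
import json
import re

CLOUDTRAIL_PRINCIPAL = {"Service": "cloudtrail.amazonaws.com"}
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def cloudtrail_bucket_policy(bucket, account_ids):
    """Return the bucket policy document (as a dict) for the given accounts."""
    for acct in account_ids:
        if not ACCOUNT_ID_RE.match(acct):
            raise ValueError(f"not a 12-digit AWS account ID: {acct!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                # CloudTrail checks the bucket ACL before it starts delivering.
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": CLOUDTRAIL_PRINCIPAL,
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {
                # One prefix per account: a trail in account X only ever writes
                # under AWSLogs/X/, so accounts cannot overwrite each other's logs.
                # The ACL condition makes the paying account the object owner.
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": CLOUDTRAIL_PRINCIPAL,
                "Action": "s3:PutObject",
                "Resource": [f"arn:aws:s3:::{bucket}/AWSLogs/{a}/*" for a in account_ids],
                "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
            },
        ],
    }


def writable_accounts(policy, bucket):
    """Return the set of account IDs the policy lets CloudTrail deliver logs for.

    Raises ValueError if a PutObject grant to CloudTrail is broader than a
    per-account AWSLogs prefix or lacks the bucket-owner-full-control
    condition, the two things to verify on a shared log bucket.
    """
    prefix_re = re.compile(rf"^arn:aws:s3:::{re.escape(bucket)}/AWSLogs/(\d{{12}})/\*$")
    accounts = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Principal") != CLOUDTRAIL_PRINCIPAL:
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "s3:PutObject" not in actions and "s3:*" not in actions:
            continue
        acl = stmt.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
        if acl != "bucket-owner-full-control":
            raise ValueError(f"statement {stmt.get('Sid')} lacks the bucket-owner-full-control condition")
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for arn in resources:
            m = prefix_re.match(arn)
            if not m:
                raise ValueError(f"statement {stmt.get('Sid')} grants PutObject outside a per-account AWSLogs prefix: {arn}")
            accounts.add(m.group(1))
    return accounts


if __name__ == "__main__":
    policy = cloudtrail_bucket_policy("example-org-cloudtrail", ["111111111111", "222222222222"])
    print(json.dumps(policy, indent=2))
    print(sorted(writable_accounts(policy, "example-org-cloudtrail")))
```

Current CloudTrail documentation additionally recommends an aws:SourceArn condition naming the specific trail that may write; it is left out here so the block stays focused on the per-account prefix and ownership checks the notes' procedure depends on.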
Notification Services

Amazon Simple Notification Service
Amazon Simple Notification Service (Amazon SNS) is a web service that makes it easy to set up, operate, and send notifications from the cloud.
Amazon SNS is used for building and integrating loosely-coupled, distributed applications.
SNS provides instantaneous, push-based delivery (no polling).
SNS concepts:
- Topics – how you label and group different endpoints that you send messages to.
- Subscriptions – the endpoints that a topic sends messages to.
- Publishers – the person/alarm/event that gives SNS the message that needs to be sent.
SNS usage:
- Send automated or manual notifications.
- Send notifications to email, mobile (SMS), SQS, and HTTP endpoints.
- Closely integrated with other AWS services such as CloudWatch so that alarms, events, and actions in your AWS account can trigger notifications.
Uses simple APIs and easy integration with applications.
Flexible message delivery is provided over multiple transport protocols.
Offered under an inexpensive, pay-as-you-go model with no up-front costs.
The web-based AWS Management Console offers the simplicity of a point-and-click interface.
Data type is JSON.
SNS supports a wide variety of needs including event notification, monitoring applications, workflow systems, time-sensitive information updates, mobile applications, and any other application that generates or consumes notifications.
SNS subscribers:
- HTTP.
- HTTPS.
- Email.
- Email-JSON.
- SQS.
- Application.
- Lambda.
SNS supports notifications over multiple transport protocols:
- HTTP/HTTPS – subscribers specify a URL as part of the subscription registration.
- Email/Email-JSON – messages are sent to registered addresses as email (text-based or JSON object).
- SQS – users can specify an SQS standard queue as the endpoint.
- SMS – messages are sent to registered phone numbers as SMS text messages.
Topic names are limited to 256 characters.
SNS supports CloudTrail auditing for authenticated calls.
SNS provides durable storage of all messages that it receives (across multiple AZs).
AWS Billing and Pricing

General Pricing Information
AWS Billing and Pricing is one of the key subjects on the Cloud Practitioner exam.
AWS works on a pay-as-you-go model in which you only pay for what you use, when you are using it. If you turn off resources, you don't pay for them (you may pay for consumed storage).
There are no upfront charges and you stop paying for a service when you stop using it.
Aside from EC2 Reserved Instances you are not locked into long-term contracts and can terminate whenever you choose to.
Volume discounts are available, so the more you use a service the cheaper it gets (per unit used).
There are no termination fees.
The three fundamental drivers of cost with AWS are: compute, storage and outbound data transfer.
In most cases there is no charge for inbound data transfer or for data transfer between other AWS services within the same region (there are some exceptions).
Outbound data transfer is aggregated across services and then charged at the outbound data transfer rate.
The Free Tier allows you to run certain resources for free.
The Free Tier includes offers that expire after 12 months and offers that never expire.
Pricing policies include:
- Pay as you go.
- Pay less when you reserve.
- Pay even less per unit when using more.
- Pay even less as AWS grows.
- Custom pricing (enterprise customers only).
Free services include:
- Amazon VPC.
- Elastic Beanstalk (but not the resources created).
- CloudFormation (but not the resources created).
- Identity and Access Management (IAM).
- Auto Scaling (but not the resources created).
- OpsWorks.
- Consolidated Billing.
Fundamentally, charges include compute, storage and data out.

Amazon EC2 pricing
EC2 pricing is based on:
- Clock hours of server uptime.
- Instance configuration.
- Instance type.
- Number of instances.
- Load balancing.
- Detailed monitoring.
- Auto Scaling (resources created).
- Elastic IP addresses (charged if allocated but not used).
- Operating systems and software packages.
There are several pricing models for AWS services; these include:
On Demand:
- Means you pay for compute or database capacity with no long-term commitments or upfront payments.
- You pay for the compute capacity per hour or per second (per-second billing is Linux only, and applies to On-Demand, Reserved and Spot Instances).
- Recommended for users who prefer low cost and flexibility without upfront payment or long-term commitments.
- Good for applications with short-term, spiky, or unpredictable workloads that cannot be interrupted.
Dedicated Hosts:
- A Dedicated Host is an EC2 server dedicated to a single customer.
- Runs in your VPC.
- Good for when you want to leverage existing server-bound software licences such as Windows Server, SQL Server, and SUSE Linux Enterprise Server.
- Also good for meeting compliance requirements.
Dedicated Instances:
- Dedicated Instances are Amazon EC2 instances that run in a VPC on hardware that's dedicated to a single customer.
- Dedicated Instances are physically isolated at the host hardware level from instances that belong to other AWS accounts.
- Dedicated Instances may share hardware with other instances from the same AWS account that are not Dedicated Instances.
Spot Instances:
- Purchase spare computing capacity with no upfront commitment at discounted hourly rates.
- Provides up to 90% off the On-Demand price.
- Recommended for applications that have flexible start and end times, applications that are only feasible at very low compute prices, and users with urgent computing needs for a lot of additional capacity.
- In the old model Spot Instances were terminated because of higher competing bids; in the new model this does not happen, but instances may still be terminated (with a 2 minute warning) when EC2 needs the capacity back. Note: the exam may not be updated to reflect this yet.
Savings Plans:
- Commitment to a consistent amount of usage (EC2 + Fargate + Lambda); pay by $/hour; 1 or 3-year commitment.
Reservations:
- Reserved Instances provide significant discounts, up to 75% compared to On-Demand pricing, by paying for capacity ahead of time.
- Provide a capacity reservation when applied to a specific Availability Zone.
- Good for applications that have predictable usage, that need reserved capacity, and for customers who can commit to a 1 or 3-year term.
Reservations apply to various services, including:
- Amazon EC2 Reserved Instances.
- Amazon DynamoDB Reserved Capacity.
- Amazon ElastiCache Reserved Nodes.
- Amazon RDS Reserved Instances.
- Amazon Redshift Reserved Instances.
Reservation options include no upfront, partial upfront and all upfront.
Reservation terms are 1 or 3 years.

Amazon Simple Storage Service (S3) Pricing
Storage pricing is determined by:
- Storage class – e.g. Standard or IA.
- Storage quantity – data volume stored in your buckets on a per GB basis.
- Number of requests – the number and type of requests, e.g. GET, PUT, POST, LIST, COPY.
- Lifecycle transition requests – moving data between storage classes.
- Data transfer – data transferred out of an S3 region is charged.

Amazon Glacier pricing
- Extremely low cost and you pay only for what you need with no commitments or upfront fees.
- Charged for requests and data transferred out of Glacier.
- "Amazon Glacier Select" pricing allows queries to run directly on data stored on Glacier without having to retrieve the archive. Priced on the amount of data scanned, the amount returned, and the number of requests initiated.
- Three options for access to archives, listed in the table below:

AWS Snowball Pricing
Pay a service fee per data transfer job and the cost of shipping the appliance.
Each job allows use of the Snowball appliance for 10 days onsite for free.
Data transfer into AWS is free and outbound is charged (per-region pricing).

Amazon Relational Database Service (RDS) Pricing
RDS pricing is determined by:
- Clock hours of server uptime – amount of time the DB instance is running.
- Database characteristics – e.g. database engine, size and memory class.
- Database purchase type – e.g. On-Demand, Reserved.
- Number of database instances.
- Provisioned storage – backup is included up to 100% of the size of the DB. After the DB is terminated, backup storage is charged per GB per month.
- Additional storage – the amount of storage in addition to the provisioned storage is charged per GB per month.
- Requests – the number of input and output requests to the DB.
- Deployment type – single AZ or multi-AZ.
- Data transfer – inbound is free, outbound data transfer costs are tiered.
- Reserved Instances – RDS RIs can be purchased with No Upfront, Partial Upfront, or All Upfront terms. Available for Aurora, MySQL, MariaDB, Oracle and SQL Server.

Amazon CloudFront Pricing
CloudFront pricing is determined by:
- Traffic distribution – data transfer and request pricing varies across regions, and is based on the edge location from which the content is served.
- Requests – the number and type of requests (HTTP or HTTPS) and the geographic region in which they are made.
- Data transfer out – quantity of data transferred out of CloudFront edge locations.
- There are additional chargeable items such as invalidation requests, field-level encryption requests, and custom SSL certificates.

AWS Lambda Pricing
Pay only for what you use; charged based on the number of requests for functions and the time it takes to execute the code.
Price is dependent on the amount of memory allocated to the function.

Amazon Elastic Block Store (EBS) Pricing
Pricing is based on three factors:
- Volumes – volume storage for all EBS volume types is charged by the amount of GB provisioned per month.
- Snapshots – based on the amount of space consumed by snapshots in S3. Copying snapshots is charged on the amount of data copied across regions.
- Data transfer – inbound data transfer is free, outbound data transfer charges are tiered.

Amazon DynamoDB Pricing
Charged based on:
- Provisioned throughput (write).
- Provisioned throughput (read).
- Indexed data storage.
- Data transfer – no charge for data transfer between DynamoDB and other AWS services within the same region; transfer across regions is charged on both sides of the transfer.
- Global tables – charged based on the resources associated with each replica of the table (replicated write capacity units, or rWCUs).
- Reserved Capacity – option available for a one-time upfront fee and commitment to paying a minimum usage level at specific hourly rates for the duration of the term. Additional throughput is charged at standard rates.
On-demand capacity mode:
- Charged for reads and writes.
- No need to specify how much capacity is required.
- Good for unpredictable workloads.
Provisioned capacity mode:
- Specify number of reads and writes per second.
- Can use Auto Scaling.
- Good for predictable workloads.
- Consistent traffic or gradual changes.

AWS Support Plans
There are four AWS support plans available:
- Basic – billing and account support only (access to forums only).
- Developer – business hours support via email.
- Business – 24×7 email, chat and phone support.
- Enterprise – 24×7 email, chat and phone support.
Enterprise support comes with a Technical Account Manager (TAM).
Developer allows one person to open unlimited cases.
Business and Enterprise allow unlimited contacts to open unlimited cases.
Resource Groups and Tagging
Tags are key/value pairs that can be attached to AWS resources.
Tags contain metadata (data about data).
Tags can sometimes be inherited – e.g. resources created by Auto Scaling, CloudFormation or Elastic Beanstalk.
Resource groups make it easy to group resources using the tags that are assigned to them. You can group resources that share one or more tags.
Resource groups contain general information, such as:
- Region.
- Name.
- Health checks.
And also specific information, such as:
- Public and private IP addresses (for EC2).
- Port configurations (for ELB).
- Database engine (for RDS).

AWS Organizations and Consolidated Billing
AWS Organizations allows you to consolidate multiple AWS accounts into an organization that you create and centrally manage.
Available in two feature sets:
- Consolidated Billing.
- All features.
Includes root accounts and organizational units.
Policies are applied to root accounts or OUs.
Consolidated billing includes:
- Paying Account – independent and cannot access resources of other accounts.
- Linked Accounts – all linked accounts are independent.
Consolidated billing has the following benefits:
- One bill – you get one bill for multiple accounts.
- Easy tracking – you can track the charges across multiple accounts and download the combined cost and usage data.
- Combined usage – you can combine the usage across all accounts in the organization to share the volume pricing discounts and Reserved Instance discounts. This can result in a lower charge for your project, department, or company than with individual standalone accounts.
- No extra fee – consolidated billing is offered at no additional cost.
Limit of 20 linked accounts (by default).
One bill for multiple AWS accounts.
Easy to track charges and allocate costs.
Volume pricing discounts can be applied to resources.
Billing alerts enabled on the Paying account include data for all Linked accounts (or can be created per Linked account).
Consolidated billing allows you to get volume discounts on all of your accounts.
Unused Reserved Instances (RIs) for EC2 are applied across the group.
CloudTrail is on a per-account and per-region basis but can be aggregated into a single bucket in the paying account.
Best practices:
- Always enable multi-factor authentication (MFA) on the root account.
- Always use a strong and complex password on the root account.
- The Paying account should be used for billing purposes only. Do not deploy resources into the Paying account.

AWS Quick Starts
Quick Starts are built by AWS architects and partners to help you deploy popular solutions on AWS, based on AWS best practices for security and high availability.
These reference deployments implement key technologies automatically on the AWS Cloud, often with a single click and in less than an hour.
Leverages CloudFormation.

AWS Cost Calculators and Tools
- AWS Cost Explorer – enables you to visualize your usage patterns over time and to identify your underlying cost drivers.
- AWS Pricing Calculator – create cost estimates to suit your AWS use cases.

AWS Cost Explorer
The AWS Cost Explorer is a free tool that allows you to view charts of your costs.
You can view cost data for the past 13 months and forecast how much you are likely to spend over the next three months.
Cost Explorer can be used to discover patterns in how much you spend on AWS resources over time and to identify cost problem areas.
Cost Explorer can help you to identify service usage statistics such as:
- Which services you use the most.
- View metrics for which AZ has the most traffic.
- Which linked account is used the most.

AWS Pricing Calculator
AWS Pricing Calculator is a web-based service that you can use to create cost estimates to suit your AWS use cases.
AWS Pricing Calculator is useful both for people who have never used AWS and for those who want to reorganize or expand their usage.
AWS Pricing Calculator allows you to explore AWS services based on your use cases and create a cost estimate.

AWS Cost & Usage Report
Publish AWS billing reports to an Amazon S3 bucket.
Reports break down costs by:
- Hour, day, month, product, product resource, tags.
Can update the report up to three times a day.
Create, retrieve, and delete your reports using the AWS CUR API Reference.

AWS Price List API
Query the prices of AWS services.
Price List Service API (AKA the Query API) – query with JSON.
AWS Price List API (AKA the Bulk API) – query with HTML.
Alerts via Amazon SNS when prices change.

AWS Budgets
Used to track cost, usage, or coverage and utilization for your Reserved Instances and Savings Plans, across multiple dimensions such as service or Cost Categories.
Alerting through event-driven alert notifications for when actual or forecasted cost or usage exceeds your budget limit, or when your RI and Savings Plans' coverage or utilization drops below your threshold.
Create annual, quarterly, monthly, or even daily budgets depending on your business needs.
AWS Shared Responsibility Model
The AWS SRM defines what you (as an AWS account holder/user) and AWS are responsible for when it comes to security and compliance.
Security and compliance is a shared responsibility between AWS and the customer.
This shared model can help relieve customers' operational burdens as AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates.
The customer assumes responsibility and management of the guest operating system (including updates and security patches), other associated application software, as well as the configuration of the AWS-provided security group firewall.
AWS is responsible for "Security of the Cloud".
- AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud.
- This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services.
Customers are responsible for "Security in the Cloud".
- For EC2 this includes network level security (NACLs, security groups), operating system patches and updates, IAM user access management, and client and server side data encryption.
The following diagram shows the split of responsibilities between AWS and the customer:
Inherited Controls – controls which a customer fully inherits from AWS.
- Physical and Environmental controls.
Shared Controls – controls which apply to both the infrastructure layer and customer layers, but in completely separate contexts or perspectives. In the AWS shared security model, for a shared control AWS provides the requirements for the infrastructure and the customer must provide their own control implementation within their use of AWS services.
Examples of shared controls include:
- Patch Management – AWS is responsible for patching and fixing flaws within the infrastructure, but customers are responsible for patching their guest OS and applications.
- Configuration Management – AWS maintains the configuration of its infrastructure devices, but a customer is responsible for configuring their own guest operating systems, databases, and applications.
- Awareness & Training – AWS trains AWS employees, but a customer must train their own employees.
Customer Specific – controls which are solely the responsibility of the customer based on the application they are deploying within AWS services.
Examples of customer specific controls include:
- Service and Communications Protection or Zone Security, which may require a customer to route or zone data within specific security environments.