AWS Certified Cloud Practitioner Flashcards
Cloud Computing Definition
NIST (National Institute of Standards and Technology) Cloud Computing Definition:
• On-demand self-service
• Broad network access - reach the resources from the internet
• Resource pooling - multi-tenant hardware environment
• Rapid elasticity - ability to grow/shrink on demand, can scale storage
• Measured (metered) service - pay as you use; if you run an image for an hour, you pay just for that hour
3 Service Models
1. Infrastructure as a Service (IaaS) - we create our own software on top of IaaS - EC2
2. Platform as a Service (PaaS) - abstracts the infrastructure away so we can develop SaaS - GoDaddy
3. Software as a Service (SaaS) - Microsoft 365, Gmail
3 types of Deployment Models
1. Public Cloud - AWS
2. Private Cloud - own datacenter used by one company - on premises
3. Hybrid Cloud - leverage AWS for certain types of needs + on-prem equipment, connected through fiber or VPN
AWS Value Proposition
1. On-demand resources - get what you need, when you need it.
2. Pay-as-you-go - pay for what you use, use what you need.
3. No long-term commitments - feel free to throw things away and turn off things we don't need (e.g. a test environment).
4. Highly automated - provides repeatable infrastructure (create environments for Dev, Test, QA, Prod).
5. Managed services - inherent high availability, security, fault tolerance, durability (offloads the operational burden of managing tools).
6 Benefits of Cloud Computing
1. Trade CapEx for VarEx (capital expense for variable expense) - no need to build data centers; pay-as-you-go compute resources
2. Benefit from massive economies of scale - Amazon has HUGE purchasing power.
3. Stop guessing about capacity - Auto Scaling scales with demand
4. Increase speed and agility -
5. Stop spending money running/maintaining data centers - Capital One got rid of all its datacenters and went with AWS
6. Go global in minutes
AWS Region
Primary location (a geographical area) containing 2 or more AZs. Consider when choosing a region:
• Available services and features
• Cost of services - may vary depending on the region
• Latency, proximity to users - better experience for users
• Disaster recovery - use multiple regions so DR coverage overlaps
• Security & compliance - laws that govern data; make the correct choices
Availability Zones
Collection of data centers
Edge Locations (Caching Content CloudFront)
1. No direct access to Edge Locations
2. Can write to Edge Locations
3. Objects are cached for the TTL
4. Power content delivery network (CDN) & DNS services
5. 100+ worldwide
6. $$ to clear cached objects
AWS Support Plans
1. Basic - Free
2. Developer - $29/month
3. Business - $100/month
4. Enterprise - $15,000/month
Basic Support Plan (Free)
Basic - Free
Core Trusted Advisor checks
No technical support
Can submit: bugs, feature requests, service limit increases
Developer Support Plan ($29/mo)
Developer - $29/month
Core Trusted Advisor checks
Business hours access to Cloud Support Associates
Guidance: < 24 business hours
Impairments: < 12 business hours
Offers only "General Guidance"
Billing Alert/Billing Alarm
Alarm (SNS alert) when a certain level of AWS spending has been reached
Business Support Plan - $100/month
Business - $100/month
Full set of Trusted Advisor checks
24/7 access to Cloud Support Engineers
Email, chat, phone
1 - 24 hour response time
Offers contextual guidance based on use case
Per account basis
Access AWS in 3 ways
1. Via the Console
2. Programmatically (using the CLI)
3. Using the SDK
Enterprise Support Plan - $15,000/month
Enterprise - $15,000/month
Dedicated Technical Account Manager
Full set of Trusted Advisor checks
24/7 access to Cloud Support Engineers
Email, chat, phone
15 min - 24 hour response time
Offers consultative review based on use case
Applies to all accounts
Access to Well-Architected review
Access to online labs
S3 has the following guarantees from Amazon
• Built for 99.99% availability for the S3 platform
• Amazon guarantees 99.9% availability
• Guaranteed durability of eleven 9's
S3 Storage classes (6 types)
1. S3 Standard - 99.99% available, eleven 9's durable
2. S3 - IA (Infrequent Access) - lower fee than S3 Standard but charged for retrieval
3. S3 One Zone - IA (Infrequent Access) - lower-cost option without multiple-AZ coverage
4. S3 Intelligent-Tiering - uses machine learning to move data between S3 storage options
5. S3 Glacier - retrieval time of minutes to hours
6. S3 Glacier Deep Archive - lowest storage cost, retrieval time of 12 hours
Identity and Access Management (IAM)
• It is GLOBAL
• Authorization via policies
  - Policies are JSON
  - Key-value pairs ("name":"Ki_Chun")
• Users
• Groups
• Password policy
• Multi-factor authentication
S3 Charges
1. Storage space
2. Requests
3. Storage management pricing
4. Data transfer pricing
5. Transfer Acceleration - fast, easy and secure transfer over long distances between your end users & S3
6. Cross-region replication pricing
Amazon VPC (Virtual Private Cloud)
1. Logically isolated network
  a. Cannot communicate with any other source
2. Created per account per region
  a. Embrace the idea of multiple VPCs
  b. Due to multiple regions and redundancy
3. One VPC spans a SINGLE region
4. A VPC can use all AZs within one region
5. Can peer with other VPCs
  a. By putting the web app in one VPC and the data store in another VPC and peering them, we get better security and isolation of the DB.
6. Internet and VPN gateways
7. Number of security mechanisms
  a. Some parts of the network are exposed to the internet
  b. Some parts communicate with on-prem via VPN
  c. Several firewalls to filter traffic by source/destination/port/protocol
8. Initial soft limit is 5 VPCs per region
9. It is possible to have two VPCs with the same or different IP ranges, but VPCs with the same range can't peer
10. Must divide VPCs into subnets
  a. Subnets are tied to AZs
  b. An AMI instance is launched into a subnet, not a VPC
  c. Divide into one subnet per AZ, each with a unique IP range
Simple Storage Service (S3)
Cost-effective object-based storage
Objects 0 to 5TB in size
Create buckets and put objects in them
S3 is a key-value store
Objects are stored in buckets
Not suitable for an OS or DB
S3 bucket name must be universally unique
HTTP 200 code if upload is successful
An object is a file with key-value pairs
Cluster spans the region (distributed throughout the available AZs)
Durable to loss of 2 AZs
Server-side encryption (SSE) AES-256
Subnets Enable...
1. Security via isolation
2. High availability
3. Fault tolerance
4. Performance - all machines need to be in a subnet in the same AZ for optimal performance
How does data consistency work for S3
Read-after-write consistency for PUTs of new objects
  You will be able to read the file immediately after uploading it to S3
Eventual consistency for overwrite PUTs and DELETEs (can take time to propagate)
  If updating AN EXISTING file, or deleting a file and reading it immediately, you may get an older version, or you may not. Basically, changes to objects can take a little bit of time to propagate.
Routing - First line of Defense
1. Internet gateway
2. Route table (Destination/Target)
3. Associate the route table with a subnet - enables bi-directional traffic routing
4. Public subnet
  a. Has access to the internet
  b. All instances in the subnet need to have a public IP address
  c. Could serve as a DMZ (bridging trusted to untrusted zones)
5. Can use the route table to selectively choose which IP ranges can communicate to/from other networks. It is the first line of security.
S3 has the following features
• Tiered storage
• Lifecycle management
• Versioning
• Encryption
• Secure your data using Access Control Lists (file level) and Bucket Policies (bucket level).
Well-Architected Infrastructure (5 Pillars)
Reliable - fault tolerance, high availability, durability
Secure - right people in, wrong people out
Good performance
Cost effective - save money
Operationally excellent - monitored, automated, effective processes
AWS Direct Connect (DX) POP - fiber connection between a region and the customer
Dedicated 1GB or 10GB fiber connection
Transfer larger amounts of data
Amazon Elastic Block Store (EBS)
Volume types:
  SSD (GP2) - balances price and performance for a wide variety of workloads
  SSD (IO1) - highest-performance SSD; mission-critical low-latency or high-throughput workloads
  Magnetic (ST1) - low-cost HDD for frequently accessed, throughput-intensive workloads
  Cold HDD (SC1) - lowest-cost HDD for less frequently accessed workloads (file server)
  Magnetic - previous generation
Create EBS volumes to have durable storage
Multiple EBS volumes can attach to the same EC2 instance
If the EC2 instance fails, the EBS volume is persistent
Reattach the EBS volume to a new EC2 instance
Data is independent of the EC2 instance
Connected over the network (not NAS)
Pay for provisioned storage - if you provision 1TB you pay for 1TB even if you use 1GB
Must exist in the same AZ as the EC2 instance
Can make point-in-time snapshots to S3 - makes EBS more durable
Can detach from one EC2 instance and attach to a different EC2 instance
Can be encrypted (AES-256)
Can be used in RAID or LVM
  RAID 0 - performance increase
  RAID 1-5 - slower performance
Elastic Load Balancing (ELB)
Distributes requests/traffic
Spans regions, uses every AZ
Inherently secure, resilient, fault tolerant, scalable
Supports health checks
Integrates with Auto Scaling
Integrates with Route 53 (DNS), can leverage CNAMEs
Three types:
  Classic - Create ELB -> Listener (80/443) -> Register EC2 behind the ELB -> Forward to port (8080)
    Offloads SSL (TLS or SSH)
    Health checks
    ELB is inherently scalable & self-healing
  Application - Create ELB -> Listener (80/443) -> Target Groups -> Register EC2 in the TG -> L7 content filtering
    URIs or hostnames routed to targets (/usr or domain.name.com)
    Dynamic port mapping - one EC2 instance can receive requests on different ports. Can run multiple apps on different ports, or one app on multiple ports
  Network - Create ELB -> Listener (80/443) -> Target Groups -> Register EC2 in the TG -> Static IPs can be spread and balanced (works well when you need to hardcode static IPs)
    Improves latency and handles very long-running connections
Auto-Scaling
Can auto replace a machine
Can auto heal if an AZ fails
By using RDS:
  Can offload the management of the DB to Amazon
  Using more than 1 DB can give redundancy and DR
  AWS will perform automatic backups
By using DynamoDB (NoSQL DB), Amazon will manage the DB for the user
Amazon CloudFront will cache content before touching the system, for a better user experience
CloudWatch can collect metrics on the system:
  Over/under provisioned?
  Any operational issues?
  Is there a rise in demand that requires scaling tables/DB/app servers?
  Log files
Auto Scaling, triggered by CloudWatch, can "right size" the network
Can archive for long-term storage with Glacier
Leverage Lambda for asynchronous needs, e.g. a custom process
Amazon Route 53 - Globally distributed DNS service
Register domains
Use AWS nameservers
Public and private DNS zones (public: internet accessible; private: only accessible via the VPC)
Automated via API - consistent in a transient environment
Health checks - HTTP or HTTPS health check. Send a request and, if no response is received, configure alarms
Different routing methods:
  Latency - push end users to IPs that have better latency
  Geographic - users in a particular state go to a particular endpoint. Outside the US, do it by country
  Failover - useful in conjunction with health checks. If one endpoint fails, fail users over to another endpoint
  Weighted sets - push a % of users from one location to another. Push 1% of traffic from one location to another to test, then gradually migrate users to the new endpoint.
CloudWatch Alarm
Triggered on breach of a threshold
Does not necessarily signal an emergency
Can trigger Auto Scaling - if not enough CPU, add more CPU
Can terminate a machine and replace it
Can reboot a machine
Up to 5000 alarms per account
Amazon CloudWatch
Questions it answers:
  Are we over/under provisioned?
  What is the current demand/load?
  What is the bottleneck? Network, I/O, CPU, disk
  How is the EC2 instance performing?
  Are there idle resources?
Key to meeting the instrumentation and monitoring need
Collects metrics
Stores metrics for 2 weeks
Accessible via API
Unique metric set per service
Custom metrics ($/metric)
Examples:
  EC2 - default 5 min interval; detailed 1 min interval ($/instance); reported by the hypervisor
  ELB - default 1 min interval; healthy/unhealthy hosts
  RDS - memory, connections, disk
  DynamoDB - read/write throughput
CloudWatch Logs
Collect logs by streaming them to one central place
Configure an agent on an instance
Collect Route 53 DNS queries
Monitor CloudTrail events
Default retention is indefinite
Can archive to S3
Stream to Elasticsearch
Process with Lambda (perform intelligent actions based on the content of the logs)
AWS Auto Scaling
Replaces failed instances - helps build self-healing infrastructure
Changes capacity according to load
Maintains a fixed-size fleet (maintain the machines we have; if one fails, replace it)
Works with CloudWatch
Supports events: SNS (Simple Notification Service), Lambda
Amazon EC2
Virtual machines (instances)
Your choice of Linux or Windows
Xen or Nitro hypervisor (Nitro: 2017, improvement in speed)
Bare metal is available
Combination of CPU, memory, disk, I/O
Launch one to thousands (limited by service limit)
Default limit 20 EC2 instances
Different billing models
Hourly fee includes OS license
AWS Marketplace offers canned solutions (particular software solutions)
Amazon CloudFront (Cache Service)
Create a distribution (web or streaming)
Configure when to use which origin: /assets/* comes from S3, all else comes from ELB
The edge location closest to the user will cache CloudFront content
Caches content at edge locations
Static & dynamic content
Customizable cache behavior (static 60 mins, dynamic not cached, etc.)
Custom domain name via CNAME or ALIAS
Custom SSL certificates
RTMP and HLS streaming
AWS Lambda (Serverless Infrastructure)
Amazon manages the Lambda servers (to us, it is serverless)
Great for: scheduled tasks, microservices, event handlers
Pay for compute time per 100ms
Create functions: inline editor, upload zip file
Invoke functions: CLI or SDK, events
AWS handles infrastructure (high availability, scalability, etc.), deployment, scaling of infrastructure
Can use Python code
We configure: runtime, memory limit, execution timeout
Can schedule Lambda with CRON format
Managing a RDS
AWS manages: power, cooling, network, chassis, CPU, RAM, HDD, operating system, database backups
We can concentrate on writing queries and adding value
Choice of: MySQL, SQL Server, Oracle, PostgreSQL, MariaDB, Amazon Aurora
Reduces operational burden
Users can focus on the application
Read replicas
Automated: OS & DB installation, OS patches, DB engine minor updates, backups, failover
Amazon EC2 Best Practices
Treat as disposable - design for failure
  A bug in automation could terminate it
  Auto Scaling could terminate the instance
  The machine could go away at any time
"Immutable infrastructure" - once the machine (web server) is launched, it does not change from that state
Treat logs as streams - instead of shelling in and tailing logs (the logs could go away) or leaving the logs on the machine, stream the logs to you
Leverage roles - controls permissions when the machine accesses other services like DynamoDB
Automate deployment
Monitor with CloudWatch
Enable scaling and self-healing with Auto Scaling - in some cases, Auto Scaling may replace an unhealthy machine
Multi-AZ Deployment
High availability
Physically distinct (separate machines in separate locations)
Synchronous replication
Automatic failover on: loss of network, compute failure, storage failure
RTO/RPO in minutes
Production best practice
Backups: Automated
  Performed once per day
  You can control the backup window
  Retained up to 35 days
  Point-in-time restore
  Deleted along with the instance - delete the RDS instance and all automated backups are also deleted
Backups: Manual Snapshot
  Performed at any time
  Can copy to other regions
  Retained indefinitely
RDS backups are like EBS backups: stored in S3, can cross-region copy
Amazon Aurora
Compatible with MySQL 5.6 and PostgreSQL 9.6
3-5x performance increase by moving to Aurora
Storage up to 64TB, auto-scaled (normally storage has to be pre-provisioned)
Six copies across three AZs
Up to 15 read replicas
Aurora multi-master - increases performance
Aurora Serverless (2017) - similar to Lambda
Managing a RDS (Relational Database Service)
6 different DBs in AWS: SQL Server, Oracle, MySQL, PostgreSQL, Aurora, MariaDB
2 key features:
  Multiple AZs for disaster recovery (DR)
  Read replicas - for performance
EC2 -> Primary DB (written to) -> Secondary DB (5 copies)
If the primary DB fails then AWS will automatically fail over to the secondary DB
OLTP (online transaction processing)
Capturing and storing data from ERP, CRM, POS
Day-to-day business transactions
The main focus is on efficiency of routine tasks
OLAP (online analytical processing)
A category of software tools that provide analysis of data stored in a database and is often used in data mining
DynamoDB (Non-relational DB)
Collection = Table
Document = Row
Key-value pairs = Fields
Columns in the table can vary; this will not affect other rows in the DB
Amazon ElastiCache
Amazon ElastiCache is a web service that makes it easy to deploy, operate, and scale an in-memory cache
Caches the most common queries
Memcached & Redis caching engines
The service improves the performance of web applications by allowing you to retrieve information from fast, managed, in-memory caches, instead of relying entirely on slower disk-based databases.
AWS CloudFormation
Template-based infrastructure management
Declarative programming (domain-specific language to specify resources/options)
Offers access to the full breadth of AWS
Store in source control
Write once, deploy many
Library of common architectures
No imposed model
Visually: start with a template -> hand off to the CloudFormation engine -> multiple AZs/ELB/
Infrastructure as Code (IaC)
Apply the tools of software development as needed
Template is put into source control (Git, SVN)
Verify/collaborate/audit
Hooks can drive continuous optimization:
  Test - results can be given back to the team
  Build - CloudFormation builds the stack
  Stack does more tests - feedback to the user
AWS WAF (Web Application Firewall)
Layer 7 content filtering
Supports rules to block/allow/count requests
Integrates with Amazon CloudFront
Protects against: SQL injection, cross-site scripting (XSS)
Block based on: IP addresses, HTTP headers/body content, URI string
Rate limiting per client IP
Managed rules for common threats: OWASP, bots, Common Vulnerabilities and Exposures (CVE)
AWS Shield
Distributed Denial of Service (DDoS) protection service
Standard: UDP reflection, SYN floods, SSL renegotiation, Slowloris attacks
  Available for free to everyone
AWS Shield Advanced
Additional detection/mitigation
Near real-time visibility
Integrates with AWS WAF (Web Application Firewall)
Access to the DDoS Response Team
Shared Responsibility Model
AWS is responsible for: facilities/data centers, edge locations, rack and chassis, network, APIs, hypervisor (Xen or Nitro), managed services (storage, databases)
Customers are responsible for: operating system, network & firewall configuration, identity and access (credentials, permissions), applications, data, encryption at rest (AWS can encrypt) and in transit (AWS can encrypt for us)
Controls:
  Inherited - physical, environmental
  Shared - patch management, configuration management, education
  Customer specific - application/data zone security
Policies
Determine authorization (permissions)
Written in JSON
Policy types:
  Managed policy - AWS managed, customer managed
  Inline policy (written inline in a user/group)
Create policies via: generator, hand-written policies
Evaluation logic of a policy: defaults to implicit deny; explicit deny; explicit allow
What NOT to do with Policies
Embed in code (if credentials rotate then you need to redeploy code)
Environment variables
Share with third parties: hundreds of enterprise users, millions of web users
Roles
Use temporary credentials (auto-rotate/expire)
Delegate permissions to: an EC2 instance, an AWS service, a user (elevate privileges), a separate account (one you own, or a third party)
Visual: role on EC2
Roles for cross-account access
Federated Users
Users belong to an outside entity
Organizational users - leveraging existing directories: LDAP, Active Directory; temporary credentials; single sign-on
Web/mobile application users: apps bypass backend APIs/proxies
AWS New Account First Steps
Enable CloudTrail (records all calls made to AWS)
Create an admin user in IAM
Enable multi-factor authentication on the root account
Enable cost and usage report (on root credentials)
Log in with the admin user
Create additional users, groups, etc.
IAM Best Practices
Root credentials - email address + password; protect at all costs; do not use for day-to-day
Follow the principle of least privilege
Rotate access keys
Enable multi-factor authentication (MFA)
Monitor with CloudTrail
AWS Organizations
Eases management of multiple AWS accounts
Automates creation of AWS accounts (e.g. automated creation of sandbox accounts)
Service Control Policies (SCPs) control services - dedicate accounts to a certain type of application or data, e.g. this group is allowed EC2/RDS but not allowed DynamoDB/Redshift
Consolidated and Detailed Billing
Consolidated billing: one bill, many accounts; aggregated volume pricing - at a certain point the price goes down; reserved instances apply to all accounts
Detailed billing: published to an S3 bucket in CSV format; import into a spreadsheet; filter/sort by service, tag (key-value pairs, helps allocate costs), account, etc.
AWS Assurance Programs
Certifications/attestations performed by third-party independent auditors:
Cloud Security Alliance
ISO 9001
ISO 27001
ISO 27017
ISO 27018
PCI DSS Level 1
SOC 1, 2, 3
US assurance programs: FedRAMP, FIPS, FISMA, HIPAA, ITAR, MPAA (Motion Picture Association of America)
HIPAA Compliance (Health Insurance Portability & Accountability Act)
Designed to secure Protected Health Information (PHI)
AWS is not "directly" certified
Requirements map to FedRAMP and NIST 800-53
AWS provides a Business Associate Addendum (BAA) - AWS handles the physical infrastructure, which is certified
PCI-DSS Compliance (Payment Card Industry Data Security Standard)
Designed to protect: cardholder data (CHD), sensitive authentication data (SAD)
Applies to businesses that store/process/transmit such data
AWS is PCI DSS 3.2 Level 1 compliant
Customers are responsible for the cardholder data environment (CDE)
AWS provides an Attestation of Compliance (AOC) - letter saying AWS supports the hardware certification
Customer works towards compliance; AWS provides the necessary documentation
Know who is responsible: AWS for physical controls, customer for logical controls
Know the controls you inherit
Know the services in scope
Speak with your account manager
Compliance resources - https://aws.amazon.com/compliance
AWS Config
Resource inventory - inventory of all resources (EC2) and software on EC2
Configuration history
Change notifications
Determine compliance against rules
Enables: compliance auditing, security analysis, change tracking, troubleshooting
AWS Service Catalog
Manage catalogs of approved IT services - instead of the dev team submitting tickets to the ops team, they can select products from a catalog that have been vetted, saving time
Achieve consistent governance
Customer defines portfolios and products, defined as CloudFormation templates
AWS Artifact
Access reports/details of >2500 security controls
On-demand access to AWS security and compliance documents
Demonstrate security and compliance of your AWS environments
Examples: SOC and PCI reports
AWS CloudTrail
Records all calls made to AWS APIs - launch EC2 instance, read/write to DynamoDB
Delivers log files to an S3 bucket - from all regions
Includes: identity, source IP, request/response details
Does not record: OS system logs, database queries, things happening in our apps - use CloudWatch for those
Encryption and Key Management
Many services offer encryption: Amazon S3, Amazon EBS, Amazon RDS, Amazon Glacier, Amazon SQS (Simple Queue Service)
AWS Key Management Service (KMS):
  Fully managed service
  Create/manage encryption keys
  Integrates with many other services
  Multi-tenant software backed by HSMs
Single-tenant service - AWS CloudHSM:
  Single-tenant Hardware Security Module
  FIPS 140-2 Level 3 validated
  On-demand, no upfront costs
  Can enable: SSL offloading, private key storage/security, Transparent Data Encryption (TDE)
Vulnerability/Penetration Testing
Permission is required! - your account could be disabled!
Must request permission via ROOT credentials
Identify the instances to be tested
Specify start and end dates/times
AWS does NOT permit testing of (could negatively impact other customers): m1.small, t1.micro, t2.nano
AWS policy permits testing of: EC2, RDS, Aurora, CloudFront, API Gateway, Lambda, Lightsail, DNS zone walking
EC2 Pricing Models
On-Demand - fixed rate by second or hour; no long-term commitment
Reserved Instances (RI) - up to 70% discount vs. on-demand; provide capacity reservation; 1-yr or 3-yr term
EC2 Spot pricing - bid on spare capacity; save up to 90% vs. on-demand
Dedicated Hosts - physical EC2 host dedicated for your use; use existing server-bound software licenses; dictated by some government laws
AWS Lambda Pricing
Charged per GB per 100ms
Charged per 1M requests
Free tier (non-expiring): 1M requests/month, 400K GB-seconds/month
Additional charges for bandwidth, Amazon S3
Data Transfer Pricing
Inbound bandwidth is generally free - user-generated content
S3 to CloudFront is free
Pay for outbound to the internet, $/GB/month - applies to cross-region traffic; tiered pricing 10/40/100TB
Cross-AZ traffic $/GB/month
VPC peering $/GB/month
REMEMBER WHAT YOU PAY FOR, AS WHAT YOU PAY WILL CHANGE
Amazon RDS Pricing
Price determined by: instance type, database engine (license), reserved instance discount
Multi-AZ deployments - 2x the cost
Storage - built on top of EC2 and EBS: $/GB/month, $/provisioned IOPS/month
Amazon DynamoDB Pricing
Charged for provisioned throughput: $/write capacity unit, $/read capacity unit
Charged for storage that is actually consumed - 10GB increments, $/GB/month
Amazon EBS Pricing
$/GB/month of provisioned storage - provision 10TB and you will pay for 10TB even if using 10GB
  General purpose SSD, provisioned IOPS storage, magnetic volume
Additional costs for: $/provisioned IOPS, EBS snapshots to Amazon S3
Amazon S3 Pricing
$/GB/month of consumed storage
Additional costs for requests: PUT/COPY/POST/LIST $/1000, GET $/1000
Storage classes: Infrequent Access - data that might not be retrieved often; Glacier - leverage lifecycle rules to move data from S3 to Glacier
AWS simple monthly calculator - https://calculator.s3.amazonaws.com/index.html
EC2: add type of EC2, OS, size of EC2, type of billing option; also EBS volumes, Elastic IPs, data outbound/inbound
Understand data usage - know current bandwidth usage to make an educated guess of the bandwidth and get an accurate monthly bill
AWS Total Cost of Ownership (TCO) - https://aws.amazon.com/tco-calculator/
Helps us realize the total cost of running our own datacenter vs. running in AWS
AWS Cost Explorer - https://aws.amazon.com/aws-cost-management/aws-cost-explorer/
Look at cost per period
Look at cost per region
Filter by type of account or usage (e.g. only EC2 in a certain region)
Download the data as a CSV and view it in graphic form
AWS Cost and Usage Reports
Highly detailed billing information
CSV files saved to an S3 bucket
Import reports into Redshift or QuickSight (visualization tool)
Usage listed for each service
Usage listed for tags (key-value pairs: project, cost center, etc.)
Can aggregate to daily or monthly
AWS Trusted Advisor
Automatically analyzes your environment
Offers best-practice recommendations
Cost optimization - load balancers with no EC2 instances registered behind them (orphaned items); EC2 running all the time (save money with reserved EC2)
Performance
Security recommendations
Fault tolerance recommendations
Seven core checks (free to everyone):
  S3 bucket permissions - an S3 bucket is private by default; permission must be granted to access S3 publicly; Trusted Advisor checks whether S3 has public access
  Security groups (specific ports unrestricted)
  IAM use - does anyone have too much access?
  MFA on root account
  EBS public snapshots - is the EBS snapshot publicly readable?
  RDS public snapshots
  Service limits - AWS services have some limits: hard limits (due to technology), soft limits (initial 20 EC2 instances - helps to control costs)
Full benefits: notifications, programmatic access
3 Different terminology in CloudFront
Edge Location - the location where the content is cached. This is separate from an AWS Region or AZ
Origin - the origin of the file the CDN will distribute. Can be an S3 bucket, EC2 instance, ELB or Route 53
Distribution - the name of the CDN, which is a collection of Edge Locations
2 different types of CloudFront Distributions
Web Distribution - typically for websites
RTMP - Adobe Flash format for media streaming
Transfer Acceleration
Upload to an edge location
Then use the AWS backbone network to reach the desired location
Website hosting on S3
Can host a static website (no DB connection)
Cannot host a dynamic website (needs a DB connection, like WordPress)
Roles
1. More secure than Access Key IDs and easier to manage
2. Can apply a role to EC2 instances
3. Roles are universal
3 Different Load Balancers
1. Application Load Balancer - Layer 7 aware (intelligent decisions)
2. Network Load Balancer - extreme performance/static IPs
3. Classic Load Balancer - test & dev, lowest cost
CloudFormation
1. An easy way to create and manage a collection of related AWS resources
2. Provisions and updates them in an orderly and predictable fashion
3. Can provision almost every AWS resource
Traditional Computing vs Cloud Computing
1. IT assets as provisioned resources
2. Global, available, and scalable capacity
3. Higher-level managed services - machine learning
4. Built-in security - IAM, multi-factor
5. Architecting for cost
6. Operations on AWS - move VMs to AWS, refactoring and rearchitecting
Scaling on AWS
1. Scale up
2. Scale out - multiple EC2 instances behind an ELB
  a. Stateless applications - Lambda
  b. Distribute load to multiple nodes
  c. Stateless components - signed-in user info carried in the cookie
  d. Stateful components - RDS store of shopping history
  e. Implement session affinity - a cookie in the browser tells the ELB where to route
  f. Distributed processing - Elastic MapReduce
  g. Implement distributed processing - many EC2 instances to process
Disposable Resources instead Fixed Servers
Instantiate compute resources:
  a. Bootstrapping - to auto-create processes
  b. Golden image - copy of EC2
  c. Containers
  d. Hybrid - containers + EC2
Infrastructure as Code:
  a. CloudFormation
Automation
Serverless management and deployment
Infrastructure management and deployment:
  a. AWS Elastic Beanstalk
  b. Amazon EC2 Auto Recovery
  c. AWS Systems Manager
  d. Auto Scaling
Alarms and events:
  a. Amazon CloudWatch alarms - billing alerts
  b. Amazon CloudWatch Events - an S3 upload triggers a change
  c. Lambda scheduled events
  d. WAF (Web Application Firewall) security automation - trigger an action based on attacker activity
Loose Coupling
Well-defined interfaces:
  a. Amazon API Gateway - create your own API
Service discovery:
  a. Implement service discovery
Asynchronous integration:
  a. Tight coupling (procedural programming)
  b. Loose coupling (independent phases using queues)
Distributed systems best practices:
  a. Graceful failure in practice
Services Not Servers
Managed services - Lambda, S3, Route 53; not physical servers
Serverless architecture - don't have to manage servers
Databases
Aurora
  a. Scalability
  b. High availability - Multi-AZ
  c. Anti-pattern - no need for joins or complex transactions: use NoSQL
Non-relational database (DynamoDB)
  a. Scalability
  b. High availability - Multi-AZ
  c. Anti-pattern - requires joins or complex transactions: use Aurora
Data warehouse (Redshift)
  a. Scalability
  b. High availability - Multi-AZ
  c. Anti-pattern - not meant for online transaction processing (OLTP)
Search
  a. CloudSearch
  b. Elasticsearch
Graph databases
  a. Amazon Neptune - fully managed graph database
Data lake
  a. S3
3 Fundamental drivers of cost with AWS
Compute
Storage
Data outbound
What services are free in AWS
Amazon VPC - virtual data center
Elastic Beanstalk - the provisioned instances are not free
CloudFormation
Identity and Access Management (IAM)
Auto Scaling
OpsWorks - a DevOps product like Elastic Beanstalk
Consolidated billing
What determines Price
EC2 - clock hours of server time
Instance type - e.g. T2
Pricing model
Number of instances
Load balancing
Detailed monitoring - the default of every 5 mins is free
Auto Scaling
Elastic IP addresses
OS and software packages
Lambda(Serverless) Pricing
Request pricing
  a. Free tier - 1 million requests per month
  b. $0.20 per 1 million requests thereafter
Duration pricing
  a. 400,000 GB-seconds per month free, up to 3.2 million seconds of compute time
  b. $0.00001667 for every GB-second used thereafter
Additional charges
  a. Reads from or writes to S3
EBS pricing
Volume (per GB)
Snapshots (per GB)
Data transfer
S3 Pricing
Storage class (Standard, IA, One Zone-IA, etc.)
Storage (GB)
Requests (GET, PUT, COPY)
Data transfer
Glacier Pricing
Storage
Data retrieval times
Snowball Pricing - petabyte-scale data transfer in/out of AWS (a gigantic disk)
Service fee per job
  a. Snowball 50 TB: $200
  b. Snowball 80 TB: $250
Daily charge
  a. First 10 days are free, then $15 a day
Data transfer
  a. Data transfer into S3 is free. Data transfer out is not
RDS pricing
Clock hours of server time
Database characteristics
Database purchase type
Number of DB instances
Provisioned storage
Additional storage
Requests
Deployment type
Data transfer
CloudFront Pricing
Traffic distribution
Requests
Data transfer out