###### tags: `Tools`

# AWS Cloud Practitioner

https://explore.skillbuilder.aws/learn/course/internal/view/elearning/134/aws-cloud-practitioner-essentials

## Introduction to Amazon Web Services

**Client - Server model** *(client makes a request - server fulfills the client's request)*
[x] **`client`** :heavy_minus_sign: *web browser or desktop app that makes requests to computer servers*
[x] **`server`** :heavy_minus_sign: *services such as Amazon Elastic Compute Cloud (`EC2`)*

**Cloud Computing** *(on-demand delivery of IT resources over the internet with pay-as-you-go pricing)*
[x] access services on demand *(on-demand delivery means that AWS has the resources you need, when you need them)*
[x] avoid large upfront investments
[x] provision computing resources as needed
[x] pay only for what you use

**Cloud deployment models**
[x] **cloud**
- run all parts of the app in the cloud
- migrate existing apps to the cloud
- build new apps in the cloud
[x] **on premises** *(also known as private cloud deployment)*
- use virtualization and resource management tools to deploy resources *(Patch Manager patches all the servers from AWS and checks whether your data centers have the patches; it basically supports the usage of the cloud)*
- use application management
[x] **hybrid**
- connect both models (cloud resources to on-premises infrastructure)
- integrate with legacy IT applications

---

:question: **What is cloud computing?**
- *On-demand delivery of IT resources and applications through the internet with pay-as-you-go pricing*

:question: **What is another name for on-premises deployment?**
- *Private cloud deployment*

:question: **How does the scale of cloud computing help you to save costs?**
- *The aggregated cloud usage from a large number of customers results in lower pay-as-you-go prices*

---

**Advantages**
- variable expenses
- focus on apps and customers rather than building data centers
- scalability and capacity w/o investing in infrastructure
- economies of scale
- fast access to
resources
- global infrastructure with AWS (using a simple button)

**Core services** :exclamation: *(the focus should be on the categories below)*
- Compute
- Networking and Content delivery
- Storage
- Databases
- Security
- Management and governance

## Compute in the Cloud

(learning about EC2, Load Balancing, SNS, SQS)

**EC2 - Elastic Compute Cloud**
- gives secure, resizable compute capacity in the cloud
- boot a server in minutes
- payment is for what is used

**EC2 - instance types** *(optimized for different tasks)*
[x] **General purpose**
- *balances compute, memory and networking resources*
- suitable for a broad range of workloads
[x] **Compute optimized**
- ideal for compute-bound applications that benefit from *high-performance processors*
- ideal for high-performance web servers, compute-intensive application servers, and dedicated gaming servers
[x] **Memory optimized**
- delivers fast performance for workloads that *process large datasets in memory*
[x] **Storage optimized**
- designed for workloads that require high, sequential read and write access to large datasets on local storage
- workloads suitable for storage optimized instances include distributed file systems, data warehousing applications, and high-frequency online transaction processing (OLTP) systems

**EC2 - pricing**
[x] **On-demand**
- no minimum contract; good for short-term or irregular workloads that cannot be interrupted
[x] **Spot**
- for workloads with flexible start and end times; offers savings of up to 90%
[x] **Reserved**
- **1 or 3 year** commitment with a discount for a specific instance type
[x] **Compute Savings Plans**
- 1 or 3 year commitment, but w/o committing to an instance type
[x] **Dedicated computing**
- EC2 instance on hardware reserved for a single customer
- higher cost compared to standard EC2 instances
[x] **Dedicated host**
- physical server with EC2 instance capacity for a single customer; the **most expensive option**

**EC2 Scaling**
- involves beginning with only the resources you
need and designing your architecture to automatically respond to changing demand by scaling out or in
- *you pay for only the resources you use*
[x] **Manual scaling**
- times with low demand (1/2 servers), or times with high demand (more EC2 instances that hold your app)
- :exclamation: it is not recommended
[x] **Auto Scaling**
- uses dynamic scaling and predictive scaling, so it runs just enough instances to cover the demand of the app
- you need to set a minimum number of instances *(2 is the best practice, to avoid a single point of failure)*

**Elastic Load Balancing**
- distributes traffic across multiple resources (across EC2 instances)
- replicated in 3 data centers (there is no single point of failure)
- no single instance has to carry the bulk of it
- a load balancer acts as a single point of contact for all incoming web traffic to your Auto Scaling group

**AWS messaging services**
[x] **Amazon Simple Notification Service (`Amazon SNS`)**
- publish/subscribe service: publishes messages to subscribers
[x] **Amazon Simple Queue Service (`Amazon SQS`)**
- message queuing service
- send, store, and receive messages between software components, without losing messages or requiring other services to be available
- sends messages into a queue

---

:question: **Which AWS service is the best choice for publishing messages to subscribers?**
- *Amazon Simple Notification Service (Amazon SNS)*

---

**Additional compute services**
[x] **Serverless computing**
- "serverless" means that your code runs on servers, but you do not need to provision or manage these servers
[x] **AWS Lambda**
- *is a service for serverless computing*
- run code without needing to provision or manage servers
- pay only for compute time while the code is running
- how it works: *upload code to Lambda :arrow_right: set the code to trigger from a source event :arrow_right: code runs only when triggered :arrow_right: :exclamation: maximum runtime of 15 minutes **(if it takes more than 15 minutes it will run into
timeout)***
[x] **AWS container services**
- pack all the information (app, language, libraries, operating system) into containers and run them on an instance (like EC2)
- a 2-container app that needs to be deployed on 100 EC2 instances: you have ECS or EKS, the container orchestrators
1. **ECS - Elastic Container Service**
   - highly scalable, high-performance container management system
   - powerful, but you need to know about all the configuration
   - is Amazon technology
   - use simple API calls to control Docker-enabled apps
2. **EKS - Elastic Kubernetes Service**
   - fully managed service that you can use to run Kubernetes on AWS
   - is not specific to Amazon
   - easy to work with because it is most probably already known
- one of the solutions must be used in combination with **AWS Fargate** - serverless way to launch containers

---

:question: **You want to use an Amazon EC2 instance for a batch processing workload. What would be the best Amazon EC2 instance type to use?**
- *Compute optimized*

:question: **What are the contract length options for Amazon EC2 Reserved Instances? (Select TWO.)**
- *1 year & 3 years*

:question: **You have a workload that will run for a total of 6 months and can withstand interruptions. What would be the most cost-efficient Amazon EC2 purchasing option?**
- *Spot Instance*

:question: **Which process is an example of Elastic Load Balancing?**
- *Ensuring that no single Amazon EC2 instance has to carry the full workload on its own*

:question: **You want to deploy and manage containerized applications. Which service should you use?**
- *Amazon Elastic Kubernetes Service (Amazon EKS)*

---

## Global Infrastructure and Reliability

Determine the right Region for services, data and apps based on four business factors:
1. Compliance with data governance and legal requirements
2. Proximity to customers (to get content faster)
3. Available services within a Region
4.
   Pricing

:::info
:bulb: **`Availability Zone`** - single data center or a group of data centers within a Region (located tens of miles apart from each other)
:::

---

:question: **Which statement best describes an Availability Zone?**
- *A single data center or group of data centers within a Region*

---

**Edge locations**
- a site that Amazon CloudFront uses to store cached copies of your content closer to your customers for faster delivery *(mini data center)*
:bulb: https://d1.awsstatic.com/global-infrastructure/maps/Cloudfront-Map_9.24_2x.2eeac6e52bf404816c6d0aac3edbeb7b6b87fdaa.png
:bulb: **AWS Outposts** - physical rack (you can put it in your own data center if you request it from Amazon)

**Interact with AWS services**
[x] **AWS Management Console** - web-based interface for accessing and managing AWS services
[x] **AWS CLI** - command line interface
[x] **SDKs - Software development kits** - use AWS services through an API designed for your programming language or platform

**AWS Elastic Beanstalk**
- you provide code and configuration settings
- performs the following tasks: adjust capacity, load balancing, automatic scaling, health monitoring

**AWS CloudFormation**
- build an environment by writing lines of code

---

:question: **Which statement is TRUE for the AWS global infrastructure?**
- *A Region consists of two or more Availability Zones.*

:question: **Which factors should be considered when selecting a Region?
(Select TWO.)**
- *Compliance with data governance and legal requirements & Proximity to your customers*

:question: **Which statement best describes Amazon CloudFront?**
- *A global content delivery service*

:question: **Which site does Amazon CloudFront use to cache copies of content for faster delivery to users at any location?**
- *Edge location*

:question: **Which action can you perform with AWS Outposts?**
- *Extend AWS infrastructure and services to your on-premises data center.*

---

## Networking

The infrastructure should have public parts and private parts

**Virtual Private Cloud - Amazon VPC**
- enables you to launch resources in a virtual network that you define
- provision an isolated section of the AWS Cloud
- you have a public IP address and a private IP address

**Subnet**
- a section of a VPC that can contain resources such as Amazon EC2 instances
- you can place groups of isolated resources in it; a subnet can be public or private
[x] **Public subnet**
- contains resources that need to be accessible by the public
- you receive a public IP address and a private IP address as well
[x] **Private subnet**
- contains resources that should be accessible only through the private network
- you only get a private IP address within the VPC

**Internet gateway**
- routes the traffic from the subnet to the VPC
- a connection between a VPC and the internet

**Virtual Private Gateway**
- access private resources in a VPC
- have a VPN between the data center and the private subnet

**AWS Direct Connect**
- physical connection between the data center and the cloud

**Network traffic in a VPC**
- a request for data from an app in the AWS Cloud is sent as a `packet` *(= a unit of data sent over the internet or a network)*

**Network Access Control Lists - ACLs**
- virtual firewall that controls inbound and outbound traffic at the subnet level
- :exclamation: by default the ACL allows all inbound and outbound traffic
- a custom network ACL denies all inbound and outbound traffic
- performs `stateless packet filtering` *(= before
a packet can exit a subnet it must be checked against the outbound rules)*

**Security groups**
- virtual firewall that controls inbound and outbound traffic for an Amazon EC2 instance
- :exclamation: by default a security group *denies all inbound* traffic and *allows all outbound* traffic
- when a request goes through the security group, its response can enter or exit freely, because the request went through security once and the security group remembers it
- performs **stateful** packet filtering *(remembers previous decisions made for incoming packets)*

---

:question: **Which statement best describes an AWS account's default network access control list?**
- *It is stateless and allows all inbound and outbound traffic.*

---

**Domain Name System - DNS**
- the process of translating a domain name to an IP address
[x] **Amazon Route 53**
- is a DNS web service
- reliable way to route end users to internet applications hosted in AWS
- ability to manage the DNS records for domain names

---

:question: **Which statement best describes DNS resolution?**
- *Translating a domain name to an IP address*

:question: **Your company has an application that uses Amazon EC2 instances to run the customer-facing website and Amazon RDS database instances to store customers' personal information. How should the developer configure the VPC according to best practices?**
- *Place the Amazon EC2 instances in a public subnet and the Amazon RDS database instances in a private subnet.*

:question: **Which component can be used to establish a private dedicated connection between your company's data center and AWS?**
- *AWS Direct Connect*

:question: **Which statement best describes security groups?**
- *They are stateful and deny all inbound traffic by default.*

:question: **Which component is used to connect a VPC to the internet?**
- *Internet gateway*

:question: **Which service is used to manage the DNS records for domain names?**
- *Amazon Route 53*

---

## Storage and Databases

**AWS Storage**
- 3 types of storage:
1.
   **Block storage**
   - files are separated into equal-sized pieces of data
   - used for apps that run on EC2 instances
2. **Instance stores**
   - directly attached to the instance
   - the lifecycle of the storage is tied to the lifecycle of the instance
   - provides temporary block-level storage for an Amazon EC2 instance
3. **EBS volumes**
   - store data in a **single** Availability Zone
   - service that provides block-level storage volumes that you can use with Amazon EC2 instances
   - indirectly attached to the EC2 instance
   - if the instance is terminated you can attach the EBS volume to another instance
   - an **EBS snapshot** is an incremental backup *(snapshots can be taken with only the data that has changed)*

**Object storage**
- each object consists of data, metadata and a key
- you can store objects *(pdf, text file etc.)*, but with metadata and a key *(which is the identifier of the object, i.e. its name)*

**Amazon Simple Storage Service - S3**
- service that provides object-level storage
- store objects in buckets + set permissions to control access
- unlimited storage
[x] **S3 storage classes**
1. **Standard** - frequently accessed data
2. **Standard-IA** - infrequently accessed data - lower storage price and higher retrieval price
3. **Intelligent-Tiering** - ideal for data with unknown or changing access patterns - small monthly monitoring and automation fee per object
4. **Glacier Instant Retrieval** - works well for archived data that requires immediate access - retrieve objects within a few milliseconds
5. **Glacier Flexible Retrieval** - low cost, configurable retrieval time from minutes to hours
6.
   **Glacier Deep Archive** - lowest cost, retrieve objects within 12 hours

---

:question: **Which statement best describes DNS resolution?**
- *Amazon S3 Standard-IA*

---

**File storage**
- multiple clients can access data that is stored in shared file folders
- the storage server uses block storage with a local file system to organize files
[x] **Elastic File System - EFS**
- scalable file system
- regional service, stores data in and across **multiple** Availability Zones

**AWS Databases**
[x] **Relational DB** *(tables and relations; e.g. MySQL)*
- uses structured query language *(`SQL`)*

**Relational Database Service** (`RDS`)
- operate and scale a relational DB, automate time-consuming tasks, store and transmit data securely
:bulb: **Amazon Aurora**
- competitive with MySQL or PostgreSQL
- more performant because it is developed in the cloud
- replicates six copies of data across 3 Availability Zones & continuously backs up your data to Amazon S3

[x] **Nonrelational DB** *(key and value)*
- uses structures other than rows and columns to organize data, e.g. key-value pairs
:bulb: **Amazon DynamoDB**
- serverless key-value DB
- automatically scales to adjust for capacity changes, designed to handle over 10 trillion requests per day
[x] **Redshift**
- data warehousing service that you can use for big data analytics

---

:question: **What are the scenarios in which you should use Amazon Relational Database Service (Amazon RDS)? (Select TWO.)**
- *Using SQL to organize data & Storing data in an Amazon Aurora database*

---

**AWS Database Migration Service - DMS**
- migrate relational databases, nonrelational databases, and other types of data stores to a target database
[x] **DocumentDB** - document database service that supports MongoDB workloads
[x] **Neptune** - graph database service
[x] **QLDB** - ledger database service

---

:question: **Which Amazon S3 storage classes are optimized for archival data?
(Select TWO.)**
- *Amazon S3 Glacier Flexible Retrieval & Amazon S3 Glacier Deep Archive*

:question: **Which statement or statements are TRUE about Amazon EBS volumes and Amazon EFS file systems?**
- *EBS volumes store data within a single Availability Zone. Amazon EFS file systems store data across multiple Availability Zones.*

:question: **You want to store data in an object storage service. Which AWS service is best for this type of storage?**
- *Amazon Simple Storage Service (Amazon S3)*

:question: **Which statement best describes Amazon DynamoDB?**
- *A serverless key-value database service*

:question: **Which service is used to query and analyze data across a data warehouse?**
- *Amazon Redshift*

---

## Security

**AWS Shared Responsibility model**
- divides responsibilities into customer responsibilities (commonly referred to as `security in the cloud`) and AWS responsibilities (commonly referred to as `security of the cloud`)
[x] **Customers**
- responsible for everything they create and put in the AWS Cloud *(e.g. account management, the instance operating system and security groups are configured by customers)*
[x] **AWS**
- operates, manages, and controls the components at all layers of infrastructure
- protects the global infrastructure that runs all of the services offered in the AWS Cloud
- also protects the physical infrastructure that hosts the resources

---

:question: **Which tasks are the responsibilities of customers?
(Select TWO.)**
- *Patching software on Amazon EC2 instances & Setting permissions for Amazon S3 objects*

---

**AWS Identity and Access Management - IAM**
- manage access to AWS services and resources securely
- provides the flexibility to configure access based on company-specific operational and security needs
[x] **AWS account root user**
- the first identity created is basically the `root user` *(the owner, with complete access to all AWS services and resources in the account)*
[x] **IAM users**
- person or application that interacts with AWS services and resources
- consists of a name and credentials
- when created, by default it has no permissions associated with it
[x] **IAM policies**
- document that grants or denies permissions to AWS services and resources
- :boom: **always use the security principle of *least privilege* when granting permissions**
:point_down: example (allows listing the objects of one named bucket and nothing else)
```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "s3:ListBucket",
    "Resource": "arn:aws:s3:::AWSDOC-EXAMPLE-BUCKET"
  }
}
```
[x] **IAM groups**
- collection of IAM users
- assign an IAM policy to a group, and all users in the group are granted the permissions specified by the policy
[x] **IAM roles**
- identity that provides temporary access to permissions *(roles also have policies)*
[x] **Multifactor authentication - MFA**
- provides an extra layer of security for the AWS account
[x] **AWS Organizations**
- consolidate and manage multiple AWS accounts within a central location
- group accounts into organizational units (OUs) to make it easier to manage accounts with similar business or security requirements
[x] **Service Control Policies - SCP**
- centrally control permissions for the accounts within the organization

---

:question: **You are configuring service control policies (SCPs) in AWS Organizations. Which identities and resources can SCPs be applied to?
(Select TWO.)**
- *An individual member account & An organizational unit (OU)*

---

**Compliance**
[x] **AWS Artifact**
- service that provides on-demand access to AWS security and compliance reports and select online agreements
:bulb: *within the Customer Compliance Center you can find resources to help you learn more about AWS compliance*

---

:question: **Which tasks can you complete in AWS Artifact? (Select TWO.)**
- *Access AWS compliance reports on-demand. & Review, accept, and manage agreements with AWS.*

---

**Denial-of-service attacks - DoS**
- deliberate attempt to make a website or application unavailable to users

**Distributed denial-of-service attacks - DDoS**
- multiple sources are used to start an attack that aims to make a website or application unavailable

**AWS Shield**
- service that protects applications against DDoS attacks
[x] **Standard** - automatically protects all AWS customers at no cost
[x] **Advanced** - paid service that provides detailed attack diagnostics and the ability to detect and mitigate sophisticated DDoS attacks

**Additional security services**
[x] **AWS Key Management Service (AWS KMS)**
- perform encryption operations through the use of **cryptographic keys** *(= random string of digits used for locking (encrypting) and unlocking (decrypting) data)*
[x] **AWS Web Application Firewall - WAF**
- web application firewall that lets you monitor network requests that come into your web applications
[x] **Amazon Inspector**
- perform automated security assessments on apps
- identify security vulnerabilities and deviations from best practices; receive recommendations on how to fix security issues
[x] **GuardDuty**
- analyze network and account activity, detect threats
- review detailed findings and take action

---

:question: **Which statement best describes an IAM policy?**
- *A document that grants or denies permissions to AWS services and resources*

:question: **An employee requires temporary access to create several Amazon S3 buckets.
Which option would be the best choice for this task?**
- *IAM role*

:question: **Which statement best describes the principle of least privilege?**
- *Granting only the permissions that are needed to perform specific tasks*

:question: **Which service helps protect your applications against distributed denial-of-service (DDoS) attacks?**
- *AWS Shield*

:question: **Which task can AWS Key Management Service (AWS KMS) perform?**
- *Create cryptographic keys.*

---

## Monitoring and Analytics

**CloudWatch**
- monitor and manage various metrics and configure alarm actions based on data from those metrics

**CloudTrail**
- records API calls for your account *(basically a log of actions)*

**Trusted Advisor**
- web service that inspects your AWS environment and provides real-time recommendations in accordance with AWS best practices

---

:question: **Which actions can you perform using Amazon CloudWatch? (Select TWO.)**
- *Monitor your resources' utilization and performance & Access metrics from a single dashboard*

:question: **Which service enables you to review the security of your Amazon S3 buckets by checking for open access permissions?**
- *AWS Trusted Advisor*

:question: **Which categories are included in the AWS Trusted Advisor dashboard?
(Select TWO.)**
- *Performance & Fault tolerance*

---

## Pricing and Support

**AWS Free Tier**
- begin using certain services without having to worry about incurring costs for the specified period
- available types: *Always Free, 12 Months Free, Trials*

**AWS Pricing concepts**
[x] **Pay as you go** *(pay for exactly the amount of resources that you actually use)*
[x] **Pay less when you reserve** *(some services offer reservation options that provide a significant discount)*
[x] **Pay less with volume-based discounts** *(some services offer tiered pricing, so the per-unit cost is incrementally lower with increased usage)*

**Billing dashboard**
- pay your AWS bill, monitor your usage, and analyze and control your costs

**Consolidated billing**
- receive a single bill for all AWS accounts in your organization
- share bulk discount pricing, Savings Plans, and Reserved Instances across the accounts in the organization

**AWS Budgets**
- create budgets to plan your service usage, service costs, and instance reservations

**AWS Cost Explorer**
- visualize, understand, and manage AWS costs and usage over time

**AWS Support**
[x] **Basic** - free for all AWS customers - access to whitepapers, documentation, and support communities
[x] **Developer** - access to features such as best practice guidance and client-side diagnostic tools
[x] **Business** - Trusted Advisor checks
[x] **Enterprise On-Ramp** - pool of Technical Account Managers to provide proactive guidance and coordinate access to programs and AWS experts
[x] **Enterprise** - designated Technical Account Manager to provide proactive guidance and coordinate access to programs and AWS experts

**AWS Marketplace**
- digital catalog with third-party software that runs on AWS

---

:question: **Which action can you perform with consolidated billing?**
- *Combine usage across accounts to receive volume pricing discounts.*

:question: **Which pricing tool is used to visualize, understand, and manage your AWS costs and usage over
time?**
- *AWS Cost Explorer*

:question: **Which pricing tool enables you to receive alerts when your service usage exceeds a threshold that you have defined?**
- *AWS Budgets*

:question: **Your company wants to receive support from an AWS Technical Account Manager (TAM). Which support plan should you choose?**
- *Enterprise*

:question: **Which service or resource is used to find third-party software that runs on AWS?**
- *AWS Marketplace*

---

## Migration and Innovation

**AWS Cloud Adoption Framework**
- organizes guidance into 6 areas of focus, called **Perspectives** *(business, people, governance, platform, security, operations)*

**Migration strategies**
- strategies: *rehosting, replatforming, refactoring/re-architecting, repurchasing, retaining, retiring*

**AWS Well-Architected Framework**
- understand how to design and operate reliable, secure, efficient, and cost-effective systems in the AWS Cloud
- based on 6 pillars: *operational excellence, security, reliability, performance efficiency, cost optimization, sustainability*
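The IAM policy, least-privilege and SCP statements from the Security section above, worked through as an added example. This is not code from the course or from AWS; it is a simplified policy evaluator written for these notes. It models three things the notes state: a new IAM user has no permissions (implicit deny), a policy statement grants or denies, and SCPs bound what the accounts of an organization may do. The sample policies, bucket ARNs and the `evaluate_policy` / `is_allowed` helpers are all constructed here, and SCP handling is reduced to "no Deny and at least one Allow", which ignores the per-OU layering of real AWS Organizations.

```python
"""Simplified IAM-style policy evaluation (constructed teaching example, not the AWS engine).

Rules modelled, in the order a request is judged:
  1. an explicit Deny in any applicable policy (identity policy or SCP) wins,
  2. an SCP is a boundary: if no SCP allows the action, identity policies cannot,
  3. otherwise some identity policy must Allow; with no policy at all the result
     is the implicit deny a freshly created IAM user starts with.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    """IAM accepts a single string or a list for Action, Resource and Statement."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM wildcards: '*' matches any run of characters, '?' exactly one.
    fnmatchcase is case-sensitive, so 's3:ListBucket' does not match 's3:listbucket'."""
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate_policy(policy, action, resource):
    """Return 'Deny' (explicit), 'Allow', or None when no statement matched."""
    decision = None
    for stmt in _as_list(policy["Statement"]):
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt.get("Resource", "*"), resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # explicit deny short-circuits everything else
        decision = "Allow"
    return decision


def is_allowed(identity_policies, action, resource, scps=()):
    """Effective decision for one (action, resource) request."""
    if scps:                       # simplified SCP boundary (single level, no OU chain)
        scp_results = [evaluate_policy(p, action, resource) for p in scps]
        if "Deny" in scp_results or "Allow" not in scp_results:
            return False
    identity_results = [evaluate_policy(p, action, resource) for p in identity_policies]
    if "Deny" in identity_results:
        return False
    return "Allow" in identity_results   # [] -> False: the implicit deny


# Constructed sample policies; the bucket name is the placeholder from the notes.
LEAST_PRIVILEGE = {
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": ["s3:ListBucket", "s3:GetObject"],
        "Resource": ["arn:aws:s3:::AWSDOC-EXAMPLE-BUCKET",
                     "arn:aws:s3:::AWSDOC-EXAMPLE-BUCKET/*"],
    },
}
OVERLY_BROAD = {                   # the anti-pattern: every S3 action on every bucket
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
}
SCP_NO_BUCKET_DELETE = {           # an SCP that lets everything through except bucket deletion
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}

BUCKET = "arn:aws:s3:::AWSDOC-EXAMPLE-BUCKET"
OBJECT = BUCKET + "/report.pdf"


def demo():
    """Decisions a reviewer would want to see; each key names the scenario."""
    return {
        "new_user_no_policy": is_allowed([], "s3:GetObject", OBJECT),
        "lp_read_own_bucket": is_allowed([LEAST_PRIVILEGE], "s3:GetObject", OBJECT),
        "lp_read_other_bucket": is_allowed([LEAST_PRIVILEGE], "s3:GetObject",
                                           "arn:aws:s3:::other-bucket/report.pdf"),
        "lp_delete_bucket": is_allowed([LEAST_PRIVILEGE], "s3:DeleteBucket", BUCKET),
        "broad_delete_bucket": is_allowed([OVERLY_BROAD], "s3:DeleteBucket", BUCKET),
        "broad_delete_under_scp": is_allowed([OVERLY_BROAD], "s3:DeleteBucket", BUCKET,
                                             scps=[SCP_NO_BUCKET_DELETE]),
        "broad_read_under_scp": is_allowed([OVERLY_BROAD], "s3:GetObject", OBJECT,
                                           scps=[SCP_NO_BUCKET_DELETE]),
    }


if __name__ == "__main__":
    for scenario, allowed in demo().items():
        print(f"{scenario:24s} -> {'ALLOW' if allowed else 'DENY'}")
```

The two scenarios worth comparing are `lp_delete_bucket` and `broad_delete_under_scp`: the least-privilege policy never granted `s3:DeleteBucket`, so there is nothing for an SCP to catch, whereas the broad policy needs the organization-level Deny to stop the same request.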
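The network ACL and security group behaviour from the Networking section above (the ACL filters statelessly at the subnet level, the security group statefully per instance; the default ACL allows everything, a custom one denies everything, and a security group denies inbound and allows outbound by default), as an added toy model. It is not AWS code and not part of the course; the `Packet`, `Rule`, `NetworkACL` and `SecurityGroup` classes, the addresses and the HTTPS exchange are constructed here, and the CIDR matching only handles prefix lengths that are multiples of 8.

```python
"""Stateless network ACL vs stateful security group (constructed teaching model).

The practical consequence the model shows: a custom network ACL needs an
explicit outbound rule for the ephemeral ports that replies go back to,
while a security group admits the reply because it remembers the request.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str          # "in" = entering the subnet/instance, "out" = leaving it


@dataclass(frozen=True)
class Rule:
    direction: str
    port_lo: int            # destination-port range the rule covers
    port_hi: int
    cidr: str               # remote address range, e.g. "0.0.0.0/0"
    action: str = "allow"   # network ACLs may also "deny"; security groups only allow


def _cidr_match(cidr, ip):
    """Simplified CIDR test: only /0, /8, /16, /24 and /32 are modelled."""
    net, bits = cidr.split("/")
    octets = int(bits) // 8
    return ip.split(".")[:octets] == net.split(".")[:octets]


def _rule_hits(rule, pkt):
    remote_ip = pkt.src_ip if pkt.direction == "in" else pkt.dst_ip
    return (rule.direction == pkt.direction
            and rule.port_lo <= pkt.dst_port <= rule.port_hi
            and _cidr_match(rule.cidr, remote_ip))


class NetworkACL:
    """Stateless. Rules are (number, Rule) pairs evaluated in ascending number
    order; the first match decides, and a packet matching no rule is denied."""

    def __init__(self, numbered_rules):
        self.rules = sorted(numbered_rules, key=lambda nr: nr[0])

    def permits(self, pkt):
        for _, rule in self.rules:
            if _rule_hits(rule, pkt):
                return rule.action == "allow"
        return False            # implicit deny at the end of every ACL


class SecurityGroup:
    """Stateful. A packet matching an allow rule is recorded as a flow, and the
    reverse direction of that flow is admitted without consulting the rules."""

    def __init__(self, rules):
        self.rules = rules
        self.flows = set()

    def permits(self, pkt):
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port,
                   "in" if pkt.direction == "out" else "out")
        if reverse in self.flows:
            return True
        if any(_rule_hits(r, pkt) for r in self.rules):
            self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.direction))
            return True
        return False


# Constructed HTTPS exchange: an internet client talks to an instance at 10.0.1.5.
REQUEST = Packet("203.0.113.10", 50123, "10.0.1.5", 443, "in")
REPLY = Packet("10.0.1.5", 443, "203.0.113.10", 50123, "out")
ANY = "0.0.0.0/0"


def demo():
    """(request admitted, reply admitted) for each filter variant."""
    variants = {
        "default_nacl": NetworkACL([(100, Rule("in", 0, 65535, ANY)),
                                    (100, Rule("out", 0, 65535, ANY))]),
        "custom_empty_nacl": NetworkACL([]),                         # custom ACL: denies all
        "nacl_no_ephemeral": NetworkACL([(100, Rule("in", 443, 443, ANY)),
                                         (100, Rule("out", 443, 443, ANY))]),  # common mistake
        "nacl_with_ephemeral": NetworkACL([(100, Rule("in", 443, 443, ANY)),
                                           (100, Rule("out", 443, 443, ANY)),
                                           (110, Rule("out", 1024, 65535, ANY))]),
        "default_sg": SecurityGroup([Rule("out", 0, 65535, ANY)]),   # no inbound rules
        "web_sg": SecurityGroup([Rule("in", 443, 443, ANY)]),        # no outbound rule at all
    }
    return {name: (f.permits(REQUEST), f.permits(REPLY)) for name, f in variants.items()}


if __name__ == "__main__":
    for name, (req, rep) in demo().items():
        print(f"{name:20s} request={'pass' if req else 'drop'} reply={'pass' if rep else 'drop'}")
```

`nacl_no_ephemeral` admits the request and drops the reply, because the reply's destination port is the client's ephemeral 50123, not 443; `web_sg` admits both with only an inbound rule, which is the stateful behaviour the notes describe.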
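CloudTrail as "a log of actions" (Monitoring section), together with the MFA note and the security-group defaults from the Security and Networking sections, as an added detection example. This is not AWS's or the course's code. The records are constructed and trimmed to the fields the checks read; the field names follow the shape of CloudTrail records (`userIdentity.type`, `additionalEventData.MFAUsed`, `requestParameters.ipPermissions`), but the account id, group ids, user names and IPs are placeholders, and the three check functions are this example's own.

```python
"""Detection checks over CloudTrail-style records (constructed teaching example).

Three things a defender wants flagged from the account's API log:
  1. any activity by the account root user,
  2. a successful console login without MFA,
  3. a security group ingress rule opened to the whole internet (0.0.0.0/0).
"""
import json

# Constructed CloudTrail-shaped log; a real log file has the same {"Records": [...]} wrapper.
SAMPLE_TRAIL = {"Records": [
    {"eventTime": "2024-01-01T08:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-01-01T08:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-01-01T08:10:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"groupId": "sg-EXAMPLE1",
                           "ipPermissions": {"items": [
                               {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                                "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2024-01-01T08:12:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"groupId": "sg-EXAMPLE2",
                           "ipPermissions": {"items": [
                               {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                                "ipRanges": {"items": [{"cidrIp": "203.0.113.0/24"}]}}]}}},
]}
SAMPLE_TRAIL_JSON = json.dumps(SAMPLE_TRAIL)


def root_activity(rec):
    """Root should be reserved for the few tasks that need it; any call is worth a look."""
    if rec.get("userIdentity", {}).get("type") == "Root":
        return f"root user performed {rec.get('eventName')}"
    return None


def console_login_without_mfa(rec):
    """A successful ConsoleLogin whose MFAUsed field is anything but 'Yes'."""
    if (rec.get("eventName") == "ConsoleLogin"
            and rec.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
        who = rec.get("userIdentity", {})
        return f"console login without MFA by {who.get('userName') or who.get('arn')}"
    return None


def world_open_ingress(rec):
    """Security groups deny inbound by default; a 0.0.0.0/0 ingress rule undoes that."""
    if rec.get("eventName") != "AuthorizeSecurityGroupIngress":
        return None
    params = rec.get("requestParameters", {})
    for perm in params.get("ipPermissions", {}).get("items", []):
        for rng in perm.get("ipRanges", {}).get("items", []):
            if rng.get("cidrIp") == "0.0.0.0/0":
                return (f"{params.get('groupId')} opened {perm.get('ipProtocol')} "
                        f"{perm.get('fromPort')}-{perm.get('toPort')} to 0.0.0.0/0")
    return None


CHECKS = [root_activity, console_login_without_mfa, world_open_ingress]


def scan(trail_json):
    """Parse a CloudTrail-style log file and return one finding per (record, check) hit."""
    findings = []
    for rec in json.loads(trail_json).get("Records", []):
        for check in CHECKS:
            detail = check(rec)
            if detail:
                findings.append({"time": rec.get("eventTime"),
                                 "check": check.__name__, "detail": detail})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_TRAIL_JSON):
        print(f"{f['time']}  {f['check']:28s} {f['detail']}")
```

Each check reads only with `.get()` so a record missing a section (a ConsoleLogin has no `requestParameters`, an EC2 call has no `additionalEventData`) yields no finding rather than an exception; the 443 rule scoped to one /24 in the last record is the contrast case that must stay quiet.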