Paid Resources
Some of the above websites have free trials available
Chapter 4: Shared Responsibility Model
Chapter 7: Core Compute Services (pg 120-135; Domains 3.1, 3.3, 4.1-4.2)
Chapter 6 part 3 (pgs 82-118; Domains 2.2, 2.4, 3.1, 3.3-3.6, 4.2)
Chapter 6 part 2 (pgs 82-118; Domains 2.2, 2.4, 3.1, 3.3-3.6, 4.2)
Chapter 6 part 1 (pgs 82-118; Domains 2.2, 2.4, 3.1, 3.3-3.6, 4.2)
Chapter 5 cont - AWS Security and Compliance Tools
AWS Compliance
AMZ Inspector
AMZ GuardDuty
AWS Secrets Manager
AMZ Detective
AWS Audit Manager
AWS CloudHSM
AWS RAM
AWS Security Hub
AMZ = Amazon
RAM = Resource Access Manager
HSM = Hardware Security Module
Chapter 5: 2.2, 2.3 IAM
Root User
Authorizes expenses and launches resources. Protect it with MFA and a complex password, and use an IAM user rather than the root user where possible. The root user should NEVER be assigned access keys.
Best Practices
Access keys are used for remote logins; a key pair is likely required.
You can configure your own password policy.
Authentication factors: something you know, something you have.
U2F - Universal 2nd Factor.
Users, groups and roles should be used for efficiency and security (the trusted entity for a role can be a service, a third-party IdP, or a specific AWS account).
Access Keys (not MFA)
The AWS Management Console can generate them; keys are shown only once. Never display them in plaintext. You can deactivate keys.
SSH - Secure Shell Protocol
Tool for encrypting remote sessions. The encrypted traffic can be decrypted with a key; SSH manages both encryption and decryption as long as compatible keys are present on both sides of the connection.
To launch a new EC2 Linux instance, use an existing or new SSH key pair. There is only one opportunity to download it.
The key must be invoked in the connection command. You can also launch on Windows machines.
Federated Access
SAML or AD can be used. SSO can be used if the prior are integrated. AWS Directory Service can be used. User reports can be downloaded.
Encryption
KMS - AWS Key Management Service. This applies encryption using a CMK (customer master key). Keys can be added/removed through the KMS dashboard.
Any data managed by an AWS service can be encrypted (includes RDS, DynamoDB, and EBS volumes attached to EC2 instances). S3 only works with server-side encryption, not client-side; encrypt data before uploading to S3 with a KMS-managed CMK or a client-side master key.
AWS Artifact
Regulatory Compliance
Links and documents describing various regulatory standards, plus various reports.
Ex: FedRAMP, GC, APRA, PCI DSS, AOC, SOC, SOX
Chapter 4 pt 2: Domains 2.1, 3.1, 3.2
AWS Outposts (on-prem physical AWS server, installed and maintained by AWS)
Brings AWS infrastructure/services to on-prem data centers/colocations. Hybrid experience: APIs/AWS services can be run locally. Helps to run low-latency or local data processing, or to meet data residency needs.
Covered Services
EC2, Elastic Block Store, and Amazon File Storage
AWS Local Zones (different from regions)
33 locations. Designed to serve cities/metro areas with ultra-low-latency access. Must be run in Local Zone data centers. Covered services are preferred; not all AWS services are available.
AWS Wavelength
Addresses the need for ultra-low latency and high bandwidth for mobile users. Does not extend traditional network/compute infrastructure; brings it to the 5G network. AWS co-locates physical infrastructure with telecom facilities.
Deploying these at the edge of the network, developers can run apps in proximity to 5G base stations, which decreases network latency. Best for VR or AR deployments.
AWS Shared Responsibility Model
See graphic in cheat sheet.
Customer is responsible for what's IN the cloud. AWS is responsible for the cloud itself.
Applies to IaaS, SaaS, PaaS.
Managed vs Unmanaged
Managed cloud service - will "hide" the backend configuration/admin work needed to run the service. Allows you to focus on outcome/business.
RDS - a stand-alone database can be run in this (partially managed service). Could be managed with Elastic Beanstalk (handles instances/storage/DBs).
Unmanaged - ex: EC2 - the client cares for the operating system and everything on it. Sliding scale.
If you can edit it, you own it.
Service Health Status
Good for troubleshooting. The Service Health Dashboard will report outages within 1-2 minutes of the outage.
AUP does not tolerate illegal activity.
Of vs In the cloud
Chapter 4 pt 1: Domains 2.1, 3.1, 3.2
Regionally based services
The hardware for an instance will only use one AWS region; this is true for all instance types (Lambda, EC2, S3, EBS). The physical host must be in one region. You can run parallel resources in multiple regions (recommended for data sovereignty/durability/access). Check region status often.
Dividing resources among regions allows you to locate infrastructure geographically closer to you with low latency, meet regulatory compliance with legal and banking rules, and isolate groups of resources for greatest latency.
Must know how to identify which region you are working in, ex: ec2.us-east-1.amazonaws.com vs rds.eu-west-3.amazonaws.com
Globally Based Services
Resources are not tied to any one region. Ex: IAM, CDN, S3
Availability Zones (AZ)
One region has at least 2 AZs with low-latency network links. No two AZs will ever share resources from a single physical data center.
Designations: subnet/AZ combo = host environment. AZs are displayed out of order to ensure availability.
Be familiar with subnetting. Distribute prod over multiple subnets for high availability and low fault tolerance.
Private IPv4 address range: 192.168.0.0 to 192.168.255.255. Can be divided into smaller and smaller subnets. AWS allows 200 subnets per AZ. The other range includes 172.16.0.0 to 172.31.255.255.
If you see an IP address in an AWS config dialog box, you're looking at the IP address subnet range.
AZ cont - High Availability
Hardware will fail at some point. Single point of failure refers to no stored backups. Redundancy is the only effective protection against failure and must also be geographically parallel. Cloud resilience is often cheaper.
AWS avoids app failure via auto-scaling and load balancing.
Global Infrastructure: Edge Locations
An Edge Location is a site where AWS provides low-latency user access to Amazon-based data by deploying physical server infrastructure. These are different because they do not offer the full range of AWS services. Helps direct traffic.
Chapter 3 Notes; Domains 2.4, 3.8, 4.3
4 Levels of Support Plans
Basic - free plan
Developer - starts at $29, includes core TA checks, 8am-6pm local time web access, general guidance within 24 business hours, system impaired help within 12 business hours
Business - starts at $100, general guidance within 24 business hours, 24/7 web chat/phone engineer access, production system down help within 1 hr, all TA checks. Can also have IEM for more $$
Enterprise - starts at $15k/month, general guidance within 24 business hours, 24/7 web chat/phone engineer access, production system down help within 1 hr, all TA checks, business-critical system down help in 15 mins. A technical account manager (TAM) is a guide/advocate for your account.
AWS Partner Network (APN) - Professional Services Team
Documentation
SDKs are available. Helps users to look into strategies, guides, and more.
Knowledge Center - FAQ page sorted by service. Discussion forums are also available: re:Post
Trusted Advisor (ONLY AVAILABLE FOR BUSINESS OR ENTERPRISE SUBSCRIBERS)
Visually confirms whether account resource configurations are compliant/safe with best practice. Alerts across 5 categories: Cost Optimization, Performance, Security, Fault Tolerance, and Service Limits.
Basic Support and Developer have service limits with some security info, whereas Business and Enterprise get all alerts.
Chapter 2 Notes: Domain 4.1-4.3
Free Tier
Can run for up to 750 hrs per month using a t2.micro EC2 instance. Can be used to run light relational database workloads with Amazon Relational Database Service (RDS). Can store up to 5GB in S3 buckets. Lasts for 12 months. Two ways to monitor usage: email alerts and the tracking tool at the bottom of the billing dashboard. PUT and GET requests in 23 buckets have limits.
12 month free: 30GB of magnetic or SSD storage from EBS, 500MB free storage with ECR, 1 TB of outbound data, 1 million API calls on API Gateway
Permanently free: 10 monitoring metrics/alarms on Amazon CloudWatch, 62,000 outbound emails/month with SES, 3.2 million seconds of compute time and one million requests with Lambda
Budgeting
Rates change with how much storage is needed; pricing varies by region. For EC2, you can choose between pricing types (on-demand, spot, savings plans, reserved instances, dedicated host pricing).
Can use the AWS Pricing Calculator for estimating cost. 2 main benefits: pricing is real time and you can visualize the fiscal impact of each element.
Can utilize the billing dashboard to create one of three budget types: usage budgets, cost budgets, reserved instance or coverage budgets, or savings plan coverage budgets.
Other tools: Cost Explorer (visualizes the account's historical usage), Cost and Usage Reports (show the full range of activity), cost allocation tags (resource tags, cost allocation tags), and AWS Organizations (centralizes admin of multiple AWS accounts for allocation).
Service Limits
Can only launch 20 reserved instances within EC2 each month so all classes of resources are reliable. Limits are adjustable.
Resource requests can be refused.
Exam study guide pgs 14-25
Notes: Domain 1.1-1.3
-AWS allows for sufficient compute, memory, network, and storage resources. Global infrastructure is also efficient.
-Lots of redundancy so that if one part fails, there is always a failover.
-Allocation of resources is automated via the metered pay model.
-CapEx (Capital Expenses) relates to on-prem solutions and hardware. Cloud solutions do not have any CapEx.
-Server virtualization: VMs are created and access storage/computing resources from the host server. Virtualization offers two main benefits: speed and efficiency.
-Located in a physical server: compute to storage to hypervisor (VM admin software) to the virtual machine. Storage is attached to it.
-On-prem, IaaS, PaaS, SaaS
-Serverless workloads allow users to run workloads on cloud servers. Provided by AWS Lambda services; makes code that is REACTIONARY.
-Scalability allows apps to grow automatically based on organizational needs.
-Elasticity matches compute power with rising and falling demand. Ex: AWS Auto Scaling. Will operate within its limits.