AWS Practitioner Notes Flashcards
Describe the basic AWS Infrastructure
AWS is split into Regions (based on geography)
Regions are split into Availability Zones (2-6 per region, average 3)
Availability Zones have multiple Data Centers
In addition there are Edge Locations, Local Zones, and Outposts
What are some factors in choosing a Region
Compliance Requirements
Latency
Available Services
Pricing
Shared Responsibility Matrix - AWS Responsibilities
Security OF the cloud
Hardware
Certain Software (offered as a service)
Certain OS (of serverless services)
Networking/Firewalls of serverless services
Shared Responsibility Matrix - Customer Responsibilities
Security IN the cloud
Customer Data
Platforms, applications, IAM, network/firewall of EC2 instances
OS of EC2 instances
Networking traffic
What is IAM
IAM = Identity and Access Management
Describe IAM Users
An IAM User should be a single physical user
Users can be assigned to groups, but don’t have to be
Describe IAM Groups
An IAM Group is a collection of IAM Users
An IAM User can belong to multiple groups
Describe IAM Policies
An IAM Policy can be assigned to a user or a group
An IAM Policy is used to control access to AWS resources
What is an Inline Policy
A policy that is assigned to a user directly
What is the Least Privilege Principle
Only giving a user the bare minimum access they require
How is an IAM Policy Structured
It has a version number, an ID, and a Statement
A statement consists of an ID, Effect (Allow/Deny), Principal (account/user/role to which the statement applies), Action (list of actions the policy allows/denies), and Resources (list of AWS resources that the policy applies to)
IAM Password Policy
Allows you to define the password requirements for all accounts
What is MFA
Multi-factor Authentication - Using both a password and a security device
Can be physical (key or keyfob that generates MFA codes)
Can be virtual
Name three ways to access AWS
The AWS Management Console (requires password/MFA)
Command Line Interface (requires access keys)
Software Development Kit - SDK (requires access keys)
What is AWS Cloudshell
It is an alternate way to access AWS - private CLI using the browser - does not require access keys
What are IAM Roles
IAM Roles are a way to assign permissions to AWS services
Name two IAM security tools
IAM Credential Reports (account level)
IAM Access Advisor (user level)
What are some IAM best practices
Don’t use the root account unless you absolutely have to - create accounts with administrative access instead
1 physical user = 1 AWS account
Assign Users to Groups, then assign permissions/policies to those groups
Use a strong password policy
Use/enforce MFA
Use roles when giving permissions to AWS services
What does EC2 stand for
Elastic Cloud Compute
Is EC2 IAAS, PAAS, SAAS?
It is IAAS - Infrastructure As A Service
What can you customize in an EC2 instance
Operating System
Number of Cores
RAM
Storage Space
Network Card
What is EC2 User Data
A Bootstrap Script - runs once when the instance starts
What are the different EC2 types
General Purpose - Good for web servers or code repositories
Compute Optimized - Good for high performance processing
Memory Optimized - Good for processing large data sets in memory
Storage Optimized - Good for high sequential r/w access to local datasets
EC2 naming convention - explain the different parts of: m5.2xlarge
m = instance class
5 = generation
2xlarge = size within the instance class
What is a security group
A set of permissions that allows traffic in or out of an EC2 instance
It only has ALLOW rules
Acts as firewall to an EC2 instance
Regulates access to ports, authorized IP ranges (IPV4 and IPV6)
Can be attached to multiple instances
Instances can have multiple security groups assigned to them
Locked to a Region/VPC combination
Lives outside the EC2 instance - if it blocks something, that something never reaches the instance
Describe Important Ports
21 = FTP
22 = SFTP and secure shell
80 = HTTP
443 = HTTPS
3389 = Remote Desktop Protocol
What is SSH
Secure Shell - used to log into Linux, MAC, and Windows (v10+) servers
What is PuTTY
Used to log into Windows (any version) servers
Describe the EC2 purchasing option On Demand Instances
Good for short workloads
Pricing - Windows/Linux - Pay per second after the first minute
Pricing - Other - Pay per hour
Highest cost, no upfront payment
Describe the EC2 purchasing option Reserved Instances
Good for long workloads
Can reserve for 1 or 3 years
Save up to 72%
Reserve specific instance attributes
Can pay upfront, partially upfront, no upfront
Describe the EC2 purchasing option Savings Plans
Good for long workloads
Can be for 1 or 3 year commitment
Save up to 72%
Commit to specific usage (ex $10/hour) for 100 hours
Usage beyond that is at on demand prices
Describe the EC2 purchasing option Spot Instances
Good for short workloads that can be interrupted
Up to 90% discount
Can lose instance at any time
Use for workloads resistant to failure
Describe the EC2 purchasing option Dedicated Host
Dedicated host - good for when you have compliance requirements
Have all of a physical server reserved just for your use, control instance placement
Payment options are on demand or reserved - is very expensive
Describe the EC2 purchasing option Dedicated Instances
No other customer will share your hardware
Multiple instances from the same account may share the hardware
Describe the EC2 purchasing option Capacity Reservations
Reserve an amount of capacity for a specific AZ for any duration
Always have access to the capacity whenever you need it, no time commitment, no billing discounts, can combine with Regional Reserve instances and Savings Plans, charged On Demand prices whether you run instances or not
What is EBS
Elastic Block Storage - network storage
Can be attached to a single instance
Multiple EBS can be attached to a single instance
Has provisioned capacity - can select size and speed when setting up
Billed for the provisioned capacity
Use limited to an AZ
What is an EBS Snapshot
A backup image of an EBS volume
What is the EBS Snapshot Archive
75% cheaper storage tier
24-72 hours to restore from
What is AMI
Amazon Machine Image
A defined configuration for an EC2 instance
Public AMI - provided by Amazon
Private AMI - make and maintain yourself
AWS Marketplace AMI - purchased off the Marketplace
Define the process for building/using an AMI
Create EC2 instance and configure it
Stop the instance
Create the AMI from the stopped instance
Launch new instances from the AMI
What is an Instance Store
Physical storage attached to an EC2 instance
Data is lost if the EC2 instance is stopped
Backup and replication are customer’s responsibility
What is EFS
Elastic File System - network storage that can be attached to multiple EC2 - can be used across AZ’s
What is EFS Infrequent Access
Storage tier up to 92% cheaper than EFS Standard
Files automatically moved to this tier and back to Standard
What is FSx for Windows
Fully managed file system built on Windows File Server
What is FSx for Lustre
File system for high performance computing
Used for ML, analytics, video processing, and financial modeling
What is ELB
Elastic Load Balancing
Describe the two types of scalability
Vertical Scalability - increase/decrease the size of an instance - scale up/down
Horizontal Scalability - increase/decrease the number of instances - scale out/in
What is High Availability
When you are running in multiple AZ’s or Regions
What is Elasticity
The ability to scale in/out to match demand and optimize costs
What is ASG
Auto-Scaling Groups - a service that adds/removes instances automatically
Replaces unhealthy instances automatically
What are 2 types of Load Balancers
ALB - Application Load Balancers - for HTTP/HTTPS traffic (external)
NLB - Network Load Balancers - for TLS/TCP traffic (internal)
What are 4 types of ASG Dynamic Scaling Strategies
Simple/Step Scaling - based on Cloudwatch alarms targeting capacity usage
Target Tracking Scaling - based on average CPU usage
Scheduled Scaling - based on known usage patterns over a period of time
Predictive Scaling - uses ML based on past traffic patterns
What is S3
Simple Storage Service
Create buckets to store objects/files
Regional Service
S3 Bucket Naming Conventions
Must be UNIQUE across all regions/accounts
No uppercase, no underscores
3-36 characters long
Not an IP
Must start with lowercase letter
Can’t start with “xn-”
Can’t end with “-s3alias”
What are characteristics of S3 objects
Object key = full path and file name of object
Max size is 5TB, if greater than 5GB must upload in pieces
Metadata - key and value pairs
Can tag objects
What are S3 Bucket Policies
Allows access to objects in a S3 bucket
Object Access Control List - Security Policy that details users that can access the object
Bucket Access Control List - Security Policy that details users that can access the bucket
What is the default Security Bucket Policy
As a default, an S3 bucket denies public access to its objects - overrides other specific policies
What is Static Web Hosting
Where the code for a web site is stored in an S3 bucket
Must have public access turned on
What is S3 Versioning
Where objects in S3 buckets are assigned file keys
Previous versions of objects are retained and can be restored
Deleted objects can be restored
What is S3 Replication
Copying a S3 bucket
CRR - Cross Region Replication - copying to another Region
SRR - Same Region Replication - copying to the same Region
Copying is asynchronous
What are the basic S3 Storage Classes
S3 - Standard - 99.99% Availability
S3 Infrequent Access - 99.9% Availability
S3 Zone Infrequent Access - 99.9% Availability - 1 AZ only
S3 Glacier Instant Retrieval - Millisecond retrieval
S3 Glacier Flexible Retrieval - Expedited 1-5 min, Standard 3-5 hr, Bulk 5-12 hr
S3 Glacier Deep Archive - Standard 12 hour, Bulk 48 hour
What is S3 Intelligent Tiering
Storage method where files are automatically moved from one tier to another
Frequent Access Tier (default)
Infrequent Access Tier - objects not accessed for 30 days
Archive Instant Access Tier - objects not accessed for 90 days
Archive Access Tier (optional) - objects not accessed for 90-700 days
Deep Archive Access Tier (optional) - objects not accessed for 180-700 days
What are the S3 encryption options
None
Server side - is encrypted after server receives file
Client side - file is encrypted before being uploaded
Name the 3 Snow Family Devices
Snowcone
Snowball Edge
Snowmobile
Describe Snowcone
Small box, up to 8 TB storage
Can use up to 15 at a time
Describe Snowball Edge
Large server, comes in 2 flavors
Storage optimized - 80 TB storage
Compute optimized - 43 TB storage, has more compute power
Describe Snowmobile
Semitruck, 100 PB storage
High security, 24/7 video surveillance
Temperature controlled
What is AWS Opshub
Graphical interface that allows you to use Snow family devices
What is Hybrid Cloud Storage
Using on premises and cloud storage at same time
What is AWS Gateway
Bridge between on premise storage and AWS S3
Describe RDS
Relational Database Service
Fully Managed Relational Databases
Have to provision the EC2 instances
Postgres, MySQL, MariaDB, Oracle, Microsoft SQL Server, Aurora
Cannot SSH into database
What is Aurora
Proprietary database software
Supports Postgres and MySQL
Cloud optimized - better than RDS but more expensive
What are Read Replicas for RDS
Read only versions of your DBs - can have up to 5
What is Multi-AZ for RDS
Where you backup your DB to a different AZ
If main DB fails, restore from backup
What is Multi-Region for RDS
Where you have Read Only versions of your DB in different Regions
What is Elasticache
In memory database with high performance, low latency
Helps reduce load on the actual DB
What is Dynamo DB
A noSQL DB managed by AWS
Is a key-value pair DB
Serverless service
Highly scalable - autoscaling
What is Dynamo DB DAX
In memory cache for Dynamo DB
What are Dynamo DB Global Tables
Tables in multiple Regions
Read/write in any Region
What is Redshift
A Postgres DB that is used for Online Analytical Processing
Has SQL interface
What is EMR
Elastic Map Reduce - creates Hadoop cluster
What is Athena
Serverless query service for objects in S3 buckets
What is Quicksight
Serverless machine learning-powered business intelligence service to create interactive dashboards
What is DocumentDB
Serverless implementation of MongoDB (noSQL)
What is Neptune
Fully managed graph DB
What is QLDB
Quantum Ledger DB
Records financial transactions
Data is immutable once entered
What is Managed Blockchain
Managed service to either join public blockchain networks or create your own blockchain network
What is GLUE
Managed Extract/Transform/Load service
What is DMS
Database Migration Service
Source DB remains available during migration
Can be to/from same type DB or different type DB
What is ECS
Elastic Container Service - Docker containers
Customer must provision/maintain EC2 instances
ECS automatically starts/stops containers
Integrated with ELB
What is EKS
Elastic Kubernetes Service
What is Fargate
Serverless service that launches Docker containers
What is the difference between ECS and Fargate
ECS requires customer to provision/maintain EC2 instances on which to run the containers, Fargate manages that for the client
What is ECR
Elastic Container Registry
Where container images are stored and accessed by ECS and Fargate
What is Lambda
Serverless compute service
Virtual functions
Usually execution triggered by event or scheduled
Cheap but powerful
What is an API Gateway
Serverless middleman between external clients and Lambda functions
What is AWS Batch
Fully managed batch processing service
Can be triggered by event or scheduled
Will dynamically launch EC2 instances
Batch jobs are defined as Docker images and run on ECS
What is the difference between Lambda and Batch
Lambda functions have limited run time and resources and are serverless
Batch has no time limit, can have greater resources, is not serverless but servers are managed by AWS
What is Lightsail
Virtual servers, storage, databases, and networking
Simpler than other AWS services, but is very limited
Good for people with little cloud experience
What is Cloud Formation
A declarative method of outlining your AWS Infrastructure, for any resources
Define the services/infrastructure you want, then Cloud Formation creates them
Infrastructure as Code
Gives ability to create and destroy infrastructure on the fly
Can create templates, get templates from Web
Supports most AWS services
Uses JSON/YAML files
What is CDK
AWS Cloud Development Kit
Use other languages
Allows you to deploy runtime code and infrastructure tool
What is Elastic Beanstalk
Developer centric view of deploying infrastructure on the internet
Uses AWS components
Platform as a Service
Beanstalk is free, but pay for resources created
Fully Managed Service
What is CloudDeploy
Hybrid service that deploys code
What is CloudCommit
Equivalent of Github for AWS
Fully managed service
What is CloudBuild
A service that compiles source code, runs tests, and produces packages ready to be deployed
Hybrid Service
Servers/EC2’s must have CloudDeploy agent installed
What is Code Pipeline
Orchestrates the steps to move Code to production
CICD
Works with CloudDeploy, CloudCommit, and CodeBuild
What is CodeArtifact
System for managing software package dependencies for software development
What is CodeStar
Unified UI to manage software development activities in one place
Uses the Code* services behind the scenes
What is Cloud9
A Virtual IDE used for collaboration
What is SSM
Systems Manager
Hybrid service that works on both EC2 or on-premise server
Suite of 10+ programs to manage servers
Servers require SSM Agent to be installed
What is SSM Sessions Manager
Secure Shell for SSM
No SSH access, bastion hosts, or SSH keys needed
Doesn’t use port 22, so it is more secure
What is OpsWork
Managed Chef and Puppet service
What is Route 53
AWS DNS service used to route to AWS infrastructure
What are the 4 Route 53 routing policies
Simple Routing Policy - No health checks
Weighted Routing Policy - Routing based on defined ratios for various servers
Latency Routing Policy - Routing based on the lowest latency
Failover Routing Policy - Route to main server unless down, then route to backup server
What is Cloudfront
Content Delivery Network
Data is cached at Edge Locations
Helps against DDoS attacks
What is Cloudfront Origins S3 Bucket
Used to distribute files and cache them at the Edge
What is Cloudfront Origins Custom Origin
Connects to: Application Load Balancer, EC2, S3 Website, any HTTP backend
Difference Between Cloudfront and S3 Cross Region Replication
Cloudfront uses Edge Locations to make content available for a short time
S3 CRR is set up for specific Regions, works for content only needed in a few Regions
What is S3 Transfer Acceleration
S3 using Edge Locations and high speed internal network to speed up data transfer to/from S3 buckets
What is AWS Global Accelerator
AWS’s fast private network and Edge Locations used to improve global availability and performance
Compare Global Accelerator and Cloudfront
Both use AWS network and Edge Locations
Both integrate with AWS Shield
Cloudfront is a CDN, caching files at the Edge
Global Accelerator uses Edge Locations, but does not cache files
What are AWS Outposts
Hybrid Cloud system where AWS servers are emplaced at a client location in addition to client owned servers
AWS sets up and manages the AWS servers
Client responsible for physical security of AWS servers
What is AWS Wavelength
AWS Servers emplaced in telecommunications providers’ datacenters at the edge of 5G networks
Data stays within providers’ networks, never reaches AWS
Ultra low latency
What are AWS Local Zones
Special AWS datacenters that place certain services closer to end users to reduce latency
Describe 4 Global Application Architectures
Single Region, Single AZ
Single Region, Multiple AZ
Multiple Region, Active Passive (only 1 is read & write)
Multiple Region, Active Active (all are read & write)
What is SQS
Simple Queue Service
Allows asynchronous communication
Producers send messages to SQS
Consumers read messages from SQS and then delete them
Fully managed, serverless
Messages retained 4-14 days, unlimited messages
What is Kinesis
Real time big data streaming service
Managed service to collect, process, and analyze real time streaming data
What is SNS
Simple Notification Service
Pubsub - Publishers send messages to SNS Topic, Subscribers are then sent those messages
What is Amazon MQ
Amazon managed broker service for RabbitMQ and ActiveMQ (which are non-AWS software)
What is CloudWatch Metrics
Service that provides metrics for every service in AWS
Can create custom metrics
What is CloudWatch Alarms
Service that allows you to set up monitoring of CloudWatch Metrics which can trigger various responses: Autoscaling, EC2 actions (stop/restart/etc), SNS notifications
What is CloudWatch Logs
Collects logs from various AWS services, enables real time monitoring
What is CloudWatch Logs Agent
Software that can be installed on EC2’s or on-premise servers and feeds logs to CloudWatch Logs
What is EventBridge
Service that allows you to schedule CRON jobs
Can respond to service event triggers
What is CloudTrail
A history of events/API calls made within your AWS account
Source: CLI, console, CDK, AWS services
Good for compliance, governance, and audit
Logs can be sent to CloudWatch Logs
What is X-Ray
Diagnostic tool that can be used to trace data flow
Good for troubleshooting and tracing
What is CodeGuru
Machine learning enabled code reviewer
Also makes application performance and cost recommendations
What is the Service Health Dashboard
Shows health of all services in all regions
Has a RSS feed you can subscribe to
What is the Personal Health Dashboard
Dashboard that provides alerts and remediation advice for AWS services used by your account that are currently having issues or have upcoming scheduled events
Describe VPC
Virtual Private Cloud
Private network for deploying your AWS resources
VPC’s are contained within a Region
What is a Subnet
A way of partitioning your network within a VPC
Associated within a single AZ
Public subnet - accessible to/from internet
Private subnet - not accessible to/from internet
What is an Internet Gateway
Helps VPC’s connect to the internet via a public subnet
What is a NAT Gateway
NAT Gateway (AWS Managed) / NAT Instance (self managed) - allow private subnets to access the internet while remaining private
What is NACL
Network Access Control List
Firewall that controls traffic to/from a subnet
Can have ALLOW and DENY rules
Rules only contain IP addresses
Operates at subnet level
Stateless: Return traffic must be explicitly allowed
What is a Security Group
Firewall that controls traffic to/from an ENI (Elastic Network Interface) / an EC2 instance
Can only have ALLOW rules
Rules include IP addresses and other Security Groups
Operates at instance level
Stateful: Return traffic automatically allowed
What are VPC Flow Logs
Logs of all IP traffic flowing into your instances
What is VPC Peering
Connect two VPC’s privately, using AWS’s network
Make them behave as if in the same network
Must not have overlapping CIDR (IP network range)
Is not Transitive - must be established between each pair individually
What are VPC Endpoints
Allows you to connect to AWS Services using a private network instead of the public internet
What is a VPC Endpoint Gateway
Allows you to connect to S3 or Dynamo DB (only)
What is a VPC Endpoint Interface
Allows you to connect to any AWS service other than S3/Dynamo DB
What is PrivateLink
Most secure and scalable way to expose a service to many VPC’s
Source VPC creates Network Load Balancer, target VPC creates Elastic Network Interface, then privately link the two
What is Site to Site VPN
Connect on-premise servers to AWS
Uses public internet
Fast to set up
Customer end - uses Customer Gateway
AWS end - uses Virtual Private Gateway
What is Direct Connect
Physical connection between on-premise servers and AWS
Expensive and takes long time to set up
Private, secure, fast
What is AWS Client VPN
Connect on-premise servers to AWS using OpenVPN Client
Uses public internet
What is a Transit Gateway
Transitive Peering between multiple AWS VPC’s and client VPC in a hub and spoke (star) pattern
Security - Shared Responsibility Matrix - AWS
Security OF the Cloud
Protecting infrastructure that protects AWS services
Managed services like S3, Dynamo DB, etc
Security - Shared Responsibility Matrix - Customer
Security IN the Cloud
EC2 OS patching and updates
Firewall and Network configurations
IAM
Encryption of application data
What is AWS Shield Standard
Protection against DDoS attacks: SYN/UDP Floods, Reflection attacks, other layer 3/layer 4 attacks
Free
What is AWS Shield Advanced
Optional DDoS protection
$3000/month
Protects against more sophisticated attacks on EC2, ELB, CloudFront, Global Accelerator, and Route 53
24/7 access to AWS DDoS response team during the attack
Protection against higher fees during usage spikes from DDoS
What is WAF
Web Application Firewall
Protects your web applications from common web exploits (Layer 7 = HTTP)
Deploy on Application Load Balancer, API Gateway, CloudFront
Define Web ACL (Access Control List) - can include IP Addresses, HTTP Headers, HTTP Body, or URI Strings
Web ACL protects against common attack - SQL Injection, Cross site scripting, block geographies (countries)
Can limit the number of requests per user per time period
What services can you perform penetration testing on without notice
EC2 Instances/NAT Gateways/ELB, RDS, CloudFront, Aurora, API Gateways, Lambda/Lambda Edge functions, Lightsail, Elastic Beanstalk
What security tests are prohibited by AWS
DNS Zone Walking, DDoS, simulated DDoS, Port Flooding, Protocol Flooding, Request Flooding
What is KMS
Key Management Service
Manages encryption keys
What is CloudHSM
Dedicated hardware security module attached to FIPS validated hardware
Manage your encryption keys
What is Customer Managed CMK (Customer Master Keys)
Keys created, managed, used by the customer
Can bring your own keys
What is AWS Managed CMK (Customer Master Keys)
Keys managed by AWS and used on the customer’s behalf by AWS
Used by AWS services
What is AWS Owned CMK (Customer Master Keys)
Collections of CMK’s that an AWS service owns and manages in multiple accounts
Used to protect customer resources, but customer doesn’t have access to them
What is ACM
AWS Certification Manager
Allows customer to provision, manage, and deploy SSL/TLS Certificates
Used to provide inflight encryption for websites (HTTPS)
Supports both public and private TLS certificates (public are free)
Automatic TLS certificate renewal
What is Secrets Manager
Store secrets, force rotation of secrets
Integrated with RDS
Secrets encrypted using KMS
What is AWS Artifact
Portal that gives you access to AWS Compliance documentation and AWS agreements
Used to support internal audit or compliance
What is GuardDuty
Uses machine learning algorithms, anomaly detection, 3rd party data to protect your account
Input data used - CloudTrail Event Logs, VPC Flow Logs, DNS Logs, Kubernetes Audit Logs
Can protect against CryptoCurrency attacks
What is Inspector
Run automated security assessments
For EC2 instances, container images, Lambda Functions
Reporting and integration is with AWS Security Hub
Send findings into Amazon EventBridge
What is Macie
Fully managed data security and data privacy service
Uses machine learning and pattern matching to discover and protect your sensitive data in AWS
What is Detective
Analyzes, investigates, and identifies the root cause of security issues or suspicious activity (using machine learning and graphs)
Automatically collects and processes events from VPC Flow Logs, CloudTrail, GuardDuty, and creates a unified view
Define AWS Abuse
Spam, port scanning, DDoS, Intrusion Attempts, Hosting objectionable/copyrighted content, distributing malware
Contact the AWS Abuse Team if discovered
Name 4 actions only the Root User account can do
Change account settings
Close the account
Change or cancel support plans
Register as a seller on the AWS Marketplace
What is Rekognition
Service that finds people, objects or scenes in video
What is Transcribe
Converts speech to text
Uses deep learning process: Automatic Speech Recognition
What is Polly
Converts text to speech
What is Translate
Converts text in one language to text in another language
What is Lex
Lex is Automatic Speech Recognition
Used for Alexa
What is Connect
Virtual Call Center
What is Comprehend
Natural Language Processing
What is Sagemaker
Fully managed service for developers / data scientists to build ML models
What is Forecast
Fully managed service that uses ML to deliver highly accurate forecasts
What is Kendra
Fully managed document search service
Extract answers from within a document
What is Personalize
Fully managed ML service to build apps with real time personalized recommendations
What is TexTract
Automatically extracts text, handwriting, data from any scanned documents using AI and ML
What is AWS Organizations
Global service that allows you to create and manage all your accounts from a master account
Allows consolidated billing
Allows sharing Reserved Instances
Gives pricing benefits from aggregated usage
What are Service Control Policies
Service that whitelists or blacklists IAM actions for accounts
What is AWS Control Tower
Service that runs on top of AWS Organizations
It applies preventive and detective controls (guardrails) to help keep your organization and accounts from diverging from best practices
What are the 4 pricing models of the Cloud
Pay As You Go
Save When You Reserve
Save When You Use More
Pay Less as AWS Grows (economies of scale)
Name some free services
IAM, VPC, Consolidated Billing, Elastic Beanstalk, CloudFormation, Auto Scaling Groups
Describe data traffic pricing
Data transferred into AWS is free
Data transferred out of AWS is not free
Data transferred within AWS Region is free if using private IP
Data transferred between Regions is not free
What is Compute Optimizer
Service that uses ML and CloudWatch Metrics to recommend optimal AWS resources for your workload to reduce costs and improve performance
What is Pricing Calculator
Tool that estimates costs for your solution architecture
What is the Billing Dashboard
Tool that shows you costs to date, forecasts for rest of month
Breaks down the costs
What are Cost Allocation Tags
Tags attached to services and resources that allow you to track costs at a detailed level
What are Cost and Usage Reports
Tool that contains the most comprehensive set of AWS cost and usage data available, including additional metadata about AWS services, pricing, reservations
What is Cost Explorer
Tool to visualize, understand, and manage your AWS costs
Forecast up to 12 months based on previous usage
What are Billing Alarms
Triggers that track your AWS spending and send notifications
Billing data is stored in CloudWatch in us-east-1 only, aggregated for all Regions
What are AWS Budgets
Tool that allows you to set up a budget for AWS services
Can trigger Billing Alarms
Types: Usage, Cost, Reservations
What is Trusted Advisor
An assessment tool that analyzes resources in your account based on these categories: Cost Optimization, Performance, Security, Fault Tolerance, Service Limits
What are the 7 core checks for Trusted Advisor
S3 Bucket Permissions
Security Groups - Ports check
IAM Use
MFA on root account
Presence of EBS public snapshots
Presence of RDS public snapshots
Service Limits
Describe the Basic Support plan
It is free
Access to 24/7 customer service
Access to documentation, whitepapers, and support forums
Access to 7 core checks for Trusted Advisor
Access to Personal Health Dashboard
Describe the Developer Support plan
Costs greater of $29 or 3% of monthly charges
Same as Basic Support plan
Business hours email access to Cloud Support Associates
Unlimited cases, 1 primary contact
General Guidance < 24 hours
System Impaired < 12 hours
Describe the Business Support plan
Costs greater of $100 or sliding % of monthly costs
Same as Developer Support plan
Full Trusted Advisor checks
24/7 phone/email/chat access to Cloud Support Engineers
Unlimited Cases, Unlimited Contacts
Access to Infrastructure Event Management for additional fee
Production system impaired < 4 hours
Production System Down < 1 hour
Describe the Enterprise Onramp Support plan
Costs greater of $5,500 or 10% of monthly charges
Same as Business Support plan
Access to a pool of Technical Account Managers (TAM)
Concierge Support Team (for account and billing best practices)
Infrastructure Event Management, Well Architected and Operations Review
Business-critical system down < 30 minutes
Describe the Enterprise Support plan
Costs greater of $15,000 or sliding % of monthly costs
Same as Enterprise Onramp Support plan
Access to a designated TAM
Business-critical system down < 15 minutes
What is STS
Security Token Service
Enables you to create temporary limited-privileges credentials to access your AWS resources
What is Cognito
Identity for Web/Mobile application users
Don’t create individual IAM users, create users in Cognito instead
What is AWS Directory Services
AWS’s version of Microsoft Active Directory
What is Workspaces
Virtual Desktop as a Service (DaaS)
Windows or Linux desktops
What is AppStream 2.0
Desktop Application Streaming Service delivered via web browser
What is Sumerian
Service that allows you to create and run VR, AR, and 3D applications
What is IoT
Internet of Things
Allows you to easily connect IoT devices to the AWS Cloud
What is Elastic Transcoder
Convert media files stored in S3 into media file formats required by consumer playback devices
What is AppSync
Store and sync data across mobile and web applications in real time
Uses GraphQL (Facebook mobile technology)
What is Amplify
Set of tools and services that allow you to develop and deploy scalable full stack web and mobile applications
Like Elastic Beanstalk for mobile and web applications
What is Device Farm
Fully managed service that tests your web and mobile apps against desktop browsers, real mobile devices, and tablets
Real devices, not emulators
What is AWS Backup
Fully managed service to centrally manage and automate backups across AWS services
Describe 4 Disaster Recovery Strategies
Backup and Restore (Cheapest)
Pilot Light (Core Functions of the App, ready to scale)
Warm Standby (Full version of the app, but at minimum size)
Multi-site/Hot Site (Full version of the app, full size)
What is AWS Datasync
Move large amounts of data from on-premises storage to AWS (and between AWS storage services)
Replication tasks can be scheduled
Incremental transfers after the initial full copy
What is Application Discovery Service
Scan on-premises servers to gather information (configuration, usage, dependencies) for migration planning
Agentless Discovery (AWS Agentless Discovery Connector)
Agent Based Discovery (AWS Application Discovery Agent)
What is Application Migration Service (MGN)
Lift and shift (rehost) data/applications
Then at some point cut over
What is FIS
AWS Fault Injection Service (formerly Fault Injection Simulator)
Fully managed service to run fault injection experiments on AWS workloads
Based on Chaos Engineering: deliberately inject failures and verify that the workload recovers as designed
What are Step Functions
Build a serverless visual workflow to orchestrate your Lambda functions
Can integrate with EC2, ECS, on-premises servers, API Gateway, SQS queues
Features: sequence, parallel, conditions, timeouts, error handling
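Added example, not from the flashcards: an Amazon States Language definition (built as a Python dict so it can be serialised with `json.dumps`) that uses each feature listed on the card, plus a small validator for the most common authoring mistake, a `Next`/`Default`/`Catch` target that names a state that does not exist. The Lambda ARN and the JSONPath `$[0].risk_score` are assumed for illustration; the validator is my own check, not an AWS tool.

```python
"""Step Functions state machine with sequence, parallel, choice, timeout and error handling."""
import json


def build_definition(lambda_arn):
    """Amazon States Language definition. Task -> Parallel -> Choice is the sequence;
    Retry/Catch give error handling; TimeoutSeconds bounds a hung Task."""
    task = {"Type": "Task", "Resource": lambda_arn, "TimeoutSeconds": 30, "End": True}
    return {
        "Comment": "Validate input, enrich in parallel, then branch on a risk score (constructed example)",
        "StartAt": "Validate",
        "States": {
            "Validate": {
                "Type": "Task",
                "Resource": lambda_arn,
                "TimeoutSeconds": 30,  # fails with States.Timeout instead of hanging
                "Retry": [{"ErrorEquals": ["States.TaskFailed"],
                           "IntervalSeconds": 2, "MaxAttempts": 3, "BackoffRate": 2.0}],
                "Catch": [{"ErrorEquals": ["States.ALL"], "Next": "HandleFailure"}],
                "Next": "Enrich",
            },
            "Enrich": {  # both branches run concurrently; output is an array of branch results
                "Type": "Parallel",
                "Branches": [
                    {"StartAt": "LookupA", "States": {"LookupA": dict(task)}},
                    {"StartAt": "LookupB", "States": {"LookupB": dict(task)}},
                ],
                "Catch": [{"ErrorEquals": ["States.ALL"], "Next": "HandleFailure"}],
                "Next": "IsHighRisk",
            },
            "IsHighRisk": {  # condition: route on the first branch's score (assumed field name)
                "Type": "Choice",
                "Choices": [{"Variable": "$[0].risk_score", "NumericGreaterThan": 80, "Next": "Escalate"}],
                "Default": "Done",
            },
            "Escalate": {"Type": "Task", "Resource": lambda_arn, "Next": "Done"},
            "HandleFailure": {"Type": "Fail", "Error": "WorkflowFailed", "Cause": "See execution history"},
            "Done": {"Type": "Succeed"},
        },
    }


def validate(definition):
    """Return a list of problems (empty means OK): StartAt or Next/Default/Choice/Catch
    targets that name no state, and machines or branches with no terminal state."""
    problems = []

    def walk(machine, path):
        states = machine.get("States", {})
        if machine.get("StartAt") not in states:
            problems.append(f"{path}: StartAt {machine.get('StartAt')!r} is not a state")
        terminal = False
        for name, state in states.items():
            targets = [state[k] for k in ("Next", "Default") if k in state]
            targets += [c["Next"] for c in state.get("Choices", [])]
            targets += [c["Next"] for c in state.get("Catch", [])]
            for target in targets:
                if target not in states:
                    problems.append(f"{path}/{name}: references unknown state {target!r}")
            if state.get("End") or state["Type"] in ("Succeed", "Fail"):
                terminal = True
            for i, branch in enumerate(state.get("Branches", [])):
                walk(branch, f"{path}/{name}/branch{i}")
        if not terminal:
            problems.append(f"{path}: no terminal state (End, Succeed or Fail)")

    walk(definition, "root")
    return problems


if __name__ == "__main__":
    definition = build_definition("arn:aws:lambda:us-east-1:123456789012:function:example")
    print(json.dumps(definition, indent=2))
    print("problems:", validate(definition))
```

Run the validator before `create-state-machine`/`update-state-machine`: a typo in a `Next` field is otherwise only caught at deployment or, for a `Catch` target, when the first failure occurs.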
What is Ground Station
Fully managed service that allows you to control satellite communications, process data, and scale your satellite operations
What is AWS Pinpoint
Scalable 2-way outbound/inbound marketing communications service
Supports email, SMS, push, voice, and in-app messaging
Builds on SNS and SES: where those leave you to manage audiences and message content yourself, Pinpoint adds message templates, targeted segments, delivery schedules and full campaigns
What are the good architecture guiding principles
Stop guessing your capacity needs
Test systems at production scale
Automate to make architectural experimentation easier
Allow for evolutionary architectures
Drive architectures using data
Improve through game days (simulate events such as peak usage or failures to see how the system and the team respond)
Name the Well Architected Frameworks 6 pillars
Operational Excellence
Security
Reliability
Performance Efficiency
Cost Optimization
Sustainability
Describe Operational Excellence (pillar 1)
Ability to run and monitor systems to deliver business value and to continually improve supporting processes and procedures
Describe Security (pillar 2)
Ability to protect information, systems, and assets, while delivering business value, through risk assessments and mitigation strategies
Describe Reliability (pillar 3)
Ability of a system to recover from infrastructure or service disruptions, dynamically acquiring computing resources to meet demand, and mitigate disruptions such as misconfigurations or transient network issues
Describe Performance Efficiency (pillar 4)
Ability to use computing resources efficiently to meet system requirements, and to maintain that efficiency as demand changes and technologies evolve
Describe Cost Optimization (pillar 5)
Ability to run systems to deliver business value at the lowest price point
Describe Sustainability (pillar 6)
Focuses on minimizing environmental impact of running cloud workloads
What is AWS Well Architected Tool
Free tool to review your architectures against the 6 pillars
You select your workload and answer questions, then get advice
What is Right Sizing
Right sizing is process of matching instance types/sizes to your workload performance and capacity requirements at the lowest possible price
Describe the AWS Marketplace
Independent software vendors - buy/sell custom AMI, CloudFormation templates, Software as a Service, Containers
What is AWS Training
Digital or classroom training, private training, training/certification for US government, training/certification for enterprises, AWS Academy for universities
What are AWS Professional Services and the AWS Partner Network
AWS Professional Services: a global team of AWS experts who help customers achieve their desired outcomes on AWS
APN (AWS Partner Network): the global program for third-party partners who build on or offer services around AWS
Describe APN Technology Partners
Third parties that provide hardware, connectivity, and software
Describe APN Consulting Partners
Third parties that provide consulting services to help you build in AWS
Describe APN Training Partners
Third parties that provide AWS training
What is AWS Competency Program
Certification for APN Partners who have demonstrated technical proficiency and proven customer success in specialized solution areas
What is AWS Navigate Program
Service that helps AWS Partners become better partners
What is AWS Knowledge Center
Knowledge base of the most frequent and common questions and requests
What is AWS IQ
Tool to find AWS Certified professional help (contractors) for AWS projects
What is AWS re:Post
AWS Managed Q&A service - offers cloud sourced, expert reviewed answers to your technical questions about AWS
Free to use; questions from customers with Premium Support that do not receive a response from the community are passed on to AWS Support Engineers