AWS Services Flashcards
IAM Credential reports
list all account users and their credentials
AWS SDK
can be used in your code to call the AWS API
CloudShell
a CLI in the browser with a complete, persistent filesystem
IAM access advisor
Shows service permissions given to a user and last access for each service (useful for “least privilege”)
EC2 (Elastic Compute Cloud)
service to rent VMs, store data on virtual drives (EBS), distribute load across machines (ELB), and auto-scale the service (ASG)
Security Groups
set of rules that can be attached to an EC2 instance. It specifies which IP ranges are allowed through each port, and can reference other security groups (even itself) to allow traffic from the EC2 instances of that group
port 22
ssh (secure shell for accessing the terminal of EC2 linux instances) or secure file transfer protocol (SFTP)
port 21
file transfer protocol (FTP)
port 80
http
port 443
https
port 3389
RDP (remote desktop protocol), used to log in to EC2 Windows instances
AMI (Amazon Machine Image)
Bootable image that is used to start an EC2 instance
EC2 user data
script that you can provide during EC2 configuration and that is run ONCE, at boot time
EC2 Image Builder
Automates the creation of AMIs: it creates an EC2 instance with the desired characteristics and user data, creates an AMI from it, then runs tests on the AMI, then it can distribute the AMI across regions. It can be run again to get updated packages. You only pay for the resources used, not for the service itself.
EC2 instance store
EC2 instance with storage physically attached to the server. The storage is lost if the instance is terminated: good for cache/temporary content. High performance storage.
EFS (Elastic File System)
File system that can be attached to 100s of EC2 instances in the same region to have a synced, shared file system. Pay per use. You can also use the infrequent-access tier, where less-used files are moved to save money.
Amazon FSx
Service for handling 3rd-party file systems
For Windows: can be accessed from Windows EC2 instances or on premises;
For Lustre (Linux + cluster): can be accessed by AWS services or on premises. High performance
Application Load Balancer (ALB)
for HTTP/gRPC protocols (layer 7), static DNS name, can be deployed in 1 or more AZs. It has a security group
Network Load Balancer (NLB)
TCP/UDP protocols (layer 4), high performance, static IP
Gateway Load Balancer (GWLB)
GENEVE protocol on IP packets (layer 3), sends traffic through security servers
scaling strategies for LB
Manual (set min, max and desired number of instances)
dynamic (metric trigger, e.g. < 70% for 5 min;
scheduled: at a specific time create 5 instances;
target: keep usage at 50%)
predictive: use ML to
s3 standard storage class
99.99 availability, cost per GB/month, for frequently accessed data
s3 infrequent access (IA)
instant retrieval, cheaper but with a retrieval fee, used for backups that you need instantly. One-zone IA or multi-zone (standard) IA
s3 glacier instant retrieval
retrieval cost, min 90 days
s3 glacier flexible retrieval / deep archive
1 min to 12 h retrieval, min 90 days / 12-48 h retrieval, min 180 days
s3 intelligent tiering
auto-shifts objects between frequent access, infrequent access (>30 days since last access), archive instant access (90 days), archive, deep archive (180-700 days)
s3 encryption
server side, on by default. Client side = encrypt file before uploading
s3 IAM access analyzer
analyzes policies and object access control lists (ACLs) and tells you which S3 buckets have been shared or are publicly accessible, so you can review your S3 situation
Snowcone
small: 10 TB storage, 4 GB RAM
Snowball
big: 100 TB storage, 100 GB RAM; you pay per usage and for data moved OUT of AWS
AWS Storage Gateway
for hybrid cloud, used to access S3 (proprietary tech) from on-premises infrastructure
RDS (Relational DB Service)
managed service for relational DB. multi AZ setup, backed by EBS
Aurora
relational DB, proprietary, cloud optimized, higher performance and cost. Accepts MySQL and PostgreSQL
Serverless Aurora (good for infrequent, unpredictable workloads, no management)
RDS deployment options: read replicas, multi-AZ replicas, multi-region read replicas
read replicas: up to 15, no write operations
multi-AZ: for high availability, no read/write on the standby, just a backup
multi-region read replica: high availability, better local performance, no write operations on the replica
ElastiCache
To manage IN-MEMORY DBs. It's like an extension that can be used together with a managed DB to keep the most-used data in cache and improve performance.
DynamoDB
SERVERLESS (no setup), NoSQL, very fast (ms latency), highly available, scalable. Can set up global tables, so people access a synced replica of your table. Can improve performance with DAX (DynamoDB Accelerator) to keep data in cache, with microsecond latency
DAX (DynamoDB Accelerator)
like ElastiCache but for DynamoDB instead of RDS. Microsecond latency
Redshift
analytics and data warehousing, OLAP, SQL based (also serverless version)
Amazon EMR
Hadoop clusters (Elastic MapReduce) for big data analysis, connects to 100s of EC2 instances
Athena
to analyze/access S3 buckets, serverless
Quicksight
serverless dashboard to visualize db for Business Intelligence
Neptune
graph DB, social network, wikipedia
Document Db
MongoDB implementation
Timestream
Time series data
QLDB
quantum ledger, for financial transactions/crypto, immutable, centralized, cryptographic hash
Managed Blockchain
Decentralized blockchain networks, Ethereum, Hyperledger
GLUE
for ETL (extract, transform, load): extracts data and prepares it for analysis
DMS
migration service from one DB to another
Lambda
SERVERLESS, REACTIVE, FaaS, quick execution. Pay per call and execution time × RAM
ECS
Managed container orchestrator that runs/stops containers on EC2
FARGATE
run containers SERVERLESS
ECR
private container registry to keep your docker images
EKS
managed Kubernetes clusters
Amazon API Gateway
create APIs to access Lambda functions, since they are not public
AWS Batch
manages the processing of batch jobs submitted as Docker images: it runs them on ECS (it launches EC2 instances inside ECS). Different from Lambda because there is no time limit, it is not fully serverless, it relies on ECS and works with Docker images
Lightsail
for non-cloud experts, friendly interface to manage servers, DBs, networking
CloudFormation
Platform as code, free (you only pay for the resources used). Uses YAML/JSON templates to build and replicate your infrastructure (Application Composer: visual way)
AWS CDK
converts normal code into CloudFormation templates. You can deploy app code and infrastructure together
Beanstalk
Platform as a Service, free, has health monitoring features. You provide the code of your app and the preferences for the servers (EC2 config, OS, security, ASG, ELB, DB...) and it takes care of creating and managing the infrastructure. Just worry about the code
CodeDeploy
deploy new code to your servers (on premise or cloud). Hybrid service
CodeCommit
host git repo in AWS account
CodeBuild
compiles code and produces a deployable artifact. SERVERLESS
CodeArtifact
artifact (libraries/dependencies) management service
CodePipeline
code (git) -> build -> test -> deploy to Beanstalk. Basis for CI/CD (continuous integration, continuous deployment)
AWS Systems Manager (SSM)
run commands on or patch the whole fleet of servers (cloud or on premises)
SSM Session Manager
access your server's shell without port 22 open
SSM Parameter Store
store passwords, config, keys, strings; encrypted, serverless
Route 53
managed DNS, pay for the domain + a fixed monthly fee. Routing policies: simple, weighted, latency, failover
CloudFront
GLOBAL CONTENT DELIVERY NETWORK (CDN). Uses 216 edge locations (points of presence) to cache data for better latency. Content is not updated live. The origin can be an S3 bucket (secured by Origin Access Control) or any HTTP origin (EC2, S3 website). You can also upload content through it
good for static content available worldwide (S3 CRR is good for dynamic content available in some regions)
NB: CloudFront is a new layer between the user and the data; it is always used to access the data, and if the data is not cached, CloudFront retrieves it from the origin
s3 transfer acceleration
uses the edge location network instead of the public network to reach the AZ of the S3 bucket (no caching, just using the network)
Global Accelerator
uses the edge location network instead of the public network to reach the desired resources/data (no caching, just using the network)
AWS Outposts
for hybrid businesses, request an AWS server rack in your facilities
Wavelength
5G, ultra-low latency, outside the AWS network, in the internet provider's network
AWS Local Zones
you can unlock a new zone in a specific area for better latency
SQS
DECOUPLE APPS: don't have apps that communicate directly, use something to organize their communication. SERVERLESS queue manager. Pull based. Producer and consumer (if it's not FIFO the order is not guaranteed). Keeps messages in the queue for up to 14 days
Kinesis
process real time stream of big data
SNS
NOTIFICATION, PUBLISH/SUBSCRIBE. Push based, when a msg is published on a topic, all subs receive the msg notification
Amazon mq
SNS and SQS, but for third-party protocols
CloudWatch
collects metrics from all services and can create dashboards to visualize them. Default update every 5 min, can pay to get 1 min. E.g. view EC2 utilization (not RAM, though)
CloudWatch Alarms
trigger a notification/action when a certain metric of a service meets a condition (e.g. create a new EC2 instance, terminate an instance)
CloudWatch Logs
collects terminal logs of all services (for EC2 you need the CloudWatch Logs agent)
EventBridge
create rules to trigger actions when a certain event happens. E.g. send a message when an EC2 status changes, or someone logs into your account (you can also schedule events at a fixed interval)
AWS X-Ray
trace and visualize calls between different parts of your infrastructure; useful for analysis, bottlenecks, delays
CloudTrail
used to INVESTIGATE/INSPECT/RECORD actions in your account. Keeps track of all actions and API calls made in your account
CodeGuru
ML code review and application performance recommendations
Health Dashboard
history of the status of all services in all regions (sends an alert if a service you use has a problem)
VPC
you get one when you create an account. Corresponds to a region, and has subnets (IP ranges). A subnet can be private (for DBs; can access the internet via NAT gateways but cannot be reached from it) or public.
each VPC and subnet has a specific CIDR (range of public IPs allocated)
security is managed via network ACL: rules for ip allowed/denied (security groups for ec2)
vpc flow log
record ip traffic of net/subnet/service (can be set up for different levels)
VPC peering
connect 2 vpc privately, not transitive
vpc endpoint interface
used to access services via the private network instead of the public internet (for S3 and DynamoDB you need an endpoint gateway)
PrivateLink
expose an app to other VPCs privately; scalable, secure.
site to site vpn
to connect on premise with cloud via public internet
direct connect (DX)
connect on-premises resources with the cloud via a physical dedicated connection
Client VPN
access resources in your private VPC from anywhere
Transit Gateway
connect 100s of VPCs, on-premises resources, VPNs, everything, via a star-shaped connection
Shield
protects against DDoS attacks, layer 3/4
standard: enabled by default, free
advanced: response team, sophisticated
WAF (Web Application Firewall)
layer 7 (HTTP), define IP rules, protects your app from web exploits
AWS Network Firewall
protects the entire VPC from all traffic, layer 3 to 7
Firewall Manager
manages security groups across all accounts of the organization
penetration/security testing
allowed on your infrastructure (only on EC2, RDS, Aurora, Lambda, ELB, CloudFormation, CloudFront)
AWS KMS (AWS managed keys)
Key Management Service; encryption for AWS services. You don't get the keys. It's auto-enabled for CloudTrail, S3 Glacier
AWS CloudHSM
hardware that AWS gives you to manage encryption
ACM (AWS Certificate Manager)
service for in-flight encryption for HTTPS (SSL/TLS protocol)
Secret manager
manage/rotate credentials, mainly for RDS
AWS Artifact
portal for AWS compliance docs
GuardDuty
finds vulnerabilities in your account using various logs (CloudTrail, DNS, VPC flow logs). Can trigger EventBridge if it finds something
Amazon Inspector
security assesment service that can run on
EC2 (checks os etc), ECR, lambda (checks the code)
can trigger eventbridge
AWS config
Check if the config of your resources satisfy some rule that you can define (eg unrestricted ssh access), and record a timeline of compliance
Macie
finds sensitive information in s3 buckets
AWS security hub
dashboard that shows security alerts from many security services
Detective
find root cause of security alert, using data from various log and ML
AWS abuse
report to them if you see stuff in AWS used/abused for illegal matter
IAM access analyzer
you define a “zone of trust”, and this service tells you which resources are accessible/shared outside of this zone.
Rekognition
finds objects, faces, text in images and videos: for profiling, emotion analysis, sports tracking
Transcribe
speech to text, can detect and censor personal info
Polly
text to speech
Translate
translates content, useful to auto-adapt a website based on location
Lex
basis for Alexa, speech recognition and language understanding for conversational bots
Connect
virtual contact centers for call centers
Comprehend
NLP, partitions/extracts info from docs: analyze reviews etc.
SageMaker
helps with labeling, training, creating, tuning and deploying ML models
Forecast
given your data, it creates a model able to predict future data
Personalize
service for recommendations based on user data (e.g. Amazon products)
Kendra
DOCUMENT SEARCH SERVICE, scans documents for answers
Textract
Extract text from scanned/handwritten docs
AWS organization
consolidated billing, sharing of reserved instances, aggregated usage benefits (the more you use, the less you pay)
Service Control Policies (SCP)
enforce PCI compliance. Enable access to various services based on the account (all blocked by default)
Control Tower
easy organization and SCP setup, guardrails for policies
Resource Access Manager (RAM)
manages the sharing of resources in your org
Service Catalog
portal with templates for services (grouped in portfolios), made by the admin, so everyone can use/create new resources even without specific knowledge
Savings Plans
Commit to a certain $/h usage
different savings plans: EC2, Compute Savings Plans (EC2, Fargate, Lambda)
ML Savings Plans for SageMaker
AWS Compute Optimizer
ML to recommend AWS resource configs based on your workload, to reduce cost/optimize performance
Pricing calculator
estimate how much a service will cost you by saying how you plan to use it
Billing dashboard
high level overview for cost in the month, and month forecast
cost and usage report
most detailed cost report, by resource category per hour
Cost Explorer
visual tool with the desired granularity for cost analysis. Can forecast up to 12 months
billing alarm
set an alarm on the billing metric in CloudWatch; most basic, aggregates all costs, no forecast
Budgets
create one of these to monitor the cost of a group of resources and get notified when they exceed the budget (or are forecasted to exceed it). 4 types: cost, usage, reservation, savings plans
Cost Anomaly Detection
ML to find anomalies in cost, or get a periodic summary
AWS Service Quotas
get notified when one of your resources gets close to the service quota (limit)
Trusted Advisor
analyzes your account and gives recommendations on security, service limits, cost, performance, fault tolerance
support plans
Basic (customer service, health dashboard)
Developer: email to cloud support, 12-24 h response
Business: full Trusted Advisor, phone support, 1-4 h response
Enterprise On-Ramp: technical account managers, <30 min response
Enterprise: <15 min, designated technical account manager, incident detection and response
Security Token Service (STS)
creates tokens for short-lived credentials with limited privileges (for cross-account or temporary EC2 permissions)
Cognito
create millions of users for your app, not AWS users
AWS Directory Service
integrates Microsoft Active Directory in AWS
AWS IAM Identity Center
Single Sign-On for AWS accounts of the same organization. Single password for multiple accounts
design principle for architecture
Scalability, Disposable resources, Loose coupling of components, Think in service, not in servers, automation (serverless, ASG)
6 Pillars of good architecture
1) operational excellence
2) Security
3) Performance efficiency
4) Reliability
5) Cost optimization
6) Sustainability
Aws well architected tool
reviews your architecture against the 6 pillars and gives advice
Cloud Adoption Framework: guidebook that identifies capabilities for successful cloud transformation and groups them into these 6 groups:
Business, People, Governance, Platform, Security, Operations
Transformation domains (things that you can transform with the cloud):
Technology, process, organization, product
Transformation phases:
envision, align (with the 6 pillars), launch, scale
AWS Solutions Library
list of ready-made frameworks for specific use cases
AWS Professional Services and Partner Network
tech partners, consulting partners, training partners, Navigate program
AWS IQ
find professional help by asking and reviewing responses from experts
AWS re:Post / Knowledge Center
like Stack Overflow: find threads, FAQs and best practices
AWS Managed Service (AMS)
team of experts that can manage your infrastructure