Services Flashcards
AWS Transfer Family
AWS Transfer Family is a fully managed service for transferring files over Secure File Transfer Protocol (SFTP), FTPS, and FTP
EBS
Network drive you can attach to your EC2 instance
Data remains even if the EC2 instance is terminated
Mounted on 1 instance at a time
Bound to an AZ
Move data from 1 instance to another
AMI
Amazon Machine Image
Launch EC2 instances from an AMI
You can add your s/w, configurations, OS, monitoring into an AMI
Build for a specific region
AMI also creates an EC2 instance
EFS
Network file system (NFS) attached to EC2
It can be attached to more than 1 EC2 instance unlike EBS
EFS works only with your Linux EC2 instances
It works across multiple AZs.
Pay per use and not by capacity
EFS IA: storage class that is cost-optimized for files you don't access very often
Amazon FSx
Third-party high-performance computing (HPC) file system on AWS
Fully managed service
Built on Windows File Server
Supports SMB and Windows NTFS
Integrated with Windows Active Directory
Accessed from AWS or on premises
ELB
Spread load across more than 1 instance based on incoming traffic
TYPES
1. Application Load Balancer (Layer 7)(HTTP/HTTPS, uses DNS or URL)
2. Network Load Balancer (Layer 4) (TCP/UDP, uses static IP)
3. Gateway Load Balancer (Layer 3, GENEVE, used for intrusion detection; routes traffic to third-party security virtual appliances before sending it to EC2)
Snow Family
Snowcone - 8 and 14 TB, migrate up to 24 TB online and offline
Snowball Edge - 80 TB, migrate up to PBs offline
Snowmobile - < 100 PB, migrate up to exabytes offline
Storage Gateway
Exposing S3 data on premises
OpsHub
Software you install on your computer to manage Snow Family devices
ElastiCache
In-memory DB for faster read/write for all databases
DynamoDB
Managed NoSQL DB
Serverless
Standard and IA Table Class
RedShift
Serverless (pay for what you use) and based on PostgreSQL
Only for OLAP and not OLTP
Used for Data warehousing
Uses Massively Parallel Processing (MPP) queries
Integrate with BI tools like AWS QuickSight or Tableau
EMR (Elastic Map Reduce)
Helps create Hadoop clusters (big data)
Clusters are many EC2 instances
Autoscaling and integrated with spot instances
ML, data processing, web indexing, big data
Athena
Serverless; performs analytics on S3
Uses SQL
Used for BI, analytics, analyzing VPC Flow Logs, CloudTrail and ELB logs
QuickSight
Serverless to create interactive dashboards
Integrated with all DBs
DocumentDB
Aurora for MongoDB
NoSQL DB
Neptune
Fully Managed Graph DB
Social Media data
QLDB
Quantum Ledger DB
Recording Financial Transactions
To review history of all the changes made to your application data over time
Central authority
Managed Blockchain
Joins public blockchains like Hyperledger Fabric or Ethereum
No central authority
Glue
Serverless and does ETL
Take data from S3 or RDS, Transform and load into RedShift
DMS
Database Migration Service
DynamoDB Accelerator(DAX)
In-memory cache for faster read/write for DynamoDB
DynamoDB Global Tables
A way to make a DynamoDB table accessible with low latency in multiple regions
Docker
Software development platform to deploy apps
Apps are packaged into containers that can run on any OS
Docker images are stored in Docker repositories
-Public Docker repository
-Private in Amazon ECR (Elastic Container Registry)
ECS
Launch Docker containers on AWS
Provision EC2 instances in advance
Fargate
Launch Docker containers on AWS
No need to provision EC2 instances in advance (serverless)
ECR
Container registry to store Docker images that can be run by ECS or Fargate
Lambda
Virtual functions with unlimited CPU and RAM
Time limit of 15 mins
Limited to some programming languages
API Gateway
To create, publish, maintain, monitor and secure API on AWS
e.g. Serverless HTTP API
Supports RESTful APIs and WebSocket APIs
Batch
Fully managed Batch Processing at any scale
Dynamically launch EC2 instances or Spot instances
Run as Docker images on ECS
No limit on programming languages
Lightsail
Standalone service to get virtual storage, DB and networking in one place
CloudFormation
Reusable template for defining AWS infrastructure
Infrastructure as Code (IaC)
CDK
Define cloud infrastructure using familiar programming languages like Java, Python, .NET, etc.
Code is finally compiled into JSON/YAML (CloudFormation) format
Deploy infrastructure and runtime together
Beanstalk
Developer centric view of deploying application on AWS
Platform as a service (PaaS)
CodeDeploy
Hybrid service to automatically deploy your code
CodeCommit
Hosts Git repositories in AWS to store your code
CodeBuild
Compiles source code, runs tests and produces packages ready to be deployed by CodeBuild
CodePipeline
Code=>Build=>Test=>Provision=>Deploy=>EBS
It orchestrates the steps from code to deployment
CodeArtifact
Store code artifacts like dependencies
CodeStar
All code related services under one roof with unified UI
Cloud9
IDE on Browser
SSM
Manage EC2 instances and on-premises systems at scale (hybrid service)
-Automatic patching of all your instances
-Run commands across the entire fleet of servers
-Store parameter configuration with SSM parameter store
SSM Session Manager
Allows you to start a secure shell on EC2 instances and on-premises servers without SSH access or port 22 open
SSM Parameter Store
Store API keys, passwords, configurations (Serverless)
OpsWork
Gives managed Chef and Puppet in the cloud
Chef and Puppet perform server configuration automatically
DNS Route 53
Routes users to the closest deployment with the least latency
Disaster recovery strategies
DNS, Health Checks, Routing Policy, Domain Registration
CDN CloudFront
Replicate part of our application data into some AWS Edge Locations
Cache the common request in CloudFront
Uses WAF and Shield to protect from web attacks
S3 transfer acceleration
Global uploads and downloads into Amazon S3
Leverages the Edge Locations of AWS.
AWS Global Accelerator
Improved global application availability and performance using AWS global network
Outposts
Deploy racks in your on-premises data centre to extend AWS services
Wavelength
AWS service within 5G networks
Local Zones
Local access closer to users' locations
Extend VPC to local zones
SQS
Serverless service to decouple applications
Stores messages from 4 to 14 days
FIFO and Standard Queue
Kinesis
Real time big data streaming
Kinesis Data Streams, Kinesis Data Firehose, Kinesis Data Analytics and Kinesis Video Streams
SNS
Pub/Sub integration
Sending 1 message to many applications
Send message notifications using publish and subscribe model
MQ
Managed broker service for RabbitMQ and ActiveMQ
CloudWatch
Provides metrics of each AWS service
Set Alarms at each service reaching a certain threshold
CloudWatch logs
Logs are not on by default for AWS services
Once on, you can see logs generated by each service here
EventBridge
Two types of rules: scheduled (cron) jobs, or rules that react to a service doing something, like an EC2 terminate, a user logging into the AWS console, etc.
The output from EventBridge can be sent to trigger a Lambda function, SNS/SQS, etc.
EventBus
Default Event Bus - Events happening inside AWS sent here
Partner Event Bus - Events happening outside AWS, like Zendesk, Datadog, etc., sent here
Custom Event Bus - Events happening in custom apps sent here
CloudTrail
Provides governance, compliance and audit for your AWS accounts
Logs user actions such as console login, using the SDK, using the CLI, etc.
Output is sent to CloudWatch Logs or S3
AWS X-Ray
TroubleShooting, Distributed Tracing, Service Graph for distributed applications on AWS
CodeGuru
ML-powered service for automated code reviews (CodeGuru Reviewer) and application performance recommendations (CodeGuru Profiler)
CodeGuru Profiler - Checks the runtime code in production, identifies code inefficiencies and recommends performance, memory and cost optimizations
AWS Health Dashboard
Service History - All regions, all services status
Personal Health Dashboard (PHD) - Any AWS events that impact your account (performance and availability of the services) show up here
ElasticIP
It costs even if it's not attached to an EC2 instance or the EC2 instance is stopped
VPC
VPC is linked to a region
Within a VPC we have subnets
Subnet
Subnet is linked to an AZ
Used to partition your VPC
Define public and private subnets
Route Table
Define access to internet and between subnets
CIDR Range
Range of IP addresses allowed in the VPC
Internet Gateway
Helps to connect VPC to internet
Public subnets route to the internet gateway, which connects to the internet
NAT Gateway & NAT Instances
NAT Gateway (AWS managed)
NAT Instances (Self Managed)
Allows instances in private subnet to access internet but still remain private
Network ACL
Firewall that controls traffic to and from a subnet
Defines Allow and Deny rules; rules include only IP addresses
Security Groups
Firewall that controls traffic to and from an ENI/EC2 instance
Defines Allow rules only; rules include IP addresses or other SGs
VPC Peering
To connect two VPCs privately using the AWS network
IP address ranges must not overlap
VPC Endpoints
To access AWS services by a private subnet in a private network
VPC Endpoint Gateway - Connect to S3 or DynamoDB
VPC Endpoint Interface - Connect to all other AWS services
AWS PrivateLink
Allows you to expose services running in your VPC in AWS to other VPCs privately
Add a Network Load Balancer on premises
Add Elastic Network Interface on AWS VPC
Site to Site VPN
Connect an on-premises DC with a VPC on AWS over the public internet, but encrypted
Add a Customer Gateway on premises
Add Virtual Private Gateway at VPC
Connect both using site to site VPN
Direct Connect (DX)
Connect an on-premises DC with a VPC on AWS over a private network using a physical connection
Client VPN
Connect your computer to a private subnet in a VPC on AWS
Add the AWS Client VPN (OpenVPN) client on the computer
Transit Gateway
To connect different VPCs, Client VPNs and on-premises networks with one solution
AWS Shield Standard
Free and enabled for all customers against DDoS attacks
Protects against Layer 3 and 4 attacks and reflection attacks
AWS Shield Advanced
Paid and 24/7 DDoS protection and support
AWS WAF(Web Application Firewall)
Filters requests based on rules; placed on Layer 7 services like Application Load Balancer, API Gateway and CloudFront.
Protection against web exploits
Define a Web ACL - filter based on IP addresses, HTTP headers, body and URI strings, geo matching, rate-based rules
Protects against SQL Injection and Cross Site Scripting (XSS)
CloudFront and Route 53
Provide protection at edge locations when used along with Shield
Architecture:
Route 53 is protected by Shield and routes the requests to CloudFront.
CloudFront is also protected by Shield and caches the content at edge locations
Use AWS WAF at CloudFront to filter the requests based on rules
Use a Load Balancer in a public subnet to scale the load at the network level
Then, behind the load balancer, use EC2 instances with an ASG
AWS Network Firewall
Protect VPC overall from Layer 3 to 7.
This operates at VPC level unlike Web ACL that operates at subnet level
KMS
Key Management Service is the AWS encryption service and keys are managed by AWS
CloudHSM (Hardware Security Module)
AWS only provisions the encryption hardware; encryption keys are managed by the customer
CMK
Customer Master Keys
1. Customer managed CMK
2. AWS managed CMK
3. AWS owned CMK
4. CloudHSM keys (found under custom key store)
For CloudTrail and S3 Glacier, encryption is enabled by default
Secrets Manager
Store and rotate passwords (rotation using a custom Lambda function)
Integrated with Amazon RDS
Encrypted using KMS
AWS Artifact
Portal that provides AWS compliance and AWS agreement documents
Amazon GuardDuty
Threat detection service
Detects anomalies in AWS account
Input is from CloudTrail logs, VPC Flow Logs, DNS logs, S3 logs, EBS logs, Lambda network activity, RDS and Aurora login logs and EKS audit logs; output can be sent to EventBridge to generate an SNS notification or trigger a Lambda function
Amazon Inspector
Runs automated security assessments only on running EC2 instances, Lambda functions and container images in ECR
Checks for OS and s/w vulnerabilities and network reachability on EC2
Reports its findings to AWS Security Hub and Amazon EventBridge
AWS Config
Helps audit and record compliance of AWS resources
It records the configurations and their changes over time
AWS Macie
Fully managed data security and data privacy service that uses ML
Alerts on PII
AWS Security Hub
Dashboard to manage security across several AWS accounts and automate security checks
Aggregates alerts from Config, GuardDuty, Inspector, Macie, IAM Access Analyzer, Systems Manager, Firewall, Health and Partner Network Solutions
Amazon Detective
To analyze the root cause of security issues using ML and graphs
AWS Abuse
Report suspected AWS resources used for abuse or illegal purpose
CloudTrail
Track API calls made by users within the account
IAM Access Analyzer
To identify which resources are shared externally, outside your zone of trust
Amazon Rekognition
To recognize objects, people, text and scenes in images and videos using machine learning
Amazon Transcribe
Convert Speech To Text
Polly
Convert Text to Speech
Amazon Translate
Translate text to other languages
Amazon Lex
Same tech as Alexa. Uses automatic speech recognition (ASR) to convert speech to text, and natural language understanding (NLU) to recognize the intent of the text
Helps to build ChatBots
Works with Amazon Connect (Call centre solution)
Amazon Comprehend
NLP
Analyze customer emails
Amazon SageMaker
Fully managed service for developers/data scientists to build machine learning models
Amazon Forecast
Fully managed service that uses ML to forecast
Amazon Kendra
Fully managed document search service that uses ML
Amazon Personalize
Build apps with real-time personalized recommendations
Amazon Textract
Extract text, handwriting, or data from any scanned document
and behind the scenes
SCP (Service control policies)
Centrally manage all users and roles permissions in your organization
Whitelist or blacklist IAM actions
Applied at the OU (organizational unit) or account level, not at the master account level
You can allow or deny access to your AWS account services to the OU or Account
AWS Control Tower
Set up and govern a secure multi-account AWS environment with best practices for your organization
Automate the setup of accounts
Automate ongoing policy management using guardrails
Detect the policy violations and remediate them
Monitor your compliance through an interactive dashboard
AWS RAM (Resource Access Manager)
Share resources (owned by your account) with other accounts
AWS Service Catalog
Self-service portal for users to launch AWS services (pre-configured via CloudFormation templates)
To use pre-defined tracks defined by admins
AWS Compute optimizer
Suggests cost optimizations for supported resources:
EC2, EC2 ASG, EBS volumes and Lambda functions
Pricing Calculator
To estimate cost in AWS; can be used by those who do not have an AWS account
Cost usage report
Used for tracking cost. Shows when, why and how much the cost was incurred
Can be integrated with Athena, QuickSight or RedShift
Cost Explorer
High-level tracking compared to the Cost and Usage Report
Forecasts the bill up to 12 months ahead based on past usage
Can suggest Savings plan for reserved instances
AWS Budgets
Alarm when the cost exceeds the budget or the forecast exceeds the budget
AWS cost anomaly detection
Uses ML to detect cost anomalies
Monitor cost->Get Alerted->RCA
AWS Service Quotas
Notifies when you are close to your service quota threshold
Create CloudWatch Alarms
Request to increase service quota
Trusted Advisor
High-level AWS account assessment
Recommendation on 5 categories: PCSFS
-Cost Optimizations
-Performance
-Security
-Fault Tolerance
-Service Limits
7 Core checks for basic and developer plans
-S3 bucket permissions - making sure buckets are not public
-Security groups - making sure that some ports are not unrestricted, such as SSH
-IAM use - making sure that we have at least one IAM user in our accounts
-Ensuring we don't have any EBS public snapshots
-Ensuring we do not have any RDS public snapshots
-Looking at service limits in AWS
Full Checks for business and enterprise plans
- Full checks in all 5 categories above
- Set CloudWatch alarms
- Programmatic access to the AWS Support API
AWS STS
Security Token Service: only provides temporary, limited credentials to AWS services or to a user
Cognito
Identity for web and mobile application users
AWS Directory services
AWS Managed Microsoft AD (AD users both on premises and in AWS)
AD Connector (AD users on premises)
Simple AD (AD users on AWS only)
AWS IAM Identity Center (SSO)
Amazon Workspaces
Desktop as a Service (DaaS) to provision Windows and Linux desktops
AppStream
Desktop application streaming service on your web browser (no need of virtual desktop)
IoT Core
To connect IoT devices to the AWS cloud
Elastic Transcoder
Convert media files on S3 to media files as required by the devices like phones, etc.
AppSync
To build a backend for your mobile and web application
To store and synchronize data for mobile and web applications in real time
Makes use of GraphQL
Amplify
Helps to develop full stack Web and Mobile applications
Device Farm
To test web and mobile apps using real devices and browsers
AWS Backup
Automate backups across AWS services into S3
Cross region and cross account backups
Disaster recovery strategies
Backup and restore (cheapest)
Pilot light
Warm standby
Multi sites/hot sites
AWS Elastic DR
To recover physical, virtual and cloud based servers into AWS
Continuous replication of on-premises apps, OS and DBs into low-cost AWS staging.
On failover, move to the higher-cost production environment on AWS
AWS DataSync
Move large amounts of data from on premises to AWS using replication
After full load the replication is incremental
Application Discovery Service and Migration
Services to migrate from on premises to AWS
AWS Migration Evaluator
Install the Collector on premises to collect all info regarding data, servers, dependencies, etc.
Input that into AWS Migration Evaluator
Output is quick insights into cost and business case
AWS Migration Hub
Central location where you can collect server and applications inventory data for the assessment, planning and tracking of migrations to AWS
Automate the process of lift and shift
Also use AWS Migration Hub Orchestrator to use pre-built templates for SAP, SQL Server, etc.
AWS Fault Injection Simulator (FIS)
Generate and run experiment templates to create disruptions to the application, like a sudden increase in CPU or RAM, etc., to see how the application reacts.
Monitor using CloudWatch or EventBridge
Step Functions
Serverless visual workflow to orchestrate Lambda functions
Ground Station
Control Satellite communication
AWS Pinpoint
2-way marketing communication service
6 Pillars
- Operational Excellence
- Security
- Reliability
- Performance Efficiency
- Cost Optimization
- Sustainability
AWS CAF (Cloud adoption framework)
- White paper that helps you to build and execute a plan for digital transformation using AWS
- It groups the capabilities under two perspectives
Business: Business, People, Governance
Technical: Platform, Security, Operations
AWS CAF Transformation Domains
- Technology
- Process
- Organization
- Product
AWS IQ
Help to quickly find a professional to help you with your AWS projects
AWS re:Post
Community Forum. AWS managed Q&A service
AWS Managed Service
AWS provides a team of AWS experts to help you manage and operate your infrastructure for security, reliability and availability