# AWS Cloud Practitioner

Note: It appears that I'm already aware of the foundations with regard to the "cloud" in general. What I lack is the AWS specific information that this course will provide.

### Introduction

- [ ] Take evaluation test to identify current understanding of AWS concepts.

### Cloud Computing

#### What is Cloud Computing?

General information on the cloud. This I am already keenly aware of.

#### What is AWS Specifically?

3 ways to interact with AWS:

- Web Console/Management Console
- AWS CLI, e.g. `aws`
- AWS SDK, e.g. different programming libraries

#### Benefits of Cloud

- Trade upfront expenses (CAPEX) for variable expenses (OPEX)
- Stop focusing on data centers.
  - Focus on customers.
- Stop guessing capacity.
  - Scalability, stop guessing about capacity.
- Benefit from massive economies of scale.
  - The more you use, the more you save.
- Decrease in provisioning time; increased speed & business agility.
- Go global with your application.
  - global deployment options.

#### Cloud Economics

Economic Models of AWS

- Free Tier
  - Google free tier for more info
  - Some services will always be free while some are free for a certain amount of time.
- On-Demand
  - pay for the resources utilized.
  - size/capacity with the time used.
- Reservations
  - 1-3 year commitment of resource usage that can save money overall.
- Volume Discounts
  - Per unit of capacity cost is reduced the more you use.
- Price Drops
  - As AWS becomes more efficient with their products/services, costs are reduced. Usually when a new version of a service is deployed.

#### Cloud Design Principles

- For future reference research "AWS Well-Architected Framework".

##### Design For Failure

- What happens when we have a SPOF (single point of failure)?
- Resiliency & auto recovery. Be intentional about failure & add redundancy.

##### Decouple Components

- Loosely coupled components with a queue or scaling layer between components.

##### Implement Elasticity

- Scale up & down as needed/required.
  - This equates to better costs & better performance.
  - Optimally this should be done automatically.

##### Think Parallel

- Execute concurrently to have the process complete quicker & be more resilient all around.
  - This reduces time to execute.

#### Six Advantages of Cloud Computing (Quiz)

- Matched terms to definitions.

#### Quiz - Cloud Computing

---

### Security & Compliance

#### AWS Shared Responsibility Model for Security

- You manage the OS and everything within it. AWS manages the hypervisor (HV), data center (DC) and everything outside of the OS.
  - IaaS: EC2
  - PaaS: Lambda, Beanstalk, RDS
  - SaaS: WorkMail, Chime, WorkDocs

#### AWS Cloud Security & Compliance

- Finance, Health & Govt. must adhere to compliance & regulatory framework guidelines.
  - e.g. HIPAA, PCI-DSS
- Reports of audits can be accessed via AWS Artifact.
- Customer Compliance Center provides:
  - regulatory requirements
  - country specific laws
  - auditing & security checklist
  - reference architectures with best practices
- AWS Audit Manager collects data from services you're using and provides information to ensure they're compliant.
- AWS Config tracks resource configs & how they've changed over time.

#### AWS Identity Access Management

- When creating an account a unique email & credit card must be provided.
- Name the account, e.g. Dev
- A default user will be created. By default it will be __root__.
  - root has access to all resources.

##### Identity & Access Management (IAM)

- IAM manages access to AWS resources.
- IAM handles who is authenticated & what they're authorized to do.
- Three types of identities:
  - Users, Groups, & Roles
- IAM policies define what resources a user/group/role has access to & what actions they can perform on them.
- For anyone needing access, you'll create a user for them in IAM.
  - By default they don't have access to any resources or actions.
  - Follow least privilege model.
- Reference IAM documentation for Policy examples.
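A worked policy for the least-privilege point above, as an added Python example that is mine and not from the course or AWS: it builds one scoped statement with the fields an IAM statement carries (Sid, Effect, Action, Resource), then runs a small linter over it and over an over-broad policy of the kind a new user should never be handed. The bucket name and Sid values are constructed placeholders; `lint_policy` and `statement_fields` are my own helper names, not an AWS API.

```python
import json

# Constructed example of a least-privilege policy: one statement, two scoped
# actions, one bucket. The bucket name is a placeholder.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadOnlyReportsBucket",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::example-reports-bucket",
                "arn:aws:s3:::example-reports-bucket/*",
            ],
        }
    ],
}

# Constructed example of what the notes warn against: every action on every
# resource, which is what root already has. The Deny statement is fine and is
# not flagged because it only narrows access.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowEverything", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "DenyCloudTrailStop", "Effect": "Deny",
         "Action": "cloudtrail:StopLogging", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM accepts a string or a list for Action and Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return (sid, finding) tuples for Allow statements broader than least privilege:
    wildcard actions, whole-service wildcards, NotAction, or wildcard resources."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append((sid, "Action '*' grants every API call"))
            elif action.endswith(":*"):
                findings.append((sid, f"Action '{action}' grants every call in a service"))
        if "NotAction" in stmt:
            findings.append((sid, "NotAction allows everything except the listed calls"))
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append((sid, "Resource '*' applies to every resource in the account"))
    return findings


def statement_fields(policy):
    """Set of field names used across the policy's statements."""
    fields = set()
    for stmt in _as_list(policy.get("Statement")):
        fields.update(stmt.keys())
    return fields


if __name__ == "__main__":
    for name, policy in (("scoped", SCOPED_POLICY), ("broad", BROAD_POLICY)):
        print(f"{name}: {json.dumps(policy)}")
        for sid, finding in lint_policy(policy) or [("-", "no findings")]:
            print(f"  [{sid}] {finding}")
```

The linter is deliberately simple: it only looks at the shape of Allow statements. Real reviews also need the Condition block and the resource ARNs themselves, but the two wildcards it catches are the ones that most often turn a "read a bucket" user into an account administrator.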
- IAM Statement includes:
  - Statement ID (SID), Effect, Action(s) & Resource(s)
- You'll assign a policy to a user.
  - Least privilege permissions.
- Groups are a collection of IAM users. This makes it simpler to manage policies for users.
- Roles can be assumed by users temporarily to do actions they otherwise wouldn't be able to do.
  - Used on a temporary basis.

##### MFA

- An additional security layer for accessing AWS, e.g. Google Authenticator, Authy
- Is enabled on a per user basis.

#### AWS IAM - user, groups, and roles - Demo

- Go to AWS Console
- To obtain the Account ID, when logged in select the username in the top right corner.
- When logging in as a normal user, you'll need the Account ID, the username provided and the password defined during user creation.
  - Note: When creating a user you can set it to change password upon first login.
- There are default AWS policies available to assign to users for permissions/access.
- It's simpler to create a group and assign a policy to it for user permissions/access.
- To add a role to a user, create the role & then go to the user management page.
  - From there select the user and then select "add permission" -> "inline policy".
  - Then select "STS" then choose "assume role".
  - You will provide the specific assume role URL to the user in order to escalate privileges for the role.
  - You can switch roles as well when logged in as the user and then enter the role info.

#### Organizations

- Are used to manage multiple AWS accounts.

##### Service Control Policies (SCP)

- Are similar to IAM policies but at the account level.
- SCPs can be applied to individual accounts or OUs.

##### Organizational Units

- Can have a Service Control Policy applied & this will be inherited by accounts under it.
- This is similar to groups but for similar AWS accounts.

#### Resources for Security of AWS

##### AWS Security Resources

- __Prevention__
  - AWS Web Application Firewall (WAF)
    - Can monitor incoming requests for attacks, (e.g. SQL injection, XSS attacks).
    - Supports Amazon CloudFront, Amazon API Gateway, & Application Load Balancer.
    - You define Web ACLs & within them you define 3 things:
      - The resource to monitor, (e.g. AWS API GW)
      - Rules - inspection criteria, (think of this like iptables but for WAF)
      - Action - Allow, Block, Count, CAPTCHA
  - AWS Shield
    - For DDoS attacks
  - AWS Network Firewall
    - Stateful firewall for VPC access
- __Detection__
  - AWS Inspector
    - Scans workloads running on AWS for vulns & undesired network exposure.
    - Supports AWS EC2, AWS ECR, & AWS Lambda.
    - Automatically discovers the above services.
    - Provides a report of findings.
    - Automatically runs when installing a new pkg or patch, or when a new CVE is published.
  - AWS GuardDuty
    - Is a security service that uses ML to automatically identify threats within your AWS account, e.g. abnormal API activity, disabling AWS CloudFront logging, compromised S3 buckets, unauthorized deployments or compromised instances.
    - Detects threats & enables taking action via reviewing findings, event management integration or Lambda function automated remediation.
  - Amazon Detective
    - Reviews logs from other services such as VPC flow logs, GuardDuty, CloudTrail and uses ML to provide visualizations/dashboards to troubleshoot issues with the AWS account.
  - AWS Config
    - Tracks and audits the configurations of AWS resources over time, e.g. allowing a security group on an EC2 instance, attaching a DB to it, etc.
  - AWS Security Hub
    - Takes information from Inspector & GuardDuty, automates security checks and brings security alerts into a single location.
    - It can monitor all of your resources & provide validation against AWS/security best practices.
  - CloudTrail
    - Tracks user activity within an AWS account.
    - So any action a user performs in the AWS account will be logged.
    - Who did what in an account.
  - Security Lake
    - Can ingest logging from various services, on-prem, AWS & third-party sources.
    - Aggregates all these logs & stores them in the query-efficient Parquet format.
    - Open Cybersecurity Schema Framework (OCSF).
    - Then whatever users can consume the data to do whatever they need with it.
  - AWS Macie
    - Uses pattern matching to automatically discover sensitive data.
    - Will generate a report of S3 buckets & scan for sensitive data.
    - Will notify you of any sensitive data found.
- __Management__
  - AWS Firewall Manager
    - Central place to manage firewall & security rules/policies for multiple accounts. Makes it simpler to implement them across multiple accounts vs doing so independently of each other.
  - Resource Access Manager
    - Helps you share resources across multiple accounts.
  - AWS Cognito
    - Helps implement customer identity & access management for mobile & web applications.
    - Easy to add signup, login functionality.
    - Manages all user credentials.
  - IAM
    - Once again user, group, & role management.
    - Policies for privileges and access.
  - IAM Identity Center
    - Central place to manage IAM across multiple accounts.
  - AWS Secrets Manager
    - Centralized secrets management so you don't have to hard code credentials within the application.
    - Also limits access to credentials.
    - Can automatically rotate credentials & manage secrets dynamically.
  - AWS Certificate Manager
    - Handles management of public/private certificates.
    - Can be used to send encrypted data to ELB, CloudFront, API Gateway, etc.
  - AWS Private Certificate Authority
    - Manages a private CA on your behalf.
    - This is for internal corporate resources.
  - Key Management Service (KMS)
    - Encryption service for data at rest.
    - Manage access to specific users for specific keys.
    - Auto-rotation for keys.
  - AWS CloudHSM (Hardware Security Module)
    - All keys are stored on the HSM and never leave the device.
    - Performs encryption/decryption on your behalf.
    - An AWS managed HSM device.
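The Detection notes above mention GuardDuty findings feeding a Lambda function for automated remediation, and the Lambda section later in these notes describes a function that runs when an event arrives. The following is an added Python example of such a handler (mine, not from the course or AWS): it takes a GuardDuty finding as EventBridge delivers it, classifies the severity and returns a decision. The event is constructed; its field layout follows the GuardDuty finding format as I know it, the severity bands are the ones GuardDuty publishes (Low 1-3.9, Medium 4-6.9, High 7-8.9, Critical 9-10), and `triage_finding` / `severity_label` are my own names. The handler only returns the decision; actually quarantining an instance or paging a team would need boto3 calls and credentials, which are left out so the code runs offline.

```python
import json

# Constructed EventBridge event carrying a GuardDuty finding. The account id,
# finding id and instance id are placeholders.
SAMPLE_EVENT = {
    "version": "0",
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "account": "111111111111",
    "region": "us-east-1",
    "detail": {
        "id": "placeholder-finding-id",
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 5.0,
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0123456789abcdef0"},
        },
    },
}


def severity_label(severity):
    """Map GuardDuty's numeric severity onto its published bands."""
    if severity >= 9.0:
        return "CRITICAL"
    if severity >= 7.0:
        return "HIGH"
    if severity >= 4.0:
        return "MEDIUM"
    return "LOW"


def triage_finding(event):
    """Decide what an automated responder should do with one finding.

    Returns a dict describing the finding and the chosen action. Anything that is
    not a GuardDuty finding is ignored rather than guessed at.
    """
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        return {"action": "ignore", "reason": "not a GuardDuty finding"}
    detail = event["detail"]
    label = severity_label(float(detail.get("severity", 0)))
    resource = detail.get("resource", {})
    decision = {
        "finding_id": detail.get("id"),
        "finding_type": detail.get("type"),
        "severity": label,
        "resource_type": resource.get("resourceType"),
    }
    if resource.get("resourceType") == "Instance":
        decision["instance_id"] = resource.get("instanceDetails", {}).get("instanceId")
    if label in ("HIGH", "CRITICAL") and "instance_id" in decision:
        # Isolation (e.g. swapping the instance into a quarantine security group)
        # is the documented remediation step; here we only record the decision.
        decision["action"] = "isolate-instance"
    elif label in ("MEDIUM", "HIGH", "CRITICAL"):
        decision["action"] = "notify-security-team"
    else:
        decision["action"] = "log-only"
    return decision


def lambda_handler(event, context):
    """Lambda entry point: EventBridge invokes this with the finding as `event`."""
    decision = triage_finding(event)
    print(json.dumps(decision))  # in Lambda this line lands in CloudWatch Logs
    return decision


if __name__ == "__main__":
    lambda_handler(SAMPLE_EVENT, None)
```

Keeping the decision separate from the action is deliberate: the decision function can be unit-tested against saved findings, while the part that touches EC2 or SNS stays small and is the only piece that needs IAM permissions.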
### Technology - Part One

#### Methods of Deploying and Operating in the Cloud

- AWS Console, (web site)
- AWS CLI
- AWS SDK

#### AWS Console - Demo

#### AWS CLI - Demo

- https://aws.amazon.com/cli/
- installed
- Created s3 bucket:

```
$ aws s3 mb s3://doompatrol-demobucket
make_bucket: doompatrol-demobucket
```

#### AWS SDK - Demo

#### AWS' global infrastructure

- __Region__ is a geographic location where resources can be deployed.
  - Not all regions provide all services.
  - Not all regions are govt. compliant.
  - Costs differ between regions.
  - Consider compliance & legal regulatory requirements.
- __Availability Zones__ one or more DCs in a region.
  - There are multiple AZs in a region.
- __CDN__ & __Edge Locations__
- __Local Zones__
  - Are extensions of AWS regions.
  - Allow you to place AWS services closer to end-users.
  - High BW to the parent AWS region
  - Use cases: gaming, live streaming & virtual workstations.
- CDN vs Local Zones
  - LZ is an extension of a region
  - LZ provides a subset of services
  - LZ is isolated
  - CDNs are, well, CDNs

#### Core AWS Services - Networking

- Shared customer infra
- Virtual Private Cloud (VPC)
  - secure, isolated network segment
  - isolates computing resources from other computing resources
  - Subnetting
  - Firewalls (NACLs & Security Groups)
  - Routing
  - Gateways
- You can create multiple VPCs for your account.
- VPCs & Regions
  - VPCs are specific to a single region.
  - A VPC acts as a network boundary.
  - VPCs have subnets, public & private.
  - Subnets reside within a single AZ.
  - External resources can use VPNs to connect to VPCs.
  - Subnets within a VPC must be within the CIDR range.
  - First 4 IPs of a subnet can't be used.
  - Subnets are private by default but can be made publicly accessible via an Internet Gateway. The public internet can then reach VPC resources & vice versa.
  - NAT Gateway: a connection must be initiated from within the VPC. Only internal resources can reach the public network through it, and only the responding traffic is allowed back in.
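Two of the points above, subnets having to sit inside the VPC CIDR and the firewall layer of a VPC (NACLs vs security groups, which the notes cover in detail under Networking - Firewall), as an added Python example that is mine rather than the course's: `validate_subnet` and `reserved_addresses` use the standard `ipaddress` module, `is_public_subnet` applies the internet-gateway rule, and the two `*_round_trip` functions model why a stateless NACL needs an outbound rule for the client's ephemeral port while a stateful security group does not. The VPC layout, route tables and NACL rule lists are constructed, and the gateway ids are placeholders. One detail beyond the notes, which I am certain of: AWS reserves five addresses per subnet, the first four plus the last (broadcast), so the helpers count both.

```python
import ipaddress

# Constructed VPC layout following the demo in these notes: a /16 VPC with /24
# subnets. Route tables map destination -> target; gateway ids are placeholders.
VPC_CIDR = "192.168.0.0/16"
SUBNETS = {
    "public-a": {"cidr": "192.168.10.0/24",
                 "routes": {"192.168.0.0/16": "local", "0.0.0.0/0": "igw-placeholder"}},
    "private-a": {"cidr": "192.168.20.0/24",
                  "routes": {"192.168.0.0/16": "local", "0.0.0.0/0": "nat-placeholder"}},
    "wrong-range": {"cidr": "10.0.0.0/24", "routes": {"192.168.0.0/16": "local"}},
}


def validate_subnet(vpc_cidr, subnet_cidr):
    """A subnet must sit inside the VPC's CIDR block; returns (ok, reason)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    subnet = ipaddress.ip_network(subnet_cidr)
    if not subnet.subnet_of(vpc):
        return False, f"{subnet} is outside the VPC CIDR {vpc}"
    return True, "ok"


def reserved_addresses(subnet_cidr):
    """Addresses AWS keeps in every subnet: the first four (network address, VPC
    router, DNS resolver, future use) and the last (broadcast, reserved but unused)."""
    addresses = list(ipaddress.ip_network(subnet_cidr))
    return [str(ip) for ip in addresses[:4] + addresses[-1:]]


def usable_host_count(subnet_cidr):
    """Hosts you can actually assign after the five reserved addresses."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - 5


def is_public_subnet(routes):
    """Public = the default route points at an internet gateway. A NAT gateway
    route only lets connections out, so that subnet is still private."""
    return routes.get("0.0.0.0/0", "").startswith("igw-")


# --- NACL (stateless) vs security group (stateful) ---
# NACL rules: (rule number, direction, port_low, port_high, action). Lowest number
# first, first match wins, implicit deny at the end. Both rule sets are constructed.
NACL_MISSING_EPHEMERAL = [
    (100, "inbound", 443, 443, "allow"),
    (100, "outbound", 443, 443, "allow"),
]
NACL_CORRECT = NACL_MISSING_EPHEMERAL + [(110, "outbound", 1024, 65535, "allow")]


def nacl_allows(rules, direction, port):
    for _number, rule_dir, low, high, action in sorted(rules):
        if rule_dir == direction and low <= port <= high:
            return action == "allow"
    return False  # implicit deny


def nacl_round_trip(rules, service_port, client_port):
    """A request arrives inbound on service_port; the reply leaves outbound to the
    client's ephemeral port. A stateless NACL evaluates each leg on its own."""
    return nacl_allows(rules, "inbound", service_port) and nacl_allows(rules, "outbound", client_port)


def security_group_round_trip(inbound_allowed_ports, service_port, client_port):
    """A security group tracks connections: only the inbound leg is evaluated and
    the reply to client_port is allowed automatically, whatever the outbound rules say."""
    return service_port in inbound_allowed_ports


if __name__ == "__main__":
    for name, spec in SUBNETS.items():
        ok, reason = validate_subnet(VPC_CIDR, spec["cidr"])
        kind = "public" if is_public_subnet(spec["routes"]) else "private"
        print(f"{name}: {kind}, {reason}, {usable_host_count(spec['cidr'])} usable hosts")
    print("NACL without ephemeral rule, HTTPS round trip:", nacl_round_trip(NACL_MISSING_EPHEMERAL, 443, 51000))
    print("NACL with ephemeral rule, HTTPS round trip:   ", nacl_round_trip(NACL_CORRECT, 443, 51000))
    print("Security group allowing 443, HTTPS round trip:", security_group_round_trip({443}, 443, 51000))
```

The NACL half is the one worth remembering for the exam and for real troubleshooting: a web server behind a NACL that only allows 443 in both directions will accept the request and then silently lose the reply, because the reply goes to a high-numbered client port the outbound rules never mention.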
  - Virtual Private Gateway is used for external corporate DC/resources; connections are secure/encrypted.
  - Direct Connect Location (DX) is a direct connection but not encrypted.

#### Networking - Default VPC

- There are 2 kinds of VPC, default & custom.
- Default VPCs are defined & configured by AWS.
  - One per region, a /16 CIDR with /20 subnets. Default CIDR is 172.31.0.0/16.
  - Automatically attached to an Internet Gateway.
  - By default the VPC will use the default NACLs/Security Groups.

#### Networking - Firewall

- Stateless Firewalls
  - Monitor traffic and allow permitted traffic by rules, (inbound & outbound rules)
  - Must be configured to allow both inbound & outbound.
- Stateful Firewalls
  - Are intelligent enough to understand which request & response are part of the same connection.
  - If a request is permitted, the response is automatically permitted as well.
- Network Access Control List (NACL)
  - Filters traffic at the subnet level.
  - Does not filter traffic within the subnet.
  - Is a stateless firewall.
- Security Group
  - Acts as a firewall for individual resources, (EC2, LB, RDS)
  - Is stateful.
  - Responses are automatically allowed.

##### Networking - Overview

- An overview video.

##### AWS Networking - Demo

- Demo of AWS networking.
- When creating a VPC you will define a CIDR block to associate with it, e.g. 192.168.0.0/16.
- Then when creating a Subnet to associate with this VPC, you will define a subnet within the previously mentioned CIDR, e.g. 192.168.10.0/24.
- By default the subnet will not have public access until you create an Internet Gateway.
  - You'll need to edit the subnet's route table and attach the IGW to it.
- Create SG
- Create NACL

#### Core AWS Services - Storage

- Block Storage, Elastic Block Storage, (EBS)
  - Breaks data down into blocks & stores them as separate pieces, each with a UUID.
  - A collection of blocks can be presented to the OS as a volume & the OS can create a FS on top of it.
  - A collection of blocks can be presented as a HDD. EBS is bootable and an OS can be installed on it.
  - Must be in the same AZ within a VPC.
- File Storage, Elastic File System (EFS)
  - Similar to how you'd store files on your local PC.
  - Is remotely accessible, (think NFS).
  - Can be mounted but is not bootable.
  - Multiple clients can access data.
- Object Storage
  - Objects are nothing more than files.
  - Can store any type of file.
  - Think similar to Dropbox/Google Drive.
  - Does not have a directory structure.
  - Can't be used to mount or boot.
  - Logs & media files are targets for this type of storage.
- Storage Classes
  - S3 Standard (default), most expensive.
    - Can handle 2 AZ failures.
    - 99.99% durability.
    - Charged per GB outbound.
  - S3 Standard-IA
    - Can handle 2 AZ failures.
    - Charged per GB outbound.
    - 99.99% durability.
    - Retrieval fee.
    - Minimum duration charge of 90 days.
    - 128KB minimum file size.
    - For infrequently used files.
  - S3 One Zone-IA
    - Stored in 1 AZ
    - Charged per GB outbound.
    - Retrieval fee.
    - 128KB minimum file size.
    - For infrequently used files.
  - S3 Glacier Instant Retrieval
    - Low cost for rarely accessed data.
    - Charged per GB outbound.
    - Retrieval fee.
    - Longer duration requirement.
    - The maximum size of a single archive stored in S3 Glacier is 40 TB
  - S3 Glacier Flexible Retrieval
    - Takes a while for data to be retrieved due to it being longer term storage.
      - Bulk: 5-12 hrs
      - Std: 1-5 mins
      - Standard: 3-5 hrs
    - Charged per GB outbound.
    - Retrieval fee.
    - Minimum 40KB per object.
  - S3 Glacier Deep Archive
    - Charged per GB outbound.
    - Retrieval fee.
    - Cheapest storage class.
    - Used for even longer term storage.
      - Bulk: 12 hrs
      - Std: 48 hrs.
  - S3 Intelligent-Tiering
    - Automatically identifies the most cost effective access tier.
    - All objects incur a monitoring/automation cost per 1k objects.

##### AWS Storage EBS - Demo

- Will have a device name automatically created for it, e.g. `/dev/sdf` or `/dev/xvdf`
- Use the `file -s` command to identify if there is a file system on the device. I've always used `blkid`.
##### AWS Storage EFS - Demo

- Create a SG to control which VPC resources can access it.
- Requires package: `amazon-efs-utils`
- Ref. docs for `fstab` mount point options.

##### AWS Storage S3 - Demo

- Remember that due to how the service works, you will need to create a uniquely named bucket.
- By default buckets are not publicly accessible.
- There aren't actual directories but merely a view that appears as one, (this is for human presentation).
- Can't delete non-empty buckets. Must remove contents beforehand.

#### Core AWS Services - Compute EC2

- AMI - Amazon Machine Image
- Instance Types, various CPU, Memory, Storage & Networking capacity.
  - General Purpose - balance of all resources.
  - Compute Optimized - for compute-heavy workloads.
  - Memory Optimized - memory-intensive workloads, suited for DBs.
  - Storage Optimized - for workloads that require high R/W access to large datasets on local storage.
  - Accelerated Computing - utilizes HW accelerators for expensive calculations. Great for graphics processing & data pattern matching.
- EC2 pricing options
  - On-Demand pricing, no upfront payment or long term commitment.
    - pay by the hour, only when the instance is running.
    - actively charged for storage attached to the instance.
    - runs on shared hosts.
    - for short-term or irregular/unpredictable workloads.
  - Spot Pricing
    - Offers spare compute capacity at a discounted rate.
    - for apps that have flexible start & end times.
    - apps that need low compute prices.
    - not suitable for workloads that can't tolerate interruptions.
  - Reserved Pricing
    - discount to save on EC2 costs.
    - long-term agreement, 1 or 3 year contract.
    - you're committing to using an on-demand instance for a long-term period.
    - when deploying an on-demand instance with attributes matching the reservation it will be charged at the reserved price.

#### Core AWS Services - Compute Lambda

- Is a compute service that lets you run your code w/o having to provision or manage servers.
- Is a serverless offering.
- AWS manages maintenance, scaling, capacity provisioning & logging.
- The Lambda Service Reserve Pool receives an event and your code is deployed on to a compute instance in this pool.
- Lambda Use Cases
  - File processing
  - Stream processing
  - Web apps
  - Mobile/web backend
- Lambda Function, is a code function in whatever programming language.
  - Receives a trigger to run the Lambda Function, e.g. upload of a file to S3, request to API Gateway, DynamoDB update.
- Benefits of Lambda are that it's managed by AWS, autoscales, pay for what you use.
- Drawbacks of Lambda are that there is no local state.
  - Requires a separate DB to store persistent data.
  - Limited execution duration, code can only run at most 15 mins.
  - Cold starts, the time it takes for a Lambda instance to be deployed & load the function.
    - SnapStart & provisioned concurrency help to mitigate cold starts.
- Lambda Pricing
  - Number of times functions ran.
  - How long they ran for.
  - How many resources they required, CPU/memory.

#### Core AWS Services - Compute Containers

- Elastic Container Service (ECS) & Elastic Kubernetes Service (EKS)
- Container Orchestrators, e.g. K8S, Mesos, ECS
- ECS is Amazon's version of K8S.
  - Runs on EC2 or Fargate
- EKS
  - Is a managed K8S environment.
  - You manage the worker nodes unless you use AWS Fargate.
- EKS Benefits
  - Runs the control plane (CP) across multiple AZs.
  - Scales the CP based on load.
  - Integrates with other AWS services.
    - IAM, ELB, ECR (Elastic Container Registry)
- ECS vs EKS
  - ECS is proprietary so migrating outside of AWS will be difficult.
  - EKS is open source and runs on any platform. However if you integrate other AWS services this may make migrating more challenging.
  - ECS has a simpler architecture & API.
  - ECS has no cost for the CP.
  - With EKS you pay for the CP & worker nodes.

##### AWS Compute EC2 - Demo

#### AWS Compute Lambda - Demo

#### Quiz - AWS Technology - Part One

- Which of the following statements accurately describes an Amazon VPC subnet?
  - A subnet is a collection of IP addresses for routing traffic within a VPC.
- Which of the following statements accurately describes a public subnet in Amazon VPC?
  - A public subnet is a subnet with an internet gateway attached.
- What is the Default VPC in AWS?
  - A pre-configured VPC that is automatically created in each AWS region.

### Part One - Quizzes

#### Networking Services - Quiz

#### Storage Services - Quiz

#### Container Services - Quiz

#### Compute Services - Quiz

#### Identify the Missing Data Transfer Service - Quiz

### Technology - Part Two

#### Core AWS Services - Database

- Types of Databases (Datastores)
  - Self-managed Datastores
  - SQL Datastores
    - Structured data in tables.
    - Relationships between the tables.
    - Used primarily when you have complex relationships in the data.
    - Think transactional (like banking) or reporting use cases for these types of data stores.
  - NoSQL Datastores
    - Means "Not Only SQL".
    - Different data relationships from SQL.
    - Used when you have simple but specific needs for data.
    - Consider search, high perf, documents, relationship use cases.
- Structured Data vs Unstructured Data
  - Structured dataset, data that is related to other data within the dataset.
    - Multiple tables that have relatable data.
  - Unstructured dataset, a simple key identifier for the data being requested.
    - Partition Key, Sort Key, Attributes.
  - SQL collects data into groupings & structures.
  - NoSQL puts data together and it is identified by one specific item, a key.
- Self-managed datastores
  - You manage the complete datastore solution.
  - Fully responsible for, and in control of, the datastore & its options/customizations.
  - Runs on an EC2, ECS or EKS instance.
    - Can mitigate with Fargate when using EKS.
  - Mainly used when you have specific software or security needs.
- SQL Datastores (structured)
  - These are managed datastores.
  - Relational Database Service (RDS).
    - MySQL, MSSQL, MariaDB, PGSQL, Oracle.
    - Transactional processing, (think e-commerce).
    - Hard to grow in size & performance, (good for reads but not writes).
  - __Aurora (RDS Aurora)__
    - modified MySQL & PGSQL instances.
    - cloud native.
    - managed service.
    - higher capacity & performance.
    - grows more easily than the main RDS service.
  - __Aurora Serverless v2__
    - MySQL or PGSQL.
    - managed service.
    - cloud native.
    - higher capacity & performance.
    - capacity can go up & down much more easily than other RDS services.
    - pay a little for storage but not for compute when not using it.
  - __Amazon RedShift__
    - A data warehouse, not a transactional data store.
    - RedShift is the SQL data warehouse in AWS.
    - Petabyte scale.
    - serverless & "server" versions.
    - Consider reporting & not e-commerce or web traffic.
  - SQL database services - summary
    - RDS is the RDBMS SQL DB service in AWS.
    - Aurora is a sub-service of RDS that supports PGSQL & MySQL cloud-natively.
    - Aurora Serverless v2 is an Aurora variation but without any VM management or autoscaling.
    - All RDS services feature encryption, replication & some form of scaling & more.
    - RedShift is unlike the others in that it is for reporting (OLAP).
    - RedShift has server & serverless versions that can handle petabytes of data.
- NoSQL Datastores (unstructured)
  - __Amazon DynamoDB__
    - "The lightning-fast king of key-value at AWS".
    - I want to create blobs of data that I search for with a single keyword or phrase.
  - __Amazon DocumentDB (with MongoDB compatibility)__
    - To store data & retrieve documents like essays, profiles, & more.
  - __Amazon Keyspaces (Apache Cassandra compatibility)__
    - A database that can run in many different locations across the planet & I need large-scale unstructured data that has more structure to it.
    - Semi-structured data.
  - __Amazon Neptune (Graph Database)__
    - A database that will detect relationships between data like fraud detection or social network relationships.
  - __Amazon ElastiCache (memcached or redis)__
    - An in-memory datastore, cache.
    - To store data in a location that is faster than a regular DB, or to store a user's cart or session data.
  - __Amazon OpenSearch (Formerly ElasticSearch)__
    - To index & search through a bunch of information, similar to a Google search that gives relevant or related results.
  - __Amazon Quantum Ledger Database (QLDB)__
    - A database with an immutable record of every change in the database.
    - Great for security consistency.
  - __Amazon Timestream__
    - A database that captures data from various sources at high scale & maintains the timestamp.
    - Great for IoT devices.
- AWS DB Types: [[aws-cloudpractioner-db-types.png]]
- Ways to consider DB needs: [[aws-cloudpractioner-db-uses.png]]
- Database Summary
  - Self-managed for self-reliance & control.
  - RDS & RedShift are the primary SQL DB systems.
  - RDS has five DB engines it supports:
    - MySQL, Oracle, MariaDB, MSSQL & PGSQL.
  - DynamoDB, DocumentDB & others are NoSQL services that are fully managed.
  - Verify the use cases for each service via the above provided images.

##### AWS Database - Demo

- Aurora Serverless v2
  - Offers functionality to scale down to a defined limit when the service isn't being highly utilized.

#### Core AWS Services - Application Integration

- Applications/services that sit between your applications/components and enhance/manage the communications/traffic between those applications/components.
  - Amazon Simple Queue Service (Amazon SQS): [[aws-cp-app-to-app-0.png]]
  - Amazon ELB: [[aws-cp-app-to-app-1.png]]
  - Amazon Simple Notification Service (Amazon SNS): [[aws-cp-app-to-app-2.png]]
- Managing the flow/quality/rate/speed of communication between components or end-users.
- __Amazon Simple Notification Service__
  - Used in-between two applications when you want an application to send messages to customers via text, email or mobile push. Also used when you want to copy a single message to multiple applications.
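The SNS-to-SQS fan-out described above, as an added Python example (mine, not the course's or AWS's): `sqs_policy_for_sns` produces the queue access policy that the SNS & SQS demo in these notes sets up by hand (Principal = the SNS service), with an `aws:SourceArn` condition so that only the one topic can deliver into the queue; `policy_is_scoped` checks for that condition; `envelope_is_trusted` and `parse_sns_envelope` show how a consumer reads the JSON envelope SNS wraps around a published message. The ARNs, account id and message body are constructed placeholders, and the function names are my own.

```python
import json

# Constructed ARNs; the account id and names are placeholders.
TOPIC_ARN = "arn:aws:sns:us-east-1:111111111111:orders-topic"
QUEUE_ARN = "arn:aws:sqs:us-east-1:111111111111:orders-queue"


def sqs_policy_for_sns(queue_arn, topic_arn):
    """Queue access policy letting the SNS service deliver to this queue, but only on
    behalf of one topic (aws:SourceArn). Without the Condition, any SNS topic in any
    account could push messages into the queue."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowOneSnsTopicToSendMessage",
            "Effect": "Allow",
            "Principal": {"Service": "sns.amazonaws.com"},
            "Action": "sqs:SendMessage",
            "Resource": queue_arn,
            "Condition": {"ArnEquals": {"aws:SourceArn": topic_arn}},
        }],
    }


def policy_is_scoped(policy):
    """True only if every statement granting a service principal pins aws:SourceArn."""
    for stmt in policy["Statement"]:
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict) and "Service" in principal:
            cond = stmt.get("Condition", {})
            pinned = any("aws:SourceArn" in cond.get(op, {}) for op in ("ArnEquals", "ArnLike"))
            if not pinned:
                return False
    return True


# What lands in the queue when SNS delivers (raw message delivery off): a JSON
# envelope around the published text. This body is constructed.
SAMPLE_SQS_BODY = json.dumps({
    "Type": "Notification",
    "MessageId": "placeholder-message-id",
    "TopicArn": TOPIC_ARN,
    "Message": json.dumps({"orderId": 42, "status": "paid"}),
    "Timestamp": "2024-01-01T00:00:00.000Z",
})


def envelope_is_trusted(sqs_body, expected_topic_arn):
    """Consumer-side sanity check: the envelope must be a Notification from the topic
    we subscribed to. This is a consistency check, not authentication; the queue
    policy above is what actually keeps other producers out."""
    try:
        envelope = json.loads(sqs_body)
    except json.JSONDecodeError:
        return False
    return envelope.get("Type") == "Notification" and envelope.get("TopicArn") == expected_topic_arn


def parse_sns_envelope(sqs_body, expected_topic_arn):
    """Return the published payload (parsed) or raise if the envelope is not trusted."""
    if not envelope_is_trusted(sqs_body, expected_topic_arn):
        raise ValueError("message did not come from the expected topic")
    return json.loads(json.loads(sqs_body)["Message"])


if __name__ == "__main__":
    policy = sqs_policy_for_sns(QUEUE_ARN, TOPIC_ARN)
    print(json.dumps(policy, indent=2))
    print("scoped:", policy_is_scoped(policy))
    print("payload:", parse_sns_envelope(SAMPLE_SQS_BODY, TOPIC_ARN))
```

The Condition is the part the console does not add for you when you simply pick "Service: SNS" as the principal; without it the queue trusts every SNS topic in every AWS account, which is the classic confused-deputy setup for a service principal.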
- __Amazon Simple Queue Service__
  - Used when you want to send a message to another application but there is a chance that a sudden increase in user traffic could generate a large amount of messages.
  - The messages will queue until the backend can process them.
- __Amazon ELB__
  - A network manager that directs traffic to backend servers.
  - Distributes workloads across servers.
  - Unhealthy servers are taken out of rotation if failing.
  - Can be used with EC2, ECS, EKS & Lambda along with others.
  - There are various LBs, for network traffic, application traffic, etc.
- __Amazon Autoscaling__
  - Many applications have autoscaling like DynamoDB & EC2.
  - Allows for scaling up & down to numbers you specify.
    - Like 2 instances minimum & 4 instances max.
  - Scale as you need within your limits.
- Application Integration - Other services
  - __Amazon AppFlow__
    - Solves the problem of copying data from 3rd party services like Salesforce.
  - __Amazon EventBridge__
    - Acts like a post office for coordinating events across applications.
  - __Amazon MQ__
    - Managed Queue is like SQS but uses open-source software such as RabbitMQ/ActiveMQ instead of AWS proprietary.
  - __Amazon Step Functions__
    - Solves the problem of organizing serverless Lambda functions so they work like a full application.
- Application Integration - Summary
  - SNS duplicates messages to many different services like email, text, or other applications.
  - SQS is built to receive messages & hold them for processing.
  - ELB is a network traffic manager.
  - Autoscaling handles adding & removing capacity, whether servers or read/write units.

##### AWS App Integration - Demo - SNS & SQS

- In the SQS application, under the __Application Policy__ they updated the __Principal__ to be a __Service__, namely __SNS__.

#### Core AWS Services - Management Services

- These services help manage other services.
- These services either provision or optimize other AWS services.

##### How do we create AWS services?
- Imagine needing to create AWS services at scale, e.g. 1000 of them.
- You can do so via the CloudFormation service.
  - CF creates other services using files.
  - CF overview example: [[aws-cp-cloudformations-0.png]]

##### How do we create AWS services & install software on them?

- Once we initialize the AWS EC2 instance we use __AWS OpsWorks__ to deploy software on to the instances.
  - While CF can do something similar, it's not suited for it, and vice-versa.

##### How do I manage all of these servers & services?

- Patching & inventory management can be done via __AWS Systems Manager__.
  - Supports AWS & on-premise environments.

##### How do I manage all of my AWS accounts as if they are one account?

- __AWS Organizations__ is used to centrally govern & manage multiple AWS accounts.

##### How do I offer my AWS services to my employees like AWS was a vending machine?

- To allow employees to use certain services but provision them themselves.
  - So that employees can provision what they want but within your company guidelines.
- __AWS Service Catalog__ enables this functionality. This allows CloudFormation & Terraform creation templates to be turned into "vending machines" for your AWS users.

##### How do I manage multiple accounts using Organizations in a Best Practice way?

- __AWS Control Tower__ is a service that helps you set up AWS Organizations in a best practice way with auditing, logging & compliance rules in place.

##### How do I manage & audit my accounts for malicious activity & track changes?

- __AWS Config__ records & evaluates all configuration changes in your AWS services.
- __AWS CloudTrail__ is a service that tracks & records all user & API activity in your AWS account.

##### Management Services - A few other services of note

- __Launch Wizard__ a guide for installing non-AWS apps like SAP.
- __License Manager__ allows you to track your licenses in AWS, (from 3rd party companies like RHEL).
- __Compute Optimizer__ tells you when you're being inefficient in AWS with compute resources.
- __Trusted Advisor__ a best practice advisor that tells you when you're not following best practices. Business or above support plan.
- __Resource Explorer__ allows you to search & discover your AWS resources.
- __Resource Groups & Tag Editor__ a way to group, tag & manage your services.

##### Management Summary

- Many Management Services are used to manage AWS services.
- CloudFormation & OpsWorks are used to create AWS service objects, while Systems Manager is for configuration.
- Organizations & Control Tower are all about multi-account management & setup.
- AWS Config & AWS CloudTrail are configuration tracking & API tracking.
- Other management services also exist, but these are the main ones.

##### AWS Management - Demo

- You create the JSON file locally & then upload it to CloudFormation via the web console.

#### Core AWS Services - Migration and Transfer

##### Migration & Transfer on AWS - Overview

1. AWS Cloud Adoption Framework & Migration Hub
2. Six Common Strategies for Migration
3. Transferring Data
   1. Snow Family (snowball)
      1. Devices that can transfer data.
   2. Transfer Family (sftp)
      1. Batch transferring of data.
4. Migration & Discovery Services
   1. Application Discovery Service
   2. Application Migration Service
   3. Database Migration Service
   4. Elastic Disaster Recovery Service (formerly CloudEndure)
   5. Mainframe Modernization

##### The Cloud Adoption Framework

1. Business
2. People
3. Governance
4. Platform
5. Security
6. Operations

##### Tracking Migrations

- __AWS Migration Hub (service)__
  - Allows you to centralize and see all migrations you have in place via AWS services.

##### Migration Strategies - Rehosting (Lift-and-Shift)

- Take a traditional server with no real changes and migrate it to AWS. Is the quickest solution.

##### Migration Strategies - Replatforming (Lift, Tinker, and Shift)

- Some changes are performed to the application, e.g. changing OS, using managed services, or modifying the environment to suit AWS.

##### Migration Strategies - Refactoring (or Rearchitecting)

- Most invasive and costly in terms of time.
- Requires an overhaul of the service/application to be better suited to run on AWS.

##### Migration Strategies - Repurchasing

- Buying new licenses for AWS for software that was running on-premise.

##### Migration Strategies - Retaining (Do Nothing)

- Keeping the traditional server on-premise until retiring it.

##### Migration Strategies - Retire

- Retiring the on-premise server when no longer needed. Similar to strategy 5.

##### Migrating Data to AWS - The Snow Family

- A physical device that connects within the on-premise environment.
  - On-board computing
  - Tracking
  - Management/monitoring
  - Encryption
  - Secure erasure once complete
  - NFS endpoint
  - Anti-tamper & tamper-evident
- __Snowball Edge Storage Optimized__
  - Small compute
  - Medium data
  - Data transfer 80TB
- __Snowball Edge Compute Optimized__
  - Medium compute
  - Small data
  - Portable compute
  - Used to host VMs
  - Petabyte referred to in quiz
- __Snowmobile (largest)__
  - No compute
  - Large data
  - 100PB of data
  - Exabyte referred to in quiz
- __Snowcone (smallest)__
  - Small compute
  - Small storage
  - Portable compute
- __The Transfer Family - FTP Version__
  - Supports FTP/SFTP/FTPS/AS2 to S3 or EFS.
- __The Transfer Family - AS2 Version__
  - Uses AS2 to send/receive messages using S3/CloudWatch as the backend.
  - [Applicability Statement 2](https://aws.amazon.com/aws-transfer-family/as2/)
- __AWS DataSync__
  - Agent based file transfer service from on-premise to AWS.
- __Application Discovery Service__
  - Service used to discover what software you're running on-premise.
- __Application Migration Service__
  - Service used to move/improve on-premise software to AWS.
- __Database Migration Service__
  - Quick, secure & minimal-downtime way to continuously transfer database data to an AWS database.
- __Elastic Disaster Recovery__
    - Replicates source disks block-by-block into a staging area of small, low-cost EC2 instances & keeps tracking changes.
    - Then launches full-size instances once you're ready to fail over/migrate.
- __Mainframe Modernization__
    - Transforms components of a legacy mainframe into suitable AWS components.
- __Migration Services - Summary__
    - Start with a good plan; remember the Cloud Adoption Framework.
    - Migration Hub is the centralized area for migration tools & plans on AWS.
    - Data transfer happens with the Snowcone, Snowball (Edge) or Snowmobile services.
    - AWS supports FTPS/SFTP/FTP & AS2 for data transfer as well (Transfer Family).
    - Application Discovery is used for scanning the inventory of migratable servers/apps.
    - Application/Database/Data Center all have migration services available on AWS.
    - Mainframe Modernization is a service/framework for engineering mainframe migration.

##### AWS Migration & Transfer - Demo

- Reference __Transfer Family__ in the web console.
- Requires a user within the transfer server.
    - Authenticates with an SSH public key (only the public key is uploaded; the private key stays on the client).
- Reference the endpoint in the web console.

#### AWS Technology - Part Two - Quiz

- Q: What is the main benefit of the re-platform migration strategy in AWS?
    - A: It reduces the complexity of migrating legacy applications.
- Q: What is the purpose of the repurchase migration strategy in AWS?
    - A: To replace existing software with a different vendor's solution.
- Q: Which migration strategy allows for the highest level of scalability and performance optimization in AWS?
    - A: Replatform
- Score: 88% (22 of 25 questions)

#### Application Integration - Quiz

- Completed, was incredibly frustrating...

#### Database Services - Quiz

- Completed

#### Developer Tools - Quiz

- **Application Composer**: A visual tool that simplifies designing and building serverless applications by allowing users to drag and drop AWS services into a workflow. It generates infrastructure-as-code templates for easy deployment.
- **AWS Cloud9**: A cloud-based integrated development environment (IDE) that provides a browser-based editor, terminal, and debugging tools. It enables collaborative coding and supports multiple programming languages.
- **AWS X-Ray**: A service that helps developers analyze and debug distributed applications by tracing requests as they travel through AWS services. It provides insights into performance bottlenecks and service dependencies.
- **AWS CodeDeploy**: A deployment service that automates software updates across AWS compute services like EC2, Lambda, and on-premises servers. It ensures minimal downtime and rollback capabilities for safe deployments.
- **AWS CodeCatalyst**: A fully managed software development service that integrates with AWS tools to streamline project collaboration, CI/CD, and application deployment. It helps teams accelerate software delivery with built-in automation.
- **AWS CodePipeline**: A CI/CD service that automates the build, test, and deployment process for applications. It integrates with AWS and third-party tools to enable continuous delivery.
- **AWS CodeBuild**: A fully managed build service that compiles source code, runs tests, and produces deployable artifacts. It scales automatically and eliminates the need for managing build servers.
- **AWS CodeStar**: A service that provided project management, collaboration, and CI/CD capabilities for software development teams. It simplified setting up development workflows with pre-configured templates and AWS integrations. (Retired product.)

### Technology - Part Three

#### Introduction to AI/ML Services

- (AI) Artificial Intelligence
    - A task or system that performs a task normally specific to humans.
- (ML) Machine Learning
    - The technique that teaches a system, from data, how to perform a task that would normally be performed by a human.
#### AI/ML - Sagemaker

- Build models
- Train models
    - labeled/unlabeled data
- Deploy models
- Fully managed service
- Integrated Jupyter notebooks
- Model training & deployment
- General use cases of SageMaker
    - Predictive analytics
    - Recommendation systems
    - Facilitating data-driven decisions
    - Fraud detection
    - Innovation & automation
    - Enhancing customer experience
- Why SageMaker?
    - Integrated into the AWS ecosystem.
    - Scalable.
    - Comprehensive toolset.
    - Studio/Ground Truth

#### AI/ML - Lex for Chatbots

- Powering conversations with technology
- NLU & ASR
    - Natural Language Understanding
    - Automatic Speech Recognition
- Building chatbots.
- Integration with AWS services.
- General use cases
    - Customer service chatbots.
    - Voice-enabled applications.
    - Informational bots.
- Relevance to modern computing
    - Enhancing user experience.
    - Automation & efficiency.
    - Accessibility.
- Why choose Lex?
    - Stands out from other NLP (Natural Language Processing) tools.
    - Building conversational interfaces with Lex.

#### AI/ML - Kendra

- Enterprise search service/indexing corporate documents.
    - Accurate
    - Easy
- Revolutionizing enterprise search
    - 01 - Machine learning
    - 02 - Natural language queries
    - 03 - Data indexing
- Consider it a "Google Search Engine" for your enterprise/corporation.
- General use cases of Kendra
    - Enterprise search
    - Knowledge management
    - Customer service
- Relevance to modern computing
    - Facilitating informed decision making
    - Enhancing productivity
    - Improving customer satisfaction (internal/external customers)
- Why choose Kendra?
    - Accuracy & efficiency.
- Conclusion
    - Machine learning
    - Natural language queries & data indexing
    - Facilitating informed decision making
    - Enhancing productivity
    - Improving customer satisfaction

#### AI/ML - Comprehend

- Gain insights & relationships from text.
- Uses Natural Language Processing (NLP)
    - 01 - Sentiment analysis
    - 02 - Entity recognition
    - 03 - Language detection
    - 04 - And more, e.g. detection of private/confidential information (PII)
- General use cases
    - 01 - Content personalization
    - 02 - Compliance monitoring
    - 03 - Social media monitoring
- Why choose Comprehend?
    - Extracts sentiment, relationships & private/confidential information from text.

#### AI/ML - Polly

- Turning text into speech.
- Consider it a vocal coach.
- Text-to-Speech (TTS) technology.
- Lifelike voice.
- Language & voice variety.
- General use cases
    - Content narration.
    - Voice assistants.
    - Educational tools.
    - Accessibility.
- Enhances user engagement.
- Enables accessibility & inclusivity.
- Aids innovation in content delivery.
- Speaks many languages (it does not translate between them; pair it with Translate for that).
- Why choose Polly?
    - Stands out from other TTS solutions due to integration with AWS services.
    - Provides high-quality voice output & customization options.

#### AI/ML - Rekognition

- Analyzes images & videos (including detecting text within them).
- Informs you of what's in the videos.
- Identifies objects.
- Facial analysis & recognition.
- Uses deep-learning technology.
- Use cases
    - Security & surveillance.
    - Content moderation.
    - Customer engagement.
    - Increases accessibility.
- Relevance to modern computing
    - Enhancing safety & security.
    - Automation & efficiency.
    - Innovation in customer experiences.
- Why choose Rekognition?
    - Integration with AWS.
    - Fast & simple.
    - Scalability & security.

#### AI/ML - Textract

- Uses ML.
- Text & data extraction.
- Recognizes forms & tables.
- General use cases
    - Automated data entry.
    - Content migration from analog to digital.
    - Compliance monitoring, e.g. PII or sensitive info.
    - Search & discovery (indexed).
- Relevance to modern computing
    - Enhancing efficiency.
    - Facilitating digital transformation.
    - Innovation in data management.
- Why choose Textract?
    - AWS integration.
    - Accurate & efficient.
- Conclusion
    - Image/PDF to text extraction.
    - Language detection.
    - Handwriting into standard text.
    - Governance & compliance.
    - Digital transformation.

#### AI/ML - Transcribe

- Audio to text conversion.
- Your "soundboard".
- Automatic Speech Recognition (ASR) technology.
- Custom vocabulary.
- Speaker diarization.
- Language support.
- Audio & video transcription, converting into scripts.
- Use cases
    - Content creation.
    - Subtitling & captioning.
    - Enhancing accessibility.
    - Voice analytics.
- Relevance to modern computing
    - Facilitating content creation.
    - Enabling innovation in analytics.
- Why use Transcribe?
    - Offers accuracy & customization.
    - AWS integration.
    - Wide variety of language options.
- Conclusion
    - Transcriber from video & audio to text.

#### AI/ML - Translate

- Bridging language gaps
- Neural Machine Translation (NMT)
- Wide variety of language options.
- Real-time & batch translations.
- Translation of text formats.
- General use cases
    - Content localization.
    - Customer support.
    - Social media monitoring.
    - Facilitating e-learning.
- Relevance to modern computing
    - Global reach.
    - Facilitating communication with a wider audience.
    - Innovation in content delivery.
- Why use Translate?
    - Accuracy & customization.
- Conclusion
    - Translation services from one language to another.
    - Text translation.
    - Content localization & customer support.
    - Social media monitoring.
    - E-learning

#### AI/ML - Summary

- Consider AI/ML as a "theme park" in that each of the services is like a ride.
    - Each experience is designed to solve a specific problem.
- Star attractions
    - [[#AI/ML - Sagemaker]]
    - [[#AI/ML - Lex for Chatbots]]
- Specialty rides
    - [[#AI/ML - Polly]]
    - [[#AI/ML - Rekognition]]
- Hidden gems
    - [[#AI/ML - Textract]]
- Real-world adventures
    - [[#AI/ML - Translate]]
    - [[#AI/ML - Transcribe]]

#### Demo: Sagemaker & Sagemaker Studio

- Demo

#### Secondary AWS Services - Analytics Services

- Data observatory
    - Consider each of the sub-services as a telescope.
- Athena
    - Serverless SQL queries run directly against data sitting in S3 (Presto/Trino engine); nothing is imported & you pay per amount of data scanned.
    - Log analysis.
    - Data lake queries.
    - Data must be structured or semi-structured (CSV, JSON, Parquet, etc.).
- Data Exchange
    - Data marketplace.
    - To buy or sell data.
    - e.g. census data, firewall rules, etc.
- Elastic MapReduce (EMR)
    - Big data processing.
    - Data transformation.
    - Analytics.
- Glue - Data Catalog
    - Fully managed Extract Transform Load (ETL) service.
    - Catalog/index data.
    - Makes it easier to move data between data sources.
    - Data preparation for analytics.
- Kinesis - The streaming telescope
    - Similar to Kafka.
    - Real-time or near-real-time streaming service.
    - Stream data to the places you need it.
    - Collects, processes & does some analysis.
- Managed Streaming for Apache Kafka (MSK)
    - Specialized data streaming service.
    - Managed service for Apache Kafka.
    - Real-time analytics.
    - Data ingestion.
- OpenSearch Service
    - AWS variant of Elasticsearch (AWS fork).
    - Anything fed into this service will be searchable.
    - Document (NoSQL) store optimized for search.
    - Log analytics.
    - Real-time analytics.
- QuickSight
    - Business intelligence dashboards.
    - Data storytelling.
    - Deep analysis through rich visualizations.
- Redshift
    - Data warehouse.
    - Historical data analysis.
    - Uses SQL query syntax (based on PostgreSQL).
    - Forecasting.

#### Demo: Athena

- Demo

#### Secondary AWS Services - Business Application Services

- Communication
    - Simple Email Service (SES)
        - Marketing emails
        - Transactional emails
        - Informational emails
        - Both sending & receiving
        - Bulk email
        - Personalized emails
        - Email filtering
- Customer service
    - Amazon Connect
        - Customer service desk
        - Voice & chat
        - Call routing
        - Interactive Voice Response (IVR)
        - Real-time analytics
        - Omnichannel support (connects to other backend systems)
        - Effective communication
        - Enhanced customer service

#### Demo: Amazon Connect

- Demo

#### Secondary AWS Services - Customer Engagement Services

- Activate for Startups
    - Advice & free service usage (credits).
    - A rapport between AWS & the users of AWS itself.
    - Components & structure for your idea, from concept to production execution.
    - Provides credits to access AWS services.
    - Offers technical support & training.
    - Facilitates access to AWS's startup community.
    - Use cases - Part 1
        - Early-stage startups leveraging AWS credits to build their infrastructure.
        - Startups utilizing technical support for scaling their services.
    - Use cases - Part 2
        - Network & learn from the AWS startup community.
        - Utilizing training resources to build a skilled team.
- AWS IQ
    - Connects clients with certified AWS experts for particular projects.
    - Use cases - Part 1
        - Startups finding experts for their AWS projects.
        - Businesses leveraging AWS IQ for technical guidance & project execution.
    - Use cases - Part 2
        - AWS experts finding opportunities to work on diverse projects.
        - Clients receiving personalized assistance & solutions.
    - Connecting experts & clients together.
    - Finding experts for AWS projects.
    - Technical guidance & project execution.
- AWS Managed Services (AMS)
    - Operations management
    - Infrastructure management
    - Security assurance & compliance.
    - Enterprise-level businesses leveraging AMS.
    - AMS aiding in migration & cloud adoption.
    - Utilizing AMS for continuous compliance & automated operations.
- AWS Support
    - The different levels of AWS support provided to AWS users.
    - Technical support & guidance.
    - Providing infrastructure event management.
    - AWS support for smooth operations.
    - Aiding in crisis management & resolution.
    - Proactive infrastructure management.

#### Secondary AWS Services - Developer Tools

- AppConfig
    - Application configuration manager.
    - Managing & deploying configurations.
    - Controlled deployments.
    - Validation checks.
    - Monitoring of configurations.
    - Conditional configurations, e.g. per environment.
    - Enables application tuning.
    - Feature flag management for applications.
    - Ensures safe deployments by gradually rolling out changes.
- CloudShell
    - Browser-based shell.
    - Pre-authenticated AWS CLI (runs with the credentials of the console session you're signed in with).
    - Persistent file storage.
    - Running scripts & commands directly from the browser.
    - Managing AWS resources more efficiently.
    - Quick access to AWS services without any setup.
    - Facilitating remote work & collaboration.
- Cloud9
    - Cloud-based integrated development environment (IDE).
    - Real-time collaborative coding.
    - Pre-packaged development environments.
    - Supports many programming languages.
- CodeArtifact
    - Managed artifact repository.
    - Centralized repository for built code & package dependencies.
    - Fine-grained access control.
- CodeCommit
    - Source code repository.
    - Supports git.
    - Integration with CI/CD pipelines.
    - Stores code securely & privately.
- CodeDeploy
    - Deploys built code.
    - Automates deployments from the artifact repository.
    - Centralized control.
    - Runs on AWS or non-AWS environments (with use of an agent).
    - Blue/green deployments.
    - Automated rollbacks.
    - Rapid release cycles.
- CodePipeline
    - Automated release processes.
    - Visual workflow.
    - Integrates with 3rd-party platforms.
    - Continuous delivery service.
    - Reliable application updates.
    - CI/CD pipeline orchestration.
- CodeStar
    - Unified & collaborative interface.
    - Template-based project creation.
    - Retired product.
- X-Ray
    - Traces are now surfaced through the CloudWatch console.
    - Runs traces.
    - Service maps.
    - Performance optimization.
    - Error debugging.
    - End-to-end monitoring of an application.
    - Debugging & analysis tool for diagnosing & improving distributed applications.
- Summary & key takeaways.
    - ![[AWS_CloudPractitioner_DeveloperTools.png]]

#### Demo: AWS Cloud9

- Demo

#### Secondary AWS Services - End-User Computing

- AppStream 2.0
    - Streams desktop applications to workstations.
    - Reduces the need for high-end hardware on the client side.
    - Delivers remote applications securely.
    - Allows for different software versions.
    - Facilitates cloud-based application access.
    - Reduces hardware dependencies & upgrades.
- WorkSpaces
    - Virtual desktops in the cloud.
    - Desktops as a Service (DaaS).
    - Personalized virtualized desktop.
    - Secure managed desktop service.
- WorkSpaces Web
    - Same as WorkSpaces but via a browser.
    - Bring your own device (BYOD).
- General use cases
    - Remote working.
    - Secure data handling.
    - Simplified IT management.
    - Streamlined computing solutions.

#### Demo: AWS Workspaces

- Demo

#### Secondary AWS Services - Frontend Web & Mobile Services

- Amplify
    - Tool for building dynamic web & mobile applications.
    - JavaScript framework support primarily.
    - Back-end & front-end development.
    - Hosting & CI/CD pipeline.
    - Provides real-time updates to applications.
    - Easy authentication (backed by Cognito).
- AppSync
    - Simplifies app development with GraphQL.
    - Features such as real-time updates.
    - Data synchronization.
    - Offline access.
    - Backend development more so than frontend.
    - Security & authorization.
    - Unified development experience.

#### Demo - AWS Amplify

- Demo

#### Secondary AWS Services - IoT Services

- IoT Core
    - Handles fleet management & messaging for IoT devices.
    - Secure device connectivity & communication.
    - Data processing & transformation.
    - Use cases
        - Industrial automation & predictive maintenance.
        - Smart home solutions.
        - Connected vehicles & telematics.
- IoT Greengrass
    - Edge service & runtime that runs on the edge devices.
    - Local IoT orchestrator.
    - Messaging & data caching.
    - Enables edge computing.
    - Local (edge) data processing & analysis.
    - Secure device deployment & management.
    - Use cases
        - Industrial automation.
        - Smart agriculture.
        - Healthcare.
- ![[IoT_Services_0.png|400]]

### Billing & Pricing

#### General Billing in AWS

- Duration pricing
    - You pay for as long as the resource is running (e.g. EC2, RDS, Lambda execution time).
- Request pricing
    - You pay per request or per unit consumed (e.g. API calls, outbound network transfer per GB).
- Billing tools:
    - calculator.aws
- AWS Optimize & Save tools
    - Try to use serverless services over servers.
    - Identify billing before you deploy & as you utilize resources.
    - Maximize the power of elasticity
        - Scale up only when needed.
        - Ensure you scale down when no longer needed.
    - Utilize automation to delete & recreate services.
        - e.g. CloudFormation, Terraform
    - Utilize auto-scaling services & products.
- Pricing models
    - On-Demand: No contract, pay for what you use.
    - Savings Plan: Commit to a consistent amount of spend ($/hour) for 1 or 3 years & receive a discounted rate on the usage that commitment covers.
    - Spot: Pay a reduced price for spare compute capacity, but AWS can reclaim it (with a two-minute warning) when it needs the capacity back.
    - Reservation: Commit to specific resources for 1 or 3 years & pay for them whether you use them or not, in exchange for a discount.
- Free Tier
    - Primarily for learning & testing.
    - Free trials.
    - Free for 12 months, e.g. EC2.
    - Always free (some services are always "free" depending on usage).
- Summary
    - Most services charge based on usage & capacity (over time).
    - Compute, storage & requests/network are common dimensions.
    - Understand billing to optimize your spending.
    - Scale up & down as required.
    - Use the appropriate billing model for your workload.
    - Utilize the Free Tier for learning.

#### Specific Billing - EC2

- EC2 tools site: ec2instances.info
- On-demand
    - Deploy a machine; use it for seconds/minutes/hours; then terminate it when done.
- Savings Plan
    - Commit to a fixed hourly compute spend for 1 **or** 3 years; usage covered by the commitment is billed at the discounted Savings Plan rate, anything above it at On-Demand.
- Spot
    - Request a Spot instance at the current Spot price (optionally with a maximum price you're willing to pay); get the machine for minutes to days; obtain up to 90% discount. However these resources aren't guaranteed & can be reclaimed with two minutes' notice when AWS needs the capacity for customers paying full price. Thus the application must be fault tolerant.
    - Spot no longer works by bidding; you simply pay the current Spot price.
- Reservations
    - Commit to 1 **or** 3 years & get up to 72% off On-Demand costs with Reserved Instances.
- Dedicated
    - Your private, dedicated EC2 hosts. The most expensive plan. Mainly for security & compliance-specific workloads that can't share a hypervisor with other AWS customers.
- Fundamentals of pricing
    - Three general drivers of billing
        - Compute
        - Storage
        - Network
    - Licensing model (e.g. based on OS & the pricing model mentioned in the previous area).
    - Additional costs related to features
        - Storage
        - Elastic IP addresses
        - Load balancers/traffic managers
        - Hibernation
        - Outbound data/network transfer
- Summary
    - EC2: pay for when the machine is running.
    - Compute, storage, requests/network are the common dimensions even with EC2.
    - Five pricing models
        - On-demand
        - Reserved
        - Spot
        - Dedicated
            - Both instances & hosts.
        - Savings Plan
    - Sizing is the biggest dimension.
    - Enabling features or service integrations can increase costs.

#### Calculate the following Compute Costs - Calculator Exercise

- Exercises are meant to familiarize you with billing, not to memorize billing.
- Tools sites:
    - calculator.aws
    - ec2instances.info
- Follow up with this practice test.

#### Specific Billing - RDS

- 3 primary RDS sub-services
    - RDS "main"
        - Oracle, MSSQL, MySQL, MariaDB or PostgreSQL.
        - Can be more expensive if using Oracle or MSSQL (commercial licensing).
    - Aurora
        - Scalable, AWS-built engines compatible with MySQL & PostgreSQL.
    - Aurora Serverless
        - Two versions, v1 & v2, both of which allow you to use Aurora without servers to manage.
- What is the DB instance size & number of DB instances?
    - Costs increase as you increase instance sizes.
    - Typically billed per hour.
- Storage disk & storage types
    - General purpose
        - Cheapest & used for standard workloads except for the most demanding.
    - PIOPS (Provisioned IOPS)
        - Most expensive & you control how many I/O operations per second it supports. Up to 256k IOPS.
- Features that impact costs
    - Backup retention
    - Deployment models
        - active/passive (Multi-AZ)
        - clustered
        - Blue/green cut-over to test an updated DB engine
    - Caching models
- RDS does support reservations (Reserved Instances).
    - Does not have Spot, Dedicated or Savings Plans.
    - On-Demand is common but Reserved is recommended due to the discount.
- Summary
    - Which RDS service are you running?
        - RDS main, Aurora, or Aurora Serverless.
    - What DB engine are you using?
    - What size of DB instance are you using?
    - How big & how fast are the storage disks?
    - Are you using On-Demand or Reservations for your RDS instances?
    - Did you enable additional features that increase costs?
        - Multi-AZ or backup retention.

#### Calculate the following Database Costs - Calculator Exercise

- Same as [[#Calculate the following Compute Costs - Calculator Exercise]]

#### Specific Billing - VPC

- The VPC itself is free.
    - Network traffic between services running within the same VPC (same AZ, over private IPs) is free.
    - Subnets, Security Groups, NACLs & IP ranges are free.
- Charges for network usage are for outbound data, e.g. out of AWS to the Internet.
    - Charges for AZ-to-AZ traffic are incurred as well.
    - Cross-region transfer is charged to the sending (outbound) region.
    - Traffic between services within the same region is free (subject to the AZ & public-IP rules above); traffic to services outside the region is charged.
- Additional components to consider for costs
    - Amazon VPC
        - NAT Gateway
            - Charged for the gateway itself, hourly.
            - Charged for network usage that goes through the gateway, per GB.
        - Outbound data
- Summary
    - Most VPC components are free.
    - Outbound data is not free.
    - Same region, same AZ or via private IP is free.
    - Different region, different AZ or public IP is charged.
    - Add-on components add extra costs, particularly when data is accessed through them.

#### Calculate the following Network Costs - Calculator Exercise

- Same as [[#Calculate the following Compute Costs - Calculator Exercise]]

#### Specific Billing - Lambda

- Serverless (Function-as-a-Service) solution.
- Charged based on size (memory allocated), duration of running & how many times it runs.
    - Request pricing
    - Duration pricing
- Other features affect costs
    - Lambda@Edge
    - Ephemeral function storage
    - Provisioned concurrency
    - Response streaming
- Summary
    - Lambda pricing is based on size, duration & frequency.
    - The more it runs, the more you pay (frequency).
    - The more memory allocated & the longer it runs, the more you pay.
    - Lambda functions have a max memory limit of up to 10GB & a max execution time of 15 mins.
    - Additional features can affect costs.
    - The exam does not test specific billing numbers, only general comparisons.

#### Billing for other services in general

- Summary
    - Not required to know the specifics of billing for each service.
    - EBS charges based on the type, size & storage duration of the virtual hard drive.
    - S3 charges based on the number of objects, number of requests, storage class & outbound data transfer.
    - DynamoDB charges based on table type, amount of data & read/write capacity units.
    - CloudFront charges based on data pulled/actions against "cached" objects.
    - Macie charges based on the data/objects scanned.

#### Calculate the following Random Service Costs - Calculator Exercise

- Similar to [[#Calculate the following Compute Costs - Calculator Exercise]]

#### How Account Structures can affect billing

- AWS Control Tower is the best-practice application of AWS Organizations.
- Summary
    - Solo accounts have their own bills, details & savings.
    - Two or more accounts can designate a payer (management) account with Consolidated Billing.
    - A payer account is already in place if the account is part of an AWS Organization.
    - Control Tower is the best-practice way to deploy a multi-account landing zone.
    - All three account structures still let you see costs broken down per account.

#### Tools for Billing Analysis & Support

- AWS Billing Dashboard
    - Specific cost data
    - Shows specific costs
    - Breakdown by service/region/usage
    - Overview of billing
- Cost Explorer
    - Can get a forecast based on historical data.
    - Very detailed
    - Visual dashboards
    - Allows manipulation
    - Export data
- Cost & Usage Report (CUR)
    - Detailed breakdown of costs per resource used.
    - Publishes to an S3 bucket
    - Breaks down costs by dimensions
    - Reports in CSV format
    - Reports work with other AWS services
- AWS Budgets
    - Fixed target amount for services or account usage.
    - Can be used to stop deployment of resources to save costs (must be configured as a budget action, e.g. attaching a restrictive IAM policy or SCP, or stopping EC2/RDS instances, when a threshold is crossed).
    - Sets budget limits
    - By default a budget only notifies; it does not block spend on its own.
    - Can be combined with other services
- Summary
    - Billing dashboard, Cost Explorer & CUR are the tools for billing analysis.
    - AWS Budgets is focused on soft & hard limits & notifications for billing.
    - The "bill" or billing dashboard is great for quick reference/overview.
    - Cost Explorer is more about visualization of billing data.
    - CUR is the most detailed usage report.
    - Budgets can be configured to "restrict" service deployments based on thresholds/alarms (must be set up to do so; by default they only notify).
    - Follow up on the Skill Builder account.

#### AWS Support Options

- Basic Support
    - Free for all customers. No case limits via web.
    - Web support for cases (account & billing questions only; no technical support cases).
    - Limited access to Trusted Advisor checks (core checks only).
    - Access to the AWS Health Dashboard (formerly Personal Health Dashboard).
    - No phone support.
    - No SLA for response or remediation.
    - No Technical Account Manager (TAM).
    - Cheapest option at **free**.
- Developer
    - Includes Basic Support.
    - Recommended for experimenting & testing on AWS.
    - Slight increase in Trusted Advisor checks.
    - Prioritized responses on AWS re:Post; one primary contact can open technical cases.
    - No phone support; web only.
    - Response times of 24 hours for general guidance & 12 hours for impaired systems.
    - No Technical Account Manager or Concierge Support Team.
    - Second cheapest at the greater of $29/month or 3% of monthly AWS usage.
- Business
    - Includes everything in Developer.
    - Minimum level if you have production workloads on AWS.
    - Lowest tier that has **all** Trusted Advisor checks.
    - Access to the AWS Support app in Slack & the AWS Support API.
    - 24/7 phone, web & chat access to Cloud Support Engineers; unlimited contacts.
    - Same SLAs as Developer plus production system impaired <4 hours & production system down <1 hour.
    - No Technical Account Manager or Concierge Support Team.
    - Third cheapest at the greater of $100/month or a tiered % of monthly usage.
    - Additional support/training services can be added.
- Enterprise On-Ramp
    - Includes everything in Business.
    - Recommended if you have mission-critical workloads in AWS.
    - **ALL** Trusted Advisor checks (as in Business).
    - Infrastructure Event Management.
    - Same as Business SLAs but business-critical system down <30 mins.
    - Access to a pool of TAMs, plus the Concierge Support Team.
    - Second most expensive at the greater of $5,500/month or 10% of monthly usage.
    - Additional services like AWS Managed Services can be added.
- Enterprise
    - Dedicated TAM / primary point of contact.
        - Educates & empowers the client & evolves with them along the cloud journey.
        - Provides architectural guidance.
        - Facilitates issues & requests.
        - Can bring in other Subject Matter Experts (SMEs) as required.
        - Proactive reviews, training, architecture reviews, workshops & deep dives.
    - Same as Business SLAs but business-critical system down <15 mins.
    - Most expensive at the greater of $15,000/month or a tiered % of monthly usage.
- Summary
    - Developer
        - Best practice guidance.
        - Client-side diagnostic tools.
        - Building-block architecture support.
        - 12-hour response time.
    - Business
        - Application architecture guidance.
        - Infrastructure event management.
        - Full Trusted Advisor checks.
        - 1-hour response time.
    - Enterprise On-Ramp
        - Application architecture guidance.
        - Infrastructure event management.
        - Pool of TAMs.
        - 30-minute response time.
    - Enterprise
        - Application architecture guidance.
        - Infrastructure event management.
        - Designated TAM.
        - 15-minute response time.
- AWS Marketplace provides vendor-configured setups for 3rd-party services.
- ![[BillingSummary-0.png]]

#### Quiz - AWS Pricing & Billing

- Score: 84% - 21/25

#### Billing Challenge

- **AWS Billing Conductor**: A service that allows businesses to customize billing and cost allocation by grouping accounts and setting custom pricing models without affecting actual charges. It helps create detailed billing reports for internal cost management.
- **AWS Cost Explorer**: A tool that provides interactive visualizations and reports for analyzing AWS cost and usage trends over time. It helps forecast future expenses and optimize spending based on usage patterns.
- **AWS Budgets**: A cost management service that enables users to set budget thresholds for AWS usage, costs, and reservations. It provides alerts when spending exceeds predefined limits.
- **AWS Cost & Usage Report (CUR)**: A comprehensive dataset that provides detailed insights into AWS resource usage and associated costs. It delivers granular data that can be used for custom cost analysis and reporting.
- **AWS Savings Plans**: A flexible pricing model that offers lower rates on AWS compute services in exchange for a commitment to a consistent usage level over a 1- or 3-year term. It automatically applies discounts across EC2, Fargate, and Lambda usage.
- **AWS Compute Optimizer**: A machine learning-based service that analyzes AWS compute usage and recommends optimizations for EC2 instances, Auto Scaling groups, Lambda functions, and EBS volumes to improve performance and reduce costs.

### Bringing it all together

#### Summary on Cloud Computing

- Cloud computing is the on-demand delivery of IT resources, particularly compute power, application hosting, database applications, networking & more.
- Models of deployment:
    - Cloud
    - On-premises
    - Hybrid
- Works on the client-server model.
- Provides near-instant pay-as-you-go access to compute resources/app hosting.
- AWS was the first large-scale cloud provider.
    - Launched in 2006 with S3 as the first service.
    - Now has 300+ services.
- Signup is free; all services are usually pay-to-use.
- AWS has the largest community, market positioning & growth in the industry.
- Cloud benefits
    - Trade upfront expense for variable expense.
    - No longer focusing on data centers.
    - No longer guessing capacity; scale as you grow & scale down as required.
    - Benefit from economies of scale.
    - Increase technical speed & agility.
    - Reduces the overhead of managing physical hardware.
    - Global in minutes due to AWS's large global footprint.
- Cloud economics
    - Free Tier for certain services; some are free for 12 months after new account creation.
    - On-Demand is full pricing & pay-as-you-go, but with no contract & flexible.
    - Reservations are contracts that you enter into with Amazon for 1 or 3 years.
    - Volume discounts: pay less per unit as you use more.
    - Price drops: price cuts AWS makes on its services from time to time, typically as it becomes more efficient.
- Cloud-native design principles
    - Design for failure.
    - Decouple components.
    - Implement elasticity.
    - Think parallel, as in being able to compute at the same time versus serially.

#### Summary on Security & Compliance

- AWS Shared Responsibility Model
    - The shared responsibility model delineates the customer's responsibilities & AWS's responsibilities.
    - Unmanaged services need to be secured by users.
    - Managed services offload some of the security responsibility onto AWS.
    - Compliance & regulatory frameworks are sets of guidelines & best practices that organizations must follow.
    - AWS compliance reports can be accessed on-demand from AWS Artifact.
    - The AWS Customer Compliance Center is a central location to research cloud-related regulatory requirements & how they impact your industry.
    - Audit Manager continuously collects data to prepare for audits & ensures that you are achieving compliance with regulatory standards.
    - AWS Config monitors the configuration state of AWS resources over time.
    - Shared Responsibility Model ![[CloudPractioner_SummaryCloudComputing-0.png]]
- Identity & Access Management (Users, Groups & Roles)
    - **Users**
        - The root user has unlimited access & no restrictions (so enable MFA on it & don't use it for day-to-day work).
        - IAM is responsible for managing access to AWS resources.
        - An IAM user represents a person or application that needs access to AWS or a subset of services.
        - Policies are documents that either grant or deny access to specific AWS services/resources.
    - **Groups**
        - Groups are a collection of IAM users.
    - **Roles**
        - A role allows a user or service to get temporary access to a service or resource.
    - Least-privilege permissions: grant users or entities the minimum level of access required to perform their specific tasks, reducing the risk of unauthorized actions or potential security breaches.
  - **Policy**
    - Policies are written in JSON format.
    - Policy example:
      - ![[CloudPractioner_SecCompliance_PolicyExample-0.png]]
  - **Organizations**
    - Organizations help manage multiple AWS accounts.
    - Organizational Units (OUs) allow you to group accounts with similar business or security requirements.
    - Service Control Policies (SCPs) restrict what an account can do.
    - SCPs can be applied to individual accounts or OUs.
  - **Security Resources**
    - Prevention
      - Web Application Firewall (WAF) protects applications from common attacks like SQL injection & XSS.
      - Shield protects apps & services from DDoS attacks.
      - Network Firewall monitors traffic entering & leaving VPCs.
    - Detection
      - GuardDuty monitors & detects suspicious activity & potential threats in your AWS environment.
      - Detective helps analyze & investigate security-related events by collecting & visualizing data.
      - CloudTrail logs & monitors all user & API activity within an AWS account.
      - AWS Config tracks & audits the configuration of AWS resources over time.
      - Security Hub automates security checks & brings alerts to a central location. It also validates against AWS best practices.
      - Security Lake collects logs from a variety of locations & transforms them into a query-efficient format.
      - Macie scans S3 buckets for sensitive data & notifies users of findings.
    - Management
      - Firewall Manager helps manage security configurations across multiple AWS accounts.
      - Resource Access Manager helps you securely share resources across accounts, organizations & OUs.
      - Cognito provides authentication (with social logins), authorization, & user management for web & mobile applications.
      - IAM enables you to manage user identities & their access to AWS resources.
      - Identity Center provides a central location for managing user authentication across multiple AWS accounts.
      - Secrets Manager allows you to securely store & manage sensitive information like passwords & credentials.
      - AWS Certificate Manager (ACM) provisions, manages, & deploys SSL/TLS certs for AWS resources.
      - Private Certificate Authority lets you run your own private certificate authority within AWS.
      - Key Management Service (KMS) creates & manages the encryption keys used to encrypt data.
      - Hardware Security Module (HSM): AWS provides dedicated hardware to store & operate cryptographic keys.

#### Summary on Technology

- Deployment Methods
  - AWS Console
  - AWS CLI
  - AWS SDK
- Global Infrastructure
  - Regions are locations where certain services can be deployed.
    - Not all services are available in all regions.
  - Availability Zones (AZs) are isolated & independent DCs inside regions.
  - Edge locations are smaller Points of Presence (PoPs) where services run closer to end customers.
  - Local Zones are extensions of AWS regions located near users in select metropolitan areas.
- Networking
  - VPC isolates computing resources from each other in the cloud.
    - VPCs are isolated to a region.
    - VPC CIDR blocks define the IP addresses a VPC can use.
  - Subnets are a range of IP addresses within a VPC.
    - Subnets reside within a single AZ.
    - Subnets can be made public/private using Internet Gateways & NAT Gateways.
  - Internet Gateways allow subnets to communicate with the Internet & vice versa.
  - NAT Gateways allow subnets to talk to the Internet, but connections must be initiated from within the VPC.
  - Virtual Private Gateways enable secure access to private resources over the Internet.
  - Direct Connect (DX) is a direct connection into an AWS region that provides low latency & high speeds.
  - Every region has a default VPC with default subnets, Security Groups & NACLs.
    - The default CIDR block is `172.31.0.0/16`.
    - By default, the default VPC & its subnets have outbound access to the Internet.
    - One default subnet in each AZ.
    - The default Security Group allows all outbound traffic & the default NACLs are open in both the inbound & outbound directions.
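Added example (not from the course): a small Python model of the NACL vs Security Group distinction summarised in the Firewalls bullets that follow, showing why a stateless NACL needs an outbound rule for the ephemeral port range before a reply can leave the subnet, while a stateful Security Group tracks the flow itself. Addresses and ports are constructed; the server address 172.31.0.20 is chosen to sit in the default VPC's `172.31.0.0/16` block.

```python
"""Added example (not course material): a toy model of a stateless NACL versus
a stateful Security Group, using constructed addresses and ports."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One packet as seen at the subnet (NACL) or instance (SG) boundary."""
    direction: str  # "in" or "out"
    src: str
    sport: int
    dst: str
    dport: int


class NetworkAcl:
    """Stateless subnet firewall: every packet, replies included, is matched
    against numbered rules in order (first match wins) and otherwise denied."""

    def __init__(self, rules):
        # Each rule: (rule_number, direction, port_low, port_high, "allow"|"deny")
        self.rules = sorted(rules)

    def permits(self, pkt):
        for _number, direction, low, high, action in self.rules:
            if direction == pkt.direction and low <= pkt.dport <= high:
                return action == "allow"
        return False  # implicit deny at the end of the rule list


class SecurityGroup:
    """Stateful instance firewall: only allow rules exist, and the reply to a
    permitted flow is allowed no matter what the rules in the other direction say."""

    def __init__(self, inbound_ports, outbound_ports):
        self.allowed = {"in": set(inbound_ports), "out": set(outbound_ports)}
        self.flows = set()  # (direction, src, sport, dst, dport) of accepted packets

    def permits(self, pkt):
        reverse_direction = "out" if pkt.direction == "in" else "in"
        if (reverse_direction, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return True  # reply to a connection the SG already accepted
        if pkt.dport in self.allowed[pkt.direction]:
            self.flows.add((pkt.direction, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return False


def https_exchange(firewall):
    """Constructed traffic: a client connects to a web server on 443 and the
    server replies to the client's ephemeral port. Returns (request_ok, reply_ok)."""
    request = Packet("in", "203.0.113.10", 51515, "172.31.0.20", 443)
    reply = Packet("out", "172.31.0.20", 443, "203.0.113.10", 51515)
    return firewall.permits(request), firewall.permits(reply)


# Common mistake: allowing 443 in both directions. The reply's destination port
# is the client's ephemeral port, so the stateless NACL drops it.
NACL_WRONG = NetworkAcl([(100, "in", 443, 443, "allow"), (100, "out", 443, 443, "allow")])
# Fix: also allow the ephemeral port range outbound.
NACL_FIXED = NetworkAcl([(100, "in", 443, 443, "allow"),
                         (100, "out", 443, 443, "allow"),
                         (110, "out", 1024, 65535, "allow")])
# Security Group with only an inbound 443 rule: the reply still passes.
SG_STATEFUL = SecurityGroup(inbound_ports=[443], outbound_ports=[])
```

`https_exchange(NACL_WRONG)` lets the request in but drops the reply; `NACL_FIXED` and `SG_STATEFUL` both pass the full exchange.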
  - Firewalls
    - Stateless firewalls require traffic to be explicitly permitted inbound & outbound.
    - Stateful firewalls are intelligent firewalls that track requests & allow the responses.
    - NACLs filter traffic entering & leaving a subnet.
      - NACLs are stateless firewalls.
    - Security Groups act as firewalls for individual resources such as EC2 instances, NICs & other network objects.
      - Security Groups are stateful firewalls.
    - ![[CloudPractioner_TechFirewallsSummary-0.png]]
- Storage
  - Block Storage
    - A collection of blocks can be presented to the OS as a volume.
    - EBS vols can be mounted & booted.
    - EBS vols are within an AZ.
    - Instance Stores are removed when EC2 instances are stopped/started.
  - File Storage
    - EFS stores data in a hierarchical structure of directories & files.
    - Accessible over the network.
    - EFS can be mounted as a file system inside of the OS.
    - It can't be used as a boot vol to install an OS.
  - Object Storage
    - Objects are merely files.
    - Flat file structure (no directories), but they appear as directories.
    - Use cases: storing media files, logs, audit reports or any file type needed.
    - API storage, so it can't be mounted or booted from.
    - Storage classes impact accessibility, resiliency & cost.
  - Types of Storage
    - ![[CloudPractioner_TechStorageTypes-0.png]]
- Compute
  - EC2
    - EC2 lets you deploy a server in AWS within minutes.
    - AMIs are templates for deploying EC2 instances.
    - AWS provides a variety of instance types for computing needs (Memory, Compute, Storage optimized).
    - AWS supports a variety of OSes (e.g. RHEL, SUSE, Ubuntu, Amazon Linux, Windows).
    - AWS supports a variety of processors (e.g. ARM, AMD, Intel).
    - AWS Marketplace offers pre-built AMIs for various services (NGINX, DBs, etc).
    - Pricing Models
      - On-Demand: pay for what's used & billed only when the instance is running.
      - Spot: discounted rates when AWS has spare capacity.
        - Must be able to tolerate interruptions.
      - Reserved: discounted rates when reserved for long time periods (1 or 3 years).
      - Dedicated Host: reserves an entire host for you.
      - Dedicated Instance: only your instances run on a server, but that server can change if instances are stopped/started.
  - Lambda
    - Run code without having to deploy or manage servers.
    - AWS manages the server maintenance, scaling, capacity provisioning, & logging.
    - Use cases: file processing, mobile & web backends.
    - Autoscales to handle traffic spikes.
    - Pay per invocation; only pay for what's used.
  - Containers
    - Containers are tools that allow you to package an application & all of the required files, libs, & dependencies the app needs to run.
    - Container orchestrators deploy, manage & scale containerized apps.
    - ECS is a simple managed container orchestrator provided by AWS (proprietary).
    - Kubernetes is an open source container orchestrator.
    - EKS is a managed K8s service. AWS manages the control plane for you.
- Database Services
  - Self-managed on an EC2 instance.
  - RDS & Redshift are the primary SQL DBs.
    - RDS supports 5 engines: Oracle, MSSQL, MySQL, MariaDB & PGSQL.
  - NoSQL services
    - Managed DynamoDB, DocumentDB & others.
    - Review the provided slide for more info.
  - RDS is the RDBMS SQL DB service.
    - Aurora is a sub-service of RDS that is a cloud-native version of PGSQL & MySQL.
    - Aurora Serverless v2 is an Aurora variant with no VM management & with autoscaling.
    - All RDS engines feature encryption, replication, autoscaling & more.
  - Redshift differs from the others in that it is for reporting (OLAP).
    - Redshift has a serverless version & can handle PB of data.
  - NoSQL Services
    - DynamoDB is the primary NoSQL service.
    - AWS provides various NoSQL solutions for different use cases, e.g. search, security, etc.
    - DynamoDB, DocumentDB & other NoSQL services are fully managed.
  - ![[CloudPractioner_DBTypes-0.png]]
- Application Integration
  - Simple Notification Service (SNS) duplicates a message out to multiple destinations such as email, text, other applications, etc.
  - Simple Queue Service (SQS) is built to receive messages & hold them for processing.
  - ELB distributes network connections over a pool of applications/servers.
  - Autoscaling handles adding & removing capacity, whether servers or read/write units.
  - Various other services will be provided in the practice exams.
- Management Services
  - There are numerous Management Services used to manage AWS services.
  - CloudFormation & OpsWorks are used to create AWS service objects, while Systems Manager is for configurations.
    - **AWS CloudFormation**: A service that enables Infrastructure as Code (IaC), allowing users to define and provision AWS resources using templates for automated and repeatable deployments. It helps manage infrastructure efficiently by treating it as code.
    - **AWS OpsWorks**: A configuration management service that automates server setup, deployment, and management using Chef and Puppet. It helps users maintain consistent configurations across EC2 instances and other AWS resources.
  - Organizations & Control Tower are related to multi-account management & setup.
  - AWS Config & AWS CloudTrail are configuration tracking & API tracking, respectively.
- Migration Services
  - Migrations start with a good plan; reference the Cloud Adoption Framework.
  - Migration Hub allows you to centralize your migration tools & plans on AWS.
  - Data transfer services are Snowcone, Snowball (Edge) or Snowmobile.
  - AWS supports FTPS, SFTP, FTP & AS2 for data transfer as well.
  - Application Discovery is used for scanning an inventory of migratable servers/apps.
  - Application, Database & Data Center migrations all have dedicated Migration services on AWS.
  - Mainframe Modernization is a service/framework for engineering mainframe migrations.

#### Summary on Billing & Pricing

- General Billing
  - Most services charge based on usage & capacity over time.
  - Common dimensions charged for are Compute, Storage & Requests/Network.
  - Understand billing to optimize spend.
  - Utilize elasticity: scale up/down as required.
  - Use the appropriate billing model for your workload to optimize spend.
  - Use the Free Tier when possible for learning purposes.
- EC2 Billing
  - You only pay when the server is running.
  - Common billing dimensions are Compute, Storage, Requests/Network.
  - Five billing models: On-Demand, Reserved, Spot, Dedicated & Savings Plan.
    - Dedicated allows for both instance & host.
  - Sizing is the largest dimension for billing/charges.
  - Enabling features or service integrations can increase costs.
- RDS Billing
  - Prices vary based on which service is being used, e.g. Aurora, "Main" RDS or Aurora Serverless.
  - What DB engine are you using? e.g. Oracle or MSSQL add licensing costs.
  - What size of DB instance are you using? This affects costs as well.
  - How large & how fast are the disks? The higher performing & larger the disks, the more expensive the charges will be.
  - The pricing model for the RDS instance affects cost. On-Demand RDS may be more expensive than Reservations depending on your use case.
  - Enabling other features such as Multi-AZ failover or backup retention can increase costs.
- VPC Billing
  - VPC components are mostly free.
  - Outgoing data from the DC will be charged/billed.
    - A different region or AZ, or a public IP, will be charged/billed.
    - Same region or same AZ with a private IP will be free.
  - Add-on components will increase costs, especially if data is traversing them.
  - The AWS exam does not test specific numbers, only general comparisons.
- Lambda Billing
  - Pricing is based on size, duration & frequency.
    - The more frequently the Lambda function is run, the more you are charged.
    - The larger the memory & the longer it runs, the higher the cost.
  - Lambda functions have a max memory limit of 10 GB & a 15-minute max execution time.
  - Additional features can be included but are not required at the Cloud Practitioner level.
  - The AWS exam does not test specific numbers, only general comparisons.
- Other Services Billing
  - Specific billing is not required for the exam.
  - EBS charges based on type, size & storage duration of the virtual hard drive.
  - S3 charges based on number of objects, number of requests to the objects, storage class and outbound transfer.
  - DynamoDB is charged based on table type, amount of data & read/write capacity units.
  - CloudFront is charged based on data pulled/actions against "cached" objects.
  - Kinesis charges similarly to DynamoDB, & Macie charges based on data scanned (number of objects).
- Billing Account Structure
  - Individual AWS accounts have their own bills, details & savings.
  - Multiple accounts can designate a payer account with Consolidated Billing.
    - The billing account is ready once it is part of an AWS Organization.
  - Control Tower is the best-practice way to deploy a multi-account "meta" account setup.
  - All three Consolidated Billing options allow for billing by account.
- Tools for Billing
  - Billing, Cost Explorer & CUR are tools for billing analysis.
  - AWS Budgets is focused on soft & hard limits & notifications for billing.
    - The "bill" or billing dashboard is great for a brief overview.
    - Cost Explorer is more about visualization of billing data.
    - CUR is the most detailed in terms of usage report.
    - AWS Budgets can be configured to "restrict" service launches & send notifications based on thresholds/alarms.

#### What you know at the end! - Exam 1 (CLF-C02)

- Failed questions:
  - Q: Can the commitment of an EC2 Savings Plan in AWS be adjusted multiple times throughout its term?
    - A: No
  - Q: Which of the following is true about AWS Trusted Advisor?
    - A: It's a tool that helps customers optimize cost, security, performance & fault tolerance through best practices.
    - ref: https://aws.amazon.com/trustedadvisor/
  - Q: What is the behavior of Reserved Instances in AWS Organizations on each execution?
    - A: The Reserved Instances are shared between all accounts in the organization.
  - Q: Which of the following options is a benefit of using Dedicated Instances under Reserved Instances pricing?
    - A: Higher discounts for longer commitments.
    - ref: https://aws.amazon.com/ec2/pricing/reserved-instances/
  - Q: In AWS, which feature allows you to define a set of permissions to determine what actions are allowed and denied by the entity assuming the role?
    - A: AWS IAM Roles
  - Q: What is the maximum size limit for a single archive in Amazon S3 Glacier?
    - A: 40 TB
  - Q: Which of the following is the correct way to use tags for cost allocation on each execution on AWS?
    - A: Tags should be used for all resources & services that you want to allocate costs to. (ref: https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/allocation-using-tags.html)
  - Q: Which AWS service can be used to reduce compliance scope by offloading the responsibility of managing and securing physical infrastructure, network infrastructure, and hypervisors?
    - A: Amazon EC2
    - I overthought this and selected Managed Services...
- Exam Results: 88%
  - 57 correct
  - 8 incorrect
  - total 65 questions

#### What you know at the end! - Exam 2 (CLF-01)

- Failed Questions:
  - Q: Which of the following best describes the principle of "Loose Coupling" in cloud design?
    - A: Designing systems with components that are independent & interact through specific interfaces.
  - Q: Which AWS Support plan provides access to AWS documentation, whitepapers, and support forums, as well as 24/7 customer service for billing, account, and technical questions?
    - A: Basic
    - Overthought this & read into it as if it was referring to the Business level.
  - Q: A company is using multiple AWS services to host their application, and they want to ensure that they optimize the environment by adhering to AWS best practices. Which of the following services is capable of inspecting your AWS environment and making recommendations to lower expenditures, improve system performance and reliability, and close security gaps?
    - A: AWS Trusted Advisor
    - I didn't consider the "cloud security gaps" portion when answering, which should have led me to the correct answer.
  - Q: Which AWS service provides a platform for deploying and managing applications in a fully managed environment?
    - A: AWS Elastic Beanstalk
  - Q: Which of the following best describes the AWS Global Infrastructure?
    - A: A worldwide network of Regions & AZs.
  - Q: Which of the following benefits of cloud computing is best demonstrated by the ability to quickly scale up or scale down AWS resources based on demand?
    - A: Stop guessing capacity.
  - Q: What is the AWS SDK?
    - A: A set of APIs for integrating AWS services with 3rd party applications.
    - I answered too fast without thinking & selected "programming language" as I thought it said "programming language interface".
  - Q: Which of the following AWS services provides a scalable, high-speed, low-latency platform for transferring data between users and data stored over the Internet?
    - A: Amazon CloudFront (CDN service)
  - Q: Which AWS Support plan provides access to a Technical Account Manager and Infrastructure Event Management?
    - A: Enterprise
    - This *includes* Infrastructure Event Management.
  - Q: Which of the following statements best describes multi-factor authentication (MFA) in the context of AWS security?
    - A: MFA is an optional security feature that requires users to provide 2 or more forms of authentication before accessing AWS resources.
  - Q: Which AWS service provides a global infrastructure consisting of multiple Regions and Availability Zones?
    - A: AWS Global Accelerator
- Exam Results: 88%
  - 79 correct
  - 11 incorrect
  - total 90 questions

#### The Road ahead on your AWS Journey

- Review AWS Documentation
  - https://docs.aws.amazon.com
- Next certificate -> AWS Solutions Architect Associate
  - Then -> AWS Solutions Architect Professional
  - You can take whichever you want; there is no ordering.
- IaC solutions
  - CloudFormation
  - Terraform
  - Packer
  - Ansible
- KodeKloud Playgrounds

#### Conclusion