AWS Cloud Practitioner cheat sheets
AWS Cloud Practitioner
Cost Explorer – Visualization tool to understand and manage your AWS costs and usage over time. (Report and Inspect)
AWS Cost and Usage Report – The AWS Cost & Usage Report contains the most comprehensive set of AWS cost and usage data available. (Report and Right size)
AWS Command Line Interface (CLI) - The AWS Command Line Interface (AWS CLI) is a unified tool to manage your AWS services. With just one tool to download and configure, you can control multiple AWS services from the command line and automate them through scripts. To use it, you need an IAM access key ID and secret access key.
Elastic Load Balancers - Elastic Load Balancing (ELB) automatically distributes incoming application traffic across multiple targets and virtual appliances in one or more Availability Zones (AZs)
AWS Management Console - The AWS Management Console is a web-based application that lets users access the broad range of services included in the Amazon Web Services (AWS) platform. It also provides easy navigation and centralized access to these services
AWS Marketplace - The AWS Marketplace enables qualified partners to market and sell their software to AWS Customers. AWS Marketplace is an online software store that helps customers find, buy, and immediately start using the software and services that run on AWS.
AWS Professional Services - The AWS Professional Services organization is a global team of experts that can help you realize your desired business outcomes when using the AWS Cloud. We work together with your team and your chosen member of the AWS Partner Network (APN) to execute your enterprise cloud computing initiatives.
AWS Personal Health Dashboard - Personal Health Dashboard gives you a personalized view into the performance and availability of the AWS services underlying your AWS resources. Alerts and remediation guidance on events that may impact you personally.
Security groups - A security group acts as a virtual firewall for your EC2 instances to control incoming and outgoing traffic. Inbound rules control the incoming traffic to your instance, and outbound rules control the outgoing traffic from your instance. A security group controls the traffic that is allowed to reach and leave the resources that it is associated with.
AWS Service Catalog - AWS Service Catalog lets you centrally manage deployed IT services, applications, resources, and metadata to achieve consistent governance of your infrastructure as code (IaC) templates.
AWS Service Health Dashboard - The AWS Health Dashboard is the single place to learn about the availability and operations of AWS services. You can view the overall status of AWS services.
Service quotas - Service Quotas is an AWS service that helps you manage your quotas for many AWS services, from one location. Along with looking up the quota values, you can also request a quota increase from the Service Quotas console.
AWS software development kits (SDKs) - simplify using AWS services in your applications with an Application Program Interface (API) tailored to your programming language or platform.
AWS Support Center - AWS Support offers a range of plans that provide access to tools and expertise that support the success and operational health of your AWS solutions. All support plans provide 24/7 access to customer service, AWS documentation, technical papers, and support forums.
Virtual private networks (VPNs) - Connect your on-premises networks and remote workers to the cloud
AWS Support tiers -
TYPES OF AWS SUPPORT
Support Plans
Basic: 24x7 customer service, documentation, and forums. No email support, no support cases.
Developer: get Cloud Support Associates, open unlimited support cases
Business, Enterprise: get email, 24x7 phone, and chat with Cloud Support Engineers
AWS Concierge: billing and account experts. For Enterprise.
AWS Professional Services
AWS Partner Network (APN)
AWS Technical Account Manager (TAM): for Enterprise
AWS Trust & Safety team: to report abuse of AWS
AWS DDoS Response Team: 24/7 support for DDoS attacks for Business and Enterprise
EC2 - Elastic Compute Cloud, a highly configurable server (CPU, memory, network, OS)
EC2 is an Infrastructure-as-a-Service (IaaS) solution
An EC2 instance is ephemeral and deleted when stopped
a golden image is a snapshot of a state of the resource
can host a static website, but not a dynamic website, because it can’t allow server-side scripting
on an EC2 instance you are mainly charged for compute uptime and amount of data provisioned
Instance Purchasing Options -
On-Demand Instances - the default option, for short-term ad-hoc requirements where the job can't be interrupted
On-Demand Capacity Reservations - the only way to reserve capacity for blocks of time such as 9am-5pm daily
Spot instance - highest discount potential (50-90%) but no commitment from AWS, could be terminated with 2min notice. Could use for grid and high-performance computing.
Reserved Instances - for long-term workloads, 1 or 3 year commitment in exchange for 40-60% discount
Dedicated Instances - run on hardware dedicated to 1 customer (more $$)
Dedicated Host - fully dedicated and physically isolated server. Allows you to use your server-bound software licenses (e.g. IBM, Oracle) and addresses compliance and regulatory requirements and potentially reduce cost (note: billing is per-hour not per-instance)
Bare metal EC2 instance - for when the workload needs access to the hardware feature set (e.g. Intel hardware)
REGIONS AND AVAILABILITY ZONES
AWS Regions are large and widely dispersed into separate geographic locations.
Availability Zones (AZs) are distinct locations within a Region that are engineered to be isolated from failures in other Availability Zones.
each AZ is a data centre or group of data centres
each AZ is isolated, but AZs in a Region are connected via low-latency links
each AZ is fed from a different power grid and has redundant power
Region: A physical location where AWS has multiple data centers.
Availability Zone: A data center within a region that is isolated from other availability zones.
Amazon Machine Images (AMIs) - pre-configured EC2 snapshot that is ready to be launched
AWS services and features
Analytics:
Amazon Athena - Athena provides a simplified, flexible way to analyze petabytes of data where it lives. Analyze data or build applications from an Amazon Simple Storage Service (S3) data lake and 25-plus data sources, including on-premises data sources or other cloud systems, using SQL or Python. Query S3 buckets using SQL queries and analyze the data.
Amazon Kinesis - Collect, process, and analyze real-time video and data streams
Amazon QuickSight - Amazon QuickSight is a very fast, easy-to-use, cloud-powered business analytics service that makes it easy for all employees within an organization to build visualizations, perform ad-hoc analysis, and quickly get business insights from their data, anytime, on any device. (BI)
Application Integration:
Amazon Simple Notification Service (Amazon SNS) - Amazon Simple Notification Service (Amazon SNS) is a managed service that provides message delivery from publishers to subscribers (also known as producers and consumers). Publishers communicate asynchronously with subscribers by sending messages to a topic, which is a logical access point and communication channel. (To achieve loose coupling)
Amazon Simple Queue Service (Amazon SQS) - Amazon Simple Queue Service (SQS) lets you send, store, and receive messages between software components at any volume, without losing messages or requiring other services to be available. (To achieve loose coupling)
Compute and Serverless:
AWS Batch - AWS Batch is a set of batch management capabilities that enables developers, scientists, and engineers to easily and efficiently run hundreds of thousands of batch computing jobs on AWS.
Amazon EC2 - Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides secure, resizable compute capacity in the cloud. It is designed to make web-scale cloud computing easier for developers.
AWS Elastic Beanstalk - Elastic Beanstalk is a service for deploying and scaling web applications and services. Upload your code and Elastic Beanstalk automatically handles the deployment—from capacity provisioning, load balancing, and auto scaling to application health monitoring.
PaaS service for deploying and scaling Web Applications (e.g. Java, .NET). Upload a zip or git of code and it deploys and manages the web app for you.
In general, try to use serverless compute instead of EC2 instances so that you don't have to plan for capacity. Includes: Lambda, ELB, CloudFront, SQS, Kinesis Firehose, SES, CloudSearch.
AWS Lambda - AWS Lambda is a serverless compute service that runs your code in response to events and automatically manages the underlying compute resources for you. Serverless way to run code; you only pay for compute time.
Amazon Lightsail - Amazon Lightsail is a virtual private server (VPS) provider and is the easiest way to get started with AWS for developers, small businesses, students, and other users who need a solution to build and host their applications on cloud.
Amazon WorkSpaces - An Amazon WorkSpace is a cloud-based virtual desktop that can act as a replacement for a traditional desktop. A WorkSpace is available as a bundle of operating system, compute resources, storage space, and software applications that allow a user to perform day-to-day tasks just like using a traditional desktop.
Containers:
Amazon Elastic Container Service (Amazon ECS) - Amazon Elastic Container Service (ECS) is a highly scalable, high performance container management service that supports Docker containers and allows you to easily run applications on a managed cluster of Amazon Elastic Compute Cloud (Amazon EC2) instances. Docker as a Service: runs Docker containers as tasks in AWS.
Amazon Elastic Kubernetes Service (Amazon EKS) - Amazon Elastic Kubernetes Service (Amazon EKS) is a managed Kubernetes service that makes it easy for you to run Kubernetes on AWS and on-premises. Kubernetes is an open-source system for automating deployment, scaling, and management of containerized applications. (Without having to install Kubernetes on EC2 instances manually.)
AWS Fargate - Amazon Fargate is a serverless compute engine for ECS and EKS that can be used to run Docker containers (without managing servers)
DATABASE SERVICES:
Database on EC2: if you need full control over the database, or a specific 3rd-party database product not supported by any of AWS' managed services
Amazon RDS - managed relational DB that you choose (e.g. MySQL, Postgres, Oracle, MS SQL, Aurora).
Amazon does DB admin work: provisioning hardware, setup, patching and backups
auto-backup is on by default. Full daily snapshot to S3 and captures logs throughout the day. PITR can be configured to be as little as every 5min, then use the logs to roll back.
can enable a multi-AZ mode that replicates the DB to a standby instance in another AZ that can be used automatically in case of failover
use the “Snapshots” feature to create globally redundant DBs
RDS scales up by moving to a larger instance / more storage, then you reboot the DB.
You can sort of scale out read operations by using read replicas.
Amazon DynamoDB: NoSQL, schemaless
items (not objects) by key/value
scale dynamically without any downtime ("push-button scaling"), as opposed to RDS and EBS which you need to reboot
for in-memory performance, for high I/O needs
can do guaranteed reads/second
you can manually enable point-in-time recovery (PITR). Amazon then takes regular backups based on what you configured, and can restore to those backups
DynamoDB Accelerator (DAX) is an in-memory cache that delivers 10x performance improvement
Amazon Redshift:
data warehouse for large volumes of aggregated data
analytics DB (as opposed to RDS which is a transactional DB) using SQL queries
columnar (it reads via columns instead of rows)
Amazon ElastiCache: fast temporary storage for small amounts of data
In-memory DB
Amazon DocumentDB: NoSQL document database that is MongoDB compatible
Amazon Aurora: relational DB that is MySQL and PostgreSQL-compatible
fully managed and automatically scales
combines speed and availability of commercial DB with simplicity and cost of open source
up to 5x the throughput of MySQL DB
Note some AWS DB services can be reserved for up to 75% discount - RDS, DynamoDB, ElastiCache, Redshift
Developer Tools:
AWS CodeBuild - AWS CodeBuild is a fully managed continuous integration service that compiles source code, runs tests, and produces ready-to-deploy software packages. Part of CI/CD.
AWS CodeCommit - AWS CodeCommit is a secure, highly scalable, managed source control service (Git repositories) that makes it easier for teams to collaborate on code.
AWS CodeDeploy - AWS CodeDeploy is a service that automates code deployments to any instance, including Amazon EC2 instances and instances running on-premises. (Deploy)
AWS CodePipeline - AWS CodePipeline is a continuous delivery service that enables you to model, visualize, and automate the steps required to release your software. (Continuous Delivery (CD) part of CI/CD.)
AWS CodeStar - quickly develop, build and deploy applications on AWS
Customer Engagement:
Amazon Connect - Amazon Connect provides a seamless omnichannel experience for agents and managers for voice, chat, and task management to ensure customers are routed with their conversation's full context or work across applications when switching channels. (Call Center)
Management, Monitoring, and Governance:
AWS Auto Scaling - Automatically increase and decrease the number of instances based on the application requirement.
AWS Budgets - set custom budgets to track your cost and usage against specific use cases. Alerts when you exceed or are about to exceed a threshold.
AWS CloudFormation - AWS CloudFormation is a service that gives developers and businesses an easy way to create a collection of related AWS and third-party resources, and provision and manage them in an orderly and predictable fashion. (use templates to deploy architecture following a pattern)
AWS CloudTrail - CloudTrail provides visibility into user activity by recording actions taken on your account. CloudTrail records important information about each action, including who made the request, the services used, the actions performed, parameters for the actions, and the response elements returned by the AWS service. (audit trail)
Amazon CloudWatch - CloudWatch enables you to monitor your complete stack (applications, infrastructure, network, and services) and use alarms, logs, and events data to take automated actions and reduce mean time to resolution (MTTR). Includes monitoring your estimated charges.
AWS Config - tracks resource inventory, config history and config change notifications for the purpose of security and compliance. Assess, audit and evaluate the configurations of AWS resources.
AWS Cost and Usage Report - AWS Cost and Usage Reports tracks your AWS usage and provides estimated charges associated with your account. Each report contains line items for each unique combination of AWS products, usage type, and operation that you use in your AWS account.
Amazon EventBridge (Amazon CloudWatch Events) - EventBridge is a serverless service that uses events to connect application components together, making it easier for you to build scalable event-driven applications.
AWS License Manager - AWS License Manager is a service that makes it easier for you to manage your software licenses from software vendors (for example, Microsoft, SAP, Oracle, and IBM) centrally across AWS and your on-premises environments.
AWS Managed Services - AWS Managed Services is a set of services and tools that automate infrastructure management tasks for Amazon Web Services (AWS) deployments. The service is aimed at large enterprises that want a simplified way to migrate on-premises workloads to the public cloud and then manage those workloads after migration.
AWS Organizations - create and manage accounts and leverage consolidated billing
all accounts in the org are treated as 1 account, so they can share Reserved Instances
can be used to automate AWS account creation via the Organizations API
service control policies (SCPs) provide a way to centrally manage AWS account permissions in the organization
You can create member accounts and invite existing accounts to join your organization.
AWS Secrets Manager - AWS Secrets Manager is a secrets management service that helps you protect access to your applications, services, and IT resources. This service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.
AWS Systems Manager - AWS Systems Manager allows you to safely automate common and repetitive IT operations and management tasks. With Systems Manager Automation, you use predefined playbooks, or you can build, run, and share wiki-style automated playbooks to enable AWS resource management across multiple accounts and AWS Regions.
AWS Systems Manager Parameter Store - AWS Systems Manager Parameter Store provides secure, hierarchical storage for configuration data management and secrets management. You can store data such as passwords, database strings, and license codes as parameter values. You can store values as plain text or encrypted data.
AWS Trusted Advisor - AWS Trusted Advisor provides recommendations that help you follow AWS best practices. It optimizes your resources across 5 major areas:
Cost Optimization
Performance
Security (e.g. checks Security Groups for 0.0.0.0/0 rules that allow unrestricted access to specific ports and colors the ones that present a risk as yellow or red)
Fault Tolerance
Service Limits
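The Security check above (security group rules with a 0.0.0.0/0 source, coloured yellow or red) is easy to reproduce as your own detection, which is useful on accounts where you want the finding in your own pipeline rather than only in the console. The following is an added example, not AWS or Trusted Advisor code: it walks security group data in the dict shape that the EC2 DescribeSecurityGroups API returns and colours each world-open port. The red and green port lists are an assumption modelled on the documented Trusted Advisor "Specific Ports Unrestricted" classification (adjust them to your own policy), and SAMPLE_GROUPS is constructed, not captured from a real account.

```python
"""Flag security group ingress rules that are open to the whole internet.

Added example (not AWS code). The input mimics the dict shape returned by
EC2 DescribeSecurityGroups (IpPermissions / IpRanges / Ipv6Ranges);
SAMPLE_GROUPS below is constructed, not captured from a real account.
"""

# Port classification modelled on Trusted Advisor's "Specific Ports
# Unrestricted" check; treat the exact lists as an assumption and adjust
# them to your own policy.
RED_PORTS = {20, 21, 1433, 1434, 3306, 3389, 4333, 5432, 5500}
GREEN_PORTS = {25, 80, 443, 465}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def is_world_open(permission):
    """True if any IPv4 or IPv6 range on the rule is the whole internet."""
    cidrs = {r.get("CidrIp") for r in permission.get("IpRanges", [])}
    cidrs |= {r.get("CidrIpv6") for r in permission.get("Ipv6Ranges", [])}
    return bool(cidrs & WORLD_CIDRS)


def rule_ports(permission):
    """Return the list of ports a rule covers, or None for 'all ports'
    (protocol -1, or a -1 port value, as EC2 reports them)."""
    if permission.get("IpProtocol") == "-1":
        return None
    lo = permission.get("FromPort", -1)
    hi = permission.get("ToPort", -1)
    if lo == -1 or hi == -1:
        return None
    return list(range(lo, hi + 1))


def classify_port(port):
    """Colour a world-open port the way the Trusted Advisor check does."""
    if port in RED_PORTS:
        return "red"
    if port in GREEN_PORTS:
        return "green"
    return "yellow"


def flag_open_ingress(security_groups):
    """Return (group id, protocol, port, colour) tuples for every world-open
    port; green ports are dropped so the result is an action list."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if not is_world_open(perm):
                continue
            proto = perm.get("IpProtocol", "-1")
            ports = rule_ports(perm)
            if ports is None:
                # Every port on every protocol is reachable: always red.
                findings.append((sg["GroupId"], proto, "all", "red"))
                continue
            for port in ports:
                colour = classify_port(port)
                if colour != "green":
                    findings.append((sg["GroupId"], proto, port, colour))
    return findings


# Constructed sample: three groups with a mix of open and scoped rules.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa0000example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0bbb0000example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3388, "ToPort": 3389,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-0ccc0000example", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
]

if __name__ == "__main__":
    for group_id, proto, port, colour in flag_open_ingress(SAMPLE_GROUPS):
        print(f"{colour.upper():6} {group_id} {proto}/{port}")
```

Run it as-is to see the four findings from the sample (the 443 rule is green and therefore not reported); to run it against a real account, pass the `SecurityGroups` list from a `describe_security_groups` response in place of SAMPLE_GROUPS. Note that a rule with protocol -1 or a -1 port covers every port, so it is reported once as red rather than expanded.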
Networking and Content Delivery:
Amazon API Gateway -
Amazon API Gateway is a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale. APIs act as the "front door" for applications to access data, business logic, or functionality from your backend services.
API to access AWS services. Amazon CloudFront is the public endpoint to API Gateway to ensure reduced latency and DDoS protection
Amazon CloudFront - content delivery network (CDN)
If you had a lot of data that you needed to get to different parts of the world as fast as possible, CloudFront helps you find the shortest path. CloudFront takes static content and distributes it to multiple edge locations.
global, low latency, high transfer speeds
AWS Direct Connect -
AWS Direct Connect is a network service that provides an alternative to using the Internet to utilize AWS cloud services. AWS Direct Connect enables customers to have low latency, secure and private connections to AWS for workloads which require higher speed or lower latency than the internet
Private connection (not over the internet) from on-prem to VPC. Ensures consistent and dedicated performance and reduces latency since it is a direct connection.
Amazon Route 53 - DNS global service.
More than just DNS! It provides: domain registration, traffic flow, health checking, and failover
Health checking: monitor the health and performance of your web applications, web servers, and other resources
Does not do what VPC Router or Direct Connect do.
Amazon VPC - Amazon VPC enables you to build a virtual network in the AWS cloud - no VPNs, hardware, or physical datacenters required. You can define your own network space, and control how your network and the Amazon EC2 resources inside your network are exposed to the Internet.
exists within 1 region and spans all the AZs within that region
configure subnets within an AZ
configure endpoints
configure security groups (instance-level firewalls that protect EC2 instances)
VPC peering connection = connection between 2 VPCs
Security, Identity, and Compliance:
AWS Artifact - Provides access to security and compliance reports (e.g. SOC reports, PCI reports, NDAs)
AWS Certificate Manager (ACM) - AWS Certificate Manager (ACM) is a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources. (create SSL/TLS certificates for use with HTTPS connections)
AWS CloudHSM - CloudHSM allows you to securely generate, store, and manage cryptographic keys used for data encryption in a way that keys are accessible only by you.
Amazon Cognito - Used as Identity Provider (IdP) e.g. like Okta. Sign-in with Facebook, Google, etc. via SAML 2.0. Provide logins on web and mobile.
Amazon Detective - Amazon Detective helps you analyze, investigate, and quickly identify the root cause of security findings or suspicious activities. Detective automatically collects log data from your AWS resources. (process terabytes of event data records, similar to a SIEM but not quite)
Amazon GuardDuty - Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation.
AWS Identity and Access Management (IAM) -
IAM Principles
lock root access keys
create individual IAM users
use groups to assign permissions to users
assign least privilege
get started using AWS managed policies
use customer managed policies, not inline policies
use access levels to review IAM permissions
strong password policy
MFA
use roles: 1) for users who need specific permissions, 2) for applications that run on EC2
don't share access keys
rotate credentials regularly
use policy conditions
monitor activity in your account
IAM is not used for creating accounts. You use other services like AWS Organizations to create accounts.
By default new users have no access to services except the console. You must grant them permissions.
Auth methods include
console passwords
access keys (access key ID + secret access key) --> for programmatic API calls
don't confuse access keys with key pairs! Key pairs are to login to EC2 instances.
server certificates
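Several of the IAM practices listed above (assign least privilege, use policy conditions, prefer customer managed policies you can review) can be checked mechanically before a policy is attached. The following is an added example, not AWS tooling: a small lint over IAM policy documents that flags wildcard actions and resources and flags statements that grant non-read-only actions without any Condition block. Both policies are constructed for the example, the bucket name is a placeholder, and the "read-only" heuristic (action verbs starting with Get, List or Describe) is an assumption of this example rather than an AWS definition.

```python
"""Lint IAM policy documents for least privilege and missing conditions.

Added example, not AWS tooling. WEAK_POLICY and TIGHT_POLICY are
constructed; the bucket name is a placeholder.
"""
import json

# Assumption of this example: verbs with these prefixes are read-only.
READ_ONLY_PREFIXES = ("Get", "List", "Describe")


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_read_only(action):
    """'s3:GetObject' -> True, 's3:PutObject' -> False, '*' -> False."""
    _, _, verb = action.partition(":")
    return verb.startswith(READ_ONLY_PREFIXES)


def lint_policy(policy):
    """Return (Sid, problem) pairs for every Allow statement that violates
    one of the checks; an empty list means the policy passed."""
    problems = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if any(a == "*" or a.endswith(":*") for a in actions):
            problems.append((sid, "wildcard action"))
        if any(r == "*" for r in resources):
            problems.append((sid, "wildcard resource"))
        if "Condition" not in stmt and not all(_is_read_only(a) for a in actions):
            problems.append((sid, "mutating statement without a condition"))
    return problems


def lint_policy_json(text):
    """Same check for a policy supplied as a JSON string."""
    return lint_policy(json.loads(text))


# Constructed: the kind of policy that fails every check.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AdminEverything", "Effect": "Allow",
         "Action": "*", "Resource": "*"},
    ],
}

# Constructed: scoped to one bucket, and writes require MFA
# (aws:MultiFactorAuthPresent is a real IAM condition key).
TIGHT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOneBucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket-placeholder",
                      "arn:aws:s3:::example-bucket-placeholder/*"]},
        {"Sid": "WriteWithMfa", "Effect": "Allow",
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-bucket-placeholder/uploads/*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
}

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("tight", TIGHT_POLICY)):
        print(name, lint_policy(policy) or "OK")
```

The weak policy produces three findings for its single statement, the tight one none. The read-only heuristic is deliberately simple; the point is that the "use policy conditions" and "assign least privilege" items become a gate you can run in CI over customer managed policies before they are created.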
Amazon Inspector - Amazon Inspector is an automated vulnerability management service that continually scans AWS workloads for software vulnerabilities and unintended network exposure.
Amazon Macie - Amazon Macie is a data security service that discovers sensitive data using machine learning and pattern matching, provides visibility into data security risks, and enables automated protection against those risks.
AWS Shield - AWS Shield is a managed distributed denial of service (DDoS) protection service that safeguards applications running on AWS. It provides dynamic detection and automatic inline mitigations that minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection.
AWS WAF - AWS WAF is a web application firewall that helps protect web applications from attacks by allowing you to configure rules that allow, block, or monitor (count) web requests based on conditions that you define.
Storage:
AWS Backup - AWS Backup is a fully managed backup service that makes it easy to centralize and automate the back up of data across AWS services in the cloud as well as on premises using the AWS Storage Gateway.
Amazon Elastic Block Store (Amazon EBS) - Elastic Block Store:
stores blocks
often described as "virtual hard drive in the cloud"
can attach to 1 EC2 instance
you are charged for the amount of data provisioned, not the actual amount stored
snapshots are stored in S3
Amazon Elastic File System (Amazon EFS) - Amazon Elastic File System (Amazon EFS) is a simple, serverless, set-and-forget, elastic file system
Amazon S3 - Each object consists of data, metadata, and a key in object storage.
buckets that hold objects that are comprised of key/value pairs
unlimited data
standard storage is 99.99% availability
lowest-cost durable storage option for DB snapshots for immediate retrieval (as opposed to Glacier)
serverless
accessed via RESTful API over http(s)
Use cases: backup and storage, application hosting, media hosting, software delivery, hosting a static website
S3 comes in different storage classes
S3 Standard Storage class -> pay per GB/mo and data transfer out
Standard-IA, One Zone-IA -> also have minimum capacity charge and a data retrieval fee
Amazon S3 Glacier: low cost storage: good for backups and archives. You have to wait to get your data back (3-5 hours for Standard, 1-5min for Expedited), and there’s a cost of retrieval.
S3 utilities include
S3 Transfer Acceleration: fast transfer of files over long distances to S3 bucket
S3 Cross Region Replication (CRR)
S3 Static Websites: host static website
S3 Copy: create a copy of objects up to 5GB in a single atomic operation
Multipart Upload: speed up uploads to S3
S3 Lifecycle: configure groups of objects to move to a different storage class (e.g. move to Glacier after XX days), or delete groups of objects altogether after a certain time
AWS Snowmobile - AWS Snowmobile is an exabyte-scale data transfer service that is used to move large volumes of data to Amazon Web Services. Each Snowmobile allows transfer for up to 100PB of data.
AWS Snowball - Physically migrate many TBs of data. (80TB)
AWS Snowball Edge - bigger snowball (100 TB)
AWS Storage Gateway - Enables on-prem applications to use cloud storage ("hybrid" storage model)
Use cases: moving tape backup to cloud, reduce on-prem storage with cloud-backed files shares, low-latency access from on-prem app to cloud data, disaster recovery
3 storage interfaces supported: file (retrieve files as objects in S3), volume (block-based), tape (virtual media and tape drives). Uses local caching.
Shared Responsibility Model
AWS: security OF the cloud, Customer: security IN the cloud
Shared: Patch and Config
Users fully inherit user and access management controls from AWS
SERVICES OFFERED BY AWS
encryption
automated pen testing
patching DB software for you
6 CLOUD ARCHITECTURE PRINCIPLES
There are 6 design principles for operational excellence in the cloud:
Perform operations as code
Annotate documentation
Make frequent, small, reversible changes
Refine operations procedures frequently
Anticipate failure
Learn from all operational failures
6 PILLARS OF THE WELL-ARCHITECTED AWS FRAMEWORK
1. Operational Excellence
Perform operations as code
Make frequent, small, reversible changes
Refine operations procedures frequently
Anticipate failure
Learn from all operational failures
2. Security
Implement a strong identity foundation
Enable traceability
Apply security at all layers
Automate security best practices
Protect data in transit and at rest
Keep people away from data
Prepare for security events
3. Reliability
Automatically recover from failure
Test recovery procedures
Scale horizontally to increase aggregate workload availability
Stop guessing capacity
Manage change in automation
4. Performance Efficiency
Democratize advanced technologies
Go global in minutes
Use serverless architectures
Experiment more often
Consider mechanical sympathy
5. Cost Optimization
Implement cloud financial management
Adopt a consumption model
Measure overall efficiency
Stop spending money on undifferentiated heavy lifting
Analyze and attribute expenditure
6. Sustainability
Understand your impact
Establish sustainability goals
Maximize utilization
Anticipate and adopt new, more efficient hardware and software offerings
Use managed services
Reduce the downstream impact of your cloud workloads
BENEFITS OF AWS
Reduce costs by right-sizing workload
Agility and elasticity (auto-scaling, elastic load balancing, S3 and lambda)
Increase speed and agility (speed because you can experiment in just minutes)
Moving from upfront capital expense (capex) to variable operational expense (opex).
Lower variable costs and lower upfront costs
Asset management is easier because AWS performs infrastructure discovery scans on behalf of the customer. Assets are centrally managed by AWS
Reduce project management costs of the data centres and infrastructure
BENEFITS OF AWS FOR STARTUPS
optimize your spend
keep your development costs low by making sure you revisit your architecture often, to adjust to your startup growth.
manage your cost further by leveraging different options such as S3 and CloudFront for caching & offloading to reduce the cost of EC2 computing, as well as Elastic Load Balancing, which prepares you for massive scale, high reliability and uninterrupted growth.
another way to keep costs down is to use IAM to manage governance of your cost drivers effectively and by the right teams.
Cloud Computing
On-demand delivery of IT resources. Can scale up and down based on needs.
Fosters agility (number one reason why customers switch to cloud computing): Speed (global reach), experimentation (operations as code, templated environments with CloudFormation) and culture of innovation (experiment quickly with low cost)
Region vs Availability Zone (AZ): Region is a physical location in the world which contains multiple AZs. AZs contain one or more discrete data centers with independent resources and housed in different facilities.
Using Auto Scaling and ELB, scale up and down and only pay for what you use.
Ability to deploy systems in multiple regions (lower latency)
Ability to choose the region where data is stored
AWS is responsible for data center security
Security policy can be formalized (as code)
Ability to recover from failures