Last Updated on March 15, 2025
------------------------------------
------------- EC2 IaaS -------------
------------------------------------
Security Groups
acts as a virtual firewall at the INSTANCE (ENI) level
rules use CIDR BLOCKS, prefix lists, or other security group IDs as source/destination
STATEFUL: return traffic for an allowed flow is allowed automatically, in either direction
ALLOW RULES ONLY (anything not explicitly allowed is implicitly denied)
------------------------------------
- On Demand Pricing
will not be interrupted
Pay as you go
no upfront payments
no long-term commitments
---------------
- Spot Instance
up to 90% discount vs On Demand
can be INTERRUPTED by AWS (2-minute warning) when the capacity is needed back
Spot request defines the number of instances, instance types, availability zones
and the max hourly price you are willing to pay per instance (defaults to the On-Demand price)
---------------
- Reserved Instances
not a physical instance: a BILLING DISCOUNT applied to matching running instances
will NOT be interrupted
up to 72% discount vs On Demand, 1 or 3 year term
REGIONAL RIs give the discount only; ZONAL RIs also reserve capacity in that AZ (see below)
NOT for LICENSING concerns (that is Dedicated Hosts)
-----
- Zonal Reserved Instances
When you purchase a Reserved Instance for a specific Availability Zone
referred to as a Zonal Reserved Instance
Zonal Reserved Instances provide capacity reservations as well as discounts
---------------
- Dedicated Hosts
a PHYSICAL server fully dedicated to your use
visibility of sockets/cores, so you can bring your own per-socket/per-core LICENSES (BYOL)
more control and security
to comply with regulations or LICENSING terms
for applications that require a high degree of ISOLATION and control
---------------
- Dedicated Instances
suitable for applications that require SINGLE-TENANT hardware
but DO NOT have LICENSING concerns
or the additional features and control offered by Dedicated Hosts
---------------
- EBS Optimized Instances
Enable EC2 instances to fully utilize provisioned IOPS on EBS volumes
with options for dedicated throughput between EC2 and EBS
---------------
Standard Reserved Instances
Will not be interrupted
Provide a larger discount than Convertible RIs
Cannot be EXCHANGED; only limited modifications (AZ, scope, instance size within the same family)
Can be resold on the AWS Reserved Instance Marketplace
Instance family, platform and tenancy CANNOT be changed
---------------
Convertible Reserved Instances
Allow attributes to be modified (e.g., instance family, type, platform, scope, or tenancy)
Can be exchanged during the term for another Convertible RI with new attributes
Cannot be resold on the AWS Reserved Instance Marketplace
Can be applied to different instance family types
------------------------
------------------------
EC2 Image Builder
build, customize and deploy OS images without writing scripts
---------------
Savings Plans
Commit to a $/hour spend for 1 or 3 years
get discounts of up to 72%
- TYPES:
Compute Savings Plan: EC2, Fargate, Lambda in any region/family, up to 66%
EC2 Instance Savings Plan: one instance family in one region, up to 72%
SageMaker Savings Plan: SageMaker ML usage
------------------------
ALB - Application Load Balancer
SAM - Serverless Application Model
CDK - Cloud Development Kit
define infrastructure in a programming language; Constructs define everything needed
for the CDK to synthesize the CloudFormation stack
SES - Simple Email Service
ASL - Amazon States Language, the JSON-based language in which
Step Functions state machine definitions are written
STS - Security Token Service
AMI - Amazon Machine Image
--------------------
Network Firewall
managed STATEFUL firewall and IDS/IPS for VPC traffic (Suricata-compatible rules)
Firewall Manager
Centrally configure and manage firewall rules (WAF, Shield Advanced, Security Groups,
Network Firewall) across accounts in an Organization
--------------------
WAF & SHIELD:
WAF - NOT FREE, Layer 7 (HTTP/S)
deployed on CloudFront, ALB, API Gateway, AppSync, Cognito, App Runner
Charges per web ACL, per rule, and per million requests inspected
Monitor and protect against COMMON web exploits (SQL injection, XSS, bad bots)
GEOGRAPHIC BLOCKING, IP reputation lists, rate-based rules
Can protect websites hosted OUTSIDE of AWS when they are fronted by CloudFront
Web ACL DEFAULT ACTION is either ALLOW or BLOCK; rules can ALLOW, BLOCK, COUNT, or CAPTCHA
---------
Layer 7 - HTTP/S (WAF protects)
Layer 4 - TCP/UDP (Shield protects)
Layer 3 - Network (Shield protects)
---------
Shield STANDARD - FREE
enabled BY DEFAULT for ALL AWS customers, no opt-in
Managed DDoS protection (layer 3/4) for CloudFront, Route 53, Global Accelerator,
ELB and EC2 Elastic IPs
---------
Shield ADVANCED - paid (monthly fee, 1-year commitment)
protects EC2 (Elastic IPs), ELB, CloudFront, Global Accelerator, Route 53
adds layer 7 mitigation (WAF fees included for protected resources) and a 24/7 Shield Response Team
DDoS COST PROTECTION: credits for scaling charges caused by an attack
---------
Audit Manager
continuously audit AWS usage to simplify how you assess risk and compliance
with regulations and industry standards
---------
Trusted Advisor
finds unattached or UNDER-UTILIZED EBS volumes and idle EC2/ELB/RDS
advises on BEST PRACTICES in 5 categories: cost OPTIMIZATION, performance, security,
fault tolerance, service limits
checks refresh automatically (some several times a day) or on demand
can ALERT if security group PORTS allow unrestricted access (0.0.0.0/0)
can ALERT if S3 is misconfigured (like given public access)
can ALERT if CloudTrail logging is not enabled
BASIC and DEVELOPER support plans get only the CORE security and service-limit checks;
BUSINESS and ENTERPRISE get the full set
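The three Trusted Advisor alerts listed above (open ports, public S3, CloudTrail off) boil down to simple checks over inventory data. The following Python is an added example, not Trusted Advisor's code or output: the input dicts are constructed by hand but imitate the field names of boto3 describe_security_groups, get_public_access_block and describe_trails/get_trail_status responses, so the same logic would port to real API data.

```python
"""Trusted-Advisor-style security checks over CONSTRUCTED inventory data. Added
example: this is not Trusted Advisor's code or output. The dicts imitate the field
names of boto3 describe_security_groups / get_public_access_block / describe_trails
(+ get_trail_status) responses so the logic would port to real API data."""

SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL", 27017: "MongoDB"}
ANYWHERE = {"0.0.0.0/0", "::/0"}
BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _sources(perm):
    """Every CIDR a permission entry accepts traffic from (IPv4 and IPv6)."""
    return {r["CidrIp"] for r in perm.get("IpRanges", [])} | \
           {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}


def check_open_ports(groups):
    """(group id, port, service) for sensitive ports reachable from the whole internet.
    IpProtocol '-1' means all protocols and carries no port range."""
    findings = set()
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto not in ("tcp", "-1") or not (ANYWHERE & _sources(perm)):
                continue
            low, high = (0, 65535) if proto == "-1" else (perm["FromPort"], perm["ToPort"])
            for port, name in SENSITIVE_PORTS.items():
                if low <= port <= high:
                    findings.add((sg["GroupId"], port, name))
    return sorted(findings)


def check_s3_public_access(buckets):
    """Buckets where any of the four Block Public Access switches is off."""
    return sorted(name for name, cfg in buckets.items()
                  if not all(cfg.get(k, False) for k in BPA_KEYS))


def check_cloudtrail(trails):
    """True only if some multi-region trail exists AND is currently logging."""
    return any(t.get("IsMultiRegionTrail") and t.get("IsLogging") for t in trails)


# Constructed sample inventory (group ids, bucket names and trail name are made up).
GROUPS = [
    {"GroupId": "sg-0aa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-0bb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]
BUCKETS = {
    "app-logs": dict.fromkeys(BPA_KEYS, True),
    "marketing-site": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                       "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
}
TRAILS = [{"Name": "org-trail", "IsMultiRegionTrail": True, "IsLogging": False}]


def run_checks(groups=GROUPS, buckets=BUCKETS, trails=TRAILS):
    return {"open_ports": check_open_ports(groups),
            "public_buckets": check_s3_public_access(buckets),
            "cloudtrail_ok": check_cloudtrail(trails)}
```

Note that sg-0aa's SSH rule is scoped to 10.0.0.0/8 and so is not reported, while sg-0bb's IPv6 "all traffic" rule exposes every sensitive port, and a trail that exists but has IsLogging false still fails the CloudTrail check.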
------------------------------------
Inspector
for use on EC2, ECR container images, and Lambda functions
does NOT track CONFIG changes (that is Config)
EC2 scanning uses the SSM Agent (agentless scanning of EBS snapshots also available)
AUTOMATED, continual checks for software VULNERABILITIES (CVEs) and unintended NETWORK EXPOSURE
vulnerability management at scale; findings get a risk score and flow into Security Hub
CHECKS for OS and application package vulnerabilities
---------
GuardDuty
intelligent threat detection & continuous monitoring
detects MALICIOUS or unauthorized activity (compromised credentials, crypto-mining, C2 callbacks)
Uses CloudTrail (management + S3 data events), VPC Flow Logs, and DNS logs;
optional protection plans for EKS, RDS, Lambda, and EBS malware scanning
does NOT check OS vulnerabilities (that is Inspector)
---------
Global Accelerator
good for NON-HTTP cases
Improve availability and performance
provides static IP addresses as fixed entry points to endpoints in single or multiple AWS Regions
uses the global network to optimize the path from your users to your app
---------
Detective
investigate, analyze, and quickly identify the root cause of potential security issues.
Uses:
CloudTrail
VPC Flow Logs
GuardDuty
------------------------------------
Availability Zone - has 1 or more discrete data centers; all traffic between AZs is encrypted
------------------------------------
Regions - minimum 3 AZ's
------------------------------------
------------------------------------
Marketplace
customers can find, test, BUY/SELL SaaS
custom AMIs, SOFTWARE solutions, bundles
CANNOT buy Reserved Instances
------------------------------------
Knowledge Center (now part of AWS re:Post)
articles answering common customer questions with their solutions
------------------------------------
AWS IQ
connects customers with AWS Certified third-party experts
for advice and hands-on help implementing solutions quickly
------------------------------------
----------- Databases --------------
------------------------------------
EMR
HADOOP CLUSTERS
big data platform for running large-scale
distributed data processing jobs
-----------------
Batch
run batch ON EC2/EC2 Spot
workloads of any scale
-----------------
RDS
WRITES scale VERTICALLY (bigger instance); READS scale horizontally with read replicas
automatic backups by default (retention up to 35 days)
aws does software patching
can enable Auto-Patching for instances in the RDS CONSOLE (maintenance window)
can enable storage auto-scaling
no need to manage OS (no OS access)
SQL, managed, OLTP online transaction processing
LESS operational effort than a customer-managed DB on EC2
Multi-AZ is for HIGH AVAILABILITY; cross-region read replicas can be used for disaster recovery
-----------------
RDS - Disaster Recovery
Multi-AZ: SAME region, synchronous standby, automatic failover (HA)
Read REPLICAS: asynchronous, can be cross-region, promotable for DR
Read Replicas improve horizontal read scalability
-----------------
Aurora - SQL
automatic backups by default (continuous, point-in-time restore)
AWS-built, MySQL- and PostgreSQL-compatible
relational, storage replicated 6 ways across 3 AZs
Aurora Global Database replicates to other regions (cross-region reads, fast DR);
write forwarding lets secondary regions accept writes for ACTIVE/ACTIVE style setups
-----------------
Athena - SQL
NOT a database: queries data IN PLACE in S3, so there is nothing to back up
MINIMUM EFFORT
serverless (auto-scale)
interactive query service to analyze data in S3 (uses the Glue Data Catalog for schemas)
only pay for data scanned per query (partition and compress to cut cost)
-----------------
DynamoDB - NoSQL
ok for 'recommendation engines', shopping carts, session stores
HIGH AVAILABILITY, LEAST OVERHEAD, single-digit millisecond latency
supports KEY-VALUE and DOCUMENT data models
Global Tables provide an ACTIVE/ACTIVE multi-region replication architecture
global tables allow you to replicate data seamlessly across multiple AWS Regions
backups: on-demand, or point-in-time recovery (PITR) once you ENABLE it
scales horizontally, virtually unlimited throughput and storage
DAX (DynamoDB Accelerator)
in-memory caching service for DynamoDB, microsecond reads, no application changes
-----------------
MemoryDB
in-memory database service
compatible with Redis (OSS) and Valkey
ultra-fast performance and features
automatic failover, encryption
VPC support
-------------
ElastiCache
managed IN-MEMORY cache (serverless option available)
enables applications to scale reads instantly
supports Redis OSS, Valkey & Memcached
-----------------
DocumentDB (with MongoDB compatibility)
fully managed document database that supports MongoDB workloads and drivers
automatic backups by default
-----------------
Database Migration Service (DMS)
assist with on-prem to cloud: homogeneous (MySQL to MySQL) or heterogeneous (Oracle to Aurora) migrations
source DB stays online during migration; Schema Conversion Tool (SCT) handles schema changes
-----------------
Neptune
NoSQL, GRAPH db's
suitable for fraud detection, knowledge graphs
RECOMMENDATION engines, social networking
-----------------
Redshift - SQL
petabyte-scale data WAREHOUSE, columnar storage
suited for online analytic processing (OLAP), not OLTP
-----------------
Glue
serverless ETL: extracts, transforms, loads, prepares
moves data (if needed) for ANALYTICS
Data Catalog stores table metadata used by Athena, EMR, and Redshift Spectrum
-------------
Data Exchange
find, subscribe to, and use THIRD PARTY data from a wide range of providers
-----------------
-----------------
QLDB
CENTRALIZED immutable, cryptographically verifiable ledger db
single entity owns and manages the application data
no need for customization
(AWS has announced end of support for QLDB; Aurora PostgreSQL is the suggested replacement)
-----------------
Managed Blockchain
DECENTRALIZED: multiple parties share the ledger
open-source frameworks
Hyperledger Fabric and Ethereum
-----------------
-----------------
-----------------
Quicksight - creates dashboards
------------------------------------
------------------------------------
STORAGE:
--------
EFS - HIGH AVAILABILITY
pay per GB stored (Elastic throughput mode also bills per GB read and written)
file-level storage accessed using the NFS protocol (Linux)
can be used DIRECTLY from ON-PREM systems over Direct Connect or VPN
shared file system with mount targets in MULTIPLE AZs of one region
reachable from other VPCs and REGIONS via VPC peering or Transit Gateway
can handle THOUSANDS of concurrent NFS connections
encryption at rest (KMS) and in transit (TLS) available
------------------------------------
EBS - HIGH PERFORMANCE
network-attached block device for a SINGLE EC2 instance (Multi-Attach only for io1/io2)
billed on PROVISIONED GB-month plus provisioned IOPS/throughput (not per read/write)
MUST be in same AZ as the instance
used like a physical HARD DISK in the cloud; persists independently of the instance
IOPS and VOLUME TYPE affect price
SNAPSHOTS stored on S3 (managed by AWS, not visible in your buckets)
Both Root and Non-Root volumes can be encrypted (KMS); turn on account-level default encryption
------------------------------------
Instance Store
offers block level storage physically attached to the host
EPHEMERAL, NOT fault tolerant: data is LOST on stop, terminate, or hardware failure
HIGH Performance hardware (NVMe/SSD)
fast I/O, included in the instance price; use for caches, scratch space, or replicated data only
------------------------------------
EBS AND Instance Store
both offer block level storage
EBS snapshots are stored INCREMENTALLY in S3
you are billed only for the changed blocks in each snapshot
instance store has no snapshots: copy anything you need to EBS or S3
------------------------------------
S3
objects stored as KEY VALUE pairs (key = object name, value = data + metadata)
supports a GATEWAY VPC endpoint for private access from a VPC
good for data lakes, archives, static websites, backups
Use "Block All Public Access" (account and/or bucket level) to keep buckets/objects private
new objects are encrypted by default (SSE-S3); versioning and Object Lock protect against deletion
data transfer from S3 to EC2 in the SAME REGION is FREE; transfer OUT to the internet is charged
data transfer IN from internet is free
-------
S3 CRR
asynchronous Cross-Region Replication between buckets (versioning required); SRR is the same-region variant
-------
S3TA - S3 Transfer Acceleration
faster uploads over long distances from geographically dispersed clients
uses CloudFront Edge Locations as the entry point, then the AWS backbone
can be combined with multi-part upload
-------
S3 Storage Class Options: (IA means Infrequent Access)
----------------------------
- One Zone-IA: cheapest IA class, rapid access, data held in a SINGLE AZ (lost if that AZ is destroyed)
----------------------------
- Standard: Ideal for frequently accessed data
- Standard-IA: Designed for infrequently accessed data that still needs millisecond access; per-GB retrieval fee
----------------------------
- Intelligent-Tiering: small per-object monitoring fee, automatically moves data to cheaper tiers based on access patterns, no retrieval fee
----------------------------
- Glacier Instant Retrieval: archive with millisecond access, for data accessed about once a quarter
- Glacier Flexible Retrieval (formerly just "Glacier")
Designed for archived data that is accessed one-to-two times per year.
Expedited - 1-5 minutes.
Standard - 3-5 hours, for less time-sensitive needs, backup data, media editing, long-term analytics.
Bulk - lowest-cost retrieval option, 5-12 hours
-------
Glacier Deep Archive: The lowest-cost storage option, for data rarely accessed; retrieval in 12 hours (standard) or 48 hours (bulk)
-------
S3 NO Data Retrieval Fee:
- Intelligent-Tiering
- S3 Standard
(IA and Glacier classes charge per GB retrieved)
NO data transfer fee OUT if:
the S3 bucket and the EC2 instance are in the same region
------------------------------------
ECS - Elastic Container Service
RUN, STOP, MANAGE Docker containers (orchestrator)
does NOT store images (that is ECR)
with the EC2 launch type YOU maintain and have access to the underlying OS; with Fargate you do not
---------------
ECR - Elastic Container Registry
STORE, MANAGE, DEPLOY
store container images to be run by ECS or Fargate
---------------
Fargate - serverless
no access to underlying OS
Runs docker containers on AWS
based on CPU/RAM needed
---------------
Amazon API Gateway
Create and manage APIs to back-end systems on EC2, AWS Lambda, or any public web service
Can call Lambda function to create front door of serverless app
Can be configured to send data to Kinesis Data Stream
------------------------------------
------------------------------------
------------------------------------
------------------------------------
CodeDeploy
automate code deployments to EC2, on-prem servers, Lambda, and ECS
-------
CodePipeline
CI/CD orchestration; detects source changes (EventBridge events or webhooks) and runs build, test, and deploy stages
-------
CodeStar - Code Star (AWS ended support for CodeStar in July 2024)
holistic, not detailed view
manage access and add owners, contributors, and viewers to your projects
can track progress across your entire software development process,
from your backlog of work items to teams’ recent code deployments
-----
to develop, build, and deploy applications on AWS
SIMPLIFYING the setup of your entire development project
Automates configuration of a CD pipeline
-------
Cloud9 (no longer offered to new customers since July 2024)
IDE to write, run, and debug your code in the BROWSER
no local configuration or software install involved
----------------------------
Elastic Beanstalk - PaaS
NO CHARGE for Beanstalk itself; you pay for the resources it provisions (EC2, ELB, RDS...)
Basic Health reporting can determine if the ASG is available and has at least 1 instance
Basic Health does NOT report to CloudWatch (Enhanced Health does)
DEPLOY and SCALE web applications
No need to learn underlying infrastructure
YOU manage data and apps and still have access to the UNDERLYING OS (EC2 instances)
Upload code and Elastic Beanstalk automatically handles
deployment,
capacity provisioning,
load balancing,
auto scaling,
app health monitoring
----------------------------
Launch Wizard
guides you through sizing, config, deployment
including SQL, SAP
----------------------------
CodeBuild - fully managed CI service that compiles, tests, and produces software packages that are ready to deploy
------------------------------------
------------------------------------
Wavelength - embeds AWS compute/storage inside telecom 5G networks for ultra-low-latency mobile apps
------------------------------------
Route53
HEALTH CHECKS and monitoring of endpoints
domain registration
DNS (authoritative, 100% availability SLA)
maintains ROUTING POLICIES: simple, weighted, latency, geolocation, geoproximity, multivalue, failover
Failover Routing is Active/Passive (a health check decides)
ALIAS records point at AWS resources such as ALB/NLB, CloudFront, S3 websites at no query charge
------------------------------------
------------------------------------
AmazonMQ - managed message broker (ActiveMQ / RabbitMQ) for migrating existing broker-based apps
----------------
SNS
Simple Notification, pub/sub
time critical messaging
no polling, is push based messaging service
DECOUPLE
----------------
SQS
Simple Queue, pull based (consumers poll), scales automatically
messages retained up to 14 days; Standard = at-least-once delivery, FIFO = exactly-once processing
DECOUPLING for APP communication
----------------
Simple Workflow SWF
build, run, and scale background jobs that have parallel or sequential steps
-----
a fully-managed state tracker and task coordinator in the Cloud
coordinates tasks across distributed app components
-----
tasks are assigned once and never duplicated
-----
workflow executions can last up to one year
-----
'deciders' and 'workers' - complete the tasks
----------------
KINESIS - REAL TIME -> data in -> Data Streams -> Managed Service for Apache Flink (formerly Data Analytics) -> Data Firehose -> data out to -> Redshift (Big Data warehouse), S3 bucket, or OpenSearch
----------------
MSK - (Managed Streaming Kafka) migrate, build, and run real-time streaming applications on Apache Kafka.
----------------
Cloudwatch
monitor resource UTILIZATION & APP PERFORMANCE (metrics, logs, alarms, dashboards)
Logs Insights: interactive query language to search and analyze log groups
Monitor, store, access log files from EC2 (CloudWatch agent), CloudTrail, Route53 and more
EventBridge rules (formerly CloudWatch Events) can trigger on user activity like "root user sign in" recorded by CloudTrail
Alarms
billing alarms to monitor estimated charges
triggered when a metric crosses a configured threshold (e.g. billing, CPU)
billing metrics are always published in "US EAST 1" (N. Virginia)
----------------
Cloudtrail
history of MANAGEMENT EVENTS (API calls, console sign-ins); DATA EVENTS (S3 object / Lambda) are optional
90 days of event history for free; a TRAIL delivers logs to S3 for long-term retention
log files in S3 are ENCRYPTED by DEFAULT (SSE-S3); SSE-KMS and log file integrity validation are optional
----------------
Cloudtrail Insights
detects UNUSUAL API activity (spikes in call volume or error rate) and raises Insights events
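The "root user sign-in" trigger mentioned under CloudWatch, and the CloudTrail events it keys on, are easiest to see with the records in hand. The Python below is an added example, not AWS code: the records are hand-written in CloudTrail's JSON field layout (not captured logs), the account id is AWS's documentation placeholder, and the thresholds are arbitrary. It shows the two fields a root sign-in rule matches (userIdentity.type and eventName) plus two checks that are usually paired with it: failed console-login bursts and calls that tamper with CloudTrail itself.

```python
"""Detection logic over CONSTRUCTED CloudTrail records. Added example, not AWS code.
A root sign-in rule keys on userIdentity.type == "Root" and eventName == "ConsoleLogin";
the other two checks are common companions. Records are hand-written in CloudTrail's
field layout, not real logs; 123456789012 is AWS's documentation placeholder account."""

ROOT_ARN = "arn:aws:iam::123456789012:root"
ALICE = {"type": "IAMUser", "userName": "alice", "arn": "arn:aws:iam::123456789012:user/alice"}
BOB = {"type": "IAMUser", "userName": "bob", "arn": "arn:aws:iam::123456789012:user/bob"}
ROOT = {"type": "Root", "arn": ROOT_ARN}


def _login(time, who, outcome, ip, mfa=None):
    """Build a ConsoleLogin record the way CloudTrail lays one out."""
    rec = {"eventTime": time, "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
           "userIdentity": who, "responseElements": {"ConsoleLogin": outcome}, "sourceIPAddress": ip}
    if mfa is not None:
        rec["additionalEventData"] = {"MFAUsed": mfa}
    return rec


RECORDS = [  # constructed sample day
    _login("2025-03-15T08:01:10Z", ROOT, "Success", "203.0.113.9", mfa="No"),
    _login("2025-03-15T08:05:00Z", ALICE, "Failure", "198.51.100.4"),
    _login("2025-03-15T08:05:30Z", ALICE, "Failure", "198.51.100.4"),
    _login("2025-03-15T08:06:00Z", ALICE, "Failure", "198.51.100.4"),
    _login("2025-03-15T08:07:00Z", ALICE, "Success", "10.0.0.12", mfa="Yes"),
    {"eventTime": "2025-03-15T09:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "userIdentity": BOB, "sourceIPAddress": "203.0.113.20",
     "requestParameters": {"name": "org-trail"}},
]


def root_activity(records):
    """Anything done as the root user; a console sign-in without MFA is the worst case."""
    hits = []
    for r in records:
        if r.get("userIdentity", {}).get("type") != "Root":
            continue
        hits.append({"time": r["eventTime"], "event": r["eventName"],
                     "ip": r.get("sourceIPAddress"),
                     "mfa": r.get("additionalEventData", {}).get("MFAUsed")})
    return hits


def failed_login_bursts(records, threshold=3):
    """(userName, source IP) pairs with >= threshold failed console logins: brute force or spray."""
    counts = {}
    for r in records:
        if r.get("eventName") != "ConsoleLogin":
            continue
        if r.get("responseElements", {}).get("ConsoleLogin") != "Failure":
            continue
        key = (r["userIdentity"].get("userName", "?"), r.get("sourceIPAddress"))
        counts[key] = counts.get(key, 0) + 1
    return {k: v for k, v in counts.items() if v >= threshold}


TRAIL_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def trail_tampering(records):
    """API calls that weaken CloudTrail itself (a standard CIS benchmark alarm)."""
    return [(r["eventTime"], r["eventName"], r["userIdentity"].get("arn"))
            for r in records
            if r.get("eventSource") == "cloudtrail.amazonaws.com"
            and r.get("eventName") in TRAIL_TAMPER]


def run_detections(records=RECORDS):
    return {"root": root_activity(records),
            "bursts": failed_login_bursts(records),
            "tamper": trail_tampering(records)}
```

On the constructed records this flags one root console login without MFA, three failed logins for alice from one address (the later success from a different address does not reset the count), and bob's StopLogging call.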
----------------
X-Ray
helps debug distributed (microservice) apps
------------------------------------
CodeGuru
quality recommendations, automated code review
------------------------------------
Storage Data Encryption at rest
S3 encrypts new objects by default (SSE-S3); Storage Gateway encrypts at rest and in transit
EBS, EFS, and RDS support KMS encryption, but EBS "encryption by default" is an account setting YOU must turn on
------------------------------------
------------------------------------
-------- Connection Types ----------
------------------------------------
------------------------------------
Direct Connect (DX) and Direct Connect Gateway
Consistent, HIGH BANDWIDTH, low-latency private connection from on-prem network to AWS
AVOIDS the public internet but is NOT encrypted by itself: run a VPN over it or use MACsec
DX Gateway lets one connection reach VPCs in multiple regions and accounts
hybrid connection; takes weeks to provision
-------------------------
VPC Endpoint
private connection from a VPC to AWS services that never leaves the AWS network (encryption is the service's own TLS)
GATEWAY endpoints: S3 and DynamoDB only (route table entry, no charge)
INTERFACE endpoints (PrivateLink): most other services, e.g. SQS, KMS, SSM (ENI with a private IP, hourly + data charge)
provide reliable, SCALABLE connectivity to AWS services
DOES NOT require:
Internet Gateway
NAT instance/gateway
VPN connection
----------------
VPC Interface Endpoint
ENI with a private IP in your subnet
privately connect VPC to services like SQS
since traffic stays inside the AWS network,
no need for Internet Gateway, NAT, or Virtual Private Gateway
----------------
PrivateLink
the technology behind interface endpoints: expose your own service (behind an NLB) or consume
AWS/partner services over private IPs; also reachable from on-prem via Direct Connect or VPN
----------------
VPN
secure network connection between ON-PREM and CLOUD
----------------
NAT Gateway (Network Address Translation)
AWS managed, highly available within its AZ; sits in a PUBLIC subnet (a NAT instance is the self-managed alternative)
gives private subnets outbound access to the internet while remaining PRIVATE (no inbound-initiated connections)
-------
NACL (Network Access Control List)
can DENY SPECIFIC IPs or ranges
acts as a virtual firewall for the VPC at the SUBNET LEVEL
controls traffic in/out of subnets
has both DENY and ALLOW rules
STATELESS: return traffic (ephemeral ports 1024-65535) must be explicitly allowed in the other direction
EVALUATES RULES IN ORDER: lowest rule number first, first match wins, the final * rule denies everything else
default NACL allows all; a custom NACL denies all until you add rules
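The difference between the security-group semantics (EC2 section: allow-only, stateful) and the NACL semantics above (ordered allow/deny, stateless) is the thing most often got wrong in practice. The Python below is an added example, not AWS code: a toy model of both evaluators, with constructed rules and addresses, that shows why a reply leaves through a security group without an outbound rule, why a NACL needs an explicit ephemeral-port rule for the same reply, and why a deny numbered after a broader allow never fires.

```python
"""Toy model of AWS security-group vs network-ACL evaluation. Added example, not
AWS code: rules, the flow table and all addresses below are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    proto: str              # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str
    action: str = "allow"   # NACL rules may be "deny"; security groups are allow-only
    number: int = 0         # NACL rule number (evaluation order); unused for SGs


def _matches(rule, proto, port, ip):
    if rule.proto != "all" and rule.proto != proto:
        return False
    if not rule.port_from <= port <= rule.port_to:
        return False
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule.cidr)


class SecurityGroup:
    """Allow-only and STATEFUL: once a flow is permitted in one direction,
    its reply is permitted without needing a rule in the other direction."""

    def __init__(self, inbound, outbound):
        if any(r.action != "allow" for r in inbound + outbound):
            raise ValueError("security groups have no deny rules")
        self.inbound, self.outbound = inbound, outbound
        self.flows = set()  # connection table: (proto, remote_ip, remote_port, local_port)

    def inbound_allowed(self, proto, src_ip, src_port, dst_port):
        key = (proto, src_ip, src_port, dst_port)
        if key in self.flows:                      # reply to a flow we started
            return True
        if any(_matches(r, proto, dst_port, src_ip) for r in self.inbound):
            self.flows.add(key)                    # remember it so the reply can leave
            return True
        return False                               # implicit deny

    def outbound_allowed(self, proto, dst_ip, dst_port, src_port):
        key = (proto, dst_ip, dst_port, src_port)
        if key in self.flows:
            return True
        if any(_matches(r, proto, dst_port, dst_ip) for r in self.outbound):
            self.flows.add(key)
            return True
        return False


class NetworkACL:
    """STATELESS: each direction is checked on its own, lowest rule number first,
    first match wins, and anything unmatched hits the implicit '*' deny."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    @staticmethod
    def _evaluate(rules, proto, port, ip):
        for r in rules:
            if _matches(r, proto, port, ip):
                return r.action == "allow"
        return False

    def inbound_allowed(self, proto, src_ip, src_port, dst_port):
        return self._evaluate(self.inbound, proto, dst_port, src_ip)

    def outbound_allowed(self, proto, dst_ip, dst_port, src_port):
        return self._evaluate(self.outbound, proto, dst_port, dst_ip)


def demo():
    """Constructed web-server scenario: HTTPS from anywhere, one abusive source blocked."""
    client, bad = "203.0.113.5", "198.51.100.7"
    sg = SecurityGroup(inbound=[Rule("tcp", 443, 443, "0.0.0.0/0")],
                       outbound=[Rule("tcp", 443, 443, "0.0.0.0/0")])   # only outbound HTTPS
    anywhere_https = Rule("tcp", 443, 443, "0.0.0.0/0", "allow", 100)
    ephemeral_out = Rule("tcp", 1024, 65535, "0.0.0.0/0", "allow", 100)
    good = NetworkACL([Rule("tcp", 443, 443, bad + "/32", "deny", 90), anywhere_https], [ephemeral_out])
    wrong_order = NetworkACL([anywhere_https, Rule("tcp", 443, 443, bad + "/32", "deny", 110)], [ephemeral_out])
    no_ephemeral = NetworkACL([anywhere_https], [Rule("tcp", 443, 443, "0.0.0.0/0", "allow", 100)])
    return {
        "sg_https_in": sg.inbound_allowed("tcp", client, 50000, 443),        # True: rule match
        "sg_reply_out": sg.outbound_allowed("tcp", client, 50000, 443),      # True: stateful, no rule needed
        "sg_new_out": sg.outbound_allowed("tcp", client, 50001, 443),        # False: not a tracked flow
        "sg_ssh_in": sg.inbound_allowed("tcp", client, 50000, 22),           # False: implicit deny
        "nacl_https_in": good.inbound_allowed("tcp", client, 50000, 443),    # True: rule 100
        "nacl_bad_in": good.inbound_allowed("tcp", bad, 50000, 443),         # False: rule 90 deny wins
        "nacl_bad_misordered": wrong_order.inbound_allowed("tcp", bad, 50000, 443),  # True: allow at 100 hit first
        "nacl_reply_out": good.outbound_allowed("tcp", client, 50000, 443),  # True: explicit ephemeral rule
        "nacl_reply_blocked": no_ephemeral.outbound_allowed("tcp", client, 50000, 443),  # False: stateless
    }
```

The "wrong_order" case is the practical takeaway: a NACL deny must carry a lower number than any allow it is meant to override, and the "no_ephemeral" case is why a custom NACL that only allows port 443 outbound silently breaks every inbound HTTPS session.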
-------
Transit Gateway
MOST EFFICIENT way to connect thousands of VPCs
and on-prem networks (VPN, Direct Connect) through a single hub
peers with Transit Gateways in other regions
Connects multiple VPCs across regions, accounts, and on-premises networks
providing a centralized hub-and-spoke for network connectivity (replaces a mesh of peering connections)
-------
Internet Gateway
allows VPC to INTERNET connection
for instances in PUBLIC subnets
horizontally scaled high availability vpc
-------
Storage Gateway
enables SEAMLESS USE of storage BETWEEN ON-PREM and CLOUD
File Gateway, Tape Gateway, Volume Gateway
-------------------------
Site to Site VPN
IPsec over the internet, TWO tunnels per connection for redundancy
AWS side: Virtual Private Gateway (or Transit Gateway)
on-prem side: Customer Gateway
-------------------------
Customer Gateway
connects ON-PREM to AWS
a device or software application that
connects over an IPsec VPN tunnel
-------------------------
Virtual Private Gateway VGW
to connect to a managed VPN service between on/off prem
logical, fully redundant,
distributed edge routing function that sits at the edge of your VPC
-------------------------
VPC Gateway Endpoint
enables private connectivity to supported AWS services
supported ONLY for S3 and DynamoDB (every other service uses an interface endpoint)
add target entries in the route table of the VPC
bypassing the public internet; no NAT or Internet Gateway needed, no charge
------------------------------------
Peering Connection
private data sharing connection BETWEEN VPCs
Connects two VPCs in the same or different regions, same or different AWS accounts
providing a direct one-to-one connection; NOT transitive, and CIDR ranges must not overlap
------------------------------------
VPC
a VPC spans all AZs within a single AWS Region.
a VPC cannot span across multiple Regions.
------------------------------------
Subnet
region -> vpc -> az -> subnet -> instance
is in one AZ
instances launch inside a subnet
cannot span zones
------------------------------------
Security Hub
consolidated view of your security status in AWS
aggregates findings from GuardDuty, Inspector, Macie, IAM Access Analyzer, and partner tools
runs automated checks against standards (CIS, AWS Foundational Security Best Practices, PCI DSS)
----------
KMS
Key Management Service
creates and manages the encryption KEYS (KMS keys) used by AWS services and your apps
AWS MANAGED keys are created AUTOMATICALLY in your ACCOUNT when a service first needs one
key usage is logged in CloudTrail; keys never leave KMS unencrypted (envelope encryption)
----------
CloudHSM (Hardware Security Module)
single-tenant, FIPS 140-validated hardware in the cloud for generating and using YOUR OWN encryption keys
you control the HSM users; AWS has no access to your keys (can back a KMS custom key store)
----------
Secrets Manager
separate service (NOT inside CloudHSM); secrets are encrypted with a KMS key
managing and ROTATING application secrets, passwords, API keys, and other sensitive data
----------
Customer Managed Key
a KMS key you create: you control its key policy, rotation, and deletion
------------------------------------
------------------------------------
--- AI Machine Learning Services ---
------------------------------------
Rekognition
face detection, objects, text, scenes, celebrity identification
can also identify text located spatially within an image, such as words displayed on street signs,
t-shirts, or license plates
can estimate emotions and gender, detect inappropriate content
train Custom Labels on your own images
integrated with A2I (Augmented AI) for human review
has DetectModerationLabels API for screening images/videos before returning them
------------------------------------
Transcribe
audio speech to text, custom vocabularies, custom language models, toxicity detection, remove PII
------------------------------------
Personalize - uses ML to create individualized recommendations for users/shoppers
------------------------------------
Polly
text to audio, synthesize natural-sounding human speech
lexicons, SSML, Speech Synthesis Markup language, speech marks
------------------------------------
Translate - can translate large volumes, one language to another
------------------------------------
Lex
conversational chatbot, uses speech recognition (ASR) & natural language understanding (NLU)
integrates with Connect, Comprehend, Kendra
you define intents and slots; it detects the intent of users
fulfillment is fully configurable (e.g. a Lambda function)
------------------------------------
Connect - cloud contact center with bots
------------------------------------
Comprehend
natural language processing (NLP) service; can build a CUSTOM classifier
-----
NER
NAMED entity recognition: people, places, orgs, dates, out of the box
can be customized (custom models) to recognize your own entity types
custom models can be shared across accounts, but only in the same region, from the Comprehend console
-----
example use: analyze support tickets for insights from free text
can redact PII before the tickets are processed to create search indexes
-----
detects sentiment, entities, key phrases, language, and PII
-----
provides APIs for text analysis, such as:
Custom Entity Recognition
Custom Classification
Key Phrase Extraction
Sentiment Analysis
Entity Recognition
------------------------------------
Textract
automatically extracts text, HANDWRITING, layout elements, and data from SCANNED documents
interprets printed and handwritten text, forms, and tables and returns structured data objects
------------------------------------
Forecast - time-series forecasting (no longer offered to new customers)
------------------------------------
Kendra
fully managed document SEARCH service, and content extractor powered by machine learning
can add SEARCH capabilities to their applications so their end users can discover information
stored within the vast amount of content spread across their company
------------------------------------
A2I - Augmented AI (part of SageMaker)
adds human oversight to 'low confidence' predictions
reviewers could be your own team, or mechanical turk humans
------------------------------------
Lookout for Metrics - fully managed anomaly detection on business metrics
detectors, datasets, anomalies
the numeric value being monitored is called a 'measure'
the categorical fields that split a measure are called 'dimensions'
----------
Fraud Detector - fully managed
customized to your data and learns over time
model variables
use case -> event type -> create model -> review performance
----------
Q Business
40+ popular enterprise data sources
----------
Q Developer
answers questions about aws services and resources
can analyze your costs, can give cli commands
code companion
------------------------------------
------------------------------------
------------------------------------
Elastic TransCoder
convert S3 media files (discontinued)
------------------------------------
Elasticsearch / OpenSearch
popular open-source search and analytics engine; AWS offers it as Amazon OpenSearch Service
------------------------------------
CloudFront
Global CDN (edge locations cache content close to users)
DDoS protection comes from Shield Standard (Route 53 is protected the same way); integrates with WAF
pricing varies by edge-location region; price classes limit which edges are used
------------------------------------
Compute Savings Plan - most flexible up to 66%, for 1-3 year term
------------------------------------
FSx for Windows File Server
managed windows file system
SMB protocol - server message block
------------------------------------
Compute Optimizer
recommendations to identify optimal resource configuration for workloads
reduce costs, increase performance
uses Machine Learning
including:
EC2
ASG
EBS
Lambda
ECS (containers) on Fargate
------------------------------------
Bill Dashboard - high overview
----------
Billing Conductor
customize your bill computation
display your billing data in a meaningful way
group accounts with similar needs into BILLING GROUPS
generates a pro forma Cost & Usage Report for each group
----------
Cost Tags
helps create detailed REPORTS by tag (cost allocation tags must be activated)
used to separate costs by DEPARTMENT, project, or environment
----------
Cost Usage Reports (CUR)
comprehensive BILLING DETAILS
NOT FOR UNDER-UTILIZED items
needs configuring
----------
Cost Explorer
shows/monitors current and forecasted usage and spend
Rightsizing recommendations can flag idle or under-utilized EC2s
does NOT monitor live resource utilization (that is CloudWatch)
NO ALERTS (use Budgets)
can help choose SAVINGS PLAN
----------
Bill Alarms - CloudWatch billing alarms on the EstimatedCharges metric (see CloudWatch)
----------
Budgets
alerts when COST, USAGE, or RI / Savings Plans UTILIZATION or COVERAGE crosses a threshold
types: COST, USAGE, RESERVATION (RI utilization/coverage), SAVINGS PLANS (utilization/coverage)
----------
Saving Plans
with commitments
----------
Cost Anomaly Detection
notices unusual spends using ML
------------------------------------
Service Quotas
view and request quota (limit) increases; CloudWatch alarms notify when usage is close to a threshold
------------------------------------
Pricing Calculator - estimate architecture solution cost based on expected usage
------------
IAM
identities (users, groups, roles) and POLICIES that control access to AWS resources; free, global
policy statements REQUIRE Effect and Action (or NotAction); identity policies also need Resource
EXPLICIT DENY always wins, then some Allow must match, otherwise IMPLICIT DENY
------------
ROLES - Benefits
more secure than storing long-lived keys within apps (temporary credentials via STS)
easier to manage than per-user access keys
------------
IAM User
entity associated with an Access Key ID and Secret Access Key (programmatic access)
needs a password (and MFA) for the management console
------------
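How IAM combines those required fields into a decision is worth seeing in code. The Python below is an added example, not AWS code: a deliberately reduced evaluator that implements only the core rule (explicit Deny wins, then an Allow must match, otherwise implicit deny), IAM wildcard matching, and the required-field check. Condition keys, NotAction/NotResource, resource policies, SCPs, permission boundaries and session policies are left out, and the sample policies and bucket names are constructed.

```python
"""Simplified IAM policy evaluator. Added example, not AWS code. Models the core
decision: EXPLICIT DENY wins, otherwise some Allow must match, otherwise IMPLICIT DENY.
Not modelled: Condition, NotAction/NotResource, resource policies, SCPs, permission
boundaries, session policies. Sample policies and ARNs below are constructed."""
import fnmatch

REQUIRED_FIELDS = ("Effect", "Action", "Resource")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_valid(policy):
    """True if every statement has Effect, Action and Resource with a legal Effect."""
    try:
        statements = _as_list(policy["Statement"])
    except (KeyError, TypeError):
        return False
    return all(all(k in s for k in REQUIRED_FIELDS) and s["Effect"] in ("Allow", "Deny")
               for s in statements)


def _matches(patterns, value, case_insensitive):
    """IAM wildcards: '*' matches any string, '?' one character. Action names compare
    case-insensitively, resource ARNs case-sensitively."""
    if case_insensitive:
        value = value.lower()
    for pattern in _as_list(patterns):
        if case_insensitive:
            pattern = pattern.lower()
        if fnmatch.fnmatchcase(value, pattern):
            return True
    return False


def evaluate(policies, action, resource):
    """Return 'allow', 'explicit_deny' or 'implicit_deny' for one (action, resource)."""
    allowed = False
    for policy in policies:
        if not is_valid(policy):
            raise ValueError("malformed policy: Effect, Action and Resource are required")
        for stmt in _as_list(policy["Statement"]):
            if not _matches(stmt["Action"], action, case_insensitive=True):
                continue
            if not _matches(stmt["Resource"], resource, case_insensitive=False):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit_deny"          # one matching Deny ends evaluation
            allowed = True                      # keep going: a later Deny could still win
    return "allow" if allowed else "implicit_deny"


# Constructed sample policies (bucket names are made up).
READ_LOGS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::app-logs", "arn:aws:s3:::app-logs/*"]}]}
GUARDRAIL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::app-logs/secrets/*"}]}
BROKEN = {"Version": "2012-10-17", "Statement": [
    {"Action": "s3:*", "Resource": "*"}]}     # Effect missing: IAM rejects this document


def demo():
    attached = [READ_LOGS, GUARDRAIL]
    return {
        "read_log": evaluate(attached, "s3:GetObject", "arn:aws:s3:::app-logs/2025/03/15.log"),
        "read_secret": evaluate(attached, "s3:GetObject", "arn:aws:s3:::app-logs/secrets/db.json"),
        "write_log": evaluate(attached, "s3:PutObject", "arn:aws:s3:::app-logs/2025/03/15.log"),
        "case_insensitive_action": evaluate([READ_LOGS], "S3:GETOBJECT", "arn:aws:s3:::app-logs/x"),
        "broken_is_valid": is_valid(BROKEN),
    }
```

The GUARDRAIL policy shows the usual pattern for carving an exception out of a broad allow: because Deny is evaluated before any Allow counts, it does not matter which policy is attached first.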
IAM Groups
CANNOT be nested
user can be in multiple groups
------------
IAM Identity Center
SSO, one login for multiple accts and applications
------------
AWS Organizations -
for managing and creating MULTIPLE accounts
SCPs can restrict individual API actions in member accounts (even for their root user)
organize accounts by department into Organizational Units (OUs)
restrict with SCP (Service Control Policies)
consolidated billing, and volume discounts when LINKING accounts
------------
Cognito
USER POOLS: sign-up/sign-in, MFA, federation via SAML, OIDC, Google, Facebook, Amazon, Apple
issues JWT tokens (ID, access, refresh)
IDENTITY POOLS: exchange those tokens for temporary AWS credentials (via STS)
-----------
IAM Credentials Report
lists all your IAM users in this account
status of their various credentials
such as passwords, access keys, MFA devices
-----------
IAM Access Analyzer
identifies resources shared with EXTERNAL principals (S3 buckets, IAM roles, KMS keys, SQS, Lambda, etc.)
validates policies against best practices and generates least-privilege policies from CloudTrail activity
finds UNUSED access (roles, access keys, permissions)
------------------------------------
IAM Access Advisor
review PERMISSIONS
show when last accessed
------------------------------------
STS - Security Token Service
issues TEMPORARY, limited-privilege credentials (AssumeRole, federation)
------------
Directory Service
managed Microsoft Active Directory in AWS, or AD Connector to an on-prem AD
------------------------------------
------------------------------------
IoT Core
connects BILLIONS of devices to AWS securely (MQTT, HTTPS, X.509 certificates)
device registry, rules engine, device shadows
------------------------------------
------------------------------------
Application Load Balancer
provides static DNS but NOT static IP
AWS wants your ELB accessible with a static endpoint even if the infrastructure changes
never resolve the IP of a load balancer as it can change with time
supports WebSockets, HTTP/S/1/2, TLS
can route to different target groups based on: URLPath, Headers & Query Strings
----------------
Network Load Balancer
provides static DNS & IP
highest performance
lowest latency
Supports TCP and UDP
----------------
ELB Sticky Sessions
ensures traffic for the same client is redirected to the same target
no lost sessions
----------------
ELB
is designed to distribute traffic within a single region
not across multiple regions
----------------
X-Forwarded-For Header - ALB adds this header so the backend can see the client's IP address.
Health Checks - when enabled, do not send traffic to unhealthy EC2s
----------------
Cross Zone Load Balancing - distributes evenly across all registered instances in all AZs.
----------------
Server Name Indication SNI - allows multiple TLS certificates on one listener, picked by the hostname the client requests
----------------
Auto Scaling Groups - have a cooldown period after scaling activity, default is 300s (5 minutes)
------------------------------------
------------------------------------
Performance Efficiency Design Principles:
- democratize advanced technologies
- go global in minutes
- use serverless architectures
- experiment more often
- consider mechanical sympathy
Reliability Design Principles:
- automatically recover from failure
- test recovery procedures
- scale horizontally to increase aggregate availability
- stop guessing capacity
- manage change through automation
------------------------------------
------------------------------------
Systems Manager
identify any issues impacting apps USING those resources
automate and centralize the management of your AWS resources and applications
platform for visibility, control, and AUTOMATION across your AWS infrastructure
view operational data from MANY SOURCES in a single view
------------------------------------
CONFIG
A view of the CHANGES in your RESOURCES associated with your AWS account
INCLUDING how they are configured
can generate an INVENTORY of AWS resources
------------------------------------
AppConfig
Create, manage, and safely deploy app config data to your targets at runtime
validation checks
no additional code need be written
no restarts
------------------------------------
AWS Backup - centralized, policy-based backup of AWS services (EBS, RDS, DynamoDB, EFS, ...)
------------------------------------
Disaster Recovery
replicate between multiple REGIONS
------------------------------------
CloudEndure (Disaster Recovery) - legacy, replaced by AWS Elastic Disaster Recovery
minimize downtime, data loss, fast reliable recovery of your
physical and virtual cloud based servers
------------------------------------
Elastic Disaster Recovery
Scalable, cost-effective, minimize downtime and data loss
fast, on-premises & cloud-based apps
using affordable storage
minimal compute
point-in-time recovery
------------------------------------
DataSync
incremental backup/storage
data movement and discovery service that accelerates data migrations to AWS
moving data to and from on-premises storage, edge locations, other cloud providers
and AWS Storage services.
------------------------
Amplify:
set of tools to help you quickly start mobile/web apps
like a beanstalk for mobile / web
Gives you out of the box:
- Authentication (amplify add auth)
- Datastore (amplify add api)
- Integrated with Cypress test suite
----------------
AppSync
flexible APIs facilitate secure, scalable mobile & web apps
publish and subscribe to REAL-TIME events over serverless WebSockets
access, manipulate, and combine data from multiple sources through a single GraphQL API endpoint
----------------
------------------------------------
SNOW FAMILY - devices to move data to the AWS Cloud or run compute and processing workloads at the edge
-----------
Snowcone
smallest device in the Snow Family
used to gather, process, and transport data online via Amazon DataSync or offline by shipping it back
8TB of usable storage on the HDD model
14TB of usable storage on the SSD model
-----------
Snowball
80 TB of HDD storage for object storage
provide both block storage & S3 object storage
suited for local storage and large scale-data transfer
------
Snowball Edge - Compute Optimized
native support for EC2
42 TB of HDD for object storage,
plus 7.68 TB of NVMe SSD storage for AWS EBS block volumes
-----------
Snowmobile
shipping-container-sized truck to transport EXABYTES of data to AWS (AWS has since retired the offering)
------------------------------------
Cloud Migration Strategies - "The 7-R's"
- retire
- retain
- relocate
- rehost (lift and shift)
- repurchase
- replatform (lift and reshape)
- refactor/rearchitect
---------------
Application Migration Service
Automatic lift and shift, conversion to AWS, many platforms/os/db
---------------
Migration Evaluator
aggregates data to build a case (insights/cost)
for moving to AWS from its current state
---------------
Migration Hub
central data collection to help accelerate migration (Orchestrator)
is integrated with Application and DB Migration Services
Application Discovery Service collects data on config, usage, and behavior of servers in ON-PREM data centers
------------------------------------
Fault Injection Simulator
based on chaos engineering
create disruptive events (experiments)
------------------------------------
Step Functions
visual workflow to orchestrate Lambda funcs, ec2, API Gateway and more
used for Asynchronous integration between components
------------------------------------
Ground Station - control satellite communications
------------------------------------
EventBridge
serverless service that uses events to connect application components
for developers to build scalable EVENT-DRIVEN apps
------------------------------------
Pinpoint
Scalable 2 way communication marketing service
email, voice, in-app msg, personalize msgs, SMS msgs
---------------------------------------
Well Architected Framework Tool:
Reviews state of your workloads, compares them to AWS architectural best practices based on 6 pillars
Used on workloads to gauge if you are using best practices
Tools include: Config, CloudTrail, CloudWatch
-------------------
Architecture Center - for examples of cloud solution designs
---------------------------------------
Six Pillars
- Operational Excellence
Automation (CloudFormation)
make small, reversible changes,
anticipate failure
scalability, monitoring
incident response
- Security
Protect data, systems from unauthorized access
malicious activity, accidental damage
USE KMS to encrypt data
- Reliability
fault-tolerant
able to recover from failures
- Performance Efficiency
meet workload requirements
including scaling, caching, and queuing
- Cost Optimization
Right-sizing resources
optimizing costs
- Sustainability
environmental sustainability
---------------------------------------
CAF - Cloud Adoption Framework (Organizational Capabilities)
- Business: investments accelerate biz outcomes
- People: organize around PRODUCTS and VALUE, bridge tech and business
- Governance: helps cloud initiative, maximize benefits, minimize risks
- Platform: reducing business risk, improving environmental, social, and governance (ESG) performance
- Security: confidentiality, integrity, and availability of data and cloud workloads
- Operations: performance and capacity management, leverage agile methods, rapid iteration
---------------------------------------
CAF Transformation Phases
- Envision
- Align - identify gaps
- Launch
- Scale
---------------------------------------
Agility:
- speed resources are created
- ability to experiment quickly
---------------------------------------
---------------------------------------
APN Consulting Partner
for MIGRATING, design,
build and MANAGE APPLICATIONS
---------------------------------------
APN Technology Partner
for building services AFTER MIGRATION
---------------------------------------
AWS Professional Services
assist WITH infrastructure MIGRATION
---------------------------------------
AWS Partner Network APN
build custom solutions FOR MIGRATION
---------------------------------------
AWS Partner Solutions
uses "reference deployments" to QUICKLY deploy POPULAR tech, can be customized
---------------------------------------
---------------------------------------
---------------------------------------
Quick Start Reference Deployments
rapid deploy popular solutions, immediate use
--------------------
AWS Services Catalog
portfolios to organize your products and distribute them
upload your line of business products
Authorize users, groups, and roles to access portfolios
set governance configurations
AppRegistry provides a repository for collecting and managing your application metadata
--------------------
Session Manager - no ports to open
Instance Connect - needs port 22 open
--------------------
OpsWorks - Chef and Puppet (wtf)
--------------------
ARM64 processors - Android
x86 processors - Windows, Linux, and Unix
--------------------
OpsHub
SNOWBALL GUI app
to unlock and configure single or clustered devices
transferring files
launching and managing instances running on Snowball Edge
--------------------
Service Health Dashboard
can subscribe to RSS feed for status of AWS interruptions
GENERALIZED VIEW of outages/upgrades/maintenance
real time, open to public
historical data
part of ALL SUPPORT PLANS
--------------------
Personal Health Dashboard
relevant timely info to help manage progress
shows proactive notifications to help plan scheduled activities
alerts triggered by changes in AWS Health of resources
gives visibility and guidance to diagnose and resolve issues
--------
Your Account Health Dashboard - PERSONALIZED VIEW of services affecting your architecture
--------------------
Removing AWS ORG Accounts
must operate as STANDALONE account
---------------------------------------
AWS Credits are applied:
- Soonest expiring
- least number of applicable products
- Oldest credit
---------------------------------------
U2F - USB (note the U)
plug in device for MFA
------------------
Local Zones
use certain services like compute
and storage closer to end-users
------------------
Availability Zones
each subnet is mapped to ALL AZs in a region
------------------
Penetration Testing - is OK on AWS, NETWORK stress testing is not.
------------------
Shared Responsibility Model
for 'abstracted' services like S3
AWS controls infrastructure, OS & platform
---------------------------------------
---------------------------------------
SERVERLESS COMPUTING:
When asked serverless computing services AWS offers
EC2 is NOT one - since you are actually provisioning servers :(
Lambda and Fargate are serverless...
-----------------
Service Control Policies (SCP)
used within AWS Organizations
set the MAXIMUM permissions that identities (users and roles) within accounts in your organization can have; they do not grant permissions themselves
helps ensure your identities stay within the organization’s access control guidelines
-----------------
AWS Abuse Team
regarding issues on prohibited use
trustandsafety@support.aws.com
---------------------------------------
---------------------------------------
Outposts
low latency access to app components ON-PREM
for hybrid architecture
EXTENDS existing VPC to ON-PREM
---------------------------------------
EC2 Auto Scaling - can REPLACE unhealthy instances... is free
---------------------------------------
---------------------------------------
Management Console
can manage ALL AWS services
can launch ElastiCache clusters
---------------------------------------
CLI & SDK
can manage ALL AWS services
----------
Systems Manager
Automating and monitoring EC2 instances and inventory
Run commands
Config and patch servers at scale
compliance
unified UI to view operational data for "resource groups"
---------------------------------------
Resource Groups
unlimited, single-region groups in your account
use your groups to view group-related insights
automate tasks on group resource
Groups can be based on:
- resource types
- tag queries
- CloudFormation stacks.
---------------------------------------
Resource Access Manager
securely share and manage AWS resources across accounts or organization
reduce operational overhead
centrally manage access to shared resources
---------------------------------------
Root user credentials needed to change:
account name
support plans
And consists of:
email/password used to create the account
---------------------------------------
---------------------------------------
MULTI AZ = MORE AVAILABILITY
----------------------------
Cost Allocation Tags:
each tag key is unique and has only one value
used for organizing and associating costs to business units
must activate GENERATED & USER DEFINED TAGS separately
before they appear in Cost Explorer or on a cost allocation report
-------------------------
Cloud Foundations
guides to deploy, configure, and secure workloads
ensuring readiness for on-going operations
-------------------------
For separate invoices, create different accounts
-------------------------
Policy Example (bucket policy granting everyone read-only access, as the Sid says; Principal "*" means anonymous/public):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowEveryoneReadOnlyAccess",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::examplebucket", "arn:aws:s3:::examplebucket/*"]
    }
  ]
}
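As an added illustration for the SCP note above ("SCPs set the maximum permissions") and for this policy example, here is a small Python model of how a resource policy and an SCP combine. It is example code written for these notes, not code from AWS or from the original notes, and it is deliberately simplified: identity policies, permission boundaries, session policies and Conditions are left out. The account ID, role name and bucket name are constructed placeholders, and the second bucket-policy statement and the SCP are assumptions added to make the interaction visible.

```python
"""Simplified IAM evaluation: SCP as a ceiling, resource policy as the grant.

Added example (not from the notes or from AWS). Models two points:
  * an SCP caps what identities in the org may do but grants nothing by itself;
  * policies are allow-only with implicit denial, and an explicit Deny wins.
Real evaluation also considers identity policies, boundaries and Conditions.
ARNs, account IDs and bucket names below are constructed placeholders.
"""
from fnmatch import fnmatchcase

# Constructed bucket policy: everyone may read (as in the notes' example),
# plus an assumed admin role that may do anything to the bucket.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowEveryoneReadOnlyAccess",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::examplebucket", "arn:aws:s3:::examplebucket/*"],
        },
        {
            "Sid": "AllowBucketAdminFullAccess",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/BucketAdmin"},
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::examplebucket", "arn:aws:s3:::examplebucket/*"],
        },
    ],
}

# Constructed SCP on the account's OU: allow everything, but nobody in the org
# may delete buckets or rewrite bucket policies, whatever other policies grant.
ORG_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "FullAccess", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {
            "Sid": "GuardrailNoBucketDeletion",
            "Effect": "Deny",
            "Action": ["s3:DeleteBucket", "s3:PutBucketPolicy"],
            "Resource": "*",
        },
    ],
}

ADMIN = "arn:aws:iam::111122223333:role/BucketAdmin"  # constructed
ANON = "anonymous"  # stands for any principal the policy does not name


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """Flatten Principal; SCPs carry no Principal, so they apply to everyone ('*')."""
    principal = statement.get("Principal", "*")
    if isinstance(principal, dict):  # e.g. {"AWS": "arn:..."} or {"AWS": [...]}
        return [p for values in principal.values() for p in _as_list(values)]
    return _as_list(principal)


def _matches(statement, action, resource, principal):
    """True when the statement applies to this request (IAM-style '*' wildcards)."""
    return (
        any(fnmatchcase(action, a) for a in _as_list(statement.get("Action", [])))
        and any(fnmatchcase(resource, r) for r in _as_list(statement.get("Resource", [])))
        and any(p == "*" or p == principal for p in _principals(statement))
    )


def evaluate(policy, action, resource, principal):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one policy document."""
    decision = "ImplicitDeny"  # nothing matched: implicit denial
    for statement in _as_list(policy["Statement"]):
        if not _matches(statement, action, resource, principal):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"  # explicit deny wins immediately
        decision = "Allow"
    return decision


def is_allowed(action, resource, principal, scp=ORG_SCP, resource_policy=BUCKET_POLICY):
    """Both documents must allow; an explicit Deny in either blocks the request."""
    results = (evaluate(scp, action, resource, principal),
               evaluate(resource_policy, action, resource, principal))
    return "Deny" not in results and all(r == "Allow" for r in results)


def public_statements(policy):
    """Defender's check: Sids that Allow Principal '*' with no Condition (public access)."""
    return [
        statement.get("Sid", "<no Sid>")
        for statement in _as_list(policy["Statement"])
        if statement["Effect"] == "Allow"
        and "*" in _principals(statement)
        and "Condition" not in statement
    ]


if __name__ == "__main__":
    obj, bucket = "arn:aws:s3:::examplebucket/readme.txt", "arn:aws:s3:::examplebucket"
    print("anonymous GetObject:", is_allowed("s3:GetObject", obj, ANON))        # True
    print("anonymous PutObject:", is_allowed("s3:PutObject", obj, ANON))        # False, implicit deny
    print("admin DeleteBucket :", is_allowed("s3:DeleteBucket", bucket, ADMIN)) # False, SCP guardrail
    print("public statements  :", public_statements(BUCKET_POLICY))             # ['AllowEveryoneReadOnlyAccess']
```

The admin DeleteBucket case is the one to note: the bucket policy alone says Allow, yet the request fails because the SCP denies it. That is the "maximum permissions" behaviour the notes describe, and `public_statements` is the kind of check to run on any bucket policy whose Sid starts with "AllowEveryone".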
--------------------------------
--------------------------------
--------------------------------
RPO (Recovery Point Objective)
RTO (Recovery Time Objective)
----------
Automated Backups:
Amazon RDS automatically creates and saves backups of your DB instance during a daily user-configurable 30-minute period known as the backup window. These backups are retained for a configurable number of days (called the backup retention period).
----------
Storage Volume Snapshots:
Amazon RDS creates a storage volume snapshot of your entire DB instance, backing up the entire instance and not just individual databases. This snapshot is used to create automated backups.
----------
Manual Snapshots:
You can create manual snapshots of your DB instance at any time. Manual snapshots are user-initiated backups that are stored in Amazon S3 until you explicitly delete them. You can restore a DB instance from a manual snapshot whenever you desire.
----------
Point-in-Time Recovery (PITR):
With automated backups, you can recover your DB instance to any specific time during the backup retention period, creating a new DB instance.
--------------------------------
--------------------------------
--------------------------------
Backup and Restore (HOURS)
back up data and applications to a DR region and restore them when needed to recover from a disaster. RPO is measured in HOURS, and RTO is 24 hours or less.
-----------
Pilot Light (10 minutes or less)
run core services in standby mode, additional services triggered as needed in case of a disaster. RPO is measured in tens of minutes, and RTO is calculated in terms of tens of minutes or less.
-----------
Warm Standby (tens of minutes)
run full backup system in standby mode, live data replicated from prod env. RPO is measured in tens of minutes, and RTO is calculated in terms of tens of minutes or less.
-----------
Multi-Site Active/Active (seconds)
run a full, secondary production system, ready to serve traffic when needed. RPO is measured in seconds or possibly none, and RTO is calculated in seconds.
--------------------------------
--------------------------------
--------------------------------
Services that Can be RESERVED:
EC2
RDS
DynamoDB
ElastiCache
Redshift
OpenSearch
--------------------------------
Consolidated billing cost sharing: instances must be launched in the same AZ
--------------------------------
AWS Activate FOR STARTUPS
tools, resources, content and expert support
to accelerate your startup at every stage
--------------------------------
Total Cost of Ownership Calculator:
TCO Calculator - Allows for side-by-side comparison of on-premises and AWS costs
--------------------------------
Fault Injection Service - fully managed service for experiments to continuously improve an application’s performance, observability, and resiliency
-------------------------
-------------------------
SUPPORT PLANS
-------------------------
- Basic
24x7 access to customer service, documentation, whitepapers, re:Post
one-on-one response to account & billing questions
Trusted Advisor checks and guidance
AWS Health
------------
- Developer
Cloud Support Engineers via EMAIL ONLY
CHEAPEST where UNLIMITED cases can be open
(NO enhanced SUPPORT)
For businesses with production workloads in AWS
------------
- Business
THIRD PARTY software help
Architectural GUIDANCE for your specific use-case
unlimited number of support cases
Access to Health API
most cost effective
24/7 access to Sr. Cloud Support Engineers via email, chat, and phone,
for businesses with production and/or business-critical workloads in AWS
------------
- Enterprise / On Ramp
THIRD PARTY software help
unlimited number of support cases
30 minute response time
contains AWS Concierge (for account issues)
24/7 access to SENIOR Cloud Support Engineers via email, chat, and phone,
Launch Support
Programmatic Case Management
Architectural guidance to specific use-cases
Designated Technical Account Manager (TAM)
------------
Programmatic Support Case Control - for Business, Enterprise On-Ramp, Enterprise Support plans
------------
Concierge is NOT available for:
Basic
Developer
Business Support
------------------------------------
------------------------------------
Control Tower
well-architected automated LANDING ZONE
control your AWS environment with prescriptive guidance
with BLUEPRINTS, GUARDRAILS
------------
Workspaces - global service, remote desktop service
------------
AppStream
managed, secure service to
STREAM DESKTOP applications from AWS to a BROWSER
------------
Elastic IP
assists in FAULT TOLERANCE
------------
Capital Expenditures - long term
------------
Operation Expenditures - short term
------------
AWS likes to say:
Trade CAPITAL expense for VARIABLE expense
------------
Lightsail
launch DEV/TEST low price
contains Managed SQL DB
and Virtual Private Server
------------
AWS Artifact
security and compliance reports
aws agreements