AWS CCP Complete

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

AWS GovCloud Regions

Controlled Unclassified Information andother types of regulated workloads.

Document store

NonSQL database that stores documents as its primary data strucutre, document could be in JSON, JSON like, XML etc. Is a subset of key/value stores, but instead of values it stores the document

Amazon Textract

OCR (extract text from scanned documents) service . When you have paper forms, and you want to digitally extract the data.

Massive Economies of scale: Advantages of Cloud (DEVS GC)

Share the cost with other customers to get unbeatable cost savings

Tier 2 Network

Similar to tier 1, but pays tier 1, and has a similar for tier 3 as that of tier 1 and 2. They are at the regional or country reach. Similar level ISPs allow free traffic passes to each other.

Amazon Rekognition

is image and video recognition service . Analyze images and videos to detect and label objects, people, celebrities.

State Machines (Think back to Markov Chains, Markov Decision Process): Common App Integration Patterns (6)

Abstract model which decides how one state moves to another based on a series of conditions. Think of a state machine like a flow chart.

Security Group

Acts as a firewall at the instance level

Cipher

Algo to encrypt or decrypt with a cipher text as the output

Hybrid Computing (4)

When you're able to run workloads on both your on-premise datacenter and AWS Virtual Private Cloud (VPC) 1) AWS Outposts 2) AWS Wavelength 3) VMWare Cloud 4) AWS Local Zones

Well-Architected Framework

Whitepaper created by AWS to help customers build using best-practices in architectures, evaluating architecture, and scalable designs in a consistent way contains 6 pillars or lens to applied to architecting a cloud workload

Kinesis Firehose

is serverless and a simpler version of Data Streams, You pay on demand based on how much data is consumed through the stream and you don't worry about the underlying servers.

Database: Core IAAS Components (4)

a virtual database for storing and reporting data or databases for general purpose web applications. It is easily accessed, managed, and updated

Storage: Core IAAS Components (4)

a virtual hard drive that can store files

AWS WAF - Web Application Firewall

a web application firewall that helps protect your web applications from common web exploits. Write your own allow or deny traffic rules based on contents of HTTPS requests

AWS Account

account which holds all your AWS resources

Recovery Time Objective (RTO)

is the maximum acceptable delay between the interruption of service and restoration of service. This objective determines what is considered an acceptable time window when service is unavailable How much time are you willing to go down?

Zero Trust Model/Architecture

trust no one, verify everything, instead of just a primary security perimeter that is network centric this model is all about the identity centric way. Identity cententric augments the network-centric way

Direct connect locations

trusted partnered datacenters that you can establish a dedicated high speed, low latency connection from your on premise to AWS.

OLAP (online analytical processing)

method that applies complex queries (such as pivoting, slicing, dicing, drilling, and other data analysis work) to large amounts of historical data aggregated from OLTP databases, data warehouses and other sources Emphasis on response time for complex queries

AWS Migration Acceleration Program (MAP)

migration methodology from moving large enterprise. AWS has Amazon Partners that specialize in providing professional services for MAP.

Sustainability (CROPSS)

minimizing the environmental impacts of running cloud workloads

CloudWatch Alarm

monitors a CloudWatch Metric based on a defined threshold, and can trigger a notification, auto-scaling group, and EC2

Compute Optimized (CPU): EC2 Instance Families (5)

Focused on high performance processor (CPUs) Use case for modeling, gaming servers, ad server engines, putting a machine learning model into production putting a machine learning model into production (machine learning inference) Starting with C

AWS Shield free vs advanced ($3k/year)

Free is for most common DDoS attacks and advance is for larger and more advanced attacks, including cost protection for increased costs due to scaling to meet malicious traffic, and a 24/7 support team for DDoS attacks

Amazon Athena

serverless interactive query service. It can take a bunch of CSV or JSON files in a S3 Bucket and load them into temporary SQL tables so you can run SQL queries. When you want to query CSV or JSON files

IAM policy conditions

-AWS: Sourcelp - restrict on IP address -AWS: Requested region - restrict ip address -AWS: Multifactor authentication present - restrict if MFA is turned off -AWS: CurrentTime -restrict access based on the time of day

Object Storage Cons

-Cannot lock files: -Slower performance than other storage types: -Cannot modify a single portion of a file:

3) S3 Standard IA (Infrequent Access)

-Still Fast! -Cheaper if you access files less than once a month. -Additional retrieval fee is applied. -50% less than Standard (reduced availability)

AWS Relational Database Services (4)

1) Relational database service (RDS) 2) Aurora 3) Aurora Serverless 4) RDS on VMware

Sustainability of AWS Infrastructure

1) Renewable energy 2) Cloud efficiency; 3.6 times more efficient than median enterprise data centers 3)Water stewardship

Stop spending money on running and maintaining data centers: Advantages of Cloud (DEVS GC)

Benefit of focusing on your customers and applications instead of focusing on infrastructure and servers

Dedicated Host vs Dedicated Instance Billing

Billing based on each host server vs per instance billing

AWS Service for Pub/Sub: Simple Notification Service (SNS)

Highly available, durable, secure, fully managed pub/sub messaging service enables you to decouple microservices, distributed systems, and serverless applications.

Storage gateway

Hybrid cloud storage, with local cashing, expand on prem storage capacity to the cloud

AWS 100% Free Services

IAM VPC Organizations and consolidated billing AWS Cost explorer

AWS Market Place

digital catalogue of thousands of software listings from independent software vendors you can use to find, buy, test, and deploy software.

Business Continuity Plan (BCP)

document that outlines how a business will continue operating during an unplanned disruption in services

Service Control Policies

give central control over the allowed permissions for all accounts in your organization, helping to ensure your accounts stay within your organization's guidelines.

AWS Budget

give you the ability to setup alerts if you exceed or are approaching your defined budget, cost, or reservation budget Can be used to forecast but limited vs cost explorer Access either management console or Budgets api

S3 Storage Classes (6) (trade off between retrieval time, accessibility, and durability)

going from expensive to cheap 1) S3 Standard 2) S3 Intelligent Tiering 3) S3 Standard IA (Infrequent Access) 4) S3 One Zone IA 5) S3 Glacier 6) S3 Glacier Deep Archive

AWS OpsWorks

is a configuration management service that also provides managed instances of the open source configuration managed software Chef and Puppet automation platforms that allow you to use code to automate the configurations of your servers. OpsWorks lets you use Chef and Puppet to automate how servers are configured, deployed, and managed across your Amazon EC2 instances or on-premises compute environments.

Amazon CloudSearch

is a fully managed full text search service . When you want add search to your website

AWS Cloud Directory

is a highly available multi tenant directory based store in AWS

Amazon Elasticsearch Service (ES)

is a managed Elasticsearch cluster . Elasticsearch is an open source full text search engine. It is more robust than CloudSearch but requires more server and operational maintenance.

AWS Service: Amazon MQ

is a managed message broker service that uses Apache ActiveMQ

AWS Key Management Service (KSM)

is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data, uses a multitenant HSM Uses envelop encryption, the encryption key is encrypted with a master key

Federated identity

is a method of linking a user's identity across multiple separate identity management systems​ SSO is part of the broader Federated ID model

Amazon Personalize

is a real time recommendations service. Same technology used to make product recommendations to customers shopping on the Amazon platform

AWS Artifact

is a self serve portal for on demand access to AWS compliance reports

Amazon Connect

is a virtual call center service . You can create workflow to route callers. You can record phone calls. Manage a queue of callers.

Anatomy of an IAM Policy JSON Document

-Version policy language version -Statement container -Sid (optional) -Effect -Action -Principal account, user, role, etc. -Resource -Condition (optional)

2) Pilot Light (10 minutes)

Data is replicated to another region with the minimal services running -Less stringent RTO and RPO -Core services -Start and scale resources after event

AWS Container Services

ECS AWS Fargate Elastic Kubernetes services AWS lambda

Disaster Recovery Options

From low cost with high time to high cost and low time to recover 1) Backup and restore (hours) 2) Pilot Light (10 minutes) 3) Warm Standby (minutes) 4) Multi-site active (real time)

Cost Optimization (CROPSS)

Get the lowest price, and avoid unnecessary costs

Reserved Instances RI Attributes

Instance family and type Region Tenancy type OS platform

Directory Service

Maps the names of networks resources to their network address a directory service is a shared information infrastructure for locating, managing, administering, and organizing: volumes, folders, files, printers, users, groups, devices, telephone numbers, other objects, etc Each resource on a network is considered an object by the directory service; information about a particular resource is stored as a collection of attributes associated with that resource or object

Confidentiality, Integrity, and Availability (CIA) Triad

Mental model describing the foundation of security principles, and their trade off relationship

Dedicated: Evolution of computing (4)

- A physical server ​wholly utilized by a single customer​ - You have to guess your capacity,​ and pay for an overpay for an underutilized server ​ - You can't vertical scale, you need a manual migration​ - Replacing a server is very difficult​ - You are limited by your Host Operating System​ - Multiple apps can result in conflicts in resource sharing​ - You have a ​guarantee of security, privacy, and full utility of underlying resources

Virtual Machine: Evolution of computing (4)

- You can run ​multiple Virtual Machines on one machine, but virtualize down to the hardware level - ​Hypervisor​ is the software layer that lets you run the VMs​ - A physical server shared by multiple customers​ - You are to pay for a fraction of the server​ - You'll overpay for an underutilized Virtual Machine ​ - You are limited by your Guest Operating System​ - Multiple apps on a single Virtual Machine can result in conflicts in resource sharing​ - Easy to export or import images for migration​ - Easy to Vertically or Horizontally scale​

Solution Architect (Cloud Architect + Business Considerations)

1) Security 2) Cost

Reliable: Benefits of Cloud (FEC RSS)

Data backup, disaster recovery, data replication, fault tolerance

Regional Edge Caches

Data centers that hold much larger caches of less popular files to reduce a full round trip and also reduce the cost of transfer fees

IAM Policies

can be written explicitly deny access to specific AWS Regions. A Service Control Policy (SCP) are permissions applied organization wide.

AWS Global accelerator

can find the optimal path from the end user to your web servers by sending user traffic to edge locations instead of web app.

3 Types of Cloud Deployment Strategies

- Cloud Deployment (public cloud) - On prem (private cloud) - Hybrid Cloud

IAM Permissions

Authorization controls for API actions are represented in the IAM policy json

AWS Inspector

runs a security benchmark against specific EC2 instances.

Cloud based deployment

- All applications are on the cloud - Migrate existing applications to the cloud - Design and build new applications to the cloud - Can be lower level IaaS instead of PaaS or SaaS

Trusted Advisor Free Checks

1. MFA on Root Account 2. Security Groups Specific Ports of Unrestricted 3. Amazon S3 Bucket Permissions 4. Amazon EBS Public Snapshots 5. Amazon RDS Public Snapshots 6. IAM Use discourage the use of root access 7. Service Limits (All Service limits checks are free)

Docker image

A Docker image is like a snapshot in other types of VM environments. It is a record of a Docker container at a specific point in time, including the application within the container. Docker images are also immutable. While they can't be changed, they can be duplicated, shared or deleted.

Data Lake

A central location that holds large amounts of data in its raw format; no schema defined upfront and accepts structured or unstructured data Uses object storage for unlimited scale; unlike data warehouses, which must have the schema defined beforehand which limits what can be analyzed, Data lakes define the schema at the time of analysis allowing for new insights to be uncovered; data mining it

Technology Portfolio

A collection of workloads required for the business to operate

Interconnections between AWS Global Infrastructure ("Backbone of AWS" so is EC2)

Allows for fast movement of data between data centers. Includes edge locations and VPC endpoints

What is an Application Programming Interface (API)?

An API is software that allows two applications/services to talk to each other.

Event Bus: Common App Integration Patterns (6)

An event bus receives events from a source and routes events to a target based on rules. An event bus is

Identity Centric way

Bring your own device, remote work stations are more common and we can't trust people are in secure locations Identity based security; ex. MFA, or risk based authentication

Quicksights

Business Intelligence (BI) service . Connect multiple data sources and quickly visualize data in the form of graphs with low code

AWS Logging Services (3)

Cloud Trail Cloud Watch AWS XRay

Stop Guessing capacity needs (GGAPED)

Cloud computing you use as little or much based on demand, and scale up or down automatically

App integration in the cloud

Cloud encourages systems and services to be loosely coupled and so AWS has many services for the specific purpose of app integration

Increase speed and agility: Advantages of Cloud (DEVS GC)

Cloud makes it easier to develop and deploy applications, allowing your teams more time to experiment and innovate

Cloudtrail vs Cloudwatch

CloudWatch focuses on the activity of AWS services and resources, reporting on their health and performance. On the other hand, CloudTrail is a log of all actions that have taken place inside your AWS environment.

AWS Parallel Cluster

Cluster management tool that makes it easy for you to deploy and manage High Performance Computing (HPC) clusters on AWS.

Component

Code, Configuration and AWS Resource against a requirement. A component is often the unit of technical ownership and is decoupled from other components.

Quick sight ML insights

Detect Anomalies, Perform accurate forecasting, Generate Natural Language Narratives.

Amazon GuardDuty

Detects suspicious or malicious activity based on Cloudtrail and other logs

Route Tables

Determine where network traffic from your subnets or gateway are directed

AWS Deep Learning Containers

Docker images instances pre install with popular deep learning frameworks and interfaces such as TensorFlow, PyTorch , and Apache MXNet

Fault Tolerance

Each availability zone is an independent failure zone/fault domain

AWS Control Tower (3)

Enterprises quickly set-up a secure, AWS multi-account Provides you with a baseline environment to get started with a multi-account architecture 1) Landing Zones: 2) Account Factory: 3)Guard Rails:

Event Bridge Components

Event Bus: Holds event data, defines rules on an event bus to react to events. Producers: AWS Services that emit events Partner Sources: third party apps that can interact with the event bus Rules: Determines what events to capture and pass to targets. (100 Rules per bus) Targets: AWS services that consume events Events: data emitted by services, Json objects that travel/stream within the event bus

Scalable and high performance: Benefits of Cloud (FEC RSS)

Increase or decrease horizontally or vertically on demand using autoscaling, elastic load balancing, etc.

Aws Cloud Development Kit (CDK)

Infrastructure as Code (IaC) tool. Allows you to use your favourite programming language. Generates out CloudFormation templates as the means for IaC.

Shared Hosting

One physical Machine, Shared by hundred of businesses relies on most tenants under-utilizing their resources. Cheap, limited functionality, and poor isolation

3) Storage type (EBS, EFS, etc.): EC2 customization (4)

SSD, HDD, Virtual Magnetric tape, multiple volumes

Federated Identity Management (FIM) vs Single Sign On (SSO)

SSO is designed to authenticate a single credential across various systems within one organization Federated identity management systems offer single access to a number of applications across various enterprises

Amazon Service for API Gateway: Amazon API Gateway

Solution for creating secure APIs in your cloud environment at any scale. Once events or messages go to the gateway, you define the API calls and where the events should go to in the backend services Create APIs that act as a front door for applications to access data, business logic, or functionality from back-end services.

AWS Abuse

Spam, Port Scanning, DOS, Intrusion, Hosting prohibited content, and distributing malware

Step Functions Service

Stitch together lambdas and EC tasks

Architecture Well Architected Perspective

The framework is designed around distributed and flexible roles vs centralized teams Enterprises generally have centralized teams with specific roles where AWS has distributed teams with flexible roles. Distributed teams can come with new risks, AWS mitigates these with Practices, Mechanisms and Leadership Principles

Data Residency

The physical or geographic location of where an organization or cloud resources reside.

Cloud Computing

The practice of using a network of remote servers hosted on the internet to store, manage, and process data and applications

Primary security perimeter

The primary or new security perimeter defines the first line of defense and its security controls that protect a company's cloud resources and assets

Amazon Detective

Used to analyze, investigate, and quickly identify security issues; including findings from guard duty

Secure Shell (SSH)

network communication protocol that enables two computers to communicate

Amazon Translate

neural machine learning translation service . Uses deep learning models to deliver more accurate and natural sounding translations.

AWS DeepLens

video camera that uses deep learning

The 5 categories of AWS Trusted Advisor

• Cost Optimization: How can we save money? • Performance: How can improve performance? • Security: How we can improve security? • Fault Tolerance: How can we prevent a disaster or data loss? • Service Limits: Are we are going to hit the maximum limit for a service?

Docker

A paaS that uses OS level virtualization to deliver software in containers

AWS Core VM services (5)

1) EC2 Web-scale launch VMS 2) EC2 Spot Up to 90% off fault-tolerant from extra EC2 capacity 3) EC2 Autoscaling To meet changing demand, automatically add or remove compute capacity. 4) Lightsail create & operate a managed virtual private server; friendlier EC2 5) Batch Allows creating and run hundreds of thousands of batch processing jobs

Multiple AZ

Allows for high availability by partitioning to prevent issues such as power outages, lightning strikes, etc.

AWS 5 Support Plan (BDBE)

Basic Developer Business Enterprise

Docker CLI

CLI commands to download, upload, build run and debug containers

SaaS

Completed projects managed by a service provider. Easy to use and comes complete with a user interface. Least flexibility

Hardware Accelerators

Decoupled from the processor, and specialize in certain tasks; ex. GPU, cryptography chips, AI accelerator chips, etc...

AWS Provisioning and deployment services

Elastic Beanstalk (EB) App Runner AWS Copilot Command line interface

AWS Container Supporting Services

Elastic Container Registry (ECR) X-Ray Step functions

IDS/IPS

Intrusion Detection System and Intrusion Protection System. A device or software application that monitors a network or systems for malicious activity or policy violations.

Dedicated server

One physical machine dedicated to a single business Runs a single web-app/site, but is very expensive, high maintenance, high security

Virtual private server (VPS)

One physical machine dedicated to a single business and virtualized into sub machines to run multiple web applications, etc. Better isolation and utilization than dedicated servers.

Pub/Sub: Common App Integration Patterns (6)

Publish-Subscribe pattern, commonly found in messaging systems The sender (publisher) don't message directly to receivers (consumer) 1) Publishers messages are sent to an event bus. 2) Event buses will categorize their message into groups. 3) The receivers of the messages (subscribers) subscribe to these groups 4) When a new message appears within their subscription, the messages are immediately delivered to them

Pull service

Pull means the consumer is continuously querying the queue for new messages.

Push service

Push means that a consumer is notified when a message is available (this is also called Pub/Sub messaging)

Stop guessing capacity: Advantages of Cloud (DEVS GC)

Scale up or down to meet the current need, and don't waste resources

Cloudwatch Alarms

Triggers notifications based on metrics

AWS Local Zones

edge data centers outside of a region to allow for AWS closer to the end destination. Used for faster computing, storage, databases, in populated areas outside of an AWS region

Using asynchronous communication to mimic the synchronous experience

for example a status spinner, using asynchronous communication with a polling or push notification strategy.

Consolidated Billing

is a feature of AWS Organizations that allows you to pay for multiple AWS accounts with one bill

Elastic Compute Cloud (EC2)

launch VM instances with full customization from physical level and above

Hybrid cloud

- Connect cloud resources to on prem infrastructure -Integrate cloud base resources with legacy IT apps

Non SQL DB AWS Services (3)

1) Dynamo DB 2) Document DB 3) Amazon Keyspace

Snowmobile

100PB of storage

API Gateway: Common App Integration Patterns (6)

API Gateway is a program that sits between a single-entry point and multiple backends. API Gateway allows for throttling, logging, routing logic, or formatting of the request and response

Edge locations as on ramps

AWS Global Accelerator, S3 Transfer Acceleration - uses edge locations was onramps to reach AWS resources in other regions by traversing the fast AWS global network

AWS for government

AWS achieves this by meeting regulatory compliance programs along with specific governance and security controls

Zero Trust on AWS

AWS does not have ready to use identity controls that enable zero trust, but can be done with third parties or use a combination of services to do so

How to do Zero Trust Architecture on AWS using third parties

AWS using Single Sign On (SSO) using identity systems from Azure Active Directory, Google Beyond Corp, Jumpcloud, etc. and using their intelligent authentication and authorization tools and SSO to apply to your AWS resources

1) Scalability: Considerations for Cloud Architects (5) (SAFED)

Ability to increase your capacity based on the increasing demand of traffic, memory and computing power -Verticals scaling - larger severs -Horizontal Scaling - more similar size servers

Network Access Control List (NACLs)

Acts as a firewall at the subnet level

Dedicated Host vs Dedicated Instance Isolation Targeted instance placement

Additional control over what host your instance/VPC is running on

Flexible Benefits of Cloud (FEC RSS)

Allows the customization of OS, programming language, web app platform, database, etc.

Internet Gateway (IGW)

Allows you to grant internet access to resources inside of your VPC. But you also need a route table which routes the traffic from the VPC network out to the internet gateway

Edge locations as off ramps

Amazon CloudFront (CDN) uses edge locations as off ramp to provide at the edge storage and compute near the end user

AWS Deep Learning AMIs

Amazon EC2 instances pre installed with popular deep learning frameworks and interfaces such as TensorFlow, PyTorch , Apache MXNet , Chainer, Gluon, Horovod , and Keras

AWS Streaming Service: Amazon Kinesis

Amazon Kinesis is the AWS fully managed solution for collecting, processing, and analyzing streaming data in the cloud in REAL TIME

X-Ray Service

Analyze and debug between microservices

Quicksight Q

Ask question using natural language, on all your data, and receive answers in seconds.

Asynchronous considerations

Asynchronous messaging adds latency to end-to-end processing time due to the addition of middleware. Producers and consumers take a dependency on the middleware stack, which must also scale to meet demand and be resilient to failure. Care must be taken to appropriately configure producers, consumers, and middleware to handle errors so that messages are not lost, more monitoring is required to ensure proper operations, and multiple logs must be correlated to troubleshoot and diagnose problems.

AWS Well Architected Tool

Auditing tool to assess cloud workloads for alignment with AWS well architected framework based on questions

EC2 Autoscaling Group (ASG)

Automatically adds or remove EC2 servers to meet the current demand of traffic. Will save you money and meet capacity since you only run the amount of servers you need.​

Automate to make architecture experimentation easier (GGAPED)

Automation allows you to create and replicate your workloads at low cost and avoid the expense of manual effort. ex. CloudFormation using change sets, stack update, and drift detection. You can track changes to your automation, audit the impact, and revert to previous parameters when necessary.

AWS Free but provisioning costs $$$

Autoscaling Cloudformation Elastic Beanstalk Opsworks Amplify Appsync Codestar

Cloudwatch Dashboard

Create visualizations based on metrics

Baremetal

EC2 instance with no hypervisor running workloads directly; max performance and control and uses Bottlerocket Bare metal instances allow EC2 customers to run applications that benefit from deep performance analysis tools, specialized workloads that require direct access to bare metal infrastructure, legacy workloads not supported in virtual environments, and licensing-restricted Tier 1 business critical applications.

Risk-based adaptive policies

Each attempt to access a resource generates a risk score of how likely the request is to be from a compromised source. The risk score could be based on many factors e.g. device, user location, IP address what service is being accessed, and when. AWS at the time of this recording does not have Risk-based adaptative policies built into IAM

Basic Plan

Email Support only for Billing and Account Free 7 Trusted Advisor Checks

Secure: Benefits of Cloud (FEC RSS)

End to end approach to security to secure physical, operational, and sotware

VPC endpoints

Ensuring that your resources stay within the AWS network and don't traverse over the public internet

2) Instance type: EC2 customization (4)

Ex. t2 Nano

Drive architecture using data (GGAPED)

In the cloud, you can collect data on how your architectural choices affect the behavior of your workload. This lets you make fact-based decisions on how to improve your workload. Your cloud infrastructure is code, so you can use that data to inform your architecture choices and improvements over time.

AWS has special regions for US regulation called GovCloud

Isolated region to run fedramp workloads

Serverless Databases Ex, AWS Aurora Serverless

It automatically starts up, shuts down, and scales capacity up or down based on your application's needs. You can run your database on without managing database capacity.

AWS Serverless (1)

Lambda upload small pieces of code, choose much memory and how long function is allowed to run before timing out. You a charged based on the runtime of the serverless function rounded to the nearest 100ms.​

Bottlerock

Linux based OS specifically for AWS containers on VMs or baremetal hosts

2) S3 Intelligent Tiering

ML to analyze object usage and determine the appropriate storage class. Data is moved to the most cost-effective access tier, without any performance impact or added overhead.

Cross Cloud

Multiple clouds utilized together, to use the best cloud for the workload EX. AWS EC Anywhere (customers to deploy native Amazon ECS tasks in any environment), AWS EKS anywhere, Google Anthos, Azure Arc, etc.

Streaming: Common App Integration Patterns (6)

Multiple consumers can react to events (messages)' Events live in the stream for a long time, so complex operations can be applied real time

Cloud Hosting

Multiple physical systems that act as one system, and abstracted into multiple cloud services Flexible, scalable, secure, cost effective, high configurability

Kubernetes (K8)

Open-source container or Ochestration system for automating deployment, scaling, and management of containers across multiple The advantage of Kubernetes over Docker is the ability to run containers distributed across multiple VMs A unique component of Kubernetes are Pods. A pod is a group of one more containers with shared storage, network resources, and other shared settings.

Just-Enough-Access (JEA)

Permitting only the exact actions for the identity to perform a task

1) OS Customization: EC2 customization (4)

Red hat, unbuntu, windows linux, OSX, suse

AWS Direct Benefits (2)

Reduce network costs and increase bandwidth throughput -More consistent network experience than a typical internet based connect

Route 53

Register or manage domains you've registered with other providers -Allowing AWs to manage the domain, you can reroute traffic using routing policies (ex. based on ip address to go to subdomain in that language), applying health checks to alert you of the webapp, etc. Route 53 can route to various AWS services via Alias record (they can detect ID changes and continually keep that end point pointed to the correct resource)

Database types

Relational Databases: structured data that represents tabular data; row, table, columns Non relational databases: unstructured or semi structured that may or may not distantly resemble tabular data

Elastic Container Registry (ECR) Service

Repos for your Docker Images

Cloudwatch Metrics

Represents a time ordered set of data points. A variable to monitor ex. EC2 per instance metrics: CPU Utilization, DiskReadOps, DiskWriteOps, DiskReadBytes. DiskWriteBytes. NetworkIn. NetworkOut. NetworkPacketsIn, NetworkPacketsOut

RDS Muilti AZ

Run duplicate standby db in another AZ in case the primary fails

Dynamo DB: Non SQL DB AWS Services (3)

Serverless NoSQL key/value and document database -Designed to scale to billions of records with guaranteed consistent data return in at least a second -AWS's flagship database service; scales, is cost effective and very fast -Amazon.com moved from oracle to DynamoDB with 75PB of data; and reduced costs by 60% and latency by 40%

Serverless

Serverless architecture generally describes fully managed cloud services. Can scale to zero -DynamoDB -S3 -ECS Fargate -Lambda -Step functions -Aurora Serverless

Well-Architected 6 General Design Principles (GGAPED)

Stop Guessing capacity needs Improve through game days Automate to make architecture experimentation easier Test systems at production scale Allow for evolutionary architectures Drive architecture using data

Improve through game days (GGAPED)

Test how your architecture and processes perform by regularly scheduling game days to simulate events in production. ex simulate traffic on production or purposely kill EC2 instances to see test recovery This will help you understand where improvements can be made and can help develop organizational experience in dealing with events.

AWS Partner Network

The AWS Partner Network (APN) is a global partner program for AWS. 1) Consulting Partner you help companies utilize AWS 2) Technology Partner you build technology ontop of AWS as a service offering

Billing and Cost Management Dashboard

The Billing and Cost Management Dashboard is quick overview of your current AWS costs, and including a cost cast

Bring your own licesne (BYOL)

The process of reusing an existing software license to run vendor software on a cloud vendor's computing service. BYOL allows companies to save money since they may have purchased the license in bulk or at a time that provided a greater discount than if purchased again.

Regional and Zonal RI

To purchase an RI you need to determine the scope, which doesn't impact price 1) Regional RI: does not reserve capacity (you may not have the instance), discount for usage in AZ of the region, discount applies to instance types of a specific family, and you can queue purchases 2) Zonal RI: reserves the capacity in the specific AZ, discount is only for that AZ, no instance size flexibility and discount only applies to what you picked, you can't queue purchases for RI

Skopeo

Tool for moving container images between different types of container storages

Buildah

Tool used to build OCI images

FIPS 140-3 (Federal Information Processing Standard Publication)

U.S. government (NIST) computer security standard used to approve cryptographic modules

FIPS 140-3

US and Canadian government standards that specifies the security requirements for cryptographic modules that protect sensitive information, including hardware and software

FEDRAMP: Federal Risk and Authorization Management Program

US government wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

Accelerated Optimized (Hardware accelerators and co processers): EC2 Instance Families (5)

Uses hardware accelerators or co-processers Start with P,G, F, INF, VT Use case for ML, computational finance, NLP, seismic analysis, etc.

Multifactor authentication

Using multiple categories of factors across something you know, something you have, and something you are. Ideally you use different categories of authentication and across multiple sources as to not have mutliple compromised at once

Dedicated Host vs Dedicated Instance Isolation Visibility of physical characteristics

Visiability of sockets, CPU or GPU cores, host ID, etc which is required for bring your own license models vs non

AWS Architected centre

Web portal for best practices and reference architectures

Amazon Kinesis Data Analytics

allows you to run queries against data that is flowing through your real time stream so you can create reports and analysis on emerging data.

PCI DSS (Payment Card Industry Data Security Standard)

When you want to sell things online and you need to handle credit card information.

AWS Cloud Adoption Framework (POPS BG)

Whitepaper to help support on prem to AWS migration People: how to update the staff skills and organizational processes to optimize and maintain their workforce, and ensure competencies are in place at the appropriate time. Operations: how to update the staff skills and organizational processes that are necessary to ensure system health and reliability during the move of operations to the cloud and then to operate using agile, ongoing, cloud computing best practices. Platform: how to update the staff skills and organizational processes that are necessary to deliver and optimize cloud solutions and services. Business: How to update the staff skills and organizational processes to optimize business value as they move ops to the cloud Governance: how to update the staff skills and organizational processes that are necessary to ensure business governance in the cloud, and manage and measure cloud investments to evaluate their business outcomes.

Dedicated Host vs Dedicated Instance Isolation Add capacity using allocation requests

Yes, vs no

1) Backup and restore (hours)

You backup your data and restore it to new infrastructure -For low priority use case -Restore data after event -Deploy resources after event

Billing Alerts/Alarms

You can create your own Alarms in CloudWatch Alarms to monitor spending. They are commonly called "Billing Alarms" 1) Turn on billing alerts 2) Make cloudwatch alarm and pick billing metric Much more flexible than AWS budgets and are better for more complex use cases

Cross Account Rules (Same as Azure Active Directory B2B Collaboration)

You can grant users from different AWS account access to resources in your account through a Cross-Account Role. This allows you to avoid creating a user account within your system.

Saving Plans up to 72% off (Option contract; discounts for up to maximum post discount value/hour)

You enter into a contract 1 or 3 year, and either no upfront, partial, or fully upfront will allow you to get a certain price with a specific usage commitment for up to a certain amount of $$$/hour used

Resource group

are a collection of resources that share one or more tags. Can display metrics, alarms, config settings, etc.

Local Zones

are datacenters located very close to a densely populated area to provide single digit millisecond low latency performance ( eg. 7ms) for that area. The purpose of Local Zone is the support highly demanding applications sensitive to latencies

AWS Copilot (CLI)

command line interface (CLI) that enables customers to quickly launch and easily manage containerized applications on AWS.

Databases

data store for not structured, semi-structured and structured data -Requires more complex data stores and requires formal modeling/modeling techniques -Rich in quering data, modeling strategies to optimize retrieval, more fine tune control over the transformed data into useful reports or strucutres

AWS License Manager

easier to manage your software licenses from software vendors such as Microsoft. Service that makes it easier for you to manage your software licenses from software vendors centrally across AWS and your on premises environments.

16 Amazon Leadership Principles

establishes a culture across all roles that works back from the customer. Working backward is a fundamental part of our innovation process. We start with the customer and what they want, and let that define and guide our efforts. Customer-obsessed teams build products in response to a customer need.

App integration

process of letting two independent apps to communicate and work with each other, commonly facilitated by an intermediate system

OAuth2.0​

industry-standard protocol for authorization OAuth doesn't share password data but instead uses authorization tokens to prove an identity between consumers and service providers.​ Oauth is about granting access to functionality​

Availability: CIA Triad

information needs to be made be available when needed ex. high availability, mitigating DDoS, decryption access

Single Sign On (SSO))

is an authentication scheme that allows a user to log in with a single ID and password to different systems and software.​ SSO allows IT departments to administrator a single identity that can access many machines and cloud services.​ Login for SSO is seamless, where once a user is logged​ into their primary directory, as soon as they utilize this software, they are presented with a login screen​

ConsoleMe

is an open-source Netflix project to self-serve short-lived IAM policies so an end-user can access AWS resources while enforcing JEA and JIT

VMWare Cloud

manage on-premise VM using VMWare as EC2 instances.​ The data-center must being using VMWare for Virtualization. AWS is VMware's preferred public cloud partner for VMware workloads. VMware Cloud on AWS provides you consistent and interoperable infrastructure and services between VMware-based datacenters and the AWS cloud, which minimizes the complexity and associated risks of managing diverse environments. VMware Cloud on AWS offers native access to AWS services and innovation that extends the value of enterprise applications over their lifecycle.

Redshift: AWS Other Database Services (6)

petabyte size data warehouse for OLAP; structure and semi structured Focuses on speed for complex queries x3 performance compared to other cloud data warehouses

Compliance as code

programming to automate the monitoring, enforcing and remediating changes to stay compliant with a compliance programs or expected configuration.

Security (CROPSS)

protecting and mitigating risks for information and systems.

Operational Excellence (CROPSS)

running and monitoring systems, and continually improving processes and procedures

AWS Account - User

user for common tasks that are assigned permissions

Root user differences

- Account can not be deleted - Root User account has full permissions to the account and its permissions *cannot be limited -You cannot use IAM policies to explicitly deny the root user access to resources. - You can only use an AWS Organizations service control policy (SCP) to limit the permissions of the root user -One Root user per AWS account -An AWS Root Account should not be used for daily or common tasks is instead for very specific and specialized tasks that are infrequently or rarely performed

Block Storage Pros

- Fast: When all blocks are stored locally or close together, block storage has a high performance with low latency for data retrieval, making it a common choice for business-critical data. -Reliable: Because blocks are stored in self-contained units, block storage has a low fail rate. Easy to modify: Changing a block does not require creating a new block; instead, a new version is created.

Elastic File Storage (EFS) - File

- File is stored with data and metadata -Multiple connections via a network share -Supports multiple reads, writing locks the file Use case: when you need a file share where multiple user or VM need to access the same drive

5) S3 Glacier

- Long term cold storage -Retrieval can take minutes to hours -Very cheap storage

Simple Storage Service (S3) - Object

- Object is stored with data, metadata, unique ID - Scales with limited no file limit storage limit - Supports multiple reads and writes (no locks) Use case: when you just want to upload files, and not have to worry about underlying infrastructure, and not intended for high IOPs

Service Control Policies (SCPs)

- SCPs are JSON policies that specify the maximum permissions for an organization or organizational unit (OU)

When to use Reserved Instance vs Savings Plan

- Savings plan for systems prone to usage changes -Reservations for systems where at least 75% of the booking is used consistently

File Storage Cons

-Challenging to manage and retrieve large numbers of files: -Hard to work with large amounts unstructured data: -Becomes expensive at large scales:

Root User Specific Authorizations

-Change account settings -Restore IAM user permission -Active IAM access to billing and cost management console -View certain tax invoices -Close your AWS account -Change or cancel AWS support plan -Register as a seller in the RI market place -Enable MFA on the S3 bucket -Edit or delete an Amazon S3 bucket policy that includes invalid VPC or VPC end point ID

File Storage Use cases

-Collaboration of documents: Backup and recovery: Cloud backup and external backup devices typically use file storage for creating copies of the latest versions of files. Archiving: Because of the ability to set permissions at a file level for sensitive data and the simplicity of management, many organizations use file storage for archiving documents for compliance or historical reasons.

EC2 Instance Families (5)

-Combo of CPU, Storage, Memory, and networking capacity to meet your requirements General Compute Optimized Memory Optimized Accelerated Optimized Storage Optimized

Elastic Block Store (EBS) - Block Storage

-Data is split into evenly split blocks -Directly accessed by the Operation System -Supports only a single write volume (drive partition) -Persistent storage Use case: when you need a virtual hard drive attached to a VM

Block storage

-Data storage in blocks of a specific size aka block size, which is reassembled when needed -Most file systems are based on a block device, However, many organizations are transitioning away from block because of the limited scale and lack of metadata.

Block Storage Use cases

-Databases: block storage has a high performance and is easily updatable, many organizations use it for transactional databases. Email servers: High performance and reliability make block storage a common solution for storing emails. Virtual machine file system (VMFS) volumes: With block storage, you can easily create and format a block-based storage volume to store the VMFS. A physical server can then attach to that block, creating multiple virtual machines. What's more, creating a block-based volume, installing an operating system and attaching to that volume enables users to share files using that native operating system.

5) Dedicated - most expensive

-Dedicated servers -When you need a guarantee of isolated hardware

Well known directory services

-Domain name service (DNS) - the directory service for the internet -Microsoft active directory -Apache directory server -Oracle internet directory (OID) -OpenLDAP -Cloudidentity -Jumpcloud

File Storage Pros

-Easy to access on a small scale: -Familiar to most users: -Users can manage their own files: -Allows access rights/file sharing/file locking to be set at user level:

List of AWS Provisioning Services

-Elastic Beanstalk -Cloud Formation -Ops works -Quickstarts -AWS Market Place -Amplify

Object Storage Pros

-Handles large amounts of unstructured data -Affordable consumption model; pay for object storage needed -Unlimited scalability -Uses metadata -Advanced search capabilities with metadata

File storage

-Hierarchical structure where files are organized by the user in folders and subfolders, which makes it easier to find and manage files. To access a file, the user selects or enters the path for the file, which includes the sub-directories and file name.

Tier 1 network

-ISPs are at the top of the hierarchy and they have a global reach they do not pay for any internet traffic through their network -Lower-tier ISPs have to pay a cost for passing their traffic from one geolocation to another which is not under the reach of that ISPs.

Object Storage Use cases

-IoT data management: quickly scale and easily retrieve data makes object storage a good choice Email: store large volumes of emails for historical and compliance purposes often turn to object storage Backup/recovery: object storage for their backup and recovery storage Video surveillance: Object storage provides an affordable option, many video recordings and keep the footage for several years.

Block Storage Cons

-Lack of metadata: Block storage does not contain metadata, making it less usable for unstructured data storage. -Not searchable: Large volumes of block data quickly become unmanageable because of limited search capabilities. -High cost: Purchasing additional block storage is expensive and often cost-prohibitive at a high scale.

1)On demand -least commitment

-Low cost and flexible -Pay per hour -Short term, spiky, and unpredictable workloads -Good for new app development or run an experiment -No upfront costs or long term contract

6) S3 Glacier Deep Archive

-Lowest cost storage -12 hours to retrieve data

Recovery Point Objective (RPO)

-Maximum acceptable amount of time since the last data recovery point. -Determines what is considered an acceptable loss of data between the last recovery point and the interruption of service How much data are you willing to lose?

AWS Lambda

-Only think about code -Short runnng tasks ( continuously run for 15 minutes or less -Can deploy custom containers

Elastic Kubernetes Service (EKS)

-Open source -Avoid vendor lock in

Elastic Beanstalk (EB)

-PaaS -Provisions AWS services, such as EC2, ECS, AWS Auto Scaling, Elastic Load Balancing -Still have control of underlying AWS services

AWS Cloud Front (CDN)

-Point your website to Cloudfront so it can route requests to the nearest edge location cache -Allows to choose an origin (web server or storage) that will be source of cashed -Cashes the contents of what origin would return to various edge locations around the world

2) Spot - cheapest 90% off

-Request spare computing capacity -Flexible start and end times -Can handle interruptions of server -For non-critical background jobs, as the spot instance can be terminated if needed by another customer -Options for load balancing work loads, flexible work loads (CI/CD jobs, or running batch jobs), or big data workloads Batch jobs are an easy and convenient way to use spot pricing

AWS Fargate

-Serverless containers -More robust than lambda -Can scale to zero cost; will charge nothing when not in use -AWS managed EC2, but has cold starts

3) Reserved - best long term 75% off

-Steady and predictable usage -Minimum of using all resources for at least 75% of the time -Can result to unused instances -1 to 3 year contracts; longer contract higher saving

4) S3 One Zone IA

-Still Fast! -Objects only exist in one AZ. -Availability (is 99.5%). but cheaper than Standard IA by 20% less (Reduce durability) -Data could get destroyed. -A retrieval fee is applied.

Object Based storage

-Store their data in its native format -Objects identified by the hashed output of the object or some unique identifier -Mostly, objects are kept in a single, large, flat namespace without any hierarchy or tree structure -These flat namespaces enable the massive scalability inherent in object storage systems -metadata is stored in metadata servers and file data is stored in object storage servers. -File system client software interacts with the distinct servers, and abstracts them to present a full file system to users and applications.

4) Savings plan - second best long term with additional flexibility 72% off

-Type of workload is prone to changing

AWS S3 - object based storage

-Unlimited storage - Serverless storage service - No need to deal with infrastructure S3 object contains data, and S3 Bucket holds many S3 objects From 0Bytes to 5 TB

Windows on AWS

-Windows on EC2 - Microsoft SQL Server on RDS - AWS Directrory Service using Active Directory - AWS License Manager - Amazon FSx for window file servers -AWS Software development Kit; supports multiple languages including.Net (SDK; not to be mixed up with CDK; cloud development kit for IaC) -Amazon Workspace; can run windows - Aws Lambdas; supports poweshell -AWS Migration Acceleration Program (MAP)

Data Lakehouse

-combines elements of the data warehouse with those of the data lake -Data lakehouses implement data warehouses' data structures and management features for data lakes, which are typically more cost-effective for data storage

AWS Ground Station

-fully managed service to control satellite communications, process data, and scale your operations •weather forecasting •surface imaging •communications •video broadcasts

Content Delivery Network (CDN)

-group of geographically distributed servers that speed up the delivery of web content -provide high availability and performance by distributing the service spatially relative to end users -CDNs cache content like web pages, images, and video in proxy servers near to your physical location.

AWS Config

-is a Policy as Code service. -You can create rules to continuous check AWS resources configuration -If they deviate from your expectations, you are alerted, or auto remediate.

Permission Boundaries

-permissions boundaries for IAM entities (users or roles) -an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity

AWS services uses PoP for content delivery and expediated upload (3)

1) AWS Cloud Front 2) AWS S3 Transfer Acceleration 3) AWS Global accelerator

Reliability Pillar Design 5 Principles (CROPSS)

1) Automate recovery from failure: monitor KPIs to trigger automation when the threshold is breached 2) Test recovery procedures: test how workloads fail, validate recovery procedures, automate to simulate failures or recreate past failures 3) Scale horizontally to increase aggregate system availability: replace large resources with multiple small resources to reduce the impact of a single failure on the overall workload. Distribute requests to ensure there is no common point of failure 4) Stop guessing capacity: on prem takes a lot of guessing, but not on cloud, we can right size 5) Manage change in automation: make changes via IaC to allow for a formal process to track and review infrastructure

Core IAAS Components (4)

1) Compute: 2) Networking: 3) Storage: 4) Databases:

7 Layers of Security (From inside outwards; defense needs to be had at every layer)

1) Data: access to customer or business data and encryption of data 2) Applications: secure and free of vulnerabilities 3) Compute: access to VMs 4) Network: Limit communication between resources using segmentation and access control 5) Perimeter: DDoS protection against large-scale attacks 6) Identity and access: controlling access to infrastructure and change control 7) Physical: limiting data centre access to authorized personnel

Evolution of computing (4)

1) Dedicated 2) Virtual Machine 3) Containers 4) Functions

Evolution of Cloud Hosting (4)

1) Dedicated server 2) Virtual private server (VPS) 3) Shared Hosting 4) Cloud Hosting

Types of Event Buses in Event Bridge Service (3)

1) Default Event Bus — An AWS account has a default event bus 2) Custom Event Bus — Scoped to multiple accounts or other AWS accounts 3) SaaS Event Bus — Scoped to with Third-party SaaS Providers

Performance Efficiency Pillar 5 Design Principles (CROPSS)

1) Democratize advanced technologies: focus on product development rather than procurement, provisioning and management of services. Take advantage of advanced technology specialized and optimized for your use case with on-demand cloud services 2) Go global in minutes: deploy workload across many regions for better latency and experience at minimal cost 3) Use serverless architecture: remove the need to run and maintain physical servers for traditional compute activities. Removes operational burden of managing physical servers and can lower transactional costs due to operating managed services at cloud scale 4) Experiment more often: virtual and automatable resources allow you to quickly comparative testing using different types of instances, storage, and configs 5) Consider mechanical sympathy: understand how cloud services are used, and always use the technology approach that best aligns with the workload goals ex. matching optimal pattern to workload

Anatomy of a pillar 4 Parts

1) Design Principles: design principles to be considered during implementation 2) Definitions: overview of best practice categories 3) Best Practices: detailed info about best practices with AWS services 4) Resources: documentation, whitepapers, etc to support implementation

Enterprise/Hybrid Networking Services

1) Direct Connect 2) Virtual Private Network 3) PrivateLinks (Virtual Private Cloud Interface Endpoint)

3 Types of Saving Plans

1) EC2 Instance Savings Plan (72% off); region and instance family locked 2) Compute Savings Plan (66% off); less savings since it applies to EC2, Lambda, and Fargate; for any region or instance family 2) Sagemaker savings plan (64% off);

Cost management/saving money methods (4)

1) EC2 spot instances, reserved instance, and savings plan 2) AWS batch 3) AWS compute optimizer 4) EC2 Autoscaling Groups (ASG)

Types of Storage Services (3)

1) Elastic Block Store (EBS) - Blocks 2) AWS Elastic File Storage (EFS) - File 3) Amazon Simple Storage Service (S3) - Object

AWS Core Container services (5)

1) Elastic Container Service (ECS) container orchestration service that support Docker containers. Launches a cluster of EC2 instances with Docker installed. 2) Elastic Container Registry (ECR) store, manage, and deploy container images 3) Elastic Kubernetes Service (EKS) fully managed Kubernetes service. Generally the standard for managing microservices. 4) Fargate serverless orchestration container service. It is the same as ECS expect you pay-on-demand per running container (With ECS you have to keep a EC2 server running even if you have no containers running)

AWS Capacity Management Methods (2)

1) Elastic Load Balancer 2) Elastic Beanstalk

Savings Plan Formula

1) For Usage Below Post Discounted Cost per hour of contract; ex. $50/hour contract, $40/hour on demand usage -> apply discount to everything 2) For Usage Above Post Discounted Cost per hour of contract; ex. $50/hour contract, with $80/hour on demand usage, first $50/hour post discount value usage is at discount rate and the remaining is at on demand pricing

AWS identity and access management (IAM) tools (4)

1) IAM Policies 2) Permission boundaries 3) Service control policies (organization wide) 4) IAM policy conditions

Cost Optimization Pillar 5 Design Principles (CROPSS)

1) Implement Cloud Financial Management: dedicate time and resources to build cloud financial management and cost optimization tools 2) Adopt a consumption Model: pay only for resources that are required to meet business requirements, and increase or decrease accordingly 3) Measure overall efficiency: measure business output of workload and costs associated to delivery. Use the metric to measure the gains from increasing output and reducing costs 4) Stop spending money on undifferentiated heavy lifting: aws does data center ops, removes burden of managing os, and apps with managed services, and allows for focus on customers and business projects than IT infra 5) Analyze and attribute expenditure: cloud makes it easier to identify usage and cost of systems and attribute them to individual workload owners. This allows for measurement of ROI and gives workload owners an opportunity to optimize their resources to reduce costs

Security Pillar Design Principles (7) (CROPSS)

1) Implement a strong identity foundation; principle of least privilege (PoLP), centralized identity, and avoid long-lived credentials 2) Traceability: monitor alerts, audit actions, and changes to environments in real time. Integrate log and metric collection, and automate investigation and remediation 3) Security at all layers: 4) Automate security best practices: 5) Protect data in transit and at rest: 6) Keep people away from data: 7) Prepare for security events: Incident management systems and investigation policy and processes. Tools to detect, investigate and recover from incidences

AWS Nitro hardware components (5)

1) Nitro cards; specialized for VPC, EBS, instance storage, and controller cards 2) Nitro security chips; Integrated into motherboard. Protects hardware resources.​ 3) Nitro hypervisor; lightweight hypervisor that manages memory, CPU allocation and delivers bare metal level performance 4) Nitro Enclaves; isolated compute environments to further protect and securely process highly sensitive data 5) Nitro TPM; trusted platform module, allowing for EX2 instances to generate, store, and use keys without having access to them

EC2 customization (4)

1) OS Customization 2) Instance type 3) Storage type (EBS, EFS, etc.) 4) Configure Instance

Data storage architecture (3)

1) Object based Storage: 2) File System: 3) Block Storage:

Operational Excellence Pillar 5 Design Principles (CROPSS)

1) Perform operations as code: apply engineering discipline to app code to cloud infrastructure to limit human error and enable consistent response to events 2) Make frequent, small, reversible changes: design workloads to allow components to be updated regularly 3) Refine operations procedures frequently: look for continuously opportunities to improve operations 4) Anticipate failure: perform post mortems on system failures to better improve, write test code, kill production servers to test recovery 5) Learn from all operational failures: share lessons learned in a knowledge base for operational events and failures across your entire organization

Common App Integration Patterns (6)

1) Queueing 2) Streaming 3) Pub/Sub 4) API Gateways 5) State Machines 6) Event Bus

AWS Other Database Services (6)

1) Redshift 2) Elasticache 3) Neptune 4)Amazon Timestreams 5) Amazon Quantum Ledger 6) Database migration service (DMS)

Reserved Instance vs Savings Plan

1) Reserved Instances are based on the commitment to use an instance at a particular price over a specific period, less flexibility more savings Ex. Pay for the price of an M5 in XZY Region for 1 year 2) Savings Plans are based on the commitment to spend a particular dollar amount per hour over a specific period, more flexibility less savings pay for Ex. Pay for a minimum spend post discount of $100/month, anything above 100/month is normal pricing

Type of Cloud Computing (3)

1) SaaS 2) PaaS 3) IaaS

Advantages of Cloud ( DEVS GC)

1) Stop spending money running and maintaining data centers 2) Benefits from massive economies of scale 3)Trade fixed for variable expense 4) Increase speed and agility 5) Go global in minutes 6) Stop guessing capacity

Sustainability Pillar 6 Design Principles (CROPSS)

1) Understand your impact: measure the direct and indirect impact of current and future cloud workload, and measure it against the units of work, resulting as a KPI for performance and change management 2) Establish sustainability goals: and work towards those goals 3) Maximize utilization: stop having idle resources 4) Anticipate and adopt new, more efficient hardware and software offerings: continuous improvement applied to sustainability 5) Use managed services: economies of scale but applied to the amount of negative impact per unit of value 6) Reduce the downstream impact of cloud workloads: ex. reduce the need for your customers to replace hardware

AWS Computing Services (3)

1) VM 2) Containers 3) Serverless offerings

VM vs Containers

1) VMs do not make the best use of space. Apps are not isolated which could cause config conflicts, security problems, or resource hogging. 2) Containers allow you to run multiple apps which are virtually isolated from each other. Launch new containers and configure OS Dependencies per container

AWS Region Considerations (4)

1) What Regulatory compliance does this region meet? 2) What is the cost of AWS services in this region 3) What services are available 4) What is the distance or latency to my end users

Database Migration Service (3): AWS Other Database Services (6)

1) on prem db to AWS 2) AWS db to another AWS db using different SQL engines 3) SQL to NoSQL database

EC2 pricing Models (5)

1)On demand -least commitment 2) Spot - cheapest 90% off 3) Reserved - best long term 75% off 4) Savings plan - second best long term with additional flexibility 72% off 5) Dedicated - most expensive

HIPAA (Health Insurance Portability and Accountability Act)

1996) is United States legislation that provides data privacy and security provisions for safeguarding medical information.

Snowcone

2 Sizes; 8TB of HHD (hybrid hard drive; both HD and SSD) or 14Tb of SSD

Nitro system

A combination of dedicated hardware and lightweight hypervisor enabling faster innovation and enhanced security. All new EC2 instance types use the Nitro System.​

AWS App Runner

A fully managed service that makes it easily for developers to quickly deploy containerized web apps, APIs, at scale with no prior infrastructure exp required

Amazon Sagemaker

A fully-managed platform that enables developers and data scientists to quickly and easily build, train, and deploy machine learning models at any scale. Supports: • Apache MXNet on AWS, open-source deep learning framework • TensorFlow on AWS open-source machine intelligence library • PyTorch on AWS open-source machine learning framework

Logstreams

A log stream represents a sequence of events from an application or instance being monitored

Queueing System: Common App Integration Patterns (6)

A messaging system that will generally delete messages once they are consumed, simple communication, not real time, have to pull data and its not reactive

Proxy servers

A proxy server is a system or router that provides a gateway between users and the internet. Therefore, it helps prevent cyber attackers from entering a private network. It is a server, referred to as an "intermediary" because it goes between end-users and the web pages they visit online.

Compliance Boundaries

A regulatory compliance (legal requirement) by a government or organization that describes where data and cloud resources are allowed to reside

Data Warehouse

A relational data store designed for analytic workloads, which is generally a column-oriented data store, Data warehouses generally perform data aggregation from a database. Data Structure and Schema, etc. are optimized around quickly querying column data using SQL (considered designed to be HOT) Single source of truth for data

Capacity Reservations

A service to request a reserve of Ec2 instance type for a specific region and AZ but at the on-demand rate whether its running or not

Workload

A set of components that work together to deliver business value. A workload is usually the level of detail that business and technology leaders communicate about.

Identity Providers (idP)

A system entity that creates, maintains, and manages identity information for principals and also provides authentication services to applications within a federation or distributed network A trusted provider of your user identity that lets you use to authenticate to access another service such as Facebook, Amazon, Google, Twitter, Github, LinkedIn

Docker Swarm

An orchestration tool for managing deployed multi-containers architectures

Dockerhub

An orchestration tool for managing deployed multi-containers architectures

EC2 and Baremetal Reserved Instances (RI) Up to 75% off (Futures contract)

Billing discount that applies to normal EC2 on demand pricing; BASICALLY AN FUTURES CONTRACT for 1-3 years Pay up to have the right to use up to a certain capacity of on demand EC2 resources per month at a discounted rate and more is the normal rate, you are charged for the instance regardless if you use the capacity or not; There must be available on demand EC2 that meets the criteria

Cloudformation Change sets

Change sets allow you to preview how proposed changes to a cloudformation stack (deployed object that comes from a CloudFormation Template. ex template to deploy 3 ec2 instances, once deployed it will make a stack representing the 3 instances, deleting the stack will remove all 3 ec2) might impact your running resources, for example, whether your changes will delete or replace any critical resources

Snowball Edge

Comes in devices optimized for computing or pure storage; 1) Compute optimize; 39.5TB Access to powerful compute and high-speed storage for data processing before transferring it into AWS. 2) Storage Optimized; 80TB Securely and quickly transfer dozens of terabytes to petabytes of data to AWS. It is also a good fit for running general purpose analysis

Principle of least privilege (PoLP)

Computer security concept of providing a user, role, or application the least amount of permissions to perform an operation or action.

Dedicated Host vs Dedicated Instance Isolation Affinity between host and instances

Consistency to deploy the instances to the same physical server vs no control

AWS Service: State Machine Function

Coordinate multiple AWS services into a serverless workflow -Graphical console to visualize the components of your apps as a series of steps -Automatically triggers and tracks each step, and retries when there are errors, so your application executes in order and as expected, every time -logs the state of each step, so when things go wrong, you can diagnose and debug problems quickly

Well Architected Framework 6 Pillars (CROPSS)

Cost Optimization Reliability Operational Excellence Performance Efficiency Security Sustainability The business context will allow for trade-offs in certain pillars

Direct Connect

Dedicated network connection from on prem to AWS, low bandwidth 50-500mbs, and high bandwidth 1-10gbs

EC2 Tenancy (3)

Default Dedicated Instance Dedicated Host

Cloudwatch Logs

Derformance data about AWS Services eg. CPU Utilization, Memory, Network in Application Logs eg. Rails, Nginx Lambda Logs

Elastic Load Balancer (ELB)

Distributes traffic to multiple instance, can re-route traffic from unhealthy instance to healthy instances.​ Can route traffic to EC2 instances running in different Availability Zones

Docker Compose vs Kubernetes

Docker Compose and Kubernetes are both container orchestration frameworks. The key difference between Docker Compose vs Kubernetes is that Kubernetes is used to run containers of several virtual or real computers. Whereas, Docker Compose can only run containers on a single host machine.

AWS Glue

Extract, Transform, Load (ETL) service . Moving data from one location to another and where you need to perform transformations before the final destination. Similar to Database Migration Service (DMS) but more robust

Memory Optimized (RAM): EC2 Instance Families (5)

Fast performance workloads with large data sets in memory (RAM) Use cases for in memory cashes, in memory databases, streaming big data analytics Start with R, X, Z, and High memory

1) S3 Standard

Fast! 99.99% Availability, 99.999999999% Durability of data objects (11 9's) Replicated across at least three AZs

AWS Service: Simple Queueing Service (SQS)

Fully managed queuing service, asynchronous that enables you to decouple and scale microservices, distributed systems, and serverless applications Use Case: You need to queue up transaction emails to be sent e.g. Signup, Reset Password. We use queueing to decouple long-running tasks, so that if you have too task does not hang your application. By decoupling and letting a separate compute instance to handle part of it, prevents hangups.

Active Directory Domain Services (AD DS)

Gives organizations the ability to manage multiple on prem-infrastructure components and systems using identity per user OU=organizational unit OU can contain objects such as user accounts, groups, computers, printers, applications, file shares, and other OUs

Security Key

Hardware device used for second step in authentication; Yubikey

Amazon SageMaker Ground Truth

Have humans label a dataset that will be used to train machine learning models

Architecture

How components work together in a workload

Cost Management

How to save money

Salting vs Peppering

In cryptography, a pepper is a secret added to an input such as a password during hashing with a cryptographic hash function. This value differs from a salt in that it is not stored alongside a password hash, but rather the pepper is kept separate in some other medium, such as a Hardware Security Module. A pepper is similar in concept to a salt or an encryption key. It is like a salt in that it is a randomized value that is added to a password hash, and it is similar to an encryption key in that it should be kept secret. A pepper performs a comparable role to a salt or an encryption key, but while a salt is not secret (merely unique) and can be stored alongside the hashed output, a pepper is secret and must not be stored with the output. The hash and salt are usually stored in a database, but a pepper must be stored separately to prevent it from being obtained by the attacker in case of a database breach. Where the salt only has to be long enough to be unique per user, a pepper should be long enough to remain secret from brute force attempts to discover it (NIST recommends at least 112 bits).

PIPEDA (Personal Information Protection and Electronic Documents Act)

It governs how private sector organizations collect, use and disclose personal information in the course of commercial business.

Hardware Security Module on AWS - FIPS 140-2 Compliance

Its a piece of hardware designed to store encryption keys. HSM hold keys in memory and never write them to disk. 1) HSM's that are multi tenant are FIPS 140 2 Level 2 Compliant (multiple customers virtually isolated on an HSM) ex. AWS KMS 2)HSM's that are single tenant are FIPS 140 2 Level 3 Compliant (single customer on a dedicated HSM) Ex. AWS CloudHSM

Private Links

Keeps traffic within the AWS network, and not traverse the internet to keep traffic secure

Milestones

Key changes of your architecture through product life cycle

Normal EC2 Instance

Launches from a shared pool of shared resources that is in use by all customers within a given AZ. Ex. Server A (AKA host) is divided up into 5 instances for 5 different customers When the instance is turned off or terminated, the resources are released back into the shared pool of resources This violates certain regulations such as HIPAA which requires completely dedicated infrastructure for protected health info

AWS Macie

Macie is a fully managed service that continuously monitors S3 data access activity for anomalies, and generates detailed alerts when it detects risk of unauthorized access or inadvertent data leaks.

Neptune: AWS Other Database Services (6)

Managed graph database, data is represented as interconnected nodes When you need to understand the connections between data, ex. social media relationships, and association analysis

Document DB: Non SQL DB AWS Services (3)

MongoDB compatible MongoDB is very popular NoSQL among developers. There were open-source licensing issues around using open-source MongoDB, so AWS got around it by just building their own MongoDB database.​

Why use LDAP and not SSO like SAML

Most SSO use LDAP, but LDAP is not designed for web apps Some systems only support LDAP and not SSO

IaaS

Most basic building blocks of cloud IT infrastructure. -It has the most flexibility and management control of all the different cloud computing models. -It is the closest to having a traditional on-premises data center.

Microservices Architecture

Multiple apps are each responsible for one thing Functionality is isolated and stateless. Other sources say that there are cases where a stateful process will be architected to have some of the benefits of a stateful machine

Network Access Control List (NACLs) vs Security Groups

NACLs: virtual firewall at the subnet level, with allow and deny rules; ie block specific IP known for spam Security group: virtual firewall at the instance level, and implicitiy denies all traffic; create allow rules; allow an EC2 instance access on port 22 for SSH, but you can't a single IP address

Common Pattern for EC2 Instance types

Nano Micro Small Medium Xlarge 2xlarge 4xlarge 8xlarge etc. Each change will generally double in price and key attributes

Amazon Comprehend

Natural Language Processor (NLP) service. Find relationships between text to produce Looks at data such as Customer emails, support tickets, social media and makes predictions.

ECS

No cold starts Self managed EC2; you will pay for the resource as it runs

Cost Effective: Benefits of Cloud (FEC RSS)

No long term contracts, up front commitments, and pay as you go

AWS VPN

Offers site to site vpn for on prem network to VPC and AWS client vpn for users to AWS or on prem network

Elastic Beanstalk (EB) Similar to GCP App Engine

Orchestration service for easily deploying web-applications without developers having to worry about setting up and understanding the underlying AWS Services.

App runner (Similar to Elastic Beanstalk but specialized for containers)

PaaS -SPecialized for containers but in addition, the underlying infrastructure is hidden to the user (Abstracted), so they will not have to deal with it

Co-Processors

Part of the processor, these are outside of the main processors and focus on specific purpose computations and so that the main processor can focus on its tasks Ex. FPU; floating point unit specializing in calculating floating point calculations to send to the main CPU

Exchange fixed cost for variable costs: Advantages of Cloud(DEVS GC)

Pay only when consuming resources; on demand vs in investing before knowing the demand

RI Limits

Per month you can buy 20 Regional Reserved Instances per Region You can't exceed your running on demand instance limit 20 Zonal Reserved Instances per AZ You can exceed your running on demand instance limit

Just-In-Time (JIT)

Permitting the smallest length of duration an identity can use permissions

AWS Quick Starts

Prebuilt templates by AWS and AWS Partners to help deploy a wide range of stacks Includes reference architecture, CloudFormation templates to automate deployment, and deployment guide to explain architecture and implementation

AWS Region

Primary Location to (Geographical Area) made of 2 or more availability zones (1 or more data centers in different building, but have <10ms latency between them ), fully redundant -Physically isolated from and independent of every other region (power, location, and water supply)

PaaS

Provides a platform allowing customers to develop, run, and manage applications without the complexity of building and maintaining the infrastructure -Less flexibility than IaaS because of pre-constructed packages.

Easy to Use: Benefits of Cloud (FEC RSS)

Quickly and securely allows for app providers, software vendors, etc. to quickly and securely host your app

AWS API (HHTP based)

Rarely do users directly send HTTP requests directly to the AWS API. Its much easier to interact with the API via a variety of Developer Tools

3) Warm Standby (minutes)

Scaled down copy of your infrastructure running ready to scale up -Business critical services -Scale resources after event

4) Multi-site active (real time)

Scaled up copy of your infrastructure in another region -Zero downtime -near zero loss -Mission critical services

AWS Secrets Manager

Secrets storage service. Store structured data for credentials. Easily rotate, manage and retrieve database credentials.

SAML​

Security Assertion Markup Language is an open standard for exchanging authentication and authorization between an identity provider and a service provider.​ An important use case for SAML is Single-Sign-On via web browser.​

4) Configure Instance: EC2 customization (4)

Security groups, key pairs, user data, IAM roles, and placement groups

Dedicated Hosts

Single tenant Ec2 instances to let you bring your on license based on machine characteristics (ex. cost per CPU, etc) You own the entire server, physically the same hardware as dedicated instances but you are the only one using that sever, and have more control of the under lying physical servers. You can make sure that all the instances you divide the host up into are all on the same host, reducing latency. Ex. Server 1 owned by CRA has 5 CRA-owned instances reducing latency since the instances are all on the exact same physical server. Ex. 2 the CRA's instance is being run on Server 1 and Server 2, and are on physically different devices. There must be a physical connection to each server, causing latency

Reserved instance types (2)

Standard 75% off - can modify RI attributes (instance family, region, dedicated or not, and platform) but can't be exchanged but it can be sold on the RI market place Convertible (54% off) - can exchange for a convertible RI based on Ri attributes of equal or higher value. Can't be bought or sold on the RI market place

State Process or App

Stateful applications and processes, however, are those that can be returned to again and again, like online banking or email. They're performed with the context of previous transactions and the current transaction may be affected by what happened during previous transactions. For these reasons, stateful apps use the same servers each time they process a request from a user. If a stateful transaction is interrupted, the context and history have been stored so you can more or less pick up where you left off. Stateful apps track things like window location, setting preferences, and recent activity. You can think of stateful transactions as an ongoing periodic conversation with the same person. The majority of applications we use day to day are stateful, but as technology advances, microservices and containers make it easier to build and deploy applications in the cloud.

AWS Snow Family (3)

Storage and compute devices used to physically move data in or out of the cloud -When moving data over the internet or private connection is too slow, difficult, or not secure enough, or costly. 1) Snowcone 2) Snowball edge 3) Snowmobile

AWS Compute Optimizer

Suggests how to reduce costs and improve performance by using machine learning to analyze you previous usage history

OLTP (online transaction processing)

System captures and maintains transaction data in a database - Each transaction involves individual database records made up of multiple fields or columns -Focuses on fast processing due to high read, write, and frequently updated

TCO (9)

TCO is a financial estimate intended to help buyers and owners determine the direct and indirect costs of a product or service. Creating a TCO report is useful when your company is looking to migrate from on premise to cloud. Hardware Taxes Licenses Security Software Training IT personnel Installation Monitoring

AWS Distributed Team Structure

Teams utilize 1) Practices 2) Mechanisms 3) Amazon Leadership Principles All 3 are supported by a virtual community of SMEs, principle engineers, etc. ex. having lunchtime talks to focus on applying best practices to real examples

Developer

Tech support via email, 24h before reply No third party support General guidance under 24h System impaired under 12h 7 trusted advisor checks $29/month

Business

Tech support via email, 24h before reply Chat and phone tech support 24/7 No third party support General guidance under 24h System impaired under 12h Production system impaired under 4h Production system down under 1h All trusted advisor checks $100/month

Enterprise

Tech support via email, 24h before reply Chat and phone tech support 24/7 No third party support General guidance under 24h System impaired under 12h Production system impaired under 4h Production system down under 1h Business critical systems down under 15min Personal concierge TAM All trusted advisor checks $15,000/month~

On prem enterprise team structure

Tech, Data, Network, Security, and solution architect using either TOGAF or Zachman

AWS Global Infrastructure

The resources owned by AWS around the globe and act as a single large resource physically networked together

Traditional Hypervisor vs Nitrosystem

Traditionally, hypervisors protect the physical hardware and bios, virtualize the CPU, storage, networking, and provide a rich set of management capabilities. With the Nitro System, we are able to break apart those functions, offload them to dedicated hardware and software, and reduce costs by delivering practically all of the resources of a server to your instances.

Docker containers

Unlike virtual machines (VMs) which each have a complete copy of a guest operating system, container isolation is done on the kernel level without the need for a guest operating system. In addition, libraries can be across containers, so it eliminates the need to have 10 copies of the same library on a server, further saving space. difference between the two is that Docker is about packaging containerized applications on a single node and Kubernetes is meant to run them across a cluster. Since these packages accomplish different things, they are often used in tandem.

Reserved Instance payment options

Upfront: full payment at the start of the term Partial: portion of the cost must be paid upfront and the remaining hours in the term are billed at a discounted hourly rate No upfront billed at a discounted hourly rate for every hour within the term, regardless of use

3) Fault tolerance: Considerations for Cloud Architects (5) (SAFED)

Your ability for your service to ensure there is no single point of failure. Preventing the chance of failure, zero down time A common example is having a copy (secondary) of your database where all ongoing changes are synced.

4) Elasticity : Considerations for Cloud Architects (5) (SAFED)

Your ability to automatically increase or decrease your capacity based on the current demand of traffic, memory and computing power

2) Availability: Considerations for Cloud Architects (5) (SAFED)

Your ability to ensure a service remains available eg. Highly Available (HA) -No single point of failure and or ensure certain level of performance; minimal downtime Ex. Using an elastic load balancer service and running workloads across multiple AZ

5) Disaster Recovery/High durable: Considerations for Cloud Architects (5) (SAFED)

Your ability to recover from a disaster and to prevent the loss of data Solutions that recover from a disaster is known as Disaster Recovery (DR) • Do you have a backup? • How fast can you restore that backup? • Does your backup still work? • How do you ensure current live data is not corrupt?

Dockerfile

a configuration file on how to provision a container

AWS FSc

a feature rich and highly performant file system which can be used for windows (SMB) or linux (Llustre)

Virtual Private Cloud (VPC)

a logically isolated section of the AWS Cloud where you can launch your AWS resources. You choose the range of IPS using CIDR range 10.0.1.0/24 = 256 ip addresses; each subset of the up is a subnet Within the VPC there are public and private subnets

Subnets

a logically visible subdivision of an IP network into multiple smaller network segments

AWS Amplify

a mobile and web application framework , that will provision multiple AWS services as your backend

The Open Container Initiative (OCI)

a public online repository for containers published by the community for download

Pub/Sub Pattern Example

a real-time chat system. - A web-hook system Publisher have no knowledge of who their subscribers are. -Subscribers do not pull for messages. -Messages are instead automatically and immediately pushed to subscribers. -Messages and events are interchangeable terms in pub/sub

Virtual private cloud (VPC)

a subset of a public cloud that has highly restricted, secure access using VPNs, private ip subnets, VLAN

AWS Organizations

allow the creation of new AWS accounts. Centrally manage billing, control access, compliance, security, and share resources across your AWS accounts

EC2 Spot instances up to 90% off

allow you to bid on spare Amazon EC2 computing capacity; up to 90% cheaper than EC2

AWS Resource Access Manager (RAM)

allows you share AWS resources with other AWS account. AWS RAM is an alternative to VPC Peering and creating Cross Account roles. AWS RAM is limited to specific AWS services.

Amazon Kinesis Video Streams

allows you to analyze or apply processing on real time streaming video.

Amazon Elastic Inference

allows you to attach low cost GPU powered acceleration to EC2 instances to reduce the cost of running deep learning inference by up to 75%.

Elastic Load Balancer

allows you to evenly distribute traffic to multiple servers If a datacenter or server becomes unavailable (unhealthy) the load balancer will route the traffic to only those available

AWS Database Migration Service (DMS)

allows you to quickly and securely migrate one database to another. DMS can be used to migrate your on premise database to AWS. Can migrate to same db or using schema conversion tool to different db schema

Organization Units

are a group of AWS accounts within an organization which can also contain other organizational units creating a hierarchy -create isolated AWS accounts for different teams under the payer account - and place them inside Organizational Units (OU) The separation of accounts into OUs allows you to set customized permission boundaries on the accounts using Service Control Policies (SCPs)

AWS Config (Compliance as Code; CaC)

as is a Compliance as Code framework that allows us to manage change in your AWS accounts on a per region basis Ex. • I want this resource to stay configured a specific way for compliance •I want to keep track of configuration changes to resources. •I want a list of all resources within a region. •I want to use analyze potential security weaknesses; I need detailed historical information.

Penetration Testing

authorized simulated cyberattack on a computer system, performed to evaluate the security of the system. This is allowed on AWS but only certain services or require special request to AWS

AWS Data Pipeline

automates the movement of data . You can reliably move data between compute and storage

AWS Schema Conversion Tool (SCT)

automatically convert a source database schema to a target database schema. Each migration path requires a bit of research since not all combinations of sources db and target db are possible.

General: EC2 Instance Families (5)

balance of compute, memory, and networking resources use case of web servers and code repositories Starting with A, T, M, or Mac

Landing Zone

baseline environment following well-architected and best practices to start launching production-ready workloads. • AWS SSO enabled, Centralized logging for AWS CloudTrail, cross-account security auditing

AWS Wavelengths

build and launch your app in a telecom datacenter - ultra-low latency since they will be pushed over a the 5G network and be closest as possible to the end user. Use cases, Vehicle2x, stream high res media, AR/VR, IoT, real time game streaming (Google stadia), streaming analytics with near real time results

AWS CoPilot Command Line Interface Service

build, release and operate production-ready containerized applications on AWS App Runner, Amazon ECS, and AWS Fargate -WS Copilot provides a simple declarative set of commands, including examples and guided experiences to help customers deploy quickly. -After writing your application code, Copilot automates each step in the deployment lifecycle, including pushing to a registry, creating a task definition, and creating a cluster.

Amazon QuickSight

business intelligence (BI) dashboard . You can use it to create business dashboards to power business decisions. It requires little to no programming knowledge and connect and ingest to many different types of databases uses SPICE (super fast, parallel, in memory, calculation engine) to achieve blazing fast performance at scale

Volume Gateway

caches your local drives to S3 so you have a continuous backup of local files in the cloud

Private Subnet

can not reach the internet, where resources to be more secured and only accessible through tightly filtered traffic into the subnet

Public Subnet

can reach the internet

Mechanisms

carry out automated checks to ensure standards are being met.

AWS Lake Formation

centralized, curated, and secured repository that stores all your data in a datalake

AWS Security Hub

cloud posture management service. Collects logs from various AWS Security services and provides a single dashboard to determine current security posture. Ability to set alerts to take remediation. AWS Single

Shared Responsibility Model is a

cloud security framework that defines the security obligations of the customer versa the Cloud Service Provider (CSP)

AWS High Performance Computing Services (2)

cluster of 100s-1000s of servers with fast connections between each of them with the purpose of boosting computing capacity. When you need a supercomputer to perform computational problems to large to fix on a standard computers or would take to long. 1) Nitro System 2) EC2, Parallel Cluster, Batches

Confidentiality: CIA Triad

confidentiality is a component of privacy that implements to protect our data from unauthorized viewers. Ex. encryption, or encryption of symmetric key

Podman

container engine that is OCI compliant and is a drop in replacement for docker -Is daemon-less vs docker, which requires a daemon -Lets you create pods like K8, docker doesn't have pods -Replaces one part of docker, and should be used with Buildah and Skopeo

Datamart

contains a subset of data warehouse information aligned to a specific purposed; ex sales datamart

Cloud Endure Disaster Recovery

continously replicates your machines to a low cost staging area

Cloud Endure Disaster Recovery

continuously replicates your machines into a low-cost staging area in your target AWS account and preferred Region enabling fast and reliable recovery

Amazon Lex

conversion interface service. With Lex you can build voice and text chatbots

AWS Budget Report

create and send daily, weekly, or monthly reports to monitor the performance of your AWS Budget that will be emailed to specific emails.

Redshift

data warehouse - can be expensive because they are keeping data "hot". When you to quickly generate analytics or reports from a large amount of data.

4) RDS on VMware: AWS Relational Database Services (4)

deploy relational database services (RDS) supported engines to an on-premise data Data centre must be using VMware for server virtualization -automates database provisioning, operating system and database patching, backup, point-in-time restore, instance scaling, instance health monitoring, and failover.

Elastic Beanstalk

deploying web-applications with little-to-no knowledge of the underlying infrastructure so you can focus on writing application code instead of setting up an automated deployment pipeline and DevOps tasks. Choose a platform, upload your code and it runs with little knowledge of the infrastructure. Not Recommended for "large enterprise Production" applications

AWS Cost and Usage Reports (CUR)

detailed spreadsheet , enabling you to better analyze and understand your AWS costs

AWS Xray

easy for developers to analyze the behavior of their production, distributed applications with end-to-end tracing capabilities. Identify service map used by app, performance bottlenecks (latency, , edge case errors, and other hard-to-detect issues.

AWS Athena

easy to analyze data in Amazon S3 using standard SQL. Athena is serverless Simply point to your data in Amazon S3, define the schema, and start querying using standard SQL. There's no need for complex ETL jobs to prepare your data for analysis. This makes it easy for anyone with SQL skills to quickly analyze large-scale datasets.

Cloudwatch log insights

enables you to interactive search and analyze your cloud watch data logs

Amazon Kendra

enterprise machine learning search engine service . Uses natural language to suggest answers to question instead of just simple keyword matching

Migration Evaluator

estimate tool used to determine an organization existing on premise cost so it can compare it against AWS Costs for planned cloud migration Migration Evaluator uses an agentless Collector to collect data from your on premise infrastructure to extract your on premise costs

File Gateway

extends your local storage to AWS S3

Storage Optimized: EC2 Instance Families (5)

focus on high sequential read and write, and access to very large data sets on local storage. Optimized to deliver tens of thousands of low-latency, random I/O operations per second (IOPS) to applications. Use case for /O intensive and business-critical workloads such as SQL, NoSQL, in memory or transactional databases, dataware houses, data analytics etc. Start with I, D, and H

AWS Pricing Calculator

free cost estimate tool that can be used within your web browser without the need for an AWS Account to estimate the cost of a various AWS services.

Amazon Keyspace: Non SQL DB AWS Services (3)

fully managed Apache Cassandra database. Cassandra is an open-source NoSQL key/value database similar to DynamoDB in that is columnar store database but has some additional functionality.

Managed Kafka Service (MSK)

fully managed Apache Kafka service. Kafka is an open source platform for building real time streaming data pipelines and applications. It is similar to Kinesis but with more robust functionalities

AWS Services: Managed Kafka Service (MSK)

fully managed Apache Kafka service. Kafka is an open-source platform for building real-time streaming data pipelines and applications. Similar to Kinesis but more robust

2) Aurora: AWS Relational Database Services (4)

fully managed DB of either MySQL (5x faster), Postgres (PSQL) (3x faster) Use case of when you want a highly available, durable, scalable and secure relational database for PSQL or MySQL

Aws service: appsync

fully managed GraphQL service. GraphQL is an open-source agnostic query adaptor that allows you to query data from many different data sources.

Amazon Quantum Ledger Database: AWS Other Database Services (6)

fully managed ledger database that provides transparent, immutable, and graphically variable transaction logs

Amazon Timestream: AWS Other Database Services (6)

fully managed time series database, makes it easy to store and analyze trillions of events per day up to 1,000 times faster and at as little as 1/10th the cost of relational databases. lifecycle of time series data by keeping recent data in memory and moving historical data to a cost optimized storage tier

AWS S3 Transfer Acceleration

generate a special URL that end users use to upload files to a nearby edge location -Once in the edge location it can move much faster within the AWS network to reach S3

AWS Pricing API

get pricing info on AWS services

Amazon Augmented AI

human-intervention review service. When SageMaker's uses machine Learning to make a prediction is not confident it has the right answer queue up the predication for human review.

Co location (carrier hotel)

is a data center where equipment, space, and bandwidth are available for rental to retail customers

Amazon Fraud Detector

is a fully managed fraud detection a service . identify potentially fraudulent online activities such as online payment fraud and the creation of fake accounts.

Root Account User

is a single sign in identity that has complete access to all AWS services and resources in an account

AWS Trust and Safety

is a team that specifically deals with abuses occurring on the AWS platform for the following issues:

Docker Compose

is a tool and configuration file when working with multiple containers

Amazon Elastic MapReduce (EMR)

is for data processing and analysis. Its can be used for creating reports just like Redshift but is more suited when you need to transform unstructured data into structured data on the fly.

AWS Deep Composer

is machine learning enabled musical keyboard

AWS Cost Explorer

lets you visualize, understand, and manage your AWS costs and usage over time, including cost trends, cost drivers, and forecast costs

AWS Cloud Trail

logs all API calls (SDK, CLI) between AWS services (who can we blame) Easily identify which users and accounts made the call to AWS eg. •Where Source IP Address •When EventTime •Who User, UserAgent •What Region, Resource, Action

Amazon CodeGuru

machine learning code analysis service . CodeGuru performs code reviews and will suggest changes to improve the quality of code. It can show visual code profiles (show the internals of your code) to pinpoint performance.

Integrity: CIA Triad

maintaining and assuring the accuracy and completeness of data over its entire lifecycle. ex. utilizing ACID-compliant databases for valid transactions and evident or tamper-proof Hardware security modules. (HSM)

IAM Policies JSON format;

manage access in AWS by creating policies and attaching them to IAM identities (users, groups of users, or roles) or AWS resources. A policy is an object in AWS that, when associated with an identity or resource, defines its permissions.

AWS Shield

managed DDoS (Distributed Denial of Service) protection service that safeguards applications running on AWS. Route53 and Cloudfront use AWSShield

AWS Backup

managed backup service that you can use to centralize and automate the backup of data across AWS services in the cloud and on premises.

Workmail

managed business email, contacts, and calendar service with support for existing desktop and mobile email client applications. (IMAP).

Elasticache: AWS Other Database Services (6)

managed database using in memory and cashing db; redis or memcashed When you need to improve the performance of an app by adding a cashing layer in front

Pinpoint

marketing campaign management service . Pinpoint is for sending targeted email via SMS, push notifications, and voice messages. You can preform A/B testing or create Journeys (complex email response workflows)

Key value Store

non relational database (NoSQL) that uses key value to store value; think of Python dictionaries -unique key followed by the value "thisdict (key) = { "brand": "Ford", "model": "Mustang", "year": 1964}"(value) -Very basic, scalable, but fast, no aggregation, indexes, or relationships

OpenID​

open standard and decentralized authentication protocol. Eg be able to login into a different social media platform using a Google or Facebook account​ OpenID is about providing who are you​

Lightweight Directory Access Protocol (LDAP)

open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.​ a common use is to store user names and passwords and enables Same sign on

AWS Outposts

physical rack of servers that you can put in your data center fully managed service to provide an AWS experience. Your data will reside whenever the Outpost Physically resides

AWS Outposts

physical rack of servers that you can put in your data center. AWS Outposts allows you to use AWS API and Services such as EC2 right in your datacenter.

Dedicated Host vs Dedicated Instance Isolation

physical server isolation (you are the only customer on the host server) vs instance isolation (where the VPC is isolated from other VPCs)

AWS Batch

plans, schedules, and executes your batch computing workloads across the full range of AWS compute services, can utilize Spot Instance to save money.​

Guardrails

pre-packaged governance rules for security, operations, and compliance that customers can select and apply enterprise-wide or to specific groups of accounts

AWS Machine Image (AMI)

predefined config of VM

Technical Account Manager (TAM)

proactive guidance and reactive support to help you succeed with your AWS journey, ex. build solutions, give technical guidance, etc.

Asynchronous Communication

producer sends a message to the consumer and proceeds without waiting for the response. ex. message queue channel where a client publishes a message to a queue, and after the queue acknowledges receipt of the message, the publisher proceeds without waiting for the consumer to process the message. -Implemented using transportation channels such as queues, topics, and event buses to create loose coupling between producers and consumers. Loose coupling increases an architecture's resiliency to failure and ability to handle traffic spikes because it creates an indirection between producer and consumer communication, enabling them to operate independently of each other.

Messaging System

provide asynchronous communication (happens on your own time and doesn't need scheduling) and decouple processes via messages and events from a sender and receiver (producer and consumer)

AWS Codestar

provides a unified user interface, enabling you to easily manage your software development activities in one place; provides tools to quickly develop, build, and deploy applications on AWS. Easily launch common types of stacks eg. LAMP

Personal Health Dashboard

provides alerts and guidance for AWS events that might affect your environment. The Personal Health Dashboard shows recent events to help you manage active events, and shows proactive notifications so that you can plan for scheduled activities Use these alerts to get notified about changes that can affect your AWS resources, and then follow the guidance to diagnose and resolve issues.

Edge Computing

push your computing workloads outside of your networks to run close to the destination location.​ eg. Pushing computing to run on phones, IoT Devices, or external servers not within your cloud network.​

Kinesis Data Streams

real time streaming data service . Create Producers which send data to a stream. Multiple Consumers can consume data within a stream. Use for real time analytics, click streams, ingesting data from a fleet of IOT Devices

Trusted Advisor

recommendation tool that automatically and actively monitors your AWS account to provide actional recommendations across a series of categories.

Same Sign On (not to be confused with Single Sign on)

same sign-on requires you to log into each application, using the same userID and password to logon which helps end-users by reducing the number of userID and passwords to remember.

VPN

secure connection to your AWS network; - Site to site VPN: connecting on premise to your AWS network -Client VPN: to connect user clients to the AWS network

AWS Service: Event Bridge

serverless event bus service that is used for application integration by streaming real-time data to your applications.

3) Aurora Serverless: AWS Relational Database Services (4)

serverless on-demand version of Aurora, when you want the benefits of Aurora but can trade to off cold starts or don't have lots of traffic

AWS Work Docs

shared collaboration service . A centralized storage to share content and It is similar to Microsoft SharePoint. Think of it as a shared folder where the company has ownership

Service Health Dashboard

shows the general status of AWS services,

AWS Account - Root User

special account with full access that cannot be deleted

Amazon Transcribe

speech to text service . Upload your audio file and it is converted

Stateless Process or App

stateless process or application can be understood in isolation. There is no stored knowledge of or reference to past transactions. Each transaction is made as if from scratch for the first time. An example of a stateless transaction would be doing a search online to answer a question you've thought of. You type your question into a search engine and hit enter. If your transaction is interrupted or closed accidentally, you just start a new one. Think of stateless transactions as a vending machine: a single request and a response.

Tape Gateway

stores files onto virtual tapes for backing up your files on very cost-effective long-term storage.

Performance Efficiency (CROPSS)

structured and streamlined allocation of IT and computing resources.

AWS CloudWatch (5)

suite of monitoring tools built into one AWS service 1) Cloudwatch logs 2) Cloudwatch metrics 3) Cloudwatch events 4) Cloudwatch Alarms 5) Cloudwatch Dashboard

1) Relational database service (RDS): AWS Relational Database Services (4)

supports multiple SQL engines; MySQL, MariaDB, Postgres (PSQL), Oracle, Microsoft SQL server, and Aurora -Relational db are synonymous with SQL and OLTP

Tagging

tag is a key and value pair that you can assign to AWS resources Can be used to manage resources, costs, operations management ex. SLA requirements, security classifications, governance, automation, etc.

Amazon Polly

text to speech service. Upload your text and an audio file spoken by synthesized voice is generated.

AWS Guard Duty

threat detection service that continuously monitors for malicious, suspicious activity and unauthorized behavior. It uses Machine Learning to analyze the following AWS logs: •CloudTrail Logs •VPC Flow Logs •DNS logs

Asynchronous Communication Example

three-tier architecture example, a message queue can be introduced between the web, logic, and data tiers to enable each to scale independently of each other. When the application experiences a spike in client traffic, the web tier translates the traffic spike as more messages to the queue for processing, however the logic tier may continue to process messages off the queue without being directly impacted.

Synchronous communication challenges example

three-tier architecture, when the application experiences a spike in client traffic, -Web tier directly translates the traffic spike as pressure on downstream resources (the logic and data tiers), which may not scale to meet the sudden demand. -Likewise, downstream resource failure in the logic or data tier directly impacts the web tier from responding to client requests.

Amazon Forecast

time series forecasting service . Forecast business outcomes such as product demand, resource needs or financial performance.

EC2 VM Import/Export

to import Virtual Machine images into EC2. ranging from VMware, Citrix, HyperV, Windows VHD, Linux VHD from Azure 1) Prep virutal image to upload, upload to s3, use AWS CLI to import image and will generate AMI

Capacity management

to meet demand of traffic and usages through adding or upgrading servers

AWS DeepRacer

toy race car that can be powered with machine learning to perform autonomous driving

Allow for evolutionary architectures (GGAPED)

traditional environment, architectural decisions are often implemented as static, onetime events, with a few major versions of a system during its lifetime. As a business and its context continue to evolve, these initial decisions might hinder the system's ability to deliver changing business requirements. In the cloud, the capability to automate and test on demand lowers the risk of impact from design changes. This allows systems to evolve over time so that businesses can take advantage of innovations as a standard practice.

Network centric (old way)

traditional security focused on firewalls and VPNs since there were few employees or workstations outside the office or they were in specific remote offices.

Simple Email Service (SES)

transactional email service . You can integrate SES into your application to send emails . You can create common template, track open rates, keep track of your reputation.

Cloudwatch Events

trigger an event based on a condition eg. every hour take a snapshot of the server

Chime

video conference service . It is similar to Zoom or Skype. You can screenshare, have multiple people on the call. It is secure by default, and it can show you a calendar of your upcoming calls.

Compute: Core IAAS Components (4)

virtual computer that can run applications, programs, and code EX. E3 or Bracket for Quantum computing

WorkSpaces

virtual remote desktop service Secure managed service for provisioning either Windows or Linux desktops in just a few minutes, up to thousands of desktops

AWS Cloudtrail

visibility into user activity by recording API calls made on your account.

Practicies

ways of doing things, processes, standards, and accepted norms) to ensure teams have the capability but also internally, there are experts to make teams raise the bar

syncronous

when the producer sends a message to the consumer and waits for a response before the producer continues its processing logic Ex. of a point-to-point channel is when a HTTP client makes a request to a HTTP service, waits for the service to process the request, and then applies logic to the HTTP response to determine how to proceed. -More straight forward to implement but cause tight coupling between producers and consumers -Tight coupling can cause problems due to traffic spikes and failures propagating throughout the app

Fail-over

when you have a plan to shift traffic to a redundant system in case the primary system fails

AWS Single Sign On (AWS SSO)

where you create or connect, your workforce identities in AWS once and manage access centrally across your AWS organization.

Dedicated Instances

will always run on the same physical server. The server is still shared with other customers, but you can always ensure it will be in the same piece of hardware and you will not swap to a different device the next time the instance is started

Reliability (CROPSS)

workloads performing their intended functions and how to recover quickly from failure to meet demands

Test systems at production scale (GGAPED)

you can create a production-scale test environment on demand, complete your testing, and then decommission the resources. Because you only pay for the test environment when it's running, you can simulate your live environment for a fraction of the cost of testing on premises.

Account Factory

• automates provisioning of new accounts in your organization with pre-approved account configurations. network configuration and region selections • enable self-service for your builders to configure and provision new accounts using AWS Service Catalog

Failure Zone (AWS term for fault domain)

- Availability zones are isolated, but are connected to other AZ in the region -AZ are physically separated, in a low flood risk pain -Use uninterruptible power supply (UPS) and onsite backup generation facilities -Data centers located in different AZ are supplied by independent substations to reduce risk of a PowerGrid issue impacting more than one AZ

What is a Solutions Architect?

A role in a technical organization that architects a technical solution using multiple systems via researching, documentation, experimentation.

AWS Connection to Tier 1 network

Can reach every other network on the internet without purchasing IP transit or paying for peering, all AWS AZ are redundantly connected to multiple tier 1 transit providers

Data Sovereignty

Data Sovereignty is the jurisdictional control or legal authority that can be asserted over data because its physical location is within jurisdictional boundaries

Go global in minutes: Advantages of Cloud (DEVS GC)

Deploy application in multiple locations around the world, with low latency.

Benefits of Cloud (FEC RSS)

1) Flexible 2) Easy to use 3) Cost Effective 4) Reliable 5) Scalable and high performance 6) Secure

Considerations for Cloud Architects (5) (SAFED)

1) Scalability 2) Availability 3) Fault tolerance 4) Elasticity 5) Disaster Recovery/High durable

Fault Domain

A section of the network that is vulnerable to damage if critical device or system fails, if it fails it will not cascade outside the domain Ex. servers in a rack, entire data center building, etc. CSP define the domains Multiple fault domains are a fault level

Private Cloud

- Deploy using virtualization and resources management tools - Increase resource utilization by using application management and virtualization

Functions (serverless compute ex. AWS Lambda, Google App Engine): Evolution of computing (4)

- Functions are managed VMs running managed containers.​ - You upload a piece of code, choose the amount of memory and duration. ​ - Only responsible for code and data, nothing else​ - Very cost-effective, only pay for the time code is running, VMs only run when there is code to be executed​ -Cold Starts is a side-effect of this setup​

Methods to meet data residency requirements

-AWS Config -AWS Outpost -IAM policies

Edge locations

-Act as on and off ramp to the AWS global network and are datacenters that hold cached copy on the most popular files do the delivery distance to the end users are reduced -Ex. Amazon Cloudfront (CDN), Global accelerator, S3 transfer acceleration

What is a Cloud Architect?

A solutions architect that is focused solely on architecting technical solutions using cloud services.

AWS Direct Connect

AWS Direct Connect is a private/dedicated connection between your data center, office, co-location, and AWS. -Low bandwidth 50mbs-500mbs -High bandwidth 1gb-10gbs

Networking: Core IAAS Components (4)

a virtual network that allows you to define internet connections or network isolations

AWS Wavelength Zones

edge-computing on 5G Networks. -Applications will have ultra-low latency being as close as possible to the users

Auto scaling groups (ASG)

AWS feature that will automatically add or remove servers based on scaling rules you define based on metrics

Containers (virtual private severs, partitions, etc) ex docker, kubernetes: Evolution of computing (4)

- Virtual Machine running multiple containers​, unlike VMs, the virtualization only occurs above the OS layer - ​Docker Daemon​ is the name of the software layer that lets you run multiple containers.​ - You can maximize the utilization of the available capacity which is more cost-effective​ - Your containers share the same underlying OS so containers are more efficient than multiple VMs​ - Multiple apps can run side by side without being limited to the same OS requirements and will not cause conflicts during resource sharing​

AWS In China

AWS China is completely isolate intentionally from AWS Global to meet regulatory compliance -To use you need have a Chinese Business License -Not all services are available in china -Running in Mainland China means you would not need to traverse the The Great Firewall.

Points of Presence (PoP)

intermediate locations between an AWS Region and the end-user, and this location could be a datacenter or collection of hardware.​ -Owned by aws or trusted partner and utilize for content delivery or expediated upload -PoP resources include edge locations and regional edge caches


Ensembles d'études connexes

Network+ Ch 1 - Introduction to Networking

View Set

Chapter 42 Circulation and Gas Exchange

View Set