AWS Cloud Practitioner

Capital Expense (CapEx)

CapEx is defined as business expenses incurred in order to create long-term benefits in the future, such as purchasing fixed assets like a building or equipment.

Classic Load Balancer

Classic Load Balancer provides basic load balancing across multiple Amazon EC2 instances and operates at both the request level and connection level. Classic Load Balancer is intended for applications that were built within the EC2-Classic network.

Deployment Automation

Code deployment processes are integrated with cloud-native tools, improving deployment velocity and reducing manual effort (and error).

AWS Categories of Service

Compute, Storage, Network, and Database

Self-healing/Auto-correcting/self-monitoring

Configuration management scripts and monitoring tools catch anomalies and proactively correct failed/misconfigured resources.

Describe the customers responsibilities

Customer Data, Platform, Applications, Identity & Access Management, Operating System, Network & Firewall Configuration, Client0Side Data Encryption and Data Integrity Authentication, Server Side Encryption (File-System and/or Data), Networking traffic protection (Encryption, Integrity, Identity)

AWS Global Infrastructure

Data Centers are in Availability Zones, Availability Zones are in Regions. Edge Locations are outside of Regions

How do you achieve high availability?

Deploy your architecture in multiple AZ's

Design for failure

Disposability (create resources that are replaceable and easy to start and stop), Logs (treat logs as event streams) Used for trouble shooting, Dev/Prod Parity (keep dev, staging, and production as similar as possible)

ELB

Elastic Load Balancing (ELB) automatically distributes incoming application traffic across multiple targets and virtual appliances in one or more Availability Zones (AZs).

Developer Subscription

Email and Trusted Advisor Service Quota and Basic Security Checks

What network security capabilities are available?

Native AWS tools and 3rd party security products from the AWS Marketplace

Network Load Balancer

Network Load Balancer operates at the connection level (Layer 4), routing connections to targets (Amazon EC2 instances, microservices, ,Application Balancers, and containers) within Amazon VPC, based on IP protocol data. Ideal for load balancing of both TCP and UDP traffic

How can DB's be hosted?

On an EC2 instance or as a managed Database

What are common pricing models?

On-Demand Instances, Reserved Instances, Spot Instances, Reserved Host

Operational Expense (OpEx)

OpEx is your operating costs, the expenses to run day-to-day business, like services and consumable items that get used up and are paid for according to use.

Session Policies

Pass advanced session policies when you use the AWS CLI or AWS API to assume a role or a federated user. Session policies limit the permissions that the role or user's identity-based policies grant to the session. Session policies limit permissions for a created session, but do not grant permissions.

Pay-as-you-go pricing

Pay for only the services that you need, for as long as you need them

What are the different ways of provisioning and operating in the AWS cloud?

Programmatic access, API's, SDK, AWS Management Console, AWS CLI, and Infrastructure as Code

AWS Abuse

Report AWS resources used for abusive or illegal purposes

Enterprise Subscription

TAM, less than 30 min response time for critical system down, Concierge Support Team, Full access to online self-paced labs485

AWS Support Cases

Technical support cases connect you to technical support for help with service-related technical issues and, in some cases, third-party applications.

Amazon Partner Network

The AWS Partner Network (APN) is a global community of partners that leverages programs, expertise, and resources to build, market, and sell customer offerings.

Who enables encryption?

The Customer

Reliability

The ability of a system to perform its intended function correctly and consistently

Elasticity

The ability to acquire resources as you need them and release resources when you no longer need them

Agility

The ability to change/move quickly and inexpensively

Data Center

The actual facility where the physical servers are stored

Basic Subscription

The base level of access to AWS services. Doesn't come with support.

High Availability

The percentage of time that a workload is available for use, where "available for use" means that it performs its agreed function when required. Availability (also known as service availability) is a commonly used metric to quantitatively measure reliability. High availability means that it is almost always available

Right-sized infrastructure

The process of matching instance types and sizes to your workload performance and capacity requirements at the lowest possible cost. It's also the process of looking at deployed instances and identifying opportunities to eliminate or downsize without compromising capacity or other requirements, which results in lower costs.

What are benefits of Edge Locations?

They are used in Amazon CloudFront and for the AWS Global Accelerator

TCO

Total Cost of Ownership. Costs to consider: 1. Servers (Acquisition, Virtualization Software, OS) 2. Storage (Acquisition) 3. Network (Acquisition, Maintenance) 4. Datacenter(Space, Power, Cooling, Physical Security) 5. Personnel (Server, Storage, and Network Admins)

Access control lists (ACLs)

Use ACLs to control which principals in other accounts can access the resource to which the ACL is attached. ACLs are similar to resource-based policies, although they are the only policy type that does not use the JSON policy document structure. ACLs are cross-account permissions policies that grant permissions to the specified principal. ACLs cannot grant permissions to entities within the same account.

IAM Permissions boundaries

Use a managed policy as the permissions boundary for an IAM entity (user or role). That policy defines the maximum permissions that the identity-based policies can grant to an entity, but does not grant permissions. Permissions boundaries do not define the maximum permissions that a resource-based policy can grant to an entity.

IAM Organizations SCPs (Service Control Policy)

Use an AWS Organizations service control policy (SCP) to define the maximum permissions for account members of an organization or organizational unit (OU). SCPs limit permissions that identity-based policies or resource-based policies grant to entities (users or roles) within the account, but do not grant permissions.

How should you protect your root account?

Using MFA and Strong Password policies

Decouple components versus monolithic architecture

With monolithic architectures, all processes are tightly coupled and run as a single service. With a microservices architecture, an application is built as independent components that run each application process as a service. Because they are independently run, each service can be updated, deployed, and scaled to meet demand for specific functions of an application

Are security checks part of AWS Trusted Advisor?

Yes

What is the labor cost associated with on-premises operations?

You have to pay: - Storage, Server, and Network Administrators - Physical Security teams to guard servers

Application Load Balancer (ALB)

layer 7(http) based balancer that route based on url/hostname. Directs traffic based on target group (EC2 Instances, IP, or Lambda)

Describe AWS' responsibilities

Software: Compute, Storage, Database, Networking updates (To managed services) Hardware/AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Partner System Integrations

Solution or Consulting partner. It helps to audit and improve design and business processes

AWS Professional Services

Supplementing your team with specialized skills and experience can help you achieve those results. The AWS Professional Services organization is a global team of experts that can help you realize your desired business outcomes when using the AWS Cloud.

AWS Premium Support

Support given to the higher support plans

Shared Responsibility Model

- AWS is responsible for security OF the cloud - Customer is responsible for security IN the cloud

What tasks require use of the root account?

- Change account settings - Restore IAM user Permissions - Activate IAM access to the Billing and Cost Management Console - View certain Tax-Invoices - Close your AWS account - Change or cancel a support plan - Register as a seller in the Reserved Instance Marketplace - Configure MFA delete for your S3 buckets - Edit or delete an Amazon S3 bucket policy that includes an invalid VPC ID or VPC endpoint id - Sign up for GovCloud

Credentials and Access Types

- Console Access - Programmatic Access - Externally Authenticate Users (Identity Federation) - Temporary Access Keys

AWS IAM Groups/Users

- Group: Collection of IAM Users. Groups let you specify permissions for multiple users at once. For example, a Finance Dev team and a Front End Dev team may be groups with different permissions. Groups cannot be nested. For example, Group2 cannot just incorporate Group1's permissions plus a few extra - User: An AWS Identity and Access Management (IAM) user is an entity that you create in AWS to represent the person or application that uses it to interact with AWS. A user in AWS consists of a name and credentials. A user can belong to multiple groups

IAM Policy Types

- Identity-Based Policies - Resource-Based Policies - Permission Boundaries - Organizations SCPs - Access Control Lists (ACLs) - Session Policies

Benefits of automation

- Infrastructure automation - Deployment automation - Self-healing/auto-correcting/self-monitoring

AWS IAM Policies, managed and custom

- Managed Policies are default policies that have logical groupings created by AWS or the Customer. Managed Policies may be attached to multiple users, groups, or roles. - Inline policies are policies that you add to a single user, group, or role.

Technical Account Manager (TAM)

A Technical Account Manager (TAM) is your designated technical point of contact who helps you onboard, provides advocacy and guidance to help plan and build solutions using best practices, coordinates access to subject matter experts, assists with case management, presents insights and recommendations on your AWS spend, workload optimization, and event management, and proactively keeps your AWS environment healthy.

Region

A geographic area where AWS services are available. Contains groups of AZ's

Economy of scale

A proportionate saving in costs gained by an increased level of production. (There are many more users on AWS servers than there would be on your own)

Security Group

A security group acts as a virtual firewall, controlling the traffic that is allowed to reach and leave the resources that it is associated with. For example, after you associate a security group with an EC2 instance, it controls the inbound and outbound traffic for the instance. Semi Stateful, Everything is denied at first, you only specify what you want to allow

Edge Location

A site that CloudFront uses to cache copies of your content for faster delivery to users at any location

Subnet

A subnet is a range of IP addresses in your VPC. You can launch AWS resources into a specified subnet. Use a public subnet for resources that must be connected to the internet, and a private subnet for resources that won't be connected to the internet. To protect the AWS resources in each subnet, you can use multiple layers of security, including security groups and network access control lists (NACL).

Multi-factor authentication (MFA)

A type of authentication that requires more than just a password for account access. Multifactor authentication involves two or more of the types of authentication (something you know, something you have, something you are, something you do, and somewhere you are), not simply multiple credentials or keys of the same type.

Where can you find documentation about best practices, white papers, and official documentation

AWS Knowledge Center, Security Center, and Forums

AWS Marketplace

AWS Marketplace is a curated digital catalog that makes it easy to find, test, buy, and deploy third-party software

AWS Trusted Advisor

AWS Trusted Advisor provides recommendations that help you follow AWS best practices. Trusted Advisor evaluates your account by using checks. It checks for: - Cost Optimization - Performance - Security - Fault tolerance - Service Limits

Connectivity Options

AWS VPN, AWS Direct Connect, Public Internet

Where is AWS compliance information?

AWS WhitePapers

Reduce compliance scope

AWS helps reduce the risk associated with failing to be compliant

Programmatic Access

Access through the AWS CLI or AWS tools for PowerShell. Sign In: Verification of Access Key and Secret Key Access Key ID: Your ID Key Secret Key ID: Key available for download only when you create it. Used together to sign on

Deployment Models

All in with cloud/cloud native, Hybrid, On-Premisis

Managed Services

Allows developers to spend less time on maintenance and compliance and more time on development

What services are used for auditing and reporting?

Amazon CloudWatch, AWS Config, and AWS CloudTrail

AWS Solutions Architect

An AWS Solutions Architect designs, builds, deploys, and maintains business applications and critical infrastructure inside the AWS Cloud

AWS IAM Roles

An IAM role is an AWS Identity that has specific, temporary permissions and can be assigned to different people

Types of Load Balancers

Application, Gateway, Network, and Classic

Externally Authenticated Users (Identity Federation)

Assigning IAM Roles to members of your Corporate Identities (Like using [email protected] as their identity and assigning them specific roles that way)

IAM Resource-Based Policies

Attach inline policies to resources. The most common examples of resource-based policies are Amazon S3 bucket policies and IAM role trust policies. Resource-based policies grant permissions to the principal that is specified in the policy. Principals can be in the same account as the resource or in other accounts.

IAM Identity-Based Policies

Attach managed and inline policies to IAM identities (users, groups to which users belong, or roles). Identity-based policies grant permissions to an identity.

How do you achieve elasticity?

Auto-Scaling

Data Center Costs

Includes data center costs, such as rack costs, power costs, cooling cost, physical security costs, and others.

Personnel Costs

Includes labor/personnel costs for managing and maintaining computer, storage, and network capabilities.

Network Costs

Includes network hardware and software purchase and maintenance cost.

Storage Costs

Includes purchase and maintenance cost for storage hardware and software.

Server Costs

Includes the cost for purchasing and maintaining compute hardware, virtualization software, and operating system costs.

What are the different compute families?

Serverful (EC2), Containerized (ECS), Serverless Containers (Fargate), Serverless (Lambda)

Infrastructure Automation

Infrastructure is structured and built into templates, where it can be versioned and easily replicated for future environments.

AWS Support Tiers (Subscription levels)

Basic, Developer, Business, Enterprise

How does AWS allow users to focus on business value?

By shifting technical resources to revenue-generating activities as opposed to managing infrastructure

What is the impact of software licensing cost when moving to the cloud?

Most customers can save by using existing licenses when moving to the cloud and then use Amazon License Manager to track those licenses

Think Parallel

Multi-threading and Concurrent requests to cloud services

Temporary Access Keys

In addition to the access key ID and secret access key, temporary security credentials include a security token that you must send to AWS when you use temporary security credentials. The advantage of temporary security credentials is that they are short term. After they expire, they're no longer valid.

Implement elasticity in the cloud versus on-premises

In the cloud it is possible to provision resources automatically and you get exactly what you need. On premises you have to buy resources to match peek usage and waste those resources the rest of the time

How can customers achieve compliance on AWS?

Following best practice standards, encryption, principle of least privilege, and performing regular audits.

Business Subscription

Full Trusted Advisor checks, call, email, and chat. Less than 4 hour response time for production system impairment, less than 1 hour for production system down

Gateway Load Balancer

Gateway Load Balancer helps you easily deploy, scale, and manage your third-party virtual appliances. It gives you one gateway for distributing traffic across multiple virtual appliances while scaling them up or down, based on demand

Principle of Least Privilege

Giving users only the access they need to do their job and nothing more.

Availability Zones

Groups of datacenters that have redundant power, internet, and protection

Global Reach

Having regions all around the world allows for low latency operations

Console Access

If you are accessing the console, you are either the root user or an IAM user. Root User Sign In: Email and Password IAM User Sign In: IAM Username and Password

When should you deploy in multiple regions?

If you want: Disaster Recovery/Business Continuity, Low Latency for End Users, or you need Data Sovereignty

What are some encryption options?

In transit and At rest

Scalability

Scale out: Add more instances Scale up: Add more resources to an instance The ability to easily adapt to meet a new level of demand

Security

Secure global infrastructure, own your data, automate security tasks, and verify security compliance