AWS Cloud Practitioner
Capital Expense (CapEx)
CapEx is defined as business expenses incurred in order to create long-term benefits in the future, such as purchasing fixed assets like a building or equipment.
Classic Load Balancer
Classic Load Balancer provides basic load balancing across multiple Amazon EC2 instances and operates at both the request level and connection level. Classic Load Balancer is intended for applications that were built within the EC2-Classic network.
Deployment Automation
Code deployment processes are integrated with cloud-native tools, improving deployment velocity and reducing manual effort (and error).
AWS Categories of Service
Compute, Storage, Network, and Database
Self-healing/Auto-correcting/self-monitoring
Configuration management scripts and monitoring tools catch anomalies and proactively correct failed/misconfigured resources.
Describe the customer's responsibilities
Customer data; platform, applications, and identity & access management; operating system, network, and firewall configuration; client-side data encryption and data-integrity authentication; server-side encryption (file system and/or data); network traffic protection (encryption, integrity, identity).
AWS Global Infrastructure
Data Centers are in Availability Zones, Availability Zones are in Regions. Edge Locations are outside of Regions
How do you achieve high availability?
Deploy your architecture across multiple AZs (and, where disaster recovery requires it, multiple Regions), with no single point of failure.
Design for failure
Disposability (create resources that are replaceable and easy to start and stop); Logs (treat logs as event streams, used for troubleshooting); Dev/Prod parity (keep development, staging, and production as similar as possible).
ELB
Elastic Load Balancing (ELB) automatically distributes incoming application traffic across multiple targets and virtual appliances in one or more Availability Zones (AZs).
Developer Subscription
Business-hours e-mail access to Cloud Support Associates (general guidance in under 24 hours, system impaired in under 12 hours) and the Trusted Advisor core checks (service quotas and basic security checks).
What network security capabilities are available?
Native AWS tools and 3rd party security products from the AWS Marketplace
Network Load Balancer
Network Load Balancer operates at the connection level (Layer 4), routing connections to targets (Amazon EC2 instances, microservices, Application Load Balancers, and containers) within an Amazon VPC based on IP protocol data. Ideal for load balancing TCP and UDP traffic.
How can DB's be hosted?
On an EC2 instance or as a managed Database
What are common pricing models?
On-Demand Instances, Reserved Instances, Spot Instances, Dedicated Hosts (and Savings Plans).
Operational Expense (OpEx)
OpEx is your operating costs, the expenses to run day-to-day business, like services and consumable items that get used up and are paid for according to use.
Session Policies
Pass a session policy when you use the AWS CLI or AWS API to assume a role or create a federated user session (for example the --policy parameter of aws sts assume-role). Session policies limit the permissions that the role's or user's identity-based policies grant to that session. They only limit permissions for the created session; they never grant permissions.
Pay-as-you-go pricing
Pay for only the services that you need, for as long as you need them
What are the different ways of provisioning and operating in the AWS cloud?
Programmatic access, API's, SDK, AWS Management Console, AWS CLI, and Infrastructure as Code
AWS Abuse
Report AWS resources used for abusive or illegal purposes
Enterprise Subscription
Designated Technical Account Manager (TAM); 24/7 phone, e-mail, and chat support; response in under 15 minutes for a business-critical system down; Concierge Support Team; full access to online self-paced labs.
AWS Support Cases
Technical support cases connect you to technical support for help with service-related technical issues and, in some cases, third-party applications.
AWS Partner Network (APN)
The AWS Partner Network (APN) is a global community of partners that leverages programs, expertise, and resources to build, market, and sell customer offerings.
Who enables encryption?
The customer. AWS provides the mechanisms (AWS KMS, per-service encryption settings), but choosing to turn encryption on and managing the keys is the customer's responsibility under the shared responsibility model.
Reliability
The ability of a system to perform its intended function correctly and consistently
Elasticity
The ability to acquire resources as you need them and release resources when you no longer need them
Agility
The ability to change/move quickly and inexpensively
Data Center
The actual facility where the physical servers are stored
Basic Subscription
The base level included with every AWS account at no charge: customer service for account and billing questions, documentation and forums, and the Trusted Advisor core checks. It does not include technical support cases.
High Availability
The percentage of time that a workload is available for use, where "available for use" means that it performs its agreed function when required. Availability (also called service availability) is a commonly used metric to quantitatively measure reliability. High availability means the workload is almost always available, which in practice means removing single points of failure (for example, instances in several AZs behind a load balancer).
Right-sized infrastructure
The process of matching instance types and sizes to your workload performance and capacity requirements at the lowest possible cost. It's also the process of looking at deployed instances and identifying opportunities to eliminate or downsize without compromising capacity or other requirements, which results in lower costs.
What are benefits of Edge Locations?
Edge Locations bring AWS closer to users: Amazon CloudFront caches content there for low-latency delivery, and AWS Global Accelerator uses them to bring user traffic onto the AWS global network at the nearest point.
TCO
Total Cost of Ownership. Costs to consider: 1. Servers (acquisition, virtualization software, OS); 2. Storage (acquisition); 3. Network (acquisition, maintenance); 4. Data center (space, power, cooling, physical security); 5. Personnel (server, storage, and network administrators).
Access control lists (ACLs)
Use ACLs to control which principals in other accounts can access the resource to which the ACL is attached. ACLs are similar to resource-based policies, although they are the only policy type that does not use the JSON policy document structure. ACLs are cross-account permissions policies that grant permissions to the specified principal. ACLs cannot grant permissions to entities within the same account.
IAM Permissions boundaries
Use a managed policy as the permissions boundary for an IAM entity (user or role). That policy defines the maximum permissions that the identity-based policies can grant to an entity, but does not grant permissions. Permissions boundaries do not define the maximum permissions that a resource-based policy can grant to an entity.
IAM Organizations SCPs (Service Control Policy)
Use an AWS Organizations service control policy (SCP) to define the maximum permissions for account members of an organization or organizational unit (OU). SCPs limit permissions that identity-based policies or resource-based policies grant to entities (users or roles) within the account, but do not grant permissions.
How should you protect your root account?
Enable MFA on the root user (a hardware key where possible), use a strong, unique password, do not create root access keys (delete any that exist), and use the root user only for the few tasks that require it. Do day-to-day work with IAM users or roles instead.
Decouple components versus monolithic architecture
With monolithic architectures, all processes are tightly coupled and run as a single service. With a microservices architecture, an application is built as independent components that run each application process as a service. Because they are independently run, each service can be updated, deployed, and scaled to meet demand for specific functions of an application
Are security checks part of AWS Trusted Advisor?
Yes
What is the labor cost associated with on-premises operations?
You have to pay: - Storage, Server, and Network Administrators - Physical Security teams to guard servers
Application Load Balancer (ALB)
A Layer 7 (HTTP/HTTPS) load balancer that routes requests based on path, hostname, headers, or query string. Directs traffic to a target group (EC2 instances, IP addresses, or Lambda functions).
Describe AWS' responsibilities
Software: compute, storage, database, and networking (including patching and updates to managed services). Hardware / AWS Global Infrastructure: Regions, Availability Zones, Edge Locations.
Partner System Integrations
Solution (technology) partners or consulting partners in the APN. A consulting partner helps audit and improve your architecture and business processes.
AWS Professional Services
Supplementing your team with specialized skills and experience can help you achieve those results. The AWS Professional Services organization is a global team of experts that can help you realize your desired business outcomes when using the AWS Cloud.
AWS Premium Support
Support given to the higher support plans
Shared Responsibility Model
- AWS is responsible for security OF the cloud - Customer is responsible for security IN the cloud
What tasks require use of the root account?
- Change account settings - Restore IAM user Permissions - Activate IAM access to the Billing and Cost Management Console - View certain Tax-Invoices - Close your AWS account - Change or cancel a support plan - Register as a seller in the Reserved Instance Marketplace - Configure MFA delete for your S3 buckets - Edit or delete an Amazon S3 bucket policy that includes an invalid VPC ID or VPC endpoint id - Sign up for GovCloud
Credentials and Access Types
- Console Access - Programmatic Access - Externally Authenticate Users (Identity Federation) - Temporary Access Keys
AWS IAM Groups/Users
- Group: Collection of IAM Users. Groups let you specify permissions for multiple users at once. For example, a Finance Dev team and a Front End Dev team may be groups with different permissions. Groups cannot be nested. For example, Group2 cannot just incorporate Group1's permissions plus a few extra - User: An AWS Identity and Access Management (IAM) user is an entity that you create in AWS to represent the person or application that uses it to interact with AWS. A user in AWS consists of a name and credentials. A user can belong to multiple groups
IAM Policy Types
- Identity-Based Policies - Resource-Based Policies - Permission Boundaries - Organizations SCPs - Access Control Lists (ACLs) - Session Policies
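The six policy types above only make sense together with the order in which AWS combines them (an explicit Deny always wins; SCPs, permissions boundaries, and session policies only narrow what an identity-based or resource-based policy grants). The following is an added illustration, not AWS code: a small Python model of that evaluation logic for a single account, with constructed sample policies. Only Effect, Action, and Resource are modelled; Principal and Condition are ignored, and cross-account access (which needs both sides to allow) is out of scope.

```python
from fnmatch import fnmatchcase  # IAM wildcards (* and ?) map directly onto glob syntax


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def evaluate(policy, action, resource):
    """Evaluate one policy document. Returns "Deny", "Allow" or None (no statement matched)."""
    decision = None
    for stmt in _as_list(policy.get("Statement", [])):
        action_hit = any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", "*")))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny is final within this document
            decision = "Allow"
    return decision


def is_authorized(action, resource, *, identity_policies=(), scps=(),
                  boundary=None, session_policy=None, resource_policy=None):
    """Simplified same-account evaluation order (model of the documented AWS logic)."""
    applicable = [*identity_policies, *scps] + [p for p in (boundary, session_policy, resource_policy) if p]
    # 1. An explicit Deny in any applicable policy overrides every Allow.
    if any(evaluate(p, action, resource) == "Deny" for p in applicable):
        return False
    # 2. SCPs cap identity- and resource-based grants alike; no Allow means deny.
    if any(evaluate(scp, action, resource) != "Allow" for scp in scps):
        return False
    # 3. Identity-based grant, narrowed by the permissions boundary and the session policy.
    identity_grant = any(evaluate(p, action, resource) == "Allow" for p in identity_policies)
    for limiter in (boundary, session_policy):
        if limiter is not None and evaluate(limiter, action, resource) != "Allow":
            identity_grant = False
    # 4. A same-account resource-based policy grants on its own; the boundary does not cap it.
    resource_grant = resource_policy is not None and evaluate(resource_policy, action, resource) == "Allow"
    return identity_grant or resource_grant


# Constructed sample policies (hypothetical account 111122223333, developer role).
IDENTITY = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
                           "Resource": "*"}]}
SCP = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"},
                     {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}
SESSION = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                          "Resource": "arn:aws:s3:::app-logs/*"}]}
SHARED_BUCKET = {"Statement": [{"Effect": "Allow", "Action": "s3:PutObject",
                                "Resource": "arn:aws:s3:::shared/*"}]}  # Principal omitted in the model


def demo():
    """Decisions for a handful of requests; each key names the policy type that decided it."""
    common = dict(identity_policies=[IDENTITY], scps=[SCP], boundary=BOUNDARY)
    return {
        "get app log (within session policy)": is_authorized(
            "s3:GetObject", "arn:aws:s3:::app-logs/2024/a.log", session_policy=SESSION, **common),
        "get other bucket (session policy blocks)": is_authorized(
            "s3:GetObject", "arn:aws:s3:::other/a.log", session_policy=SESSION, **common),
        "put object (boundary blocks)": is_authorized("s3:PutObject", "arn:aws:s3:::app-logs/a", **common),
        "list bucket (no session policy)": is_authorized("s3:ListBucket", "arn:aws:s3:::app-logs", **common),
        "delete bucket (SCP explicit deny)": is_authorized(
            "s3:DeleteBucket", "arn:aws:s3:::app-logs", identity_policies=[IDENTITY], scps=[SCP]),
        "put to shared bucket (resource policy, boundary does not cap)": is_authorized(
            "s3:PutObject", "arn:aws:s3:::shared/a", resource_policy=SHARED_BUCKET, scps=[SCP], boundary=BOUNDARY),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {case}")
```

The last case is the one people get wrong in practice: a bucket policy that names the role grants s3:PutObject even though the role's permissions boundary lists only Get and List, because boundaries limit identity-based grants only. Only an SCP or an explicit Deny stops it.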
Benefits of automation
- Infrastructure automation - Deployment automation - Self-healing/auto-correcting/self-monitoring
AWS IAM Policies, managed and custom
- Managed policies are standalone policies, created either by AWS (AWS managed) or by the customer (customer managed), that can be attached to multiple users, groups, or roles. - Inline policies are embedded in a single user, group, or role and are deleted together with it.
Technical Account Manager (TAM)
A Technical Account Manager (TAM) is your designated technical point of contact who helps you onboard, provides advocacy and guidance to help plan and build solutions using best practices, coordinates access to subject matter experts, assists with case management, presents insights and recommendations on your AWS spend, workload optimization, and event management, and proactively keeps your AWS environment healthy.
Region
A geographic area where AWS services are available. Contains groups of AZs (at least three in every current Region).
Economy of scale
A proportionate saving in costs gained by an increased level of production. (There are many more users on AWS servers than there would be on your own)
Security Group
A security group acts as a virtual firewall for the resources it is associated with, for example an EC2 instance's network interface, controlling inbound and outbound traffic. Security groups are stateful: a reply to allowed traffic is permitted regardless of the rules in the other direction. Rules are allow-only; there are no deny rules, so anything not explicitly allowed is implicitly denied. A newly created security group has no inbound rules and one outbound rule allowing all traffic.
Edge Location
A site that CloudFront uses to cache copies of your content for faster delivery to users at any location
Subnet
A subnet is a range of IP addresses in your VPC. You can launch AWS resources into a specified subnet. Use a public subnet for resources that must be connected to the internet, and a private subnet for resources that won't be connected to the internet. To protect the AWS resources in each subnet, you can use multiple layers of security, including security groups and network access control lists (NACL).
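The difference between the security group (stateful, allow-only) and the subnet's network ACL (stateless, numbered allow/deny rules with an implicit deny at the end) is what decides whether a reply packet ever leaves the instance. This added Python model, which is not AWS code, traces a constructed HTTPS request and its reply through both layers; the instance address, client address, and rule numbers are made up for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    proto: str            # "tcp", "udp" or "-1" (all protocols)
    from_port: int
    to_port: int
    cidr: str
    action: str = "allow"  # NACL rules may be "deny"; security groups only ever allow
    number: int = 0        # NACL rule number; lowest number is evaluated first

    def matches(self, proto, port, remote_ip):
        proto_ok = self.proto in ("-1", proto)
        port_ok = self.from_port <= port <= self.to_port
        net_ok = ipaddress.ip_address(remote_ip) in ipaddress.ip_network(self.cidr)
        return proto_ok and port_ok and net_ok


def _remote_and_port(pkt, direction):
    """Rules are written against the remote peer's address and the packet's destination port."""
    return (pkt.src, pkt.dst_port) if direction == "in" else (pkt.dst, pkt.dst_port)


class SecurityGroup:
    """Stateful and allow-only: the reply to an accepted flow passes without its own rule."""

    def __init__(self, inbound=(), outbound=()):
        self.inbound, self.outbound = list(inbound), list(outbound)
        self._flows = set()  # connection-tracking table

    @staticmethod
    def _flow_key(pkt, direction):
        # (instance ip, instance port, peer ip, peer port, proto) is the same for both directions
        if direction == "in":
            return (pkt.dst, pkt.dst_port, pkt.src, pkt.src_port, pkt.proto)
        return (pkt.src, pkt.src_port, pkt.dst, pkt.dst_port, pkt.proto)

    def allows(self, pkt, direction):
        key = self._flow_key(pkt, direction)
        if key in self._flows:
            return True  # return traffic of a flow that was already allowed
        remote, port = _remote_and_port(pkt, direction)
        rules = self.inbound if direction == "in" else self.outbound
        if any(r.matches(pkt.proto, port, remote) for r in rules):
            self._flows.add(key)
            return True
        return False  # no deny rules exist; anything unmatched is implicitly denied


class NetworkAcl:
    """Stateless: each direction is judged on its own rules, first matching number wins."""

    def __init__(self, inbound=(), outbound=()):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    def allows(self, pkt, direction):
        remote, port = _remote_and_port(pkt, direction)
        for r in (self.inbound if direction == "in" else self.outbound):
            if r.matches(pkt.proto, port, remote):
                return r.action == "allow"
        return False  # the implicit "*" deny rule at the end of every NACL


def trace(sg, nacl, request, reply):
    """Walk a client request into the instance (NACL then SG) and its reply back out (SG then NACL)."""
    return {"request_in": nacl.allows(request, "in") and sg.allows(request, "in"),
            "reply_out": sg.allows(reply, "out") and nacl.allows(reply, "out")}


# Constructed scenario: HTTPS server 10.0.1.10 in a public subnet, client 203.0.113.5.
REQUEST = Packet("203.0.113.5", "10.0.1.10", "tcp", 51515, 443)
REPLY = Packet("10.0.1.10", "203.0.113.5", "tcp", 443, 51515)
HTTPS_IN = Rule("tcp", 443, 443, "0.0.0.0/0")


def demo():
    # Outbound left empty on purpose: statefulness, not an outbound rule, lets the reply out.
    sg = SecurityGroup(inbound=[HTTPS_IN], outbound=[])
    nacl_broken = NetworkAcl(inbound=[Rule("tcp", 443, 443, "0.0.0.0/0", number=100)],
                             outbound=[Rule("tcp", 443, 443, "0.0.0.0/0", number=100)])
    nacl_fixed = NetworkAcl(inbound=[Rule("tcp", 443, 443, "198.51.100.0/24", action="deny", number=90),
                                     Rule("tcp", 443, 443, "0.0.0.0/0", number=100)],
                            outbound=[Rule("tcp", 1024, 65535, "0.0.0.0/0", number=100)])  # ephemeral ports
    blocked_client = Packet("198.51.100.7", "10.0.1.10", "tcp", 40000, 443)
    return {"broken": trace(sg, nacl_broken, REQUEST, REPLY),
            "fixed": trace(SecurityGroup(inbound=[HTTPS_IN]), nacl_fixed, REQUEST, REPLY),
            "blocked_cidr": nacl_fixed.allows(blocked_client, "in"),
            "reply_without_request": SecurityGroup(inbound=[HTTPS_IN]).allows(REPLY, "out")}
```

The "broken" NACL is the classic mistake: the inbound 443 rule is matched, the security group lets the reply through because it remembers the flow, and then the stateless NACL drops the reply because no outbound rule covers the client's ephemeral port 51515. The "fixed" NACL adds outbound 1024-65535 and also shows that a lower-numbered deny (rule 90) beats the broad allow at 100.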
Multi-factor authentication (MFA)
A type of authentication that requires more than just a password for account access. Multifactor authentication involves two or more of the types of authentication (something you know, something you have, something you are, something you do, and somewhere you are), not simply multiple credentials or keys of the same type.
Where can you find documentation about best practices, white papers, and official documentation
AWS Knowledge Center, Security Center, and Forums
AWS Marketplace
AWS Marketplace is a curated digital catalog that makes it easy to find, test, buy, and deploy third-party software
AWS Trusted Advisor
AWS Trusted Advisor provides recommendations that help you follow AWS best practices. Trusted Advisor evaluates your account by using checks. It checks for: - Cost Optimization - Performance - Security - Fault tolerance - Service Limits
Connectivity Options
AWS VPN, AWS Direct Connect, Public Internet
Where is AWS compliance information?
AWS Artifact (on-demand access to AWS compliance reports and agreements such as SOC, PCI DSS, and ISO) and the AWS compliance whitepapers.
Reduce compliance scope
Because AWS already holds certifications for the infrastructure it controls, customers inherit those controls and only have to audit the part of the environment they are responsible for, which reduces the risk of failing to be compliant.
Programmatic Access
Access through the AWS CLI, the SDKs, or AWS Tools for PowerShell. Instead of a sign-in, every API request is signed with an access key pair: the access key ID (a public identifier; long-term keys start with AKIA) and the secret access key, which can be viewed or downloaded only when the key is created. Both are used together to sign requests, so treat the secret like a password.
Deployment Models
All-in with cloud (cloud native), hybrid, and on-premises.
Managed Services
Allows developers to spend less time on maintenance and compliance and more time on development
What services are used for auditing and reporting?
Amazon CloudWatch (metrics, logs, and alarms), AWS Config (resource configuration history and compliance rules), and AWS CloudTrail (audit trail of API and console activity).
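The most useful thing CloudTrail gives a security team is the ability to answer "was the root account used?", which ties the auditing services above to the root-account guidance earlier on this page. The following is an added example, not AWS code: a small detector that runs over constructed CloudTrail records (fabricated for this example, one JSON object per line) and flags root console logins without MFA, root API calls, and failed root logins, while ignoring events where AWS itself acted on the account's behalf. The equivalent CloudWatch Logs metric-filter pattern from the CIS AWS Foundations benchmark is quoted in a comment.

```python
import json

# Constructed CloudTrail records (not real logs), as you would get after unpacking
# the "Records" array of a delivered log file into one JSON object per line.
SAMPLE_EVENTS = r"""
{"eventVersion":"1.08","userIdentity":{"type":"Root","principalId":"111122223333","arn":"arn:aws:iam::111122223333:root","accountId":"111122223333"},"eventTime":"2024-05-01T08:12:44Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","awsRegion":"us-east-1","sourceIPAddress":"198.51.100.23","responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"No"}}
{"eventVersion":"1.08","userIdentity":{"type":"IAMUser","userName":"alice","accountId":"111122223333"},"eventTime":"2024-05-01T08:15:02Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","awsRegion":"us-east-1","sourceIPAddress":"203.0.113.9","responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"Yes"}}
{"eventVersion":"1.08","userIdentity":{"type":"Root","principalId":"111122223333","arn":"arn:aws:iam::111122223333:root","accountId":"111122223333"},"eventTime":"2024-05-01T08:20:10Z","eventSource":"iam.amazonaws.com","eventName":"CreateAccessKey","awsRegion":"us-east-1","sourceIPAddress":"198.51.100.23","requestParameters":{"userName":"backup-user"}}
{"eventVersion":"1.08","userIdentity":{"type":"Root","principalId":"111122223333","arn":"arn:aws:iam::111122223333:root","accountId":"111122223333","invokedBy":"AWS Internal"},"eventType":"AwsServiceEvent","eventTime":"2024-05-01T09:00:00Z","eventSource":"cloudtrail.amazonaws.com","eventName":"StartLogging","awsRegion":"us-east-1"}
{"eventVersion":"1.08","userIdentity":{"type":"Root","principalId":"111122223333","arn":"arn:aws:iam::111122223333:root","accountId":"111122223333"},"eventTime":"2024-05-02T03:41:19Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","awsRegion":"us-east-1","sourceIPAddress":"192.0.2.77","responseElements":{"ConsoleLogin":"Failure"},"additionalEventData":{"MFAUsed":"No"},"errorMessage":"Failed authentication"}
"""

# Same selection as the CIS benchmark "root account usage" metric filter for CloudWatch Logs:
# { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }


def classify(event):
    """Return (severity, reason) for one CloudTrail event, or None if it is not root activity."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "Root":
        return None
    if "invokedBy" in ident or event.get("eventType") == "AwsServiceEvent":
        return None  # AWS acting on the account's behalf, not a person holding root credentials
    name = event.get("eventName")
    if name == "ConsoleLogin":
        outcome = event.get("responseElements", {}).get("ConsoleLogin")
        mfa = event.get("additionalEventData", {}).get("MFAUsed")
        if outcome != "Success":
            return ("medium", "failed root console login (possible credential guessing)")
        if mfa != "Yes":
            return ("critical", "root console login without MFA")
        return ("high", "root console login")
    return ("high", f"root API call {event.get('eventSource')}:{name}")


def find_root_activity(lines):
    """Run classify() over newline-delimited JSON events and collect the findings in order."""
    findings = []
    for raw in lines.strip().splitlines():
        if not raw.strip():
            continue
        event = json.loads(raw)
        verdict = classify(event)
        if verdict is not None:
            severity, reason = verdict
            findings.append({"time": event["eventTime"],
                             "source_ip": event.get("sourceIPAddress"),
                             "severity": severity,
                             "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_root_activity(SAMPLE_EVENTS):
        print(f"{f['time']} {f['severity']:8} {f['source_ip']:15} {f['reason']}")
```

Root CreateAccessKey right after a non-MFA root login, from the same source address, is exactly the sequence to page on: it is how an attacker who phished the root password makes their access persistent.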
AWS Solutions Architect
An AWS Solutions Architect designs, builds, deploys, and maintains business applications and critical infrastructure inside the AWS Cloud
AWS IAM Roles
An IAM role is an AWS identity with specific permissions that is not tied to one person. It is assumed by an IAM user, an application, an AWS service, or a federated identity, which receives temporary credentials for the duration of the session.
Types of Load Balancers
Application, Gateway, Network, and Classic
Externally Authenticated Users (Identity Federation)
Mapping identities from your corporate identity provider (via SAML 2.0 or OIDC) to IAM roles, so an employee signs in with their existing corporate credentials and assumes a role instead of having a separate IAM user and password.
IAM Resource-Based Policies
Attach inline policies to resources. The most common examples of resource-based policies are Amazon S3 bucket policies and IAM role trust policies. Resource-based policies grant permissions to the principal that is specified in the policy. Principals can be in the same account as the resource or in other accounts.
IAM Identity-Based Policies
Attach managed and inline policies to IAM identities (users, groups to which users belong, or roles). Identity-based policies grant permissions to an identity.
How do you achieve elasticity?
Auto Scaling (for example Amazon EC2 Auto Scaling groups) combined with load balancing, plus the built-in scaling of managed and serverless services.
Data Center Costs
Includes data center costs, such as rack costs, power costs, cooling cost, physical security costs, and others.
Personnel Costs
Includes labor/personnel costs for managing and maintaining computer, storage, and network capabilities.
Network Costs
Includes network hardware and software purchase and maintenance cost.
Storage Costs
Includes purchase and maintenance cost for storage hardware and software.
Server Costs
Includes the cost for purchasing and maintaining compute hardware, virtualization software, and operating system costs.
What are the different compute families?
Virtual machines (Amazon EC2), containers (Amazon ECS / EKS), serverless containers (AWS Fargate), and serverless functions (AWS Lambda).
Infrastructure Automation
Infrastructure is structured and built into templates, where it can be versioned and easily replicated for future environments.
AWS Support Tiers (Subscription levels)
Basic, Developer, Business, Enterprise
How does AWS allow users to focus on business value?
By shifting technical resources to revenue-generating activities as opposed to managing infrastructure
What is the impact of software licensing cost when moving to the cloud?
Many customers can bring their existing licenses to the cloud (BYOL) where the vendor's terms allow it, and use AWS License Manager to track and enforce license usage.
Think Parallel
Multi-threading and Concurrent requests to cloud services
Temporary Access Keys
In addition to the access key ID and secret access key, temporary security credentials include a security token that you must send to AWS when you use temporary security credentials. The advantage of temporary security credentials is that they are short term. After they expire, they're no longer valid.
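Temporary credentials and long-term access keys are used the same way: the secret access key never goes on the wire, it derives a signing key that signs each request (AWS Signature Version 4), and with temporary credentials the session token is sent as an extra header that the signature covers. The following added example, which is not AWS SDK code, implements that signing for a constructed GetCallerIdentity request; the credentials, token, and timestamp are made-up placeholders (the ASIA prefix marks a temporary key, AKIA a long-term one), and the path handling is the simple form used by non-S3 services.

```python
import hashlib
import hmac
from urllib.parse import quote


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret_key, date_stamp, region, service):
    """AWS4 key derivation: date, region and service are folded into a per-scope key,
    so the long-term or temporary secret itself is never sent."""
    k_date = _hmac(("AWS4" + secret_key).encode(), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def sign_request(method, host, path, query, body, *, access_key_id, secret_key,
                 region, service, amz_date, session_token=None):
    """Return the headers to send for a SigV4-signed request. With temporary credentials
    the session token goes in X-Amz-Security-Token and is included in the signed headers."""
    date_stamp = amz_date[:8]
    headers = {"host": host, "x-amz-date": amz_date}
    if session_token:
        headers["x-amz-security-token"] = session_token
    # Canonical request: sorted, lower-cased headers and a sorted, URL-encoded query string.
    canonical_query = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                               for k, v in sorted(query.items()))
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))
    canonical_request = "\n".join([method, quote(path, safe="/~"), canonical_query,
                                   canonical_headers, signed_headers, _sha256_hex(body)])
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                _sha256_hex(canonical_request.encode())])
    signature = hmac.new(signing_key(secret_key, date_stamp, region, service),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key_id}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


# Constructed placeholder credentials; not real keys.
ACCESS_KEY_ID = "ASIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
SESSION_TOKEN = "FwoGZXIvYXdzEXAMPLESESSIONTOKEN"


def demo(with_token=True):
    """Sign a constructed STS GetCallerIdentity request with or without a session token."""
    return sign_request("GET", "sts.amazonaws.com", "/",
                        {"Action": "GetCallerIdentity", "Version": "2011-06-15"}, b"",
                        access_key_id=ACCESS_KEY_ID, secret_key=SECRET_KEY,
                        region="us-east-1", service="sts", amz_date="20240501T081244Z",
                        session_token=SESSION_TOKEN if with_token else None)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two practical consequences follow from the construction: the timestamp is signed, so a captured request is only replayable inside the service's clock-skew window, and a stolen temporary key is useless without its token because the token is part of the signed headers.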
Implement elasticity in the cloud versus on-premises
In the cloud, resources can be provisioned automatically and you get exactly what you need when you need it. On premises you have to buy capacity to match peak usage, and that capacity sits idle the rest of the time.
How can customers achieve compliance on AWS?
Following best practice standards, encryption, principle of least privilege, and performing regular audits.
Business Subscription
Full set of Trusted Advisor checks; 24/7 phone, e-mail, and chat access to Cloud Support Engineers; response in under 4 hours for a production system impaired and under 1 hour for a production system down.
Gateway Load Balancer
Gateway Load Balancer helps you easily deploy, scale, and manage your third-party virtual appliances. It gives you one gateway for distributing traffic across multiple virtual appliances while scaling them up or down, based on demand
Principle of Least Privilege
Giving users only the access they need to do their job and nothing more.
Availability Zones
Groups of one or more discrete data centers with redundant power, networking, and connectivity, physically separated from the other AZs in the Region so that a failure in one does not take down the others.
Global Reach
Having regions all around the world allows for low latency operations
Console Access
If you access the console, you sign in as either the root user or an IAM user. Root user sign-in: account e-mail address and password (plus MFA). IAM user sign-in: account ID or alias, IAM username, and password.
When should you deploy in multiple regions?
If you want: Disaster Recovery/Business Continuity, Low Latency for End Users, or you need Data Sovereignty
What are some encryption options?
In transit (TLS between clients and services) and at rest (for example, service-side encryption with keys managed in AWS KMS).
Scalability
The ability to adapt easily to a new level of demand. Scale out: add more instances (horizontal). Scale up: add more resources, such as CPU or memory, to an instance (vertical).
Security
Secure global infrastructure, own your data, automate security tasks, and verify security compliance