Continuation of AWS Certified Cloud Practitioner — Notes (Part 1)
Content Delivery Services
What is a content delivery network (CDN)?
A CDN is a mechanism to deliver content quickly and efficiently based on geographic location.
What is latency?
Latency simply means the time it takes to respond to a request. Low latency is good!
1. AWS CloudFront
CloudFront is a CDN that delivers data and applications globally with low latency.
- Makes content available globally or restricts it based on location
- Speeds up delivery of static and dynamic web content
- Uses edge locations to cache content
Details: https://aws.amazon.com/cloudfront/
💡 If the content is already in the edge location, CloudFront delivers it immediately. If not, CloudFront retrieves the files from the origin.
CloudFront in the real world: S3 static websites; prevent DDoS attacks; IP address blocking.
2. Amazon Global Accelerator
Global Accelerator sends your users through the AWS global network when accessing your content, speeding up delivery.
- Improves latency and availability of single-Region applications
- Sends traffic through the AWS global network infrastructure
- 60% performance boost
- Automatically re-routes traffic to healthy available regional endpoints
Details: https://aws.amazon.com/global-accelerator/
3. S3 Transfer Acceleration
S3 Transfer Acceleration improves content uploads and downloads to and from S3 buckets.
- Fast transfer of files over long distances
- Uses CloudFront’s globally distributed edge locations
- Customers around the world can upload to a central bucket
Details: https://aws.amazon.com/s3/transfer-acceleration/
💡 Things to remember
✔ CloudFront — Don’t forget CloudFront allows for global distribution of content.
✔ Global Accelerator — Remember Global Accelerator provides low latency
✔ Security Features — Don’t forget CloudFront has security features like DDoS protection and geo-restriction
✔ S3 Transfer Acceleration — Remember S3 Transfer Acceleration provides fast transfer of files over long distances
Networking Services
1. Amazon VPC (Virtual Private Cloud)
VPC is a foundational service that allows you to create a secure private network in the AWS cloud where you launch your resources.
- Private Virtual Network
- Launch resources like EC2 instances inside the VPC
- Isolate and protect resources
- A VPC spans the AZs in a Region
Details: https://aws.amazon.com/vpc/
To create a VPC (Virtual Private Cloud), go to the VPC service and click on ‘Launch VPC Wizard’.
💡 VPC — Don’t forget an internet gateway allows traffic to the public internet and peering connects 2 VPCs together.
2. Route53
Route53 is a DNS service that routes users to applications.
- Domain name registration
- Performs health checks on AWS resources
- Supports hybrid cloud architectures
Details: https://aws.amazon.com/route53/
3. Direct Connect
Direct Connect is a dedicated physical network connection from your on-premises data center to AWS.
- Dedicated physical network connection
- Connects your on-premises data center to AWS
- Data travels over a private network
- Supports a hybrid environment
Details: https://aws.amazon.com/directconnect/
Real-world examples: Large datasets, Business-critical data, Hybrid model
4. AWS VPN
Site-to-Site VPN creates a secure connection between your internal networks and your AWS VPCs.
- Similar to Direct Connect but data travels over the public internet.
- Data is automatically encrypted.
- Connects your on-premises data center to AWS
- Supports a hybrid environment
Details: https://aws.amazon.com/vpn/
5. API Gateway
API Gateway allows you to build and manage APIs.
- Share data between systems
- Integrate with services like Lambda.
Details: https://aws.amazon.com/api-gateway/
💡 Things to remember
✔ Route 53 — Don’t forget Route 53 performs health checks on AWS resources and supports a hybrid model
✔ Site-to-Site VPN — Remember that a Site-to-Site VPN supports a hybrid model. Don’t forget to review components such as the virtual private gateway and customer gateway.
✔ Direct Connect — Remember that Direct Connect supports a hybrid model.
Databases
1. RDS
RDS is a service that makes it easy to launch and manage relational databases.
- Supports popular DB engines
- Offers high availability and fault tolerance using multi-AZ deployment option
- AWS manages the DB with automatic software patching, automated backups, OS maintenance, and more.
- Launch read replicas across Regions in order to provide enhanced performance and durability.
- Some of the supported DBs: Amazon Aurora, PostgreSQL, MySQL, MariaDB, Oracle, MS SQL Server
Details: https://aws.amazon.com/rds/
2. Aurora
Aurora is a relational DB compatible with MySQL and PostgreSQL that was created by AWS.
- Supports only MySQL and PostgreSQL DB engines
- 5x faster than normal MySQL and 3x faster than normal PostgreSQL
- Scales automatically while providing durability and High Availability
- Managed by RDS
Details: https://aws.amazon.com/rds/aurora/
3. DynamoDB
DynamoDB is a fully managed NoSQL key-value and document DB
- key-value DB
- Non-relational
- Fully managed and serverless
- Scales automatically to massive workloads with fast performance
Details: https://aws.amazon.com/dynamodb/
4. DocumentDB
DocumentDB is a fully managed document database that supports MongoDB.
- Document DB (MongoDB compatible)
- Fully managed and serverless
- Non-relational
Details: https://aws.amazon.com/documentdb/
5. ElastiCache
ElastiCache is a fully managed in-memory datastore compatible with Redis or Memcached.
- In-memory datastore
- Compatible with Redis or Memcached engines
- Data can be lost
- Offers high performance and low latency
Details: https://aws.amazon.com/elasticache/
6. Neptune
Neptune is a fully managed graph database that supports highly connected datasets.
- Graph database service
- Supports highly connected datasets like social media networks
- Fully managed and serverless
- Fast and reliable
Details: https://aws.amazon.com/neptune/
Real-world DB use cases and the best option available for each
- Migrate an on-premises Oracle database to the cloud — RDS
- Migrate an on-premises PostgreSQL database to the cloud — RDS, Aurora
- Alleviate DB load for data that is accessed often. — ElastiCache
- Process large sets of user-profiles and social interactions. — Neptune
- NoSQL DB is fast enough to handle millions of requests per second. — DynamoDB
- Operate MongoDB workloads at scale — DocumentDB
💡 Things to remember
✔ RDS — RDS is for relational databases only. Don’t forget the supported DB engines: Amazon Aurora, PostgreSQL, MySQL, MariaDB, Oracle DB, and SQL Server
✔ Aurora — only supports PostgreSQL and MySQL
✔ Neptune — helps you create social media graphs
✔ DynamoDB — is a NoSQL DB
✔ ElastiCache — is an in-memory datastore
✔ DocumentDB — supports MongoDB
Migration and Transfer Services
1. Database Migration Service (DMS)
DMS helps you migrate databases to or within AWS.
- Migrate on-premises databases to AWS
- Continuous data replication
- Supports homogeneous and heterogeneous migrations
- Virtually no downtime
Details: https://aws.amazon.com/dms/
2. Server Migration Service (SMS)
SMS allows you to migrate on-premises servers to AWS.
- Migrate on-premises servers to AWS
- Server saved as a new Amazon Machine Image (AMI)
- Use AMI to launch servers as EC2 instances
Details: https://aws.amazon.com/server-migration-service/
3. Snow Family
The Snow Family allows you to transfer large amounts of on-premises data to AWS using a physical device.
Snowcone
- The smallest member of data transport devices
- 8 TB of usable storage
- Offline shipping
- Online with DataSync
Snowball and Snowball Edge
- Petabyte-scale data transport solution
- Transfer data in and out
- Cheaper than internet transfer
- Snowball Edge supports EC2 and Lambda
Snowmobile
- Multi-petabyte or exabyte scale
- Data loaded to S3
- Securely transported
4. DataSync
DataSync allows for online data transfer from on-premises to AWS storage services like S3 or EFS.
- Migrates data from on-premises to AWS
- Copy data over Direct Connect or the internet
- Copy data between AWS storage services
- Replicate data cross-Region or cross-account
💡 Things to remember
✔ Snowball Edge — Natively supported by Snowball Edge, like EC2 and Lambda
✔ Snowball — Remember that Snowball transfers petabytes of data and is cheaper than transferring over the internet
✔ Snowmobile — The largest member of the transport family and supports exabyte-scale data
✔ DataSync — Transfers data online and can be used to replicate data cross-Region or cross-account
Analytics Services
What is a data warehouse?
A data warehouse is a data storage solution that aggregates massive amounts of historical data from disparate sources.
What are the benefits of a data warehouse?
Data warehouses support querying, reporting, analytics, and business intelligence. They are not used for transaction processing.
Redshift
- Scalable data warehouse solution.
- Improves speed and efficiency
- Handles exabyte-scale data
When would you use Redshift in the real world?
- Data Consolidation — When you need to consolidate multiple data sources for reporting.
- Relational databases — When you want to run a database that doesn’t require real-time transaction processing (insert, update, and delete)
Athena
- Is a query service for Amazon S3
- Analyze S3 data using SQL
- Pay per query
- Considered serverless
Glue
- Glue prepares your data for analytics
- ETL (Extract, Transform, Load) service
- Prepare and load data
- Helps to better understand your data
- Crawler and Glue Data Catalog
Kinesis
- Allows you to analyze data and video streams in real-time (streaming data).
- Supports video, audio, application logs, website clickstreams, and IoT
Elastic MapReduce (EMR)
- Helps you process large amounts of data
- Analyze data using Hadoop
- Works with big data frameworks
Data Pipeline
- Data Pipeline helps you move data between compute and storage services running either on AWS or on-premises.
- Moves data at specific intervals
- Moves data based on conditions
- Sends notifications on success or failure
QuickSight
- Build interactive dashboards
- Embed dashboards in your applications
Machine Learning Services
Rekognition
- Allows you to automate your image and video analysis
- Identify custom labels in images and videos
- Face and text detection in images and videos
Comprehend
- It is a Natural Language Processing (NLP) service that finds relationships in text.
- Uncovers insights and relationships
- Analyzes text
Polly
- Polly turns text into speech
- Mimics natural-sounding human speech
- Several voices across many languages
- Can create a custom voice
SageMaker
SageMaker helps you build, train, and deploy machine learning models quickly.
- Prepare data for models
- Train and deploy models
- Provides Deep Learning AMIs
Translate
- Provides real-time and batch language translation
- Supports many languages
- Translate many content formats
Lex
Lex helps you build conversational interfaces like chatbots.
- Recognizes speech and understands the language
- Build highly engaging chatbots
- Powers Amazon Alexa
Developer Tools
Software developers use tools to accelerate the software development and release cycle.
1. Cloud9
Cloud9 allows you to write code within an integrated development environment (IDE) from within your web browser.
- Write and debug code
- Supports popular programming languages
2. CodeCommit
It is a source control system for private Git repositories
- Create repositories to store code
- Commit, branch, and merge code
- Collaborate with other software developers
3. CodeBuild
Allows you to build and test your application source code.
- Compiles source code and runs tests
- Enables continuous integration and delivery
- Produces build artifacts ready to be deployed
4. CodeDeploy
Manages the deployment of code to compute services in the cloud or on-premises.
- Deploys code to EC2, Fargate, Lambda, and on-premises.
- Maintains application uptime
5. CodePipeline
Automates the software release process.
- Quickly delivers new features and updates
- Integrates with CodeBuild to run builds and unit tests
- Integrates with CodeCommit to retrieve source code
- Integrates with CodeDeploy to deploy your changes
6. X-Ray
Helps you debug production applications.
- Analyze and debug production applications
- Map application components
- View requests end to end
7. CodeStar
Helps developers collaboratively work on development projects.
- Developers connect their development environment
- Integrates with CodeCommit, CodeBuild, and CodeDeploy
- Contains issue tracking dashboard
Deployment and Infrastructure Management Services
These services help you quickly stand up new applications, automate the management of infrastructure, and provide real-time visibility into system health.
Have you heard of Infrastructure as Code (IaC)? — IaC allows you to write a script to provision AWS resources. The benefit is that you provision resources in a reproducible manner that saves time.
1. CloudFormation
Allows you to provision AWS resources using Infrastructure as Code (IaC).
- Provides a repeatable process for provisioning resources
- Works with most AWS services
- Create templates for the resources you want to provision
2. Elastic Beanstalk
Allows you to deploy your web applications and web services to AWS.
- Orchestration service that provisions resources.
- Automatically handles the deployment
- Monitors application health via a health dashboard
3. OpsWorks
Allows you to use Chef or Puppet to automate the configuration of your servers and deploy code.
- Deploy code and manage applications
- Manage on-premises servers or EC2 instances in the AWS Cloud
- Works with Chef and Puppet automation platforms
💡 Things to remember
✔ CloudFormation — Don’t forget CloudFormation supports infrastructure automation using Infrastructure as Code (IaC)
✔ OpsWorks — Remember that OpsWorks can deploy applications on-premises, and it also automates infrastructure management using Chef or Puppet.
✔ Elastic Beanstalk — Don’t forget Elastic Beanstalk is only used to deploy applications to the AWS Cloud — it is not used to deploy applications on-premises.
Messaging and Integration Services
SQS (Simple Queue Service)
SQS is a message queuing service that allows you to build loosely coupled systems.
Simple Notification Service (SNS)
Allows you to send emails and text messages from your applications.
Simple Email Service (SES)
It is an Email service that allows you to send richly formatted HTML emails from your applications.
- Ideal choice for marketing campaigns or professional emails
Auditing, Monitoring, and Logging Services
1. CloudWatch
It is a collection of services that help you monitor and observe your cloud resources.
- Collects metrics, logs, and events
- Detect anomalies in your environment
- Set alarms
- Visualize logs
- CloudWatch Alarms — Set high-resolution alarms
- CloudWatch Logs — Monitor Application logs
- CloudWatch Metrics — Visualize time-series data
- CloudWatch Events — Trigger an event based on a condition
2. CloudTrail
Tracks user activity and API calls within your account.
- Log and retain account activity
- Track activity through the console, SDKs, and CLI
- Identify which user made changes
- Detect unusual activity in your account
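Attributing changes and spotting unusual activity are things you do by reading the userIdentity, eventName and sourceIPAddress fields of each CloudTrail record. The following Python is an added example (not from the original notes) that runs over a few constructed records; the read-only prefixes and the high-risk event set are assumptions made for the example, not an AWS-published list.

```python
import json
from collections import Counter

# Constructed sample CloudTrail records (not real account data), trimmed to the
# fields the triage below reads.
SAMPLE_EVENTS = json.loads("""
{"Records": [
 {"eventTime": "2024-01-10T09:12:01Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "userName": "alice",
                   "arn": "arn:aws:iam::111122223333:user/alice"}},
 {"eventTime": "2024-01-10T09:15:44Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
 {"eventTime": "2024-01-10T09:20:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "GetObject", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "AssumedRole",
                   "arn": "arn:aws:sts::111122223333:assumed-role/AppRole/i-0abc"}}
]}
""")

# CloudTrail event names are the API operation names; read-only calls start with these.
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Head")
# Calls that weaken logging or open the network edge (assumption for this example).
HIGH_RISK_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail",
                    "AuthorizeSecurityGroupIngress", "PutBucketPolicy"}


def actor(record):
    """Turn the userIdentity element into a short 'who did it' label."""
    ident = record["userIdentity"]
    if ident["type"] == "Root":
        return "root"
    if ident["type"] == "AssumedRole":
        # ARN shape: arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION -> ROLE/SESSION
        return ident["arn"].split(":")[-1].removeprefix("assumed-role/")
    return ident.get("userName", ident["arn"])


def is_change(record):
    """True for API calls that modify something; those are the ones to attribute."""
    return not record["eventName"].startswith(READ_ONLY_PREFIXES)


def changes_by_actor(events):
    """Who made how many changes: the 'identify which user made changes' question."""
    return Counter(actor(r) for r in events["Records"] if is_change(r))


def triage(events):
    """Flag the changes an analyst should look at first, with the reasons why."""
    findings = []
    for r in events["Records"]:
        if not is_change(r):
            continue
        reasons = []
        if r["userIdentity"]["type"] == "Root":
            reasons.append("root credentials used")
        if r["eventName"] in HIGH_RISK_EVENTS:
            reasons.append("high-risk API call")
        if reasons:
            findings.append({"time": r["eventTime"], "who": actor(r),
                             "call": f'{r["eventSource"]}:{r["eventName"]}',
                             "source_ip": r["sourceIPAddress"], "reasons": reasons})
    return findings
```

Running `triage(SAMPLE_EVENTS)` flags the security-group change by alice and the root-initiated StopLogging call, while the read-only GetObject is attributed to nobody.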
Security and Compliance
Shared Responsibility Model
In the public cloud, there is a shared security responsibility between you and AWS.
AWS’s responsibility → Security of the Cloud
Your responsibility → Security in the Cloud
AWS is responsible for protecting and securing their infrastructure
— AWS Global Infrastructure
— Building Security
— Networking Components
— Software
You are responsible for how services are implemented and for managing your application data.
— Application Data
— Security Configuration
— Patching
— IAM
— Network Traffic
— Installed Software
Well-Architected Framework
The 5 pillars of the Well-Architected Framework describe design principles and best practices for running workloads in the cloud.
1. Operational Excellence
For example, CodeCommit — You can use AWS CodeCommit for version control to enable tracking of code changes and to version-control CloudFormation templates of your infrastructure.
2. Security
For example, CloudTrail — You can configure central logging of all actions performed in your account using CloudTrail.
3. Reliability
For example, RDS — You can use Multi-AZ deployments for enhanced availability and reliability of RDS databases.
4. Performance Efficiency
For example, Lambda — You can use AWS Lambda to run code with zero administration.
5. Cost Optimization
For example, S3 — You can use S3 Intelligent Tiering to automatically move your data between access tiers based on your usage patterns.
Security Services
1. Identity and Access Management (IAM)
IAM allows you to control access to your AWS services and resources.
Service control policies (SCPs)
- AWS Organizations provides central governance and management for multiple accounts. Organization SCPs allow you to create permission guardrails that apply to all accounts within a given organization.
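The guardrail idea is easiest to see with a policy document and its evaluation. Below is an added example (not from the original notes or an AWS-published policy): a constructed SCP that keeps the default FullAWSAccess allow but denies disabling CloudTrail or leaving the organization, plus a simplified evaluator that assumes `Resource` is `"*"` and that statements carry no `Condition` or `NotAction` elements.

```python
import json
from fnmatch import fnmatchcase

# Constructed SCP for this example. Attached at the organization root, it bounds
# every member account, including each account's administrators.
GUARDRAIL_SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "FullAWSAccess", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "ProtectCloudTrail", "Effect": "Deny",
     "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                "cloudtrail:UpdateTrail"],
     "Resource": "*"},
    {"Sid": "DenyLeavingOrg", "Effect": "Deny",
     "Action": "organizations:LeaveOrganization", "Resource": "*"}
  ]
}
""")


def _as_list(value):
    # "Action" may be a single string or a list of strings in a policy document.
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    # IAM action names match case-insensitively; "*" and "?" are wildcards.
    return fnmatchcase(action.lower(), pattern.lower())


def scp_permits(scp, action):
    """Does this SCP leave `action` available to identities in the account?

    Simplified SCP evaluation (assumes Resource "*" and no Condition/NotAction):
    an explicit Deny always wins; otherwise some Allow statement must match.
    An SCP never grants anything by itself: the identity-based policy of the
    caller must still allow the action.
    """
    allowed = denied = False
    for statement in scp["Statement"]:
        if not any(_matches(p, action) for p in _as_list(statement["Action"])):
            continue
        if statement["Effect"] == "Deny":
            denied = True
        else:
            allowed = True
    return allowed and not denied


def blocked_actions(scp, actions):
    """Filter a list of actions down to the ones the guardrail takes away."""
    return [a for a in actions if not scp_permits(scp, a)]
```

Note that an SCP with no Allow statement permits nothing, which is why removing FullAWSAccess without replacing it locks accounts out.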
2. Web Application Firewall (WAF)
WAF helps protect your web application from common web attacks.
3. Shield
It is a managed DDoS protection service.
- Always-on detection
- Shield Standard is free. (Provides free protection against common and frequently occurring attacks)
- Shield Advanced is a paid service. (Provides enhanced protections and 24/7 access to AWS experts for a fee) Note: DDoS protection via Shield Advanced is supported on several services:
- CloudFront, Route 53, Elastic Load Balancing, and AWS Global Accelerator
4. Macie
Macie helps you discover and protect sensitive data.
- Uses machine-learning
- Evaluates S3 environment
- Uncovers PII data
5. Config
Config allows you to assess, audit, and evaluate the configurations of your resources.
- Track configuration changes over time
- Delivers configuration history file to S3
- Sends an SNS notification on every configuration change
Real-world example: Identify system-level configuration changes made to your EC2 instances. — Config allows you to record configuration changes within your EC2 instances. You can view network, software, and operating system (OS) configuration changes, system-level updates, and more.
6. GuardDuty
GuardDuty is an intelligent threat detection system that uncovers unauthorized behavior.
- Uses machine learning
- Built-in detection for EC2, S3, and IAM
- Reviews CloudTrail logs, VPC Flow Logs, and DNS logs
Real-world example: Detect unusual API calls in your account. — GuardDuty’s anomaly detection feature evaluates all API requests in your account and identifies events that are associated with common techniques used by attackers.
7. Inspector
Inspector works with EC2 instances to uncover and report vulnerabilities.
- Agent installed on EC2 instance
- Reports vulnerabilities found
- Checks access from the internet, remote root login, vulnerable software version, etc.
8. Artifact
Artifact offers on-demand access to AWS security and compliance reports.
- Central repository for compliance reports from 3rd-party auditors
- Service Organization Controls (SOC) reports
- Payment Card Industry (PCI) reports
9. Cognito
Cognito helps you control access to mobile and web applications.
- Provides authentication and authorization
- Helps you manage users
- Assists you with user sign-up and sign-in
Real-world example: You need to add a social media sign-in to your web application. — Cognito provides functionality that allows your users to sign in to your application through social media accounts like Facebook and Google.
Encryption Services
1. Key Management Service (KMS)
KMS allows you to generate and store encryption keys.
- Key generator
- Store and Control keys
- AWS manages encryption keys
- Automatically enabled for certain services
Real-world example: Create encrypted Amazon EBS volumes. — When you create an encrypted Amazon EBS volume, you’re able to specify a KMS customer master key.
2. CloudHSM
CloudHSM is a hardware security module (HSM) used to generate encryption keys.
- Dedicated hardware for security
- Generate and manage your own encryption keys
- AWS does not have access to your keys.
Real-world example: Meet compliance requirements for data security by using dedicated hardware. — CloudHSM allows you to meet corporate, contractual, and regulatory compliance requirements for data security by using dedicated hardware in the cloud.
Secrets management
Secrets Manager
Secrets Manager allows you to manage and retrieve secrets (passwords and keys)
- Rotate, manage and retrieve secrets
- Encrypt secrets at rest
- Integrates with services like RDS, Redshift, and DocumentDB
Real-world example: Retrieve database credentials needed for your application code. — Secrets Manager allows you to retrieve database credentials with a call to Secrets Manager APIs, removing the need to hardcode sensitive information in plain text within your application code.
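The retrieve-instead-of-hardcode pattern has one wrinkle worth seeing in code: once a secret rotates, a cached copy stops working, so the application refreshes it when the database rejects the old credentials. The following Python is an added example (not from the original notes); the `CachedSecret`, `connect_with_secret` and `demo` names, the secret id `prod/app/db`, and the stand-in Secrets Manager client and database are all constructed for the example, and the client argument is shaped like the `get_secret_value(SecretId=...)` call of a boto3 `secretsmanager` client.

```python
import json
import time


class AuthError(Exception):
    """Raised by the database driver stand-in when credentials are rejected."""


class CachedSecret:
    """Fetch a JSON secret from Secrets Manager, cache it, and refresh on demand.
    `client` is anything with get_secret_value(SecretId=...), e.g. a boto3
    secretsmanager client; a constructed stand-in is used below to run offline."""

    def __init__(self, client, secret_id, ttl_seconds=300):
        self.client, self.secret_id, self.ttl = client, secret_id, ttl_seconds
        self._value, self._fetched_at = None, 0.0
        self.fetches = 0  # API calls made, so caching behaviour can be checked

    def get(self, force_refresh=False):
        stale = time.monotonic() - self._fetched_at > self.ttl
        if force_refresh or self._value is None or stale:
            resp = self.client.get_secret_value(SecretId=self.secret_id)
            raw = resp["SecretString"] if "SecretString" in resp else resp["SecretBinary"].decode()
            self._value = json.loads(raw)  # RDS-style secret: username, password, host, port
            self._fetched_at = time.monotonic()
            self.fetches += 1
        return self._value


def connect_with_secret(secret, connect):
    """Connect with the cached credentials; if they are rejected, assume the
    secret was rotated since the last fetch and retry once with a fresh copy."""
    creds = secret.get()
    try:
        return connect(creds["username"], creds["password"], creds["host"], creds["port"])
    except AuthError:
        creds = secret.get(force_refresh=True)
        return connect(creds["username"], creds["password"], creds["host"], creds["port"])


# Constructed stand-ins for Secrets Manager and a database driver (no AWS calls).
class FakeSecretsManager:
    def __init__(self, secret_id, current):
        self.secret_id, self.current = secret_id, current

    def rotate(self, new_password):  # what a rotation function would do
        self.current = dict(self.current, password=new_password)

    def get_secret_value(self, SecretId):
        if SecretId != self.secret_id:
            raise KeyError(SecretId)
        return {"SecretString": json.dumps(self.current)}


class FakeDatabase:
    def __init__(self, password):
        self.password = password

    def connect(self, username, password, host, port):
        if password != self.password:
            raise AuthError("password rejected")
        return f"session:{username}@{host}:{port}"


def demo():
    """Connect, rotate the secret and DB password, then connect again with no restart."""
    sm = FakeSecretsManager("prod/app/db", {"username": "app", "password": "p1",
                                            "host": "db.example.internal", "port": 5432})
    db, secret = FakeDatabase("p1"), CachedSecret(sm, "prod/app/db")
    first = connect_with_secret(secret, db.connect)
    sm.rotate("p2")
    db.password = "p2"
    second = connect_with_secret(secret, db.connect)
    return first, second, secret.fetches
```

The second connection succeeds with exactly two API fetches: the cached password fails once, the refresh picks up the rotated one, and no credential ever appears in the source code.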
Pricing, Billing, and Governance Services
Pricing related
Application Discovery Service — Application Discovery Service helps you plan migration projects to the AWS Cloud.
Billing related
Budgets — Budgets allow you to set custom budgets that alert you when your costs or usage exceed your budgeted amount.
Cost and Usage Reports — The Cost and Usage Report contains the most comprehensive set of cost and usage data.
Cost Explorer — Cost Explorer allows you to visualize and forecast your costs and usage over time.
Management and Governance related
Organizations — Organizations allow you to centrally manage multiple AWS accounts under one umbrella.
Control Tower — Control Tower helps you ensure your accounts conform to company-wide policies.
Systems Manager — Systems Manager gives you visibility into and controls your AWS resources.
Trusted Advisor — Trusted Advisor provides real-time guidance to help you provision your resources following AWS best practices.
Marketplace — Marketplace is a digital catalog of prebuilt solutions you can purchase or license. You may also use it to sell solutions to others.
AWS Partner Network (APN) — APN is a global community of approved partners that offer software solutions and consulting services for AWS.
Managed Services — Managed Services helps you efficiently operate your AWS infrastructure.
Professional Services — Professional Services helps enterprise customers move to a cloud-based operating model.
Support Plans
1. Basic — This is included for free for all AWS accounts.
2. Developer — Developer support starts at $29 a month and is recommended for testing and development
3. Business — Business support starts at $100 a month and is recommended for production workloads.
4. Enterprise — Enterprise support starts at $15,000 a month and is recommended for business or mission-critical production workloads.