AWS Certified Cloud Practitioner

I took these notes back in like 2022 or something. I believe the cert exam has changed a little since then and some of the services have definitely been renamed or reshuffled.

Services

  • AWS Management Console: web-based, centralized management for all AWS services
  • Amazon GuardDuty: intelligent threat detection that analyzes CloudTrail events, VPC Flow Logs, and DNS logs for malicious activity against accounts and workloads
  • AWS CodeCommit: fully managed source control service hosting private Git repositories
  • AWS CodeStar: unified console for managing software development activities
  • Amazon CodeGuru: (has since been renamed) ML-powered development tool; provides code quality and security recommendations
  • AWS CodePipeline: automated, integrable CI/CD pipelines
  • Amazon Macie: ML-based discovery and classification of sensitive data (PII, credentials) stored in S3 (think Discord scanning for app tokens)
  • AWS CloudHSM: dedicated, single-tenant hardware security modules for customer-controlled key storage and cryptographic operations
  • AWS Cloud9: web-based IDE
  • AWS Systems Manager (SSM): run commands on EC2 instances (which need the appropriate IAM instance role) and group resources across Regions
  • Amazon Lightsail: easy way to get up and running with a website or a simple VPS
  • AWS Artifact: self-service portal for AWS auditor-issued reports and compliance documents
  • Amazon Inspector: automated vulnerability scanning of EC2 instances, container images, and Lambda functions for software vulnerabilities and unintended network exposure
  • AWS Trusted Advisor: real-time best-practice recommendations across cost, performance, security, fault tolerance, and service limits
  • Amazon Route 53: DNS (hosted zones, domain registration, health-check-aware routing)
  • AWS Lambda: serverless, event-triggered functions
  • Amazon DynamoDB: serverless, flexible non-relational (key-value) database with single-digit millisecond latency
  • Elastic Load Balancing (ELB): distributes incoming traffic across multiple targets such as EC2 instances
  • Amazon VPC: logically isolated virtual networks in the AWS Cloud
  • Amazon S3 Glacier: cheap and durable cold storage with slow (minutes to hours) retrieval
  • AWS Cost Explorer: visualize, understand, and manage costs and usage over time, with usage-based forecasts
  • AWS Shield: managed DDoS protection
  • AWS WAF (Web Application Firewall): protects web applications from common exploits such as SQL injection and cross-site scripting
  • Amazon CloudFront: content delivery network that caches content at edge locations worldwide; integrates with WAF and Shield so only filtered HTTP(S) requests reach the origin
  • AWS CloudTrail: records API activity (who called what, from where, when) across AWS services for auditing and investigation
  • AWS Direct Connect: dedicated network connection from on-prem to AWS for high bandwidth and low latency
  • AWS Certificate Manager: provision, manage, and automatically renew SSL/TLS certificates
  • AWS Pricing Calculator: estimate usage costs for all resources
  • AWS Global Accelerator: networking service that routes user traffic over the AWS global network to optimize the path to the application
  • Amazon Athena: serverless query service for analyzing data in S3 using SQL
  • AWS Device Farm: test mobile and web apps on real devices in the cloud
  • Amazon Simple Notification Service (SNS): a publish/subscribe service that can publish to web servers, email, Lambda functions, SQS queues, etc.
  • Amazon Simple Queue Service (SQS): a message queuing service that can send, store, and receive messages between software components
  • Amazon Elastic Container Service (ECS): a flexible container orchestration service
  • Amazon Elastic Kubernetes Service (EKS): a managed container orchestration service using Kubernetes
  • AWS Fargate: serverless compute engine for containers (works with both ECS and EKS)
  • AWS Elastic Beanstalk: deploys and manages resources automatically from provided code and configuration settings
  • AWS CloudFormation: infrastructure as code (templates that declare resources)
  • AWS Outposts: extend AWS infrastructure and services to on-prem datacenters
  • Amazon Elastic Block Store (EBS): block-level storage volumes that behave like physical drives
  • Amazon Elastic Compute Cloud (EC2): on-demand virtual machines
  • Amazon Simple Storage Service (S3): object storage; an object is its data, metadata, and a key
  • Amazon Elastic File System (EFS): scalable file system accessible from multiple Availability Zones
  • Amazon Aurora: MySQL- and PostgreSQL-compatible relational database that replicates data across multiple Availability Zones
  • Amazon Redshift: data warehousing used for big data analytics
  • AWS Database Migration Service (DMS): migrate relational, non-relational, and other databases to AWS services
  • Amazon DocumentDB: MongoDB-compatible document database service
  • Amazon Neptune: graph database service
  • Amazon Quantum Ledger Database (QLDB): ledger database service with an immutable, cryptographically verifiable change history
  • Amazon Managed Blockchain: create and manage blockchain networks with open-source frameworks
  • Amazon ElastiCache: in-memory caching layer (Redis or Memcached) in front of databases to speed up common reads
  • Amazon DynamoDB Accelerator (DAX): in-memory cache for DynamoDB with microsecond response times
  • AWS Identity and Access Management (IAM): identities and access permissions for AWS services and resources
  • AWS Key Management Service (KMS): create and manage cryptographic keys, control who can use them, and implement envelope encryption
  • Amazon CloudWatch: collect metrics and logs, set alarms, and act on them
  • AWS Budgets: create budget plans and custom alerts
  • AWS OpsWorks: fully managed Chef and Puppet automation
  • AWS X-Ray: analyze, monitor, and debug distributed applications
  • Amazon Detective: analyze and visualize security data to find the root cause of potential security issues
  • AWS PrivateLink: private connectivity from a VPC to AWS services, or to services hosted in other VPCs, without traversing the public internet
  • AWS CodeDeploy: automated software deployments to AWS and on-prem servers
  • AWS Config: assess, audit, and evaluate configurations of AWS resources
  • Amazon WorkSpaces: Desktop-as-a-Service; persistent, cloud-native virtual desktops
  • Amazon Cognito: user sign-up, sign-in, and access control for web and mobile apps
  • AWS DataSync: agent-based data transfer service for moving data between on-prem storage and AWS
  • Amazon EMR: analyze and process vast amounts of data by distributing work across a cluster of virtual servers (Hadoop/Spark)
  • Amazon Machine Image (AMI): template (OS, installed software, configuration) with the information required to launch an EC2 instance

### EC2 (Elastic Compute Cloud)

Provides secure, resizable compute capacity. With EC2 you don’t have to purchase hardware or deal with datacenter maintenance. EC2 instances can be started and stopped within minutes whenever the customer wants.

You pay only while an instance is running, and cost is determined by instance type, purchasing option, AMI/operating system, and Region.

EC2 has multiple **instance types**

* **General purpose instances**: balance of compute, memory, and networking resources. A general purpose virtual machine that can be used for whatever.

* **Compute optimized instances**: ideal for compute-bound processes that need high-performance processors. Something like a CPU bound web server or batch processing tasks would be a good fit.

* **Memory optimized instances**: delivers fast performance for workloads processing large datasets in memory. If you need a lot of RAM, this one’s for you.

* **Accelerated compute instances**: hardware accelerated coprocessors for tasks like floating-point number calculations, graphics processing, and data pattern matching. GPUs galore.

* **Storage optimized instances**: designed specifically for workloads requiring high, sequential read and write access to large datasets on local storage. Delivers tens of thousands of IOPS (input/output operations per second) with low latency. For example, data warehouses.

Pricing is separated into several types

* **On-Demand**: ideal for short-term, irregular workloads that cannot be interrupted. No upfront costs, and instances run until you stop them.

* **Savings Plans**: either a 1-year or 3-year contract that commit you to a consistent amount of compute usage. This can net you up to 72% off On-Demand pricing.

* **Reserved Instances**: longer term contracts (1-year or 3-year) that can net you discounts compared to regular On-Demand pricing.

* **Spot Instances**: ideal for workloads with flexible start and end times or that tolerate interruption. They run on spare EC2 capacity, which AWS can reclaim with a 2-minute warning, but can get you up to 90% off On-Demand pricing.

* **Dedicated Hosts**: dedicated physical servers with EC2 instance capacity. The most expensive option. These can help you address compliance requirements and allow you to use your existing server-bound software licenses.

EC2 is great at scalability. **EC2 Auto Scaling** can automatically add or remove EC2 instances in response to application demand. If demand crosses a threshold you specified, Auto Scaling adds new instances to keep up (and removes them again when demand drops). This, of course, can be done in two different ways

* **Dynamic Scaling** responds to changing demand on the fly

* **Predictive Scaling** predicts the demand and schedules the right number of instances automatically

You can even use these two scaling types together to scale faster. In an Auto Scaling Group you can set a minimum, desired, and maximum of instances.

The difference between **user data** and **instance metadata** is

* **Instance metadata** is data about the running instance (instance ID, AMI ID, network details, and the temporary credentials of its IAM role) that the instance reads from the link-local Instance Metadata Service (IMDS) at 169.254.169.254. Because those credentials are reachable from any process on the box, require IMDSv2 (session token needed) so that a server-side request forgery bug in your application cannot read them with a plain GET.

* **User data** is a script or cloud-init directive passed at launch that the OS runs once at first boot (for example to install an agent or pull configuration). It is readable through the metadata service too, so never embed secrets in it.
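How the IMDSv2 token step blocks an IMDSv1-style read, as an added example that is not part of the original notes. The real endpoint is http://169.254.169.254; so that the script runs offline, `start_mock_imds()` serves a constructed stand-in on localhost that behaves like an instance whose metadata options are set to `HttpTokens=required`. The instance ID and token values are made up.

```python
"""Added example (not from the original notes): IMDSv2 session tokens versus an
IMDSv1-style read of EC2 instance metadata.

The real endpoint is http://169.254.169.254. To run offline, start_mock_imds()
serves a constructed stand-in on localhost that behaves like an instance whose
metadata options are set to HttpTokens=required. The instance ID and token
values below are made up.
"""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

IMDS_REAL = "http://169.254.169.254"        # link-local endpoint on a real instance
TOKEN_HEADER = "X-aws-ec2-metadata-token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
MOCK_INSTANCE_ID = "i-0123456789abcdef0"     # constructed sample value
MOCK_TOKEN = "constructed-session-token"     # constructed sample value


class MockImdsHandler(BaseHTTPRequestHandler):
    """IMDSv2-only behaviour: PUT /latest/api/token issues a session token and
    every metadata GET must present it in the X-aws-ec2-metadata-token header."""

    def log_message(self, *args):            # silence per-request logging
        pass

    def do_PUT(self):
        if self.path == "/latest/api/token" and TTL_HEADER in self.headers:
            self._reply(200, MOCK_TOKEN)
        else:
            self._reply(400, "bad request")

    def do_GET(self):
        if self.headers.get(TOKEN_HEADER) != MOCK_TOKEN:
            self._reply(401, "unauthorized")  # token missing: IMDSv1-style call rejected
        elif self.path == "/latest/meta-data/instance-id":
            self._reply(200, MOCK_INSTANCE_ID)
        else:
            self._reply(404, "not found")

    def _reply(self, status, body):
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def get_imds_token(base_url, ttl_seconds=21600):
    """IMDSv2 step 1: a PUT carrying a TTL header returns a session token.
    A typical SSRF bug only lets an attacker trigger a GET without custom
    headers, so it cannot complete this step."""
    req = urllib.request.Request(f"{base_url}/latest/api/token", method="PUT",
                                 headers={TTL_HEADER: str(ttl_seconds)})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def fetch_metadata(base_url, path, token=None):
    """IMDSv2 step 2: GET a metadata path with the token. With token=None this
    is exactly the IMDSv1 request shape."""
    headers = {TOKEN_HEADER: token} if token else {}
    req = urllib.request.Request(f"{base_url}/latest/meta-data/{path}", headers=headers)
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def start_mock_imds():
    """Start the constructed mock on an ephemeral localhost port."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), MockImdsHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}", server


def demo(base_url):
    """Return (status of the token-less read, instance ID read with a token)."""
    try:
        fetch_metadata(base_url, "instance-id")          # IMDSv1 style
        v1_status = 200
    except urllib.error.HTTPError as err:
        v1_status = err.code
    token = get_imds_token(base_url)
    return v1_status, fetch_metadata(base_url, "instance-id", token)


if __name__ == "__main__":
    base, server = start_mock_imds()
    print(demo(base))                        # (401, 'i-0123456789abcdef0')
    server.shutdown()
```

On a real instance the same two calls are a `PUT` to `/latest/api/token` with the TTL header followed by a `GET` carrying the returned token; the per-instance enforcement is `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required`.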

A bastion host is a hardened EC2 instance in a public subnet that you “jump through” to reach resources in private subnets, such as databases. Keep its security group limited to your own IP ranges on the SSH/RDP port, or replace it with SSM Session Manager, which needs no inbound ports at all.

EC2 has **Instance Stores**, which are temporary block-level storage on disks physically attached to the host server. Data on an instance store is kept across a reboot but lost when the instance stops, hibernates, or terminates, because the instance may come back up on a different host and would no longer have access to that disk.

**Elastic Block Store** volumes persist independently of the instance and stay attached and accessible no matter how many times you start or stop it. They look like normal block-level disks to the guest OS. A volume lives in a single Availability Zone and is automatically replicated within it to prevent data loss; **EBS Snapshots** are incremental backups stored in S3 that can be copied to other AZs and Regions. Turn on EBS encryption by default in each Region you use so new volumes and snapshots are KMS-encrypted without anyone having to remember.

### Elastic Load Balancing (ELB)

A single point of contact for all incoming web traffic. ELB will distribute incoming application traffic across multiple resources. It works incredibly well with EC2 Auto Scaling.

The default health check interval is 30 seconds. A target that fails the configured number of consecutive checks, or times out, is marked unhealthy (the Classic Load Balancer calls this OutOfService) and stops receiving traffic until it passes again. Health checks apply per target, not to the whole target group.

The default health check timeout is 5 seconds.

If your applications are hosted on **EC2-Classic**, you’re going to need the **Classic Load Balancer** (which appears to just be ELB. I dunno, ACloudGuru practice tests are weird).

**Legacy Load Balancer:** the Classic Load Balancer is the previous-generation load balancer. The current generation is the Application Load Balancer (HTTP/HTTPS, layer 7), the Network Load Balancer (TCP/UDP/TLS, layer 4), and the Gateway Load Balancer (inline virtual appliances such as firewalls).

### Lambda

Lambda lets you run code in a truly serverless fashion. You upload code to Lambda and set triggers, which can be events from other AWS services (an S3 upload, an SQS message, an EventBridge schedule), mobile applications, or HTTP endpoints. When triggered, Lambda runs your code with the permissions of the function’s IAM execution role, so scope that role to what the function actually touches.

With Lambda you pay only for the number of requests and the compute time your code used. I think it’s calculated by the millisecond.

### Container Based Systems

There are a few different container services offered by AWS

* **Elastic Container Service (ECS)**: A highly scalable, high-performance container management system. It supports Docker containers (both open-source Docker Community and subscription Docker Enterprise). You launch and stop containers through ECS API calls.

* **Elastic Kubernetes Service (EKS)**: A fully managed service to utilize Kubernetes in AWS. It helps you deploy and manage containerized applications at scale. Kubernetes handles container orchestration across a large amount of hosts and with a large amount of containers.

* **AWS Fargate**: A serverless compute engine for containers. It’s like EC2 but for containers instead of full virtual machines. It can work with both ECS and EKS and manages the actual server infrastructure for you.

### RDS

Multi-AZ gives better availability.

Multi-AZ is for High Availability, whereas Read Replicas are for read performance. Multi-AZ keeps a synchronously replicated standby in another Availability Zone and fails over to it automatically; the standby does not serve reads. Read Replicas replicate asynchronously, serve read traffic, and can be promoted to standalone databases by hand, which gives you a disaster-recovery option but not automatic failover. The difference is in the replication.

Read Replicas replicate asynchronously.

Multi-AZ databases replicate synchronously.

### Simple Storage Service (S3)

Object storage that stores data as objects in buckets. You can upload any file type with no overall storage limit; an individual object can be up to 5 TB.

You can set permissions on individual objects (object ACLs) to control access to them.

You can set **Bucket Policies** (resource-based IAM policies) to control access to a bucket and its objects. Keep S3 Block Public Access turned on unless a bucket is deliberately public, and prefer bucket policies and IAM over object ACLs so that access is decided in one place.

S3 has versioning to track changes to your objects over time.

S3 has a range of storage classes that can be selected based on how often you plan to retrieve your data and how available you need your data to be

* **Standard**: designed for frequently accessed data and is stored in a minimum of 3 Availability Zones.

* **Standard-Infrequent Access**: designed for infrequently accessed data so it has a lower price tag.

* **One Zone-Infrequent Access**: saves money because it only stores data in a single Availability Zone.

* **Intelligent-Tiering**: designed for data with unknown or changing access patterns and has a small monthly monitoring and automation fee per object. This class automatically moves objects between its own frequent, infrequent, and archive access tiers depending on how often each object is read.

* **Glacier** (now S3 Glacier Flexible Retrieval): low-cost and designed for data archiving; retrieval can take anywhere from a few minutes to a few hours.

* **Glacier Deep Archive**: lowest-cost with retrieval times of "within 12 hours".

Reports can be delivered to an S3 bucket, but the bucket must be owned by the organization’s management account (formerly called the “master account”). Once in S3, the reports can be queried in place with something like Amazon Athena.

### Identity Access and Management (IAM)

Permissions for setting access to AWS services and APIs. IAM policies are attached to **users**, **groups**, and **roles**; roles in turn can be assumed by users, by AWS services, and by things like **EC2 instances** (through an instance profile). Security groups are a VPC firewall construct, not an IAM identity.

**IAM Users** are identities that represent people or applications that sign in with long-term credentials. You need to add permissions to users, as they have none by default.

An **IAM Policy** is a JSON document that allows or denies specific actions on specific resources. An explicit Deny always wins over an Allow, and anything not allowed is implicitly denied.

**IAM Groups** are collections of IAM users that let you easily assign the same set of permissions to multiple users.

**IAM Roles** are identities with no long-term credentials that a user, application, or AWS service assumes to receive temporary credentials. Put a role on an EC2 instance instead of copying access keys onto the box.

IAM supports **Multi-factor Authentication** for user sign-in. Enable it for the account root user first, then for every human user.

### Shield

AWS Shield is a DDoS protection service. It has two levels of protection

* **Standard**: automatically protects all customers for free against the most common network and transport layer (layer 3/4) attacks by analyzing incoming traffic and filtering the malicious part.

* **Advanced**: a paid service that provides detailed attack diagnostics, 24/7 access to the AWS DDoS Response Team, cost protection against scaling charges caused by an attack, and integration with WAF, CloudFront, Route 53, and ELB. You can also write custom WAF rules to mitigate complex application-layer DDoS attacks.

### CloudWatch

You can set alarms that will automatically perform actions based on metrics.

You can also configure multiple dashboards with custom metric widgets.

### CloudTrail Insights

Automatically detects unusual API activity in your AWS account by comparing current call volumes and error rates for each API against a baseline learned from normal usage, and writes an Insights event when they diverge.
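A baseline-versus-current comparison of the kind CloudTrail Insights runs, reimplemented here as an added example that is not part of the original notes. Insights’ real thresholds and model are not public; this uses a plain “more than N times the median hourly volume” rule over a few constructed CloudTrail-style records (the account ID, principal, and IP are documentation placeholders), which is enough to surface the IAM enumeration burst in the sample and to show the first triage pivot, who made the calls.

```python
"""Added example (not from the original notes): a baseline-versus-current
comparison of the kind CloudTrail Insights runs, over constructed
CloudTrail-style records so it works offline. Insights' real thresholds and
model are not public; this uses a plain 'more than N times the median hourly
volume' rule. Account ID, principal and IP are documentation placeholders.
"""
from collections import Counter, defaultdict
from datetime import datetime, timezone


def make_sample_records():
    """Constructed sample: seven quiet hours of routine IAM reads, then one hour
    in which a single CI user fires 60 ListUsers/ListAccessKeys calls."""
    records = []
    day = datetime(2022, 3, 1, tzinfo=timezone.utc)
    for hour in range(8):
        calls = 2 if hour < 7 else 60
        for i in range(calls):
            stamp = day.replace(hour=hour, minute=i % 60)
            records.append({
                "eventTime": stamp.strftime("%Y-%m-%dT%H:%M:%SZ"),
                "eventSource": "iam.amazonaws.com",
                "eventName": "ListUsers" if i % 2 == 0 else "ListAccessKeys",
                "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"},
                "sourceIPAddress": "198.51.100.7",
            })
    return records


def hourly_counts(records):
    """API calls per eventSource per hour bucket ('YYYY-MM-DDTHH')."""
    counts = defaultdict(Counter)
    for rec in records:
        counts[rec["eventSource"]][rec["eventTime"][:13]] += 1
    return counts


def find_spikes(records, factor=5.0, min_calls=20):
    """Return (eventSource, hour, count, baseline) for every hour whose call
    volume exceeds factor x the median of the other hours and is at least
    min_calls. The floor stops a jump from 1 to 6 calls raising an alert."""
    spikes = []
    for source, per_hour in hourly_counts(records).items():
        for hour, count in sorted(per_hour.items()):
            others = sorted(c for h, c in per_hour.items() if h != hour)
            if not others:
                continue
            baseline = others[len(others) // 2]
            if count >= min_calls and count > factor * baseline:
                spikes.append((source, hour, count, baseline))
    return spikes


def top_callers(records, source, hour, n=3):
    """First triage pivot: which principals generated the flagged hour's calls."""
    callers = Counter(rec["userIdentity"]["arn"] for rec in records
                      if rec["eventSource"] == source and rec["eventTime"][:13] == hour)
    return callers.most_common(n)


if __name__ == "__main__":
    recs = make_sample_records()
    for source, hour, count, baseline in find_spikes(recs):
        print(f"{source} {hour}: {count} calls vs baseline {baseline}")
        print("  callers:", top_callers(recs, source, hour))
```

Real CloudTrail records carry the same `eventTime`, `eventSource`, `eventName`, and `userIdentity` fields used here, so the functions work unchanged on a decoded CloudTrail log file’s `Records` array.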

### AWS Snow Family

A collection of physical devices used for physically transporting petabyte- to exabyte-scale data into and out of the AWS Cloud when the network would be too slow or too expensive.

It includes

* **AWS Snowcone**: small, rugged, and secure edge computing transfer device with 2 CPUs, 4GB memory, and 8TB usable storage.

* **AWS Snowball**: comes in two variants. Snowball Edge Storage Optimized has 80TB HDD + 1TB SSD, 40 vCPUs, and 80GB memory; Snowball Edge Compute Optimized has 42TB HDD + 7.68TB NVMe, 52 vCPUs, 208GB memory, and an optional NVIDIA Tesla V100 GPU.

* **AWS Snowmobile**: an exabyte-scale data transfer service allowing for up to 100PB of data per 45-foot shipping container on a truck.

## Networking

**AWS Virtual Private Cloud (VPC)** allows you to provision isolated sections of the AWS Cloud. Inside of VPCs are **Subnets**, which are sections of a VPC that can contain resources such as EC2 instances.

A VPC needs an **Internet Gateway** attached, and a route to it, before resources in it can be reached from or reach the public internet. If you only want access from your own private networks, you can use a **Virtual Private Gateway** instead.

### Virtual Private Gateway

This is the VPN endpoint on the VPC side. It terminates an encrypted (IPsec) Site-to-Site VPN connection between the VPC and a private network, such as an on-premises datacenter or internal corporate network, so traffic enters the VPC protected even though it crosses the public internet.

### Route53

Route 53 can return different answers, and therefore different content, for users in different geographic regions.

Route 53 publishes a hosted zone’s NS records with a TTL of 172800 seconds (48 hours), and resolvers around the world cache them for that long, so changing which nameservers serve a domain can take up to 48 hours to take effect globally. Changes to records inside a zone propagate as fast as the TTL you set on those records.

Route 53 has various routing policies

* **Latency Routing Policy**: routes each user to the Region that gives them the lowest latency when resources exist in multiple Regions

* **Weighted Routing Policy**: distributes requests between resources in proportion to weights you define (handy for canary releases)

* **Geoproximity Routing Policy**: routes traffic based on the geographic location of your resources, with a bias value to shift more or less traffic toward a given resource

* **Geolocation Routing Policy**: routes traffic based on the user’s location (continent, country, or US state)

### Web Application Firewall (WAF)

Uses **web ACLs** (web access control lists) made of rules that allow, block, or count requests based on conditions such as source IP, HTTP headers, URI, or body. AWS-managed rule groups cover the usual suspects (SQL injection, cross-site scripting, known bad inputs). A web ACL is attached to a CloudFront distribution, Application Load Balancer, API Gateway, or AppSync API.

### AWS Direct Connect

This is a dedicated private connection between your datacenter and a VPC. It’s specifically built for high bandwidth, low latency operation and can help reduce network costs.

### Network Access Control List (ACL)

Every packet that enters or leaves a subnet is checked against that subnet’s network ACL. Rules are numbered and evaluated lowest number first, the first match wins, and a packet that matches nothing hits the final deny. The default network ACL allows all traffic; a custom one denies everything until you add rules.

To control instance level security you use **Security Groups**.

### Security Groups

Every EC2 instance belongs to at least one security group, and a security group only has allow rules: any inbound traffic not explicitly allowed is dropped (a new custom group starts with no inbound rules and allows all outbound traffic). The difference between Security Groups and network ACLs is that Security Groups are stateful while network ACLs are not. A Security Group tracks connections, so return traffic of an allowed connection is always let through. Network ACLs are stateless and make no special consideration for return traffic; they check every packet, in both directions, against the rules for that direction.
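The stateful/stateless difference, as a constructed simulation added here (not part of the original notes): a client at 203.0.113.10 opens an HTTPS connection to an instance at 10.0.1.5, and the request and reply are pushed through a security-group model and a network-ACL model. Addresses are documentation ranges and only TCP destination ports are modelled; the rule tables are made up to show the two classic mistakes, a custom NACL with no outbound ephemeral-port rule and a deny rule numbered lower than the allow.

```python
"""Added example (not from the original notes): a constructed simulation of
why security groups are stateful and network ACLs are stateless. A client at
203.0.113.10 opens an HTTPS connection to an instance at 10.0.1.5; the request
and the reply are pushed through each filter and the verdicts compared.
Addresses are documentation ranges; only TCP destination ports are modelled.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport direction")   # direction: in/out

# Security group: allow rules only, no ordering, no deny. Outbound is left
# empty on purpose to show that return traffic does not need a rule.
SG_RULES = {"in": [443], "out": []}

# Network ACLs: (rule number, action, (low port, high port)), evaluated lowest
# number first, first match wins, then the implicit '*' deny.
NACL_NO_EPHEMERAL = {"in": [(100, "allow", (443, 443))],
                     "out": []}
NACL_OK = {"in": [(100, "allow", (443, 443))],
           "out": [(100, "allow", (1024, 65535))]}   # replies go to client ephemeral ports
NACL_ORDERING = {"in": [(100, "allow", (443, 443)), (50, "deny", (443, 443))],
                 "out": [(100, "allow", (1024, 65535))]}


class SecurityGroup:
    """Stateful: an allowed connection is remembered, and its return packets
    are allowed without consulting the rules for the other direction."""

    def __init__(self, rules):
        self.rules = rules
        self.flows = set()                   # connection-tracking table

    def check(self, pkt):
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "allow"                   # return traffic of a tracked flow
        if pkt.dport in self.rules[pkt.direction]:
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        return "deny"                        # implicit deny; SGs have no deny rules


class NetworkAcl:
    """Stateless: every packet, reply traffic included, must match an allow
    rule in its own direction."""

    def __init__(self, rules):
        self.rules = rules

    def check(self, pkt):
        for _number, action, (low, high) in sorted(self.rules[pkt.direction]):
            if low <= pkt.dport <= high:
                return action                # first match wins
        return "deny"                        # the trailing '*' rule


def https_exchange(filt):
    """Run one request/reply pair through a filter; return (request, reply) verdicts."""
    request = Packet("203.0.113.10", 51000, "10.0.1.5", 443, "in")
    reply = Packet("10.0.1.5", 443, "203.0.113.10", 51000, "out")
    return filt.check(request), filt.check(reply)


if __name__ == "__main__":
    print("security group:           ", https_exchange(SecurityGroup(SG_RULES)))        # ('allow', 'allow')
    print("NACL without ephemeral:   ", https_exchange(NetworkAcl(NACL_NO_EPHEMERAL)))  # ('allow', 'deny')
    print("NACL with ephemeral:      ", https_exchange(NetworkAcl(NACL_OK)))            # ('allow', 'allow')
    print("NACL deny at lower number:", https_exchange(NetworkAcl(NACL_ORDERING)))      # ('deny', 'allow')
```

The missing outbound rule for ports 1024-65535 on a custom network ACL is the usual cause of “the security group allows it but connections hang”: the SYN gets in, the SYN-ACK is dropped on the way out.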

### VPC Peering

**VPC Peering** connects two VPCs (in the same or different Regions and accounts) so they can route traffic to each other privately over the AWS backbone, never across the public internet.

Peering is commonly used to replicate data between geographic Regions.

Peering is not transitive: if A is peered with B and B with C, A still cannot reach C without its own peering connection.

## Processes

### Regions

Regions are geographically distinct groups of datacenters. Service prices and availability can vary per region depending on what physical hardware AWS has set up.

Regions contain multiple **Availability Zones**. AZs are close enough to each other to have low latency but far enough apart to reduce the chance that one disaster affects more than one of them.

Plan for failure and deploy your application to multiple instances across multiple availability zones.

Amazon CloudFront can store cached copies of your static content in **Edge Locations** to increase customer access speed.

### AWS Well-Architected

Well-Architected is a framework and AWS Console tool that can help customers operate with best practices.

The pillars of the Well-Architected framework are (a sixth, **Sustainability**, was added in late 2021)

* **Operational Excellence** pillar: run and monitor systems to deliver business value and continually improve processes and procedures (operations as code, frequent small reversible changes, learning from failures)

* **Security** pillar: protect information and systems with a strong identity foundation, traceability, defense in depth, data protection in transit and at rest, and automation wherever possible

* **Reliability** pillar: ensure a workload performs its intended function correctly and consistently, recovers from failures, and scales to meet demand

* **Performance Efficiency** pillar: use computing resources efficiently to meet requirements, and keep doing so as demand and technology change

* **Cost Optimization** pillar: avoid unnecessary costs by understanding and controlling where money is spent and choosing the most appropriate type and number of resources.

When building cloud-based systems you want to

* build loosely-coupled components

* assume everything will fail

A **monolithic application** would be made with tightly coupled components. If a single component fails, so does the entire application.

With a **microservices** approach, components are loosely coupled and if a single component fails, the rest of them continue to work.

### Right-Sizing

Right-sizing means selecting the best services and infrastructure that will run your environment for the lowest cost. It sounds like a no-brainer but matching instance types and sizes to your workload and capacity requirements is often overlooked.

It’s also looking at deployed resources and asking what can we eliminate and downsize without compromising capacity or other requirements.

### Shared Responsibility Model

* AWS assumes responsibility of **Security of the Cloud**

This means that AWS protects the infrastructure that runs the services.

* Customer assumes responsibility of **Security in the Cloud**

This means that the customer is responsible for what they put in and do with the services. The depth of this depends on the service: for EC2 the customer is responsible for guest OS patching, installed software, and security group rules, while for a managed database like Aurora the customer is responsible for network rules, IAM, and the data (users, encryption settings) but not for patching the database engine or the underlying host.

### Multi-factor Authentication

Forces people to verify their identity with multiple separate pieces of information. Often this is a password plus a one-time code from an authenticator app, a hardware token, or (weakest) SMS or email.

### AWS Organizations

Help organize multiple AWS accounts for the same company. AWS accounts are free and disposable so separating divisions, teams, projects, and more into their own AWS account is a good idea.

Organizations lets you centrally control permissions for accounts in your org using **Service Control Policies (SCPs)**. These place restrictions on the AWS services, resources, and API actions that users and roles in member accounts can use. An SCP never grants permissions by itself: it is a ceiling, and a principal still needs an IAM policy that allows the action. SCPs do not apply to the management account.

You can drill down and group accounts into **Organizational Units (OUs)** to manage similar accounts. OUs can be assigned policies to block AWS services that don’t meet certain regulatory requirements. OUs can only have a single parent.
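How an SCP ceiling combines with identity policies, as an added example serving both the IAM section above and the SCP paragraph here (not part of the original notes). It is a small evaluator for the IAM policy language that follows the documented decision order for a same-account request by a non-root principal: an explicit Deny in any applicable policy wins, the SCP must allow the action, then an identity policy must allow it, and anything else is an implicit deny. Conditions, NotAction/NotResource, resource policies, and permission boundaries are not modelled; the policies and ARNs are constructed samples.

```python
"""Added example (not from the original notes), serving both the IAM section
and the Organizations/SCP paragraph: a small evaluator for the IAM policy
language. Decision order modelled for a non-root principal in a member
account: explicit Deny anywhere wins; an SCP must allow (SCPs only set a
ceiling, they never grant); then an identity policy must allow; otherwise
implicit deny. Conditions, NotAction/NotResource, resource policies and
permission boundaries are not modelled. Policies and ARNs are constructed.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _statement_applies(stmt, action, resource):
    """Action matching is case-insensitive with '*' wildcards; resource ARNs
    are matched case-sensitively."""
    actions = [a.lower() for a in _as_list(stmt["Action"])]
    resources = _as_list(stmt.get("Resource", "*"))
    return (any(fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatchcase(resource, r) for r in resources))


def decide(policies, action, resource):
    """Evaluate one set of policies: 'Allow', 'ExplicitDeny' or 'ImplicitDeny'."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if _statement_applies(stmt, action, resource):
                if stmt["Effect"] == "Deny":
                    return "ExplicitDeny"          # deny wins, stop immediately
                allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def authorize(action, resource, identity_policies, scps=()):
    """Final decision for a principal in a member account (SCPs do not apply
    to principals in the management account)."""
    if scps:
        verdict = decide(scps, action, resource)
        if verdict != "Allow":
            return f"Deny (SCP {verdict})"        # SCP deny or SCP silence
    verdict = decide(identity_policies, action, resource)
    return "Allow" if verdict == "Allow" else f"Deny ({verdict})"


# Identity policy for a developer group: broad S3, read-only EC2, and a guard
# rail that forbids deleting production buckets even though s3:* allows it.
DEVELOPER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "arn:aws:s3:::prod-*"},
]}
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
]}
# SCP on the OU: FullAWSAccess plus a deny that even account admins cannot undo.
OU_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
     "Resource": "*"},
]}
# A restrictive SCP that lists only what is allowed: everything else is blocked
# by SCP silence, regardless of identity policies.
S3_ONLY_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
]}

TRAIL = "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail"   # constructed ARN

if __name__ == "__main__":
    print(authorize("s3:GetObject", "arn:aws:s3:::prod-logs/app.log", [DEVELOPER_POLICY], [OU_SCP]))
    print(authorize("s3:DeleteBucket", "arn:aws:s3:::prod-logs", [DEVELOPER_POLICY], [OU_SCP]))
    print(authorize("ec2:RunInstances", "*", [DEVELOPER_POLICY], [OU_SCP]))
    print(authorize("cloudtrail:StopLogging", TRAIL, [ADMIN_POLICY]))
    print(authorize("cloudtrail:StopLogging", TRAIL, [ADMIN_POLICY], [OU_SCP]))
    print(authorize("ec2:DescribeInstances", "*", [ADMIN_POLICY], [S3_ONLY_SCP]))
```

The last two calls are the point of SCPs: an account administrator with `*:*` can still not stop the organization trail while `OU_SCP` is attached to the OU, and under `S3_ONLY_SCP` the same administrator cannot even list EC2 instances because the SCP never mentions EC2.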

### Compliance Reports

**AWS Artifact Agreements** let you sign agreements with AWS regarding use of certain types of information throughout AWS services.

**AWS Artifact Reports** provide compliance reports from third-party auditors (SOC, PCI, ISO, and so on). These demonstrate that AWS itself complies with those standards, which covers the “security of the cloud” half of the shared responsibility model, not your own configuration.

### Penetration Testing

The **AWS Customer Support Policy for Penetration Testing** says that customers may carry out security assessments or penetration tests against their own AWS infrastructure without prior approval for EC2 instances, NAT Gateways, ELBs, “and other 7 services”. It still has limits: DoS/DDoS simulation, port/protocol/request flooding, and DNS zone walking via Route 53 hosted zones are prohibited, and testing must stay within resources the customer owns.

## Theory

Benefits of the cloud

* Trade upfront expense for variable expense

* Benefit from massive economies at scale

* Stop guessing capacity

* Increase speed and agility

* Stop spending money running and maintaining data centers

* Go global in minutes

### AWS Cloud Adoption Framework (CAF)

CAF has 6 areas of focus, called Perspectives

* **Business Perspective**: ensures IT aligns with business needs and investments link to key business results

* **People Perspective**: supports organization-wide change management strategy for cloud adoption

* **Governance Perspective**: focuses on the skills and processes needed to align IT strategy with business strategy and get the most business value from cloud investments

* **Platform Perspective**: patterns for migrating and implementing new solutions on the cloud

* **Security Perspective**: ensures that organization meets security objectives

* **Operations Perspective**: defines how day-to-day, quarter-to-quarter, and year-to-year business is conducted

There are 6 strategies for migrating to the cloud

1. **Rehosting**: moving applications without changing

2. **Replatforming**: make a few cloud optimizations and move

3. **Refactoring/re-architecting**: reimagining how application is architected using cloud-native features

4. **Repurchasing**: moving from traditional license to a software-as-a-service model

5. **Retaining**: keeping mission-critical applications in the source environment

6. **Retiring**: removing applications that are no longer needed

## Pricing

With AWS you pay for what you use.

Some services have a reservation system. There are also some volume-based discounts.

AWS Free Tier has a few different options, Always Free, 12 Months Free, and Trials.

The 12 Months Free offers give additional free usage for the 12 months after you first sign up.

### AWS Pricing Calculator

The Pricing Calculator lets you explore services and their prices in a way that lets you set basic use cases to match your situation.

### AWS Billing & Cost Management Dashboard

Monitor and analyze your costs

### Consolidated Billing

Consolidate billing from multiple accounts using AWS Organizations.

Using this you can share bulk discount pricing, Savings Plans, and Reserved Instances across your organization.

## Support Plans

AWS offers multiple support plans

* **Basic**: free for all customers. Includes access to whitepapers and documentation. You can also contact AWS for billing questions and service limit increases. A limited selection of Trusted Advisor checks is accessible.

* **Developer**: additionally lets you open an unlimited number of support cases, with best-practice guidance and building-block architecture support.

* **Business**: use-case-specific guidance and all Trusted Advisor checks. Limited support for third-party software.

* **Enterprise**: application architecture guidance and a consultative relationship, with a Technical Account Manager and infrastructure event management.

### Trusted Advisor

Has multiple categories:

* **Security**: checks to help review permissions

* **Cost Optimization**: checks for unused or idle resources

* **Fault Tolerance**: checks to help you improve your applications’ availability and reliability

* **Performance**: checks for service limits and over-utilized instances

* **Service Quotas/Limits**: the maximum number of service resources or operations that can apply to an account or Region

### Technical Account Manager

With an Enterprise support plan you get a Technical Account Manager that is your primary point of contact.

They can provide expertise across the full range of AWS services and help design solutions to match your use-case.