Six advantages and benefits of cloud computing

● trade capital expense for variable expense

● benefit from massive economies of scale
● stop guessing capacity
● increase speed and agility
● stop spending money on running and maintaining data centers
● go global in minutes

Types of cloud computing

● SaaS: software as a service (Recognition)
● PaaS: platform as a service (Elastic Beanstalk)
● IaaS: infrastructure as a service (EC2)

AWS global infrastructure

● regions: physical location in the world with multiple availability zones
○ every region is physically isolated from and independent of every other region in
terms of location, power, water supply
○ each region has usually 3, min is 2, max is 6 Azs
○ not all services are available in every region
○ US-EAST-1 is the region where you see all your billing information
 ● availability zones: one or more discrete data centers
○ AZs are represented by a region code, followed by a letter identifier: US-EAST-
1a
○ Multi-AZ: distributing your instances across multiple AZs allows failover
configuration for handling requests when one goes down
○ < 10ms latency between AZs
● edge location: datacenter owned by a trusted partner of AWS
○ get data fast or upload data fast to AWS
○ the locations serve requests for CloudFront and Route 53. Requests going to
either of these services will be routed to the nearest edge location automatically
○ S3 Transfer Acceleration traffic and API Gateway endpoint traffic also use the
AWS Edge Network
○ this allows for low latency no matter where the end user is geographically located

GovCloud
● AWS GovCloud Regions allow customers to host sensitive Controlled Unclassified
Information and other types of regulated workloads
● GovCloud Regions are only operated by employees who are US citizens, on US soil
● They are only accessible to US entities and root account holders who pass a screening
process

IAM – Identity and Access Management

● Root account created by default, shouldn’t be used or shared
● In AWS you apply the least privilege principle
● Use Access Keys for Programmatic Access (CLI / SDK)
● To access AWS, you have three options:
○ AWS Management Console (protected by password + MFA)
○ AWS Command Line Interface (CLI): protected by access keys
○ AWS Software Developer Kit (SDK) - for code: protected by access keys

AWS Trusted Advisor

● advise you on security, saving money, performance, service limits and fault tolerance
● Cost Optimization
○ idle load balancers
○ unassociated elastic IP addresses
● Performance
○ high utilization Amazon EC2 instances
● Security
○ MFA on Root Account
○ IAM access key rotation
○ S3 bucket policy for public access
● Fault Tolerance
○ Amazon RDS backups
○ EBS snapshots
 ● Service Limits
○ VPC

AWS Support Plans

● Basic
○ email support only for billing and account
○ 7 trusted advisor checks
● Developer
○ tech support via email ~24 hours until reply
○ no third party support
○ general guidance < 24 hours
○ system impaired < 12 hours
○ 7 trusted advisor checks
● Business
○ tech support via email ~24 hours until reply
○ tech support via chat, phone anytime 24/7
○ general guidance < 24 hours
○ system impaired < 12 hours
○ production system impaired < 4 hours
○ production system down < 1 hours
○ all trusted advisor checks
○ Access to Infrastructure Event Management for additional fee.
● Enterprise
○ all that Business has
○ business-critical system down < 15 minutes
○ provides access to online training with self-paced labs
○ Infrastructure Event Management, Well-Architected & Operations Reviews
○ Concierge Support Team (for billing and account best practices)
○ TAM (Technical Account Manager)

AWS Marketplace
● a curated digital catalogue with thousands of software listings from independent software
vendors
● easily find, buy, test, and deploy software that already runs on AWS
● the product can be free to use or can have an associated charge
● products can be offered as
○ Amazon Machine Images (AMIs)
○ AWS CloudFormation templates
○ Software as a service (SaaS) offerings
○ Web ACL
○ AWS WAF rules

AWS Cost Explorer

● let you visualize, understand, and manage your AWS costs and usage over time
AWS Budgets
● plan your service usage, service costs and instance reservations
● first two budges are free
● each budgets is $0.02 per day ~ 0.60 USD/mo 20,000 budgets limit
● give you the ability to setup alerts if you exceed or are approaching your defined budget
● create Cost, Usage or Reservation budgets
● can be tracked at the monthly, quarterly, or yearly levels, with customizable start and
end dates
● alerts support EC2, RDS, Redshift, and ElastiCache reservations

TCO Calculator
● Total Cost of Ownership
● estimate how much you would save when moving to AWS from on-premise

Organizations and Accounts

● Organizations
○ Consolidated Billing across all accounts - single payment method
○ Pricing benefits from aggregated usage (volume discount for EC2, S3…)批量使
用折扣
○ Pooling of Reserved EC2 instances for optimal savings 合并
● Root Account User
● Allows to manage multiple AWS accounts
● Organization Units & Service Control Policies: Does not apply to the Master Account

AWS Networking
● VPC: private network to deploy your resources(regional resource)
● Subnets
○ a logical partition of an IP network into multiple, smaller network segments
● Internet Gateway
○ enable access to the internet
● NAT Gateways (AWS-managed) & NAT Instances (self-managed) allow your instances
in your Private Subnets to access the internet while remaining private
● NACLs
○ acts as a firewall at the subnet level
○ can have allow and deny rules
● Security Groups
○ acts as firewall at the EC2 instance level
○ Allow rules only
● Route Tables: To define access to the internet and between
subnets
● VPC Peering: Connect two VPC, privately using AWS’ network
 ● VPC Endpoints: Endpoints allow you to connect to AWS Services using a private
network instead of the public www network

● Direct Connect
○ Takes at least a month to establish
○ Goes over a private Network
● Site-to-site VPN: automatically encrypted/goes over public network

Database Services
● RDS
○ Relational Database Service
○ support multiple engines
● DynamoDB
○ NoSQL key/value database
○ fully managed/serverless
○ DynamoDB Accelerator - DAX
● DocumentDB: “AWS-implementation” of MongoDB
● Aurora: “AWS-implementation” of PostgreSQL / MySQL
○ MySQL (5x faster) and PSQL (3x faster) database fully managed
● Redshift
○ Columnar database, petabype warehouse (1pb = 1000 tb)
○ OLAP – online analytical processing (analytics and data warehousing/BI tools
apply)
● ElastiCache
○ In-memory database
○ Helps reduce load off databases for read intensive workloads
○ Redis, or Memcached database
○ a web service that makes it easy to deploy, operate, and scale an in-memory
data store or cache in the cloud
● Athena
○ Use to query data in S3
○ one-time SQL queries, serverless queries on S3, log analytics
● Neptune
○ Managed Graph Database
● EMR: Elastic MapReduce
○ Handoop clusters (Big Data)
○ The clusters can be made of hundreds of EC2 instances
● Amazon QLDB: Quantum Ledger Database
○ Review history of all the changes made to your application data over time
○ Immutable system: no entry can be removed or modified, cryptographically
verifiable
● Amazon Managed Blockchain
○ Decentralization
 ○ Hyperledger Fabric & Ethereum
● QuickSight
○ Serverless machine learning-powered business intelligence service to
create interactive dashboards
● Glue
○ extract, transform, and load (ETL)
○ serverless
● DMS – Database Migration Service

Deployment Services
● Elastic Beanstalk(PaaS)
○ service for deploying and scaling web applications and services developed with
Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker
○ Health Monitor
● CloudFormation
○ infrastructure as code, JSON or YAML
AWS CodePipeline
● Code => Build => Test => Provision => Deploy

AWS CodeCommit
● fully-managed source control service
● store code in a repository, using the Git technology
AWS CodeBuild
● a fully managed(serverless) primarily compiles source code and runs unit tests with
the output being artifacts that will be ready for deployment
AWS CodeDeploy
● Depoly application automatically
● Deploy code consistently with a known architecture: ex, ALB + EC2 + RDS
AWS CodeArtifact
● Dependencies (npm, yarn)
AWS CodeStar
● Unified UI to easily manage software development activities in one place
AWS Cloud9
● AWS Cloud9 is a cloud-based integrated development environment (IDE)
● AWS Cloud9 also allows for code collaboration in real-time (pair programming)
AWS System Manager(SSM)
 ● Hybrid service
● Patching automation for enhanced compliance
● Run commands across an entire fleet of servers
● Store parameter configuration with the SSM Parameter Store
AWS OpsWorks
● Chef and Puppet. Chef and Puppet are automation platforms that allow you to use code
to automate the configurations of your servers. OpsWorks lets you use Chef and Puppet
to automate how servers are configured, deployed, and managed across your Amazon
EC2 instances or on-premises compute environments.

AWS Computing
EC2: Elastic Compute Cloud, highly configurable server eg. CPU, memory, network, OS
AWS AMI: customization of an EC2 instance
○ ECS: Elastic Container Service: run Docker images on EC2
■ Docker as a Service
■ You must provision & maintain the infrastructure
○ Fargate
■ Run Docker containers without provisioning the infrastructure
■ serverless

○ ECR(Elastic Container Registry)

■ where you store your Docker images so they can be run by ECS or
Fargate
○ API Gateway: expose Lambda functions as HTTP API
■ serverless
■ Fully managed service for developers to easily create, publish, maintain,
monitor, and secure APIs
○ Lambda
■ serverless
■ Function as s Service
■ Event-Driven: functions get invoked by AWS when needed
■ pay per calls and duration
 ■ Easy monitor by CloudWatch
○ AWS Batch
■ Fully managed batch processing at any scale
■ Batch will dynamically launch EC2 instances or Spot Instances
■ Batch jobs are defined as Docker images and run on ECS
○ AWS LightSail: predictable & low pricing for simple application & DB stacks

Storage Services
● EBS: Elastic Block Storage
○ Network drive attached to EC2 instances
○ It’s locked to an Availability Zone (AZ). To move a volume across, you first need
to snapshot it
○ when you create an EBS volume in an Availability Zone, it is automatically
replicated within that zone to prevent data loss due to failure of any single
hardware component
● S3: Simple Storage Service
○ Store objects in buckets
○ globally unique name (across all regions all accounts)
○ Encryption: encrypt objects in Amazon S3 using encryption keys
● S3 Storage Classes
○ Amazon S3 Standard - General Purpose
 frequently accessed data
 Big Data analytics, mobile & gaming applications, content distribution
○ Amazon S3 Standard-Infrequent Access (IA)
 less frequently accessed, but requires rapid access when needed
 Lower cost compared to Amazon S3 Standard, but retrieval fee
 Use Cases: As a data store for disaster recovery, backups
○ Amazon S3 Intelligent Tiering
 Cost-optimized by automatically moving objects between two access tiers
(Frequent access/Infrequent Access) based on changing access patterns
 Resilient against events that impact an entire Availability Zone
○ Amazon S3 One Zone-Infrequent Access
 data is stored in a single AZ
 Use Cases: Storing secondary backup copies of on-premise data, or
storing data you can recreate
○ Amazon Glacier & Amazon Glacier Deep Archive(cheapest)
 Low-cost object storage/ longer term
 Various retrieval options of time + fees for retrieval
● Storage Gateway
○ Hybrid storage service to allow on-premises to seamlessly use the AWS Cloud
○ File Gateway, Volume Gateway, Tape Gateway
● EFS: Elastic File Storage
○ file storage mountable to multiple EC2 instances at the same time
● Snowball
 ○ Snowball Edge: move TBs or PBs of data in or out of AWS
 Snowball Edge Storage Optimized
 Snowball Edge Compute Optimized
○ Snowcone: Small, portable computing, anywhere, rugged&secure, withstands
harsh environments
 8 TBs of usable storage
 Edge Computing
○ Snowmobile
■ shipping container, pulled by a semi-trailer truck (100 PB)

EC2 pricing – Cheat Sheet

● EC2 has 4 pricing models On-Demand, Spot, Reserved Instances (RI) and Dedicated
● On-Demand (least commitment)
○ Has the highest cost but no upfront payment
○ Linux - billing per second, after the first minute/ All other operating systems (ex:
Windows) - billing per hour
○ Use case: short-term, spiky, unpredictable workloads, first time apps
○ ideal when your workloads cannot be interrupted
● Reserved Instances up to 75% off (best long-term value)
○ Use case: steady state or predictable usage(database)
○ can resell unused reserved instances (reserved instance marketplace)
○ Payment Terms: 1 year or 3 years
○ Payment Options: All Upfront, Partial Upfront, and No Upfront
○ Class Offerings
■ Standard: up to 75% reduced pricing compared to on-demand. Cannot
change RI attributes
■ Convertible: up to 45% reduced pricing can change the EC2 instance
type.
■ Scheduled: you reserve instances for specific time periods, eg. once a
week for a few hours. Savings vary
● Spot pricing up to 90% off (MOST cost-efficient)
○ request spare computing capacity
○ use case:
■ can handle interruptions (server randomly stopping and starting)
■ for non-critical background jobs(Data analysis/Image Processing)
■ flexible start and end times
○ instances can be terminated by AWS at anytime
○ if your instance is terminated by AWS, you don't get charged for a partial hour of
usage
○ if you terminate an instance you will still be charged for any hour it ran
● Dedicated Hosting (most expensive/3 years)
○ help you address compliance requirements and reduce costs by allowing you to
use your existing server-bound software licenses.
○ can be on-demand or reserved (up to 70% off)
 ○ May share hardware with other instances in same account
○ use case
■ when you need a guarantee of isolate hardware (enterprise requirements)

Free Services
● certain services are free themselves, but the resources they setup will cost you
○ IAM - identity access management
○ Amazon VPC
○ Organizations & Consolidated Billing
○ AWS Cost Explorer
○ services are free, but they can provision AWS services which cost money
■ Auto Scaling
■ CloudFormation
■ Elastic Beanstalk
■ Opsworks
■ Amplify
■ AppSync
■ CodeStar
Logging Services
● CloudTrail
○ logs all API calls (SDK, CLI) between AWS services (who we can blame)
■ who created this bucket
■ who spun up that expensive EC2 instance
■ who launched the SageMaker Notebook
○ detect developer misconfiguration
○ detect malicious actors
○ automate responses
● CloudWatch: a collection of multiple services
○ CloudWatch Logs
■ performance data about AWS Services
■ CPU utilization, memory, network
■ application logs
■ lambda logs
○ CloudWatch Metrics
■ represent a time-ordered set of data points
■ a variable to monitor
○ CloudWatch Events
■ trigger an event based on a condition
■ eg. every hour take a snapshot of server
○ CloudWatch Alarms
■ trigger notifications based on metrics
○ CloudWatch Dashboard
■ create visualizations based on metrics
Shared Responsibility Model
● customers are responsible for security in the Cloud
○ data
○ configuration
● AWs is responsible for security of the Cloud
○ hardware
○ operation of managed services
○ global infrastructure
● Shared controls:
○ Patch Management, Configuration Management, Awareness & Training

Security & Compliance Section

Artifact
● Portal that provides customers with on-demand access to AWS compliance
documentation and AWS agreements
● support internal audit or compliance

Amazon Inspector
● Automated Security Assessments for EC2 instances
Inspector vs Trusted Advisor
● both are security tools and both perform audits
● Inspector
○ audit a single EC2 instance that you've selected
○ generate a report form a long list of security checks
● Trusted Advisor
○ don't generate a PDF report
○ give you a holistic view of recommendations across multiple services and best
practices
Artifact vs Inspector
● both compile out PDFs
● Artifact
○ why should an enterprise trust AWS
○ generate a security report that's based on global compliance frameworks
● Inspector
○ how do we know this EC2 instance is secure
○ run a script that analyzes your EC2 instance, then generate a PDF report telling
you which security checks passed
○ audit tool for security of EC2 instances
AWS X-Ray
● AWS X-Ray helps developers analyze and debug production, distributed applications
● trace requests made through your distributed applications
AWS WAF
 ● Web Application Firewall
○ protect your web applications from common web exploits (Layer 7)
○ write your own rules to ALLOW or DENY traffic based on the contents of an
HTTP requests
○ use a ruleset from a trusted AWS security partner in the AWS WAF Rules
Marketplace
○ WAF can be attached to either CloudFront or an Application Load Balancer
● WAF includes Shield

AWS Shield Standard

● a DDoS protection service, for all customers at no additional costs
● when you route your traffic through Route53 or CloudFront, your are using AWS Shield
Standard
● protect you against Layer 3, 4 attacks
○ 4 transport
○ 3 network
AWS Shield Advanced
○ 24x7 access to DDoS experts for complex cases
○ available on
■ Route 53
■ CloudFront
■ ELB
■ Global Accelerator
■ Elastic IP

Penetration Testing
● PenTesting
○ an authorized simulated cyberattack on a computer system
○ performed to evaluate the security of the system
● we can perform PenTesting on AWS
● permitted services
○ EC2 intances, NAT gateways, and ELB
○ RDS
○ CloudFront
○ Aurora
○ API gateways
○ Lambda and Lambda@Edge functions
○ Lightsail resources
○ Elastic Beanstalk environments
● for some simulated events, you need to submit a request to AWS. A replay could take up
to 7 days
GuardDuty
● a threat detection service that continuously monitors for malicious, suspicious activity
and unauthorized behavior
 ● it uses Machine Learning to analyze the following AWS logs
○ CloudTrail logs
○ VPC flow logs
○ DNS logs
● Can setup CloudWatch Events to Lambda and SNS
AWS CLoudHSM: Hardware Security Module
● AWS provisions encryption hardware
Key Management Service
● AWS manages the encryption keys for us

Amazon Secrets Manager

● Secrets are encrypted using KMS
● force rotation of secrets every X days
● Integration with RDS
Amazon Macie
● Use machine learning and pattern matching to discover and protect your sensitive
data
● Can integrate with CloudWatch Event
Amazon Detective
● analyzes, investigates, and quickly identifies the root cause of security issues or
suspicious activities (using ML and graphs)
Root user privileges
• Change account settings (account name, email address, root user password,
root user access keys)
• View certain tax invoices
• Close your AWS account
• Restore IAM user permissions
• Change or cancel your AWS Support plan
• Register as a seller in the Reserved Instance Marketplace
• Configure an Amazon S3 bucket to enable MFA
• Edit or delete an Amazon S3 bucket policy that includes an invalid VPC ID or VPC
endpoint ID
 • Sign up for GovCloud
AWS Config
● used to audit and monitor configuration changes
● record configurations and changes over time
Security Groups vs NACLs
● security groups
○ act as a firewall at the instance level
○ implicitly deny all traffic, you create allow rules
○ eg.
■ allow an EC2 instance access on port 22 for SSH
● NACLs
○ Network Access Control Lists
○ act as a firewall at the subnet level
○ you create allow and deny rules
○ eg.
■ block a specific IP address known for abuse

Global Services
Amazon Route53
● Amazon Route 53 is Managed DNS (Domain Name System)
● CloudFront: Content Delivery Network
○ Improves read performance, content is cached at the edge
○ DDoS protection (because worldwide), integration with Shield, AWS Web
Application Firewall
● S3 Transfer Acceleration: Increase transfer speed by transferring file to an AWS edge
location which will forward the data to the S3 bucket in the target region
● AWS Global Accelerator: Improve global application availability and performance using
the AWS global network
SNS vs SQS
● both connect apps via messages
● SNS
○ pass along messages
○ send notifications to subscribers of topics via multiple protocol (HTTP, email,
SQS, SMS)
○ is generally used for sending plain text emails, which is triggered via other AWS
services
○ can retry sending in case of failure for HTTPS
● SQS
○ queue up messages
○ guaranteed delivery
○ place messages into a queue
○ applications pull queue using AWS SDK
○ can retain a message for up to 14 days
○ can send them in sequential order or in parallel
○ can ensure only one message is sent
○ can ensure messages are delivered at least once

Advanced Identity Section

AWS Cognito
● Identity for your Web and Mobile applications users (potentially millions)
AWS Directory Service
● AWS Directory Service for Microsoft Active Directory, also known as AWS Managed
Microsoft AD, enables your directory-aware workloads and AWS resources to use
managed Active Directory in the AWS Cloud.
AWS Single Sign-On (SSO): Centrally manage Single Sign-On to access multiple accounts
and 3rd-party business

Well Architected Framework-5 Pillars

• 1) Operational Excellence
• 2) Security
• 3) Reliability
• 4) Performance Efficiency
• 5) Cost Optimization

Reservation models for other AWS services

• Amazon RDS reserved DB instances.
• Amazon ElastiCache reserved nodes.
• Amazon Elasticsearch Service Reserved Instances.
• Amazon Redshift reserved nodes.
• Amazon DynamoDB reservations.

You can remove an account from your organization only if the account has the information that
is required for it to operate as a standalone account. 

Which AWS services are encrypted by default?

By default, all data stored by AWS Storage Gateway in S3 is encrypted server-side
with Amazon S3-Managed Encryption Keys (SSE-S3). Also, you can optionally
configure different gateway types to encrypt stored data with AWS Key Management
Service (KMS) via the Storage Gateway API.

https://aws.amazon.com/cn/serverless/
data transfer between S3 and EC2 instances within the same region is not charged

add ssm function

APN Technology Partner - APN Technology Partners provide hardware, connectivity

services, or software solutions that are either hosted on or integrated with, the AWS
Cloud. APN Technology Partners cannot help in migrating to AWS and managing
applications on AWS Cloud.
AWS Trusted Advisor - AWS Trusted Advisor is an online tool that provides you real-
time guidance to help you provision your resources following AWS best practices on
cost optimization, security, fault tolerance, service limits, and performance improvement.
Whether establishing new workflows, developing applications, or as part of ongoing
improvement, recommendations provided by Trusted Advisor regularly help keep your
solutions provisioned optimally. All AWS customers get access to the seven core Trusted
Advisor checks to help increase the security and performance of the AWS environment.
Trusted Advisor cannot be used to migrate to AWS and manage applications on AWS
Cloud.
Concierge Support Team - The Concierge Support Team are AWS billing and account
experts that specialize in working with enterprise accounts. They will quickly and
efficiently assist you with your billing and account inquiries. The Concierge Support
Team is only available for the Enterprise Support plan. Concierge Support Team cannot
help in migrating to AWS and managing applications on AWS Cloud.

The following AWS services support reservations to optimize costs:

Amazon EC2 Reserved Instances: You can use Amazon EC2 Reserved Instances to
reserve capacity and receive a discount on your instance usage compared to running
On-Demand instances.

Amazon DynamoDB Reserved Capacity: If you can predict your need for Amazon
DynamoDB read-and-write throughput, Reserved Capacity offers significant savings over
the normal price of DynamoDB provisioned throughput capacity.

Amazon ElastiCache Reserved Nodes: Amazon ElastiCache Reserved Nodes give you the
option to make a low, one-time payment for each cache node you want to reserve and,
in turn, receive a significant discount on the hourly charge for that node.

Amazon RDS RIs: Like Amazon EC2 RIs, Amazon RDS RIs can be purchased using No
Upfront, Partial Upfront, or All Upfront terms. All Reserved Instance types are available
for Aurora, MySQL, MariaDB, PostgreSQL, Oracle, and SQL Server database engines.
Amazon Redshift Reserved Nodes: If you intend to keep an Amazon Redshift cluster
running continuously for a prolonged period, you should consider purchasing reserved-
node offerings. These offerings provide significant savings over on-demand pricing, but
they require you to reserve compute nodes and commit to paying for those nodes for
either a 1- or 3-year duration.

Exam Alert:

You may see use-cases asking you to select one of CloudWatch vs CloudTrail vs Config.
Just remember this thumb rule -

Think resource performance monitoring, events, and alerts; think CloudWatch.

Think account-specific activity and audit; think CloudTrail.

Think resource-specific change history, audit, and compliance; think Config.

Add instance store: An instance store provides temporary block-level storage for your instance.
This storage is located on disks that are physically attached to the host computer. This is a good
option when you need storage with very low latency, but you don't need the data to persist
when the instance terminates or you can take advantage of fault-tolerant architectures. For this
use-case, the computation application itself has a fault tolerant architecture, so it can
automatically handle any failures of Instance Store volumes.