ING.

GERARDO LEWIS

IT EXPERT

AAI-MCT-MCP-MCSE-MCITP-ACP-ACA

Overview of Amazon
Web Services
AWS
 AMAZON CLOUD PRACTITIONER -ELEV8

Table of Contents
Overview of Amazon Web Services ..................................................... 1
Abstract ....................................................................... 1
Introduction ................................................................... 1
What Is Cloud Computing? ............................................................ 1
Six Advantages of Cloud Computing ................................................... 3
Types of Cloud Computing ............................................................ 3
Cloud Computing Models ......................................................... 4
Infrastructure as a Service (IaaS) ...................................................... 4
Platform as a Service (PaaS) ............................................................ 4
Software as a Service (SaaS) ............................................................ 4
Cloud Computing Deployment Models .............................................. 4
Cloud ................................................................................... 4
Hybrid .................................................................................. 5
On-premises ............................................................................. 5
Global Infrastructure ............................................................... 6
Security and Compliance ............................................................. 6
Security ....................................................................... 6
Benefits of AWS Security ................................................................ 7
Compliance ..................................................................... 7
Amazon Web Services Cloud ........................................................... 9
AWS Management Console ......................................................... 9
AWS Command Line Interface .................................................... 10
Software Development Kits ..................................................... 10
Analytics ..................................................................... 10
Amazon Athena .......................................................................... 10
Amazon CloudSearch ..................................................................... 11
Amazon Elasticsearch Service ........................................................... 11
Amazon EMR ............................................................................. 11
Amazon FinSpace ........................................................................ 11
Amazon Kinesis ......................................................................... 12
Amazon Kinesis Data Firehose ........................................................... 12
Amazon Kinesis Data Analytics .......................................................... 12
Amazon Kinesis Data Streams ............................................................ 13
Amazon Kinesis Video Streams ........................................................... 13
Amazon Redshift ........................................................................ 13
Amazon QuickSight ...................................................................... 13
AWS Data Exchange ...................................................................... 14
AWS Data Pipeline ...................................................................... 14
AWS Glue ............................................................................... 14
AWS Lake Formation ..................................................................... 15
Amazon Managed Streaming for Apache Kafka (Amazon MSK) ................................. 15
Application Integration ....................................................... 16
AWS Step Functions ..................................................................... 16
Amazon AppFlow ......................................................................... 16
Amazon EventBridge ..................................................................... 17
Amazon Managed Workflows for Apache Airflow (MWAA) ..................................... 17
Amazon MQ .............................................................................. 17
Amazon Simple Notification Service ..................................................... 17
Amazon Simple Queue Service ............................................................ 18
Amazon Simple Workflow Service ......................................................... 18
AR and VR ..................................................................... 18
Amazon Sumerian ........................................................................ 18
 AWS CLOUD PRACTITIONER -ELEV8

Blockchain .................................................................... 19
Amazon Managed Blockchain .............................................................. 19
Business Applications .............................................................. 19
Alexa for Business ............................................................ 19
Amazon Chime .................................................................. 20
Amazon SES .................................................................... 20
Amazon WorkDocs ............................................................... 20
Amazon WorkMail ............................................................... 20
Cloud Financial Management ......................................................... 21
AWS Application Cost Profiler ................................................. 21
AWS Cost Explorer ............................................................. 21
AWS Budgets ................................................................... 21
AWS Cost & Usage Report ....................................................... 21
Reserved Instance (RI) Reporting .............................................. 22
Savings Plans ................................................................. 22
Compute Services ................................................................... 22
Amazon EC2 .................................................................... 23
Amazon EC2 Auto Scaling ....................................................... 24
Amazon EC2 Image Builder ...................................................... 24
Amazon Lightsail .............................................................. 24
AWS App Runner ................................................................ 24
AWS Batch ..................................................................... 24
AWS Elastic Beanstalk ......................................................... 25
AWS Fargate ................................................................... 25
AWS Lambda .................................................................... 25
AWS Serverless Application Repository ......................................... 26
AWS Outposts .................................................................. 26
AWS Wavelength ................................................................ 26
VMware Cloud on AWS ........................................................... 27
Contact Center ..................................................................... 27
Amazon Connect ................................................................ 27
Containers ......................................................................... 28
Amazon Elastic Container Registry ............................................. 28
Amazon Elastic Container Service .............................................. 28
Amazon Elastic Kubernetes Service ............................................. 28
AWS App2Container ............................................................. 29
Red Hat OpenShift Service on AWS .............................................. 29
Database ........................................................................... 29
Amazon Aurora ................................................................. 30
Amazon DynamoDB ............................................................... 30
Amazon ElastiCache ............................................................ 30
Amazon Keyspaces (for Apache Cassandra) ....................................... 31
Amazon Neptune ................................................................ 31
Amazon Relational Database Service ............................................ 32
Amazon RDS on VMware .......................................................... 32
Amazon Quantum Ledger Database (QLDB) ......................................... 32
Amazon Timestream ............................................................. 33
Amazon DocumentDB (with MongoDB compatibility) ................................ 34
Developer Tools .................................................................... 34
Amazon Corretto ............................................................... 34
AWS Cloud9 .................................................................... 34
AWS CloudShell ................................................................ 34
AWS CodeArtifact .............................................................. 35
AWS CodeBuild ................................................................. 35

iii
 AMAZON CLOUD PRACTITIONER -ELEV8

AWS CodeCommit ................................................................ 35

AWS CodeDeploy ................................................................ 35
AWS CodePipeline .............................................................. 35
AWS CodeStar .................................................................. 36
AWS Fault Injection Simulator ................................................. 36
AWS X-Ray ..................................................................... 36
End User Computing ................................................................. 37
Amazon AppStream 2.0 .......................................................... 37
Amazon WorkSpaces ............................................................. 37
Amazon WorkLink ............................................................... 37
Front-End Web & Mobile Services .................................................... 38
Amazon Location Service ....................................................... 38
Amazon Pinpoint ............................................................... 38
AWS Amplify ................................................................... 39
AWS Device Farm ............................................................... 39
AWS AppSync ................................................................... 39
Game Tech .......................................................................... 40
Amazon GameLift ............................................................... 40
Amazon Lumberyard ............................................................. 40
Internet of Things (IoT) ........................................................... 40
AWS IoT 1-Click ............................................................... 41
AWS IoT Analytics ............................................................. 41
AWS IoT Button ................................................................ 42
AWS IoT Core .................................................................. 42
AWS IoT Device Defender ....................................................... 42
AWS IoT Device Management ..................................................... 43
AWS IoT Events ................................................................ 43
AWS IoT Greengrass ............................................................ 43
AWS IoT SiteWise .............................................................. 44
AWS IoT Things Graph .......................................................... 44
AWS Partner Device Catalog .................................................... 45
FreeRTOS ...................................................................... 45
Machine Learning ................................................................... 46
Amazon Augmented AI ........................................................... 46
Amazon CodeGuru ............................................................... 46
Amazon Comprehend ............................................................. 47
Amazon DevOps Guru ............................................................ 47
Amazon Elastic Inference ...................................................... 48
Amazon Forecast ............................................................... 48
Amazon Fraud Detector ......................................................... 49
Amazon HealthLake ............................................................. 49
Amazon Kendra ................................................................. 49
Amazon Lex .................................................................... 50
Amazon Lookout for Equipment .................................................. 50
Amazon Lookout for Metrics .................................................... 50
Amazon Lookout for Vision ..................................................... 51
Amazon Monitron ............................................................... 51
Amazon Personalize ............................................................ 51
Amazon Polly .................................................................. 52
Amazon Rekognition ............................................................ 52
Amazon SageMaker .............................................................. 53
Amazon SageMaker Ground Truth ................................................. 53
Amazon Textract ............................................................... 54
Amazon Transcribe ............................................................. 54
 AWS CLOUD PRACTITIONER -ELEV8

Amazon Translate .............................................................. 55

Apache MXNet on AWS ........................................................... 55
AWS Deep Learning AMIs ........................................................ 55
AWS DeepComposer .............................................................. 55
AWS DeepLens .................................................................. 56
AWS DeepRacer ................................................................. 56
AWS Inferentia ................................................................ 56
TensorFlow on AWS ............................................................. 56
Management and Governance .......................................................... 57
Amazon CloudWatch ............................................................. 57
AWS Auto Scaling .............................................................. 57
AWS Chatbot ................................................................... 58
AWS Compute Optimizer ......................................................... 58
AWS Control Tower ............................................................. 58
AWS CloudFormation ............................................................ 59
AWS CloudTrail ................................................................ 59
AWS Config .................................................................... 60
AWS Launch Wizard ............................................................. 60
AWS Organizations ............................................................. 60
AWS OpsWorks .................................................................. 60
AWS Proton .................................................................... 61
AWS Service Catalog ........................................................... 61
AWS Systems Manager ........................................................... 61
AWS Trusted Advisor ........................................................... 63
AWS Personal Health Dashboard ................................................. 63
AWS Managed Services .......................................................... 63
AWS Console Mobile Application ................................................ 63
AWS License Manager ........................................................... 64
AWS Well-Architected Tool ..................................................... 64
Media Services ..................................................................... 64
Amazon Elastic Transcoder ..................................................... 65
Amazon Interactive Video Service .............................................. 65
Amazon Nimble Studio .......................................................... 65
AWS Elemental Appliances & Software ........................................... 65
AWS Elemental MediaConnect .................................................... 65
AWS Elemental MediaConvert .................................................... 66
AWS Elemental MediaLive ....................................................... 66
AWS Elemental MediaPackage .................................................... 66
AWS Elemental MediaStore ...................................................... 67
AWS Elemental MediaTailor ..................................................... 67
Migration and Transfer ............................................................. 67
AWS Application Migration Service ............................................. 67
AWS Migration Hub ............................................................. 68
AWS Application Discovery Service ............................................. 68
AWS Database Migration Service ................................................ 68
AWS Server Migration Service .................................................. 69
AWS Snow Family ............................................................... 69
AWS DataSync .................................................................. 70
AWS Transfer Family ........................................................... 71
Networking and Content Delivery .................................................... 71
Amazon API Gateway ............................................................ 71
Amazon CloudFront ............................................................. 71
Amazon Route 53 ............................................................... 72
Amazon VPC .................................................................... 72

v
 AMAZON CLOUD PRACTITIONER -ELEV8

AWS App Mesh .................................................................. 73

AWS Cloud Map ................................................................. 73
AWS Direct Connect ............................................................ 74
AWS Global Accelerator ........................................................ 74
AWS PrivateLink ............................................................... 75
AWS Transit Gateway ........................................................... 75
AWS VPN ....................................................................... 75
Elastic Load Balancing ........................................................ 75
Quantum Technologies ............................................................... 76
Amazon Braket ................................................................. 76
Robotics ........................................................................... 77
AWS RoboMaker .......................................................................... 77
Satellite ..................................................................... 77
AWS Ground Station ..................................................................... 77
Security, Identity, and Compliance ............................................ 78
Amazon Cognito ......................................................................... 79
Amazon Cloud Directory ................................................................. 79
Amazon Detective ....................................................................... 79
Amazon GuardDuty ....................................................................... 80
Amazon Inspector ....................................................................... 80
Amazon Macie ........................................................................... 81
AWS Artifact ........................................................................... 81
AWS Audit Manager ...................................................................... 81
AWS Certificate Manager ................................................................ 82
AWS CloudHSM ........................................................................... 82
AWS Directory Service .................................................................. 82
AWS Firewall Manager ................................................................... 83
AWS Identity and Access Management ..................................................... 83
AWS Key Management Service ............................................................. 83
AWS Network Firewall ................................................................... 83
AWS Resource Access Manager ............................................................ 84
AWS Secrets Manager .................................................................... 84
AWS Security Hub ....................................................................... 85
AWS Shield ............................................................................. 85
AWS Single Sign-On ..................................................................... 86
AWS WAF ................................................................................ 86
Storage ....................................................................... 86
Amazon Elastic Block Store ............................................................. 87
Amazon Elastic File System ............................................................. 87
Amazon FSx for Lustre .................................................................. 87
Amazon FSx for Windows File Server ..................................................... 88
Amazon Simple Storage Service .......................................................... 88
Amazon S3 Glacier ...................................................................... 88
AWS Backup ............................................................................. 89
AWS Storage Gateway .................................................................... 89
Next Steps ......................................................................... 89
Conclusion .................................................................... 90
Resources .......................................................................... 91
Document Details ......................................... Error! Bookmark not defined.
Contributors ........................................ Error! Bookmark not defined.
Document Revisions .................................. Error! Bookmark not defined.
AWS glossary ....................................................................... 93
 AWS-Elev8 Education

Overview of Amazon Web

Services

Abstract
Amazon Web Services offers a broad set of global cloud-based products including
compute, storage, databases, analytics, networking, mobile, developer tools,
management tools, IoT, security, and enterprise applications: on-demand,
available in seconds, with pay-as-you-go pricing. From data warehousing to
deployment tools, directories to content delivery, over 200 AWS services are
available. New services can be provisioned quickly, without the upfront capital
expense. This allows enterprises, start-ups, small and medium-sized businesses,
and customers in the public sector to access the building blocks they need to
respond quickly to changing business requirements. This whitepaper provides you
with an overview of the benefits of the AWS Cloud and introduces you to the
services that make up the platform.

Introduction
In 2006, Amazon Web Services (AWS) began offering IT infrastructure services to
businesses as web services—now commonly known as cloud computing. One of the key
benefits of cloud computing is the opportunity to replace upfront capital
infrastructure expenses with low variable costs that scale with your business.
With the cloud, businesses no longer need to plan for and procure servers and
other IT infrastructure weeks or months in advance. Instead, they can instantly
spin up hundreds or thousands of servers in minutes and deliver results faster.

Today, AWS provides a highly reliable, scalable, low-cost infrastructure platform

in the cloud that powers hundreds of thousands of businesses in 190 countries
around the world.

What Is Cloud Computing?

Cloud computing is the on-demand delivery of compute power, database, storage,
applications, and other IT resources through a cloud services platform via the
Internet with pay-as-you-go pricing. Whether you are running applications that
share photos to millions of mobile users or you’re supporting the critical
operations of your business, a cloud services platform provides rapid access to
flexible and low-cost IT resources. With cloud computing, you don’t need to make

1
AWS - Elev8 Education
large upfront investments in hardware and spend a lot of time on the heavy
lifting of managing that hardware. Instead, you can provision exactly the right
type and size of computing resources you need to power your newest bright idea
or operate your IT department. You can access as many resources as you need,
almost instantly, and only pay for what you use.

Cloud computing provides a simple way to access servers, storage, databases and a
broad set of application services over the Internet. A cloud services platform
such as Amazon Web Services owns and maintains the network-connected hardware
required for these application services, while you provision and use what you
need via a web application.

2
 AWS-Elev8 Education

Six Advantages of Cloud

Computing
• Trade capital expense for variable expense – Instead of having to invest
heavily in data centers and servers before you know how you’re going to use
them, you can pay only when you consume computing resources, and pay only for
how much you consume.
• Benefit from massive economies of scale – By using cloud computing, you can
achieve a lower variable cost than you can get on your own. Because usage from
hundreds of thousands of customers is aggregated in the cloud, providers such
as AWS can achieve higher economies of scale, which translates into lower pay
as-you-go prices.
• Stop guessing capacity – Eliminate guessing on your infrastructure capacity
needs. When you make a capacity decision prior to deploying an application, you
often end up either sitting on expensive idle resources or dealing with limited
capacity. With cloud computing, these problems go away. You can access as much
or as little capacity as you need, and scale up and down as required with only
a few minutes’ notice.
• Increase speed and agility – In a cloud computing environment, new IT resources
are only a click away, which means that you reduce the time to make those
resources available to your developers from weeks to just minutes. This results
in a dramatic increase in agility for the organization, since the cost and time
it takes to experiment and develop is significantly lower.
• Stop spending money running and maintaining data centers – Focus on projects
that differentiate your business, not the infrastructure. Cloud computing lets
you focus on your own customers, rather than on the heavy lifting of racking,
stacking, and powering servers.
• Go global in minutes – Easily deploy your application in multiple regions
around the world with just a few clicks. This means you can provide lower
latency and a better experience for your customers at minimal cost.
Cloud Computing Models

Types of Cloud Computing

Cloud computing provides developers and IT departments with the ability to focus
on what matters most and avoid undifferentiated work such as procurement,
maintenance, and capacity planning. As cloud computing has grown in popularity,
several different models and deployment strategies have emerged to help meet
specific needs of different users. Each type of cloud service and deployment
method provides you with different levels of control, flexibility, and
management. Understanding the differences between Infrastructure as a Service,
Platform as a Service, and Software as a Service, as well as what deployment

3
AWS - Elev8 Education
strategies you can use, can help you decide what set of services is right for
your needs.

Cloud Computing Models

Infrastructure as a Service (IaaS)
Infrastructure as a Service (IaaS) contains the basic building blocks for cloud
IT and typically provides access to networking features, computers (virtual or
on dedicated hardware), and data storage space. IaaS provides you with the
highest level of flexibility and management control over your IT resources and
is most similar to existing IT resources that many IT departments and developers
are familiar with today.

Platform as a Service (PaaS)

Platform as a Service (PaaS) removes the need for your organization to manage
the underlying infrastructure (usually hardware and operating systems) and
allows you to focus on the deployment and management of your applications. This
helps you be more efficient as you don’t need to worry about resource
procurement, capacity planning, software maintenance, patching, or any of the
other undifferentiated heavy lifting involved in running your application.

Software as a Service (SaaS)

Software as a Service (SaaS) provides you with a completed product that is run
and managed by the service provider. In most cases, people referring to Software
as a Service are referring to end-user applications. With a SaaS offering you do
not have to think about how the service is maintained or how the underlying
infrastructure is managed; you only need to think about how you will use that
particular piece of software. A common example of a SaaS application is web-
based email which you can use to send and receive email without having to manage
feature additions to the email product or maintain the servers and operating
systems that the email program is running on.

Cloud Computing Deployment

Models
Cloud
A cloud-based application is fully deployed in the cloud and all parts of the
application run in the cloud. Applications in the cloud have either been created
in the cloud or have been migrated from an existing infrastructure to take
advantage of the benefits of cloud computing. Cloud-based applications can be
built on low-level infrastructure pieces or can use higher level services that
provide abstraction from the management, architecting, and scaling requirements
of core infrastructure.

4
 Overview of Amazon Web Services AWS Whitepaper

Hybrid

Hybrid
A hybrid deployment is a way to connect infrastructure and applications between
cloud-based resources and existing resources that are not located in the cloud.
The most common method of hybrid deployment is between the cloud and existing
on-premises infrastructure to extend, and grow, an organization's
infrastructure into the cloud while connecting cloud resources to the internal
system. For more information on how AWS can help you with your hybrid
deployment, visit our Hybrid Cloud with AWS page.

On-premises
The deployment of resources on-premises, using virtualization and resource
management tools, is sometimes called the “private cloud.” On-premises
deployment doesn’t provide many of the benefits of cloud computing but is
sometimes sought for its ability to provide dedicated resources. In most cases
this deployment model is the same as legacy IT infrastructure while using
application management and virtualization technologies to try and increase
resource utilization. For more information on how AWS can help, see Use case:
Cloud services on-premises.

5
 Overview of Amazon Web Services AWS Whitepaper

Global Infrastructure
AWS serves over a million active customers in more than 240 countries and
territories. We are steadily expanding global infrastructure to help our
customers achieve lower latency and higher throughput, and to ensure that their
data resides only in the AWS Region they specify. As our customers grow their
businesses, AWS will continue to provide infrastructure that meets their global
requirements.

The AWS Cloud infrastructure is built around AWS Regions and Availability
Zones. An AWS Region is a physical location in the world where we have multiple
Availability Zones. Availability Zones consist of one or more discrete data
centers, each with redundant power, networking, and connectivity, housed in
separate facilities. These Availability Zones offer you the ability to operate
production applications and databases that are more highly available, fault
tolerant, and scalable than would be possible from a single data center. The
AWS Cloud operates in 80 Availability Zones within 25 geographic Regions around
the world, with announced plans for more Availability Zones and Regions. For
more information on the AWS Cloud Availability Zones and AWS Regions, see AWS
Global Infrastructure.

Each Amazon Region is designed to be completely isolated from the other Amazon
Regions. This achieves the greatest possible fault tolerance and stability. Each
Availability Zone is isolated, but the Availability Zones in a Region are
connected through low-latency links. AWS provides you with the flexibility to
place instances and store data within multiple geographic regions as well as
across multiple Availability Zones within each AWS Region. Each Availability
Zone is designed as an independent failure zone. This means that Availability
Zones are physically separated within a typical metropolitan region and are
located in lower risk flood plains (specific flood zone categorization varies by
AWS Region). In addition to discrete uninterruptible power supply (UPS) and
onsite backup generation facilities, data centers located in different
Availability Zones are designed to be supplied by independent substations to
reduce the risk of an event on the power grid impacting more than one
Availability Zone. Availability Zones are all redundantly connected to multiple
tier-1 transit providers.
Security

Security and Compliance

Security
Cloud security at AWS is the highest priority. As an AWS customer, you will
benefit from a data center and network architecture built to meet the
requirements of the most security-sensitive organizations. Security in the cloud
is much like security in your on-premises data centers—only without the costs of
maintaining facilities and hardware. In the cloud, you don’t have to manage

6
 Overview of Amazon Web Services AWS Whitepaper

physical servers or storage devices. Instead, you use software-based security

tools to monitor and protect the flow of information into and out of your cloud
resources.

An advantage of the AWS Cloud is that it allows you to scale and innovate, while
maintaining a secure environment and paying only for the services you use. This
means that you can have the security you need at a lower cost than in an on-
premises environment.

As an AWS customer you inherit all the best practices of AWS policies,
architecture, and operational processes built to satisfy the requirements of our
most security-sensitive customers. Get the flexibility and agility you need in
security controls.

The AWS Cloud enables a shared responsibility model. While AWS manages security
of the cloud, you are responsible for security in the cloud. This means that you
retain control of the security you choose to implement to protect your own
content, platform, applications, systems, and networks no differently than you
would in an on-site data center.

AWS provides you with guidance and expertise through online resources,
personnel, and partners. AWS provides you with advisories for current issues,
plus you have the opportunity to work with AWS when you encounter security
issues.

You get access to hundreds of tools and features to help you to meet your
security objectives. AWS provides security-specific tools and features across
network security, configuration management, access control, and data encryption.

Finally, AWS environments are continuously audited, with certifications from

accreditation bodies across geographies and verticals. In the AWS environment,
you can take advantage of automated tools for asset inventory and privileged
access reporting.

Benefits of AWS Security

• Keep Your Data Safe: The AWS infrastructure puts strong safeguards in place to
help protect your privacy. All data is stored in highly secure AWS data
centers.
• Meet Compliance Requirements: AWS manages dozens of compliance programs in its
infrastructure. This means that segments of your compliance have already been
completed.
• Save Money: Cut costs by using AWS data centers. Maintain the highest standard
of security without having to manage your own facility
• Scale Quickly: Security scales with your AWS Cloud usage. No matter the size of
your business, the AWS infrastructure is designed to keep your data safe.

Compliance
AWS Cloud Compliance enables you to understand the robust controls in place at
AWS to maintain security and data protection in the cloud. As systems are built
on top of AWS Cloud infrastructure,

7
 Overview of Amazon Web Services AWS Whitepaper

Compliance

compliance responsibilities will be shared. By tying together governance-focused,

audit-friendly service features with applicable compliance or audit standards,
AWS Compliance enablers build on traditional programs. This helps customers to
establish and operate in an AWS security control environment.

The IT infrastructure that AWS provides to its customers is designed and managed
in alignment with best security practices and a variety of IT security standards.
The following is a partial list of assurance programs with which AWS complies:

• SOC 1/ISAE 3402, SOC 2, SOC 3

• FISMA, DIACAP, and FedRAMP
• PCI DSS Level 1
• ISO 9001, ISO 27001, ISO 27017, ISO 27018

AWS provides customers a wide range of information on its IT control environment

in whitepapers, reports, certifications, accreditations, and other third-party
attestations. More information is available in the Risk and Compliance whitepaper
and the AWS Security Center.

8
 Overview of Amazon Web Services AWS

AWS Management Console

Amazon Web Services Cloud

Topics
• AWS Management Console (p. 9)
• AWS Command Line Interface (p. 9)
• Software Development Kits (p. 10)
• Analytics (p. 10)
• Application Integration (p. 14)
• AR and VR (p. 16)
• Blockchain (p. 17)
• Business Applications (p. 17)
• Cloud Financial Management (p. 19)
• Compute Services (p. 20)
• Contact Center (p. 24)
• Containers (p. 25)
• Database (p. 26)
• Developer Tools (p. 29)
• End User Computing (p. 31)
• Front-End Web & Mobile Services (p. 32)
• Game Tech (p. 34)
• Internet of Things (IoT) (p. 34)
• Machine Learning (p. 39)
• Management and Governance (p. 48)
• Media Services (p. 54)
• Migration and Transfer (p. 57)
• Networking and Content Delivery (p. 60)
• Quantum Technologies (p. 64)
• Robotics (p. 64)
• Satellite (p. 65)
• Security, Identity, and Compliance (p. 65)
• Storage (p. 72)

AWS Management Console

Access and manage Amazon Web Services through the AWS Management Console, a
simple and intuitive user interface. You can also use the AWS Console Mobile
Application to quickly view resources on the go.

9
 Overview of Amazon Web Services AWS Whitepaper

AWS Command Line Interface

The AWS Command Line Interface (CLI) is a unified tool to manage your AWS
services. With just one tool to download and configure, you can control multiple
AWS services from the command line and automate them through scripts.
Software Development Kits

Software Development Kits

Our Software Development Kits (SDKs) simplify using AWS services in your
applications with an Application Program Interface (API) tailored to your
programming language or platform.

Analytics
Topics
• Amazon Athena (p. 10)
• Amazon CloudSearch (p. 10)
• Amazon Elasticsearch Service (p. 11)
• Amazon EMR (p. 11)
• Amazon FinSpace (p. 11)
• Amazon Kinesis (p. 11)
• Amazon Kinesis Data Firehose (p. 12)
• Amazon Kinesis Data Analytics (p. 12)
• Amazon Kinesis Data Streams (p. 12)
• Amazon Kinesis Video Streams (p. 12)
• Amazon Redshift (p. 12)
• Amazon QuickSight (p. 13)
• AWS Data Exchange (p. 13)
• AWS Data Pipeline (p. 13)
• AWS Glue (p. 13)
• AWS Lake Formation (p. 14)
• Amazon Managed Streaming for Apache Kafka (Amazon MSK) (p. 14)

Amazon Athena
Amazon Athena is an interactive query service that makes it easy to analyze data
in Amazon S3 using standard SQL. Athena is serverless, so there is no
infrastructure to manage, and you pay only for the queries that you run.

Athena is easy to use. Simply point to your data in Amazon S3, define the schema,
and start querying using standard SQL. Most results are delivered within seconds.
With Athena, there’s no need for complex extract, transform, and load (ETL) jobs
to prepare your data for analysis. This makes it easy for anyone with SQL skills
to quickly analyze large-scale datasets.

10
 Overview of Amazon Web Services AWS

Athena is out-of-the-box integrated with AWS Glue Data Catalog, allowing you to
create a unified metadata repository across various services, crawl data sources
to discover schemas and populate your Catalog with new and modified table and
partition definitions, and maintain schema versioning.

Amazon CloudSearch
Amazon CloudSearch is a managed service in the AWS Cloud that makes it simple
and cost-effective to set up, manage, and scale a search solution for your
website or application. Amazon CloudSearch

Amazon Elasticsearch Service

supports 34 languages and popular search features such as highlighting,

autocomplete, and geospatial search.

Amazon Elasticsearch Service

Amazon Elasticsearch Service makes it easy to deploy, secure, operate, and scale
Elasticsearch to search, analyze, and visualize data in real-time. With Amazon
Elasticsearch Service, you get easy-to-use APIs and real-time analytics
capabilities to power use-cases such as log analytics, full-text search,
application monitoring, and clickstream analytics, with enterprise-grade
availability, scalability, and security. The service offers integrations with
open-source tools like Kibana and Logstash for data ingestion and visualization.
It also integrates seamlessly with other AWS services such as Amazon Virtual
Private Cloud (Amazon VPC), AWS Key Management Service (AWS KMS), Amazon Kinesis
Data Firehose, AWS Lambda, AWS Identity and Access Management (IAM), Amazon
Cognito, and Amazon CloudWatch, so that you can go from raw data to actionable
insights quickly.

Amazon EMR
Amazon EMR is the industry-leading cloud big data platform for processing vast
amounts of data using open source tools such as Apache Spark, Apache Hive,
Apache HBase, Apache Flink, Apache Hudi, and Presto. Amazon EMR makes it easy to
set up, operate, and scale your big data environments by automating time-
consuming tasks like provisioning capacity and tuning clusters. With EMR you can
run petabyte-scale analysis at less than half of the cost of traditional on-
premises solutions andover 3x faster than standard Apache Spark. You can run
workloads on Amazon EC2 instances, on Amazon Elastic Kubernetes Service (EKS)
clusters, or on-premises using EMR on AWS Outposts.

Amazon FinSpace
Amazon FinSpace is a data management and analytics service purpose-built for the
financial services industry (FSI). FinSpace reduces the time you spend finding
and preparing petabytes of financial data to be ready for analysis from months to
minutes.

Financial services organizations analyze data from internal data stores like
portfolio, actuarial, and risk management systems as well as petabytes of data
from third-party data feeds, such as historical securities prices from stock

11
 Overview of Amazon Web Services AWS Whitepaper

exchanges. It can take months to find the right data, get permissions to
access the data in a compliant way, and prepare it for analysis.

FinSpace removes the heavy lifting of building and maintaining a data management
system for financial analytics. With FinSpace, you collect data and catalog it by
relevant business concepts such as asset class, risk classification, or
geographic region. FinSpace makes it easy to discover and share data across your
organization in accordance with your compliance requirements. You define your
data access policies in one place and FinSpace enforces them while keeping audit
logs to allow for compliance and activity reporting. FinSpace also includes a
library of 100+ functions, like time bars and Bollinger bands, for you to prepare
data for analysis.

Amazon Kinesis
Amazon Kinesis makes it easy to collect, process, and analyze real-time,
streaming data so you can get timely insights and react quickly to new
information. Amazon Kinesis offers key capabilities to costeffectively process
streaming data at any scale, along with the flexibility to choose the tools
that best suit the requirements of your application. With Amazon Kinesis, you
can ingest real-time data such as video, audio, application logs, website
clickstreams, and IoT telemetry data for machine learning, analytics, and other
applications. Amazon Kinesis enables you to process and analyze data as it
arrives and respond instantly instead of having to wait until all your data is
collected before the processing can begin.
Amazon Kinesis Data Firehose

Amazon Kinesis currently offers four services: Kinesis Data Firehose, Kinesis
Data Analytics, Kinesis Data Streams, and Kinesis Video Streams.

Amazon Kinesis Data Firehose

Amazon Kinesis Data Firehose is the easiest way to reliably load streaming data
into data stores and analytics tools. It can capture, transform, and load
streaming data into Amazon S3, Amazon Redshift, Amazon Elasticsearch Service,
and Splunk, enabling near real-time analytics with existing business
intelligence tools and dashboards you’re already using today. It is a fully
managed service that automatically scales to match the throughput of your data
and requires no ongoing administration. It can also batch, compress, transform,
and encrypt the data before loading it, minimizing the amount of storage used
at the destination and increasing security.

You can easily create a Firehose delivery stream from the AWS Management
Console, configure it with a few clicks, and start sending data to the stream
from hundreds of thousands of data sources to be loaded continuously to AWS—all
in just a few minutes. You can also configure your delivery stream to
automatically convert the incoming data to columnar formats like Apache Parquet
and Apache ORC, before the data is delivered to Amazon S3, for cost-effective
storage and analytics.

Amazon Kinesis Data Analytics

Amazon Kinesis Data Analytics is the easiest way to analyze streaming data, gain
actionable insights, and respond to your business and customer needs in real
time. Amazon Kinesis Data Analytics reduces the complexity of building, managing,

12
 Overview of Amazon Web Services AWS

and integrating streaming applications with other AWS services. SQL users can
easily query streaming data or build entire streaming applications using
templates and an interactive SQL editor. Java developers can quickly build
sophisticated streaming applications using open source Java libraries and AWS
integrations to transform and analyze data in real-time.

Amazon Kinesis Data Analytics takes care of everything required to run your
queries continuously and scales automatically to match the volume and throughput
rate of your incoming data.

Amazon Kinesis Data Streams

Amazon Kinesis Data Streams is a massively scalable and durable real-time data
streaming service. KDS can continuously capture gigabytes of data per second from
hundreds of thousands of sources such as website clickstreams, database event
streams, financial transactions, social media feeds, IT logs, and location-
tracking events. The data collected is available in milliseconds to enable real-
time analytics use cases such as real-time dashboards, real-time anomaly
detection, dynamic pricing, and more.

Amazon Kinesis Video Streams

Amazon Kinesis Video Streams makes it easy to securely stream video from
connected devices to AWS for analytics, machine learning (ML), playback, and
other processing. Kinesis Video Streams automatically provisions and elastically
scales all the infrastructure needed to ingest streaming video data from millions
of devices. It also durably stores, encrypts, and indexes video data in your
streams, and allows you to access your data through easy-to-use APIs. Kinesis
Video Streams enables you to playback video for live and on-demand viewing, and
quickly build applications that take advantage of computer vision and video
analytics through integration with Amazon Rekognition Video, and libraries for ML
frameworks such as Apache MxNet, TensorFlow, and OpenCV.

Amazon Redshift
Amazon Redshift is the most widely used cloud data warehouse. It makes it fast,
simple and costeffective to analyze all your data using standard SQL and your
existing Business Intelligence (BI) tools.
Amazon QuickSight

It allows you to run complex analytic queries against terabytes to petabytes of

structured and semistructured data, using sophisticated query optimization,
columnar storage on high-performance storage, and massively parallel query
execution. Most results come back in seconds. You can start small for just $0.25
per hour with no commitments and scale out to petabytes of data for $1,000 per
terabyte per year, less than a tenth the cost of traditional on-premises
solutions.

Amazon QuickSight
Amazon QuickSight is a fast, cloud-powered business intelligence (BI) service
that makes it easy for you to deliver insights to everyone in your organization.
QuickSight lets you create and publish interactive dashboards that can be
accessed from browsers or mobile devices. You can embed dashboards into your
applications, providing your customers with powerful self-service analytics.

13
 Overview of Amazon Web Services AWS Whitepaper

QuickSight easily scales to tens of thousands of users without any software to

install, servers to deploy, or infrastructure to manage.

AWS Data Exchange

AWS Data Exchange makes it easy to find, subscribe to, and use third-party data
in the cloud. Qualified data providers include category-leading brands such as
Reuters, who curate data from over 2.2 million unique news stories per year in
multiple languages; Change Healthcare, who process and anonymize more than 14
billion healthcare transactions and $1 trillion in claims annually; Dun &
Bradstreet, who maintain a database of more than 330 million global business
records; and Foursquare, whose location data is derived from 220 million unique
consumers and includes more than 60 million global commercial venues.

Once subscribed to a data product, you can use the AWS Data Exchange API to
load data directly into Amazon S3 and then analyze it with a wide variety of
AWS analytics and machine learning services. For example, property insurers can
subscribe to data to analyze historical weather patterns to calibrate insurance
coverage requirements in different geographies; restaurants can subscribe to
population and location data to identify optimal regions for expansion;
academic researchers can conduct studies on climate change by subscribing to
data on carbon dioxide emissions; and healthcare professionals can subscribe to
aggregated data from historical clinical trials to accelerate their research
activities.

For data providers, AWS Data Exchange makes it easy to reach the millions of AWS
customers migrating to the cloud by removing the need to build and maintain
infrastructure for data storage, delivery, billing, and entitling.

AWS Data Pipeline

AWS Data Pipeline is a web service that helps you reliably process and move data
between different
AWS compute and storage services, as well as on-premises data sources, at
specified intervals. With AWS Data Pipeline, you can regularly access your data
where it’s stored, transform and process it at scale, and efficiently transfer
the results to AWS services such as Amazon S3 (p. 74), Amazon RDS (p. 28), Amazon
DynamoDB (p. 26), and Amazon EMR (p. 11).

AWS Data Pipeline helps you easily create complex data processing workloads that
are fault tolerant, repeatable, and highly available. You don’t have to worry
about ensuring resource availability, managing inter-task dependencies, retrying
transient failures or timeouts in individual tasks, or creating a failure
notification system. AWS Data Pipeline also allows you to move and process data
that was previously locked up in on-premises data silos.

AWS Glue
AWS Glue is a fully managed extract, transform, and load (ETL) service that makes
it easy for customers to prepare and load their data for analytics. You can
create and run an ETL job with a few clicks in the
AWS Lake Formation

AWS Management Console. You simply point AWS Glue to your data stored on AWS, and
AWS Glue discovers your data and stores the associated metadata (e.g. table

14
 Overview of Amazon Web Services AWS

definition and schema) in the AWS Glue Data Catalog. Once cataloged, your data is
immediately searchable, queryable, and available for ETL.

AWS Lake Formation

AWS Lake Formation is a service that makes it easy to set up a secure data
lake in days. A data lake is a centralized, curated, and secured repository
that stores all your data, both in its original form and prepared for
analysis. A data lake enables you to break down data silos and combine
different types of analytics to gain insights and guide better business
decisions.

However, setting up and managing data lakes today involves a lot of manual,
complicated, and timeconsuming tasks. This work includes loading data from
diverse sources, monitoring those data flows, setting up partitions, turning on
encryption and managing keys, defining transformation jobs and monitoring their
operation, re-organizing data into a columnar format, configuring access control
settings, deduplicating redundant data, matching linked records, granting access
to data sets, and auditing access over time.

Creating a data lake with Lake Formation is as simple as defining where your data
resides and what data access and security policies you want to apply. Lake
Formation then collects and catalogs data from databases and object storage,
moves the data into your new Amazon S3 data lake, cleans and classifies data
using machine learning algorithms, and secures access to your sensitive data.
Your users can then access a centralized catalog of data which describes
available data sets and their appropriate usage. Your users then leverage these
data sets with their choice of analytics and machine learning services, like
Amazon EMR for Apache Spark, Amazon Redshift, Amazon Athena, SageMaker, and
Amazon QuickSight.

Amazon Managed Streaming for Apache

Kafka (Amazon MSK)
Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed
service that makes it easy for you to build and run applications that use
Apache Kafka to process streaming data. Apache Kafka is an open-source platform
for building real-time streaming data pipelines and applications. With Amazon
MSK, you can use Apache Kafka APIs to populate data lakes, stream changes to
and from databases, and power machine learning and analytics applications.

Apache Kafka clusters are challenging to setup, scale, and manage in production.
When you run Apache Kafka on your own, you need to provision servers, configure
Apache Kafka manually, replace servers when they fail, orchestrate server patches
and upgrades, architect the cluster for high availability, ensure data is durably
stored and secured, setup monitoring and alarms, and carefully plan scaling
events to support load changes. Amazon MSK makes it easy for you to build and run
production applications on Apache Kafka without needing Apache Kafka
infrastructure management expertise. That means you spend less time managing
infrastructure and more time building applications.

With a few clicks in the Amazon MSK console you can create highly available
Apache Kafka clusters with settings and configuration based on Apache Kafka’s
deployment best practices. Amazon MSK automatically provisions and runs your
Apache Kafka clusters. Amazon MSK continuously monitors cluster health and
automatically replaces unhealthy nodes with no downtime to your application. In

15
 Overview of Amazon Web Services AWS Whitepaper

addition, Amazon MSK secures your Apache Kafka cluster by encrypting data at
rest.

Application Integration
Topics
AWS Step Functions

• AWS Step Functions (p. 15)

• Amazon AppFlow (p. 15)
• Amazon EventBridge (p. 15)
• Amazon Managed Workflows for Apache Airflow (MWAA) (p. 15)
• Amazon MQ (p. 16)
• Amazon Simple Notification Service (p. 16)
• Amazon Simple Queue Service (p. 16)
• Amazon Simple Workflow Service (p. 16)

AWS Step Functions

AWS Step Functions is a fully managed service that makes it easy to coordinate
the components of distributed applications and microservices using visual
workflows. Building applications from individual components that each perform a
discrete function lets you scale easily and change applications quickly. Step
Functions is a reliable way to coordinate components and step through the
functions of your application. Step Functions provides a graphical console to
arrange and visualize the components of your application as a series of steps.
This makes it simple to build and run multi-step applications. Step Functions
automatically triggers and tracks each step, and retries when there are errors,
so your application runs in order and as expected. Step Functions logs the
state of each step, so when things do go wrong, you can diagnose and debug
problems quickly. You can change and add steps without even writing code, so
you can easily evolve your application and innovate faster.

Amazon AppFlow
Amazon AppFlow is a fully managed integration service that enables you to
securely transfer data between Software-as-a-Service (SaaS) applications like
Salesforce, Zendesk, Slack, and ServiceNow, and AWS services like Amazon S3 and
Amazon Redshift, in just a few clicks. With Amazon AppFlow, you can run data
flows at enterprise scale at the frequency you choose - on a schedule, in
response to a business event, or on demand. You can configure data transformation
capabilities like filtering and validation to generate rich, ready-to-use data as
part of the flow itself, without additional steps. Amazon AppFlow automatically
encrypts data in motion, and allows users to restrict data from flowing over the
public Internet for SaaS applications that are integrated with AWS PrivateLink,
reducing exposure to security threats.

16
 Overview of Amazon Web Services AWS

Amazon EventBridge
Amazon EventBridge is a serverless event bus that makes it easier to build
event-driven applications at scale using events generated from your
applications, integrated Software-as-a-Service (SaaS) applications, and AWS
services. EventBridge delivers a stream of real-time data from event sources
such as Zendesk or Shopify to targets like AWS Lambda and other SaaS
applications. You can set up routing rules to determine where to send your data
to build application architectures that react in real-time to your data sources
with event publisher and consumer completely decoupled.

Amazon Managed Workflows for Apache

Airflow (MWAA)
Amazon Managed Workflows for Apache Airflow (MWAA) is a managed orchestration
service for Apache
Airflow that makes it easier to set up and operate end-to-end data pipelines in
the cloud at scale. Apache
Airflow is an open-source tool used to programmatically author, schedule, and
monitor sequences of
Amazon MQ

processes and tasks referred to as “workflows.” With Managed Workflows, you can
use Airflow and Python to create workflows without having to manage the
underlying infrastructure for scalability, availability, and security. Managed
Workflows automatically scales its workflow execution capacity to meet your
needs, and is integrated with AWS security services to help provide you with fast
and secure access to data.

Amazon MQ
Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ
that makes it easy to set up and operate message brokers in the cloud. Message
brokers allow different software systems–often using different programming
languages, and on different platforms–to communicate and exchange information.
Amazon MQ reduces your operational load by managing the provisioning, setup, and
maintenance of ActiveMQ and RabbitMQ, popular open-source message brokers.
Connecting your current applications to Amazon MQ is easy because it uses
industry-standard APIs and protocols for messaging, including JMS, NMS, AMQP,
STOMP, MQTT, and WebSocket. Using standards means that in most cases, there’s no
need to rewrite any messaging code when you migrate to AWS.

Amazon Simple Notification Service

Amazon Simple Notification Service (Amazon SNS) is a highly available, durable,
secure, fully managed pub/sub messaging service that enables you to decouple
microservices, distributed systems, and serverless applications. Amazon SNS
provides topics for high-throughput, push-based, many-to-many messaging. Using
Amazon SNS topics, your publisher systems can fan out messages to a large number
of subscriber endpoints for parallel processing, including Amazon SQS queues, AWS
Lambda functions, and HTTP/S webhooks. Additionally, SNS can be used to fan out
notifications to end users using mobile push, SMS, and email.

17
 Overview of Amazon Web Services AWS Whitepaper

Amazon Simple Queue Service

Amazon Simple Queue Service (Amazon SQS) is a fully managed message queuing
service that enables you to decouple and scale microservices, distributed
systems, and serverless applications. SQS eliminates the complexity and overhead
associated with managing and operating message oriented middleware, and empowers
developers to focus on differentiating work. Using SQS, you can send, store, and
receive messages between software components at any volume, without losing
messages or requiring other services to be available. Get started with SQS in
minutes using the AWS console, Command Line Interface or SDK of your choice, and
three simple commands.

SQS offers two types of message queues. Standard queues offer maximum throughput,
best-effort ordering, and at-least-once delivery. SQS FIFO queues are designed to
guarantee that messages are processed exactly once, in the exact order that they
are sent.

Amazon Simple Workflow Service

Amazon Simple Workflow Service (Amazon SWF) helps developers build, run, and
scale background jobs that have parallel or sequential steps. You can think of
Amazon SWF as a fully-managed state tracker and task coordinator in the cloud. If
your application’s steps take more than 500 milliseconds to complete, you need to
track the state of processing. If you need to recover or retry if a task fails,
Amazon SWF can help you.

AR and VR
Topics
Amazon Sumerian

• Amazon Sumerian (p. 17)

Amazon Sumerian
Amazon Sumerian lets you create and run virtual reality (VR), augmented reality
(AR), and 3D applications quickly and easily without requiring any specialized
programming or 3D graphics expertise. With Sumerian, you can build highly
immersive and interactive scenes that run on popular hardware such as Oculus Go,
Oculus Rift, HTC Vive, HTC Vive Pro, Google Daydream, and Lenovo Mirage as well
as Android and iOS mobile devices. For example, you can build a virtual classroom
that lets you train new employees around the world, or you can build a virtual
environment that enables people to tour a building remotely. Sumerian makes it
easy to create all the building blocks needed to build highly immersive and
interactive 3D experiences including adding objects (e.g. characters, furniture,
and landscape), and designing, animating, and scripting environments. Sumerian
does not require specialized expertise and you can design scenes directly from
your browser.

18
 Overview of Amazon Web Services AWS

Blockchain
Topics
• Amazon Managed Blockchain (p. 17)

Amazon Managed Blockchain

Amazon Managed Blockchain is a fully managed service that makes it easy to create
and manage scalable blockchain networks using the popular open source frameworks
Hyperledger Fabric and Ethereum.

Blockchain makes it possible to build applications where multiple parties can

execute transactions without the need for a trusted, central authority. Today,
building a scalable blockchain network with existing technologies is complex to
set up and hard to manage. To create a blockchain network, each network member
needs to manually provision hardware, install software, create and manage
certificates for access control, and configure networking components. Once the
blockchain network is running, you need to continuously monitor the
infrastructure and adapt to changes, such as an increase in transaction requests,
or new members joining or leaving the network.

Amazon Managed Blockchain is a fully managed service that allows you to set up
and manage a scalable blockchain network with just a few clicks. Amazon Managed
Blockchain eliminates the overhead required to create the network, and
automatically scales to meet the demands of thousands of applications running
millions of transactions. Once your network is up and running, Managed Blockchain
makes it easy to manage and maintain your blockchain network. It manages your
certificates, lets you easily invite new members to join the network, and tracks
operational metrics such as usage of compute, memory, and storage resources. In
addition, Managed Blockchain can replicate an immutable copy of your blockchain
network activity into Amazon Quantum Ledger Database (QLDB), a fully managed
ledger database. This allows you to easily analyze the network activity outside
the network and gain insights into trends.

Business Applications
Topics
• Alexa for Business (p. 18)
• Amazon Chime (p. 18)
Alexa for Business

• Amazon SES (p. 18)

• Amazon WorkDocs (p. 18)
• Amazon WorkMail (p. 18)

Alexa for Business

Alexa for Business is a service that enables organizations and employees to use
Alexa to get more work done. With Alexa for Business, employees can use Alexa as
their intelligent assistant to be more productive in meeting rooms, at their
desks, and even with the Alexa devices they already have at home.

19
 Overview of Amazon Web Services AWS Whitepaper

Amazon Chime
Amazon Chime is a communications service that transforms online meetings with a
secure, easy-to-use application that you can trust. Amazon Chime works seamlessly
across your devices so that you can stay connected. You can use Amazon Chime for
online meetings, video conferencing, calls, chat, and to share content, both
inside and outside your organization.

Amazon Chime works with Alexa for Business, which means you can use Alexa to
start your meetings with your voice. Alexa can start your video meetings in large
conference rooms, and automatically dial into online meetings in smaller huddle
rooms and from your desk.

Amazon SES
Amazon Simple Email Service (Amazon SES) is a cost-effective, flexible, and
scalable email service that enables developers to send mail from within any
application. You can configure Amazon SES quickly to support several email use
cases, including transactional, marketing, or mass email communications. Amazon
SES's flexible IP deployment and email authentication options help drive higher
deliverability and protect sender reputation, while sending analytics measure
the impact of each email. With Amazon SES, you can send email securely,
globally, and at scale.

Amazon WorkDocs
Amazon WorkDocs is a fully managed, secure enterprise storage and sharing service
with strong administrative controls and feedback capabilities that improve user
productivity.

Users can comment on files, send them to others for feedback, and upload new
versions without having to resort to emailing multiple versions of their files as
attachments. Users can take advantage of these capabilities wherever they are,
using the device of their choice, including PCs, Macs, tablets, and phones.
Amazon WorkDocs offers IT administrators the option of integrating with existing
corporate directories, flexible sharing policies and control of the location
where data is stored. You can get started using Amazon WorkDocs with a 30-day
free trial providing 1 TB of storage per user for up to 50 users.

Amazon WorkMail
Amazon WorkMail is a secure, managed business email and calendar service with
support for existing desktop and mobile email client applications. Amazon
WorkMail gives users the ability to seamlessly access their email, contacts, and
calendars using the client application of their choice, including Microsoft
Outlook, native iOS and Android email applications, any client application
supporting the IMAP protocol, or directly through a web browser. You can
integrate Amazon WorkMail with your existing corporate directory, use email
journaling to meet compliance requirements, and control both the keys that
encrypt your data and the location in which your data is stored. You can also set
up interoperability with Microsoft Exchange Server, and programmatically manage
users, groups, and resources using the Amazon WorkMail SDK.
Cloud Financial Management

20
 Overview of Amazon Web Services AWS

Cloud Financial Management

Topics
• AWS Application Cost Profiler (p. 19)
• AWS Cost Explorer (p. 19)
• AWS Budgets (p. 19)
• AWS Cost & Usage Report (p. 19)
• Reserved Instance (RI) Reporting (p. 20)
• Savings Plans (p. 20)

AWS Application Cost Profiler

AWS Application Cost Profiler provides you the ability to track the consumption
of shared AWS resources used by software applications and report granular cost
breakdown across tenant base. You can achieve economies of scale with the shared
infrastructure model, while still maintaining a clear line of sight to detailed
resource consumption information across multiple dimensions.

With the proportionate cost insights of shared AWS resources, organizations

running applications can establish the data foundation for accurate cost
allocation model, and ISV selling applications can better understand your
profitability and customize pricing strategies for your end customers.

AWS Cost Explorer

AWS Cost Explorer has an easy-to-use interface that lets you visualize,
understand, and manage your AWS costs and usage over time. Get started quickly
by creating custom reports (including charts and tabular data) that analyze
cost and usage data, both at a high level (e.g., total costs and usage across
all accounts) and for highly-specific requests (e.g., m2.2xlarge costs within
account Y that are tagged “project: secretProject”).

AWS Budgets
AWS Budgets gives you the ability to set custom budgets that alert you when your
costs or usage exceed (or are forecasted to exceed) your budgeted amount. You can
also use AWS Budgets to set RI utilization or coverage targets and receive alerts
when your utilization drops below the threshold you define. RI alerts support
Amazon EC2, Amazon RDS, Amazon Redshift, and Amazon ElastiCache reservations.

Budgets can be tracked at the monthly, quarterly, or yearly level, and you can
customize the start and end dates. You can further refine your budget to track
costs associated with multiple dimensions, such as AWS service, linked account,
tag, and others. Budget alerts can be sent via email and/or Amazon Simple
Notification Service (SNS) topic.

Budgets can be created and tracked from the AWS Budgets dashboard or via the
Budgets API.

AWS Cost & Usage Report

The AWS Cost & Usage Report is a single location for accessing comprehensive
information about your AWS costs and usage.

21
 Overview of Amazon Web Services AWS Whitepaper

The AWS Cost & Usage Report lists AWS usage for each service category used by
an account and its IAM users in hourly or daily line items, as well as any tags
that you have activated for cost allocation purposes. You can also customize
the AWS Cost & Usage Report to aggregate your usage data to the daily or
monthly level.
Reserved Instance (RI) Reporting

Reserved Instance (RI) Reporting

AWS provides a number of RI-specific cost management solutions out-of-the-box to
help you better understand and manage your RIs. Using the RI Utilization and
Coverage reports available in AWS Cost Explorer, you can visualize your RI data
at an aggregate level or inspect a particular RI subscription. To access the most
detailed RI information available, you can leverage the AWS Cost & Usage Report.
You can also set a custom RI utilization target via AWS Budgets and receive
alerts when your utilization drops below the threshold you define.

Savings Plans
Savings Plans is a flexible pricing model offering lower prices compared to On-
Demand pricing, in exchange for a specific usage commitment (measured in $/hour)
for a one or three-year period. AWS offers three types of Savings Plans – Compute
Savings Plans, EC2 Instance Savings Plans, and Amazon SageMaker Savings Plans.
Compute Savings Plans apply to usage across Amazon EC2, AWS Lambda, and AWS
Fargate. The EC2 Instance Savings Plans apply to EC2 usage, and Amazon SageMaker
Savings Plans apply to Amazon SageMaker usage. You can easily sign up a 1- or 3-
year term Savings Plans in AWS Cost Explorer and manage your plans by taking
advantage of recommendations, performance reporting, and budget alerts.

Compute Services
Topics
• Amazon EC2 (p. 20)
• Amazon EC2 Auto Scaling (p. 21)
• Amazon EC2 Image Builder (p. 21)
• Amazon Lightsail (p. 22)
• AWS App Runner (p. 22)
• AWS Batch (p. 22)
• AWS Elastic Beanstalk (p. 22)
• AWS Fargate (p. 22)
• AWS Lambda (p. 23)
• AWS Serverless Application Repository (p. 23)
• AWS Outposts (p. 23)
• AWS Wavelength (p. 23)
• VMware Cloud on AWS (p. 24)

22
 Overview of Amazon Web Services AWS

Amazon EC2
Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides secure,
resizable compute capacity in the cloud. It is designed to make web-scale
computing easier for developers.

The simple web interface of Amazon EC2 allows you to obtain and configure
capacity with minimal friction. It provides you with complete control of your
computing resources and lets you run on Amazon’s proven computing environment.
Amazon EC2 reduces the time required to obtain and boot new server instances
(called Amazon EC2 instances) to minutes, allowing you to quickly scale capacity,
both up and down, as your computing requirements change. Amazon EC2 changes the
economics of computing by allowing you to pay only for capacity that you actually
use. Amazon EC2 provides developers and system administrators the tools to build
failure resilient applications and isolate themselves from common failure
scenarios.
Amazon EC2 Auto Scaling

Instance Types
Amazon EC2 passes on to you the financial benefits of Amazon’s scale. You pay a
very low rate for the compute capacity you actually consume. See Amazon EC2
Instance Purchasing Options for a more detailed description.

• On-Demand Instances— With On-Demand instances, you pay for compute capacity
by the hour or the second depending on which instances you run. No longer-
term commitments or upfront payments are needed. You can increase or decrease
your compute capacity depending on the demands of your application and only
pay the specified per hourly rates for the instance you use. On-Demand
instances are recommended for:
• Users that prefer the low cost and flexibility of Amazon EC2 without any up-
front payment or longterm commitment
• Applications with short-term, spiky, or unpredictable workloads that cannot
be interrupted
• Applications being developed or tested on Amazon EC2 for the first time
• Spot Instances—Spot Instances are available at up to a 90% discount compared
to On-Demand prices and let you take advantage of unused Amazon EC2 capacity
in the AWS Cloud. You can significantly reduce the cost of running your
applications, grow your application’s compute capacity and throughput for the
same budget, and enable new types of cloud computing applications. Spot
instances are recommended for:
• Applications that have flexible start and end times
• Applications that are only feasible at very low compute prices
• Users with urgent computing needs for large amounts of additional capacity
• Reserved Instances—Reserved Instances provide you with a significant discount
(up to 72%) compared to On-Demand instance pricing. You have the flexibility
to change families, operating system types, and tenancies while benefitting
from Reserved Instance pricing when you use Convertible Reserved Instances.
• Savings Plans—Savings Plans are a flexible pricing model that offer low
prices on EC2 and Fargate usage, in exchange for a commitment to a consistent
amount of usage (measured in $/hour) for a 1 or 3 year term.
• Dedicated Hosts—A Dedicated Host is a physical EC2 server dedicated for your
use. Dedicated Hosts can help you reduce costs by allowing you to use your
existing server-bound software licenses, including Windows Server, SQL

23
 Overview of Amazon Web Services AWS Whitepaper

Server, and SUSE Linux Enterprise Server (subject to your license terms), and
can also help you meet compliance requirements.

Amazon EC2 Auto Scaling

Amazon EC2 Auto Scaling helps you maintain application availability and allows
you to automatically add or remove EC2 instances according to conditions you
define. You can use the fleet management features of Amazon EC2 Auto Scaling to
maintain the health and availability of your fleet. You can also use the dynamic
and predictive scaling features of Amazon EC2 Auto Scaling to add or remove EC2
instances. Dynamic scaling responds to changing demand and predictive scaling
automatically schedules the right number of EC2 instances based on predicted
demand. Dynamic scaling and predictive scaling can be used together to scale
faster.

Amazon EC2 Image Builder

EC2 Image Builder simplifies the building, testing, and deployment of Virtual
Machine and container images for use on AWS or on-premises.

Keeping Virtual Machine and container images up-to-date can be time consuming,
resource intensive, and error-prone. Currently, customers either manually update
and snapshot VMs or have teams that build automation scripts to maintain images.
Amazon Lightsail

Image Builder significantly reduces the effort of keeping images up-to-date and
secure by providing a simple graphical interface, built-in automation, and AWS-
provided security settings. With Image Builder, there are no manual steps for
updating an image nor do you have to build your own automation pipeline.

Image Builder is offered at no cost, other than the cost of the underlying AWS
resources used to create, store, and share the images.

Amazon Lightsail
Amazon Lightsail is designed to be the easiest way to launch and manage a virtual
private server with AWS. Lightsail plans include everything you need to jumpstart
your project – a virtual machine, SSDbased storage, data transfer, DNS
management, and a static IP address – for a low, predictable price.

AWS App Runner

AWS App Runner is a fully managed service that makes it easy for developers to
quickly deploy containerized web applications and APIs, at scale and with no
prior infrastructure experience required. Start with your source code or a
container image. App Runner automatically builds and deploys the web application
and load balances traffic with encryption. App Runner also scales up or down
automatically to meet your traffic needs. With App Runner, rather than thinking
about servers or scaling, you have more time to focus on your applications.

AWS Batch
AWS Batch enables developers, scientists, and engineers to easily and
efficiently run hundreds of thousands of batch computing jobs on AWS. AWS Batch
dynamically provisions the optimal quantity and type of compute resources

24
 Overview of Amazon Web Services AWS

(e.g., CPU or memory-optimized instances) based on the volume and specific

resource requirements of the batch jobs submitted. With AWS Batch, there is no
need to install and manage batch computing software or server clusters that you
use to run your jobs, allowing you to focus on analyzing results and solving
problems. AWS Batch plans, schedules, and runs your batch computing workloads
across the full range of AWS compute services and features, such as Amazon EC2
and Spot Instances.

AWS Elastic Beanstalk

AWS Elastic Beanstalk is an easy-to-use service for deploying and scaling web
applications and services developed with Java, .NET, PHP, Node.js, Python, Ruby,
Go, and Docker on familiar servers such as Apache, Nginx, Passenger, and Internet
Information Services (IIS).

You can simply upload your code, and AWS Elastic Beanstalk automatically handles
the deployment, from capacity provisioning, load balancing, and auto scaling to
application health monitoring. At the same time, you retain full control over the
AWS resources powering your application and can access the underlying resources
at any time.

AWS Fargate
AWS Fargate is a compute engine for Amazon ECS that allows you to run containers
without having to manage servers or clusters. With AWS Fargate, you no longer
have to provision, configure, and scale clusters of virtual machines to run
containers. This removes the need to choose server types, decide when to scale
your clusters, or optimize cluster packing. AWS Fargate removes the need for you
to interact with or think about servers or clusters. Fargate lets you focus on
designing and building your applications instead of managing the infrastructure
that runs them.

Amazon ECS has two modes: Fargate launch type and EC2 launch type. With Fargate
launch type, all you have to do is package your application in containers,
specify the CPU and memory requirements,
AWS Lambda

define networking and IAM policies, and launch the application. EC2 launch type
allows you to have server-level, more granular control over the infrastructure
that runs your container applications. With EC2 launch type, you can use Amazon
ECS to manage a cluster of servers and schedule placement of containers on the
servers. Amazon ECS keeps track of all the CPU, memory and other resources in
your cluster, and also finds the best server for a container to run on based on
your specified resource requirements. You are responsible for provisioning,
patching, and scaling clusters of servers. You can decide which type of server
to use, which applications and how many containers to run in a cluster to
optimize utilization, and when you should add or remove servers from a cluster.
EC2 launch type gives you more control of your server clusters and provides a
broader range of customization options, which might be required to support some
specific applications or possible compliance and government requirements.

AWS Lambda
AWS Lambda lets you run code without provisioning or managing servers. You pay
only for the compute time you consume—there is no charge when your code is not
running. With Lambda, you can run code for virtually any type of application or

25
 Overview of Amazon Web Services AWS Whitepaper

backend service—all with zero administration. Just upload your code, and Lambda
takes care of everything required to run and scale your code with high
availability. You can set up your code to automatically trigger from other AWS
services, or you can call it directly from any web or mobile app.

AWS Serverless Application Repository

The AWS Serverless Application Repository enables you to quickly deploy code
samples, components, and complete applications for common use cases such as web
and mobile back-ends, event and data processing, logging, monitoring, IoT, and
more. Each application is packaged with an AWS Serverless Application Model (SAM)
template that defines the AWS resources used. Publicly shared applications also
include a link to the application’s source code. There is no additional charge to
use the Serverless Application Repository - you only pay for the AWS resources
used in the applications you deploy.

You can also use the Serverless Application Repository to publish your own
applications and share them within your team, across your organization, or with
the community at large. To share an application you've built, publish it to the
AWS Serverless Application Repository.

AWS Outposts
AWS Outposts bring native AWS services, infrastructure, and operating models to
virtually any data center, co-location space, or on-premises facility. You can
use the same APIs, the same tools, the same hardware, and the same functionality
across on-premises and the cloud to deliver a truly consistent hybrid experience.
Outposts can be used to support workloads that need to remain on-premises due to
low latency or local data processing needs.

AWS Outposts come in two variants: 1) VMware Cloud on AWS Outposts allows you to
use the same
VMware control plane and APIs you use to run your infrastructure, 2) AWS native
variant of AWS Outposts allows you to use the same exact APIs and control plane
you use to run in the AWS cloud, but on-premises.

AWS Outposts infrastructure is fully managed, maintained, and supported by AWS to

deliver access to the latest AWS services. Getting started is easy, you simply
log into the AWS Management Console to order your Outposts servers, choosing from
a wide range of compute and storage options. You can order one or more servers,
or quarter, half, and full rack units.

AWS Wavelength
AWS Wavelength is an AWS Infrastructure offering optimized for mobile edge
computing applications. Wavelength Zones are AWS infrastructure deployments that
embed AWS compute and storage
VMware Cloud on AWS

services within communications service providers’ (CSP) datacenters at the edge

of the 5G network, so application traffic from 5G devices can reach application
servers running in Wavelength Zones without leaving the telecommunications
network. This avoids the latency that would result from application traffic
having to traverse multiple hops across the Internet to reach their destination,
enabling customers to take full advantage of the latency and bandwidth benefits
offered by modern 5G networks.

26
 Overview of Amazon Web Services AWS

VMware Cloud on AWS

VMware Cloud on AWS is an integrated cloud offering jointly developed by AWS and
VMware delivering a highly scalable, secure and innovative service that allows
organizations to seamlessly migrate and extend their on-premises VMware vSphere-
based environments to the AWS Cloud running on next-generation Amazon Elastic
Compute Cloud (Amazon EC2) bare metal infrastructure. VMware Cloud on AWS is
ideal for enterprise IT infrastructure and operations organizations looking to
migrate their on-premises vSphere-based workloads to the public cloud,
consolidate and extend their data center capacities, and optimize, simplify and
modernize their disaster recovery solutions. VMware Cloud on AWS is delivered,
sold, and supported globally by VMware and its partners with availability in the
following AWS Regions: AWS Europe (Stockholm), AWS US East (Northern Virginia),
AWS US East (Ohio), AWS US West (Northern
California), AWS US West (Oregon), AWS Canada (Central), AWS Europe (Frankfurt),
AWS Europe (Ireland),
AWS Europe (London), AWS Europe (Paris), AWS Europe (Milan), AWS Asia Pacific
(Singapore), AWS Asia
Pacific (Sydney), AWS Asia Pacific (Tokyo), AWS Asia Pacific (Mumbai) Region, AWS
South America (Sao Paulo), AWS Asia Pacific (Seoul), and AWS GovCloud (US West).
With each release, VMware Cloud on AWS availability will expand into additional
global regions.

VMware Cloud on AWS brings the broad, diverse and rich innovations of AWS
services natively to the enterprise applications running on VMware's compute,
storage and network virtualization platforms. This allows organizations to easily
and rapidly add new innovations to their enterprise applications by natively
integrating AWS infrastructure and platform capabilities such as AWS Lambda,
Amazon Simple Queue Service (SQS), Amazon S3, Elastic Load Balancing, Amazon RDS,
Amazon DynamoDB, Amazon Kinesis, and Amazon Redshift, among many others.

With VMware Cloud on AWS, organizations can simplify their Hybrid IT operations
by using the same VMware Cloud Foundation technologies including vSphere, vSAN,
NSX, and vCenter Server across their on-premises data centers and on the AWS
Cloud without having to purchase any new or custom hardware, rewrite
applications, or modify their operating models. The service automatically
provisions infrastructure and provides full VM compatibility and workload
portability between your on-premises environments and the AWS Cloud. With
VMware Cloud on AWS, you can leverage AWS's breadth of services, including
compute, databases, analytics, Internet of Things (IoT), security, mobile,
deployment, application services, and more.

Contact Center
Topics
• Amazon Connect (p. 24)

Amazon Connect
Amazon Connect is a self-service, omnichannel cloud contact center service that
makes it easy for any business to deliver better customer service at lower cost.
Amazon Connect is based on the same contact center technology used by Amazon
customer service associates around the world to power millions of customer
conversations. The self-service graphical interface in Amazon Connect makes it
easy for nontechnical users to design contact flows, manage agents, and track

27
 Overview of Amazon Web Services AWS Whitepaper

performance metrics – no specialized skills required. There are no up-front

payments or long-term commitments and no infrastructure to manage with Amazon
Connect; customers pay by the minute for Amazon Connect usage plus any associated
telephony services.
Containers

Containers
Topics
• Amazon Elastic Container Registry (p. 25)
• Amazon Elastic Container Service (p. 25)
• Amazon Elastic Kubernetes Service (p. 25)
• AWS App2Container (p. 25)
• Red Hat OpenShift Service on AWS (p. 26)

Amazon Elastic Container Registry

Amazon Elastic Container Registry (ECR) is a fully-managed Docker container
registry that makes it easy for developers to store, manage, and deploy Docker
container images. Amazon ECR is integrated with Amazon Elastic Container Service
(Amazon ECS), simplifying your development to production workflow. Amazon ECR
eliminates the need to operate your own container repositories or worry about
scaling the underlying infrastructure. Amazon ECR hosts your images in a highly
available and scalable architecture, allowing you to reliably deploy containers
for your applications. Integration with AWS Identity and Access Management (IAM)
(p. 69) provides resource-level control of each repository. With Amazon ECR,
there are no upfront fees or commitments. You pay only for the amount of data
you store in your repositories and data transferred to the Internet.

Amazon Elastic Container Service

Amazon Elastic Container Service (Amazon ECS) is a highly scalable, high-
performance container orchestration service that supports Docker containers and
allows you to easily run and scale containerized applications on AWS. Amazon
ECS eliminates the need for you to install and operate your own container
orchestration software, manage and scale a cluster of virtual machines, or
schedule containers on those virtual machines.

With simple API calls, you can launch and stop Docker-enabled applications,
query the complete state of your application, and access many familiar features
such as IAM roles, security groups, load balancers, Amazon CloudWatch Events,
AWS CloudFormation templates, and AWS CloudTrail logs.

Amazon Elastic Kubernetes Service

Amazon Elastic Kubernetes Service (Amazon EKS) makes it easy to deploy, manage,
and scale containerized applications using Kubernetes on AWS.

Amazon EKS runs the Kubernetes management infrastructure for you across multiple
AWS availability zones to eliminate a single point of failure. Amazon EKS is
certified Kubernetes conformant so you can use existing tooling and plugins from
partners and the Kubernetes community. Applications running on any standard

28
 Overview of Amazon Web Services AWS

Kubernetes environment are fully compatible and can be easily migrated to Amazon
EKS.

AWS App2Container
AWS App2Container (A2C) is a command-line tool for modernizing .NET and Java
applications into containerized applications. A2C analyzes and builds an
inventory of all applications running in virtual machines, on-premises or in
the cloud. You simply select the application you want to containerize, and A2C
packages the application artifact and identified dependencies into container
images, configures the network ports, and generates the ECS task and Kubernetes
pod definitions. A2C provisions, through CloudFormation, the cloud
infrastructure and CI/CD pipelines required to deploy the containerized .NET
Red Hat OpenShift Service on AWS

or Java application into production. With A2C, you can easily modernize your
existing applications and standardize the deployment and operations through
containers.

Red Hat OpenShift Service on AWS

Red Hat OpenShift Service on AWS (ROSA) provides an integrated experience to use
OpenShift. If you are already familiar with OpenShift, you can accelerate your
application development process by leveraging familiar OpenShift APIs and tools
for deployments on AWS. With ROSA, you can use the wide range of AWS compute,
database, analytics, machine learning, networking, mobile, and other services to
build secure and scalable applications faster. ROSA comes with pay-as-you-go
hourly and annual billing, a 99.95% SLA, and joint support from AWS and Red Hat.

ROSA makes it easier for you to focus on deploying applications and

accelerating innovation by moving the cluster lifecycle management to Red Hat
and AWS. With ROSA, you can run containerized applications with your existing
OpenShift workflows and reduce the complexity of management.

Database
Topics
• Amazon Aurora (p. 26)
• Amazon DynamoDB (p. 26)
• Amazon ElastiCache (p. 27)
• Amazon Keyspaces (for Apache Cassandra) (p. 27)
• Amazon Neptune (p. 27)
• Amazon Relational Database Service (p. 28)
• Amazon RDS on VMware (p. 28)
• Amazon Quantum Ledger Database (QLDB) (p. 28)
• Amazon Timestream (p. 29)
• Amazon DocumentDB (with MongoDB compatibility) (p. 29)

29
 Overview of Amazon Web Services AWS Whitepaper

Amazon Aurora
Amazon Aurora is a MySQL and PostgreSQL compatible relational database engine
that combines the speed and availability of high-end commercial databases with
the simplicity and cost-effectiveness of open source databases.

Amazon Aurora is up to five times faster than standard MySQL databases and three
times faster than standard PostgreSQL databases. It provides the security,
availability, and reliability of commercial databases at 1/10th the cost. Amazon
Aurora is fully managed by Amazon Relational Database Service (Amazon RDS), which
automates time-consuming administration tasks like hardware provisioning,
database setup, patching, and backups.

Amazon Aurora features a distributed, fault-tolerant, self-healing storage

system that auto-scales up to 128TB per database instance. It delivers high
performance and availability with up to 15 low-latency read replicas, point-in-
time recovery, continuous backup to Amazon S3, and replication across three
Availability Zones (AZs).

Amazon DynamoDB
Amazon DynamoDB is a key-value and document database that delivers single-digit
millisecond performance at any scale. It's a fully managed, multiregion,
multimaster database with built-in security,
Amazon ElastiCache

backup and restore, and in-memory caching for internet-scale applications.

DynamoDB can handle more than 10 trillion requests per day and support peaks of
more than 20 million requests per second.

Many of the world's fastest growing businesses such as Lyft, Airbnb, and Redfin
as well as enterprises such as Samsung, Toyota, and Capital One depend on the
scale and performance of DynamoDB to support their mission-critical workloads.

Hundreds of thousands of AWS customers have chosen DynamoDB as their key-value

and document database for mobile, web, gaming, ad tech, IoT, and other
applications that need low-latency data access at any scale. Create a new table
for your application and let DynamoDB handle the rest.

Amazon ElastiCache
Amazon ElastiCache is a web service that makes it easy to deploy, operate, and
scale an in-memory cache in the cloud. The service improves the performance of
web applications by allowing you to retrieve information from fast, managed, in-
memory caches, instead of relying entirely on slower disk-based databases.

Amazon ElastiCache supports two open-source in-memory caching engines:

• Redis - a fast, open-source, in-memory key-value data store for use as a

database, cache, message broker, and queue. Amazon ElastiCache for Redis is a
Redis-compatible in-memory service that delivers the ease-of-use and power of
Redis along with the availability, reliability, and performance suitable for
the most demanding applications. Both single-node and up to 15-shard clusters
are available, enabling scalability to up to 3.55 TiB of in-memory data.
ElastiCache for Redis is fully managed, scalable, and secure. This makes it an
ideal candidate to power high-performance use cases such as web, mobile apps,
gaming, ad-tech, and IoT.

30
 Overview of Amazon Web Services AWS

• Memcached - a widely adopted memory object caching system. ElastiCache for

Memcached is protocol compliant with Memcached, so popular tools that you use
today with existing Memcached environments will work seamlessly with the
service.

Amazon Keyspaces (for Apache Cassandra)

Amazon Keyspaces (for Apache Cassandra) is a scalable, highly available, and
managed Apache Cassandra–compatible database service. With Amazon Keyspaces, you
can run your Cassandra workloads on AWS using the same Cassandra application code
and developer tools that you use today. You don’t have to provision, patch, or
manage servers, and you don’t have to install, maintain, or operate software.
Amazon Keyspaces is serverless, so you pay for only the resources you use and the
service can automatically scale tables up and down in response to application
traffic. You can build applications that serve thousands of requests per second
with virtually unlimited throughput and storage. Data is encrypted by default and
Amazon Keyspaces enables you to back up your table data continuously using point-
in-time recovery. Amazon Keyspaces gives you the performance, elasticity, and
enterprise features you need to operate business-critical Cassandra workloads at
scale.

Amazon Neptune
Amazon Neptune is a fast, reliable, fully-managed graph database service that
makes it easy to build and run applications that work with highly connected
datasets. The core of Amazon Neptune is a purposebuilt, high-performance graph
database engine optimized for storing billions of relationships and querying the
graph with milliseconds latency. Amazon Neptune supports popular graph models
Property Graph and W3C's RDF, and their respective query languages Apache
TinkerPop Gremlin and SPARQL, allowing you to easily build queries that
efficiently navigate highly connected datasets. Neptune powers graph use cases
such as recommendation engines, fraud detection, knowledge graphs, drug
discovery, and network security.

31
 Overview of Amazon Web Services AWS Whitepaper
Amazon Relational Database Service

Amazon Neptune is highly available, with read replicas, point-in-time recovery,

continuous backup to Amazon S3, and replication across Availability Zones.
Neptune is secure with support for encryption at rest. Neptune is fully-managed,
so you no longer need to worry about database management tasks such as hardware
provisioning, software patching, setup, configuration, or backups.

Amazon Relational Database Service

Amazon Relational Database Service (Amazon RDS) makes it easy to set up,
operate, and scale a relational database in the cloud. It provides cost-
efficient and resizable capacity while automating timeconsuming administration
tasks such as hardware provisioning, database setup, patching and backups. It
frees you to focus on your applications so you can give them the fast
performance, high availability, security and compatibility they need.

Amazon RDS is available on several database instance types - optimized for

memory, performance or
I/O - and provides you with six familiar database engines to choose from,
including Amazon Aurora, PostgreSQL, MySQL, MariaDB, Oracle Database, and SQL
Server. You can use the AWS Database Migration Service to easily migrate or
replicate your existing databases to Amazon RDS.

Amazon RDS on VMware

Amazon Relational Database Service (Amazon RDS) on VMware lets you deploy
managed databases in on-premises VMware environments using the Amazon RDS
technology enjoyed by hundreds of thousands of AWS customers. Amazon RDS
provides cost-efficient and resizable capacity while automating time-consuming
administration tasks including hardware provisioning, database setup,
patching, and backups, freeing you to focus on your applications. RDS on
VMware brings these same benefits to your on-premises deployments, making it
easy to set up, operate, and scale databases in VMware vSphere private data
centers, or to migrate them to AWS.

Amazon RDS on VMware allows you to utilize the same simple interface for managing
databases in on-premises VMware environments as you would use in AWS. You can
easily replicate RDS on VMware databases to RDS instances in AWS, enabling low-
cost hybrid deployments for disaster recovery, read replica bursting, and
optional long-term backup retention in Amazon Simple Storage Service (Amazon
S3).

Amazon Quantum Ledger Database (QLDB)

Amazon QLDB is a fully managed ledger database that provides a transparent,
immutable, and cryptographically verifiable transaction log owned by a central
trusted authority. Amazon QLDB tracks each and every application data change and
maintains a complete and verifiable history of changes over time.

Ledgers are typically used to record a history of economic and financial activity
in an organization. Many organizations build applications with ledger-like
functionality because they want to maintain an accurate history of their
applications' data, for example, tracking the history of credits and debits in
banking transactions, verifying the data lineage of an insurance claim, or

32
 Overview of Amazon Web Services AWS Whitepaper

tracing movement of an item in a supply chain network. Ledger applications are

often implemented using custom audit tables or audit trails created in
relational databases. However, building audit functionality with relational
databases is timeconsuming and prone to human error. It requires custom
development, and since relational databases are not inherently immutable, any
unintended changes to the data are hard to track and verify. Alternatively,
blockchain frameworks, such as Hyperledger Fabric and Ethereum, can also be used
as a ledger. However, this adds complexity as you need to set-up an entire
blockchain network with multiple nodes, manage its infrastructure, and require
the nodes to validate each transaction before it can be added to the ledger.

Amazon QLDB is a new class of database that eliminates the need to engage in the
complex development effort of building your own ledger-like applications. With
QLDB, your data’s change history is immutable – it cannot be altered or deleted
– and using cryptography, you can easily verify
Amazon Timestream

that there have been no unintended modifications to your application’s data. QLDB
uses an immutable transactional log, known as a journal, that tracks each
application data change and maintains a complete and verifiable history of
changes over time. QLDB is easy to use because it provides developers with a
familiar SQL-like API, a flexible document data model, and full support for
transactions. QLDB is also serverless, so it automatically scales to support the
demands of your application. There are no servers to manage and no read or write
limits to configure. With QLDB, you only pay for what you use.

Amazon Timestream
Amazon Timestream is a fast, scalable, fully managed time series database service
for IoT and operational applications that makes it easy to store and analyze
trillions of events per day at 1/10th the cost of relational databases. Driven
by the rise of IoT devices, IT systems, and smart industrial machines, time-
series data — data that measures how things change over time — is one of the
fastest growing data types. Time-series data has specific characteristics such
as typically arriving in time order form, data is append-only, and queries are
always over a time interval. While relational databases can store this data,
they are inefficient at processing this data as they lack optimizations such as
storing and retrieving data by time intervals. Timestream is a purpose-built
time series database that efficiently stores and processes this data by time
intervals. With Timestream, you can easily store and analyze log data for
DevOps, sensor data for IoT applications, and industrial telemetry data for
equipment maintenance. As your data grows over time, Timestream’s adaptive query
processing engine understands its location and format, making your data simpler
and faster to analyze. Timestream also automates rollups, retention, tiering,
and compression of data, so you can manage your data at the lowest possible
cost. Timestream is serverless, so there are no servers to manage. It manages
time-consuming tasks such as server provisioning, software patching, setup,
configuration, or data retention and tiering, freeing you to focus on building
your applications.

33
 Overview of Amazon Web Services AWS Whitepaper

Amazon DocumentDB (with MongoDB

compatibility)
Amazon DocumentDB (with MongoDB compatibility) is a fast, scalable, highly
available, and fully managed document database service that supports MongoDB
workloads.

Amazon DocumentDB (with MongoDB compatibility) is designed from the ground-up to

give you the performance, scalability, and availability you need when operating
mission-critical MongoDB workloads at scale. Amazon DocumentDB (with MongoDB
compatibility) implements the Apache 2.0 open source MongoDB 3.6 and 4.0 APIs by
emulating the responses that a MongoDB client expects from a MongoDB server,
allowing you to use your existing MongoDB drivers and tools with Amazon
DocumentDB (with MongoDB compatibility) .

Developer Tools
Amazon Corretto
Amazon Corretto is a no-cost, multiplatform, production-ready distribution of the
Open Java Development Kit (OpenJDK). Corretto comes with long-term support that
will include performance enhancements and security fixes. Amazon runs Corretto
internally on thousands of production services and Corretto is certified as
compatible with the Java SE standard. With Corretto, you can develop and run
Java applications on popular operating systems, including Amazon Linux 2,
Windows, and macOS.

AWS Cloud9
AWS Cloud9 is a cloud-based integrated development environment (IDE) that lets
you write, run, and debug your code with just a browser. It includes a code
editor, debugger, and terminal. Cloud9 comes prepackaged with essential tools
for popular programming languages, including JavaScript, Python, PHP,
AWS CloudShell

and more, so you don’t need to install files or configure your development
machine to start new projects. Since your Cloud9 IDE is cloud-based, you can
work on your projects from your office, home, or anywhere using an internet-
connected machine. Cloud9 also provides a seamless experience for developing
serverless applications enabling you to easily define resources, debug, and
switch between local and remote execution of serverless applications. With
Cloud9, you can quickly share your development environment with your team,
enabling you to pair program and track each other's inputs in real time.

AWS CloudShell
AWS CloudShell is a browser-based shell that makes it easy to securely manage,
explore, and interact with your AWS resources. CloudShell is pre-authenticated
with your console credentials. Common development and operations tools are pre-
installed, so no local installation or configuration is required. With
CloudShell, you can quickly run scripts with the AWS Command Line Interface
(AWS CLI), experiment with AWS service APIs using the AWS SDKs, or use a range

34
 Overview of Amazon Web Services AWS Whitepaper

of other tools to be productive. You can use CloudShell right from your browser
and at no additional cost.

AWS CodeArtifact
AWS CodeArtifact is a fully managed artifact repository service that makes it
easy for organizations of any size to securely store, publish, and share
software packages used in their software development process. CodeArtifact can
be configured to automatically fetch software packages and dependencies from
public artifact repositories so developers have access to the latest versions.
CodeArtifact works with commonly used package managers and build tools like
Maven, Gradle, npm, yarn, twine, pip, and NuGet making it easy to integrate into
existing development workflows.

AWS CodeBuild
AWS CodeBuild is a fully managed build service that compiles source code, runs
tests, and produces software packages that are ready to deploy. With CodeBuild,
you don’t need to provision, manage, and scale your own build servers. CodeBuild
scales continuously and processes multiple builds concurrently, so your builds
are not left waiting in a queue. You can get started quickly by using
prepackaged build environments, or you can create custom build environments that
use your own build tools.

AWS CodeCommit
AWS CodeCommit is a fully managed source control service that makes it easy for
companies to host secure and highly scalable private Git repositories. AWS
CodeCommit eliminates the need to operate your own source control system or
worry about scaling its infrastructure. You can use AWS CodeCommit to securely
store anything from source code to binaries, and it works seamlessly with your
existing Git tools.

AWS CodeDeploy
AWS CodeDeploy is a service that automates code deployments to any instance,
including EC2 instances and instances running on premises. CodeDeploy makes it
easier for you to rapidly release new features, helps you avoid downtime during
application deployment, and handles the complexity of updating your
applications. You can use CodeDeploy to automate software deployments,
eliminating the need for error-prone manual operations. The service scales with
your infrastructure so you can easily deploy to one instance or thousands.

AWS CodePipeline
AWS CodePipeline is a fully managed continuous delivery service that helps you
automate your release pipelines for fast and reliable application and
infrastructure updates. CodePipeline automates the build,
AWS CodeStar

test, and deploy phases of your release process every time there is a code
change, based on the release model you define. This enables you to rapidly and
reliably deliver features and updates. You can easily integrate CodePipeline
with third-party services such as GitHub or with your own custom plugin. With

35
 Overview of Amazon Web Services AWS Whitepaper

AWS CodePipeline, you only pay for what you use. There are no upfront fees or
long-term commitments.

AWS CodeStar
AWS CodeStar enables you to quickly develop, build, and deploy applications on
AWS. AWS CodeStar provides a unified user interface, enabling you to easily
manage your software development activities in one place. With AWS CodeStar, you
can set up your entire continuous delivery toolchain in minutes, allowing you to
start releasing code faster. AWS CodeStar makes it easy for your whole team to
work together securely, allowing you to easily manage access and add owners,
contributors, and viewers to your projects. Each AWS CodeStar project comes with
a project management dashboard, including an integrated issue tracking
capability powered by Atlassian JIRA Software. With the AWS CodeStar project
dashboard, you can easily track progress across your entire software development
process, from your backlog of work items to teams’ recent code deployments. For
more information, see AWS CodeStar features.

AWS Fault Injection Simulator

AWS Fault Injection Simulator is a fully managed service for running fault
injection experiments on AWS that makes it easier to improve an application’s
performance, observability, and resiliency. Fault injection experiments are used
in chaos engineering, which is the practice of stressing an application in
testing or production environments by creating disruptive events, such as sudden
increase in CPU or memory consumption, observing how the system responds, and
implementing improvements. Fault injection experiment helps teams create the
real-world conditions needed to uncover the hidden bugs, monitoring blind spots,
and performance bottlenecks that are difficult to find in distributed systems.

Fault Injection Simulator simplifies the process of setting up and running

controlled fault injection experiments across a range of AWS services so teams
can build confidence in their application behavior. With Fault Injection
Simulator, teams can quickly set up experiments using pre-built templates that
generate the desired disruptions. Fault Injection Simulator provides the
controls and guardrails that teams need to run experiments in production, such
as automatically rolling back or stopping the experiment if specific conditions
are met. With a few clicks in the console, teams can run complex scenarios with
common distributed system failures happening in parallel or building
sequentially over time, enabling them to create the real world conditions
necessary to find hidden weaknesses.

AWS X-Ray
AWS X-Ray helps developers analyze and debug distributed applications in
production or under development, such as those built using a microservices
architecture. With X-Ray, you can understand how your application and its
underlying services are performing so you can identify and troubleshoot the root
cause of performance issues and errors. X-Ray provides an end-to-end view of
requests as they travel through your application, and shows a map of your
application’s underlying components. You can use XRay to analyze both
applications in development and in production, from simple three-tier
applications to complex microservices applications consisting of thousands of
services.

36
 Overview of Amazon Web Services AWS Whitepaper

End User Computing

Topics
• Amazon AppStream 2.0 (p. 32)
• Amazon WorkSpaces (p. 32)
Amazon AppStream 2.0

• Amazon WorkLink (p. 32)

Amazon AppStream 2.0

Amazon AppStream 2.0 is a fully managed application streaming service. You
centrally manage your desktop applications on AppStream 2.0 and securely
deliver them to any computer. You can easily scale to any number of users
across the globe without acquiring, provisioning, and operating hardware or
infrastructure. AppStream 2.0 is built on AWS, so you benefit from a data
center and network architecture designed for the most security-sensitive
organizations. Each user has a fluid and responsive experience with your
applications, including GPU-intensive 3D design and engineering ones, because
your applications run on virtual machines (VMs) optimized for specific use
cases and each streaming session automatically adjusts to network conditions.

Enterprises can use AppStream 2.0 to simplify application delivery and complete
their migration to the cloud. Educational institutions can provide every student
access to the applications they need for class on any computer. Software vendors
can use AppStream 2.0 to deliver trials, demos, and training for their
applications with no downloads or installations. They can also develop a full
software-as-a-service (SaaS) solution without rewriting their application.

Amazon WorkSpaces
Amazon WorkSpaces is a fully managed, secure cloud desktop service. You can use
WorkSpaces to provision either Windows or Linux desktops in just a few minutes
and quickly scale to provide thousands of desktops to workers across the globe.
You can pay either monthly or hourly, just for the WorkSpaces you launch, which
helps you save money when compared to traditional desktops and on-premises VDI
solutions. WorkSpaces helps you eliminate the complexity in managing hardware
inventory, OS versions and patches, and Virtual Desktop Infrastructure (VDI),
which helps simplify your desktop delivery strategy. With WorkSpaces, your users
get a fast, responsive desktop of their choice that they can access anywhere,
anytime, from any supported device.

Amazon WorkLink
Amazon WorkLink is a fully managed service that lets you provide your employees
with secure, easy access to your internal corporate websites and web apps using
their mobile phones. Traditional solutions such as Virtual Private Networks
(VPNs) and device management software are inconvenient to use on the go, and
often require the use of custom browsers that have a poor user experience. As a
result, employees often forgo using them altogether.

With Amazon WorkLink, employees can access internal web content as easily as they
access any public website, without the hassle of connecting to their corporate
network. When a user accesses an internal website, the page is first rendered in

37
 Overview of Amazon Web Services AWS Whitepaper

a browser running in a secure container in AWS. Amazon WorkLink then sends the
contents of that page to employee phones as vector graphics while preserving the
functionality and interactivity of the page. This approach is more secure than
traditional solutions because internal content is never stored or cached by the
browser on employee phones, and employee devices never connect directly to your
corporate network.

With Amazon WorkLink, there are no minimum fees or long-term commitments. You pay
only for users that connect to the service each month, and there is no
additional charge for bandwidth consumption.

Front-End Web & Mobile Services

Topics
• Amazon Location Service (p. 33)
Amazon Location Service

• Amazon Pinpoint (p. 33)

• AWS Amplify (p. 33)
• AWS Device Farm (p. 34)
• AWS AppSync (p. 34)

Amazon Location Service

Amazon Location Service makes it easy for developers to add location
functionality to applications without compromising data security and user
privacy.

Location data is a vital ingredient in today’s applications, enabling

capabilities ranging from asset tracking to location-based marketing. However,
developers face significant barriers when integrating location functionality
into their applications. This includes cost, privacy and security compromises,
and tedious and slow integration work.

Amazon Location Service provides affordable data, tracking and geofencing

capabilities, and native integrations with AWS services, so you can create
sophisticated location-enabled applications quickly, without the high cost of
custom development. You retain control of your location data with Amazon
Location, and you can combine proprietary data with data from the service.
Amazon Location provides cost-effective location-based services (LBS) using
high-quality data from global, trusted providers Esri and HERE.

Amazon Pinpoint
Amazon Pinpoint makes it easy to send targeted messages to your customers through
multiple engagement channels. Examples of targeted campaigns are promotional
alerts and customer retention campaigns, and transactional messages are messages
such as order confirmations and password reset messages.

You can integrate Amazon Pinpoint into your mobile and web apps to capture usage
data to provide you with insight into how customers interact with your apps.
Amazon Pinpoint also tracks the ways that your customers respond to the messages

38
 Overview of Amazon Web Services AWS Whitepaper

you send—for example, by showing you the number of messages that were delivered,
opened, or clicked.

You can develop custom audience segments and send them pre-scheduled targeted
campaigns via email, SMS, and push notifications. Targeted campaigns are useful
for sending promotional or educational content to re-engage and retain your
users.

You can send transactional messages using the console or the Amazon Pinpoint REST
API. Transactional campaigns can be sent via email, SMS, push notifications, and
voice messages. You can also use the API to build custom applications that
deliver campaign and transactional messages.

AWS Amplify
AWS Amplify makes it easy to create, configure, and implement scalable mobile
applications powered by AWS. Amplify seamlessly provisions and manages your
mobile backend and provides a simple framework to easily integrate your backend
with your iOS, Android, Web, and React Native frontends. Amplify also automates
the application release process of both your frontend and backend allowing you
to deliver features faster.

Mobile applications require cloud services for actions that can’t be done
directly on the device, such as offline data synchronization, storage, or data
sharing across multiple users. You often have to configure, set up, and manage
multiple services to power the backend. You also have to integrate each of those
services into your application by writing multiple lines of code. However, as
the number of application
AWS Device Farm

features grow, your code and release process becomes more complex and managing
the backend requires more time.

Amplify provisions and manages backends for your mobile applications. You just
select the capabilities you need such as authentication, analytics, or offline
data sync and Amplify will automatically provision and manage the AWS service
that powers each of the capabilities. You can then integrate those capabilities
into your application through the Amplify libraries and UI components.

AWS Device Farm

AWS Device Farm is an app testing service that lets you test and interact with
your Android, iOS, and web apps on many devices at once, or reproduce issues on
a device in real time. View video, screenshots, logs, and performance data to
pinpoint and fix issues before shipping your app.

AWS AppSync
AWS AppSync is a serverless back-end for mobile, web, and enterprise
applications.

AWS AppSync makes it easy to build data driven mobile and web applications by
handling securely all the application data management tasks like online and
offline data access, data synchronization, and data manipulation across multiple
data sources. AWS AppSync uses GraphQL, an API query language designed to build

39
 Overview of Amazon Web Services AWS Whitepaper

client applications by providing an intuitive and flexible syntax for describing

their data requirement.

Game Tech
Topics
• Amazon GameLift (p. 34)
• Amazon Lumberyard (p. 34)

Amazon GameLift
Amazon GameLift is a managed service for deploying, operating, and scaling
dedicated game servers for session-based multiplayer games. Amazon GameLift
makes it easy to manage server infrastructure, scale capacity to lower latency
and cost, match players into available game sessions, and defend from
distributed denial-of-service (DDoS) attacks. You pay for the compute resources
and bandwidth your games actually use, without monthly or annual contracts.

Amazon Lumberyard
Amazon Lumberyard is a free, cross-platform, 3D game engine for you to create the
highest-quality games, connect your games to the vast compute and storage of the
AWS Cloud, and engage fans on Twitch. By starting game projects with Lumberyard,
you can spend more of your time creating great gameplay and building communities
of fans, and less time on the undifferentiated heavy lifting of building a game
engine and managing server infrastructure.

Internet of Things (IoT)

Topics
AWS IoT 1-Click

• AWS IoT 1-Click (p. 35)

• AWS IoT Analytics (p. 35)
• AWS IoT Button (p. 36)
• AWS IoT Core (p. 36)
• AWS IoT Device Defender (p. 36)
• AWS IoT Device Management (p. 37)
• AWS IoT Events (p. 37)
• AWS IoT Greengrass (p. 37)
• AWS IoT SiteWise (p. 37)
• AWS IoT Things Graph (p. 38)
• AWS Partner Device Catalog (p. 38)
• FreeRTOS (p. 38)

40
 Overview of Amazon Web Services AWS Whitepaper

AWS IoT 1-Click

AWS IoT 1-Click is a service that enables simple devices to trigger AWS Lambda
functions that can execute an action. AWS IoT 1-Click supported devices enable
you to easily perform actions such as notifying technical support, tracking
assets, and replenishing goods or services. AWS IoT 1-Click supported devices
are ready for use right out of the box and eliminate the need for writing your
own firmware or configuring them for secure connectivity. AWS IoT 1-Click
supported devices can be easily managed. You can easily create device groups and
associate them with a Lambda function that runs your desired action when
triggered. You can also track device health and activity with the pre-built
reports.

AWS IoT Analytics

AWS IoT Analytics is a fully-managed service that makes it easy to run and
operationalize sophisticated analytics on massive volumes of IoT data without
having to worry about the cost and complexity typically required to build an IoT
analytics platform. It is the easiest way to run analytics on IoT data and get
insights to make better and more accurate decisions for IoT applications and
machine learning use cases.

IoT data is highly unstructured which makes it difficult to analyze with

traditional analytics and business intelligence tools that are designed to
process structured data. IoT data comes from devices that often record fairly
noisy processes (such as temperature, motion, or sound). The data from these
devices can frequently have significant gaps, corrupted messages, and false
readings that must be cleaned up before analysis can occur. Also, IoT data is
often only meaningful in the context of additional, third party data inputs. For
example, to help farmers determine when to water their crops, vineyard
irrigation systems often enrich moisture sensor data with rainfall data from the
vineyard, allowing for more efficient water usage while maximizing harvest
yield.

AWS IoT Analytics automates each of the difficult steps that are required to
analyze data from IoT devices. AWS IoT Analytics filters, transforms, and
enriches IoT data before storing it in a time-series data store for analysis.
You can setup the service to collect only the data you need from your devices,
apply mathematical transforms to process the data, and enrich the data with
device-specific metadata such as device type and location before storing the
processed data. Then, you can analyze your data by running ad hoc or scheduled
queries using the built-in SQL query engine, or perform more complex analytics
and machine learning inference. AWS IoT Analytics makes it easy to get started
with machine learning by including pre-built models for common IoT use cases.

You can also use your own custom analysis, packaged in a container, to execute on
AWS IoT Analytics. AWS IoT Analytics automates the execution of your custom
analyses created in Jupyter Notebook or your own tools (such as Matlab, Octave,
etc.) to be executed on your schedule.
AWS IoT Button

AWS IoT Analytics is a fully managed service that operationalizes analyses and
scales automatically to support up to petabytes of IoT data. With AWS IoT
Analytics, you can analyze data from millions of devices and build fast,
responsive IoT applications without managing hardware or infrastructure.

41
 Overview of Amazon Web Services AWS Whitepaper

AWS IoT Button

The AWS IoT Button is a programmable button based on the Amazon Dash Button
hardware. This simple
Wi-Fi device is easy to configure, and it’s designed for developers to get
started with AWS IoT Core,
AWS Lambda, Amazon DynamoDB, Amazon SNS, and many other Amazon Web Services
without writing device-specific code.

You can code the button's logic in the cloud to configure button clicks to count
or track items, call or alert someone, start or stop something, order services,
or even provide feedback. For example, you can click the button to unlock or
start a car, open your garage door, call a cab, call your spouse or a customer
service representative, track the use of common household chores, medications or
products, or remotely control your home appliances.

The button can be used as a remote control for Netflix, a switch for your
Philips Hue light bulb, a check-in/check-out device for Airbnb guests, or a
way to order your favorite pizza for delivery. You can integrate it with
third-party APIs like Twitter, Facebook, Twilio, Slack or even your own
company's applications. Connect it to things we haven’t even thought of yet.

AWS IoT Core

AWS IoT Core is a managed cloud service that lets connected devices easily and
securely interact with cloud applications and other devices. AWS IoT Core can
support billions of devices and trillions of messages, and can process and route
those messages to AWS endpoints and to other devices reliably and securely. With
AWS IoT Core, your applications can keep track of and communicate with all your
devices, all the time, even when they aren’t connected.

AWS IoT Core makes it easy to use AWS services like AWS Lambda, Amazon Kinesis,
Amazon S3, Amazon SageMaker, Amazon DynamoDB, Amazon CloudWatch, AWS CloudTrail,
and Amazon QuickSight to build Internet of Things (IoT) applications that
gather, process, analyze and act on data generated by connected devices, without
having to manage any infrastructure.

AWS IoT Device Defender

AWS IoT Device Defender is a fully managed service that helps you secure your
fleet of IoT devices. AWS IoT Device Defender continuously audits your IoT
configurations to make sure that they aren’t deviating from security best
practices. A configuration is a set of technical controls you set to help keep
information secure when devices are communicating with each other and the
cloud. AWS IoT Device Defender makes it easy to maintain and enforce IoT
configurations, such as ensuring device identity, authenticating and
authorizing devices, and encrypting device data. AWS IoT Device Defender
continuously audits the IoT configurations on your devices against a set of
predefined security best practices. AWS IoT Device Defender sends an alert if
there are any gaps in your IoT configuration that might create a security risk,
such as identity certificates being shared across multiple devices or a device
with a revoked identity certificate trying to connect to AWS IoT Core.

AWS IoT Device Defender also lets you continuously monitor security metrics from
devices and AWS IoT Core for deviations from what you have defined as
appropriate behavior for each device. If something doesn’t look right, AWS IoT
Device Defender sends out an alert so you can take action to remediate the
issue. For example, traffic spikes in outbound traffic might indicate that a
device is participating in a DDoS attack. AWS IoT Greengrass and FreeRTOS

42
 Overview of Amazon Web Services AWS Whitepaper

automatically integrate with AWS IoT Device Defender to provide security metrics
from the devices for evaluation.

AWS IoT Device Defender can send alerts to the AWS IoT Console, Amazon
CloudWatch, and Amazon SNS. If you determine that you need to take an action
based on an alert, you can use AWS IoT Device Management to take mitigating
actions such as pushing security fixes.
AWS IoT Device Management

AWS IoT Device Management

As many IoT deployments consist of hundreds of thousands to millions of devices,
it is essential to track, monitor, and manage connected device fleets. You need
to ensure your IoT devices work properly and securely after they have been
deployed. You also need to secure access to your devices, monitor health, detect
and remotely troubleshoot problems, and manage software and firmware updates.

AWS IoT Device Management makes it easy to securely onboard, organize, monitor,
and remotely manage IoT devices at scale. With AWS IoT Device Management, you
can register your connected devices individually or in bulk, and easily manage
permissions so that devices remain secure. You can also organize your devices,
monitor and troubleshoot device functionality, query the state of any IoT device
in your fleet, and send firmware updates over-the-air (OTA). AWS IoT Device
Management is agnostic to device type and OS, so you can manage devices from
constrained microcontrollers to connected cars all with the same service. AWS
IoT Device Management allows you to scale your fleets and reduce the cost and
effort of managing large and diverse IoT device deployments.

AWS IoT Events

AWS IoT Events is a fully managed IoT service that makes it easy to detect and
respond to events from IoT sensors and applications. Events are patterns of data
identifying more complicated circumstances than expected, such as changes in
equipment when a belt is stuck or connected motion detectors using movement
signals to activate lights and security cameras. To detect events before AWS IoT
Events, you had to build costly, custom applications to collect data, apply
decision logic to detect an event, and then trigger another application to react
to the event. Using AWS IoT Events, it’s simple to detect events across
thousands of IoT sensors sending different telemetry data, such as temperature
from a freezer, humidity from respiratory equipment, and belt speed on a motor,
and hundreds of equipment management applications. You simply select the
relevant data sources to ingest, define the logic for each event using simple
‘if-then-else’ statements, and select the alert or custom action to trigger when
an event occurs. AWS IoT Events continuously monitors data from multiple IoT
sensors and applications, and it integrates with other services, such as AWS IoT
Core and AWS IoT Analytics, to enable early detection and unique insights into
events. AWS IoT Events automatically triggers alerts and actions in response to
events based on the logic you define. This helps resolve issues quickly, reduce
maintenance costs, and increase operational efficiency.

AWS IoT Greengrass

AWS IoT Greengrass seamlessly extends AWS to devices so they can act locally on
the data they generate, while still using the cloud for management, analytics,
and durable storage. With AWS IoT Greengrass, connected devices can run AWS
Lambda functions, execute predictions based on machine learning models, keep

43
 Overview of Amazon Web Services AWS Whitepaper

device data in sync, and communicate with other devices securely – even when not
connected to the Internet.

With AWS IoT Greengrass, you can use familiar languages and programming models
to create and test your device software in the cloud, and then deploy it to
your devices. AWS IoT Greengrass can be programmed to filter device data and
only transmit necessary information back to the cloud. You can also connect to
third-party applications, on-premises software, and AWS services out-of-the-
box with AWS IoT Greengrass Connectors. Connectors also jumpstart device
onboarding with pre-built protocol adapter integrations and allow you to
streamline authentication via integration with AWS Secrets Manager.

AWS IoT SiteWise

AWS IoT SiteWise is a managed service that makes it easy to collect, store,
organize and monitor data from industrial equipment at scale to help you make
better, data-driven decisions. You can use AWS IoT SiteWise to monitor
operations across facilities, quickly compute common industrial performance
AWS IoT Things Graph

metrics, and create applications that analyze industrial equipment data to

prevent costly equipment issues and reduce gaps in production. This allows you
to collect data consistently across devices, identify issues with remote
monitoring more quickly, and improve multi-site processes with centralized data.

Today, getting performance metrics from industrial equipment is challenging

because data is often locked into proprietary on-premises data stores and
typically requires specialized expertise to retrieve and place in a format that
is useful for analysis. AWS IoT SiteWise simplifies this process by providing
software running on a gateway that resides in your facilities and automates the
process of collecting and organizing industrial equipment data. This gateway
securely connects to your on-premises data servers, collects data, and sends the
data to the AWS Cloud. AWS IoT SiteWise also provides interfaces for collecting
data from modern industrial applications through MQTT messages or APIs.

You can use AWS IoT SiteWise to model your physical assets, processes and
facilities, quickly compute common industrial performance metrics, and create
fully managed web applications to help analyze industrial equipment data, reduce
costs and make faster decisions. With AWS IoT SiteWise, you can focus on
understanding and optimizing your operations, rather than building costly in-
house data collection and management applications.

AWS IoT Things Graph

AWS IoT Things Graph is a service that makes it easy to visually connect
different devices and web services to build IoT applications.

IoT applications are being built today using a variety of devices and web
services to automate tasks for a wide range of use cases, such as smart homes,
industrial automation, and energy management. Because there aren't any widely
adopted standards, it's difficult today for developers to get devices from
multiple manufacturers to connect to each other as well as with web services.
This forces developers to write lots of code to wire together all of the devices
and web services they need for their IoT application. AWS IoT Things Graph
provides a visual drag-and-drop interface for connecting and coordinating
devices and web services, so you can build IoT applications quickly. For
example, in a commercial agriculture application, you can define interactions

44
 Overview of Amazon Web Services AWS Whitepaper

between humidity, temperature, and sprinkler sensors with weather data services
in the cloud to automate watering. You represent devices and services using pre-
built reusable components, called models, that hide low-level details, such as
protocols and interfaces, and are easy to integrate to create sophisticated
workflows.

You can get started with AWS IoT Things Graph using these pre-built models for
popular device types, such as switches and programmable logic controllers
(PLCs), or create your own custom model using a GraphQL-based schema modeling
language, and deploy your IoT application to AWS IoT Greengrassenabled devices
such as cameras, cable set-top boxes, or robotic arms in just a few clicks. IoT
Greengrass is software that provides local compute and secure cloud connectivity
so devices can respond quickly to local events even without internet
connectivity, and runs on a huge range of devices from a Raspberry Pi to a
server-level appliance. IoT Things Graph applications run on IoT Greengrass-
enabled devices.

AWS Partner Device Catalog

The AWS Partner Device Catalog helps you find devices and hardware to help you
explore, build, and go to market with your IoT solutions. Search for and find
hardware that works with AWS, including development kits and embedded systems
to build new devices, as well as off-the-shelf-devices such as gateways, edge
servers, sensors, and cameras for immediate IoT project integration. The choice
of AWS enabled hardware from our curated catalog of devices from APN partners
can help make the rollout of your IoT projects easier. All devices listed in
the AWS Partner Device Catalog are also available for purchase from our
partners to get you started quickly.

FreeRTOS
FreeRTOS is an operating system for microcontrollers that makes small, low-
power edge devices easy to program, deploy, secure, connect, and manage.
FreeRTOS extends the FreeRTOS kernel, a popular
Machine Learning

open source operating system for microcontrollers, with software libraries that
make it easy to securely connect your small, low-power devices to AWS cloud
services like AWS IoT Core or to more powerful edge devices running AWS IoT
Greengrass.

A microcontroller (MCU) is a single chip containing a simple processor that can

be found in many devices, including appliances, sensors, fitness trackers,
industrial automation, and automobiles. Many of these small devices could
benefit from connecting to the cloud or locally to other devices. For example,
smart electricity meters need to connect to the cloud to report on usage, and
building security systems need to communicate locally so that a door will unlock
when you badge in. Microcontrollers have limited compute power and memory
capacity and typically perform simple, functional tasks. Microcontrollers
frequently run operating systems that do not have built-in functionality to
connect to local networks or the cloud, making IoT applications a challenge.
FreeRTOS helps solve this problem by providing both the core operating system
(to run the edge device) as well as software libraries that make it easy to
securely connect to the cloud (or other edge devices) so you can collect data
from them for IoT applications and take action.

45
 Overview of Amazon Web Services AWS Whitepaper

Machine Learning
Topics
• Amazon Augmented AI (p. 40)
• Amazon CodeGuru (p. 40)
• Amazon Comprehend (p. 40)
• Amazon DevOps Guru (p. 40)
• Amazon Elastic Inference (p. 41)
• Amazon Forecast (p. 41)
• Amazon Fraud Detector (p. 42)
• Amazon HealthLake (p. 42)
• Amazon Kendra (p. 42)
• Amazon Lex (p. 42)
• Amazon Lookout for Equipment (p. 43)
• Amazon Lookout for Metrics (p. 43)
• Amazon Lookout for Vision (p. 43)
• Amazon Monitron (p. 43)
• Amazon Personalize (p. 44)
• Amazon Polly (p. 44)
• Amazon Rekognition (p. 44)
• Amazon SageMaker (p. 45)
• Amazon SageMaker Ground Truth (p. 45)
• Amazon Textract (p. 46)
• Amazon Transcribe (p. 46)
• Amazon Translate (p. 46)
• Apache MXNet on AWS (p. 46)
• AWS Deep Learning AMIs (p. 47)
• AWS DeepComposer (p. 47)
• AWS DeepLens (p. 47)
• AWS DeepRacer (p. 47)
• AWS Inferentia (p. 47)
• TensorFlow on AWS (p. 48)
Amazon Augmented AI

Amazon Augmented AI
Amazon Augmented AI (Amazon A2I) is a machine learning service which makes it
easy to build the workflows required for human review. Amazon A2I brings human
review to all developers, removing the undifferentiated heavy lifting
associated with building human review systems or managing large numbers of
human reviewers whether it runs on AWS or not.

Amazon CodeGuru
Amazon CodeGuru is a developer tool that provides intelligent recommendations to
improve code quality and identify an application’s most expensive lines of code.
Integrate CodeGuru into your existing software development workflow to automate

46
 Overview of Amazon Web Services AWS Whitepaper

code reviews during application development and continuously monitor

application's performance in production and provide recommendations and visual
clues on how to improve code quality, application performance, and reduce
overall cost.

CodeGuru Reviewer uses machine learning and automated reasoning to identify

critical issues, security vulnerabilities, and hard-to-find bugs during
application development and provides recommendations to improve code quality.

CodeGuru Profiler helps developers find an application’s most expensive lines of

code by helping them understand the runtime behavior of their applications,
identify and remove code inefficiencies, improve performance, and significantly
decrease compute costs.

Amazon Comprehend
Amazon Comprehend is a natural language processing (NLP) service that uses
machine learning to find insights and relationships in text. No machine learning
experience required.

There is a treasure trove of potential sitting in your unstructured data.

Customer emails, support tickets, product reviews, social media, even
advertising copy represents insights into customer sentiment that can be put to
work for your business. The question is how to get at it? As it turns out,
Machine learning is particularly good at accurately identifying specific items
of interest inside vast swathes of text (such as finding company names in
analyst reports), and can learn the sentiment hidden inside language
(identifying negative reviews, or positive customer interactions with customer
service agents), at almost limitless scale.

Amazon Comprehend uses machine learning to help you uncover the insights and
relationships in your unstructured data. The service identifies the language of
the text; extracts key phrases, places, people, brands, or events; understands
how positive or negative the text is; analyzes text using tokenization and parts
of speech; and automatically organizes a collection of text files by topic. You
can also use AutoML capabilities in Amazon Comprehend to build a custom set of
entities or text classification models that are tailored uniquely to your
organization’s needs.

For extracting complex medical information from unstructured text, you can use
Amazon Comprehend Medical. The service can identify medical information, such as
medical conditions, medications, dosages, strengths, and frequencies from a
variety of sources like doctor’s notes, clinical trial reports, and patient
health records. Amazon Comprehend Medical also identifies the relationship among
the extracted medication and test, treatment and procedure information for
easier analysis. For example, the service identifies a particular dosage,
strength, and frequency related to a specific medication from unstructured
clinical notes.

Amazon DevOps Guru

Amazon DevOps Guru is a Machine Learning (ML) powered service that makes it easy
to improve an application’s operational performance and availability. DevOps
Guru detects behaviors that deviate from normal operating patterns so you can
identify operational issues long before they impact your customers.
Amazon Elastic Inference

47
 Overview of Amazon Web Services AWS Whitepaper

DevOps Guru uses machine learning models informed by years of Amazon.com and AWS
operational excellence to identify anomalous application behavior (e.g.
increased latency, error rates, resource constraints, etc.) and surface critical
issues that could cause potential outages or service disruptions. When DevOps
Guru identifies a critical issue, it automatically sends an alert and provides a
summary of related anomalies, the likely root cause, and context about when and
where the issue occurred. When possible DevOps Guru, also provides
recommendations on how to remediate the issue.

DevOps Guru automatically ingests operational data from your AWS applications
and provides a single dashboard to visualize issues in your operational data.
You can get started with DevOps Guru by selecting coverage from your
CloudFormation stacks or your AWS account to improve application availability
and reliability with no manual setup or machine learning expertise.

Amazon Elastic Inference

Amazon Elastic Inference allows you to attach low-cost GPU-powered acceleration
to Amazon EC2 and Amazon SageMaker instances to reduce the cost of running
deep learning inference by up to 75%. Amazon Elastic Inference supports
TensorFlow, Apache MXNet, PyTorch, and ONNX models.

In most deep learning applications, making predictions using a trained model—a

process called inference
—can drive as much as 90% of the compute costs of the application due to two
factors. First, standalone GPU instances are designed for model training and are
typically oversized for inference. While training jobs batch process hundreds of
data samples in parallel, most inference happens on a single input in real time
that consumes only a small amount of GPU compute. Even at peak load, a GPU's
compute capacity may not be fully utilized, which is wasteful and costly.
Second, different models need different amounts of GPU, CPU, and memory
resources. Selecting a GPU instance type that is big enough to satisfy the
requirements of the least used resource often results in under-utilization of
the other resources and high costs.

Amazon Elastic Inference solves these problems by allowing you to attach just the
right amount of GPU-powered inference acceleration to any EC2 or SageMaker
instance type with no code changes.
With Amazon Elastic Inference, you can now choose the instance type that is best
suited to the overall CPU and memory needs of your application, and then
separately configure the amount of inference acceleration that you need to use
resources efficiently and to reduce the cost of running inference.

Amazon Forecast
Amazon Forecast is a fully managed service that uses machine learning to deliver
highly accurate forecasts.

Companies today use everything from simple spreadsheets to complex financial

planning software to attempt to accurately forecast future business outcomes
such as product demand, resource needs, or financial performance. These tools
build forecasts by looking at a historical series of data, which is called time
series data. For example, such tools may try to predict the future sales of a
raincoat by looking only at its previous sales data with the underlying
assumption that the future is determined by the past. This approach can struggle
to produce accurate forecasts for large sets of data that have irregular trends.
Also, it fails to easily combine data series that change over time (such as

48
 Overview of Amazon Web Services AWS Whitepaper

price, discounts, web traffic, and number of employees) with relevant

independent variables like product features and store locations.

Based on the same technology used at Amazon.com, Amazon Forecast uses machine
learning to combine time series data with additional variables to build
forecasts. Amazon Forecast requires no machine learning experience to get
started. You only need to provide historical data, plus any additional data that
you believe may impact your forecasts. For example, the demand for a particular
color of a shirt may change with the seasons and store location. This complex
relationship is hard to determine on its own, but machine learning is ideally
suited to recognize it. Once you provide your data, Amazon Forecast will
automatically examine it, identify what is meaningful, and produce a forecasting
model capable of making predictions that are up to 50% more accurate than
looking at time series data alone.
Amazon Fraud Detector

Amazon Forecast is a fully managed service, so there are no servers to provision,

and no machine learning models to build, train, or deploy. You pay only for what
you use, and there are no minimum fees and no upfront commitments.

Amazon Fraud Detector

Amazon Fraud Detector is a fully managed service that uses machine learning
(ML) and more than 20 years of fraud detection expertise from Amazon, to
identify potentially fraudulent activity so customers can catch more online
fraud faster. Amazon Fraud Detector automates the time consuming and expensive
steps to build, train, and deploy an ML model for fraud detection, making it
easier for customers to leverage the technology. Amazon Fraud Detector
customizes each model it creates to a customer’s own dataset, making the
accuracy of models higher than current one-size fits all ML solutions. And,
because you pay only for what you use, you avoid large upfront expenses.

Amazon HealthLake
Amazon HealthLake is a HIPAA-eligible service that healthcare providers, health
insurance companies, and pharmaceutical companies can use to store, transform,
query, and analyze large-scale health data.

Health data is frequently incomplete and inconsistent. It's also often

unstructured, with information contained in clinical notes, lab reports,
insurance claims, medical images, recorded conversations, and time-series data
(for example, heart ECG or brain EEG traces).

Healthcare providers can use HealthLake to store, transform, query, and analyze
data in the AWS Cloud. Using the HealthLake integrated medical natural language
processing (NLP) capabilities, you can analyze unstructured clinical text from
diverse sources. HealthLake transforms unstructured data using natural language
processing models, and provides powerful query and search capabilities. You can
use HealthLake to organize, index, and structure patient information in a
secure, compliant, and auditable manner.

Amazon Kendra
Amazon Kendra is an intelligent search service powered by machine learning.
Kendra reimagines enterprise search for your websites and applications so your
employees and customers can easily find the content they are looking for, even

49
 Overview of Amazon Web Services AWS Whitepaper

when it’s scattered across multiple locations and content repositories within
your organization.

Using Amazon Kendra, you can stop searching through troves of unstructured data
and discover the right answers to your questions, when you need them. Amazon
Kendra is a fully managed service, so there are no servers to provision, and no
machine learning models to build, train, or deploy.

Amazon Lex
Amazon Lex is a service for building conversational interfaces into any
application using voice and text. Lex provides the advanced deep learning
functionalities of automatic speech recognition (ASR) for converting speech to
text, and natural language understanding (NLU) to recognize the intent of the
text, to enable you to build applications with highly engaging user experiences
and lifelike conversational interactions. With Amazon Lex, the same deep
learning technologies that power Amazon Alexa are now available to any
developer, enabling you to quickly and easily build sophisticated, natural
language, conversational bots (“chatbots”).

Speech recognition and natural language understanding are some of the most
challenging problems to solve in computer science, requiring sophisticated deep
learning algorithms to be trained on massive amounts of data and
infrastructure. Amazon Lex democratizes these deep learning technologies by
putting the power of Alexa within reach of all developers. Harnessing these
technologies, Amazon Lex enables you to define entirely new categories of
products made possible through conversational interfaces.
Amazon Lookout for Equipment

Amazon Lookout for Equipment

Amazon Lookout for Equipment analyzes the data from the sensors on your
equipment (e.g. pressure in a generator, flow rate of a compressor, revolutions
per minute of fans), to automatically train a machine learning model based on
just your data, for your equipment – with no ML expertise required. Lookout for
Equipment uses your unique ML model to analyze incoming sensor data in real-
time and accurately identify early warning signs that could lead to machine
failures. This means you can detect equipment abnormalities with speed and
precision, quickly diagnose issues, take action to reduce expensive downtime,
and reduce false alerts.

Amazon Lookout for Metrics

Amazon Lookout for Metrics uses machine learning (ML) to automatically detect and
diagnose anomalies (i.e. outliers from the norm) in business and operational
data, such as a sudden dip in sales revenue or customer acquisition rates. In a
couple of clicks, you can connect Amazon Lookout for Metrics to popular data
stores like Amazon S3, Amazon Redshift, and Amazon Relational Database Service
(RDS), as well as third-party SaaS applications, such as Salesforce, Servicenow,
Zendesk, and Marketo, and start monitoring metrics that are important to your
business. Amazon Lookout for Metrics automatically inspects and prepares the
data from these sources to detect anomalies with greater speed and accuracy than
traditional methods used for anomaly detection. You can also provide feedback on
detected anomalies to tune the results and improve accuracy over time. Amazon
Lookout for Metrics makes it easy to diagnose detected anomalies by grouping
together anomalies that are related to the same event and sending an alert that

50
 Overview of Amazon Web Services AWS Whitepaper

includes a summary of the potential root cause. It also ranks anomalies in order
of severity so that you can prioritize your attention to what matters the most
to your business.

Amazon Lookout for Vision

Amazon Lookout for Vision is a machine learning (ML) service that spots defects
and anomalies in visual representations using computer vision (CV). With Amazon
Lookout for Vision, manufacturing companies can increase quality and reduce
operational costs by quickly identifying differences in images of objects at
scale. For example, Amazon Lookout for Vision can be used to identify missing
components in products, damage to vehicles or structures, irregularities in
production lines, miniscule defects in silicon wafers, and other similar
problems. Amazon Lookout for Vision uses ML to see and understand images from
any camera as a person would, but with an even higher degree of accuracy and at
a much larger scale. Amazon Lookout for Vision allows customers to eliminate the
need for costly and inconsistent manual inspection, while improving quality
control, defect and damage assessment, and compliance. In minutes, you can begin
using Amazon Lookout for Vision to automate inspection of images and objects–
with no machine learning expertise required.

Amazon Monitron
Amazon Monitron is an end-to-end system that uses machine learning (ML) to detect
abnormal behavior in industrial machinery, enabling you to implement predictive
maintenance and reduce unplanned downtime.

Installing sensors and the necessary infrastructure for data connectivity,

storage, analytics, and alerting are foundational elements for enabling
predictive maintenance. However, in order to make it work, companies have
historically needed skilled technicians and data scientists to piece together a
complex solution from scratch. This included identifying and procuring the right
type of sensors for their use cases and connecting them together with an IoT
gateway (a device that aggregates and transmits data). As a result, few
companies have been able to successfully implement predictive maintenance.

Amazon Monitron includes sensors to capture vibration and temperature data from
equipment, a gateway device to securely transfer data to AWS, the Amazon
Monitron service that analyzes the data for abnormal machine patterns using
machine learning, and a companion mobile app to set up the devices
Amazon Personalize

and receive reports on operating behavior and alerts to potential failures in

your machinery. You can start monitoring equipment health in minutes without any
development work or ML experience required, and enable predictive maintenance
with the same technology used to monitor equipment in Amazon Fulfillment
Centers.

Amazon Personalize
Amazon Personalize is a machine learning service that makes it easy for
developers to create individualized recommendations for customers using their
applications.

Machine learning is being increasingly used to improve customer engagement by

powering personalized product and content recommendations, tailored search

51
 Overview of Amazon Web Services AWS Whitepaper

results, and targeted marketing promotions. However, developing the machine-

learning capabilities necessary to produce these sophisticated recommendation
systems has been beyond the reach of most organizations today due to the
complexity of developing machine learning functionality. Amazon Personalize
allows developers with no prior machine learning experience to easily build
sophisticated personalization capabilities into their applications, using
machine learning technology perfected from years of use on Amazon.com.

With Amazon Personalize, you provide an activity stream from your application –
page views, signups, purchases, and so forth – as well as an inventory of the
items you want to recommend, such as articles, products, videos, or music. You
can also choose to provide Amazon Personalize with additional demographic
information from your users such as age, or geographic location. Amazon
Personalize will process and examine the data, identify what is meaningful,
select the right algorithms, and train and optimize a personalization model
that is customized for your data.

All data analyzed by Amazon Personalize is kept private and secure, and only used
for your customized recommendations. You can start serving your personalized
predictions via a simple API call from inside the virtual private cloud that the
service maintains. You pay only for what you use, and there are no minimum fees
and no upfront commitments.

Amazon Personalize is like having your own Amazon.com machine learning

personalization team at your disposal, 24 hours a day.

Amazon Polly
Amazon Polly is a service that turns text into lifelike speech. Polly lets you
create applications that talk, enabling you to build entirely new categories of
speech-enabled products. Polly is an Amazon artificial intelligence (AI) service
that uses advanced deep learning technologies to synthesize speech that sounds
like a human voice. Polly includes a wide selection of lifelike voices spread
across dozens of languages, so you can select the ideal voice and build speech-
enabled applications that work in many different countries.

Amazon Polly delivers the consistently fast response times required to support
real-time, interactive dialog. You can cache and save Polly’s speech audio to
replay offline or redistribute. And Polly is easy to use. You simply send the
text you want converted into speech to the Polly API, and Polly immediately
returns the audio stream to your application so your application can play it
directly or store it in a standard audio file format, such as MP3.

With Polly, you only pay for the number of characters you convert to speech, and
you can save and replay Polly’s generated speech. Polly’s low cost per character
converted, and lack of restrictions on storage and reuse of voice output, make
it a cost-effective way to enable Text-to-Speech everywhere.

Amazon Rekognition
Amazon Rekognition makes it easy to add image and video analysis to your
applications using proven, highly scalable, deep learning technology that
requires no machine learning expertise to use. With
Amazon SageMaker

Amazon Rekognition, you can identify objects, people, text, scenes, and
activities in images and videos, as well as detect any inappropriate content.

52
 Overview of Amazon Web Services AWS Whitepaper

Amazon Rekognition also provides highly accurate facial analysis and facial
search capabilities that you can use to detect, analyze, and compare faces for a
wide variety of user verification, people counting, and public safety use cases.

With Amazon Rekognition Custom Labels, you can identify the objects and scenes in
images that are specific to your business needs. For example, you can build a
model to classify specific machine parts on your assembly line or to detect
unhealthy plants. Amazon Rekognition Custom Labels takes care of the heavy
lifting of model development for you, so no machine learning experience is
required. You simply need to supply images of objects or scenes you want to
identify, and the service handles the rest.

Amazon SageMaker
Amazon SageMaker is a fully-managed service that enables developers and data
scientists to quickly and easily build, train, and deploy machine learning
models at any scale. SageMaker removes all the barriers that typically slow down
developers who want to use machine learning.

Machine learning often feels a lot harder than it should be to most developers
because the process to build and train models, and then deploy them into
production is too complicated and too slow. First, you need to collect and
prepare your training data to discover which elements of your data set are
important. Then, you need to select which algorithm and framework you’ll use.
After deciding on your approach, you need to teach the model how to make
predictions by training, which requires a lot of compute. Then, you need to tune
the model so it delivers the best possible predictions, which is often a tedious
and manual effort. After you’ve developed a fully trained model, you need to
integrate the model with your application and deploy this application on
infrastructure that will scale. All of this takes a lot of specialized
expertise, access to large amounts of compute and storage, and a lot of time to
experiment and optimize every part of the process. In the end, it's not a
surprise that the whole thing feels out of reach for most developers.

SageMaker removes the complexity that holds back developer success with each of
these steps. SageMaker includes modules that can be used together or
independently to build, train, and deploy your machine learning models.

Amazon SageMaker Ground Truth

Amazon SageMaker Ground Truth helps you build highly accurate training datasets
for machine learning quickly. SageMaker Ground Truth offers easy access to
public and private human labelers and provides them with built-in workflows and
interfaces for common labeling tasks. Additionally, SageMaker Ground Truth can
lower your labeling costs by up to 70% using automatic labeling, which works by
training Ground Truth from data labeled by humans so that the service learns to
label data independently.

Successful machine learning models are built on the shoulders of large volumes of
high-quality training data. But, the process to create the training data
necessary to build these models is often expensive, complicated, and time-
consuming. The majority of models created today require a human to manually
label data in a way that allows the model to learn how to make correct
decisions. For example, building a computer vision system that is reliable
enough to identify objects - such as traffic lights, stop signs, and pedestrians
- requires thousands of hours of video recordings that consist of hundreds of
millions of video frames. Each one of these frames needs all of the important

53
 Overview of Amazon Web Services AWS Whitepaper

elements like the road, other cars, and signage to be labeled by a human before
any work can begin on the model you want to develop.

Amazon SageMaker Ground Truth significantly reduces the time and effort
required to create datasets for training to reduce costs. These savings are
achieved by using machine learning to automatically label data. The model is
able to get progressively better over time by continuously learning from labels
created by human labelers.

Where the labeling model has high confidence in its results based on what it has
learned so far, it will automatically apply labels to the raw data. Where the
labeling model has lower confidence in its results,
Amazon Textract

it will pass the data to humans to do the labeling. The human-generated labels
are provided back to the labeling model for it to learn from and improve. Over
time, SageMaker Ground Truth can label more and more data automatically and
substantially speed up the creation of training datasets.

Amazon Textract
Amazon Textract is a service that automatically extracts text and data from
scanned documents. Amazon Textract goes beyond simple optical character
recognition (OCR) to also identify the contents of fields in forms and
information stored in tables.

Many companies today extract data from documents and forms through manual data
entry that’s slow and expensive or through simple optical character recognition
(OCR) software that is difficult to customize. Rules and workflows for each
document and form often need to be hard-coded and updated with each change to
the form or when dealing with multiple forms. If the form deviates from the
rules, the output is often scrambled and unusable.

Amazon Textract overcomes these challenges by using machine learning to

instantly “read” virtually any type of document to accurately extract text and
data without the need for any manual effort or custom code. With Textract you
can quickly automate document workflows, enabling you to process millions of
document pages in hours. Once the information is captured, you can take action
on it within your business applications to initiate next steps for a loan
application or medical claims processing. Additionally, you can create smart
search indexes, build automated approval workflows, and better maintain
compliance with document archival rules by flagging data that may require
redaction.

Amazon Transcribe
Amazon Transcribe is an automatic speech recognition (ASR) service that makes it
easy for developers to add speech-to-text capability to their applications.
Using the Amazon Transcribe API, you can analyze audio files stored in Amazon S3
and have the service return a text file of the transcribed speech. You can also
send a live audio stream to Amazon Transcribe and receive a stream of
transcripts in real time.

Amazon Transcribe can be used for lots of common applications, including the
transcription of customer service calls and generating subtitles on audio and
video content. The service can transcribe audio files stored in common formats,
like WAV and MP3, with time stamps for every word so that you can easily locate

54
 Overview of Amazon Web Services AWS Whitepaper

the audio in the original source by searching for the text. Amazon Transcribe is
continually learning and improving to keep pace with the evolution of language.

Amazon Translate
Amazon Translate is a neural machine translation service that delivers fast,
high-quality, and affordable language translation. Neural machine translation is
a form of language translation automation that uses deep learning models to
deliver more accurate and more natural sounding translation than traditional
statistical and rule-based translation algorithms. Amazon Translate allows you
to localize content such as websites and applications - for international users,
and to easily translate large volumes of text efficiently.

Apache MXNet on AWS

Apache MXNet on AWS is a fast and scalable training and inference framework with
an easy-to-use, concise API for machine learning.

MXNet includes the Gluon interface that allows developers of all skill levels
to get started with deep learning on the cloud, on edge devices, and on
mobile apps. In just a few lines of Gluon code, you can build linear
regression, convolutional networks and recurrent LSTMs for object detection,
speech recognition, recommendation, and personalization.
AWS Deep Learning AMIs

You can get started with MxNet on AWS with a fully-managed experience using
SageMaker, a platform to build, train, and deploy machine learning models at
scale. Or, you can use the AWS Deep Learning AMIs to build custom environments
and workflows with MxNet as well as other frameworks including TensorFlow,
PyTorch, Chainer, Keras, Caffe, Caffe2, and Microsoft Cognitive Toolkit.

AWS Deep Learning AMIs

The AWS Deep Learning AMIs provide machine learning practitioners and researchers
with the infrastructure and tools to accelerate deep learning in the cloud, at
any scale. You can quickly launch Amazon EC2 instances pre-installed with
popular deep learning frameworks such as Apache MXNet and Gluon, TensorFlow,
Microsoft Cognitive Toolkit, Caffe, Caffe2, Theano, Torch, PyTorch, Chainer, and
Keras to train sophisticated, custom AI models, experiment with new algorithms,
or to learn new skills and techniques.

AWS DeepComposer
AWS DeepComposer is the world’s first musical keyboard powered by machine
learning to enable developers of all skill levels to learn Generative AI while
creating original music outputs. DeepComposer consists of a USB keyboard that
connects to the developer’s computer, and the DeepComposer service, accessed
through the AWS Management Console. DeepComposer includes tutorials, sample
code, and training data that can be used to start building generative models.

55
 Overview of Amazon Web Services AWS Whitepaper

AWS DeepLens
AWS DeepLens helps put deep learning in the hands of developers, literally, with
a fully programmable video camera, tutorials, code, and pre-trained models
designed to expand deep learning skills.

AWS DeepRacer
AWS DeepRacer is a 1/18th scale race car which gives you an interesting and fun
way to get started with reinforcement learning (RL). RL is an advanced machine
learning (ML) technique which takes a very different approach to training
models than other machine learning methods. Its super power is that it learns
very complex behaviors without requiring any labeled training data, and can
make short term decisions while optimizing for a longer term goal.

With AWS DeepRacer, you now have a way to get hands-on with RL, experiment, and
learn through autonomous driving. You can get started with the virtual car and
tracks in the cloud-based 3D racing simulator, and for a real-world experience,
you can deploy your trained models onto AWS DeepRacer and race your friends, or
take part in the global AWS DeepRacer League. Developers, the race is on.

AWS Inferentia
AWS Inferentia is a machine learning inference chip designed to deliver high
performance at low cost. AWS Inferentia will support the TensorFlow, Apache
MXNet, and PyTorch deep learning frameworks, as well as models that use the ONNX
format.

Making predictions using a trained machine learning model–a process called

inference–can drive as much as 90% of the compute costs of the application.
Using Amazon Elastic Inference, developers can reduce inference costs by up to
75% by attaching GPU-powered inference acceleration to Amazon EC2 and SageMaker
instances. However, some inference workloads require an entire GPU or have
extremely low latency requirements. Solving this challenge at low cost requires
a dedicated inference chip.

AWS Inferentia provides high throughput, low latency inference performance at an

extremely low cost. Each chip provides hundreds of TOPS (tera operations per
second) of inference throughput to allow complex models to make fast
predictions. For even more performance, multiple AWS Inferentia chips can
TensorFlow on AWS

be used together to drive thousands of TOPS of throughput. AWS Inferentia will be

available for use with SageMaker, Amazon EC2, and Amazon Elastic Inference.

TensorFlow on AWS
TensorFlow enables developers to quickly and easily get started with deep
learning in the cloud. The framework has broad support in the industry and has
become a popular choice for deep learning research and application development,
particularly in areas such as computer vision, natural language understanding
and speech translation.

You can get started on AWS with a fully-managed TensorFlow experience with
SageMaker, a platform to build, train, and deploy machine learning models at
scale. Or, you can use the AWS Deep Learning AMIs to build custom environments

56
 Overview of Amazon Web Services AWS Whitepaper

and workflows with TensorFlow and other popular frameworks including Apache
MXNet, PyTorch, Caffe, Caffe2, Chainer, Gluon, Keras, and Microsoft Cognitive
Toolkit.

Management and Governance

Topics
• Amazon CloudWatch (p. 48)
• AWS Auto Scaling (p. 49)
• AWS Chatbot (p. 49)
• AWS Compute Optimizer (p. 49)
• AWS Control Tower (p. 49)
• AWS CloudFormation (p. 50)
• AWS CloudTrail (p. 50)
• AWS Config (p. 50)
• AWS Launch Wizard (p. 51)
• AWS Organizations (p. 51)
• AWS OpsWorks (p. 51)
• AWS Proton (p. 51)
• AWS Service Catalog (p. 51)
• AWS Systems Manager (p. 52)
• AWS Trusted Advisor (p. 53)
• AWS Personal Health Dashboard (p. 53) • AWS Managed Services (p. 53)
• AWS Console Mobile Application (p. 53)
• AWS License Manager (p. 54)
• AWS Well-Architected Tool (p. 54)

Amazon CloudWatch
Amazon CloudWatch is a monitoring and management service built for developers,
system operators, site reliability engineers (SRE), and IT managers. CloudWatch
provides you with data and actionable insights to monitor your applications,
understand and respond to system-wide performance changes, optimize resource
utilization, and get a unified view of operational health. CloudWatch collects
monitoring and operational data in the form of logs, metrics, and events,
providing you with a unified view of AWS resources, applications and services
that run on AWS, and on-premises servers. You can use CloudWatch to set high
resolution alarms, visualize logs and metrics side by side, take automated
AWS Auto Scaling

actions, troubleshoot issues, and discover insights to optimize your

applications, and ensure they are running smoothly.

AWS Auto Scaling

AWS Auto Scaling monitors your applications and automatically adjusts capacity to
maintain steady, predictable performance at the lowest possible cost. Using AWS

57
 Overview of Amazon Web Services AWS Whitepaper

Auto Scaling, it’s easy to setup application scaling for multiple resources
across multiple services in minutes. The service provides a simple, powerful
user interface that lets you build scaling plans for resources including Amazon
EC2 instances and Spot Fleets, Amazon ECS tasks, Amazon DynamoDB tables and
indexes, and Amazon Aurora Replicas. AWS Auto Scaling makes scaling simple with
recommendations that allow you to optimize performance, costs, or balance
between them. If you’re already using Amazon EC2 Auto Scaling to dynamically
scale your Amazon EC2 instances, you can now combine it with AWS Auto Scaling to
scale additional resources for other AWS services. With AWS Auto Scaling, your
applications always have the right resources at the right time.

AWS Chatbot
AWS Chatbot is an interactive agent that makes it easy to monitor and interact
with your AWS resources in your Slack channels and Amazon Chime chat rooms. With
AWS Chatbot you can receive alerts, run commands to return diagnostic
information, invoke AWS Lambda functions, and create AWS support cases.

AWS Chatbot manages the integration between AWS services and your Slack channels
or Amazon Chime chat rooms helping you to get started with ChatOps fast. With
just a few clicks you can start receiving notifications and issuing commands in
your chosen channels or chat rooms, so your team doesn’t have to switch contexts
to collaborate. AWS Chatbot makes it easier for your team to stay updated,
collaborate, and respond faster to operational events, security findings, CI/CD
workflows, budget, and other alerts for applications running in your AWS
accounts.

AWS Compute Optimizer

AWS Compute Optimizer recommends optimal AWS resources for your workloads to
reduce costs and improve performance by using machine learning to analyze
historical utilization metrics. Overprovisioning resources can lead to
unnecessary infrastructure cost, and under-provisioning resources can lead to
poor application performance. Compute Optimizer helps you choose optimal
configurations for three types of AWS resources: Amazon EC2 instances, Amazon
EBS volumes, and AWS Lambda functions, based on your utilization data.

By applying the knowledge drawn from Amazon’s own experience running diverse
workloads in the cloud, Compute Optimizer identifies workload patterns and
recommends optimal AWS resources. Compute Optimizer analyzes the
configuration and resource utilization of your workload to identify dozens of
defining characteristics, for example, if a workload is CPU-intensive, if it
exhibits a daily pattern, or if a workload accesses local storage frequently.
The service processes these characteristics and identifies the hardware
resource required by the workload. Compute Optimizer infers how the workload
would have performed on various hardware platforms (e.g. Amazon EC2 instances
types) or using different configurations (e.g. Amazon EBS volume IOPS
settings, and AWS Lambda function memory sizes) to offer recommendations.

Compute Optimizer is available to you at no additional charge. To get started,

you can opt in to the service in the AWS Compute Optimizer Console.

AWS Control Tower

AWS Control Tower automates the set-up of a baseline environment, or landing
zone, that is a secure, well-architected multi-account AWS environment. The
configuration of the landing zone is based on

58
 Overview of Amazon Web Services AWS Whitepaper

AWS CloudFormation

best practices that have been established by working with thousands of enterprise
customers to create a secure environment that makes it easier to govern AWS
workloads with rules for security, operations, and compliance.

As enterprises migrate to AWS, they typically have a large number of applications

and distributed teams. They often want to create multiple accounts to allow
their teams to work independently, while still maintaining a consistent level of
security and compliance. In addition, they use AWS’s management and security
services, like AWS Organizations, AWS Service Catalog and AWS Config, that
provide very granular controls over their workloads. They want to maintain this
control, but they also want a way to centrally govern and enforce the best use
of AWS services across all the accounts in their environment.

Control Tower automates the set-up of their landing zone and configures AWS
management and security services based on established best practices in a
secure, compliant, multi-account environment. Distributed teams are able to
provision new AWS accounts quickly, while central teams have the peace of mind
knowing that new accounts are aligned with centrally established, company-wide
compliance policies. This gives you control over your environment, without
sacrificing the speed and agility AWS provides your development teams.

AWS CloudFormation
AWS CloudFormation gives developers and systems administrators an easy way to
create and manage a collection of related AWS resources, provisioning and
updating them in an orderly and predictable fashion.

You can use the AWS CloudFormation sample templates or create your own
templates to describe your AWS resources, and any associated dependencies or
runtime parameters, required to run your application. You don’t need to figure
out the order for provisioning AWS services or the subtleties of making those
dependencies work. CloudFormation takes care of this for you. After the AWS
resources are deployed, you can modify and update them in a controlled and
predictable way, in effect applying version control to your AWS infrastructure
the same way you do with your software. You can also visualize your templates
as diagrams and edit them using a drag-and-drop interface with the AWS
CloudFormation Designer.

AWS CloudTrail
AWS CloudTrail is a web service that records AWS API calls for your account and
delivers log files to you. The recorded information includes the identity of
the API caller, the time of the API call, the source IP address of the API
caller, the request parameters, and the response elements returned by the AWS
service.

With CloudTrail, you can get a history of AWS API calls for your account,
including API calls made using the AWS Management Console, AWS SDKs, command
line tools, and higher-level AWS services (such as AWS CloudFormation (p. 50)).
The AWS API call history produced by CloudTrail enables security analysis,
resource change tracking, and compliance auditing.

59
 Overview of Amazon Web Services AWS Whitepaper

AWS Config
AWS Config is a fully managed service that provides you with an AWS resource
inventory, configuration history, and configuration change notifications to
enable security and governance. The Config Rules feature enables you to create
rules that automatically check the configuration of AWS resources recorded by
AWS Config.

With AWS Config, you can discover existing and deleted AWS resources, determine
your overall compliance against rules, and dive into configuration details of a
resource at any point in time. These capabilities enable compliance auditing,
security analysis, resource change tracking, and troubleshooting.
AWS Launch Wizard

AWS Launch Wizard

AWS Launch Wizard offers a guided way of sizing, configuring, and deploying AWS
resources for third party applications, such as Microsoft SQL Server Always On
and HANA based SAP systems, without the need to manually identify and provision
individual AWS resources. To start, you input your application requirements,
including performance, number of nodes, and connectivity on the service console.
Launch Wizard then identifies the right AWS resources, such as EC2 instances and
EBS volumes, to deploy and run your application. Launch Wizard provides an
estimated cost of deployment, and lets you modify your resources to instantly
view an updated cost assessment. Once you approve the AWS resources, Launch
Wizard automatically provisions and configures the selected resources to create
a fully-functioning, production-ready application.

AWS Launch Wizard also creates CloudFormation templates that can serve as a
baseline to accelerate subsequent deployments. Launch Wizard is available to you
at no additional charge. You only pay for the AWS resources that are provisioned
for running your solution.

AWS Organizations
AWS Organizations helps you centrally manage and govern your environment as you
grow and scale your AWS resources. Using AWS Organizations, you can
programmatically create new AWS accounts and allocate resources, group accounts
to organize your workflows, apply policies to accounts or groups for governance,
and simplify billing by using a single payment method for all of your accounts.

In addition, AWS Organizations is integrated with other AWS services so you can
define central configurations, security mechanisms, audit requirements, and
resource sharing across accounts in your organization. AWS Organizations is
available to all AWS customers at no additional charge.

AWS OpsWorks
AWS OpsWorks is a configuration management service that provides managed
instances of Chef and Puppet. Chef and Puppet are automation platforms that
allow you to use code to automate the configurations of your servers.
OpsWorks lets you use Chef and Puppet to automate how servers are configured,
deployed, and managed across your Amazon EC2 instances or on-premises compute
environments. OpsWorks has three offerings, AWS OpsWorks for Chef Automate,
AWS OpsWorks for Puppet Enterprise, and AWS OpsWorks Stacks.

60
 Overview of Amazon Web Services AWS Whitepaper

AWS Proton
AWS Proton is the first fully managed delivery service for container and
serverless applications. Platform engineering teams can use AWS Proton to
connect and coordinate all the different tools needed for infrastructure
provisioning, code deployments, monitoring, and updates.

Maintaining hundreds – or sometimes thousands – of microservices with constantly

changing infrastructure resources and continuous integration/continuous delivery
(CI/CD) configurations is a nearly impossible task for even the most capable
platform teams.

AWS Proton solves this by giving platform teams the tools they need to manage
this complexity and enforce consistent standards, while making it easy for
developers to deploy their code using containers and serverless technologies.

AWS Service Catalog

AWS Service Catalog allows organizations to create and manage catalogs of IT
services that are approved for use on AWS. These IT services can include
everything from virtual machine images, servers, software, and databases to
complete multi-tier application architectures. AWS Service Catalog allows you to
AWS Systems Manager

centrally manage commonly deployed IT services and helps you achieve consistent
governance and meet your compliance requirements, while enabling users to
quickly deploy only the approved IT services they need.

AWS Systems Manager

AWS Systems Manager gives you visibility and control of your infrastructure on
AWS. Systems Manager provides a unified user interface so you can view
operational data from multiple AWS services and allows you to automate
operational tasks across your AWS resources. With Systems Manager, you can group
resources, like Amazon EC2 instances, Amazon S3 buckets, or Amazon RDS
instances, by application, view operational data for monitoring and
troubleshooting, and take action on your groups of resources. Systems Manager
simplifies resource and application management, shortens the time to detect and
resolve operational problems, and makes it easy to operate and manage your
infrastructure securely at scale.

AWS Systems Manager contains the following tools:

• Resource groups: Lets you create a logical group of resources associated with a
particular workload such as different layers of an application stack, or
production versus development environments. For example, you can group
different layers of an application, such as the frontend web layer and the
backend data layer. Resource groups can be created, updated, or removed
programmatically through the API.
• Insights Dashboard: Displays operational data that the AWS Systems Manager
automatically aggregates for each resource group. Systems Manager eliminates
the need for you to navigate across multiple AWS consoles to view your
operational data. With Systems Manager you can view API call logs from AWS
CloudTrail, resource configuration changes from AWS Config, software inventory,
and patch compliance status by resource group. You can also easily integrate
your Amazon CloudWatch Dashboards, AWS Trusted Advisor notifications, and AWS

61
 Overview of Amazon Web Services AWS Whitepaper

Personal Health Dashboard performance and availability alerts into your Systems
Manager dashboard. Systems Manager centralizes all relevant operational data,
so you can have a clear view of your infrastructure compliance and performance.
• Run Command: Provides a simple way of automating common administrative tasks
like remotely executing shell scripts or PowerShell commands, installing
software updates, or making changes to the configuration of OS, software, EC2
and instances and servers in your on-premises data center.
• State Manager: Helps you define and maintain consistent OS configurations such
as firewall settings and anti-malware definitions to comply with your policies.
You can monitor the configuration of a large set of instances, specify a
configuration policy for the instances, and automatically apply updates or
configuration changes.
• Inventory: Helps you collect and query configuration and inventory information
about your instances and the software installed on them. You can gather details
about your instances such as installed applications, DHCP settings, agent
detail, and custom items. You can run queries to track and audit your system
configurations.
• Maintenance Window: Lets you define a recurring window of time to run
administrative and maintenance tasks across your instances. This ensures that
installing patches and updates, or making other configuration changes does not
disrupt business-critical operations. This helps improve your application
availability.
• Patch Manager: Helps you select and deploy operating system and software
patches automatically across large groups of instances. You can define a
maintenance window so that patches are applied only during set times that fit
your needs. These capabilities help ensure that your software is always up to
date and meets your compliance policies.
• Automation: Simplifies common maintenance and deployment tasks, such as
updating Amazon Machine Images (AMIs). Use the Automation feature to apply
patches, update drivers and agents, or bake applications into your AMI using a
streamlined, repeatable, and auditable process.
• Parameter Store: Provides an encrypted location to store important
administrative information such as passwords and database strings. The
Parameter Store integrates with AWS KMS to make it easy to encrypt the
information you keep in the Parameter Store.
AWS Trusted Advisor

• Distributor: Helps you securely distribute and install software packages, such
as software agents. Systems Manager Distributor allows you to centrally store
and systematically distribute software packages while you maintain control over
versioning. You can use Distributor to create and distribute software packages
and then install them using Systems Manager Run Command and State Manager.
Distributor can also use AWS Identity and Access Management (IAM) policies to
control who can create or update packages in your account. You can use the
existing IAM policy support for Systems Manager Run Command and State Manager
to define who can install packages on your hosts.
• Session Manager: Provides a browser-based interactive shell and CLI for
managing Windows and Linux EC2 instances, without the need to open inbound
ports, manage SSH keys, or use bastion hosts. Administrators can grant and
revoke access to instances through a central location by using AWS Identity and
Access Management (IAM) policies. This allows you to control which users can
access each instance, including the option to provide non-root access to
specified users. Once access is provided, you can audit which user accessed an
instance and log each command to Amazon S3 or Amazon CloudWatch Logs using AWS
CloudTrail.

62
 Overview of Amazon Web Services AWS Whitepaper

AWS Trusted Advisor

AWS Trusted Advisor is an online resource to help you reduce cost, increase
performance, and improve security by optimizing your AWS environment. Trusted
Advisor provides real-time guidance to help you provision your resources
following AWS best practices.

AWS Personal Health Dashboard

AWS Personal Health Dashboard provides alerts and remediation guidance when AWS
is experiencing events that might affect you. While the Service Health Dashboard
displays the general status of AWS services, Personal Health Dashboard gives you
a personalized view into the performance and availability of the AWS services
underlying your AWS resources. The dashboard displays relevant and timely
information to help you manage events in progress, and provides proactive
notification to help you plan for scheduled activities. With Personal Health
Dashboard, alerts are automatically triggered by changes in the health of AWS
resources, giving you event visibility and guidance to help quickly diagnose and
resolve issues.

AWS Managed Services

AWS Managed Services provides ongoing management of your AWS infrastructure so
you can focus on your applications. By implementing best practices to maintain
your infrastructure, AWS Managed Services helps to reduce your operational
overhead and risk. AWS Managed Services automates common activities such as
change requests, monitoring, patch management, security, and backup services,
and provides full-lifecycle services to provision, run, and support your
infrastructure. Our rigor and controls help to enforce your corporate and
security infrastructure policies, and enables you to develop solutions and
applications using your preferred development approach. AWS Managed Services
improves agility, reduces cost, and unburdens you from infrastructure operations
so you can direct resources toward differentiating your business.

AWS Console Mobile Application

The AWS Console Mobile Application lets customers view and manage a select set
of resources to support incident response while on-the-go.

The Console Mobile Application allows AWS customers to monitor resources through
a dedicated dashboard and view configuration details, metrics, and alarms for
select AWS services. The Dashboard provides permitted users with a single view a
resource's status, with real-time data on Amazon CloudWatch, Personal Health
Dashboard, and AWS Billing and Cost Management. Customers can view ongoing
issues and follow through to the relevant CloudWatch alarm screen for a detailed
view with
AWS License Manager

graphs and configuration options. In addition, customers can check on the status
of specific AWS services, view detailed resource screens, and perform select
actions.

63
 Overview of Amazon Web Services AWS Whitepaper

AWS License Manager

AWS License Manager makes it easier to manage licenses in AWS and on-premises
servers from software vendors such as Microsoft, SAP, Oracle, and IBM. AWS
License Manager lets administrators create customized licensing rules that
emulate the terms of their licensing agreements, and then enforces these rules
when an instance of Amazon EC2 gets launched. Administrators can use these rules
to limit licensing violations, such as using more licenses than an agreement
stipulates or reassigning licenses to different servers on a short-term basis.
The rules in AWS License Manager enable you to limit a licensing breach by
physically stopping the instance from launching or by notifying administrators
about the infringement. Administrators gain control and visibility of all their
licenses with the AWS License Manager dashboard and reduce the risk of non-
compliance, misreporting, and additional costs due to licensing overages.

AWS License Manager integrates with AWS services to simplify the management of
licenses across multiple AWS accounts, IT catalogs, and on-premises, through a
single AWS account. License administrators can add rules in AWS Service Catalog,
which allows them to create and manage catalogs of IT services that are approved
for use on all their AWS accounts. Through seamless integration with AWS Systems
Manager and AWS Organizations, administrators can manage licenses across all the
AWS accounts in an organization and on-premises environments. AWS Marketplace
buyers can also use AWS License Manager to track bring your own license (BYOL)
software obtained from the Marketplace and keep a consolidated view of all their
licenses.

AWS Well-Architected Tool

The AWS Well-Architected Tool helps you review the state of your workloads and
compares them to the latest AWS architectural best practices. The tool is based
on the AWS Well-Architected Framework, developed to help cloud architects build
secure, high-performing, resilient, and efficient application infrastructure.
This Framework provides a consistent approach for customers and partners to
evaluate architectures, has been used in tens of thousands of workload reviews
conducted by the AWS solutions architecture team, and provides guidance to help
implement designs that scale with application needs over time.

To use this free tool, available in the AWS Management Console, just define
your workload and answer a set of questions regarding operational excellence,
security, reliability, performance efficiency, and cost optimization. The AWS
Well-Architected Tool then provides a plan on how to architect for the cloud
using established best practices.

Media Services
Topics
• Amazon Elastic Transcoder (p. 55)
• Amazon Interactive Video Service (p. 55)
• Amazon Nimble Studio (p. 55)
• AWS Elemental Appliances & Software (p. 55)
• AWS Elemental MediaConnect (p. 55)
• AWS Elemental MediaConvert (p. 56)
• AWS Elemental MediaLive (p. 56)

64
 Overview of Amazon Web Services AWS Whitepaper

• AWS Elemental MediaPackage (p. 56)

• AWS Elemental MediaStore (p. 56)
Amazon Elastic Transcoder

• AWS Elemental MediaTailor (p. 56)

Amazon Elastic Transcoder

Amazon Elastic Transcoder is media transcoding in the cloud. It is designed to be
a highly scalable, easyto-use, and cost-effective way for developers and
businesses to convert (or transcode) media files from their source format into
versions that will play back on devices like smartphones, tablets, and PCs.

Amazon Interactive Video Service

Amazon Interactive Video Service (Amazon IVS) is a managed live streaming
solution that is quick and easy to set up, and ideal for creating interactive
video experiences. Send your live streams to Amazon IVS using streaming software
and the service does everything you need to make low-latency live video
available to any viewer around the world, letting you focus on building
interactive experiences alongside the live video. You can easily customize and
enhance the audience experience through the Amazon IVS player SDK and timed
metadata APIs, allowing you to build a more valuable relationship with your
viewers on your own websites and applications.

Amazon Nimble Studio

Amazon Nimble Studio empowers creative studios to produce visual effects,
animation, and interactive content entirely in the cloud, from storyboard sketch
to final deliverable. Rapidly onboard and collaborate with artists globally and
create content faster with access to virtual workstations, high-speed storage,
and scalable rendering across AWS’s global infrastructure.

AWS Elemental Appliances & Software

AWS Elemental Appliances and Software solutions bring advanced video processing
and delivery technologies into your data center, co-location space, or on-
premises facility. You can deploy AWS Elemental Appliances and Software to
encode, package, and deliver video assets on-premises and seamlessly connect
with cloud-based video infrastructure. Designed for easy integration with AWS
Cloud media solutions, AWS Elemental Appliances and Software support video
workloads that need to remain on-premises to accommodate physical camera and
router interfaces, managed network delivery, or network bandwidth constraints.

AWS Elemental Live, Server, and Conductor come in two variants: ready-to-deploy
appliances, or AWSlicensed software that you install on your own hardware. AWS
Elemental Link is a compact hardware device that sends live video to the cloud
for encoding and delivery to viewers.

AWS Elemental MediaConnect

AWS Elemental MediaConnect is a high-quality transport service for live video.
Today, broadcasters and content owners rely on satellite networks or fiber

65
 Overview of Amazon Web Services AWS Whitepaper

connections to send their high-value content into the cloud or to transmit it to

partners for distribution. Both satellite and fiber approaches are expensive,
require long lead times to set up, and lack the flexibility to adapt to changing
requirements. To be more nimble, some customers have tried to use solutions that
transmit live video on top of IP infrastructure, but have struggled with
reliability and security.

Now you can get the reliability and security of satellite and fiber combined
with the flexibility, agility, and economics of IP-based networks using AWS
Elemental MediaConnect. MediaConnect enables you to build mission-critical live
video workflows in a fraction of the time and cost of satellite or fiber
services. You can use MediaConnect to ingest live video from a remote event site
(like a stadium), share video with a partner (like a cable TV distributor), or
replicate a video stream for processing (like an over-the-
AWS Elemental MediaConvert

top service). MediaConnect combines reliable video transport, highly secure

stream sharing, and realtime network traffic and video monitoring that allow you
to focus on your content, not your transport infrastructure.

AWS Elemental MediaConvert

AWS Elemental MediaConvert is a file-based video transcoding service with
broadcast-grade features. It allows you to easily create video-on-demand (VOD)
content for broadcast and multiscreen delivery at scale. The service combines
advanced video and audio capabilities with a simple web services interface and
pay-as-you-go pricing. With AWS Elemental MediaConvert, you can focus on
delivering compelling media experiences without having to worry about the
complexity of building and operating your own video processing infrastructure.

AWS Elemental MediaLive

AWS Elemental MediaLive is a broadcast-grade live video processing service. It
lets you create highquality video streams for delivery to broadcast televisions
and internet-connected multiscreen devices, like connected TVs, tablets, smart
phones, and set-top boxes. The service works by encoding your live video streams
in real-time, taking a larger-sized live video source and compressing it into
smaller versions for distribution to your viewers. With AWS Elemental MediaLive,
you can easily set up streams for both live events and 24x7 channels with
advanced broadcasting features, high availability, and payas-you-go pricing. AWS
Elemental MediaLive lets you focus on creating compelling live video experiences
for your viewers without the complexity of building and operating broadcast-
grade video processing infrastructure.

AWS Elemental MediaPackage

AWS Elemental MediaPackage reliably prepares and protects your video for delivery
over the Internet. From a single video input, AWS Elemental MediaPackage creates
video streams formatted to play on connected TVs, mobile phones, computers,
tablets, and game consoles. It makes it easy to implement popular video features
for viewers (start-over, pause, rewind, etc.), like those commonly found on
DVRs.
AWS Elemental MediaPackage can also protect your content using Digital Rights
Management (DRM). AWS Elemental MediaPackage scales automatically in response to

66
 Overview of Amazon Web Services AWS Whitepaper

load, so your viewers will always get a great experience without you having to
accurately predict in advance the capacity you’ll need.

AWS Elemental MediaStore

AWS Elemental MediaStore is an AWS storage service optimized for media. It gives
you the performance, consistency, and low latency required to deliver live
streaming video content. AWS Elemental MediaStore acts as the origin store in
your video workflow. Its high performance capabilities meet the needs of the
most demanding media delivery workloads, combined with long-term, cost-effective
storage.

AWS Elemental MediaTailor

AWS Elemental MediaTailor lets video providers insert individually targeted
advertising into their video streams without sacrificing broadcast-level
quality-of-service. With AWS Elemental MediaTailor, viewers of your live or on-
demand video each receive a stream that combines your content with ads
personalized to them. But unlike other personalized ad solutions, with AWS
Elemental MediaTailor your entire stream – video and ads – is delivered with
broadcast-grade video quality to improve the experience for your viewers. AWS
Elemental MediaTailor delivers automated reporting based on both client and
server-side ad delivery metrics, making it easy to accurately measure ad
impressions and viewer behavior. You can easily monetize unexpected high-demand
viewing events with no up-front costs using AWS Elemental MediaTailor. It also
improves ad delivery rates, helping you make more money from every video, and it
works with a wider variety of content delivery networks, ad decision servers,
and client devices.
Migration and Transfer

See also Amazon Kinesis Video Streams (p. 12)

Migration and Transfer

Topics
• AWS Application Migration Service (p. 57)
• AWS Migration Hub (p. 57)
• AWS Application Discovery Service (p. 57)
• AWS Database Migration Service (p. 58)
• AWS Server Migration Service (p. 58)
• AWS Snow Family (p. 58)
• AWS DataSync (p. 59)
• AWS Transfer Family (p. 59)

AWS Application Migration Service

AWS Application Migration Service (AWS MGN) allows you to quickly realize the
benefits of migrating applications to the cloud without changes and with minimal
downtime.

67
 Overview of Amazon Web Services AWS Whitepaper

AWS Application Migration Service minimizes time-intensive, error-prone manual

processes by automatically converting your source servers from physical,
virtual, or cloud infrastructure to run natively on AWS. It further simplifies
your migration by enabling you to use the same automated process for a wide
range of applications.

And by launching non-disruptive tests before migrating, you can be confident that
your most critical applications such as SAP, Oracle, and SQL Server will work
seamlessly on AWS.

AWS Migration Hub

AWS Migration Hub provides a single location to track the progress of
application migrations across multiple AWS and partner solutions. Using
Migration Hub allows you to choose the AWS and partner migration tools that
best fit your needs, while providing visibility into the status of migrations
across your portfolio of applications. Migration Hub also provides key metrics
and progress for individual applications, regardless of which tools are being
used to migrate them. For example, you might use AWS Database Migration
Service, AWS Server Migration Service, and partner migration tools such as
ATADATA ATAmotion, CloudEndure Live Migration, or RiverMeadow Server Migration
Saas to migrate an application comprised of a database, virtualized web
servers, and a bare metal server. Using Migration Hub, you can view the
migration progress of all the resources in the application. This allows you to
quickly get progress updates across all of your migrations, easily identify and
troubleshoot any issues, and reduce the overall time and effort spent on your
migration projects.

AWS Application Discovery Service

AWS Application Discovery Service helps enterprise customers plan migration
projects by gathering information about their on-premises data centers.

Planning data center migrations can involve thousands of workloads that are often
deeply interdependent. Server utilization data and dependency mapping are
important early first steps in the migration process. AWS Application Discovery
Service collects and presents configuration, usage, and behavior data from your
servers to help you better understand your workloads.
AWS Database Migration Service

The collected data is retained in encrypted format in an AWS Application

Discovery Service data store. You can export this data as a CSV file and use it
to estimate the Total Cost of Ownership (TCO) of running on AWS and to plan your
migration to AWS. In addition, this data is also available in AWS Migration Hub,
where you can migrate the discovered servers and track their progress as they
get migrated to AWS.

AWS Database Migration Service

AWS Database Migration Service helps you migrate databases to AWS easily and
securely. The source database remains fully operational during the migration,
minimizing downtime to applications that rely on the database. The AWS Database
Migration Service can migrate your data to and from most widely used commercial
and open-source databases. The service supports homogeneous migrations such as
Oracle to Oracle, as well as heterogeneous migrations between different

68
 Overview of Amazon Web Services AWS Whitepaper

database platforms, such as Oracle to Amazon Aurora or Microsoft SQL Server to

MySQL. It also allows you to stream data to Amazon Redshift from any of the
supported sources including Amazon Aurora, PostgreSQL, MySQL, MariaDB, Oracle,
SAP ASE, and SQL Server, enabling consolidation and easy analysis of data in
the petabyte-scale data warehouse. AWS Database Migration Service can also be
used for continuous data replication with high availability.

AWS Server Migration Service

AWS Server Migration Service (SMS) is an agentless service which makes it easier
and faster for you to migrate thousands of on-premises workloads to AWS. AWS SMS
allows you to automate, schedule, and track incremental replications of live
server volumes, making it easier for you to coordinate large-scale server
migrations.

AWS Snow Family

The AWS Snow Family helps customers that need to run operations in austere, non-
data center environments, and in locations where there's lack of consistent
network connectivity. The Snow Family comprises AWS Snowcone, AWS Snowball, and
AWS Snowmobile and offers a number of physical devices and capacity points, most
with built-in computing capabilities. These services help physically transport
up to exabytes of data into and out of AWS. Snow Family devices are owned and
managed by AWS and integrate with AWS security, monitoring, storage management,
and computing capabilities.

AWS Snowcone
AWS Snowcone is the smallest member of the AWS Snow Family of edge computing edge
storage, and data transfer devices, weighing in at 4.5 pounds (2.1 kg) with 8
terabytes of usable storage. Snowcone is ruggedized, secure, and purpose-built
for use outside of a traditional data center. Its small form factor makes it a
perfect fit for tight spaces or where portability is a necessity and network
connectivity is unreliable. You can use Snowcone in backpacks on first
responders, or for IoT, vehicular, and drone use cases. You can execute compute
applications at the edge, and you can ship the device with data to AWS for
offline data transfer, or you can transfer data online with AWS DataSync from
edge locations.

Like AWS Snowball, Snowcone has multiple layers of security and encryption. You
can use either of these services to run edge computing workloads, or to collect,
process, and transfer data to AWS. Snowcone is designed for data migration needs
up to 8 terabytes per device and from space-constrained environments where AWS
Snowball devices will not fit.

AWS Snowball
AWS Snowball is an edge computing, data migration, and edge storage device that
comes in two options.
Snowball Edge Storage Optimized devices provide both block storage and Amazon S3-
compatible object
AWS DataSync

storage, and 40 vCPUs. They are well suited for local storage and large scale-
data transfer. Snowball Edge Compute Optimized devices provide 52 vCPUs, block

69
 Overview of Amazon Web Services AWS Whitepaper

and object storage, and an optional GPU for use cases like advanced machine
learning and full motion video analysis in disconnected environments. You can
use these devices for data collection, machine learning and processing, and
storage in environments with intermittent connectivity (like manufacturing,
industrial, and transportation) or in extremely remote locations (like military
or maritime operations) before shipping them back to AWS. These devices may also
be rack mounted and clustered together to build larger temporary installations.

Snowball supports specific Amazon EC2 instance types and AWS Lambda functions, so
you can develop and test in the AWS Cloud, then deploy applications on devices
in remote locations to collect, preprocess, and ship the data to AWS. Common use
cases include data migrati

AWS Snowmobile
AWS Snowmobile is an exabyte-scale data transfer service used to move
extremely large amounts of data to AWS. You can transfer up to 100 PB per
Snowmobile, a 45-foot long ruggedized shipping container, pulled by a semi-
trailer truck. Snowmobile makes it easy to move massive volumes of data to
the cloud, including video libraries, image repositories, or even a complete
data center migration. Transferring data with Snowmobile is secure, fast, and
cost effective.

After an initial assessment, a Snowmobile will be transported to your data

center, and AWS personnel will configure it for you so it can be accessed as a
network storage target. When your Snowmobile is on site, AWS personnel will
work with your team to connect a removable, high-speed network switch from the
Snowmobile to your local network. Then you can begin your high-speed data
transfer from any number of sources within your data center to the Snowmobile.
After your data is loaded, the Snowmobile is driven back to AWS where your
data is imported into Amazon S3 or S3 Glacier.

AWS Snowmobile uses multiple layers of security designed to protect your data
including dedicated security personnel, GPS tracking, alarm monitoring, 24/7
video surveillance, and an optional escort security vehicle while in transit.
All data is encrypted with 256-bit encryption keys managed through AWS KMS (p.
70) and designed to ensure both security and full chain of custody of your data.

AWS DataSync
AWS DataSync is a data transfer service that makes it easy for you to automate
moving data between on-premises storage and Amazon S3 or Amazon Elastic File
System (Amazon EFS). DataSync automatically handles many of the tasks related to
data transfers that can slow down migrations or burden your IT operations,
including running your own instances, handling encryption, managing scripts,
network optimization, and data integrity validation. You can use DataSync to
transfer data at speeds up to 10 times faster than open-source tools. DataSync
uses an on-premises software agent to connect to your existing storage or file
systems using the Network File System (NFS) protocol, so you don’t have write
scripts or modify your applications to work with AWS APIs. You can use DataSync
to copy data over AWS Direct Connect or internet links to AWS. The service
enables one-time data migrations, recurring data processing workflows, and
automated replication for data protection and recovery. Getting started with
DataSync is easy: Deploy the DataSync agent on premises, connect it to a file
system or storage array, select Amazon EFS or S3 as your AWS storage, and start
moving data. You pay only for the data you copy.

70
 Overview of Amazon Web Services AWS Whitepaper

AWS Transfer Family

AWS Transfer Family provides fully managed support for file transfers directly
into and out of Amazon
S3 or Amazon EFS. With support for Secure File Transfer Protocol (SFTP), File
Transfer Protocol over SSL (FTPS), and File Transfer Protocol (FTP), the AWS
Transfer Family helps you seamlessly migrate your file transfer workflows to
AWS by integrating with existing authentication systems, and providing DNS
routing with Amazon Route 53 so nothing changes for your customers and
partners, or their applications. With your data in Amazon S3 or Amazon EFS, you
can use it with AWS services for
Networking and Content Delivery

processing, analytics, machine learning, archiving, as well as home directories

and developer tools. Getting started with the AWS Transfer Family is easy; there
is no infrastructure to buy and set up.

Networking and Content Delivery

Topics
• Amazon API Gateway (p. 60)
• Amazon CloudFront (p. 60)
• Amazon Route 53 (p. 60)
• Amazon VPC (p. 61)
• AWS App Mesh (p. 61)
• AWS Cloud Map (p. 62)
• AWS Direct Connect (p. 62)
• AWS Global Accelerator (p. 62)
• AWS PrivateLink (p. 63)
• AWS Transit Gateway (p. 63)
• AWS VPN (p. 63)
• Elastic Load Balancing (p. 63)

Amazon API Gateway

Amazon API Gateway is a fully managed service that makes it easy for developers
to create, publish, maintain, monitor, and secure APIs at any scale. With a few
clicks in the AWS Management Console, you can create an API that acts as a
“front door” for applications to access data, business logic, or functionality
from your back-end services, such as workloads running on Amazon EC2, code
running on AWS Lambda, or any web application. Amazon API Gateway handles all
the tasks involved in accepting and processing up to hundreds of thousands of
concurrent API calls, including traffic management, authorization and access
control, monitoring, and API version management.

Amazon CloudFront
Amazon CloudFront is a fast content delivery network (CDN) service that securely
delivers data, videos, applications, and APIs to customers globally with low

71
 Overview of Amazon Web Services AWS Whitepaper

latency, high transfer speeds, all within a developer-friendly environment.

CloudFront is integrated with AWS – both physical locations that are directly
connected to the AWS global infrastructure, as well as other AWS services.
CloudFront works seamlessly with services including AWS Shield for DDoS
mitigation, Amazon S3, Elastic Load Balancing or Amazon EC2 as origins for your
applications, and Lambda@Edge to run custom code closer to customers’ users and
to customize the user experience.

You can get started with the Content Delivery Network in minutes, using the same
AWS tools that you're already familiar with: APIs, AWS Management Console, AWS
CloudFormation, CLIs, and SDKs. Amazon's CDN offers a simple, pay-as-you-go
pricing model with no upfront fees or required long-term contracts, and support
for the CDN is included in your existing AWS Support subscription.

Amazon Route 53
Amazon Route 53 is a highly available and scalable cloud Domain Name System
(DNS) web service. It is designed to give developers and businesses an
extremely reliable and cost-effective way to route end
Amazon VPC

users to Internet applications by translating human readable names, such as

www.example.com, into the numeric IP addresses, such as 192.0.2.1, that
computers use to connect to each other. Amazon Route 53 is fully compliant with
IPv6 as well.

Amazon Route 53 effectively connects user requests to infrastructure running in

AWS—such as EC2 instances, Elastic Load Balancing load balancers, or Amazon S3
buckets—and can also be used to route users to infrastructure outside of AWS.
You can use Amazon Route 53 to configure DNS health checks to route traffic to
healthy endpoints or to independently monitor the health of your application and
its endpoints. Amazon Route 53 traffic flow makes it easy for you to manage
traffic globally through a variety of routing types, including latency-based
routing, Geo DNS, and weighted round robin—all of which can be combined with DNS
Failover in order to enable a variety of low-latency, fault-tolerant
architectures. Using Amazon Route 53 traffic flow’s simple visual editor, you
can easily manage how your end users are routed to your application’s endpoints—
whether in a single AWS Region or distributed around the globe. Amazon Route 53
also offers Domain Name Registration—you can purchase and manage domain names
such as example.com and Amazon Route 53 will automatically configure DNS
settings for your domains.

Amazon VPC
Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated
section of the AWS Cloud where you can launch AWS resources in a virtual network
that you define. You have complete control over your virtual networking
environment, including selection of your own IP address range, creation of
subnets, and configuration of route tables and network gateways. You can use
both IPv4 and IPv6 in your VPC for secure and easy access to resources and
applications.

You can easily customize the network configuration for your VPC. For example, you
can create a publicfacing subnet for your web servers that has access to the
Internet, and place your backend systems, such as databases or application
servers, in a private-facing subnet with no Internet access. You can leverage

72
 Overview of Amazon Web Services AWS Whitepaper

multiple layers of security (including security groups and network access

control lists) to help control access to EC2 instances in each subnet.

Additionally, you can create a hardware virtual private network (VPN) connection
between your corporate data center and your VPC and leverage the AWS Cloud as an
extension of your corporate data center.

AWS App Mesh

AWS App Mesh makes it easy to monitor and control microservices running on AWS.
App Mesh standardizes how your microservices communicate, giving you end-to-end
visibility and helping to ensure high-availability for your applications.

Modern applications are often composed of multiple microservices that each

perform a specific function. This architecture helps to increase the
availability and scalability of the application by allowing each component to
scale independently based on demand, and automatically degrading functionality
when a component fails instead of going offline. Each microservice interacts
with all the other microservices through an API. As the number of microservices
grows within an application, it becomes increasingly difficult to pinpoint the
exact location of errors, re-route traffic after failures, and safely deploy
code changes. Previously, this has required you to build monitoring and control
logic directly into your code and redeploy your microservices every time there
are changes.

AWS App Mesh makes it easy to run microservices by providing consistent

visibility and network traffic controls for every microservice in an
application. App Mesh removes the need to update application code to change how
monitoring data is collected or traffic is routed between microservices. App
Mesh configures each microservice to export monitoring data and implements
consistent communications control logic across your application. This makes it
easy to quickly pinpoint the exact location of errors and automatically re-route
network traffic when there are failures or when code changes need to be
deployed.
AWS Cloud Map

You can use App Mesh with Amazon ECS and Amazon EKS to better run
containerized microservices at scale. App Mesh uses the open source Envoy
proxy, making it compatible with a wide range of AWS partner and open source
tools for monitoring microservices.

AWS Cloud Map

AWS Cloud Map is a cloud resource discovery service. With Cloud Map, you can
define custom names for your application resources, and it maintains the updated
location of these dynamically changing resources. This increases your
application availability because your web service always discovers the most up-
to-date locations of its resources.

Modern applications are typically composed of multiple services that are

accessible over an API and perform a specific function. Each service interacts
with a variety of other resources such as databases, queues, object stores, and
customer-defined microservices, and they also need to be able to find the
location of all the infrastructure resources on which it depends, in order to
function. You typically manually manage all these resource names and their
locations within the application code. However, manual resource management
becomes time consuming and error-prone as the number of dependent

73
 Overview of Amazon Web Services AWS Whitepaper

infrastructure resources increases or the number of microservices dynamically

scale up and down based on traffic. You can also use third-party service
discovery products, but this requires installing and managing additional
software and infrastructure.

Cloud Map allows you to register any application resources such as databases,
queues, microservices, and other cloud resources with custom names. Cloud Map
then constantly checks the health of resources to make sure the location is up-
to-date. The application can then query the registry for the location of the
resources needed based on the application version and deployment environment.

AWS Direct Connect

AWS Direct Connect makes it easy to establish a dedicated network connection
from your premises to AWS. Using AWS Direct Connect, you can establish private
connectivity between AWS and your data center, office, or co-location
environment, which in many cases can reduce your network costs, increase
bandwidth throughput, and provide a more consistent network experience than
Internet-based connections.

AWS Direct Connect lets you establish a dedicated network connection between your
network and one of the AWS Direct Connect locations. Using industry standard
802.1Q virtual LANS (VLANs), this dedicated connection can be partitioned into
multiple virtual interfaces. This allows you to use the same connection to
access public resources, such as objects stored in Amazon S3 using public IP
address space, and private resources such as EC2 instances running within a VPC
using private IP address space, while maintaining network separation between the
public and private environments. Virtual interfaces can be reconfigured at any
time to meet your changing needs.

AWS Global Accelerator

AWS Global Accelerator is a networking service that improves the availability and
performance of the applications that you offer to your global users.

Today, if you deliver applications to your global users over the public
internet, your users might face inconsistent availability and performance as
they traverse through multiple public networks to reach your application. These
public networks are often congested and each hop can introduce availability and
performance risk. AWS Global Accelerator uses the highly available and
congestion-free AWS global network to direct internet traffic from your users to
your applications on AWS, making your users’ experience more consistent.

To improve the availability of your application, you must monitor the health of
your application endpoints and route traffic only to healthy endpoints. AWS
Global Accelerator improves application
AWS PrivateLink

availability by continuously monitoring the health of your application endpoints

and routing traffic to the closest healthy endpoints.

AWS Global Accelerator also makes it easier to manage your global

applications by providing static IP addresses that act as a fixed entry point
to your application hosted on AWS which eliminates the complexity of managing
specific IP addresses for different AWS Regions and Availability Zones. AWS
Global Accelerator is easy to set up, configure and manage.

74
 Overview of Amazon Web Services AWS Whitepaper

AWS PrivateLink
AWS PrivateLink simplifies the security of data shared with cloud-based
applications by eliminating the exposure of data to the public Internet. AWS
PrivateLink provides private connectivity between VPCs, AWS services, and on-
premises applications, securely on the Amazon network. AWS PrivateLink makes it
easy to connect services across different accounts and VPCs to significantly
simplify the network architecture.

AWS Transit Gateway

AWS Transit Gateway is a service that enables customers to connect their Amazon
Virtual Private Clouds (VPCs) and their on-premises networks to a single
gateway. As you grow the number of workloads running on AWS, you need to be able
to scale your networks across multiple accounts and Amazon VPCs to keep up with
the growth. Today, you can connect pairs of Amazon VPCs using peering. However,
managing point-to-point connectivity across many Amazon VPCs, without the
ability to centrally manage the connectivity policies, can be operationally
costly and cumbersome. For on-premises connectivity, you need to attach your AWS
VPN to each individual Amazon VPC. This solution can be time consuming to build
and hard to manage when the number of VPCs grows into the hundreds.

With AWS Transit Gateway, you only have to create and manage a single connection
from the central gateway in to each Amazon VPC, on-premises data center, or
remote office across your network. Transit Gateway acts as a hub that controls
how traffic is routed among all the connected networks which act like spokes.
This hub and spoke model significantly simplifies management and reduces
operational costs because each network only has to connect to the Transit
Gateway and not to every other network. Any new VPC is simply connected to the
Transit Gateway and is then automatically available to every other network that
is connected to the Transit Gateway. This ease of connectivity makes it easy to
scale your network as you grow.

AWS VPN
AWS Virtual Private Network solutions establish secure connections between your
on-premises networks, remote offices, client devices, and the AWS global
network. AWS VPN is comprised of two services: AWS Site-to-Site VPN and AWS
Client VPN. Each service provides a highly-available, managed, and elastic cloud
VPN solution to protect your network traffic.

AWS Site-to-Site VPN creates encrypted tunnels between your network and your
Amazon Virtual Private Clouds or AWS Transit Gateways. For managing remote
access, AWS Client VPN connects your users to AWS or on-premises resources using
a VPN software client.

Elastic Load Balancing

Elastic Load Balancing (ELB) automatically distributes incoming application
traffic across multiple targets, such as Amazon EC2 instances, containers, and
IP addresses. It can handle the varying load of your application traffic in a
single Availability Zone or across multiple Availability Zones. Elastic Load
Balancing offers four types of load balancers that all feature the high
availability, automatic scaling, and robust security necessary to make your
applications fault tolerant.

75
 Overview of Amazon Web Services AWS Whitepaper

• Application Load Balancer is best suited for load balancing of HTTP and HTTPS
traffic and provides advanced request routing targeted at the delivery of
modern application architectures, including
Quantum Technologies

microservices and containers. Operating at the individual request level (Layer

7), Application Load Balancer routes traffic to targets within Amazon Virtual
Private Cloud (Amazon VPC) based on the content of the request.
• Network Load Balancer is best suited for load balancing of TCP traffic where
extreme performance is required. Operating at the connection level (Layer 4),
Network Load Balancer routes traffic to targets within Amazon Virtual Private
Cloud (Amazon VPC) and is capable of handling millions of requests per second
while maintaining ultra-low latencies. Network Load Balancer is also optimized
to handle sudden and volatile traffic patterns.
• Gateway Load Balancer makes it easy to deploy, scale, and run third-party
virtual networking appliances. Providing load balancing and auto scaling for
fleets of third-party appliances, Gateway Load Balancer is transparent to the
source and destination of traffic. This capability makes it well suited for
working with third-party appliances for security, network analytics, and other
use cases.
• Classic Load Balancer provides basic load balancing across multiple Amazon EC2
instances and operates at both the request level and connection level. Classic
Load Balancer is intended for applications that were built within the EC2-
Classic network.

Quantum Technologies
Amazon Braket
Amazon Braket is a fully managed quantum computing service that helps researchers
and developers get started with the technology to accelerate research and
discovery. Amazon Braket provides a development environment for you to explore
and build quantum algorithms, test them on quantum circuit simulators, and run
them on different quantum hardware technologies.

Quantum computing has the potential to solve computational problems that are
beyond the reach of classical computers by harnessing the laws of quantum
mechanics to process information in new ways. This approach to computing could
transform areas such as chemical engineering, material science, drug discovery,
financial portfolio optimization, and machine learning. But defining those
problems and programming quantum computers to solve them requires new skills,
which are difficult to acquire without easy access to quantum computing
hardware.

Amazon Braket overcomes these challenges so you can explore quantum computing.
With Amazon Braket you can design and build your own quantum algorithms from
scratch or choose from a set of prebuilt algorithms. Once you have built your
algorithm, Amazon Braket provides a choice of simulators to test, troubleshoot
and run your algorithms. When you are ready, you can run your algorithm on your
choice of different quantum computers, including quantum annealers from D-Wave,
and gate-based computers from Rigetti and IonQ. With Amazon Braket you can now
evaluate the potential of quantum computing for your organization, and build
expertise.

76
 Overview of Amazon Web Services AWS Whitepaper

Robotics
AWS RoboMaker
AWS RoboMaker is a service that makes it easy to develop, test, and deploy
intelligent robotics applications at scale. RoboMaker extends the most widely
used open-source robotics software framework, Robot Operating System (ROS), with
connectivity to cloud services. This includes AWS machine learning services,
monitoring services, and analytics services that enable a robot to stream data,
navigate, communicate, comprehend, and learn. RoboMaker provides a robotics
development environment for application development, a robotics simulation
service to accelerate application testing, and a robotics fleet management
service for remote application deployment, update, and management.
Satellite

Robots are machines that sense, compute, and take action. Robots need
instructions to accomplish tasks, and these instructions come in the form of
applications that developers code to determine how the robot will behave.
Receiving and processing sensor data, controlling actuators for movement, and
performing a specific task are all functions that are typically automated by
these intelligent robotics applications. Intelligent robots are being
increasingly used in warehouses to distribute inventory, in homes to carry out
tedious housework, and in retail stores to provide customer service. Robotics
applications use machine learning in order to perform more complex tasks like
recognizing an object or face, having a conversation with a person, following a
spoken command, or navigating autonomously. Until now, developing, testing, and
deploying intelligent robotics applications was difficult and time consuming.
Building intelligent robotics functionality using machine learning is complex
and requires specialized skills. Setting up a development environment can take
each developer days and building a realistic simulation system to test an
application can take months due to the underlying infrastructure needed. Once an
application has been developed and tested, a developer needs to build a
deployment system to deploy the application into the robot and later update the
application while the robot is in use.

AWS RoboMaker provides you with the tools to make building intelligent
robotics applications more accessible, a fully managed simulation service for
quick and easy testing, and a deployment service for lifecycle management. AWS
RoboMaker removes the heavy lifting from each step of robotics development so
you can focus on creating innovative robotics applications.

Satellite
AWS Ground Station
AWS Ground Station is a fully managed service that lets you control satellite
communications, downlink and process satellite data, and scale your satellite
operations quickly, easily and cost-effectively without having to worry about
building or managing your own ground station infrastructure. Satellites are used
for a wide variety of use cases, including weather forecasting, surface imaging,
communications, and video broadcasts. Ground stations are at the core of global
satellite networks, which are facilities that provide communications between the
ground and the satellites by using antennas to receive data and control systems
to send radio signals to command and control the satellite. Today, you must

77
 Overview of Amazon Web Services AWS Whitepaper

either build your own ground stations and antennas, or obtain long-term leases
with ground station providers, often in multiple countries to provide enough
opportunities to contact the satellites as they orbit the globe. Once all this
data is downloaded, you need servers, storage, and networking in close proximity
to the antennas to process, store, and transport the data from the satellites.

AWS Ground Station eliminates these problems by delivering a global Ground

Station as a Service. We provide direct access to AWS services and the AWS
Global Infrastructure including our low-latency global fiber network right where
your data is downloaded into our AWS Ground Station. This enables you to easily
control satellite communications, quickly ingest and process your satellite
data, and rapidly integrate that data with your applications and other services
running in the AWS Cloud. For example, you can use Amazon S3 to store the
downloaded data, Amazon Kinesis Data Streams for managing data ingestion from
satellites, SageMaker for building custom machine learning applications that
apply to your data sets, and Amazon EC2 to command and download data from
satellites. AWS Ground Station can help you save up to 80% on the cost of your
ground station operations by allowing you to pay only for the actual antenna
time used, and relying on our global footprint of ground stations to download
data when and where you need it, instead of building and operating your own
global ground station infrastructure. There are no long-term commitments, and
you gain the ability to rapidly scale your satellite communications on-demand
when your business needs it.

Security, Identity, and

Compliance
Topics
Amazon Cognito

• Amazon Cognito (p. 66)

• Amazon Cloud Directory (p. 66)
• Amazon Detective (p. 67)
• Amazon GuardDuty (p. 67)
• Amazon Inspector (p. 67)
• Amazon Macie (p. 68)
• AWS Artifact (p. 68)
• AWS Audit Manager (p. 68)
• AWS Certificate Manager (p. 68)
• AWS CloudHSM (p. 69)
• AWS Directory Service (p. 69)
• AWS Firewall Manager (p. 69)
• AWS Identity and Access Management (p. 69)
• AWS Key Management Service (p. 70)
• AWS Network Firewall (p. 70)
• AWS Resource Access Manager (p. 70)
• AWS Secrets Manager (p. 71)
• AWS Security Hub (p. 71)

78
 Overview of Amazon Web Services AWS Whitepaper

• AWS Shield (p. 71)

• AWS Single Sign-On (p. 72)
• AWS WAF (p. 72)

Amazon Cognito
Amazon Cognito lets you add user sign-up, sign-in, and access control to your web
and mobile apps quickly and easily. With Amazon Cognito, you also have the
option to authenticate users through social identity providers such as Facebook,
Twitter, or Amazon, with SAML identity solutions, or by using your own identity
system. In addition, Amazon Cognito enables you to save data locally on users’
devices, allowing your applications to work even when the devices are offline.
You can then synchronize data across users’ devices so that their app experience
remains consistent regardless of the device they use.

With Amazon Cognito, you can focus on creating great app experiences instead of
worrying about building, securing, and scaling a solution to handle user
management, authentication, and sync across devices.

Amazon Cloud Directory

Amazon Cloud Directory enables you to build flexible, cloud-native directories
for organizing hierarchies of data along multiple dimensions. With Cloud
Directory, you can create directories for a variety of use cases, such as
organizational charts, course catalogs, and device registries. While traditional
directory solutions, such as Active Directory Lightweight Directory Services (AD
LDS) and other LDAP-based directories, limit you to a single hierarchy, Cloud
Directory offers you the flexibility to create directories with hierarchies that
span multiple dimensions. For example, you can create an organizational chart
that can be navigated through separate hierarchies for reporting structure,
location, and cost center.

Amazon Cloud Directory automatically scales to hundreds of millions of objects

and provides an extensible schema that can be shared with multiple applications.
As a fully-managed service, Cloud Directory eliminates time-consuming and
expensive administrative tasks, such as scaling infrastructure
Amazon Detective

and managing servers. You simply define the schema, create a directory, and then
populate your directory by making calls to the Cloud Directory API.

Amazon Detective
Amazon Detective makes it easy to analyze, investigate, and quickly identify the
root cause of potential security issues or suspicious activities. Amazon
Detective automatically collects log data from your AWS resources and uses
machine learning, statistical analysis, and graph theory to build a linked set
of data that enables you to easily conduct faster and more efficient security
investigations.

AWS security services like Amazon GuardDuty, Amazon Macie, and AWS Security Hub
as well as partner security products can be used to identify potential security
issues, or findings. These services are really helpful in alerting you when
something is wrong and pointing out where to go to fix it. But sometimes there

79
 Overview of Amazon Web Services AWS Whitepaper

might be a security finding where you need to dig a lot deeper and analyze more
information to isolate the root cause and take action. Determining the root
cause of security findings can be a complex process that often involves
collecting and combining logs from many separate data sources, using extract,
transform, and load (ETL) tools or custom scripting to organize the data, and
then security analysts having to analyze the data and conduct lengthy
investigations.

Amazon Detective simplifies this process by enabling your security teams to

easily investigate and quickly get to the root cause of a finding. Amazon
Detective can analyze trillions of events from multiple data sources such as
Virtual Private Cloud (VPC) Flow Logs, AWS CloudTrail, and Amazon GuardDuty, and
automatically creates a unified, interactive view of your resources, users, and
the interactions between them over time. With this unified view, you can
visualize all the details and context in one place to identify the underlying
reasons for the findings, drill down into relevant historical activities, and
quickly determine the root cause.

You can get started with Amazon Detective in just a few clicks in the AWS
Console. There is no software to deploy, or data sources to enable and maintain.

Amazon GuardDuty
Amazon GuardDuty is a threat detection service that continuously monitors for
malicious or unauthorized behavior to help you protect your AWS accounts and
workloads. It monitors for activity such as unusual API calls or potentially
unauthorized deployments that indicate a possible account compromise. GuardDuty
also detects potentially compromised instances or reconnaissance by attackers.

Enabled with a few clicks in the AWS Management Console, Amazon GuardDuty can
immediately begin analyzing billions of events across your AWS accounts for
signs of risk. GuardDuty identifies suspected attackers through integrated
threat intelligence feeds and uses machine learning to detect anomalies in
account and workload activity. When a potential threat is detected, the service
delivers a detailed security alert to the GuardDuty console and Amazon
CloudWatch Events. This makes alerts actionable and easy to integrate into
existing event management and workflow systems.

Amazon GuardDuty is cost effective and easy. It does not require you to deploy
and maintain software or security infrastructure, meaning it can be enabled
quickly with no risk of negatively impacting existing application workloads.
There are no upfront costs with GuardDuty, no software to deploy, and no threat
intelligence feeds required. Customers pay for the events analyzed by GuardDuty
and there is a 30-day free trial available for every new account to the service.

Amazon Inspector
Amazon Inspector is an automated security assessment service that helps improve
the security and compliance of applications deployed on AWS. Amazon Inspector
automatically assesses applications for exposure, vulnerabilities, and
deviations from best practices. After performing an assessment, Amazon Inspector
produces a detailed list of security findings prioritized by level of severity.
These findings
Amazon Macie

can be reviewed directly or as part of detailed assessment reports which are

available via the Amazon Inspector console or API.

80
 Overview of Amazon Web Services AWS Whitepaper

Amazon Inspector security assessments help you check for unintended network
accessibility of your Amazon EC2 instances and for vulnerabilities on those EC2
instances. Amazon Inspector assessments are offered to you as pre-defined rules
packages mapped to common security best practices and vulnerability definitions.
Examples of built-in rules include checking for access to your EC2 instances
from the internet, remote root login being enabled, or vulnerable software
versions installed. These rules are regularly updated by AWS security
researchers.

Amazon Macie
Amazon Macie is a security service that uses machine learning to automatically
discover, classify, and protect sensitive data in AWS. Amazon Macie recognizes
sensitive data such as personally identifiable information (PII) or intellectual
property, and provides you with dashboards and alerts that give visibility into
how this data is being accessed or moved. The fully managed service continuously
monitors data access activity for anomalies, and generates detailed alerts when
it detects risk of unauthorized access or inadvertent data leaks.

AWS Artifact
AWS Artifact is your go-to, central resource for compliance-related information
that matters to you.
It provides on-demand access to AWS’ security and compliance reports and select
online agreements.
Reports available in AWS Artifact include our Service Organization Control
(SOC) reports, Payment Card Industry (PCI) reports, and certifications from
accreditation bodies across geographies and compliance verticals that validate
the implementation and operating effectiveness of AWS security controls.
Agreements available in AWS Artifact include the Business Associate Addendum
(BAA) and the Nondisclosure Agreement (NDA).

AWS Audit Manager

AWS Audit Manager helps you continuously audit your AWS usage to simplify how you
assess risk and compliance with regulations and industry standards. Audit
Manager automates evidence collection to reduce the “all hands on deck” manual
effort that often happens for audits and enable you to scale your audit
capability in the cloud as your business grows. With Audit Manager, it is easy
to assess if your policies, procedures, and activities – also known as controls
– are operating effectively. When it is time for an audit, AWS Audit Manager
helps you manage stakeholder reviews of your controls and enables you to build
audit-ready reports with much less manual effort.

AWS Audit Manager’s prebuilt frameworks help translate evidence from cloud
services into auditorfriendly reports by mapping your AWS resources to the
requirements in industry standards or regulations, such as CIS AWS Foundations
Benchmark, the General Data Protection Regulation (GDPR), and the Payment Card
Industry Data Security Standard (PCI DSS). You can also fully customize a
framework and its controls for your unique business requirements. Based on the
framework you select, Audit Manager launches an assessment that continuously
collects and organizes relevant evidence from your AWS accounts and resources,
such as resource configuration snapshots, user activity, and compliance check
results.

81
 Overview of Amazon Web Services AWS Whitepaper

You can get started quickly in the AWS Management Console. Just select a prebuilt
framework to launch an assessment and begin automatically collecting and
organizing evidence.

AWS Certificate Manager

AWS Certificate Manager is a service that lets you easily provision, manage, and
deploy Secure Sockets
Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services
and your internal
AWS CloudHSM

connected resources. SSL/TLS certificates are used to secure network

communications and establish the identity of websites over the Internet as well
as resources on private networks. AWS Certificate Manager removes the time-
consuming manual process of purchasing, uploading, and renewing SSL/TLS
certificates.

With AWS Certificate Manager, you can quickly request a certificate, deploy it on
ACM-integrated AWS resources, such as Elastic Load Balancing, Amazon CloudFront
distributions, and APIs on API Gateway, and let AWS Certificate Manager handle
certificate renewals. It also enables you to create private certificates for
your internal resources and manage the certificate lifecycle centrally. Public
and private certificates provisioned through AWS Certificate Manager for use
with ACM-integrated services are free. You pay only for the AWS resources you
create to run your application. With AWS Certificate Manager Private Certificate
Authority, you pay monthly for the operation of the private CA and for the
private certificates you issue.

AWS CloudHSM
The AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you
to easily generate and use your own encryption keys on the AWS Cloud. With
CloudHSM, you can manage your own encryption keys using FIPS 140-2 Level 3
validated HSMs. CloudHSM offers you the flexibility to integrate with your
applications using industry-standard APIs, such as PKCS#11, Java Cryptography
Extensions (JCE), and Microsoft CryptoNG (CNG) libraries.

CloudHSM is standards-compliant and enables you to export all of your keys to

most other commercially-available HSMs, subject to your configurations. It is a
fully-managed service that automates time-consuming administrative tasks for
you, such as hardware provisioning, software patching, high-availability, and
backups. CloudHSM also enables you to scale quickly by adding and removing HSM
capacity on-demand, with no up-front costs.

AWS Directory Service

AWS Directory Service for Microsoft Active Directory, also known as AWS Managed
Microsoft AD, enables your directory-aware workloads and AWS resources to use
managed Active Directory in the AWS Cloud. AWS Managed Microsoft AD is built on
actual Microsoft Active Directory and does not require you to synchronize or
replicate data from your existing Active Directory to the cloud. You can use
standard Active Directory administration tools and take advantage of built-in
Active Directory features such as
Group Policy and single sign-on (SSO). With AWS Managed Microsoft AD, you can
easily join Amazon EC2 and Amazon RDS for SQL Server instances to a domain, and

82
 Overview of Amazon Web Services AWS Whitepaper

use AWS Enterprise IT applications such as Amazon WorkSpaces with Active

Directory users and groups.

AWS Firewall Manager

AWS Firewall Manager is a security management service that makes it easier to
centrally configure and manage AWS WAF rules across your accounts and
applications. Using Firewall Manager, you can easily roll out AWS WAF rules for
your Application Load Balancers and Amazon CloudFront distributions across
accounts in AWS Organizations. As new applications are created, Firewall Manager
also makes it easy to bring new applications and resources into compliance with
a common set of security rules from day one. Now you have a single service to
build firewall rules, create security policies, and enforce them in a
consistent, hierarchical manner across your entire Application Load Balancers
and Amazon CloudFront infrastructure.

AWS Identity and Access Management

AWS Identity and Access Management (IAM) enables you to securely control access
to AWS services and resources for your users. Using IAM, you can create and
manage AWS users and groups, and use permissions to allow and deny their access
to AWS resources. IAM allows you to do the following:
AWS Key Management Service

• Manage IAM users and their access: You can create users in IAM, assign them
individual security credentials (access keys, passwords, and multi-factor
authentication devices), or request temporary security credentials to provide
users access to AWS services and resources. You can manage permissions in order
to control which operations a user can perform.
• Manage IAM roles and their permissions: You can create roles in IAM and manage
permissions to control which operations can be performed by the entity, or AWS
service, that assumes the role. You can also define which entity is allowed to
assume the role.
• Manage federated users and their permissions: You can enable identity
federation to allow existing identities (users, groups, and roles) in your
enterprise to access the AWS Management Console, call AWS APIs, and access
resources, without the need to create an IAM user for each identity.

AWS Key Management Service

AWS Key Management Service (KMS) makes it easy for you to create and manage keys
and control the use of encryption across a wide range of AWS services and in
your applications. AWS KMS is a secure and resilient service that uses FIPS 140-
2 validated hardware security modules to protect your keys. AWS KMS is
integrated with AWS CloudTrail to provide you with logs of all key usage to help
meet your regulatory and compliance needs.

AWS Network Firewall

AWS Network Firewall is a managed service that makes it easy to deploy essential
network protections for all of your Amazon Virtual Private Clouds (VPCs). The
service can be setup with just a few clicks and scales automatically with your
network traffic, so you don't have to worry about deploying and managing any

83
 Overview of Amazon Web Services AWS Whitepaper

infrastructure. AWS Network Firewall’s flexible rules engine lets you define
firewall rules that give you fine-grained control over network traffic, such as
blocking outbound Server Message Block (SMB) requests to prevent the spread of
malicious activity. You can also import rules you’ve already written in common
open source rule formats as well as enable integrations with managed
intelligence feeds sourced by AWS partners. AWS Network Firewall works together
with AWS Firewall Manager so you can build policies based on AWS Network
Firewall rules and then centrally apply those policies across your VPCs and
accounts.

AWS Network Firewall includes features that provide protections from common
network threats. AWS Network Firewall’s stateful firewall can incorporate
context from traffic flows, like tracking connections and protocol
identification, to enforce policies such as preventing your VPCs from accessing
domains using an unauthorized protocol. AWS Network Firewall’s intrusion
prevention system (IPS) provides active traffic flow inspection so you can
identify and block vulnerability exploits using signature-based detection. AWS
Network Firewall also offers web filtering that can stop traffic to known bad
URLs and monitor fully qualified domain names.

It’s easy to get started with AWS Network Firewall by visiting the Amazon VPC
Console to create or import your firewall rules, group them into policies, and
apply them to the VPCs you want to protect. AWS Network Firewall pricing is
based on the number of firewalls deployed and the amount of traffic inspected.
There are no upfront commitments and you pay only for what you use.

AWS Resource Access Manager

AWS Resource Access Manager (RAM) helps you securely share your resources across
AWS accounts, within your organization or organizational units (OUs) in AWS
Organizations, and with IAM roles and IAM users for supported resource types.
You can use AWS RAM to share transit gateways, subnets, AWS License Manager
license configurations, Amazon Route 53 Resolver rules, and more resource types.

Many organizations use multiple accounts to create administrative or billing

isolation, and to limit the impact of errors. With AWS RAM, you don’t need to
create duplicate resources in multiple AWS accounts.
AWS Secrets Manager

This reduces the operational overhead of managing resources in every account

that you own. Instead, in your multi-account environment, you can create a
resource once, and use AWS RAM to share that resource across accounts by
creating a resource share. When you create a resource share, you select the
resources to share, choose an AWS RAM managed permission per resource type, and
specify whom you want to have access to the resources. AWS RAM is available to
you at no additional charge.

AWS Secrets Manager

AWS Secrets Manager helps you protect secrets needed to access your applications,
services, and IT resources. The service enables you to easily rotate, manage,
and retrieve database credentials, API keys, and other secrets throughout their
lifecycle. Users and applications retrieve secrets with a call to Secrets
Manager APIs, eliminating the need to hardcode sensitive information in plain
text. Secrets Manager offers secret rotation with built-in integration for
Amazon RDS for MySQL, PostgreSQL, and Amazon Aurora. Also, the service is

84
 Overview of Amazon Web Services AWS Whitepaper

extensible to other types of secrets, including API keys and OAuth tokens. In
addition, Secrets Manager enables you to control access to secrets using fine-
grained permissions and audit secret rotation centrally for resources in the AWS
Cloud, third-party services, and on-premises.

AWS Security Hub

AWS Security Hub gives you a comprehensive view of your high-priority security
alerts and compliance status across AWS accounts. There are a range of powerful
security tools at your disposal, from firewalls and endpoint protection to
vulnerability and compliance scanners. But oftentimes this leaves your team
switching back-and-forth between these tools to deal with hundreds, and
sometimes thousands, of security alerts every day. With Security Hub, you now
have a single place that aggregates, organizes, and prioritizes your security
alerts, or findings, from multiple AWS services, such as Amazon GuardDuty,
Amazon Inspector, and Amazon Macie, as well as from AWS Partner solutions. Your
findings are visually summarized on integrated dashboards with actionable graphs
and tables. You can also continuously monitor your environment using automated
compliance checks based on the AWS best practices and industry standards your
organization follows. Get started with AWS Security Hub just a few clicks in the
Management Console and once enabled, Security Hub will begin aggregating and
prioritizing findings.

AWS Shield
AWS Shield is a managed Distributed Denial of Service (DDoS) protection service
that safeguards web applications running on AWS. AWS Shield provides you with
always-on detection and automatic inline mitigations that minimize application
downtime and latency, so there is no need to engage AWS Support to benefit from
DDoS protection. There are two tiers of AWS Shield: Standard and Advanced.

All AWS customers benefit from the automatic protections of AWS Shield Standard,
at no additional charge. AWS Shield Standard defends against most common,
frequently occurring network and transport layer DDoS attacks that target your
website or applications. When you use AWS Shield Standard with Amazon CloudFront
and Amazon Route 53 , you receive comprehensive availability protection against
all known infrastructure (Layer 3 and 4) attacks.

For higher levels of protection against attacks targeting your applications

running on Amazon Elastic Compute Cloud (Amazon EC2), Elastic Load Balancing
(ELB), Amazon CloudFront, and Amazon Route 53 resources, you can subscribe to
AWS Shield Advanced. In addition to the network and transport layer protections
that come with Standard, AWS Shield Advanced provides additional detection and
mitigation against large and sophisticated DDoS attacks, near real-time
visibility into attacks, and integration with AWS WAF, a web application
firewall. AWS Shield Advanced also gives you 24x7 access to the AWS DDoS
Response Team (DRT) and protection against DDoS related spikes in your Amazon
Elastic Compute Cloud (Amazon EC2), Elastic Load Balancing (ELB), Amazon
CloudFront, and Amazon Route 53 charges.

AWS Shield Advanced is available globally on all Amazon CloudFront and Amazon
Route 53 edge locations. You can protect your web applications hosted anywhere
in the world by deploying Amazon CloudFront in front of your application. Your
origin servers can be Amazon S3, Amazon Elastic Compute
AWS Single Sign-On

85
 Overview of Amazon Web Services AWS Whitepaper

Cloud (Amazon EC2), Elastic Load Balancing (ELB), or a custom server outside of
AWS. You can also enable AWS Shield Advanced directly on an Elastic IP or
Elastic Load Balancing (ELB) in the following AWS Regions: Northern Virginia,
Ohio, Oregon, Northern California, Montreal, São Paulo, Ireland, Frankfurt,
London, Paris, Stockholm, Singapore, Tokyo, Sydney, Seoul, and Mumbai.

AWS Single Sign-On

AWS Single Sign-On (SSO) is a cloud SSO service that makes it easy to centrally
manage SSO access to multiple AWS accounts and business applications. With just
a few clicks, you can enable a highly available SSO service without the upfront
investment and on-going maintenance costs of operating your own SSO
infrastructure. With AWS SSO, you can easily manage SSO access and user
permissions to all of your accounts in AWS Organizations centrally. AWS SSO also
includes built-in SAML integrations to many business applications, such as
Salesforce, Box, and Microsoft Office 365. Further, by using the AWS SSO
application configuration wizard, you can create Security Assertion Markup
Language (SAML) 2.0 integrations and extend SSO access to any of your SAML-
enabled applications. Your users simply sign in to a user portal with
credentials they configure in AWS SSO or using their existing corporate
credentials to access all their assigned accounts and applications from one
place.

AWS WAF
AWS WAF is a web application firewall that helps protect your web applications
from common web exploits that could affect application availability, compromise
security, or consume excessive resources. AWS WAF gives you control over which
traffic to allow or block to your web application by defining customizable web
security rules. You can use AWS WAF to create custom rules that block common
attack patterns, such as SQL injection or cross-site scripting, and rules that
are designed for your specific application. New rules can be deployed within
minutes, letting you respond quickly to changing traffic patterns. Also, AWS WAF
includes a full-featured API that you can use to automate the creation,
deployment, and maintenance of web security rules.

Storage
Topics
• Amazon Elastic Block Store (p. 72)
• Amazon Elastic File System (p. 73)
• Amazon FSx for Lustre (p. 73)
• Amazon FSx for Windows File Server (p. 73)
• Amazon Simple Storage Service (p. 74)
• Amazon S3 Glacier (p. 74)
• AWS Backup (p. 74)
• AWS Storage Gateway (p. 74)

86
 Overview of Amazon Web Services AWS Whitepaper

Amazon Elastic Block Store

Amazon Elastic Block Store (Amazon EBS) provides persistent block storage
volumes for use with Amazon EC2 instances in the AWS Cloud. Each Amazon EBS
volume is automatically replicated within its Availability Zone to protect you
from component failure, offering high availability and durability. Amazon EBS
volumes offer the consistent and low-latency performance needed to run your
workloads. With Amazon EBS, you can scale your usage up or down within minutes—
all while paying a low price for only what you provision.
Amazon Elastic File System

Amazon Elastic File System

Amazon Elastic File System (Amazon EFS) provides a simple, scalable, elastic file
system for Linux-based workloads for use with AWS Cloud services and on-premises
resources. It is built to scale on demand to petabytes without disrupting
applications, growing and shrinking automatically as you add and remove files,
so your applications have the storage they need – when they need it. It is
designed to provide massively parallel shared access to thousands of Amazon EC2
instances, enabling your applications to achieve high levels of aggregate
throughput and IOPS with consistent low latencies. Amazon EFS is a fully managed
service that requires no changes to your existing applications and tools,
providing access through a standard file system interface for seamless
integration. Amazon EFS is a regional service storing data within and across
multiple Availability Zones (AZs) for high availability and durability. You can
access your file systems across AZs and AWS Regions and share files between
thousands of Amazon EC2 instances and on-premises servers via AWS Direct Connect
or AWS VPN.

Amazon EFS is well suited to support a broad spectrum of use cases from highly
parallelized, scale-out workloads that require the highest possible throughput
to single-threaded, latency-sensitive workloads. Use cases such as lift-and-
shift enterprise applications, big data analytics, web serving and content
management, application development and testing, media and entertainment
workflows, database backups, and container storage.

Amazon FSx for Lustre

Amazon FSx for Lustre is a fully managed file system that is optimized for
compute-intensive workloads, such as high performance computing, machine
learning, and media data processing workflows. Many of these applications
require the high-performance and low latencies of scale-out, parallel file
systems. Operating these file systems typically requires specialized expertise
and administrative overhead, requiring you to provision storage servers and tune
complex performance parameters. With Amazon FSx, you can launch and run a Lustre
file system that can process massive data sets at up to hundreds of gigabytes
per second of throughput, millions of IOPS, and sub-millisecond latencies.

Amazon FSx for Lustre is seamlessly integrated with Amazon S3, making it easy to
link your longterm data sets with your high performance file systems to run
compute-intensive workloads. You can automatically copy data from S3 to FSx for
Lustre, run your workloads, and then write results back to S3. FSx for Lustre
also enables you to burst your compute-intensive workloads from on-premises to
AWS by allowing you to access your FSx file system over Amazon Direct Connect or
VPN. FSx for Lustre helps you cost-optimize your storage for compute-intensive
workloads: It provides cheap and performant nonreplicated storage for processing

87
 Overview of Amazon Web Services AWS Whitepaper

data, with your long-term data stored durably in Amazon S3 or other low-cost
data stores. With Amazon FSx, you pay for only the resources you use. There are
no minimum commitments, upfront hardware or software costs, or additional fees.

Amazon FSx for Windows File Server

Amazon FSx for Windows File Server provides a fully managed native Microsoft
Windows file system so you can easily move your Windows-based applications that
require file storage to AWS. Built on Windows Server, Amazon FSx provides shared
file storage with the compatibility and features that your Windowsbased
applications rely on, including full support for the SMB protocol and Windows
NTFS, Active Directory (AD) integration, and Distributed File System (DFS).
Amazon FSx uses SSD storage to provide the fast performance your Windows
applications and users expect, with high levels of throughput and IOPS, and
consistent sub-millisecond latencies. This compatibility and performance is
particularly important when moving workloads that require Windows shared file
storage, like CRM, ERP, and .NET applications, as well as home directories.

With Amazon FSx, you can launch highly durable and available Windows file systems
that can be accessed from up to thousands of compute instances using the
industry-standard SMB protocol. Amazon FSx eliminates the typical administrative
overhead of managing Windows file servers. You pay for only the resources used,
with no upfront costs, minimum commitments, or additional fees.
Amazon Simple Storage Service

Amazon Simple Storage Service

Amazon Simple Storage Service (Amazon S3) is an object storage service that
offers industry-leading scalability, data availability, security, and
performance. This means customers of all sizes and industries can use it to
store and protect any amount of data for a range of use cases, such as websites,
mobile applications, backup and restore, archive, enterprise applications, IoT
devices, and big data analytics. Amazon S3 provides easy-to-use management
features so you can organize your data and configure finely-tuned access
controls to meet your specific business, organizational, and compliance
requirements. Amazon S3 is designed for 99.999999999% (11 9's) of durability,
and stores data for millions of applications for companies all around the world.

Amazon S3 Glacier
Amazon S3 Glacier is a secure, durable, and extremely low-cost storage service
for data archiving and long-term backup. It is designed to deliver 99.999999999%
durability, and provides comprehensive security and compliance capabilities that
can help meet even the most stringent regulatory requirements. Amazon S3 Glacier
provides query-in-place functionality, allowing you to run powerful analytics
directly on your archive data at rest. You can store data for as little as $1
per terabyte per month, a significant savings compared to on-premises solutions.
To keep costs low yet suitable for varying retrieval needs, Amazon S3 Glacier
provides three options for access to archives, from a few minutes to several
hours, and S3 Glacier Deep Archive provides two access options ranging from 12
to 48 hours.

88
 Overview of Amazon Web Services AWS Whitepaper

AWS Backup
AWS Backup enables you to centralize and automate data protection across AWS
services. AWS Backup offers a cost-effective, fully managed, policy-based
service that further simplifies data protection at scale. AWS Backup also helps
you support your regulatory compliance or business policies for data protection.
Together with AWS Organizations, AWS Backup enables you to centrally deploy data
protection policies to configure, manage, and govern your backup activity across
your organization’s AWS accounts and resources, including Amazon Elastic Compute
Cloud (Amazon EC2) instances, Amazon
Elastic Block Store (Amazon EBS) volumes, Amazon Relational Database Service
(Amazon RDS) databases
(including Amazon Aurora clusters), Amazon DynamoDB tables, Amazon Elastic File
System (Amazon EFS) file systems, Amazon FSx for Lustre file systems, Amazon FSx
for Windows File Server file systems, and AWS Storage Gateway volumes.

AWS Storage Gateway

The AWS Storage Gateway is a hybrid storage service that enables your on-premises
applications to seamlessly use AWS cloud storage. You can use the service for
backup and archiving, disaster recovery, cloud data processing, storage tiering,
and migration. Your applications connect to the service through a virtual
machine or hardware gateway appliance using standard storage protocols, such as
NFS, SMB and iSCSI. The gateway connects to AWS storage services, such as Amazon
S3, S3 Glacier, and Amazon EBS, providing storage for files, volumes, and
virtual tapes in AWS. The service includes a highly-optimized data transfer
mechanism, with bandwidth management, automated network resilience, and
efficient data transfer, along with a local cache for low-latency on-premises
access to your most active data.
Conclusion

Next Steps
Reinvent how you work with IT by signing up for the AWS Free Tier, which enables
you to gain hands-on experience with a broad selection of AWS products and
services. Within the AWS Free Tier, you can test workloads and run applications
to learn more and build the right solution for your organization. You can also
contact AWS Sales and Business Development.

By signing up for AWS, you have access to Amazon’s cloud computing services.
Note: The sign-up process requires a credit card, which will not be charged
until you start using services. There are no long-term commitments and you can
stop using AWS at any time.

To help familiarize you with AWS, view these short videos that cover topics like
creating an account, launching a virtual server, storing media and more. Learn
about the breadth and depth of AWS on our general AWS Channel and AWS Online
Tech Talks. Get hands on experience from our self-paced labs.

89
 Overview of Amazon Web Services AWS Whitepaper

Conclusion
AWS provides building blocks that you can assemble quickly to support virtually
any workload. With AWS, you’ll find a complete set of highly available services
that are designed to work together to build sophisticated scalable applications.

You have access to highly durable storage, low-cost compute, high-performance

databases, management tools, and more. All this is available without up-front
cost, and you pay for only what you use. These services help organizations move
faster, lower IT costs, and scale. AWS is trusted by the largest enterprises and
the hottest start-ups to power a wide variety of workloads, including web and
mobile applications, game development, data processing and warehousing, storage,
archive, and many others.

90
91

Resources
• AWS Architecture Center
• AWS Whitepapers
• AWS Architecture Monthly
• AWS Architecture Blog
• This Is My Architecture videos
• AWS Documentation

91
AWS-ELEV8 EDUCATION

92
93

AWS glossary
For the latest AWS terminology, see the AWS glossary in the AWS General
Reference.

93