AWS Certified Cloud Practitioner 2nd Edition - AWS Official Training Notes

• AWS Cloud Practitioner
  • Module 1 - Introduction to AWS Cloud
    • Key Benefits of AWS Cloud:
    • AWS Infrastructure
      • Fault Tolerance/High Availability
      • Customer Data Security
    • Accessing and Using aws resources
  • Module 2 - AWS Core Services
    • AWS EC2 - Elastic Compute Cloud
      • Overview
      • Demo - Create an EC2 Instance
    • AWS EBS - Elastic Block Storage
      • Overview
      • Demo - Create an EBS volume and attache it to EC2 Instance
    • AWS S3 - Simple Storage Service
      • S3 Common Usages
      • Global Infrastructure
    • AWS VPC - Virtual Private Cloud
      • Features
    • Security Groups
  • Module 3 - Integrated Services
    • Application Load Balancer
      • Overview:
      • Use Cases
    • Auto Scaling
      • Components
      • Dynamic Auto Scaling
      • Demo
    • Amazon Route 53
      • Overview
      • Create a Hosted Zone
    • Amazon RDS - Relational Database Service
      • Challenges of running own Relational Data bases
      • Why Amazon RDS
      • Amazon RDS - Overview
      • RDS Read Replicas
      • RDS Use cases
      • RDS Benefits
    • AWS LAMBDA
      • Overview
      • When to use AWS Lambda
      • Demo
      • Use Cases
    • EBS - Elastic BeanStalk Service
      • Components
      • Deployment and Updates
      • Demo
    • Amazon SNS - Simple Notification Service
      • Types of Messaging
      • Demo
    • Amazon CloudWatch
      • Introduction
      • Architecture
      • Common Use Cases
      • Components
      • Demo
    • Amazon CloudFront - Content Delivery Network - CDN
      • Use Cases
      • Demo
    • AWS CloudFormation
      • Components
      • CloudFormation Requirements
      • Demo
  • Module 4 - Architecture
    • The AWS Well-Architected Framework
      • Security Pillar
      • Security Pillar: Design Principles
      • Reliability Pillar
      • Reliability Pillar: Design Principles
      • Performance Efficiency Pillar
      • Performance Efficiency Pillar: Design Principles
      • Cost Optimization Pillar
      • Cost Optimization Pillar: Design Principle
      • Operational Excellence Pillar
    • Fault Tolerance and High Availability
      • Fault Tolerant Tools
    • Web Hosting
  • Module 5 - AWS Security
    • The Shared Responsibility Model
    • Identity and Access Management - IAM
    • Amazon Inspector
      • Intro to Amazon Inspector
    • AWS Shield
    • Security Compliance
      • AWS Compliance Approach
  • Module 6 - Pricing and Support
    • Pricing Fundamentals
    • AWS Pricing Details
      • Pricing Characteristics for commonly used products:
    • AWS Trusted Advisor
      • Introduction
      • Benefits
      • Customer Case Study - Hungama Digital Media
      • How Trusted Advisor Works:
      • Demo
      • Summary
    • AWS Support Plans
      • AWS Support
      • AWS Support Plans
  • Cloud Practictioner Course Summary

AWS Cloud Practitioner

Module 1 - Introduction to AWS Cloud

Cloud computing refers to the on-demand delivery of IT resources and applications via the internet. More agile and efficient cloud infrastructure than on-premise data-centers structure

we can reduce risks, automatically scale and reliable coverage even in the case of disaster. Agile and quickly adapt to change, this reduces the cost of change.

Scalability, agility and innovation is facilitated.

Key Benefits of AWS Cloud:

• ability to use your services at your own pace.
• Scalability means the ability to resize your resources as necessary.
• Increased agility factors -
  • increasing speed
  • ease of experimentation
  • and cultivating a culture of innovation
  • Global reach with a click within minutes.
  • Spend less time focusing on the infrastructure
  • AWS Cloudformation automates infrastructure creation.
• Elasticity is also a powerful advantage in cloud computing
  • Power to scale computing resources up or down quickly.
  • Elastic Infra
    • Auto-scaling and Elastic Load Balancing
• Any workload can be support
• Reliability means being able to acquire computing resources to meet demand and mitigate disruptions.

AWS Infrastructure

• AWS Regions - Data centers are hosted all over the world in what we call Region
  • Each region is a separate geographical area that has multiple isolated locations known as Availability Zones (AZ)
  • Each Availability Zones (AZ) consist of one or more discrete data centers, with each with redundant power, networking and connectivity, housed in separate facilities.
  • Multi location deployment of same resources ensures high availability, fault-tolerant and scalability
• Using Availability Zones, lets you operate prod applications and databases that are more highly available, fault-tolerant and scalable.
  • The structure of availability zones is intentional and directly related to fault tolerance

Fault Tolerance/High Availability

• Fault Tolerance - a system can remain operational even if some of the components of that system fail. Think of it as the built-in redundancy of an application’s components.
• High Availability - Ensures that your system are always functioning and accessible, and that downtime is minimized as much as possible, without the need for human intervention.

Customer Data Security

• complete control and ownership of your data
• how you handle encryption and who holds encryption keys
• auditing and security management is easy with cloud.
• How AWS data centers are secure:
  • AWS uses state-of-the-art electronic surveillance and multi-factor access control systems.
  • data-centers staffed 24/7 by trained security guards, and access is strictly regulated.

Accessing and Using aws resources

• Using AWS management console
  • Via Web/Mobile App
  • Services shortcuts
  • Resource Groups
  • Frequently accessed resources can be grouped at user level
    • Can be shared with aws identities in the same account
    • Tag Editor
• AWS CLI
  • Automate and repeat the deployment of AWS Resources
• AWS SDK using applications
  • use in your applications

Module 2 - AWS Core Services

High level intro to core services

AWS EC2 - Elastic Compute Cloud

Overview

• Elastic refers to the fact that if properly configured, you can increase or decrease resources automatically.
• Compute refers to the compute or server resources
• Cloud refers to the fact that these are cloud hosted compute resources
• Pay as you go
• Broad selection of HW/SW
• global hosting

Demo - Create an EC2 Instance

• Login to AWS Console
• Choose a region
• Launch EC2 Wizard
• Select the AMI - Amazon Machine Image (SW) - OS image
• Select the Instance type (HW) - vCpu and RAM.
• Configure Network - select VPC, subnet and auto assign DHCP
• Configure Storage - add storage EBS (Elastic Block Storage) - SSD/HDD
• Configure Security Group - select who/which IP can connect to ec2 instance.
• Key Pairs Selection (EC2 SSH Connectivity) - create new and down ssh private key

AWS EBS - Elastic Block Storage

Overview

• EBS volumes can be used as the storage units for your EC2 Instances
• HDD/SSD devices types - performance
• Persistent and customizable block storage for EC2
• Replicated across multiple servers running in the same availability zone
• Backup using snapshots
• Easy and transparent encryption
• Elastic Volumes
• durable because of Block level replication
• Point in time snapshots - greater disaster recovery protection
• Encrypt and share your snapshots
• Encrypted EBS at no additional cost.
• The encryption occurs on the EC2 side, so the data moving between the EC2 instance and the EBS volume inside AWS data centers will be encrypted in transit.
• Change/resize EBS volume type (SSD/HDD/Magnetic) on the fly without needing to stop the instances

Demo - Create an EBS volume and attache it to EC2 Instance

• go to EC2 Service in console
• check instances on instances link
• check volumes link under EBS link group
• EBS volume must be created in the same availability zone as per the EC2 instance
• Can restore from snapshot while creating volume.
• volumes in available state, can only be attached to EC2 instances
• EBS Volume states
  • in-use
  • available
• Tagging can be done for volume, for specifying type of volume
• tagging can be done for billing and performing grouped operations

AWS S3 - Simple Storage Service

• managed cloud storage service
• storage unlimited number of objects
• Access any time, from any where
• Fine grained security controls
• Encrypt your data in transit
• Data Redundantly Stored in a region
  • stored across multiple aws facilities within your selected region
  • Designed for seamless scaling
  • Auto scale for high volume access
  • Access S3 by management console, AWS CLI, and AWS SDK
  • Also objects can be accessed via rest endpoints (https)
  • S3 Bucket names must be globally unique and dns name compliant

S3 Common Usages

• Storing Application Assets - media files, server logs, other static files. Offload serving content
• Static Web Hosting
• High durability of S3
  • Cross region replication can be useful for buckup and disaster recovery
  • Staging Area for big data - can be used with Bigdata tools
  • Import/Export large volumes of data into S3 using AWS Import Export devices like SNOWBALL

Global Infrastructure

Broken down into 3 topics:

• AWS Regions
  • Geographic areas that host 2 or more availability zones.
  • They are the organizing levels for AWS Services
  • while using regions, consider the region which help us to optimizing latency while minimizing the cost and adhering to the regulatory requirements like PCI-DSS
  • We can deploy resources in multiple regions to better suite our resources
  • Regions are completely separate entities from one another.
  • Resources in one region are not automatically replicated to other regions, and not all services are available in all regions - though some of the most common AWS Services are available in all regions, like S3,EC2.
• Availability Zones
  • Availability zones are a collection of data centers within a specific region.
  • Each Availability zone is physically isolated from the others, but connected together by a fast, low latency network.
  • Each Availability Zone is a physically distinct, independent infrastructure. They are physically and logically separate. They also have their own discrete, uninterruptible power supply; onsite backup generators; cooling equipment; and networking and connectivity. They are supplied by different grids, from independent utility companies for power and are networked through multiple tier-1 transit providers.
  • Isolating Availability Zones means they are protected from failures in other zones, which ensures high availability.
  • Data Redundancy with a region means that if one zone goes down the other zones can handle requests.
  • AWS recommends provisioning your data across multiple availability zone as a best practice.
• Edge Locations
  • AWS Edge locations host a content delivery network, or CDN, called Amazon CloudFront.
  • CloudFront is used to deliver content to your customers. Requests for content are automatically routed to nearest edge location so that the content is delivered faster to the end users.
  • When you use the global network of edge locations, your customers have access to quicker content delivery.
  • Edge locations are typically located in highly populated areas similar to regions or availability zones.

AWS VPC - Virtual Private Cloud

• is the Networking AWS Service that will meet your networking requirements
• Allows you to create a private network within the aws cloud that use many of the same concepts and constructs as on-premise network.
• much of the complexity of setting up a network has been abstracted without sacrificing control, security and usability.
• Amazon VPC also gives you the complete control of the network configuration.
• Customer can define normal networking configuration such as IP Address spaces, subnets, and routing tables. This allows you to control what you expose to the internet and what you isolate within the AMAZON VPC.
• You can deploy your Amazon VPC in a way to layer security controls in the network. this includes isolating subnets, defining access control lists, and customizing routing rules. You have complete control to allow and deny both incoming and outgoing traffic.
• There are numerous aws services that deploy into your VPC that then inherit and take advantage of the security that you have built into your cloud network.

Features

• Builds upon high availability of AWS Regions and Availability Zones (AZ)
  • Amazon VPC lives within a Region and can span across multiple AZs.
  • Multiple VPCs per AWS account
• A VPC Defines an IP Address Space that is then divided by subnets
• these subnets deployed within AZs
• Can create many subnets, fewer is recommended to limit the complexity of the network topology
• Can configure route tables
  • control the traffic between subnets and the internet
  • By default all subnets within a vpc can communicate with each other.
  • Subnet can be classified as:
    • Public - having direct access to the internet
    • private - not having direct access to the internet
• For a subnet to be Public, we need to attach an Internet gateway to the VPC and update the route table of the public subnet to send non-local traffic to the internet gateway
• Example of vpc design:

Security Groups

• Act as built-in firewalls
• Control accessibility to instances
• filter traffic to your instances
• Security Group Rules:
  • anywhere - 0.0.0.0/0
• Virtual Firewall

Module 3 - Integrated Services

Application Load Balancer

Overview:

• Part of ELB - Elastic Load Balancer Service
  • Classic Load Balancer
  • Network Load Balancer
  • Application Load Balancer
• Enhanced version of Classic Load Balancer
  • Additional Supported request protocols
    • http,https, http2 and websockets
  • Enhanced cloudwatch matrics and access logs
  • more target Health checks
• Additional Features of ALB
  • ability to enable additional routing mechanisms for your requests using path or host based routing
  • Native IPV6 support in a VPC,
  • AWS Web Application Firewall Integration and more

Use Cases

• ability to use containers to host your microservices and route to those apps from a single Load Balancer

Auto Scaling

• helps you ensure that you have the correct number if EC2 instances available to handle to load for your application.
• Add or remove instances based on specified conditions
• Scalability and automation

Components

• Launch Configuration - What
  • AMI
  • Instance Type
  • Security Group
  • Roles
• Auto Scaling Group - Where
  • VPC and Subnets
  • Which Load Balancer
  • Min Instances - 2
  • Max Instances - 8
  • Desired Capacity - start with number
• Auto Scaling Policy - When
  • Scheduled
  • On-demand - threshold based conditions
  • Scale-out Policy
  • Scale-in Policy
  • Best Practices - at least one scale-in and scale-out policy

Dynamic Auto Scaling

• One common configuration is to create CloudWatch alarms based on performance information from your EC2 Instances or a load balancer. When a performance threshold is breached a CloudWatch alarm triggers an Auto Scaling Event which either scales out or scales in EC2 Instances in the environment.

Demo

• Create a Launch Configuration
• Create an Auto Scaling Group
• Create an Auto Scaling Policy
• Trigger Auto Scaling

Amazon Route 53

Overview

• Domain Name System Service
• Route 53 does the translation

Create a Hosted Zone

• 4 name servers are assigned to you.
• Record Sets
• Global , highly available DNS
• public and private DNS Names
• Multiple Routing Algorithms
• Both IPV4 and IPV6
• integrated with other AWS Cloud Services

Amazon RDS - Relational Database Service

Challenges of running own Relational Data bases

• Server Maintenance
• Software Installation and Patches
• Database backups and high availability
• Scalability
• Data Security
• OS Installation and Patches

  Why Amazon RDS

• AWS Managed Service with cost efficient, highly available, scaling, power, Server Maintenance.
• Reduces operational overhead

Amazon RDS - Overview

• Databsae Instance
  • Can have multiple user created databases
• Supports various DB
  • Amazon Aurora, mariadb, mysql, oracle, postgres sql, MS SQL server
• Practices : Use a VPC with private subnet to deploy RDS Instance and is only made directly accessible to indicated application instances.
• One of the most powerful feature of Amazon RDS is the ability to configure your database instance for high availability with a Multi-AZ deployment.
• Once configured, RDS automatically generates a stand by copy of the database instance in another AZ within the same VPC. **transactions are synchronously replicated to the stand by copy.
• automatic failover

RDS Read Replicas

• creation of read replicas is spported for mysql, mariadb, postgres sql, and aurora
• Async replication method used
• offload read queries from the master db instance
• ideal for read heavy database workloads
• read replica can be promoted to master if needed
  • due to async replication manual intervention required
• read replicas can be created in a different region than the master database.
  • this feature can help satisfy disaster recovery requirements or cutting down on latency by directly reads to a read replica closer to the user.

RDS Use cases

• ideal for web and mobile applications
  • high throughput
  • massive storage scalability
  • high availability
• e-commerce applications
  • low-cost database
  • data security
  • fully managed solution
• mobile and online games
  • Rapid grow capacity
  • automatic scaling
  • database monitoring

RDS Benefits

• highly scalable
• high performance - storage options (ssd types)
• easy to administer - console/cli
• available and durable
• secure and complaint - can deploy within VPC

AWS LAMBDA

• Event driven serverless compute service

Overview

• aws lambda is compute service that lets you run code without provisioning or managing service.
• Event Driven Execution
• Automatic Scaling - sub second metering
• Multi Language supported
• only pay for executed requests
• No Server to Manage
• Continuous Scaling
• Ideal for variable and intermittent workloads
• with Zero Administration
• runs code on highly available compute infrastructure

When to use AWS Lambda

• for event driven computing
• can run code in response to events like changes to a S3 Bucket or dynamo db table.
• Can respond to HTTP Requests using AWS API Gateway
• Can invoke your code using api calls made using the AWS SDKs
• automatically deploy code using AWS CodePipline and CodeDeploy.
• AWS Lambda is intended to support serverless and micro-services applications.

Demo

Image recognition app -

Mobile App -> Upload Image to S3 -> based on upload event Lambda function is triggered and calls recognition code -> Recognition retrieves the Image from S3 and returns labels for detected property and amenities.

Use Cases

• automated backups
• processing objects uploaded to S3
• Event-driven log analysis
• Event-driven transformations
• Internet of things
• Operating server-less websites
• Real Time Image Processing Use Case Uploads an image on S3 -> Lambda is triggered -> Lambda generates thumbnails
• Analysis of Streaming Social Media Data Kinesis (social media stream is loaded into kinesis in real time) -> Lambda is triggered -> Lambda runs code that generates hashtag trend data and stores it in DynamoDB -> Social Media Trend Data is immediately available for business users to query.
• We can use lambda function to process real time streaming data.

Ecommerce Website -> Order Placed -> Stored data in Dynamo DB -> Lambda is triggered -> Lambda runs data transformation code and loads the result into Dataware house -> redshift (analytics generated from data)

• We can use AWS Lambda to build ETL(Extract, Transform and Loading) Pipeline

IOT Use case - Sensors in Tractor Detect Need for a Spare Part and automatically Place Order Tractor Sensor -> sends data to Kinesis -> Lambda Function is triggered -> Lambda runs code to detect trends in sensor data, identify anomalies and Order Replacements for Faulty Parts.

Web Backends

Front-end code for weather app hosted in S3 -> User clicks to get local weather info on web app -> App makes REST API Call to end point via API Gateway -> Lambda is triggered -> Lambda runs code to retrieve local weather info and returns data back to user.

EBS - Elastic BeanStalk Service

• Type of Cloud Platfor: PAAS - Platform as a service
• Benefits
  • Platform As a Service
  • Simply put your deploy-able artifact on it, Quick Deployment of application
  • Reduces Management Complexity
  • Control in your hands
    • Choose your instance type
    • Choose your database
    • Set/Adjust auto scaling according to your needs
    • Update your Applications
    • Access server log files
      • Enable HTTPs on load balancer
    • Support a large range of Platforms
      • Packer Builder
      • Single Container, Multi Container, or PreConfigured Docker
      • Go
      • Java SE
      • Java with Tomcat
      • .NET on Windows Server with IIS
      • Node.js
      • PHP
      • Python
      • Ruby
    • Easily Implemented

      Components

• Application Service
• HTTP Service
• Operating System
• Language Interpreter
• Host

Deployment and Updates

• Update your application as easily as you deploy it

Demo

Use EBS to host your java app

Amazon SNS - Simple Notification Service

• Flexible fully managed pub/sub messaging and mobile communication service
• Coordinates the delivery of messages to subscribing endpoints and clients
• Easy to Setup, operate and send reliable communications.
• Decouple and scale micro-services, distributed systems and server-less applications.

Types of Messaging

• Amazon SNS Pub/Sub Messaging
  • Publisher -> SNS Topic -> AWS Services (AWS Lambda/HTTP/Amazon SQS)
• Amazon SNS Mobile Notifications
  • Publisher -> SNS Topic -> Different Mobile Systems (ADM/APNS/Baidu/GCM/MPNS/WNS)

Demo

• Go to SNS Service
• Create Topic
• Edit Topic Policy to change security settings
• Create Subscription with email type
• Attach SNS with S3 Bucket object creation/deletion
• you will receive an email when any object is created/deleted in your s3 bucket

Amazon CloudWatch

Introduction

Amazon Cloud Watch is a monitoring service that monitors your AWS Resources and the applications you run on AWS in real time.

Features:

• Collecting and track metrics like CPU Utilization/Data Transfer/ Disk I/O Utilization
• Collect and monitor log files - cloud resources and applications
• Set Alarms on any of the metrics
  • send notification
  • take other automated actions like ec2 auto scaling
  • Automatically react to changes
  • it could send system, application and custom log files to CloudWatch Logs.
• Overall this allows you to gain a system wide visibility into your resource utilization, application performance as well as operational health.

Architecture

• It includes AWS Resources that support CloudWatch such as CloudWatch Metrics
  • CPU Utilization as well as status checks
• Custom Application Specific Metrics All of these metrics can be reported to AWS and it can trigger an cloud watch Alarm
• Alarm can trigger autoscaling event / send notification mail

Common Use Cases

• Respond to state changes in your AWS resources
• Automatically invoke an AWS Lambda function to update DNS entries when an event notifies that Amazon EC2 instance enters running state.
• Direct specific API records from CloudTrail to a Kinesis stream for detailed analysis of potential security or availability risks (TO UNDERSTAND)
• Take a snapshot of an Amazon EBS Volume on a schedule
• Log S3 Object Level operations using CloudWatch Events.

Components

• Metrics
  • Data about the performance of the systems.
  • Represents a time-ordered set of data points that are published to CloudWatch
  • By default, several services provide free metrics for resources:
    • such as Amazon EC2 instances, EBS volumes, RDS DB Instances
  • Publish your own application metrics for additional fees
  • Loaded all the metrics in your account for search, graphing and alarms.
• Alarms
  • Watches a single metric
  • Performs one or more actions
    • based on the value of the metric relative to a threshold over a number of time periods.
  • This action can be:
    • An Amazon EC2 action - stop/start/terminate
    • An Auto Scaling action
    • A Notification sent to an Amazon SNS Topic
  • Invokes actions for sustained state changes only.
  • Ex: if cpu utilization is > 60% for 5 Minutes
• Events
  • Near real-time stream of system events that describe changes in AWS resources
  • Use simple rules to match events and route them to one or more target functions/streams.
  • Aware of operational changes as they occur
  • Respond to these operational changes and take corrective action as necessary.
  • Schedule automated actions that self-trigger at certain times using Cron or rate expressions.

Example: How to detect and automatically revoke unintended IAM access with Amazon CloudWatch Events?

IAM–API Call Events–> Aws CloudWatch Events –Deliver event when a rule matches–>AWS Lambda -> Lambda function revoke IAM access for the unauthorized user.

• CloudWatch Logs
  • Monitor and troubleshoot systems and applications using existing log files.
    • Monitor logs for specific phrases, values or patterns
  • Retrieve the associated log data from CloudWatch Logs
  • Includes an installable agent for Ubuntu/amazon Linux, and windows at no additional charge.
  • CloudWatch Logs Features:
    • Monitor logs from EC2 Instances in Real-time
    • Monitor AWS CloudTrail(AWS Account actions logs via console/CLI/API) Logged Events.
    • Archive Log Data
  • Store and Monitor Application Log Files:
    • Your Metrics can be stored durably in CloudWatch as CloudWatch Logs
    • Admins and other parties can review CloudWatch logs directly in the AWS Management Console.
    • Logs can be stored in S3, to be accessed by other services or another User.
    • Logs can be streamed in real time to data processing solutions like Amazon Kinesis or AWS Lambda.
• CloudWatch Dashboards
  • Customization home pages in the CloudWatch Console to monitor your resource in single view.
    • Even those resources that are spread across diffrent regions
  • Create Customized views of the metric and alarms for your aws resources
    • Each dashboard can display multiple metrics, and can be accessed with text and images.
  • Create dashboards by using the console, AWS CLI, or by using the PutDashboard API.

Demo

• Go to CloudWatch Service
• Go to Events
• Click on Create Rule
• Select Event Source: (Event Pattern/Schedule)

Log the State of an EC2 Instance using CloudWatch Events

• Create a Lambda function to log the state change events
  • you will specify this function when you create your event rule.
• Create a rule to run your lambda function whenever you launch an EC2 instance.
• Choose Add target and then choose Lambda function
• For function, select the Lambda function that you created.

Create a CloudWatch Alarm for an EC2 Instance:

• Setup a alarm actions from the EC2 or CloudWatch tabs of the AWS Management Console.

Adding Custom Dashboard

• line or stacked area
• number
• text

Amazon CloudFront - Content Delivery Network - CDN

• To deliver content to your users, AWS Global network of more than 80 edge locations and more than 10 regional edge caches for content delivery.
• Edge locations are located in multiple countries around the world, and this number frequently increases.
• deliver your content on lower latecy

Use Cases

• Static Asset Caching
• Live and On-Demand Video Streaming
• Security and DDos Protection
• Dynamic and Customized Content
• API Acceleration
• Software Distribution

Demo

Try it with HTML page and change the cached data.

AWS CloudFormation

• CloudFormation simplifies the task of repeatedly and predictably creating groups of related resources that power your application
• it is all about automating resource provisioning
• AWS Access using
  • AWS Management Console
  • AWS CLI
  • AWS SDK/API
• How can I automate the provisioning of AWS Resources?
• Fully Managed Service
• Create, Update and Delete resources in sets known as Stacks

Components

• Template File -> AWS CloudFormation -> Creates stack based on provided Template File
• AWS CloudFormation Stacks
  • stacks are the resources generated by template
  • Unit of Deployment
  • Create Stack
  • Delete Stack
  • Delete Stack
  • Most Organizations modularize stack by creating separate templates for networking, security and applications
• Templates
  • Templates describe the resources to provision
  • Text file written in JSON/YAML Format
  • it becomes form of documentation of your environment.
  • Template is same way of steps we perform on AWS Console.
  • Template benefit: we do not have to list our resources in the template in the exact order of creation.
  • We can use the DependsOn attribute to control the order of CloudFormation will create the resources so we can build a sequence of events, like when a database server needs to created before web server can be created.
  • Parameters and Conditions can be useful to use same template for different environments.
• Infrastructure as Code
  • Template Lib Management

CloudFormation Requirements

• Template should be error free
• Permissions should be there whoever is creating stack.

Demo

• Open CloudFormation via Management Console
• Open Cloud Formation Designer
• Create a new Template
• Add entries to create a new VPC to the template
• Create a new stack using the new template
• View the new VPC Resource

Module 4 - Architecture

The AWS Well-Architected Framework

To Help Customers on below: aws has developed number of questions to help customers analyze and think about the architecture

• Access and Improve architectures
• Understand how design decisions impact business
• Learn five pillars and design principles

5 Pillars

Security Pillar

Protects your info and assets - AWS IAM - Identity and Access Management - authorized and authenticated users only can access your resources. - Detective Controls - can be used to identify a potential security incident by considering approaches such as: - Capturing or analysing logs and integrating auditing controls - Infrastructure Protection - ensures that systems and services within your architecture are protected against unintended and unauthorized access. - user can create network boundaries, hardening and patching, users/keys/access levels and application firewalls or gateways. - Data Protection - data classification - data encryption - protecting your data at rest and in transit. - data backup - replication and recovery - Incident Response - to respond and mitigate any potential security incidents. - it will ensure that your architecture is updated to accommodate a timely investigation in recovery.

Security Pillar: Design Principles

• Implement security at all layers
• Enable traceability
  • logging and auditing all actions/changes on your environment
• Apply Principle of least privilege
  • authorization is appropriate with least required privilege only
• Focus on securing your system
  • secure your application with the AWS Shared Responsibility Model
• Automate
  • Automate Security Best Practices
  • Automate the response to both routine and normal security events**

Reliability Pillar

• Recover from issues/failures
  • dynamically acquire required resources
• **Apply best practices in **
  • Foundations
  • Change Management
  • Failure Management
    • automation through monitoring, replace systems in environment and later troubleshoot failed systems
    • automatic healing in case of problems
• Anticipate, Respond and Prevent Failures

Reliability Pillar: Design Principles

• Testing Recovery Procedures
  • test how systems fails, simulate the system failures and test the recovery procedures
• Automatically Recover
  • automated responses when cloudwatch threshold breaches.
• Scale Horizontally
  • divide monolith into small micro-services
• Stop Guessing Capacity
  • monitor demand and your system utilization and then automate the addition or removal of resources. it will satisfy your demand with cost effective way without over or under provisioning of resources.
• **Manage Change in Automation **
  • Changes to your architecture and infrastructure should be made using automation.
  • You only need to manage changes to the automation system not to any individual system or resource

Performance Efficiency Pillar

• Select Customizable Solutions
  • choose the best solution to optimize the architecture
  • get the right tool for the right job
• Review to Continually Innovate
  • Review the solutions and innovate architecture design
  • Check all new released aws services and all new technologies
  • It may improve the performance
• Monitor AWS Services
  • Need to monitor performance
  • Can use automation to monitor the architecture using services like AWS CloudWatch, Kinesis, SQS, AWS Lambda and many other services.
• Consider the Trade-offs
  • Ensures an optimal approach is trading consistency, durability, and space versus time or latency to ensure that you deliver higher performance.

Performance Efficiency Pillar: Design Principles

• Democratize advanced Technologies
  • Consume advanced tech as a service
• Go in global in minutes
  • deploy your system in multiple regions specifically where the customer resides. all comes with a minimal cost
• Use a serverless architecture
  • we can remove the need to run and maintain traditional servers for compute activities.
  • this will also remove the operational burden and can lower transactional cost.
• Experiment more often
  • with virtualization, we can carry out experiment and testing more to enhance our architecture efficiency with less cost,
• Have mechanical sympathy
  • you can use the technology approach that best aligns to what you are trying to achieve.

Cost Optimization Pillar

• It includes continual process of refinement and improvement of a system throughout its entire life-cycle.
• This pillar encompasses the idea that you can build and operate cost-aware systems and maximize its return on investment
• Use cost-effective resources
  • it will use all the resource to achieve the best outcome at the lowest possible price points.
  • use appropriate services resources and configurations
  • focus on the details such as provisioning, sizing, purchasing options, and other specifics to ensure that you have the best architecture for your needs.
• Matching supply with demands
  • You can leverage the elasticity of the cloud architecture that meet demands as they change.
  • You can auto-scale and be notified by other services to adjust your supply due to demand changes.
• Increases expenditure awareness
  • Being fully aware and cognizant of what spending and cost drivers are happening with your business is critical, so having the ability to see, understand, and break down the current costs, predict future costs and plan accordingly only enhance the cost optimization of your architecture in the cloud.
• Optimize over time
  • With all the tools and different approaches, you can measure, monitor and improve your architecture from the data you collected in the AWS Platform.

    Cost Optimization Pillar: Design Principle

• Adopt a consumption Model
  • you pay only for what resources you use
• Measure overall efficiency
  • important to measure the business output of the systems and cost associated with delivering it, then take this measurement to understand how gains are made from increasing output and reducing cost.
• Reduce spending on data center operations
  • stop using self managed data centers
• Analyse and Attribute Expenditure
  • identify the usage and cost of the system
• Use Managed Services
  • to reduce the cost of management

Operational Excellence Pillar

it focuses on Running and monitoring systems to deliver business value in continually improving processes and procedures for you. Some of the key Ideas behind Operational Excellence:

• Manage and automate changes
• Responding to Events
• Define the standards to successfully manage daily operations.

Fault Tolerance and High Availability

Fault Tolerant refers to: - Ability of a system to remain Operational even if some of the components of that system fail. - Built-in redundancy of an application’s components.

High Availability is a concept regarding the entire system, it ensures that - Systems are generally functioning and accessible - Downtime is minimized as much as possible - Minimal human intervention is required - Minimal up-front financial investment

High Availability: On Premises vs AWS

High Availability On Premise	High Availability on AWS Cloud
Very Expensive	Multiple Servers, Availability Zones, Regions
Only ensured on Mission Critical Applications	Access Fault Tolerant Services to use as you Please

**High Availability Service Tools **

• ELB - Elastic Load Balancers
  • Distributes incoming load/traffic among your instances
  • Sends metrics to Amazon CloudWatch
  • ELB Triggers/Notifies
    • high latency
    • Over utilization
  • ELBs can be customized:
    • can configure to recognize unhealthy EC2 Instances
    • it can use multiple different protocols
• Elastic IP addresses
  • Provides greater fault tolerance
  • Static IPs designed for dynamic cloud computing
  • It allows you to mask a failure of an instance or software by allowing your users to use the same IP Addresses with replacement resources.
  • Using Elastic IP Addresses ensures high availability - Continues to access applications even if instance fails.
• Amazon Route 53
  • Authoritative DNS Service
    • Translates domain names to IP Addresses
  • Supports:
    • Simple Routing
    • Latency based rating
    • Health Checks
    • DNS Fail-overs
    • GEO-location routing
  • all of these characteristics increase the availability of your customer-facing applications.
• Auto Scaling
  • Terminates and launches instances based on specific conditions
  • Assists with adjusting or modifying capacity.
  • Creates new resources on demand
  • Automatic Scale in or out based on defined policies
• Amazon Cloud Watch
  • Distributed Statistics gathering system
  • Collects and tracks your metrics of your applications.
  • Create and Use your own custom metrics
  • Can be used with Auto Scaling based on conditions provided in metrics to ensure high availability of your architecture

Fault Tolerant Tools

• Amazon SQS - Simple Queue Service
  • backbone of your fault tolerant application
  • highly reliable distributed messaging system.
  • SQS can help you ensure that your queue is always available.
• Amazon Simple Storage Service - S3
  • Provides highly durable and fault-tolerant data storage.
  • Only pay for the storage that you use
  • S3 stores all of the your data redundantly on multiple different devices across multiple facilities in a Region. So if there was ever a failure, you will still have access to all of your information.
• **Amazon Relational Database Service - RDS **
  • it provides high availability and fault tolerance by offering several features to enhance the reliability of your critical databases. features includes:
    • automated backups
    • snapshots
    • Multi Availability Zone (Multi-AZ) deployments

All of these services are highly reliable, highly durable, and fault-tolerant tools for your applications to ensure high availability and fault-tolerant systems.

Web Hosting

• Fast, easy and low-cost
• Can host a company website, content management systems, social media apps, or an internal SharePoint site.
• On demand provision of resources for required peak hours.
• Supports Cost effective, scalable and on demand solutions on AWS

Module 5 - AWS Security

• Access Control and Management
  • Identity and Access Management - IAM
  • Multi-factor Authentication (MFA)
  • Integration and federation with corporate directories
  • Amazon Cognito
  • AWS SSO
• Monitoring and Logging
  • Tools and Features to reduce your risk profile

The Shared Responsibility Model

• AWS is responsible for :
  • Physical
  • Network
  • Hypervisor
• Customer is responsible for:
  • Guest OS (EC2)
  • Application
  • User Data

    Identity and Access Management - IAM

• USER
  • Permanent named operator (app/person)
  • credentials are permanent
• Group
  • collection of Users
• Role
  • is not your permissions
  • is an operator, credentials with a role are temporary.
  • authentication method for your user/operator
• Policy Documents
  • Set of Permissions
  • a JSON Documents
  • attaches to a user/group/role
  • Explicit deny overrides allow statements.

** USERS/GROUP/ROLE - Authentication ** ** Policy Documents - Authorization **

Amazon Inspector

A Tool that helps you improve the security and compliance of applications deployed on AWS

• IT Security Challenges: IT Security matters, and securing IT Infrastructure is:
  • complex
  • Expensive
  • Time Consuming - build/configure/maintain
  • Difficult to track all the changes in IT Environment
  • Hard to do effectively

Intro to Amazon Inspector

• it is an automated security assessment service that helps to improve the security and compliance of applications deployed on AWS
• Automatically Assesses applications for:
  • Vulnerabilities
  • Deviations from Best Practices
• After Assessment, Amazon Inspector produces a detailed report with:
  • Security Findings
  • Prioritized steps remediation

AWS does not guarantee that following the provided recommendation will resolve every potential security issue.

• Amazon inspector is agent-based, API-driven, and delivered as a service.
• Integrating (Amazon Inspector) security into Devops Deployment Pipeline
• Reduce the security risk during dev and deployment, proactively identifying vulnerabilities.
• Leverage AWS Security Expertise
• Streamline security compliance
• Enforce Security Standards

How to access Inspector:

• Amazon Inspector Console
• AWS SDK
• Amazon Inpector HTTPS API
• AWS CLI Tools - can be faster and more convenient

Built in Rules:

• Includes a knowledge base with hundreds of rules that are mapped to:
  • common security compliance standards
  • Vulnerability Definitions
• Regularly updates by AWS Security Researchers
• Examples of built-in Rules
  • Remote root login being enabled
  • Vulnerable Software versions installed

Summary

• Quickly and easily assess your AWS Resources for forensics, troubleshooting or active auditing purposes at your own space.
• Offload Security assessments so you can focus on more complex security issues.
• Gain a deeper understanding of your AWS Resources because Amzon Inspector findings are produced through the analysis of the real activity and configuration data of your AWS Resources.

AWS Shield

• Managed Distrubuted Denial of Service (DDos) protection service that safeguards applications running on AWS.
• always on detection and automatic inline mitigations that minimize application downtime and latency.
• DoS - Denial of Service
  • a deliberate attempt to make your website or application unavailable to users.
• DDos - Distributed Denial of Service
  • Multiple sources are used to attack target; infrastructure and application layers can be affected.
  • sources may includes distributed groups of malware infected computers, routers, IOT Devices, and other endpoints
• AWS Shield protects from all these type of attacks
  • AWS Shield Standard
    • provides automatic protection for all AWS Customers with no additional charge
  • AWS Shield Advanced
    • Paid Services for higher level of protection, features and benefits

Summary

• Seamless integration and deployment
• With Standard AWS Shield, AWS Resources are automatically protected on network and transport layer DDos Attacks
• Higher Level of protection can be achieved by AWS Shield Advanced.
• Cost Efficient
• DDos Cost Protection with AWS Advanced.
• Shild provides built-in protection against DDoS Attack
• Access to tools, services and expertise to help you protect your AWS Applications.

Security Compliance

AWS Compliance Approach

-Shared Responsibility and Control - AWS Responsibility - Provide highly secure and controlled platform - provide wide array of security features - Customer Responsibility - Configure their IT environment in secured and controlled manner.

AWS Security Information

• Obtaining Industry Certifications
• Publishing security and control practices
• Compliance Reports

Assurance Programs - Aws provides compliance information and resources:

• Certifications/attestations
• Legal/Regulatory Support
• Alignments/framework

Customer are responsible for following compliance laws and regulations.

Module 6 - Pricing and Support

• Pricing for the AWS Cloud
• Actual Pricing Characteristics

Pricing Fundamentals

• Pay only for the individual services that you need for as long as you need them
• pay as you use the services
• only pay for the services that you consume
• no additional licensing fees
• no termination fees/no additional cost
• PAY AS YOU GO
• **Pay LESS when you reserve **
• **PAY EVEN LESS PER UNIT WHEN USING MORE **
• Pay even less as AWS grows
• EC2 and RDS - reserved capacity - Upfront 75%
  • all upfront
  • partial upfront
  • no upfront
  • to maximize discount - pay all upfront

Custom Pricing for high volume projects with unique requirements

Free usage tier - 1 year EC2 micro instance for year, S3, EBS, ELB, AWS Data Transfer

multple aws accounts -> consolidated billing -> get tiering benefits

At end of the each month, you pay only what you use. you can start or stop using a product at any time, with no long term contract.

AWS Pricing Details

• Pay For:
  • Compute Capacity
  • Storage
  • Outbound data transfer - aggregated across EC2, S3, RDS, SimpleDB, SQS, SNS, VPC and then charged at the outbound data transfer Rate.
• No charge for:
  • Inbound Data transfer
  • data transfer between other services within the same region.

Pricing Characteristics for commonly used products:

• Amazon EC2 - Elastic Compute Cloud
  • Charges only for capacity used
  • Cost Factors:
    • Clock-second/hourly billing
      • Resources incur charges only when running
    • Instance Configuration:
      • Physical capacity of the instance
      • Pricing varies with:
        • AWS Region
        • OS
        • Instance Type
        • Instance Size
  • Purchase Types:
    • On-Demand Instances
      • Compute capacity by the hour and second
      • Minimum of 60 Seconds
    • Reserved Instances
      • Low or no upfront payment instances reserved
      • Discount on hourly charge for that instance
    • Spot Instances
      • Bid for unused Amazon EC2 Capacity
  • Number of Instances
    • Provision multiple instances to handle peak loads
  • Load Balancing
    • Use Elastic Load Balancing to distribute traffic
    • Monthly cost based on:
      • No. Hours load balancer runs
      • Data load balancer processes
  • **Monitoring **
    • Use CloudWatch to monitor instances
    • Basic Monitoring (default)
    • Detailed Monitoring (fixed monthly rate/7 preselected metrics recorded once a minute;prorated partial months)
  • Auto Scaling
    • Automatically adjust the number of instances
    • No additional charge beyond the cloudWatch Fees.
  • Elastic IP Addresses
    • No charge when associated with a running instance
  • OS and Software
    • OS price is included in your instance price
    • Software
      • Partnership with other vendors
      • Vendor Licenses Required
      • Existing licenses accepted through specific vendor programs.
• Amazon Simple Srotage Service - S3 -Storage for the internet -Cost Factors: -Number and size of objects -Type of Storage - i.e Storage Class - each class has different rates - Prices based on: - Requests: - No. of Requests - Type of Requests - different rates for GET Requests - Data Transfer - Amount of data transferred out of the Amazon S3 Region
• Amazon Elastic Block Storage - EBS - block level storage volumes for using within your EC2 Instances. -EBS Volumes persist independently from the instance -Analogous to vitual disks in the cloud -Three Volume Types: (performance/characteristics and price) - General Purpose SSD - Provisioned IOPS SSD - Magnetic Spinning Platters - HDD -Cost Factors - Volumes - All types charged by the amount provisioned per month - IOPS (Input Output Operations Per Second) - General Purpose (SSD): included in price - Magnetic: Charged by the number of requests - Provisioned IOPS (SSD): Charged by the amount you provision in IOPS - Snapshots: added cost per GB-month of data stored - Data Transfer: - inbound data transfer has no charge - Outbound data transfer charges are tiered

• Amazon Relational Database Service - RDS -Relational DB in the Cloud -Cost efficient and resizable capacity -Management of time-consuming administrative tasks -Cost Factors - Clock hour billing - Resources incur charges when running - Database charactristics: Engine, size and memory class imapcts cost - DB Purchase Type: - On-demand database instances are charged by hour - Reserved databse instances require up-front payment for database instances reserved - Provision multiple DB instances to handle peak loads. - Provisioned Storage: - No charge for backup storage upto 100% of database storage - Backup storage for terminated DB instances billed at GB/month - Additional Storage: backup storage in addition to provisioned storaged billed at GB/month. - Requests - the number of input and out requests to the database - Deployment Type - storage and I/O Charges variable - Single Availability Zone - Multiple Availability Zones - Data Transfer - No Charges for inbound data transfer - Tiered charges for outbound data transfer

• Amazon CloudFront - Content Delivery Network - CDN -Cost Factors -Pricing varies across geograpic regions - pricing is based on the edge location through which your content is served. - Pricing is also based on: - Requests - Data transfer out

Summary

• Examine the fundamental chractristics of product
• Estimate Usage
• Map the usage to prices

AWS Trusted Advisor

Introduction

• Account can have to many orphan resources and not optimized in terms of costs.
• Not track of all the resources, you need something to keep track of your resources. here Trusted Advisor Comes in.
• Trusted Advisor provides best practices/checks in four categories:
  • Cost Optimization
  • Performance
  • Security
  • Fault Tolerance

Benefits

• Over 50 million recommendations provided to AWS Customers
• Resulted in $500M+ in cost savings for users of Trusted Advisor

Customer Case Study - Hungama Digital Media

We estimate an average 33 percent monthly savings on our total AWS spends - Amit Vora, CTO for Humgama

Trusted advisor helped by highlighting:

• Underutilized EC2 Instances
• Amazon EC2 Reserved Instances
• Underutilized Amazon EBS Volumes

How Trusted Advisor Works:

• Trusted Advisor Compares your account resources with established best practices, and wends out data in form of checks
• Now, Trusted Advisor not only surfaces these best practices in the form of a console, but also has an API.
• You can get notifications of specific checks when they are failing so that you can take action on them
• You can also bring in automation, because trusted advisor is integrated with Amazon CloudWatch Events, which can use services like AWS Lambda so that you can take automatic actions and automate the optimization of your resources.

Demo

Trusted Advisor in AWS Management Console

Summary

Trusted Advisor can help you to optimize your costs, improve performance, improve fault tolerance, and implement security.

AWS Support Plans

Provide unique combination of tools/expertise

AWS Support

Support is provided for

• Experimenting with AWS
• Production use of AWS
• Business critical use of AWS
• Proactive Guidance
  • Technical Account Manager (TAM)
    • Primary Point of contant
    • your TAM is your Advocate and your dedicated voice within AWS
  • Best Practices
    • Trusted Advisor - Customized Cloud Expert
  • Account Assistance
    • AWS Support Concierge - billing and account expert - addresses all non-technical billing and account level inquiries

AWS Support Plans

AWS Support offers four support plans

• Basic Support Plan
• Develper Support Plan
• Business Support Plan
• Enterprise Support Plan

Cloud Practictioner Course Summary

• Foundational knowledge
  • Define what the AWS Cloud is and its basic global infrastructure
  • Describe basic AWS Cloud Architectural principles
  • Understand the AWS cloud value proposition
  • Talk about key AWS Services and their common use cases
  • Describe basic security and compliance aspects of the AWS Platform and the shared security model
  • Define the billing, account management, and pricing models
  • Identify sources of documentation or technical assistance
  • And Describe basic charactristics of deploying and operating in the AWS Cloud.