
AWS SA-A Summary - Notes


Contents

Amazon Web Services Solutions Architect Associate
  AWS Infrastructure
  Compute
  Storage
  Databases
  Migration Services
  Analytics
  Management Tools
  Applications Services
  Developer Tools
  Mobile Services
  Business Productivity
  Internet of Things
  Desktop & App Streaming
  Artificial Intelligence
  Messaging
  Review
Identity Access Management 101
  IAM – Recap
  S3 – Exam Tips for S3 101
EC2 101
  EC2 – Summary & Exam Tips
Route53
  Geolocation
  DNS Exam Tips
Databases – Read RDS-FAQ
  AWS Database Types – Summary
  Aurora Scaling
Read the RDS FAQ – Understand Redshift/ElastiCache/RDS
VPC Overview – Don’t take the exam until you can build out a VPC by Memory
  What is a VPC?
  Exam tips
    NAT Instance
    NAT Gateway
    Network Access Control Lists
    Ephemeral ports
    Exam Tips – Network ACLs
  VPC Flow Logs
  NAT vs Bastion
    Exam Tips – NAT vs Bastions
Application Services
  SQS – Simple Queue Service – Read the FAQ
    What is SQS?
    Travel Website
    SQS – Key Facts
  Simple Workflow Service
    SWF vs SQS
    SWF Actors
  SNS – Simple Notification Service
    SNS vs SQS
  Elastic Transcoder
    What is elastic transcoder?
  Kinesis Summary
    What is Kinesis Streams?
    Kinesis Firehose
Building a Fault Tolerant WordPress Site
Overview of AWS Whitepaper
  Security
  Compliance
Overview of Security Processes (Part 1) – Most Important White Paper (READ THIS)
  Shared Security Model
  AWS Security Responsibilities
  Customer Security Responsibilities
  Storage Decommissioning
  Network Security
  Network Monitoring & Protection
  AWS Trusted Advisor
  Instance Isolation
  Design for Failure
  Decouple your components
  Secure your application
Well Architected Framework
  Structure of each pillar
  General Design Principles
  Well Architected Framework – Pillar One Security
    Design Principles
    Definition
  Well Architected Framework – Pillar Two Reliability
    Design Principles
    Definition
  Well Architected Framework – Pillar Three Performance Efficiency
    Design Principles
    Definition
  Well Architected Framework – Pillar Four Cost Optimization
    Design Principles
    Definition
  Well Architected Framework – Pillar Five Operational Excellence
    Design Principles
    Definition
Amazon Web Services Solutions Architect Associate
AWS Infrastructure:
Region – a geographic location.
Availability Zone – one or more datacenters; AZs are isolated from each other.
Edge Location – CDN (Content Delivery Network) points of presence for CloudFront; caches media files.
VPC – Virtual Private Cloud – a virtual datacenter where assets are deployed; VPCs are tied to a region and can be connected to each other.
Route53 – Amazon’s DNS service.
Direct Connect – connects office/physical locations to AWS over a dedicated pipe, usually for security or for a reliable internet connection.

Compute:
EC2 – Elastic Compute Cloud – virtual machines in the cloud (similar to VMware).

EC2 Container Service – highly scalable service for running containerized workloads (Docker) on a managed cluster.

Elastic Beanstalk – upload your code (e.g. a PHP/MySQL application) to EB and it provisions the infrastructure as needed.

Lambda – serverless; no OS access; the host doesn’t matter; code is uploaded directly to Lambda. Every time you speak to Amazon Echo you’re talking to Lambda.

LightSail – out-of-the-box cloud; WordPress/Joomla etc.

Storage:
S3 (Simple Storage Service) – virtual disk in the cloud; object-based storage for files, not block-based storage (so not for installing applications). Dropbox is an example of an S3 customer.

Glacier – for regulatory requirements such as 7-year retention; if files can wait 4/5 hours to be retrieved they can be stored here; low cost.

EFS – Elastic File System; file-based storage that can be shared. Databases/applications can be stored here.

Storage Gateway – a virtual machine installed on premise that communicates with S3; used to migrate local storage to AWS.

EBS – Elastic Block Store; block storage volumes (virtual hard disks) attached to EC2 instances.

Databases:
RDS – Relational Database Service: MySQL, PostgreSQL, MariaDB, SQL Server, Oracle, Aurora (MySQL/PostgreSQL compatible).

DynamoDB – non-relational, NoSQL database.

Redshift – Amazon’s data warehouse solution; query it only when reports need to be created/generated. Moving reporting off production databases onto Redshift is a good idea; think of it as a “reporting server”.

ElastiCache – caches the most frequently accessed data from a database in memory.

Migration Services:
Snowball – allows moving TBs of data in a briefcase-sized appliance; data is copied onto the device and the device is shipped to Amazon. Snowball Edge isn’t just a storage appliance; it also has compute capacity (an on-premise AWS server).

DMS – Database Migration Service; allows on-premise databases to be moved to the AWS cloud, and databases already on AWS to be moved to other regions. You don’t have to stay with the database engine you’re migrating from: you can migrate your Oracle database to another database. No downtime, using replication. Supports Oracle/SQL/MySQL/Aurora/PostgreSQL/SAP ASE.

SMS – Server Migration Service; like DMS but targeting VMware virtual machines; replicates them to the AWS cloud, up to 50 at the same time.

Analytics:
Athena – allows you to run SQL queries on S3; announced at re:Invent 2016. If you have a lot of JSON files or flat files, it can make them searchable like a database.

EMR – Elastic MapReduce; big data processing. Understand it at a high level (how to access it etc.). Log analysis, web indexing, analysing financial markets; uses Hadoop, and can also use Apache Spark and Apache HBase. Big Data.

CloudSearch – fully managed search service provided by AWS.

Elasticsearch Service – uses the open-source Elasticsearch framework; allows for search within an application.

Kinesis – streaming and analysing real-time data, e.g. social media streams.

Data Pipeline – allows the movement of data from one place to another, e.g. from S3 into DynamoDB or vice versa.

QuickSight – visualisations/rich dashboards. Business analytics tool; analyse data in S3/DynamoDB/RDS/Redshift.

Security & Identity:
IAM (Identity Access Management); used in every cert. How to set up users and permissions: admin groups, dev groups, read-only groups.

Inspector – an agent running on VMs; performs security assessment and reports on what’s going on.

Certificate Manager – free SSL certificates for your domain names.

Directory Service – lets you use Active Directory with AWS.

WAF – Web Application Firewall; application-level protection for your website; stops SQL injection/cross-site scripting at the application layer.

Artifact – where compliance documentation lives in the AWS console; “Compliance Reports”: ISO certs, PCI certification/compliance documents.

Management Tools:
CloudWatch: used to monitor performance in the AWS environment; EC2 metrics such as disk/CPU etc. A CloudWatch Event can kick off something based on an action.

CloudFormation: turns infrastructure into code; instead of configuring physical devices, you apply a CloudFormation template to your environment. One command can provision a 50-server environment across multiple availability zones with auto-scaling. We will use it to create a fault-tolerant WordPress site.

CloudTrail: used for auditing AWS resources; if a new user is created, CloudTrail keeps track of that.

OpsWorks: automating deployments using Chef.

Configuration Manager: automatically monitors the environment (watches for particular configurations); this can be used to set alerts (policy control).

Service Catalog: services/images, pre-configured “standards” that are authorized to be used within the environment. This also defines what’s not authorized.

Trusted Advisor: automated recommendations for cost optimization, performance optimization and security.

Applications Services:
Step Functions: a way of visualizing what’s going on in an application; displays which microservices are being used.

SWF (Simple Workflow Service): coordinating automated tasks and human tasks. Amazon uses this for package picking.

API Gateway: a front door that allows you to create, publish and monitor APIs at scale; can access business logic and back-end data via Lambda.

AppStream: streaming desktop applications to users (like Citrix).

Elastic Transcoder: video formatting for different devices (iPad vs laptop). Upload one video and multiple outputs are created.

Developer Tools:
CodeCommit: basically GitHub; repositories can be open or closed.

CodeBuild: a way to compile code; paid by the minute.

CodeDeploy: a way of deploying code to EC2 instances.

CodePipeline: keeps track of the code as it moves through the different stages.


Mobile Services:
Mobile Hub: add, deliver and design features for your mobile apps; user authentication/data storage/backend logic/push notifications/analytics.

Cognito: easy sign-up and sign-in for apps; allows people to sign in with Gmail etc.

Device Farm: improve the quality of applications by testing on real phones; all physical devices in an AWS datacenter.

Mobile Analytics: a way to analyse mobile data.

Pinpoint: understand and engage with users; Google Analytics for mobile apps: where they are, different purchases, user behaviour, when to send notifications for marketing campaigns; analytics with targeted marketing campaigns.

Business Productivity:
WorkDocs: Storing work documents online.

WorkMail: Exchange for AWS – sending/receiving e-mail.

Internet of Things:
IoT: keeping track of devices.

Desktop & App Streaming:
Workspaces: VDI; a way of having a desktop in the cloud; thin client.

AppStream 2.0: streaming desktop applications to users.

Artificial Intelligence:
Alexa: Amazon voice service in the cloud.

Lex: Alexa embedded into other devices.

Polly: text to speech.

Machine Learning: a data set gets reviewed/analysed to predict outcomes.

Rekognition: analyses a photo and provides tags identified from within the image.

Messaging:
SNS: Simple Notification Service; e-mail or text; can publish to HTTP or HTTPS endpoints.

SQS: a way of decoupling applications; jobs can be posted to a queue.

SES: Simple E-mail Service; sending e-mail via AWS.

Review:
In order to pass the AWS Certified Solutions Architect Associate exam I will need to know the following sections:

Messaging
Desktop & App Streaming – Workspaces; virtual desktop in the cloud.
Security & Identity
Management Tools – CloudFormation
Storage
Databases
Networking & Content Delivery
Compute
AWS Global Infrastructure – the difference between a region and an availability zone:

Region: geographical area (not all regions have the same services).

Availability Zone: datacenter (physical location).

Identity Access Management 101:

IAM – Recap:
IAM consists of Users, Groups and Roles. Groups are used to combine users, and policy documents are applied to Users, Groups or Roles.

Policy documents can be applied to Users/Groups/Roles. They are JSON documents made of key-value pairs, e.g. this full-access policy (quotes corrected so it is valid JSON):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}

IAM is universal; the region doesn’t matter. The “root” account is created when the AWS account is first created.

New Users have NO permissions when first created.

New Users are assigned an Access Key ID & Secret Access Key when first created – SAVE THIS INFORMATION SOMEWHERE; IT WON’T BE ACCESSIBLE AGAIN.

These are not the same as a password, and you cannot use the Access Key ID & Secret Access Key to log in to the console. You can use them to access AWS via the APIs and the command line, however.

Always set up MFA (Multi-Factor Authentication) on the root account; this removes the IAM warning message. The password rotation policy can be customized to meet your security policy.
S3 – Exam Tips for S3 101
• S3 is object based, i.e. it allows you to upload files; it is not block based.
• Files can be from 0 bytes to 5 TB.
• There is unlimited storage.
• By default an account is allowed 100 S3 buckets.
• Files are stored in Buckets (folders).
  o Buckets have a universal namespace; names must be globally unique.

Examples of bucket URLs:
http://bucket.example.com/foo.txt
http://bucket.example.com.s3.amazonaws.com/foo.txt
http://bucket.example.com.s3[-region].amazonaws.com/foo.txt
http://s3[-region].amazonaws.com/bucket.example.com/foo.txt
• Read-after-write consistency for PUTs of new objects.
• Eventual consistency for overwrite PUTs and DELETEs (can take some time to propagate).
• S3 Storage Classes/Tiers
  o S3 Standard (durable, immediately available, frequently accessed)
  o S3-IA (durable, immediately available, infrequently accessed)
  o S3 Reduced Redundancy Storage (data that is easily reproducible, such as thumbnails etc.)
  o Glacier – archived data, where you can wait 3–5 hours before accessing.
• Remember the core fundamentals of an S3 object:
  o Key (name)
  o Value (data)
  o Version ID
  o Metadata
  o Access control lists
• Object-based storage only (for files).
• NOT SUITABLE TO INSTALL AN OPERATING SYSTEM ON.
• Versioning stores all versions of an object (including all writes, and even if you delete an object). All versions are paid for.
• Great backup tool.
• Once enabled, versioning cannot be disabled, only suspended.
• Integrates with Lifecycle rules.
• Versioning’s MFA Delete capability, which uses multi-factor authentication, can be used to provide an additional layer of security.
• S3 Lifecycle Management
  o Can be used in conjunction with versioning.
  o Can be applied to current versions and previous versions.
  o The following actions can be done:
    ▪ Transition to the Standard – Infrequent Access storage class (objects of 128 KB or more, at least 30 days after creation).
    ▪ Archive to the Glacier storage class (30 days after IA, if relevant; i.e. 60 days from first creation).
    ▪ Permanently delete.
• CloudFront
  o Edge Location – the location where content is cached. This is separate from an AWS Region/AZ.
  o Origin – the origin of all the files the CDN will distribute. This can be an S3 bucket, an EC2 instance, an Elastic Load Balancer or Route53.
  o Distribution – the name given to the CDN, which consists of a collection of Edge Locations.
    ▪ Web Distribution – typically used for websites.
    ▪ RTMP – used for media streaming.
    ▪ Edge locations are not just read-only; you can write to them.
    ▪ Objects are cached for the life of the TTL (Time To Live, in seconds); by default 24 hours.
    ▪ You can clear cached objects, but you will be charged.
• Security & Encryption
  o By default, all newly created buckets are PRIVATE.
  o You can set up access control on your buckets with:
    ▪ Bucket policies
    ▪ ACLs
  o An S3 bucket can be configured to create access logs which record all requests made to the bucket; the logs can be written to another bucket.
  o Encryption
    ▪ In Transit
      ▪ SSL/TLS
    ▪ At Rest
      ▪ Server-Side Encryption
        o S3 Managed Keys – SSE-S3 – AES-256
        o AWS Key Management Service managed keys – SSE-KMS
        o Server-Side Encryption with a Customer-Provided Key – SSE-C
      ▪ Client-Side Encryption
• Storage Gateway
  o File Gateway – for flat files stored on S3.
  o Volume Gateway (iSCSI) – block based.
    ▪ Stored Volumes – the entire dataset is stored on site and is asynchronously backed up to S3.
    ▪ Cached Volumes – the entire dataset is stored on S3 and the most frequently accessed data is cached on site.
  o Gateway Virtual Tape Library (VTL)
    ▪ Used for backup with popular backup applications like NetBackup, Backup Exec, Veeam etc.
• Snowball
  o Standard – 50 TB – 80 TB
  o Snowball Edge (storage + compute); a mini AWS datacenter.
  o Snowmobile – 100 PB of storage; can come with armed guards.
  o Know what a Snowball is.
  o Understand what Import/Export is.
  o Snowball can import to S3 and export from S3.
• S3 Transfer Acceleration
  o You can speed up uploads by routing data through edge locations.
• S3 Static Websites
  o You can host static sites.
  o Serverless.
• When writing to S3, an HTTP 200 code indicates a successful write.
• You can upload files to S3 much faster by enabling multipart upload.
• Read the S3 FAQ before taking the exam.
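The Security & Encryption bullets above list bucket policies, TLS in transit and SSE-KMS at rest as separate facts; a bucket policy is how the two encryption requirements are actually enforced. The following is an added example, not part of the original notes and not an AWS-provided tool: it builds such a policy and evaluates constructed requests against it with a small Deny-only condition evaluator. The bucket name is a placeholder; the condition keys are the real S3 ones (aws:SecureTransport, s3:x-amz-server-side-encryption). The evaluator is a deliberately simplified model of IAM's logic (assumed, not AWS's engine), enough to show why the StringNotEquals and Null statements are used together.

```python
"""Enforce encryption in transit and at rest with an S3 bucket policy.

Added example, not part of the original notes: builds a bucket policy that
denies plain-HTTP requests and PutObject calls that do not ask for SSE-KMS,
then checks constructed requests against it with a small Deny-only
evaluator (an assumption-level simplification of IAM evaluation).
"""


def build_bucket_policy(bucket):
    """Return a bucket policy dict enforcing TLS and SSE-KMS on uploads."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Reject anything that did not arrive over TLS
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [arn, f"{arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {   # Reject uploads whose encryption header names another method
                "Sid": "DenyIncorrectEncryptionHeader",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"{arn}/*",
                "Condition": {
                    "StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}
                },
            },
            {   # Reject uploads that omit the encryption header entirely
                "Sid": "DenyUnencryptedUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"{arn}/*",
                "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
            },
        ],
    }


def _action_matches(pattern, action):
    """'s3:*' matches every S3 action; anything else must match exactly."""
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def _condition_holds(condition, ctx):
    """Evaluate the three operators used above against a request context.

    Assumption made here: StringNotEquals only fires when the key is present;
    absence of the key is covered by the separate Null statement.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "Bool":
                if actual is None or str(actual).lower() != expected:
                    return False
            elif operator == "StringNotEquals":
                if actual is None or actual == expected:
                    return False
            elif operator == "Null":
                if (actual is None) != (expected == "true"):
                    return False
            else:
                raise ValueError(f"unsupported operator {operator}")
    return True


def denied_by(policy, action, ctx):
    """Return the Sid of the first matching Deny statement, or None if not denied."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or not _action_matches(stmt["Action"], action):
            continue
        if _condition_holds(stmt["Condition"], ctx):
            return stmt["Sid"]
    return None


POLICY = build_bucket_policy("example-bucket")  # placeholder bucket name

# Constructed request contexts
HTTP_GET = {"aws:SecureTransport": "false"}
TLS_PUT_KMS = {"aws:SecureTransport": "true", "s3:x-amz-server-side-encryption": "aws:kms"}
TLS_PUT_AES = {"aws:SecureTransport": "true", "s3:x-amz-server-side-encryption": "AES256"}
TLS_PUT_NONE = {"aws:SecureTransport": "true"}

if __name__ == "__main__":
    import json
    print(json.dumps(POLICY, indent=2))
    for label, action, ctx in [("http get", "s3:GetObject", HTTP_GET),
                               ("tls put kms", "s3:PutObject", TLS_PUT_KMS),
                               ("tls put aes", "s3:PutObject", TLS_PUT_AES),
                               ("tls put none", "s3:PutObject", TLS_PUT_NONE)]:
        print(label, "->", denied_by(POLICY, action, ctx) or "not denied")
```

A Deny in a bucket policy overrides any Allow elsewhere, so these three statements hold even for principals with broad IAM permissions; the same JSON can be attached with the console or the put-bucket-policy API.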
EC2 101
EC2 – Summary & Exam Tips
• Know the differences between:
  o On Demand
  o Spot
  o Reserved
  o Dedicated Hosts
• Remember with spot instances:
  o If you terminate the instance, you pay for the hour.
  o If AWS terminates the spot instance, you get the hour it was terminated in for free.

Instance family mnemonic: Dr. Mc. GIFT PX (D2; R4; M4; C4; G2; I2; F1; T2; P2; X1)

EBS consists of:
  o SSD, General Purpose – GP2 – (up to 10,000 IOPS)
  o SSD, Provisioned IOPS – IO1 – (more than 10,000 IOPS)
  o HDD, Throughput Optimized – ST1 – frequently accessed workloads
  o HDD, Cold – SC1 – less frequently accessed data
  o HDD, Magnetic – Standard – cheap, infrequently accessed storage
• You cannot mount one EBS volume to multiple EC2 instances; use EFS instead.
• Termination protection is turned off by default; you must turn it on.
• On an EBS-backed instance, the default action is for the root EBS volume to be deleted when the instance is terminated.
• Root volumes cannot be encrypted by default; you need a third-party tool (such as BitLocker etc.) to encrypt the root volume.
• Additional volumes can be encrypted.

Volumes vs Snapshots

• Volumes exist on EBS
  o Virtual hard disk
• Snapshots exist on S3
• You can take a snapshot of a volume; this stores that volume on S3.
• Snapshots are point-in-time copies of volumes.
• Snapshots are incremental; only the blocks that have changed since your last snapshot are moved to S3.
• Snapshots of encrypted volumes are encrypted automatically.
• Volumes restored from encrypted snapshots are encrypted automatically.
• You can share snapshots, but only if they are unencrypted.
  o These snapshots can be shared with other AWS accounts or made public in the AWS Marketplace.
• To create a snapshot of an Amazon EBS volume that serves as a root device, you should stop the instance before taking the snapshot.
• Instance store volumes are sometimes called ephemeral storage.
• Instance store volumes cannot be stopped. If the underlying host fails, you will lose your data.
• EBS-backed instances can be stopped. You will not lose the data on the instance if it is stopped.
• You can reboot both; you will not lose your data.
• By default, both root volumes will be deleted on termination; however, with EBS volumes you can tell AWS to keep the root device volume.
• Problem – when you take a snapshot, the snapshot excludes data held in cache by applications and the OS. This tends not to matter on a single volume; however, with multiple volumes in a RAID array it can be a problem because of the interdependencies within the array.
• Solution – take an application-consistent snapshot:
  o Stop the application from writing to disk.
  o Flush the caches to disk.
  o How can we do this?
    ▪ Freeze the file system.
    ▪ Unmount the RAID array.
    ▪ Shut down the associated EC2 instance.
• Amazon Machine Images:
  o AMIs are regional. You can only launch an AMI from the region in which it is stored. However, you can copy AMIs to other regions using the console, command line or the Amazon EC2 API.
• CloudWatch
  o Standard Monitoring = 5 minutes
  o Detailed Monitoring = 1 minute
  o CloudWatch is for performance monitoring
  o CloudTrail is for auditing
  o Dashboards – create dashboards to see what is happening in your AWS environment.
  o Alarms – set alarms that notify you when particular thresholds are hit.
  o Events – CloudWatch Events helps you respond to state changes in your AWS resources.
  o Logs – CloudWatch Logs helps you aggregate, monitor and store logs.
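The snapshot bullets above state that snapshots are incremental and should be application-consistent, but it is easy to misread "incremental" as "a restore only gives you the changed blocks". The following is an added example, not from the original notes and not EBS code: a toy model in which a volume is a list of blocks, each snapshot after the first stores only the blocks changed since the previous one, a restore replays the chain, and deleting a middle snapshot folds the blocks later snapshots still rely on into its successor. The take() method accepts a flush callable to stand in for the freeze/flush step the notes describe. Block counts and contents are constructed.

```python
"""Model incremental EBS snapshots (added example, not EBS internals).

A volume is a list of blocks; each snapshot after the first stores only
blocks changed since the previous snapshot, restore replays the chain, and
deleting a middle snapshot keeps later snapshots restorable. Block counts
and contents are constructed.
"""


class Volume:
    def __init__(self, block_count, fill=b"\x00"):
        self.blocks = [fill] * block_count
        # Before the first snapshot every block counts as changed
        self.dirty = set(range(block_count))

    def write(self, index, data):
        self.blocks[index] = data
        self.dirty.add(index)


class SnapshotStore:
    """Chain of incremental snapshots for one volume (None = deleted)."""

    def __init__(self):
        self.snapshots = []  # each entry: {block_index: data}

    def take(self, volume, flush=None):
        """Copy only dirty blocks; call flush (e.g. fs freeze) first for consistency."""
        if flush is not None:
            flush()
        delta = {i: volume.blocks[i] for i in sorted(volume.dirty)}
        volume.dirty.clear()
        self.snapshots.append(delta)
        return len(self.snapshots) - 1

    def stored_blocks(self, snap_id):
        delta = self.snapshots[snap_id]
        return 0 if delta is None else len(delta)

    def restore(self, snap_id):
        """Rebuild the full volume contents as of snap_id by replaying the chain."""
        if self.snapshots[snap_id] is None:
            raise ValueError("snapshot was deleted")
        blocks = {}
        for delta in self.snapshots[: snap_id + 1]:
            if delta:
                blocks.update(delta)
        return [blocks[i] for i in sorted(blocks)]

    def delete(self, snap_id):
        """Remove a snapshot without breaking later ones that reference its blocks."""
        delta = self.snapshots[snap_id]
        if delta is None:
            raise ValueError("already deleted")
        successor = next((s for s in self.snapshots[snap_id + 1:] if s is not None), None)
        if successor is not None:
            for i, data in delta.items():
                successor.setdefault(i, data)  # only blocks the successor did not rewrite
        self.snapshots[snap_id] = None


def demo():
    """Three snapshots of an 8-block volume, then delete the first."""
    vol = Volume(8)
    store = SnapshotStore()
    first = store.take(vol)                  # full copy: 8 blocks
    vol.write(2, b"A")
    vol.write(5, b"B")
    second = store.take(vol)                 # incremental: 2 blocks
    vol.write(2, b"C")
    third = store.take(vol)                  # incremental: 1 block
    sizes = [store.stored_blocks(s) for s in (first, second, third)]
    store.delete(first)
    return {
        "sizes": sizes,                                      # [8, 2, 1]
        "second_after_delete": store.stored_blocks(second),  # 8: inherited 6 blocks
        "restored": store.restore(third),                    # full 8-block volume
    }


if __name__ == "__main__":
    print(demo())
```

The cost point follows directly: storage is charged for the unique blocks the chain holds, so deleting the first snapshot in the demo does not free its blocks because the second snapshot still needs them.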
Roles Lab:

• Roles are more secure than storing your access key and secret access key on individual EC2 instances.
• Roles are easier to manage.
• Roles can be assigned to an EC2 instance AFTER it has been provisioned, using either the CLI or the AWS console.
• Roles are universal; you can use them in any region.

Instance Metadata

• Used to get information about an instance (such as its public IP).
• curl http://169.254.169.254/latest/meta-data
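The curl line above is the IMDSv1 form: a single unauthenticated GET, which also returns the temporary credentials of the role attached to the instance. The following is an added example (not from the original notes) of reading the same endpoint through IMDSv2, where a PUT first obtains a session token and every GET must carry it in the X-aws-ec2-metadata-token header; with the instance set to require IMDSv2, token-less GETs are refused. The HTTP transport is injectable so the flow can be exercised offline against a constructed fake; the default transport only works on an EC2 instance. The sample IP uses the TEST-NET-3 documentation range.

```python
"""Read EC2 instance metadata with IMDSv2 (session-token) calls.

Added example, not from the original notes. Real IMDSv2 endpoints and
headers are used; the fake transport and its values are constructed so the
flow runs offline.
"""
import urllib.request

IMDS = "http://169.254.169.254"


def _urllib_http(method, url, headers):
    """Default transport: real HTTP via urllib (only works on an EC2 instance)."""
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.getcode(), resp.read().decode()


def get_metadata(path, http=_urllib_http, ttl_seconds=21600):
    """Fetch one metadata path via IMDSv2; path is e.g. 'meta-data/public-ipv4'."""
    # Step 1: obtain a session token (PUT, with a TTL of at most 6 hours)
    status, token = http("PUT", f"{IMDS}/latest/api/token",
                         {"X-aws-ec2-metadata-token-ttl-seconds": str(ttl_seconds)})
    if status != 200:
        raise RuntimeError(f"token request failed: HTTP {status}")
    # Step 2: present the token on the actual metadata request
    status, body = http("GET", f"{IMDS}/latest/{path}",
                        {"X-aws-ec2-metadata-token": token})
    if status != 200:
        raise RuntimeError(f"metadata request failed: HTTP {status}")
    return body


def fake_imds(method, url, headers):
    """Constructed stand-in for a metadata service that requires IMDSv2."""
    if method == "PUT" and url.endswith("/latest/api/token"):
        if "X-aws-ec2-metadata-token-ttl-seconds" not in headers:
            return 400, ""
        return 200, "constructed-token"
    if method == "GET":
        if headers.get("X-aws-ec2-metadata-token") != "constructed-token":
            return 401, ""  # token-less (v1-style) GET is refused
        if url.endswith("/meta-data/public-ipv4"):
            return 200, "203.0.113.10"  # constructed, TEST-NET-3 address
        return 404, ""
    return 405, ""


def v1_style_get_refused(http=fake_imds):
    """True if a GET without a token (the form in the notes) is refused."""
    status, _ = http("GET", f"{IMDS}/latest/meta-data/public-ipv4", {})
    return status == 401


if __name__ == "__main__":
    print(get_metadata("meta-data/public-ipv4", http=fake_imds))
    print("token-less GET refused:", v1_style_get_refused())
```

On a real instance, call get_metadata() with the default transport; the same two-step flow is what the AWS SDKs and CLI perform when they look up role credentials.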

EFS Features

• Supports the Network File System version 4 (NFSv4) protocol.
• You only pay for the storage you use (no pre-provisioning required).
• Can scale up to petabytes.
• Can support thousands of concurrent NFS connections.
• Data is stored across multiple AZs within a region.
• Read-after-write consistency.

What is Lambda?

AWS Lambda is a compute service where you can upload your code and create a Lambda function. AWS Lambda takes care of provisioning and managing the servers that are used to run the code. You don’t have to worry about operating systems, patching, scaling, etc. You can use Lambda in the following ways:

• As an event-driven compute service where AWS Lambda runs your code in response to events. These events could be changes to data in an Amazon S3 bucket or an Amazon DynamoDB table.
• As a compute service to run your code in response to HTTP requests using Amazon API Gateway or API calls made using AWS SDKs. This is what we use at A Cloud Guru.
• A function cannot take longer than 5 minutes to execute; if it does, it needs to be broken apart into multiple Lambda calls.
Route53
Geolocation
DNS Exam Tips
 ELBs do not have pre-defined IPv4 addresses; you resolve to them using a DNS name.
 Understand the difference between an Alias Record and a CNAME. The difference is that
an alias can resolve individual AWS resources (ELB/CloudFront distro).
 Given the choice, always choose an Alias Record over a CNAME.

Remember the different routing policies and their use cases.

 Simple – Round Robin


 Weighted – A/B testing % of traffic to a specific site
 Latency – Based on ping – fastest site
 Failover – Production/DR
 Geolocation – Customer location based

Databases – Read RDS-FAQ


AWS Database Types – Summary
 RDS – OLTP (On-Line Transaction Processing)
o SQL
o MySQL
o PostgreSQL
o Oracle
o Aurora
o MariaDB
 DynamoDB – No SQL
 RedShift – OLAP (On-Line Analytics Processing)
 Elasticache – In memory caching.
o Memcached
Aurora Scaling
 Two copies of your data are kept in each availability zone, across a minimum of 3 availability
zones, giving 6 copies of your data.
 Aurora is designed to transparently handle the loss of up to two copies of data without affecting
database write availability and up to three copies without affecting read availability.
 Aurora storage is also self-healing. Data blocks and disks are continuously scanned for errors and
repaired automatically.
 2 types of Replicas available
 Aurora Replicas (currently 15)
 MySQL Read Replicas (5)

DynamoDB vs RDS
DynamoDB offers “push button” scaling, meaning that you can scale your database on the fly, without
any down time.
RDS is not so easy – you usually have to use a bigger instance size or add a read replica.

 Stored on SSD storage


 Spread Across 3 geographically distinct data centers
 Eventually consistent reads (default)
 Strongly consistent reads (faster/more expensive)

Redshift Configuration (data warehouse)

 Single node (160 GB)


 Multi-Node
o Leader Node (manages client connections and receives queries)
o Compute Node (store data and perform queries and computations). Up to 128 compute
nodes.

Elasticache is a web service that makes it easy to deploy, operate, and scale an in-memory cache in the
cloud. The service improves the performance of web applications by allowing you to retrieve
information from fast, managed, in-memory caches, instead of relying entirely on slower disk-based
databases. ElastiCache supports two open-source in-memory caching engines:

 Memcached
 Redis

Read the RDS FAQ – Understand Redshift/ElastiCache/RDS

VPC Overview – Don’t take the exam until you can build out a VPC by memory
What is a VPC?
Exam tips –
NAT Instance
 When creating a NAT instance, disable source/destination check on the instance.
 NAT instances must be in a public subnet.
 There must be a route out of the private subnet to the NAT instance, in order for this to work.
 The amount of traffic that NAT instances can support depends on the instance size. If you are
bottlenecking, increase the instance size.
 You can create high availability using AutoScaling groups, multiple subnets in different AZs, and
a script to automate failover.
 Behind a Security Group
NAT Gateway
 Preferred by the enterprise
 Scale automatically up to 10Gbps
 No need to patch
 Not associated with security groups
 Automatically assigned a public IP address
 Remember to update your route tables
 No need to disable source/destination checks
 More secure than a NAT instance

Network Access Control Lists


 You can only associate a subnet with one ACL.
 NACLs can only be deployed into one VPC; they cannot be connected to multiple VPCs
 By default all newly created NACLs (not default) block all traffic.
 They are stateless; when configuring inbound rules the outbound rules are not automatically
opened.

Ephemeral ports
An ephemeral port is a short-lived transport protocol port for Internet Protocol (IP) communications.
Ephemeral ports are allocated automatically from a predefined range by the IP stack software. An
ephemeral port is typically used by the Transmission Control Protocol (TCP), User Datagram Protocol
(UDP), or the Stream Control Transmission Protocol (SCTP) as the port assignment for the client end of a
client–server communication to a well-known port on a server.

Exam Tips – Network ACLs


 Your VPC automatically comes with a default network ACL, and by default it allows all outbound
and inbound traffic.
 You can create custom network ACLs. By default, each custom network ACL denies all inbound
and outbound traffic until you add rules.
 Each subnet in your VPC must be associated with a network ACL. If you don’t explicitly associate
a subnet with a network ACL, the subnet is automatically associated with the default network
ACL.
 You can associate a network ACL with multiple subnets; however, a subnet can be associated
with only one network ACL at a time. When you associate a network ACL with a subnet, the
previous association is removed.
 Network ACLs contain a numbered list of rules that is evaluated in order, starting with the
lowest numbered rule.
 Network ACLs have separate inbound and outbound rules, and each rule can either allow or
deny traffic.
 Network ACLs are stateless; responses to allowed inbound traffic are subject to the rules for
outbound traffic (and vice versa).
 Block IP addresses using network ACLs not Security Groups
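Added example (not from the course notes or AWS) of the three points that matter most above: ordered evaluation, the implicit deny, and statelessness. It is a small simulator of NACL evaluation over constructed rule sets; the blocked host, the client addresses and the rule numbers are all made up.

```python
"""Added example (not from the course notes or AWS): a small simulator of how a
network ACL evaluates traffic. Rules are checked in ascending number order and
the first match wins; anything unmatched hits the implicit deny-all rule. NACLs
are stateless, so the reply to an allowed inbound request must separately be
allowed outbound, which is why outbound rules normally cover the ephemeral
port range. The rule sets below are constructed samples."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    number: int      # rule number; evaluation order is ascending
    protocol: str    # "tcp", "udp" or "all"
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound
    port_from: int
    port_to: int
    action: str      # "allow" or "deny"

def matches(rule, protocol, addr, port):
    if rule.protocol not in ("all", protocol):
        return False
    if ip_address(addr) not in ip_network(rule.cidr):
        return False
    return rule.port_from <= port <= rule.port_to

def evaluate(rules, protocol, addr, port):
    """Return 'allow' or 'deny' for one packet against one direction's rules."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, protocol, addr, port):
            return rule.action
    return "deny"   # the implicit '*' rule at the end of every NACL

def check_tcp_flow(inbound, outbound, client_ip, client_port, server_port):
    """A client request enters the subnet and the server's reply must leave it.
    Both directions are evaluated independently because NACLs keep no state."""
    request = evaluate(inbound, "tcp", client_ip, server_port)
    response = evaluate(outbound, "tcp", client_ip, client_port)
    return {"request": request, "response": response,
            "flow_ok": request == "allow" and response == "allow"}

# Constructed inbound rules: block one abusive host first (the NACL is the
# right place for an IP block; security groups cannot deny), then allow HTTPS.
INBOUND = [
    Rule(100, "all", "198.51.100.7/32", 0, 65535, "deny"),
    Rule(110, "tcp", "0.0.0.0/0", 443, 443, "allow"),
]
# Outbound rules that forget the return traffic: replies go to the client's
# ephemeral port, not to 443, so they are dropped.
OUTBOUND_BROKEN = [
    Rule(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),
]
# Corrected outbound rules: replies to the ephemeral range are allowed.
OUTBOUND_FIXED = OUTBOUND_BROKEN + [
    Rule(200, "tcp", "0.0.0.0/0", 1024, 65535, "allow"),
]

if __name__ == "__main__":
    print("broken:", check_tcp_flow(INBOUND, OUTBOUND_BROKEN, "203.0.113.5", 51000, 443))
    print("fixed: ", check_tcp_flow(INBOUND, OUTBOUND_FIXED, "203.0.113.5", 51000, 443))
```

The deny for the blocked host wins only because its rule number is lower than the HTTPS allow; renumber it above 110 and the simulator lets that host through on 443, which is exactly the ordering mistake the exam tips warn about.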

VPC Flow Logs


VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from
network interfaces in your VPC. Flow log data is stored using Amazon CloudWatch Logs. After you’ve
created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs.

Flow logs can be created at 3 levels:

 VPC
 Subnet
 Network Interface Level

VPC Flow Logs Exam Tips

 You cannot enable flow logs for VPCs that are peered with your VPC unless the peer VPC is in
your account.
 You cannot tag a flow log.
 After you’ve created a flow log, you cannot change its configuration; for example, you can’t
associate a different IAM role with the flow log.
 Not all IP traffic is monitored; the following is excluded:
 Traffic generated by instances when they contact the Amazon DNS server. If you use your own
DNS server, then all traffic to that DNS server is logged.
 Traffic generated by a Windows instance for Amazon Windows License activation.
 Traffic to and from 169.254.169.254 for instance metadata.
 DHCP Traffic.
 Traffic to the reserved IP address for the default VPC router.
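Added example (not from the course notes or AWS) of what you do with flow log data once it is in CloudWatch Logs: parse records in the default version-2 field layout and summarise rejected traffic, which is the usual first question when a NACL or security group is misbehaving. The log lines are constructed samples (documentation-style account ID, TEST-NET addresses), not real captures; note that metadata traffic to 169.254.169.254 never appears, per the exclusions above.

```python
"""Added example (not from the course notes or AWS): parse VPC Flow Log records
in the default version-2 field layout and summarise rejected traffic.
The log lines are constructed samples, not real captures."""
from collections import Counter

# Default flow log record fields, in order.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.12 10.0.1.25 49152 22 6 6 360 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.12 10.0.1.25 49153 3389 6 6 360 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.8 10.0.1.25 51000 443 6 20 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.12 10.0.1.25 49154 22 6 6 360 1700000060 1700000120 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000120 1700000180 - NODATA
"""

def parse_record(line):
    """Return a dict for one record, or None for malformed or NODATA/SKIPDATA lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None          # no traffic fields to read
    for field in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[field] = int(rec[field])
    return rec

def parse_log(text):
    return [r for r in map(parse_record, text.splitlines()) if r is not None]

def rejects_by_source_and_port(records):
    """Count REJECT records per (source address, destination port)."""
    counts = Counter()
    for rec in records:
        if rec["action"] == "REJECT":
            counts[(rec["srcaddr"], rec["dstport"])] += 1
    return counts

def noisy_sources(records, threshold=2):
    """Source addresses with at least `threshold` rejected flows, most rejects first."""
    totals = Counter(rec["srcaddr"] for rec in records if rec["action"] == "REJECT")
    return [src for src, n in totals.most_common() if n >= threshold]

if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for key, n in rejects_by_source_and_port(records).items():
        print(key, n)
    print("noisy:", noisy_sources(records))
```

A REJECT here means a NACL or security group dropped the packet; seeing a source repeatedly rejected on 22 and 3389 is the signal that the block is doing its job, whereas an unexpected ACCEPT on those ports from outside is what warrants a look at the rules.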
NAT vs Bastion

Exam Tips – NAT vs Bastions


 A NAT is used to provide internet traffic to EC2 instances in private subnets
 A Bastion is used to securely administer EC2 instances (using SSH or RDP) in private subnets
Application Services
SQS – Simple Queue Service – Read the FAQ
What is SQS?
Amazon SQS is a web service that gives you access to a message queue that can be used to store
messages while waiting for a computer to process them.

Travel Website:

SQS – Key Facts


 SQS is pull based, not push based
 Messages are 256 KB in size
 Messages can be kept in the queue from 1 minute to 14 days. The default is 4 days.
 Visibility timeout is the amount of time that the message is invisible in the SQS queue after a
reader picks up that message. Provided the job is processed before the visibility timeout
expires, the message will then be deleted from the queue. If the job is not processed within that
time, the message will become visible again and another reader will process it. This could result
in the same message being delivered twice.
 Visibility timeout maximum is 12 hours
 SQS guarantees that your messages will be processed at least once.
 Amazon SQS long polling is a way to retrieve messages from your Amazon SQS queues. While
the regular short polling returns immediately, even if the message queue being polled is empty,
long polling doesn’t return a response until a message arrives in the message queue, or the long
poll times out.
 Queues can either be standard or FIFO
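Added example (not from the course notes or the AWS SDK): a toy queue with a simulated clock that models the visibility timeout and at-least-once delivery described in the key facts above, so the "delivered twice" case can be reproduced deterministically. The message body and timings are constructed.

```python
"""Added example (not from the course notes or the AWS SDK): a toy queue that
models the SQS visibility timeout and at-least-once delivery with a simulated
clock. A consumer that takes longer than the visibility timeout lets a second
reader receive the same message; an idempotent consumer recognises the repeat."""
from collections import Counter
import itertools

class ToyQueue:
    def __init__(self, visibility_timeout):
        self.visibility_timeout = visibility_timeout
        self.now = 0                      # simulated clock, in seconds
        self._ids = itertools.count(1)
        self.messages = {}                # message id -> {"body", "invisible_until"}

    def send(self, body):
        mid = f"msg-{next(self._ids)}"
        self.messages[mid] = {"body": body, "invisible_until": 0}
        return mid

    def receive(self):
        """Hand out the first visible message and hide it for the timeout period."""
        for mid, msg in self.messages.items():
            if msg["invisible_until"] <= self.now:
                msg["invisible_until"] = self.now + self.visibility_timeout
                return mid, msg["body"]
        return None

    def delete(self, mid):
        self.messages.pop(mid, None)      # deleting twice is harmless

    def advance(self, seconds):
        self.now += seconds

def simulate(visibility_timeout, processing_time, idempotent, horizon=120):
    """Readers poll once per second; each received message takes processing_time
    seconds of work and is deleted when the work finishes. Returns
    (times the message was delivered, times its side effect actually ran)."""
    queue = ToyQueue(visibility_timeout)
    queue.send("charge-order-42")
    deliveries = 0
    processed = Counter()
    seen_ids = set()                      # an idempotent consumer's dedup store
    in_flight = []                        # (finish_time, message id, body)
    while queue.now <= horizon:
        for work in [w for w in in_flight if w[0] <= queue.now]:
            in_flight.remove(work)
            _, mid, body = work
            if not (idempotent and mid in seen_ids):
                processed[body] += 1      # the real side effect (e.g. charging a card)
            seen_ids.add(mid)
            queue.delete(mid)
        got = queue.receive()
        if got is not None:
            deliveries += 1
            in_flight.append((queue.now + processing_time, got[0], got[1]))
        queue.advance(1)
    return deliveries, processed["charge-order-42"]

if __name__ == "__main__":
    print("slow, naive:     ", simulate(30, 45, idempotent=False))   # delivered twice, charged twice
    print("slow, idempotent:", simulate(30, 45, idempotent=True))    # delivered twice, charged once
    print("timeout fits:    ", simulate(60, 45, idempotent=False))   # delivered once
```

Two fixes are shown: size the visibility timeout to the real processing time, and make the consumer idempotent (here by remembering message ids; in practice a business key in a datastore) so that the at-least-once guarantee cannot turn into a double charge.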
Simple Workflow Service
SWF vs SQS
 SQS has a retention period of 14 days, SWF up to 1 year for workflow executions.
 Amazon SWF presents a task-oriented API, whereas Amazon SQS offers a message-oriented API.
 Amazon SWF ensures that a task is assigned only once and is never duplicated. With Amazon
SQS, you need to handle duplicated messages and may also need to ensure that a message is
processed only once.
 Amazon SWF keeps track of all the tasks and events in an application. With Amazon SQS, you
need to implement your own application-level tracking, especially if your application uses
multiple queues.

SWF Actors
 Workflow Starters – An application that can initiate (start) a workflow. Could be your e-
commerce website when placing an order or a mobile app searching for bus times.
 Deciders – Control the flow of activity tasks in a workflow execution. If something has finished in
a workflow (or fails) a Decider decides what to do next.
 Activity Workers – Carry out the activity tasks.

SNS – Simple Notification Service


SNS Subscribers

 HTTP
 HTTPS
 Email
 Email-JSON
 SQS
 Application
 Lambda

SNS vs SQS
 Both messaging services in AWS
 SNS-Push
 SQS – Polls (Pulls)

Elastic Transcoder
What is elastic transcoder?
Media Transcoder in the cloud.

Convert media files from their original source format into different formats that will play on
smartphones, tablets, PCs, etc.

Provides transcoding presets for popular output formats, which means that you don’t need to guess
about which settings work best on particular devices. Pay based on the minutes that you transcode and
the resolution at which you transcode.
Kinesis Summary
What is Kinesis Streams?
Kinesis Firehose

What is Kinesis Firehose?

No automatic data retention window. As soon as the data comes in, it is analyzed using Lambda or sent to
S3.

Kinesis 101 – Exam Tips


 Know the difference between Kinesis Streams and Kinesis Firehose. You will be given scenario
questions and you must choose the most relevant service.
 Understand what Kinesis Analytics is.

Building a Fault Tolerant WordPress Site

 Created S3 Role (allow EC2 instances to access S3)


 Security Groups for WebDMZ and RDS –
 Created ALB’s
 Created S3 buckets; for code and media assets
 Created CloudFront distro based on S3 buckets
 Created RDS instance
Overview of AWS Whitepaper
What is Cloud Computing?

Advantages of cloud

 Trade capital expense for variable expense (operating expense)


 Benefit from massive economies of scale.
 Stop guessing about capacity
 Increase speed and agility
 Stop spending money running and maintaining data centers
 Go global in minutes
Security
 State of the art electronic surveillance and multi-factor access control systems
 Staffed 24 x 7 by security guards
 Access is authorized on a “least privilege basis”

Compliance
 SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70 Type II)
 SOC2
 SOC3
 FISMA, DIACAP, and FedRAMP
 PCI DSS Level 1
 ISO 27001
 ISO 9001
 ITAR
 FIPS 140-2
 HIPAA
 Cloud Security Alliance (CSA)
 Motion Picture Association of America (MPAA)
Overview of Security Processes (Part 1) – Most Important White Paper (READ THIS)
Shared Security Model
AWS is responsible for securing the underlying infrastructure that supports the cloud, and you’re
responsible for anything you put on the cloud or connect to the cloud

AWS Security Responsibilities


Amazon Web Services is responsible for protecting the global infrastructure that runs all of the services
offered in the AWS cloud. This infrastructure is comprised of the hardware, software, networking, and
facilities that run AWS services.

AWS is responsible for the security configuration of its products that are considered managed services.
Examples of these types of services include Amazon DynamoDB, Amazon RDS, Amazon Redshift,
Amazon Elastic MapReduce, and Amazon WorkSpaces.

Customer Security Responsibilities


IaaS services, such as Amazon EC2, Amazon VPC, and Amazon S3, are completely under your control and
require you to perform all the necessary security configuration and management tasks.

For managed services, AWS is responsible for patching, antivirus, etc.; however, you are responsible for
account management and user access. It’s recommended that MFA be implemented, that you communicate with
these services using SSL/TLS, and that API/user activity logging be set up with CloudTrail.

Storage Decommissioning
When a storage device has reached the end of its useful life, AWS procedures include a
decommissioning process that is designed to prevent customer data from being exposed to
unauthorized individuals.

AWS uses the techniques detailed in DoD 5220.22-M (“National Industrial Security Program Operating
Manual”) or NIST 800-88 (“Guidelines for Media Sanitization”) to destroy data as part of the
decommissioning process.
All decommissioned magnetic storage devices are degaussed and physically destroyed in accordance
with industry-standard practices.

Network Security
Transmission Protection – you can connect to an AWS access point via HTTP or HTTPS using SSL.
Customers who require additional layers of security can use a VPC together with an IPsec VPN device
to provide an encrypted tunnel to their AWS environment.

Amazon Corporate Segregation – Logically, the AWS Production network is segregated from the Amazon
Corporate network by means of a complex series of network security/segregation devices.

Network Monitoring & Protection


 DDoS
 Man in the middle attacks (MITM)
 IP Spoofing
 Port Scanning
o Unauthorized port scans by Amazon EC2 customers are a violation of the AWS
Acceptable Use Policy. You may request permission to conduct vulnerability scans as
required to meet your specific compliance requirements.
 Packet Sniffing by other tenants

AWS Trusted Advisor


Trusted Advisor inspects your AWS environment and makes recommendations when opportunities may
exist to save money, improve system performance, or close security gaps.

It provides alerts on several of the most common security misconfigurations that can occur, including
leaving certain ports open that make you vulnerable to hacking and unauthorized access, neglecting to
create IAM accounts for your internal users, allowing public access to Amazon S3 buckets, not turning on
user activity logging (AWS CloudTrail), or not using MFA on your root AWS Account.
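Added example (not from the course notes or AWS) of the first misconfiguration listed above, as an offline check in the spirit of Trusted Advisor: walk security-group data in the shape returned by the EC2 DescribeSecurityGroups API and flag rules that open administrative ports to the whole internet. The group IDs, names and rules are constructed samples, not from a real account.

```python
"""Added example (not from the course notes or AWS): an offline check in the
spirit of Trusted Advisor's security findings. It walks security-group data in
the shape returned by the EC2 DescribeSecurityGroups API and flags rules that
open administrative ports to the whole internet. The groups below are
constructed samples, not from a real account."""

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
ANYWHERE = {"0.0.0.0/0", "::/0"}

SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "web-dmz", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},   # the problem
    ]},
    {"GroupId": "sg-0bbb", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},  # admin CIDR only
    ]},
    {"GroupId": "sg-0ccc", "GroupName": "legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},                          # all traffic
    ]},
]

def rule_cidrs(perm):
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])

def exposed_admin_ports(perm):
    """Admin ports covered by one rule. Protocol -1 means all protocols and ports."""
    if perm.get("IpProtocol") == "-1":
        return set(ADMIN_PORTS)
    if perm.get("IpProtocol") != "tcp":
        return set()
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return {p for p in ADMIN_PORTS if lo <= p <= hi}

def audit_security_groups(groups):
    """Return one finding per (group, admin port) reachable from anywhere."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            open_cidrs = sorted(c for c in rule_cidrs(perm) if c in ANYWHERE)
            if not open_cidrs:
                continue
            for port in sorted(exposed_admin_ports(perm)):
                findings.append({"group": group["GroupId"], "name": group["GroupName"],
                                 "port": port, "service": ADMIN_PORTS[port],
                                 "open_to": open_cidrs})
    return findings

if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_GROUPS):
        print(f"{f['group']} ({f['name']}): {f['service']}/{f['port']} open to {f['open_to']}")
```

The bastion group passes because its SSH rule is limited to an administrative CIDR, which is the remediation for the other two findings: restrict the port to the bastion or office range rather than 0.0.0.0/0 and ::/0.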

Instance Isolation
Different instances running on the same physical machine are isolated from each other via the Xen
hypervisor. In addition, the AWS firewall resides within the hypervisor layer, between the physical
network interface and the instance’s virtual interface. RAM also works the same way.

Customer instances have no access to raw disk devices, but instead are presented with virtualized disks.
The AWS proprietary disk virtualization layer automatically resets every block of storage used by the
customer, so that one customer’s data is never unintentionally exposed to another. In addition, memory
allocated to guests is scrubbed (set to zero) by the hypervisor when it is unallocated to a guest.

Other considerations

Guest OS is controlled by the customer, AWS has no back door.

Firewall – Amazon EC2 provides you with complete firewall control.

Guest OS – Encryption of sensitive data is generally a good security practice, and AWS provides the
ability to encrypt EBS volumes and their snapshots with AES-256. The encryption occurs on the servers
that host the EC2 instances, providing encryption of data as it moves between EC2 instances and EBS
storage. In order to be able to do this efficiently and with low latency, the EBS encryption feature is only
available on EC2’s more powerful instance types (e.g. M3, C3, R3, and G2).

ELB – SSL termination is supported.


Direct Connect – Bypass ISP in your network path. You can procure rack space within the facility housing
the AWS Direct Connect location and deploy your equipment nearby. Once deployed, you can connect
this equipment to AWS Direct Connect using a cross-connect.

Business Benefits of Cloud

 Almost zero upfront infra investment


 JIT Infra
 More efficient resource utilization
 Usage-based costing
 Reduced time to market

Technical Benefits of Cloud

 Automation – “Scriptable Infra”


 Auto-scaling
 Proactive Scaling
 More Efficient Development lifecycle
 Improved testability
 Disaster Recovery and Business Continuity
 “Overflow” the traffic to the cloud
Design for Failure
Rule of thumb: be a pessimist when designing architectures in the cloud; assume things will fail. Always
design and deploy for automated recovery from failure. In particular assume your hardware will fail.

Decouple your components


The key is to build components that do not have tight dependencies on each other, so that if one
component were to die (fail), sleep (not respond) or remain busy (slow to respond) for some reason, the
other components in the system are built so as to continue to work as if no failure is happening.

Implement Elasticity

1. Proactive Cyclic Scaling: periodic scaling that occurs at fixed intervals (daily, weekly, monthly,
quarterly).
2. Proactive Event-based Scaling: Scaling just when you are expecting a big surge of traffic requests
due to a scheduled business event (new product launch, marketing campaigns).
3. Auto-scaling based on demand

Secure your application


Well Architected Framework
 Security
 Reliability
 Performance Efficiency
 Cost Optimization
 Operational Excellence

Structure of each pillar


 Design Principles
 Definition
 Best Practice
 Key AWS Services

General Design Principles


 Stop guessing your capacity needs
 Test systems at production scale
 Automate to make architectural experimentation easier
 Allow for evolutionary architectures
 Data-Driven Architectures
 Improve through game days
Well Architected Framework – Pillar One Security

Design Principles
 Apply security at all layers
 Enable Traceability
 Automate responses to security events
 Focus on securing your system
 Automate security best practices

Definition
 Data protection
o Organize and classify your data into segments such as public/private. Determine who
should have access to specific data, users/devices/etc. Implement a least privilege
access system. Encrypt everything where possible, at rest and in transit.
 Privilege management
o This ensures that only authorized and authenticated users are able to access your
resources.
 ACL
 Role Based Access Controls
 Password Management (such as password rotation policies)
 Manage AWS root account
 Roles & responsibilities of system users with access to the AWS Management Console
and API
 How are you limiting automation?
 Infrastructure protection
o This is at a VPC level.
o NACLs in place.
o Subnet public or private
 Detective controls
o Detect or identify a security breach such as the following
 AWS CloudTrail
 AWS CloudWatch
 AWS Config
 Amazon S3
 Amazon Glacier
o How are logs analyzed?

Well Architected Framework – Pillar Two Reliability


Design Principles
 Test recovery procedures
 Automatically recover from failure – monitor system KPIs for automatic notification
 Scale horizontally to increase aggregate system availability
 Stop guessing capacity

Definition
 Foundations
o Before architecting make sure you have the prerequisite foundations.
 Change Management
 Failure Management
 AWS Services
 Foundations
o IAM, VPC
 Change Management
o AWS CloudTrail
 Failure Management
o AWS CloudFormation
Well Architected Framework –Pillar Three Performance Efficiency
Design Principles
 Democratize advanced technologies
 Go global in minutes
 Use server-less architectures
 Experiment more often

Definition
 Compute
 Storage
o Access method
o Patterns of access – Random or Sequential
o Throughput required
o Frequency of access
 Databases
 Space-time tradeoff
 AWS Services
o Compute
 AutoScaling
o Storage
 EBS, S3, Glacier
o Database
 RDS, DynamoDB, Redshift
o Space-Time Trade-Off
 CloudFront, ElastiCache, Direct Connect, RDS Read Replicas, etc.

Well Architected Framework – Pillar four Cost Optimization


Design Principles
 Transparently attribute expenditure
 Use Managed services to reduce cost of ownership
 Trade capital expense for operating expense
 Benefit from economies of scale
 Stop spending money on data center operations

Definition
 Matched supply and demand
 Cost-effective resources
 Expenditure awareness
 Optimizing over time
 AWS Services
o Matched supply and demand
 AutoScaling
o Cost-effective resources
 EC2 (reserved instances), AWS Trusted Advisor
o Expenditure awareness
 CloudWatch Alarms, SNS
o Optimizing over time
 AWS Blog, AWS Trusted Advisor

Well Architected Framework – Pillar Five Operational Excellence


Design Principles
 Perform operations with code
 Align operations processes to business objectives
 Make regular, small, incremental changes
 Test for responses to unexpected events
 Learn from operational events and failures
 Keep operations procedures current

Definition
 Preparation
o Runbooks
o Playbooks
 Operation
 Response
