AWS Instance types :
● General purpose
● Compute optimized
● Memory optimized
● Storage optimized
AWS Edge locations : these are the datacenters that hold caches of the most
popular files, so that the delivery distance to the end user is reduced.
Regional edge locations : these are the datacenters that hold much larger
caches of less popular files.
AWS IAM :
IAM user : represents a person or service that interacts with AWS services.
IAM Role : It allows AWS services (like EC2, Lambda) or users to do specific
tasks without needing a username or password.
Only one role can be assigned to an EC2 instance at a time.
A role can be assigned at the EC2 instance creation time or at any time
afterwards.
Policies: Policies are documents that define permissions and can be applied
to users, groups, and roles.
What’s the difference between a group and attaching policies directly to
the user? -> Attaching policies to a group is more scalable and
manageable, especially when multiple users need the same permissions.
When you create an IAM user, group, role, or policy, it applies to your entire
AWS account.
It is not tied to any specific AWS region.
What is the maximum number of IAM users you can create per AWS
account? You can create up to 5,000 IAM users per AWS account (soft limit,
can be increased upon request).
NETWORKING :
CIDR (Classless Inter-Domain Routing) is a method to define IP address
ranges more flexibly than the old "class-based" system (Class A, B, C).
For example, CIDR notation might look like: 192.168.129.23/17 -- with 17 being
the number of leading bits that form the network prefix (the remaining 15 bits
identify hosts within that network).
1. IPv4 addresses support a maximum of 32 bits.
2. In IPv6, a CIDR block always gets 64 bits for specifying network
addresses.
3. IPv4 addresses are 32-bit addresses. Each byte, or 8-bit segment of the
address, is separated by a period and typically expressed as a number 0–255.
4. The lowest value in each octet is 0, and the highest value is 255.
How does a NAT Gateway work?
It allows private subnet instances to access the internet outbound (for
updates, etc.), but blocks inbound traffic.
What is an Internet Gateway?
A highly available gateway attached to your VPC to allow internet access.
What are VPC Endpoints?
They let you privately connect to AWS services like S3 or DynamoDB without
using an Internet Gateway or NAT.
What is the CIDR range for maximum IPs in a subnet? - /16
Elastic Network Interface (ENI)
An Elastic Network Interface (ENI) is a logical networking component in a VPC
that represents a virtual network card.
a. Primary ENI (eth0)
● Created automatically with every EC2 instance.
● Cannot be detached unless you terminate the instance.
● Stays with the instance during its lifecycle.
● Always uses device index 0.
b. Secondary ENIs
● You can manually create and attach them to an instance.
● Useful for hosting multiple IPs, routing traffic from different subnets,
or multi-tenancy scenarios.
● Detachable and can move between instances.
c. Trunk ENIs
● Only used with EC2 instances in a Nitro-based environment (e.g.,
C5, M5, R5, etc.)
Maximum number of security groups that can be assigned to a single ENI: 5
We cannot detach the default (primary) ENI from an instance.
● Public subnet – The subnet has a direct route to an internet gateway.
Resources in a public subnet can access the public internet.
● Private subnet – The subnet does not have a direct route to an internet
gateway. Resources in a private subnet require a NAT device to access
the public internet.
Reserved IP Addresses in Subnets
In each subnet, AWS reserves five IP addresses that cannot be assigned to
instances:
1. Network Address: The first IP address of the subnet (e.g., 10.0.0.0 in a
10.0.0.0/24 subnet) is reserved as the network identifier.
2. VPC Router: The second IP address (e.g., 10.0.0.1) is reserved for the
VPC router.
3. DNS Server: The third IP address (e.g., 10.0.0.2) is reserved for the
Amazon-provided DNS server.
4. Reserved for Future Use: The fourth IP address (e.g., 10.0.0.3) is
reserved for future use.
5. Broadcast Address: The last IP address of the subnet (e.g., 10.0.0.255 in
a 10.0.0.0/24 subnet) is reserved as the broadcast address. Note that
AWS does not support broadcast in a VPC, but this address is still reserved.
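To make the CIDR arithmetic above and the five reserved addresses concrete, here is an added Python example (not part of these notes) that computes, for any IPv4 subnet, the network prefix, the host bits, the reserved addresses and the count left for instances, and checks whether a given address can be assigned. The sample subnets are constructed; the /16 to /28 size check reflects the subnet sizes AWS accepts.

```python
import ipaddress

# Constructed sample subnets (not from the notes); any IPv4 CIDR works.
SAMPLE_SUBNETS = ["10.0.0.0/24", "192.168.129.23/17", "172.16.8.0/28"]


def subnet_facts(cidr: str) -> dict:
    """CIDR arithmetic for one subnet: prefix length, host bits, total addresses,
    the five addresses AWS reserves, and how many remain for instances."""
    # strict=False accepts a host address such as 192.168.129.23/17 and
    # masks it down to the network it belongs to (192.168.128.0/17).
    net = ipaddress.ip_network(cidr, strict=False)
    first = net.network_address
    reserved = {
        "network": str(first),                    # .0  network identifier
        "vpc_router": str(first + 1),             # .1  VPC router
        "dns": str(first + 2),                    # .2  Amazon-provided DNS
        "future_use": str(first + 3),             # .3  reserved for future use
        "broadcast": str(net.broadcast_address),  # last address of the subnet
    }
    return {
        "network": str(net),
        "prefix_len": net.prefixlen,
        "host_bits": net.max_prefixlen - net.prefixlen,
        "total_addresses": net.num_addresses,
        "reserved": reserved,
        "usable_for_instances": net.num_addresses - len(reserved),
    }


def is_assignable(cidr: str, ip: str) -> bool:
    """True if `ip` lies inside the subnet and is not one of the five reserved addresses."""
    net = ipaddress.ip_network(cidr, strict=False)
    addr = ipaddress.ip_address(ip)
    if addr not in net:
        return False
    reserved = {int(net.network_address) + i for i in range(4)} | {int(net.broadcast_address)}
    return int(addr) not in reserved


def aws_subnet_size_ok(cidr: str) -> bool:
    """AWS accepts VPC and subnet IPv4 CIDRs between /16 (largest) and /28 (smallest)."""
    return 16 <= ipaddress.ip_network(cidr, strict=False).prefixlen <= 28


if __name__ == "__main__":
    for cidr in SAMPLE_SUBNETS:
        facts = subnet_facts(cidr)
        print(f"{cidr:>20} -> {facts['network']:<18} "
              f"{facts['total_addresses']:>6} addresses, "
              f"{facts['usable_for_instances']:>6} usable, "
              f"DNS at {facts['reserved']['dns']}, "
              f"size ok: {aws_subnet_size_ok(cidr)}")
```

Run it as a script to see the three sample subnets; the /28 case shows why very small subnets are wasteful, since 5 of 16 addresses are gone before the first instance launches.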
SG are stateful : Security groups act as a firewall for associated instances,
controlling both inbound and outbound traffic at the instance level.
If we allow incoming traffic on a port, the response from your server going back
to the user is automatically allowed. No need to create separate rules for
outgoing traffic.
● Can be attached to multiple instances
● If your application is not accessible (timeout), then it is a security group issue.
NACLs are stateless : if you allow incoming traffic on some port, we must also
allow the outgoing response traffic, otherwise the response will be blocked.
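The stateful/stateless difference is easier to see in a simulation. The following is an added example, not code from the notes or from AWS: a toy security group that tracks flows and a toy NACL that evaluates every packet against ordered rules. The client and server addresses are constructed; an HTTP request and its reply are pushed through each filter to show which one needs an explicit outbound rule for the ephemeral-port reply.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    direction: str            # "in" or "out"
    port_from: int
    port_to: int
    cidr: str = "0.0.0.0/0"   # the remote side of the connection
    proto: str = "tcp"
    allow: bool = True        # NACLs can deny; security groups only allow

    def matches(self, pkt: Packet, direction: str) -> bool:
        if direction != self.direction or pkt.proto != self.proto:
            return False
        remote = pkt.src_ip if direction == "in" else pkt.dst_ip
        return (self.port_from <= pkt.dst_port <= self.port_to
                and ipaddress.ip_address(remote) in ipaddress.ip_network(self.cidr))


class SecurityGroup:
    """Stateful: a packet allowed by a rule opens a tracked flow, and the reply
    in the opposite direction is accepted without consulting the rules."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.flows = set()

    def permit(self, pkt: Packet, direction: str) -> bool:
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        if reverse in self.flows:          # reply to a connection we already allowed
            return True
        if any(r.allow and r.matches(pkt, direction) for r in self.rules):
            self.flows.add(flow)
            return True
        return False


class NetworkAcl:
    """Stateless: every packet is checked against the rules for its own direction,
    in order; the first match wins and the implicit final rule is deny."""

    def __init__(self, rules):
        self.rules = list(rules)

    def permit(self, pkt: Packet, direction: str) -> bool:
        for r in self.rules:
            if r.matches(pkt, direction):
                return r.allow
        return False


def web_exchange(filt) -> tuple:
    """Constructed exchange: client 203.0.113.5 asks server 10.0.1.20 on port 80.
    Returns (request_allowed, reply_allowed)."""
    request = Packet("203.0.113.5", 51234, "10.0.1.20", 80)
    reply = Packet("10.0.1.20", 80, "203.0.113.5", 51234)
    return filt.permit(request, "in"), filt.permit(reply, "out")


if __name__ == "__main__":
    print("SG, inbound 80 only        :", web_exchange(SecurityGroup([Rule("in", 80, 80)])))
    print("NACL, inbound 80 only      :", web_exchange(NetworkAcl([Rule("in", 80, 80)])))
    print("NACL, + outbound ephemeral :", web_exchange(NetworkAcl(
        [Rule("in", 80, 80), Rule("out", 1024, 65535)])))
```

The second line of output is the classic NACL mistake: the request gets in, but the reply to the client's ephemeral port is silently dropped until an outbound rule for 1024-65535 is added.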
NAT Gateway : A NAT gateway is a Network Address Translation (NAT)
service.
You can use a NAT gateway so that instances in a private subnet can connect
to services outside your VPC.
Public NAT Gateway:
Has a public IP.
Used by private servers (no public IPs) to access the internet.
Private NAT Gateway (rare):
No public IP.
Used for private-to-private communication, like between VPCs — no internet
access.
HOW IT WORKS :
A NAT Gateway is deployed in a public subnet and acts as a bridge
between instances in the private subnet and the internet.
When an instance in a private subnet sends a request to the
internet, the request is forwarded to the NAT Gateway, which
replaces the instance’s private IP address with the NAT Gateway’s
public IP address and sends the request to the internet.
When the response is received, the NAT Gateway translates the
response back to the instance’s private IP address and sends it
back to the instance.
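As an added illustration of the translation step described above (not code from the notes or from AWS), the following Python models a NAT gateway's translation table: outbound packets get the gateway's public IP and a fresh port, replies are mapped back to the originating instance, and unsolicited inbound packets are dropped. The IP addresses are constructed from the RFC 5737 documentation ranges.

```python
import itertools
from typing import NamedTuple, Optional


class Packet(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatGateway:
    """Toy source-NAT table. Instances in the private subnet send through it;
    the gateway rewrites the source to its own public IP and a fresh port,
    remembers the mapping, and reverses it for the reply. Anything arriving
    from the internet that matches no mapping is dropped, which is why a NAT
    gateway gives outbound-only access."""

    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)
        self._out = {}   # (priv_ip, priv_port, dst_ip, dst_port) -> public port
        self._in = {}    # (public port, dst_ip, dst_port) -> (priv_ip, priv_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Instance -> internet: replace the private source with the public one."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self._out.get(key)
        if port is None:                       # new connection: allocate a port
            port = next(self._ports)
            self._out[key] = port
            self._in[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> instance: translate back, or None if nobody asked for it."""
        if pkt.dst_ip != self.public_ip:
            return None
        target = self._in.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if target is None:                     # unsolicited: dropped
            return None
        return Packet(pkt.src_ip, pkt.src_port, target[0], target[1])


if __name__ == "__main__":
    nat = NatGateway("198.51.100.7")           # constructed public IP of the gateway
    sent = nat.outbound(Packet("10.0.1.10", 40000, "203.0.113.10", 443))
    print("on the wire:", sent)
    print("reply delivered to:", nat.inbound(Packet("203.0.113.10", 443, "198.51.100.7", 1024)))
    print("unsolicited packet:", nat.inbound(Packet("203.0.113.10", 443, "198.51.100.7", 2222)))
```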
VPC with servers in private subnets and NAT
● Regions are separate geographic areas.
● Availability Zones are multiple, isolated locations within each Region.
By launching EC2 instances in multiple Availability Zones, you can
protect your applications from the failure of a single location in the
Region.
The VPC has public subnets and private subnets in two Availability Zones.
Each public subnet contains a NAT gateway and a load balancer node.
Choose an Application Load Balancer when you need a flexible feature set for your
applications with HTTP and HTTPS traffic.
The servers run in the private subnets, are launched and terminated by using an
Auto Scaling group, and receive traffic from the load balancer.
The servers can connect to the internet by using the NAT gateway, which replaces
each instance’s private IP address with its own public IP address (as described
under HOW IT WORKS above).
The servers can connect to Amazon S3 by using a gateway VPC endpoint.
Egress-Only Internet Gateway (EOIGW) : An egress-only internet gateway
allows IPv6 traffic to go out to the internet, but blocks all incoming traffic from the
internet.
When to Use EOIGW?
Use an egress-only internet gateway when:
● You have IPv6-enabled EC2 instances
● You want them to access the internet (like for updates)
● But you don’t want the internet to initiate a connection back
Carrier Gateway : A Carrier Gateway is used in AWS Wavelength Zones to let
EC2 instances send traffic to the internet using the telecom network (like 5G), but
block incoming internet traffic.
An AWS Wavelength Zone is a part of AWS placed inside telecom networks (like
5G towers), so your applications run closer to mobile users with very low latency.
Elastic IP : An Elastic IP is a static public IPv4 address in AWS that you can
assign to your EC2 instance, and it doesn’t change when you stop or restart the
instance.
VPC Peering Connection : A VPC Peering Connection allows two VPCs to
communicate with each other privately — as if they were on the same network, using
private IPs, without needing NAT or internet.
Route servers : To automatically manage routes between AWS and other networks.
>>Virtual private network (VPN) :
VPN connection: It is a secure connection between an on-premises network and
your VPC.
A VPN tunnel is a secure, encrypted path used to send data between your on-
premises network and your AWS VPC.
Tunnel 1 : Main encrypted connection
Tunnel 2 : Backup in case Tunnel 1 fails
Site-to-Site VPN setup :
1. Create a Virtual Private Gateway (VGW) : Attach VGW to your VPC
2. Create a Customer Gateway (CGW) : Add on-prem details like the public IP
3. Create a Site-to-Site VPN Connection.
4. Download VPN Configuration : Choose Openswan/Generic (for Linux-based VPN
on customer end)
5. Update VPC Route Table : Route Propagation → Enable propagation
from VGW
Customer Gateway : It is the entry point from your on-premises network into AWS
when creating a VPN connection.
Virtual Private Gateway : It is the AWS side of a VPN connection.
>> AWS Transit Gateway : a network transit hub that allows you to connect
multiple VPCs and on-premises networks.
Steps to Connect 3 VPCs using Transit Gateway
Create the Transit Gateway
1. Create Transit Gateway (TGW)
○ Go to VPC Console → Transit Gateways → Create
○ Give a name (e.g., My-TGW)
○ Leave default settings → Click Create
Attach VPCs to TGW
2. Create TGW Attachment for VPC-1
○ Go to Transit Gateway Attachments → Create Attachment
○ Select My-TGW, then choose VPC-1 and its private subnet
3. Repeat Step 2 for VPC-2 and VPC-3
○ Create separate attachments for each
Route Table Updates
4. Update Route Tables in Each VPC
○ Go to VPC Route Tables → Select private route table
○ Add routes:
■ VPC-2 CIDR → Target: Transit Gateway
■ VPC-3 CIDR → Target: Transit Gateway
■ 🔁 Do this in each VPC for the other two VPCs
5. Update Transit Gateway Route Table
○ Go to Transit Gateway Route Tables
○ Add entries:
■ VPC-1 CIDR → VPC-1 attachment
■ VPC-2 CIDR → VPC-2 attachment
■ VPC-3 CIDR → VPC-3 attachment
Test the Setup
6. Launch EC2 in each VPC
○ Make sure Security Groups allow ICMP (ping) or SSH
○ Ping EC2s across VPCs to confirm connectivity
Summary :
● Create 1 Transit Gateway
● Attach all 3 VPCs
● Update VPC route tables and TGW route table
● Test with EC2 instances
>> AWS Firewall :
AWS Firewall helps you protect your cloud resources like EC2, VPC, ALB, etc.,
by controlling the traffic that flows in and out.
● Best for deep traffic inspection
● Detect and block:
○ Malware
○ Suspicious patterns
○ Bad IPs/domains
● Used at the VPC level
VPC Endpoint :
A VPC Endpoint lets your resources (like EC2) in a private subnet securely connect
to AWS services (like S3, DynamoDB) without using the internet.
No need for:
● Internet Gateway
● NAT Gateway
● Public IP
Scenario Based on VPC :
1) VPC Endpoints: When and Why to Use Them
You use VPC Endpoints when you want your private EC2 instances (no internet
access) to securely access AWS services without using the internet or a NAT
Gateway.
>> If your EC2 instance is in a public subnet :
1. Attach a proper IAM role to the instance
2. Bucket should be private : no need to make it public
Q : An EC2 instance in a public subnet with a public IP has an IAM role with
AmazonS3FullAccess.
The S3 bucket is private with “Block All Public Access” enabled.
Will it be able to access the bucket?
Answer: ✅ Yes.
Q : You can access S3 from EC2 in a public subnet without attaching any IAM role.
Answer: ✅ True — only if:
● The bucket is public, and
● You use signed URLs or allow anonymous access via bucket policy
>> If your EC2 instance is in a private subnet and is using a NAT Gateway, you do
not need a VPC endpoint to access Amazon S3 - it will work without it.
>> Even with an endpoint, the instance still needs AWS credentials; at least one of these:
1. ✅ IAM Role attached to EC2 (best practice)
2. ✅ Manually configured AWS CLI credentials (via aws configure)
3. ✅ Environment variables set with AWS_ACCESS_KEY_ID and
AWS_SECRET_ACCESS_KEY
>> In Route Table :
1. Explicit subnet associations : You manually connect a subnet to a route table.
2. Subnets without explicit associations : Subnet automatically uses the main
route table.
3. Edge Association : An Edge Association connects a route table to a Virtual
Private Gateway (VGW) — not to a subnet. Controls traffic between VPC and
on-prem.
4. Route Propagation : It allows a Virtual Private Gateway (VGW) to
automatically add routes to your VPC route table — instead of you adding
them manually.
Example Scenario:
You created a VPN connection between:
● Your AWS VPC and
● Your on-premises network
Now:
● You attach the VGW to the VPC
● Then you create or choose a route table
● You associate the route table with the VGW (this is Edge Association)
That route table now controls traffic between VPC and on-prem.
Why Edge Association?
● A subnet uses a route table via subnet association
● A VGW uses a route table via edge association
They Often Work Together:
● 🔁 Route Propagation adds the on-prem routes
● 🔗 Edge Association defines which route table those routes go into
Dynamic vs Static routing in AWS VPN connections:
Dynamic Routing (BGP) – Use When:
1. You have many on-premises networks (multiple CIDR blocks).
2. You want routes to update automatically when on-prem changes.
3. Your on-premises router supports BGP.
4. You need high availability (e.g., dual VPN tunnels with auto failover).
5. You want to avoid manual route configuration.
6. You're building a scalable or production-grade setup.
Static Routing – Use When:
1. You have only 1–2 fixed on-prem CIDRs to connect
2. Your on-premises device does not support BGP.
3. You prefer manual control over routes.
4. It's a lab, demo, or test setup — quick and simple.
5. You don’t expect frequent changes in routing.
What is BGP?
BGP stands for Border Gateway Protocol.
It is the routing protocol used to exchange routes between different networks,
especially over the internet or between AWS and your on-premises network.
Amazon EBS
Amazon Elastic Block Store provides scalable, high-performance block storage
resources that can be used with Amazon Elastic Compute Cloud (Amazon EC2)
instances.
● Amazon EBS volumes — These are storage volumes that you attach to
Amazon EC2 instances.
It allows your instances to persist data, even after their termination.
We can detach a volume from one instance and attach it to another instance easily.
● Amazon EBS snapshots — These are backups of Amazon EBS volumes that
persist independently from the volume itself. You can create snapshots to
back up the data on your Amazon EBS volumes. You can then restore new
volumes from those snapshots at any time.
>> EC2 Image Builder : used to automate the creation of virtual machine or
container images.
Automates the creation, maintenance, validation and testing of EC2 AMIs.
>> EFS - Elastic File System : Managed NFS (network file system) that can be
mounted on hundreds of EC2 instances; EFS works with Linux EC2 instances across
multiple AZs.
EBS is not multi-AZ: a volume lives in one AZ (moving it to another AZ is possible
through snapshots). We can achieve multi-AZ access with EFS.
NoSQL data example: JSON : JSON = JavaScript Object Notation
{
  "name": "John",
  "age": 30,
  "cars": [
    "Ford",
    "BMW",
    "Fiat"
  ],
  "address": {
    "type": "house",
    "number": 23,
    "street": "Dream Road"
  }
}
Advantage of using RDS versus deploying a DB on EC2
RDS is a managed service:
○ Automated provisioning, OS patching
○ Continuous backups and restore to specific timestamp (Point in Time
Restore)!
○ Monitoring dashboards
○ Read replicas for improved read performance
○ Multi AZ setup for DR (Disaster Recovery)
○ Maintenance windows for upgrades
○ Scaling capability (vertical and horizontal)
○ Storage backed by EBS
BUT you can't SSH into your instances
Amazon ElastiCache Overview :
The same way RDS is to get managed Relational Databases...
ElastiCache is to get managed Redis or Memcached
Caches are in-memory databases with high performance, low latency
Helps reduce load off databases for read intensive workloads
AWS takes care of OS maintenance / patching, optimizations, setup, configuration,
monitoring, failure recovery and backups
DynamoDB :
○ Fully Managed Highly available with replication across 3 AZ
○ NoSQL database - not a relational database
○ Scales to massive workloads, distributed "serverless" database
○ Millions of requests per second, trillions of rows, 100s of TB of storage
○ Fast and consistent in performance
○ Single-digit millisecond latency - low latency retrieval
○ Integrated with IAM for security, authorization and administration
○ Low cost and auto scaling capabilities
○ Standard & Infrequent Access (IA) Table Class
DynamoDB Accelerator - DAX
○ Fully Managed in-memory cache for DynamoDB
○ 10x performance improvement - from single-digit millisecond latency to
microsecond latency - when accessing your DynamoDB tables
○ Secure, highly scalable & highly available
○ Difference with ElastiCache at the CCP level: DAX is only used for and is
integrated with DynamoDB, while ElastiCache can be used for other
databases.
Redshift Overview
○ Redshift is based on PostgreSQL, but it's not used for OLTP
○ It's OLAP - online analytical processing (analytics and data warehousing)
○ Load data once every hour, not every second
○ 10x better performance than other data warehouses, scale to PBs of data
○ Columnar storage of data (instead of row based)
○ Massively Parallel Query Execution (MPP), highly available
○ Pay as you go based on the instances provisioned
○ Has a SQL interface for performing the queries
○ BI tools such as AWS QuickSight or Tableau integrate
Amazon EMR
○ EMR stands for "Elastic MapReduce"
○ EMR helps create Hadoop clusters (Big Data) to analyze and process vast
amounts of data
○ The clusters can be made of hundreds of EC2 instances
○ Also supports Apache Spark, HBase, Presto, Flink...
○ EMR takes care of all the provisioning and configuration
○ Auto-scaling and integrated with Spot instances
○ Use cases: data processing, machine learning, web indexing, big data...
ALB and auto-scaling group :
In this task I have worked on an application load balancer.
First we will get to know about ELB :
Elastic Load Balancing automatically distributes your incoming traffic across multiple
targets, such as EC2 instances, containers, and IP addresses, in one or more
Availability Zones.
Using a load balancer increases the availability. It monitors the health of its
registered targets, and routes traffic only to the healthy targets.
How ELB Works
1. Client Request: A client sends a request to your application using the DNS name of
the load balancer.
2. DNS Resolution: Amazon's DNS service resolves the load balancer's domain name
to one or more IP addresses, directing the client's request to a load balancer node.
3. Listener Processing: The load balancer uses listeners—configured with specific
protocols and ports—to check for incoming connection requests from clients.
4. Routing Decision: Upon receiving a request, the load balancer evaluates listener
rules to determine how to route the request:
○ Application Load Balancer (ALB): Operates at the application layer (Layer
7) and routes traffic based on content, such as URL path or host headers.
○ Network Load Balancer (NLB): Operates at the transport layer (Layer 4) and
routes traffic based on network-level information, handling millions of requests
per second with ultra-low latency.
5. Health Checks: ELB continuously monitors the health of registered targets using
configurable health checks, ensuring traffic is only routed to healthy instances.
6. Traffic Distribution: The load balancer distributes incoming traffic across healthy
targets.
When integrated with Auto Scaling Groups, ELB automatically registers new
instances as they are launched and deregisters instances as they are terminated,
ensuring seamless traffic distribution without manual intervention.
Elastic Load Balancing supports multiple load balancer types :
Application Load Balancers
Network Load Balancers
Gateway Load Balancers
Classic Load Balancers
An Application Load Balancer (ALB) in AWS operates at the application layer
(Layer 7) of the OSI model, intelligently distributing HTTP and HTTPS traffic across
multiple targets.
An AWS Network Load Balancer (NLB) operates at the Transport Layer (Layer 4)
of the OSI model. It is designed to handle millions of requests per second while
maintaining ultra-low latencies, making it ideal for applications that require high
performance and scalability.
It supports TCP, UDP, TCP_UDP, and TLS protocols, allowing for flexible traffic
routing.
Quick Decision Guide
● Choose ALB: For web applications, when we need to route HTTP/HTTPS
traffic based on content, such as URL paths or hostnames.
● Choose NLB: For high-performance applications needing low latency, static
IPs, or handling non-HTTP protocols.
Combined Usage
In some architectures, both ALB and NLB can be used together to leverage the
strengths of each. For example, an NLB can handle high-performance, low-latency
traffic, while an ALB manages HTTP/HTTPS traffic with advanced routing.
AWS Gateway Load Balancer (GWLB) : GWLB is designed to manage and
distribute network traffic to third-party virtual appliances, such as firewalls or intrusion
detection systems.
AWS Classic Load Balancer (CLB) : CLB is an older load balancing service that
distributes incoming traffic across multiple Amazon EC2 instances.
Supports HTTP/HTTPS and TCP traffic.
Operates at both Layer 4 (transport) and Layer 7 (application) of the OSI model.
Provides basic load balancing features like SSL termination and sticky sessions.
Suitable for legacy applications.
>> A legacy application in AWS refers to an older software system originally
designed for on-premises environments, often built with outdated technologies, that
is still in use and may be migrated to the cloud for modernization.
>> If the health checks of all the instances in the target group fail, the load
balancer returns 503 Service Unavailable.
Q: What are the components of Auto Scaling?
1. Launch Template / Configuration – defines how instances are created
2. Auto Scaling Group (ASG) – manages a group of EC2 instances
3. Scaling Policies – rules to scale in/out (like based on CPU)
Q: What is an Auto Scaling Group (ASG)?
ASG is a group of EC2 instances managed together. It automatically maintains the
desired number of healthy instances.
Q: What are the types of scaling?
1. Dynamic Scaling – automatic scale in/out based on metrics
2. Predictive Scaling – uses ML to forecast traffic and scale
3. Manual Scaling – you manually set capacity
4. Scheduled Scaling – scales based on a specific time
Q: How does dynamic scaling work?
Using CloudWatch alarms based on metrics like CPU or network, ASG adds or
removes instances automatically.
Q: How do you scale based on CPU usage?
1. Create a CloudWatch alarm (e.g., CPU > 60%)
2. Attach it to a scaling policy in ASG
3. Auto Scaling will launch more instances when triggered.
Q: One of your EC2 instances in the ASG fails. What happens?
ASG automatically detects the unhealthy instance via EC2 status checks,
terminates it, and launches a new one to maintain the desired capacity.
Amazon S3 :
Amazon Simple Storage Service (Amazon S3) is an object storage service that
offers scalability, data availability, security, and performance.
Storage classes :
● You can store mission-critical production data in S3 Standard.
● Save costs by storing infrequently accessed data in S3 Standard-IA or
S3 One Zone-IA.
● Archive data at the lowest costs in S3 Glacier Instant Retrieval, S3 Glacier
Flexible Retrieval, and S3 Glacier Deep Archive.
● S3 Intelligent-Tiering.
>> A bucket is a container for objects.
>> Each object has a key (or key name), which is the unique identifier for the object
within the bucket. Use the key to access or download the object.
>> S3 looks like a global service but buckets are created in the region.
>> Max. object size is 5 TB.
Amazon S3 offers three types of buckets, each designed for specific use cases:
● General Purpose Buckets: suitable for most applications, supporting various
storage classes and offering high durability across multiple Availability Zones.
● Directory Buckets: A new S3 bucket type that acts like a folder system,
designed for very fast access. Good for real-time apps like AI/ML and video
processing.
● Table Buckets: An S3 bucket designed to store and query data like a table
(rows and columns). Mainly used for data analytics.
Low latency refers to the minimal delay between a user's action and the system's
response
Bucket policy : A bucket policy is a resource-based policy that you can use to
grant access permissions to your bucket and the objects in it. Only the bucket
owner can associate a policy with a bucket.
Explanation of the Components:
● Version: Specifies the policy language version. "2012-10-17" is the current version.
● Statement: Contains the permissions to apply.
○ Sid: An optional identifier for the statement.
○ Effect: Determines whether the action is allowed or denied. In this case, it's
"Allow".
○ Principal: Specifies the user, account, service, or other entity that is allowed
or denied access to a resource. "*" means everyone (public access).
○ Action: Specifies the actions that are allowed or denied. "s3:GetObject"
allows users to retrieve objects from the bucket.
○ Resource: Specifies the bucket and objects the policy applies to. Replace
"your-bucket-name" with your actual bucket name.
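The components above describe a policy whose text is not reproduced in these notes, so the following added Python example (not the notes' own code) builds that GetObject bucket policy from the listed components and checks whether any statement grants access to everyone, which is the check to run before a bucket ever goes public. The bucket name and the role ARN are placeholders.

```python
import json

# Placeholder values (constructed, not from the notes)
BUCKET = "your-bucket-name"
READER_ROLE_ARN = "arn:aws:iam::111122223333:role/AppReaderRole"   # hypothetical role


def bucket_policy(bucket: str, principal) -> dict:
    """Build the GetObject bucket policy. `principal` is "*" for anonymous
    (public) access, or {"AWS": "<arn>"} to limit it to one identity."""
    return {
        "Version": "2012-10-17",                 # current policy language version
        "Statement": [
            {
                "Sid": "AllowGetObject",         # optional statement identifier
                "Effect": "Allow",
                "Principal": principal,
                "Action": "s3:GetObject",        # read objects only
                "Resource": f"arn:aws:s3:::{bucket}/*",   # every object in the bucket
            }
        ],
    }


def _principal_is_anyone(principal) -> bool:
    """'*' and {"AWS": "*"} both mean every principal on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_statement_sids(policy: dict) -> list:
    """Sids of Allow statements that grant access to everyone; empty means
    the policy grants nothing to anonymous callers."""
    return [
        stmt.get("Sid", "<no Sid>")
        for stmt in policy["Statement"]
        if stmt["Effect"] == "Allow" and _principal_is_anyone(stmt["Principal"])
    ]


PUBLIC_POLICY = bucket_policy(BUCKET, "*")
PRIVATE_POLICY = bucket_policy(BUCKET, {"AWS": READER_ROLE_ARN})

if __name__ == "__main__":
    for name, policy in [("public", PUBLIC_POLICY), ("private", PRIVATE_POLICY)]:
        print(f"--- {name} ---")
        print(json.dumps(policy, indent=2))
        print("statements open to everyone:", public_statement_sids(policy) or "none")
```

The private variant is the one to start from: with Block Public Access enabled, a policy whose Principal is `"*"` is rejected anyway, and the role-scoped version grants exactly the identity that needs the objects.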
S3 Versioning :
S3 Versioning lets you keep multiple versions of an object in a bucket.
Recover accidentally deleted files.
Restore previous versions of a file.
>> What Happens When You DELETE an Object in a Versioned S3 Bucket?
A : When you run a DELETE operation on an object:
● The object is not permanently deleted.
● Instead, S3 adds a Delete Marker, which becomes the current version.
● When you remove the delete marker, the most recent real version becomes
active again.
Lifecycle Rules: Automate transitions between storage classes or schedule
deletions to optimize costs.
Important Considerations
● Versioning Status: Once enabled, versioning cannot be disabled, only
suspended.
● Permanent Deletion: To permanently delete a specific version, you must
explicitly delete that version using its version ID.
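To see the delete-marker behaviour described above end to end, here is an added Python model of a versioned bucket (not S3's code and not from the notes): put creates versions, a plain delete only adds a marker, removing the marker brings the previous version back, and only a delete with a version ID removes anything permanently.

```python
import itertools
from typing import Dict, List, Optional


class Version:
    def __init__(self, version_id: str, body: Optional[bytes], delete_marker: bool = False):
        self.version_id = version_id
        self.body = body                  # None for a delete marker
        self.delete_marker = delete_marker


class VersionedBucket:
    """Versions per key, newest last. Mirrors the behaviour the notes describe."""

    def __init__(self):
        self._ids = itertools.count(1)    # constructed version IDs v1, v2, ...
        self._versions: Dict[str, List[Version]] = {}

    def put(self, key: str, body: bytes) -> str:
        v = Version(f"v{next(self._ids)}", body)
        self._versions.setdefault(key, []).append(v)
        return v.version_id

    def get(self, key: str) -> Optional[bytes]:
        """Plain GET: the current version, or None if the key is absent or its
        newest version is a delete marker (S3 answers 404 in that case)."""
        versions = self._versions.get(key)
        if not versions or versions[-1].delete_marker:
            return None
        return versions[-1].body

    def delete(self, key: str) -> str:
        """Plain DELETE: nothing is removed, a delete marker becomes current."""
        marker = Version(f"v{next(self._ids)}", None, delete_marker=True)
        self._versions.setdefault(key, []).append(marker)
        return marker.version_id

    def delete_version(self, key: str, version_id: str) -> bool:
        """DELETE with a version ID: permanently removes that version, or the
        delete marker itself, which makes the previous real version current."""
        versions = self._versions.get(key, [])
        kept = [v for v in versions if v.version_id != version_id]
        removed = len(kept) != len(versions)
        self._versions[key] = kept
        return removed

    def list_versions(self, key: str) -> list:
        return [(v.version_id, "delete-marker" if v.delete_marker else "object")
                for v in self._versions.get(key, [])]


if __name__ == "__main__":
    bucket = VersionedBucket()
    bucket.put("report.txt", b"draft")
    bucket.put("report.txt", b"final")
    marker = bucket.delete("report.txt")
    print("after DELETE:", bucket.get("report.txt"), bucket.list_versions("report.txt"))
    bucket.delete_version("report.txt", marker)
    print("after removing the marker:", bucket.get("report.txt"))
```

The recovery story in the notes is exactly the last two lines: an accidental delete is undone by deleting the marker by its version ID, and nothing is lost until someone deletes a real version by ID.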
Amazon S3 Batch Operations :
Amazon S3 Batch Operations is a feature that lets you automate actions (like
copy, delete, tag, restore, or run a Lambda function) on millions or billions of S3
objects using a single job, without writing custom code or scripts.
S3 Object Lambda Access Point :
It is a special access point that lets you change (transform) S3 object data while
it's being read, without changing the actual file in the bucket.
S3 Replication ( SRR & CRR ) : Versioning must be enabled on both the source and
destination buckets.
>> IMP
>> While hosting a static website on S3, public access must be enabled.
>> How do you restrict access to an S3 bucket?
You can restrict access using:
● Bucket Policies
● IAM Policies
● ACLs (Access Control Lists) (legacy, not recommended) & Block Public
Access settings
How do you make a bucket private?
● Enable Block Public Access (all four options).
● Remove any public ACLs or public bucket policies.
● Use IAM roles/policies for fine-grained access.
A developer needs to upload files to a bucket, but must not delete
anything. What will you do?
Create an IAM policy:
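As an added example (not from the notes) of the upload-only policy, here is the policy as a Python dict with an explicit Deny on the delete actions, plus a simplified evaluator that shows why the explicit Deny matters: it still wins even if a broader Allow is attached to the developer later. The bucket ARN is a placeholder, and the evaluator ignores conditions and resource-policy interactions.

```python
import fnmatch

BUCKET_ARN = "arn:aws:s3:::your-bucket-name"   # placeholder bucket

# Identity policy for the developer: upload and list are allowed; every delete
# action is explicitly denied so no other attached policy can re-enable it.
UPLOAD_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowUpload", "Effect": "Allow",
         "Action": "s3:PutObject", "Resource": f"{BUCKET_ARN}/*"},
        {"Sid": "AllowList", "Effect": "Allow",
         "Action": "s3:ListBucket", "Resource": BUCKET_ARN},
        {"Sid": "DenyDelete", "Effect": "Deny",
         "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion", "s3:DeleteBucket"],
         "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"]},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _any_match(patterns, value: str) -> bool:
    # IAM action names are case-insensitive and may contain '*' wildcards
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Simplified IAM decision: an explicit Deny always wins, otherwise any
    matching Allow grants, otherwise the request is implicitly denied."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if _any_match(stmt["Action"], action) and _any_match(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision


if __name__ == "__main__":
    obj = f"{BUCKET_ARN}/reports/q1.csv"      # constructed object ARN
    for action, resource in [("s3:PutObject", obj), ("s3:ListBucket", BUCKET_ARN),
                             ("s3:GetObject", obj), ("s3:DeleteObject", obj)]:
        print(f"{action:<22} -> {evaluate(UPLOAD_ONLY_POLICY, action, resource)}")
```

Leaving GetObject out is deliberate: "upload but never delete" says nothing about reading, so the policy stays at implicit deny for reads until someone decides the developer needs them.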
Your EC2 in a private subnet needs to access a private S3 bucket. No
internet. What do you do?
● Create a VPC Endpoint for S3 (Gateway type)
● Attach a policy to allow access to your bucket
● Use IAM role on EC2 for S3 access
How do you copy log files from EC2 to S3 every day automatically?
1. Create the Bash script.
2. Make the script executable : chmod +x /home/ubuntu/upload_logs.sh
3. Ensure the IAM role has access to the bucket.
4. Set up the cron job.
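The steps above mention the script but not its contents, so here is an added Python version of a daily log uploader (not the notes' own Bash script). It assumes the instance role grants s3:PutObject on the bucket and that boto3 is installed; the log directory and bucket name are placeholders. Files the application is still writing to are skipped by uploading only files last modified before midnight, and every upload requests server-side encryption.

```python
#!/usr/bin/env python3
"""Daily log upload to S3 (added example; bucket and log directory are
placeholders). Cron entry, one run per day shortly after midnight:
    5 0 * * * /usr/bin/python3 /home/ubuntu/upload_logs.py >> /var/log/upload_logs.log 2>&1
Credentials come from the instance's IAM role, so no keys are stored on disk."""
import datetime
import os
import pathlib
import socket

LOG_DIR = pathlib.Path(os.environ.get("LOG_DIR", "/var/log/myapp"))   # placeholder
BUCKET = os.environ.get("LOG_BUCKET", "your-log-bucket")              # placeholder


def s3_key(host: str, day: datetime.date, filename: str) -> str:
    """logs/<host>/<YYYY-MM-DD>/<file>: one prefix per server and day, so
    uploads from different instances never overwrite each other."""
    return f"logs/{host}/{day.isoformat()}/{filename}"


def select_logs(log_dir, cutoff: datetime.datetime) -> list:
    """Return *.log* files last modified before `cutoff` (normally midnight),
    so the file still being written to is never uploaded half-finished."""
    chosen = []
    for path in sorted(pathlib.Path(log_dir).glob("*.log*")):
        if not path.is_file():
            continue
        mtime = datetime.datetime.fromtimestamp(path.stat().st_mtime, tz=datetime.timezone.utc)
        if mtime < cutoff:
            chosen.append(path)
    return chosen


def upload(paths, bucket: str, host: str, day: datetime.date) -> list:
    """Upload each file with server-side encryption; returns the keys written."""
    import boto3  # imported here so the pure helpers above work without it
    s3 = boto3.client("s3")
    keys = []
    for path in paths:
        key = s3_key(host, day, path.name)
        s3.upload_file(str(path), bucket, key,
                       ExtraArgs={"ServerSideEncryption": "AES256"})
        keys.append(key)
    return keys


if __name__ == "__main__":
    now = datetime.datetime.now(datetime.timezone.utc)
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    files = select_logs(LOG_DIR, midnight)
    for key in upload(files, BUCKET, socket.gethostname(), now.date()):
        print("uploaded", key)
```

The matching IAM statement for the role is an Allow on s3:PutObject for the bucket's objects only; the script never needs ListBucket or any delete permission, so the role should not have them.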
>> AWS Snowball :
AWS Snowball is a physical data transport solution designed for secure, high-volume
transfers to AWS without relying on internet bandwidth.
It has the capacity to move terabytes—or petabytes—of data securely and fast.
OpsHub : a desktop application to manage Snow Family devices.
AWS route53:
DNS :
DNS maps a hostname to an IP address. It's an application layer protocol.
These are the main types of DNS servers commonly used in networking and the
internet.
>>Root DNS Server
The first-level DNS server in the internet’s DNS hierarchy. It helps direct the query
to the correct top-level domain (like .com, .org, etc.) servers.
>>Recursive DNS Resolver
A DNS server that takes your query (like google.com) and finds the answer by
contacting other DNS servers, then returns the IP address to your computer.
>>Authoritative DNS Server
A DNS server that holds the official records (like IP addresses) for a domain
name. It gives the final answer to DNS queries.
>>Name Server
A general term for any server that translates domain names into IP addresses.
This includes recursive and authoritative DNS servers.
OPEN : Route 53
What is AWS Lambda?
AWS Lambda is a popular serverless computing service from Amazon Web Services
(AWS). It enables developers to run their code without managing or provisioning
servers directly.
AWS Lambda uses a serverless model known as "Function as a Service" (FaaS).
This approach means that AWS handles server provisioning, infrastructure
management, and resource scaling transparently behind the scenes. Developers
only supply the code, which gets executed automatically whenever needed.
AWS Lambda automatically scales your functions based on the number of triggering
events. As more requests come in, the service will handle scaling seamlessly.
How Does AWS Lambda Work?
Developers first upload code packaged into functions and select the runtime
environment (Python, JavaScript, Java, C#, Go, Ruby, and others).
The code remains idle until a predefined event invokes its execution, such as a web
request, data upload, or scheduled event.
When triggered, Lambda allocates resources instantly, executes the function, and
then terminates the resource after completion, billing you only for the exact
computing resources and execution duration consumed.
What is AWS Lambda Used For?
● Building scalable APIs and backend environments with Amazon API Gateway.
● Processing and transforming data uploaded to storage services, such as
Amazon S3 and DynamoDB.
● Automating workflows, scheduling tasks, sending notifications, and routine
database maintenance.
Benefits and Limitations of AWS Lambda
● Reduced infrastructure overhead
● Auto-scaling
● Cost-efficiency
● Faster development cycles
● Easy integration
Limitations :
Limited execution duration: Lambda functions have a maximum execution limit
of 15 minutes, posing challenges when performing complex or long-running tasks.
How does AWS Lambda charge users?
AWS Lambda charges based on the number of function invocations and the
compute time your code consumes.
What are the different ways to invoke a Lambda Function?
We can invoke Lambda functions in several ways:
1. Synchronous invocation: The client waits for the function to complete and
return a response.
2. Asynchronous invocation: The client doesn't wait for a response—Lambda
executes the function in the background.
3. Event source mapping: Lambda automatically polls services like DynamoDB
or Kinesis and invokes functions based on events.
Amazon CloudWatch
CloudWatch is a monitoring and observability service by AWS. It lets you:
● Collect metrics (CPU, disk, memory, etc.)
● Monitor logs from EC2, Lambda, RDS, and other AWS services
● Create Alarms and notifications
● Set up Dashboards for visualization
Monitor EC2 Metrics (CPU, Disk, Network) >> Default EC2 metrics are sent to
CloudWatch every 5 minutes.
TASK >> Install and Configure CloudWatch Agent on EC2
1. If we're going to use the agent on Amazon EC2 instances, you must create an
IAM role. If you're going to use the agent on on-premises servers, you must
create an IAM user.
Add the CloudWatchAgentServerPolicy managed policy to the role.
Attach the role to the EC2 instance.
2. Install the agent :
sudo apt update
From the AWS doc, download the package :
wget https://amazoncloudwatch-agent.s3.amazonaws.com/ubuntu/arm64/latest/amazon-cloudwatch-agent.deb
Install the package :
sudo dpkg -i -E ./amazon-cloudwatch-agent.deb
3. Create the CloudWatch Agent Configuration File :
The agent configuration file wizard, amazon-cloudwatch-agent-config-wizard,
asks a series of questions.
Run: /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-config-wizard
We can skip these two options for the memory metric.
We can check the JSON file under /opt/aws/amazon-cloudwatch-agent/bin/config.json
Now check the status of the CW agent :
/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -m ec2 -a status
Status is stopped now, so start it with the config file and check the status after that :
/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -s -c file:/opt/aws/amazon-cloudwatch-agent/bin/config.json
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
TASK : Create a private S3 bucket and allow only EC2s in a VPC to
access it.
Step 1: Create a Private S3 Bucket.
Step 2 : Attach an IAM Role to EC2.
Step 3 : Create a VPC Endpoint for S3.
>> index.html path: /var/www/html/index.html