NotesPdf PDF

The document provides an overview of various AWS load balancers (ALB, NLB, GWLB) and their functionalities, including their operating layers, target groups, and health checks. It also covers Auto Scaling Groups (ASG), scaling policies, and lifecycle hooks, along with details on AWS databases like DynamoDB and RDS, including their features, backup options, and replication strategies. Additionally, it discusses Aurora's capabilities, including serverless options and failover scenarios.

Scaling

ELB
ALB
- Works at application layer (layer 7)
- ALB target groups can be:
  - EC2 instances
  - ECS tasks
  - Lambda functions
  - Private IP addresses
- ALBs have listeners with specific protocols and each listener can route the traffic to different target groups using listener rules
- health check is done at the target group level using HTTP and HTTPS protocols
- cross zone load balancing is enabled by default
- Cannot attach elastic IP to ALB
- ALB must be in a public subnet to work
- Also supports gRPC protocol
- supports Weighted Target Groups routing

NLB
- Works at transport layer (layer 4)
- extreme performance (can handle millions of requests per second)
- TCP and UDP protocols
- has one static IP per AZ which can also be an elastic IP
- NLB target groups can be:
  - EC2 instances
  - Private IP addresses
  - ALBs
- health check can be done via TCP, HTTP, HTTPS protocols
- cross zone load balancing is disabled by default

GWLB
- Works at network layer (layer 3)
- Routes traffic to 3rd party virtual appliances to do processes like security analysis first before routing to the servers
- Uses GENEVE protocol on port 6081
- GWLB target groups can be:
  - EC2 instances
  - Private IP addresses
- Cross zone load balancing is disabled by default

Cross-zone Load Balancing
Distribute the traffic evenly across target groups in different regions

ELBs have security groups too

ELBs are region bound

Sticky Sessions
- to make sure the same client will always be routed to the same instance
- support for CLB, ALB and NLB
- ALB uses cookies which have an expiration date that can be controlled

Cookies
- Application based cookies
  - custom cookies: defined by the application and the name cannot be AWSALB, AWSALBAPP or AWSALBTG
  - application cookies: defined by the load balancer and the name is AWSALBAPP
- Load balancer generated cookies / Duration based cookies:
  - generated by the load balancer
  - name is AWSALB

SSL/TLS
Server Name Indication (SNI) is the extension of the TLS protocol that enables the client to specify the domain name it wants to reach through a single server endpoint

Connection Draining / Deregistration Delay
- time to allow instances to finish on-the-fly requests before deregistering
- new requests are not sent to the draining instance but instead routed to other healthy instances
- can set between 0-3600 seconds (default is 300)
- can be disabled by setting it to 0

ASG
- ASG uses launch templates to manage EC2 instances
- it scales using scaling policies
- ASG can use CloudWatch alarms as triggers to scale the instances
- EC2 instances can be put into standby state to temporarily remove them from the ASG

Scaling Policies
- Dynamic scaling
  - Target tracking policy
  - Simple/step scaling
- Scheduled scaling
- Predictive scaling

Launch template
Only a launch template can be used to provision capacity across multiple instance types using both On-Demand Instances and Spot Instances to achieve the desired scale, performance, and cost

Termination Policy in order
- Based on instance allocation strategy
- Oldest Launch Configuration
- Oldest Launch Template
- Next Billing Hour

Instance states
- Pending
- InService
- Terminating
- Terminated
- Standby

Lifecycle Hooks
- autoscaling:EC2_INSTANCE_LAUNCHING
- autoscaling:EC2_INSTANCE_TERMINATING

autoscaling:EC2_INSTANCE_LAUNCHING
- When Amazon EC2 Auto Scaling responds to a scale-out event, it launches one or more instances
- These instances start in the Pending state
- If you added an autoscaling:EC2_INSTANCE_LAUNCHING lifecycle hook to your Auto Scaling group, the instances move from the Pending state to the Pending:Wait state
- After you complete the lifecycle action, the instances enter the Pending:Proceed state
- When the instances are fully configured, they are attached to the Auto Scaling group and they enter the InService state

autoscaling:EC2_INSTANCE_TERMINATING
- When Amazon EC2 Auto Scaling responds to a scale-in event, it terminates one or more instances
- These instances are detached from the Auto Scaling group and enter the Terminating state
- If you added an autoscaling:EC2_INSTANCE_TERMINATING lifecycle hook to your Auto Scaling group, the instances move from the Terminating state to the Terminating:Wait state
- After you complete the lifecycle action, the instances enter the Terminating:Proceed state
- When the instances are fully terminated, they enter the Terminated state

Cooldown period
- ensures that the Auto Scaling group does not launch or terminate additional EC2 instances before the previous scaling activity takes effect
- default is 300 secs (5 mins)

Databases

DynamoDB
- Serverless
- Fully managed, highly available NoSQL database with replication across multiple AZs
- Millions of requests per second, trillions of rows, 100s of TB of storage

Data Types
- Scalar Types: String, Number, Binary, Boolean, Null
- Document Types: List, Map
- Set Types: String Set, Number Set, Binary Set

Capacity Modes
- Provisioned Mode
- On-demand Mode

Provisioned Mode
- Pay for provisioned Read Capacity Units (RCU) & Write Capacity Units (WCU)
- Can add autoscaling for RCU and WCU too (within set lower and upper bounds)
- For predictable workloads

On-demand Mode
- Automatic read/write scale up/down
- Great for unpredictable workloads, steep sudden spikes

DynamoDB Accelerator (DAX)
- Fully-managed, highly available, seamless in-memory cache for DynamoDB
- Helps solve read congestion by caching
- Microseconds latency for cached data
- Default of 5 minutes TTL for cache

DynamoDB Streams
- Captures a time-ordered sequence of changes (insert, update, and delete) made to items in a DynamoDB table

DynamoDB Global Tables
- Make a DynamoDB table accessible with low latency in multiple regions
- Active-Active replication
- Applications can READ and WRITE to the table in any region
- Must enable DynamoDB Streams as a pre-requisite

DynamoDB TTL
DynamoDB feature to delete items after the expiry timestamp

Backup
- Continuous backups using point-in-time recovery (PITR)
- On-demand backups

Integration with S3
- Can import/export tables to/from S3
- must enable PITR

Partition Key Cardinality
- It is recommended to use partition keys with high-cardinality attributes, which have a large number of distinct values for each item

High-cardinality attributes
- Attributes with many unique values (e.g., user IDs, UUIDs, order IDs)
- Each unique partition key is hashed to determine its storage partition
- High-cardinality attributes produce many distinct hash values, spreading data across more partitions

Low-cardinality attributes
- Attributes with few unique values (e.g., boolean flags, small sets like "status" with values like "active," "inactive")
- If a partition key has low cardinality (few unique values), data may concentrate on a small number of partitions, creating 'hot partitions'

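The hot-partition effect described above, as an added simulation that is not part of the original notes: a high-cardinality key (user id) and a low-cardinality key (status) are hashed onto a fixed number of partitions and the spread is compared. The MD5 hash and the 16-partition count are assumptions standing in for DynamoDB's internal hash function and partition layout.

```python
"""Simulate how partition-key cardinality spreads items across DynamoDB
partitions. DynamoDB's real hash function and partition layout are internal,
so MD5 over the key value and a fixed partition count stand in for them here
(an assumption, not DynamoDB's implementation)."""
import hashlib
import uuid
from collections import Counter

PARTITIONS = 16  # assumed partition count for the simulation


def partition_for(key: str, partitions: int = PARTITIONS) -> int:
    """Map a partition-key value to a storage partition by hashing it."""
    digest = hashlib.md5(key.encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big") % partitions


def partition_load(keys, partitions: int = PARTITIONS) -> Counter:
    """Count how many items land on each partition."""
    return Counter(partition_for(k, partitions) for k in keys)


def skew(load: Counter, partitions: int = PARTITIONS) -> float:
    """Ratio of the hottest partition's load to a perfectly even spread.
    1.0 means perfectly balanced; a large value means a hot partition."""
    total = sum(load.values())
    ideal = total / partitions
    return max(load.values()) / ideal


def compare_keys(items: int = 10_000) -> dict:
    """Spread the same number of items by a high- and a low-cardinality key."""
    # High cardinality: one unique user id (a UUID) per item.
    user_ids = [str(uuid.UUID(int=i)) for i in range(items)]
    # Low cardinality: the "status" attribute only ever takes two values.
    statuses = ["active" if i % 2 else "inactive" for i in range(items)]
    high = partition_load(user_ids)
    low = partition_load(statuses)
    return {
        "high_cardinality": {"partitions_used": len(high), "skew": round(skew(high), 2)},
        "low_cardinality": {"partitions_used": len(low), "skew": round(skew(low), 2)},
    }


if __name__ == "__main__":
    for name, stats in compare_keys().items():
        print(f"{name}: {stats}")
```

With two status values at most two of the sixteen partitions ever receive data, so each carries at least eight times its fair share of reads and writes.
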
RDS
- RDS storage scales automatically within the set maximum storage threshold
- Automatically scales the storage if:
  - free storage is less than 10% of allocated storage
  - low storage lasts at least 5 mins
  - 6 hrs have passed since the last modification

Read Replicas
- up to 15 replicas
- support within AZ, cross AZ or cross region
- replication is ASYNC and can have some replication delay
- each replica can be promoted to its own DB
- each replica has a different endpoint so the application has to manage the endpoint calling
- for RDS, read replicas don't charge data transfer fees if within the same region
- Read replicas can also be used for disaster recovery although replication is ASYNC

Multi-AZ
- RDS DB can be replicated multi-AZ for disaster recovery
- same DNS endpoint for all multi-AZ replicas
- automatic failover to standby
- can't be used for read scaling because multi-AZ replicas are for standby
- replication is SYNC

RDS Custom
- Managed Oracle and Microsoft SQL Server Database with OS and database customization
- RDS: entire database and the OS are managed by AWS
- RDS Custom: full admin access to the underlying OS and the database
- Can SSH into the underlying EC2 instance

Backup
- Auto backup
  - daily full backup
  - transaction logs are backed up every 5 mins
  - restore to any point in time from the oldest backup to the last 5 mins
  - can set 1 to 35 days of retention, 0 to disable backup
- Manual backup
  - take DB snapshot
  - retention as long as the user wants
- Can create backups and snapshots in multi-AZ

Stopped RDS DB also incurs cost

Encrypting un-encrypted RDS database
- Take a snapshot of the database
- Copy it as an encrypted snapshot
- Restore a database from the encrypted snapshot
- Terminate the previous database

Enhanced Monitoring
- Monitor the operating system of your DB instance in real time
- When you want to see how different processes or threads use the CPU, Enhanced Monitoring metrics are useful

IAM DB Authentication
- works with MySQL and PostgreSQL
- An authentication token is a string of characters that you use instead of a password
- it's valid for 15 minutes before it expires

Ways to use SSL encryption
- Force SSL
- Encrypt from client side

Force SSL
- Set the rds.force_ssl parameter to true to force connections to use SSL
- The rds.force_ssl parameter is static, so after you change the value, you must reboot your DB instance for the change to take effect

Encrypt from client side
- This sets up an SSL connection from a specific client computer, and you must do work on the client to encrypt connections
- Must obtain certificates for the client computer, import the certificates on the client computer, and then encrypt the connections from the client computer

RDS Proxy for RDS and Aurora
- Serverless, autoscaling, highly available (multi-AZ)
- RDS Proxy is never publicly accessible (must be accessed from the VPC)

Aurora
- proprietary to AWS
- Aurora storage automatically grows in increments of 10GB, up to 128 TB
- up to 15 replicas
- sub 10ms replica lag
- Aurora costs around 20% more than RDS
- shared storage volume with up to 6 copies of the data across 3 AZs
- self-healing with peer-to-peer replication
- Master (read-write) + up to 15 read-only replicas
- 1 writer endpoint + 1 load balanced reader endpoint
- supports cross region replication
- supports read replica auto scaling

Custom Endpoint
- can create a custom endpoint from a subset of read replicas
- good for analytics or dev/testing environments

Aurora Serverless
- Automated database instantiation and auto-scaling based on actual usage
- pay per second
- Cannot change from provisioned to serverless

Global Aurora
- 1 primary read-write region
- up to 5 secondary read-only regions
- less than 1 second replication lag
- up to 16 read replicas per secondary region
- Promoting another region (for disaster recovery) has an RTO of < 1 minute

DB Cloning
- faster than snapshot-and-restore
- initially, the cloned DB accesses data from the same storage volume as the original DB
- when new or updated data comes in, it uses a new storage volume
- useful for staging DB creation from the original prod DB

Backup
- Auto backup
  - 1 to 35 days (can't be disabled)
- Manual backup
  - take DB snapshot
  - retention as long as the user wants

Read replicas failover priority
1. Watch the tier (smaller number, higher priority)
2. Watch the size (larger, the higher priority)

Aurora MySQL Native Function
Can create a native function or a stored procedure that invokes a Lambda function whenever a row in a table is modified in the database

Failover Scenarios

Single Instance
- Aurora will attempt to create a new DB Instance in the same Availability Zone as the original instance
- This replacement of the original instance is done on a best-effort basis and may not succeed, for example, if there is an issue that is broadly affecting the Availability Zone

Read Replica
- Amazon Aurora flips the canonical name record (CNAME) for your DB Instance to point at the healthy replica, which in turn is promoted to become the new primary
- Start-to-finish failover typically completes within 30 seconds

Aurora Serverless
- Aurora will automatically recreate the DB instance in a different AZ

ElastiCache
- to get managed Redis or Memcached
- Redis: used for gaming leaderboards, application cache, geospatial data
- Memcached: used for use cases like DB cache or user session store
- Redis's sorted set can be used for leaderboard ranking use cases
- HIPAA-compatible
- Has multi-AZ configuration
- Can have up to 5 read replicas across multiple AZs

Neptune
- Graph DB

DocumentDB
- AWS service for MongoDB

Keyspaces
- AWS service for Apache Cassandra

DNS

Route53
- A highly available, scalable, fully managed and Authoritative DNS
- The only AWS service which provides a 100% availability SLA

Record Types
- A - map to IPv4
- AAAA - map to IPv6
- CNAME - map to another domain name (can't be root or top node namespace or zone apex)
- Alias - can map root or top nodes to AWS resources (eg: ALB endpoints) (extension of A or AAAA type)
- NS - name servers for the hosted zones (for DNS traffic routing)

Name Servers
- Physical servers that resolve the DNS requests by looking at the records stored in hosted zones
- The NS record in a hosted zone routes the DNS request traffic to the name servers

Cost
$0.50 per month per hosted zone

Hosted Zones
- Public
- Private (within VPC)

Routing Policies
- Simple
- Weighted
- Latency-based
- Failover
- Geolocation
- Geoproximity
- IP-based routing
- Multi-value

Failover
- active-active
- active-passive

active-active
Both systems are running and either can serve as the failover

active-passive
Only one system is serving and the other one is on standby until failover occurs

S3 static website routing
To route an S3 static website using Route53, the name of the S3 bucket must be the same as the domain name

Containerization

ECS

Launch Types
- EC2
- Fargate

EC2 Launch Type
- Must provision & maintain the infrastructure (the EC2 instances)
- Each EC2 Instance must run the ECS Agent to register in the ECS Cluster

Fargate Launch Type
- No need to provision the infrastructure (no EC2 instances to manage)

IAM Roles
- EC2 Instance Profile
- ECS Task Role

Data Volumes
- EBS volumes of each EC2 instance
- Can use EFS
- Fargate + EFS = Serverless

AWS Application Auto Scaling
Automatically increase/decrease the desired number of ECS tasks

Scaling Methods
- Target Tracking
- Step Scaling
- Scheduled Scaling

Cluster Capacity Auto Scaling
- Use ECS Cluster Capacity Provider to automatically provision and scale the infrastructure for your ECS Tasks
- Capacity Provider paired with an Auto Scaling Group

ECR
- Store and manage Docker images on AWS
- Fully integrated with ECS, backed by Amazon S3

EKS
- EKS supports EC2 if you want to deploy worker nodes or Fargate to deploy serverless containers

Node Types
- Managed Node Group
- Self-managed Nodes
- Fargate

Data Volumes
- EBS
- EFS
- FSx for Lustre
- FSx for NetApp

Karpenter
Automatically adjusts the number of nodes in the EKS cluster when pods fail or are rescheduled onto other nodes

Horizontal Pod Autoscaler
- automatically scales the number of Pods in a deployment, replication controller, or replica set based on that resource's CPU utilization
- it installs the Kubernetes Metrics Server to the Amazon EKS cluster

ECS Anywhere and EKS Anywhere
- Extends AWS ECS and EKS functionality to run containers on any infrastructure, including on-premises servers, edge devices, or virtual machines outside AWS
- Allows organizations to use ECS and EKS as the orchestration layer for hybrid or multi-cloud deployments

AWS App Runner
- Fully managed service designed to automatically deploy and scale web applications and APIs from source code or a container image, with minimal configuration
- No infrastructure experience required, just need source code or a container image
- Automatic code building, deploying, scaling, highly available, load balancer, encryption

AWS Elastic Beanstalk
- Platform-as-a-Service (PaaS) that makes it easy to deploy, manage, and scale web applications and services
- Manages the infrastructure (compute, storage, networking) but still allows customization if needed
- Provides real-time monitoring of application health, resource usage, and logs

Serverless

Services
- Lambda
- DynamoDB
- Cognito
- API Gateway
- S3
- SNS and SQS
- Kinesis
- Aurora Serverless
- Step Functions
- Fargate

Lambda
- Pay per request and compute time
- Free tier of 1,000,000 AWS Lambda requests and 400,000 GB-seconds of compute time
- Outside of a VPC by default
- If assigned a VPC and subnet, Lambda will create an ENI in the subnet/VPC
- Can be invoked by using a Lambda function URL

Pricing
=====
Pay per call
- First 1,000,000 requests are free
- $0.20 per 1 million requests thereafter ($0.0000002 per request)
Pay per duration
- 400,000 GB-seconds of compute time per month for FREE
  - 400,000 seconds if the function is 1GB RAM
  - 3,200,000 seconds if the function is 128 MB RAM
- After that $1.00 for 600,000 GB-seconds

Execution
- Memory allocation: 128 MB – 10GB (1 MB increments)
- Maximum execution time: 900 seconds (15 minutes)
- Environment variables (4 KB)
- Disk capacity in the "function container" (in /tmp): 512 MB to 10GB
- Concurrent executions: 1000 (can be increased) per region

Deployment
- Lambda function deployment size (compressed .zip): 50 MB
- Size of uncompressed deployment (code + dependencies): 250 MB
- Can use the /tmp directory to load other files at startup
- Size of environment variables: 4 KB

Lambda SnapStart for Java
- Lambda initializes the function at publish time
- Takes a snapshot of the memory and disk state of the initialized function
- Snapshot is cached for low-latency access

Running Container Images
- Container image must be built using an AWS provided base image tailored specifically for AWS Lambda

API Gateway

Endpoint Types
- Edge-optimized
- Regional
- Private

Edge-optimized
- Requests are routed through the CloudFront Edge locations (improves latency)
- The API Gateway still lives in only one region

Regional
- For clients within the same region
- Could manually combine with CloudFront (more control over the caching strategies and the distribution)

Private
- Can only be accessed from own VPC using an interface VPC endpoint (ENI)
- Have to use a resource policy to define access

User Authentication
- IAM Roles (useful for internal applications)
- Cognito (identity for external users – example mobile users)
- Custom Authorizer (your own logic)
- Custom Domain Name HTTPS security through integration with AWS Certificate Manager (ACM)

Supports API Caching and Request Throttling too

Step Functions
Build serverless visual workflows to orchestrate your Lambda functions

AWS Cognito
- Give users an identity to interact with the web or mobile application on AWS

Cognito User Pool
- Sign in functionality for app users
- Create a serverless database of users for the web & mobile apps
- Integrate with API Gateway & Application Load Balancer

Cognito Identity Pool (Federated Identity)
- Provide AWS credentials to users so they can access AWS resources directly
- Integrate with Cognito User Pools as an identity provider
- Get identities for "users" so they obtain temporary AWS credentials

Data Analytics

Amazon Athena
- Serverless query service to analyze data stored in Amazon S3
- Supports CSV, JSON, ORC, Avro, and Parquet
- $5.00 per TB of data scanned
- Commonly used with Amazon QuickSight for reporting/dashboards

Federated Query
- To run SQL queries across data stored in relational, non-relational, object, and custom data sources (AWS or on-premises)
- Uses Data Source Connectors that run on AWS Lambda to run Federated Queries
- Store the results back in Amazon S3

Performance Improvement
- Use columnar data (Apache Parquet or ORC) for cost-savings
- Compress data for smaller retrievals
- Partition datasets in S3 for easy querying on virtual columns
- Use larger files (> 128 MB) to minimize overhead

Redshift
- based on PostgreSQL but OLAP: online analytical processing (analytics and data warehousing)
- 10x better performance than other data warehouses, scales to PBs of data
- Columnar storage of data (instead of row based) & parallel query engine

Modes
- Provisioned Cluster
- Serverless Cluster

Provisioned Cluster
- Choose instance types in advance
- Can reserve instances for cost savings

Redshift Clusters
- Leader Node
- Compute Node

Leader Node
for query planning, results aggregation

Compute Node
for performing the queries, send results to the leader

Snapshots and DR
- Snapshots are point-in-time backups of a cluster, stored internally in S3
- can restore a snapshot into a new cluster
- Automatically every 8 hours, every 5 GB or can be scheduled
- Set retention between 1 to 35 days
- Can manually take snapshots too
- Can enable cross-region snapshots

Data Loading into Redshift
- with Kinesis Data Firehose
- S3 using the COPY command
  - without enhanced VPC routing
  - with enhanced VPC routing
- EC2 Instance JDBC driver

Redshift Spectrum
- to run queries on data stored in S3 without loading the data

Amazon OpenSearch
- Successor to ElasticSearch
- common to use OpenSearch as a complement to another database as a database search API
- Ingestion from Kinesis Data Firehose, AWS IoT, and CloudWatch Logs
- Comes with OpenSearch Dashboards for visualization

Modes
- Managed Cluster
- Serverless Cluster

Amazon EMR
- Amazon Elastic MapReduce
- The clusters can be made of hundreds of EC2 instances with autoscaling and can be integrated with spot instances
- EMR comes bundled with Apache Spark, HBase, Presto, Flink
- EMR takes care of all the provisioning and configuration

Node Types
- Master Node
- Core Node
- Task Node

Master Node
Manage the cluster, coordinate, manage health – long running

Core Node
Run tasks and store data – long running

Task Node
Just to run tasks – usually Spot

Purchasing Options
- On demand
- Reserved (min 1 yr)
- Spot Instances

Modes
- Long running cluster
- Transient cluster

Amazon QuickSight
- Serverless machine learning-powered BI service to create interactive dashboards
- In-memory computation using the SPICE engine if data is imported into QuickSight
- Define Users and Groups (separate from IAM)

AWS Glue
- managed ETL service

Glue Job Bookmarks
prevent re-processing old data

Glue Elastic Views
- Combine and replicate data across multiple data stores using SQL
- No custom code, Glue monitors for changes in the source data, serverless
- Leverages a "virtual table" (materialized view)

Glue DataBrew
- Prebuilt transformations

Glue Studio
- GUI for ETL jobs

Glue Streaming ETL
- for streaming data
- built on Apache Spark Structured Streaming
- compatible with Kinesis Data Streaming, Kafka, MSK

AWS Lake Formation
- To build a data lake
- Created data lakes are stored in S3
- Built on top of AWS Glue
- Can be used to consolidate data from multiple accounts into a single account as a central data lake

MSK (Amazon Managed Streaming for Kafka)
- Alternative to Amazon Kinesis

MSK Serverless
- Run Apache Kafka on MSK without managing the capacity
- MSK automatically provisions resources and scales compute & storage

AWS Data Exchange
Service that makes it easy to find, subscribe to, and use third-party data in the AWS cloud

AWS Data Pipeline
- enables you to automate the movement, transformation, and processing of data across different AWS services and on-premises data sources
- useful for creating complex data workflows that involve scheduling, dependency management, and data transformations

Monitoring

CloudWatch

CloudWatch Metrics
- CloudWatch provides metrics for every service in AWS
- Metrics belong to namespaces (eg: S3, ECS, EC2, ...)
- Dimension is an attribute of a metric (eg: instance id, environment, etc.)
- Up to 30 dimensions per metric
- Can create CloudWatch Custom Metrics

Metric Streams
- Continually stream CloudWatch metrics to a destination of your choice, with near-real-time delivery and low latency (to Kinesis Data Firehose, 3rd party service providers)
- Option to filter metrics to only stream a subset of them

CloudWatch Logs
- organized into log groups and log streams
- Can define log expiration policies (never expire, 1 day to 10 years...)
- Logs are encrypted by default
- Can set up KMS-based encryption with your own keys

Can send logs to
- Amazon S3 (exports)
- Kinesis Data Streams
- Kinesis Data Firehose
- AWS Lambda
- OpenSearch

Log sources
- SDK, CloudWatch Logs Agent, CloudWatch Unified Agent
- Elastic Beanstalk: collection of logs from the application
- ECS: collection from containers
- AWS Lambda: collection from function logs
- VPC Flow Logs: VPC specific logs
- API Gateway
- CloudTrail based on filter
- Route53: Log DNS queries

Log Insights
- Search and analyze log data stored in CloudWatch Logs

S3 Export
- Log data can take up to 12 hours to become available for export
- The API call is CreateExportTask
- use Log Subscriptions instead for real-time delivery

Log Subscriptions
- Get real-time log events from CloudWatch Logs for processing and analysis
- Send to Kinesis Data Streams, Kinesis Data Firehose, or Lambda
- Subscription Filter: filter which log events are delivered to the destination
- Can do cross-account subscription

CloudWatch Agents
- To collect logs from EC2 instances or on-premise servers

Log Agents
- Older version
- Can only collect logs

Unified Agents
- Can collect logs and also the instance metrics (eg: CPU, RAM, disk info, etc.)

CloudWatch Alarms
Alarms are used to trigger notifications for any metric

Alarm States
- OK
- Insufficient Data
- In Alarm

Alarm Target Actions
- EC2 instances (stop, terminate, reboot, etc.)
- EC2 Auto Scaling
- Amazon SNS

Composite Alarm
- Can trigger multiple alarms in conjunction
- AND and OR conditions
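How the AND/OR conditions of a composite alarm combine child alarm states, as an added local evaluator that is not AWS code and not from the notes. The rule text follows the form CloudWatch composite alarm rules use (ALARM("name"), OK("name"), INSUFFICIENT_DATA("name") joined with AND, OR, NOT and parentheses); the alarm names and states are constructed.

```python
"""Evaluate a composite-alarm rule against the current states of its child
alarms. Small recursive-descent evaluator for rules written in the
ALARM("name") AND (OK("other") OR NOT ALARM("third")) form that CloudWatch
composite alarms use. Constructed example, not AWS code."""
import re

STATES = {"OK", "ALARM", "INSUFFICIENT_DATA"}
# A token is a state test on a named alarm, a keyword, or a parenthesis.
_TOKEN = re.compile(
    r'\s*(?:(ALARM|OK|INSUFFICIENT_DATA)\("([^"]+)"\)|(AND|OR|NOT|TRUE|FALSE)|([()]))'
)


def tokenize(rule: str) -> list:
    """Split a rule into (kind, value, alarm_name) tuples; reject anything else."""
    tokens, pos = [], 0
    while pos < len(rule):
        m = _TOKEN.match(rule, pos)
        if not m:
            if rule[pos:].strip() == "":
                break  # only trailing whitespace left
            raise ValueError(f"unexpected input at {pos}: {rule[pos:pos + 20]!r}")
        pos = m.end()
        if m.group(1):
            tokens.append(("STATE", m.group(1), m.group(2)))
        elif m.group(3):
            tokens.append(("KW", m.group(3), None))
        else:
            tokens.append(("PAREN", m.group(4), None))
    return tokens


class _Parser:
    """Precedence, lowest to highest: OR, AND, NOT, then atoms."""

    def __init__(self, tokens, states):
        self.toks, self.i, self.states = tokens, 0, states

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None, None)

    def take(self, kind, value=None):
        tok = self.peek()
        if tok[0] != kind or (value is not None and tok[1] != value):
            raise ValueError(f"expected {value or kind}, got {tok[1]!r}")
        self.i += 1
        return tok

    def parse_or(self):
        result = self.parse_and()
        while self.peek()[:2] == ("KW", "OR"):
            self.take("KW", "OR")
            rhs = self.parse_and()  # always parsed, so every token is consumed
            result = result or rhs
        return result

    def parse_and(self):
        result = self.parse_not()
        while self.peek()[:2] == ("KW", "AND"):
            self.take("KW", "AND")
            rhs = self.parse_not()
            result = result and rhs
        return result

    def parse_not(self):
        if self.peek()[:2] == ("KW", "NOT"):
            self.take("KW", "NOT")
            return not self.parse_not()
        return self.parse_atom()

    def parse_atom(self):
        kind, value, name = self.peek()
        if kind == "PAREN" and value == "(":
            self.take("PAREN", "(")
            result = self.parse_or()
            self.take("PAREN", ")")
            return result
        if kind == "KW" and value in ("TRUE", "FALSE"):
            self.take("KW")
            return value == "TRUE"
        if kind == "STATE":
            self.take("STATE")
            # A child alarm we have no state for is treated as INSUFFICIENT_DATA.
            return self.states.get(name, "INSUFFICIENT_DATA") == value
        raise ValueError(f"unexpected token {value!r}")


def evaluate_rule(rule: str, states: dict) -> bool:
    """True when the composite alarm would be in ALARM for the given child states."""
    for s in states.values():
        if s not in STATES:
            raise ValueError(f"unknown alarm state {s!r}")
    parser = _Parser(tokenize(rule), states)
    result = parser.parse_or()
    if parser.i != len(parser.toks):
        raise ValueError("trailing tokens in rule")
    return result


# Constructed child-alarm states for a web tier and a rule that only pages when
# CPU and an error signal are both firing and no deployment is in progress.
CHILD_STATES = {"cpu-high": "ALARM", "latency-high": "OK",
                "5xx-rate": "ALARM", "deploy-in-progress": "OK"}
RULE = ('ALARM("cpu-high") AND (ALARM("latency-high") OR ALARM("5xx-rate")) '
        'AND NOT ALARM("deploy-in-progress")')

if __name__ == "__main__":
    print(evaluate_rule(RULE, CHILD_STATES))  # True
```

Suppressing the page during a known deployment is the usual reason to reach for NOT in a composite rule rather than silencing the individual alarms.
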

EC2 Recovery
- CloudWatch alarm can trigger the recovery of the Amazon EC2 instance, in case the instance fails.
- The instance, however, should only be configured with an Amazon EBS volume
- Recovered instance is identical to the original instance, including the instance ID, private IP addresses, Elastic IP addresses, and all instance metadata

CloudWatch Insights
- CloudWatch Container Insights
- CloudWatch Lambda Insights
- CloudWatch Contributor Insights
- CloudWatch Application Insights

CloudWatch Container Insights
ECS, EKS, Kubernetes on EC2, Fargate, needs an agent for Kubernetes

CloudWatch Lambda Insights
Detailed metrics to troubleshoot serverless applications

CloudWatch Contributor Insights
Find "Top-N" Contributors through CloudWatch Logs

CloudWatch Application Insights
Automatic dashboard to troubleshoot your application and related AWS services

CloudTrail
- Provides governance, compliance and audit for your AWS Account
- Can be integrated with EventBridge to trigger AWS services based on CloudTrail events
- CloudTrail log files are encrypted by default

CloudTrail Events
- Management Events
- Data Events
- CloudTrail Insights Events

Management Events
- Operations that are performed on resources in your AWS account
- By default, trails are configured to log management events.

Data Events
- Granular data object activities like Amazon S3 object-level activity, AWS Lambda function execution activity

CloudTrail Insights Events
- Analyze anomalies in write events to detect unusual patterns

Events retention
- Events are stored for 90 days in CloudTrail
- To keep events beyond this period, log them to S3 and use Athena

AWS Config
- Helps with auditing and recording compliance of your AWS resources
- Helps record configurations and changes over time
- AWS Config is a per-region service
- Can be aggregated across regions and accounts

Config Rules
- Can use AWS managed config rules
- Can make custom config rules
- no free tier, $0.003 per configuration item recorded per region, $0.001 per config rule evaluation per region

Config Resource
- View compliance of a resource over time
- View configuration of a resource over time
- View CloudTrail API calls of a resource over time

Remediation
- Automate remediation of non-compliant resources using SSM Automation Documents
- Use AWS-Managed Automation Documents or create custom Automation Documents
- Can set Remediation Retries if the resource is still non-compliant after auto-remediation

Notification
- Use EventBridge to trigger notifications when AWS resources are non-compliant
- Ability to send configuration changes and compliance state notifications to SNS (all events – use SNS Filtering or filter at client-side)

AWS Trusted Advisor
- optimize costs, increase performance, improve security and resilience, and operate at scale in the cloud
- recommends actions to remediate any deviations from best practices
- can do service quota checks by writing an AWS Lambda function that refreshes the AWS Trusted Advisor Service Limits checks and setting it to run every 24 hours

AWS X-Ray
X-Ray collects data about the requests and responses, tracks latency, identifies performance bottlenecks, and detects errors, helping developers and operations teams understand how their applications behave in real time

Service Map
X-Ray generates a service map that visualizes the relationships and interactions between the services in your application. This map highlights performance bottlenecks, latency issues, and error rates.

Disaster Recovery

RPO and RTO
- Recovery Point Objective: Time between disaster and last backup point
- Recovery Time Objective: Time between disaster and system recovery time

DR Strategies
- Backup and Restore
- Pilot Light
- Warm Standby
- Hot Site / Mul Site Approach

Backup and Restore

- Cheapest
- High RPO, High RTO

Pilot Light
A most-minimal version of the app is always running in the cloud

Warm Standby
A scaled-down version of the full system is always up and running

Hot Site / Multi Site

Full Production Scale is running both on AWS and On Premise

AWS Database Migration Service (DMS)

- Can migrate databases both heterogeneously and homogeneously from different sources to targets (eg: from on-premise Oracle to AWS Aurora)
- Must create an EC2 instance to perform the replication tasks
- If the source and target DBs use different DB engines (eg: Oracle and PostgreSQL), Schema Conversion Tool (SCT) must be used
- AWS DMS supports multi-AZ deployment
- In addition to databases, S3 and Kinesis can also be the source or target
- Full load and change data capture (CDC) replication tasks can be used to migrate and also track the on-going data changes

RDS and Aurora DB Migration

- MySQL
- PostgreSQL

MySQL
- RDS to Aurora:
1. DB Snapshots from RDS MySQL restored as MySQL Aurora DB
2. Create an Aurora Read Replica from your RDS MySQL, and when the replication lag is 0, promote it as its own DB cluster
- External to Aurora:
1. Backup onto S3 and import from S3 to Aurora
2. Use the mysqldump utility to directly migrate into Aurora
Can also use DMS

PostgreSQL
- RDS to Aurora:
1. DB Snapshots from RDS PostgreSQL restored as PostgreSQL Aurora DB
2. Create an Aurora Read Replica from your RDS PostgreSQL, and when the replication lag is 0, promote it as its own DB cluster
- External to Aurora:
Create a backup, put it in Amazon S3 and import it using the aws_s3 Aurora extension
Can also use DMS

AWS Backup
- Centrally manage and automate backups across AWS services
- Supports cross-region backups
- Supports cross-account backups

Supported Services
- Amazon EC2 / Amazon EBS
- Amazon S3
- Amazon RDS (all DBs engines) / Amazon Aurora / Amazon DynamoDB
- Amazon DocumentDB / Amazon Neptune
- Amazon EFS / Amazon FSx (Lustre & Windows File Server)
- AWS Storage Gateway (Volume Gateway)

Features
- PITR for supported services
- On-demand and scheduled backups
- Tag based backup policies
- Backup Plans
- Backup Vault Lock

Backup Plans
Can configure:
- Backup frequency
- Backup window
- Transition to cold storage
- Retention period

Backup Vault Lock
- WORM (Write Once Read Many)
- Even the root user cannot delete backups inside the locked Vault

AWS ADS and MGN

- Application Discovery Service (ADS)
- Application Migration Service (MGN)

ADS
- Plan migration projects by gathering information about on-premises data centers like server utilization data and dependency mapping
- Resulting data can be viewed within AWS Migration Hub

Agentless Discovery
- Uses AWS Agentless Discovery Connector
- Discover VM inventory, configuration, and performance history such as CPU, memory, and disk usage

Agent-based Discovery
- Uses AWS Application Discovery Agent
- System configuration, system performance, running processes, and details of the network connections between systems

MGN
- The "AWS evolution" of CloudEndure Migration, replacing AWS Server Migration Service (SMS)
- Lift-and-shift (rehost) solution
- Converts physical, virtual, and cloud-based servers to run natively on AWS
- Migrate data by installing AWS Replication Agent on source servers

Compute

EC2
Storage
- EBS
- EFS
- EC2 Instance Store

EBS
- bound to specific AZs
- by default, root volume is set to delete on termination
- Only gp2/gp3 and io1/io2 can be used as boot volumes
- EBS volumes support live configuration changes while in production, which means that you can modify the volume type, volume size, and IOPS capacity without service interruptions

EBS Volume Types

- gp2 (SSD)
- gp3 (SSD)
- io1 (SSD)
- io2 block express (SSD)
- st1 (HDD)
- sc1 (HDD)

gp2
- 1 GiB - 16 TiB
- can burst IOPS to 3,000
- Size of the volume and IOPS are linked
- max IOPS is 16,000
- at 3 IOPS per GB, max IOPS is reached at 5,334 GB

gp3
- 1 GiB - 16 TiB
- Baseline of 3,000 IOPS and throughput of 125 MiB/s
- Can increase IOPS up to 16,000 and throughput up to 1000 MiB/s independently

io1
- 4 GiB - 16 TiB
- Max IOPS: 64,000 for Nitro EC2 instances & 32,000 for others
- Can increase IOPS independently from storage size

io2 Block Express

- 4 GiB - 64 TiB
- Sub-millisecond latency
- Max IOPS: 256,000 with an IOPS:GiB ratio of 1,000:1

Snapshots
- snapshots can be copied across AZs
- snapshots can be moved to snapshot archives, which is 75% cheaper but can take 24 to 72 hrs to restore
- snapshots can be moved to recycle bins and a retention period can be set from 1 day to 1 year
- fast snapshot restore: force full initialization of the snapshot to have no latency on first use
- snapshots can be created automatically using Amazon Data Lifecycle Manager (DLM)
- The EBS volume can be used while the snapshot is in progress

EBS Encryption
- Copying an unencrypted snapshot allows encryption
- Snapshots of encrypted volumes are encrypted

Encrypt an Unencrypted EBS Volume

- Create an EBS snapshot of the volume
- Encrypt the EBS snapshot (using copy)
- Create a new EBS volume from the snapshot (the volume will also be encrypted)

Copying encrypted snapshots across regions

- Take a snapshot of the encrypted volume
- Copy the snapshot and encrypt using key B in region B
- Restore the volume

Copying encrypted snapshots across accounts

- Create a snapshot encrypted with your own KMS key
- Attach a KMS key policy to authorize cross-account decrypt access
- Share the encrypted snapshot
- Encrypt the snapshot using KMS key B in account B
- Restore the volume

EBS Multi-Attach

- only io1/io2 volume types support multi-attach
- one volume can be attached to multiple instances within the same AZ
- up to 16 instances at the same time

EFS
- network file system (NFS) that can be mounted on many EC2 instances
- EFS can be attached to EC2 instances in multiple AZs
- have to use a security group to control access to EFS
- can only be used with Linux based AMIs
- pay per use, no capacity planning

Performance Modes
- General purpose
- Max I/O

Throughput Modes
- Bursting
- Provisioned
- Elastic

Bursting
- scales with storage
- burst up to 100 MiB/s

Provisioned
- set the throughput regardless of storage size

Elastic
- automatically scales throughput up or down based on the workloads
- Up to 3 GiB/s for reads and 1 GiB/s for writes

Storage Tiers
- Standard
- IA
- Archive

Storage Life Cycle

- Maximum number of days that can be configured in a storage lifecycle policy is 365 days

Availability Modes
- standard (Multi-AZ)
- one zone (Single-AZ)

EFS One Zone IA

- IA storage tier with one zone availability mode

Instance Store
- closely attached to the EC2 instance
- better I/O than EBS
- destroyed when the instance is stopped

RAID 0 vs RAID 1
EBS and Instance Store support RAID 0 configuration

RAID 0
- Data are spread across multiple EBS or Instance store volumes and all volumes act as single storage
- Increased throughput

RAID 1
- Data are duplicated in all the EBS and Instance store volumes
- For data redundancy

Instance Types
- General Purpose (M, T)
- Compute optimized (C)
- Memory optimized (R)
- Accelerated (G, P)
- Storage optimized (I)

Compute Optimized (C)

- Batch processing
- HPC
- Media transcoding
- Scientific modeling
- Dedicated gaming servers

Memory Optimized (R)

- High performance databases
- Cache stores
- In memory BIs
- In memory big data processing
Storage Optimized (I)
- High performance OLTP
- For high sequential I/O

Tenancy
- default
- dedicated
- host

default
shared tenancy

dedicated
dedicated tenancy (eg: dedicated instances)

host
dedicated host

Security Group
- Control ins/outs of the instance
- VPC bound
- Can attach to multiple instances
- Only contains 'Allow' rules
- Can reference by IP or by other SGs
- Inbound traffic is blocked by default
- Outbound traffic is allowed by default

Purchasing Options
- On-demand Instances
- Reserved Instances
- Saving Plans
- Spot Instances
- Dedicated Hosts
- Dedicated Instances
- Capacity Reservation

On-demand Instances
- Pay by second after 1 min

Reserved Instances
- Reserved for 1 or 3 years
- Payments: upfront, no upfront, partial upfront
- Convertible reserved instance: can change instance attributes

Saving Plans
- Reserved to a certain type of usage ($/hr)
- Reserved for 1 or 3 years
- Locked to an instance family and region
- Usage beyond saving plans is charged at on-demand price

Spot Instances
- Can get up to 90% discount
- Can lose the instance when the current price gets larger than the max price you are willing to pay
- have a 2 min grace period at termination time
- Cancelling a spot request does not terminate the instances
- First cancel the request and then terminate the instances
- Spot fleets: spot instances + optional on-demand instances
- Spot fleet allocation strategies:
  - lowestPrice
  - diversified
  - capacityOptimized
  - priceCapacityOptimized

Dedicated Host
- most expensive option
- book entire server
- visibility down to port level
- can do instance placement
- options:
  - on demand
  - reserved

Dedicated Instances
- own hardware within account
- cannot do instance placement

Capacity Reservation
- Pay whether you use the instances or not within the reserved period
- Capacity Reservations enable you to reserve compute capacity for your EC2 instances in a specific AZ for any duration (can also be hourly)

Elastic IP
- Can attach to one instance at a time
- Can only have 5 IPs per account (can ask AWS to increase)

Placement Groups
- Cluster
- Spread
- Partition

Cluster
- Cluster instances into a low latency group within a single AZ
- It is recommended that you launch the number of instances that you need in the placement group in a single launch request
- use the same instance type for all instances in the placement group
- If you try to add more instances to the placement group later, or if you try to launch more than one instance type in the placement group, you increase your chances of getting an insufficient capacity error
- Need to re-launch the cluster when an insufficient capacity error occurs

Spread
- Spread instances across different hardware across AZs
- Only 7 instances per group per AZ

Partition
- Many instances can share a partition (a rack of hardware) and partitions are distributed across AZs
- Only 7 partitions per AZ

Elastic Network Interface (ENI)

- One instance can have multiple ENIs attached with one primary private IPv4 and many secondary private IPv4s
- ENIs are bound to specific AZs
- Public IPv4 is assigned to an ENI according to the IP assignment rule of the subnet that the ENI belongs to
- One elastic IP address per private IP

EC2 Instance Stages

- Stop
- Terminate
- Hibernate

Stop
- Data on non-root EBS volumes are preserved
- All data on the attached instance-store devices will be lost
- Underlying host can be changed when restarted
- Elastic IP and ENIs are still attached

Terminate
If the EBS volume is set to be destroyed, all the data are lost

Hibernate
- Data and state in RAM are saved on EBS and the instance restarts from the saved state
- Instance RAM size must be less than 150 GB
- Root volume must be EBS and encrypted
- An instance cannot be hibernated for more than 60 days
- It is not possible to enable or disable hibernation for an instance after it has been launched; it has to be configured at launch time

AMI
- AMIs can be accessed using:
  - AWS public AMIs
  - Custom made AMIs
  - AMIs found/sold on AWS marketplace
- AMIs can be used to copy instances across AZs, Regions and Accounts
- AMI includes one or more snapshots, so if an AMI is copied, snapshots are copied along with it
- Copying an AMI backed by an encrypted snapshot cannot result in an unencrypted target snapshot

EC2 Enhanced Networking

- Elastic Network Adapter (ENA)
- Elastic Fabric Adapter (EFA)

ENA
- up to 100 Gbps
- can support Windows instances

EFA
- Improved ENA for HPC
- only works for Linux

Automation and Orchestration

- AWS Batch
- AWS ParallelCluster

AWS Batch
- Managed service that helps you efficiently run batch processing jobs at scale
- AWS Batch handles the provisioning, scaling, and management of compute resources required for batch jobs
AWS ParallelCluster
Open-source cluster management tool provided by AWS that simplifies the deployment, configuration, and management of high-performance computing (HPC) clusters on the AWS Cloud

There is a vCPU-based On-Demand Instance limit per region

EC2 Billing
- Pending: will not be billed
- Running: will be billed
- Stopping: will not be billed
- Terminated: will not be billed
- Stopping (to hibernate): will be billed
- Terminated (reserved instance): will be billed

AWS Outposts
- Fully managed service that extends AWS infrastructure, services, APIs, and tools to your on-premises data center or edge location
- Brings AWS infrastructure (hardware and software) to your physical data center or on-premises environment
- Supports core AWS services like Amazon EC2, ECS/EKS, RDS, S3, and EBS locally

AWS Wavelength
- Brings AWS compute and storage services to the edge of telecommunications (telco) 5G networks, enabling developers to build applications that require ultra-low latency for end users and devices
- AWS Wavelength extends AWS infrastructure into Wavelength Zones, which are zones within telco provider data centers connected to 5G networks
- Applications deployed in these zones process data close to users, reducing the latency introduced by routing to traditional AWS regions

Access Control
IAM
- IAM users can be grouped into IAM groups
- Permission policies can be assigned to IAM groups, or assigned to users directly by means of inline policies
- Least privilege permission
- One user can belong to multiple different groups, thus can have multiple permission policies
- Groups can only contain users (cannot contain other groups)
- Admin can set a password policy for IAM users
- AWS CloudShell is not available in every region
- AWS services can do actions on behalf of users by being assigned IAM roles which include one or more IAM policies
- Access is allowed only if an explicit "Allow" permission is defined

MFA Options
- Authenticator apps
- Universal 2nd Factor (U2F) Security Key
- Hardware key fob MFA device
- Hardware key fob MFA device for AWS GovCloud

IAM security tools
- Can generate an IAM credential report of IAM users (account level)
- IAM access advisor (user level)

AWS Organizations

- Allows to manage multiple AWS accounts
- The main account is the management account
- Other accounts are member accounts
- Member accounts can only be part of one organization

Organization Units (OUs)

- Accounts in the organization are organized into OUs
- OUs can be nested

Service Control Policy (SCP)

- IAM-style policies applied to OUs or Accounts to restrict Users and Roles
- They do not apply to the management account (full admin power)
- They do not affect service-linked roles

Resource-based Policy vs IAM Roles

- Some services provide resource-based policies but some only IAM roles
- Cross-account resource access can be done either by account A assuming a role in account B or by defining a resource-based policy for the resource in account B
- Trust policy is also a type of resource-based policy

AWS Services with Resource-based Policy

- Lambda
- SNS
- SQS
- S3
- API Gateway
- KMS

AWS Services with IAM Roles
- Kinesis streams
- ECS tasks

IAM Permission Boundaries

- Advanced feature to use a managed policy to set the maximum permissions an IAM entity can get
- IAM Permission Boundaries are supported for users and roles only (not groups)
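How the layers in the IAM, SCP and permission boundary notes above combine into one decision, as an added simulation that is not from these notes: an explicit Deny anywhere wins, the management account is exempt from SCPs, a boundary caps but never grants, and without an explicit Allow the result is a deny (resource-based policies and Condition blocks are left out; the sample policies are constructed).

```python
"""Added example (not from the notes): a simplified model of IAM policy
evaluation for a principal in its own account, combining identity policies,
SCPs and a permission boundary the way the notes describe."""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_applies(stmt, action, resource):
    """True when the statement names this action and this resource. '*' and '?'
    work as IAM wildcards; matching is case-sensitive here (a simplification)."""
    action_hit = any(fnmatchcase(action, a) for a in _as_list(stmt.get("Action", [])))
    resource_hit = any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", "*")))
    return action_hit and resource_hit


def policy_decision(policy, action, resource):
    """'Deny', 'Allow' or 'ImplicitDeny' for one policy document."""
    decision = "ImplicitDeny"
    for stmt in policy.get("Statement", []):
        if not _statement_applies(stmt, action, resource):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"  # an explicit Deny cannot be overridden by any Allow
        decision = "Allow"
    return decision


def _group_allows(policies, action, resource):
    """A set of policies grants the request only if at least one allows it and
    none denies it; with no matching Allow the outcome is an implicit deny."""
    decisions = [policy_decision(p, action, resource) for p in policies]
    return "Deny" not in decisions and "Allow" in decisions


def is_allowed(action, resource, identity_policies, scps=(), boundary=None,
               is_management_account=False):
    """Final decision: every layer that is present must independently allow."""
    identity_ok = _group_allows(identity_policies, action, resource)
    # SCPs restrict member accounts only; the management account is exempt
    scp_ok = is_management_account or not scps or _group_allows(scps, action, resource)
    # a boundary caps what identity policies can grant, it never grants on its own
    boundary_ok = boundary is None or _group_allows([boundary], action, resource)
    return identity_ok and scp_ok and boundary_ok


# Constructed sample policies
DEVELOPER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::app-data", "arn:aws:s3:::app-data/*"]},
    {"Effect": "Allow", "Action": "iam:CreateAccessKey", "Resource": "*"},
]}
# Boundary attached to the developer: S3 and read-only EC2, nothing in IAM
BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"], "Resource": "*"},
]}
# SCP on the OU: FullAWSAccess plus an explicit guardrail against bucket deletion
SCP_NO_BUCKET_DELETE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
]}


def developer_can(action, resource, management_account=False):
    """Convenience wrapper using the constructed policies above."""
    return is_allowed(action, resource, [DEVELOPER_POLICY], [SCP_NO_BUCKET_DELETE],
                      BOUNDARY, is_management_account=management_account)
```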

IAM Identity Center

- One login (single sign-on) for all AWS accounts in AWS Organizations, business applications, and third-party applications (e.g., Salesforce, Office 365, etc.)
- IAM users in the Identity Center management account can be assigned permission sets which allow them to access accounts and also specific resources in OUs
- Can manage users and groups directly within AWS Identity Center or integrate with external identity providers like Microsoft Active Directory, Okta, or Azure AD

AWS Control Tower
- Easy way to set up and govern a secure and compliant multi-account AWS environment based on best practices
- AWS Control Tower uses AWS Organizations to create accounts

Preventive Guardrail
- using SCPs (e.g., Restrict Regions across all your accounts)

Detective Guardrail
- using AWS Config (e.g., identify untagged resources)

AWS Resource Access Manager (RAM)

- To easily and securely share your resources with your AWS accounts

AWS Active Directory (AD)

- AWS Managed Microsoft AD
- AD Connector
- Simple AD

AWS Managed Microsoft AD

- Create your own AD in AWS to manage users
- Establish "trust" connections with your on-premises AD

AD Connector
- Proxy for on-premise AD

Simple AD
- AWS managed
- Cannot be joined with on-prem ADs

AWS Federated Access

Federated Access in AWS refers to the ability to grant users from external identity providers (IdPs) access to AWS resources without having to create and manage AWS-specific IAM (Identity and Access Management)
users for each individual

Types
- Federation with IAM Identity Center
- Federation with IAM
- Federation with Amazon Cognito identity pools

Federation with IAM Identity Center

- Users in IAM Identity Center are granted short-term credentials to your AWS resources
- IAM Identity Center supports identity federation with SAML (Security Assertion Markup Language) 2.0 to provide federated single sign-on access for users who are authorized to use applications within the AWS access portal
- Users can then single sign-on into services that support SAML, including the AWS Management Console and third-party applications, such as Microsoft 365, SAP Concur, and Salesforce

Federation with IAM Role

- For a single, standalone AWS account
- User logs in to the IdP
- IdP sends an authentication token to AWS
- AWS grants temporary credentials through STS
- User accesses AWS services

CDN

CloudFront
- CloudFront is a CDN service that caches the cloud contents at POPs (216 currently)
- CloudFront origin can be:
  - S3
  - EC2
  - ALB
  - any HTTP endpoint
- CloudFront can do geo restriction to allow or block users from specific countries using an allowlist and blocklist
- Should use in front of S3 if the file size is less than 1GB
- Can use field level encryption to protect sensitive data for specific content
- Can route to multiple origins based on the content type
- Can use an origin group with primary and secondary origins to configure for high-availability and failover
- Can generate Signed URLs and Signed cookies

Price Classes
- price class all regions - all regions, most expensive
- price class 200 - exclude most expensive regions
- price class 100 - only least expensive regions

Cache Invalidation
Origins can invalidate the CloudFront cache when new content is updated, so the CloudFront cache will be invalid and user requests will go straight to the updated content in the origin instead

CloudFront Functions
- Used to change Viewer requests and responses
- Sub-ms startup times, millions of requests/second
- Native feature of CloudFront (manage code entirely within CloudFront)
- JavaScript only

Lambda@Edge
- Scales to 1000s of requests/second
- Used to change CloudFront requests and responses
- Author your functions in one AWS Region, then CloudFront replicates to its locations

Origin Access Identity (OAI)

- Serves as the identity of a CloudFront distribution
- Origins can use this OAI of the CloudFront distribution in their access control policies to give access to the distribution
- Cannot set OAI if the S3 bucket is configured as a website endpoint

Origin Access Control (OAC)
- A more preferred way (compared with OAI) to restrict access to an Amazon S3 origin
- Enables CloudFront customers to easily secure their Amazon S3 Origins by permitting only designated CloudFront distributions to access their Amazon S3 buckets

DDoS Mitigation
AWS services that operate at edge locations, such as AWS CloudFront, AWS Global Accelerator, and Amazon Route 53, can be used to mitigate DDoS attacks

Global Accelerator
- 2 anycast IPs are created
- anycast IPs send the traffic to the edge locations and edge locations send the traffic to the application endpoint
- Uses the internal AWS network
- Can be used to distribute a portion of traffic to a particular deployment using endpoint weights
- Good for gaming, IoT or voice over IP services

CloudFront vs Global Accelerator

- CloudFront caches the contents at the edge location and serves the content from the edge location
- Global Accelerator uses TCP or UDP to route the traffic through the edge location to the application
- Global Accelerator doesn't have a cache service like CloudFront
- both have DDoS protection using AWS Shield

Storage

S3
- max size of an object is 5TB
- if an object is more than 5GB, have to use multi-part upload
- the block public access setting can be set at account level

Versioning
- if versioning is enabled for a bucket, previous versions of the object are preserved when overwritten
- if an object is deleted, it is not truly deleted but marked with a
delete marker, and then previous versions can be restored by deleting the delete marker
- Once versioning is enabled for a bucket, it cannot be disabled, it can only be suspended

Replication
- replication is done by creating a replication rule at the source S3 bucket
- both source and destination buckets have to enable bucket versioning
- only new objects are replicated
- have to use S3 batch replication to replicate existing and failed replication objects
- can replicate buckets in different regions

Storage Classes
- standard
- standard IA
  - good for once a month access
- one-zone IA
  - good for once a month access
- glacier instant retrieval
  - millisec retrieval
  - good for data accessed once a quarter
  - min storage duration of 90 days
- glacier flexible retrieval
  - expedited (1-5 mins), standard (3-5 hrs), bulk (5-12 hrs)
  - min storage duration of 90 days
- glacier deep archive
  - standard (12 hrs), bulk (48 hrs)
  - min storage duration of 180 days
- intelligent tiering
  - frequent access
  - infrequent access: objects not accessed for 30 days
  - archive instant access: objects not accessed for 90 days
  - archive access (optional): configurable from 90 to 700+ days
  - deep archive access (optional): configurable from 180 to 700+ days

Provisioned Capacity (for Glacier Flexible Expedited Retrieval)

- ensures that your retrieval capacity for expedited retrievals is available when you need it
- a unit of capacity provides that at least three expedited retrievals can be performed every five minutes and provides up to 150 MB/s of retrieval throughput

Lifecycle Rules / Lifecycle Policies
- Transition rule: to move objects from one class to another
- Expiration rule: to delete expired objects
- Object level rules

Requester Pays
- the requester of the object pays for the network costs
- the requester has to be an authenticated IAM user of an AWS account
- After a bucket is configured to be a Requester Pays bucket, requesters must include x-amz-request-payer in their API request header, for DELETE, GET, HEAD, POST, and PUT requests, or as a parameter in a REST request to show that they understand that they will be charged for the request and the data download

Event Notifications
- send messages/events to SNS, SQS (only standard queue) or a Lambda function when an object action is triggered (eg: ObjectCreated:Put, ObjectCreated:Post, …)
- receiving services have to be configured with an IAM policy to receive event notifications from S3

Performance
- each S3 prefix can achieve 3500 PUT/COPY/POST/DELETE requests/sec and 5500 GET/HEAD requests/sec
- if objects are distributed across 4 prefixes, the user can have 22000 GET/HEAD requests/sec and 14000 PUT/COPY/POST/DELETE requests/sec
- how to further optimize S3 performance:
  - multi-part upload
  - S3 transfer acceleration
  - S3 byte range fetches

Batch Operations

- to perform bulk operations on existing S3 objects with a single request
- to get the list of objects:
  - use S3 inventory
  - filter using S3 select
  - and use S3 batch operations to do the processing

Encryption
- Server side encryption (SSE)
  - SSE-S3: encrypt with AWS managed key
  - SSE-KMS: encrypt with KMS key
  - SSE-C: encrypt with customer provided key
- Client side encryption (CSE)

CORS
Needs to be enabled to access objects from web browsers

MFA Delete
Only the root account can enable/disable MFA delete of an S3 bucket

Access Logs
- To capture detailed records of requests made to the S3 bucket
- Provide insights into who accessed the bucket, from where, and how they interacted with the objects

Presigned URLs
Time-limited URL that grants temporary access to an S3 object

Glacier Vault Lock
- write once read many model
- glacier vault lock has a policy and that policy cannot be changed after it is set once
- if an object is moved to a glacier vault, it cannot be deleted anymore

S3 Object Lock
- write once read many model
- bucket versioning must be enabled
- block an object version deletion for a period of time

Retention Modes
- compliance - no one can delete the object or change the retention policy
- governance - some (admin) users can delete the object or change the retention policy

Legal Hold
- protect the object indefinitely
- independent from the retention period
- legal hold can be placed and removed on an object by using the s3:PutObjectLegalHold IAM permission
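The retention modes and legal hold rules above, as an added simulation that is not from these notes: it decides whether a versioned delete would succeed and whether a retention period may be shortened, given the mode, the retain-until date, a legal hold, and whether the caller holds s3:BypassGovernanceRetention (and sent the bypass header) or s3:PutObjectLegalHold (object keys, dates and callers are constructed).

```python
"""Added example (not from the notes): S3 Object Lock decision rules,
modelled offline. COMPLIANCE cannot be overridden by anyone, GOVERNANCE can
be bypassed only by callers with the permission who ask explicitly, and a
legal hold blocks deletion regardless of the retention period."""
from dataclasses import dataclass, field, replace
from datetime import datetime, timedelta, timezone
from typing import Optional, Set


@dataclass
class ObjectVersion:
    key: str
    version_id: str
    retention_mode: Optional[str] = None     # "COMPLIANCE", "GOVERNANCE" or None
    retain_until: Optional[datetime] = None
    legal_hold: bool = False


@dataclass
class Caller:
    permissions: Set[str] = field(default_factory=set)
    bypass_header: bool = False   # sent x-amz-bypass-governance-retention: true


def retention_active(version, now):
    """A retention period protects the version until retain_until passes."""
    return (version.retention_mode is not None
            and version.retain_until is not None
            and now < version.retain_until)


def can_bypass_governance(caller):
    """GOVERNANCE is overridden only with the permission AND the explicit header."""
    return "s3:BypassGovernanceRetention" in caller.permissions and caller.bypass_header


def can_delete_version(version, caller, now):
    """Return (allowed, reason) for a DELETE that names this version id.
    A delete without a version id only adds a delete marker and is not blocked
    by Object Lock, which protects individual versions."""
    if version.legal_hold:
        return False, "legal hold is on; it must be removed first"
    if not retention_active(version, now):
        return True, "no active retention period"
    if version.retention_mode == "COMPLIANCE":
        return False, "COMPLIANCE retention until %s; no user can override it" % (
            version.retain_until.isoformat())
    if can_bypass_governance(caller):
        return True, "GOVERNANCE retention bypassed"
    return False, "GOVERNANCE retention active; bypass permission and header required"


def can_shorten_retention(version, caller, new_retain_until, now):
    """Extending a retention period is always allowed; shortening it follows
    the same rules as deleting the version."""
    if version.retain_until is not None and new_retain_until >= version.retain_until:
        return True
    if not retention_active(version, now):
        return True
    if version.retention_mode == "COMPLIANCE":
        return False
    return can_bypass_governance(caller)


def set_legal_hold(version, caller, on):
    """Legal hold is independent of the retention period and needs its own
    permission; returns a modified copy of the version."""
    if "s3:PutObjectLegalHold" not in caller.permissions:
        raise PermissionError("s3:PutObjectLegalHold is required")
    return replace(version, legal_hold=on)


# Constructed sample data
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
AUDIT_LOG = ObjectVersion("audit/2024-05.json", "v1", "COMPLIANCE", NOW + timedelta(days=365))
DRAFT_REPORT = ObjectVersion("reports/q2.pdf", "v7", "GOVERNANCE", NOW + timedelta(days=30))
ADMIN = Caller({"s3:DeleteObjectVersion", "s3:BypassGovernanceRetention",
                "s3:PutObjectLegalHold"}, bypass_header=True)
USER = Caller({"s3:DeleteObjectVersion"})

if __name__ == "__main__":
    for v in (AUDIT_LOG, DRAFT_REPORT):
        for who, c in (("admin", ADMIN), ("user", USER)):
            print(v.key, who, can_delete_version(v, c, NOW))
```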

S3 Access Points
- each access point points to one bucket
- S3 access points can have their own DNS names
- can be internet origin or VPC origin
- can have a policy of their own
- so the bucket policy can be simple

S3 Object Lambda Access Points

Object lambda access points enable users to get a modified S3 object by pointing to a Lambda function which accesses the original S3 object and does modifications before sending it to the object lambda access point

AWS Snow Family

- snowcone and snowball edge are devices used for offline data migration
- order the snowcone or snowball edge devices from AWS, load the devices with data, send the devices back to AWS and AWS will transfer the data from the devices to S3 buckets
- snowcone can handle 8TB HDD - 14TB SSD, migration size up to terabytes
- snowball edge can handle 80TB - 210TB, migration size up to petabytes
- snowball edge supports storage clustering
- can do edge computing on snow devices by running Lambda functions or EC2 instances at the edge
- snowcone is capable with 2 CPU and 4GB of RAM
- snowball edge on the other hand is compute-optimized and storage-optimized
- snowball cannot transfer the data directly to S3 Glacier
- snowmobile is used to move petabytes to exabytes of data, transferring data with container-sized trucks

AWS FSx
- fully-managed high performance file systems on AWS

Types
- FSx for Lustre
- FSx for Windows File Server
- FSx for NetApp ONTAP
- FSx for OpenZFS

AWS Storage Gateway

Bridge between on-premises data and cloud data

Types
- S3 file gateway
- FSx file gateway
- Volume gateway (cached or stored)
- Tape gateway

Volume Gateway Cached Mode

Only a subset of data is stored in the on-premise volume gateway

Volume Gateway Stored Mode

Full and redundant data is stored in the on-premise volume gateway

AWS Transfer Family

A fully-managed service for file transfers into and out of Amazon S3 or Amazon EFS using the FTP protocol

Supported Protocols
- AWS Transfer for FTP (File Transfer Protocol)
- AWS Transfer for FTPS (File Transfer Protocol over SSL)
- AWS Transfer for SFTP (Secure File Transfer Protocol)

AWS DataSync
- Move large amounts of data to and from (can be scheduled using agent tasks)
- On-premise/Other clouds to AWS
- AWS to AWS
- Only AWS data transfer service that can directly transfer the data to S3 Glacier

Supported Storage Services

- S3
- S3 Glacier
- EFS
- FSx

Machine Learning

Rekognition
- for CV
- labeling
- content moderation
- Face Detection and Analysis (gender, age range, emotions...)
- Face Search and Verification
- Celebrity Recognition
- Pathing (ex: for sports game analysis)

Amazon Transcribe
- Speech to text

Features
- Automatically remove Personally Identifiable Information (PII) using Redaction
- Automatic Language Identification for multi-lingual audio
Amazon Polly
- Text to speech

Features
- Lexicon upload for acronyms and stylized words
- Speech customization with Speech Synthesis Markup Language (SSML)

Amazon Translate
- Language translation

Amazon Lex
- Chatbots
- Call center bots
- Natural Language Understanding to recognize the intent of text, callers

Amazon Connect
- Cloud contact center

Amazon Comprehend
- Fully managed NLP service

Amazon Comprehend Medical

- Uses NLP to detect Protected Health Information (PHI)

Amazon SageMaker
- Fully managed service for developers / data scientists to label data, build and deploy ML models

Amazon Forecast
- For timeseries analysis

Amazon Kendra
- Fully managed document search service powered by Machine Learning
- Sources can be text, pdf, HTML, PowerPoint, MS Word, databases
Amazon Personalize
- Recommendation system service

Amazon Textract
- For OCR and IE

Application Integration/Messaging

SQS
Producer/Consumer Model

Standard Queue
- Unlimited throughput, unlimited number of messages in queue
- Default retention of messages: 4 days, maximum of 14 days
- Low latency (<10 ms on publish and receive)
- Limitation of 256KB per message sent
- Can have duplicate messages
- Can have out of order messages
- Default visibility timeout of 30 sec
- Cannot set a priority value on each message

FIFO Queue
- Limited throughput: 300 msg/s without batching, 3000 msg/s with
- Exactly-once send capability (by removing duplicates)
- Messages are processed in order by the consumer
- Use deduplication ID and message group ID to ensure exactly-once capability

Encryption
- In-flight encryption using HTTPS API
- At-rest encryption using KMS keys
- Client-side encryption if the client wants to perform encryption/decryption itself

Access Policy
Similar to an S3 bucket policy, to control the access to the queue
Long Polling
- When a consumer requests messages from the queue, it can optionally "wait" for messages to arrive if there are none in the queue
- The wait time can be between 1 sec and 20 sec (20 sec preferable)
- Can configure by setting ReceiveMessageWaitTimeSeconds to a number greater than zero

Dead Letter Queues
Dead-letter queues can be used by other queues (source queues) as a target for messages that can't be processed (consumed) successfully

Delay Queue
- Delay queues let you postpone the delivery of new messages to a queue for several seconds
- The default (minimum) delay for a queue is 0 sec
- The maximum is 15 minutes

SNS
Pub/Sub Model

Topics
- Publisher pushes events to a topic and each subscriber to the topic will get all the events
- Up to 12,500,000 subscriptions per topic
- 100,000 topics limit

FIFO SNS
- Similar features as SQS FIFO
- Can have SQS Standard and FIFO queues as subscribers
- same throughput as SQS FIFO

Encryption
- In-flight encryption using HTTPS API
- At-rest encryption using KMS keys
- Client-side encryp on if the client wants to perform encryp on/decryp on itself

Access Policy
Similar to s3 bucket policy to control the access to the queue

Message Filtering
- JSON policy used to filter messages sent to SNS topic’s subscriptions
- If a subscription doesn’t have a filter policy, it receives every message
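The filter-policy behaviour described above, as an added example that is not part of the original notes: a small evaluator for a subset of SNS filter-policy operators (exact match, prefix, anything-but, numeric, exists) run against constructed message attributes, showing that a message must satisfy every attribute in the policy and that a subscription with no policy receives everything.

```python
"""Evaluate an SNS subscription filter policy against message attributes.

Added example (not from the original notes). Covers the semantics the notes
describe: every attribute in the policy must match (AND), any listed value
for an attribute may match (OR), and no policy means every message passes.
The policy and messages below are constructed sample data.
"""
import json
import operator

# Comparison operators allowed inside a "numeric" condition, e.g. [">=", 100]
_OPS = {"=": operator.eq, ">": operator.gt, ">=": operator.ge,
        "<": operator.lt, "<=": operator.le}


def _numeric_match(spec, value):
    """spec is [op, number] or [op, number, op, number] (a range); all must hold."""
    return all(_OPS[spec[i]](value, spec[i + 1]) for i in range(0, len(spec), 2))


def _condition_matches(cond, value):
    """One policy value (string, number or operator dict) against one attribute value."""
    if not isinstance(cond, dict):
        return cond == value
    if "prefix" in cond:
        return isinstance(value, str) and value.startswith(cond["prefix"])
    if "anything-but" in cond:
        excluded = cond["anything-but"]
        return value not in (excluded if isinstance(excluded, list) else [excluded])
    if "numeric" in cond:
        return isinstance(value, (int, float)) and _numeric_match(cond["numeric"], value)
    return False


def _attribute_values(attr):
    """Normalise one MessageAttribute {'Type': ..., 'Value': ...} to a list of values."""
    kind, raw = attr["Type"], attr["Value"]
    if kind == "Number":
        return [float(raw)]
    if kind == "String.Array":
        return json.loads(raw)
    return [raw]


def message_passes_filter(policy, attributes):
    """True if every attribute in the policy matches (any listed value per attribute)."""
    if not policy:  # a subscription without a filter policy receives every message
        return True
    for name, conditions in policy.items():
        attr = attributes.get(name)
        if conditions == [{"exists": False}]:
            if attr is not None:
                return False
            continue
        if attr is None:
            return False
        if conditions == [{"exists": True}]:
            continue
        values = _attribute_values(attr)
        if not any(_condition_matches(c, v) for c in conditions for v in values):
            return False
    return True


# Constructed sample policy and message attributes for the example.
SAMPLE_POLICY = {
    "event_type": ["order_placed", "order_cancelled"],
    "region": [{"prefix": "eu-"}],
    "amount": [{"numeric": [">=", 100]}],
    "test_run": [{"exists": False}],
}
SAMPLE_MESSAGE = {
    "event_type": {"Type": "String", "Value": "order_placed"},
    "region": {"Type": "String", "Value": "eu-west-1"},
    "amount": {"Type": "Number", "Value": "250"},
}
```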

Fan-out (SNS+SQS)
- Push once in SNS, receive in all SQS queues that are subscribers
- Cross-Region Delivery: works with SQS Queues in other regions

Kinesis
Producer/Consumer Model

Kinesis Data Streams


- Streaming service for ingest at scale
- Each record contains a partition key and a data blob
- Records with the same partition key always go into the same shard
- Once data is inserted in Kinesis, it can’t be deleted (immutability)
- Ability to reprocess (replay) data
- Retention between 1 day and 365 days, default of 1 day
- Cannot autoscale, have to be pre-provisioned

Capacity Modes
- Provisioned Mode
- On-demand Mode
Provisioned Mode
- choose the number of shards provisioned, scale manually or using API
- Each shard gets 1MB/s in (or 1000 records per second)
- Each shard gets 2MB/s out (classic or enhanced fan-out consumer)
- Pay per shard provisioned per hour

On-demand Mode
- Default capacity provisioned (4 MB/s in or 4000 records per second)
- Scales automatically based on observed throughput peak during the last 30 days
- Pay per stream per hour & data in/out per GB

Security
- In-flight encryption using HTTPS API
- At-rest encryption using KMS keys
- Client-side encryption if the client wants to perform encryption/decryption itself
- VPC Endpoints available for Kinesis to access from within the VPC

Enhanced Fan-out
- Standard: 2MB/s per shard (shared between multiple consumers)
- Enhanced fan-out: 2MB/s per shard per consumer

Kinesis Data Firehose


- Load streaming data into S3 / Redshift / OpenSearch / 3rd party / custom HTTP
- Fully Managed Service, no administration, automatic scaling, serverless
- Pay for data going through Firehose
- Near real-time
- Supports custom data transformations using AWS Lambda
- Doesn't guarantee the order of message delivery and processing

Kinesis Data Analytics


- Real-time analytics on Kinesis Data Streams & Firehose using SQL
- Add reference data from Amazon S3 to enrich streaming data
- Fully managed, no servers to provision
- Automatic scaling

Kinesis Video Streams

EventBridge
- Trigger AWS services based on events sent by other AWS services or 3rd party integrations
- Can archive and replay events for debugging purposes

Trigger Types
- Schedule
- Event Patterns

Schedule
Cron jobs (scheduled scripts)

Event Patterns
Event rules to react to a service doing something

Event Buses
- Default event bus (AWS services)
- Partner event bus (3rd parties)
- Custom event bus

Schema Registry
- The Schema Registry allows you to generate code for your application that will know in advance how data is structured in the event bus
- Schema can be versioned

Resource-based Policy
- Manage permissions for a specific Event Bus
- Allow/deny events from another AWS account or AWS region
- Aggregate all events from your AWS Organization in a single AWS account or AWS region

Amazon MQ
Service for on-premise message broker protocols such as: MQTT, AMQP, STOMP,
Openwire, WSS

Amazon Simple Workflow Service (SWF)


Amazon SWF is a web service that makes it easy to coordinate work across distributed application components

AWS AppFlow
- To transfer and integrate data between AWS services and external SaaS platforms
- Keeping SaaS data synchronized with AWS resources

AWS AppSync
- A managed service for building real-time GraphQL APIs to power data-driven applications
- Simplifies building GraphQL APIs for querying, mutating, and subscribing to data
- Allows combining multiple data sources (e.g., DynamoDB, RDS, Lambda) into a single unified API

Security

Encryption
- In-flight encryption
- Server-side encryption
- Client-side encryption

In-flight encryption


- Data is encrypted before sending and decrypted after receiving
- TLS certificate is used in HTTPS

Server-side encryption
- Data is encrypted by the server after receiving it and decrypted before sending it to the client

Client-side encryption
- Data is encrypted by the client and never decrypted by the server

KMS
- Fully integrated with IAM for authorization
- Able to audit KMS Key usage using CloudTrail
- KMS Key Encryption also available through API calls (SDK, CLI)
- Have to pay for API call to KMS ($0.03 / 10,000 calls)
- If a KMS key is deleted, it is in 'pending deletion' state for 7–30 days (default 30 days) and can be recovered during that window

Asymmetric vs Symmetric Keys


- Symmetric Keys (AES-256)
- Asymmetric Keys (RSA & ECC key pair)

Symmetric Keys
- Single key for both encryption and decryption
- AWS services integrated with KMS use symmetric keys
- Never get access to the KMS Key unencrypted (must call KMS API to use)

Asymmetric Keys
- Public (Encrypt) and Private Key (Decrypt) pair
- The public key is downloadable, but the Private Key can't be accessed unencrypted

KMS Key Types
- AWS Owned Keys (free): SSE-S3, SSE-SQS, SSE-DDB (default key)
- AWS Managed Keys (free): (aws/service-name, example: aws/rds or aws/ebs)
- Customer managed keys created in KMS: $1 / month
- Customer managed keys imported: $1 / month

Automatic Key Rotation


- AWS-managed KMS Key: automatic every 1 year
- Customer-managed KMS Key: automatic (must be enabled) or on-demand
- Imported KMS Key: only manual rotation possible using alias

Key Policies
- Control access to KMS keys, “similar” to S3 bucket policies

Default Key Policy


- Created if you don’t provide a specific KMS Key Policy
- Complete access to the key to the root user

Custom Key Policy


- Define users, roles that can access the KMS key
- Define who can administer the key

Multi-region Keys


- MRK is bound to a single region but replicas are replicated to multiple regions
- To be able to decrypt the data encrypted in a different region
- For the use cases of global client-side encryption like global DynamoDB client-side encryption, global Aurora client-side encryption

Replicating encrypted S3 objects


- For objects encrypted with SSE-KMS:
- Specify which KMS Key to encrypt the objects within the target bucket
- Adapt the KMS Key Policy for the target key
- An IAM Role with kms:Decrypt for the source KMS Key and kms:Encrypt for the target KMS Key
- You might get KMS throttling errors, in which case you can ask for a Service Quotas increase

AWS CloudHSM
- Fully managed service that provides customers with dedicated hardware security modules to securely generate and use encryption keys
- AWS CloudHSM is a fully managed service, meaning AWS takes care of hardware maintenance, updates, and availability
- Customer retains full control over the cryptographic key management and security configurations

AWS Systems Manager (SSM) Parameter Store
- Secure storage for configuration and secrets
- Optional Encryption using KMS
- Parameters can be stored in hierarchies

Tiers
- Standard
- Advanced

Parameter Policies
Allows assigning a TTL to a parameter (expiration date) to force updating or deleting sensitive data such as passwords
AWS SecretsManager
- Secure storage of secrets
- Capability to force rotation of secrets every X days
- Automate generation of secrets on rotation (uses Lambda)
- Integration with database services like RDS, Aurora, Redshift, DocumentDB
- Secrets are encrypted using KMS

Multi-region secrets


- Replicate Secrets across multiple AWS Regions
- Secrets Manager keeps read replicas in sync with the primary Secret
- Ability to promote a read replica Secret to a standalone Secret

AWS Certificate Manager


- Easily provision, manage, and deploy TLS Certificates
- Supports both public and private TLS certificates
- Free of charge for public TLS certificates
- Can generate certificates too
- Certificates generated with ACM are automatically renewed

Integrations
- ELB
- CloudFront distributions
- APIs on API Gateway
- Cannot use from EC2

API Gateway
- Edge-optimized
- Regional
- Private (cannot use ACM)

Edge-optimized
- ACM is integrated with the CloudFront distribution
- The TLS Certificate must be in the same region as CloudFront
Regional
- The TLS Certificate must be imported on API Gateway, in the same region as the API Stage

Web Application Firewall (WAF)


- Protects your web applications from common web exploits (Layer 7)

Integrations
- ALB
- API Gateway
- Cloudfront
- AppSync GraphQL API
- Cognito User Pool

Web Access Control List (Web ACL)


- IP Set: up to 10,000 IP addresses
- HTTP headers, HTTP body, or URI strings
- Protects from common attacks - SQL injection and Cross-Site Scripting (XSS)
- Size constraints
- Geo-match (block countries)
- Rate-based rules (to count occurrences of events) – for DDoS protection
- Web ACLs are Regional except for CloudFront
- A rule group is a reusable set of rules that can be added to a web ACL

AWS Shield
Protect from DDoS Attacks

Modes
- Standard
- Advanced

Standard
- Free service that is activated for every AWS customer
- Provides protection from attacks such as SYN/UDP Floods, Reflection attacks and other layer 3/4 attacks

Advanced
- Optional DDoS mitigation service
- $3,000 per month per organization
- 24/7 access to AWS DDoS response team (DRP)
- Shield Advanced automatic application layer DDoS mitigation automatically creates, evaluates and deploys AWS WAF rules to mitigate layer 7 attacks

Supported Services
- EC2
- ELB
- CloudFront
- Global Accelerator
- Route 53
- Elastic IP

AWS Network Firewall
- Details in VPC section

AWS Firewall Manager
- Manage firewall rules in all accounts of an AWS Organization
- Rules are applied to new resources as they are created (good for compliance) across all and future accounts in your Organization

Security Policies
- common set of security rules
- WAF rules (ALB, API Gateways, CloudFront)
- AWS Shield Advanced (ALB, CLB, NLB, Elastic IP, CloudFront)
- Security Groups for EC2, ALB and ENI resources in VPC
- AWS Network Firewall (VPC Level)
- Route 53 Resolver DNS Firewall
- Policies are created at the region level
AWS GuardDuty
- Managed threat detection service
- Analyze threats from input data like CloudTrail events, VPC flow logs, etc
- Notify the findings through EventBridge

Foundational Data Sources


- CloudTrail Events Logs
- VPC Flow Logs
- DNS Logs

Other Data Sources


- S3 data event logs
- EKS audit logs
- Lambda network activity logs
- RDS login activity logs
- EBS volume data

AWS Inspector
- Automated Security Assessments for:
- EC2
- Container Images pushed to Amazon ECR
- Lambda Functions
- Reporting & integration with AWS Security Hub
- Send findings to Amazon EventBridge

EC2
- Leveraging the AWS Systems Manager (SSM) agent
- Analyze against unintended network accessibility
- Analyze the running OS against known vulnerabili es

Container Images pushed to Amazon ECR


- Assessment of Container Images as they are pushed
Lambda Functions
- Identifies software vulnerabilities in function code and package dependencies
- Assessment of functions as they are deployed

AWS Macie
Find sensitive Personally Identifiable Information (PII) in data stored on S3

AWS Artifact
To view, assess and manage the security reports as well as other AWS compliance-related information

AWS Security Hub
- Security service that provides a comprehensive view of your security posture across AWS accounts
- Security Hub collects and aggregates security findings from multiple AWS services such as Amazon GuardDuty, Amazon Macie, Amazon Inspector, and AWS Config, as well as from third-party security solutions

AWS Security Token Service (STS)
- Service that you can use to create and provide trusted users with temporary security credentials that can control access to your AWS resources
- Temporary security credentials work almost identically to the long-term access key credentials that your IAM users can use

VPC

Default VPC
- Default VPC has Internet connectivity through an internet gateway and all EC2 instances inside it have public IPv4 addresses

Own VPC
- Can create max 5 per region (but soft limit)
- Max CIDR per VPC is 5

CIDR size
Min: /28 (16 IP addresses)
Max: /16 (65536 IP addresses)

Allowed CIDR ranges (private)


- 10.0.0.0 – 10.255.255.255 (10.0.0.0/8)
- 172.16.0.0 – 172.31.255.255 (172.16.0.0/12)
- 192.168.0.0 – 192.168.255.255 (192.168.0.0/16)

Subnets
- AWS reserves 5 IP addresses (first 4 & last 1) in each subnet
- x.x.x.0 – Network Address
- x.x.x.1 – reserved by AWS for the VPC router
- x.x.x.2 – reserved by AWS for mapping to Amazon-provided DNS
- x.x.x.3 – reserved by AWS for future use
- x.x.x.255 – Network Broadcast Address. AWS does not support broadcast in a VPC, therefore the address is reserved
- Each subnet maps to a single AZ
- Every subnet created is automatically associated with the main route table for the VPC.
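The CIDR limits and reserved subnet addresses above, as an added example that is not part of the original notes: a standard-library check that a VPC CIDR sits inside the allowed private ranges and the /16 to /28 bounds, plus a helper that lists the five addresses AWS reserves in any subnet and the usable host count that remains.

```python
"""Validate a VPC CIDR against the limits in these notes and list the
addresses AWS reserves in a subnet.

Added example (not from the original notes). Only the standard library is used;
the CIDRs passed in below are constructed sample values.
"""
import ipaddress

# Allowed private ranges (RFC 1918), as listed in the notes
ALLOWED_PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
MIN_PREFIX, MAX_PREFIX = 16, 28  # /16 is the largest VPC, /28 the smallest
RESERVED_OFFSETS = {
    0: "network address",
    1: "reserved by AWS for the VPC router",
    2: "reserved by AWS for mapping to Amazon-provided DNS",
    3: "reserved by AWS for future use",
}


def validate_vpc_cidr(cidr):
    """Return a list of problems; an empty list means the CIDR is acceptable."""
    problems = []
    try:
        net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set
    except ValueError as exc:
        return [f"not a valid network: {exc}"]
    if net.version != 4:
        return ["only IPv4 CIDRs are checked here"]
    if net.prefixlen < MIN_PREFIX:
        problems.append(f"/{net.prefixlen} is larger than the /16 maximum")
    if net.prefixlen > MAX_PREFIX:
        problems.append(f"/{net.prefixlen} is smaller than the /28 minimum")
    if not any(net.subnet_of(r) for r in ALLOWED_PRIVATE_RANGES):
        problems.append("not inside an RFC 1918 private range")
    return problems


def subnet_reserved_addresses(cidr):
    """Return ({address: reason}, usable_host_count) for a subnet CIDR."""
    net = ipaddress.ip_network(cidr, strict=True)
    addrs = list(net)  # every address, including network and broadcast
    reserved = {str(addrs[i]): why for i, why in RESERVED_OFFSETS.items()}
    reserved[str(addrs[-1])] = "broadcast address (broadcast is not supported in a VPC)"
    return reserved, net.num_addresses - len(reserved)


if __name__ == "__main__":
    print(validate_vpc_cidr("10.0.0.0/16"))
    print(validate_vpc_cidr("8.8.0.0/16"))
    print(subnet_reserved_addresses("10.0.1.0/24"))
```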

IPv6-only Subnet
- Can only support Nitro instances

Internet Gateway
- Allows resources (e.g. EC2 instances) in a VPC to connect to the Internet
- It scales horizontally and is highly available and redundant
- Must be created separately from a VPC and attached to a VPC
- Subnet route tables must be configured to route the traffic to the internet gateway to access the internet
- A subnet becomes a public subnet when it is connected to and routed through an internet gateway

Bastion Host
- BH is an instance in a public subnet which has access to other instances in the private subnet
- To be able to SSH into private instances via the BH, the SG of the BH has to allow port 22 from the internet and the SG of the private instances must allow SSH from the SG of the bastion host

NAT Instance
- An instance in the public subnet through which the private instances can access the internet
- Must have an Elastic IP attached to it
- Must disable EC2 setting: Source / destination Check
- An instance can be a NAT instance by configuring it using NAT AMIs
- Route tables of private subnets must be configured to route traffic from private subnets to the NAT Instance

NAT Instance SG rules
- Inbound:
- Allow HTTP / HTTPS traffic coming from Private Subnets
- Allow SSH from source network (access is provided through Internet Gateway)
- Outbound:
- Allow HTTP / HTTPS traffic to the Internet

NAT Gateway
- AWS-managed NAT instance
- Higher bandwidth, high availability, no administration
- Pay per hour for usage and bandwidth
- NAT GW is AZ-bound
- Uses an Elastic IP
- Can’t be used by EC2 instance in the same subnet (only from other subnets)
- Private Subnet => NATGW => IGW
- 5 Gbps of bandwidth with automatic scaling up to 100 Gbps

SGs and NACLs


SGs
- Operates at instance level
- Stateful (always allow return traffic)
- Only support 'Allow' rules
- Evaluate all the rules before deciding to allow
- Newly created SG will 'Deny' every inbound traffic and 'Allow' every outbound traffic

NACLs
- Operates at subnet level
- Stateless
- Supports both 'Allow' and 'Deny' rules
- One NACL per subnet, new subnets are assigned the Default NACL
- NACLs and subnets are decoupled and NACLs live in VPC
- Default NACL is "allow all"
- Newly created NACLs will deny everything (inbound or outbound)
- NACLs have to be configured to allow inbound and outbound ephemeral ports since they are stateless

NACL Rules
- Rules have a number (1-32766); a lower number has higher precedence
- First rule match will drive the decision
- The last rule is an asterisk (*) and denies a request in case of no rule match
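The NACL evaluation order and the stateless ephemeral-port requirement above, as an added example that is not part of the original notes: a simulator that applies rules in number order with first-match-wins and the implicit '*' deny, then checks both halves of a TCP connection so that an outbound rule set missing the 1024-65535 range visibly drops the server's replies. The rule sets are constructed for the example.

```python
"""Simulate how a subnet NACL evaluates a TCP connection in both directions.

Added example (not from the original notes). Rules are checked in ascending
rule-number order, the first match decides, and the implicit '*' rule denies
anything unmatched. Because NACLs are stateless, the response half of a
connection is evaluated against the outbound rules with the client's ephemeral
port as the destination port. The rule sets below are constructed sample data.
"""
import ipaddress

DEFAULT_DENY = ("*", "deny")  # the trailing asterisk rule


def evaluate(rules, protocol, remote_ip, dst_port):
    """Return (rule_number, action) of the first matching rule, else DEFAULT_DENY."""
    addr = ipaddress.ip_address(remote_ip)
    for r in sorted(rules, key=lambda x: x["number"]):
        low, high = r["ports"]
        if (r["protocol"] in ("all", protocol)
                and addr in ipaddress.ip_network(r["cidr"])
                and low <= dst_port <= high):
            return r["number"], r["action"]
    return DEFAULT_DENY


def tcp_flow_allowed(inbound, outbound, client_ip, client_port, server_port):
    """Check both halves of a client->server TCP connection through the NACL."""
    request = evaluate(inbound, "tcp", client_ip, server_port)    # client -> server
    response = evaluate(outbound, "tcp", client_ip, client_port)  # server -> client
    return {"request": request, "response": response,
            "allowed": request[1] == "allow" and response[1] == "allow"}


def rule(number, protocol, cidr, ports, action):
    return {"number": number, "protocol": protocol, "cidr": cidr,
            "ports": ports, "action": action}


INBOUND = [
    rule(50, "all", "203.0.113.0/24", (0, 65535), "deny"),  # explicit block wins by number
    rule(100, "tcp", "0.0.0.0/0", (443, 443), "allow"),
    rule(110, "tcp", "10.0.0.0/16", (22, 22), "allow"),
]
# Outbound set that forgot the ephemeral range: replies to clients hit the '*' deny.
OUTBOUND_BROKEN = [rule(100, "tcp", "0.0.0.0/0", (443, 443), "allow")]
# Corrected set: allow TCP 1024-65535 outbound so return traffic reaches the client.
OUTBOUND_FIXED = OUTBOUND_BROKEN + [rule(110, "tcp", "0.0.0.0/0", (1024, 65535), "allow")]
```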

VPC Peering
- Privately connect two VPCs using AWS network
- Peer VPCs must not have overlapping CIDRs
- VPC Peering connection is NOT transitive
- Route tables of subnets in both VPCs have to be updated to route the traffic to the other VPC through the peering connection
- Can create VPC Peering connection between VPCs in different AWS accounts/regions
- Can reference a security group in a peered VPC (cross accounts but same region)

VPC End Points


- VPC Endpoints (powered by AWS PrivateLink) allow connecting to AWS services using a private network instead of using the public Internet
- Removes the need for IGW, NATGW, ... to access AWS Services

Types
- Interface Endpoint
- Gateway Endpoint

Interface Endpoint
- Provisions an ENI (private IP address) as an entry point (must attach a Security Group)
- Supports most AWS services
- $ per hour + $ per GB of data processed
- Can be used to connect to another VPC
- Uses AWS PrivateLink to connect the endpoint to services
Gateway Endpoint
- Provisions a gateway and must be used as a target in a route table (does not use security groups)
- Free
- Supports S3 and DynamoDB
- If S3 or DynamoDB is not in the same region as the subnet, Gateway Endpoint cannot be used since Gateway Endpoint is a regional service (use NAT gateway or Interface Endpoint instead)
- Can attach an endpoint policy that controls access to the service to which you are connecting
- Does not use AWS PrivateLink

Flow Logs
- Capture information about IP traffic going into your interfaces
- Can query VPC flow logs using Athena on S3 or CloudWatch Logs Insights

Flow Logs data can go into:


- S3
- Cloudwatch logs
- Kinesis Data Firehose
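The kind of query the notes say you would run over flow logs with Athena or CloudWatch Logs Insights, as an added example that is not part of the original notes: a parser for the default version 2 flow log record format that counts REJECT records per source address and destination port and ranks the noisiest sources. The log lines and account ID are constructed sample data.

```python
"""Summarise rejected traffic from VPC Flow Log records.

Added example (not from the original notes). Parses the default version 2
record format (14 space-separated fields) and skips NODATA/SKIPDATA records.
SAMPLE_FLOW_LOGS is constructed data using documentation IP ranges and a
placeholder account ID.
"""
from collections import Counter, namedtuple

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
FlowRecord = namedtuple("FlowRecord", FIELDS)

SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d 203.0.113.12 10.0.1.25 43122 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.12 10.0.1.25 43123 22 6 3 180 1700000001 1700000061 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.12 10.0.1.25 43124 3389 6 2 120 1700000002 1700000062 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.8 10.0.1.25 51515 443 6 20 4800 1700000003 1700000063 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.8 10.0.1.25 51516 22 6 1 60 1700000004 1700000064 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000005 1700000065 - NODATA
"""


def parse_flow_log(text):
    """Yield a FlowRecord for each well-formed line whose log_status is OK."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed or custom-format line; ignore
        rec = FlowRecord(*parts)
        if rec.log_status != "OK":
            continue  # NODATA / SKIPDATA carry no traffic fields
        yield rec


def rejected_by_source(text, min_count=1):
    """Return {(srcaddr, dstport): count} for REJECT records seen at least min_count times."""
    counts = Counter(
        (rec.srcaddr, int(rec.dstport))
        for rec in parse_flow_log(text) if rec.action == "REJECT"
    )
    return {key: n for key, n in counts.items() if n >= min_count}


def top_rejected_sources(text, limit=3):
    """Rank source addresses by total rejected flows across all destination ports."""
    per_source = Counter()
    for (src, _port), n in rejected_by_source(text).items():
        per_source[src] += n
    return per_source.most_common(limit)


if __name__ == "__main__":
    for (src, port), n in sorted(rejected_by_source(SAMPLE_FLOW_LOGS).items()):
        print(f"{src:>15} -> port {port:<5} rejected {n}x")
    print(top_rejected_sources(SAMPLE_FLOW_LOGS))
```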

Site-to-site VPN Connection


- To connect VPC with on-prem servers through private VPN connection over public network
- Site-to-site VPN connection can be used as a backup connection to Dx connection
Need 2 things:
- Virtual Private Gateway (VGW)
- Customer Gateway (CGW)

VGW
- VPN concentrator on the AWS side of the VPN connection
- VGW is created and attached to the VPC from which you want to create the Site-to-Site VPN connection
- Need to enable Route Propagation for the VGW in the route table that is associated with the subnets in the VPC
CGW
- Software application or physical device on customer side of the VPN connection
- Need public Internet-routable IP address for the Customer Gateway device
- If CGW is private, need NAT device to enable public routing

VPN CloudHub
- Provide secure communication between multiple sites, if you have multiple VPN connections
- To set it up, connect multiple VPN connections on the same VGW, setup dynamic routing and configure route tables

Direct Connect (Dx)


- Provides a dedicated private connection from a remote network to your VPC
- Dedicated connection must be setup between the data center and AWS Direct Connect locations
- Need to setup a VGW at VPC side
- Lead times are often longer than 1 month to establish a new connection

Connection Flows
- Private VPC Connection
- Public Resources Connection

Private Connection Flow


VGW => Dx Connector in Dx locations => Customer router in Dx locations => Customer router in customer network

Public Connection Flow
Public AWS resources (like S3) => Dx Connector in Dx locations => Customer router in Dx locations => Customer router in customer network

Direct Connect Gateway
- If you want to setup a Direct Connect to one or more VPC in many different regions (same account), you must use a Direct Connect Gateway
- Dx connection connects to Direct Connect Gateway and Direct Connect Gateway connects to multiple VGWs

Connection Types
- Dedicated Connections
- Hosted Connections

Dedicated Connections


- 1 Gbps, 10 Gbps and 100 Gbps capacity
- Physical ethernet port dedicated to a customer
- Request made to AWS first, then completed by "AWS Direct Connect Partners"

Hosted Connections


- 50 Mbps, 500 Mbps, to 10 Gbps
- Connection requests are made via "AWS Direct Connect Partners"
- Capacity can be added or removed on demand
- 1, 2, 5, 10 Gbps available at select AWS Direct Connect Partners

Encryption
- Data in transit is not encrypted but is private
- AWS Direct Connect + VPN provides an IPsec-encrypted private connection

Resiliency
- High resiliency
- Max resiliency

High resiliency
One connection at multiple Dx locations

Max resiliency
Maximum resilience is achieved by separate connections terminating on separate devices in more than one location.

Transit Gateway
- Transit Gateway sits in the middle to connect multiple VPCs transitively and can also connect to Dx Gateway and Site-to-site VPN connections
- Regional resource
- Share cross-account using Resource Access Manager (RAM)
- You can peer Transit Gateways across regions
- Route Tables: limit which VPC can talk with other VPC
- Supports IP Multicast
- Can peer multiple transit gateways in multiple regions

Site-to-site VPN ECMP (Equal Cost Multiple Paths)


- Routing strategy to allow forwarding a packet over multiple best paths
- Use case: create multiple Site-to-Site VPN connections to increase the bandwidth of your connection to AWS

VPC Traffic Mirroring


- Capture and mirror the traffic to send the mirrored traffic into own security appliances to analyze, monitor or troubleshoot
- Source and Target can be in the same VPC or different VPCs (VPC Peering)

Egress-only Internet Gateway
- Used for IPv6 only
- Similar to a NAT Gateway but for IPv6
- Must update the Route Tables
- Allows instances in your VPC outbound connections over IPv6 while preventing the internet from initiating an IPv6 connection to your instances

AWS Network Firewall


- Protect entire VPC
- From Layer 3 to Layer 7 protection
- Internally uses AWS Gateway Load Balancer
- Rules can be centrally managed cross-account by AWS Firewall Manager to apply to many VPCs
- Can send logs of rule matches to Amazon S3, CloudWatch Logs, Kinesis Data Firehose

Protect directions


- VPC to VPC traffic
- Outbound to internet
- Inbound from internet
- To/from Direct Connect & Site-to-Site VPN
Fine-grained Controls
- IP & port - example: 10,000s of IPs filtering
- Protocol – example: block the SMB protocol for outbound communications
- Stateful domain list rule groups: only allow outbound traffic to *.mycorp.com or third-party software repo
- General pattern matching using regex
- etc

Cost

Cost Explorer
- Visualize, understand, and manage AWS costs and usage over time
- Create custom reports that analyze cost and usage data
- Monthly, hourly, resource level granularity
- Forecast usage up to 12 months based on previous usage
- Have API support with pagination

Cost Anomaly Detection


- Continuously monitor cost and usage using ML to detect unusual spends
- Monitor AWS services, member accounts, cost allocation tags, or cost categories
- Sends the anomaly detection report with root-cause analysis
- Get notified with individual alerts or daily/weekly summary (using SNS)