
#Keep Learning Keep Growing

AWS - Cloud Practitioner Part 1

Problem with Traditional IT Approach


- Pay rent for data centers
- Power, cooling and maintenance
- Adding and replacing hardware
- Limited scaling
- 24*7 support

This is where cloud computing comes into play.

Cloud Computing
On-demand delivery of compute power, database storage, applications and other IT services.

Benefits :-
- Pay as you use
- Highly scalable
- Simple access
- High Elasticity

Types of Cloud
● Private Cloud - Only for a particular organization, not for the public. Highly sensitive data.
High security. Ex - Rackspace
● Public Cloud - Owned and operated by a third party. Ex - Azure, GCP, AWS
● Hybrid Cloud - Combines both public and private

Cloud Characteristics
- On demand self-service
- Elastically scalable
- Multitenancy & Resource pooling
- Broad network access

Six advantages of Cloud Computing


- Trade Capex for Opex
- Benefit from massive economies of scale
- Incredible elasticity
- Low Cost
- High speed and agility
- Go global in minutes
AWS - Amazon Web Services
Currently the leading cloud service provider in the world.

81 Availability Zones & 25 geographic regions (the count at the time of these notes; it keeps growing)

Each region has several Availability Zones (the course quotes a minimum of 2 and a maximum of 6).

Regions are interconnected through the AWS global network.

Each region has its own code (e.g. ap-south-1 for Mumbai, us-east-2 for Ohio) and is a cluster of data centers.

Factors for choosing an AWS region :-

- Compliance (data residency rules, country-wise)
- Proximity - latency (fast delivery to your users)
- Available services vary by region
- Cost varies by region

Availability Zones - one or more data centers, isolated from each other to contain disasters,
interconnected via high-bandwidth, low-latency links.

Edge Locations - 216 points of presence in 84 cities and 42 countries.

Content delivery at low latency.

Simply create an AWS account → link a credit card and you are ready.

Always choose a region geographically close to you for the lowest latency.

Global services (IAM, for example) do not require region selection.

Most services are regional (region-specific services).

Shared Responsibility
Customer → responsible for security IN the cloud (guest OS patching, security group and firewall configuration, IAM users and permissions, encrypting data)
AWS → responsible for security OF the cloud (hardware, facilities, network, and the software behind managed services)
Services

IAM
Identity and Access Management. A global service.
The root account is created by default; it shouldn't be used for day-to-day work or shared.
Users - people within the org
Groups - collections of users (groups contain only users, not other groups)
Users can belong to one group, multiple groups, or none.

Policies - JSON documents that define what a user, group or role is allowed to do.


Select IAM in Services
Create a user → set a password → create a group or add to an existing one → add
permissions as required → add tags (IAM tags are key-value pairs you can add to the user. Tags
can include user information, such as an email address, or be descriptive, such as a job title. You
can use the tags to organize, track, or control access for this user.)
Finally create the user → Close

Go to dashboard and you can customize the sign-in Url for IAM users. Ex
-https://chitu-test.signin.aws.amazon.com/console
IAM policy structure

- Version: policy language version (use "2012-10-17")
- Id: optional identifier for the policy
- Statement: one or more statements, each with:
  - Sid: optional statement identifier
  - Effect: Allow or Deny
  - Principal: the account, user or role the statement applies to (used in resource-based policies)
  - Action: the API actions allowed or denied (e.g. s3:GetObject)
  - Resource: the ARNs the actions apply to
  - Condition: optional conditions under which the statement applies

Inheritance of policies → users inherit the policies of their groups and can also have policies attached individually.

You can attach existing (AWS managed) policies and also create your own policy.
IAM Password Policies
Set minimum length, required character types (upper and lower case, numbers, symbols)
Allow users to change their own passwords
Password expiry (time bound, e.g. 90 days)
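To make the structure above concrete, here is an added Python example (not code from the course or from AWS) that builds a small least-privilege policy, checks it has the fields listed above, and simulates the IAM evaluation rule that an explicit Deny always beats an Allow and that everything not allowed is denied. The policy, the bucket name and the Bool-only condition support are assumptions for illustration; real IAM evaluation has many more condition operators and policy types.

```python
import fnmatch
import json

# Constructed example policy: a read-only auditor for one bucket that is
# additionally denied any S3 call made over plain HTTP. Illustration only.
EXAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Id": "ExampleReadOnlyAuditor",
    "Statement": [
        {
            "Sid": "AllowListAndRead",
            "Effect": "Allow",
            "Action": ["s3:ListBucket", "s3:GetObject"],
            "Resource": ["arn:aws:s3:::example-audit-bucket",
                         "arn:aws:s3:::example-audit-bucket/*"],
        },
        {
            "Sid": "DenyUnencryptedTransport",
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": "*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}

REQUIRED_STATEMENT_KEYS = {"Effect", "Action", "Resource"}


def validate_policy(policy):
    """Return a list of structural problems (empty list means well-formed).

    Checks the fields from the notes: Version, Statement, and per statement
    Effect/Action/Resource (Sid, Principal and Condition are optional).
    """
    problems = []
    if policy.get("Version") != "2012-10-17":
        problems.append("Version must be 2012-10-17")
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return problems + ["Statement must be a non-empty list"]
    for i, st in enumerate(statements):
        missing = REQUIRED_STATEMENT_KEYS - st.keys()
        if missing:
            problems.append(f"statement {i}: missing {sorted(missing)}")
        if st.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {i}: Effect must be Allow or Deny")
    return problems


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    # Only the Bool operator is modelled here (enough for aws:SecureTransport).
    for operator, pairs in (condition or {}).items():
        if operator != "Bool":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in pairs.items():
            if str(context.get(key, "")).lower() != str(expected).lower():
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Simplified IAM evaluation: default Deny, explicit Deny wins over Allow.

    Action and Resource patterns use IAM's '*' wildcard (matched with fnmatch).
    """
    context = context or {}
    decision = "Deny"
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(st["Resource"])):
            continue
        if not _condition_matches(st.get("Condition"), context):
            continue
        if st["Effect"] == "Deny":
            return "Deny"          # an explicit deny is final
        decision = "Allow"
    return decision


if __name__ == "__main__":
    print(json.dumps(EXAMPLE_POLICY, indent=2))
    print("problems:", validate_policy(EXAMPLE_POLICY))
    obj = "arn:aws:s3:::example-audit-bucket/report.csv"
    print("GetObject over HTTPS:", evaluate(EXAMPLE_POLICY, "s3:GetObject", obj, {"aws:SecureTransport": "true"}))
    print("GetObject over HTTP: ", evaluate(EXAMPLE_POLICY, "s3:GetObject", obj, {"aws:SecureTransport": "false"}))
    print("PutObject:           ", evaluate(EXAMPLE_POLICY, "s3:PutObject", obj, {"aws:SecureTransport": "true"}))
```

The PutObject call is denied even though no statement mentions it: that is the implicit deny, which is why a policy only needs to list what a user must be able to do.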

MFA - Multi Factor Authentication

MFA - password you know + security device you own = successful login

MFA devices on AWS

- Virtual MFA device: Google Authenticator, Authy (multi-device)
- U2F security key: a physical device such as a YubiKey by Yubico (third party); plug it in and touch it to complete the login
- Hardware key fob MFA device
- Hardware key fob MFA device for AWS GovCloud

Changing the password policy for IAM users

Account settings → Change password policy → Set → Save

Enable MFA for the root user
Your account name → Security credentials → Activate MFA

AWS CLI
Enables you to interact with AWS services from the command line.
Direct access to the public APIs of AWS services.
You can develop scripts to manage your resources.

AWS SDK
Software Development Kit: a set of libraries that lets you access and manage AWS services
programmatically, embedded within your app. Supports multiple programming languages
(e.g. JavaScript, Python, PHP).
Mobile SDKs (Android, iOS)
IoT device SDKs (Arduino, Embedded C)

Set up AWS CLI on Windows → download the latest AWS CLI v2 MSI installer from AWS.
You can create access keys for IAM users.
Never use the root user for the CLI. Go to Users → Security credentials → Create access key.
You can download the CSV; the secret access key is shown only at creation time, so store it securely and never commit it to source control.

Access keys are mainly used for the CLI and SDKs.

Interacting using AWS CLI

Type → aws configure - in the CLI

Give Access Key ID → Secret Access Key → default region (→ output format).
The CLI stores these in ~/.aws/credentials and ~/.aws/config; you can now call the APIs.
Type
aws iam list-users

It will list all users in your account.

AWS CloudShell

Browser-based shell from which you can interact with AWS without installing or configuring the CLI on your
local machine. It provides command line access to AWS resources and tools, with the AWS CLI preinstalled and your console credentials already in place.

This service is region specific, not global. I am using us-east-2

Click on the CloudShell icon beside the bell.

CloudShell comes with the AWS CLI and common tools preinstalled.

Files created in the home directory persist between sessions (1 GB per region).
You can download and upload files.
Preparing two CloudShell environments.

AWS IAM Roles for Services

Some AWS services need to perform actions on your behalf; for that we create roles for services (e.g. an EC2 instance role), so no long-lived access keys have to be stored on the resource.

You can create roles for specific services provided by AWS.

Go to Roles → Create Role → choose the trusted service → Add permissions

IAM Security Tools

IAM credential report (account level) - lists all users in the account along with the status of their
credentials (password, access keys, MFA, and when each was last used or rotated).

IAM Access Advisor (user level) - shows the service permissions granted to a user and when those
services were last accessed.

Download the credential report for auditing

A CSV report is downloaded.

These reports are extremely useful for security purposes.

Access Advisor

You can remove permissions that a user isn't using (least privilege).
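The credential report is only useful if something reads it. The following is an added Python example (not from the course or from AWS) that audits a report for the problems the best-practice list below warns about: root with access keys or without MFA, console users without MFA, and access keys that are old or unused. The column names are a subset of those in the real report, but the rows, the 90-day rotation limit and the 45-day "unused" threshold are assumptions constructed for this example.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of an IAM credential report (subset of its
# columns). Rows are invented; the root user appears as <root_account>.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2021-01-05T10:00:00+00:00,not_supported,2021-01-05T10:00:00+00:00,false,true,2021-01-06T09:00:00+00:00,N/A
alice,arn:aws:iam::123456789012:user/alice,2022-03-01T08:00:00+00:00,true,2024-05-20T08:00:00+00:00,true,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2022-03-01T08:00:00+00:00,true,2023-01-15T08:00:00+00:00,false,true,2023-01-15T08:05:00+00:00,2024-06-01T12:00:00+00:00
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2023-07-10T08:00:00+00:00,false,N/A,false,true,2024-05-01T08:00:00+00:00,N/A
"""

MAX_KEY_AGE = timedelta(days=90)    # assumed rotation limit, matching the 90-day password expiry
STALE_KEY_AGE = timedelta(days=45)  # assumed: an active key unused this long should be removed
EXAMPLE_NOW = datetime(2024, 6, 10, tzinfo=timezone.utc)  # fixed "today" so results are reproducible


def _parse_ts(value):
    """Report timestamps are ISO 8601; non-dates are markers such as N/A."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now):
    """Return (user, finding) pairs for each credential problem found."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # Root should have no access keys at all and must have MFA.
            if row["access_key_1_active"] == "true":
                findings.append((user, "root user has an active access key"))
            if row["mfa_active"] != "true":
                findings.append((user, "root user has no MFA"))
            continue
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password enabled without MFA"))
        if row["access_key_1_active"] == "true":
            rotated = _parse_ts(row["access_key_1_last_rotated"])
            if rotated is not None and now - rotated > MAX_KEY_AGE:
                findings.append((user, f"access key not rotated for over {MAX_KEY_AGE.days} days"))
            last_used = _parse_ts(row["access_key_1_last_used_date"])
            if last_used is None or now - last_used > STALE_KEY_AGE:
                findings.append((user, "active access key never or not recently used"))
    return findings


def run_example():
    """Audit the constructed report as of EXAMPLE_NOW."""
    return audit_credential_report(SAMPLE_REPORT, EXAMPLE_NOW)


if __name__ == "__main__":
    for user, finding in run_example():
        print(f"{user:15} {finding}")
```

To run it against a real account, replace SAMPLE_REPORT with the CSV downloaded from the console (or from `aws iam get-credential-report`, which returns it base64-encoded) and use `datetime.now(timezone.utc)` as `now`.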

Best Practices
- Do not use the root account except for initial account setup
- Use MFA
- Use a strong password policy
- Do not share credentials with friends or colleagues; create a separate IAM user for them
- Create and use roles for services instead of embedding access keys
- Generate access keys (never the root user's) for AWS CLI/SDK use only, and rotate them
- Audit with the credential report and Access Advisor
AWS Billing

Go to your account → Billing information → you get everything.

Set up your monthly budget for the amount you want to spend per month and create threshold
alerts so you are warned before you exceed it.

Amazon EC2

It is basically Elastic Compute Cloud. Serves as a virtual machine with the configuration of your choice.
It is Infrastructure as a Service.
Capabilities :-
Renting VMs (EC2)
Storing data on virtual drives (EBS, Elastic Block Store)
Distributing load using ELB (Elastic Load Balancing)
Scaling services using ASG (Auto Scaling Groups)

EC2 sizing and configuration options

OS : Windows, Linux or macOS

Compute power & cores (CPU)
RAM as per needs
Storage - network attached (EBS & EFS) / physical (EC2 Instance Store)
Network card - speed of the card, public IP you want
Security groups → firewall rules
Bootstrap script → EC2 user data

Bootstrapping instances using EC2 user data script

Bootstrapping means launching commands when a machine starts.
It runs only once, at the instance's first boot.
This is used to automate boot tasks:
installing updates, installing software, downloading common files from the internet at start-up, anything you
want.
The EC2 user data script runs as the root user, so anything in it runs with full privileges on the instance.

Instances :-

Select area close to you Mumbai in my case


Steps to Create EC2 instance

Select EC2 service

1. Select AMI or Amazon Machine Image (selects the OS)

2. Choose Instance Type (CPU, RAM)

3. Configure Instance Details (number of instances, network, IAM role, user data script)

User data script :-

#!/bin/bash
# EC2 user data script: runs once, as root, at first boot (top to bottom)
# install httpd (Amazon Linux 2 version)
yum update -y
yum install -y httpd
systemctl start httpd
systemctl enable httpd
echo "<h1>Hello World from $(hostname -f)</h1>" > /var/www/html/index.html

This launches a web server on the EC2 instance and writes an index page to it.
4. Add Storage
As per the storage you want; free tier eligible up to 30 GB of EBS.

5. Add Tags
6. Configure Security Group

Add rules as per your needs; HTTP in my case, to allow browsing the website on my EC2
instance from anywhere.

7. All set → review your configuration and Launch

Generate Key Pair

Download it and do not lose the file (it is the private key for SSH and cannot be downloaded again).

And your instance is launched.

This is your instance dashboard where you can see all the instances you have created and
check their details. You can change the instance state: Start, Stop, Reboot, Terminate.

Always stop while you are not using it.

EC2 Instance Types

You can use different types of instance for different optimisation purposes.

Naming Convention
m5.2xlarge
m: instance class
5: generation of instance
2xlarge: size of instance

General Purpose Instances :-

Diverse workloads such as web servers and code repositories.
Good balance between
Compute
Memory
Networking

We use t2.micro in this course (free tier 750 hrs/month)

Compute optimized

Ex C5

Memory optimized

Storage optimized
Introduction to Security Groups

Firewall and Security

- They control the traffic that is allowed into (and out of) an EC2 instance
- They contain only allow rules (there is no deny rule; anything not allowed is dropped)
- Rules can reference an IP range (CIDR) or another security group
- They regulate ports
- Rules name the authorised IP ranges, IPv4 or IPv6
- They control inbound and outbound traffic (other hosts to this instance and vice versa)

Security groups can be attached to multiple instances.

They are region and VPC specific; if you change region you need to create the security group again in that VPC.

If traffic is blocked by the security group the EC2 instance never sees it, so the client gets a timeout rather than a connection refused.

Good to maintain one separate security group for SSH.
By default all inbound traffic is blocked.
All outbound traffic is authorised.

Security groups can reference other security groups: an inbound rule whose source is security group X allows traffic from any instance that has X attached, whatever its IP. This is how instances sharing a group (with a rule referencing that group) talk to each other.

Ports you need to know

- SSH - 22 (log into a Linux EC2 instance)
- FTP - 21 (file transfer)
- SFTP - 22 (file transfer over SSH)
- HTTP - 80 (browse unsecured websites)
- HTTPS - 443 (browse secured websites)
- RDP - 3389 (Remote Desktop Protocol for Windows)

When you open your instance IP in the browser and see endless loading (a timeout), the problem
is almost always the security group.
From Actions you can edit network settings and manage the security groups of a particular instance.
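As an added example (not from the course or from AWS), the Python below models the allow-only, default-drop behaviour described above over a security group in the shape returned by `aws ec2 describe-security-groups`, and runs two checks a reviewer would want: would a given source IP reach a given port (the "endless loading" question), and which management ports are open to the whole internet. The group, its rules and the CIDRs are constructed placeholders, and only IPv4 rules are modelled.

```python
import ipaddress

# Ports whose exposure to 0.0.0.0/0 is a classic finding.
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}

# Constructed security group in the shape of describe-security-groups output
# (IPv4 only). The group id and CIDRs are placeholders.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "web-and-ssh",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        # Self-referencing rule: any protocol from instances in this same group.
        {"IpProtocol": "-1", "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0"}]},
    ],
}


def _rule_covers(rule, port, protocol="tcp"):
    """Does this rule's protocol/port range include the port?"""
    if rule["IpProtocol"] == "-1":          # "-1" means all traffic
        return True
    if rule["IpProtocol"] != protocol:
        return False
    return rule["FromPort"] <= port <= rule["ToPort"]


def inbound_allowed(sg, port, source_ip, source_groups=(), protocol="tcp"):
    """Would the group let a packet from source_ip reach port?

    Only allow rules exist, so any matching rule permits the packet and the
    default is to drop it (which the client experiences as a timeout).
    source_groups: security groups attached to the sending instance, for
    rules that reference a group instead of a CIDR.
    """
    src = ipaddress.ip_address(source_ip)
    for rule in sg["IpPermissions"]:
        if not _rule_covers(rule, port, protocol):
            continue
        if any(src in ipaddress.ip_network(r["CidrIp"]) for r in rule.get("IpRanges", [])):
            return True
        if any(p["GroupId"] in source_groups for p in rule.get("UserIdGroupPairs", [])):
            return True
    return False


def world_open_management_ports(sg):
    """(port, name, cidr) for every management port reachable from 0.0.0.0/0."""
    findings = []
    for rule in sg["IpPermissions"]:
        for r in rule.get("IpRanges", []):
            if ipaddress.ip_network(r["CidrIp"]).prefixlen != 0:
                continue                     # not a whole-internet range
            for port, name in MANAGEMENT_PORTS.items():
                if _rule_covers(rule, port):
                    findings.append((port, name, r["CidrIp"]))
    return findings


if __name__ == "__main__":
    print("HTTP from anywhere:   ", inbound_allowed(SAMPLE_SG, 80, "198.51.100.7"))
    print("SSH from office range:", inbound_allowed(SAMPLE_SG, 22, "203.0.113.9"))
    print("SSH from elsewhere:   ", inbound_allowed(SAMPLE_SG, 22, "198.51.100.7"), "(browser/ssh would hang)")
    print("Peer in same group:   ", inbound_allowed(SAMPLE_SG, 22, "10.0.0.5", source_groups={"sg-0123456789abcdef0"}))
    print("World-open mgmt ports:", world_open_management_ports(SAMPLE_SG))
```

The RDP rule is the one to fix: management ports should be limited to known source ranges or to a bastion's security group, which is why the notes recommend a separate security group for SSH.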

SSH Overview

CLI utility that connects you to your instance from Mac, Linux, or Windows 10 and above.
Below Windows 10 you can use PuTTY → lets you use the SSH protocol.
EC2 Instance Connect uses the web browser to connect to your EC2 instance; it only works with
supported AMIs such as Amazon Linux 2.

SSH allows you to control an EC2 instance using the command line.

You need to provide the key file while remotely accessing your instance.
If the key file is not protected, restrict it first (SSH refuses a private key readable by others):
chmod 0400 <key>
ssh -i <key> ec2-user@<public IP>

After that you are in your machine and can use it.

Getting into my EC2 instance using Command Prompt / Windows PowerShell

Ping wasn't stopping until Ctrl-C.

SSH Troubleshooting

Always ensure the security group has an inbound rule for SSH (port 22); otherwise you get a connection timeout.

If your security group is properly configured as above and you still have connection timeout
issues, then a corporate firewall or a personal firewall is blocking the connection.

The SSH client is not available on Windows versions lower than 10 (use PuTTY).

If connection refused → restart your instance; if that doesn't work, create a new one.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic)

This means one of two things:

● You are using the wrong key or no key. Look at your EC2 instance
configuration to make sure you have assigned the correct key pair to it.
● You are using the wrong user. Make sure you have started an Amazon
Linux 2 EC2 instance, and make sure you're using the user ec2-user.
This is what you specify in ec2-user@<public-ip> (ex:
ec2-user@35.180.242.162) in your SSH command or your PuTTY
configuration.

Used ps and top in my Linux EC2 instance; tried out many more commands.
Exit to log out.

Accessing EC2 instances using EC2 Instance Connect. It works over SSH, so make sure port 22
is allowed in the security group.
Does not work with every AMI.

EC2 instances using IAM roles

Never enter your access key ID and secret key on an EC2 instance (for example via aws configure in Instance Connect): anyone else with access to the instance can read them from ~/.aws/credentials and act as you.

Instead attach an IAM role to the instance; the instance obtains temporary credentials for the role automatically, and you grant the role only the permissions it needs.


AWS Instance Launch Types
EBS (Elastic Block Store)

A network drive that you can attach to your instances while they run.
Allows instances to persist data even after termination.
At CCP level: one EBS volume is attached to one instance at a time (multi-attach for io1/io2 volumes is an architect/DevOps-level topic), but you can attach multiple EBS volumes to one instance.
Bound to a specific Availability Zone.

It is a network drive: it can be attached to other instances quickly; there may be a bit of latency as the
network is involved; you cannot attach it in a different Availability Zone, for that you need a snapshot;
you get billed for the provisioned capacity.

An EBS volume can be left unattached.

Delete on termination can be enabled or disabled per volume.

Go to Instance → click the instance → select EBS storage → Create Volume (give the size and
other parameters) → attach the volume to your instance.
Make a backup snapshot of your EBS volume; detach the volume (or stop the instance) before snapshotting for a consistent copy.
Snapshots can be copied across AZs and regions.

You can restore a snapshot into a new volume in a different Availability Zone and attach it there.
Creating a demo snapshot of EBS
Right click EBS volume → Create snapshot

Snapshot created
You can copy snapshots and restore volumes from them in a different AZ.

AMI

Amazon Machine Image overview

They are customizations of your EC2 instance.
You bake in your own OS, software, configuration, monitoring, etc. → faster boot, since the software is pre-installed.
An AMI is built for a specific region and can be copied across regions.
AWS provides → public AMIs
You can create your own AMI
People can create AMIs and sell them in the AWS Marketplace.

Create an instance → select it → Image and templates → Create image → give it a name

Name the AMI
Go to AMIs and check the one you created
Launch an instance with your AMI

EC2 Image Builder

Used to automate the creation of VM or container images.

Automates the creation, maintenance, validation and testing of EC2 AMIs.
EC2 Image Builder → builds an EC2 instance → creates a new AMI → launches a test EC2 instance to validate it
You can run it on a schedule.
Choose the service → Create image pipeline
Specify a name

Build schedule
Add tags

Create a new recipe

Select the base image
Select the image name

Select the components you want to install

Create a new infrastructure configuration

Create and add a role (the build instance needs an instance profile)

Select AWS infrastructure

Create distribution settings

Add more regions to distribute your image to

Review and create the pipeline

Run the pipeline

Check EC2 instances (a build instance appears while the pipeline runs)

Then launch an instance from the new AMI like before.


EC2 Instance Store

EBS volumes are network drives → limited performance.

If you want something more powerful use EC2 Instance Store.
It is the hard drive attached to the physical server.
Better I/O performance → high disk performance
If you stop or terminate your instance the data is lost; that's why it is called ephemeral storage.
Used for buffer/cache/temporary content → for long-term storage use EBS.
If the hardware fails there is a risk of data loss, so back it up.

Elastic File System

Managed network file system (NFS) that can be mounted on hundreds of EC2 instances in different Availability
Zones; works with Linux.
Highly available, scalable, and more expensive than EBS.

An EBS snapshot copied to another AZ is a point-in-time copy, not kept in sync.

EFS is kept in sync: a shared file system across all AZs → the same files visible from every instance.

EFS-IA - Infrequent Access → storage class for files that you don't access often
92 percent lower cost for storing data
EFS automatically moves files to IA according to when they were last accessed, as defined by a lifecycle policy,
e.g. move files that have not been accessed for 60 days.

Amazon FSx for Windows File Server

Highly reliable Windows-native shared file system.
Built on Windows File Server
Supports SMB and Windows NTFS
Integrated with Microsoft Active Directory

FSx for Lustre

For high performance computing (HPC)
Linux and cluster → Lustre
ML, analytics, video processing
Scales to hundreds of GB/s of throughput and millions of IOPS
Elastic Load Balancing

Scalability means adapting as per load requirements.

Two types of scalability

● Horizontal - increasing the number of instances (scale in/out)
● Vertical - increasing the size of an instance (scale up/down)

High Availability - running apps/systems in at least two Availability Zones so the app survives if one goes down.
Survive data loss and disaster.

Elasticity - related to auto-scaling

Load balancers are servers that forward incoming traffic to multiple EC2 instances downstream.

Why use?

● Spreading load
● Single point of access (DNS) to your app
● Seamlessly handle failures of downstream instances
● Regular health checks of instances
● Provide SSL termination (HTTPS) for your website
● High availability across zones
● Less expensive than running and maintaining your own load balancer

Types of balancers :-

● Application Load Balancer HTTP/HTTPS - Layer 7
● Network Load Balancer (ultra high performance for TCP/UDP) - Layer 4 - high loads
● Classic Load Balancer (End of Life) - both Layer 4 and 7
● Gateway Load Balancer - Layer 3, routes traffic through third-party virtual appliances such as firewalls and intrusion detection systems
Setup Load Balancer

Step 1 → Navigate to Load Balancers → Create Load Balancer

Step 2 → Select the load balancer type you want (Application Load Balancer)

Step 3 → Configure the LB; check all AZs for better availability.

Step 4 - Configure security settings (HTTPS listener and certificate)

Step 5 - Configure security groups (set up ports and protocols; the instances' own security group should then allow HTTP only from the load balancer's security group, not from anywhere)

Step 6 - Configure routing (target group and health checks)

Step 7 - Register targets

Step 8 - Next, review and launch

Use the DNS name to check the load balancer is working.

Check out your created ELB.
Auto Scaling Groups

In a real-life scenario the load on your website can change drastically.

● This is where the ASG comes into play, scaling out and in as needed.
● Replaces unhealthy instances
● Automatically registers new instances with the load balancer
● Cost saving - running at optimal capacity

You can define the minimum and maximum capacity.

It works hand in hand with the ELB.

Creating an ASG

Step 1 - Navigate to Auto Scaling Groups → Create Auto Scaling Group

Step 2 - Start configuring

Step 1.1 - Create a launch template (the type of instance you want the ASG to launch →
configure it as per your needs).
Step 2 - Configure settings

Select all AZs for better scaling

Step 3 - Configure options for load balancing

Step 4 - Set up group size → min, max and desired

Enable target tracking to scale automatically according to a metric

Step 5 - Add notifications as needed

Step 6 - Add tags

Step 7 - Review and create the ASG

You will see instances getting created automatically as per the configuration of the ASG.

Even if an instance gets terminated, the ASG automatically starts another to maintain the desired
capacity.

You can edit capacity as needed from Details → Edit.

Scaling Strategies

● Manual scaling - change the desired capacity manually in the ASG

● Dynamic scaling - change according to demand → CloudWatch alarm on a usage metric
  ○ Simple / step scaling
  ○ Target tracking (e.g. keep average CPU at a target percentage)
  ○ Scheduled scaling (for a known, recurring pattern)

● Predictive scaling - uses machine learning to forecast future traffic from past patterns and
provisions the right number of EC2 instances ahead of time. Use when your load has time-based
patterns.

So these are some of the scaling strategies, to be implemented as required.

S3 (Simple Storage Service)

● Main building block of AWS
● "Infinitely" scaling storage

Use cases - backup and recovery, storage, hybrid cloud strategy, data lake, app hosting, etc.

S3 Buckets

● Amazon S3 lets you store objects in buckets
● Buckets must have a globally unique name (across all regions and all accounts)
● Buckets are created at region level
● Objects have a key. The key is the full path of the object within the bucket
● Key is composed of prefix (folders and subfolders) + object name
● Max object size 5 TB (5000 GB)
● Objects larger than 5 GB must be uploaded with multi-part upload (split into parts)

Step 1 Select S3 in the console → Create bucket

Step 2 Choose a unique name for the bucket and fill in the features as required.

Step 3 Bucket created; now click on your bucket
Step 4 - Click Upload

Step 5 - Add files

Step 6 Finally, after uploading, the file is stored as an object in the bucket

Step 7 Click on your object to see its details → you can make an object public via Object actions
(only if Block Public Access is off); you can also create a folder and upload files there
S3 Security

User based → IAM policies (which API calls a given IAM user may make)

Resource based → bucket policies, object ACLs

An IAM principal can access an S3 object if the IAM policy or the bucket policy allows it and there is no explicit deny.

Encryption: objects are encrypted at rest with server-side encryption keys (SSE-S3 by default, or a KMS key).

S3 Bucket Policies

JSON-based policies

Use bucket policies to grant access: a set of API actions to allow or deny
Principal → the account or user the policy applies to ("*" means anyone)

Use S3 bucket policies to grant public access, force objects to be encrypted, or grant cross-account
access.

Hands-on
Step 1 → Open the bucket
Step 2 → Go to Permissions → disable the Block Public Access settings (only for a bucket that is meant to be public; Block Public Access is the safety net against accidental exposure)

Step 3 → Edit bucket policy → Policy Generator

Step 4 → Set up the policy → select the policy type → set principal to all (*) → select the action as needed (s3:GetObject for public read) →
provide the ARN (copy from Edit bucket policy; use <bucket ARN>/* for the objects)

Step 5 Add Statement → Generate policy

Step 6 Copy and paste the bucket policy created above and click Save changes

Finally anyone can access the object using its public URL, as per the policy.
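Because a public bucket policy is exactly what the hands-on creates, it is worth being able to check that a policy exposes only what was intended. The Python below is an added example (not from the course or from AWS) that flags Allow statements anyone on the internet can use and checks whether the "force objects to be encrypted" deny pattern is present. The policy, bucket name and account ID are constructed placeholders.

```python
import copy

# Constructed bucket policy in the shape the policy generator produces:
# a public-read statement, a deny for unencrypted uploads and a cross-account
# grant. "example-bucket" and the account id are placeholders.
SAMPLE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "DenyUnencryptedPut", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
        {"Sid": "CrossAccountList", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-bucket"},
    ],
}

SSE_CONDITION_KEY = "s3:x-amz-server-side-encryption"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True for the two spellings of 'everyone': "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_grants(policy):
    """Sids of Allow statements usable by anyone, with no Condition narrowing them."""
    return [st.get("Sid", "<no sid>") for st in policy["Statement"]
            if st.get("Effect") == "Allow"
            and _is_anonymous(st.get("Principal"))
            and not st.get("Condition")]


def enforces_sse(policy):
    """True if some Deny statement blocks PutObject lacking the SSE header.

    Recognises the common pattern of a StringNotEquals or Null condition on
    s3:x-amz-server-side-encryption.
    """
    for st in policy["Statement"]:
        if st.get("Effect") != "Deny":
            continue
        actions = _as_list(st.get("Action", []))
        if not any(a in ("s3:PutObject", "s3:*", "*") for a in actions):
            continue
        cond = st.get("Condition", {})
        if any(SSE_CONDITION_KEY in cond.get(op, {}) for op in ("StringNotEquals", "Null")):
            return True
    return False


def without_statement(policy, sid):
    """Copy of the policy with one statement removed (for what-if checks)."""
    out = copy.deepcopy(policy)
    out["Statement"] = [st for st in out["Statement"] if st.get("Sid") != sid]
    return out


if __name__ == "__main__":
    print("public statements:", public_grants(SAMPLE_BUCKET_POLICY))
    print("forces encryption:", enforces_sse(SAMPLE_BUCKET_POLICY))
    trimmed = without_statement(SAMPLE_BUCKET_POLICY, "DenyUnencryptedPut")
    print("after removing the deny:", enforces_sse(trimmed))
```

The cross-account statement is not reported as public because its principal is a specific account; only an unconditioned "*" principal reaches the internet.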

S3 Websites

S3 can host static websites.

The website URL looks like this :- <bucketname>.s3-website-<AWS
Region>.amazonaws.com or <bucketname>.s3-website.<AWS Region>.amazonaws.com
Get an S3 bucket policy in place to make the website public (a 403 Forbidden means the policy is missing).
Step 1 Upload the index.html file to your bucket

Step 2 Open the bucket and go to Properties → scroll down to Static website hosting
Step 3 Edit static website hosting (enable it and set the index document)

Step 4 - Scroll down and check your static website URL

http://myfirstbucketchintu.s3-website.ap-south-1.amazonaws.com/
S3 Bucket versioning

Versioning is enabled in S3 at bucket level.

Any time you overwrite a file, a new version is created.
It is mainly used to protect against accidental deletes and to roll back to a previous version in case of a faulty
upgrade.

Any file not versioned prior to enabling versioning has version "null".

Go to Properties and enable bucket versioning.

Modify a file and upload it again.

You can list and delete specific versions.

With versioning, deleting a file doesn't permanently delete it; a delete marker is added as the latest
version. Deleting a specific version (or the delete marker itself) is permanent.
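The rules above (null version, a version per overwrite, delete markers, permanent deletion of a single version) are easy to get wrong in scripts that "clean up" buckets. The Python below is an added example (not from the course and not an S3 client) that models exactly those rules in a small in-memory class and replays the upload / re-upload / delete / recover sequence from the notes. Version ids are generated sequentially here; real S3 ids are opaque strings.

```python
import itertools

DELETE_MARKER = object()  # sentinel standing in for an S3 delete marker


class VersionedBucket:
    """Toy model of S3 versioning semantics, written for this example.

    Reproduces only the rules stated in the notes: a 'null' version for
    objects written before versioning was enabled, a new version on every
    overwrite, a delete marker on a simple delete, and permanent removal
    when a specific version id is deleted.
    """

    def __init__(self):
        self.versioning_enabled = False
        self._versions = {}            # key -> [(version_id, body), ...], oldest first
        self._ids = itertools.count(1)

    def enable_versioning(self):
        self.versioning_enabled = True

    def put(self, key, body):
        """Store an object; returns its version id ('null' when versioning is off)."""
        if not self.versioning_enabled:
            self._versions[key] = [("null", body)]   # overwrite in place, history lost
            return "null"
        vid = f"v{next(self._ids)}"
        self._versions.setdefault(key, []).append((vid, body))
        return vid

    def get(self, key):
        """Current body, or None if the key is absent or hidden by a delete marker."""
        versions = self._versions.get(key)
        if not versions:
            return None
        _, body = versions[-1]
        return None if body is DELETE_MARKER else body

    def delete(self, key):
        """Simple delete: adds a delete marker with versioning, really deletes without."""
        if not self.versioning_enabled:
            self._versions.pop(key, None)
            return None
        vid = f"v{next(self._ids)}"
        self._versions.setdefault(key, []).append((vid, DELETE_MARKER))
        return vid

    def delete_version(self, key, version_id):
        """Permanent: removes one version; removing a delete marker undeletes."""
        remaining = [v for v in self._versions.get(key, []) if v[0] != version_id]
        if remaining:
            self._versions[key] = remaining
        else:
            self._versions.pop(key, None)

    def list_versions(self, key):
        """(version_id, kind) newest first, as the console lists them."""
        return [(vid, "delete marker" if body is DELETE_MARKER else "object")
                for vid, body in reversed(self._versions.get(key, []))]


def walkthrough():
    """The sequence from the notes: upload, enable versioning, re-upload, delete, recover."""
    b = VersionedBucket()
    b.put("index.html", "old page")            # before versioning -> version 'null'
    b.enable_versioning()
    b.put("index.html", "new page")            # overwrite -> new version, 'null' is kept
    marker = b.delete("index.html")            # delete marker added, nothing is lost
    while_deleted = b.get("index.html")        # None: the marker hides the object
    b.delete_version("index.html", marker)     # remove the marker -> object is back
    return while_deleted, b.get("index.html"), b.list_versions("index.html")


if __name__ == "__main__":
    print(walkthrough())
```

Note the asymmetry the model makes visible: a simple delete is reversible, but delete_version is not, so tooling that iterates over versions should require an explicit confirmation.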

S3 Server Access Logs

What's happening in your S3 buckets.

Used for audit purposes → authorized and denied requests, feeding data analysis tools, spotting suspicious
patterns, etc. Helpful for RCA.

Step 1 Create a separate bucket to hold the logs of the other bucket (never log a bucket into itself; that creates a logging loop)

Step 2 - Select the bucket you want logs for → go to Properties → scroll to Server access
logging → Enable → give the bucket name where you want to store the logs → Save changes

Logs are delivered with a delay (typically within a few hours).

S3 Replication
SRR (Same Region Replication)
CRR (Cross Region Replication)

Buckets can be in different accounts

Copying is asynchronous
Versioning must be enabled on both source and destination buckets
Must give proper IAM permissions to S3

Use case CRR - compliance, lower latency access, replication across accounts

Use case SRR - live replication between prod and test accounts, log aggregation
Step 1 Create a bucket for replication and enable versioning on both buckets (mandatory)

Step 2 → Go to the bucket you want to replicate → Management tab → Create replication
rule
Step 3 → Upload a file in the main bucket after creating the replication rule and see the same file
appear in the replica bucket (only objects uploaded after the rule is created are replicated by default).

S3 Storage Classes

Standard (general purpose) - high availability, low latency and high throughput

Standard-Infrequent Access - e.g. disaster recovery; retrieval fee
One Zone-Infrequent Access - stored in 1 AZ only; data is lost if that AZ is destroyed
Intelligent Tiering - moves objects between tiers automatically based on access patterns
Glacier - archived data, frozen or kept for a long period; retrieval fee and retrieval delay
Glacier Deep Archive - cheapest, longest retrieval time → S3 Glacier Vault Lock allows you to easily deploy and
enforce compliance controls for individual S3 Glacier vaults with a vault lock policy. You
can specify controls such as "write once read many" (WORM) in a vault lock policy and
lock the policy from future edits. Once locked, the policy can no longer be changed.
S3 Durability and Availability
S3 has very high durability (99.999999999%, "11 nines"; losing an object is extremely unlikely)
High availability (the exact figure varies by storage class)
Low latency, high throughput
Hands-on

Step 1 - Add files to a bucket

Step 2 After adding, scroll down to Properties; there you will find the storage classes

Step 3 You can select the storage class as per your needs and upload the file

You can move objects to different storage classes by applying a lifecycle rule
Step 1 Go to the bucket → navigate to the Management tab

Step 2 Create Lifecycle Rule → add lifecycle rule actions as per your choice
Step 3 Add transitions → Create Rule

Step 4 And it's created

S3 Object Lock and Glacier Vault Lock → adopt a WORM (Write Once Read Many) model → objects
cannot be deleted or overwritten for the retention period
Good for audits

AWS Snow Family

Highly secure, portable physical devices for collecting and processing data at the edge and migrating data into AWS.

Data migration → Snowcone, Snowball Edge, Snowmobile

Edge computing → Snowcone, Snowball Edge

Edge location → a place without internet or far from the cloud (truck on the road, ship at
sea) that produces data.

For this we need edge computing.

AWS OpsHub → a graphical desktop application to manage Snow Family devices (an alternative to the CLI).

Step 1 → Search Snow Family in the console

Step 2 → Order an AWS Snow Family device

Step 3 → Plan your job

It is very costly.
Try out and fill in the other fields but don't create the job, or your AWS bill is going to be very heavy.

AWS Storage Gateway
