
AWSome Day

Dennis Adams
Sr AWS Technical Instructor

© 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Databases

Purpose-built databases

• Relational database: Amazon RDS, Amazon Aurora
• Nonrelational key–value: Amazon DynamoDB
• Nonrelational document: Amazon DocumentDB
• Nonrelational in-memory: Amazon ElastiCache
• Nonrelational graph: Amazon Neptune
• Nonrelational ledger: Amazon QLDB
• Also shown: Amazon Redshift
DIY vs. AWS database services

Databases on Amazon EC2:
• Operating system access
• Need features of specific application
• Focus on performance

AWS database services:
• Easy to set up, manage, maintain
• Push-button high availability
• Managed infrastructure
AWS database options

• Transactional databases: SQL – Amazon RDS; NoSQL – Amazon DynamoDB
• Data analytics or relationships: SQL – Amazon Redshift; NoSQL – Amazon Neptune
• In-memory data store and cache: Amazon ElastiCache
Amazon RDS

Set up, operate, and scale a relational database in the cloud with just a few clicks.

• Easy to set up and operate
• Scales

Database engines: Microsoft SQL Server, Oracle, MySQL, PostgreSQL, Amazon Aurora

Postgres, PostgreSQL and the Slonik Logo are trademarks or registered trademarks of
the PostgreSQL Community Association of Canada, and used with their permission.
Amazon Aurora

MySQL- and PostgreSQL-compatible relational database built for the cloud.

• Compatible
• High availability and durability
• High performance
• High scalability
• Multi-Region
Amazon DynamoDB

Fast and flexible NoSQL database service for any scale.

• Fully managed
• Fine-grained access control
• Fast, consistent performance
• Flexible
Amazon DynamoDB use cases

Leaderboards and scoring: players → game servers → leaderboard

Works well for applications that:
• Need extreme horizontal scaling capability
• Have simple high-volume data
• Need to scale quickly and with ease
• Don’t need complex joins
Knowledge check

Which of the following services can be used to deploy NoSQL workloads?

A. Amazon Aurora
B. Amazon RDS
C. Amazon DynamoDB
D. Amazon Redshift

Answer: C
Networking

Amazon Virtual Private Cloud (Amazon VPC)

• Your private network space in the AWS Cloud
• Provides logical isolation for your workloads
• Allows custom access controls and security settings for your resources

(Diagram: the AWS Cloud containing a VPC with Dev and Test environments.)
Layered network defense for VPCs

1: VPC route tables
2: Subnet ACLs: inbound/outbound
3: EC2/elastic network interface security groups: inbound/outbound
4: Third-party host-based protection (in the OS)

Security at all layers: “Defense in depth”
Using subnets to divide your VPC

A subnet is a segment or partition of a VPC’s IP address range where you can isolate a group of resources. Subnets define internet accessibility.

Private subnets:
• No routing table entry to an internet gateway
• Not directly accessible from the public internet

(Diagram: VPC 10.0.0.0/21 (10.0.0.0-10.0.7.255) with a public subnet and a private subnet in each of Availability Zone A and Availability Zone B.)


Structure your infrastructure

Traffic path: internet gateway → route table → network ACL → subnet → security group (SG) → EC2 instance 1 (10.1.1.6)

Network access control lists (ACLs):
• Allow/deny traffic in and out of subnets
• Hardens security as a secondary level of defense at the subnet level

Security groups:
• Used to allow traffic to/from at the network interface (instance) level
• Usually administered by application developers
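The two slides above (layered defense and network ACLs vs. security groups) describe the layers without showing how they decide differently. The following is an added example, not code from the deck or from AWS: a small simulator in which a network ACL is stateless, evaluated lowest rule number first, and ends in an implicit deny, while a security group is allow-only and stateful. The addresses, ports and rule sets are constructed samples (10.1.1.6 is the instance address from the slide); the scenario shows a common defender pitfall, an ACL whose outbound rules omit the ephemeral port range so that replies to allowed connections are dropped.

```python
"""Added example, not from the AWSome Day deck: a simulator of how the network ACL and
security group layers treat the same packets. Network ACLs are per subnet, lowest rule
number first, stateless, implicit deny at the end; security groups are per network
interface, allow-only and stateful. All rule sets, addresses and ports are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "inbound" or "outbound" relative to the subnet / instance

    def flow_key(self):
        # Identical for a packet and its reply, so a stateful filter recognizes the flow.
        return frozenset({(self.src, self.sport), (self.dst, self.dport)})

    def peer(self):
        # The address outside the protected subnet / instance that a rule's CIDR refers to.
        return ip_address(self.src if self.direction == "inbound" else self.dst)


@dataclass(frozen=True)
class NaclRule:
    number: int
    action: str  # "allow" or "deny"
    cidr: str
    port_from: int
    port_to: int

    def matches(self, pkt):
        return pkt.peer() in ip_network(self.cidr) and self.port_from <= pkt.dport <= self.port_to


def nacl_evaluate(rules, pkt):
    """First matching rule in ascending number order decides; no match is the implicit '*' deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule.action
    return "deny"


@dataclass
class SecurityGroup:
    inbound: list = field(default_factory=list)   # entries: (cidr, port_from, port_to), allow only
    outbound: list = field(default_factory=list)
    established: set = field(default_factory=set)  # flows already allowed (connection tracking)

    def evaluate(self, pkt):
        if pkt.flow_key() in self.established:
            return "allow"  # stateful: replies to an allowed flow pass without an explicit rule
        rules = self.inbound if pkt.direction == "inbound" else self.outbound
        for cidr, lo, hi in rules:
            if pkt.peer() in ip_network(cidr) and lo <= pkt.dport <= hi:
                self.established.add(pkt.flow_key())
                return "allow"
        return "deny"  # security groups have no deny rules; absence of an allow is a deny


def layered_decision(pkt, nacl, sg):
    """Apply the NACL for the packet's direction, then the security group; both must allow."""
    nacl_result = nacl_evaluate(nacl[pkt.direction], pkt)
    sg_result = sg.evaluate(pkt)
    final = "allow" if (nacl_result, sg_result) == ("allow", "allow") else "deny"
    return nacl_result, sg_result, final


# Constructed sample rule sets for a web instance at 10.1.1.6.
NACL_MISSING_EPHEMERAL = {  # outbound rule forgets that replies go to the client's ephemeral port
    "inbound": [NaclRule(100, "allow", "0.0.0.0/0", 443, 443)],
    "outbound": [NaclRule(100, "allow", "0.0.0.0/0", 443, 443)],
}
NACL_CORRECT = {
    "inbound": [NaclRule(100, "allow", "0.0.0.0/0", 443, 443)],
    "outbound": [NaclRule(100, "allow", "0.0.0.0/0", 1024, 65535)],  # ephemeral range for replies
}
REQUEST = Packet("203.0.113.10", 51515, "10.1.1.6", 443, "inbound")
REPLY = Packet("10.1.1.6", 443, "203.0.113.10", 51515, "outbound")


def web_security_group():
    return SecurityGroup(inbound=[("0.0.0.0/0", 443, 443)], outbound=[("0.0.0.0/0", 0, 65535)])


def run_scenario(nacl):
    """Request then reply through both layers; returns [(nacl, sg, final), (nacl, sg, final)]."""
    sg = web_security_group()
    return [layered_decision(REQUEST, nacl, sg), layered_decision(REPLY, nacl, sg)]


if __name__ == "__main__":
    for name, nacl in (("missing ephemeral rule", NACL_MISSING_EPHEMERAL), ("correct", NACL_CORRECT)):
        print(name, run_scenario(nacl))
```

With the first rule set the request is allowed at both layers, but the reply is dropped by the ACL even though the security group, being stateful, would let it through; the corrected ACL adds the outbound ephemeral range. The rule ordering check in the test shows the other ACL property worth remembering: a lower-numbered deny beats a higher-numbered allow.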
Elastic Load Balancing (ELB)

A managed load balancing service that distributes incoming application traffic across multiple Amazon EC2 instances, containers, and IP addresses.

• High availability
• Health checks
• Security features

(Diagram: user traffic reaches the ELB, which distributes it across App instances.)
Amazon Route 53

Route 53 is a highly available and scalable cloud Domain Name System (DNS) service.

• DNS translates domain names into IP addresses (for example, www.example.com)
• Able to purchase and manage domain names and automatically configure DNS settings
• Provides tools for flexible, high-performance, highly available architectures on AWS
• Multiple routing options

(Diagram: Route 53 resolving www.example.com to VPCs in N. Virginia and Singapore.)
Putting it all together

Clients → Amazon Route 53 → internet gateway → ELB → EC2 instances in an Amazon EC2 Auto Scaling group, all inside the AWS Cloud.
Knowledge check

Which of the following are layers of network defense for VPCs? (choose three)

A. Amazon Machine Images (AMIs)
B. Network access control lists (subnet level)
C. Security groups (instance level)
D. S3 lifecycle policies
E. VPC route tables

Answer: B, C, E
Security

Security is our top priority

• Designed for security
• Constantly monitored
• Highly automated
• Highly available
• Highly accredited
Shared responsibility model

Customer responsibility:
• Customer data
• Platform, applications, identity and access management
• Operating system, network, and firewall configuration
• Client-side data encryption and data integrity authentication
• Server-side encryption (file system and/or data)
• Network traffic protection (encryption, integrity, identity)

AWS responsibility:
• AWS foundation services: compute, storage, databases, networking
• AWS global infrastructure: Regions, Availability Zones, edge locations


AWS Identity and Access Management (IAM)

Securely control access to your AWS resources.

• Assign granular permissions to users, groups, or roles
• Share temporary access to your AWS account
• Federate users in your corporate network or with an internet identity provider
IAM components

• Users: a person or application that interacts with AWS
• Groups: collection of users with identical permissions
• Roles: temporary privileges that an entity can assume
• Permissions/policies: define permissions to control which AWS resources users can access; help you to meet identity and access control standards

IAM provides:
• Authentication
• Authorization
IAM users

• IAM users are not separate AWS accounts; they are users within your account
• Each user has their own credentials
• IAM users are authorized to perform specific AWS actions based on their permissions
Amazon S3 access control: General

Some services support resource-based policies, such as S3 bucket policies.

• Default: private – only the owner has access; anyone else is denied
• Public: the owner and anyone else have access
• Access policy: controlled access – the owner grants access to specific users (User A and User B in the diagram); anyone else is denied
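The IAM components slide says policies define which resources users can access, and the S3 slide adds that a bucket can also carry its own resource-based policy. The following is an added example, not code from the deck or from AWS, that models the three bucket states on the slide (default, public, access policy) with a simplified policy evaluator: a matching explicit Deny in any policy wins, otherwise a matching Allow in either the identity-based or the bucket policy grants the request, otherwise the request is implicitly denied. The account ID, ARNs, bucket name and policy documents are constructed; the evaluator ignores conditions, permission boundaries and SCPs, so it is a teaching model rather than the AWS policy engine.

```python
"""Added example, not from the deck: simplified evaluation of an S3 request against an
IAM identity-based policy and an S3 bucket (resource-based) policy. Explicit Deny wins;
otherwise an Allow in either policy grants; otherwise implicit deny. Conditions,
permission boundaries and SCPs are ignored. All identifiers below are constructed."""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(statement, principal):
    """Identity-based statements carry no Principal; '*' in a bucket policy means anyone."""
    spec = statement.get("Principal")
    if spec is None or spec == "*":
        return True
    return principal in _as_list(spec.get("AWS", []))


def statement_applies(statement, principal, action, resource):
    """Action and Resource support the same '*' wildcard style as IAM policies."""
    return (_principal_matches(statement, principal)
            and any(fnmatchcase(action, a) for a in _as_list(statement["Action"]))
            and any(fnmatchcase(resource, r) for r in _as_list(statement["Resource"])))


def evaluate(identity_policy, bucket_policy, principal, action, resource):
    """Return 'allow', 'explicit_deny' or 'implicit_deny' for one request."""
    decision = "implicit_deny"
    for policy in (identity_policy, bucket_policy):
        for statement in (policy or {}).get("Statement", []):
            if not statement_applies(statement, principal, action, resource):
                continue
            if statement["Effect"] == "Deny":
                return "explicit_deny"  # an explicit deny overrides every allow
            decision = "allow"
    return decision


BUCKET = "arn:aws:s3:::example-bucket"  # constructed bucket name
OWNER = "arn:aws:iam::111122223333:user/owner"
USER_A = "arn:aws:iam::111122223333:user/user-a"
USER_B = "arn:aws:iam::111122223333:user/user-b"
ANONYMOUS = "anonymous"  # an unauthenticated caller; only Principal "*" can match it

# Default: only the owner's own identity-based policy grants access; no bucket policy.
OWNER_IDENTITY_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"]}]}

# Public: a bucket policy whose Principal is "*" grants reads to anyone.
PUBLIC_BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": BUCKET + "/*"}]}

# Access policy (controlled access): User A may read; User B is explicitly denied even
# though the first statement would allow it.
CONTROLLED_BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": [USER_A, USER_B]}, "Action": "s3:GetObject",
     "Resource": BUCKET + "/*"},
    {"Effect": "Deny", "Principal": {"AWS": USER_B}, "Action": "s3:*",
     "Resource": [BUCKET, BUCKET + "/*"]}]}


def scenarios():
    """Decisions for the three bucket states on the slide, keyed by scenario name."""
    obj = BUCKET + "/report.csv"
    return {
        "default_owner": evaluate(OWNER_IDENTITY_POLICY, None, OWNER, "s3:GetObject", obj),
        "default_anyone": evaluate(None, None, ANONYMOUS, "s3:GetObject", obj),
        "public_anyone_read": evaluate(None, PUBLIC_BUCKET_POLICY, ANONYMOUS, "s3:GetObject", obj),
        "public_anyone_write": evaluate(None, PUBLIC_BUCKET_POLICY, ANONYMOUS, "s3:PutObject", obj),
        "controlled_user_a": evaluate(None, CONTROLLED_BUCKET_POLICY, USER_A, "s3:GetObject", obj),
        "controlled_user_b": evaluate(None, CONTROLLED_BUCKET_POLICY, USER_B, "s3:GetObject", obj),
        "controlled_anyone": evaluate(None, CONTROLLED_BUCKET_POLICY, ANONYMOUS, "s3:GetObject", obj),
    }


if __name__ == "__main__":
    for name, decision in scenarios().items():
        print(f"{name:22} {decision}")
```

The public scenario is the one to watch in a real account: a single `Principal: "*"` statement is all that separates "private" from "anyone on the internet can read", which is why reviewing bucket policies for that principal is a standard check.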
AWS CloudTrail

Track user activity and API usage in your AWS account.

• Continuously monitor user activities and record API calls
• Useful for compliance auditing, security analysis, and troubleshooting
• Log files are delivered to Amazon S3 buckets

CloudTrail records the security-relevant information about each API call: Who? What? When? Where?
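The slide names the four questions a CloudTrail record answers but does not show what reading a log for security analysis looks like. The following is an added example, not code from the deck or from AWS: it parses a constructed CloudTrail log (the `Records` array format with `eventTime`, `eventSource`, `eventName`, `userIdentity`, `sourceIPAddress`, `awsRegion` and `errorCode` fields), reports who/what/when/where for each call, and flags the records an analyst would review first: calls that change audit logging, calls made with root credentials, and calls that were denied. The account ID, user names and IP addresses are placeholders.

```python
"""Added example, not from the deck: triage of CloudTrail records to answer the slide's
who / what / when / where questions and surface security-relevant calls. SAMPLE_LOG is
constructed in the CloudTrail record format; account ID, ARNs and IPs are placeholders."""
import json
from collections import Counter

# Calls that reduce audit visibility; a defender wants to see every one of these.
LOGGING_CHANGE_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2021-06-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice",
                      "userName": "alice"},
     "sourceIPAddress": "198.51.100.7", "awsRegion": "us-east-1"},
    {"eventTime": "2021-06-01T10:05:13Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice",
                      "userName": "alice"},
     "sourceIPAddress": "198.51.100.7", "awsRegion": "us-east-1", "errorCode": "AccessDenied"},
    {"eventTime": "2021-06-01T10:06:40Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "sourceIPAddress": "203.0.113.44", "awsRegion": "us-east-1"},
]})


def parse_records(log_text):
    """A CloudTrail log file is a JSON object whose 'Records' array holds one event per call."""
    return json.loads(log_text)["Records"]


def summarize(record):
    """Who / what / when / where, plus whether the call succeeded."""
    identity = record.get("userIdentity", {})
    return {
        "who": identity.get("arn", identity.get("type", "unknown")),
        "what": f'{record["eventSource"]}:{record["eventName"]}',
        "when": record["eventTime"],
        "where": f'{record.get("sourceIPAddress", "?")} / {record.get("awsRegion", "?")}',
        "outcome": record.get("errorCode", "Success"),
    }


def findings(records):
    """Return (record index, reason) pairs for records a security analyst should review."""
    out = []
    for i, r in enumerate(records):
        if r["eventName"] in LOGGING_CHANGE_EVENTS:
            out.append((i, "audit logging changed"))
        if r.get("userIdentity", {}).get("type") == "Root":
            out.append((i, "root credentials used"))
        if r.get("errorCode") == "AccessDenied":
            out.append((i, "denied API call"))
    return out


def denied_calls_by_principal(records):
    """Count AccessDenied errors per caller; a burst from one principal is worth a look."""
    return Counter(r["userIdentity"].get("arn")
                   for r in records if r.get("errorCode") == "AccessDenied")


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for rec in recs:
        print(summarize(rec))
    for index, reason in findings(recs):
        print(f"record {index}: {reason}")
```

Because the log files land in an S3 bucket, the same bucket-policy considerations from the previous slide apply to them: the trail's bucket should be readable only by the people doing this analysis, and a `StopLogging` or `DeleteTrail` event is exactly what the log itself is best placed to reveal.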


What is AWS Trusted Advisor?

A service providing guidance to help you reduce cost, increase performance, and improve security.
Knowledge check

Which of the following are components of IAM?

A. Group – collection of users with identical permissions
B. Bucket – container for stored objects
C. User – person or application that interacts with AWS
D. Instance – copy of an AMI running as a virtual server
E. Policy – formal statement of one or more permissions

Answer: A, C, E
Thank you!
