Welcome
• This material should not be taken as the sole source of study to prepare for the AWS CCP exam.
Knowledge Check
Question 1
Which of the below mentioned services is equivalent to hosting
virtual servers on an on-premise location?
A) Amazon EC2
B) AWS Regions
C) AWS IAM
D) AWS Server
Question 2
You have a set of EC2 instances and get a DDoS attack from the
internet. Which of the following can help in reducing the overall
threat to your EC2 instances? Choose 2 answers from the options
given below.
Question 3
Which service allows for the collection and tracking of metrics for
AWS services?
A) Amazon CloudFront
B) Amazon CloudSearch
C) Amazon CloudWatch
D) Amazon Machine Learning (Amazon ML)
Question 4
Which service should an administrator use to register a new
domain name with AWS?
A) Amazon Route 53
B) Amazon CloudFront
C) Elastic Load Balancing
D) Amazon Virtual Private Cloud (Amazon VPC)
Question 5
Which of the following services uses AWS edge locations?
Question 6
Which AWS services can be used to store files? Choose 2 answers
from the options given below
A) Amazon CloudWatch
B) Amazon Simple Storage Service (Amazon S3)
C) Amazon Elastic Block Store (Amazon EBS)
D) AWS Config
E) Amazon Athena
Question 7
Who has control of the data in an AWS account?
AWS Certified Cloud Practitioner
About the Exam
• 90 minutes
• US$ 100.00
• Immediate result
• Score: 100 to 1000 (minimum 700 to pass)
• 65 questions
Sample multiple-response question: What are AWS services?
( • ) IAM
( • ) CloudFront
( ) AWSGames
( ) ForCloud
( ) Discovery Tiers
Sample multiple-choice question: CloudFront Service Infrastructure:
( • ) Edge Locations
( ) Data Centers
( ) AWSTransceivers
( ) Cloud Content
( ) External DNS
AWS Certified Cloud Practitioner
Exam Topics
https://aws.amazon.com/certification/certified-cloud-practitioner/
How to add 30 min (1/2)
Candidates from non-native English-speaking countries are eligible to add 30 min to the exam time.
How to do this?
Go to the certification portal (aws.training/Certification)
AWS Certified Cloud Practitioner
Resources: apn-portal.com
• AWS Training (aws.amazon.com/training)
– AWS Business Professional (Digital)
– AWS TCO and Cloud Economics (Digital)
• Whitepapers on AWS
– Overview of Amazon Web Services
– Architecting for the Cloud: AWS Best Practices
– How AWS Pricing Works
– Cost Management in the AWS Cloud
– AWS support plan comparison
AWS Certified Cloud Practitioner
To Do
• Review this material.
• Go to the AWS site and read about the main services: https://aws.amazon.com
• Understand the AWS Cloud value proposition, principles and advantages.
• Security in the cloud: AUP, SRM, Compliance, IAM, MFA.
• Global AWS Infrastructure, multi-AZ architectures, services scope.
• Pricing models and organizational structure.
Module 1:
Understanding the AWS Cloud
What is Cloud Computing
Why Customers are Moving to AWS
• Trade capital expense for variable expense
• Scale globally
• Increase speed & agility
• Streamline & enhance infrastructure decisions
• Increase innovation
• Accelerate time to business value
• Reduce expenses
Transitioning from a Self-Managed to a Fully Managed Service
What Sets AWS Apart?
AWS Global Infrastructure
22 Geographical Regions, 1 Local Region, 69 Availability Zones, 160+ PoPs
Region & Number of Availability Zones (AZs)
• GovCloud (US): US-East (3), US-West (3)
• US West: Oregon (4), Northern California (3)
• Europe: Frankfurt (3), Ireland (3), London (3), Paris (3), Stockholm (3)
• Middle East: Bahrain (3)
Announced Regions: four Regions and 12 AZs in Bahrain, Cape Town, Jakarta and Milan
AWS Region Design
AWS Regions are comprised of multiple AZs for high availability, high scalability, and
high fault tolerance. Applications and data are replicated in real time and consistent in
the different AZs.
Diagram: an AWS Region containing several Availability Zones linked through transit AZs.
A Region is a physical location in the world where we have multiple Availability Zones.
Availability Zones consist of one or more discrete data centers, each with redundant power,
networking, and connectivity, housed in separate facilities.
Amazon CloudFront
Content Delivery Network (CDN)
• Netflix
AWS Platform Services
Over 165 Services
• Advanced Services: Analytics, Artificial Intelligence, Mobile, Internet of Things, Game Development, AWS Marketplace
• Business Process Services: Technical and Business Support, Developer Tools, Management Tools, Business Productivity, Application Services, Desktop and App Streaming
• Foundational Services: Compute, Storage, Databases, Networking/Content Delivery, Hybrid Cloud Architecture, Messaging
Introducing Amazon Enterprise Applications
Productivity: WorkMail, WorkDocs
Services Availability per Region
Region Table
• Service availability varies by region.
https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/
AWS Marketplace Overview
AWS Marketplace is an online store that supports:
• Over 1,400 participating ISVs
• 190,000+ active customers
• 4,200+ software listings
• Over 570M hours of software per month
AWS Hybrid Architecture Support
79% of existing Enterprise workloads run on VMware*
Almost every AWS customer with on-premises infrastructure is running a hybrid architecture.
Module 2:
Security and Compliance
Customers Benefit from Advanced Security Controls
AWS Built-In Security
Security Focus → Security Services and Features
• Infrastructure Security: Amazon VPC, AWS WAF, encryption in transit with TLS with all services, AWS Artifact
• Identity and Access Control: AWS Identity and Access Management (IAM), AWS Multi-Factor Authentication, AWS Directory Service, AWS Trusted Advisor
• Monitoring and Logging: AWS CloudTrail, Amazon CloudWatch, Amazon Macie, Amazon Inspector
• Inventory and Configuration: AWS Config, AWS CloudFormation
• DDoS Mitigation: AWS Shield, Auto Scaling, Amazon CloudFront, Amazon Route 53
• Data Encryption: encryption with all AWS storage and database services, AWS KMS, AWS CloudHSM
AWS Trusted Advisor
How it works
https://aws.amazon.com/premiumsupport/technology/trusted-advisor/
AWS Organizations
Diagram: a root organization with a master account, and member accounts (e.g. BU1_Prod, BU2_Prod, SS_Prod, BU1_Test, BU2_Test, SS_Dev) grouped into organizational units.
Amazon Inspector
Vulnerability Assessment Service (the Inspector Agent runs on the assessed instances)
https://aws.amazon.com/inspector/
AWS Shield and AWS Shield Advanced
DDoS: Distributed Denial of Service (botnets, massive attacks).
AWS Assurance Programs: 58+ Certifications
https://aws.amazon.com/compliance/
On-Demand Access to Compliance Reports: AWS Artifact
Module 3:
AWS Architecture and Services
Mapping On-premises Services to AWS
• LDAP server → AWS Directory Service
• Web server tier → web servers behind Elastic Load Balancing
• App server tier → app servers behind Elastic Load Balancing
• SAN → Amazon Elastic Block Store
• DB (Master) and DB (Slave) → Amazon RDS (Master) and Amazon RDS (Standby)
• Back-ups on tapes → backups to Amazon S3 or Amazon Glacier
AWS Cloud Hierarchy
Global Services > Regional > VPC > AZ > Host
• Global: Route 53 (DNS), CloudFront
• Region: S3 buckets, AMI images
• AZ: EC2/RDS instances, EBS volumes, containers
Use Multi-AZ Patterns to Increase Reliability
Tools for Migrations
• Server Migration Service (VMware → AWS)
• Database Migration Service (Source DB → Target DB)
Course service map:
• Compute: Amazon EC2, Amazon ECS, Auto Scaling, AWS Lambda
• Storage: Amazon Glacier, Amazon EBS, Amazon EFS, Amazon S3
• Networking: Elastic Load Balancing*, Amazon Route 53, Application Load Balancer, Amazon VPC*
• Databases: Amazon RDS, Amazon Aurora, Amazon DynamoDB, Amazon ElastiCache
• Security: Amazon IAM, AWS WAF, AWS KMS, AWS Shield
• Management: Amazon CloudWatch, AWS CloudTrail, AWS CloudFormation, AWS Config
AWS Compute Services
How will you deliver the application executables?
• Instances
– Amazon EC2
• Containers
– Amazon ECS, Amazon EKS
– AWS Fargate
• Serverless
– AWS Lambda
Amazon EC2
Amazon Elastic Compute Cloud (Amazon EC2)
• Virtual machine instance running on an AWS hypervisor
• Supports numerous distributions of Linux or Microsoft Windows
• Complete control of your host operating system with root and administrator accounts
• You are responsible for all installed applications
• Multiple types and sizes of instances
• Remote access via SSH or Remote Desktop
https://aws.amazon.com/ec2/
Amazon Machine Image (AMI)
AMI Content
– Defines which OS to use (Linux, Windows)
– Public and private AMIs
– Defined at the instance launch process
Amazon EC2 - Instance Types
• General purpose: M5d, M5, M4, t3, t2 (burst CPU)
• Compute optimized: C5d, C5, C4
• Storage and I/O optimized: D2, H1, I3
• GPU enabled: P3, P2, G2, F1
• Memory optimized: X1 & X1e, R5 & R5d, z1d, R4
AWS Instance Access
Amazon EC2 Instance Launch:
AWS CLI
AWS SDK
AWS CLI
How to use the AWS CLI tool:
IAM > Users > ‘user’ > Security Credentials > Access keys
Amazon EC2 – Remote Access
When the instance is created, the key pair that will be used to access the instance is defined.
AWS: “A key pair consists of a public key that AWS stores, and a private key file stored by the user.”
Auto Scaling
Automatically launch or terminate Amazon EC2 instances
• User-defined policies driven by CloudWatch
• Health status checks
• Schedules
• Manually using set-desired-capacity in the CLI
How Does Auto Scaling Work?
• What: AMI
• Where: EC2
• When: Auto Scaling policy
Amazon Container
Elastic Container Service (ECS)
Elastic Container Service for Kubernetes (EKS)
• AWS runs the EC2 cluster management
• Eliminates the complexity of operating container infrastructure
• Microservices
https://aws.amazon.com/ecs/
AWS Lambda: Serverless Compute
• No servers to manage
• Continuous scaling
• Pay only for compute time used
AWS Lambda
Use Cases:
• Building modular, scalable, lightweight applications
• Serverless data processing on demand
• Perform data validation, filtering, sorting, or other transformations.
• Image thumbnailing, in-app activity, website clicks, or output from devices
https://aws.amazon.com/lambda/
Compute – Knowledge Check
Question 1
You are currently hosting an infrastructure and most of the EC2
instances are near 90 - 100% utilized. What is the type of EC2
instances you would utilize to ensure costs are minimized?
A. Reserved instances
B. On-demand instances
C. Spot instances
D. Regular instances
Question 2
You work for a company that is planning on using the AWS EC2
service. They currently create golden images of their deployed
operating system. Which of the following corresponds to a golden
image in AWS?
A. EBS Volumes
B. EBS Snapshots
C. Amazon Machine Images
D. EC2 Copies
Question 3
Which of the following services relates to the concept of "scaling up
resources based on demand"?
A. Auto Scaling
B. Elastic Load Balancer
C. VPC
D. Subnet
AWS Storage Services
Storage Options
• File: Amazon EFS
• Block: Amazon EBS, Instance Store
• Object: Amazon S3, Amazon Glacier
Diagram: an Amazon EC2 instance with its EBS volume inside an Availability Zone, and data transfer to S3 within the AWS region.
EBS Volume Types: SSD, HDD
EBS Encryption
Amazon EBS Snapshot
• Point-in-time backup
• Stored in Amazon S3 (low-cost and highly durable backup of data)
Amazon EFS
Amazon Elastic File System
• Fully managed
• No hardware, network, file layer
• No need to provision storage in advance
• Create a scalable file system in seconds!
• Simple pricing = pay for actual storage consumed
• Multiple EC2 instances accessing at the same time (File System as a Service)
Amazon S3 – Simple Storage Service
99.999999999% durability and 99.99% availability of objects over a given year
Amazon S3 Features
How fast is S3 Transfer Acceleration?
Chart: S3 Transfer Acceleration compared with the public Internet.
Try it at s3speedtest.com
Storage Tiered to Your Requirements
• "Hot" data (active and/or temporary data): S3-Std, $0.023/GB per month, > 0K minimum object size, ≥ 0 days minimum storage
• "Warm" data (infrequently accessed data): S3-IA, $0.0125/GB per month, ≥ 128K, ≥ 30 days, $0.01/GB retrieval
• "Warm" data (infrequently accessed, non-critical data): S3-IA-1Zone, $0.0100/GB per month, ≥ 128K, ≥ 30 days, $0.01/GB retrieval
• "Cold" data (archive and compliance data): Glacier, $0.004/GB per month, > 0K, ≥ 90 days; retrieval in 1~5 min at $0.03/GB, 3~5 hrs at $0.01/GB, or 5~12 hrs at $0.0025/GB
• "Cold" data (archive and compliance data): Glacier Deep Archive, $0.00099/GB per month, > 0K, ≥ 180 days; retrieval in 3 – 12 hrs at $0.02/GB or $0.025/GB
Common properties:
• Durable: 99.999999999%
• Available: S3 99.99%, S3-IA 99.9%, S3-IA-1Z 99.5%
• Performant: low latency, high throughput
• Scalable: elastic capacity, no preset limits
Amazon S3 Security
Amazon S3 Glacier
Long-term storage solution
• Long-term archiving, backup
• Low cost
• Data are extracted by executing retrieval jobs
Diagram: an archive retrieval job for object IDs 001, 025, 150, 400 … ends with the objects ready to download.
Retrieval options:
❑ Expedited: 1~5 min
❑ Standard: 3~5 hrs
❑ Bulk: 5~12 hrs
99.999999999% durability of objects over a given year
What is AWS Storage Gateway?
Service connecting an on-premises software appliance with cloud-based storage
Diagram: Gateway VM, media / VTS, initiator
Storage – Knowledge Check
Question 1
Which AWS services can be used to store files? Choose 2 answers
A. Amazon CloudWatch
B. Amazon Simple Storage Service (Amazon S3)
C. Amazon Elastic Block Store (Amazon EBS)
D. AWS Config
E. Amazon Athena
Question 2
A company wants to store data that is not frequently accessed.
What is the best and most cost-efficient solution that should be
considered?
Question 3
There is a requirement for storage of objects. The objects should be
able to be downloaded via a URL. Which storage option would you
choose?
A. Amazon S3
B. Amazon Glacier
C. Amazon Storage Gateway
D. Amazon EBS
Question 4
Which of the following is the amount of storage that can be stored
in the Simple Storage Service?
A. 1 TB
B. 5 TB
C. 1 PB
D. Virtually unlimited storage
Question 5
A company is deploying a two-tier, highly available web application
to AWS. Which service provides durable storage for static content
while utilizing lower overall CPU resources for the web tier?
AWS Networking Services
Amazon VPC
Provision a logically isolated section of the AWS cloud
• Control your virtual networking environment
– Subnets
– Route tables
– Security groups
– Network ACLs
• Connect to your on-premises network via VPN or Direct Connect
• Control if and how your instances access the Internet
Amazon Elastic Load Balancing (ELB)
ELB increases application resiliency
• Automatically distributes incoming application traffic
• Health checks for application high availability
• Integrates with other AWS services
– Route 53
– Internet Gateway
– Identity and Access Management
Diagram: Load balancer → Listener → Rule → Target Group (Targets, Health Check)
https://aws.amazon.com/elasticloadbalancing/
Amazon CloudFront
https://aws.amazon.com/cloudfront/
How You Configure CloudFront to Deliver Content
Diagram elements (steps 1–4): Developer, objects/data, S3 bucket or HTTP server, web distribution, your distribution's configuration, CloudFront, edge locations, distribution domain http://d111111abcdef8.cloudfront.net
Amazon Route 53
https://aws.amazon.com/route53/
Network – Knowledge Check
Question 1
Which of the following services helps provide a dedicated connection
from on-premise infrastructure to resources hosted in the AWS
Cloud?
A. AWS VPC
B. AWS VPN
C. AWS Direct Connect
D. AWS Subnets
Question 2
You are planning on deploying a video-based application onto the
AWS Cloud. These videos will be accessed by users across the world.
Which of the below services can help stream the content in an
efficient manner to the users across the globe?
A. Amazon SES
B. Amazon CloudTrail
C. Amazon CloudFront
D. Amazon S3
Question 3
Which of the following services is most useful when a Disaster
Recovery method is triggered in AWS?
A. Amazon Route 53
B. Amazon SNS
C. Amazon SQS
D. Amazon Inspector
Question 4
Which of the following networking components can be used to host
EC2 resources in the AWS Cloud?
Question 5
Which of the following can be used to protect EC2 instances hosted
in AWS? Choose 2 answers from the options given below:
AWS Database Services
Amazon RDS
• Relational databases
• Fully managed and secure
• Fast, predictable performance
• Simple and fast to scale
• Low cost, pay for what you use
(Engines shown: Amazon Aurora, Amazon RDS)
https://aws.amazon.com/rds/
Amazon Aurora
Delivered as a managed service on top of RDS
Amazon DynamoDB
Fully managed NoSQL database
• Fast, consistent performance
• Highly scalable
• Flexible
• Event-driven programming
• Fine-grained access control
Amazon Redshift: Data Warehousing
Amazon Redshift is a fast, scalable data warehouse
Amazon ElastiCache
A fully managed in-memory data store or cache environment in the cloud.
• Improves performance by retrieving data from high-throughput and low-latency in-memory data stores.
• Use Cases:
– Gaming
– Ad-Tech
– Financial Services
– Healthcare
– IoT
https://aws.amazon.com/elasticache/
Databases – Knowledge Check
Question 1
Which of the following is a fully managed NoSQL database service
available with AWS?
A. AWS RDS
B. AWS DynamoDB
C. AWS Redshift
D. AWS MongoDB
Question 2
Which AWS service automates infrastructure provisioning and
administrative tasks for an analytical data warehouse?
A. Amazon Redshift
B. Amazon DynamoDB
C. Amazon ElastiCache
D. Amazon Aurora
Question 3
Which of the following is a MySQL-compatible database which also
can grow in storage size on its own?
A. Aurora
B. DynamoDB
C. RDS Microsoft SQL Server
D. RDS MySQL
Question 4
Which of the following features of Amazon RDS allow for better
availability of databases? Choose 2 answers from the options given
below:
A. VPC Peering
B. Multi-AZ
C. Read Replicas
D. Multi-Region
AWS Security Services
The Layered Security Approach
• Secured Infrastructure
– Secured endpoints
– Compliance alignments and frameworks
– Certifications and attestations
• VPC Firewall
– Workload isolation
• Security Group
– Port/protocol filtering
• Instance Firewall
– Rule-based protection at the OS level
Diagram: nested layers VPC → Subnet → Security group → Instance
AWS Identity & Access Management
A core AWS security service.
https://aws.amazon.com/iam/
AWS Principals
Account Owner ID (Root Account)
• Access to all subscribed services.
• Access to billing.
• Access to console and APIs.
• Access to Customer Support.
IAM Root Account Best Practices
https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
IAM Roles Best Practices
An IAM role is an IAM identity that can be assumed by anyone who needs it.
Ex.: users, applications, services, federated users
Diagram: application code assumes the IAM role, receives temporary credentials, and makes API calls with them (create, delete, change bucket).
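The role in the diagram above should be granted only the bucket operations the application needs. As an added example (not from the course material), the following Python script checks IAM policy documents for the patterns that defeat least privilege: wildcard actions, wildcard resources and NotAction grants. The policy JSON layout is the real IAM policy grammar; the two sample policies and the bucket name are constructed.

```python
"""Flag IAM policy statements that are broader than least privilege allows.

The policy document layout is IAM's own JSON grammar; both sample policies
below are constructed for this example (the bucket name is a placeholder).
"""
import json

# Constructed: the "admin for everything" policy a hurried developer attaches.
OVERLY_BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]})

# Constructed: the same app role scoped to create/delete objects in one prefix
# and list one bucket, matching the "create, delete, change bucket" use case.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::example-app-bucket/uploads/*"},
        {"Effect": "Allow",
         "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-app-bucket"}]})


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def least_privilege_findings(policy_text):
    """Return (statement index, issue) for every Allow statement that is too broad."""
    doc = json.loads(policy_text)
    findings = []
    for idx, stmt in enumerate(_as_list(doc["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        # "*" grants every API; "s3:*" grants every API of one service.
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((idx, "wildcard action"))
        if "*" in resources:
            findings.append((idx, "wildcard resource"))
        # NotAction allows everything except the listed actions.
        if "NotAction" in stmt:
            findings.append((idx, "NotAction grant"))
    return findings


if __name__ == "__main__":
    for name, policy in (("broad", OVERLY_BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, least_privilege_findings(policy) or "no findings")
```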
AWS Key Management Service (AWS KMS)
Data encryption with KMS
• Managed service for using encryption keys
• Integrated with many AWS services
• Integrated with AWS CloudTrail
– provides auditable logs of key usage
https://aws.amazon.com/kms/
AWS Web Application Firewall (AWS WAF)
https://aws.amazon.com/waf/
AWS Shield (Standard or Advanced)
https://aws.amazon.com/shield/
Security – Knowledge Check
Question 1
Which service allows an administrator to create and modify AWS
user permissions?
A. AWS Config
B. AWS CloudTrail
C. AWS Key Management Service (AWS KMS)
D. AWS Identity and Access Management (IAM)
Question 2
Which of the following is the responsibility of the AWS customer
according to the Shared Security Model?
Question 3
Which of the following security requirements are managed by AWS
customers? Select 2 answers from the options given below.
A. Password Policies
B. User permissions
C. Physical security
D. Disk disposal
E. Hardware patching
Question 4
How can the AWS Management Console be secured against
unauthorized access?
Question 5
When giving permission to users via the AWS Identity and Access
Management tool, which of the following principles should be
applied when granting permissions?
AWS Management Services
AWS CloudWatch
https://aws.amazon.com/cloudwatch/
AWS CloudWatch Alarms
Diagram: Amazon CloudWatch receives application-specific metrics (e.g. PageViewCount) as custom CloudWatch metrics; the available statistics feed Auto Scaling, the AWS Management Console and other statistics consumers.
CloudWatch Metrics Examples
AWS CloudTrail
CloudTrail provides the event history of AWS account activity
• Permits governance, compliance and audit (Who did that?!)
• Logs API calls
• Security analysis
• Tracking of resource changes
• Problem resolution
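To make "Who did that?!" concrete, here is an added example (not from the course material) in Python that scans CloudTrail records for EC2 terminations, root-account activity and console logins without MFA, the kind of question the Management Services knowledge check asks about. The record layout follows CloudTrail's documented JSON format; every identity, account ID, instance ID and IP address in the sample file is a constructed value.

```python
"""Answer "who did that?!" from CloudTrail: find who terminated EC2 instances,
any activity by the root account, and console logins made without MFA.

The record layout follows AWS CloudTrail's documented JSON format; the
records below are constructed for this example (account id, user names,
instance ids and IP addresses are sample values, not real ones).
"""
import json

SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2019-01-30T08:15:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2019-01-30T09:02:11Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2019-01-30T09:05:42Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "requestParameters": {"instancesSet": {"items": [
         {"instanceId": "i-0aaaa1111bbbb2222"},
         {"instanceId": "i-0cccc3333dddd4444"}]}}},
    {"eventTime": "2019-01-30T11:20:05Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.22",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/DeployRole/ci-job-42"},
     "requestParameters": {"instancesSet": {"items": [
         {"instanceId": "i-0eeee5555ffff6666"}]}}},
    {"eventTime": "2019-01-30T11:25:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"}},
]})


def load_records(trail_text):
    """Parse a CloudTrail log file: a JSON object whose 'Records' is a list of events."""
    return json.loads(trail_text)["Records"]


def principal(record):
    """Human-readable identity: IAM user name, assumed-role session ARN, or 'root'."""
    ident = record.get("userIdentity", {})
    if ident.get("type") == "Root":
        return "root"
    return ident.get("userName") or ident.get("arn", "<unknown>")


def terminated_instances(records):
    """Map each terminated instance id to (who, when, source IP)."""
    result = {}
    for rec in records:
        if (rec.get("eventSource") != "ec2.amazonaws.com"
                or rec.get("eventName") != "TerminateInstances"):
            continue
        # TerminateInstances lists its targets under requestParameters.instancesSet.items
        params = rec.get("requestParameters", {})
        for item in params.get("instancesSet", {}).get("items", []):
            result[item["instanceId"]] = (principal(rec), rec["eventTime"],
                                          rec.get("sourceIPAddress"))
    return result


def root_api_activity(records):
    """Every event performed by the root account (root should not be used day to day)."""
    return [(r["eventTime"], r["eventName"]) for r in records
            if r.get("userIdentity", {}).get("type") == "Root"]


def console_logins_without_mfa(records):
    """Successful AWS Management Console logins where MFA was not used."""
    hits = []
    for r in records:
        if r.get("eventName") != "ConsoleLogin":
            continue
        if r.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue
        if r.get("additionalEventData", {}).get("MFAUsed") == "No":
            hits.append((r["eventTime"], principal(r), r.get("sourceIPAddress")))
    return hits


if __name__ == "__main__":
    recs = load_records(SAMPLE_TRAIL)
    for iid, (who, when, ip) in terminated_instances(recs).items():
        print(f"{iid} terminated by {who} at {when} from {ip}")
    print("root activity:", root_api_activity(recs))
    print("console logins without MFA:", console_logins_without_mfa(recs))
```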
Benefits of AWS CloudFormation
AWS CloudFormation Designer
• Visualize template resources
AWS Config
Managed service for tracking AWS inventory and configuration, and configuration change notification.
Diagram: AWS Config tracking Amazon EC2, Amazon EBS, Amazon VPC and AWS CloudTrail resources.
Management Services – Knowledge Check
Question 1
You want to monitor the CPU utilization of an EC2 resource in AWS.
Which of the below services can help in this regard?
A. AWS CloudTrail
B. AWS Inspector
C. AWS Trusted Advisor
D. AWS CloudWatch
Question 2
Which of the following services helps in governance, compliance,
and risk auditing in AWS?
A. AWS Config
B. AWS CloudTrail
C. AWS CloudWatch
D. AWS SNS
Question 3
A company needs to know which user was responsible for
terminating several critical Amazon Elastic Compute Cloud (Amazon
EC2) instances. Where can the customer find this information?
Question 4
You have a DevOps team in your current organization structure.
They are keen to know if there is any service available in AWS which
can be used to manage infrastructure as code. Which of the
following can meet such a requirement?
A. Using AWS CloudFormation
B. Using AWS Config
C. Using AWS Inspector
D. Using AWS Trusted Advisor
Module 4:
Pricing, TCO and Cost Optimization on
AWS
Cloud Value Framework
TCO the way customers typically see it (illustrative)
1. Server Costs: Hardware – Server (+Maintenance); Software – OS, Virtualization Licenses (+Maintenance)
TCO the way it really is (illustrative)
1. Server Costs: Hardware – Server, Rack Chassis, PDUs, ToR Switches (+Maintenance); Software – OS, Virtualization Licenses (+Maintenance); Facilities Cost (On-prem. / Colocation) – Space, Power, Cooling, Overhead
4. IT Labor Costs: Server Admin, Virtualization Admin, Storage Admin, Network Admin, Support Team
Resources to get started
Tools for Cost Visibility: Cost Explorer, Tags
AWS Pricing Philosophy
On-Demand and Reserved
Convertible Reserved Instances
• Convertible Reserved Instance: reduced price during the Reserved Instance term
• For customers lacking understanding of future workloads: steady-state but can change
• Change Reserved Instance family, type, OS, or tenancy
• Example: C3 RI → C4 RI
Spot Instances
Dedicated Instance
• Instances run on hardware dedicated to you only
• For workloads that require dedicated hardware to meet unique security and compliance needs
• Data isolation required
• Customer must pay an hourly instance fee and a dedicated per-region fee
Dedicated Host
• Instances run on hardware dedicated to you only
• License portability
• Fine-grain control of hardware
• For existing server-bound software licenses that are bound to VMs, sockets, or physical cores
• Data isolation required; license-dependent applications or services
Billing Comparison
Chart: N. Virginia, 30th Jan 2019 (Reserved vs. Convertible)
Estimating Cost Savings
Simple Monthly Calculator
Module 5:
AWS Well-Architected Framework
The AWS Well-Architected Framework
Design Principles
• Stop guessing your capacity needs
• Test systems at production scale
• Automate to make architectural experimentation easier
• Allow for evolutionary architectures
• Data-driven architectures
• Improve through game days
Pillars of AWS Well-Architected
Operational Excellence
The ability to run and monitor systems to deliver business value and continually improve supporting
processes and procedures.
Principles
• Perform operations with code
• Align operations processes to business objectives
• Make regular, small, incremental changes
• Test for responses to unexpected events
• Learn from operational events and failures
• Keep operations procedures current
Coverage Area
• Preparation
• Operation
• Response
Operational Excellence: AWS Services
Prepare
• AWS Config rules
Operate
• Amazon CloudWatch
Evolve
• Amazon Elasticsearch Service (Amazon ES)
Applying Operational Excellence
Diagram: reference architecture spanning Availability Zone A and Availability Zone B. Each AZ has a public subnet (RDGW, NAT, IDS/WAF), a private web tier and app tier (Auto Scaling groups mixing Reserved and On-Demand instances, each tier with its own security group) and a private data tier (Amazon Aurora, replicated between the AZs); users and admin reach it over the internet.
1. Use of Amazon CloudWatch to achieve visibility in the cloud.
2. Use of CodeStar to deploy Infrastructure as Code.
Security
The ability to protect information, systems, and assets while delivering business value through risk
assessments and mitigation strategies.
Principles
• Apply security at all layers
• Enable traceability
• Implement a principle of least privilege
• Focus on securing your system
• Automate security best practices
Coverage Areas
• Identity and access management
• Detective controls
• Infrastructure protection
• Data protection
• Incident response
Security: AWS Services
Applying Security Best Practices
Diagram: the two-AZ reference architecture (public subnet with RDGW, NAT and IDS/WAF; private web, app and data tiers with Auto Scaling groups of Reserved and On-Demand instances, per-tier security groups, and Amazon Aurora replicated between the AZs), deployed with AWS CloudFormation.
1. Public and private subnets: ELB and other edge devices are the only things the public can reach; WAF and Shield are applied at the edge to control traffic.
2. The use of IAM (dive deep: understand the roles and users).
3. The use of CloudTrail and Config to maintain a known infrastructure state.
4. Using IAM to create roles that ensure that only the App tier can talk to the database.
Reliability
The ability of a system to recover from infrastructure or service failures, dynamically acquire
computing resources to meet demand, and mitigate disruptions such as misconfigurations or
transient network issues.
Principles
• Test recovery procedures
• Automatically recover from failure
• Scale horizontally to increase aggregate system availability
• Stop guessing capacity
• Manage change in automation
Coverage Areas
• Foundations
• Change Management
• Failure Management
Reliability: AWS Services
Foundations
• AWS Trusted Advisor, IAM, Amazon VPC, Direct Connect
Change Management
• AWS CloudTrail, AWS Config, Auto Scaling, CloudWatch
Failure Management
• AWS CloudFormation, Amazon S3, Amazon Glacier, AWS KMS
Applying Reliability
Diagram: the two-AZ reference architecture (public subnet with RDGW, NAT and IDS/WAF; private web, app and data tiers; Amazon RDS replicated between the AZs).
1. Multi-AZ
2. Database replication between the two AZs
3. Scalable ELB instances
• Independent resource scalability.
• Independent service recovery when used with auto-scaling.
• This will be relevant when we talk about "Performance Efficiency" as well.
Performance Efficiency
The ability to use computing resources efficiently to meet system requirements, and to
maintain that efficiency as demand changes and technologies evolve.
Principles
• Democratize advanced technologies
• Go global in minutes
• Use serverless architectures
• Experiment more often
• Mechanical sympathy
Coverage Areas
• Selection
• Review
• Tradeoffs
Performance Efficiency: AWS Services
Selection
• Compute: Auto Scaling
• Storage: Amazon EBS, Amazon S3
• Database: Amazon RDS, Amazon DynamoDB
• Network: Amazon Route 53, Amazon VPC, AWS Direct Connect
Review
• AWS Blog
Monitoring
• Amazon CloudWatch, AWS Lambda
Tradeoffs
• Amazon ElastiCache, Amazon CloudFront, AWS Snowball, Read replicas for RDS
Applying Performance Efficiency
Diagram: the two-AZ reference architecture (public subnet with RDGW, NAT and IDS/WAF; private web and app tiers in Auto Scaling groups; Amazon Aurora replicated between the AZs), deployed with AWS CloudFormation.
1. Auto Scaling groups
2. CloudFormation as a tool to facilitate repeatability and global deployment
Cost Optimization
The ability to avoid or eliminate unneeded cost or suboptimal resources
Principles
• Adopt a consumption model
• Benefit from economies of scale
• Stop spending money on data center operations
• Analyze and attribute expenditure
• Use managed services to reduce cost of ownership
Coverage Areas
• Cost-Effective Resources
• Matching Supply and Demand
• Expenditure Awareness
• Optimizing Over Time
Cost Optimization: AWS Services
Cost-Effective Resources
• AWS Well-Architected Framework
Matching Supply and Demand
• Auto Scaling
Expenditure Awareness
• Amazon CloudWatch, Amazon Simple Notification Service (SNS)
Optimizing Over Time
• AWS Blogs, AWS Trusted Advisor, AWS Cost Explorer
Applying Cost Optimization
Diagram: the two-AZ reference architecture (public subnet with RDGW, NAT and IDS/WAF; private web and app tiers in Auto Scaling groups of Reserved and On-Demand instances; Amazon Aurora replicated between the AZs), deployed with AWS CloudFormation.
1. Combination of reserved and on-demand instances
2. The use of Aurora as the relational database layer
Value Proposition
Help Customers:
• Consistent approach to reviewing architectures
• Understand and reduce risk in your architecture
• Learn best practices
• Influence future architectures
• Generate additional opportunities