Global Accelerator
o Allows you to improve availability and performance of your applications for global users
Network Access Control Lists (NACL) and security groups
o both control traffic; a NACL works at the subnet level and is stateless (return traffic needs its own
rule), a security group works at the instance/ENI level and is stateful; a NACL has explicit deny rules,
so you can block specific IP addresses with a NACL but not with a security group
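Worked example (added here, not part of the original notes): a small simulator for the stateless vs stateful point. It shows that a NACL drops the reply to an allowed HTTPS request unless an outbound rule for the client's ephemeral port exists, that the security group passes the same reply automatically, and that only the NACL can deny a single host. The rule tables and the client/server addresses are constructed for illustration.

```python
"""Simulate NACL (stateless, ordered allow/deny rules) vs security group
(stateful, allow-only) for one HTTPS request and its reply.

Added example, not part of the original notes; rule tables and addresses
are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NaclRule:
    number: int        # evaluated in ascending order, first match wins
    direction: str     # "inbound" or "outbound"
    protocol: str      # "tcp", "udp" or "all"
    port_from: int     # destination port range of the packet being checked
    port_to: int
    cidr: str          # remote address range
    action: str        # "allow" or "deny"

    def matches(self, direction, protocol, port, remote_addr):
        return (self.direction == direction
                and self.protocol in ("all", protocol)
                and self.port_from <= port <= self.port_to
                and ip_address(remote_addr) in ip_network(self.cidr))


def nacl_allows(rules, direction, protocol, port, remote_addr):
    """Stateless: each packet is judged alone; the implicit final rule denies."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(direction, protocol, port, remote_addr):
            return rule.action == "allow"
    return False


class SecurityGroup:
    """Stateful: the reply to an accepted inbound flow is allowed out."""

    def __init__(self, inbound):
        self.inbound = inbound   # (protocol, port, cidr) allow entries only
        self.flows = set()       # (remote_addr, remote_port) of accepted flows

    def allows_inbound(self, protocol, port, remote_addr, remote_port):
        for proto, p, cidr in self.inbound:
            if proto == protocol and p == port and ip_address(remote_addr) in ip_network(cidr):
                self.flows.add((remote_addr, remote_port))
                return True
        return False

    def allows_reply(self, remote_addr, remote_port):
        return (remote_addr, remote_port) in self.flows


def https_exchange(nacl_rules, sg, client="203.0.113.10", client_port=51515):
    """Client hits TCP/443 inside the subnet; return (request_passes, reply_passes)."""
    request = (nacl_allows(nacl_rules, "inbound", "tcp", 443, client)
               and sg.allows_inbound("tcp", 443, client, client_port))
    # The reply leaves the subnet toward the client's ephemeral source port.
    reply = (nacl_allows(nacl_rules, "outbound", "tcp", client_port, client)
             and sg.allows_reply(client, client_port))
    return request, reply


# Constructed rule tables (AWS numbers inbound and outbound rules separately).
MISSING_EPHEMERAL = [
    NaclRule(100, "inbound", "tcp", 443, 443, "0.0.0.0/0", "allow"),
    NaclRule(100, "outbound", "tcp", 443, 443, "0.0.0.0/0", "allow"),
]
WITH_EPHEMERAL = MISSING_EPHEMERAL + [
    NaclRule(110, "outbound", "tcp", 1024, 65535, "0.0.0.0/0", "allow"),
]
# An explicit deny for one host: possible in a NACL, impossible in a security group.
BLOCK_ONE_HOST = [
    NaclRule(50, "inbound", "all", 0, 65535, "198.51.100.7/32", "deny"),
] + WITH_EPHEMERAL


def web_sg():
    """Constructed security group that allows HTTPS from anywhere."""
    return SecurityGroup([("tcp", 443, "0.0.0.0/0")])


if __name__ == "__main__":
    print("missing ephemeral rule:", https_exchange(MISSING_EPHEMERAL, web_sg()))
    print("with ephemeral rule:   ", https_exchange(WITH_EPHEMERAL, web_sg()))
    print("blocked host:          ", https_exchange(BLOCK_ONE_HOST, web_sg(), client="198.51.100.7"))
```

With the first table the request reaches the instance but the reply never leaves the subnet; the outbound allow on 1024-65535 in the second table is the ephemeral-port rule AWS recommends. The sorted() call is the ascending rule-number evaluation and the final return False is the NACL's implicit deny.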
Interface Endpoint (ENI)
o an ENI in your subnet that lets your VPC connect privately to services over AWS PrivateLink; same
region only; IPv4; you can associate a security group with the endpoint ENI
Gateway Endpoint
o used to privately access S3 and DynamoDB through a route-table entry; the endpoint belongs to a
single VPC (one per VPC, not shared); cannot be associated with a security group; region specific
IPv6 Egress-only (internet) Gateway
o allows IPv6 traffic out of the VPC but prevents connections initiated from the internet from
reaching your VPC's IPv6 resources (the IPv6 counterpart of a NAT gateway)
Transit Gateway
o simplifies connectivity as the number of VPCs grows (hub-and-spoke instead of a peering mesh); a
regional resource; supports IPv4 & IPv6
VPC Peering
o allows routing between two VPCs; peering is not transitive, so a full mesh of N VPCs needs N(N-1)/2
peering connections
VPN CloudHub
o connects multiple customer sites through Site-to-Site VPN; operates over the public internet, but all
traffic is encrypted (IPsec)
Bastion Host
o launched in a public subnet; use an Elastic IP rather than an auto-assigned public IP; lock it down
with NACLs & security groups (restrict SSH/RDP to known source addresses)
NAT gateway
o fully managed, highly available, elastic IP address, cannot be associated with security group
Internet gateway (IGW)
o allows your VPC to communicate with the internet; fully managed; only one IGW can be attached to
a VPC
========================================= S3 ====================================================
S3
o highly scalable, secure, performant, highly durable, object based, unlimited storage; integrates
with CloudWatch and CloudTrail; sends event notifications to SNS, SQS and Lambda; cheaper than
DynamoDB for items larger than 400 KB (DynamoDB's item size limit)
Cross Region Replication
o asynchronously copies objects to a bucket in another region; versioning must be enabled on both
the source and the destination bucket
Cross-Origin Resource Sharing (CORS)
o lets client-side web applications loaded from one origin (domain) request resources in an S3 bucket
on a different origin; configured as a CORS rule on the bucket
S3 sharing
o Sharing S3 bucket with two accounts in the same organization
S3 Transfer Acceleration
o chargeable; routes uploads and downloads through the nearest CloudFront edge location; enables fast
and secure (HTTPS) transfers of files over long distances between clients and S3
S3 requester pays
o owner pay for storage and requesters pay for data transfer
S3 access policies
o User (identity-based) policies
o Resource-based policies: ACLs (object ACL, bucket ACL) and bucket policies
S3 Pre-Signed URL
o the object owner shares an object through a URL signed with their credentials; anyone holding the
URL gets the signer's access to that object until the URL expires; different from a CloudFront signed URL
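Worked example (added here, not part of the original notes): building a SigV4 presigned GET URL offline and then verifying it the way S3 does, by recomputing the signature from the query string and enforcing X-Amz-Expires. The bucket, object key and credentials are constructed placeholders (the access key / secret pair is the one AWS uses in its own documentation examples); nothing here contacts AWS.

```python
"""S3 presigned GET URL: generate with SigV4, then verify and expire it.

Added example, not part of the original notes; bucket, key and credentials
are constructed placeholders and no request is ever sent to AWS.
"""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote, unquote, urlencode, urlparse

ALGO = "AWS4-HMAC-SHA256"
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"                   # constructed placeholder
SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"  # constructed placeholder


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret, date, region, service="s3"):
    """kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service), "aws4_request")."""
    k = _hmac(("AWS4" + secret).encode(), date)
    k = _hmac(k, region)
    k = _hmac(k, service)
    return _hmac(k, "aws4_request")


def _signature(secret, region, amz_date, host, path, query_items):
    """Canonical request for a GET with only the Host header signed and an unsigned payload."""
    canonical_query = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}"
                               for k, v in sorted(query_items))
    canonical = "\n".join(["GET", quote(path, safe="/"), canonical_query,
                           f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    to_sign = "\n".join([ALGO, amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    return hmac.new(signing_key(secret, amz_date[:8], region),
                    to_sign.encode(), hashlib.sha256).hexdigest()


def presign_get(bucket, key, access_key, secret, region, now, expires=3600):
    """Return a presigned URL valid for `expires` seconds from `now` (UTC datetime)."""
    host = f"{bucket}.s3.{region}.amazonaws.com"
    path = "/" + key
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    items = [("X-Amz-Algorithm", ALGO),
             ("X-Amz-Credential", f"{access_key}/{amz_date[:8]}/{region}/s3/aws4_request"),
             ("X-Amz-Date", amz_date),
             ("X-Amz-Expires", str(expires)),
             ("X-Amz-SignedHeaders", "host")]
    sig = _signature(secret, region, amz_date, host, path, items)
    return f"https://{host}{quote(path, safe='/')}?" + urlencode(items + [("X-Amz-Signature", sig)])


def verify_presigned(url, secret, now):
    """What S3 does on receipt. Returns "ok", "expired" or "bad-signature".
    Any holder of the URL is granted the object until expiry, so the expiry is
    the only control left once the link leaks."""
    u = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    amz_date = q["X-Amz-Date"]
    issued = datetime.strptime(amz_date, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    if now > issued + timedelta(seconds=int(q["X-Amz-Expires"])):
        return "expired"
    region = q["X-Amz-Credential"].split("/")[2]
    items = [(k, v) for k, v in q.items() if k != "X-Amz-Signature"]
    expected = _signature(secret, region, amz_date, u.netloc, unquote(u.path), items)
    return "ok" if hmac.compare_digest(expected, q["X-Amz-Signature"]) else "bad-signature"


def demo():
    """Constructed scenario: sign at t0, then check a valid, a tampered and a late request."""
    t0 = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
    url = presign_get("example-bucket", "reports/q1.csv", ACCESS_KEY, SECRET,
                      "us-east-1", t0, expires=900)
    tampered = url.replace("reports/q1.csv", "reports/q2.csv")  # holder edits the key
    return {"valid": verify_presigned(url, SECRET, t0 + timedelta(minutes=5)),
            "tampered": verify_presigned(tampered, SECRET, t0 + timedelta(minutes=5)),
            "late": verify_presigned(url, SECRET, t0 + timedelta(minutes=16))}


if __name__ == "__main__":
    print(demo())
```

The tampered case shows why the key (and every signed query parameter) cannot be changed by the recipient: the path is part of the canonical request. Keep expiries short; a URL signed with long-lived IAM user credentials can be valid for up to seven days, while one signed with temporary credentials stops working when those credentials expire even if X-Amz-Expires is later.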
S3 Object Lock
o blocks objects from being deleted or overwritten (WORM); requires versioning on the bucket
o ways to enable Object Lock
Retention period (Governance mode: users with special permission can override; Compliance mode:
nobody can override, not even root, until the period expires)
Legal hold -> no expiration, the lock stays until the hold is removed
o Glacier Vault Lock -> enforces compliance controls on an individual S3 Glacier vault
Server Access Logging
o records requests made to the bucket as log objects in a target bucket; disabled by default; no
extra charge beyond storing the log objects
S3 static Website Hosting
Storage Gateway
o allows on-premises applications to access virtually unlimited cloud storage
o 3 types of storage gateway (File Gateway, Volume Gateway, Tape Gateway)
CloudFront
o securely delivers web applications, data, video and other web content through a global network of
edge locations, routing each user to the nearest one for low latency and high transfer speed;
integrates with Amazon CloudTrail
o Origin Access Identity (OAI)
OAI is a special CloudFront user; grant it access as the principal in the S3 bucket policy so the
bucket can stay private and is reachable only through the distribution
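Worked example (added here, not part of the original notes) for the S3 access policies and OAI items above: a first-pass linter that flags bucket-policy statements granting access to the anonymous principal, beside the OAI-scoped statement that lets CloudFront read while the bucket stays private. The bucket name, the OAI id and both policies are constructed placeholders.

```python
"""Flag public-read statements in an S3 bucket policy and recognise an
OAI-scoped one.

Added example, not part of the original notes; bucket name, OAI id and the
two policies are constructed placeholders.
"""

BUCKET = "example-static-site"     # constructed
OAI_ID = "E2QWRUHAPOMQZL"          # constructed placeholder id

# OAI-scoped policy: the OAI is the only principal, nothing anonymous.
OAI_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowCloudFrontOAI",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {OAI_ID}"},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}

# The shortcut that exposes the whole bucket instead.
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }, {
        "Sid": "ListFromOffice",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},          # {"AWS": "*"} is the same anonymous principal as "*"
        "Action": "s3:ListBucket",
        "Resource": f"arn:aws:s3:::{BUCKET}",
        "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
    }],
}


def _principals(stmt):
    """Normalise the Principal element to a flat list of strings."""
    p = stmt.get("Principal", {})
    if p == "*":
        return ["*"]
    out = []
    for value in (p.values() if isinstance(p, dict) else []):
        out.extend([value] if isinstance(value, str) else value)
    return out


def _anonymous_allows(policy):
    return [s for s in policy["Statement"]
            if s.get("Effect") == "Allow" and "*" in _principals(s)]


def public_statements(policy):
    """Sids of anonymous Allow statements with no Condition at all: plainly public."""
    return [s.get("Sid", "<no sid>") for s in _anonymous_allows(policy) if not s.get("Condition")]


def anonymous_but_conditioned(policy):
    """Anonymous Allow statements narrowed only by a Condition; review the condition."""
    return [s.get("Sid", "<no sid>") for s in _anonymous_allows(policy) if s.get("Condition")]


def uses_oai(policy, oai_id):
    """True if some statement names the given OAI as a principal."""
    needle = f"CloudFront Origin Access Identity {oai_id}"
    return any(needle in p for s in policy["Statement"] for p in _principals(s))


if __name__ == "__main__":
    for name, pol in (("OAI_POLICY", OAI_POLICY), ("PUBLIC_POLICY", PUBLIC_POLICY)):
        print(name, "public:", public_statements(pol),
              "conditioned:", anonymous_but_conditioned(pol), "oai:", uses_oai(pol, OAI_ID))
```

This is deliberately narrower than AWS's own definition of "public" (Block Public Access also treats wide IP ranges and several other conditions as public), so treat a clean result as a first pass, not a proof. The OAI mechanism still works, but AWS now recommends origin access control (OAC) for new distributions.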
o Signed URLs & signed cookies with CloudFront
restrict access to cached content at the edge
o Geo restriction (or geo blocking), a CloudFront feature
restricts access to edge content by country, using an allow list (whitelist) or a block list (blacklist)
Route 53
o highly available, universal (not region specific) and scalable DNS service, perform domain
registration, DNS routing and health checking
o Routing policies (Simple, Failover, Latency, Weighted, Geolocation, Geoproximity, Multivalue Answer)
Global Accelerator
o network layer service; horizontally scaled; highly available; provides two static anycast IP
addresses as a fixed entry point and improves availability and performance for a global user base;
TCP & UDP are supported; AWS Shield protects it against DDoS
Route 53 Geoproximity Routing
o routes based on the geographic location of users and resources, with a bias value to shift traffic
from resources in one location to resources in another
Route 53 Resolver
o streamlines DNS queries in a hybrid environment; inbound endpoints let on-premises resolvers
query names in the VPC, outbound endpoints forward VPC queries to on-premises DNS
============================= Serverless Computing =========================
Lambda
o fully managed; serverless; highly available; scales automatically; pay for requests and compute
time; invoked push based (events) or poll based (queues and streams)
o CloudFront & Lambda@Edge
Lambda@Edge runs Lambda functions at CloudFront edge locations to customize content close to the
viewer, which reduces latency and improves user experience
API Gateway
o an API is a set of rules that let programs talk to each other; API Gateway is a fully managed
service that can throttle and monitor requests to protect the backend
o integrates with CloudFront, which provides DDoS protection and low latency responses
CloudHSM
o hardware security module in the cloud; single-tenant, FIPS 140-2 Level 3 validated; AWS manages the
hardware but not your keys or cryptographic operations (the customer does); pay as you go; a
CloudHSM cluster contains one or more HSM devices spread across availability zones, each reachable
through an ENI in your VPC
AWS Shield
o Standard (free) and Advanced (chargeable); Advanced adds 24x7 access to the DDoS Response Team,
DDoS attack visibility dashboards, automatic baselining of web traffic, sensitive detection
thresholds and cost protection
WAF
o web ACLs hold the rules/filters that inspect web requests; supports IPv6, geolocation match, IP
sets, rate-based rules and managed rule groups
GuardDuty
o continuous security monitoring service; produces findings by analysing VPC Flow Logs, DNS logs,
and CloudTrail management and S3 data events; findings can be viewed in the GuardDuty console or
routed through EventBridge (formerly CloudWatch Events)
Inspector
o security assessment service; finds network reachability exposure, software vulnerabilities and
deviations from security best practice; assessments can be configured to run once or on a
recurring schedule (weekly is recommended)
Macie
o fully managed data security and data privacy service; uses machine learning and pattern matching
to discover sensitive data (such as PII) in S3; provides an inventory of S3 buckets, including
which are unencrypted, public or shared; Macie findings can be sent to Amazon EventBridge, which
can then trigger Step Functions to run remediation actions; multiple accounts are managed from a
single Macie administrator account
Cognito
o provides authentication, authorization, and user management for web and mobile applications;
user pools (sign-up/sign-in, user directory, tokens) & identity pools (temporary AWS credentials);
authentication with third-party identity providers (like Google, Facebook) and access to AWS
services through an identity pool
======================== Organizations =================================
Organizations
o account management; build hierarchies (OUs) and group accounts with similar policies; free of
charge; highly available; eventually consistent; modes (All features, Consolidated billing);
Service Control Policies (SCPs do not grant permissions, they only filter/cap what IAM policies in
the member accounts can grant; allow-list (whitelisting) or deny-list (blacklisting) strategies;
SCPs do not affect the management account)
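Worked example (added here, not part of the original notes): evaluating an action the way Organizations and IAM do together, so that "SCPs filter, they never grant" becomes checkable. It also shows the common mistake of detaching FullAWSAccess from an OU that only has a deny-list SCP, which silently denies everything in that OU. The policies are constructed; FULL_AWS_ACCESS mirrors the shape of the default SCP, the rest are illustrative.

```python
"""SCP + identity-policy evaluation: an action is allowed only if every level
of SCPs (root, each OU, account) allows it AND the account's own IAM policy
allows it. SCPs never add permissions and never apply to the management account.

Added example, not part of the original notes; all policies are constructed.
"""
from fnmatch import fnmatchcase

FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Deny-list style SCP: protect logging and detection from tampering.
PROTECT_LOGGING = {"Statement": [{
    "Effect": "Deny",
    "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
               "guardduty:DeleteDetector", "guardduty:UpdateDetector"],
    "Resource": "*",
}]}

# Allow-list style SCP: only these services exist for the OU at all.
ONLY_S3_AND_LAMBDA = {"Statement": [{"Effect": "Allow", "Action": ["s3:*", "lambda:*"], "Resource": "*"}]}

# Identity-based policies inside a member account.
ADMIN = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DEVELOPER = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}


def _as_list(x):
    return [x] if isinstance(x, str) else list(x or [])


def _matches(stmt, action, resource):
    """Action names match case-insensitively with '*' wildcards; resources match ARN patterns."""
    actions = [a.lower() for a in _as_list(stmt.get("Action"))]
    resources = _as_list(stmt.get("Resource", "*"))
    return (any(fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatchcase(resource, r) for r in resources))


def policy_decision(policy, action, resource="*"):
    """IAM evaluation: an explicit Deny wins, then any Allow, else implicit deny."""
    decision = "implicit-deny"
    for stmt in policy["Statement"]:
        if _matches(stmt, action, resource):
            if stmt.get("Effect") == "Deny":
                return "deny"
            decision = "allow"
    return decision


def _level_allows(policies, action, resource):
    """SCPs attached to one node merge: any Deny blocks, otherwise some Allow must match."""
    merged = {"Statement": [s for p in policies for s in p["Statement"]]}
    return policy_decision(merged, action, resource) == "allow"


def effective(scp_levels, identity_policy, action, resource="*", management_account=False):
    """scp_levels: the SCPs attached at the root, then at each OU on the path, then at the account."""
    if not management_account:
        for level in scp_levels:
            if not _level_allows(level, action, resource):
                return False
    return policy_decision(identity_policy, action, resource) == "allow"


if __name__ == "__main__":
    root = [FULL_AWS_ACCESS]
    print("admin may StopLogging under deny-list OU:",
          effective([root, [FULL_AWS_ACCESS, PROTECT_LOGGING]], ADMIN, "cloudtrail:StopLogging"))
    print("admin may GetObject when FullAWSAccess was detached from the OU:",
          effective([root, [PROTECT_LOGGING]], ADMIN, "s3:GetObject"))
    print("developer may invoke Lambda with no SCP restriction:",
          effective([root], DEVELOPER, "lambda:InvokeFunction"))
```

The last line answers the exam-style question directly: FullAWSAccess at every level still leaves the developer without Lambda access, because the identity policy never granted it. The middle line is the operational gotcha: a deny-list SCP is only useful alongside an Allow at the same node.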
CloudFormation
o helps create and set up AWS resources from a template (JSON or YAML); the result is called a
CloudFormation stack; updating a stack is possible using change sets
o StackSets -> allow us to create, update, or delete stacks across multiple accounts and regions
using single template and single operation
Elastic Beanstalk
o for deploying, managing, and scaling web applications; free of charge, but customers pay for the
underlying resources launched; supports deployment of containerized applications (Docker platform
configurations); EB monitors your application's health
OpsWorks
o Chef and Puppet automation tools to configure, Operate, and manage Applications in AWS or
on-premises, The stack is the core component in AWS OpsWorks, supports Linux and
Windows
AWS System Manager
o provides visibility and control over your infrastructure on AWS or on-premises; automates
operational tasks across AWS resources; resource groups make it easier to manage/automate tasks
on a large number of resources at one time; requires the SSM agent
SSM – Parameter Store
o Parameter Store is one of SSM's shared resources; serverless, secure, durable, highly available,
hierarchical; stores configuration and secrets such as passwords, AMI IDs, access keys, DB
connection strings and license codes as String, StringList or SecureString (encrypted with KMS);
sensitive values belong in SecureString, not in plain String parameters
Secrets Manager
o helps protect access to applications, services and IT resources; passwords for supported databases
on AWS can be rotated on a schedule or on demand; a Lambda function is required to rotate other
database credentials or OAuth refresh tokens; pay as you go: $0.40 per secret per month and $0.05
per 10,000 API calls
Config
o a fully managed service that provides an AWS resource inventory, configuration history, and
configuration change notifications; tracks configuration changes to check compliance against
rules; custom rules are backed by a Lambda function (managed rules need none)
Trusted Advisor
o online tool, provides real time guidance, help provision resource according to AWS best
practice, makes recommendations on cost, performance, security, fault tolerance, and service
limits optimization
Elasticsearch (now Amazon OpenSearch Service)
o fully managed, popular open source, near real-time, scalable search and analytics engine; pay as
you go; the Elastic stack (ELK stack) includes Elasticsearch with Kibana for visualization and
Logstash for data collection and log ingestion
Elastic Transcoder
o converts/transcodes video and audio (media) files stored in S3 into supported formats; pay as
you go (has a free tier)
AppSync
o fully managed GraphQL service; data synchronization between web/mobile apps and backend data sources
WorkSpaces
o provides users access to a virtual desktop; pay per user hourly or monthly; MFA; encryption at
rest & in transit; IP access control groups can allow-list the corporate network IP range
WorkDocs
o fully managed, secure enterprise storage and collaboration service; users can preview and
comment on different supported file types
X-Ray
o view, filter and gain insight into application flows, to understand how an application and its
underlying services are performing and to troubleshoot it; works with AWS Config; trace data is
encrypted at rest
DMS
o web service used to migrate data from a source to a target database; one-time migration or
ongoing replication; pay as you go; encryption in transit & at rest; types (homogeneous,
heterogeneous)
RAM
o allows customers to share resources with any AWS account, with organizational units (OUs) or with
the whole organization; free; access to a shared resource is still governed by IAM policies and SCPs
Cost explorer
o Allow customers to Visualize, understand and manage AWS costs and usage over time