Summary of Summery

One line about every concept

======================== VPC =====================================

 Global Accelerator
o Allows you to improve availability and performance of your applications for global users
 Network Access Control Lists (NACL) and security group
o used to control the traffic, NACL are stateless, unlike with security groups, you can block IP
addresses with a NACL, unlike with security groups
 Interface Endpoint (ENI)
o allows your VPC to privately connect to services using private link, same region only, IPv4,
associate a security group with ENI
 Gateway Endpoint
o used to privately access supported service, one is required per VPC, cannot be associated with a
security group, region specific
 IPv6 Egress-only (internet) Gateway
o It allows IPv6 traffic from within the VPC out, but prevent traffic initiated from internet to
access your VPC’s IPv6 sources
 Transit Gateway
o Can simplify communication requirements as the number of VPCs grow, regional source,
Supports IPv4 & IPv6
 VPC Peering
o allow routing between two VPCs, N(N-1)/2
 VPN CloudHub
o Operates over public internet, but all traffic is encrypted, securely connect sites
 Bastion Host
o launched in public subnet, use elastic IP not public IP, NACLs & Security groups
 NAT gateway
o fully managed, highly available, elastic IP address, cannot be associated with security group
 Internet gateway (IGW)
o Allows your VPC to communicate with the internet, fully managed, one IGW can be attached to
a VPC

========================================= S3
====================================================

 S3
o highly scalable, secure, performant, highly durable, Object Based, unlimited storage, integrates
with CloudWatch and CloudTrail, send notifications to SNS, SQS and lambda, Cheaper storage,
Items larger than 400 KB
 Cross Region Replication
 Cross-Origin Resource Sharing (CORS)
o allowing clients to access resources from different servers (Origins) simultaneously
 S3 sharing
 o Sharing S3 bucket with two accounts in the same organization
 S3 Transfer Acceleration
o chargeable service, Utilize CloudFront, enables fast and secure transfers (https) of files over
long distance between clients and S3
 S3 requester pays
o owner pay for storage and requesters pay for data transfer
 S3 access policies
o User policies
 Resource based policies (ACL (Object ACL, Bucket ACL), Bucket Policies )
 S3 Pre-Signed URL
o Object owner can share objects through signed URLs, different from CloudFront signed URL,
 S3 lock Policies
o block objects from being deleted or modified,
o ways to enable object lock
 Retention Period (Governance Mode, Compliance Mode[even root])
 Legal Hold -> Lock has no expiration until the hold is removed
o Glacier Vault Lock -> Enforce compliance controls on individual S3 Glacier
 Server Access Logging
o records of requests, disabled by default, No extra charge
 S3 static Website Hosting
 S3 gateway
o Allows on-premises applications to access virtually unlimited cloud storage
o 3 types of storage gateways (File gateway, Volume gateway, Tape gateway)

================================= CDN & DNS

=================================================

 CloudFront
o Securely deliver web application, data, Video and other web content over system distribution
servers to users based on their geographic location, with Low latency and high transfer speed,
integrates with Amazon CloudTrail
o Origin Access Identity (OAI)
 OAI is a special CloudFront user, can be used as a principle in S3 bucket to provide
access
o Signed URL & Signed Cookies with CloudFront
 restrict access to cashed content at edge
o Geo Restrictions (Or Geo Blocking) CloudFront Feature
 restrict access to the edge content to certain countries, WhiteList, BlackList
 Route 53
o highly available, universal (not region specific) and scalable DNS service, perform domain
registration, DNS routing and health checking
o Routing Policies (Simple, Failover, Latency, Weighted, Geolocation, Multi Value Answer)
 Global Accelerator
 o network layer service , horizontally scaled , highly available, improve applications’ availability
and performance for the global user base, UDP & TCP are supported, AWS Shield for DDos
protection
 Route 53 GEO-Proximity Routing
o shift traffic from resources in one location to resources in another
 Route 53 resolver
o Streamlining DNS queries in hybrid cloud environment

==========================================================================================
===
============================= Serverless Computing =========================

 Lambda
o fully managed, Serverless, highly available, scales automatically, pay for the compute
time, push based, or Poll based
o CloudFront & Lambda@Edge
 Lambda@Edge will significantly reduce latency and improve user experience
 API gateway
o API is a set of rules that allow program to talk to each other, fully managed service, Can
throttle and monitor requests to protect the backend
o Integrates with CloudFront and can provide for DDOS protection and low latency
response

=========================== Storage Services ====================================

 Elastic File System (EFS)

o Highly available, durable, Auto Scaling, consistent performance, Shared, concurrent file
access, Network files system (not object storage), Linux instance only (POSIX),
hierarchical directory, Hight throughput to EC2 instance, Strong data consistency,
integrates with CloudWatch & CloudFront, one ENI per AZ, scale to Petabytes
o Modes
 Performance Mode (General mode, Max I/O)
 Throughput Mode (Bursting mode, Provisioned mode)
 Amazon FSX
o FSX used for windows file server, fully managed, scale up to 64 TB, MS active
directory, ENI with security group (at AZ)
o Single AZ, Multi AZ
o DataSync to migrate from on-premises windows
o FSX for Lustre
 Lustre is open-source, Object -based, distributed, parallel, Clustered file system,
FSX for Lustre Scratch and persistent file system, Supports file locking
 Amazon Storage Gateway
o allows us to use S3 and Glacier as file, uses compression and HTTPs, 3 configurations
(File gateway, Tape gateway, Volume gateway)
 Amazon Snow Family
o offline data transfer, services (Snowball, Snowball Edge, Snowmobile, Snowcone)
 AWS backup
 o fully managed backup service, centralizes and automate all backup,
 AWS DataSync
o used to transfer online data, used to move data that changes frequently, speed is ten
times faster than available tools

======================== Security, Identity, Compliance=================

 CloudHSM
o HW security module in the cloud, AWS does not manage cryptographic key operations of
functions (Customer does), It is pay as you go, CloudHSM cluster contains one or more
CloudHSM device, multiple availability zones, ENIs
 AWS Shield
o Access to DDoS response team 24*7. And DDoS attack visibility, standard(free),
Advanced(chargeable) , dashboard, Automatic baselining of web traffic, Sensitive detection
threshold, Cost protection
 WAF
o Web ACLs are rules/filters required to effectively filter web traffic, IPv6, geolocation filter
 GuardDuty
o continuous security monitoring service, produces findings, analyzes VPC flow logs, DNS logs,
and CloudTrail management and S3 data event logs, findings can be viewed in GuardDuty
console or through CloudWatch events
 Inspector
o security assessment service, NW vulnerabilities, security exposure and any deviation from
security best practice, Assessment can be configured to run once or weekly (recommended)
 Macie
o fully managed data security and data privacy service, It uses machine learning and pattern
matching, provides an inventory of S3 buckets that are unencrypted, Macie findings can be
sent to Amazon EventBridge, which can then trigger step functions to activate remediation
actions, across multiple accounts from a single Macie account
 Cognito
o provides authentication, authorizations, and user management for web and mobile
applications, Cognito user pools & Cognito identity pools, Authentication with 3 rd party (like
google, Facebook) and access AWS services with identity pool

======================== Organizations=================================

 Organizations
 o account management, build hierarchies and group accounts with similar policies , a free of
charge, highly available, eventually consistent, modes(All features, Consolidated Billing),
Service Control Policies (SCPs - not grant permissions, they only filter permission,
Whitelisting, blacklisting),
 CloudFormation
o help create and set up AWS resources, template (JSON or YAML), result is called a
CloudFormation stack, Updating a stack is possible using change sets,
o StackSets -> allow us to create, update, or delete stacks across multiple accounts and regions
using single template and single operation
 Elastic Beanstalk
o for deploying, managing, and scaling web applications, free of charge. However, customers
pay for underlying service launched, supports the deployment of containerized applications,
supports docker platform configurations, EB will monitor your application’s health,
 OpsWorks
o Chef and Puppet automation tools to configure, Operate, and manage Applications in AWS or
on-premises, The stack is the core component in AWS OpsWorks, supports Linux and
Windows
 AWS System Manager
o provides visibility and control of client’s infrastructures on AWS or on-premises, automate
operational tasks across AWS resources, Resource groups make it easier to
manage/automate tasks on large number of resources at one time, requires SSM agent
 SSM – Parameter Store
o AWS parameter store is one of SSM’s shared resources, serverless, Secure, Durable, Highly
Available, Hierarchical, Store sensitive data (as plain text or encrypted) such as passwords,
AMI IDs, Access keys, DB string, License codes
 Secrets Manger
o helps in protecting access to applications, service and IT resources, Passwords for supported
DB on AWS can be rotated on-schedule or on-demand, lambda function is required to rotate
other DBs credentials or OAuth refresh tokens, Pay as you go rates: 0.4 $ per secrets/month,
and 0.05$ per 10K API calls
 Config
o a fully managed service that provides AWS resource inventory, configuration history, and
configuration change notifications, tracks the configuration changes to ensure compliance,
Each rule is associated with lambda
 Trusted Advisor
o online tool, provides real time guidance, help provision resource according to AWS best
practice, makes recommendations on cost, performance, security, fault tolerance, and service
limits optimization

===================== Management, Monitor, Audit ============================

o CloudWatch
o metric repository, exist only in the region where they are created, have a VPC interface
endpoint, Alarm can perform one or more actions, Alarm cannot invoke a Lambda function
directly
 o facilitates log viewing, sort/query/archive logs, visualize logs at dashboard, use CloudWatch
insight to make custom queries to logs
o CloudWatch agent
o It delivers a near real-time stream of system events
o EventBridge
o Serverless, to build event-driven architecture, builds on CloudWatch events, delivers event
data from sources to targets near real-time

============================ Containers ====================================

 Elastic Containers Service (ECS)

o highly available, Fast, container management service, which makes it is easy to run,
stop, schedule placement, and manage docker containers on EC2 instance in AWS,
need an IAM role, uses Auto Scaling Group to scale underlying compute instance
o Launch types
 Fargate launch type (Serverless)
 ECS launch type (Server-based)
o Both ECS & Fargate support EFS, ECS supports FSX for windows
 Elastic Kubernetes Service (EKS)
o managed AWS service, is a full standard Kubernetes implementation, migrate to EKS
without any issues, components (control plane, worker node), EKS storage options are
EBS, EFS, FSX for luster

============================== Notification & Messaging =========================

o Simple Queue Service (SQS) 101.
o fast, reliable, durable, secure, and fully managed web-based hosted message queue service,
across multi-AZ in one region, SQS is poll-based service, unlimited number of messages,
message size only up to 256 KB, EC2 instance or Lambda function can be us, CloudWatch can
be used to monitor the messages, types (Standard[Unlimited throughput, Duplicate messages],
FIFO[No duplicates, Grouping messages]), polling types (Short[Default, immediately, Cost
more], Long[wait up to 20 second, lower costs]), SQS messages can remain in the queue up to
14 days, Visibility timeout is the duration the message is locked, Delay queue, Dead Letter
Queues (DLQs), IAM policies, in-transit, at-rest
o Simple Notification Service (SNS) 101.
o Fast, Flexible, durable (Store data in Multi-AZ), Fully managed push notification service,
producer& Consumer, in-transit, and at-rest, Fanout (Sending identical copies of a message
parallel), Message Filtering, SNS DLQ, SNS FIFO
o Amazon MQ.
o managed Apache ActiveMQ message broker, to migrate on-premises deployments that are
using Apache, server-based not serverless, security groups
o AWS Step Functions
o fully managed serverless, makes it easy to coordinate components of distributed applications
and microservices using visual workflows, Step function tracks each step, retries if error,
maintain the execution order

===================== Analytics Services =============================

  RedShift Spectrum,
o Serverless, for complex queries, in-VPC redshift, Spectrum nodes outside VPC, rest & in transit,
Charge is per number of bytes scanned
 Elastic Map Reduce EMR,
o managed service (Cluster Server Based), root access, run big data such as Hadoop, not Real-
Time, single AZ, rest & in transit, Charge pays for compute, For complex queries EMR get very
slow as data size, But redshift spectrum is more efficient
 Athena,
o Serverless, Can query unstructured, semi-structured and structured data in CSV and JSON at S3,
standard SQL, used schema-on-read, interactive query, QuickSight for data visualization,
 Glue,
o Serverless, ETL & warehouse, rest & in transit, makes simple scan, clean, enrich data, Move
data between data stores in AWS, Charges pay-as -you-go
 Kinesis Data Streams (KDS),
o managed real-time streaming date services , fully managed, types(Video Stream, Data Stream,
Firehose, Analytics), Used for IOT and big data analytics, Shards (Only Data streams have
shards)
o Kinesis Data analytics -> process and analyze real-time streaming data, Feed real time
dashboard
o Kinesis Data firehose -> fully managed, capture real-time streaming data from producers to
destinations (like S3), compress, transform, and batch data to minimize the amount of storage,
use a lambda function
 quick sight,
o business analytics tool, Build visualization, perform ad-hoc analysis, provide business insights
 Pipline
o fully managed, automate data movement and transformation, ETL of unstructured data (like
logs)

======================== Additional services ================================

 ElasticSearch,
o fully managed, popular open source, near real-time, scalable search and analytics engine, Pay
as you Go, Elastic stack (ELK stack) includes Elasticsearch with kibana for visualization and
logstash for data collection and log ingestion
 Transcoder,
o convert/ transcoding video and audio (media) files stored at S3 into supported format, Pay as
you go (has a free tier)
 AppSync,
o fully managed, data synchronization between web and mobile apps and servers, GraphQL
 Workspace,
o way to provide clients access to virtual desktop, Pay per user hourly or monthly, MFA, rest&
transit, Can whitelist corporate network IP range
 WorkDocs,
o fully managed, Is a Secure enterprise storage and collaboration service, Users can preview and
comment on different supported files
  X-Ray,
o to view, filter and gain insight into the application flows, To understand how application and its
underling services are performing, troubleshoot application, AWS config, at rest
 DMS,
o web service, used to migrate data from source to target DB, one time migration and ongoing
migration, Pay as you go, transit& rest, Types (Homogenous, Heterogenous)
 RAM,
o allows customers to share resources with any AWS account also with organizational unit (OUs),
free, IAM and policies and SCPs
 Cost explorer
o Allow customers to Visualize, understand and manage AWS costs and usage over time

======================== DataBase ===============================================

 Relational Database Service (RDS 101) – SQL
o a fully managed Relational DB, can’t log in to the OS or SSH in, RDS is not serverless, at rest& transit,
SNS, standalone or Multi AZ Recovery, supports autoscaling with zero downtime, Up to 5 read replicas of
any database, no automatic failover, Automated Point in time Backups, Manual Database Snapshot,
snapshots can be copied in same region or across AWS regions, Automated backups can not be shared
with other account
 Aurora – SQL
o Provide 5x MySQL & 3x PostgresSQL performance, Fully managed RDS, Muli-AZ, fault-tolerant, up to 15
read replicas in different AZ in same AWS region, Aurora DB backtracking, Multi Master clusters / Multi
writer, Aurora Serverless
o Aurora Global DB -> Up to 5 secondary read-only cluster regions, Cross region Replication, latency < 1
sec,
 RedShift – SQL
o fully managed, Petabyte scale data, Powerful data warehouse, designed for OLAP rather than for OLTP,
Can work with structured (columns and rows) or semi-structured data (like CSV and JSON), Single-node
or multi-node cluster in single AZ, Advanced compression, Columns to store data rather than rows,
which is 10x faster, pay as you go (no upfront commitment),
 ElastiCache – NO SQL
o Fully managed, in-memory, Key-value data store, Improves the performance of web applications, for
stateless applications, types (Memcached[not persistent, Not support replication or multi-AZ],
Redis[persistent, Multi-AZ through read replicas in different AZs])
 DocumentDB - NO SQL
o Fully managed, fast, reliable, document
 Neptune - NO SQL
o Fully managed, fast, reliable, Graph DB (NoSQL), it supports Gremlin and SPARQL query langue
 DynamoDB - NO SQL
o Is OLTP DB, not support complex joins or queries, NoSQL database, Fully managed, fast predictable
performance, seamless scalability, Supports semi-structured data and unstructured data (like audio and
videos), Supports both document and key-value data model, RCU/WCU, DynamoDB Time-To-Live(TTL),
Stored on SSD Storage
o DynamoDB Accelerator (DAX) -> cashing solution Only for DynamoDB, micro-second latency, eventually
consistent reads
o DynamoDB streams -> Is a real time ordered flow of data about changes to item in a table
o DynamoDB Global tables -> Build massively scaled applications with global user base
================================================================================