Introduction

1. Region: a physical location in the world that consists of two or more Availability Zones (AZs).
2. An Availability Zone: One or more discrete data centers – each with redundant power
networking, and connectivity – housed in separate facilities.
3. An Edge Location: these are endpoints for AWS that are used for caching content. Typically,
this consists of CloudFront and Amazon’s CDN.

1. Storage
a. S3
b. EBS
c. EFS
d. FSx
e. Storage Gateway
2. Databases
a. RDS
b. DynamoDB
c. Redshift
3. Networking
a. VPCs
b. Direct Connect
c. Route 53
d. API Gateway
e. AWS Global Accelerator

AWS Whitepapers

Read through

AWS Well-Architected Framework:

1. Operational Excellence: Running and monitoring systems to deliver business value, and
continually improving processes and procedures
2. Performance Efficiency: Using IT and computing resources efficiently
3. Security: Protecting information and systems
4. Cost Optimization: Avoiding unnecessary costs
5. Reliability: Ensuring a workload performs its intended functions correctly and consistently
when it’s expected to.
6. Sustainability: Minimizing the environmental impacts of running cloud workloads.

Identity and Access Management:

allows you to manage users and their level of access to the AWS console

1. Create users and grant permissions to those users

2. Create groups and roles
 3. Control access to AWS resources

The root account is the email address you used to sign up for AWS. The root account has full
administrative access.

Exam Tips

1. Turn on MFA on the root account

2. Create an admin group for administrators and assign the appropriate permissions to this
group.
3. Create users accounts for your admins
4. Add users to your admin groups

Controlling users’ actions with IAM policy documents

JavaScript Object Notation = JSON

Policy Documents are made of JSON

IAM Policy Documents can be assigned to Groups, Users, and Roles.

Exam Tips

1. Assign Permissions Using IAM Policy Documents Consisting of JSON

Permanent Identity and Access Management Credentials

The building blocks:

1. Users: A physical person. One user is equal to one person. Never share user accounts with
different people
2. Groups: Functions, such as admins, developers, etc. Contains users.
3. Roles: Internal usage within AWS.

It’s best practice for users to inherit permissions from groups

The Principle of Least Privilege

Only assign a user the minimum number of privileges they need to do their job.

Exam Tips
 1. IAM is Universal: It does not apply to regions
2. The root account: the account created when you first set up your AWS account and which
has complete admin access. Secure it as soon as possible and do not use it to log in day to
day.
3. New Users: No permissions when first created.
4. Access Key ID and secret access key are not the same as usernames and passwords
5. You only get to view these once: If you lose them, you regenerate them. So, save them in a
secure location.
6. Always set up password rotations: You can create and customize your password rotation
policies.
7. IAM Federation: You can combine your existing user account with AWS. For example, when
you log on to your PC (usually using Microsoft Active Directory), you can use the same
credentials to log in to AWS if you set up the federation.
8. Identity Federations: Uses the SAML standard, which is Active Directory.

S3
S3 Overview

1. Object Storage: S3 provides secure, durable, highly scalable object storage.

2. Scalable: S3 allows you to store and retrieve any amount of data from anywhere on the web
at a very low cost
3. Simple: Amazon S3 is easy to use, with a simple web service interface.

S3 Basics

Manages data as objects rather than in file systems or data blocks.

1. Unlimited storage:
2. Objects up to 5TB in Size: O bytes to 5 TB
3. S3 Buckets: Folders inside S3

Working with S3 Buckets:

1. Universal Namespace: All AWS accounts share the S3 namespace. Each S3 Bucket name is
globally unique
2. Example S3 URLs: https://bucket-name.s3.Region.amazonaws/key-name
3. Uploading files: When you upload a file to S3 you receive an HTTP 200 code regarding the
successful upload

S3 file features

1. Key: name of the object

2. Version Id: For multiple versions of the same object
3. Value: the data itself
4. Meta Data: The data about the data.

S3 buckets are spread across the globe to cover high availability and high durability.

1. Built for availability

2. Designed for durability
S3 Standard

1. Default version of S3 when you store a file.

2. Designed for Frequent access to data
3. Suitable for Most Workloads

Tiered Storage

S3 offers a range of storage classes designed for different use cases

Lifecycle Management

Defines rules to automatically transition objects to a cheaper storage tier or delete objects that are
no longer required after a set period of time

Versioning

With versioning, all versions of an object are stored and can be retrieved including deleted objects.

Securing your data

1. Server-side Encryption
a. U can set default encryption on a bucket to encrypt all new objects when are stored
2. Access Control Lists
a. Define which AWS accounts or groups are granted access and the type of access. U
can attach S3 ACLs to individual objects within a bucket
3. Bucket Policies
a. S3 bucket policies specify what actions are allowed or deleted. JSON policies

Strong Read After Write Consistency

- After a successful write of a new object (PUT) or an overwrite of an existing object, any
subsequent read request immediately receives the latest version of the object
- Strong consistency for list operations, so after a write, you can immediately perform a list
operation and your file will be there.

Securing your S3 Bucket.

Object ACLS vs Bucket Policies

- Object ACLS work on an individual object level.

- Bucket Policy work on an entire bucket level.

S3 operates across a global-space, thus a unique name is needed.

 - Buckets are private by default: When you create an S3 bucket, it is private by default
(including all objects within it). You have to allow public access on both the bucket and its
objects in order to make the bucket public.
- Object ACLs: You can make individual objects public by using ACLs.
- Bucket policies: You can make an entire bucket public using bucket policies.
- HTTP status code: When you upload an object to S3 and its successful, you will receive an
HTTP 200 code.

Hosting a Static Website on S3

- You can use S3 to host static websites, such as .html sites.

- Dynamic websites, such as those that require database connections, cannot be hosted on
S3.
- S3 Scales Automatically to meet demand.
- Bucket policies: Make entire bucket public
- Static Content: Use S3 to host static content only. NOT DYNAMIC

What is Versioning?

You can enable versioning in S3 so you can have multiple versions of an object within S3.

Advantages of Versioning

1. All Versions: All versions of an object are stored in S3. This includes all writes and even if
you delete an object.
2. Backup: Can be a great backup tool
3. Cannot be Disabled: Once enabled, versioning cannot be disabled – only suspended.
4. Lifecycle Rules: Can be integrated with lifecycle rules.
5. Support MFA

S3 Storage Classes

1. S3 Standard
a. High Availability and Durability: Data is stored redundantly across multiple devices
in multiple facilities (>= 3 AZs):
i. 99.99% in availability
ii. 99.9999999% durability (11 9’s)
b. Designed for Frequent Access: Perfect for frequently accessed data.
c. Suitable for Most Workloads
i. The default storage class.
ii. Use cases include websites, content distribution, mobile and gaming
applications, and big data analytics.
2. S3 Standard-Infrequent Access (S3 Standard-IA)
a. Rapid Access: Used for data that is accessed less frequently but requires rapid
access when needed.
b. You pay to access the data. There is a low per-GB storage price and per-GB retrieval
fee
 c. Use Cases: Great for long-term storage, backups, and as a data store for disaster
recovery files.
3. S3 One Zone-Infrequent Access
a. Like S3 Standard-IA, but data is stored redundantly within a single AZ.
b. Costs 20% less than regular S3 Standard-IA
c. Great for long-lived, infrequently accessed, non-critical data.
4. S3 Intelligent Tiering
a. Frequent and Infrequent Access: Automatically moves your data to the most cost-
effective tier based on how frequently you access each object.
b. Optimize Costs: 0.0025 per 1,000 objects

Glacier Options

- You pay each time you access your data

- Use only for archiving data
- Glacier is cheap storage
- Optimized for data that is very infrequently accessed.
1. Glacier Instant Retrieval: Provided long-term data archiving with instant retrieval time for
your data. Once a year access.
2. Glacier Flexible Retrieval: Ideal storage class for archive data that does not require
immediate access but needs the flexibility to retrieve large sets of data at no cost, such as
backup or disaster recovery use cases. Can be minutes or up to 12 hours.
3. Glacier Deep Archive (Cheapest Storage Class): Cheapest storage class and designed for
customers that retain data sets for 7-10 years or longer to meet customers’ needs and
regulatory compliance requirements. The standard retrieval time is 12hrs, and the bulk
retrieval time is 48hrs.
Exam Tips

- If we’re working on any type of archival data then we choose S3 Glacier

- Look at how fast you want to retrieve the data and what’s the cheapest option.
- In terms of the cost, understand how it is priced both S3 and Glacier
- S3 standard is the most expensive one
- If you want to cost optimized then use S3 Intelligent Tiering
- Infrequently accessed is Glacier for retrieval fee
- S3 Glacier is the most expensive in Glacier

Lifecycle Management with S3

- Lifecycle Management automates moving your objects between different storage tiers,
thereby maximizing cost effectiveness.
- S3 Standard: Keep for 30 Days
- S3 IA: After 30 days
- Glacier: After 90 days

Combining Lifecycle Management with Versioning: You can use lifecycle management to move
different versions of objects to different storage tiers.

Exam Tips:

- Automates moving objects between storage tiers

- Can be used in conjunction with versioning
- Can be applied to current and non-current versions

S3 Object Lock and Glacier Vault

1. S3 Object Lock: You can use S3 Object Lock to store objects using a write once, read many
(WORM) models. It can help prevent objects from being deleted or modified for a fixed
 amount of time or indefinitely. You can use S3 Object Lock to meet regulatory requirements
that require WORM storage, or add an extra layer of protection against changes and
deletion. S3 Object Modes:
a. Governance Mode: Users can’t overwrite or delete an object version or alter its
lock settings unless they have special permissions. With governance mode, you
protect objects against being deleted by most users, but you can still grant some
users permission to alter the retention settings or delete the object if necessary
b. Compliance Mode: a protected object version can’t be overwritten or deleted by
any user, including the root user in your AWS account. When an object is locked in
compliance mode, its retention mode can’t be changed and its retention period
can’t be shortened. Compliance mode ensures an object version can’t be
overwritten or deleted for the duration of the retention period.
2. Retention Period: Protects an object version for a fixed amount of time. When you place a
retention period on an object version S3 stores a timestamp in the object version’s metadata
to indicate when the retention period expires. After the retention period expires, the object
version can be overwritten or deleted unless you also placed a legal hold on the object.
3. Legal Hold: S3 Object Lock also enable you to place a legal hold on an object version. Like a
retention period, a legal hold prevents an object version from being overwritten or deleted.
However, a legal hold doesn’t have an associated retention period and remains in effect until
removed. Legal holds can be freely placed and removed by a user who has the
s3:PutObjectLegalHold permission.

Glacier Vault Lock: allows you to easily deploy and enforce compliance controls for individual
S3 Glacier vaults with a vault lock policy. You can specify controls, such as WORM, in a vault
lock policy and lock the policy from future edits. Once locked, the policy can no longer be
changed.

Encrypting S3 Objects

Types of Encryptions

1. Encryption in Transit: When sending objects to and from buckets

a. SSL/TLS
b. HTTPS
2. Encryption at Rest: Server-Side Encryption
a. SSE-S3: S3 managed keys, using AES 256-bit encryption
b. SSE-KMS: AWS Key Management service-managed keys
c. SSE-C: Customer provided keys
3. Encryption at Rest: Client-Side Encryption: you can encrypt the files yourself before you
upload them to S3.

Enforcing Server-Side Encryption

1. Console: Select the encryption setting on your S3 bucket. The easiest way is just a checkbox
in the console.
 2. Bucket Policy: You can enforce encryption using a bucket policy. This method sometimes
comes up in the exam. You can create a bucket policy that denies any S3 PUT request that
doesn’t include x-amz-server-side-encryption parameter in the request header.

Optimizing S3 Performance.

S3 Prefixes

- mybucketname/folder1/subfolder1/myfile.jpg > prefix: /folder1/subfolder1

- mybucketname/folder2/subfolder1/myfile.jpg > prefix: /folder2/subfolder1
- mybucketname/folder3/ myfile.jpg > prefix: /folder3
- mybucketname/folder4/subfolder4/myfile.jpg > prefix: /folder4/subfolder4

S3 Performance

- S3 has extremely low latency. You can get the first byte out of S3 within 100-200
milliseconds.
- You can also achieve a high number of requests: 3.500 PUT/COPY/POST/DELETE and 5,500
GET/HEAD requests per second, per prefix

The more prefixes the higher performance we will get.

- You can get better performance by spreading your reads across different prefixes. For
example, if you’re using 2 prefixes you will achieve 11,000 requests per second
- If we used all 4 prefixes in the last example then we’d get 22,000 requests per second

Limitations with KMS

- If you are using SSE-KMS to encrypt your objects in S3, you must keep in the KMS Limits
- When you upload a file, you will call a GenerateDataKey in KMS API
- When you download a file, you will call a Decrypt in the KMS API

Multipart Upload for Uploads

- Recommended for files over 100MB

- Required for files over 5 GB
- Parallelize uploads (increase efficiency)

S3 Byte-Range Fetches for downloads

- Parallelize downloads by specifying byte ranges

- If there’s a failure in the download, its only for a specific byte range.
- Can be used to speed-up downloads
- Can be used for partial downloads
Backing up Data with S3 Replication

S3 Replication:

1. You can replicate objects from one bucket to another.

a. Versioning must be enabled on both the source and destination buckets
2. Objects in an existing bucket replicated automatically.
a. Once replication is turned on, all subsequent updated objects will be replicated
automatically.

EC2
EC2 = Elastic Compute Cloud: Secure, resizable compute capacity in the cloud.

- Like a VM, only hosted in AWS instead of your own data center
- Designed to make web-scale cloud computing easier for developers
- The capacity you want when you need it
- You are in complete control of your own instances

Pricing Options

1. On Demand: Pay by the hour or the second, depending on the type of instances you run.
a. Flexible: Low cost and flexibility of Amazon EC2 without any upfront payment or
long-term commitment
b. Short-Term: Applications with short-term, spiky, or unpredictable workloads that
cannot be interrupted
c. Testing the Water: Applications being developed or tested on Amazon EC2 for the
first time
2. Reserved: Reserved Capacity for 1 to 3 years. Up to 72% discount on the hourly charge
a. Predictable Usage: Application with steady state or predictable usage
b. Specific Capacity Requirements: Applications that require reserved capacity
c. Pay up Front: You can make upfront payments to reduce the total computing costs
even further
d. Standard Ris: up to 72% off the on-demand prices by paying 3 years upfront
e. Convertible Ris: up to 54% off the on-demand price. Has the option to change to a
different RI type of equal or greater value
f. Scheduled Ris: Launch within the time window you define. Match your capacity
reservation to a predictable recurring schedule that only requires a fraction of a day,
week, or month.
g. Reserved instances operate at a regional level.
h. Savings Plans with Reserved Instances
i. Save up to 72%: All AWS compute usage regardless of instance type or
Region
ii. Commit to 1 to 3 years: Commit to use a specific amount of compute power
(measured by the hour) for a 1-year or 3-year period
 iii. Super Flexible: Not only EC2, but this also includes serverless technologies
like LAMBDA and FARGATE
3. Spot: Purchase unused capacity at a discount of up to 90%. Prices fluctuate with supply and
demand.
a. Applications that have flexible start and end times
b. Applications that are only feasible at a very low compute price
c. Users with an urgent need for large amounts of additional computing capacity
d. Examples of usage:
i. Image Rendering
ii. Genomic sequencing
iii. Algorithmic trading engines
4. Dedicated: A physical EC2 server dedicated for your use. The most expensive option.
a. Compliance: Regulatory requirements that may not support multi-tenant
virtualization (Not let underlying hardware sharing).
b. Licensing: Great for licensing that does not support multi-tenancy or cloud
deployments
c. On-Demand: Can be purchased on-demand (hourly)
d. Reserved: Can be reserved with up to 70% discount