
Becoming a Cloud Practitioner

Part 2

Participant Workbook

Instructions
This is the participant workbook you can use throughout this course. You will find valuable
terminology and acronym definitions explained here. There is space for you to take notes and even
additional links for you to dive deeper into the information you will learn in class today.

Table of Contents
Module 1: Security (page 2)
Module 2: Block and File Storage (page 9)
Module 3: Compute in the Cloud (page 12)

Version 1.3 Last updated 2-2-2024 © 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Module 1: Security
Helpful Terms
Term: Definition

Multi-factor Authentication (MFA): An authentication method that requires a user to provide two methods of identification.
- Text codes, email codes, USB devices

Web Application Firewall (WAF): A service that filters and monitors HTTP traffic between your application and the internet.

Encryption: A process of replacing plain text with text created using a secret code that only you have the key to decipher.

Server-side encryption: Server-side encryption is the encryption of data at its destination by the application or service that receives it.

Client-side encryption: Client-side encryption is the encryption of data at its source, before it is sent to the application or service that receives it.

Edge location: A site that CloudFront uses to cache copies of your content for faster delivery to users at any location.

Entity: An individual (person), organization, device or process.

Firewall: A network security device that monitors and filters incoming and outgoing network traffic based on a set of rules.
- Packet filtering, network, and application.

Authentication: The process of determining that a connection was created by who or what they claim to be. (Who you are)

Authorization: The process of granting permission to an authenticated entity. (What you can/can't do)

Credentials: Something that an entity has to prove their identity. (What you have)
- Username and password, security key, or one-time use passcode.


Topic A: Shared responsibility model

Security and Compliance is a shared responsibility between AWS and the customer. This shared model
can help relieve the customer’s operational burden as AWS operates, manages and controls the
components from the host operating system and virtualization layer down to the physical security of
the facilities in which the service operates. The customer assumes responsibility and management of
the guest operating system (including updates and security patches), other associated application
software as well as the configuration of the AWS provided security group firewall. The nature of this
shared responsibility also provides the flexibility and customer control that permits the deployment.
As shown in the chart below, this differentiation of responsibility is commonly referred to as Security
“of” the Cloud versus Security “in” the Cloud.

For more information on the shared responsibility model, see https://aws.amazon.com/compliance/shared-responsibility-model/.
Notes:


Topic B: AWS Identity and Access Management

AWS Identity and Access Management (IAM) provides fine-grained access control across the entire
AWS platform. You can use IAM to specify who can access which services and resources, and under
which conditions. IAM policies let you manage permissions to your workforce and systems to ensure
least privilege permissions. Least privilege is an AWS Well-Architected Framework best practice for
building securely in the cloud.

AWS Identity and Access Management (AWS IAM)


With AWS Identity and Access Management (IAM), you can specify who or what can access services and
resources in AWS, centrally manage fine-grained permissions, and analyze access to refine permissions
across AWS.
For more information on AWS IAM, see https://aws.amazon.com/iam.

AWS IAM Features


AWS IAM has numerous features to help you successfully secure users and roles within the AWS
services that you use.
For more information on AWS IAM features, see https://aws.amazon.com/iam/features/.

AWS IAM permission policies


You manage access in AWS by creating policies and attaching them to IAM identities (users, groups of
users, or roles) or AWS resources. A policy is an object in AWS that, when associated with an identity or
resource, defines their permissions. AWS evaluates these policies when an IAM principal (user or role)
makes a request. Permissions in the policies determine whether the request is allowed or denied.
For more information on policies and permission in IAM, see
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html.
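As an added example (not code from this workbook or from AWS), the following Python models the evaluation just described: a constructed least-privilege policy attached to an identity, the request context, and the order in which matching statements decide the outcome (an explicit Deny always wins, a matching Allow permits, and anything else is implicitly denied). The policy, the bucket name and the evaluator itself are assumptions made for illustration.

```python
"""Simplified model of how IAM evaluates an identity-based policy.

Teaching example added to this workbook, not AWS code: it implements the
documented order (explicit Deny wins, then a matching Allow, otherwise
implicit Deny) for Action/Resource wildcards and one condition key.
"""
import fnmatch

# Constructed least-privilege policy for one hypothetical bucket: read-only
# access, writes only when MFA was used, explicit Deny on every delete action.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket",
                      "arn:aws:s3:::example-bucket/*"]},
        {"Effect": "Allow",
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
        {"Effect": "Deny",
         "Action": "s3:Delete*",
         "Resource": "*"},
    ],
}

def _matches(patterns, candidate):
    # Action/Resource may be a string or a list; IAM wildcards are '*' and '?'.
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(candidate, p) for p in patterns)

def _condition_met(statement, context):
    # Only the Bool operator is modelled; a missing context key counts as false.
    for key, expected in statement.get("Condition", {}).get("Bool", {}).items():
        if str(context.get(key, "false")).lower() != str(expected).lower():
            return False
    return True

def evaluate(policy, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request against one policy."""
    context = context or {}
    decision = "Deny"  # implicit deny until a statement allows the request
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action)
                and _matches(stmt["Resource"], resource)
                and _condition_met(stmt, context)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny overrides any Allow, even a later one
        decision = "Allow"
    return decision
```

Calling evaluate() with and without the aws:MultiFactorAuthPresent context key shows why MFA and least privilege are discussed together: the same identity gets read access always, write access only after MFA, and never delete access.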

Notes:


Topic C: AWS Organizations


AWS Organizations lets you create new AWS accounts at no additional charge. With accounts in an
organization, you can easily allocate resources, group accounts, and apply governance policies to
accounts or groups.
For more information, see
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html.

The diagram discussed in class is from https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html.

Notes:


Consolidated billing for AWS Organizations

You can use the consolidated billing feature in AWS Organizations to consolidate billing and payment
for multiple AWS accounts or multiple Amazon Web Services India Private Limited (Amazon Web
Services India) accounts. Every organization in AWS Organizations has a management account that
pays the charges of all the member accounts.

• One bill: You get one bill for multiple accounts.
• Easy tracking: You can track the charges across multiple accounts and download the combined cost and usage data.
• Combined usage: You can combine the usage across all accounts in the organization to share the volume pricing discounts, Reserved Instance discounts, and Savings Plans. This can result in a lower charge for your project, department, or company than with individual standalone accounts. For more information, see Volume discounts.
• No extra fee: Consolidated billing is offered at no additional cost.

Notes:


Topic D: Application security

AWS Web Application Firewall (AWS WAF)


AWS WAF helps protect your web applications or APIs against common web exploits and bots that
may affect availability, compromise security, or consume excessive resources.
AWS WAF sits in front of services like Amazon CloudFront, Application Load Balancer, Amazon API Gateway, and AWS AppSync.
For more information on AWS WAF, see https://aws.amazon.com/waf/.

What is a DoS or DDoS attack?


A Denial of Service (DoS) attack is a malicious attempt to affect the availability of a targeted system, such as a website or application, to legitimate end users. Typically, attackers generate large volumes of packets or requests, ultimately overwhelming the target system. In the case of a Distributed Denial of Service (DDoS) attack, the attacker uses multiple compromised or controlled sources to generate the attack.
In general, DDoS attacks can be categorized by which layer of the Open Systems Interconnection (OSI) model they target. They are most common at the Network (Layer 3), Transport (Layer 4), Presentation (Layer 6) and Application (Layer 7) layers.
For more information on these types of attacks, see https://aws.amazon.com/shield/ddos-attack-protection/.

AWS Shield
AWS Shield provides two levels of protection: Standard and Advanced.
• AWS Shield Standard automatically protects all AWS customers at no cost.
• AWS Shield Advanced is a paid service that provides detailed attack diagnostics and the ability to detect and mitigate sophisticated DDoS attacks. It is a tailored protection program that identifies threats using exabyte-scale detection to aggregate data across AWS.
For more information on this service, see https://aws.amazon.com/shield/features/.
Notes:


Encryption
AWS offers you the ability to add a layer of security to your data at rest in the cloud, providing scalable
and efficient encryption features. These include:
• Data at rest encryption capabilities available in most AWS services, such as Amazon EBS,
Amazon S3, Amazon RDS, Amazon Redshift, Amazon ElastiCache, AWS Lambda, and Amazon
SageMaker
• Flexible key management options, including AWS Key Management Service, that allow you to
choose whether to have AWS manage the encryption keys or enable you to keep complete
control over your own keys
• Dedicated, hardware-based cryptographic key storage using AWS CloudHSM, allowing you to
help satisfy your compliance requirements
• Encrypted message queues for the transmission of sensitive data using server-side encryption
(SSE) for Amazon SQS
AWS Key Management Service (AWS KMS)
AWS KMS gives you centralized control over the cryptographic keys used to protect your data. The service is integrated with other AWS services, making it easier to encrypt data you store in these services and to control access to the keys that decrypt it.
For more information on AWS KMS, see https://aws.amazon.com/kms/features/.

Amazon GuardDuty
Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and
unauthorized behavior to protect your AWS accounts, Amazon EC2 workloads, container applications,
Amazon Aurora databases, and data stored in Amazon S3. GuardDuty combines machine learning,
anomaly detection, network monitoring, and malicious file discovery, using both AWS and industry-
leading third-party sources to help protect workloads and data on AWS.
For more information on Amazon GuardDuty, see https://aws.amazon.com/guardduty/features/.

Notes:


Module 2: Block and File Storage


Topic A: Block storage with Amazon EBS

Amazon Elastic Block Store


Amazon Elastic Block Store (Amazon EBS) provides block level storage volumes for use with EC2
instances. EBS volumes behave like raw, unformatted block devices. You can mount these volumes as
devices on your instances. EBS volumes that are attached to an instance are exposed as storage
volumes that persist independently from the life of the instance.
For more information on the benefits of Amazon EBS, see
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volumes.html#EBSFeatures.

Amazon EBS volume types


Amazon EBS provides the following volume types, which differ in performance characteristics and
price, so that you can tailor your storage performance and cost to the needs of your applications.

For more information on EBS volumes, see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html.


Amazon EBS Snapshots


You can back up the data on your Amazon EBS volumes to Amazon S3 by taking point-in-time
snapshots. Snapshots are incremental backups, which means that only the blocks on the device that
have changed after your most recent snapshot are saved. This minimizes the time required to create
the snapshot and saves on storage costs by not duplicating data.
For more information on EBS snapshots, see
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSSnapshots.html.

Notes:

Topic B: File storage with Amazon EFS

In file storage, multiple clients (such as users, applications, servers, and so on) can access data that is
stored in shared file folders. In this approach, a storage server uses block storage with a local file
system to organize files. Clients access data through file paths.
Compared to block storage and object storage, file storage is ideal for use cases in which a large
number of services and resources need to access the same data at the same time.

Amazon Elastic File System


Amazon Elastic File System provides a simple, serverless, set-and-forget elastic file system. With
Amazon EFS, you can create a file system, mount the file system on an Amazon EC2 instance, and then
read and write data to and from your file system.
For more information on Amazon EFS, see https://docs.aws.amazon.com/efs/latest/ug/how-it-works.html.


Notes:


Module 3: Compute in the Cloud

Topic A: Amazon EC2

Amazon Elastic Compute Cloud (Amazon EC2) provides on-demand, scalable computing capacity in the
Amazon Web Services (AWS) Cloud. Using Amazon EC2 reduces hardware costs so you can develop
and deploy applications faster. You can use Amazon EC2 to launch as many or as few virtual servers as
you need, configure security and networking, and manage storage. You can add capacity (scale up) to
handle compute-heavy tasks, such as monthly or yearly processes, or spikes in website traffic. When
usage decreases, you can reduce capacity (scale down) again.

Step 1: Launch an instance
Step 2: Connect to your instance
Step 3: Clean up your instance

For more information on launching Amazon EC2 instances, see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EC2_GetStarted.html.

Notes:


Amazon EC2 instance types


When you launch an instance, the instance type that you specify determines the hardware of the host
computer used for your instance. Each instance type offers different compute, memory, and storage
capabilities, and is grouped in an instance family based on these capabilities. Select an instance type
based on the requirements of the application or software that you plan to run on your instance.

Sixth generation and later Amazon EC2 instance types


• General purpose
• Compute optimized
• Memory optimized
• Storage optimized
• Accelerated computing

Amazon EC2 pricing


Amazon EC2 is free to try. There are multiple ways to pay for EC2 instances: On-Demand, Savings
Plans, Reserved Instances, and Amazon EC2 Spot Instances.

For more information on Amazon EC2 pricing, see https://aws.amazon.com/ec2/pricing.

Notes:


Topic B: Amazon EC2 Auto Scaling


Amazon EC2 Auto Scaling helps you maintain application availability and lets you automatically add or
remove EC2 instances using scaling policies that you define. Dynamic or predictive scaling policies let
you add or remove EC2 instance capacity to service established or real-time demand patterns. The
fleet management features of Amazon EC2 Auto Scaling help maintain the health and availability of
your fleet.

For more information on Amazon EC2 Auto Scaling features, see https://aws.amazon.com/ec2/autoscaling/features/?refid=cf28fddb-12ed-4ffd-981b-b89c14793bf1.

Notes:

Topic C: Elastic Load Balancing


Elastic Load Balancing (ELB) automatically distributes incoming application traffic across multiple
targets and virtual appliances in one or more Availability Zones (AZs).
• Application Load Balancer
• Gateway Load Balancer
• Network Load Balancer


Comparing types of load balancing

You can select the appropriate load balancer based on your application needs. If you need flexible
application management, we recommend that you use an Application Load Balancer. If extreme
performance and static IP is needed for your application, we recommend that you use a Network Load
Balancer. If you have an existing application that was built within the EC2-Classic network, then you
should use a Classic Load Balancer.

For more information on Elastic Load Balancing features, see https://aws.amazon.com/elasticloadbalancing/features.

Feature | Application Load Balancer | Network Load Balancer | Gateway Load Balancer | Classic Load Balancer
Load Balancer type | Layer 7 | Layer 4 | Layer 3 Gateway + Layer 4 Load Balancing | Layer 4/7
Target type | IP, Instance, Lambda | IP, Instance, Application Load Balancer | IP, Instance | -
Protocol listeners | HTTP, HTTPS, gRPC | TCP, UDP, TLS | IP | TCP, SSL/TLS, HTTP, HTTPS
Reachable via | VIP | VIP | Route table entry | -
Health Checks | HTTP, HTTPS, gRPC | TCP, HTTP, HTTPS | TCP, HTTP, HTTPS | TCP, SSL/TLS, HTTP, HTTPS

Security
Security Groups | ✔ ✔ ✔ (supported by three of the four load balancer types)

Logging and monitoring
CloudWatch Metrics | ✔ | ✔ | ✔ | ✔
Logging | ✔ | ✔ | ✔ | ✔

Notes:
