Friday, October 15, 2021

Raw Notes

What is Cloud Computing

  • Cloud Computing - the practice of using a network of remote servers hosted on the internet to store, manage, and process data, rather than on a local server or personal computer
    • Traditional Approach (On-premise)
      • You own the servers
      • You hire the IT people
      • You pay or rent the real-estate
      • You take all of the risk
    • Cloud Providers
      • Someone else owns the servers
      • Someone else hires the IT people
      • Someone else pays or rents the real-estate
      • You are responsible for configured cloud services and code, and someone else takes care of the rest



  • 6 Advantages of Cloud Computing
    • Trade capital expense for variable expense
      • No upfront cost
        • Instead of paying for data centers and servers
      • Pay on-demand
        • Pay only when you consume computing resources 
    • Benefit from massive economies of scale
      • Usage from hundreds of thousands of customers aggregated in the cloud
      • You are sharing the cost with other customers to save money
    • Stop Guessing Capacity
      • Eliminate guesswork about infrastructure capacity needs 
      • Instead of paying for idle or under-utilized servers, scale up and down to meet requirements
    • Increase Speed and Agility
      • Launch resources within a few clicks in minutes instead of days or weeks on site
    • Stop spending money on running and maintaining data centers
      • Focus on your own customers, rather than racking, stacking, and powering servers
    • Go global in minutes
      • Deploy your app in multiple regions around the world immediately
      • Provide lower latency and a better experience for your customers at minimal cost

 

Types of Cloud Computing

  • SaaS (Software as a Service) - a complete product that is run and managed by the service provider (Salesforce, Gmail, Office 365)
    • You don’t have to worry about how the service is maintained; it just works and remains available
  • PaaS (Platform as a Service) - removes the need to manage the underlying infrastructure and lets you focus on deploying and managing your applications
    • Don’t worry about provisioning, configuring, or understanding the hardware or OS
    • Heroku, AWS Elastic Beanstalk, Google App Engine
  • IaaS (Infrastructure as a Service) - the basic building blocks for cloud IT. Provides access to networking features, computers, and data storage space
    • Don’t worry about IT staff, data centers, or hardware

 

Cloud Computing Deployment Models

  • Cloud - fully utilizing cloud computing
    • Squarespace, Basecamp, Dropbox
    • Good for startups, SaaS offerings, new projects and companies
  • Hybrid - using both Cloud and On-Premise
    • Good for banks, Fintech, Large Professional Service providers, Legacy on-premise (sensitive data)
  • On-Premise - deploying resources on-premises, using virtualization and resource management tools, sometimes called “private cloud”
    • Good for public sector (government), sensitive data (hospitals), large enterprises with heavy regulation (insurance companies)

 

AWS Global Infrastructure

  • 69 Availability Zones (with way more Edge locations than AZs)
    • AZs are one or more discrete data centers 
  • 22 Geographic Regions
    • Regions are a physical location in the world with multiple AZs
  • Serves over a million active customers in more than 190 countries
  • AWS is expanding global infrastructure to help customers achieve lower latency and higher throughput
  • Edge Location is a datacenter owned by a trusted AWS partner

 

Regions

  • A geographically distinct location with multiple AZs (data centers)
    • Every region is physically isolated from and independent of every other region in terms of location, power, and water supply
  • Each region has at least 2 AZs
  • New services almost always become available in the US-EAST first
  • Not all services are available in all regions
  • US-EAST-1 is the region where you see all of the billing information
  • Most companies have to operate in at least 3 AZs
    • Amazon is working on this

 

AZs

  • An AZ is a datacenter owned and operated by AWS
  • Each region has at least 2 AZs
  • AZs are represented by a Region Code, followed by a letter identifier 
    • Ex. us-east-1a
  • Multi-AZ distribution spreads your instances across multiple AZs and allows a failover configuration for handling requests when one instance goes down
  • There is less than 10ms latency between AZs

 

Edge Locations (EL)

  • Used for getting or uploading data fast to AWS
  • EL is a datacenter owned by a trusted partner of AWS and has a direct connection to the AWS network
  • These locations serve requests for CloudFront and Route53
    • Requests going to either of these services will be routed to the nearest EL automatically
  • S3 Transfer Acceleration traffic and API Gateway endpoint traffic also use the AWS Edge Network
  • ELs allow for low latency, no matter where the end user is geographically located

 

GovCloud Regions (GCR)

  • AWS GovCloud Regions allow customers to host sensitive Controlled Unclassified Information and other types of regulated workloads
  • GCRs are only operated by employees who are US citizens on US soil
  • GCRs are only accessible to US entities and root account holders who pass a screening process
  • Customers can architect secure cloud solutions that comply with
    • FedRAMP High baseline
    • DOJ Criminal Justice Information Systems (CJIS) Security Policy
    • US International Traffic in Arms Regulation (ITAR)
    • Export Administration Regulations (EAR)
    • Department of Defense Cloud Computing Security Requirements Guide

 

PowerUsers 

  • Provides full access to AWS services and resources, but does not allow the user to manage other Users and groups

 

When Creating a New Instance

  • Add permissions through IAM Management Console
    • AmazonEC2RoleforSSM
    • Simple Systems Manager (SSM)
  • You can STOP an instance to save money (not the same as terminating)

 

Session Manager

  • Under SSM in AWS
  • Advantage: it logs every time someone creates a session

 

Amazon Machine Image (AMI)

  • Snapshot or copy of the entire server
  • In EC2 > Instances, do Actions > Image > Create Image
  • Once we have an AMI, we can launch another copy of this server/instance

 

CloudFront 

  • Used as a CDN (content distribution network)
  • Shares static files across the globe by copying them to multiple edge locations, from which they are then served
  • Traffic will hit the domain name, and then it will route the traffic to the nearest EL

 

Relational Database Service (RDS) 

  • Amazon Aurora is one of the most-expensive options
  • Has 3 templates
    • Production 
    • Dev/Test
    • Free tier
  • If you do not specify the initial database name, the db is not created 
  • Turn backup retention period to 0 days
  • Turn off performance insights 

 

Lambda

  • Create a function in the preferred language
  • With Lambda, you don’t have to worry about servers, you just have to run your code
  • Has integration with third-party Amazon partners

 

EC2 Pricing Model

  • On-Demand
  • Spot
  • Reserved
  • Dedicated

 

On-Demand Pricing (LEAST COMMITMENT)

  • When you launch an EC2 instance, it is by default using On-Demand
  • On-Demand has no upfront payment and no long-term contract
  • You are charged by the hour or by the minute (varies based on EC2 Instance Types)
  • On-Demand is for applications where the workload is short-term, spiky, or unpredictable
    • When you have a new app for development or you want to run an experiment 

 

(RI) Reserved Instances (BEST LONG-TERM)

  • Best long term savings
  • Reserved Instances can be shared between multiple accounts within an organization
    • Unused Reserved instances can be sold in the Reserved Instance Marketplace
  • Designed for applications that have a steady-state, predictable usage, or require reserved capacity
  • Reduced pricing is based on Term x Class Offering x Payment Option
  • Terms 
    • You commit to a 1 or 3 year contract
      • The longer the contract, the more savings
  • Payment Options (greater upfront, greater savings)
    • All upfront
    • Partial upfront
    • No upfront
      • Good way to save money 
  • Class Offerings
    • Standard - up to 75% reduced pricing compared to on-demand
      • Cannot change RI Attributes (ex. cannot change the number of instances)
    • Convertible - up to 54% reduced pricing compared to on-demand
      • Allows you to change RI Attributes if greater or equal in value
    • Scheduled - reserve instances for specific time periods, e.g. once a week for a few hours
      • Savings vary

 

Spot Instances (BIGGEST SAVINGS) 

  • Designed for applications that have flexible start and end times or applications that are only feasible at very low compute costs
  • AWS Batch is an easy way to use Spot Pricing
  • AWS has unused compute capacity on idle servers and wants to maximize its utility
    • Similar to when a hotel offers discounts to fill vacant rooms
  • Spot instances provide a discount of 90% as compared to On-Demand Pricing
  • Spot Instances can be terminated if the computing capacity is needed by on-demand customers
  • Termination Conditions
    • Instances can be terminated by AWS at anytime
    • If your instance is terminated by AWS, you don’t get charged for a partial hour of usage
    • If you terminate, you will still be charged for any hours in which it ran

 

Dedicated Host Instances (MOST EXPENSIVE)

  • Designed to meet regulatory requirements when you have strict server-bound licensing that won’t support multi-tenancy or cloud deployments
  • Offered in both On-Demand and Reserved (70% off On-Demand Pricing)
  • Enterprises and large orgs may have security concerns or obligations about sharing the same hardware with other AWS customers

 

Multi-Tenant vs Single Tenant

  • Multi Tenant
    • When multiple customers are running workloads on the same hardware. Virtual Isolation is what separates customers
  • Single Tenant
    • When a single customer has dedicated hardware. Physical Location is what separates customers 

 

 

Billing and Pricing - Free Services 

  • The following services are free, but can provision AWS services that DO cost money
    • The resources they set up will cost you
  • Examples (in bold are ones to focus on)
    • IAM
    • Amazon VPC
    • Auto Scaling
    • CloudFormation
      • The service itself is free, but it can provision other services 
    • Elastic Beanstalk
    • Opsworks
    • Amplify
    • AppSync
    • CodeStar
    • Organizations and Consolidated Billing
    • AWS Cost Explorer

 

Billing and Pricing - AWS Support Plans

  • Four Support Plans 
    • Basic (default)
      • Email support only for billing and account management
      • NO third-party support (Express, Django, Node, etc.)
    • Developer
      • $20/month
    • Business 
      • $100/month
    • Enterprise
      • $15,000/month
      • Personal Concierge
      • Personal Technical Account Manager (TAM)
      • Respond in less than 15 mins for critical issues
  • **Advisor Checks

 

For Exam

  • Know difference in pricing for different tiers
  • Know response times
  • Know when people are assigned to your account (only in enterprise)
  • Know when third-party support is available in each tier (business and enterprise)

 


 

Billing and Pricing - AWS Marketplace

  • AWS Marketplace is a curated digital catalog with thousands of software listings from independent software vendors
  • Easy to find, buy, test, and deploy software that already runs on AWS
  • The product can be free, or have an associated charge
    • The charge is added to the AWS bill, and, once you pay, AWS Marketplace pays the provider
  • The sales channel for ISVs (independent software vendors) and Consulting Partners allows you to sell your solutions to other AWS customers
  • Products can be offered as 
    • AMIs
    • AWS CloudFormation templates
    • SaaS offerings 
    • Web ACL
    • AWS WAF rules

 

Billing and Pricing - AWS Trusted Advisor

  • Advises you on security, saving money, performance, service limits, and fault tolerance
  • Think of it like an automated checklist of best practices on AWS
  • Free Tier gets 7 Trusted Advisor Checks
  • Business/Enterprise - All Trusted Advisor Checks

 


 

Cost Optimization Advisor Checks

  • Idle Load Balancers
    • Will give you feedback on when Load Balancers are not being used (no instances)
  • Unassociated Elastic IP Addresses
    • If you have an instance with a static IP, you can reserve an IP through AWS (which costs money)
    • If it is not attached to an EC2 instance, it costs money (because AWS wants to release the IP so it can potentially be used by other customers)

 

Performance

  • High Utilization EC2 Instances 
    • Advises on upgrading to bigger instances if CPU usage is high to get better performance 

 

Security

  • MFA on Root Account
  • IAM Access Key Rotation
    • Advises to rotate access keys to keep the instances secure

 


 

Fault Tolerance 

  • Amazon RDS Backups
    • Recommends that you have backups in place or turned on in case db goes down

 

Service Limits

  • If you go beyond the capacity of a service, you will have to ask for a Service Limit Increase
    • Ex. SES Daily Sending Quota for emails 
      • If you send more than 5,000 allotted emails per day, you will have to increase the Service Limit

 

Billing and Pricing - Consolidated Billing

  • Allows for one bill for all of your accounts
    • AWS treats all accounts in an organization as if they were one account
    • Happens by default for the master account
    • You can designate the Master account in charge of paying for all member accounts under it
  • Offered at no additional cost
  • Use Cost Explorer to visualize usage for consolidated billing
  • *Note: if you have a member account that leaves the organization, the Cost Explorer data will no longer be available

 

Consolidated Billing Volume Discounts

  • The more you use, the more you save
  • Consolidated Billing lets you take advantage of Volume Discounts

 


 

AWS Cost Explorer

  • Cost Explorer lets you visualize, understand, and manage your AWS costs and usage over time
  • If you have multiple AWS accounts within an AWS Organization, costs will be consolidated in the master account
  • Default Reports give insight into cost drivers and usage trends 
  • Use forecasting to get an idea of future costs 
  • You can view data at a monthly or daily level of granularity
  • Use filter and grouping functionalities to dig even deeper into your data

 

 


 

Billing and Pricing - AWS Budgets (Service)

  • Plan your service usage, service costs, and Instance reservations
    • Billing alarms on steroids
  • First two budgets are FREE
  • Each additional budget costs $0.60/month
  • Limit of 20,000 budgets
  • Create budgets for
    • Cost - dollar amount
    • Usage - e.g. EC2 running hours
    • Reservation - for Reserved Instances 
  • Tracked monthly, quarterly, or yearly, with customizable start and end dates 
  • Alerts support EC2, RDS, Redshift, and ElastiCache reservations 
  • Can be managed via the Dashboard or Budgets API
  • Get notified by providing an email address or a Chatbot, and check how close you are to the threshold of the current or forecasted budget
  • Budgets can be based on a fixed cost or planned upfront based on your chosen level (tier)

 


 

Billing and Pricing - TCO Calculator 

  • Total Cost of Ownership - allows you to estimate how much you would save when moving from on-premise to AWS
  • Provides a detailed set of reports that can be used in executive presentations
  • Built on underlying calculation models that generate fair assessments of value that you can achieve given the data provided
  • Helps to reduce the need to invest in large capital expenditures (datacenters, hard disks, IT staff)
  • ONLY FOR APPROXIMATION - not exact
  • Three Steps
    • 1. Describe your environment 
    • 2. View 3 Year Summary of Cost Comparisons
    • 3. Download a detailed report 

 

Billing and Pricing - AWS Landing Zone

  • Helps enterprises quickly set up a secure, multi-account AWS environment
  • Provides a baseline environment to get started with a multi-account architecture
  • AWS Account Vending Machine (AVM)
    • Automatically provisions and configures new accounts via a Service Catalog Template
    • Uses Single Sign On (SSO) for managing and accessing accounts
      • Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID and password to any of several related, yet independent, software systems.
  • The environment is customizable to allow customers to implement their own account baselines through a Landing Zone configuration and update pipeline

 

Notes

  • When setting up an AWS Organization account, always have an isolated Logging Account and an isolated Security Account
    • Better for auditing purposes
    • This is done by AWS Landing Zone

 


 

Billing and Pricing - Resource Groups and Tagging

  • Tags - words or phrases that act as metadata for organizing AWS resources 
  • Resource Groups - collections of resources that share one or more TAGS
  • Helps to organize and consolidate information based on your project and resources that you use
  • Resource Groups can display details about a group of resources based on:
    • Metrics
    • Alarms
    • Configuration Settings 
  • At any time, you can modify the settings of your resource groups to change which resources appear
  • Ex. If you have a database, a server, and an S3 Bucket, you would give them the same tag and put them in the same Resource Group

 

Billing and Pricing - AWS Quick Starts

  • Prebuilt templates by AWS and AWS Partners that help to deploy popular stacks on AWS
    • Reduces hundreds of manual procedures into a few steps
  • Composed of 3 Parts
    • A reference architecture for the deployment
    • AWS CloudFormation templates that automate and configure the deployment
    • A deployment guide that explains the architecture and implementation in detail
  • Most Quick Start reference deployments enable you to spin up a fully functional architecture in less than an hour

 

Billing and Pricing - Cost and Usage Report

  • Generates a detailed spreadsheet that enables you to better analyze and understand your AWS costs
  • Places report into S3 Bucket
  • Use Athena to turn the report into a queryable database
  • Use QuickSight to visualize your billing data as graphs

 


 

Technology Overview - AWS Organizations and Accounts



  • Organizations allow you to centrally manage billing, control access, compliance, and security, and share resources across your AWS accounts
  • Root Account User is a single sign-in identity that has complete access to all AWS services and resources in an account
    • Each account has a root user
  • Organizational Units are groups of AWS accounts within an organization which can also contain other organizational units, creating a hierarchy
  • Service Control Policies give central control over the allowed permissions for all accounts in your organization, helping to ensure your accounts stay within your organization’s guidelines

 

Tech Overview - AWS Networking

  • Region - the geographical region of your network
  • AZ - the data center of your AWS resources 
  • VPC (Virtual Private Cloud) - a logically isolated section of the AWS Cloud where you can launch AWS resources 
  • Internet Gateway - enable access to the internet 
  • Route Tables - determine where network traffic from your subnets is directed
  • NACLs (Network Access Control List) - act as firewalls at the subnet level
  • Security Groups - act as firewalls at the instance level
  • Subnets - a logical partition of an IP network into multiple, smaller network segments
    • Public vs Private Subnets 
    • Public - accessible to the internet (Ex. EC2 Instance)
    • Private - secure, not accessible to the internet (Ex. RDS DB)

 


 

Tech Overview - DB Services

 


**Probably just know DynamoDB, RDS, Aurora, Redshift 

  • Aurora is highly available and durable; when you run a cluster, it keeps 6 copies of the DB across 3 AZs (more expensive than RDS)
  • Aurora Serverless - much less expensive than Aurora (pay on an as-needed basis)
    • Good for development or infrequently used apps
  • Neptune - Managed Graph DB
  • Redshift - Columnar DB, petabyte warehouse (1000 TB = 1PB)
    • Instead of reading via rows, it reads via columns
    • Good for working with large amounts of data for reports, analytics
    • Handles PBs of data!!!
  • ElastiCache - Redis or Memcached database
    • For caching
  • Caching
    • Caching is an area of a computer’s memory devoted to temporarily storing recently used information. The content, which includes HTML pages, images, files and Web objects, is stored on the local hard drive in order to make it faster for the user to access it, which helps improve the efficiency of the computer and its overall performance.

 

Provisioning Services

  • Provisioning - the allocation or creation of resources and services to a customer
  • Elastic Beanstalk - service for deploying and scaling web apps and services developed with Java, .NET, PHP, Node, Python, Ruby, Go, Docker
    • Similar to Heroku, Netlify
  • OpsWorks - configuration management service that provides managed instances of Chef and Puppet
    • Chef and Puppet programmatically set up a server
      • Chef uses Ruby to define recipes to set up servers, dependencies, pull code
    • OpsWorks has layers for infrastructure
      • DB layer, network layer, application layer
  • CloudFormation - infrastructure as code, JSON or YAML
    • Create a JSON or YAML file that defines all AWS Resources and how you want to configure them, and this will set up everything that you want in one go
    • CloudFormation is the most complex option/most flexible option (more powerful than Opsworks)
  • AWS QuickStart - pre-made packages that can launch and configure your AWS compute, network, storage, and other services required to deploy a workload on AWS
  • AWS Marketplace - a digital catalogue of thousands of software listings from independent software vendors to find, buy, test, and deploy software

 


Computing Services 

  • EC2 (Elastic Compute Cloud) - highly configurable server in terms of CPU, Memory, Network, OS
    • Every service under the hood is running on EC2 instances 
  • ECS (Elastic Container Service) - Docker as a Service - highly scalable, high-performance container orchestration service that supports Docker containers, pay for EC2 instances 
  • Fargate - Microservices with which you don't have to think about infrastructure
    • Pay per task (runtime and CPU utilized when running)
    • You don’t choose EC2 instances, just define containers within a task or service, and AWS will run it
  • EKS - Kubernetes as a Service - easy to deploy, manage, and scale containerized applications using Kubernetes
    • Kubernetes is a standard in the industry
  • Lambda serverless functions run code without provisioning or managing servers 
    • Pay for compute time that you consume (how long it runs)
  • Elastic Beanstalk - orchestrates various AWS services, including EC2, S3, Simple Notification Service (SNS), CloudWatch, autoscaling, and Elastic Load Balancers (ELBs)
  • AWS Batch - plans, schedules, and executes batch computing workloads across the full range of AWS compute services and features, such as Amazon EC2 and Spot Instances
    • Saves a lot of money $$$


 

Storage Services




  • Storage Gateway - hybrid cloud storage with local caching
    • An extension of on-premise storage in the cloud
  • EBS (Elastic Block Storage) - hard drive in the cloud you attach to EC2 instances
    • Different choices include SSD, IOPS SSD, Throughput HDD, Cold HDD
  • Snowball - physically migrate lots of data via a computer suitcase 50-80 TB
  • Snowball Edge - a better version of Snowball (100TB)
  • Snowmobile - shipping container, pulled by a semi-trailer truck (100PB)
    • Actually in a truck!!!!

 

Business Centric Services 

  • Amazon Connect
    • Accept inbound calls and dial outbound
    • Record calls and store them in S3 (run analysis through Amazon Comprehend)
    • Set up workflows
  • WorkSpaces 
    • Virtual, remote desktop
    • Spin up Windows 10 server from AWS
  • WorkDocs 
    • Sharepoint competitor
  • Chime
    • Ex. Slack + Skype
  • Workmail
    • Gmail for AWS
  • Pinpoint
    • Email marketing
    • Create campaigns
    • Do A/B testing
  • SES Simple Email Service 
    • Cloud-based email for developers
    • For when you are building an app and want to send out emails FROM that application
    • Supports HTML emails 
    • SNS can also send emails, but only plain text
  • QuickSight 
    • Connect data from S3, Aurora, RDS
      • Creates graph from this data


 

Enterprise Integration

  • Going Hybrid! (On-premise + Cloud)
  • Direct Connect 
    • Low latency, dedicated connection
  • VPN 
  • Storage Gateway 
    • Ex. extends on-prem hard drives onto AWS
  • Active Directory




 

Logging Services 

  • CloudTrail 
    • Determines who we should blame for something on AWS (which employee)
    • Detect developer misconfiguration
    • Detect malicious actors
    • Automate response (every time something is created, create a notification)
  • CloudWatch
    • CloudWatch Logs****
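The detection use of CloudTrail sketched above, as an added example that is not part of the original notes: a few constructed events in CloudTrail's record format (documentation account id and IP ranges) run through checks for the misconfigurations and malicious behaviour the notes mention elsewhere (root login without MFA, a security group opened to the world, someone stopping the trail, a burst of denied API calls).

```python
"""Detection logic over CloudTrail-style events.

Added illustration, not AWS code: the events are constructed (documentation
account id and IP ranges) but use CloudTrail's real field names, and the
checks come from this page's own advice: MFA on the root account, no open
ports on security groups, and CloudTrail as the record of who did what.
"""
from collections import Counter

ACCT = "arn:aws:iam::111122223333:"  # constructed placeholder account
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "Root", "arn": ACCT + "root"},
     "sourceIPAddress": "198.51.100.7", "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": ACCT + "user/dev-alice"},
     "sourceIPAddress": "203.0.113.5",
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": ACCT + "user/dev-bob"},
     "sourceIPAddress": "203.0.113.9", "requestParameters": {"name": "org-trail"}},
] + [
    # Four denied calls in a row from one principal: someone probing what they can reach.
    {"eventName": name, "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": ACCT + "user/dev-bob"},
     "sourceIPAddress": "203.0.113.9", "errorCode": "Client.UnauthorizedOperation"}
    for name in ("DescribeInstances", "DescribeVolumes", "DescribeSnapshots", "DescribeVpcs")
] + [
    # A benign call that no rule should flag.
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": ACCT + "user/dev-alice"},
     "sourceIPAddress": "203.0.113.5"},
]

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
DENIED_THRESHOLD = 3

def principal(event):
    """The identity CloudTrail attributes the call to (the "who to blame" field)."""
    ident = event.get("userIdentity", {})
    return ident.get("arn") or ident.get("type", "unknown")

def check_root_without_mfa(event):
    if (event.get("userIdentity", {}).get("type") == "Root"
            and event.get("eventName") == "ConsoleLogin"
            and event.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
        return "root console login without MFA"

def check_world_open_ingress(event):
    if event.get("eventName") != "AuthorizeSecurityGroupIngress":
        return None
    params = event.get("requestParameters", {})
    for perm in params.get("ipPermissions", {}).get("items", []):
        ranges = perm.get("ipRanges", {}).get("items", []) + perm.get("ipv6Ranges", {}).get("items", [])
        for rng in ranges:
            cidr = rng.get("cidrIp") or rng.get("cidrIpv6")
            if cidr in WORLD_CIDRS:
                return f"{params.get('groupId')} opened {perm.get('ipProtocol')}/{perm.get('fromPort')} to {cidr}"

def check_logging_tampered(event):
    if event.get("eventSource") == "cloudtrail.amazonaws.com" and event.get("eventName") in LOGGING_TAMPER:
        return f"{event['eventName']} on trail {event.get('requestParameters', {}).get('name')}"

PER_EVENT_CHECKS = [check_root_without_mfa, check_world_open_ingress, check_logging_tampered]

def detect(events):
    """Run every check over the events; return one finding per rule hit."""
    findings, denied = [], Counter()
    for ev in events:
        for check in PER_EVENT_CHECKS:
            detail = check(ev)
            if detail:
                findings.append({"rule": check.__name__, "principal": principal(ev),
                                 "source_ip": ev.get("sourceIPAddress"), "detail": detail})
        # Authorization failures are counted per principal, not flagged one by one.
        if ev.get("errorCode", "").endswith(("AccessDenied", "UnauthorizedOperation")):
            denied[principal(ev)] += 1
    for who, n in denied.items():
        if n >= DENIED_THRESHOLD:
            findings.append({"rule": "check_access_denied_burst", "principal": who,
                             "source_ip": None, "detail": f"{n} denied API calls"})
    return findings

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['principal']}: {f['detail']}")
```

In a real account the same checks would run over the CloudTrail objects delivered to S3 (or in CloudWatch Logs), and the findings list is what you would hand to the notification step.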


 

Quick Guide


 

Shared Responsibility Model

  • Customers are responsible for security IN the cloud
    • Any data that you put into AWS
    • If you do not secure it, that is your fault
    • If you do not monitor sensitive data, that is your fault
  • AWS is responsible for Security of the CLOUD
  • Just know the first model**

 



 

AWS Compliance Programs 

  • Set of internal policies and procedures of a company to comply with laws, rules, and regulations, or to uphold business reputation
  • Ex.
    • HIPAA 
      • Safeguards medical information
    • PCI DSS
      • When you want to sell things online and handle credit card information


 

AWS Artifact

  • How do we prove AWS meets a compliance?
  • Go into AWS Artifact, choose a package or Artifact, and it will generate a PDF; within this PDF you click a link to get the files that you want


 

Amazon Inspector

  • How do we prove an EC2 Instance is hardened?
  • Hardening - the act of eliminating as many security risks as possible
  • Runs a Security Benchmark against specific EC2 instances 
    • You can run a variety of these 
  • CIS - Center for Internet Security - a benchmark that runs over 699 checks
  • Network Assessment - checking whether ports are open and whether they’re reachable to the internet
  • Host - checks the applications and OS

 


 

AWS WAF (Web Application Firewalls)

  • WAF has to be attached to either CLOUDFRONT or APPLICATION LOAD BALANCER (ALB)

 

AWS Shield 

  • DDOS Attack - a malicious attempt to disrupt normal traffic by flooding a website with a large amount of fake traffic 
  • DDOS = Distributed Denial of Service 
  • AWS Shield is a managed DDOS protection service that safeguards applications on AWS
  • You should always be routing your traffic through Route53 or CloudFront (Automatically come with AWS Shield Standard)
  • Protects against Layer 3,4, and 7 attacks 
    • 7 = Application
    • 4 = transport
    • 3 = network


 

AWS Shield Plans

  • Shield Standard  - Free
    • Protects against most common DDOS attacks
  • Shield Advanced  - $3000/year
    • Additional protection against larger and more sophisticated attacks 
    • Available for:
      • Route53
      • CloudFront
      • ELB
      • AWS Global Accelerator
      • Elastic IP (Amazon Elastic Compute Cloud and Network Load Balancer)


 

Security - Penetration Testing

  • PenTesting - authorized simulated cyberattack on a computer system, performed to evaluate the security of a system
  • You CAN do this on AWS for some services 

 


 

AWS Security - Guard Duty 

  • IDS = Intrusion Detection System
  • IPS = Intrusion Protection System
  • How do you detect whether someone is attempting to gain access to your AWS account or resources 
  • Guard Duty is a threat detection service that uses machine learning to analyze:
    • CloudTrail logs
    • VPC Flow logs
    • DNS logs


 

Key Management Service (KMS)

  • Makes it easy to create and control encryption keys to encrypt your data
  • KMS is a multi-tenant hardware security module (HSM)
    • An actual piece of hardware that is used by multiple AWS customers that are isolated using virtual software
  • Many AWS services use KMS to encrypt data with a simple checkbox
  • KMS uses Envelope Encryption
    • Envelope Encryption - when you encrypt your data, your data is protected, but you have to protect your data/encryption key. When you encrypt your data key with a master key, you have an additional layer of security
      • Like putting your key in an envelope so others can’t see
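The envelope pattern described above, simulated end to end as an added example (not AWS or KMS code): FakeKms stands in for the KMS service and its master keys, and a toy HMAC-based cipher stands in for AES-GCM so the block runs with only the standard library; a real deployment would call the KMS GenerateDataKey and Decrypt APIs where FakeKms is called here.

```python
"""Envelope encryption as described above, simulated end to end.

Added illustration, not AWS or KMS code: FakeKms stands in for the KMS
service and a toy HMAC-SHA256 counter-mode cipher with an encrypt-then-MAC
tag stands in for AES-GCM, so the block runs with the standard library only.
"""
import hashlib
import hmac
import os
import struct

NONCE_LEN, TAG_LEN = 16, 32

def _keystream_xor(key, nonce, data):
    # Toy counter mode: keystream block i = HMAC(key, nonce || i), XORed into the data.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + struct.pack(">Q", i // 32), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def _subkeys(key):
    # Separate keys for confidentiality and integrity, derived from one 32-byte key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def toy_encrypt(key, plaintext):
    """Return nonce || ciphertext || tag (stand-in for an AEAD such as AES-GCM)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def toy_decrypt(key, blob):
    """Verify the tag first, then decrypt; refuse anything that was altered."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: ciphertext or wrapped key was altered")
    return _keystream_xor(enc_key, nonce, ct)

class FakeKms:
    """Stand-in for the KMS HSM: master keys are created here and never handed out."""

    def __init__(self):
        self._masters = {}
        self.audit = []  # KMS API calls, the way CloudTrail would record them

    def create_key(self):
        key_id = "key-" + os.urandom(8).hex()  # constructed placeholder id
        self._masters[key_id] = os.urandom(32)
        return key_id

    def generate_data_key(self, key_id):
        """Return (plaintext data key, the same key wrapped under the master key)."""
        self.audit.append(("GenerateDataKey", key_id))
        data_key = os.urandom(32)
        return data_key, toy_encrypt(self._masters[key_id], data_key)

    def decrypt(self, key_id, wrapped_key):
        """Unwrap a data key; only KMS can, because only KMS holds the master key."""
        self.audit.append(("Decrypt", key_id))
        return toy_decrypt(self._masters[key_id], wrapped_key)

def envelope_encrypt(kms, key_id, plaintext):
    """Encrypt the data under a fresh data key, then store that key wrapped under the master key."""
    data_key, wrapped_key = kms.generate_data_key(key_id)
    body = toy_encrypt(data_key, plaintext)
    # The envelope carries the wrapped key beside the ciphertext; the plaintext
    # data key is dropped here, and the master key was never seen at all.
    return {"key_id": key_id, "wrapped_key": wrapped_key, "body": body}

def envelope_decrypt(kms, envelope):
    """Ask KMS to unwrap the data key, then decrypt the body locally."""
    data_key = kms.decrypt(envelope["key_id"], envelope["wrapped_key"])
    return toy_decrypt(data_key, envelope["body"])

def tamper_detected(kms, envelope):
    """Flip one bit of the stored ciphertext and report whether decryption refuses it."""
    body = bytearray(envelope["body"])
    body[NONCE_LEN] ^= 0x01
    try:
        envelope_decrypt(kms, {**envelope, "body": bytes(body)})
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    kms = FakeKms()
    kid = kms.create_key()
    env = envelope_encrypt(kms, kid, b"constructed sample record: card ending 1111")
    print(envelope_decrypt(kms, env))
    print("tamper detected:", tamper_detected(kms, env), "| KMS calls:", kms.audit)
```

Note that every unwrap goes through the KMS stand-in and lands in its audit list, which is why access to the master key can be controlled and logged centrally while the bulk data is encrypted and decrypted locally.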

 


 

Amazon Macie

  • Macie is a fully managed service that continuously monitors S3 data access activity for anomalies, and generates detailed alerts when it detects risk of unauthorized access or inadvertent data leaks
    • Uses Machine Learning to analyze your CloudTrail logs
    • When you put data in your S3 Data, like credit card numbers, Macie detects sensitive data and whether that data is exposed or can be compromised
      • Ex. if credit card numbers are stored as plain text, Macie will alert you that you should encrypt that data
  • Will identify your most at-risk users 
    • Ranked by badges 
      • The nicer the badge, the worse the user is at best practices 


  • Ransomware - locking you out of your data and asking for money
  • Privilege Escalation - someone getting access to stuff they’re not supposed to
  • Identity Enumeration - trying to enumerate over data to figure out what they can steal
  • Credential Loss

 

Security Groups vs. NACLs 

  • Security Groups are firewalls at the instance level 
  • NACLs are a firewall at the subnet level

 


 

AWS VPN

  • Lets you establish a secure and private tunnel from your network or device to the AWS Global Network
  • Site-to-Site VPN
    • Securely connect on-premises network or branch office site to VPC
    • Ex. connect an entire office or network
  • AWS Client VPN
    • Securely connect users to AWS or on-premises networks
    • Connect individual employees 

 


 

Cloud Service Variation Study

  • CloudFormation - infrastructure as code, sets up services via templating script via JSON and YML
  • CloudTrail - who you can blame - logs all API calls between AWS Services
  • CloudFront - Content Distribution Network (CDN) creates a cached copy of your website and copies to servers located near people trying to download the website
  • CloudWatch - a collection of services 
    • CloudWatch logs
      • Any custom log data, Memory Usage, Rails Logs, Nginx Logs
    • CloudWatch Metrics 
      • Metrics based off of logs, i.e. Memory Usage
    • CloudWatch Events 
      • Trigger an event based on a condition, i.e. every hour take a snapshot of the server
    • CloudWatch Alarms 
      • Triggers notifications based on metrics
    • CloudWatch Dashboard
      • Create visualizations based on metrics
  • CloudSearch
    • Search engine for when you have an ecommerce website and you want a search bar

 


 

Connect Service Variation Study

  • Direct Connect - dedicated fiber optics connections from DataCenter to AWS
    • A large enterprise has their own datacenter and they need an insanely fast connection directly to AWS. If you need security, you can apply a VPN on top of Direct Connect 
  • Amazon Connect - Call Center Service
    • A call center in the cloud 
    • Toll free number, accept inbound and outbound calls, setup automated phone payments
  • MediaConvert - new version of Elastic Transcoder, converts videos to different video types

 


 

Elastic Transcoder vs. MediaConvert (Same price)

  • Both services transcode videos
  • Elastic Transcoder is the old way
    • Transcodes videos to streaming formats 
  • AWS Elemental MediaConvert (new way)
    • Transcodes videos to streaming formats
    • Overlays images
    • Insert video clips
    • Extracts captions data 
    • Robust UI

 

SNS vs SQS (They both connect apps via Messages)

  • SNS - Simple Notification Service
    • Passes along messages using PubSub (Publisher - Subscriber)
    • Send notifications to subscribers on topics via HTTP, email, SQS, SMS
    • Used for plain text emails (cannot do HTML emails), ex. Billing alarms
  • SQS - Simple Queue Service 
    • Queue up messages, guaranteed delivery
    • Places messages into a queue - applications pull queue using the AWS SDK (Software Development Kit)
    • Retains message up to 14 days
    • Sends messages in sequential order
    • Ensure only one message is sent
    • Ensure messages are delivered at least ONCE
    • Good for delayed tasks, i.e. queueing up emails

 


 

Inspector vs. Trusted Advisor (Both security tools to perform audits)

  • Amazon Inspector (only for EC2 instances)
    • Audits a SINGLE EC2 instance that you have selected
    • Generates reports from a long list of checks… 699 checks 
  • Trusted Advisor (Multiple AWS services and security practices)
    • Doesn’t generate a PDF report
    • Gives a holistic view of recommendations across multiple services and best practices 
      • Ex. you have open ports on these security groups
      • Ex. you should enable MFA on your root account when using trusted advisor

 


 

ALB v. NLB v. CLB

SNS vs. SES

TOPICS and SUBSCRIPTIONS REGARDING SNS!!!

Artifact v. Inspector

Last Minute Tips



  • Global Accelerator can be used to reduce latency of websites to load faster for users around the world
    • Monitors health with the ability to route traffic to healthy regional endpoints
  • VPC Flow Logs can capture information about IP traffic or any traffic flowing into your VPC
  • You can use Snowball or Data Migration Service (DMS) to move data from on-premise to AWS

 

 

           

           

 
