CloudLeaf

The primary types of cloud computing services are Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). IaaS provides virtualized computing resources, PaaS allows for building applications without managing underlying infrastructure, and SaaS offers software solutions through a subscription model.

The major deployment models in cloud computing include public, private, and hybrid clouds. Public clouds are hosted by third-party providers and offer services to the general public, while private clouds are dedicated to a single organization. Hybrid clouds combine both, providing flexibility and scalability.

Cloud computing offers significant advantages such as cost savings, scalability, flexibility, and the ability to access services from anywhere. However, concerns about data security, privacy, and compliance remain key challenges for businesses considering cloud adoption.

Major cloud providers include Amazon Web Services (AWS), Microsoft Azure, and Google Cloud, each offering a wide range of services to meet diverse business needs. Cloud computing continues to evolve, with innovations such as edge computing and serverless architecture driving further growth.

IAM enables you to define fine-grained access to AWS resources using policies. Policies are written in JSON and specify the permissions granted to users, groups, or roles. You can also define password policies and enforce multi-factor authentication (MFA) for additional security.

IAM roles allow AWS services like EC2 or Lambda to access resources without embedding access keys in your application. Best practices include using IAM roles, enabling MFA, and regularly rotating credentials for added security.

IAM is an essential part of managing AWS security. By following best practices such as least privilege and policy simulation tools, you can effectively control and monitor user access in your AWS environment.

Key features include: On-Demand Instances, Reserved Instances, and Spot Instances. EC2 offers flexibility in instance types, storage, networking, elastic load balancing, and auto-scaling to suit a variety of application needs.

EC2 allows customized instance sizing and configuration. You can choose instance types based on application requirements, leverage Amazon EBS for persistent storage, and manage networking with VPCs and security groups. Auto scaling automatically adjusts instances to match demand.

EC2 also supports bootstrapping, which runs user data scripts at the instance launch. This can automate tasks like software installations, downloading configuration files, and configuring system settings.

EC2 offers a range of instance types for different workloads, such as General Purpose Instances, Compute Optimized Instances, Memory Optimized Instances, and Storage Optimized Instances. Each type provides specific resources like vCPUs, memory, network performance, and storage tailored to various application needs.

Instance types include: t4g.micro, m5.large, c5.large, r5.xlarge, i3.large, and more, each with varying levels of CPU, memory, storage, and network performance to meet specific use cases like web servers, databases, batch processing, and high-frequency trading.

EBS volumes are automatically replicated within an Availability Zone (AZ) and come in several types, including General Purpose (gp3/gp2), Provisioned IOPS (io1/io2), Throughput Optimized (st1), and Cold (sc1). They can be attached to one EC2 instance at a time but can be detached and re-attached as needed.

The EBS delete on termination attribute controls whether the volume is automatically deleted when the associated EC2 instance is terminated. By default, the root volume is deleted, while additional volumes are not unless explicitly specified.

EBS snapshots offer point-in-time backups of EBS volumes and are stored in Amazon S3. Snapshots are incremental, capturing only changes since the last backup. They can be copied across regions or accounts and automated using Amazon Data Lifecycle Manager (DLM).

EBS snapshot archives are cheaper, providing a 75% reduction in cost. However, they take between 24 to 72 hours to restore. The EBS Snapshot Recycle Bin feature allows retention of deleted snapshots, offering recovery after accidental deletion with customizable retention periods.

Elastic File System (EFS) is a fully managed NFS solution for EC2 instances that can scale automatically and provides high availability across multiple Availability Zones. EFS can be accessed by hundreds of EC2 instances simultaneously, making it ideal for shared storage applications.

EFS Infrequent Access (EFS-IA) is a lower-cost storage class for infrequently accessed data, offering up to 92% savings compared to standard EFS. It automatically moves less-accessed files to the EFS-IA tier, while maintaining high availability.

Scalability can be vertical (increasing a single instance's capacity) or horizontal (adding more instances to distribute the load). Vertical scalability is often used for databases, while horizontal scalability is suited for applications requiring resilience and distributed workloads.

High Availability is achieved by deploying resources across multiple Availability Zones (AZs) to ensure failover and redundancy. It works best with horizontal scalability, as multiple AZs provide resilience against zone failures.

In EC2, vertical scaling involves increasing instance size, from smaller instances like t2.nano to larger ones like u-12tb1.metal. Horizontal scaling involves adding more instances using Auto Scaling Groups (ASG) and Elastic Load Balancing (ELB).

Scalability, Elasticity, and Agility each refer to different aspects of cloud infrastructure. Scalability adjusts capacity to handle varying traffic, elasticity dynamically adjusts resources in real-time, and agility enables quick deployment in response to demand changes.

Load balancing distributes incoming traffic across multiple resources, preventing overloading any single resource. It improves fault tolerance, high availability, and provides features like SSL termination and health checks.

Elastic Load Balancer (ELB) is a managed service that distributes traffic across multiple targets in one or more AZs. ELB improves performance and scales with demand, with AWS handling upgrades and high availability.

Types of ELBs include Application Load Balancer (ALB) for HTTP/HTTPS traffic at Layer 7, Network Load Balancer (NLB) for high-performance traffic at Layer 4, and Classic Load Balancer (retiring) for both layers.

An Auto Scaling Group (ASG) adjusts the number of EC2 instances based on metrics like CPU utilization, ensuring optimal capacity and high availability. It can automatically scale out (add instances) or scale in (remove instances) as needed, with cost savings from only running at optimal capacity.

Buckets must follow naming conventions: no uppercase letters or underscores, 3-63 characters long, cannot be an IP, and must start with a lowercase letter or number.

Objects in S3 are identified by a "Key," which is the full path to the object. While S3 doesn’t have actual directories, the UI mimics a folder structure using slashes ("/") in the object keys.

The maximum object size in S3 is 5TB, but for uploads over 5GB, multi-part upload is required. Each object can have metadata and tags, and if versioning is enabled, a version ID is also included.

S3 offers various security mechanisms, including user-based IAM policies and resource-based policies such as bucket policies and access control lists (ACLs). Encryption can also be applied to S3 objects.

Bucket policies are JSON-based and allow defining which actions are permitted or denied for specific resources. These policies can be used for public access management, cross-account access, and ensuring encryption during object uploads.

For added security, you can configure "Block Public Access" settings to prevent unauthorized public access to your buckets and objects. These settings can be enforced at the account level.

S3 can host static websites, making your content accessible via a specific URL. However, to avoid access issues, ensure that the bucket policy allows public reads if needed.

Databases are designed for specific purposes and offer features like indexing, relationships, and query optimization. Managed databases in AWS take care of maintenance, backups, and security, reducing operational complexity.

Benefits of managed databases include high availability, disaster recovery, scalability, and enhanced security. AWS offers various database types such as Relational (SQL), NoSQL, Data Warehousing, and In-memory Caching.

Relational Databases (SQL) store structured data in predefined schema tables and are commonly used in transactional applications and financial systems. Popular examples include MySQL, PostgreSQL, Oracle, SQL Server, and MariaDB.

NoSQL databases offer flexibility with no predefined schema, making them ideal for real-time applications, IoT, and mobile apps. They scale out using distributed clusters and are optimized for specific data models. Examples include DynamoDB, MongoDB (DocumentDB), and various key-value, document, graph, and search databases.

JSON is a common data format in NoSQL databases, supporting nested fields, dynamic structures, and new data types like arrays. An example of a NoSQL data entry might look like this:

              {
                "name": "Abc",
                "age": 30,
                "cars": ["Ford", "BMW", "Fiat"],
                "address": {
                  "type": "house",
                  "number": 23,
                  "street": "Abc Road"
                }
              }
            

AWS operates with a shared responsibility model. AWS handles infrastructure management, backups, patches, and availability, while customers are responsible for data security, encryption, IAM access controls, monitoring, and performance tuning.

AWS RDS (Relational Database Service) is a fully managed service for relational databases, supporting MySQL, PostgreSQL, MariaDB, Oracle, and SQL Server. It automates provisioning, OS patching, backups, high availability, scaling, and more.

Key advantages of using RDS over deploying a database on EC2 include automated provisioning, continuous backups, monitoring dashboards, read replicas for improved performance, and Multi-AZ setups for disaster recovery. However, you cannot SSH into RDS instances.

RDS offers different deployment options like Read Replicas (for scaling read workloads), Multi-AZ (for high availability with automatic failover), and Multi-Region (for disaster recovery and global availability).

In RDS, Read Replicas improve read performance and allow asynchronous replication, while Multi-AZ deployments provide failover and high availability, ensuring the database remains accessible in case of an AZ outage.

Docker containers provide consistency across different environments, allowing you to run the same application on any machine without compatibility issues. This leads to easier maintenance, faster scaling, and predictable behavior.

Docker works with any language, OS, or technology and enables rapid scaling of containers, with adjustments made in just seconds.

Docker images are stored in repositories like Docker Hub for public access, and Amazon ECR (Elastic Container Registry) for private storage, management, and deployment of container images.

Docker is often compared to Virtual Machines (VMs), but they are different. While both virtualize environments, Docker containers share the host OS kernel, making them more lightweight and portable. Virtual machines, on the other hand, include a full operating system, making them heavier and slower to start.

Docker containers are best for modern, microservices-based applications, while virtual machines are better suited for running multiple OS environments.

Amazon ECS (Elastic Container Service) is a fully managed container orchestration service that supports Docker containers. ECS automates container management, allowing you to launch and manage Docker containers on AWS. ECS integrates with other AWS services like IAM, VPC, ELB, and ECR.

AWS Fargate is a serverless compute engine for containers that works with ECS and EKS. It eliminates the need to manage EC2 instances, allowing you to pay for only the resources (CPU and memory) your containers use.

Amazon ECR is a fully managed Docker container registry that stores, manages, and secures Docker images. It integrates with ECS, EKS, and Fargate for seamless deployment and running of Docker containers.

Serverless computing eliminates the need to provision, scale, or manage servers. With serverless services like AWS Lambda, resources are automatically provisioned and scaled by AWS. Developers simply deploy functions (code) that respond to events, rather than managing infrastructure.

AWS Lambda is a serverless compute service that executes code in response to events like API calls or file uploads. It automatically scales and only charges you for usage.

In contrast to EC2, where you manage virtual servers, AWS Lambda runs code in a serverless environment with no server management required. Lambda functions are limited by time, whereas EC2 instances are limited by RAM and CPU. Lambda scales automatically, unlike EC2, which requires manual intervention.

Benefits of AWS Lambda include automatic scaling based on event triggers, a pay-per-use pricing model, and a free tier that covers up to 1,000,000 requests and 400,000 GB-seconds of compute time. Lambda also integrates seamlessly with other AWS services and supports multiple programming languages.

Lambda is ideal for event-driven architectures, with easy monitoring through AWS CloudWatch and the ability to increase resources (up to 10GB of RAM) to boost performance.

CloudFormation allows you to declare your infrastructure using templates, specifying the resources you need (e.g., security groups, EC2 instances, S3 buckets, load balancers). It then creates, configures, and maintains the resources for you in the correct order.

The benefits of AWS CloudFormation include:

• Infrastructure as code: Resources are defined through code, improving control and eliminating manual configuration.
• Cost management: Each resource within a CloudFormation stack is tagged, helping you track costs. You can also estimate costs through the template.
• Productivity: CloudFormation allows you to destroy and recreate infrastructure quickly, automating diagram generation and eliminating the need for reinventing the wheel.

CloudFormation supports almost all AWS resources, and if a resource isn't supported, you can use "custom resources" to define it. You can even leverage existing templates found on the web.

For visual management, AWS CloudFormation Stack Designer allows you to see all resources in your stack and how they relate to each other. For example, a WordPress CloudFormation Stack would allow you to view all resources and their relationships.

The AWS Cloud Development Kit (CDK) allows you to define your cloud infrastructure using a programming language you're familiar with, such as JavaScript, TypeScript, Python, Java, or .NET. The CDK compiles this code into a CloudFormation template, enabling you to deploy infrastructure and runtime code together.

Here’s an example using Python with the AWS CDK to create an S3 bucket with versioning enabled:

            
      from aws_cdk import core
      from aws_cdk import aws_s3 as s3
      
      class MyS3BucketStack(core.Stack):
          def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
              super().__init__(scope, id, **kwargs)
      
              # Define an S3 bucket
              s3.Bucket(
                  self,
                  'MyS3Bucket',
                  versioned=True,
                  removal_policy=core.RemovalPolicy.DESTROY
              )
      
      # App entry point
      app = core.App()
      MyS3BucketStack(app, 'MyS3BucketStack')
      app.synth()
            
          

After setting up the project and installing dependencies, running this script will create the S3 bucket as defined in the CDK stack.

Common developer challenges in AWS include managing infrastructure, deploying code, configuring databases, load balancers, and scaling. CloudFormation and CDK simplify these tasks by providing reusable templates and automating infrastructure provisioning.

Most web applications share similar architectures (such as an Application Load Balancer (ALB) and Auto Scaling Group (ASG)). Developers are primarily focused on getting their code running consistently across different applications and environments, without the need to manage infrastructure manually.

AWS’s global infrastructure is made up of:

• Regions: Locations for deploying applications and infrastructure.
• Availability Zones: Multiple data centers within a region for redundancy and fault tolerance.
• Edge Locations: Points of presence for content delivery to ensure low latency for end-users.

More details can be found at AWS Global Infrastructure.

Global Applications in AWS

AWS offers several services to enhance the performance and availability of global applications:

• Global DNS: Route 53 – Direct users to the nearest deployment based on latency or disaster recovery strategies.
• Global Content Delivery Network (CDN): CloudFront – Replicates applications to AWS Edge Locations to reduce latency, with caching for improved user experience.
• S3 Transfer Acceleration – Speeds up global uploads and downloads to/from Amazon S3.
• AWS Global Accelerator – Improves global application availability and performance using the AWS global network.

Amazon Route 53 Overview

Route 53 is a managed DNS service that helps direct clients to the correct servers through DNS records.

• A Record: Maps a domain to an IPv4 address (e.g., www.google.com => 12.34.56.78).
• AAAA Record: Maps a domain to an IPv6 address.
• CNAME: Maps one domain to another domain (e.g., search.google.com => www.google.com).
• Alias Record: Used to map a domain to AWS resources like ELB, CloudFront, S3, RDS, etc.

Route 53 Routing Policies

Route 53 supports various routing policies. Here’s a brief overview of the main types:

• Simple Routing Policy: For a single resource serving a function, such as a web server.
• Weighted Routing Policy: Routes traffic to multiple resources in a specified proportion.
• Latency Routing Policy: Routes traffic to the region with the best latency.
• Failover Routing Policy: Configures active-passive failover for disaster recovery.

AWS CloudFront

CloudFront is a Content Delivery Network (CDN) that improves the read performance of your applications by caching content at AWS Edge Locations globally. It helps improve user experience by reducing latency and includes DDoS protection through AWS Shield and AWS Web Application Firewall.

CloudFront can work with multiple origins:

• S3 Bucket: For distributing and caching files at the edge with enhanced security (via CloudFront Origin Access Identity).
• Custom Origin (HTTP): You can use CloudFront with Application Load Balancers, EC2 instances, or even other HTTP backends.
• S3 Website: CloudFront can be used to serve static websites hosted in S3 buckets.

CloudFront vs S3 Cross-Region Replication

Feature	CloudFront	S3 Cross-Region Replication
Network	Global Edge network	Set up for each region
Content Update	Content cached for a TTL (time-to-live)	Content updated in near real-time
Use Case	Great for static content globally	Great for dynamic content with low-latency needs

Amazon SQS - Simple Queue Service

Amazon Simple Queue Service (SQS) is AWS's oldest offering, providing a fully managed, serverless service for decoupling applications. SQS allows asynchronous message communication between components, making it highly scalable and reliable for distributed applications.

• Decoupling of Applications: Send and receive messages asynchronously.
• Queue Types: Standard queues (unlimited throughput) and FIFO queues (ordered processing).
• Scalability: From 1 message per second to 10,000+ messages per second.
• Retention: Default message retention of 4 days, with a maximum of 14 days.
• Low Latency: Less than 10ms for publishing and receiving messages.
• Horizontal Scaling: Multiple consumers share the workload.
• Message Deletion: Messages are deleted after they’re read by consumers.

Amazon Kinesis

Amazon Kinesis is a real-time big data streaming service that allows you to collect, process, and analyze real-time streaming data at any scale. It's mainly used for real-time data processing and analytics.

While too detailed for the Cloud Practitioner exam, these components of Kinesis are important:

• Kinesis Data Streams: Low-latency streaming to ingest data from thousands of sources.
• Kinesis Data Firehose: Loads streams into S3, Redshift, ElasticSearch, etc.
• Kinesis Data Analytics: Real-time analytics on streams using SQL.
• Kinesis Video Streams: Monitor and analyze real-time video streams for applications like analytics or machine learning (ML).

Amazon SNS - Simple Notification Service

Amazon SNS allows you to send notifications to multiple receivers. It's used for mass message delivery, primarily for mobile users, and provides low-cost infrastructure for event-driven systems.

• Event Publishers: Only need to send messages to one SNS topic.
• Event Subscribers: Multiple subscribers can listen to the SNS topic and receive all messages.
• Subscriptions: Up to 12,500,000 subscriptions per topic, with a limit of 100,000 topics.

Amazon MQ

Amazon MQ is a managed Apache ActiveMQ service, designed to support legacy protocols like MQTT, AMQP, STOMP, and WSS. It's particularly useful when migrating traditional on-premise applications to the cloud, offering a way to integrate without re-engineering applications for cloud-native services like SQS and SNS.

• Managed ActiveMQ: Amazon MQ is a managed service for applications that use open protocols.
• Queue & Topic Support: Similar to SQS and SNS, but with traditional message broker support.
• Not Serverless: Runs on dedicated machines, not serverless like SQS and SNS.

Integration Summary

Here’s a comparison of the key AWS messaging services:

Service	Purpose	Key Features
SQS	Queue service for decoupling applications	Multiple producers and consumers, message retention up to 14 days, low latency, horizontal scaling
SNS	Notification service for broadcasting messages	Multiple subscribers (email, Lambda, HTTP, mobile), no message retention
Kinesis	Real-time data streaming	Data ingestion, real-time analytics, video streaming
Amazon MQ	Managed message broker (Apache ActiveMQ)	Supports open protocols (MQTT, AMQP, STOMP), queue & topic support, dedicated machines

Amazon CloudWatch

Amazon CloudWatch is a monitoring and observability service that provides real-time metrics and logs for AWS resources, applications, and custom metrics. It helps you collect, analyze, and act on performance and operational data.

Key Features:

• Metrics: Collect and track metrics like CPU utilization, network I/O, and more.
• Alarms: Set alarms and take automated actions when thresholds are exceeded.
• Logs: Store and access logs for troubleshooting.

Important Metrics:

• EC2 Instances: CPU utilization, disk I/O, network I/O (Default metrics every 5 minutes; Detailed monitoring every minute).
• EBS Volumes: Disk read/writes.
• RDS Databases: CPU utilization, free storage space, read/write IOPS.
• S3 Buckets: Number of requests, latency, errors.
• Lambda Functions: Invocation count, error count, duration.
• Billing: Total estimated charge (only in us-east-1).
• Service Limits: Usage of AWS service APIs.
• Custom Metrics: Push your own metrics.

Amazon CloudWatch Alarms

CloudWatch Alarms help you take actions automatically when a metric exceeds a set threshold. For example, if EC2 CPU utilization exceeds 80%, you can send an alert or trigger an auto-scaling event.

• Examples: Send an SNS notification, scale EC2 instances based on demand.
• Alarm States: OK, INSUFFICIENT_DATA, ALARM.
• Actions: EC2 stop, terminate, reboot, or recover.

Amazon CloudWatch Logs

CloudWatch Logs is a centralized logging service that can collect logs from various AWS services and applications.

• Supported Sources: Elastic Beanstalk, ECS, Lambda, CloudTrail, EC2 instances, Route 53 DNS queries.
• Real-time Monitoring: View logs as they are generated.
• Adjustable Retention: Control how long logs are stored.

Amazon CloudWatch Events

CloudWatch Events delivers a stream of system events describing changes to AWS resources. It can be used to trigger automated workflows based on resource changes.

• Examples: Trigger Lambda on EC2 state change or run scheduled cron jobs.
• Event Patterns: Create event rules to react to specific events.
• Automation: Trigger Lambda, send SNS/SQS messages, or invoke other services.

Amazon EventBridge

EventBridge is the evolution of CloudWatch Events, offering more advanced capabilities for building event-driven architectures.

• Event Buses: Default (AWS services), Partner (from third-party SaaS), and Custom (for your own applications).
• Schema Registry: Define and manage event schemas.
• EventBridge vs CloudWatch Events: EventBridge introduces new event bus capabilities and greater integration with external services.

AWS CloudTrail

CloudTrail tracks and logs API calls made within your AWS account, providing visibility into user activity for security analysis, compliance, and operational troubleshooting.

• Enabled by Default: Tracks API calls across AWS services made through the console, CLI, SDK, etc.
• Log Delivery: CloudTrail logs can be sent to CloudWatch Logs or S3 for storage and analysis.
• Trail Scope: Can be configured to log events in all regions or a specific region.

CloudTrail Events

• Management Events: Activities like configuring security policies or creating EC2 subnets.
• Data Events: Activities at a lower level, such as object-level operations on S3 or Lambda invocations.

CloudTrail Insights

CloudTrail Insights detects unusual activity in your account, such as inaccurate resource provisioning, hitting service limits, or anomalies in IAM actions.

• Automatic Baselines: Insights create a baseline of normal activity and detect anomalies by comparing with past patterns.
• EventBridge Integration: Insights events can trigger automated workflows via EventBridge.

Amazon VPC

Amazon Virtual Private Cloud (VPC) is a private network within AWS that you can use to host your resources. VPCs are region-specific and consist of subnets, which allow you to partition your network based on availability zones.

Subnets

• Public Subnet: A subnet that is accessible from the internet.
• Private Subnet: A subnet that is not accessible from the internet.

Routing Access with Route Tables

Route tables control the flow of traffic within your VPC. They define how traffic is routed between subnets and to/from the internet.

Internet Gateway (IGW)

The Internet Gateway connects your VPC to the internet, allowing instances in your VPC to communicate directly with the internet.

• Essential for enabling public subnet communication with the internet.

NAT Gateway

The NAT Gateway allows instances in private subnets to initiate outbound traffic to the internet while preventing unsolicited inbound traffic.

• Used for scenarios like downloading updates and patches while preventing direct access from the internet.
• Managed by AWS for ease of use and scalability.

NAT Gateway vs NAT Instance

Attribute	NAT Gateway	NAT Instance
Availability	Highly available, AWS manages redundancy	Requires manual failover setup
Bandwidth	Up to 100 Gbps	Depends on instance type
Maintenance	Managed by AWS	Managed by you
Performance	Optimized for NAT traffic	Generic AMI configured for NAT
Cost	Charged by usage and data transfer	Charged by instance type and usage
Public IP Addresses	Elastic IP address	Elastic or public IP address
Private IP Addresses	Automatically selected	Manually assigned
Security Groups	Cannot associate security groups	Can associate security groups
Flow Logs	Supported	Supported
Port Forwarding	Not supported	Customizable for port forwarding

Network ACLs vs Security Groups

Network ACLs and Security Groups are both firewalls, but they operate at different levels and have different capabilities.

Feature	Network ACL	Security Group
Level of Operation	Subnet level	Instance level
Rule Type	Allow and Deny rules	Allow rules only
Statefulness	Stateless (return traffic must be allowed)	Stateful (return traffic allowed by default)
Rule Processing	Rules processed in order	All rules evaluated before action
Application	Automatically applied to all instances in subnet	Applied to instances based on association

VPC Flow Logs

VPC Flow Logs capture information about IP traffic going into or out of your network interfaces. This can help monitor and troubleshoot connectivity issues.

• Captures traffic from VPC, subnet, or ENI.
• Useful for monitoring subnets’ traffic to/from the internet or between subnets.
• Can send log data to S3 or CloudWatch Logs.

VPC Peering

VPC Peering allows direct communication between two VPCs, either in the same AWS account or across different accounts, without the use of the internet.

• Must have non-overlapping CIDR blocks.
• Provides private, high-speed communication between VPCs.

VPC Endpoints

VPC Endpoints allow private connections between your VPC and AWS services, without using public internet routing.

• Gateway Endpoint: For S3 and DynamoDB.
• Interface Endpoint: For all other AWS services.

Site-to-Site VPN & Direct Connect

A Site-to-Site VPN allows you to securely connect your on-premises network to AWS over the public internet. AWS Direct Connect establishes a private, secure, high-performance connection.

• Site-to-Site VPN: Automatically encrypted, connects via a Virtual Private Gateway.
• AWS Direct Connect: Physical connection, private and secure, ideal for high-volume traffic.

AWS Shared Responsibility Model

The AWS Shared Responsibility Model clarifies the division of responsibilities for security and compliance between AWS and the customer. AWS handles security for the infrastructure, while customers are responsible for securing their data, applications, and other elements within the cloud.

Shared Responsibility Categories

Aspect	AWS Responsibility	Customer Responsibility
Infrastructure	Physical security, hardware, and global network	Not applicable (fully managed by AWS)
Configuration	Default configurations for services	Customize configurations to meet security requirements
Data Protection	Ensure data encryption capabilities are available	Encrypt sensitive data and manage access permissions
Patching	Patching underlying infrastructure	Patching the operating system and applications
Access Management	IAM service availability and best practices	Defining and enforcing user and resource permissions

Example for RDS

AWS Responsibility:

• Managing the underlying database engine (e.g., MySQL, PostgreSQL).
• Ensuring hardware security and network isolation.
• Applying patches to the database software.
• Audit the underlying instance and disks & guarantee it functions.

Customer Responsibility:

• Managing database credentials and access control.
• Encrypting data at rest and in transit.
• Defining backup and recovery policies.
• Monitoring database performance using CloudWatch.
• Ensuring parameter groups or DB is configured to only allow SSL connections.

Example for S3

AWS Responsibility:

• Ensuring data durability and availability.
• Managing infrastructure security for S3.
• Guarantee unlimited storage.
• Ensuring AWS employees can’t access your data.
• Ensuring separation of the data between different customers.

Customer Responsibility:

• Configuring bucket policies, access control lists (ACLs), and IAM roles.
• Enabling encryption for objects (e.g., server-side or client-side encryption).
• Monitoring and auditing access using AWS CloudTrail and S3 access logs.
• Implementing versioning and lifecycle policies for object management.

DDoS Protection on AWS

AWS provides several security features to mitigate the risk of DDoS attacks and protect your applications:

• AWS Shield Standard: Protects against DDoS attacks for all customers at no additional cost.
• AWS Shield Advanced: 24/7 premium DDoS protection.
• AWS WAF: Web Application Firewall to filter specific requests based on custom rules.
• CloudFront and Route 53: Availability protection using AWS’s global edge network.
• Auto Scaling: Be ready to scale with AWS Auto Scaling during high traffic periods.

AWS Shield

AWS Shield provides protection against DDoS attacks across Amazon CloudFront, Elastic Load Balancing, and other AWS services. Key features include:

• Protection from SYN/UDP Floods, Reflection attacks, and other layer 3/layer 4 attacks.
• 24/7 access to AWS DDoS Response Team (DRT).
• Mitigating higher fees during usage spikes caused by DDoS attacks.

AWS WAF (Web Application Firewall)

AWS WAF helps protect your applications from common web exploits, including SQL injection and Cross-Site Scripting (XSS). Key features include:

• Define Web ACLs (Access Control Lists) based on IP addresses, HTTP headers, body, or URI strings.
• Protects from common attacks and allows you to set size constraints, geo-match rules, and rate-based rules.

Penetration Testing on AWS Cloud

AWS allows customers to perform penetration testing or security assessments on certain AWS services without prior approval. These services include:

• Amazon EC2, RDS, CloudFront, and more.
• For a full list, please refer to AWS’s official documentation.

Prohibited Activities

• DNS zone walking via Amazon Route 53 Hosted Zones.
• DoS and DDoS simulations, port flooding, and other attack simulations without approval.

For more information on Penetration Testing, visit AWS Security Penetration Testing.

Amazon Rekognition

Amazon Rekognition uses machine learning to identify objects, people, text, and scenes in images and videos. It offers powerful tools for facial analysis, user verification, and people counting. You can create a database of familiar faces or compare against celebrities.

Key Uses:

• Labeling
• Content Moderation
• Text Detection
• Face Detection and Analysis (e.g., gender, age range, emotions)
• Face Search and Verification
• Celebrities Recognition

For more information, visit Amazon Rekognition.

Amazon Transcribe

Amazon Transcribe converts speech to text using Automatic Speech Recognition (ASR), offering fast and accurate transcription for a variety of use cases.

Key Uses:

• Transcribing customer service calls
• Automating closed captioning and subtitling
• Generating metadata for searchable media archives

Amazon Polly

Amazon Polly turns text into lifelike speech using deep learning technology. It enables the creation of talking applications that can engage users with natural-sounding voice interactions.

Amazon Translate

Amazon Translate provides natural and accurate language translation, allowing businesses to localize content for international users and efficiently translate large volumes of text.

Amazon Lex & Amazon Connect

Amazon Lex

Amazon Lex uses ASR to convert speech to text and Natural Language Understanding (NLU) to recognize text and intent. It’s the same technology behind Amazon Alexa, enabling the creation of conversational bots and virtual assistants.

Amazon Connect

Amazon Connect is a cloud-based virtual contact center that allows businesses to create personalized contact flows and integrate with CRM systems or other AWS services, offering a cost-effective alternative to traditional contact centers.

Amazon Connect requires no upfront payments and is 80% cheaper than traditional contact centers.

Amazon Comprehend

Amazon Comprehend is a fully managed, serverless Natural Language Processing (NLP) service. It uses machine learning to find insights and relationships in text, providing valuable analytics on customer sentiment, key phrases, and more.

Key Features:

• Identifies language of the text
• Extracts key phrases, places, people, brands, or events
• Determines sentiment of the text
• Analyzes text using tokenization and parts of speech
• Organizes text by topic

Amazon SageMaker

Amazon SageMaker is a fully managed service designed for developers and data scientists to build, train, and deploy machine learning models. It simplifies the complex machine learning process, allowing users to focus on creating intelligent applications.

A simple example: Predicting your exam score based on historical data.

Amazon Forecast

Amazon Forecast uses machine learning to deliver highly accurate forecasts, reducing the time it takes to forecast from months to hours. It helps businesses predict future sales, demand, and other important factors with 50% more accuracy than traditional methods.

Key Uses:

• Product demand planning
• Financial planning
• Resource planning

Amazon Kendra

Amazon Kendra is a fully managed document search service powered by machine learning. It can extract answers from various document types and offers natural language search capabilities.

Kendra learns from user interactions and allows manual fine-tuning of search results to ensure the most relevant information is presented.

Amazon Personalize

Amazon Personalize is a fully managed ML service that provides real-time personalized recommendations. It’s used for creating customized user experiences, such as personalized product recommendations and targeted marketing campaigns.

Key Uses:

• Personalized product recommendations
• Customized direct marketing
• Integrates with websites, applications, SMS, email marketing systems

Amazon Textract

Amazon Textract automatically extracts text, handwriting, and data from scanned documents using AI and machine learning. It’s designed to process various document types such as PDFs, images, and scanned forms.

Key Uses:

• Financial Services (e.g., invoices, financial reports)
• Healthcare (e.g., medical records, insurance claims)
• Public Sector (e.g., tax forms, ID documents, passports)

Summary

• Rekognition: Face detection, labeling, celebrity recognition
• Transcribe: Speech-to-text (e.g., subtitles)
• Polly: Text-to-speech conversion
• Translate: Language translation
• Lex: Build conversational bots (chatbots)
• Connect: Cloud-based virtual contact center
• Comprehend: Natural language processing
• SageMaker: ML model development
• Forecast: Accurate forecasts
• Kendra: ML-powered document search
• Personalize: Real-time personalized recommendations
• Textract: Document text extraction

AWS Organizations

AWS Organizations is a global service that allows you to manage multiple AWS accounts. The main account in the organization is the master account, which oversees all billing and access controls for the organization.

Cost Benefits

• Consolidated billing across all accounts, simplifying the payment process.
• Volume-based pricing benefits, such as discounts for EC2, S3, and other services due to aggregated usage.
• Pooling of Reserved EC2 instances for optimal savings.
• API available for automating AWS account creation.
• Restrict account privileges using Service Control Policies (SCP).

Multi-Account Strategies

• Create accounts per department, cost center, or environment (dev, test, prod) for better resource isolation.
• Use SCPs to enforce compliance or regulatory restrictions.
• Enable centralized logging by sending CloudTrail and CloudWatch logs to a central account.
• Utilize tagging standards for billing purposes and separate per-account service limits.

Service Control Policies (SCP)

SCPs allow you to whitelist or blacklist IAM actions at the organizational unit (OU) or account level, except for the master account. They do not affect service-linked roles, which are essential for AWS services to integrate with AWS Organizations.

• SCP must have an explicit "Allow" to permit access (by default, they do not allow anything).
• Common use cases: restricting access to certain services, enforcing PCI compliance by disabling services, etc.

AWS Control Tower

AWS Control Tower helps you set up and govern a secure, multi-account AWS environment following AWS best practices. It runs on top of AWS Organizations and automates ongoing policy management, detecting violations and monitoring compliance.

• Automate environment setup in a few clicks.
• Use "guardrails" for policy enforcement and remediation.
• Monitor compliance through an interactive dashboard.

AWS Resource Access Manager (AWS RAM)

AWS RAM allows you to share AWS resources that you own with other AWS accounts, either within your organization or externally. This helps avoid resource duplication and can save costs across multiple accounts.

• Resources supported for sharing include VPC subnets, Transit Gateway, Aurora, EC2 Dedicated Hosts, Route 53, etc.

AWS Service Catalog

AWS Service Catalog provides a curated, self-service portal for launching AWS resources. It helps ensure that users follow governance policies and only deploy approved resources, reducing the risk of non-compliant or rogue stacks.

• Users can launch predefined sets of authorized products, such as virtual machines, databases, and storage options.

Pricing Models in AWS

AWS offers four primary pricing models to cater to different business needs and optimize cost savings:

• Pay as you go: Pay only for what you use, offering agility and scalability.
• Save when you reserve: Reduce costs with reserved capacity for EC2, DynamoDB, ElastiCache, RDS, etc.
• Pay less by using more: Receive volume-based discounts for higher usage levels.
• Pay less as AWS grows: Benefit from cost reductions as AWS scales its services.

EC2 Pricing

The EC2 pricing model offers several options based on your needs:

On-Demand Instances

• Pay for the compute capacity by the second or hour (Linux/Windows).
• Flexible, pay for what you use without long-term commitments.

Reserved Instances

• Save up to 75% compared to on-demand pricing.
• Commit to a 1- or 3-year term, with various payment options: all upfront, partial upfront, or no upfront.

Spot Instances

• Bid for unused EC2 capacity and save up to 90% off on-demand pricing.
• Best for workloads that can tolerate interruptions.

Dedicated Hosts

• On-demand or reserved (1 or 3 years).
• Reserved instances also available to save on sustained usage.

Savings Plans

• Alternative to Reserved Instances, offering flexible savings for EC2 and Fargate workloads.

AWS STS (Security Token Service)

AWS Security Token Service (STS) allows you to provide temporary, limited-privilege credentials for accessing AWS resources. The credentials are time-bound, with a configurable expiration period, ensuring that access to resources is controlled and secure.

Use Cases

• Identity Federation: Manage user identities in external systems and provide STS tokens for secure access to AWS resources.
• Cross-Account Access: Use IAM roles with STS to grant temporary access between different AWS accounts or within the same account.
• EC2 Instance Access: Use IAM roles with STS for EC2 instances to temporarily access AWS resources without hardcoding credentials.

Amazon Cognito

Amazon Cognito enables user identity management for web and mobile applications, supporting potentially millions of users. Instead of creating IAM users, you can create and manage users directly within Cognito, allowing for easy integration with your applications.

• Scalability: Amazon Cognito can scale to handle millions of users, offering a secure and cost-effective solution for managing identities.
• User Pools: Create and manage a user directory for your web and mobile apps.
• Federated Identities: Authenticate users from third-party providers like Google, Facebook, and SAML-based identity providers.

Microsoft Active Directory (AD) Integration

AWS offers several solutions to integrate Microsoft Active Directory (AD) with AWS for centralized security management, such as managing user accounts, permissions, and resources across your organization.

AWS Directory Services

AWS Directory Services offers multiple options for integrating Active Directory into AWS, providing both managed and self-managed solutions to meet your business needs:

AWS Managed Microsoft AD

• Fully managed service to create and manage your own Active Directory within AWS.
• Supports Multi-Factor Authentication (MFA) and establishes trust connections with on-premise AD.
• Enables seamless integration of AWS resources with your existing AD infrastructure.

AD Connector

• Acts as a proxy to redirect directory requests to your on-premise Active Directory.
• Supports MFA and allows you to manage users and resources from your on-premise AD while integrating with AWS services.

Simple AD

• A managed directory service that is compatible with Active Directory but does not support joining with on-premise AD.
• Ideal for lightweight directory requirements without the need for full AD integration.

AWS IAM Identity Center

AWS IAM Identity Center provides a centralized identity management solution that enables Single Sign-On (SSO) for multiple AWS accounts and business applications. It integrates with cloud apps like Salesforce, Microsoft 365, and SAML-based apps for seamless user access.

• Single Sign-On (SSO): Provides one-click access to multiple AWS accounts and applications.
• Identity Providers: Built-in identity store in IAM Identity Center or integration with external SAML 2.0 identity providers.
• Application Integration: Enables easy access to third-party cloud apps (e.g., Salesforce, Box, etc.) without separate logins.

Summary

AWS provides a variety of services to manage identities and access in a secure and scalable way:

• AWS IAM: Identity and access management within your AWS account for trusted users.
• AWS Organizations: Manage multiple AWS accounts for better governance and resource management.
• AWS STS: Provides temporary, limited-privilege credentials for AWS resource access, ideal for identity federation and cross-account access.
• Amazon Cognito: Create and manage user identities for mobile and web applications, integrating with external identity providers.
• AWS Directory Services: Integrates Microsoft Active Directory in AWS, supporting managed AD, AD Connector, and Simple AD solutions.
• AWS IAM Identity Center: Single sign-on for AWS accounts and cloud applications, streamlining user access management.

Amazon WorkSpaces

Amazon WorkSpaces is a fully managed Desktop as a Service (DaaS) solution that provides Windows or Linux desktops, eliminating the need to manage on-premise Virtual Desktop Infrastructure (VDI). It's scalable to thousands of users quickly and integrates with AWS Key Management Service (KMS) for data security. The service follows a pay-as-you-go model with both monthly and hourly pricing options.

Key Features:

• Fully managed virtual desktops (Windows or Linux)
• Scalable to thousands of users
• Integration with AWS KMS for secure data storage
• Pay-as-you-go pricing with monthly or hourly options

Amazon AppStream 2.0

Amazon AppStream 2.0 is a Desktop Application Streaming Service that allows you to stream applications to any computer without the need for provisioning infrastructure. Applications are streamed directly from within a web browser, providing secure access without requiring users to connect to a Virtual Desktop Infrastructure (VDI).

Key Features:

• Stream desktop applications to web browsers without VDI
• Works across any device with a browser
• Customizable instance types (CPU, RAM, GPU) for each application
• On-demand and always-on workspace configurations

Amazon Sumerian

Amazon Sumerian is a platform to create and run virtual reality (VR), augmented reality (AR), and 3D applications without requiring programming skills. It offers easy-to-use tools to quickly create 3D models with animations. The service provides ready-to-use templates and assets, making it ideal for developers and creators looking to build immersive experiences.

Key Features:

• Create 3D models with animations
• No programming or 3D expertise required
• Accessible via web-browser URLs or popular AR/VR hardware

Example Showcase: Amazon Sumerian Getting Started Showcase

AWS IoT Core

AWS IoT Core is a service that allows you to securely and scalably connect IoT devices to the AWS Cloud. It supports serverless communication with devices, even when they are disconnected, and integrates with various AWS services such as Lambda, S3, and SageMaker to process, analyze, and act on IoT data.

Key Features:

• Secure and scalable device connection to AWS Cloud
• Integrates with services like Lambda, S3, SageMaker for data processing
• Supports disconnected communication for IoT applications

Amazon Elastic Transcoder

Amazon Elastic Transcoder is a fully managed service that allows you to convert media files stored in Amazon S3 into formats required by consumer playback devices (e.g., phones, tablets, etc.). It supports large volumes of media files with a cost-effective, pay-as-you-go pricing model.

Key Benefits:

• Easy-to-use interface for media transcoding
• Highly scalable, handling large volumes of media files
• Cost-effective with duration-based pricing

AWS AppSync

AWS AppSync is a service that allows you to store and sync data across mobile and web apps in real-time using GraphQL. It integrates seamlessly with DynamoDB, Lambda, and other AWS services and supports offline data synchronization for resilient apps.

Key Features:

• Real-time data synchronization for mobile and web apps
• Uses GraphQL to query and manipulate data
• Offline synchronization capabilities (replacing Cognito Sync)
• Fine-grained security controls

AWS Amplify

AWS Amplify is a set of tools and services that help developers build and deploy scalable, full-stack web and mobile applications. It includes features for backend-as-a-service (BaaS), frontend libraries, real-time capabilities, and CI/CD for continuous development.

Key Features:

• Backend-as-a-Service (BaaS) with tools for authentication, storage, API management
• Real-time and offline capabilities via AWS AppSync
• CI/CD support for continuous integration and delivery
• Integration with GitHub, AWS source code, and more

AWS Device Farm

AWS Device Farm is a fully-managed service that allows you to test web and mobile applications across real devices. It enables running tests on multiple devices simultaneously to speed up execution and provides device configuration options like GPS, Wi-Fi, and Bluetooth settings.

Key Features:

• Test apps on real mobile devices and browsers
• Run tests concurrently across multiple devices
• Configure device settings like GPS, language, and Wi-Fi

AWS Backup

AWS Backup is a fully managed service that allows you to automate and centrally manage backups across AWS services. It supports on-demand and scheduled backups, retention policies, and cross-region backup capabilities.

Key Features:

• Fully managed, on-demand and scheduled backups
• Point-in-time recovery (PITR) capabilities
• Cross-region and cross-account backup support

AWS Elastic Disaster Recovery (DRS)

AWS Elastic Disaster Recovery (formerly CloudEndure) provides quick and easy recovery for physical, virtual, and cloud-based servers to AWS. It supports continuous block-level replication for server recovery and is ideal for protecting critical databases and applications.

Key Features:

• Continuous block-level replication for disaster recovery
• Protect critical databases (e.g., Oracle, MySQL) and enterprise applications (e.g., SAP)
• Ideal for protecting data from ransomware attacks

AWS DataSync

AWS DataSync is a service for transferring large amounts of data from on-premises systems to AWS. It supports synchronization with Amazon S3, EFS, and FSx, and provides scheduling for incremental replication after the initial data transfer.

Key Features:

• Move large amounts of data from on-premises to AWS
• Sync data with Amazon S3, EFS, and FSx
• Support for scheduling and incremental replication

AWS Application Discovery Service

AWS Application Discovery Service helps plan migration projects by gathering data about on-premises data centers. It collects server utilization data and maps dependencies for migration planning, using both agentless and agent-based discovery options.

Key Features:

• Collects server utilization and dependency data for migrations
• Agentless and agent-based discovery options
• Integrates with AWS Migration Hub

Well-Architected Framework General Guiding Principles

• Stop guessing capacity needs: Use automated tools and scaling to avoid over-provisioning.
• Test systems at production scale: Simulate real-world load and usage patterns.
• Automate to facilitate architectural experimentation: Make testing and evolving architectures fast and efficient.
• Allow for evolutionary architectures: Continuously adapt to changing requirements and scale as needed.
• Drive architectures using data: Use data-driven decisions for continuous improvement.
• Improve through game days: Simulate high-stress events like flash sales to test system robustness.

AWS Cloud Best Practices - Design Principles

• Scalability: Scale both vertically (bigger servers) and horizontally (more servers) to meet demand.
• Disposable Resources: Ensure that resources (like servers) are disposable, easily replaced, and automatically configured.
• Automation: Utilize serverless, Infrastructure as a Service (IaaS), and auto-scaling to reduce human intervention.
• Loose Coupling: Break monolithic applications into smaller, independent services to avoid cascading failures.
• Services, Not Servers: Use managed services, serverless options, and databases instead of managing EC2 instances yourself.

The 6 Pillars of the AWS Well-Architected Framework

1. Operational Excellence

The ability to run and monitor systems for business value while improving supporting processes and procedures.

• Design Principles: Automate operations, perform frequent, reversible changes, anticipate failure, and learn from all failures.
• Key Focus: Infrastructure as code, documentation automation, frequent refinement of operational processes, and failure anticipation.

2. Security

The ability to protect information, systems, and assets while delivering business value through risk assessments and mitigation strategies.

• Design Principles: Implement centralized identity management, enable traceability, apply security at all layers (network, OS, application), automate security practices, and prepare for security events.
• Key Focus: Strong identity management (IAM), encryption, secure data access, and incident response preparation.

3. Reliability

The ability to recover from disruptions, dynamically acquire resources, and mitigate misconfigurations or transient network issues.

• Design Principles: Test recovery procedures, automatically recover from failures, scale horizontally for availability, and manage change with automation.
• Key Focus: Redundancy, automated failover, horizontal scaling, and capacity management through Auto Scaling.

4. Performance Efficiency

Efficiently using computing resources to meet system requirements while maintaining efficiency as demands change.

• Design Principles: Democratize advanced technologies, go global quickly, use serverless architectures, experiment often, and stay aware of all AWS services.
• Key Focus: Using the right tools and technologies to meet demand, and ensuring systems evolve efficiently with changing workloads.

5. Cost Optimization

The ability to deliver business value at the lowest possible cost while avoiding over-spending on unnecessary resources.

• Design Principles: Pay for what you use, measure efficiency with CloudWatch, stop spending on data center operations, and use managed services to reduce costs.
• Key Focus: Reduce resource wastage, optimize pricing models, and regularly track costs through tags and usage analysis.

6. Sustainability

Minimizing environmental impacts of running cloud workloads through energy-efficient systems and practices.

• Design Principles: Understand your impact on the environment, set sustainability goals, maximize utilization of resources, and automate sustainability best practices.
• Key Focus: Maximize efficiency, reduce energy/resource consumption, and adopt greener technologies.

Summary

The AWS Well-Architected Framework helps businesses build cloud systems that are scalable, secure, reliable, cost-efficient, and sustainable. By following the six pillars—Operational Excellence, Security, Reliability, Performance Efficiency, Cost Optimization, and Sustainability—you can ensure that your applications and workloads are well-architected to meet both current and future demands.