AWS (Solutions Architect Associate) by CloudGuru

31 Dec 2019

EC2 (Elastic Compute Cloud)

• pricing:
  • on demand
  • reserved (1yr or 3yrs)
  • spot
  • dedicated
• spot terminated will not be charged if terminated by Amazon
• first launch AMI cannot be encrypted (root can be encrypted later )
• on EBS backed, default action is to terminate and delete the volume
• termination protection by default is OFF
• bootstrap scripts
  • during EC2 instance creation, a bootstrap script can be used to take various action on the instance
• instance metadata
  • curl http://169.254.169.254/latest/meta-data information about this instance
  • curl http://169.254.169.254/latest/user-data information from bootstrap
    • e.g. /local-ipv4 - local IP address
    • or /public-ipv4

EC2 Placement Groups

• only certain types of instances can be launched
• you can’t move an existing instance into a placement group
• clustered
  • within a single AZ, same region, low latency, high throughput
  • cant span multiple AZ
• spread
  • small number of critical instances, independent from each other
  • in same AZ or different AZ
  • for single instances
• partitioned
  • each segment on different partitions, on separate racks/blades
  • multiple instances
  • homogenous (same type) of instances are recommended

EFS - Elastic File System

• similar to EBS, easy and simple way to provision user storage
• automatic growing and shrinking
• we can enable lifecycle management, similar to S3
  • we can move less used to EFS IA (infrequent access)
  • by default, replicated to all AZs in a Region
• we need amazon-efs-utils (e.g. yum install amazon-efs-utils)
• it needs a Security Group for provisioning
  • needs NFS ports opened for it to work
  • supports NFSv4
• pay as you go, up to PetaBytes, supports thousands of concurrent NFS connections
• Read after Write consistency
• can be using encryption in transit or not

EC2 Security Groups

• all changes to SGs take effect immediately
• SG are STATEFUL, all inbound rules are added automatically to outbound rules
• we cannot blacklist a particular port or IP address
• 1 or more SGs can be assigned to an instance
• all inbound traffic (everything) is BLOCKED by default
• all outbound traffic is ALLOWED
• we can have any number of EC2 instances withing a single SG
• we can have multiple SGs to a single EC2 instance
• we can specifically ALLOW rules, but not DENY rules
• NACL are stateless, port or IP address can be blocked in NACLs

EBS (Elastic Block Store)

• persistent block storage
• 5 different flavours:
  1. general purpose SSD (16000 iops) - gp2
  2. provisioned IOPS (64000 iops) SSD io1
  3. throughput HDD (500 iops) st1
  4. Cold HDD (250 iops) sc1
  5. EBS Magnetic - standard
     • max size is 16TB
• ebs volume ALWAYS on same AZ as the ec2 instance
• copy AMI to a different region by using snapshots
• additional volumes will continue to persist on termination, root volume will be terminated
• snapshots exist on S3, and are INCREMENTAL
• AMIs can be created from both volumes and snapshots
• you can stop instances to create a consistent snapshot
• you can change volume types on the fly
• AMI based on Region / OS / Arch / Launch Permissions / Storage for root device: Instance Store (ephemeral) / EBS Backed Volumes
  • EBS - from an EBS snapshot
  • Instance Store - root device created from template stored in S3
    • can be added only before startup of the AMI
    • sometimes called ephermeral storage
    • if instance is stopped, all data is lost
• EBS backed instance will not lose data on stop
• by default, both root volumes will be deleted on termination - for EBS backed the default can be changed (termination protection)

Encrypted Root Device volumes and snapshots

• an ec2 instance can be started with an encrypted root volume (new)
• to encrypt a volume - take a snapshot of the volume, copy the volume and select ENCRYPT, next create an IMAGE out of the encrypted snapshot -> that can be launched as an encrypted AMI
  • this cannot be launched as an unencrypted volume
  • snapshots of this will be encrypted automatically
  • volumes restored from encrypted snapshots are encrypted

CloudWatch

• monitors performance
• we can create Dashboards, can be global as well as regional
• we can create Alarms
• we can configure Events to respond to state changes
• logs - to store, monitor and aggregate performance data
• CloudTrail monitors API calls - it’s more about auditing than performance
• Standard monitoring is at 5 minute intervals by default (can be set to 1 minute, for Detailed Monitoring)
• monitor service to check resources from AWS
  • host level metrics, CPU, network, disk, status
  • as well as applications

AWS CLI

• you need to setup access in IAM (Identity and Access Management)
• aws configure
• aws s3 ls - list all buckets
• to provision ec2 or aws resources

Region > AZ

• 19 regions & 57 AZs
• AZ (availability zone) think of it as a DataCenter
• Region: a geographical area, made up of 2 or more AZ
• Edge location: endpoints for caching content, used by CloudFront (CDN), ~ 150 edge locations currently
• 4 levels of support, 3 paid, TAM only on Enterprise level support

Identity Access Management (IAM)

• manage users and level of access to the console
• shared access, granular permissions, Identity Federation
• MFA, password rotation policy
• temporary access for users, if necessary
• PCI DSS compliance
• key terms: Users, Groups, Policies (made from polici documents, JSON), Roles
• custom sign in domain
• IAM settings are all global, does not apply to regions
• best practice is to not directly use root account/”god mode”
• roles - allow one service to use another service e.g. EC2 instance can use S3
• new users have NO permissions when created
  • key and secret ID assigned for programmatic access
  • user/password for console access, different than keys mentioned above
  • only visible once, make sure not to loose them
• always setup MFA on your root account
• password policies and rotation can be configured
• policies can be AWS or customer-managed
• CloudWatch can manage/create billing alarms
• SAML can give you federated SSO to AWS

IAM Roles

• ec2 instance -> Attach/Replace IAM Role
• roles are more secure than just storing your access key + secret access key
• roles are easier to manage
• can be assigned after the instance is created and are GLOBAL (universal)

S3 - Simple Storage Service

• read S3 FAQ before exam
• object based storage, unlimited in size
• 0 bytes to 5TB, stored in buckets
• example URL https://s3-eu-west-1.amazonaws.com/
• buckets must be unique globally (universal name), http200 when upload ok
  • an S3 object has: key (name), value (file data), versionId, metadata, and Subresources
    • ACL , torrent
  • Consistency types for S3 objects
    • read after write consistency for PUTs
    • eventual consistency for overwrite PUTs and DELETEs
• MFA delete protection can be set up
• built for 4 9s availability, guaranteed 3 9s; 11 9s durability
• charges: Storage, Requests, Storage Mgmt, Data transfer, Transfer Acceleration (CloudFront edge locations), Cross region replication
• storage classes (tiers)
  • S3 standard - can sustain loss of 2 facilities
  • S3 Infrequent Access (IA)
    • min 128KB size charged
    • objects stored for at least 30 days
  • S3 One Zone IA (reduced redundancy storage)
  • S3 Intelligent Tiering
  • S3 Glacier - for data archiving
    • 3 retrieval speeds: expedited (1-5 mins), std (3-5hrs), bulk (5-12hrs)
    • 90 days minimum
    • extra 8kb + 32kb metadata
    • bytes restored are relevant
  • S3 Glacier Deep Archive - 12hrs retrieval time
    • 180 days
    • std 12hrs, bulk 48hrs
    • bytes restored are relevant
• Control to buckets can be set using bucket policies
• by default all new buckets are private
• S3 buckets can be configured to store access logs from S3 buckets access
• ACL are at object level
• encryption levels: -
  • in transit (HTTPS),
  • at rest (server side)
    • S3 managed keys SSE S3
    • AWS KMS (Key Mgmt Service) SSE KMS
    • server side with client keys SSE C
• Version Control
  • stores all versions, including writes
  • once you enable it, can only be suspended
  • integrates with Lifecycle rules
  • integrates with MFA Delete
• S3 lifecycle rules
  • can be used in conjuction with versioning, and applied to current and previous versions
  • automate transitions to different tiers of storage
  • transition and expiration to XX from YY after number of days
• Cross Region Replication
  • can be used only when versioning is enabled, on both source and replication buckets
  • the replicated S3 can be in a different tier
  • only changes after enabling CRR are visible in the replicated bucket
    • files in existing bucket are not replicated automatically, all subsequent updates are recorded
  • won’t replicate delete markers nor deletes of individual versions
• Transfer Acceleration
  • upload directly to Edge Location which in turn uploads to S3

CostExplorer

• forecasting, 3 months
• last 13 months
• recommendations / trends

CloudFront

• it is a global service - CDN
• Edge Location - location where content will be cached - not an AZ nor Region
• Origin: ec2, elb, s3, route53 - origin of files distributed towards cdn
• Distribution (name of CDN): collection of edge locations, name given to the CDN; it can have 2 types
  • Web - use for websites
  • RTMP for streaming / Adobe something
• edge location can be written to (see transfer acceleration)
• objects are cached for TTL (time to leave), can be invalidated - you will be charged
• access can be restricted using sign URLs or cookies
• in a Distribution we can add Invalidations in case we want to no longer cache certain content/files/file types

Snowball

• PB-scale data transfer 50 80TB
• Snowball edge 100TB
• Import and Export large amounts of data to S3

Storage Gateway

• connects an on-premise software appliance with AWS storage infra
• virtual (VMWare or Hyper-V) or physical device as a Storage Gateway
• 3 types :
  • File Gateway (NFS, SMB) -> flat files, S3
  • Volume Gateway (iSCSI) -> EBS snapshots to S3
    • Stored Volumes -> store your primary data locally (on site)
    • Cached Volumes -> minimize the need of your local storage, only actively used data is stored -> stores data to S3
  • Tape Gateway - Virtual Tape Library -> archive data to cloud, virtual tapes to S3; directly to Glacier or Deep

Databases

Amazon RDS - Relational Database Services

• SQL Server, PostgreSQL, Oracle, MariaDB, MySQL, Aurora (all OLTP)
• Multi AZ for Disaster Recovery (auto failover)
• Read Replicas for Performance (no auto failover) - up to 5 copies
• RDS runs on virtual machines, but you cannot ssh into those
• RDS is not serverless (with exception of Aurora Serverless)
• can’t SSH / RDP into the systems; patching and upgrades handled by Amazon

Backups

• Automated backups (between 1 - 35 days)
  • point in time recovery, down to second
  • free storage space equal to your database
• Database Snapshots are manually / user intiated
• restored version is a new RDS instance, with a new DNS record

• encryption at rest is done using KMS, supported for all DB types: backups, snapshots and read replicas

• Multi-AZ - synchronous replication - same database in an extra AZ
  • automatic failover
  • for DR ONLY, not for PERFORMANCE
  • to switch AZ, we can reboot with failover
• Read-replicas are used for PERFORMANCE
  • SQL Server does NOT support currently read-replicas
  • we can have chained-read-replicas (read replicas of read replicas), watch out for LATENCY
  • read-only from primary RDS instance, async replication
  • read-heavy workloads are benefiting from read-replicas
  • up to 5 read replicas copies
  • automatic backups need to be enabled to use read-replicas
  • can be promoted to primary DB/master, no longer a read-replica
  • extra replica can be set up in a second region
  • read replica can be in any region

DynamoDB

• tailored for OLTP (OnLine Transactional Processing)
• NoSQL database service, single millisecond latency
• stored on SSD storage,
• across 3 geographically distinct data centers
• eventual consistent reads (best read performance, no reads within 1 sec) vs strongly consistent reads (1 sec requirement)

Amazon RedShift

• data warehousing, business intelligence, OLAP
• single node (160GB) or multi-node (leader node + compute nodes - 128 max)
• using column compression
• Massive Parallel Processing (MPP) - distributes data and query across nodes
• default backups of 1 day retention period, max 35 days, default ON
• at least 3 copies of your data: original, backup in S3, copies on compute node
• billing for compute nodes, not for the leader nodes
• encrypted in transit (SSL) and at rest
• only 1AZ availability
• can do async replication to S3 for DR, in another region

Amazon Aurora

• 10GB to 64TB, 10GB increments
• 2 copies of your data in each AZ, minimum of 3AZs (6 copies)
• can share Aurora snapshots with other AWS accounts
• can handle the loss of 2 copies without affecting database write availability
  • 3 copies loss without affecting read availability
• aurora and/or mysql replicas
  • automated failover only on aurora replicas
• up to 5x MySQL performance
• up to 15 replicas (vs 5 for MySQL)
• automated backups always enabled, do not impact performance, ON by default
• migration from mysql to aurora, then promoting it to primary instance
  • take snapshot from aurora, then restore snapshot

ElastiCache

• web service to deploy, operate and scale in-memory caches
• increase db and web application performance
• in memory caches
  • memcached
    • can scale horizontally + multi-threaded performance
  • Redis
    • data types, sorting data sets, pub/sub, persistence, multi-AZ, backup & restore

Security, Identity & Compliance

Network & Content Delivery

Route53

• DNS
• ELB do not have IPv4 addresses, you resolve them using a DNS name
• registrars - authority that can assign domain names
• SOA (start of authority) record - name of the server, administrator, TTL, current version
• NS (name server) - direct traffic to content server
• DNS records
  • A record (address)
  • CName (canonical name) - used to resolve one domain name to another
  • Alias record - similar to CName, but can’t be used for naked domain name (zone apex record) - always choose if selecting between Alias record or CName
  • TTL - length that a DNS record is cached, lower faster that changes take place
  • MX record - for emaul
• PTR record, reverse of A record
• understand difference between Alias Record and CName
• you can buy domain names directly from AWS
  • up to 3 days to register, depending on circumstances
• Routing policies:
  • simple
    • Create Record Set
    • 1 record with multiple IP addresses, in RANDOM order
  • weighted
    • 10% to us-east-1, 90% to us-west-1; weight into different areas
    • 1 record set per IP
    • we can configure Health Checks for the Route53 DNS redirects
      • on individual record sets; SNS notifications are possible
  • latency-based policy
    • based on lowest network latency for your end user
    • Route53 will choose the link with the lowest latency
  • failover
    • using an active/passive setup
    • on failure, active switches to the alternative route (passive)
    • we want to associate it with a health check (at least the primary site)
  • geolocation routing policy
    • lets you choose traffic redirect depending on the geographic location of your users
    • different than latency based routing
    • Location can be done by country or continent
  • geoproximity (traffic flow only) - not in exam scope
    • based on geo location of your users and your resources
    • bias value can be adjusted, need to use Route53 Traffic Flow
      • Traffic policies must be created
  • multivalue answer policy
    • still need to create one entry per route
    • similar to simple routing, allows to check each resource, so it will return only healthy routes based on health checks

VPC (Virtual Private Cloud)

• think of it as a logical data center in AWS:
  • Network Gateways
  • Routing tables
  • NACL - stateless
  • Security Groups - stateful
• NO TRANSITIVE PEERING
• assign custom IP address ranges
• Default VPC
  • default VPC is user friendly, you can immediately deploy instances
  • all subnets in default VPC have a route out to internet
  • each EC2 instance has a public and private IP address
  • 1 subnet is always = 1 AZ
    • there can be multiple subnets in the same AZ
• Custom VPC
  • no transitive peering
  • you can peer between Regions
• you can have by default 5 VPCs / region
• us-east-1a / 1b / 1c are randomized, so there is better traffic balancing
• Bastion box / jump box - securely administer ec2 instances
• NAT Gateway or NAT Instance is used to provide internet traffic to ec2 instances
  • a NAT gateway cannot be used as a Bastion host
• Direct Connect
  • cloud service that helps you connect between office/DC/collo and AWS
  • useful for high throughput workloads or need a reliable secure connection
• VPC Endpoint
  • Interface Endpoints
  • Gateway Endpoints: supports S3 and DynamoDB only
• privately connect your VPC to your AWS services
• traffic between VPC and the other Amazon service does not leave the AWS network
• horizontally scalable
• attach ENI (Elastic Network Interface) to EC2 instance, and then we can talk directly to - AWS services
• Internet gateway - allows our VPC to talk to the internet

  VPC

  • creation: name; IPv4 CIDR block; IPv6 CIDR is supported and optional
  • by default it does not create any subnets or internet gateway
    • subnets need to be created if we want to use our newly created VPC
      • ** 1 subnet in 1 AZ, ALWAYS **
      • AZ names are randomized
      • 5 IP addresses are reserved, only from /16 to /28
      • we need to select Auto assign IP address, in order to be able to create ec2 instances
    • Sec Groups cannot span VPCs
    • igw (internet gateway) can be created, it needs to be attached to VPC 1-to-1
      • HA for igw enabled through the design
    • a subnet needs to be associated to route table
  • it creates a Security Group, NACL, and Route Table
• NAT Instances vs NAT Gateway
  • NAT instance - phasing out - single ec2 instance
    • send/receive traffic when a source / dest is not itself; acting as a gateway
    • we need to disable source and destination check
    • must be in a public subnet, behind a SecGroup
    • single instance, single point of failure, must be in a public subnet, and a route out from public subnet
    • HA can be implemented, but more complex setup
    • always behind a Security Group
  • NAT Gateway
    • elastic IP, redundant inside AZ
    • 1 NAT GW inside 1 AZ, start at 5gbps up to 45gbps
    • no SG associations, no need to patch, auto assigned IP address
    • route needs to be added for both instance types
    • for resources in multiple AZ sharing a single AZ, resources in other AZ lose internet access in case NAT GW / AZ is down; we need to configure routing with multi-AZ to address this
    • it needs a route out to the Internet
• Network ACLs
• always evaluated before the Security Groups
• there is a default NetworkACL in your VPC; a subnet can only be associated with 1 NACL
  • default allows all in and out
  • NACL can have multiple subnets inside
• on creation, default setting is DENY ALL in and out traffic
• read all links from the Resources
• they are evaluated in shown order, DENY should be before ALLOW
  • each rule can ALLOW or DENY traffic
• each subnet in your VPC must be associated with a NACL
  • if not explicitly associated, subnet is assoc with default ACL which allows everything
• blocking IP addresses is done using NACLs not Security Groups
• 1 subnet associated with 1 NACL; previous are removed
• lowest number rule is evaluated first
• ARE STATELESS; both inbound and outbound rules need to be defined
• VPC Flow Logs
  • capturing traffic: can log All, or Accepted traffic, or Rejected traffic
    • can be stored to CloudWatch logs or to S3 bucket
  • you cannot enable flow logs for VPCs that are peered with your VPC, unless same account
  • you cannot tag a flow log
  • after creating a flow log, you cannot change (can’t associate different IAM)
  • DNS traffic won’t be monitored
  • traffic to 169.254.169.254 won’t be monitored;
    • traffic for windows license activation wont be monitored
    • traffic to reserved IP addresses wont be monitored
    • DHCP traffic not monitored
  • at VPC level, at subnet level, at network level
  • storing network traffic

ELB (Elastic Load Balancers)

• many questions for the exam - never IP address, only using DNS name
• 3 types:
  • ALB (Application Load Balancer) intelligent, HTTP/HTTPS - Layer 7
    • route to Target Group
    • more intelligent than Classic LB
  • NLB (Network Load Balancer) TCP - Layer 4 - performance is paramount
    • highest performance
  • Classic Load Balancer: L7 or L4, currently being deprecated
    • simple routing, cheapest
    • ping protocol, port, path, intervals, timeout, threshold
• ALB - can be internal or external
• NLB - millions requests / second
• instances monitored by ELB can be InService or OutofService
• LB have their own DNS name, you never get an IP address
• when provisioning a LB, we need at least 2 PUBLIC SUBNETS
• Target Group -
• 504 (gateway timeout) application has timed out, need to troubleshoot application as app / database layers are not responding
• to get IPv4 of users look for X-Forwarded-For header
• state of instance is InService or OutofService
• 10 questions in exam, read ELB FAQ for Exam

  Advanced Load Balancer

• Sticky Sessions for ALB and Classic LB, for ALB requests per Target Group
  • all traffic sent to single node out of many
• Cross Zone Load Balancing - us-east-1a 4 hosts / us-east-1b 1 host -> 20% / host
  • balance traffic across multiple AZ
• Path Patterns - traffic can be sent to a different AZ, depending on URL path of request (e.g. /images/ )

  Auto-Scaling Groups

  High Availability architecture

• always design for failure
• use multiple AZ and multiple Regions
  • multi-AZ for DR for RDS, read-replicas for performance for RDS
• read the questions carefully!
• know the difference between different S3 storage classes
• HA app
  • s3 - create distribution - 2 buckets
  • rds w/ multi-az
  • ec2 instance running wordpress
• CloudFront data can take up to 10 minutes to have all propagated
• RDS: failover from 1 AZ to another, option in RDS -> reboot with failover
• ALB need to be deleted before our Target Groups
• CloudFormation <- Management and Governance
  • select/create a template; a template can be read from S3
  • AWS Quick Starts are available for lots of advanced CloudFormation apps/tools prepared by solution architects
  • Delete stack
  • completely scripting your cloud environment
• Elastic Beanstalk
  • create an environment + uplod your code => ready!
    • create app / Security Groups / S3 buckets / ….
    • grow your infrastructure, input is only code (type), e.g. PHP for WordPress
  • you can use autoscaling with Elastic Beanstalk
  • quickly deploy and manage apps in AWS

    Applications

    SQS (Simple Queue Service)

• pull based, NOT push based
• 2 types:
  • Standard queues - practically unlimited number of transactions per second
    • more than 1 copy might be delivered
    • can be out of order
  • FIFO - up to 300 msg/s
    • always in order
    • exactly once delivered
    • support message groups
• 256KB in size
• guarantees that messages are processed at least once
• visibility timeout - how long they’re invisible after a reader picks up a message; max 12hrs
• long polling doesn’t return a response until a message arrives, or a long timeout occurs
• retention period of 14 days
• message oriented API

  SFW (Simple WorkFlow Service)

• way of coordinating apps as well as manual processes
• task assigned only once, never duplicated
• when there’s a human element, the SWF is preferred over SQS
• task oriented API
• workflow starters, deciders or activity workers - it’s SWF

  SNS (Simple Notification Service)

• push notifications, instantaneous; push based
  • can deliver notifications by email, to SQS, or to any HTTP endpoint
  • you can group multiple recipients using topics
• all messages are stored redundantly across multiple AZ
• set up, operate, and send notifications from the cloud
• publish messages from an app
• flexible message delivery over multiple transport protocols

  Elastic Transcoder

• media transcoder in the cloud
• transcoding presets for popular output formats
• pay based on minutes of transcoded media and resolution
• S3 bucket -> Lambda function -> Elastic Transcoder -> S3 bucket

  API Gateway (a lot in exam)

• managed service, easy for developers to publish, maintain, monitor and secure APIs
• API that acts as a “front door” for apps running in EC2, Lambda, …
• expose https endpoints to define a RESTful API
• track & control usage / throttle / CloudWatch
• caching can be enabled to increase performance to cache your endpoint response; a TTL is defined in SECONDS
• CORS (Cross Origin Resource Sharing) restricted resources can be requested from another domain (e.g. fonts from Google)
  • HTTP OPTIONS for url -> these domains are approved for GET or ERROR CORS needs enabling
  • CORS is enforced by client (browser)
• scales automatically and is low cost
• you can throttle API GW to prevent attacks

  Kinesis

  Streaming Data is generated continuously by many sources, and usually small sizes (social network data, purchases, geo data, game data, stock prices, IoT data) Kinesis is a platform to send your streaming data

  1. Kinesis Streams
  • data has persistence
  • 24 hours storage by default (max 7 days)
  • data is stored in shards; 5 tps per reads; 1000 records per second writes
  • data can be analyzed by “Consumers” using EC2 instances; which in turn can save it to DynamoDB / S3 / EMR / RedShift 2. Kinesis Firehose
  • there is no persistent storage
  • data comes in, triggers lambda function -> outputs it somewhere 3. Kinesis Analytics
  • works for Streams and Firehose and analyzes data

    Web Identity Federation - Cognito

• give users access to AWS resources after auth on Facebook/Google/Amazon
• Cognito is a web identity federation service
  • access for guest users
  • acts as Identity Broker between your app and web id providers, no need to write your own code
  • recommended for mobile apps for AWS
  • brokers between app and AWS
• User Pools - sign up / sign in for mobile and web
  • JSON Web Token (JWT) - converted from a Token coming in from Google/Facebook
  • email address (example)
  • user auth / registration
• Identity Pools
  • granting the actual access to an AWS resource
  • authorizes access to AWS resources
• tracks association from user identity and various devices

Serverless

Lambda

• event-driven compute, for example changes to S3 or DynamoDB
• compute service to run code in response to HTTP request using API Gateway
• one lambda function can trigger another lambda function
• API GW -> Lambda -> DynamoDB or Aurora Serverless
• languages: Go, Java, Python, node, C#, PowerShell
• priced per requests and per duration, 100ms rounding
• continuous scaling, scaling out - NOT UP
• lambda functions are independent 1 event = 1 function
• AWS Xray allows debugging with lambda, as architectures can get very complicated
• different lambda triggers

• RDS is not serverless, except Aurora Serverless

ToDo:

• CloudFront distribution
• RDS
• EC2 + NATGW + IGW
• placement groups

---

2017

Compute

EC2 - Elastic Compute Cloud

EFS - Elastic File Storage - block based storage

Storage Gateway -

Storage

S3 - Simple Storage System

• object based storage

  Glacier - archiving solution

Database

RDS - Relational Database Service

DynamoDB - NoSQL database

Redshift - data warehousing

VPC - Virtual Private Cloud

Analytics

EMR

Kinesis

Cloud Search

Elastic Search

Networking

Route 53 - DNS service

CloudFront - CDN

Direct Connect - connecting directly to AWS

Lambda - (not for exam)

• code will respond to events

Security & Identity

IAM

Certificate Mgr

Directory Service

Mgmt tools

Cloud Watch

Cloud Formation

Cloud Trail - auditing

Opsworks - Chef

Trusted Advisor

• automated environment scan

Messaging

SNS - Simple Notification Service

SQS - Simple Queuing Service

SES - Simple Email Service

Migration

Snowball - send your drives to AMZN

DMS - DB migration Service

AWS

• Region is geographical area, each Region has at least 2 AZ (Availability Zones - can be considered a data center)
• Edge Locations are CDN end points for CloudFront

General information

• AWS 90% yoy growth, 15bln revenue for 2016 (approx)
• CS Arch Associate Exam covers: Messaging, Desktop (high level), Security & Identity, Network, Storage, Database, Mgmt tools, Compute
• Voice/ AI/ Machine Learning
  • Polly text to speech