AWS Private Link
A service that allows users to access AWS services and third-party services securely on the Amazon network without exposing them to the public Internet.
Site to Site VPN
A secure connection that links an on-premises network to an AWS VPC over an IPsec-encrypted tunnel that crosses the public internet. The on-premises side needs a customer gateway (CGW) and the VPC side needs a virtual private gateway (VGW) before the Site-to-Site connection can be established.
Direct Connect (DX)
A dedicated, private network connection from an on-premises data center into AWS, offering more consistent bandwidth and lower latency than internet-based connections. It is a physical link, so provisioning takes about a month; it is more reliable than a typical internet connection and reduces data transfer costs. Traffic on DX is not encrypted by default, so run a Site-to-Site VPN over the connection if encryption in transit is required.
AWS Client VPN
A fully managed solution that lets individual users securely access AWS resources and on-premises networks from anywhere using an OpenVPN-based client. Traffic goes over the public internet, protected by the VPN tunnel.
Transit Gateway
A service that enables you to connect multiple VPCs and on-premises networks through a central hub, simplifying your network architecture and routing policies.
Internet Gateway
Attached at the VPC level (one per VPC); gives resources with public IP addresses a route to and from the internet. A subnet is "public" only when its route table sends 0.0.0.0/0 to the Internet Gateway.
NAT Gateway/Instances
A service that enables instances in a private subnet to connect to the internet or other AWS services while preventing inbound traffic from the internet.
NACL
A network security layer that controls inbound and outbound traffic at the subnet level in a VPC, based on numbered rules defined by the user. It is a stateless firewall: rules are evaluated in ascending number order, the first match wins, and return traffic is not tracked, so the reply leg of a flow (typically on ephemeral ports 1024-65535) needs its own rule.
VPC Peering
A networking connection between two VPCs that enables traffic to be routed between them using private IP addresses without an internet gateway or VPN. Peering is not transitive: peering A-B and B-C does not let A reach C, and the VPC CIDR ranges must not overlap.
Security Groups
Stateful virtual firewalls that operate at the ENI (EC2 instance) level to control inbound and outbound traffic. Rules can only allow traffic (there are no deny rules), and return traffic for an allowed flow is permitted automatically.
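The stateless/stateful distinction between NACLs and security groups is easiest to see by pushing one TCP connection through both. The following is an added example written for this page, not code from the flashcards or from AWS; it models a subset of the documented semantics (numbered NACL rules, first match wins, implicit deny, no connection tracking; security group rules allow-only with connection tracking) using constructed rules and a constructed client address, and makes no AWS API calls.

```python
"""NACL (stateless) vs security group (stateful), modelled in plain Python.

Added example; constructed rules and flows, no AWS calls. The CIDR matching is
deliberately simplified to "0.0.0.0/0" or an exact match.
"""
from dataclasses import dataclass

# Ephemeral port range used by most Linux clients and by the NAT Gateway (per AWS docs).
EPHEMERAL = (1024, 65535)


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = entering the subnet/ENI, "out" = leaving it
    protocol: str    # "tcp" or "udp"
    dst_port: int
    peer_cidr: str   # the remote side of the packet


@dataclass(frozen=True)
class Rule:
    direction: str
    protocol: str
    ports: tuple            # inclusive (low, high)
    cidr: str
    action: str = "allow"   # NACL rules may be "deny"; security group rules are always allow
    number: int = 0         # NACL evaluation order; unused for security groups


def _matches(rule, pkt):
    return (rule.direction == pkt.direction
            and rule.protocol in (pkt.protocol, "all")
            and rule.ports[0] <= pkt.dst_port <= rule.ports[1]
            and rule.cidr in ("0.0.0.0/0", pkt.peer_cidr))


def nacl_decision(rules, pkt):
    """Stateless: the lowest-numbered matching rule wins; no match is the implicit deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, pkt):
            return rule.action
    return "deny"


class SecurityGroup:
    """Stateful: allow-only rules, and the reply leg of an allowed flow passes automatically."""

    def __init__(self, rules):
        self.rules = rules
        self.established = set()   # flows whose first packet was allowed

    def decision(self, pkt, flow):
        if flow in self.established:
            return "allow"         # connection tracking: no outbound rule needed for the reply
        if any(_matches(r, pkt) for r in self.rules):
            self.established.add(flow)
            return "allow"
        return "deny"


def tcp_session(nacl_rules, sg, client_cidr, client_port, server_port):
    """Run the request and reply packets of one TCP connection through a NACL and an SG."""
    flow = (client_cidr, client_port, server_port)
    request = Packet("in", "tcp", server_port, client_cidr)     # client -> server:443
    reply = Packet("out", "tcp", client_port, client_cidr)      # server -> client:ephemeral
    return {
        "nacl": (nacl_decision(nacl_rules, request), nacl_decision(nacl_rules, reply)),
        "security_group": (sg.decision(request, flow), sg.decision(reply, flow)),
    }


# Constructed NACL that allows HTTPS in but forgot the outbound ephemeral-port rule.
NACL_HTTPS_ONLY = [
    Rule("in", "tcp", (443, 443), "0.0.0.0/0", "allow", number=100),
]
# Same NACL with the outbound return-traffic rule added (rule numbers are per direction).
NACL_HTTPS_FIXED = NACL_HTTPS_ONLY + [
    Rule("out", "tcp", EPHEMERAL, "0.0.0.0/0", "allow", number=100),
]


def https_only_sg():
    """Security group with a single inbound 443 rule and no outbound rules."""
    return SecurityGroup([Rule("in", "tcp", (443, 443), "0.0.0.0/0")])


if __name__ == "__main__":
    client = "203.0.113.7/32"   # constructed client address (TEST-NET-3)
    print(tcp_session(NACL_HTTPS_ONLY, https_only_sg(), client, 51515, 443))
    print(tcp_session(NACL_HTTPS_FIXED, https_only_sg(), client, 51515, 443))
```

With the first NACL the request is allowed but the reply is dropped by the implicit deny, while the security group passes both legs on the strength of its one inbound rule; adding the outbound ephemeral rule makes the NACL behave the way the exam questions expect.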
Elastic IPs
Static public IPv4 addresses that can be associated with AWS resources. They can be remapped between instances and give a consistent endpoint. They are billed (and an address that is allocated but not associated with a running instance still costs money), so release ones you no longer need.
AWS Shared Responsibility - AWS Responsibility
Security "of" the cloud: the physical data centers, hardware, servers and networking. For managed services such as S3, DynamoDB and RDS, AWS also operates and patches the underlying software.
AWS Shared Responsibility - Customer Responsibility
Security "in" the cloud: for EC2, management of the guest OS (security patches and updates), firewall and network configuration (security groups, NACLs), IAM (users, roles, permissions), and encryption of application data.
AWS Shared Responsibility - Shared
Shared controls: patch management, configuration management, and awareness and training. AWS handles the infrastructure side of each; the customer handles their guest OS, applications and staff.
RDS
(Relational Database Service) is a managed relational database service that enables users to set up, operate, and scale a relational database in the cloud.
DDOS Attack
A distributed denial-of-service attack is an attempt to disrupt the normal functioning of a targeted server, service, or network by overwhelming it with a flood of internet traffic.
DDOS Protection on AWS
Options: AWS Shield Standard, AWS Shield Advanced, AWS WAF (filter specific requests)
AWS Network Firewall
Protect VPC against network attacks
CloudHSM
Dedicated, single-tenant hardware security modules in which you generate and manage your own encryption keys. AWS manages the hardware; only you have access to the keys.
AWS Certificate Manager (ACM)
Provides in-flight encryption for websites (HTTPS): provision, manage and deploy SSL/TLS certificates, with automatic renewal for ACM-issued certificates.
Secrets Manager
A fully managed service to securely store, manage and retrieve secrets such as database credentials, API keys and other sensitive information. Secrets are encrypted with KMS, can be rotated automatically (rotation can be forced), and access is controlled with fine-grained IAM policies and audited via CloudTrail.
Amazon Inspector
Find software vulnerabilities in EC2, ECR images, and Lambda functions
Shield
Automatic DDoS Protection + 24/7 support for advanced
WAF
Firewall to filter incoming requests based on rules
KMS
Managed service for creating and controlling encryption keys (AWS-managed or customer-managed keys); used by most AWS services for encryption at rest.
Artifact
Get access to AWS compliance reports such as PCI, ISO, etc.
GuardDuty
Find malicious behavior with VPC, DNS & CloudTrail Logs
Config
Track config changes and compliance against rules
Macie
Find sensitive data (ex: PII data) in Amazon S3 buckets
CloudTrail
Track API calls made by users within account
AWS Security Hub
Gather security findings from multiple AWS accounts
Amazon Detective
Find the root cause of security issues or suspicious activities
AWS Abuse
Report AWS resources used for abusive or illegal purposes
Root user Privileges
Change account settings
Close your AWS account
Change or cancel your AWS Support plan
Register as a seller in the Reserved Instance Marketplace
IAM Access Analyzer
Identify which resources are shared externally
Firewall Manager
Manage security rules across an Organization (WAF, Shield)
Amazon Rekognition
Find objects, people, text, scenes, in images and videos using ML
Use cases:
Labeling
Content Moderation
Face Detection/Search/Analysis
Transcribe
Automatically convert speech to text by passing in audio; uses automatic speech recognition (ASR)
can remove personally identifiable information (PII) using redaction
supports multi-lingual audio
Use Cases
transcribe service calls
automate closed captioning
Polly
Turn text into speech, allow you to create applications that talk
Translate
Natural and accurate language translation
Lex
Lex uses the same technology that powers Alexa (automatic speech recognition and natural language understanding)
helps build chatbots, call center bots
Connect
Receive Calls, create contact flows, cloud-based virtual contact center
can integrate with other CRM (customer relationship manager) systems or AWS
Comprehend
For NLP (natural language processing); fully managed and serverless
Use Cases
uses ML to find insights and relationships in text
language detection
key phrase extraction
sentiment analysis (positive vs negative)
SageMaker
Fully managed service for developer/ data scientists to build ML models
typically it is difficult to do the whole ML process (data preparation, training, tuning, deployment) in one place and to provision the servers for it; SageMaker handles both
Kendra
Document search service that can extract answers from within a document; can use data sources such as Amazon S3, Google Drive, MS SharePoint, etc.
Personalize
Build apps with real-time personalized recommendations (used by amazon.com)
Textract
Automatically extracts text, handwriting, and data from scanned documents using AI/ML
AWS Organizations
Allows management of multiple AWS accounts; global service
Cost Benefits (consolidated billing and pricing benefits from aggregated usage, pooling of reserved EC2 instances)
API available to automate account creation
Restrict account privileges using Service Control Policies (SCP)
MultiAccount vs OneAccount Multi VPC (Multi Account Strategies)
Multi-Account Strategy:
Uses separate AWS accounts for different teams, environments (e.g., dev, prod), or business units.
✅ Better isolation, security, billing, and compliance.
🔄 Requires centralized management (e.g., AWS Organizations, Control Tower).
One-Account Multi-VPC Strategy:
Uses a single AWS account with multiple VPCs to separate environments or workloads.
✅ Easier to manage initially, simpler IAM.
⚠ Risk of resource limits, complex networking, and weaker isolation.
Service Control Policies
Allow-list or deny-list IAM actions (applied at the OU [organizational unit] or account level)
Does not apply to the management account (formerly called the master account)
Allows nothing by default, like an IAM policy: an action needs an explicit Allow, and an explicit Deny always wins. SCPs never grant permissions; they set the maximum an account's IAM policies can grant
Doesn't affect service-linked roles (how AWS services themselves interact with each other)
Use cases:
Restrict access to certain services
Enforce PCI compliance by explicitly denying services that are out of scope
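The SCP rules above (explicit Deny wins, an explicit Allow is required, the management account is exempt, and permissions are the intersection of the SCPs at every level from the root down to the account) can be checked against a concrete policy. The following is an added example written for this page, not code from the flashcards or from AWS; it implements a small subset of the IAM policy grammar (Action wildcards and the StringEquals/StringNotEquals condition operators) and evaluates two constructed SCPs: the AWS-managed FullAWSAccess policy and a deny-list SCP that pins EC2 and RDS to eu-west-1 and blocks leaving the organization.

```python
"""Minimal SCP evaluator: explicit Deny > explicit Allow > implicit deny,
intersected across every level of the OU path. Added example, constructed policies."""
import fnmatch

# The AWS-managed SCP that is attached to every root, OU and account by default.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed deny-list SCP: EC2/RDS only in eu-west-1, and accounts may not leave the org.
DENY_OUTSIDE_EU = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": ["ec2:*", "rds:*"],
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1"]}},
        },
        {"Effect": "Deny", "Action": "organizations:LeaveOrganization", "Resource": "*"},
    ],
}

# Constructed allow-list SCP for a locked-down OU: only S3 and CloudWatch Logs.
ALLOW_S3_LOGS_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:*", "logs:*"], "Resource": "*"}],
}


def _listify(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, ctx):
    """Supports only StringEquals / StringNotEquals; enough for region pinning."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, values in pairs.items():
            present = ctx.get(key) in _listify(values)
            if operator == "StringEquals" and not present:
                return False
            if operator == "StringNotEquals" and present:
                return False
    return True


def _statement_matches(stmt, action, ctx):
    # IAM action names are case-insensitive; compare lower-cased with glob wildcards.
    patterns = [p.lower() for p in _listify(stmt["Action"])]
    return (any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)
            and _condition_holds(stmt.get("Condition", {}), ctx))


def scp_verdict(policy, action, ctx):
    """Verdict of a single SCP for one action."""
    effects = {s["Effect"] for s in policy["Statement"] if _statement_matches(s, action, ctx)}
    if "Deny" in effects:
        return "Deny"
    if "Allow" in effects:
        return "Allow"
    return "ImplicitDeny"


def scp_allows(levels, action, ctx, management_account=False):
    """levels: list of SCP lists, one per level on the path root -> OUs -> account.

    An action survives only if, at every level, no SCP denies it and at least one
    SCP allows it. The management account is never restricted by SCPs."""
    if management_account:
        return True
    for policies in levels:
        verdicts = [scp_verdict(p, action, ctx) for p in policies]
        if "Deny" in verdicts or "Allow" not in verdicts:
            return False
    return True


if __name__ == "__main__":
    # Root and account carry the default SCP; the "Prod-EU" OU adds the deny list.
    path = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, DENY_OUTSIDE_EU], [FULL_AWS_ACCESS]]
    for region in ("eu-west-1", "us-east-1"):
        ctx = {"aws:RequestedRegion": region}
        print(region, "ec2:RunInstances ->", scp_allows(path, "ec2:RunInstances", ctx))
```

Note that even with an SCP allowing an action, the principal still needs an IAM policy that grants it: the evaluator answers "could IAM grant this at all?", not "is this caller allowed?".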
AWS Organization - Consolidated Billing
combined usage
one bill
AWS Control Tower
An easy way to set up and govern a secure, compliant multi-account AWS environment based on best practices (built on top of AWS Organizations)
automate set up of env
automate ongoing policy management using guardrails
detect policy violations and remediate them
monitor compliance through an interactive dashboard