IaaS (Infrastructure as a Service)
Services in this category are the basic building blocks for cloud IT and typically provide you with access to networking features, computers (virtual or on dedicated hardware), and data storage space. (Amazon EC2 is an example.)
PaaS (Platform as a Service)
Services in this category reduce the need for you to manage the underlying infrastructure (like hardware and operating systems) and enable you to focus on the deployment and management of your applications. (Amazon Relational Database Service (RDS) is an example.)
SaaS (Software as a Service)
Services in this category provide you with a completed product that the service provider runs and manages. In most cases, software as a service refers to end-user applications. With a SaaS offering, you do not have to think about how the service is maintained or how the underlying infrastructure is managed. (Amazon’s data warehouse, Redshift, is an example.)
Cloud
A cloud-based application that is fully deployed in the cloud, and all parts of the application run in the cloud.
Hybrid
A hybrid deployment is a way to connect infrastructure and applications between cloud-based resources and existing resources that are not located in the cloud.
On-premises
Deploying resources on the company’s premises, using virtualization and resource management tools. This configuration is sometimes referred to as a “private cloud”.
Resiliency
A system’s ability to continue operating correctly even when it faces disruptions, failures, or unexpected conditions.
Elasticity
The ability of an application to scale resources up and down to meet demand.
Scalability
The ability of an application to continue to increase resources to meet increasing demand.
Fault-tolerance
The ability of an application to continue operating even in the event of a failure (of hardware, power, networking, or even software).
High availability
An application that has a minimum amount of downtime.
AWS Cloud Adoption Framework (AWS CAF)
A tool that identifies the specific organizational capabilities that underpin successful cloud transformations, to help organizations plan their cloud transition.
AWS Identity and Access Management (IAM)
Enables you to manage access to AWS services and resources securely. By using IAM, you can create and manage AWS users and groups. You can use IAM permissions to allow and deny user and group access to AWS resources.
AWS Organizations
Facilitates consolidated billing, supports delegated administration, minimizes the impact of security breaches, and minimizes risk from configuration errors.
AWS Budgets
Enables you to set thresholds and receive alerts when costs or usage approach or exceed those thresholds.
Amazon CloudFront
Amazon’s Content Delivery Network (CDN) for managing the caching of your content (static web pages, videos, images) around the globe to minimize latency for your users.
AWS Cost Explorer
Has an easy-to-use interface that enables you to visualize, understand, and manage your AWS costs and usage over time.
AWS Trusted Advisor
An automated service that analyzes your AWS environment and provides best-practice recommendations. Acts like a "cloud consultant" and gives recommendations to improve your AWS configuration.
AWS Cost and Usage Report
Contains the most comprehensive set of AWS cost and usage data available, including additional metadata about AWS services, pricing, and reservations.
Edge Locations
Physical servers spread around the globe that host the data cached by Amazon CloudFront.
AWS Pricing Calculator
A tool that lets you explore AWS services and create an estimate of the cost of your use cases on AWS.
AWS’ Responsibility – Security of the cloud
AWS operates, manages, and controls the components from the software virtualization layer down to the physical security of the facilities where AWS services operate. AWS is responsible for protecting the infrastructure that runs all the services that are offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run the AWS Cloud services.
Customer’s Responsibility – Security in the cloud
The customer is responsible for the encryption of data at rest and data in transit. The customer should also ensure that the network is configured for security and that security credentials and logins are managed safely. Additionally, the customer is responsible for the configuration of security groups and the configuration of the operating systems that run on the compute instances they launch (including updates and security patches).
Authentication
The process of verifying identity.
Authorization
The process of verifying permissions.
Principle of Least Privilege
Grant users the minimum set of permissions that they require to do their jobs, and grant additional permissions only as necessary. Following the Principle of Least Privilege helps to avoid inadvertent security gaps and limits the damage caused by mistakes.
Encryption of data at Rest
The concept of encrypting stored data (in a database or in files on a disk) so that if the storage is breached, the thief cannot read the data. Configuring encryption at rest is the responsibility of the customer. Encryption key management is provided by AWS KMS.
Encryption of data in Transit
The concept of encrypting data while it is moving across the network, either between internal resources (like an EC2 instance and a database) or between the client and the web server. This encryption protects the data from eavesdroppers during transmission. Typically accomplished via Transport Layer Security (TLS), using AWS Certificate Manager to manage the certificates. (HTTPS is an example of TLS.)
IAM User
A person or application that can authenticate with an AWS account.
• Programmatic access (AWS CLI and SDKs) authenticates with an access key ID and secret access key.
• Console access is by username and password. Enabling MFA is a best practice.
IAM Group
A collection of IAM users that are granted identical authorization. Users can be in multiple groups. Groups do not nest. There are no default groups; a user must be explicitly added to each group they belong to.
IAM Policy
A document that defines which resources can be accessed and the level of access to each resource.
• All permissions are implicitly denied by default.
• If something is explicitly denied, it is never allowed.
Identity Policies
(more common) are attached to users, groups, and/or roles and specify which resources that entity can use (and what operations they can perform with the resource).
Resource Policies
are attached to resources and specify who can use the resource (and what they can do).
IAM Role
A mechanism for granting a set of permissions for making AWS service requests. Useful, for example, for an EC2 instance to assume a role that grants it permission to access a particular S3 bucket. In this way, user credentials don’t need to be stored on the server.
Service Control Policies (SCPs)
AWS Organizations integrates with IAM through service control policies, which can restrict which accounts have access to which services and API actions. SCPs essentially limit the permissions that are available in an account that is part of an organization. SCPs can be assigned to individual accounts or to Organizational Units (OUs), which are the interior nodes of the AWS Organizations tree.
Amazon VPC
Enables you to provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. A VPC is for a single Region and can span multiple Availability Zones.
Subnets
A range of IP addresses that divides a VPC. A subnet belongs to a single Availability Zone.
Largest CIDR block size
/16 (65536 addresses)
Smallest CIDR block size
/28 (16 addresses)
IP Ranges
AWS reserves 5 addresses in each subnet for internal purposes.
Elastic Network Interface (ENI)
A virtual network card for EC2 instances that specifies the IP address(es) for that instance. It can be moved between instances, and an EC2 instance can have multiple ENIs.
Route Table
Specifies the rules for how traffic (data packets) will be routed based on the destination IP address. Each subnet in AWS must be associated with exactly one route table. The route table automatically contains a route for local traffic within the VPC; this route cannot be deleted. You can add additional routes as desired, for example to provide internet access.
Internet Gateway
A bridge for connecting your subnet to the Internet. Subnets are isolated from the internet by default; the Internet Gateway must be explicitly configured.
Network Address Translation (NAT) Gateway
Similar to an internet gateway, but allows only outbound-initiated traffic (responses to those connections can return, while unsolicited inbound connections cannot). Used for private subnets.
VPC Sharing
Typically, a VPC is for one account only. VPC sharing enables customers to share subnets with other AWS accounts in the same AWS Organization.
VPC Peering
A networking connection between two VPCs that allows them to communicate with each other as if they were part of the same network. (A typical use case is connecting different AWS Regions or accounts.)
VPC Endpoints
A private connection between your VPC and an AWS service (or a service hosted in another VPC) that doesn’t require traffic to go over the public internet. Essentially, it allows resources inside your VPC (like EC2 instances) to access AWS services privately. (More restrictive than VPC peering, since access is granted per service or resource rather than to the entire other VPC.)
AWS Site-to-Site VPN
A service that connects your on-premises network (like your company’s data center or office network) to your AWS Virtual Private Cloud (VPC) over an encrypted VPN connection using the public internet.
AWS Direct Connect
An alternative to Site-to-Site VPN that instead uses a dedicated, private network connection between your network and AWS. Can provide faster, more consistent performance than sending traffic across the public internet.
AWS Transit Gateway
A central hub that connects multiple VPCs and on-premises networks in a scalable and simplified way. Think of it as a cloud router for your AWS environment.
Amazon Cognito
Adds user sign-up, sign-in, and access control to your web and mobile applications.
Amazon GuardDuty
A threat-detection service for your AWS account that uses machine learning to continuously monitor for malicious activity and unauthorized behavior.
Amazon Inspector
An automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Automatically assesses applications for exposure, vulnerabilities, and deviations from best practices.
Amazon Macie
A security service that uses machine learning to automatically discover, classify, and protect sensitive data stored in Amazon S3. Recognizes sensitive data such as personally identifiable information (PII) or intellectual property.
Amazon Route 53
Amazon’s Domain Name System (DNS) web service (resolves DNS names to IP addresses).
Amazon VPC
Enables you to provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. A VPC is for a single Region.
AWS Artifact
A service that provides on-demand access to AWS compliance reports and security and privacy documentation.
AWS Certificate Manager
A service that provisions, manages, and automatically renews SSL/TLS certificates to secure your websites and applications.
AWS Config
A service that continuously monitors and records your AWS resource configurations and changes to help with compliance and auditing.
AWS Key Management Service (AWS KMS)
Enables you to create and manage encryption keys, and to control the use of encryption across AWS services and in your applications.
AWS Service Catalog
Enables organizations to create and manage catalogs of IT services that are approved for use. (In this way, you can control which AWS resources your company’s employees have access to; access can also be controlled by Region.)
AWS Shield
A managed distributed denial of service (DDoS) protection service.
Amazon AMI (Amazon Machine Image)
A template used to create an EC2 instance, containing a Windows or Linux operating system and often including some pre-installed software.
Amazon Aurora
Amazon’s cloud-native relational database engine, compatible with MySQL and PostgreSQL.
Amazon DynamoDB
A fast and flexible NoSQL database service for any scale.
Amazon EBS
Amazon Elastic Block Store is storage that works like a hard drive and attaches to a single EC2 instance. Amazon EBS can be used as the boot volume of an EC2 instance.
Amazon EFS
Amazon Elastic File System can be shared by many EC2 instances and feels like a regular file system. Redundant across multiple AZs.
Amazon EC2
Virtual machines that you manage as you choose. You specify the Availability Zone for the host.
Amazon ECS
Amazon Elastic Container Service orchestrates the running of Docker containers.
Amazon EKS
Amazon Elastic Kubernetes Service enables you to run Kubernetes containers on AWS.
AWS Fargate
A serverless compute engine for containers. Provides a way to run containers that reduces the need for you to manage servers or clusters. (With ECS on EC2, you are responsible for building the EC2 servers; with Fargate, AWS runs the servers for you.)
Amazon ECR
Enables you to store, manage, and deploy your Docker containers.
AWS Elastic Beanstalk
An easy way to get web applications up and running. A managed service that automatically handles provisioning, configuration, deployment, load balancing, scaling, and monitoring, among other things. There is no additional charge for Elastic Beanstalk; you pay only for the underlying resources.
AWS Lambda
A serverless compute service that provides built-in fault tolerance and automatic scaling. Enables you to build and run applications and services without provisioning or managing servers.
Amazon RDS
A managed service that sets up and operates a relational database in the cloud. (PaaS)
Amazon Redshift
A fully managed (SaaS), cloud-based data warehouse service that allows you to analyze large volumes of data quickly using SQL and standard business intelligence tools.
Amazon S3
Amazon Simple Storage Service: object storage accessed by web APIs (HTTP). Flat structure. The most durable in comparison to EBS and EFS.
Amazon S3 Glacier
A data archiving service that is designed for security, durability, and extremely low cost.
Amazon CloudWatch
A monitoring and observability service that collects logs, metrics, and events to help you track performance and respond to operational changes.
Amazon EC2 Auto Scaling
Automatically adjusts the number of EC2 instances in response to demand to maintain performance and reduce costs.
AWS Trusted Advisor
An online tool that provides real-time best-practice recommendations to help optimize cost, performance, security, and reliability in your AWS environment.
AWS Well-Architected Framework
A set of best practices, organized into six pillars, that helps you design, build, and optimize secure, reliable, efficient, cost-effective, and sustainable cloud architectures.
AWS Well-Architected Tool
A free service that helps you review your workloads against AWS best practices by guiding you through the Well-Architected Framework, identifying risks, and providing recommended improvements.
Elastic Load Balancing
Automatically distributes incoming application traffic across multiple targets to improve availability and fault tolerance.
Fault Tolerance
The built-in redundancy of an application's components and its ability to remain operational.
Recoverability
The processes, policies, and procedures related to restoring service after a catastrophic event.
Scalability
The ability of an application to accommodate increases in capacity needs without changing design.
Amazon Athena
A serverless, pay-per-query service that lets you analyze data in Amazon S3 using standard SQL without managing any infrastructure.
Amazon ElastiCache
In-memory caching service; speeds up applications by reducing database load.
Amazon EventBridge
A serverless event bus service that lets you route events between AWS services, SaaS apps, and your own applications to build event-driven architectures.
Amazon Kendra
An intelligent enterprise search service that uses machine learning to help organizations index and search across large volumes of structured and unstructured data. It enables users to ask natural-language questions and receive precise answers drawn from documents, databases, and other internal content sources.
Amazon Kinesis
Processes real-time streaming data; used for analytics and monitoring.
Amazon Lex
A service for building conversational interfaces; it powers chatbots.
Amazon Lightsail
A simplified cloud platform that makes it easy to launch virtual servers, databases, and containers with predictable, low-cost pricing.
Amazon Polly
Converts text to speech; used for voice-enabled applications.
Amazon QuickSight
A fully managed business intelligence service that lets you create interactive dashboards and visualizations from your data at any scale.