AWS Features & Benefits:

• Global availability is a feature of AWS which will support an international company to provide low latency to customers
• AWS feature reducing the TCO (total cost of ownership)
• Reduce TCO total code of ownership & OPEX operational expenditure
• Reduced need for manual intervention & increased efficiency
• Ability to focus on revenue-generating activities;
• Transitioning to a fully variable expense model from a capital expense-heavy model;
• Elasticity & Agility; the most celebrated benefit is Elasticity since we can expand services as traffic grows;
• Concept of elasticity:
  • The ability to adjust resource allocation in response to changing demand.
  • The speed at which additional resources are made available on demand.
  • Elasticity
• Increase speed and agility
• Stop guessing about capacity
• AWS performs infrastructure discovery scans on the customer's behalf.
• Making AWS cost effective for workload with dynamic user demand
• AWS shorten the time to provision IT resources by ?? programmatically provision existing resources.
• Automatically Adjust the required resources based on demand changes.
• AWS Cloud feature - agility:
• Agility - "Quickly" deliver new functionality in an iterative manner minimizing the time to market an example of AWS agility is decreased acquisition time for new compute resources;
  ability to scale up & down during peek times;
  The rapid deployment of AWS services and resources
• Massive economies of scale - pay-as-you-go prices is offered as a benefit of AWS Cloud
• 6 Advantages of Cloud Computing
• Cloud Computing - overview
• Compute, Storage, and data transfer out of the AWS Cloud are the 3 pricing fundamentals of the AWS Cloud.
• Capacity is unlimited in the cloud, you do not need to worry about it. The 4 points of considerations when choosing an AWS Region are: compliance with data governance and legal requirements, proximity to customers, available services and features within a Region, and pricing.
• Pay-as-you-go pricing - pay only upon usage;
• AWS helps users focus on business value by increasing speed and agility through automatic scaling and deployment capabilities.

AWS Config

• Assess; audit & evaluate configurations resources.
• Amazon Config
• Config is good to "Audit" change management of AWS resources
• Tracking configuration changes
• AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources.
• Record configurations and changes over time

Auto Scaling - enables compute capacity to adjust as loads change

Cloud - is a deployment models that enables customers to fully trade their CApital IT EXpenses for OPerational EXpenses

EC2 Auto Scaling

Application Load Balancer

• groups help achieve high availability for a web
• Load balancing - distributing load.

EC2 Auto Scaling

• app by automagically adding or replace instances across multiple Availability Zones. ASGs add & removed instances based on Demand. * can be used to run a "customer-managed relational database"; - ensures that your app on EC2 always has the right amount of capacity to handle the current traffic demand
• EC2 Auto Scaling
• EC2 Instance Store has a better I/O performance, but data is lost if: the EC2 instance is stopped or terminated, or when the underlying disk drive fails.
• An Auto Scaling Group (ASG) can automatically and quickly scale-in and scale-out to match the changing load on your applications and websites.
• Auto Scaling Groups (ASG) offers easy horizontal scaling of compute capacity && offers the capacity to scale-out and scale-in by adding or removing instances based on demand.
• Auto Scaling Groups can add or remove instances, but from the same type. They cannot change the EC2 Instances Types on the fly.

AMI - Amazon Machine Image

• EC2 to launch a pre-configured EC2
• AMIs Amazon Machine Images
• Select a pre-configured templated AMI Amazon Machine Image
• We must use AMI from the same region as EC2;
• The region of AMI has no bearing on the performance of EC2;
• An Amazon Machine Image (AMI) provides the information required to launch an instance.

AWS Trusted Advisor

• AWS Trusted Advisor
  • optimizes costs
  • improve performance
  • address security gaps
• AWS Trusted Advisor
• AWS Trusted Advisor monitors & provides advises on
  • Compliance w/ security best practices
  • Cost optimization
• Trusted Advisor will identify if unrestricted access to a resource has been allowed by a "Security Group"
• AWS Trusted Advisor can be run & review the findings with will Determine if any security groups in AWS have been provisioned to allow unrestricted access for specific ports by Ex. 2 categories: Instance Usage & Performance
• Use Trusted Advisor if a Security officer wants a list of any potential vulnerabilities in EC2
• AWS Trusted Advisor is an online tool that provides you real-time guidance to help you provision your resources following AWS best practices on cost optimization, security, fault tolerance, service limits and performance improvement.
• A highly available workload in AWS with a disaster recovery plan in case of a regional service interruption:
  run on 2 Availability Zones in one region & using another region for disaster recovery.
• Trusted Advisor can help us analyze your infrastructure to identify unattached or underutilized Amazon EBS Elastic Volumes
• Trusted Advisor provides recommendations that helps us reduce costs;
• AWS Trusted Advisor inspects AWS environment and makes recommendations to help you save money, improve system performance, and close security gaps. Trusted Advisor provides real-time insight into your usage patterns, configurations, and resources, then compares it to AWS best practices

Regions & Availability Zones

• Expanding into another region; We create resources in a new region;
• Great white paper: AWS Regions and Availability Zones
• Availability Zones are interconnected with a region for low latency;
• AWS availability zones are one or more discrete data centers;
• a minimum of 2 zones must be provisioned to achieve high availability
• AWS Regions are separate geographic areas. They are an example of global infrastructure ex. when choosing AWS region take into consideration: reduced latency to users (important for UX) & Data sovereignty compliance
• What are the advantages of deploying an application with Amazon EC2 instances in multiple Availability Zones?
  • increasing the availability of the app
  • preventing a single point of failure

AWS Well architected framework - change management steps to achieve reliability:
AWS Certificate Manager ACM is a service manages SSL/TLS. AWS Certificate Manager is a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources.

Architecture Design Principles:

• Automatically recover from failure: By monitoring a workload for key performance indicators (KPIs), you can run automation when a threshold is breached.
• * use fault-tolerant services; * use EBS elastic block store snapshots; * auto-scaling for auto-recovery * example of design for failure: distributing workloads across multiple availability zones
• * design for scalability - Design for failure principle |
• Implement loose coupling - between services can also be done by asynchronous integration.
• AWS Design principles
• * ex. - using many instances in parallel is a good approach to transcoding a large number of video files.
• Design principles to improve operational workloads:
  • loose coupling
  • disposable resources
• use multiple availability zones
• Multi-site active-active is the DR disaster recovery which offers the lowest probability of down time; aka hot standby

Implement Elasticity principle

Internet Gateway - is an allows inbound traffic from internet to access a VPC;

AWS Acceptable Use Policy - AUP - policy describes prohibited uses of the web services offered by AWS

AWS Partner Solutions (formerly Quick Starts) - quickly deploy a popular tech on AWS

• AWS Partner Solutions are automated reference deployments built by Amazon Web Services (AWS) solutions architects and AWS Partners.
• AWS Partner Solutions - Startups

The AWS Well-Architected Framework is based on six pillars

• Operational Excellence - includes the ability to run and monitor systems to deliver business value and to continually improve supporting processes and procedures.
  pillar of the AWS Well-Architected Framework recommends maintaining infrastructure as code (IaC)
  Adopt serverless architecture whenever possible
• Security - focuses on protecting information & systems
  Implement the principle of least privilege to all AWS resources
  applying best practices around the protection
• Reliability - focuses on workloads performing their intended functions and how to recover quickly from failure to meet demands.
  Scale horizontally to increase aggregate workload availability.
  Ability to recover from failure automatically.
  Horizontal scaling is another important aspect of the Reliability Pillar. AWS offers elastic scaling capabilities that allow applications to scale horizontally by adding more instances to distribute the workload.
  AWS Reliability Pillar
• Performance Efficiency - focuses on using IT and computing resources efficiently
  provides guidance on selecting appropriate compute resources based on workload needs
  ensures the right selection of resource types and optimized sizes for workload requirements
  Use the right type and size of resources for your workload. By using the correct type and size of resources, the system can achieve optimal performance and reduce unnecessary costs.
  Using serverless architectures is a key design principle recommended by AWS for achieving performance efficiency
• Cost Optimization - focuses on avoiding un-needed costs. The Cost Optimization pillar focuses on achieving the lowest cost of operation for a system and reducing cost through effective resource management, matching supply with demand and optimizing over time.
• Sustainability - focuses on minimizing the "environmental" impacts of running cloud workloads.

APN Consulting Partner - is the global partner program for technology and consulting businesses that leverage Amazon Web Services to build solutions and services for customers

• Good for get expert professional advice on migrating to AWS and managing their applications on AWS Cloud
• AWS Partners Network
• Service to help identify the right solution we need when a company wants to migrate infrastructure to the AWS cloud

AWS Cloud Adoption Framework (AWS CAF)

• Governance is key functionality of CAF
• Cloud fluency capability is identified under the People Perspective for organizational adaptation to cloud technology
• Roles: CTO & Engineer
• AWS Cloud Adoption Framework (AWS CAF)
• Benefits management is a capability from AWS CAF governance perspective is required to define and track business outcomes during a cloud transformation journey
• Data architecture is capability is included in the platform perspective of CAF

VPC Peering Connection - optimal way of privately sharing data between the two VPCs

• What is VPC Peering
• VPC Peering connection is a networking connection between two VPCs using AWS' network.
• AWS Site-to-Site VPN creates an encrypted connection between on-prem & aws

Amazon VPC

• Control traffic to your AWS resources using security group
• An NACL contains both allowed and denied rules.
• A Security Group has only allowed rules.
• Have complete control over the virtual networking environment.
• Can configure network ACL that acts as a firewall for controlling traffic.

"6 R's" migration strategy in AWS

• Refactor, Rehost, Repurchase, Retain, Retire, and Rebuild
• not one of the 6 R's: Reiterate; Retry & Replicate
• Refactor - enhance the scalability of its legacy application by breaking it into smaller

Cloud fluency

• In AWS Cloud Adoption Framework (CAF), cloud fluency is identified under the People Perspective for organizational adaptation to cloud technology
• Cloud fluency emphasizes the importance of education and knowledge across the organization about cloud technologies and AWS services. Ensuring that staff are cloud-fluent means they understand not only the technical aspects but also the operational, financial, and business implications of using AWS services.

Multi-tier architecture benefits in AWS it improves security by separating public-facing and internal resources

• A multi-tier architecture separates systems into different tiers or layers, each having a specific role and responsibility. In a typical three-tier architecture, for example, there's a presentation tier (public-facing, user interface), a logic tier (application processing, business logic), and a data tier (database, file storage). This separation greatly enhances security by limiting the exposure of the more sensitive tiers.

AWS Elastic Disaster Recovery

• AWS Elastic Disaster Recovery (EDR) provides automated, cross-region disaster recovery for critical workloads
• AWS Elastic Disaster Recovery (EDR)
• EDR good for ability to quickly activate a standby environment if the primary one fails.

Amazon Kinesis Video Streams

• Amazon Kinesis Video Streams is a service for streaming video. It makes it easy to securely stream video from connected devices to AWS for analytics, machine learning (ML), and other processing. This service does not handle the conversion of media file formats.

Amazon EFS with Lifecycle Management

• Amazon Elastic File System (EFS) is a scalable, elastic, cloud-native file storage service for Linux-based workloads. It seamlessly integrates with AWS cloud services and on-premise resources, providing a simple, serverless, set-and-forget elastic file system. Amazon EFS is designed to be highly available and durable, offering a file system interface and file system semantics. It allows multiple EC2 instances to access the data concurrently.
• multiple EC2 instances simultaneously & ensure that infrequently used files are moved to a more cost-effective storage class;

Amazon MemoryDB

• Amazon MemoryDB is a fully managed in-memory database service built on an architecture designed for durability and fault tolerance. It is designed to support applications requiring microsecond read latency and high-speed data ingestion, making it a perfect fit for a gaming application like the one described.
• MemoryDB

AWS Shared Responsibility model - The Shared Responsibility Model defines who is responsible for what in the AWS Cloud.

• Customers responsibility:
• Customers responsible for security "IN" the cloud:
• Data encryption - ensure that app data is encrypted at rest && Encrypting data in transit & at rest
• Patching EC2 instances;
• Ensure users have security training
• Penetration tests
• Managing VPC network access control lists to secure apps
• Maintaining server-side Encryption
• Using RDS customer is responsible for controlling network access through security groups;
• Customers are responsible for defining and using IAM policies.
• Configure an S3 bucket to allow public access;
• Customers are responsible for configuring firewalls and access management.
• Applying appropriate security levels of assets stored in the AWS environment.
• For EC2 instance; responsible for guest OS (including patches & updates), firewall & network config, IAM & encrypting app data
• RDS: Check ports IP Security group inbound rules; user permissions; create db with or without public access; ensure DB is configured to only allow SSL connections && database encryption settings
• S3 Bucket config; bucket policy; IAM user & roles & Encryption
• AWS responsibility:
• AWS responsible for security "OF" the cloud:
• has sole responsibility for physical security; "Security of the Cloud"
• AWS is responsible for protecting the infrastructure that runs all of the services offered in AWS Cloud;
• Updating firmware
• Auditing physical data center assets
• Patching db software
• Backing up DBs
• Securing the EC2 Hypervisor & physical controls
• Edge location management
• For abstracted services like Amazon S3, AWS operates the infrastructure layer, the operating system, and platforms
• protecting infrastructure (hardware, software, facilities & networking) that runs all the AWS Services; Managed services like S3, DynamoDB, RDS
• RDS DB & OS Patching; audit the underlying instance & disks
• S3: guarantee unlimited storage & we get encryption; ensure separation of data between different customers; ensure AWS employees cannot access data;
• Shared responsibility:
  • Awareness & training
  • Configuration Management
  • Awareness & training is a shared control between customer & AWS
• Shared responsibility model

Security - Security-related services AWS offers:
MFA physical tokens;
Data Encryption is often done with help of KMS

2 security measures to protect AWS accounts:

• grant least
• privilege access to IAM users; * Activate MFA

Security Groups act as a virtual firewall for the Amazon EC2 instance;

SECURITY Steps taken when conducting penetration testing on AWS?

• Penetration Testing
• We request & wait for approval from AWS internal security team.
• Penetration Tests || security assessments
• AWS customers can carry out security assessments or penetration tests against their AWS infrastructure without prior approval for few common AWS services.

U2F security key - hardware - Universal 2nd Factor (U2F)
Security Key is a device that you can plug into a USB port on your computer.

Virtual Multi-Factor Authentication (MFA) device
NOT a physical device - generates a six-digit numeric code

AWS CloudHSM | Hardware Security Model | Hardware data encryption - Manage single-tenant hardware security modules (HSMs) on AWS

• AWS CloudHSM
• AWS CloudHSM is a cloud-based Hardware Security Module (HSM) that enables you to easily generate and use your encryption keys on the AWS Cloud.
• CloudHSM is a security device to manage cryptographic keys to use for highly secure sensitive data
• AWS CloudHSM provides hardware-based key storage and cryptographic operations within a tamper-resistant hardware device. This service helps you meet corporate, contractual, and regulatory compliance requirements for data security by using dedicated HSM appliances within the AWS Cloud.

AWS WAF - Web Application Firewall

• AWS WAF
• AWS WAF - is a web application firewall that helps protect your web applications or APIs against common web exploits that may affect availability, compromise security, or consume excessive resources.
• WAF protects its web applications from common web exploits that may affect availability, compromise security, or consume excessive resources
• WAF creates security rules to protect from cross-site scripting attacks;
• AWS Shield is only used to safeguard running applications from DDoS attacks;
• AWS Shield
• AWS Shield Standard is a managed Distributed Denial of Service (DDoS) protection service that safeguards web applications running on AWS
• AWS Shield Advanced provides advanced DDoS protection by offering additional DDoS mitigation capabilities over AWS Shield Standard. It also includes cost protection and risk management benefits.

AWS Security Hub

• AWS Security Hub
• Automate AWS security checks and centralize security alerts
• Centrally automate security checks across several AWS accounts
• AWS Security Hub provides us with a comprehensive view of your security state within AWS and your compliance with security standards and best practices.

Root User Privileges

• Root User Privileges
• Actions only by root user:
• Change account settings
• Close Account
• Change or cancel AWS Support plan
• Register as a seller in Reserved Instances Marketplace
• view tax invoices
• Restore IAM user permissions
• Config S3 to enable MFA & edit S3 that include invalid VPC ID
• Sign up for GovCloud

To gain programmatic access to an AWS account, the required credential components are an:

• access key ID
• secret access key
• Access key ID and secret access key are both required to access AWS CLI.

Network ACL - Network Access Control List (ACL)

• ACL is a security layer in AWS that acts as a firewall for controlling traffic at the subnet level.
• VPC Network Acts | Control subnet traffic with network access control lists
• Used to control incoming and outgoing traffic at the subnet level

AWS Service Catalog

• AWS Service Catalog enables organizations to create and manage catalogs of IT services for use on AWS
• AWS Service Catalog
• Manage its deployed IT services and govern infrastructure as code (IaC) templates.

AWS Audit Manager

• Audit manager is a service that could provide insight into how AWS services impact organizations in meeting SOC2 compliance requirements
• AWS Service Catalog
• AWS Audit Manager helps automate the process of assessing, managing, and reporting on compliance with regulations and industry standards.

Customer Managed Key

• Store sensitive data in an Amazon S3 bucket and encrypt it after upload. Therefore, they want to manage their own keys for encryption in AWS services
• Customer Managed Key
• A Customer Managed Key (CMK) is a key that's generated and managed within AWS Key Management Service (KMS) by the customer.

IAM - Identity & Access Management

• adds security & identity * MFA & enforcing pw strength & expiration IAM policies don't have access keys. The only way you will ever get an Access key is to create them from an IAM user.
• Apply an IAM policy to an IAM group - apply common access controls to large set of use
• IAM groups able to administer multiple users
• IAM policies can limit S3 access to specific users.
• AWS IAM Identity Center - SSO - access management to multiple AWS accounts as well as facilitate AWS Single Sign-On (AWS SSO) access to its AWS accounts
• AWS IAM Identity Center - SSO
• Connect your existing workforce identity source and centrally manage access to AWS
• Always free to use IAM || IAM enables us to manage access to AWS services & resources securely. Using IAM, we can create & manage AWS users & groups, & use permissions to allow & deny their access to AWS resources. IAM is a feature of your AWS account offered at no additional charge.
• IAM Credentials report is a Security tool that lists all your account's users and the status of their various credentials. The other IAM Security Tool is IAM Access Advisor. It shows the service permissions granted to a user and when those services were last accessed.
  IAM Credential report reviews how frequently passwords and access keys are updated within its AWS environment.
• An IAM policy is an entity that, when attached to an identity or resource, defines their permissions. JSON docs to define users; groups || roles permissions;
• IAM is a global service (encompasses all regions).
• AWS IAM policy and a roles: A policy is a set of permissions that determine what an AWS service can do, while a role is a temporary identity that can be assumed by a user or AWS service.
• A user is a permanent identity that can access AWS services, while a role is a temporary identity that can be assumed by a user or AWS service.
• AWS IAM Identities (users; user groups & roles)
• AWS IAM access keys best practices include:
  • Don't embed access keys directly into code.
  • Rotate access keys periodically.

AWS EC2

• Can be used to manually launch "instances" bases on resource requirements
• can be used to host MS SQL Server
• 2 services required to launch EC2:
  • VPC - Amazon Virtual Private Cloud (VPC) is a virtual network dedicated to an AWS account. It's like your own slice of the AWS cloud, and it's where your EC2 instances live.
  • AMI - An Amazon Machine Image (AMI) is an essential component for launching an EC2 instance
• EC2 is IaaS Infrastructure as a Service

AWS Cloud Tail

• AWS CloudTrail
• Track user activity & API usage.
• A service to gather info about AWS account activity
• Use CloudTrail to log, monitor and retain account activity related to actions across your AWS infrastructure
• Ensure that its AWS account activity meets the governance, compliance and auditing norms
• CloudTrail can record the history of events/API calls made within you AWS account, which will help determine who or what deleted the resource. You should investigate it first.
• CloudTrail can ensure the AWS account activity meets governance, compliance & auditing norms.

Amazon RDS - relational Database Service advantage is it

• Simplifies administration tasks.
• Used to host db's
• AWS Manages the maintenance of the OS
• MS SQL Server - RDS can be used to host
• AWS RDB
• Suited for OLTP workloads
• RDS Multi-AZ deployments' main purpose is high availability, while RDS Read replicas' main purpose is scalability.
• RDS Multi-AZ enhances database availability - benefit of deploying an Amazon RDS Multi-AZ database with one standby
• Use Amazon RDS Multi-AZ deployment with automatic failover when need a db to continue functioning in AZ outage w/out manual intervention.
• Amazon RDS replicates data in a synchronous way to different AZ
• AWS Lambda allows you to receive a notification after inserting data into Amazon RDS. AWS Lambda is a serverless compute service that allows you to run your code in response to events, such as changes to data in an Amazon RDS database, and automatically manages the compute resources for you.

Read Replicas provide enhanced performance and durability for Amazon RDS database (DB) instance & improves scalability

• Read Replicas
• Read Replica improves database scalability & performance; - scale out globally
• AWS DMS database migration service
• DMS Database Migration Service
• AWS MGN Application Migration Service. migrate physical servers like dbs or app to EC2.

AWS CloudFormation - speed up cloud provisioning with infrastructure as code;

• AWS CloudFormation
• CloudFormation good for deploying identical resources across all AWS regions and accounts using templates while estimating costs
• CloudFormation can provision the same AWS infrastructure across multiple regions.
• AWS CloudFormation templates are JSON or YAML-formatted text files. They are declarations of the AWS resources that make up a stack.
• CloudFormation is free of use; but we do pay for the resources created.

AWS CodeDeploy - automates software deployments

• AWS CodeDeploy
• Automate code deployment to maintain application uptime
• AWS CodeArtifact (repo for code dependencies) is a managed artifact repository (also called code dependencies)
• AWS CodeArtifact allows you to publish and share software packages used in the software development process;
• AWS CodeBuild is a fully managed continuous integration service that compiles source code, runs tests, and produces software packages that are ready to deploy
• AWS CodeDeploy is a hybrid service that automates code deployments to any instance, including Amazon EC2 instances and instances running on-premises.
• AWS CodeCommit is a secure, highly scalable, managed source control service that makes it easier for teams to collaborate on code. It also provides software version control. Git based repos;
• AWS Cloud Development Kit (AWS CDK) is an open source software development framework to define your cloud application resources using familiar programming languages.
• AWS CodePipeline - service supports CD (Continuous Delivery) that automates the release process whenever you change code

Aurora - scale MySQL & PostgreSQL

• AWS Aurora
• Amazon Aurora is a MySQL and PostgreSQL-compatible relational database built for the cloud, that combines the performance and availability of traditional enterprise databases with the simplicity and cost-effectiveness of open source databases. It is a proprietary technology from AWS.
• A relational database & is a proprietary technology from AWS and is cloud-optimized

Amazon QLDB - Quantum Ledger Database

• AWS QLDB
• A service that is an immutable ledger database
• Amazon QLDB is a fully managed ledger database that provides a transparent, immutable, and cryptographically verifiable transaction log owned by a central trusted authority

AWS EMR - Elastic MapReduce Hadoop cluster Big Data - Easily run and scale Apache Spark, Hive, Presto, and other big data workloads

• AWS EMR
• Amazon EMR is a web service that enables businesses, researchers, data analysts, and developers to easily and cost-effectively process vast amounts of data. EMR helps creating Hadoop clusters (Big Data) to analyze and process vast amount of data
• EMR can analyze large-scale datasets;
• EMR is designed to efficiently process, analyze, and derive insights from large datasets quickly by distributing the data across a resizable cluster of AWS EC2 instances. It simplifies running big data frameworks for processing and analyzing large datasets, handling everything from provisioning and configuring the data processing infrastructure to scaling and managing the cluster.

DynamoDB - NoSQL db's / schemaless database

• DynamoDB - NoSQL
• Serverless, NoSQL, fully managed database with single-digit millisecond performance at any scale
• Global tables - NoSQL supports active-active configuration in both the East and West US AWS regions
• DynamoDB - good for store data from a recommendation engine in a database with Least operational overhead for any scale;
• Amazon DynamoDB Accelerator (DAX) is a fully managed, highly available, in-memory cache for Amazon DynamoDB that delivers up to a 10 times performance improvement—from milliseconds to microseconds—even at millions of requests per second.

AWS Athena

• AWS Athena
• Serverless SQL
• Amazon Athena is an interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL. Athena is serverless, so there is no infrastructure to manage, and you pay only for the queries that you run.

Redshift - big data as service / cloud data warehouse

• AWS Redshift

AWS KMS - Key Management Service

• AWS KMS
• create & control keys used to encrypt or digitally sign data;
• AWS KMS is a managed service that enables you to easily create and control the keys used for cryptographic operations. It is managed by AWS.

AWS Direct Connect - Create a dedicated network connection to AWS

• Direct Connect enables us to connect securely AWS to on-prem data center. ex. Direct connect can connect Amazon VPC to on-premises data center.
• On-Prem connections
• AWS Direct Connect
• AWS Direct Connect is a cloud service solution that makes it easy to establish a dedicated private network connection from your premises to AWS.
• Direct Connect is used to establish a consistent & private connection from company's on-prem data center to AWS.

AWS VPC

• AWS VPC
• 2 features that can be configured with VPC are:
• Security Groups - operate at instance level and can control traffic in & out of EC2
• Subnets
• Virtual private cloud (VPC) is a virtual network dedicated to your AWS account. It is logically isolated from other virtual networks in the AWS Cloud. You can launch your AWS resources, such as Amazon EC2 instances, into your VPC.
• NAT Gateways allow your instances in your private subnets to access the Internet while remaining private, and are managed by AWS.
• A public subnet is accessible from the Internet while a private subnet is not accessible from the Internet.
• NACL - network access control list is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. They have both ALLOW and DENY rules.
• AWS Transit Gateway connects thousands of VPC and on-premises networks together in a single gateway.
• An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet.

AWS Lambda - runs code serverless without thinking of servers or clusters;

• AWS Lambda
• Charged by - users pay based on the number of requests & consumed compute resources.
• Lambda is charged by # of requests & time it takes for function to run;
• Amazon API Gateway is a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale. Good to enhance its application scalability and resilience by migrating to a microservices approach for its next-generation software suite.

Amazon Step Functions; Amazon DynamoDB & Amazon SNS - serverless platform;

• Amazon DynamoDB
• Amazon SNS
• Lambda is charged by call & duration; In AWS Lambda, we are charged per request and compute time, that's it.

AWS Personal Health Dashboard

• Provides alerts when an AWS event may impact a company's AWS resources. Provides alerts & remediation guidance when AWS is experiencing events.
• ex. provides a customized view of the health of specific AWS services that power a customers workloads running on AWS.
• AWS Health - Your Account Health Dashboard | gives a personalized view of the status of the AWS services that are part of your Cloud architecture so that you can quickly assess the impact on your business when AWS service(s) are experiencing issues
• AWS Health - Your Account Health Dashboard - personalized view of the status of the AWS services that are part of your Cloud architecture so that you can quickly assess the impact on your business when AWS service(s) are experiencing issues
• AWS Health - Your Account Health Dashboard provides alerts and remediation guidance when AWS is experiencing events that may impact you.

AWS Health Dashboard - Service Health -

• used to subscribe to an RSS feed to be notified of the status of all AWS service interruptions
• Service health is the single place to learn about the availability and operations of AWS services
• AWS Health Dashboard Status
• AWS Health Dashboard provides alerts and remediation guidance when AWS is experiencing events that may impact you.
• AWS Health Dashboard - Service Health can be used to subscribe to an RSS feed to be notified of the status of all AWS service interruptions

AWS Marketplace - search for software listing that runs on AWS

• AWS Marketplace
• Sell Software as a Service (SaaS) solutions to AWS customers

Facilitates use cases:

• Sell Software as a Service (SaaS) solutions to AWS customers
• AWS customer can buy software that has been bundled into customized Amazon Machine Image (AMIs) by the AWS Marketplace sellers

AWS managed services such as ElastiCache & RDS benefits are:

• they simplify patching & updating OS's

RDS & EFS are services for read/write of constantly changing data Amazon Elastic File System EFS

• EFS - Amazon Elastic File System
• Amazon EFS is a fully managed service that makes it easy to set up, scale, and cost-optimize file storage in the Amazon Cloud.
• EFS - EC2 Storage used to create a shared network file system for EC2 Instances
• * EFS provides simple scalable elastic NFS file system & can be used for on-premises including Linux Glacier is used for archiving | long term low cost storage;
• Amazon Elastic File System (Amazon EFS) - use a storage service which would be accessed by hundreds of EC2 instances simultaneously to append data to existing files
• Storage Classes

AWS Glacier - Long-term, secure, durable storage classes for data archiving at the lowest cost and milliseconds access

• Deep Archive - lowest-cost storage class and supports long-term retention and digital preservation for data that may be accessed once or twice in a year || Good for Disaster Recovery
• Flexible Retrieval - delivers low-cost storage, up to 10% lower cost (than Amazon S3 Glacier Instant Retrieval), for archive data that is accessed 1—2 times per year and is retrieved asynchronously
• S3 Glacier

Amazon S3 - object storage build to retrieve any amount of data from anywhere lowest cost durable storage option for retaining database backups for immediate retrieval;

• AWS S3
• * can be used for serving large amounts of online video content with lowest possible latency
• * can be used for hosting static websites;
• Hosting a static website using Amazon S3
• S3 One Zone-IA used to store thumbnails images
• Use Amazon S3 One Zone-Infrequent Access (S3 One Zone-IA) to store the thumbnails
• Amazon S3 One Zone-Infrequent Access (S3 One Zone-IA) is for data that is accessed less frequently but requires rapid access when needed.
• S3 buckets have encryption configured by default
• Lifecycle Rules can be used to define when S3 objects should be transitioned to another storage class or when objects should be deleted after some time.
• Amazon S3 Standard-Infrequent Access allow you to store infrequently accessed data, with rapid access when needed, has a high durability, and is stored in several Availability Zones to avoid data loss in case of a disaster. It can be used to store data for disaster recovery, backups, etc.
• S3 Standard-IA has a higher storage cost but a lower retrieval cost, while S3 Glacier has a lower storage cost but a higher retrieval cost. S3 Standard-IA has a higher storage cost than S3 Glacier because it is designed to provide fast access to data;
• S3 Transfer Acceleration enables fast, easy, and secure transfers of files over long distances between your client and an S3 bucket.
• Inbound data transfer in the S3 region is free.
• AWS Outposts bring native AWS services, infrastructure, and operating models to virtually any data center, co-location space, or on-premises facility.
• S3 - Use "Server Access Logging" to obtain a security & access audit of an Amazon S3 bucket. Server Access Logging allows detailed logging of requests made to an S3 bucket.
• Use client-side encryption by using the AWS Encryption SDK when needing to encrypt data before sending it to S3;
  The AWS Encryption SDK simplifies the task of encrypting data on the client side before uploading it to S3.
• Amazon S3 Multi-Region Access Points make it simpler to build applications that require global access to data by streamlining the endpoint naming convention and by automatically routing requests to data in the most optimal AWS region.
  Hosting a static website using Amazon S3
• S3 Versioning allows you to keep multiple versions of an object in a single bucket. It can ensure that deleted objects can be retrieved;
• Encrypted data at rest in S3 we can use
  • AWS KMS-managed keys (SSE-KMS) | SSE-KMS, Amazon S3 automatically encrypts the object data on the server-side
  • AWS S3 managed keys (SSE-S3) | When we use SSE-S3, Amazon S3 handles and manages the encryption keys for us
• Set up S3 Object Lock with a retention period of X years to retain; S3 Object Lock provides a way to store objects using a "Write Once, Read Many" (WORM) model;

Routing types:

• Routing Policy
• Weighted routing - lets you associate multiple resources with a single domain name
  Weighted routing is an AWS Route 53 routing policy would you use to route traffic to multiple resources and also choose how much traffic is routed to each resource
• Failover routing - This routing policy is used when you want to configure active-passive failover.
• Simple routing - With simple routing, you typically route traffic to a single resource, for example, to a web server for your website.
• Latency-based routing - This routing policy is used when you have resources in multiple AWS Regions and you want to route traffic to the region that provides the best latency.
• Route 53 - DNS reliable & cost effective way to route end users to apps; Route 53 is considered global not regional
• AWS Wavelength (5G) is an AWS Infrastructure offering optimized for mobile edge computing applications. Wavelength combines the high bandwidth and ultra-low latency of 5G networks with AWS compute and storage services to enable developers to innovate and build a whole new class of applications.
• Route 53 Policy: Weighted Routing Policy is used to route traffic to multiple resources in proportions that you specify.
• Route 53 Policy: Geolocation Routing Policy is used to route traffic based on users' location.
• Route 53 some features are: Domain Registration, DNS, Health Checks, Routing Policy
• Use Amazon Route 53 with latency-based routing to ensure global content delivery with the lowest possible latency
• Route 53 provides:
  • DNS Management
  • Domain registration

AWS EBS - Elastic Block Store - high performance block storage

• EBS - Amazon Elastic Block Store
• is a device you can mount onto EC2 it is a block storage so you format it; we are able to chose which type of file we want.
• EBS Volumes can be attached to only one EC2 Instance at a time, but EC2 Instances can have multiple EBS Volumes attached to them.
• EBS Volumes allows instances' data to persist even after their termination.
• EBS Snapshots are used to backup data on your EBS Volumes at a point in time.
• EBS Volumes are tied to only one availability zone.
• EBS Snapshots are added cost in GB per month
• EBS Provisioned IOPS SSD (io2) ensures rapid data retrieval and continuous read/write operations.
• Creating snapshots of Amazon Elastic Block Store (EBS) volumes provides the benefit of durability
• EBS - Volume Types
• Durability - is the benefit of creating snapshots of Amazon EBS volumes to back up data

Amazon Elastic Transcoder

• Amazon Elastic Transcoder is a scalable media transcoding service in AWS that converts audio and video files into formats suitable for various devices.
• AWS Elastic Transcoder

Amazon Device Farm - test applications across multiple desktop browsers and mobile devices

• AWS Device Farm allows you to test your applications on real physical devices in the AWS Cloud.
• AWS Device Farm

Network Load Balancer (NLB) - type of Elastic Load Balancer can handle millions of requests per second at the TCP and UDP connection level

• Network Load Balancers are designed to handle millions of requests per second while maintaining high throughput and ultra-low latency.
• Network Load Balancer

SQS - Simple Queue Service

• Amazon Simple Queue Service (SQS) is another AWS service that provides decoupled communication for microservices-based applications.
• Amazon SQS Simple Queue Service
• SQS - A service that provides decoupled communication for microservices-based applications
• Amazon Simple Queue Service (SQS) is another AWS service that provides decoupled communication for microservices-based applications. SQS is a fully managed message queuing service that enables you to decouple the components of a distributed application. Microservices can send messages to SQS queues, and other microservices can consume those messages at their own pace, allowing for asynchronous and decoupled communication.

AWS Pinpoint - Connect with customers through scalable, targeted multichannel communications

• Amazon Pinpoint is a scalable and flexible service that allows you to engage with your customers through multiple channels, including email, SMS, push notifications, and more.
• AWS Pinpoint
• Send a bulk marketing email to customers.

if you receive a notification that your AWS account has been compromised:
Delete any resources on your account that you didn't create, such as Amazon EC2 instances and AMIs.
Delete any potentially unauthorized IAM users, and then change the password for all other IAM users.

AWS Cloud9 IDE for writing; running & debugging code
AWS Cloud9

AWS Neptune - High-performance graph analytics and serverless database for superior scalability and availability
AWS Neptune

AWS Firewall Manager

• centrally manage security policies across multiple AWS accounts for AWS WAF, AWS Shield Advanced, and VPC security groups;
• AWS Firewall Manager is a security management service that centrally configures and manages firewall rules across multiple AWS accounts and resources. It automates the deployment and enforcement of security policies, ensuring consistent protection for applications deployed in AWS. Firewall Manager supports AWS WAF, AWS Shield Advanced, and VPC security groups, allowing administrators to create and apply rules based on security best practices
• AWS Firewall Manager

AWS Resource Groups

• AWS Resource Groups helps you to group your AWS resources, which can then be managed and automated as a collection.
• effectively organize and manage AWS resources across different environments such as development, testing, and production
• Resource Groups

AWS Support Plans:

• AWS Support Plans
• Business
  • minimum that allows one hour response time
  • Minimum plan that provides technical support phone calls. 24/7 phone; email & chat to cloud support engineers.
  • Ideal support plan should you choose if you want to start a startup
  • Offers 24/7 access to Cloud Support Engineers via email, chat, and phone. It also provides a response time of less than one hour for business-critical system downtime.
  • Provides detailed architectural guidance contextual to your use-cases.
  • AWS Business Support provides detailed architectural guidance contextual to your use-cases.
• Enterprise
  • includes a dedicated Technical Account Manger
  • includes Infrastructure Event Management without additional costs.
  • AWS Concierge support team is the primary contact for billing & account inquires for Enterprise level support.
  • Enterprise Support Plan comes with a business-critical system down response under 15 minutes and offers access to a Technical Account Manager, as well as a Concierge Support Team. It is the only plan to have these features.
• Developer
  Offers best practice guidance and troubleshooting help during local business hours, but its coverage and benefits are limited compared to the Business plan. It's more suitable for testing or doing early development on AWS.
• Basic - Support includes 24/7 access to customer service and documentation.
  AWS Trusted Advisor is included in basic support plan

EC2 Pricing models:

• On-Demand - instances in EC2 Pricing model is MOST cost efficient for an uninterruptible workload that runs once a year for 24 hours
  On Demand is: pay for what you use - 1 benefit of On-demand EC2 pricing is paying only for time used.
• Reserved Instances - RI
  long term never interrupted.
  instances are not cheap;
  save up to 72%
  good for 3 yrs non-interruptible
  Amazon EC2 Reserved Instance Utilization Report provides ability to share the cost benefits of Reserved instances across AWS accounts;
  1 year or 3 years terms are available for EC2 Reserved Instances
  EC2 Image Builder is an automated pipeline for the creation, maintenance, validation, sharing, and deployment of Linux or Windows images for use on AWS and on-premises.
  EC2 Image Builder can be used to automate image management processes
  most cost-effective options when using EC2 instances:
  • Reserved Instances for sustained workloads
  • Spot Instances for stateless and flexible workloads
• Spot instances
  • * can be interrupted; spot = interruptible jobs
  • * can save up to 90%;
  • adjusts based on demand;
  • When there is flexibility in when an app needs to run = a spot benefit
  • Spot instances will interrupt a running EC2 instance if capacity becomes temp unavailable;
  • Spot Instances are good for short workloads, but are less reliable. Spot Instances can provide the biggest discount, but is not suitable for critical jobs or databases
  • Spot instances can access unused EC2 capacity; allows customers to purchase unused EC2 capacity at often discounted rate.
  • If the Spot price increases and exceeds your maximum price then "the instance is terminated and cannot be recovered."
    Spot Instances are an offering from AWS where you can bid for spare Amazon EC2 computing capacity. If your Spot Instance is running and the Spot price increases above your maximum price, AWS will automatically terminate your instance.
• Dedicated host - allows you to use your eligible software licenses from vendors such as Microsoft and Oracle on Amazon EC2 so that you get the flexibility and cost-effectiveness of using your licenses, but with the resiliency, simplicity, and elasticity of AWS

There is a one-minute minimum charge for Linux based EC2 instances. Therefore if a user used 30 seconds we'll be charged for 60 seconds;
EC2 instances, you pay per second of compute capacity. There is also a minimum of 60s of use.

• EC2 Billing

Optimize EC2 costs:

• Set up Auto Scaling groups to align the number of instances with the demand
• Purchase Amazon EC2 Reserved instances (RIs)
• fyi - Compute Savings Plans provide the most flexibility and help to reduce your costs by up to 66% in exchange for a commitment to a consistent amount of usage for a 1 or 3 year term.

An app has flexible start & end times. EC2 pricing model which is best would be "Spot Instances".

• Amazon EC2 Spot Instances
• Spot instances optimizes costs; run hyperscale workloads & builds sustainable solutions.

Optimize EC2 costs by:

• Implementing Auto Scaling groups to add & remove instances based on demand;
• Purchasing Reserved Instances

AWS Artifact - access AWS & ISV security & compliance reports

• AWS Artifact
• ex. we can download compliance & certification reports;
• provides Service Organization Control (SOC) and Payment Card Industry (PCI) reports

Service control policies (SCPs)

• Service control policies (SCPs)
• AWS Service Control Policies (SCPs) are a type of policy that you can use to manage permissions in your AWS organization. SCPs enable you to define the maximum permissions for member accounts in the organization.
• can be used to grant permission to access AWS resources from members' accounts in the AWS organization

BILLING AWS Organizations - centrally manage environments & multiple AWS accounts

• AWS Organizations
• ex. if customer is using multiple AWS accounts with separate billing to take advantage of volume discounts
• ex. if each company dept. has own AWS account to consolidate billing we could create an AWS Organization & invite the others.
• Best practices for AWS Orgs:
  • Create AWS accounts per department
  • Restrict account privileges using Service Control Policies (SCP)
• AWS Control Tower offers the easiest way to set up and govern a new, secure, multi-account AWS environment. It establishes a landing zone that is based on best-practices blueprints, and enables governance using guardrails you can choose from a pre-packaged list.
• Consolidated billing combines incurred costs across accounts into a single invoice.
• All member accounts can share their reserved instances when needed.

Hosting models: Dedicated hosts ~= physical isolation;

• ex. Cost allocation tags is good to track & categorize spending?
• Cost Allocation Tags
• ex. Volume pricing qualifications is an advantage of consolidated billing;

AWS Cost & Usage tool give most granular insight into cost & usage.

• AWS Cost & Usage tool

Massive economies of scale - customers can benefit - periodic price reductions as the result of Amazon's operational efficiencies.
The massive scale at which AWS operates also benefits customers - ever increasing economies of scale enables them to continually reduce the pricing of compute and storage services.

Moving from on-premises data center to AWS cloud - one financial difference will be:

• * moving from upfront Capital Expense CAPEX to variable operational expense OPEX - trade CapEx for OpEx

AWS simple Monthly Calculator - can be used to forecast the future costs of running a new web app. It's a new app so the cost explorer is used to predict cost.

AWS Cost Explorer - used to forecast your AWS account usage and costs

• AWS Cost Explorer
• * Visualize, understand, and manage your AWS costs and usage over time

TOC total cost of ownership from on-prem vs AWS cloud 2 expenses considered are: * storage hardware * physical servers

• 2 factors doing TOC total cost of ownership when moving from on-premises to AWS cloud:
• power consumption
• Labor costs to replace old servers
• AWS Total Cost of Ownership (TCO) calculator allows us to estimate the cost saving when using AWS && if a company perform a cost benefit analysis of migrating to AWS;

Migrating production workloads to the AWS cloud to reduce operational costs:

• Reduce overprovisioned instances
• Use managed services

AWS Pricing Calculator - compare the cost of running their IT infrastructure on-premises vs AWS Cloud. Good for a company to check whether or not it is cost-effective to migrate to the AWS Cloud

• AWS Pricing Calculator lets you explore AWS services and create an estimate for the cost of your use cases on AWS
• AWS Pricing Calculator can be used to forecast your AWS account usage and costs
• AWS Compute Optimizer recommends optimal AWS resources for your workloads to reduce costs and improve performance by using machine learning to analyze historical utilization metrics.

AWS Cost Anomaly Detection - receive alerts for unauthorized or unusual billing activity that indicates potential fraud or mismanagement.
AWS Cost Anomaly Detection

A startup reconfigured the AWS infrastructure to release a new feature last month. They noticed that the AWS bill was significantly higher than expected this month. The reason could be:
They keep unused elastic IPs that are not associated with any Resources.