This page is a reference for AWS training. You will need a free AWS account.
AWS Cloud Practitioner Essentials
Amazon EC2 (Elastic Compute Cloud) instance types
Amazon EC2 instance types are optimized for different tasks. When selecting an instance type, consider the specific needs of your workloads and applications. This might include requirements for compute, memory, or storage capabilities.
General purpose instances provide a balance of compute, memory, and networking resources. You can use them for a variety of workloads, such as:
- application servers
- gaming servers
- backend servers for enterprise applications
- small and medium databases
Suppose that you have an application in which the resource needs for compute, memory, and networking are roughly equivalent. You might consider running it on a general purpose instance because the application does not require optimization in any single resource area.
Compute optimized instances are ideal for compute-bound applications that benefit from high-performance processors. Like general purpose instances, you can use them for workloads such as web, application, and gaming servers.
The difference is that compute optimized instances are the better fit for high-performance web servers, compute-intensive application servers, and dedicated gaming servers. You can also use them for batch processing workloads that process many transactions in a single group.
Memory optimized instances are designed to deliver fast performance for workloads that process large datasets in memory. In computing, memory is a temporary storage area. It holds all the data and instructions that a central processing unit (CPU) needs to be able to complete actions. Before a computer program or application is able to run, it is loaded from storage into memory. This preloading process gives the CPU direct access to the computer program.
Suppose that you have a workload that requires large amounts of data to be preloaded before running an application. This scenario might be a high-performance database or a workload that involves performing real-time processing of a large amount of unstructured data. In these types of use cases, consider using a memory optimized instance. Memory optimized instances enable you to run workloads with high memory needs and receive great performance.
Accelerated computing instances use hardware accelerators, or coprocessors, to perform some functions more efficiently than is possible in software running on CPUs. Examples of these functions include floating-point number calculations, graphics processing, and data pattern matching.
In computing, a hardware accelerator is a component that can expedite data processing. Accelerated computing instances are ideal for workloads such as graphics applications, game streaming, and application streaming.
Storage optimized instances are designed for workloads that require high, sequential read and write access to large datasets on local storage. Examples of workloads suitable for storage optimized instances include distributed file systems, data warehousing applications, and high-frequency online transaction processing (OLTP) systems.
In computing, the term input/output operations per second (IOPS) is a metric that measures the performance of a storage device. It indicates how many different input or output operations a device can perform in one second. Storage optimized instances are designed to deliver tens of thousands of low-latency, random IOPS to applications.
You can think of input operations as data put into a system, such as records entered into a database. An output operation is data generated by a server. An example of output might be the analytics performed on the records in a database. If you have an application that has a high IOPS requirement, a storage optimized instance can provide better performance over other instance types not optimized for this kind of use case.
On-Demand Instances are ideal for short-term, irregular workloads that cannot be interrupted. No upfront costs or minimum contracts apply. The instances run continuously until you stop them, and you pay for only the compute time you use.
Reserved Instances are a billing discount applied to the use of On-Demand Instances in your account. There are two available types of Reserved Instances:
- Standard Reserved Instances
- Convertible Reserved Instances
You can purchase Standard Reserved and Convertible Reserved Instances for a 1-year or 3-year term. You realize greater cost savings with the 3-year option.
Spot Instances are ideal for workloads with flexible start and end times, or that can withstand interruptions. Spot Instances use unused Amazon EC2 computing capacity and offer you cost savings at up to 90% off of On-Demand prices.
Dedicated Hosts are physical servers with Amazon EC2 instance capacity that is fully dedicated to your use.
Scaling Amazon EC2
There's a great quote by Werner Vogels that says, "Everything fails all the time, so plan for failure and nothing fails."
Scalability involves beginning with only the resources you need and designing your architecture to automatically respond to changing demand by scaling out or in. As a result, you pay for only the resources you use. You don’t have to worry about a lack of computing capacity to meet your customers’ needs. You can scale your EC2 instances either vertically by resizing the instance, or horizontally by launching new instances and adding them to the pool. You can set up automated horizontal scaling, using Amazon EC2 Auto Scaling.
Amazon EC2 Auto Scaling enables you to automatically add or remove Amazon EC2 instances in response to changing application demand. By automatically scaling your instances in and out as needed, you can maintain a greater sense of application availability.
Within Amazon EC2 Auto Scaling, you can use two approaches: dynamic scaling and predictive scaling.
Dynamic scaling responds to changing demand.
Predictive scaling automatically schedules the right number of Amazon EC2 instances based on predicted demand.
To scale faster, you can use dynamic scaling and predictive scaling together.
Elastic Load Balancing is the AWS service that automatically distributes incoming application traffic across multiple resources, such as Amazon EC2 instances.
A load balancer acts as a single point of contact for all incoming web traffic to your Auto Scaling group. This means that as you add or remove Amazon EC2 instances in response to the amount of incoming traffic, these requests route to the load balancer first. Then, the requests spread across multiple resources that will handle them.
Amazon Simple Queue Service (SQS) and Amazon Simple Notification Service (SNS) are messaging services. SQS lets you send, store, and receive messages between software components at any volume. SNS is similar in that it sends messages to services, but it can also send notifications to end users.
Suppose that you have an application with tightly coupled components. These components might include databases, servers, the user interface, business logic, and so on. This type of architecture can be considered a monolithic application.
In a microservices approach, application components are loosely coupled. If a single component fails, the other components continue to work because they do not depend directly on one another; they exchange messages through intermediaries such as queues and topics rather than calling each other directly. The loose coupling prevents the entire application from failing.
Amazon Simple Notification Service (Amazon SNS) is a publish/subscribe service. Using Amazon SNS topics, a publisher publishes messages to subscribers. In Amazon SNS, subscribers can be web servers, email addresses, AWS Lambda functions, or several other options.
Amazon Simple Queue Service (Amazon SQS) is a message queuing service. Using Amazon SQS, you can send, store, and receive messages between software components, without losing messages or requiring other services to be available.
Additional Compute Services
The term “serverless” means that your code runs on servers, but you do not need to provision or manage these servers. With serverless computing, you can focus more on innovating new products and features instead of maintaining servers. An AWS service for serverless computing is AWS Lambda.
AWS Global Infrastructure
When determining the right Region for your services, data, and applications, consider the following four business factors.
- Compliance. Before any of the other factors, check your compliance requirements, such as rules on where data may reside.
- Proximity. A Region close to your customers reduces latency.
- Feature availability. Not every service or feature is available in every Region.
- Pricing. Prices differ between Regions.
An Availability Zone is a single data center or a group of data centers within a Region. Availability Zones are located tens of miles apart from each other. A best practice is to run applications across at least two Availability Zones in a Region.
CDNs are commonly used, and on AWS, we call our CDN Amazon CloudFront. CloudFront is a service that helps deliver data, video, applications, and APIs to customers around the world with low latency and high transfer speeds. Amazon CloudFront uses what are called Edge locations, all around the world, to help accelerate communication with users, no matter where they are. An edge location is a site that Amazon CloudFront uses to store cached copies of your content closer to your customers for faster delivery.
Edge locations are separate from Regions, so you can push content from inside a Region to a collection of edge locations around the world to accelerate communication and content delivery. AWS edge locations also run more than CloudFront: they run the DNS service Amazon Route 53, which directs customers to the correct endpoints with reliably low latency.
Provisioning AWS resources
In AWS, everything is an API call. Ways to interact with AWS services:
- The AWS Management Console is a web-based interface for accessing and managing AWS services.
- AWS CLI enables you to control multiple AWS services directly from the command line within one tool.
- Software development kits - SDKs make it easier for you to use AWS services through an API designed for your programming language or platform.
You can also manage your AWS environment with higher-level tools such as AWS Elastic Beanstalk and AWS CloudFormation. AWS Elastic Beanstalk saves you from provisioning and managing the underlying pieces (instances, load balancers, scaling groups, monitoring) one by one, while still giving you visibility into and control over those resources.
AWS CloudFormation is an infrastructure as code tool: you define a wide variety of AWS resources declaratively in JSON or YAML text documents called CloudFormation templates. CloudFormation parses the template and provisions the resources you defined, in parallel where their dependencies allow, and by default rolls the stack back if any resource fails to create. Treating infrastructure as code means you build an environment from versioned, reviewable text instead of using the AWS Management Console to provision resources individually.
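Because a template is just text, it can be checked before it is ever deployed. The following is an added example, not course code and not the AWS cfn-lint tool: a small pre-deployment check that reads a CloudFormation template in its JSON form and flags security-group ingress rules that expose anything other than a single HTTP or HTTPS port to the whole internet. The template, resource names and addresses are constructed for the example; only literal CidrIp/CidrIpv6 values are inspected, so a CIDR supplied through a Parameter or Ref would have to be resolved first.

```python
"""Pre-deployment check over a CloudFormation template (JSON form).

Added example, not course code and not AWS cfn-lint. Flags security-group
ingress rules open to the internet on anything but a single HTTP/HTTPS
port. The template below is constructed; only literal CIDRs are examined.
"""
import json

WORLD = {"0.0.0.0/0", "::/0"}
PUBLIC_OK_PORTS = {80, 443}

# Constructed template: a bastion reachable from one office range, a web
# tier that (mistakenly) exposes SSH to the world, and a database tier
# that (mistakenly) allows every protocol from the world.
TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "VPC": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}},
        "BastionSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "SSH from the office only", "VpcId": {"Ref": "VPC"},
            "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "203.0.113.0/24"}]}},
        "WebSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "public web tier", "VpcId": {"Ref": "VPC"},
            "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
        "DbSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "database tier", "VpcId": {"Ref": "VPC"},
            "SecurityGroupIngress": [
                {"IpProtocol": "-1", "CidrIp": "0.0.0.0/0"}]}},
        # Standalone ingress resource: DB port reachable only from the web tier.
        "DbFromWeb": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
            "GroupId": {"Ref": "DbSG"}, "IpProtocol": "tcp", "FromPort": 3306,
            "ToPort": 3306, "SourceSecurityGroupId": {"Ref": "WebSG"}}},
    },
}


def _ingress_rules(template):
    """Yield (logical_id, rule) for inline and standalone ingress rules."""
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                yield name, rule
        elif res.get("Type") == "AWS::EC2::SecurityGroupIngress":
            yield name, props


def lint_security_groups(template):
    """Return (logical_id, reason) for every rule that opens something other
    than a single HTTP or HTTPS port to the whole internet."""
    findings = []
    for name, rule in _ingress_rules(template):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        # Skip rules whose source is another security group, and CIDRs that
        # are intrinsic functions ({"Ref": ...}) rather than literal strings.
        if not isinstance(cidr, str) or cidr not in WORLD:
            continue
        proto = str(rule.get("IpProtocol"))
        if proto == "-1":
            findings.append((name, "all protocols and ports open to the internet"))
            continue
        lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
        if not (lo == hi and lo in PUBLIC_OK_PORTS):
            findings.append((name, f"{proto} {lo}-{hi} open to the internet"))
    return findings


def lint_template_json(text):
    """Entry point for a template file read as JSON text."""
    return lint_security_groups(json.loads(text))


if __name__ == "__main__":
    for logical_id, reason in lint_security_groups(TEMPLATE):
        print(f"{logical_id}: {reason}")
```

Run against the constructed template it reports WebSG (SSH to the world) and DbSG (everything to the world) and stays silent on BastionSG and the security-group-to-security-group rule. A real pipeline would run a check like this, or cfn-lint, on every template before `aws cloudformation deploy`.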
With AWS Elastic Beanstalk, you provide code and configuration settings, and Elastic Beanstalk deploys the resources necessary to perform the following tasks:
- Adjust capacity
- Load balancing
- Automatic scaling
- Application health monitoring
Networking - Connectivity to AWS
A VPC, or Virtual Private Cloud, is essentially your own private network in AWS. A VPC allows you to define your private IP range for your AWS resources, and you place things like EC2 instances and ELBs inside of your VPC. Subnets are chunks of IP addresses in your VPC that allow you to group resources together. Subnets, along with networking rules control whether resources are either publicly or privately available. Public subnets contain resources that need to be accessible by the public, such as an online store’s website. Private subnets contain resources that should be accessible only through your private network, such as a database that contains customers’ personal information and order histories.
To allow traffic between the public internet and your VPC, you attach an internet gateway (IGW) to the VPC. To establish an encrypted VPN connection from your own network to private resources in the VPC, you attach a virtual private gateway. A network ACL is a virtual firewall that controls inbound and outbound traffic at the subnet level. Network ACLs perform stateless packet filtering: they remember nothing about earlier packets and check every packet that crosses the subnet border in each direction, inbound and outbound, against numbered rules, lowest number first, with the first matching rule deciding. The default network ACL allows all traffic; a custom network ACL denies everything until you add rules, so it also needs outbound rules for the ephemeral ports that return traffic uses.
A security group is a virtual firewall that controls inbound and outbound traffic for an Amazon EC2 instance (strictly, for its network interface). By default, a security group denies all inbound traffic and allows all outbound traffic. You add rules to allow specific traffic; anything not explicitly allowed is denied, and security groups have no deny rules at all. Security groups perform stateful packet filtering: they track connections, so the reply to an allowed inbound request is let back out regardless of the outbound rules, and the reply to an allowed outbound request is let back in.
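The stateless/stateful distinction is where most VPC firewall mistakes come from, so here it is as an added example (not course code and not an AWS API): a small model of how a network ACL and a security group each treat one HTTPS exchange. The rule dictionaries, packet tuples and addresses are constructed for the example; the model follows the documented behaviour of the two filters (first-match numbered rules with implicit deny for a custom ACL, allow-only rules with connection tracking for a security group).

```python
"""Stateless network ACL versus stateful security group, simulated.

Added example, not course code and not an AWS API. Rules, packets and
addresses are constructed; the behaviour modelled is the documented one.
"""
from ipaddress import ip_address, ip_network

# Constructed flow: a client at 203.0.113.5 connects to a web server at
# 10.0.1.10 on 443; the server replies to the client's ephemeral port.
REQUEST = ("203.0.113.5", 51234, "10.0.1.10", 443)      # (src_ip, src_port, dst_ip, dst_port)
REPLY = ("10.0.1.10", 443, "203.0.113.5", 51234)
NEW_EGRESS = ("10.0.1.10", 40000, "198.51.100.7", 443)  # server opens a fresh outbound flow


def _match(rule, ip, port):
    lo, hi = rule["ports"]
    return ip_address(ip) in ip_network(rule["cidr"]) and lo <= port <= hi


class NetworkACL:
    """Subnet level, stateless. Each packet is checked against the rules for
    its direction in ascending rule-number order; the first match decides;
    a custom ACL ends in an implicit deny. Inbound rules match the remote
    source address, outbound rules the remote destination address; both
    match the destination port."""

    def __init__(self, inbound, outbound):
        self.rules = {"in": sorted(inbound, key=lambda r: r["num"]),
                      "out": sorted(outbound, key=lambda r: r["num"])}

    def allows(self, direction, pkt):
        src_ip, _src_port, dst_ip, dst_port = pkt
        remote = src_ip if direction == "in" else dst_ip
        for rule in self.rules[direction]:
            if _match(rule, remote, dst_port):
                return rule["action"] == "allow"
        return False


class SecurityGroup:
    """Instance level, stateful. Only allow rules exist. A packet matching a
    rule opens a tracked flow; the reply to a tracked flow is permitted
    regardless of the rules for the other direction."""

    def __init__(self, inbound=(), outbound=None):
        self.inbound, self.outbound = list(inbound), outbound  # outbound None = allow all (default)
        self.tracked = set()

    def allows(self, direction, pkt):
        src_ip, src_port, dst_ip, dst_port = pkt
        if (dst_ip, dst_port, src_ip, src_port) in self.tracked:
            return True  # return traffic of a connection already accepted
        rules = self.inbound if direction == "in" else self.outbound
        remote = src_ip if direction == "in" else dst_ip
        if rules is None or any(_match(r, remote, dst_port) for r in rules):
            self.tracked.add(pkt)
            return True
        return False


ALLOW_HTTPS_IN = {"num": 100, "action": "allow", "cidr": "0.0.0.0/0", "ports": (443, 443)}
ALLOW_HTTPS_OUT = {"num": 100, "action": "allow", "cidr": "0.0.0.0/0", "ports": (443, 443)}
ALLOW_EPHEMERAL_OUT = {"num": 110, "action": "allow", "cidr": "0.0.0.0/0", "ports": (1024, 65535)}
BLOCK_BAD_NET_IN = {"num": 50, "action": "deny", "cidr": "203.0.113.0/24", "ports": (0, 65535)}


def exchange_ok(fw):
    """True if the request gets in and the reply gets back out."""
    return fw.allows("in", REQUEST) and fw.allows("out", REPLY)


def demo():
    # Common mistake: custom NACL allows 443 in but has no outbound rule for ephemeral ports.
    broken_nacl = NetworkACL([ALLOW_HTTPS_IN], [ALLOW_HTTPS_OUT])
    fixed_nacl = NetworkACL([ALLOW_HTTPS_IN], [ALLOW_HTTPS_OUT, ALLOW_EPHEMERAL_OUT])
    # Rule 50 is evaluated before rule 100, so the client's network is blocked even
    # though rule 100 would allow it; a security group cannot express a deny like this.
    blocklist_nacl = NetworkACL([BLOCK_BAD_NET_IN, ALLOW_HTTPS_IN], [ALLOW_EPHEMERAL_OUT])
    # Security group: 443 in from anywhere, outbound restricted to the database subnet.
    strict_sg = SecurityGroup(inbound=[{"cidr": "0.0.0.0/0", "ports": (443, 443)}],
                              outbound=[{"cidr": "10.0.2.0/24", "ports": (3306, 3306)}])
    return {
        "broken_nacl": exchange_ok(broken_nacl),        # False: reply dropped on the way out
        "fixed_nacl": exchange_ok(fixed_nacl),          # True
        "blocklist_nacl": exchange_ok(blocklist_nacl),  # False: explicit deny matched first
        "strict_sg": exchange_ok(strict_sg),            # True: reply rides the tracked flow
        "strict_sg_new_egress": strict_sg.allows("out", NEW_EGRESS),  # False: no rule, no flow
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'allowed' if result else 'blocked'}")
```

The two failures are the ones worth remembering: a custom network ACL silently breaks connections unless it allows the ephemeral port range in the reverse direction, and a security group with tight outbound rules still lets replies out because it tracks the flow, while blocking a brand-new outbound connection from the same host.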
AWS Direct Connect establishes a dedicated private network connection from your data center to AWS that does not traverse the public internet. You work with a Direct Connect partner in your area to provision the physical line that links your network to your AWS VPC. Direct Connect traffic is not encrypted by default; run a VPN over the connection or use MACsec where encryption is required.
Amazon Route 53 is a DNS web service. It gives developers and businesses a reliable way to route end users to internet applications hosted in AWS.
Storage and databases
With Amazon Elastic Block Store (Amazon EBS), you create virtual hard drives, called EBS volumes, that you attach to your EC2 instances. These are separate from the local instance store volumes, whose contents are lost when the instance stops, and they are not tied to the host that your EC2 instance is running on, so data written to an EBS volume persists across stops and starts of the instance. An EBS volume stores data in a single Availability Zone, so take regular snapshots of your EBS volumes; a snapshot is how you recover if the volume or the zone is lost.
Amazon Simple Storage Service (Amazon S3) is a service that provides object-level storage. Amazon S3 stores data as objects in buckets. In object storage, each object consists of data, metadata, and a key.
- Amazon S3 Standard provides high availability for objects.
- Amazon S3 Standard-IA is ideal for data infrequently accessed but requires high availability when needed
- S3 One Zone-IA stores data in a single Availability Zone.
- In the S3 Intelligent-Tiering storage class, Amazon S3 monitors objects’ access patterns.
- S3 Glacier Flexible Retrieval is a low-cost storage class that is ideal for data archiving.
- S3 Deep Archive supports long-term retention and digital preservation for data that might be accessed once or twice in a year.
- Amazon S3 Outposts delivers object storage to your on-premises AWS Outposts environment.
Amazon Elastic File System (Amazon EFS) is a scalable file system used with AWS Cloud services and on-premises resources. As you add and remove files, Amazon EFS grows and shrinks automatically. Amazon EFS is a regional service. It stores data in and across multiple Availability Zones.
Amazon Relational Database Service (Amazon RDS) supports the major relational database engines and adds automated patching, backups, redundancy, failover, and disaster recovery, all of which you would otherwise manage yourself. Amazon Aurora is an enterprise-class relational database. It is compatible with MySQL and PostgreSQL. It replicates six copies of your data across three Availability Zones and continuously backs up your data to Amazon S3. Relational databases use structured query language (SQL) to store and query data.
Amazon DynamoDB is a serverless database, meaning you don't need to manage the underlying instances or infrastructure powering it. DynamoDB is a NoSQL (non-relational) database. Non-relational databases tend to have simple flexible schemas, not complex rigid schemas, laying out multiple tables that all relate to each other. One type of structural approach for nonrelational databases is key-value pairs. Not every item in the table has to have the same attributes. Amazon DynamoDB is a key-value database service. It delivers single-digit millisecond performance at any scale.
Amazon Redshift is data warehousing as a service. It scales massively; clusters holding multiple petabytes are common. When you need big data BI solutions, Redshift lets you get started with a single API call.
AWS Database Migration Service (AWS DMS) helps customers migrate existing databases to AWS securely and with minimal effort. The source database remains fully operational during the migration, minimizing downtime for applications that rely on it. The source and target databases do not have to be of the same type.
Amazon DocumentDB is a document database suited to content management, catalogs, and user profiles. Amazon Quantum Ledger Database (Amazon QLDB) is an immutable, cryptographically verifiable system of record: entries can never be removed from its journal. Amazon ElastiCache provides caching layers without your team doing the heavy lifting of launching, scaling, and maintaining cache nodes; it comes in both Memcached and Redis flavors. DynamoDB Accelerator (DAX) is a native caching layer for DynamoDB designed to dramatically improve read times. Amazon Neptune is a graph database service.
With the shared responsibility model, AWS controls security of the cloud and customers control security in the cloud. AWS Identity and Access Management (IAM) enables you to manage access to AWS services and resources securely. The root user is accessed by signing in with the email address and password that you used to create your AWS account. Do not use the root user for everyday tasks. Instead, use the root user to create your first IAM user and assign it permissions to create other users. An IAM group is a collection of IAM users. When you assign an IAM policy to a group, all users in the group are granted permissions specified by the policy. In IAM, multi-factor authentication (MFA) provides an extra layer of security for your AWS account.
You can use AWS Organizations to consolidate and manage multiple AWS accounts within a central location. Group accounts into organizational units (OUs) to make it easier to manage accounts with similar business or security requirements.
AWS Artifact is a service that provides on-demand access to AWS security and compliance reports and select online agreements. AWS Artifact consists of two main sections: AWS Artifact Agreements and AWS Artifact Reports.
The Customer Compliance Center contains resources to help you learn more about AWS compliance.
A denial-of-service (DoS) attack is a deliberate attempt to make a website or application unavailable to users. In a distributed denial-of-service (DDoS) attack, multiple sources are used to start an attack that aims to make a website or application unavailable. AWS Shield is a service that protects applications against DDoS attacks. AWS Shield provides two levels of protection: Standard and Advanced.
AWS Key Management Service (AWS KMS) lets you perform encryption operations using cryptographic keys. A cryptographic key is a random string of bits used to encrypt and decrypt data. With AWS KMS you create, manage, and use these keys; the key material stays inside the service and is used through API calls rather than being exported to your code.
AWS WAF is a web application firewall that lets you monitor and filter the HTTP(S) requests that reach your web applications; the allow and block rules are defined in a web ACL.
Amazon Inspector helps to improve the security and compliance of applications by running automated security assessments. It checks applications for security vulnerabilities and deviations from security best practices, such as open access to Amazon EC2 instances and installations of vulnerable software versions.
Amazon GuardDuty is a service that provides intelligent threat detection for your AWS infrastructure and resources. It identifies threats by continuously monitoring the network activity and account behavior within your AWS environment.
Amazon CloudWatch is a web service that enables you to monitor and manage various metrics and configure alarm actions based on data from those metrics. CloudWatch uses metrics to represent the data points for your resources. AWS services send metrics to CloudWatch. With CloudWatch, you can create alarms that automatically perform actions if the value of your metric has gone above or below a predefined threshold. The CloudWatch dashboard feature enables you to access all the metrics for your resources from a single location.
AWS CloudTrail records API calls for your account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, and more. Within CloudTrail, you can also enable CloudTrail Insights. This optional feature allows CloudTrail to automatically detect unusual API activities in your AWS account.
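CloudTrail only pays off if someone reads it. The following is an added example, not course code, of detection logic run over CloudTrail records: it flags any use of the root user, console logins that succeeded without MFA, and API calls that tamper with the trail itself, then counts findings per source address. The records are constructed to follow CloudTrail's JSON layout (userIdentity, eventName, sourceIPAddress, additionalEventData, responseElements); the account ID, user names, addresses and timestamps are made up.

```python
"""Detection rules run over CloudTrail records.

Added example, not course code. The records below are constructed to
follow CloudTrail's JSON layout; account ID, names, IPs and times are
made up.
"""
import json
from collections import Counter

SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-01T09:12:44Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "111122223333"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-01T09:15:02Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "Root", "accountId": "111122223333"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-01T09:16:10Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "Root", "accountId": "111122223333"},
     "requestParameters": {"userName": "backup-svc"}},
    {"eventTime": "2024-05-01T09:20:31Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "111122223333"}},
    {"eventTime": "2024-05-01T09:21:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "111122223333"}},
]})

# API calls that weaken or disable the audit trail itself.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def load_records(text):
    return json.loads(text)["Records"]


def actor(record):
    """Human-readable principal: 'root' for the root user, else the IAM user name."""
    ident = record.get("userIdentity", {})
    if ident.get("type") == "Root":
        return "root"
    return ident.get("userName") or ident.get("arn", "unknown")


def detect(records):
    """Apply three rules to each record; one record can produce several findings."""
    findings = []
    for r in records:
        base = {"event": r["eventName"], "actor": actor(r),
                "ip": r.get("sourceIPAddress"), "time": r["eventTime"]}
        # Rule 1: the root user should never be used for day-to-day work.
        if r.get("userIdentity", {}).get("type") == "Root":
            findings.append({"rule": "root-usage", **base})
        # Rule 2: a successful console login without MFA.
        if (r["eventName"] == "ConsoleLogin"
                and r.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and r.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            findings.append({"rule": "console-login-without-mfa", **base})
        # Rule 3: someone is switching off or reshaping the trail.
        if r["eventName"] in TRAIL_TAMPERING:
            findings.append({"rule": "trail-tampering", **base})
    return findings


def findings_by_ip(findings):
    """Count findings per source address to see one address behind several."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    hits = detect(load_records(SAMPLE_TRAIL))
    for f in hits:
        print(f"{f['time']} {f['rule']:<26} {f['actor']:<6} {f['event']} from {f['ip']}")
    print(findings_by_ip(hits))
```

On the constructed records every finding comes from the same address: a root console login without MFA, a root-issued access key for another user, and then StopLogging. That sequence, not any single event, is what an analyst would act on, which is why the per-address count is part of the output.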
AWS Trusted Advisor is a web service that inspects your AWS environment and provides real-time recommendations in accordance with AWS best practices. It evaluates your resources against five categories: cost optimization, performance, security, fault tolerance, and service limits. You can set up email alerts that go out to billing, operations, and security contacts as checks run in your account. Review the completed checks on the Trusted Advisor dashboard in the AWS Management Console and act on them; the security checks include findings such as security groups with unrestricted access and MFA not enabled on the root user.
The AWS Free Tier enables you to begin using certain services without having to worry about incurring costs for the specified period.
- Always Free
- 12 Months Free
Under Always Free, AWS Lambda allows 1 million free requests and up to 3.2 million seconds of compute time per month, and Amazon DynamoDB allows 25 GB of free storage per month. The 12 Months Free offers include Amazon S3 Standard storage, a monthly allowance of Amazon EC2 compute hours, and an amount of Amazon CloudFront data transfer out. Short-term free trials start from the date you activate a particular service; the length of each trial varies by number of days or by the amount of usage in the service. Beyond the Free Tier, AWS services are billed pay-as-you-go.
The AWS Pricing Calculator lets you explore AWS services and create an estimate for the cost of your use cases on AWS. A Compute Savings Plan offers lower compute costs in exchange for committing to a consistent amount of usage over a 1-year or 3-year term. With Amazon EC2, you pay for only the compute time that you use while your instances are running.
Use the AWS Billing & Cost Management dashboard to pay your AWS bill, monitor your usage, and analyze and control your costs. It also gives you access to your bill itself and to other billing tools, such as Cost Explorer and Budgets.
AWS Organizations is a service that enables you to manage multiple AWS accounts from a central location. It also provides consolidated billing, so you receive a single bill for all AWS accounts in your organization.
In AWS Budgets, you can create budgets to plan your service usage, service costs, and instance reservations. The information in AWS Budgets updates three times a day. AWS Cost Explorer is a tool that lets you visualize, understand, and manage your AWS costs and usage over time.
AWS offers four paid Support plans, in addition to Basic Support, to help you troubleshoot issues, lower costs, and use AWS services efficiently. Basic Support is free for all AWS customers. It includes access to whitepapers, documentation, and support communities, and you can contact AWS for billing questions and service limit increases. You can choose from the following Support plans to meet your company's needs:
- Developer
- Business
- Enterprise On-Ramp
- Enterprise
The Enterprise On-Ramp and Enterprise Support plans include access to a Technical Account Manager (TAM).
At the highest level, the AWS Cloud Adoption Framework (AWS CAF) organizes guidance into six areas of focus, called Perspectives. Each Perspective addresses distinct responsibilities. The planning process helps the right people across the organization prepare for the changes ahead. In general, the Business, People, and Governance Perspectives focus on business capabilities, whereas the Platform, Security, and Operations Perspectives focus on technical capabilities.
When migrating applications to the cloud, six of the most common migration strategies that you can implement are (the 6 Rs):
- Rehosting (lift and shift)
- Replatforming (lift, tinker, and shift)
- Refactoring/re-architecting
- Repurchasing
- Retaining
- Retiring
The AWS Snow Family is a collection of physical devices that help to physically transport up to exabytes of data into and out of AWS. AWS Snow Family is composed of AWS Snowcone, AWS Snowball, and AWS Snowmobile.
AWS Lambda is an example of a service that you can use to run serverless applications. If you design your architecture to trigger Lambda functions to run your code, you can bypass the need to manage a fleet of servers.
AWS offers Amazon SageMaker to remove the difficult work from the process and empower you to build, train, and deploy ML models quickly.
AWS offers a variety of services powered by artificial intelligence (AI). Get code recommendations while writing code and identify security issues in your code with Amazon CodeWhisperer. Convert speech to text with Amazon Transcribe. Discover patterns in text with Amazon Comprehend. Identify potentially fraudulent online activities with Amazon Fraud Detector. Build voice and text chatbots with Amazon Lex.
The AWS Well-Architected Framework helps you understand how to design and operate reliable, secure, efficient, and cost-effective systems in the AWS Cloud. It provides a way for you to consistently measure your architecture against best practices and design principles and identify areas for improvement.
The Well-Architected Framework is based on six pillars:
- Operational excellence
- Security
- Reliability
- Performance efficiency
- Cost optimization
- Sustainability
Advantages of AWS
Operating in the AWS Cloud offers many benefits over computing in on-premises or hybrid environments.
- Trade upfront expense for variable expense.
- Benefit from massive economies of scale.
- Stop guessing capacity.
- Increase speed and agility.
- Stop spending money running and maintaining data centers.
- Go global in minutes.
The AWS Certified Cloud Practitioner exam includes four domains:
- Cloud Concepts
- Security and Compliance
- Technology
- Billing and Pricing
AWS Technical Essentials
Cloud computing provides developers and IT departments with the ability to focus on what matters most by avoiding work like procurement, maintenance, and capacity planning. Cloud computing is the on-demand delivery of IT resources over the internet with primarily pay-as-you-go pricing. Using cloud computing saves time during setup and removes redundant and unnecessary tasks. Six advantages of cloud computing:
- The cloud computing model is based on paying only for the resources that you use.
- Because usage from hundreds of thousands of customers is aggregated in the cloud, AWS can achieve higher economies of scale, which translates into lower pay-as-you-go prices.
- With cloud computing you can access as much or as little capacity as you need, and scale up and down as required with only a few minutes notice.
- You reduce the time to make resources available to developers from weeks to minutes.
- With cloud computing, you can focus on your customers, rather than racking, stacking, and powering physical infrastructure.
- Applications can be deployed in multiple Regions around the world with a few clicks.
In AWS, this physical infrastructure makes up the AWS Global Infrastructure, in the form of Regions and Availability Zones. Regions are geographic locations worldwide where AWS hosts its data centers.
Inside every Region is a cluster of Availability Zones. An Availability Zone consists of one or more data centers with redundant power, networking, and connectivity. These data centers operate in discrete facilities in undisclosed locations. They are connected using redundant high-speed and low-latency links. Depending on the AWS service that you use, your resources are either deployed at the Availability Zone, Region, or Global level. To keep your application available, you must maintain high availability and resiliency. A well-known best practice for cloud architecture is to use Region-scoped, managed services. At a minimum, you should use two Availability Zones.
Edge locations are global locations where content is cached. Amazon CloudFront delivers your content through a worldwide network of edge locations. One way to manage cloud resources is through the web-based console, where you log in and choose the desired service. This can be the easiest way to create and manage resources when you first begin working with the cloud.
The AWS CLI is a unified tool that you can use to manage AWS services. You can download and configure one tool that you can use to control multiple AWS services from the command line, and automate them with scripts.
AWS shared responsibility model. AWS is responsible for security of the cloud. This means that AWS protects and secures the infrastructure that runs the services offered in the AWS Cloud. Customers are responsible for security in the cloud. When using any AWS service, the customer is responsible for properly configuring the service and their applications, in addition to ensuring that their data is secure. A key concept is that customers maintain complete control of their data and are responsible for managing the security related to their content.
When you first create an AWS account, you begin with a single sign-in identity that has complete access to all AWS services and resources in the account. This identity is called the AWS root user and is accessed by signing in with the email address and password that were used to create the account. The root user has complete access to all AWS services and resources in your account, including your billing and personal information. Therefore, you should securely lock away the credentials associated with the root user and not use the root user for everyday tasks. Using MFA adds an additional layer of security because it requires users to use a supported MFA mechanism in addition to their regular sign-in credentials. Activating MFA on the AWS root user account is an AWS best practice.
When you configure access to any account, two terms come up frequently: authentication and authorization. Although these terms might seem basic, you must fully understand them to properly configure access management on AWS.
When you create your AWS account, you use the combination of an email address and a password to verify your identity. If a user types in the correct email address and password, the system assumes the user is allowed to enter and grants them access. This is the process of authentication.
Authorization is the process of giving users permission to access AWS resources and services. Authorization determines whether a user can perform certain actions, such as read, edit, delete, or create resources. AWS Identity and Access Management (IAM) is an AWS service that helps you manage access to your AWS account and resources. It also provides a centralized view of who and what are allowed inside your AWS account (authentication), and who and what have permissions to use and work with your AWS resources (authorization).
An IAM user represents a person or service that interacts with AWS. You define the user in your AWS account. Any activity done by that user is billed to your account. When you create a user, that user can sign in to gain access to the AWS resources inside your account. An IAM group is a collection of users. All users in the group inherit the permissions assigned to the group. This makes it possible to give permissions to multiple users at once. It’s a more convenient and scalable way of managing permissions for users in your AWS account.
To manage access and provide permissions to AWS services and resources, you create IAM policies and attach them to an IAM identity (a user, group, or role). Whenever an IAM identity makes a request, AWS evaluates the policies associated with it. Most policies are stored in AWS as JSON documents made of a Version and one or more Statement elements, each with an Effect (Allow or Deny), an Action, a Resource, and optionally a Condition.
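How those policy elements combine is the part worth understanding before you write any: an explicit Deny in any applicable statement wins, otherwise an explicit Allow is required, and a request that matches nothing is implicitly denied. The following is an added example, not course code and not the IAM policy simulator, that implements exactly that decision logic for identity-based policies within one account and also shows how a user inherits a group's policy as described above. The policies, user and group names, and ARNs are constructed; Condition elements, resource-based policies, permissions boundaries and service control policies are out of scope.

```python
"""Minimal evaluator for IAM identity-based policies.

Added example, not course code and not the IAM policy simulator.
Policies, identities and ARNs are constructed; Condition elements,
resource-based policies, permissions boundaries and SCPs are not modelled.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_sensitive):
    """IAM wildcard match: '*' is any run of characters, '?' one character.
    Action names are case-insensitive; resource ARNs are matched as written."""
    if not case_sensitive:
        value = value.lower()
    return any(fnmatchcase(value, p if case_sensitive else p.lower())
               for p in _as_list(patterns))


def _statement_applies(stmt, action, resource):
    if "Action" in stmt:
        action_ok = _matches(stmt["Action"], action, case_sensitive=False)
    else:
        action_ok = not _matches(stmt["NotAction"], action, case_sensitive=False)
    if "Resource" in stmt:
        resource_ok = _matches(stmt["Resource"], resource, case_sensitive=True)
    else:
        resource_ok = not _matches(stmt["NotResource"], resource, case_sensitive=True)
    return action_ok and resource_ok


def is_allowed(policies, action, resource):
    """Evaluate every statement of every attached policy for one request."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return False        # explicit deny: stop immediately
            allowed = True          # explicit allow, unless a deny turns up later
    return allowed                  # False here is the implicit deny


# Constructed policies. READ_LOGS is attached to the "analysts" group, so
# every member inherits it; POWER plus DENY_IAM are attached to one user.
READ_LOGS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::corp-logs", "arn:aws:s3:::corp-logs/*"]}]}
POWER = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_IAM = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "iam:*", "Resource": "*"}]}

GROUP_POLICIES = {"analysts": [READ_LOGS]}
USER_POLICIES = {"alice": [], "bob": [POWER, DENY_IAM]}
USER_GROUPS = {"alice": ["analysts"], "bob": []}


def policies_for(user):
    """A user's effective identity policies: the groups' policies plus their own."""
    inherited = [p for g in USER_GROUPS.get(user, []) for p in GROUP_POLICIES.get(g, [])]
    return inherited + USER_POLICIES.get(user, [])


def can(user, action, resource):
    return is_allowed(policies_for(user), action, resource)


if __name__ == "__main__":
    checks = [("alice", "s3:GetObject", "arn:aws:s3:::corp-logs/2024/app.log"),
              ("alice", "s3:PutObject", "arn:aws:s3:::corp-logs/2024/app.log"),
              ("alice", "s3:GetObject", "arn:aws:s3:::other-bucket/x"),
              ("bob", "ec2:RunInstances", "arn:aws:ec2:us-east-1:111122223333:instance/*"),
              ("bob", "iam:CreateUser", "arn:aws:iam::111122223333:user/evil")]
    for user, action, resource in checks:
        verdict = "ALLOW" if can(user, action, resource) else "DENY"
        print(f"{user:<6} {action:<18} {resource}: {verdict}")
```

Two things the output makes concrete: alice's group policy is least privilege (reads on one bucket only, so a write or another bucket is implicitly denied), and bob's `"Action": "*"` grant cannot be used to escalate through IAM because the attached Deny is evaluated regardless of the order in which the policies were attached.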
The first building block that you need to host an application is a server. Servers can usually handle HTTP requests and send responses to clients following the client-server model. At a fundamental level, three types of compute options are available: virtual machines (VMs), container services, and serverless. EC2 instances are a combination of virtual processors (vCPUs), memory, network, and, in some cases, instance storage and graphics processing units (GPUs). When you create an EC2 instance, you need to choose how much you need of each of these components.