AWS Architect


AWS and cloud computing

Gartner

AWS vs on-premises
AWS platform, infrastructure

Regions
AWS Services

Compute
EC2 - AMI

EC2 instance types

EC2 pricing model

ECS (EC2 Container Service) cluster

AWS Lambda

Storage and content delivery

EBS (Elastic Block Store)
EBS is replicated automatically within its AZ; snapshots are backed up to S3

EBS types
S3

Glacier backup, $0.01 per GB per month

Lifecycle from S3 to Glacier

Snowball
Snowball use
CloudFront

Database

Amazon RDS
Managed relational databases
Amazon RDS key benefits

Amazon DynamoDB

AWS DMS (Database Migration Service)

Redshift, data warehouse and analytics

SQL data warehouse

Amazon VPC
VPC connections - gateway connections

MANAGEMENT TOOLS

Amazon CloudWatch - resource and application monitoring

AWS CloudFormation - templates for AWS resource creation

AWS Trusted Advisor - best-practice scan
Best practice recommendations:
- Cost optimization
- Performance
- Security
- Fault tolerance

SECURITY AND IDENTITY

IAM -> Identity and Access Management

Access controls

AWS WAF -> web application firewall, protects web applications

ANALYTICS

Amazon EMR
Web service for processing large amounts of data with the Apache Hadoop framework

Amazon Kinesis
Streaming data - Firehose
APPLICATION SERVICES

Amazon API Gateway

Amazon SQS
AMAZON WORKSPACES

DEVOPS:
AWS CodePipeline

AWS CodeCommit

AWS Cloud Migration

Migration tools:

Unmanaged migration tools

S3 migration: up to 5 GB per single PUT operation
Glacier migration: for smaller data sets; archives larger than 100 MB should be uploaded with
multipart upload

Managed migration tools

Application Discovery Service

Server Migration Service

Web, IoT, Mobile, Big Data
Traditional web architecture

AWS architecture

AWS Mobile
AWS IoT

supports HTTP, MQTT

AWS Big Data

AWS Security

Shared security responsibility model

EC2 firewall (security groups), default deny

AWS database security
AWS S3 security - storage security

AWS security certifications

Six advantages
- Global in minutes
- Variable vs capital expense
- Stop guessing capacity
- Economies of scale
- Focus on business differentiators
- Increase speed and agility

Cloud deployment models:

- All-in (cloud only)
- Hybrid

Global locations
- Regions: separate geographic areas
- Availability Zones: multiple isolated locations within a region

Resources aren’t replicated across regions unless organizations choose to do so.

- Each Availability Zone is also isolated, but the Availability Zones in a region are connected
through low-latency links.
- Availability Zones are all redundantly connected to multiple tier-1 transit providers.
- You can achieve high availability by deploying your application across multiple Availability Zones.
Redundant instances for each tier (for example, web, application, and database) of an application
should be placed in distinct Availability Zones, thereby creating a multisite solution. At a minimum,
the goal is to have an independent copy of each application stack in two or more Availability
Zones.

Compute and network services

EC2
Lambda: runs code on compute managed by AWS, with no instances to administer
Auto Scaling
Elastic Load Balancing: load balancing across EC2 instances
Elastic Beanstalk: deploy code
Amazon VPC (Virtual Private Cloud)
AWS Direct Connect
Amazon Route 53: DNS service

Storage and Content Delivery

Amazon Simple Storage Service (S3)

Amazon Glacier: archive
Amazon Elastic Block Store (EBS): persistent block-level storage volumes
AWS Storage Gateway: on-premises software appliance backed by cloud storage
Amazon CloudFront: content delivery web service

Database Service

Amazon RDS: HA, fault tolerance; manages time-consuming administration tasks such as backups,
replication, software patching, monitoring and scaling.
Amazon DynamoDB: NoSQL database
Amazon Redshift: BI / data warehouse
Amazon ElastiCache

Management tools

Amazon CloudWatch
AWS CloudFormation

AWS CloudTrail: records every AWS API call made in the account (console, SDK, CLI) for logging and auditing
AWS Config

Security and Identity

AWS Identity and Access Management (IAM): users, groups, roles and permissions

AWS Key Management Service (KMS): encryption keys
AWS Directory Service: connect to, or run, Microsoft Active Directory
AWS Certificate Manager: SSL/TLS certificates, applied to an Elastic Load Balancer, for example
AWS WAF

Application Services

Amazon API Gateway: creates APIs as front doors to back-end services

Amazon Elastic Transcoder: convert media
Amazon SNS (Simple Notification Service): publish/subscribe messaging; publishers send to a topic and
subscribers (HTTP endpoints, email, SMS, SQS queues, Lambda functions) receive pushed notifications
Amazon SES (Simple Email Service)
Amazon SWF (Simple Workflow Service): coordinates the tasks of a distributed application as a workflow
Amazon SQS (Simple Queue Service)
AMAZON S3
S3 objects are private by default; only the owner has access.

The difference between object storage and block or file storage is that object storage is accessed at the
application level (an HTTP API), while block storage is accessed at the operating-system level.

Common uses for S3:

- Backup and archive for on-premises storage
- Content, media and software distribution
- Big data analytics
- Static website hosting
- Disaster recovery

Storage Classes:
- General purpose
- Infrequent access
- Archive

Lifecycle policies
Glacier -> cold data
There are no sub-buckets.
A bucket cannot be mounted as a file system; you cannot open an object in place, install an OS or run a database on it.
S3 objects are automatically replicated across multiple devices and facilities within a region.
Every S3 object must be in a bucket.
Bucket names are globally unique, like DNS names.
Up to 100 buckets per account (default limit).
Each bucket is created in a specific region.
Objects can be up to 5 TB; a single bucket can store an unlimited number of objects.
System metadata and user metadata (optional key/value pairs that tag an object).
Object keys must be unique within a bucket.
S3 operations:
- Create/delete a bucket
- Write an object
- Read an object
- List keys

Amazon S3 storage is designed for 99.999999999% (eleven nines) durability and 99.99% availability of objects
over a year.
RRS trades durability for lower cost: 99.99% durability.
PUTs of new objects give read-after-write consistency; overwrite PUTs and DELETEs were eventually
consistent while the change replicated to all zones (as documented at the time of these notes).
S3 access control: by default only the account that creates a bucket or object has access.
- ACLs: grant read, write or full-control on an object or bucket
- Bucket policies: recommended; attached to the bucket rather than to an IAM principal, they specify
who can access, from where (for example a source IP range) and under what conditions (for example a time window)
- IAM policies on users, groups and roles
- Query-string authentication (pre-signed URLs)

Static website hosting

S3 Storage Classes:
- S3 Standard: offers high durability, high availability, low latency and high throughput for general
purpose storage
- S3 Standard-IA: same durability as Standard but designed for long-lived, infrequently accessed
data; minimum billable object size of 128 KB, minimum storage duration of 30 days.
- S3 RRS (Reduced Redundancy Storage): lower durability (99.99%), for data that is easy to
reproduce, such as thumbnails.
- Glacier: for data that does not need real-time access; archive and backup purposes. A restore takes
3 to 5 hours and places a temporary copy in RRS while the original stays in Glacier; up to 5% of the
stored data per month could be retrieved free (legacy pricing).
Retrieval policies
Glacier can be reached through the S3 API (lifecycle transitions) and also has its own native API (vaults and archives).

S3 Object Lifecycle Management is the equivalent of storage tiering:

- Hot data -> frequent access
- Warm data -> infrequent access
- Cold data -> long-term backup or archive
S3 lifecycle configuration rules automate the tiering.
A lifecycle configuration is attached to a bucket and applies to all objects in the bucket or to the objects
sharing a key prefix.

S3 Encryption
In transit -> TLS (HTTPS) for API access.
At rest -> server-side encryption (SSE), performed by S3 with 256-bit AES using keys from S3 or KMS,
or client-side encryption (CSE), where data is encrypted before it is sent to S3.
- SSE-S3 (S3-managed keys) -> fully managed by AWS and enabled with a checkbox; each object gets
its own key, which is itself encrypted with a master key that AWS rotates regularly.
- SSE-KMS (KMS-managed keys) -> adds auditing on top of SSE-S3: who used the key to access which
object, including failed attempts, plus separate permissions on the key itself.
- SSE-C (customer-provided key) -> AWS performs the encryption/decryption with a key the client sends
with each request; AWS does not store the key, so the client controls it.
- Client-side encryption -> data is encrypted on the client before upload; two options for the data
encryption keys:
  o KMS-managed customer master key
  o Client-side master key
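The access-control and encryption rules above are enforced in practice by a bucket policy. The following added example (not part of the original notes) models a policy that combines the three controls just described, a source-IP restriction on who may use the bucket, a deny on any request that is not over TLS, and a deny on uploads that do not request SSE-KMS, and evaluates requests against it with IAM's precedence rules (explicit Deny beats Allow, anything unmatched is implicitly denied). The account ID, role name and bucket name are placeholders, and the evaluator only models the condition operators the policy uses; it treats a missing request key as a non-match for every operator except Null, which is why the policy carries both a StringNotEquals statement and a Null statement, following the documented AWS pattern for requiring SSE-KMS.

```python
"""Minimal evaluator for the kind of S3 bucket policy described above.

Added example, not from the original notes. Implements the IAM decision
order (explicit Deny wins, then explicit Allow, otherwise implicit deny)
for the subset of the policy language needed to enforce a source-IP
restriction, TLS-only access and SSE-KMS on every upload. The account ID,
role name and bucket name are placeholders.
"""
import ipaddress
from fnmatch import fnmatchcase

APP_ROLE = "arn:aws:iam::111122223333:role/app-role"  # placeholder principal
BUCKET = "arn:aws:s3:::example-bucket"                # placeholder bucket

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # who may access, and from where
            "Sid": "AllowAppRoleFromOffice",
            "Effect": "Allow",
            "Principal": {"AWS": APP_ROLE},
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": BUCKET + "/*",
            "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
        },
        {   # in transit: refuse anything not sent over TLS
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [BUCKET, BUCKET + "/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {   # at rest: refuse uploads that ask for anything other than SSE-KMS
            "Sid": "DenyNonKmsUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": BUCKET + "/*",
            "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
        },
        {   # ... and uploads that send no encryption header at all
            "Sid": "DenyUnencryptedUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": BUCKET + "/*",
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller):
    if principal == "*":
        return True
    return caller in _as_list(principal.get("AWS", []))


def _condition_matches(condition, ctx):
    """Every operator/key pair in the Condition block must match (logical AND)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = _as_list(expected)
            actual = ctx.get(key)
            if operator == "Null":
                if (actual is None) != (expected[0].lower() == "true"):
                    return False
            elif actual is None:          # missing key: the other operators do not match
                return False
            elif operator == "Bool":
                if str(actual).lower() != expected[0].lower():
                    return False
            elif operator == "StringEquals":
                if actual not in expected:
                    return False
            elif operator == "StringNotEquals":
                if actual in expected:
                    return False
            elif operator == "IpAddress":
                ip = ipaddress.ip_address(actual)
                if not any(ip in ipaddress.ip_network(c) for c in expected):
                    return False
            else:
                raise ValueError(f"operator not modelled here: {operator}")
    return True


def evaluate(policy, caller, action, resource, ctx):
    """Return 'Allow' or 'Deny' for one request, using IAM's precedence."""
    decision = "Deny"  # implicit deny until an Allow statement matches
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt["Principal"], caller):
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"   # an explicit deny can never be overridden
        decision = "Allow"
    return decision


def request_context(tls=True, ip="203.0.113.10", sse=None):
    """Build the request-context keys S3 would populate for a call."""
    ctx = {"aws:SecureTransport": "true" if tls else "false", "aws:SourceIp": ip}
    if sse is not None:
        ctx["s3:x-amz-server-side-encryption"] = sse
    return ctx
```

Run `evaluate(BUCKET_POLICY, APP_ROLE, "s3:PutObject", BUCKET + "/k", request_context(sse="AES256"))` and the result is "Deny" even though the first statement allows the role: the deny statements are matched independently and win. The same policy, pasted into the bucket, is what turns the SSE and TLS advice above into something a client cannot bypass.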

S3 Versioning
Protects data against malicious or accidental damage (overwrites and deletes); each object version is
identified by a version ID.
Versioning is enabled on the bucket; once enabled it cannot be disabled, only suspended.
- MFA Delete: requires an additional authentication factor to delete an object version or to change
the versioning state of a bucket. It can be enabled only by the root account.
- Pre-signed URLs: share objects temporarily by creating a pre-signed URL; to create one you
use your security credentials and specify the bucket name, object key, HTTP method and an
expiration date and time. The URL only works for the specified duration.
- Multipart Upload: for uploading or copying large objects with the Multipart Upload API, with the
ability to pause and resume.
  o Three steps: initiation, uploading parts, completion or abort.
  o Should use multipart upload for objects larger than 100 MB.
  o Must use multipart upload for objects larger than 5 GB.
  o A lifecycle policy can delete incomplete multipart uploads.
- Range GETs: it is possible to download a portion of an object.
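What a pre-signed URL actually contains is easier to reason about when you build one by hand. The following added example (not part of the original notes) produces an S3 pre-signed GET URL using query-string authentication with Signature Version 4 and only the Python standard library; in practice you would call boto3's generate_presigned_url, which does the same work. The access key, secret, bucket and object are the placeholder values from AWS's SigV4 documentation, not real credentials, and `presign_get`, `presign_docs_example` and `MAX_EXPIRES` are names chosen for this example.

```python
"""Build an S3 pre-signed GET URL (query-string authentication, SigV4)
with nothing but the standard library.

Added example, not from the original notes. The credentials, bucket and
object are the placeholder values from AWS's SigV4 documentation.
"""
import datetime as dt
import hashlib
import hmac
from urllib.parse import quote

MAX_EXPIRES = 7 * 24 * 3600  # S3 rejects X-Amz-Expires above 604800 seconds


def _hmac(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def presign_get(bucket, key, access_key, secret_key, region, expires,
                now=None, endpoint="s3.amazonaws.com"):
    """Return a virtual-hosted-style URL valid for `expires` seconds from `now`."""
    if not 1 <= expires <= MAX_EXPIRES:
        raise ValueError("expires must be between 1 and 604800 seconds")
    now = now or dt.datetime.now(dt.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    host = f"{bucket}.{endpoint}"
    scope = f"{date_stamp}/{region}/s3/aws4_request"

    # Query parameters that form part of the signed material.
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    canonical_qs = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
        for k, v in sorted(params.items())
    )
    canonical_uri = quote("/" + key, safe="/-_.~")

    # Canonical request: method, URI, query, headers (plus a blank line),
    # signed header names, and the payload hash (UNSIGNED-PAYLOAD for pre-signed S3 URLs).
    canonical_request = "\n".join([
        "GET", canonical_uri, canonical_qs,
        f"host:{host}\n", "host", "UNSIGNED-PAYLOAD",
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])

    # Derive the per-date/region/service signing key, then sign.
    k = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    for part in (region, "s3", "aws4_request"):
        k = _hmac(k, part)
    signature = hmac.new(k, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()

    return f"https://{host}{canonical_uri}?{canonical_qs}&X-Amz-Signature={signature}"


def presign_docs_example():
    """The worked example from the AWS SigV4 query-parameter documentation."""
    return presign_get(
        bucket="examplebucket", key="test.txt",
        access_key="AKIAIOSFODNN7EXAMPLE",
        secret_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        region="us-east-1", expires=86400,
        now=dt.datetime(2013, 5, 24, tzinfo=dt.timezone.utc),
    )
```

Note what the signature covers: the host, the object path, the HTTP method, the date and the expiry. Anyone holding the URL can use it until X-Amz-Expires elapses, so treat it as a bearer token; and it only keeps working while the signing credentials remain valid and permitted to perform the operation (a URL signed with a role's temporary credentials stops working when that session expires, and revoking GetObject from the signer revokes every URL it issued).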

S3 Cross-Region Replication

Replicates all new objects in a bucket from one region to another, asynchronously.
To enable replication, versioning must be enabled on both buckets, and an IAM role/policy must grant S3
permission to replicate the objects.
If replication is enabled on a bucket that is already in use, only new objects are replicated; the existing
objects must be copied separately.

S3 Logging
Server access logging is off by default; the destination bucket for the logs must be specified (it may be the
source bucket itself, although a separate bucket is preferable).
Each log record includes:
- Requester account and IP
- Bucket name
- Request time
- Action (GET, PUT, ...)
- HTTP status and error code
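The log fields listed above are enough to catch the three things most worth alerting on from S3 access logs: anonymous reads that succeeded (the object is effectively public), requests that arrived over plain HTTP, and bursts of AccessDenied responses from one address (enumeration). The following added example (not part of the original notes) parses records in the space-delimited S3 server access log format and applies those checks; the log lines are constructed for the example, with made-up request and host IDs and documentation IP ranges, and `parse_line`, `analyze` and `SAMPLE_LOG` are names chosen here.

```python
"""Scan S3 server access log records for things worth alerting on.

Added example, not from the original notes. The parser follows the
space-delimited S3 server access log format (bracketed timestamp, quoted
request line, referer and user agent, then the trailing fields); the log
lines below are constructed, with made-up IDs and documentation IP ranges.
"""
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<request_uri>[^"]*)" (?P<status>\S+) (?P<error>\S+) (?P<bytes_sent>\S+) '
    r'(?P<object_size>\S+) (?P<total_time>\S+) (?P<turnaround>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"(?P<rest>.*)$'
)
# Fields that follow the user agent in newer records.
TRAILING = ["version_id", "host_id", "signature_version", "cipher_suite",
            "auth_type", "host_header", "tls_version"]

OWNER = "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be"
SAMPLE_LOG = f"""\
{OWNER} example-bucket [06/Feb/2019:00:00:38 +0000] 192.0.2.3 {OWNER} 3E57427F3EXAMPLE REST.GET.OBJECT reports/q1.csv "GET /reports/q1.csv HTTP/1.1" 200 - 2048 2048 12 11 "-" "aws-cli/1.16.0" - hostid1 SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader example-bucket.s3.amazonaws.com TLSV1.2
{OWNER} example-bucket [06/Feb/2019:00:01:02 +0000] 198.51.100.20 - 7B4A0FABBEXAMPLE REST.GET.OBJECT public/logo.png "GET /public/logo.png HTTP/1.1" 200 - 512 512 9 8 "-" "Mozilla/5.0" - hostid2 - - - example-bucket.s3.amazonaws.com TLSV1.2
{OWNER} example-bucket [06/Feb/2019:00:02:10 +0000] 198.51.100.7 {OWNER} 1A2B3C4DEXAMPLE REST.GET.OBJECT secrets/db.env "GET /secrets/db.env HTTP/1.1" 403 AccessDenied 243 - 5 - "-" "python-requests/2.21" - hostid3 SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader example-bucket.s3.amazonaws.com TLSV1.2
{OWNER} example-bucket [06/Feb/2019:00:02:11 +0000] 198.51.100.7 {OWNER} 1A2B3C4EEXAMPLE REST.GET.OBJECT secrets/app.env "GET /secrets/app.env HTTP/1.1" 403 AccessDenied 243 - 5 - "-" "python-requests/2.21" - hostid4 SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader example-bucket.s3.amazonaws.com TLSV1.2
{OWNER} example-bucket [06/Feb/2019:00:02:12 +0000] 198.51.100.7 {OWNER} 1A2B3C4FEXAMPLE REST.GET.BUCKET - "GET /?list-type=2 HTTP/1.1" 403 AccessDenied 243 - 4 - "-" "python-requests/2.21" - hostid5 SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader example-bucket.s3.amazonaws.com TLSV1.2
{OWNER} example-bucket [06/Feb/2019:00:05:00 +0000] 203.0.113.9 {OWNER} 9F8E7D6CEXAMPLE REST.PUT.OBJECT uploads/a.bin "PUT /uploads/a.bin HTTP/1.1" 200 - - 4096 30 25 "-" "aws-cli/1.16.0" - hostid6 SigV4 - AuthHeader example-bucket.s3.amazonaws.com -
"""


def parse_line(line):
    """Return a dict of named fields, or None if the line is not a log record."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    tail = rec.pop("rest").split()
    rec.update(dict(zip(TRAILING, tail)))  # older records may have fewer trailing fields
    return rec


def analyze(log_text, denied_threshold=3):
    """Apply three detections over a block of log text."""
    findings = {"public_reads": [], "plaintext_http": [], "denied_bursts": {}}
    denied = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # requester "-" means anonymous; a 2xx on GET object means the object is public
        if (rec["requester"] == "-" and rec["operation"] == "REST.GET.OBJECT"
                and rec["status"].startswith("2")):
            findings["public_reads"].append(rec["key"])
        # tls_version is "-" when the request came over plain HTTP
        if rec.get("tls_version", "-") == "-":
            findings["plaintext_http"].append((rec["ip"], rec["key"]))
        if rec["status"] == "403":
            denied[rec["ip"]] += 1
    findings["denied_bursts"] = {ip: n for ip, n in denied.items() if n >= denied_threshold}
    return findings
```

`analyze(SAMPLE_LOG)` reports the anonymous read of public/logo.png, the HTTP upload from 203.0.113.9, and 198.51.100.7 as a source of three AccessDenied responses in a row. The same checks are a reasonable starting point for a scheduled job over the logging bucket.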

S3 Event Notifications
Sent in response to actions taken on S3 objects.
Used to run workflows, send alerts or perform other actions in response to changes in the objects.
Configured at bucket level.
Notif­ications can be delivered to SNS, SQS, or a Lambda function.

For very high request rates, add a random hash as a key prefix to spread load across partitions.

For static sites and frequent queries, put CloudFront in front of the bucket.

AMAZON GLACIER

Archive and long-term backup

Retrieval time of 3 to 5 hours.
Unlimited amount of data.
Data typically consists of large TAR or ZIP files.
Stores data on multiple devices and facilities in a region.
Durability of 99.999999999% (eleven nines) over a year.

Glacier Archives
Data is stored in archives; an archive can contain up to 40 TB of data, and there is no limit on the
number of archives.
Glacier assigns each archive a unique ID; archives are immutable and cannot be modified.
Automatically encrypted.

Glacier Vaults
Glacier vaults are containers for archives; an account can have up to 1000 vaults.
Access is controlled with vault access policies or IAM policies.

Glacier Vault Locks

Create a policy for a vault; once the policy is locked it cannot be edited (write-once, for compliance
retention).

Retrieval of up to 5% of stored data per month was free; retrieval policies applied to a vault can limit the
amount of data retrieved or the retrieval rate to control costs.
AMAZON EC2 - AMAZON EBS
Virtual machine = instance
Two things define a launched instance:
- The amount of virtual hardware dedicated to the instance (controlled by the instance type)
- The software loaded on the instance (controlled by the AMI)

EC2 Instance Types

Instance types vary along the following dimensions:

- vCPU
- Memory
- Storage (size and type)
- Network performance
Instance types are grouped into families.
Within a family, compute and price scale linearly.
Sample instance type families

EC2 Enhanced Networking

Enables Single Root I/O Virtualization (SR-IOV), which gives more packets per second (PPS),
lower latency and lower jitter; supported by C3, C4, D2, I2, M4 and R3.
Requires the appropriate driver and setting an instance attribute.
Supported only on HVM instances launched in a VPC.

Amazon Machine Images (AMI)

Defines the initial software on an instance when it is launched, like a template; AMIs are based on
x86 operating systems, Linux and Windows.

Sources of AMIs:
- Published by AWS: Linux (Ubuntu, Red Hat, Amazon Linux) and Windows Server 2008 and 2012.
- AWS Marketplace
- Generated from existing instances
- Uploaded virtual servers: AWS VM Import/Export service.

EC2 Securely Using an Instance

How instances may be addressed from the internet:

- Public DNS name: generated by AWS when the instance is launched; persists only while the
instance is running, cannot be specified and cannot be transferred
- Public IP: cannot be specified; persists only while the instance is running and cannot be transferred
- Elastic IP: can be transferred and assigned to an instance
- Private IP address: only in a VPC
- Elastic Network Interface: only in a VPC

EC2 Initial Access

AWS uses public-key cryptography to protect login information: the public key encrypts, the
private key decrypts, and the two together are called a key pair.
Key pairs can be created by the user. AWS stores the public key while the user keeps the private
key.
On Linux the public key is placed in ~/.ssh/authorized_keys; the default user on Amazon Linux is
ec2-user.
On Windows the initial local administrator password is recovered by decrypting it with the private key;
change it at first login.

EC2 Virtual Firewall Protection

The virtual firewall is called a security group; it controls traffic based on port, protocol and
source/destination.
Associated with EC2-Classic instances or with VPC instances (their network interfaces).
EC2-Classic security groups control inbound traffic only.
VPC security groups control both inbound and outbound traffic.
Each instance must have at least one security group and may have more.
A security group is default-deny: any traffic not matched by an allow rule is denied.
When several security groups are attached to an instance, their rules are aggregated (a union); a packet
allowed by any of them is allowed.
Security groups are stateful and applied at the instance level.

EC2 Lifecycle

EC2 Bootstrapping
The process of providing code to be run on an instance at launch.
One of the launch parameters is UserData; it is stored unencrypted and is readable from inside the instance,
so it must not contain secrets. It is passed to the OS and executed the first time the instance boots.
The script can:
- Apply patches and updates to the OS
- Enroll in a directory service
- Install application software
- Copy a longer script or program to be run on the instance
- Install Chef or Puppet to manage the server

EC2 VM Import/Export

Import virtual machines as AMIs.

Import virtual machines, and export virtual machines back to an on-premises environment. (Only imported
instances can be exported; instances created from AWS-provided AMIs cannot be exported.)

EC2 Instance Metadata

Information about the instance, exposed as an HTTP tree that is reachable only from inside the instance at
http://169.254.169.254/latest/meta-data/ (user data is served by the same endpoint). It includes the
following attributes:

- Associated security groups
- Instance ID
- Instance type
- AMI used to launch the instance
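Because the metadata endpoint answers any process on the instance, including a web application tricked into making the request, the current service also offers a session-oriented mode (IMDSv2) in which a token must first be obtained with a PUT and then presented on every GET. The following added example (not part of the original notes) reads metadata that way; the endpoint, paths and header names are AWS's documented IMDS API, while `get_metadata`, the injectable `fetch` transport, `FakeIMDS` and the instance ID and user data in the fake are constructed for this example so it runs offline.

```python
"""Read instance metadata the IMDSv2 way: obtain a session token with a
PUT, then send it on every GET.

Added example, not from the original notes. The endpoint, paths and header
names are the documented IMDS API; `fetch` is injectable so the code runs
offline against the constructed FakeIMDS below.
"""
import urllib.error
import urllib.request

IMDS_BASE = "http://169.254.169.254"
TOKEN_TTL_SECONDS = "21600"  # 6 hours, the maximum IMDSv2 allows


def urllib_fetch(method, path, headers):
    """Real transport: (status, body) for one request to the metadata endpoint."""
    req = urllib.request.Request(IMDS_BASE + path, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=2) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, ""


def get_metadata(paths, fetch=urllib_fetch):
    """Fetch each entry of `paths` (relative to /latest/) with an IMDSv2 token.

    Returns {path: body}, with None for paths that do not exist."""
    status, token = fetch("PUT", "/latest/api/token",
                          {"X-aws-ec2-metadata-token-ttl-seconds": TOKEN_TTL_SECONDS})
    if status != 200:
        raise RuntimeError("IMDSv2 token request failed: IMDS disabled or hop limit exceeded?")
    result = {}
    for path in paths:
        status, body = fetch("GET", "/latest/" + path, {"X-aws-ec2-metadata-token": token})
        result[path] = body if status == 200 else None
    return result


class FakeIMDS:
    """Constructed stand-in for the metadata service with IMDSv2 *required*.

    A GET without a valid session token gets 401, which is what stops a
    naive SSRF, or a curl from a compromised application, from reading
    the instance's role credentials and user data."""

    def __init__(self, data):
        self.data = data
        self.token = "fake-session-token"  # a real token is an opaque string

    def __call__(self, method, path, headers):
        if method == "PUT" and path == "/latest/api/token":
            if "X-aws-ec2-metadata-token-ttl-seconds" in headers:
                return 200, self.token
            return 400, ""
        if headers.get("X-aws-ec2-metadata-token") != self.token:
            return 401, ""
        return (200, self.data[path]) if path in self.data else (404, "")


def demo():
    """Read a few documented paths from the fake; values are made up."""
    fake = FakeIMDS({
        "/latest/meta-data/instance-id": "i-0123456789abcdef0",
        "/latest/meta-data/ami-id": "ami-0abcdef1234567890",
        "/latest/meta-data/security-groups": "web-sg",
        # user data is served unencrypted from the same endpoint to any local process
        "/latest/user-data": "#!/bin/bash\nyum update -y\n",
    })
    return get_metadata(["meta-data/instance-id", "meta-data/ami-id",
                         "meta-data/security-groups", "meta-data/instance-type",
                         "user-data"], fetch=fake)
```

On a real instance, call `get_metadata([...])` with the default transport. If the token request fails, IMDS is either disabled on the instance or the request crossed more network hops than the instance's configured limit (containers on the host are the usual case).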

EC2 Managing

- Tags: key/value pairs, up to 10 tags per instance (the limit at the time of these notes)

EC2 Monitoring

AWS offers a service called CloudWatch that provides monitoring and alerting.

EC2 Modify

- Instance type: can be changed to larger or smaller hardware; the instance has to be stopped,
the instance type changed, and the instance started again.
- Security groups: if the instance is in a VPC, security groups can be changed while the instance
is running; in EC2-Classic they cannot be changed after launch.
- Termination protection: can be enabled on an instance to protect it from termination (stopping the
machine and removing it from AWS); the termination request is blocked until the protection is disabled.
It works for manual termination from the console, API or CLI (not for Auto Scaling or Spot interruptions).

EC2 Options
EC2 Pricing Options
- On-Demand Instances: for unpredictable workloads
- Reserved Instances: capacity reservations for predictable workloads with up to 75% discount,
depending on the term commitment (1 or 3 years; the longer the commitment, the
bigger the discount) and the payment option. Payment options:
  o All Upfront: pay the entire reservation up front, no monthly charges.
  o Partial Upfront: pay a portion up front and the rest monthly.
  o No Upfront: pay monthly.
A reserved instance, or a subset of it, can be changed in one or more of the following ways:
  o Switch Availability Zones within the same region
  o Change between VPC and EC2-Classic
  o Change the instance type within the same family (Linux only)
- Spot Instances: for non-critical, interruption-tolerant work (big data, analytics, media
encoding, testing); offers the greatest discounts. The customer specifies the maximum price they are
willing to pay; while that bid is above the current Spot price for the instance type, the customer
receives the instances and pays only for the time they run. The instance runs until:
  o The customer terminates it.
  o The Spot price rises above the customer's bid; AWS notifies the customer two minutes before
terminating it.
  o There is not enough spare capacity for Spot instances.

EC2 Architecting with different pricing models

EC2 Tenancy options:

- Shared tenancy: the default. A single host can run instances from multiple
customers; AWS does not overprovision and fully isolates the instances.
- Dedicated Instances: instances run on hardware dedicated to a single customer.
- Dedicated Hosts: a physical host dedicated to a customer, with control over instance placement.

EC2 Placement Groups

Logical grouping of instances within a single Availability Zone.
Enables applications to use a low-latency, 10 Gbps network between the instances in the group.

EC2 Instance Stores

Instance store, or ephemeral storage: storage provided by the local disks attached to
the host, ideal for temporary information such as caches and buffers that change frequently. HDD or SSD
depending on the instance type; can be used for temporary data or for applications that provide their own
redundancy, such as Hadoop HDFS.
Included in the instance cost.
The data is temporary and is lost when:
- The underlying disk fails.
- The instance stops (data survives a reboot).
- The instance is terminated.

AWS EBS
EBS Basics
Persistent block-level storage volumes.
Automatically replicated within their Availability Zone, offering high availability and durability.
Volume types differ in performance characteristics and price.
An instance can have many EBS volumes, but an EBS volume can be attached to only one instance at a time.

EBS Types
Vary in areas such as:
- Underlying hardware
- Performance
- Cost
- EBS Magnetic volumes: lowest performance and lowest cost, from 1 GB to 1 TB, about
100 IOPS; suited for infrequently accessed data, sequential reads and workloads where low cost is
the main requirement. Billed on provisioned space, not on space used.

- EBS General Purpose SSD: cost-effective storage for a wide range of workloads, from 1
GB to 16 TB, baseline performance of 3 IOPS per GB, capped at 10,000 IOPS or
160 MB/s of throughput; for instance a 1 TB volume gets 3,000 IOPS, but a 5 TB volume gets the
capped value of 10,000 IOPS.
Volumes under 1 TB can burst: a 1 TB volume has a baseline of 3,000 IOPS, while a
volume of 500 GB has 1,500 IOPS, so while it does not use those IOPS they accumulate as credits
that can later be spent to burst up to 3,000 IOPS.
Used where the highest disk performance is not critical: system boot volumes,
small-to-medium databases, development and test environments.

- EBS Provisioned IOPS SSD: for I/O-intensive workloads; the most expensive EBS volume
per GB and the highest performance. Size from 4 GB to 16 TB; you specify not just
the size but also the number of IOPS, at most 30 times the number of GB of the volume or
20,000 IOPS. The IOPS are charged whether they are used or not.
Provides predictable, high performance for critical business applications and large
database workloads needing more than 10,000 IOPS or 160 MB/s of throughput.

- EBS Throughput-Optimized HDD: low-cost HDD volumes for frequently accessed, throughput-intensive
workloads: big data, data warehouses and log processing. Up to 16 TB, max 500 IOPS and max
throughput of 500 MB/s; cheaper than General Purpose SSD.

- EBS Cold HDD: for less frequently accessed workloads, up to 16 TB, max 250 IOPS
and 250 MB/s of throughput; the cheapest HDD type.
EBS volume type comparison

- Amazon EBS-Optimized Instances: instances with dedicated bandwidth between EC2 and EBS to take
full advantage of EBS I/O; they have a higher cost.

EBS Protecting Data

EBS Lifecycle

EBS Backup/Recovery (Snapshots)

Point-in-time snapshots are incremental backups, taken:
- Through the AWS console
- Through the CLI
- Through the API
- On a schedule of regular snapshots
Snapshots are stored in S3; scheduling is free, you pay for the S3 storage used.
A snapshot can be taken while the volume is in use; it stays in the pending state until all blocks have been
transferred to S3. Although stored in S3, snapshots do not appear in your buckets and can only be managed
through the EBS API/console.
Snapshots can only be restored in the same region; to restore in another region, the snapshot
must first be copied there.
- EBS Creating a Volume from a Snapshot
To use a snapshot, create a new EBS volume from it. The volume is created
lazily: blocks are fetched from the snapshot only when first read, so it is good practice to initialize
(pre-read) the volume before putting it into use.
To increase a volume's size, create a larger volume from the snapshot and replace the original.
- EBS Recovering Volumes
A volume from a damaged instance can be attached to another instance: detach it, taking
care of the "DeleteOnTermination" flag so it is detached before the damaged instance is terminated.
- EBS Encryption options
EBS offers native encryption on all volume types. When an encrypted EBS volume is
created, KMS handles key management: a master key is created unless one already exists, and data is
encrypted with AES-256.
Data is encrypted on the media and in transit between the storage and the host. Snapshots of
encrypted volumes are automatically encrypted.

AWS VPC (Virtual Private Cloud)

A custom-defined Amazon Virtual Private Cloud (VPC) is a logically isolated section of AWS.
It is the networking layer of EC2; you control:
- Your own IP address range
- Your own subnets
- Your own route tables
- Network gateways
- Security settings
You can create multiple VPCs within a region; each VPC is logically isolated even if it shares IP address
space with another.
When creating a VPC you must specify an IPv4 address range as a CIDR block.
The VPC address range cannot be changed after creation.
The IPv4 range can be as large as /16 and as small as /28, and should not overlap any other network
to which the VPC will be connected.
There are two different networking platforms, because EC2 was launched before VPC:
- EC2-Classic: AWS accounts created before December 2013 support both platforms.
- EC2-VPC: the only platform for AWS accounts created after December 2013. They get a
default VPC in each region and a default subnet in each AZ; the default CIDR block is
172.31.0.0/16.

VPC Components:

- Subnets
- Route tables
- DHCP option sets
- Security groups
- Network ACLs

VPC Optional Components:

- Internet Gateways (IGWs)
- Elastic IP (EIP) addresses
- Elastic Network Interfaces (ENIs)
- Endpoints
- Peering
- Network Address Translation (NAT) instances and NAT Gateways
- Virtual Private Gateways (VPGs)
- Customer Gateways (CGWs)
- Virtual Private Networks (VPNs)

VPC Subnets

CIDR blocks define subnets.

AWS reserves the first four IP addresses and the last one of every subnet for internal purposes.
You can add one or more subnets in one AZ.
A subnet resides in one AZ and cannot span zones.
1 subnet = 1 AZ
1 AZ = multiple subnets

VPC Subnets Classified

- Public: the route table routes internet traffic to the VPC IGW
- Private: the route table does not direct the subnet's traffic to the IGW
- VPN-only: the route table directs traffic to the VPG and has no route to the IGW.
The internal IP address range of a subnet is always private.
The default VPC contains one public subnet in every AZ within a region, each with a /20 mask.
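The sizing and reservation rules above are easy to get wrong when an address plan is drawn up by hand, and an overlap that slips through blocks peering or a VPN later. The following added example (not part of the original notes) checks a VPC address plan against them: the /16 to /28 VPC range, the /28 minimum subnet size, the five reserved addresses per subnet, containment in the VPC, and no overlap between subnets (the same overlap test applies when checking a peer VPC or a VPN-connected network). The CIDR ranges and function names (`check_vpc_cidr`, `usable_hosts`, `overlaps`, `plan_subnets`) are constructed for this example.

```python
"""Check a VPC address plan against the sizing and reservation rules above.

Added example, not from the original notes. The CIDR ranges are constructed;
the five reserved addresses per subnet, the /16 to /28 VPC range and the
/28 minimum subnet size are AWS's documented limits.
"""
import ipaddress

RESERVED_PER_SUBNET = 5  # first four addresses plus the last one of every subnet


def check_vpc_cidr(cidr):
    """Return the VPC network, rejecting blocks larger than /16 or smaller than /28."""
    net = ipaddress.ip_network(cidr, strict=True)
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{cidr}: a VPC block must be between /16 and /28")
    return net


def usable_hosts(subnet_cidr):
    """Addresses an instance can actually use in the subnet."""
    return ipaddress.ip_network(subnet_cidr, strict=True).num_addresses - RESERVED_PER_SUBNET


def overlaps(cidr_a, cidr_b):
    """True when the two blocks share any address (this blocks peering and VPN routing)."""
    return ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


def plan_subnets(vpc_cidr, subnets):
    """subnets: iterable of (name, cidr, availability_zone).

    Returns {name: usable host count}; raises if a subnet lies outside the VPC,
    is smaller than /28, or overlaps another subnet in the plan."""
    vpc = check_vpc_cidr(vpc_cidr)
    placed = []
    plan = {}
    for name, cidr, _az in subnets:
        net = ipaddress.ip_network(cidr, strict=True)
        if not net.subnet_of(vpc):
            raise ValueError(f"{name} {cidr} is outside VPC {vpc_cidr}")
        if net.prefixlen > 28:
            raise ValueError(f"{name} {cidr} is smaller than the /28 minimum")
        for other_name, other in placed:
            if net.overlaps(other):
                raise ValueError(f"{name} {cidr} overlaps {other_name} {other}")
        placed.append((name, net))
        plan[name] = usable_hosts(cidr)
    return plan


# Constructed plan: a public and a private subnet per AZ, plus a small DB subnet.
EXAMPLE_VPC = "10.0.0.0/16"
EXAMPLE_SUBNETS = [
    ("public-a", "10.0.0.0/24", "us-east-1a"),
    ("public-b", "10.0.1.0/24", "us-east-1b"),
    ("private-a", "10.0.10.0/24", "us-east-1a"),
    ("private-b", "10.0.11.0/24", "us-east-1b"),
    ("db-a", "10.0.20.0/28", "us-east-1a"),
]
```

`plan_subnets(EXAMPLE_VPC, EXAMPLE_SUBNETS)` yields 251 usable addresses for each /24 and only 11 for the /28, which is why very small subnets fill up faster than the prefix length suggests; `usable_hosts("172.31.0.0/20")` gives 4091 for a default-VPC subnet.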

VPC Route Table

Contains a set of rules, called routes, applied to VPC subnets.

Routes allow EC2 instances in different subnets within the VPC to communicate with each other.
A subnet is made public by directing internet traffic to the IGW.
Each route table has a default route, called the local route, which enables communication within the VPC;
it cannot be removed or modified.
Routes can be added to direct traffic out of the VPC:
- Via an IGW
- Via a VPG
- Via a NAT instance (or NAT gateway)
Specifications:
- A VPC has an implicit router.
- A VPC automatically comes with a main route table that can be modified.
- Custom route tables can be created for the VPC.
- Each subnet is associated with a route table that controls its routing; if no explicit association
exists, the subnet uses the main route table.
- The main route table can be replaced with a custom one so that each new subnet is automatically
associated with it.
- Each route specifies a destination CIDR and a target. AWS uses the most specific route (longest
prefix) that matches the destination.
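The "most specific route wins" rule is what lets a peering route for one corporate subnet coexist with a broader VPN route for the whole corporate range. The following added example (not part of the original notes) performs that longest-prefix lookup over a route table and classifies a subnet as public, VPN-only or private from where its default route points, as in the subnet classification above. The route tables and target IDs are constructed; `lookup_route` and `classify_subnet` are names chosen for this example.

```python
"""Route selection over a VPC route table: the VPC router picks the most
specific (longest prefix) matching route; the local route is always present.

Added example, not from the original notes; the route tables and target IDs
are constructed."""
import ipaddress


def lookup_route(route_table, dst_ip):
    """Return the target of the most specific route for dst_ip, or None (dropped)."""
    dst = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for destination, target in route_table:
        net = ipaddress.ip_network(destination)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def classify_subnet(route_table):
    """Public, VPN-only or private, judged by where the default route points."""
    default = dict(route_table).get("0.0.0.0/0")
    if default is not None and default.startswith("igw-"):
        return "public"
    if default is not None and default.startswith("vgw-"):
        return "vpn-only"
    return "private"


LOCAL = ("10.0.0.0/16", "local")  # implicit local route, cannot be removed
PUBLIC_RT = [LOCAL, ("0.0.0.0/0", "igw-0a1b2c3d4e5f67890")]
PRIVATE_RT = [
    LOCAL,
    ("0.0.0.0/0", "nat-0123456789abcdef0"),        # internet via a NAT gateway
    ("192.168.0.0/16", "vgw-0fedcba9876543210"),   # corporate network via the VPG over VPN
    ("192.168.10.0/24", "pcx-0aabbccddeeff0011"),  # one corporate subnet reached via peering
]
```

`lookup_route(PRIVATE_RT, "192.168.10.4")` returns the peering connection because /24 beats /16, while `lookup_route(PRIVATE_RT, "192.168.3.1")` falls back to the virtual private gateway, and an address matched by no route at all is dropped rather than sent to the default route's target.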
VPC Internet Gateways (VPC IGW)

A horizontally scaled, redundant and highly available VPC component that allows communication
between instances and the internet.
The IGW provides a target in VPC route tables for internet traffic and performs NAT for
instances that have a public IP address.
EC2 instances in a VPC are only aware of their private IP addresses.
The IGW translates between private and public addresses for traffic between an EC2 instance and the internet.

To create a public subnet:

- Attach an IGW to the VPC
- Create a route in the subnet's route table sending all non-local traffic (0.0.0.0/0) to the IGW
- Configure network ACL and security group rules to allow the traffic
- To enable an EC2 instance to send and receive traffic from the internet, assign it a
public IP address or an EIP.

VPC DHCP Option Sets

Used to pass configuration information to hosts on a TCP/IP network.

- The options field of a DHCP message carries settings such as the domain name, domain name servers
and NetBIOS node type; five options can be configured (listed below).
- AWS automatically creates and associates a DHCP option set for a VPC and sets two options:
  o domain-name-servers: defaults to AmazonProvidedDNS, which provides DNS for
instances that reach the internet via the VPC IGW
  o domain-name: defaults to the domain name for the region

To point DHCP option sets at your own resources you can set:

- domain-name-servers
- domain-name
- ntp-servers
- netbios-name-servers
- netbios-node-type (AWS recommends 2)

Every VPC must have exactly one DHCP option set.

VPC EIP (Elastic IP Address)

AWS has a pool of public IP addresses to assign to resources.

An EIP is a static public IP address taken from that region's pool; you can allocate it from, and release
it back to, the pool.
- You must first allocate the EIP for the VPC and then associate it with an instance or network interface.
- An EIP is specific to a region.
- One-to-one relationship between an EIP and a network interface.
- You can move EIPs between instances and VPCs inside the same region.
- An EIP remains associated until you release it.
- An EIP that is allocated but not associated with a running instance incurs an hourly charge.

VPC ENI (Elastic Network Interface)

A virtual network interface that can be attached to an instance in a VPC. It exists within the VPC and is
associated with a subnet when created.
- Can have one public IP address
- Can have multiple private IP addresses, one of them primary, giving the instance a network presence
in different subnets
- A low-budget high-availability option: the ENI, with its addresses, can be moved to a standby instance

VPC Endpoints

Connect a VPC to other AWS services privately, without an internet gateway, Direct Connect, NAT or VPN.
You can create different endpoints to the same service and reference them from multiple route tables.
Gateway endpoints support S3 (and DynamoDB).
- To create an endpoint:
  o Specify a VPC
  o Specify the service name: com.amazonaws.<region>.<service>
  o Specify a policy: full access, or a custom policy that can be changed at any time
  o Specify route tables: a route is added to each with the service's prefix list as destination
and the endpoint as target
- Two types of endpoints: interface and gateway
  o Gateway type: adds a route-table entry for the service; used for S3 and DynamoDB
  o Interface type (PrivateLink): an ENI with a private IP in your subnet; used for services such as CodeBuild

VPC Peering

A network connection between two VPCs that lets them communicate as if they were in the same network.
- Can be between VPCs from different accounts within a single region.
- Created with a request/accept protocol.
- Identified by the requester and accepter VPC IDs.
- A peering request expires if it is not accepted within one week.
- Peering is one-to-one: only one peering connection between two VPCs, and no transitive
routing, only direct.
- Cannot be created between VPCs with matching or overlapping CIDR blocks.
- Cannot be created between VPCs in different regions (at the time of these notes).

VPC Security Groups

A virtual stateful firewall controlling inbound and outbound traffic; the first level of defense, at the
instance level.
EC2 instances must be launched into a security group; if none is specified they are launched into the
default security group.
The rules of the default security group can be changed, but the default group cannot be deleted.
The default group allows communication between all resources in the group, allows all outbound traffic and
denies all other traffic.
Inbound rules must be added explicitly.
Exam points on security groups:
- Up to 500 security groups per VPC
- 50 inbound and 50 outbound rules per security group
- Up to 5 security groups per network interface
- Allow rules only, no deny rules: an important difference between security
groups and network ACLs
- Separate rules for inbound and outbound
- By default, no inbound traffic is allowed
- By default, new security groups allow all outbound traffic
- Security groups are stateful: responses to allowed inbound traffic are
allowed out regardless of the outbound rules, and vice versa. An important difference
between network ACLs and security groups
- Instances in the same custom security group cannot talk to each other unless a rule
referencing the group allows it (the default group has such a rule)
- Changes are applied immediately

VPC Network Access Control Lists (VPC NACL)

A stateless firewall at the subnet level; the second level of defense.

A numbered list of rules evaluated in order, starting with the lowest-numbered rule, to determine
whether traffic is allowed into or out of any subnet associated with the ACL.
A VPC is created with a modifiable default network ACL that allows all inbound and outbound traffic.
A custom ACL denies everything by default until rules are added.
Every subnet must be associated with a network ACL.
Differences between network ACLs and security groups, for the exam:
- Security group: instance level; stateful; allow rules only; all rules are evaluated before deciding;
applies only to instances associated with it.
- Network ACL: subnet level; stateless (return traffic needs its own rule); allow and deny rules;
rules are evaluated in number order and the first match wins; applies to every instance in the subnet.
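The two layers behave differently enough that it helps to see them decide on the same packet. The following added example (not part of the original notes) evaluates a client connection against an instance's security groups (allow-only, rules from all attached groups unioned, stateful so the reply is implied) and against the subnet's network ACL (numbered rules, lowest number first, first match wins, stateless so the reply needs its own outbound rule). The groups, ACL entries and addresses are constructed, and `sg_allows`, `nacl_allows` and `connection_allowed` are names chosen for this example; protocol "-1" means all protocols, as in the AWS API.

```python
"""Decide whether a client connection reaches an instance by applying the
two layers above: security groups (stateful, allow-only, rules from all
attached groups unioned) and the subnet's network ACL (stateless, numbered
rules, first match wins, implicit deny at the end).

Added example, not from the original notes; the groups and ACL entries are
constructed. Protocol "-1" means all protocols, as in the AWS API."""
import ipaddress


def sg_allows(groups, direction, proto, port, peer_ip):
    """groups: list of {"inbound": [...], "outbound": [...]}; each rule is
    (proto, from_port, to_port, cidr). A match in any group allows."""
    peer = ipaddress.ip_address(peer_ip)
    for group in groups:
        for r_proto, lo, hi, cidr in group[direction]:
            if r_proto not in ("-1", proto):
                continue
            if r_proto != "-1" and not lo <= port <= hi:
                continue
            if peer in ipaddress.ip_network(cidr):
                return True
    return False


def nacl_allows(rules, direction, proto, port, peer_ip):
    """rules: (number, direction, proto, from_port, to_port, cidr, action).
    Lowest number first; the first matching rule decides; no match means deny."""
    peer = ipaddress.ip_address(peer_ip)
    for _number, d, r_proto, lo, hi, cidr, action in sorted(rules, key=lambda r: r[0]):
        if d != direction or r_proto not in ("-1", proto):
            continue
        if r_proto != "-1" and not lo <= port <= hi:
            continue
        if peer in ipaddress.ip_network(cidr):
            return action == "allow"
    return False


def connection_allowed(groups, nacl, proto, dst_port, client_ip, client_port=50000):
    """Client -> instance request plus the instance's reply.

    The security group only needs an inbound rule (stateful: the reply is
    implied). The NACL needs an inbound rule for the request *and* an
    outbound rule for the reply to the client's ephemeral port."""
    request_ok = (sg_allows(groups, "inbound", proto, dst_port, client_ip)
                  and nacl_allows(nacl, "inbound", proto, dst_port, client_ip))
    reply_ok = nacl_allows(nacl, "outbound", proto, client_port, client_ip)
    return request_ok and reply_ok


# Constructed rules. Two groups on one instance: their rules are unioned.
WEB_SG = {"inbound": [("tcp", 443, 443, "0.0.0.0/0")],
          "outbound": [("-1", 0, 65535, "0.0.0.0/0")]}
ADMIN_SG = {"inbound": [("tcp", 22, 22, "203.0.113.0/24")], "outbound": []}
SUBNET_NACL = [
    (50, "inbound", "-1", 0, 65535, "198.51.100.0/24", "deny"),   # block a bad range first
    (100, "inbound", "tcp", 443, 443, "0.0.0.0/0", "allow"),
    (110, "inbound", "tcp", 22, 22, "203.0.113.0/24", "allow"),
    (100, "outbound", "tcp", 1024, 65535, "0.0.0.0/0", "allow"),  # replies to ephemeral ports
]
```

With these rules, HTTPS from 198.51.100.5 is denied by ACL rule 50 even though the web security group would allow it (the ACL is the only place to express a deny), SSH from the office range is allowed because the admin group's rule is unioned with the web group's, and removing the outbound ephemeral-port rule silently breaks every connection because the ACL does not track state.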

VPC NAT Instances and VPC NAT Gateways

By default an EC2 instance in a private subnet cannot reach the internet through the IGW.
AWS recommends using a NAT gateway instead of a NAT instance: a NAT gateway provides better
availability, higher bandwidth and less administrative effort.

VPC NAT Instance

An AMI designed to accept traffic from instances in a private subnet, translate the source IP
to the public IP address of the NAT instance, and forward the traffic to the IGW.
The NAT instance maintains the state of forwarded traffic.
The string amzn-ami-vpc-nat appears in the AMI names.
To allow instances in a private subnet to access the internet through the IGW you must:
- Create a security group for the NAT instance.
- Launch the NAT AMI in a public subnet and associate it with the NAT security group.
- Disable the source/destination check attribute on the NAT instance.
- Configure the route table associated with the private subnet to direct internet traffic (0.0.0.0/0) to
the NAT instance (the target is the instance ID).
- Allocate an EIP and associate it with the NAT instance.
- This allows instances in the private subnet to reach the internet but prevents inbound traffic
initiated from the internet from reaching them.

VPC NAT Gateway (VPC NAT GW)

An AWS-managed resource, highly available within an AZ.

To allow instances in a private subnet to access the internet through the IGW via a NAT gateway:
- Configure the private subnet's route table to direct internet traffic to the NAT gateway
- Allocate an EIP and associate it with the NAT gateway

VPC VPG (Virtual Private Gateway)

The VPG is the VPN concentrator on the AWS side of the VPN connection between the two
networks.
VPC CGW (Customer Gateway)
The CGW is the device (or software) on the customer's side of the VPN connection.

Once the CGW and the VPG exist, a VPN connection can be created.
VPC VPN (Virtual Private Network)

The routing type must be specified for a VPN connection: if the CGW supports BGP,
configure dynamic routing; otherwise static routing.
A VPC supports multiple CGWs, each with a VPN connection to a single VPG (many-to-one).
CGW IP addresses must be unique per region.
A VPN connection consists of two IPsec tunnels for high availability.
VPN, VPG and CGW exam points:
- The VPG is the AWS end of the VPN tunnel.
- The CGW is the customer end of the VPN tunnel.
- The VPN tunnel is initiated from the CGW to the VPG.
- The VPG supports dynamic and static routing.
- A VPN connection consists of two tunnels for higher availability to the VPC.

AWS ELASTIC LOAD BALANCING - AWS ELB


Managed load balancer that automatically distributes traffic across multiple EC2 instances.
Distributes across a group of EC2 instances in one or more AZs.
Supports routing and load balancing of:
- HTTP
- HTTPS
- TCP
- SSL
Provides a single DNS name (to be referenced with a CNAME) and supports internet-facing and internal load balancers.
Supports health checks for EC2 instances so that traffic is not routed to failing instances.
Automatically scales based on collected metrics.
ELB advantages:
- Managed service
- Scales in and out automatically to meet the demands of application traffic
- HA within a region as a service
- Integrates with Auto Scaling to scale the instances behind the load balancer
- Supports integrated certificate management and SSL termination

ELB Types

- ELB internet facing load balancers


Takes requests from the internet and distributes them to EC2 instances. It receives a public DNS name so clients can send requests to it over the internet; DNS resolves the load balancer's public IPs.
Point clients at the DNS name, never at a public IP: the load balancer scales and its IPs change, so an IP from the pool may stop being used.
ELB supports IPv4 in a VPC.
ELB supports IPv4 and IPv6 in EC2-Classic.

- ELB Internal Load Balancers


Useful in a multitier application, to load balance between tiers.
Route traffic to EC2 instances in VPC private network.

- ELB HTTPS Load Balancers


Uses TLS/SSL for encrypted connections and SSL offload.
Enables traffic encryption between the load balancer and clients that initiate HTTPS sessions, and optionally between the load balancer and the back end.
Provides security policies with predefined SSL negotiation settings (protocols and ciphers). The SSL certificate is installed on the load balancer.
Does not support SNI: to host multiple websites behind one ELB with a single SSL listener you need one certificate with a SAN entry for each website (or a wildcard certificate).

ELB Listeners

An ELB must have at least one listener; a listener is a process that checks for connection requests.
Every listener is configured with a protocol and port for the front-end connection and a protocol and port for the back-end connections.
Supports protocols operating at two layers of the OSI model:
- Layer 4 (TCP connections, including SSL)
- Layer 7 (application layer: HTTP and HTTPS)

ELB Configure ELB options

- ELB Idle Connection Timeout


ELB maintains two connections per request, one with the client and the other one with the back end.
If no data has been sent or received on a connection for the idle timeout period, the connection is closed.
By default the timeout is 60 seconds for both connections.
A request that transfers no data for longer than the timeout (e.g. a slow upload, or a back end that takes more than 60 s to answer) is cut; extend the timeout for such workloads.
Keep-alive, when enabled in the web server settings or kernel settings of the EC2 instance, allows the load balancer to reuse back-end connections for HTTP and HTTPS listeners and reduces CPU use.
To make the load balancer responsible for closing back-end connections, make sure the keep-alive timeout on the instances is higher than the idle timeout of the load balancer.

- ELB Cross zone load balancing


Enable this option to route traffic to instances regardless of their AZ (otherwise each load balancer node only routes to instances in its own AZ).
It is recommended to have an equivalent number of back-end instances in each AZ.

- ELB Connection Draining


Enable connection draining to stop sending new requests to instances that are deregistering or unhealthy while keeping existing connections open until in-flight requests complete.
Configure the time to keep connections alive before reporting an instance as deregistered: 1 to 3,600 seconds, default 300 seconds; when the limit is reached the connections are closed.

- ELB Proxy Protocol


When you use TCP or SSL for both front end and back end, the load balancer forwards the requests without modifying them, so the back end only sees the load balancer's IP. With Proxy Protocol enabled, a header carrying the original client IP and port is prepended and sent to the back end.
Make sure there is no proxy before the load balancer that already adds a Proxy Protocol header, otherwise the back end receives two.

- ELB Sticky Sessions – ELB Session Affinity


By default ELB routes each request independently (each request is treated on its own, no matter whether it belongs to the same conversation). Activating sticky sessions binds a user's session to a specific instance, so all requests from the same session are sent to the same instance.
Two modes: if the application has its own session cookie, ELB can be configured to follow it (application-controlled stickiness); otherwise ELB creates its own duration-based cookie, named AWSELB.

- ELB Health Checks


Supports health checks for the instances behind the ELB; an instance that passes is InService, an unhealthy one is OutOfService and receives no traffic.
The check is performed against every instance and can be
o a ping (TCP connection attempt) or
o an SSL connection attempt or
o an HTTP/HTTPS page checked periodically (expects a 200 response).
The interval between checks and the response timeout are configurable; set a threshold of consecutive failed checks to consider an instance unhealthy and a (usually higher) threshold of consecutive successful checks before it is InService again.

*To update instances: take the instance out of the ELB (deregister), update it, then register it with the ELB again.
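Added example (not from these notes): the health check thresholds as a small Python state machine, with interval, timeout and thresholds as parameters (the values in the default config are assumptions, not ELB defaults). It also computes how long a dead instance keeps receiving traffic and how long a recovered one waits for it, which are the numbers to look at when tuning the thresholds.

```python
from dataclasses import dataclass

@dataclass
class HealthCheckConfig:
    interval: int = 30            # seconds between checks
    timeout: int = 5              # seconds to wait for a response before counting a failure
    unhealthy_threshold: int = 2  # consecutive failures -> OutOfService
    healthy_threshold: int = 10   # consecutive successes -> back InService

class TargetHealth:
    """Tracks one back-end instance the way the ELB health check does: a run of
    consecutive failed checks moves it OutOfService, and it must then pass a
    (usually longer) run of consecutive checks before it is InService again.
    A single success resets the failure streak and vice versa."""

    def __init__(self, cfg, initial="InService"):
        self.cfg = cfg
        self.state = initial
        self.consecutive_ok = 0
        self.consecutive_fail = 0

    def record(self, passed):
        if passed:
            self.consecutive_ok += 1
            self.consecutive_fail = 0
            if self.state == "OutOfService" and self.consecutive_ok >= self.cfg.healthy_threshold:
                self.state = "InService"
        else:
            self.consecutive_fail += 1
            self.consecutive_ok = 0
            if self.state == "InService" and self.consecutive_fail >= self.cfg.unhealthy_threshold:
                self.state = "OutOfService"
        return self.state

def run_checks(cfg, results, initial="InService"):
    """Feed a sequence of check outcomes (True = passed) for one instance and
    return its state after each check."""
    target = TargetHealth(cfg, initial)
    return [target.record(r) for r in results]

def time_to_detect_failure(cfg):
    """Worst-case seconds between an instance dying and the ELB marking it
    OutOfService: every failed check costs the interval plus the timeout."""
    return cfg.unhealthy_threshold * (cfg.interval + cfg.timeout)

def time_to_recover(cfg):
    """Seconds of consecutive good checks needed before traffic returns."""
    return cfg.healthy_threshold * cfg.interval

if __name__ == "__main__":
    cfg = HealthCheckConfig()
    print(run_checks(cfg, [True, False, False, True, True]))
    print(time_to_detect_failure(cfg), "s to take a dead instance out")
    print(time_to_recover(cfg), "s of good checks to bring it back")
```

A low unhealthy threshold with a high healthy threshold is the usual choice: stop sending traffic fast, but do not flap an instance back in on a single lucky check.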

AWS CLOUDWATCH

Monitors services in real time: collects and tracks metrics, creates alarms, sends notifications and changes the resources being monitored based on rules.
Performs automated actions when a threshold is crossed.
Metrics can be retrieved through the API (GET requests, e.g. GetMetricStatistics).
Each AWS account has a limit of 5,000 alarms per region; metric data is retained for 2 weeks by default, so if you need it longer export it to S3 (or on to Glacier).
Can execute Auto Scaling policies or send notifications (SNS).
- CW Basic Monitoring: data points every 5 minutes for a limited number of preselected metrics, at no charge. Enabled by default.
- CW Detailed Monitoring: data points every minute, allows data aggregation across AZs within a region, with an additional charge; this must be enabled explicitly.

Using the CloudWatch API we can PUT custom metrics (name/value pairs) and then define alarms and actions on them.

CloudWatch Logs:
install the CloudWatch Logs agent on an EC2 instance (Linux, e.g. Ubuntu) to ship log files; logs can be exported to S3, CloudTrail can deliver its events to CloudWatch Logs, and alarms can be configured on log metric filters. The agent must be installed on every machine that sends logs.

AWS AUTO SCALING


Allows to scale number of EC2 instances automatically, according to criteria defined.

Auto Scaling Plans


- Maintain Current Instance Levels: configure the Auto Scaling group to always keep a minimum number of instances running; if one is unhealthy it terminates that instance and launches a new one.
- Manual Scaling: define max and min, or the desired capacity to maintain.
- Scheduled Scaling: schedule a scaling event, for example at every end of month.
- Dynamic Scaling: for example through a CloudWatch alarm that monitors bandwidth; when the threshold is crossed a scaling policy launches another instance.

Auto Scaling Components


- Launch Configuration: template to create new instances; each Auto Scaling group must have exactly one launch configuration at a time, composed of:
o Name
o AMI
o EC2 instance type
o Security Group – for EC2-Classic it can be referenced by name like "SSH" or "WEB"
o Instance key pair
The default limit for launch configurations is 100 per region; the default limit for EC2 instances within a region is 20.
Can reference On-Demand or Spot instances but not both.
- Auto Scaling Group: collection of EC2 instances managed by the Auto Scaling service. Must contain a name and the minimum and maximum number of instances, and optionally the desired capacity, which is the number of instances the group must have at all times; if not specified it defaults to the minimum number of instances. Must reference a launch configuration.
o Name
o Launch Config
o AZs
o Min size
o Desired Capacity
o Max Capacity
o Load Balancers
Can manage either On-Demand or Spot instances; On-Demand is the default, Spot can be configured with a maximum bid price.
- Scaling Policy: CloudWatch alarms can be associated with scaling policies and an Auto Scaling group to adjust the group dynamically. CloudWatch sends a message to the Auto Scaling group and the group executes the scaling policy. Policies define the instructions to scale out or scale in.
The number of instances to add or remove can be specified as a fixed number (ChangeInCapacity), a percentage of the current capacity (PercentChangeInCapacity) or an exact capacity to set (ExactCapacity). More than one policy can be associated with a group.
Best practice is to scale out quickly and scale in slowly. The cooldown period suspends further scaling activities after one completes, to avoid launching and terminating instances in a short period of time; instances are billed per hour even if they are used for less than an hour.
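Added example (not from these notes) that ties the CloudWatch alarm to the scaling policy: an alarm that needs consecutive breaching datapoints, the three adjustment types with the rounding rule Auto Scaling documents for percentages, clamping to min/max and the cooldown. The simulate() function is a constructed scenario (CPU samples, threshold, group sizes and cooldown are assumptions) showing that an alarm firing again inside the cooldown is ignored.

```python
import math
from dataclasses import dataclass

@dataclass
class Alarm:
    """CloudWatch-style alarm: one datapoint per period is compared with the
    threshold; the alarm enters ALARM only after `evaluation_periods`
    consecutive breaching datapoints. evaluate() returns True on the
    OK -> ALARM transition, which is when CloudWatch invokes the alarm action."""
    threshold: float
    evaluation_periods: int = 1
    comparison: str = ">"          # ">" (scale out on high load) or "<" (scale in)
    state: str = "OK"
    breaching_streak: int = 0

    def evaluate(self, datapoint):
        breaching = datapoint > self.threshold if self.comparison == ">" else datapoint < self.threshold
        self.breaching_streak = self.breaching_streak + 1 if breaching else 0
        previous = self.state
        self.state = "ALARM" if self.breaching_streak >= self.evaluation_periods else "OK"
        return previous == "OK" and self.state == "ALARM"

def round_percent_delta(delta):
    """Rounding Auto Scaling documents for PercentChangeInCapacity: 12.7 -> 12,
    0.3 -> 1, -0.3 -> -1, -6.67 -> -6 (a non-zero percentage always moves
    the group by at least one instance)."""
    if delta > 1:
        return math.floor(delta)
    if 0 < delta <= 1:
        return 1
    if -1 <= delta < 0:
        return -1
    if delta < -1:
        return math.ceil(delta)
    return 0

@dataclass
class AutoScalingGroup:
    min_size: int
    max_size: int
    desired: int
    cooldown: int = 300            # seconds after a scaling activity during which new ones are ignored
    last_scaling_time: float = float("-inf")

    def apply_policy(self, now, adjustment_type, value):
        """Apply a simple scaling policy at time `now` (seconds). The result is
        always clamped to [min_size, max_size]; inside the cooldown the policy
        is ignored and the current desired capacity is returned unchanged."""
        if now - self.last_scaling_time < self.cooldown:
            return self.desired
        if adjustment_type == "ChangeInCapacity":
            target = self.desired + value
        elif adjustment_type == "PercentChangeInCapacity":
            target = self.desired + round_percent_delta(self.desired * value / 100)
        elif adjustment_type == "ExactCapacity":
            target = value
        else:
            raise ValueError("unknown adjustment type: " + adjustment_type)
        target = max(self.min_size, min(self.max_size, target))
        if target != self.desired:
            self.desired = target
            self.last_scaling_time = now
        return self.desired

def simulate(cpu_samples, period=60):
    """Feed CPU datapoints (one per period) through an alarm that fires after
    two consecutive samples above 70% and applies a +2 scale-out policy to a
    group of 2..6 instances with a 300 s cooldown. Returns the desired
    capacity after each sample."""
    alarm = Alarm(threshold=70, evaluation_periods=2)
    group = AutoScalingGroup(min_size=2, max_size=6, desired=2, cooldown=300)
    history = []
    for i, cpu in enumerate(cpu_samples):
        if alarm.evaluate(cpu):
            group.apply_policy(i * period, "ChangeInCapacity", 2)
        history.append(group.desired)
    return history

if __name__ == "__main__":
    print(simulate([80, 85, 50, 80, 82, 50, 50, 50, 88, 91]))
```

In the simulated run the alarm fires at sample 2 (capacity 2 -> 4), fires again at sample 5 but is inside the cooldown (stays 4), and only the third firing at sample 10 scales to 6.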

AWS Identity and Access Management - AWS IAM

IAM is the service that controls how people and programs are allowed to manipulate AWS services.
Components:
- Users
- Groups
- Access control policies
Who can use, what can be used and how the AWS services can be used.
An on-premises Active Directory can be federated with AWS (SAML), and Amazon Cognito can be used for application user authentication.
IAM controls access to AWS APIs and resources only, not logins to the operating system or applications inside your servers.

Authentication Technologies:

IAM can be manipulated by:


- AWS Management Console
- AWS CLI
- AWS SDK

IAM Principals

An IAM principal is an entity that is allowed to interact with AWS resources. It can be permanent or temporary, a human or an application. Three types:
- IAM Root user: the identity created with the AWS account. Use it only at the beginning, to create the first IAM user/admin, and keep it protected (strong password, MFA, no access keys).
- IAM users: users created by a principal with administrative privileges. They have no expiration; an administrator has to delete them. There should be an IAM user for each person that needs access, assigning only the policies they need and nothing else (principle of least privilege).
- IAM Roles/Temporary security tokens: advanced usage. Roles grant specific permissions to specific actors for a specific period of time; the actor can even be authenticated by an external system. When an actor assumes the role, STS (Security Token Service) delivers temporary credentials. A duration must be specified; depending on the STS API it can be between 15 minutes and 36 hours.
Use cases:
o Amazon EC2 Roles:
granting permissions to applications running on EC2. Without roles, giving an EC2 application access to a resource like S3 requires creating an IAM user with permissions and storing that user's credentials in the application's configuration file. With IAM roles you assign a role to the instance and the SDK retrieves temporary credentials from the instance metadata; the credentials are rotated automatically before they expire, so no long-lived secret is stored on the instance and the process is transparent to the application.
o Cross-Account Access:
grant permissions to users from other AWS accounts (providers, customers); users from the other account assume the role instead of being given fixed credentials.
o Federation:
grant permissions to users authenticated by an external system, an IAM identity provider (IdP). Two types of IdP: web identities like Facebook, Google, etc., for which AWS supports OpenID Connect (OIDC); and enterprise identities like LDAP/Active Directory, for which AWS supports SAML 2.0. A SAML-compliant IdP such as Active Directory Federation Services (ADFS) federates the internal directory against IAM.

Traits of AWS Principals:

IAM Authentication

There are 3 ways to authenticate a principal:


- Username/password, for human authentication (console).
- Access key: a combination of access key ID (20 characters) and secret access key (40 characters), for a program that authenticates against AWS via the API, CLI or SDK.
- Access key/session token: temporary credentials that also include a session token, for a user or application using a temporary security token (roles, federation).
An administrator must assign a password and/or an access key explicitly, because a newly created IAM user has neither.

IAM Authorization
Authorization is the process of specifying what actions a principal can or cannot perform. Once authenticated, we have to manage the principal's access to the AWS infrastructure.
This is granted by specifying privileges in policies and associating them with principals.
IAM Policies

JSON documents that fully define the permissions to access and manipulate AWS resources. Each statement has:
- Effect: Allow or Deny.
- Service: which service the permission is configured for (encoded in the action prefix, e.g. s3:).
- Resource: ARN (Amazon Resource Name) of the resource the statement applies to. Wildcards like * can be used.
- Action: the API actions allowed or denied on that resource (e.g. s3:GetObject, s3:PutObject).
- Condition: limits when the permission applies, for example only from a specific source IP range or during a specific time interval.

For example an S3 resource can be given with a trailing wildcard, as in a Linux glob: arn:aws:s3:::bucket-name/*

IAM Associate policies with principals

There are two ways to associate an IAM user with a policy:
- User (inline) policy: exists only in the context of that user, on the IAM user page.
- Managed policies: created on the Policies tab of the IAM console and existing independently of any individual user; AWS-managed and customer-managed.
It is recommended to use managed policies (reusable, versioned) rather than inline ones.
Policies can also be assigned to a group.
There are two ways a policy can be associated with an IAM group:
- Group (inline) policy: exists only in the group context.
- Managed policies: the same way as for users.

Best practice when the account is new is to create an admin group and an admin user and grant full access to them, so you can avoid using root.

An actor can also be associated with policies by assuming a role: it is provided with a temporary security token carrying the permissions of that role.

IAM Features

- IAM Multi-Factor Authentication - IAM MFA: a second factor, a hardware device or a virtual app such as the AWS virtual MFA app, that double-checks your identity with something you know and something you have. MFA can be enabled on an IAM user, whether it is a person or an application. It is recommended that the root user has MFA enabled.
- IAM Rotating Keys: it is best practice to rotate the access keys associated with your IAM users. A user can have two active access keys at a time, so the rotation is done without downtime through the console, CLI or SDK: create the new key, reconfigure the applications with the new key, make the original key inactive, verify nothing broke, then delete it.
- IAM Resolving Multiple Permissions: the permissions that decide whether a principal can perform an action may come from several policies; conflicts are resolved like this:
o Initially the request is denied by default (implicit deny).
o All applicable policies are evaluated; if any of them contains an explicit "Deny" for the request, the request is denied and evaluation stops.
o If there is no "Deny" and at least one "Allow" matches, the request is allowed.
o If there is neither an explicit "Deny" nor an "Allow", the default deny applies.
The only addition is when AssumeRole is called with an extra (session) policy: that policy can only restrict the role's permissions further, it cannot grant anything the role's own policies do not allow.
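Added example (not from these notes): a Python evaluator for the policy elements and the conflict-resolution rules above, run over two constructed policies (bucket name and CIDR are hypothetical). It implements only a subset of IAM, the Action/Resource wildcards and the IpAddress/NotIpAddress condition operators, but follows the explicit-deny-first, default-deny order exactly.

```python
import fnmatch
import ipaddress
import json

# Constructed example policies (not from the page). Bucket name and CIDR are
# hypothetical: a read-only grant on one bucket, and a deny of everything
# unless the request comes from the corporate address range.
READ_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]
  }]
}""")

IP_RESTRICTION_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}
  }]
}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value, case_insensitive=False):
    """IAM wildcard match ('*' and '?'). Action names are matched without
    regard to case; resource ARNs are case sensitive."""
    if case_insensitive:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _condition_ok(condition, context):
    """Evaluates the IpAddress / NotIpAddress operators only. Simplification:
    a missing context key or an unsupported operator makes the statement not
    apply (the real engine has per-operator rules for missing keys)."""
    for operator, pairs in (condition or {}).items():
        if operator not in ("IpAddress", "NotIpAddress"):
            return False
        for key, cidrs in pairs.items():
            if key not in context:
                return False
            src = ipaddress.ip_address(context[key])
            in_range = any(src in ipaddress.ip_network(c) for c in _as_list(cidrs))
            if operator == "IpAddress" and not in_range:
                return False
            if operator == "NotIpAddress" and in_range:
                return False
    return True

def evaluate(policies, action, resource, context=None):
    """Decide one request against all identity-based policies attached to
    the principal, following the resolution rules: implicit deny to start,
    an applicable explicit Deny ends the evaluation, otherwise at least one
    applicable Allow is needed."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _matches(stmt["Action"], action, case_insensitive=True):
                continue
            if not _matches(stmt["Resource"], resource):
                continue
            if not _condition_ok(stmt.get("Condition"), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"

if __name__ == "__main__":
    pols = [READ_POLICY, IP_RESTRICTION_POLICY]
    print(evaluate(pols, "s3:GetObject", "arn:aws:s3:::example-reports/q1.csv",
                   {"aws:SourceIp": "203.0.113.25"}))   # Allow
    print(evaluate(pols, "s3:GetObject", "arn:aws:s3:::example-reports/q1.csv",
                   {"aws:SourceIp": "198.51.100.7"}))   # Deny: explicit deny wins
```

Note the order of checks: the deny statement is tested before the allow counts, so the read grant never "wins" over the IP restriction, and a request that no statement mentions (s3:PutObject, another bucket) falls through to the implicit deny.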
AWS Database - AWS DB

Databases are categorized into:
- OLTP (Online Transaction Processing): transaction-oriented workloads with frequently changing data; many small, simple operations.
- OLAP (Online Analytical Processing): reporting or analysis over large data sets; fewer, more complex queries.
- Amazon RDS, supports OLTP and OLAP workloads:
o MySQL
o Oracle
o PostgreSQL
o Microsoft SQL Server
o MariaDB
o Amazon Aurora
- Amazon Redshift: data warehouse, designed for OLAP.
- Amazon DynamoDB: NoSQL as a service.

Most organizations split their databases into OLTP and OLAP, one for transactions and another for the data warehouse (reporting).
NoSQL allows horizontal scalability.

AWS RDS

Service that simplifies setup, operation and scaling of relational databases. AWS takes over common tasks like backups, patching, scaling and replication.
RDS exposes a database endpoint to which client software connects and executes SQL. RDS does not provide shell access to the DB instances and restricts access to certain stored procedures and system tables that require elevated privileges. It is compatible with the usual ETL tools.

- RDS DB instances: RDS provides an API to create and manage DB instances; they can also be created in the console.
o DB instance class: determines CPU and memory; it can be changed after deployment.
o DB instance storage: performance and size can be selected.
o DB parameter group: acts as a container for engine configuration that can be applied to DB instances; it can be changed, but some parameters need a reboot.
o DB option group: acts as a container for engine features; it is empty by default.
- RDS Operational Benefits: SSH cannot be used to reach the RDS instance; the OS, engine installation and patching are AWS's responsibility, the schema, users and data are yours (see the operational responsibility comparison).

RDS Database Engines

MySQL, PostgreSQL, MariaDB, Oracle, SQL Server, Amazon Aurora.

- RDS MySQL
Supports 5.7, 5.6, 5.5, 5.1. RDS runs the open source Community Edition with InnoDB as the storage engine. Supports Multi-AZ deployments for HA and read replicas for horizontal scaling.
- RDS PostgreSQL
Supports 9.5, 9.4 and 9.3. Supports Multi-AZ deployments for HA and read replicas for horizontal scaling.
- RDS MariaDB
Supports 10.1.17 with the XtraDB storage engine. Supports Multi-AZ deployments for HA and read replicas for horizontal scaling.
- RDS Oracle
Supports 11g and 12c: Standard Edition One, Standard Edition and Enterprise Edition.

- RDS Microsoft SQL Server

Connect with SQL Server Management Studio; supports 2008 R2, 2012 and 2014, in Express, Web, Standard and Enterprise editions.
- RDS Licensing
o RDS License Included: the license is included in the AWS price. For Oracle, License Included is available for Standard Edition One; for Microsoft SQL Server it is available for Express, Web and Standard editions.
o RDS BYOL: for Oracle you can bring your own license for Standard Edition One, Standard Edition and Enterprise Edition. For SQL Server you can bring Standard and Enterprise licenses through the Microsoft License Mobility program.
- RDS Aurora
MySQL-compatible database engine built by AWS, fully managed, delivering up to 5 times the throughput of MySQL. Creating an Aurora DB creates a cluster: one or more DB instances plus a cluster volume that holds the data for all instances and is replicated across multiple AZs.
o Aurora Primary Instance: only one per cluster; it supports read and write workloads, all data modifications go through the primary.
o Aurora Replica: secondary instances, read-only. Each cluster can have up to 15 replicas, spread across AZs; a replica is promoted on failover.
- RDS Storage Options – RDS Storage Types
RDS is built on EBS; the storage type is selected for performance and cost, up to 6 TB and 30k IOPS. Three storage types: Magnetic, General Purpose SSD (gp2, small to medium sized DBs) and Provisioned IOPS SSD (io1, I/O-intensive workloads).
- RDS Backup and RDS Recovery
o RDS Automated Backups: RDS continuously tracks changes and takes a daily snapshot of the DB instance; the backup covers the entire DB instance, not individual databases. Define the retention period: one day by default, up to 35 days. When you delete a DB instance, all automated backups are deleted and unrecoverable; manual snapshots are not deleted.
o RDS Manual Snapshots / RDS Manual Backup: a manual snapshot is retained until you delete it.
In a Multi-AZ deployment the snapshot is taken from the standby, so the primary does not suffer the I/O suspension.
o RDS Recovery: restoring creates a new DB instance; you cannot restore into an existing one. After the restore you have to associate the DB parameter group and security groups again.
- RDS HA with Multi-AZ
Synchronous replication places a second copy of the DB in another AZ; the standby is used for failover only, not for reads.
Automatic failover happens in the following events, and a manual failover (reboot with failover) can be performed:
o Loss of availability in the primary AZ
o Loss of network connectivity to the primary DB
o Compute unit failure on the primary DB
o Storage failure on the primary DB
Failover works by updating the DNS record of the endpoint, so clients must not cache the IP.
- RDS Scaling Up and Out
Scaling up (increasing the machine properties) is easier; scaling out (horizontally) is possible but harder.
o RDS Vertical Scalability: adding compute, memory or storage to the DB; the change can be applied immediately or in the next maintenance window. We can modify the instance type and AWS performs the migration automatically with minimal disruption. Each DB can scale from 5 GB to 6 TB of provisioned storage; storage expansion is NOT supported for SQL Server.
o RDS Horizontal Scalability with Partitioning: a relational database can be scaled vertically only until the maximum instance size is reached; beyond that, partition the data into multiple instances or shards. Sharding scales writes horizontally but requires additional logic in the application layer, which decides where to route each database request. NoSQL databases are designed to scale horizontally.
o RDS Scalability with Read Replicas: offload read transactions from the primary DB. Use cases:
 Scale the capacity of a single DB instance for read-heavy workloads
 Serve read traffic while the primary instance is unavailable or busy with backups
 Offload reporting / data warehouse queries
Read replicas are supported in RDS MySQL, PostgreSQL, MariaDB and Aurora.
Data is copied from the primary instance to the read replica asynchronously, so replicas can lag. Read replicas can be created across regions.
- RDS Security
o Infrastructure, database and network security are layered
o IAM controls who can manage the RDS resources (API calls), not database logins
o Deploy in a private subnet within a VPC: create a DB subnet group for RDS, then use network ACLs and security groups to allow only the application tier to reach the DB port
o Users and privileges at the DB level
o Encrypt connections using SSL/TLS
o Encryption at rest with KMS (all engines) and TDE (Oracle, SQL Server)
o Backups and snapshots of an encrypted instance are encrypted too

AWS Redshift

Fully managed, petabyte-scale data warehouse: a relational, columnar database designed for OLAP over large data sets.
- Uses SQL for queries
- Connectivity via ODBC or JDBC
- Based on PostgreSQL
- Manages backups and patching

- Redshift Clusters and Redshift Nodes


The cluster is the key component, composed of a leader node and one or more compute nodes. Client applications only interact with the leader node; the compute nodes are transparent, and query execution is parallelized across nodes and slices.
Six node types are supported, in two families:
o Dense Compute: fast SSD, up to 326 TB per cluster
o Dense Storage: magnetic disks, up to 2 PB per cluster
The storage of each compute node is divided into slices (between 2 and 16, depending on the node type).
To increase Redshift performance, add more nodes to the cluster.
Whenever a resize operation is performed, a new cluster is created and the data migrated to it; during the migration the existing cluster becomes read-only.
- Redshift Table Design
A Redshift cluster supports multiple databases and many tables; when creating a table Redshift lets you choose compression, distribution and sort keys.
o Redshift Data Types: column data types cannot be modified after creation.
o Redshift Compression Encoding: automatic compression or specify an encoding per column.
o Redshift Distribution Strategy: how records are distributed across nodes and slices; the distribution style is chosen to improve query performance.
 Redshift EVEN distribution: default option, rows are spread uniformly.
 Redshift KEY distribution: according to the values in one column; rows with matching values are stored together on the same slice, so joins on that column avoid data movement.
 Redshift ALL distribution: a full copy of the entire table is distributed to every node. Useful for small tables that are not updated frequently.
o Redshift Sort Keys: specify one or more columns as sort keys; sorting enables efficient handling of range-restricted predicates. Can be compound or interleaved.
o Redshift Load Data: use the COPY command for bulk loads from flat files in S3 or from a DynamoDB table; COPY can read from multiple files at the same time and the operation is distributed across the nodes. After loading bulk data run VACUUM to reorganize rows and reclaim space and ANALYZE to update the table statistics.
o Redshift Query Data: use Workload Management (WLM) to queue and prioritize queries.
o Redshift Snapshots: point-in-time snapshots of your cluster, used to restore it or create a new one; stored in S3, automated and manual snapshots are supported.
o Redshift Security: IAM for the API, network level with network ACLs and security groups, the master user is the database admin; permissions for Redshift database users are separate from IAM. Data encryption in transit uses SSL; at rest use KMS or CloudHSM for the keys.

AWS DynamoDB

Fully managed NoSQL database, simplifies:


- Hardware provisioning
- Setup
- Configuration
- Replication
- Software patching
- Cluster Scaling

Write an unlimited number of items with consistent latency; data traffic is distributed over multiple partitions, capacity can be adjusted after the table is created, all table data is stored on high performance SSD and replicated across multiple AZs within a region.

- DynamoDB Data Model: tables, items and attributes. A table is a collection of items and each item is a collection of attributes; each item has a primary key. Limit of 400 KB on the item size. Attributes are name/value pairs, and a value can be a set or a list. Applications connect to the DynamoDB endpoint over HTTPS; the web service API uses JSON.
- DynamoDB Data Types:
o Scalar: string, number, binary, Boolean, null
o Set: string set, number set, binary set
o Document: list and map.
- DynamoDB Primary Key: specified at table creation, uniquely identifies one item; two types, and the choice cannot be changed later:
o DynamoDB Partition Key: made of one attribute; DynamoDB keeps an unordered hash index on this attribute.
o DynamoDB Partition Key and Sort Key: made of two attributes; the first one is the partition (hash) key and the second one the sort (range) key. Each item is uniquely identified by the combination of both: the partition key can repeat, the combination cannot.
Primary key attributes must be scalar types.
Choose a partition key that distributes requests across the full range of partitions (avoid hot keys).
- DynamoDB Capacity: read and write capacity must be provisioned on the table to handle the workload; DynamoDB provisions the needed infrastructure for that capacity, and the values can be changed later to scale up or down.
Each operation consumes capacity units: 1 read capacity unit is one strongly consistent read per second of an item of up to 4 KB (an eventually consistent read costs half), and 1 write capacity unit is one write per second of an item of up to 1 KB; larger items consume proportionally more, rounded up.
- DynamoDB Secondary Indexes: when using a partition key and sort key you can optionally define one or more secondary indexes.
o Global Secondary Index: the partition key and sort key can be different from those of the table; can be created or deleted at any time; maintains its own provisioned throughput.
o Local Secondary Index: same partition key as the table but a different sort key; can only be created at table creation time.
A secondary index is updated when an item is modified; those updates consume capacity units.
- DynamoDB write and read data:
o DynamoDB PutItem: creates an item, or replaces it if the primary key already exists; requires the table name and the primary key.
o DynamoDB UpdateItem: updates an item, creating it if it does not exist; supports atomic counters.
o DynamoDB DeleteItem
o DynamoDB GetItem: retrieves a single item by primary key (Query and Scan are used to read several items).
- DynamoDB Eventual Consistency: a read can be eventually consistent (default) or strongly consistent. Because DynamoDB replicates data across AZs for HA, an eventually consistent read shortly after a write may not return the latest data.
- DynamoDB Batch Operations: to work with large batches of items; BatchWriteItem performs up to 25 puts or deletes per call and BatchGetItem retrieves up to 100 items per call.
- DynamoDB Search Items: use Query or Scan; a result page is at most 1 MB. Avoid Scan, which reads the whole table (or secondary index) and consumes capacity for every item scanned.
- DynamoDB Scaling and Partitioning: the table scales horizontally using partitions; each partition is a unit of compute and storage capacity, items are distributed across partitions and the capacity given to a partition is fixed and cannot be shared with other partitions; a portion of the capacity is kept to handle peak traffic or bursts.
Partitions can be split (as capacity or data grows) and there is no rollback.
- DynamoDB Security: granular access control integrated with IAM; for mobile clients use AWS STS (Cognito) to issue temporary credentials.
- DynamoDB Streams: each item change is buffered as a stream record that represents the data modification; records are grouped into shards and retained for a maximum of 24 hours. To build an application that consumes a stream, use the DynamoDB Streams Kinesis Adapter.
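Added example (not from these notes) covering the capacity units and the partitioning notes above: Python functions that compute the RCUs/WCUs an item costs, the capacity to provision for a workload, and the partition count and per-partition share using the sizing rule AWS documented originally (3,000 RCU / 1,000 WCU / 10 GB per partition; treated as an assumption here). The last function shows why one hot partition key is throttled well below the table's total capacity.

```python
import math

MAX_ITEM_BYTES = 400 * 1024    # DynamoDB item size limit
READ_UNIT_BYTES = 4 * 1024     # 1 RCU = one strongly consistent read/s of <= 4 KB
WRITE_UNIT_BYTES = 1024        # 1 WCU = one write/s of <= 1 KB

def _check_item(item_bytes):
    if item_bytes <= 0:
        raise ValueError("item size must be positive")
    if item_bytes > MAX_ITEM_BYTES:
        raise ValueError("item exceeds the 400 KB DynamoDB item limit")

def read_units(item_bytes, consistent=True):
    """RCUs consumed by reading one item: size rounded up to 4 KB blocks;
    an eventually consistent read costs half a unit per block."""
    _check_item(item_bytes)
    units = math.ceil(item_bytes / READ_UNIT_BYTES)
    return units if consistent else units / 2

def write_units(item_bytes):
    """WCUs consumed by writing one item: size rounded up to 1 KB blocks.
    Every GSI on the table repeats this cost for the projected attributes."""
    _check_item(item_bytes)
    return math.ceil(item_bytes / WRITE_UNIT_BYTES)

def provisioned_capacity(reads_per_sec, writes_per_sec, item_bytes, consistent=True):
    """(RCU, WCU) to provision for a steady workload of the given item size."""
    return (math.ceil(reads_per_sec * read_units(item_bytes, consistent)),
            math.ceil(writes_per_sec * write_units(item_bytes)))

def partition_count(rcu, wcu, table_bytes):
    """Number of partitions DynamoDB allocates, using the sizing rule from the
    original documentation (assumption: 3,000 RCU or 1,000 WCU and 10 GB per
    partition). Provisioned throughput is split evenly between partitions."""
    by_throughput = math.ceil(rcu / 3000 + wcu / 1000)
    by_size = math.ceil(table_bytes / (10 * 1024 ** 3))
    return max(1, by_throughput, by_size)

def per_partition_capacity(rcu, wcu, table_bytes):
    """What a single hot partition key can actually get: the table's capacity
    divided by the partition count, which is why a key that receives all the
    traffic is throttled long before the table-level limit is reached."""
    n = partition_count(rcu, wcu, table_bytes)
    return (rcu / n, wcu / n)

if __name__ == "__main__":
    print(provisioned_capacity(100, 10, 6000))        # (200, 60) for 6 KB items
    print(per_partition_capacity(10000, 1000, 0))     # 5 partitions -> 2000 RCU each
```

A 6 KB item costs 2 RCUs per strongly consistent read and 6 WCUs per write, so the 100 reads/s and 10 writes/s workload needs 200 RCU and 60 WCU, not 100 and 10.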

AWS SQS

AWS Simple Queue Service – AWS SQS

Fully managed, highly available message queuing service used to decouple the components of a cloud application; it transmits any volume of data at any level of throughput, and application messages are stored on reliable and scalable infrastructure.
It is a buffer between the components that receive data and the ones that process it. Work is not lost when resources are insufficient: at peak hours, when the instances cannot keep up, requests wait in the queue in the meantime.
Delivers each message at least once, can have multiple readers and writers, and a queue can be shared between multiple resources.
A standard queue is NOT FIFO: ordering is best effort, so consumers must tolerate duplicates and out-of-order messages.

- SQS Message Lifecycle: a message stays in the queue until a consumer explicitly deletes it; receiving a message does not remove it. Messages that are never deleted are kept for the retention period (default 4 days, up to 14 days).

- SQS Delay Queues and SQS Visibility Timeouts: a delay queue postpones the delivery of new messages for a specific number of seconds (max 15 minutes, default 0). The difference: the delay applies when the message is added, whereas the visibility timeout hides a message once it has been retrieved from the queue (default 30 seconds, max 12 hours); if the consumer does not delete it within that time it becomes visible again and another consumer may receive it.
- SQS Queue Operations, Unique ID and Metadata: each message has a globally unique message ID and, on each receive, a receipt handle.
- SQS Queue and Message Identifiers, three identifiers:
o Queue URL: assigned by AWS; used to perform any action on the queue.
o Message ID: max length 100; identifies each message.
o Receipt Handle: returned every time a message is received and needed to delete it; a message must be received at least once to be deleted, and the handle from the latest receive must be used.
- SQS Message Attributes: provide metadata about the message, up to 10 attributes per message, sent along with the body.
- SQS Long Polling: ReceiveMessage waits (up to 20 seconds) for a message to arrive instead of returning empty immediately, which avoids tight polling loops and empty responses.
- SQS Dead Letter Queues: a separate queue where messages that failed processing (received more than maxReceiveCount times without being deleted) are moved so they can be analyzed or processed later.
- SQS Access Control: queue policies let other AWS accounts use a queue without assuming an IAM role, for example:
o To allow a specific type of access, like SendMessage.
o To grant another AWS account access to the queue for a period of time.
o To grant access only if the request comes from your EC2 instances.
o To deny another AWS account.
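Added example (not from these notes): a toy Python model of a standard queue covering the message lifecycle, delay queues, visibility timeout, receipt handles, at-least-once redelivery and the dead-letter redrive. Time is passed in as a number of seconds so the script runs offline and deterministically; the values used (30 s visibility, maxReceiveCount of 2) are assumptions chosen for the demo, not SQS defaults.

```python
import uuid
from dataclasses import dataclass
from typing import Optional

@dataclass
class Message:
    body: str
    message_id: str
    available_at: float               # delay queue: hidden until this time
    receive_count: int = 0
    invisible_until: float = 0.0      # visibility timeout: hidden while in flight
    receipt_handle: Optional[str] = None

class Queue:
    """Toy model of an SQS standard queue (constructed example): delay,
    visibility timeout, receipt handles, at-least-once redelivery and a
    redrive policy that moves poison messages to a dead-letter queue."""

    def __init__(self, delay_seconds=0, visibility_timeout=30,
                 max_receive_count=None, dlq=None):
        self.delay = delay_seconds
        self.visibility_timeout = visibility_timeout
        self.max_receive_count = max_receive_count
        self.dlq = dlq
        self.messages = []

    def send(self, body, now, delay_seconds=None):
        delay = self.delay if delay_seconds is None else delay_seconds
        msg = Message(body=body, message_id=str(uuid.uuid4()), available_at=now + delay)
        self.messages.append(msg)
        return msg.message_id

    def receive(self, now, max_messages=1):
        """Return up to max_messages visible messages. Each delivery increments
        the receive count, hides the message for the visibility timeout and
        issues a fresh receipt handle; the message itself stays in the queue."""
        delivered, to_dlq = [], []
        for msg in self.messages:
            if len(delivered) >= max_messages:
                break
            if msg.available_at > now or msg.invisible_until > now:
                continue                      # delayed, or in flight with another consumer
            if self.max_receive_count is not None and msg.receive_count >= self.max_receive_count:
                to_dlq.append(msg)            # received too often without a delete
                continue
            msg.receive_count += 1
            msg.invisible_until = now + self.visibility_timeout
            msg.receipt_handle = str(uuid.uuid4())
            delivered.append(msg)
        for msg in to_dlq:
            self.messages.remove(msg)
            if self.dlq is not None:
                msg.available_at, msg.invisible_until = now, 0.0
                self.dlq.messages.append(msg)
        return delivered

    def delete(self, receipt_handle):
        """Delete needs the receipt handle from the most recent receive; a
        stale handle from an earlier delivery of the same message does nothing."""
        for msg in self.messages:
            if msg.receipt_handle == receipt_handle:
                self.messages.remove(msg)
                return True
        return False

if __name__ == "__main__":
    dlq = Queue()
    q = Queue(visibility_timeout=30, max_receive_count=2, dlq=dlq)
    q.send("job-1", now=0)
    first = q.receive(now=0)[0]
    print(q.receive(now=10))                  # [] : still in flight
    second = q.receive(now=31)[0]             # not deleted in time: delivered again
    print(second.receive_count)               # 2
    print(q.delete(first.receipt_handle))     # False: stale handle
    print(q.delete(second.receipt_handle))    # True
```

The consumer-side lesson is visible in the run: processing must finish (and the delete must be sent) inside the visibility timeout, and since the same message can be delivered twice the processing has to be idempotent.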

AWS SWF – AWS Simple Workflow Service

Build applications that coordinate work across distributed components. A task is a logical unit of work performed by a component of the application. SWF coordinates tasks across the application, managing inter-task dependencies and scheduling.
Workers must be implemented to perform the tasks; they can run either on EC2 or on premises.

- SWF Workflows: implement asynchronous applications as workflows, which can run in parallel or sequentially. Tasks are called activities; the workflow coordinates the logic to execute the activities.
- SWF Workflow Domains: scope resources within an AWS account; a domain must be specified for all components of a workflow. There can be multiple workflows in a domain, but a workflow belongs to only one domain.
- SWF Workflow History: log of all executions.
- SWF Actors: actors can be workflow starters, deciders or activity workers. Actors can be developed in any programming language. Activities in a workflow can be synchronous or asynchronous, sequential or parallel.
- SWF Tasks: types of tasks:
o SWF Activity tasks: tell an activity worker to perform its function.
o SWF Lambda tasks: the same as activity tasks but executed by a Lambda function.
o SWF Decision tasks: tell a decider that the state of the workflow has changed so it can make decisions.
- SWF Task Lists: a group of tasks; can be addressed as a single task list.
- SWF Long Polling: deciders and activity workers periodically initiate communication and notify SWF of their availability.
- SWF Object Identifiers: unique IDs of objects:
o Workflow type identified by domain, name and version
o Registered activity identified by domain, name and version
o Decision tasks and activity tasks identified by a unique task token
o A single execution of a workflow is identified by domain, workflow ID and run ID
- SWF Workflow Closure: can be closed as completed, canceled, failed or timed out. The decider, the person administering the workflow, and SWF itself can close a workflow execution.
- SWF Lifecycle of workflow

AWS SNS – AWS Simple Notification Service


Web service for mobile and enterprise messaging that enables you to set up, operate and send
notifications. It follows the publish/subscribe (pub-sub) messaging paradigm, with notifications
delivered by push. There are two types of clients, publishers and subscribers (producers and
consumers). Publishers communicate with subscribers asynchronously by sending a message to a
topic. A topic is an access point (channel) that holds the list of subscribers and the method used
to reach them; when a message is sent to the topic, it is forwarded to each subscriber of that
topic using the method defined in that topic.

The topic owner has to define the topic so that publishers, subscribers and delivery technologies
can communicate.

- SNS Common Scenarios: monitoring applications, workflow systems, real-time events, mobile
push notifications, emails, text messages, alerts.
o SNS Application and System Alerts: SMS and email notifications triggered by a
threshold.
o Push Email and Text Messaging: delivery by email or SMS.
o Mobile Push Notifications: send notifications to mobile applications.
- SNS Fanout: an SNS message is sent to a topic and then replicated and pushed to multiple
SQS queues, HTTP endpoints or email addresses.

AWS DNS - AWS Route 53

In amazon.com, .com is the TLD (top level domain) and amazon is the SLD (second level
domain).
Route 53 is an authoritative DNS system for public DNS.
TLD: top level domain, such as .com, .net, .gov, .edu.
Zone files hold the information mapping domain names to IP addresses.

- Route 53 Supported DNS Record Types: records map resources to IP addresses
o Start of Authority record (SOA): mandatory in all zone files; a single record that stores
information about the name of the DNS server, the administrator of the zone, etc.
o A and AAAA: an A record maps a name to an IPv4 address, AAAA to an IPv6 address.
o CNAME: alias for a name defined in an A or AAAA record.
o MX: routes mail to mail servers, which must be defined by A records and not by CNAME.
o NS: routes traffic to the authoritative DNS servers.
o PTR: reverse of an A record.
o SPF: used by mail servers to combat spam.
o TXT: holds text information.
o SRV: indicates where the DNS server is hosted.
o Routing Policies
- Route 53 main functions:
o Domain Registration: lets you register domain names.
o DNS Service: resolves DNS names to IP addresses over UDP, switching to TCP when the
response is larger than 512 bytes; it is an authoritative DNS service. When a new
domain name is registered, a hosted zone is created for it; DNS service for an existing
domain can be transferred to Route 53.
o Health Checking: sends automated requests to check whether a resource is reachable.
- Route 53 Hosted Zones: a collection of resource record sets, with its own metadata and
configuration information.
o Route 53 Public hosted zone: container that holds information about how to route traffic
on the internet.
o Route 53 Private hosted zone: holds information about how to route traffic inside a
VPC.
Route 53 is not allowed to use CNAME here.
Do not use A records for subdomains.

- Route 53 Routing Policy: determines how Route 53 responds to queries; options:
o Simple: the default routing policy when creating a new record, for a single resource.
o Weighted: associates multiple resources, such as EC2 instances and ELBs, with a single
DNS name and balances traffic between them by percentage; it can work across regions.
o Latency based: routes to the resource with the lowest latency; works for identically
configured workloads in more than one region or AZ, based on the location of the end
user's request.
o Failover: active-passive failover; routes traffic to a resource only when it is available; it
works only for public zones.
o Geolocation: policies that serve content depending on the geographic location of the
user; needs a global (default) entry and supports overlapping locations.

Health checks work with CloudWatch; name servers can stop routing to an unhealthy node
within 30 seconds, and the new DNS results are known within 60 seconds.

- Route 53 Enables Resiliency – Route 53 Resiliency
o In every region, ELB is set up cross-zone.
o ELB delegates requests to EC2 instances running in multiple AZs in an auto scaling group.
o ELB has health checks so that requests are delegated only to healthy instances.
o A Route 53 health check on each ELB ensures requests are routed only to an ELB with
healthy EC2 instances.

AWS ELASTICACHE

A web service that simplifies the setup and management of distributed in-memory caching
environments.
High-performance, scalable caching solution; you can choose between Memcached and Redis
when launching a cluster. Replicas and failover cache nodes can be configured with the Redis
engine.
In-memory caching technologies.

- Elasticache in-memory caching: developers can deploy and manage cache environments
running either Memcached or Redis.
- Elasticache Data Access Patterns: define the data access pattern before storing data in the
cache.
- Elasticache Cache Engines: clusters can be deployed on two different cache engines,
Memcached and Redis.
o Elasticache Memcached: simple interface, in-memory key/value data store. A cluster
can be partitioned into shards and supports parallel operations. Supports versions
1.4.24 and 1.4.5. Up to 20 nodes.
o Elasticache Redis: deploys Redis 2.8.24 clusters. Redis can persist the in-memory data
to disk, which Memcached does not support, so you can create snapshots to back up or
replicate the data; it can have up to 5 read replicas and use multi-AZ replication groups.
Advanced features to sort and rank data. A read replica can be promoted to master. A
cluster has a single node, but clusters are grouped in a replication group with read
replicas.
- Elasticache Nodes – Elasticache Cluster: each deployment consists of one or more nodes in
a cluster. There are different node types, each derived from EC2 instance types (t2, m3,
r3); nodes can be added or removed over time.
On failure, Memcached gets a new node created by AWS; for Redis, if there is a read
replica it is promoted to primary.
- Elasticache Memcached Auto Discovery: for clusters partitioned across multiple nodes,
AWS supports auto discovery, which simplifies discovering the nodes within a cache cluster
and initiating and maintaining connections to them. Auto discovery clients are available for
.NET, Java and PHP.
- Elasticache Scaling: adjust the size of your environment to meet the needs of workloads as
they evolve over time.
o Horizontal Scaling: differs depending on the cache engine. Memcached scales
horizontally to 20 nodes or more, with nodes discovered through auto discovery. A
Redis cluster has one node handling writes and up to 5 read replicas.
o Vertical Scaling: the service does not allow resizing resources vertically; a new
Memcached cluster starts from scratch (empty), while a new Redis cluster can be
created from a backup.
- Elasticache Replication and Multi-AZ: Memcached does not support replication; its nodes
are standalone. Redis replication is asynchronous.
- Elasticache Replication Group: when the primary node fails, a replica is promoted to
primary; it can be in a different AZ.
- Elasticache Backup and Recovery: Redis allows you to persist data from memory to disk
and create snapshots stored in S3, using Redis's own backup mechanism. Perform backups
against a read replica. Manual snapshots do not delete themselves. Snapshots can be
scheduled. A Redis cluster can be created from a snapshot or from another RDB file
generated by Redis.
- Elasticache Access Control: access is controlled by restricting inbound network access to the
cluster using security groups; each node has a private IP address, the cluster can only be
accessed from inside the VPC, and network ACLs can be implemented.
AWS CLOUDFRONT

A CDN service; it works with DNS geolocation to deliver content from cache edge locations,
lowering the traffic load on the origin website. CloudFront works with S3 or a web server: S3
static websites, EC2 and ELB. It integrates with Route 53. Supports content served over HTTP or
HTTPS, and also dynamic web pages. Supports streaming using HTTPS and RTMP.

Cloudfront concepts:
- Cloudfront distributions: identified by a DNS domain name, or you can create a friendly
domain name. Select the min, max and TTL for objects in the distribution.
- Cloudfront origins: when creating a distribution you must specify the origin (an S3 bucket
or an HTTP server) and can define headers.
- Cloudfront Cache Control: once requested and served from an edge location, objects stay
in the cache until they expire or are evicted to make room for more frequently accessed
content. By default objects expire after 24 hours. It is better to create a second version
of a file than to delete it.
Cloudfront Advanced features:
Dynamic content, multiple origins and cache behaviors. Control which requests are served by
which origin and how requests are cached using cache behaviors. A cache behavior includes:
- The path pattern
- Which origin to forward your requests to
- Whether to forward query strings to your origin
- Whether accessing the specified files requires signed URL
- Whether to require HTTPS access
- The amount of time that those files stay in Cloudfront.
Cloudfront Whole Website: cache behaviors and multiple origins, supporting different behaviors
for different clients.
Cloudfront Private Content: allows you to serve private content:
- Signed URLs: URLs valid only between certain times and from certain IPs.
- Signed cookies: require authentication via public and private key pairs.
- Origin Access Identities (OAI): access to an S3 bucket restricted to a special CloudFront
user associated with the distribution.
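As an added example (not CloudFront's own code), the signed-URL mechanism above in Go: a custom policy carrying an expiry and a source-IP range is signed with the trusted signer's RSA key, and CheckURL makes the same decisions an edge location would before serving. The policy layout and the URL-safe base64 alphabet follow the CloudFront custom policy format; the domain, key pair id and CIDR are constructed placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net"
	"net/url"
	"strings"
	"time"
)

// Custom policy as CloudFront expects it: one statement naming the resource and its conditions.
type condition struct {
	DateLessThan map[string]int64  `json:"DateLessThan"`        // {"AWS:EpochTime": n}
	IpAddress    map[string]string `json:"IpAddress,omitempty"` // {"AWS:SourceIp": cidr}
}
type statement struct {
	Resource  string    `json:"Resource"`
	Condition condition `json:"Condition"`
}
type Policy struct{ Statement []statement `json:"Statement"` }

// CloudFront's URL-safe base64 swaps the characters + = / for - _ ~.
var toCF = strings.NewReplacer("+", "-", "=", "_", "/", "~")
var fromCF = strings.NewReplacer("-", "+", "_", "=", "~", "/")

func encodeCF(b []byte) string { return toCF.Replace(base64.StdEncoding.EncodeToString(b)) }
func decodeCF(s string) ([]byte, error) { return base64.StdEncoding.DecodeString(fromCF.Replace(s)) }

// GenerateSignerKey creates the trusted signer's key pair; CloudFront signatures are RSA-SHA1.
func GenerateSignerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// SignURL builds a policy valid until expires (and only from cidr, if given), signs its SHA-1
// digest with the signer's private key and appends Policy, Signature and Key-Pair-Id.
func SignURL(resource string, expires time.Time, cidr string, key *rsa.PrivateKey, keyPairID string) (string, error) {
	st := statement{Resource: resource, Condition: condition{DateLessThan: map[string]int64{"AWS:EpochTime": expires.Unix()}}}
	if cidr != "" {
		st.Condition.IpAddress = map[string]string{"AWS:SourceIp": cidr}
	}
	raw, err := json.Marshal(Policy{Statement: []statement{st}})
	if err != nil {
		return "", err
	}
	digest := sha1.Sum(raw)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA1, digest[:])
	if err != nil {
		return "", err
	}
	return resource + "?Policy=" + encodeCF(raw) + "&Signature=" + encodeCF(sig) + "&Key-Pair-Id=" + keyPairID, nil
}

// CheckURL is the decision an edge location makes before serving: the signature must verify with
// the trusted signer's key, the policy must name the URL actually requested, it must not have
// expired, and the client IP must fall inside the allowed range.
func CheckURL(signed string, pub *rsa.PublicKey, now time.Time, clientIP string) error {
	u, err := url.Parse(signed)
	if err != nil {
		return err
	}
	raw, _ := decodeCF(u.Query().Get("Policy")) // a decode failure leaves bytes that cannot verify
	sig, _ := decodeCF(u.Query().Get("Signature"))
	digest := sha1.Sum(raw)
	if rsa.VerifyPKCS1v15(pub, crypto.SHA1, digest[:], sig) != nil {
		return errors.New("signature does not verify")
	}
	var pol Policy
	if json.Unmarshal(raw, &pol) != nil || len(pol.Statement) != 1 {
		return errors.New("malformed policy")
	}
	st := pol.Statement[0]
	switch {
	case st.Resource != u.Scheme+"://"+u.Host+u.Path:
		return errors.New("policy does not cover the requested resource")
	case !now.Before(time.Unix(st.Condition.DateLessThan["AWS:EpochTime"], 0)):
		return errors.New("signed URL has expired")
	}
	if cidr := st.Condition.IpAddress["AWS:SourceIp"]; cidr != "" {
		_, allowed, err := net.ParseCIDR(cidr)
		if err != nil || !allowed.Contains(net.ParseIP(clientIP)) {
			return errors.New("client IP not permitted by the policy")
		}
	}
	return nil
}
```

Moving the signed query string onto a different path, or presenting it from an address outside the CIDR, is rejected even though the signature itself is intact.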
Cloudfront Use cases:
- Serving the static assets of popular websites, images, css, javascript.
- Serving whole website or web application, both dynamic and static content, with
multiple origins, cache behaviors and TTLs.
CloudFront will not work for a single point of access, or through a VPN.

AWS STORAGE GATEWAY

Caches frequently accessed data on premises while encrypting and storing it in S3 or Glacier.
Three configurations for Storage Gateway:
- Storage Gateway Cached Volumes: allow you to expand local storage capacity into S3; all
data stored is moved to S3, while recently read data is retained in local storage. Each
volume is limited to 32 TB and a gateway can have up to 32 volumes. Works with
snapshots, and only incremental backups are stored, transferred over SSL. Data cannot
be accessed through S3, only via the Storage Gateway. Expands local storage hardware
into Amazon S3.
- Storage Gateway Stored Volumes: store data on on-premises storage and asynchronously
back that data up to S3. Data is backed up as EBS snapshots. Volumes are limited to 16 TB;
a gateway can support up to 32 volumes. Incremental backups for snapshots. Store backups
in the cloud.
- Storage Gateway Virtual Tape Libraries (VTL): archive data in the AWS cloud. A gateway
can contain up to 1500 tapes. Virtual tape library and virtual tape shelf; 1 VTS is allowed
per AWS region.

AWS DIRECTORY SERVICE

Provides directories that contain information about organizations, users, groups, computers
and other resources; each directory is deployed across multiple AZs, with data replication and
automatic daily snapshots.
Directory Service Types:
- Directory Service for Microsoft AD: Enterprise Edition managed Microsoft AD hosted on
AWS, providing integration with AWS. Set up trust relationships with AD domains to extend
directories. Best choice if you have more than 5000 users and need trust relationships.
- Directory Service Simple AD: Microsoft AD compatible, powered by Samba 4. Provides
daily automatic snapshots. Can be integrated with IAM to use AWS applications. Trust
relationships with other AD domains are not supported, nor are LDAP, MFA, DNS
dynamic update or FSMO roles. For fewer than 5000 users with no need for advanced
Microsoft AD features.
- Directory Service AD Connector: proxy service for connecting on-premises Microsoft AD
to AWS without federation infrastructure; queries the on-premises AD for data. Enables
MFA integrated with RADIUS. Enables consistent enforcement of security policies. Uses
the existing on-premises directory.

AWS KMS (Key Management Service) – AWS CloudHSM

Deals with key generation, exchange, storage, use and replacement.

Two solutions to manage your own symmetric and asymmetric crypto keys:
- KMS: enables you to generate, store, enable and delete symmetric keys; a service to create
and control encryption keys, which cannot be exported from the service.
o KMS Customer Master Keys: uses a CMK (customer master key) to encrypt and decrypt
data and to encrypt data keys.
o KMS Data Keys: encrypt large data objects within your own application, outside
KMS.
o Envelope Encryption: to protect data, create a data key, encrypt the data with it and
encrypt the data key with the CMK.
o Encryption Context: KMS accepts key/value context information that can be used in
policies for authorization.
- CloudHSM: key storage making an HSM available in the AWS cloud, using dedicated HSM
appliances within AWS. The hardware appliance provides key storage and crypto
operations to government standards.
o Scalable Symmetric Key Distribution: the same key is used to encrypt and decrypt.
o Government Validated Cryptography: certain types of data (PCI) must be protected
with validated cryptography.

AWS CloudTrail

Provides visibility into user activity by recording API calls. Tracks changes. Delivers log files to
S3; logs can be sent to a CloudWatch Logs group, and an SNS notification can be received when
a log file is delivered.
Types of trail:
- CloudTrail applied to all regions: creates the same trail in all regions and sends the logs to
the single S3 bucket defined.
- CloudTrail applied to one region: specifies the bucket that receives logs from one region.
By default, log files are encrypted using S3 SSE. Log files can be stored as long as we want; S3
lifecycle rules can be defined to archive or delete them. Delivers log files within 15 minutes of
an API call; the service publishes new logs every 5 minutes. Trails should be enabled for all AWS
accounts and all regions.

AWS Kinesis

Platform for handling massive streaming data; enables you to build custom streaming data
applications.
Three services addressing different real-time streaming needs for limitless data streams:
- Kinesis Firehose: loads massive volumes of streaming data into AWS. Receives streaming
data and stores it in S3, Redshift (data is first sent to S3 and then copied to Redshift) or
Elasticsearch (with backup to S3). Create a delivery stream and a destination for the data.
- Kinesis Streams: build custom applications for more complex analysis of streaming data in
real time. Collect and process large amounts of data in real time. Incoming data is
distributed across shards; a shard can be split into more shards.
- Kinesis Analytics: analyze streaming data in real time with SQL.

AWS EMR – AWS Elastic Map Reduce

Fully managed on-demand Hadoop framework. When launching an EMR cluster these options
are specified:
- Instance type of the nodes in the cluster
- Number of nodes in the cluster
- Version of Hadoop (Apache Hadoop, MapR Hadoop)
- Additional applications (Hive, Pig, Spark, Presto)
Two types of storage:
- EMR HDFS (Hadoop distributed file system): standard file system; data is replicated across
instances and can use EC2 instance storage or EBS. Data is not persistent when the cluster
shuts down unless EBS is used.
- EMR EMRFS (EMR file system): allows data to be stored in S3.
For persistent clusters use HDFS. When clusters are powered on and then shut down only for
specific tasks they are transient clusters, and EMRFS is preferred.
EMR works for log processing, clickstream analysis and life sciences.

AWS Data Pipeline

Web service that helps process data between different AWS compute and storage services, and
also on-premises data sources: process, transform and transfer data to S3, RDS, DynamoDB
and EMR.
A pipeline definition runs on a schedule: every 15 minutes, every day, etc.
It interacts with data stored in data nodes. A data node is where pipelines read data from or
write data to (S3, MySQL, a Redshift cluster); a data node can be in AWS or on premises.
Activities represent scenarios like moving data and running queries. Activities may require EMR
or EC2 resources; the pipeline can launch resources when needed and shut them down when
the activity is completed. Supports preconditions: conditions that must be true before an activity
runs. Retry is automatic when an activity fails; it repeats until the configured limit.

AWS Import Export

Service to transfer data using physical storage appliances, bypassing the internet: the appliance
is shipped to AWS and the information is copied into AWS.
- Snowball: Amazon-provided storage appliance, shipped via UPS. Protected with KMS;
supports 50 TB and 80 TB.
o Import and export between on premises and S3.
o Encryption enforced.
o Snowball console to manage jobs.
o No box of your own required.
- Import Export Disk: transfers data directly onto and off storage devices you own, using
Amazon's high-speed internal network.
o Data can be imported into Glacier and EBS in addition to S3.
o Export data from S3.
o Encryption optional.
o You buy and maintain the hardware devices.
o Cannot manage jobs in the Snowball console.
o Limit of 16 TB.

AWS OpsWorks

Configure and operate applications using Chef, regardless of architecture or complexity.
Define package installation, software configuration and storage. Supports Linux, Windows or
on-premises servers.
A server stack is composed of load balancers, app servers, DB servers, etc.
Helps manage these resources as a group; this can run in a VPC.
To add elements to a stack you add layers; a layer is a set of resources for a particular purpose,
defining how packages are installed, configured and deployed.
Lifecycle events run the appropriate actions on specific instances.
Sends metrics to CloudWatch.
- OpsWorks Use Cases: host multi-tier web applications, support continuous integration.

AWS CloudFormation

Service that helps set up AWS resources (a collection of related resources); allows you to
deploy, modify and update resources in an orderly and predictable way, applying version control.
Works with templates (JSON) and stacks (manage related resources as a single unit).
To update a stack, create a change set by submitting a modified version of the original
template. To delete a stack but leave some resources, a deletion policy must be specified;
otherwise resources are deleted by default. If a resource cannot be deleted, the stack deletion
will not complete.
- Cloud Formation Use Cases: quickly launch test environments; reliably replicate
configuration between environments; launch applications in new AWS regions.

AWS Elastic Beanstalk

Simplest way to get an application up and running on AWS. Developers only upload application
code; the service handles all the details of load balancing, provisioning and auto scaling. Deploy
the application without worrying about infrastructure. An application is like a folder.
- Elastic Beanstalk Application version: a labeled iteration that points to the S3 object where
the code is.
- Elastic Beanstalk environment: an application version deployed on AWS resources; each
environment runs only one version.
- Elastic Beanstalk environment configuration: parameters and settings that define how an
environment works; when updated, the changes are applied immediately.
The environment tier can be the web server tier for a web app or the worker tier for background
processes.
Supports Java, Node.js, PHP, Python, Ruby and Go; for containers supports Tomcat, Passenger,
Puma and Docker.
Can be integrated with CloudWatch and SNS.

AWS Trusted Advisor

Inspects the AWS environment and makes recommendations to save money, improve system
availability and performance, and close security gaps. Shows the overall status of AWS resources
and estimated savings.
Provides best practices in 4 categories, each check coloured red (action recommended), yellow
(investigation recommended) or green (no problem):
- Trusted Advisor Cost Optimization
- Trusted Advisor Security
- Trusted Advisor Fault Tolerance
- Trusted Advisor Performance Improvement
Customers have access to 4 Trusted Advisor checks at no cost. These are:
- Trusted Advisor Service Limits: checks for usage above 80% of the service limit; the check
is based on a snapshot, so this information can take up to 24 hours to reflect.
- Trusted Advisor Security Groups: checks for security groups that allow unrestricted access
(0.0.0.0/0) to specific ports.
- Trusted Advisor IAM Use: checks for use of AWS IAM.
- Trusted Advisor MFA on Root Account: warns if MFA is not enabled.
Customers with a Business or Enterprise support plan can view all 50 checks.
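The free Security Groups check above looks for rules that open specific ports to 0.0.0.0/0. The following is an added example, not AWS or Trusted Advisor code: a Go audit over constructed JSON in the shape of EC2 DescribeSecurityGroups output, rating admin and database ports RED and web ports YELLOW in Trusted Advisor's colour scheme. The port lists are assumptions for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Subset of the JSON that EC2 DescribeSecurityGroups returns (field names as in the API).
type IPRange struct{ CidrIp string `json:"CidrIp"` }
type IPPermission struct {
	IpProtocol string    `json:"IpProtocol"` // "tcp", "udp", "icmp" or "-1" for all traffic
	FromPort   int       `json:"FromPort"`
	ToPort     int       `json:"ToPort"`
	IpRanges   []IPRange `json:"IpRanges"`
}
type SecurityGroup struct {
	GroupId       string         `json:"GroupId"`
	IpPermissions []IPPermission `json:"IpPermissions"`
}

// Finding uses Trusted Advisor's colours: RED for action recommended, YELLOW for investigation.
type Finding struct {
	GroupId  string
	Port     int
	Severity string
}

// Assumed port lists: admin and database ports open to the world are RED; 80 and 443 are
// expected to be public on web tiers and only YELLOW.
var highRiskPorts = []int{22, 3389, 1433, 3306, 5432, 6379, 27017}
var webPorts = []int{80, 443}

// worldOpen reports whether any source range of the rule is 0.0.0.0/0.
func worldOpen(p IPPermission) bool {
	for _, r := range p.IpRanges {
		if r.CidrIp == "0.0.0.0/0" {
			return true
		}
	}
	return false
}

// covers reports whether the rule's port range includes port; protocol -1 covers every port.
func covers(p IPPermission, port int) bool {
	return p.IpProtocol == "-1" || (p.FromPort <= port && port <= p.ToPort)
}

// AuditSecurityGroups parses DescribeSecurityGroups JSON and reports each watched port that a
// group exposes to the world, once per group and port even when several rules overlap.
func AuditSecurityGroups(raw []byte) ([]Finding, error) {
	var groups []SecurityGroup
	if err := json.Unmarshal(raw, &groups); err != nil {
		return nil, fmt.Errorf("parsing security groups: %w", err)
	}
	var findings []Finding
	seen := map[string]bool{}
	for _, g := range groups {
		for _, p := range g.IpPermissions {
			if !worldOpen(p) {
				continue
			}
			check := func(ports []int, severity string) {
				for _, port := range ports {
					key := fmt.Sprintf("%s:%d", g.GroupId, port)
					if covers(p, port) && !seen[key] {
						seen[key] = true
						findings = append(findings, Finding{g.GroupId, port, severity})
					}
				}
			}
			check(highRiskPorts, "RED")
			check(webPorts, "YELLOW")
		}
	}
	return findings, nil
}

// SampleGroups is constructed input in DescribeSecurityGroups shape, not data from a real account.
const SampleGroups = `[
 {"GroupId":"sg-web","IpPermissions":[{"IpProtocol":"tcp","FromPort":80,"ToPort":80,"IpRanges":[{"CidrIp":"0.0.0.0/0"}]},{"IpProtocol":"tcp","FromPort":443,"ToPort":443,"IpRanges":[{"CidrIp":"0.0.0.0/0"}]}]},
 {"GroupId":"sg-bastion","IpPermissions":[{"IpProtocol":"tcp","FromPort":22,"ToPort":22,"IpRanges":[{"CidrIp":"203.0.113.0/24"},{"CidrIp":"0.0.0.0/0"}]}]},
 {"GroupId":"sg-db","IpPermissions":[{"IpProtocol":"tcp","FromPort":3306,"ToPort":3306,"IpRanges":[{"CidrIp":"10.0.0.0/16"}]}]},
 {"GroupId":"sg-legacy","IpPermissions":[{"IpProtocol":"-1","IpRanges":[{"CidrIp":"0.0.0.0/0"}]}]}
]`

func main() {
	findings, err := AuditSecurityGroups([]byte(SampleGroups))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-6s %s port %d open to the world\n", f.Severity, f.GroupId, f.Port)
	}
}
```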

AWS Config

Managed service that provides an AWS resource inventory, configuration history and
configuration change notifications to enable security and governance. Discovers existing and
deleted resources. Enables auditing, security analysis, resource change tracking and
troubleshooting.
When AWS Config is turned on, a discovery task runs and generates a configuration item for
each resource.
It maintains historical data per configuration item with the configuration recorder.
A Config rule represents the desired configuration settings for specific AWS resources in an AWS
account; Config monitors whether configurations violate the rules.
Management tasks:
- Config Discovery: discover resources in the account, record their configuration and capture
changes to these configurations.
- Config Management: use SNS to notify about changes in resource configuration.
- Config Continuous Audit and Compliance: rules are designed to help assess compliance
with internal policies and regulatory standards.
- Config Troubleshooting: for operational issues.
- Config Security and Incident Analysis: integrates with CloudTrail.

AWS Security
Shared responsibility model:

- Security Compliance Program: IT security standards:
o SOC1, SSAE16, ISAE3402, SAS70
o SOC2, SOC3
o FISMA, DoD, DIACAP, FedRAMP
o DoD SRG lv2 lv4
o PCI DSS lv1
o ISO 9001, ISO 27001, ISO 27017, ISO 27018
o ITAR
o FIPS 140-2
o CJIS
o CSA
o FERPA
o HIPAA
o MPAA
o Cyber Essentials Plus
o FIP
o IRAP
o MTCS
o NIST
- Security Network Monitoring and Protection against:
o DDoS attacks
o MITM attacks
o IP spoofing
o Port scanning
o Packet sniffing by other tenants
- Security Credentials: cannot be recovered if lost
o Passwords
o MFA: an additional six-digit code; can be enabled for IAM users, and an IAM access
policy can require MFA for API calls.
o Access Keys: created by AWS IAM and delivered as a pair, Access Key ID (AKI) and
Secret Access Key (SAK); a signed request must reach AWS within 15 minutes or it is
denied. Signature Version 4 calculates an HMAC-SHA256. IAM roles provide temporary
credentials that can change multiple times a day.
o Key Pairs: 2048-bit RSA SSH keys; also used for CloudFront.
o X.509 Certificates: used to sign SOAP-based requests; contain a public key paired with
a private key. For IAM users these must be created. SSL/TLS server certificates are for
customers who want to use HTTPS; the private key is used to create a CSR that is
submitted to a CA.
- Security CloudTrail: built using SHA-256 hashing and SHA-256 with RSA for digital signing.
- Security EC2: multiple levels of security: OS, firewall and signed API calls.
o Hypervisor: Xen hypervisor, taking advantage of paravirtualization and using rings 0
to 3.
o Instance Isolation: the AWS firewall resides within the hypervisor, between the
physical network and the virtual interface.
o Host Operating System: administrators accessing this host must use MFA.
o Guest Operating System: completely controlled by the customer.
o API Access: the IAM user must have the secret access key.
- Security Networking:
o Elastic Load Balancing Security: manages traffic to EC2 across AZs within a region.
Takes over encryption and decryption for EC2; first line of defense; supports creation
of security groups; supports end-to-end traffic encryption using TLS over HTTPS.
HTTPS/TLS uses a secret key shared between server and browser to encrypt messages.
o VPC security: you can define private subnets; security includes security groups,
network ACLs, routing tables and external gateways.
 Subnets and route tables: MAC spoofing and ARP spoofing are blocked.
 Firewall (security groups) filters ingress and egress.
- Security CloudFront: every request must be authenticated. Requests are signed with
HMAC-SHA1 and the API is accessible only via SSL-enabled endpoints.
- Security S3: data access is restricted by default; only owners have access (the AWS
account owner, not the user who created the object), controlled using IAM policies, ACLs,
bucket policies and query string authentication. Data transfer is encrypted with SSL. It is
recommended not to place sensitive information in S3 metadata. S3 SSE uses AES-256.
Buckets can log access. Use Cross Origin Resource Sharing.
- Security Glacier: encrypts using AES-256.
- Security Storage Gateway: transfers over SSL, encrypts with AES-256.
- Security DynamoDB: IAM policies; uses an HMAC-SHA-256 signature on requests.
- Security RDS: security groups authorize a network IP range or an EC2 security group. Uses
network isolation and ACLs; encryption using SSL. Supports TDE.
- Security Redshift: petabyte-scale SQL data warehouse. Configure security groups, run inside
a VPC, encrypted using AES-256. Uses a four-tier architecture for encryption:
o Data encryption keys encrypt the data blocks in the cluster (AES-256) and are
themselves encrypted with the database key.
o The database key encrypts the data encryption keys (AES-256).
o The cluster key encrypts the database key; an HSM can be used to store the cluster key.
o The master key encrypts the cluster key if it is stored in AWS.
- Security Elasticache: a cache node is a fixed-size chunk of secure network-attached RAM.
Uses cache security groups.
- Security SQS: access via AWS IAM; SSL-encrypted endpoints.
- Security SNS: HTTPS; uses IAM.
- Security EMR: uses two security groups, one for the master and another for the slaves.
Uses SSL to transfer to S3; uses IAM.
- Security Kinesis: uses IAM roles for third-party consumers. SSL-encrypted endpoints.
- Security Cognito: identity and sync service for mobile and web-based applications.
Simplifies authenticating users and storing data across multiple devices. Provides
temporary credentials without managing back-end infrastructure. Uses Google, Facebook
and Amazon authentication; OAuth and OpenID Connect tokens; uses an identity pool and
an IAM role.
o Identity pool: store of user identity information specific to an AWS account.
o IAM Role: set of permissions to access specific resources, not tied to a specific IAM
user or group. Temporary security credentials have a lifespan of 12 hours.
The SDK client uses SQLite; identity is transmitted over HTTPS.
- Security Workspaces: managed desktop service to quickly provision cloud-based desktops.
Uses PCoIP; users can log in with AD credentials. AD group policies manage user
privileges; you can use an on-premises AD or create your own private cloud directory. MFA
can be used with an on-premises RADIUS server (supports PAP, CHAP, MS-CHAP1,
MS-CHAP2). Works with EBS and takes snapshots twice a day.
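The Signature Version 4 and 15-minute window rules under Security Credentials above, as an added Go example that is not AWS SDK code: the signing key derivation chain, the string to sign, and the service-side check that rejects stale, re-scoped or tampered requests. The secret is the placeholder key used in the AWS documentation and the canonical request is constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"
)

const (
	amzDateLayout = "20060102T150405Z" // X-Amz-Date format
	maxClockSkew  = 15 * time.Minute   // requests older or newer than this are rejected
)

func hmacSHA256(key []byte, data string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(data))
	return m.Sum(nil)
}

// SigningKey is the SigV4 derivation chain. The secret access key itself never signs a request;
// a key scoped to one date, region and service does, which limits what a captured signing key is good for.
func SigningKey(secret, date, region, service string) []byte {
	kDate := hmacSHA256([]byte("AWS4"+secret), date)
	kRegion := hmacSHA256(kDate, region)
	kService := hmacSHA256(kRegion, service)
	return hmacSHA256(kService, "aws4_request")
}

// StringToSign joins the algorithm, the request timestamp, the credential scope and the SHA-256
// of the canonical request (method, path, query, signed headers and payload hash).
func StringToSign(amzDate, scope, canonicalRequest string) string {
	h := sha256.Sum256([]byte(canonicalRequest))
	return strings.Join([]string{"AWS4-HMAC-SHA256", amzDate, scope, hex.EncodeToString(h[:])}, "\n")
}

// Signature is the hex value the client places in the Authorization header.
func Signature(secret, region, service, amzDate, canonicalRequest string) string {
	date := amzDate[:8]
	scope := date + "/" + region + "/" + service + "/aws4_request"
	key := SigningKey(secret, date, region, service)
	return hex.EncodeToString(hmacSHA256(key, StringToSign(amzDate, scope, canonicalRequest)))
}

// VerifyRequest is the service-side check: reject anything outside the 15 minute window, then
// recompute the signature from the stored secret and compare it in constant time.
func VerifyRequest(secret, region, service, amzDate, canonicalRequest, presented string, now time.Time) error {
	t, err := time.Parse(amzDateLayout, amzDate)
	if err != nil {
		return fmt.Errorf("bad X-Amz-Date: %w", err)
	}
	if skew := now.Sub(t); skew > maxClockSkew || skew < -maxClockSkew {
		return errors.New("request timestamp outside the 15 minute window")
	}
	expected := Signature(secret, region, service, amzDate, canonicalRequest)
	if !hmac.Equal([]byte(expected), []byte(presented)) {
		return errors.New("signature mismatch")
	}
	return nil
}

// ExampleSecret is the placeholder secret used in the AWS documentation, not a real credential.
const ExampleSecret = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"

// ExampleCanonicalRequest is a constructed canonical request for an IAM ListUsers call with an
// empty body (the last line is the SHA-256 of the empty string).
const ExampleCanonicalRequest = "GET\n/\nAction=ListUsers&Version=2010-05-08\n" +
	"host:iam.amazonaws.com\nx-amz-date:20150830T123600Z\n\nhost;x-amz-date\n" +
	"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

func main() {
	const amzDate = "20150830T123600Z"
	sig := Signature(ExampleSecret, "us-east-1", "iam", amzDate, ExampleCanonicalRequest)
	sent := time.Date(2015, 8, 30, 12, 36, 0, 0, time.UTC)
	fmt.Println("signature:", sig)
	fmt.Println("5 min later: ", VerifyRequest(ExampleSecret, "us-east-1", "iam", amzDate, ExampleCanonicalRequest, sig, sent.Add(5*time.Minute)))
	fmt.Println("20 min later:", VerifyRequest(ExampleSecret, "us-east-1", "iam", amzDate, ExampleCanonicalRequest, sig, sent.Add(20*time.Minute)))
}
```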
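Envelope encryption from the KMS section and the Redshift four-tier key hierarchy above are the same wrap step applied at different depths, so one added Go example (not AWS code) serves both: AES-256-GCM seals the data with a data key, the data key is wrapped under the CMK with the encryption context as additional authenticated data, and UnwrapChain walks a master, cluster, database, data key chain. Keys are generated or constructed locally here in place of KMS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Seal encrypts plaintext with AES-256-GCM under key, binding aad (the encryption context) to
// the result and prepending the random nonce. The same primitive wraps keys and encrypts data.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal; it fails when the key, the context or the ciphertext differ.
func Open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Envelope is what gets stored: the data key wrapped by the CMK, never the plaintext data key.
type Envelope struct {
	Context    string // KMS encryption context, bound to the wrapped key as AAD
	WrappedKey []byte
	Ciphertext []byte
}

// Encrypt is envelope encryption: generate a data key, encrypt the data with it locally, and keep
// only the copy of the data key wrapped under the CMK (what KMS GenerateDataKey hands back).
func Encrypt(cmk []byte, context string, data []byte) (*Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	wrapped, err := Seal(cmk, dataKey, []byte(context))
	if err != nil {
		return nil, err
	}
	ct, err := Seal(dataKey, data, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{context, wrapped, ct}, nil
}

// Decrypt unwraps the data key under the CMK and stored context (the KMS Decrypt step), then
// decrypts the data locally; a different CMK or context fails at the unwrap.
func Decrypt(cmk []byte, env *Envelope) ([]byte, error) {
	dataKey, err := Open(cmk, env.WrappedKey, []byte(env.Context))
	if err != nil {
		return nil, errors.New("data key does not unwrap under this CMK and context")
	}
	return Open(dataKey, env.Ciphertext, nil)
}

// UnwrapChain walks a deeper hierarchy such as Redshift's (master key, cluster key, database
// key, data key), each layer wrapped by the one above it; root is the top of the chain.
func UnwrapChain(root []byte, wrapped [][]byte) ([]byte, error) {
	key := root
	for depth, w := range wrapped {
		var err error
		if key, err = Open(key, w, nil); err != nil {
			return nil, fmt.Errorf("layer %d does not unwrap: %w", depth, err)
		}
	}
	return key, nil
}
```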

AWS Risk and AWS Compliance

The AWS compliance and security teams have established an information security framework
based on COBIT, ISO 27001, ISO 27002 and PCI. They work under NDA.

AWS Best Practices

Tenets of architecture best practice for migrating existing applications or designing new
applications.

- Design for failure and nothing fails: assume the worst-case scenario, assume things will fail,
and deploy for automated recovery from failure.
- Implement Elasticity: the ability to grow to handle increased load with a scalable
architecture and no drop in performance. Scale vertically and horizontally.
o Scaling Vertically: increase the specifications of an individual resource; for EC2, stop
the instance and resize it.
o Scaling Horizontally: increase the number of resources; the key characteristic is the
distinction between stateless and stateful architectures.
 Stateless applications: a session is created when a user or service interacts
with the app. Stateless applications do not need knowledge of previous
interactions or session information, so any request can be served by any
instance because no data needs to be shared.
 Stateless components: store only a unique session identifier and lightweight
cookies.
 Stateful components: databases are stateful; low-latency applications like
games, for example, run on a single server.
 Deployment automation: systems scale without human intervention.
 Automate infrastructure: use the API to automate the deployment process.
 Bootstrap instances: every EC2 instance has a single role to play in the
environment (DB, app server, etc.) and can take actions after it boots. This
allows recreating the environment with a few clicks, maintaining control and
reducing human-induced errors.
- Leverage different storage options:
o One size does not fit all: migrate static data from a website to S3 and publish it
via CloudFront; store session information in ElastiCache or DynamoDB.
- Build security in every layer: apply encryption in transit and at rest.
o Features for defense in depth: VPC, subnets, security groups, routing controls,
WAF, IAM.
o Reduce privileged access: use service accounts with temporary tokens and apply a
least-privilege policy.
o Security as Code: capture all security policies in a script (a golden environment);
create a CloudFormation template with the whole security hardening process so it
deploys easily. CloudFormation templates can be imported as products into AWS
Service Catalog.
o Real Time Auditing: services like AWS Config rules, AWS Inspector and AWS Trusted
Advisor monitor for compliance or vulnerabilities; use CloudWatch Logs and
CloudTrail.
- Think parallel: automate parallelization.
- Loose coupling sets you free: reduce interdependencies; the more loosely system
components are coupled, the larger they scale. Use API Gateway to publish and manage
APIs, and asynchronous integration (with SQS) to loosen coupling between services.
- Don't fear constraints
