AWS Certification Preparation Notes

The document provides information on AWS CloudFormation templates and resources. It discusses the different components of a CloudFormation template including resources, parameters, mappings, outputs, and conditions. It also describes intrinsic functions that can be used in templates such as Ref, Fn::GetAtt, Fn::FindInMap, and Fn::Join. The document outlines how to define AWS resources in a template and use parameters, mappings, and other features to create reusable templates.

Uploaded by swetha000

CloudFormation:

Template components:
1) Resources – AWS resources to be created.
2) Parameters – dynamic inputs to be provided.
3) Mappings – static variables to be used by the template.
4) Outputs – details you want to get back from the stack.
5) Conditions – conditions that control whether a resource action is performed.
6) Metadata
Template helpers:
1) References
2) Functions

Although AWS CloudFormation allows you to name some resources (such as Amazon S3
buckets), CloudFormation doesn't allow this for all resources. Naming resources restricts the
reusability of templates and results in naming conflicts.

AWS CloudFormation automatically tags Amazon EBS volumes and Amazon EC2 instances with
the name of the AWS CloudFormation stack they are part of.

AWS CloudFormation provides a WaitCondition resource that acts as a barrier, blocking the
creation of other resources until a completion signal is received from an external source such as
your application or management system.

An AWS CloudFormation account is limited to a maximum of 200 stacks (soft limit).

Template, Parameter, Output, and Resource description fields are limited to 4096 characters.
You can include up to 60 parameters and 60 outputs in a template.

A resource must have a Type attribute, which defines the kind of AWS resource you want to
create. The Type attribute has a special format:
AWS::ProductIdentifier::ResourceType
Ex: AWS::S3::Bucket
AWS::EC2::Instance
A property for a resource is simply a string value. Some resources can have multiple properties,
and some properties can have one or more subproperties.

AWS CloudFormation has a number of intrinsic functions that you can use to refer to other
resources and their properties.
You can use the Ref function to refer to an identifying property of a resource. Frequently, this is
the physical name of the resource; however, sometimes it can be an identifier, such as the IP
address for an AWS::EC2::EIP resource or an Amazon Resource Name (ARN) for an Amazon SNS
topic.
A number of resources have additional attributes whose values you can use in your template.
To get these attributes, you use the Fn::GetAtt function. The Fn::GetAtt function takes two
parameters, the logical name of the resource and the name of the attribute to be retrieved. 

Parameters are a good way to specify sensitive or implementation-specific data, such as
passwords or user names, that you need to use but do not want to embed in the template
itself. For sensitive information, you can use the NoEcho attribute to prevent a parameter value
from being displayed in the console, command line tools, or API. If you set the NoEcho attribute
to true, the parameter value is returned as asterisks (*****).

The AWS::Region pseudo parameter is a value that AWS CloudFormation resolves as the region
where the stack is created.

To use a map to return a value, you use the Fn::FindInMap function, passing the name of the
map, the value used to find the mapped value, and the label of the mapped value you want to
return. 

Some resources, such as AWS::EC2::Instance, AWS::AutoScaling::AutoScalingGroup,
and AWS::ElasticLoadBalancing::LoadBalancer, have a property that specifies availability zones.
You can use the Fn::GetAZs function to get the list of all availability zones in a region.
The Fn::Join function takes two parameters, a delimiter that separates the values you want to
concatenate and an array of values in the order that you want them to appear.

Optional attributes that can be used with any resource:

- DependsOn attribute enables you to specify that one resource must be created after
another.
- DeletionPolicy attribute enables you to specify how AWS CloudFormation should handle
the deletion of a resource.
- Metadata attribute enables you to specify structured data with a resource.

AWS::CloudFormation::Stack enables you to nest another stack as a resource within your
template.

Use cross-stack references to export resources from a stack so that other stacks can use them.
Stacks can use the exported resources by calling them using the Fn::ImportValue function.

To separate permissions between a user and the AWS CloudFormation service, use a service
role. AWS CloudFormation uses the service role's policy to make calls instead of the user's
policy.
Nested stacks are stacks that create other stacks. To create nested stacks, use
the AWS::CloudFormation::Stack resource in your template to reference other templates.

If your template requires inputs for existing AWS-specific values, such as existing Amazon
Virtual Private Cloud IDs or an Amazon EC2 key pair name, use AWS-specific parameter types.
For example, you can specify a parameter as type AWS::EC2::KeyPair::KeyName, which takes an
existing key pair name that is in your AWS account and in the region where you are creating the
stack.
Parameter Constraints - you can describe allowed input values so that AWS CloudFormation
catches any invalid values before creating a stack. You can set constraints such as a minimum
length, maximum length, and allowed patterns.
Use AWS::CloudFormation::Init to Deploy Software Applications on Amazon EC2 Instances.
When you launch stacks, you can install and configure software applications on Amazon EC2
instances by using the cfn-init helper script and the AWS::CloudFormation::Init resource.

Stack policies help protect critical stack resources from unintentional updates that could cause
resources to be interrupted or even replaced.

AWS CloudFormation provides several built-in functions that help you manage your stacks. Use
intrinsic functions in your templates to assign values to properties that are not available until
runtime.
Fn::Base64

The intrinsic function Fn::Base64 returns the Base64 representation of the input string. This
function is typically used to pass encoded data to Amazon EC2 instances by way of
the UserData property.

Ex: { "Fn::Base64" : valueToEncode }


Fn::Cidr

The intrinsic function Fn::Cidr returns an array of CIDR address blocks. The number of CIDR
blocks returned is dependent on the count parameter.

{ "Fn::Cidr" : [ipBlock, count, cidrBits]}

ipBlock

The user-specified CIDR address block to be split into smaller CIDR blocks.

count

The number of CIDRs to generate. Valid range is between 1 and 256.

cidrBits

The number of subnet bits for the CIDR. For example, specifying a value "8" for this
parameter will create a CIDR with a mask of "/24".
Condition Functions

You can use intrinsic functions, such as Fn::If, Fn::Equals, and Fn::Not, to conditionally create
stack resources.

Fn::FindInMap

The intrinsic function Fn::FindInMap returns the value corresponding to keys in a two-level map
that is declared in the Mappings section.

{ "Fn::FindInMap" : [ "MapName", "TopLevelKey", "SecondLevelKey"] }


Fn::GetAtt

The Fn::GetAtt intrinsic function returns the value of an attribute from a resource in the
template.

{ "Fn::GetAtt" : [ "logicalNameOfResource", "attributeName" ] }

Fn::GetAZs

The intrinsic function Fn::GetAZs returns an array that lists Availability Zones for a specified
region.

For the EC2-Classic platform, the Fn::GetAZs function returns all Availability Zones for a region.
For the EC2-VPC platform, the Fn::GetAZs function returns only Availability Zones that have a
default subnet unless none of the Availability Zones has a default subnet; in that case, all
Availability Zones are returned.
{ "Fn::GetAZs" : "region" }
Fn::ImportValue

The intrinsic function Fn::ImportValue returns the value of an output exported by another
stack. You typically use this function to create cross-stack references.

You can't create cross-stack references across regions.

For outputs, the value of the Name property of an Export can't use Ref or GetAtt functions that
depend on a resource.
Similarly, the ImportValue function can't include Ref or GetAtt functions that depend on a
resource.

{ "Fn::ImportValue" : sharedValueToImport }
Fn::Join

The intrinsic function Fn::Join appends a set of values into a single value, separated by the
specified delimiter. If a delimiter is the empty string, the set of values are concatenated with no
delimiter.

{ "Fn::Join" : [ "delimiter", [ comma-delimited list of values ] ] }

Fn::Select

The intrinsic function Fn::Select returns a single object from a list of objects by index.

Fn::Select does not check for null values or whether the index is out of bounds of the array. Both
conditions result in a stack error.
{ "Fn::Select" : [ index, listOfObjects ] }
For the Fn::Select index value, you can use the Ref and Fn::FindInMap functions.

For the Fn::Select list of objects, you can use the following functions:

- Fn::FindInMap
- Fn::GetAtt
- Fn::GetAZs
- Fn::If
- Fn::Split
- Ref

Fn::Split

Fn::Split splits a string into a list of string values so that you can select an element from the
resulting list. Specify the location of the splits with a delimiter, such as , (a comma). After you
split a string, use the Fn::Select function to pick a specific element.
{ "Fn::Split" : [ "delimiter", "source string" ] }

Fn::Sub

The intrinsic function Fn::Sub substitutes variables in an input string with values that you
specify. In your templates, you can use this function to construct commands or outputs that
include values that aren't available until you create or update a stack.

{ "Fn::Sub" : [ String, { Var1Name: Var1Value, Var2Name: Var2Value } ] }

Fn::Transform

The intrinsic function Fn::Transform specifies a macro to perform custom processing on part of
a stack template. Macros enable you to perform custom processing on templates, from simple
actions like find-and-replace operations to extensive transformations of entire templates.

{ "Fn::Transform" : { "Name" : macro name, "Parameters" : {key : value, ... } } }

Ref

The intrinsic function Ref returns the value of the specified parameter or resource.

- When you specify a parameter's logical name, it returns the value of the parameter.
- When you specify a resource's logical name, it returns a value that you can typically use
to refer to that resource, such as a physical ID.

{ "Ref" : "logicalName" }
Pseudo Parameters Reference

Pseudo parameters are parameters that are predefined by AWS CloudFormation. You do not
declare them in your template. Use them the same way as you would a parameter, as the
argument for the Ref function.

AWS::AccountId:

Returns the AWS account ID of the account in which the stack is being created.

AWS::NotificationARNs:

Returns the list of notification Amazon Resource Names (ARNs) for the current stack.

AWS::NoValue:

Removes the corresponding resource property when specified as a return value in
the Fn::If intrinsic function.

AWS::Partition:

Returns the partition that the resource is in. For standard AWS regions, the partition is aws. For
resources in other partitions, the partition is aws-partitionname.

AWS::Region:

Returns a string representing the AWS Region in which the encompassing resource is being
created, such as us-west-2.

AWS::StackId:

Returns the ID of the stack as specified with the aws cloudformation create-stack command,
such as arn:aws:cloudformation:us-west-2:123456789012:stack/teststack/51af3dc0-da77-11e4-872e-1234567db123.

AWS::StackName:

Returns the name of the stack as specified with the aws cloudformation create-stack command,
such as teststack.

AWS::URLSuffix:

Returns the suffix for a domain. The suffix is typically amazonaws.com, but might differ by
region. For example, the suffix for the China (Beijing) region is amazonaws.com.cn.
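The intrinsic functions and pseudo parameters listed above are easiest to understand by watching them resolve. The following is an added example, not AWS code: a small evaluator that walks the JSON forms shown in this section (Ref, Fn::FindInMap, Fn::GetAtt, Fn::GetAZs, Fn::ImportValue, Fn::Join, Fn::Split, Fn::Select, Fn::Sub, Fn::Base64, Fn::Cidr, Fn::Equals/Not/If and AWS::NoValue) against a constructed stack context. Everything in CONTEXT (region, account ID, the WebServer resource and its attributes, the export, the AZ list) is made up for the example; CloudFormation itself supplies these values at deploy time. Two behaviours the notes call out are made explicit: Fn::Select fails on an out-of-range index, and an Fn::If that returns AWS::NoValue removes the property entirely.

```python
import base64
import ipaddress
import re

NO_VALUE = object()   # sentinel standing in for {"Ref": "AWS::NoValue"}

# Constructed stack context (placeholders): what CloudFormation would know at
# deploy time. Nothing is really created, so attributes are supplied by hand.
CONTEXT = {
    "pseudo": {"AWS::Region": "us-west-2", "AWS::AccountId": "123456789012",
               "AWS::StackName": "teststack", "AWS::Partition": "aws"},
    "parameters": {"EnvType": "prod", "KeyName": "my-key"},
    "mappings": {"RegionMap": {"us-west-2": {"AMI": "ami-EXAMPLE"}}},
    "conditions": {"IsProd": {"Fn::Equals": [{"Ref": "EnvType"}, "prod"]}},
    "resources": {"WebServer": {"Ref": "i-0123456789abcdef0",
                                "PublicIp": "203.0.113.10"}},
    "exports": {"SharedVpcId": "vpc-EXAMPLE"},
    "azs": {"us-west-2": ["us-west-2a", "us-west-2b", "us-west-2c"]},
}

def _sub(template, variables, ctx):
    """Expand ${Var}: the explicit map first, then Logical.Attr, then Ref."""
    def repl(match):
        name = match.group(1)
        if name.startswith("!"):                       # ${!Literal} escape
            return "${" + name[1:] + "}"
        if name in variables:
            return str(resolve(variables[name], ctx))
        if "." in name and not name.startswith("AWS::"):
            return str(resolve({"Fn::GetAtt": name.split(".", 1)}, ctx))
        return str(resolve({"Ref": name}, ctx))
    return re.sub(r"\$\{([^}]+)\}", repl, template)

def resolve(node, ctx=CONTEXT):
    """Recursively replace intrinsic-function dicts with their values."""
    if isinstance(node, list):
        return [resolve(n, ctx) for n in node]
    if not isinstance(node, dict):
        return node
    if len(node) == 1:
        (fn, arg), = node.items()
        if fn == "Ref":
            if arg == "AWS::NoValue":
                return NO_VALUE
            for scope in ("pseudo", "parameters"):
                if arg in ctx[scope]:
                    return ctx[scope][arg]
            return ctx["resources"][arg]["Ref"]        # physical ID
        if fn == "Fn::GetAtt":
            logical, attr = resolve(arg, ctx)
            return ctx["resources"][logical][attr]
        if fn == "Fn::FindInMap":
            name, top, second = resolve(arg, ctx)
            return ctx["mappings"][name][top][second]
        if fn == "Fn::GetAZs":
            region = resolve(arg, ctx) or ctx["pseudo"]["AWS::Region"]
            return list(ctx["azs"][region])
        if fn == "Fn::ImportValue":
            return ctx["exports"][resolve(arg, ctx)]
        if fn == "Fn::Join":
            delimiter, values = resolve(arg, ctx)
            return delimiter.join(str(v) for v in values)
        if fn == "Fn::Split":
            delimiter, source = resolve(arg, ctx)
            return source.split(delimiter)
        if fn == "Fn::Select":
            index, items = resolve(arg, ctx)
            index = int(index)
            # CloudFormation does no bounds check and the stack simply fails;
            # failing loudly here surfaces the template error before deploy.
            if items is None or not 0 <= index < len(items):
                raise ValueError(f"Fn::Select index {index} out of range")
            return items[index]
        if fn == "Fn::Sub":
            template, variables = (arg, {}) if isinstance(arg, str) else arg
            return _sub(template, variables, ctx)
        if fn == "Fn::Base64":
            return base64.b64encode(str(resolve(arg, ctx)).encode()).decode()
        if fn == "Fn::Cidr":
            block, count, bits = (resolve(a, ctx) for a in arg)
            count, bits = int(count), int(bits)
            if not 1 <= count <= 256:
                raise ValueError("Fn::Cidr count must be between 1 and 256")
            net = ipaddress.ip_network(block)
            # cidrBits is the number of host bits per subnet: 8 on IPv4 => /24
            subnets = net.subnets(new_prefix=net.max_prefixlen - bits)
            return [str(s) for _, s in zip(range(count), subnets)]
        if fn == "Fn::Equals":
            left, right = resolve(arg, ctx)
            return str(left) == str(right)
        if fn == "Fn::Not":
            return not resolve(arg[0], ctx)
        if fn == "Fn::If":
            name, if_true, if_false = arg
            chosen = if_true if resolve(ctx["conditions"][name], ctx) else if_false
            return resolve(chosen, ctx)
    # Ordinary property map: resolve children and drop AWS::NoValue entries.
    out = {k: resolve(v, ctx) for k, v in node.items()}
    return {k: v for k, v in out.items() if v is not NO_VALUE}
```

Call resolve() on any fragment written in the JSON notation used above, for example resolve({"Fn::Cidr": ["10.0.0.0/16", 2, 8]}) gives the two /24 blocks, and resolve({"Fn::Sub": ["${Stack}-${WebServer.PublicIp}", {"Stack": {"Ref": "AWS::StackName"}}]}) shows the three lookup orders Fn::Sub uses.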
CloudFormation Helper Scripts Reference

AWS CloudFormation provides the following Python helper scripts that you can use to install
software and start services on an Amazon EC2 instance that you create as part of your stack:

- cfn-init: Use to retrieve and interpret resource metadata, install packages, create files,
and start services.
- cfn-signal: Use to signal with a CreationPolicy or WaitCondition, so you can synchronize
other resources in the stack when the prerequisite resource or application is ready.
- cfn-get-metadata: Use to retrieve metadata for a resource or path to a specific key.
- cfn-hup: Use to check for updates to metadata and execute custom hooks when
changes are detected.

The cfn-init helper script reads template metadata from the AWS::CloudFormation::Init key and
acts accordingly to:

- Fetch and parse metadata from AWS CloudFormation
- Install packages
- Write files to disk
- Enable/disable and start/stop services

The cfn-hup helper is a daemon that detects changes in resource metadata and runs user-
specified actions when a change is detected. This allows you to make configuration updates on
your running Amazon EC2 instances through the UpdateStack API action.
For Amazon EC2 issues, view the cloud-init and cfn logs. These logs are published on the
Amazon EC2 instance in the /var/log/ directory. These logs capture processes and command
outputs while AWS CloudFormation is setting up your instance. For Windows, view the
EC2Config service and cfn logs in %ProgramFiles%\Amazon\EC2ConfigService and C:\cfn\log.

DependsOn Attribute

With the DependsOn attribute you can specify that the creation of a specific resource follows
another. When you add a DependsOn attribute to a resource, that resource is created only after
the creation of the resource specified in the DependsOn attribute.
DeletionPolicy Attribute

With the DeletionPolicy attribute you can preserve or (in some cases) back up a resource when
its stack is deleted. You specify a DeletionPolicy attribute for each resource that you want to
control. If a resource has no DeletionPolicy attribute, AWS CloudFormation deletes the resource
by default.

- The default policy is Snapshot for AWS::RDS::DBCluster resources and
for AWS::RDS::DBInstance resources that don't specify the DBClusterIdentifier property.
Options:
Delete
Retain
Snapshot

CreationPolicy Attribute

Associate the CreationPolicy attribute with a resource to prevent its status from reaching create
complete until AWS CloudFormation receives a specified number of success signals or the
timeout period is exceeded. To signal a resource, you can use the cfn-signal helper script
or SignalResource API.

The creation policy is invoked only when AWS CloudFormation creates the associated resource.
Currently, the only AWS CloudFormation resources that support creation policies
are AWS::AutoScaling::AutoScalingGroup, AWS::EC2::Instance,
and AWS::CloudFormation::WaitCondition.

UpdateReplacePolicy Attribute

Use the UpdateReplacePolicy attribute to retain or (in some cases) backup the existing physical
instance of a resource when it is replaced during a stack update operation.

Options:
Delete
Retain
Snapshot
The cfn-signal helper script signals AWS CloudFormation to indicate whether Amazon EC2
instances have been successfully created or updated. If you install and configure software
applications on instances, you can signal AWS CloudFormation when those software
applications are ready.
You use the cfn-signal script in conjunction with a CreationPolicy or an Auto Scaling group with
a WaitOnResourceSignals update policy. 
When AWS CloudFormation creates or updates resources with those policies, it suspends work
on the stack until the resource receives the requisite number of signals or until the timeout
period is exceeded.
A common usage pattern is to use cfn-init and cfn-signal together. The cfn-signal call passes on
the return status of the cfn-init call (using the $? shell construct). If the application fails to
install, the instance fails to create and the stack rolls back.
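Two things from the DependsOn section and the cfn-init/cfn-signal pattern above are easy to get wrong in a template: the creation order CloudFormation derives (explicit DependsOn plus the implicit dependencies that Ref, Fn::GetAtt and Fn::Sub create), and the UserData that ties cfn-signal's exit code to cfn-init's. The following is an added example, not AWS's or the helper scripts' own code. It computes a valid creation order for a constructed Resources section, refuses circular dependencies, and builds an EC2 resource whose CreationPolicy holds the stack until the instance signals; the cfn-init and cfn-signal flags used (-v, -e, --stack, --resource, --region) and the /opt/aws/bin path are the standard ones on Amazon Linux, and the resource names and AMI ID are placeholders.

```python
import re
from graphlib import TopologicalSorter

def references(node, logical_ids):
    """Logical IDs that `node` depends on through Ref, Fn::GetAtt or Fn::Sub."""
    found = set()
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "Ref" and value in logical_ids:
                found.add(value)
            elif key == "Fn::GetAtt":
                target = value[0] if isinstance(value, list) else value.split(".")[0]
                if target in logical_ids:
                    found.add(target)
            elif key == "Fn::Sub":
                text = value if isinstance(value, str) else value[0]
                # ${Logical} or ${Logical.Attr}; pseudo parameters (AWS::x) do not match
                for name in re.findall(r"\$\{([A-Za-z0-9]+)(?:\.[^}]*)?\}", text):
                    if name in logical_ids:
                        found.add(name)
            found |= references(value, logical_ids)
    elif isinstance(node, list):
        for value in node:
            found |= references(value, logical_ids)
    return found

def creation_order(resources):
    """An order in which CloudFormation may create the resources; a circular
    dependency raises graphlib.CycleError, which is a template error."""
    ids = set(resources)
    graph = {}
    for logical_id, body in resources.items():
        explicit = body.get("DependsOn", [])
        explicit = [explicit] if isinstance(explicit, str) else list(explicit)
        graph[logical_id] = set(explicit) | references(body.get("Properties", {}), ids)
    return list(TopologicalSorter(graph).static_order())

def ec2_with_creation_policy(logical_id, properties, depends_on=None, timeout="PT10M"):
    """EC2 instance that must send one success signal before CREATE_COMPLETE.
    cfn-init runs first; its exit status ($?) is handed to cfn-signal, so a
    failed install signals failure and the stack rolls back."""
    script = "\n".join([
        "#!/bin/bash -xe",
        f"/opt/aws/bin/cfn-init -v --stack ${{AWS::StackName}} "
        f"--resource {logical_id} --region ${{AWS::Region}}",
        f"/opt/aws/bin/cfn-signal -e $? --stack ${{AWS::StackName}} "
        f"--resource {logical_id} --region ${{AWS::Region}}",
    ])
    resource = {
        "Type": "AWS::EC2::Instance",
        "CreationPolicy": {"ResourceSignal": {"Count": "1", "Timeout": timeout}},
        "Properties": {**properties, "UserData": {"Fn::Base64": {"Fn::Sub": script}}},
    }
    if depends_on:
        resource["DependsOn"] = depends_on
    return resource

# Constructed Resources section: the subnet implicitly depends on the VPC, the
# instance implicitly on the subnet and explicitly on the gateway attachment.
RESOURCES = {
    "Vpc": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}},
    "Gateway": {"Type": "AWS::EC2::InternetGateway"},
    "Attach": {"Type": "AWS::EC2::VPCGatewayAttachment",
               "Properties": {"VpcId": {"Ref": "Vpc"}, "InternetGatewayId": {"Ref": "Gateway"}}},
    "Subnet": {"Type": "AWS::EC2::Subnet",
               "Properties": {"VpcId": {"Ref": "Vpc"},
                              "CidrBlock": {"Fn::Select": [0, {"Fn::Cidr": [
                                  {"Fn::GetAtt": ["Vpc", "CidrBlock"]}, 1, 8]}]}}},
    "WebServer": ec2_with_creation_policy(
        "WebServer", {"ImageId": "ami-EXAMPLE", "SubnetId": {"Ref": "Subnet"}},
        depends_on="Attach"),
}
```

creation_order(RESOURCES) always places Vpc before Subnet and Gateway and Attach before WebServer; the explicit DependsOn on Attach is the classic case where nothing in the instance's properties references the attachment, yet the instance needs internet access to reach the CloudFormation endpoint for cfn-signal.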

AWS CloudFormation StackSets extends the functionality of stacks by enabling you to create,
update, or delete stacks across multiple accounts and regions with a single operation. Using an
administrator account, you define and manage an AWS CloudFormation template, and use the
template as the basis for provisioning stacks into selected target accounts across specified
regions.
When you use StackSets, you work with stack sets, stack instances, and stacks.
An administrator account is the AWS account in which you create stack sets.
A target account is the account into which you create, update, or delete one or more stacks in
your stack set. Before you can use a stack set to create stacks in a target account, you must set
up a trust relationship between the administrator and target accounts.
A stack set lets you create stacks in AWS accounts across regions by using a single AWS
CloudFormation template.
A stack set is a regional resource. If you create a stack set in one region, you cannot see it or
change it in other regions.
A stack instance is a reference to a stack in a target account within a region. A stack instance
can exist without a stack; for example, if the stack could not be created for some reason, the
stack instance shows the reason for stack creation failure. A stack instance is associated with
only one stack set.
EBS:

Types:
GP2 (General Purpose) :
Size: 1 GB to 16 TB (16384 GB)
3 IOPS per GB allowed. 16000 max IOPS.
16000 IOPS for volumes greater than or equal to 5333 GB.
Min: 100 IOPS
Burst only happens when volume size is less than 1000 GB to a max of 3000 IOPS.

IO1 (Provisioned IOPS):
Fast and consistent performance.
Large databases – MongoDB, Cassandra, Oracle, etc.
Size: 4 GB to 16 TB
50 IOPS per GB allowed.
Min: 100 IOPS
Max: 64000 IOPS – Nitro instances
32000 IOPS – other instances

ST1:
Streaming workloads that require consistent, fast throughput at a low price.
Big data, data warehouses, log processing, Kafka.
Size: 500 GiB to 16 TiB
Max 500 IOPS.
Throughput: 40 MB/s per TB, max of 500 MB/s

SC1:
Large volumes that are infrequently accessed.
Lowest storage cost.
Size: 500 GiB to 16 TiB
Max 250 IOPS.
Throughput: 12 MB/s per TB, max of 250 MB/s

Use CloudWatch to monitor the IO credit balance.
BurstBalance is the CloudWatch metric for an EBS volume.

Throughput based on IOPS:

gp2:
Throughput in MB/s = (Volume size in GB) * (IOPS per GB) * (IO size in KB)
Max: 256 KB per IO operation on an EBS volume.
Max throughput: 250 MB/s

io1:
Throughput in MB/s = (Provisioned IOPS) * (IO size in KB)
i.e., Provisioned IOPS * 256 KB/s
Limit: 500 MB/s (32000 IOPS) and 1000 MB/s (64000 IOPS)
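The gp2 and io1 figures above only make sense once the floor, the cap, burst and the per-I/O size are combined. The following is an added example, not AWS's sizing calculator: it implements the formulas exactly as the notes state them (3 IOPS/GB floored at 100 and capped at 16000 for gp2, burst to 3000 below 1000 GB, 50 IOPS/GB for io1 with the 32000/64000 instance caps, 256 KB per I/O, 250/500/1000 MB/s throughput ceilings). The conversion of KB per second to MB/s divides by 1024, which is an assumption the notes leave implicit.

```python
IO_SIZE_KB = 256   # largest I/O EBS counts as a single operation (from the notes)

GP2 = {"iops_per_gb": 3, "min_iops": 100, "max_iops": 16000,
       "burst_iops": 3000, "burst_below_gb": 1000, "max_mbps": 250}
IO1 = {"iops_per_gb": 50, "min_iops": 100,
       "caps": {"nitro": (64000, 1000), "other": (32000, 500)}}   # (IOPS, MB/s)

def gp2_iops(size_gb):
    """Return (baseline, burst) IOPS for a gp2 volume of the given size.
    Baseline is 3 IOPS per GB, floored at 100 and capped at 16000; volumes
    under 1000 GB can burst to 3000 IOPS while they have I/O credits."""
    baseline = min(max(GP2["iops_per_gb"] * size_gb, GP2["min_iops"]), GP2["max_iops"])
    burst = GP2["burst_iops"] if size_gb < GP2["burst_below_gb"] else baseline
    return baseline, burst

def gp2_throughput_mbps(size_gb):
    """Baseline IOPS x 256 KB per I/O, converted to MB/s and capped at 250."""
    baseline, _ = gp2_iops(size_gb)
    return min(baseline * IO_SIZE_KB / 1024, GP2["max_mbps"])

def io1_iops(size_gb, provisioned_iops, nitro=True):
    """Effective IOPS: what you provisioned, limited to 50 per GB and the
    instance-family cap; anything under 100 is rejected."""
    if provisioned_iops < IO1["min_iops"]:
        raise ValueError("io1 volumes need at least 100 provisioned IOPS")
    cap, _ = IO1["caps"]["nitro" if nitro else "other"]
    return min(provisioned_iops, IO1["iops_per_gb"] * size_gb, cap)

def io1_throughput_mbps(size_gb, provisioned_iops, nitro=True):
    """Effective IOPS x 256 KB per I/O, capped at 1000 MB/s (Nitro) or 500 MB/s."""
    _, max_mbps = IO1["caps"]["nitro" if nitro else "other"]
    return min(io1_iops(size_gb, provisioned_iops, nitro) * IO_SIZE_KB / 1024, max_mbps)
```

A 100 GB gp2 volume therefore has a 300 IOPS baseline but bursts to 3000, and a 2000 GB io1 volume provisioned with 100000 IOPS is silently limited to 64000 (Nitro) or 32000 (other instances) by the instance, which is the kind of mismatch that shows up later as a DiskQueueDepth problem rather than a template error.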

Volume Resize:
EBS volumes can be modified while still being attached to an instance.
You can modify the type, size and IOPS.
You can only increase the size, but not decrease it.
The new resized volume is usable after it reaches Optimizing state.
You need to repartition the disk after resizing to utilize the new added space.
Data Lifecycle manager – Snapshot lifecycle policy for snapshot management.

SSD volumes are instance stores.
These are physically attached to the instance and so you lose data on stop or terminate.
They can be used for storing temp files and cache data. They have fast performance.
EBS volumes are network drives.

EFS – Network file system
Can span across AZs but within a region.
Pay per use.
Mounted on EC2.
Uses the NFSv4.1 protocol.
Security group to control access to EFS.
Compatible with Linux AMIs (not Windows).

S3:
Encryption:
SSE-S3: using keys managed by AWS.
Header: "x-amz-server-side-encryption": "AES256"
SSE-KMS: using keys managed by KMS.
Header: "x-amz-server-side-encryption": "aws:kms"
SSE-C: using keys managed by the customer.
HTTPS must be used.
AWS does not store the encryption keys.
AWS does the encryption.
Client-side encryption: clients encrypt and decrypt data by themselves and manage the keys.
Encryption in flight: called SSL/TLS.
Enable default encryption on a bucket to encrypt all objects.
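The encryption modes above are selected per request by a header, which makes them easy to audit from the request side. The following is an added example, not AWS code: it classifies a PUT by its server-side-encryption headers and reports the weak combinations the notes warn about (SSE-C over plain HTTP, no encryption in flight, and an object that would land unencrypted because neither the request nor the bucket's default encryption asks for SSE). The request dicts are constructed; the x-amz-server-side-encryption-customer-algorithm header is the real SSE-C header, used here only to detect that mode.

```python
SSE_HEADER = "x-amz-server-side-encryption"
SSE_C_HEADER = "x-amz-server-side-encryption-customer-algorithm"
MODES = {"AES256": "SSE-S3", "aws:kms": "SSE-KMS"}

def audit_put(request, bucket_default_sse=None):
    """Return (encryption mode, findings) for one PUT; empty findings = OK.
    `request` is a constructed dict {"scheme": "https"|"http", "headers": {...}};
    `bucket_default_sse` is the bucket's default encryption, e.g. "SSE-KMS"."""
    findings = []
    headers = {k.lower(): v for k, v in request["headers"].items()}
    if request["scheme"] != "https":
        findings.append("no encryption in flight: request is not over TLS")
    if SSE_C_HEADER in headers:
        mode = "SSE-C"
        if request["scheme"] != "https":
            # with SSE-C the customer-supplied key rides in the request headers
            findings.append("SSE-C key material sent over plain HTTP")
    else:
        value = headers.get(SSE_HEADER)
        mode = MODES.get(value)
        if value is not None and mode is None:
            findings.append(f"unknown {SSE_HEADER} value {value!r}")
        if mode is None:
            mode = bucket_default_sse       # bucket default encryption applies
        if mode is None:
            findings.append("object would be stored unencrypted: "
                            "no SSE header and no bucket default encryption")
    return mode, findings

def audit_batch(requests, bucket_default_sse=None):
    """Audit several requests; returns {index: (mode, findings)}."""
    return {i: audit_put(r, bucket_default_sse) for i, r in enumerate(requests)}

# Constructed sample requests covering each mode plus the two weak cases.
SAMPLE_REQUESTS = [
    {"scheme": "https", "headers": {SSE_HEADER: "aws:kms"}},
    {"scheme": "https", "headers": {SSE_HEADER: "AES256"}},
    {"scheme": "http", "headers": {SSE_C_HEADER: "AES256"}},
    {"scheme": "https", "headers": {}},
]
```

Running audit_batch(SAMPLE_REQUESTS) flags the third and fourth requests; running it again with bucket_default_sse="SSE-S3" clears the fourth, which is the effect of enabling default encryption on the bucket.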

S3 bucket URL:
<Bucketname>.s3-website-<AWS-Region>.amazonaws.com
or
<Bucketname>.s3-website.<AWS-Region>.amazonaws.com
If you want to request data from another S3 bucket, you need to enable CORS.
CORS allows you to limit the number of websites that can access your files.

Consistency model:
1) Read after write consistency for new object PUTS.
2) Eventual consistency for PUTS and DELETES on existing objects.

To pre-sign a URL, set the default signature version to s3v4, which makes the resulting URL format
compatible with KMS-encrypted objects:
aws configure set default.s3.signature_version s3v4

Cloudfront access logs: logs every access request to cloudfront into a logging s3 bucket.

Glacier archives (objects) can be up to 40 TB in size.
Archives are stored in vaults (like buckets).
Retrieval:
Expedited – 1 to 5 minutes
To allow expedited retrieval you need to purchase capacity units.
Standard – 3 to 5 hours
Bulk – 5 to 12 hours
Vault – one access policy and one lock policy.
Lock policy is immutable.
For regulatory and compliance requirements.
Using a lock policy, we can implement a WORM (write once read many) policy on the archive, so
that once written, it cannot be tampered with.

Snowball:
Physical solution to move TBs or PBs of data in and out of AWS.
Secure – KMS 256-bit encryption.
Tracking using SNS and text messages.
E-ink enabled.
If it takes more than a week to transfer the data over a network, use Snowball.
Snowmobile:
Each Snowmobile (a truck) has 100 PB of capacity.
1 EB = 1000 PB = 1,000,000 TB
Better than Snowball if you transfer more than 10 PB.

File Gateway uses the NFS or SMB protocol. – S3
Volume Gateway uses the iSCSI protocol. – EBS
Cached volume and stored volume.
Tape Gateway is used for physical tapes – Virtual Tape Library backed by S3 and Glacier.
Uses the iSCSI interface – backup over iSCSI.

S3 cross-region replication is asynchronous.

You can include custom information in the access log record for a request by adding a custom
query-string parameter to the URL for the request.
Amazon S3 ignores query-string parameters that start with "x-" but includes these parameters
in access log records.
Apache Parquet and ORC are columnar storage formats that are optimized for fast retrieval of
data and are used in analytical applications.
By partitioning data, you can restrict the amount of data scanned by a query, thereby reducing
cost and improving performance.
CloudHSM provides single-tenant key storage and supports asymmetric keys such as RSA and ECC.
RDS:
Up to 5 read replicas (read scaling).
Read replicas can be in the same AZ, cross-AZ or cross-region.
Replication is async, i.e. it is eventually consistent.
Replicas can be promoted to their own database manually.
The application should update its connection strings to use read replicas.
Read replicas are not supported for Oracle.
You can have read replicas of read replicas.
Multi AZ:
Replication is sync.
Automatic failover from master to standby.
Highly available.
Only for disaster recovery.

Automated backups are enabled by default in RDS.
Point-in-time restoration.
7 days retention (can be increased to 35).

Encryption:
At rest with AWS KMS – AES 256 encryption
SSL certificates for encryption in flight.
To enforce SSL:
Postgresql/SQL Server: rds.force_ssl=1 – parameter groups
MySQL/MariaDb:
Within db – run the following query
GRANT USAGE on *.* to ‘mysqluser’@’%’ require ssl;

To log in to RDS for MySQL/Aurora, IAM users can now be used.

Aurora:
Supports PostgreSQL and MySQL.
5x performance improvement over MySQL and 3x over PostgreSQL.
Aurora storage grows in increments of 10 GB up to 64 TB (it is auto-expanding).
Can have 15 read replicas (MySQL has only 5).
Failover is instantaneous. Highly available.
Costs more.
6 copies of your data across 3 AZs.
It needs 4 copies out of 6 for writes,
and 3 copies out of 6 for reads.
Storage is striped across 100s of volumes in the backend.
Automated failover in less than 30 secs.

Aurora DB Cluster:
Writer endpoint points to the master.
Autoscaling on read replicas from 1 to 15.
Reader endpoint to read replicas using connection load balancing.
Backtrack: restore to a point in time without backups.
Authentication using IAM.

Aurora Serverless:
Need not choose an instance type.
Only supports MySQL 5.6 and PostgreSQL (beta).
Can migrate from an Aurora cluster to serverless and vice versa.
Usage is measured in Aurora Capacity Units (like DynamoDB).
Billed in 5-minute usage of ACUs.

DB Parameter group:
Configure the DB engine using parameter groups.
Dynamic parameters are applied immediately.
Static parameters are applied on instance reboot.

Backups happen during maintenance windows.
They help in point-in-time restoration.
When you delete a database, you retain (0 to 35 days) automated backups.

Snapshots require IO and stop the database for seconds to minutes.
They are incremental.

Encryption at rest can be enabled only when you first create an RDS instance.
RDS Cloudwatch Metrics:
freeStoragespace
read/write iops
Database connections
Swapusage
Read/write latency
Read/write throughput
Diskqueuedepth
Enhanced monitoring gets the details from an agent run on the DB instance.
Granularity is from 1 sec to 60 secs.
Gets more and specific details from the db instance.

Performance Insights:
To visualize database performance and analyze any issue affecting it.
Filter the load using these:
By Waits > find the resource that is the bottleneck (CPU, IO, etc)
By SQL Query> which sql query is causing performance bottleneck.
By Hosts> which server is using most of the db.
By user > which user is using most of the database.

ElastiCache:
Managed redis or MemCached.
In-memory databases with high perf and low latency.
Helps make application stateless.
Write scaling using sharding.
Use case:
To relieve load off databases.
User Session store.

Redis – in-memory key-value store.
Sub-ms latency.
Cache survives reboot (persistence).
For: leaderboards (gaming), user sessions, distributed state, pub/sub for messaging.
Cluster mode enabled.

Memcached: object store.
Doesn't survive reboots.
Use case: quick retrieval of objects from memory, caching often-accessed objects.

Elastic BeanStalk:
Managed service:
Instance configuration/OS managed by BS
Deployment is performed by BS.
Application code is just the responsibility of developer.

Three deployment strategies:
1) Single instance deployment: good for dev.
2) LB + ASG: good for prod or pre-prod.
3) ASG only: non-web apps (workers only).
Three components:
1) Application
2) Application version
3) Environment
Can promote app version to next env or Rollback to previous app version.
Full control on lifecycle of envs.
Supports almost all platforms.
Deployment Options:
1) All at once – fastest, but needs a bit of downtime.
2) Rolling – update a few instances at a time (a bucket) and then move on to the next bucket
once the first is healthy.
3) Rolling with additional batches – like rolling, but spins up new instances to move the
batch (the old app is still available).
4) Immutable – spins up new instances in a new ASG, deploys the version and then swaps all
instances when everything is healthy.
5) Blue/green – zero downtime; create a new environment and deploy v2 there. It can be validated
independently and rolled back in case of any issue. Route 53 can be used with weighted
routing to route a part of the traffic to the new stage, then swap URLs.

Cloudwatch:
EC2 detailed monitoring:
Normally we get metrics every 5 mins.
With detailed monitoring, we get metric details every 1 minute at extra cost.
AWS free tier allows for 10 detailed metrics.
Custom metrics:
10 dimensions per metric are allowed.
Default resolution: 1 min
High resolution metric – 1 sec
To send metric data to CloudWatch, you use the PutMetricData API call.
Use exponential backoff in case of throttling errors.
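The custom-metric notes above list three constraints (10 dimensions per metric, 1 s or 60 s resolution, and exponential backoff when PutMetricData is throttled). The following is an added example, not AWS SDK code: the real call is boto3's cloudwatch.put_metric_data with the same Namespace/MetricData keyword arguments, but here a constructed FakeCloudWatch stands in for the client and throttles a set number of calls so the retry loop runs offline. ThrottlingError is a stand-in for botocore's ClientError with the "Throttling" code; the metric data and namespace are made up.

```python
import random
import time

MAX_DIMENSIONS = 10            # per-metric limit from the notes
RESOLUTIONS = {1, 60}          # high-resolution (1 s) or standard (60 s)

class ThrottlingError(Exception):
    """Stand-in for botocore's ClientError with error code 'Throttling'."""

def validate_metric_data(metric_data):
    """Reject data CloudWatch would refuse: too many dimensions, bad resolution."""
    for datum in metric_data:
        dims = datum.get("Dimensions", [])
        if len(dims) > MAX_DIMENSIONS:
            raise ValueError(f"{datum['MetricName']}: {len(dims)} dimensions, "
                             f"max is {MAX_DIMENSIONS}")
        if datum.get("StorageResolution", 60) not in RESOLUTIONS:
            raise ValueError(f"{datum['MetricName']}: StorageResolution must be 1 or 60")
    return True

def put_metric_with_backoff(client, namespace, metric_data, max_attempts=5,
                            base_delay=0.1, cap=2.0, sleep=time.sleep, rng=random.random):
    """Call PutMetricData, retrying on throttling with full-jitter exponential
    backoff: sleep a random amount up to min(cap, base_delay * 2**attempt).
    Returns (attempts used, delays slept); re-raises once attempts run out."""
    validate_metric_data(metric_data)
    delays = []
    for attempt in range(max_attempts):
        try:
            client.put_metric_data(Namespace=namespace, MetricData=metric_data)
            return attempt + 1, delays
        except ThrottlingError:
            if attempt == max_attempts - 1:
                raise
            delay = rng() * min(cap, base_delay * 2 ** attempt)
            delays.append(delay)
            sleep(delay)

class FakeCloudWatch:
    """Constructed stand-in for the boto3 CloudWatch client: throttles the
    first `failures` calls, then accepts."""
    def __init__(self, failures):
        self.failures = failures
        self.calls = []

    def put_metric_data(self, **kwargs):
        self.calls.append(kwargs)
        if len(self.calls) <= self.failures:
            raise ThrottlingError("Rate exceeded")
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}

# Constructed custom metrics: one standard-resolution, one high-resolution datum.
METRIC_DATA = [
    {"MetricName": "LoginFailures", "Value": 3, "Unit": "Count",
     "Dimensions": [{"Name": "Service", "Value": "auth"}]},
    {"MetricName": "QueueDepth", "Value": 12, "Unit": "Count", "StorageResolution": 1,
     "Dimensions": [{"Name": "Service", "Value": "worker"}]},
]
```

The sleep and rng parameters exist so the backoff schedule can be checked deterministically; in production leave the defaults, since the jitter is what stops a fleet of instances retrying in lockstep after a throttling burst.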

Cloudwatch dashboards:
Quick access to key metrics.
Dashboards are global; you can access a dashboard in any region.
Dashboards can include graphs from different regions.
Can change the time zone and time range of dashboards.
Can set up automatic refresh.
3 dashboards (up to 50 metrics) are free.
$3/dashboard/month afterwards.

Cloudwatch alarms:
Status: OK, Insufficient_data, Alarm
Targets:
1) Stop, terminate, recover, reboot an EC2 instance.
2) Trigger an autoscaling action.
3) Send a notification to SNS.
Cloudwatch Events:
Source + rule → Target
Schedule: cron jobs
Event patterns
Triggers to Lambda functions, SQS/SNS/Kinesis

Config:
Auditing and compliance of AWS resources.
Provides inventory of resources and history of conf changes to these resources.
Helps record conf and changes over time.
Record compliance over time.
Can store config data in s3.
Questions:
1) Is there an unrestricted ssh access to my security groups?
2) Do my buckets have any public access?
3) Has my alb conf changed over time?
Can receive alerts(SNS notifications) for any changes.
Per-region service, but can be aggregated across regions and accounts.
Config rules:
1) AWS managed (more than 75).
2) Custom (must be defined in AWS Lambda).
Rules can be evaluated/triggered:
1) For each config change.
2) At regular intervals.
Can see:
Compliance of a resource over time
Configuration of a resource over time
Cloudtrail api calls, if enabled.
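The first question in the Config section above ("Is there unrestricted SSH access in my security groups?") is what a custom Config rule answers. The following is an added example, not one of the AWS managed rules: the evaluation logic for an AWS::EC2::SecurityGroup configuration item, plus the Lambda entry point Config would invoke. The configuration-item shape (resourceType, resourceId, configurationItemCaptureTime, and ipPermissions entries with ipProtocol, fromPort, toPort, ipRanges and ipv6Ranges) follows what Config records for security groups, and the evaluation fields returned are those put_evaluations expects; the sample event and the sg-EXAMPLE identifier are constructed. A real deployment would pass the returned evaluation to the Config client's put_evaluations call with the event's resultToken, which is left out so the code runs offline.

```python
import json

ANYWHERE = {"0.0.0.0/0", "::/0"}

def rule_covers_port(rule, port):
    """True if an inbound permission entry includes TCP `port`."""
    proto = rule.get("ipProtocol")
    if proto == "-1":                      # all protocols, all ports
        return True
    if proto != "tcp":
        return False
    low = rule.get("fromPort", 0)
    high = rule.get("toPort", 65535)
    return low <= port <= high

def open_to_world(rule):
    """True if any IPv4 or IPv6 range on the entry is the whole internet."""
    cidrs = {r.get("cidrIp") for r in rule.get("ipRanges", [])}
    cidrs |= {r.get("cidrIpv6") for r in rule.get("ipv6Ranges", [])}
    return bool(cidrs & ANYWHERE)

def evaluate_security_group(configuration, port=22):
    """Return (compliance type, annotation) for one security group configuration."""
    for rule in configuration.get("ipPermissions", []):
        if rule_covers_port(rule, port) and open_to_world(rule):
            return "NON_COMPLIANT", f"inbound TCP port {port} is open to 0.0.0.0/0 or ::/0"
    return "COMPLIANT", f"no inbound rule exposes TCP port {port} to the world"

def lambda_handler(event, context):
    """Config invokes the rule with the configuration item as a JSON string
    under invokingEvent; returns the evaluation for that item."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        return {"ComplianceType": "NOT_APPLICABLE"}
    compliance, reason = evaluate_security_group(item["configuration"])
    return {"ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance,
            "Annotation": reason,
            "OrderingTimestamp": item["configurationItemCaptureTime"]}

# Constructed sample event: a security group with SSH open to the internet.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({"configurationItem": {
        "resourceType": "AWS::EC2::SecurityGroup",
        "resourceId": "sg-EXAMPLE",
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "configuration": {"ipPermissions": [
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
        ]},
    }}),
}
```

The port-range check matters: a rule for TCP 0-1024 or for all traffic (ipProtocol "-1") exposes SSH just as much as an explicit port 22 rule, and a naive comparison on fromPort == 22 would miss both.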

Cost Explorer:
Cost Explorer needs to be enabled; you can then check the details after 24 hrs.
It also gives you a reservation summary and recommendations on reserved instances for:
EC2
RDS
Redshift
ElastiCache
Elasticsearch
Reservation utilization and coverage in Cost Explorer.

AWS Budgets:
Can send alarms when usage exceeds the budget.
Types of budget: usage, cost and reservation.

For tags to show up in the cost report, they must be named cost allocation tags.
They will be shown as columns in reports.
AWS-defined cost allocation tags – start with the prefix "aws:"
- need to activate them
- will not be applied to resources used before activation
- can only be seen in the Billing and Cost Management console, not in the general AWS console or
even the tag editor.
User-defined – start with the prefix "user:"
