BAB 1

Cloud Computing
Cloud computing is the on-demand delivery of IT resources over the internet with pay-as-
you-go pricing

Client Server Model

In computing, a client can be a web browser or desktop application that a person interacts

with to make requests to computer servers. A server can be services, such as Amazon Elastic

Compute Cloud (Amazon EC2) – a type of virtual server.

For example, suppose that a client makes a request for a news article, the score in an online
game, or a funny video. The server evaluates the details of this request and fulfills it by
returning the information to the client.

Deployment models for cloud computing

When selecting a cloud strategy, a company must consider factors such as required cloud
application components, preferred resource management tools, and any legacy IT
infrastructure requirements.

The three cloud computing deployment models are cloud-based, on-premises, and hybrid.

To learn more about deployment models, choose each of the following three tabs.

a. Cloud Based Deployment

• Run all parts of the application in the cloud.

• Migrate existing applications to the cloud.
• Design and build new applications in the cloud.

In a cloud-based deployment model, you can migrate existing applications to the

cloud, or you can design and build new applications in the cloud. You can build those
applications on low-level infrastructure that requires your IT staff to manage them.
Alternatively, you can build them using higher-level services that reduce the
management, architecting, and scaling requirements of the core infrastructure.

For example, a company might create an application consisting of virtual servers,

databases, and networking components that are fully based in the cloud.

b. On-premises deployment
 • Deploy resources by using virtualization and resource management tools.
• Increase resource utilization by using application management and
virtualization technologies.

On-premises deployment is also known as a private cloud deployment. In this

model, resources are deployed on premises by using virtualization and resource
management tools.

For example, you might have applications that run on technology that is fully kept in
your on-premises data center. Though this model is much like legacy IT
infrastructure, its incorporation of application management and virtualization
technologies helps to increase resource utilization.

c. Hybrid Deployment

• Connect cloud-based resources to on-premises infrastructure.

• Integrate cloud-based resources with legacy IT applications.

In a hybrid deployment, cloud-based resources are connected to on-premises

infrastructure. You might want to use this approach in a number of situations. For
example, you have legacy applications that are better maintained on premises, or
government regulations require your business to keep certain records on premises.

For example, suppose that a company wants to use cloud services that can automate
batch data processing and analytics. However, the company has several legacy
applications that are more suitable on premises and will not be migrated to the cloud.
With a hybrid deployment, the company would be able to keep the legacy
applications on premises while benefiting from the data and analytics services that run
in the cloud.

Benefit Cloud Computing

• Trade upfront expense for variable expense
Upfront expense refers to data centers, physical servers, and other resources that you
would need to invest in before using them. Variable expense means you only pay for
computing resources you consume instead of investing heavily in data centers and
servers before you know how you’re going to use them.
By taking a cloud computing approach that offers the benefit of variable expense,
companies can implement innovative solutions while saving on costs.

• Stop spending money to run and maintain data centers

Computing in data centers often requires you to spend more money and time
managing infrastructure and servers.
A benefit of cloud computing is the ability to focus less on these tasks and more on
your applications and customers.
• Stop guessing capacity
With cloud computing, you don’t have to predict how much infrastructure capacity
you will need before deploying an application.
For example, you can launch Amazon EC2 instances when needed, and pay only for
the compute time you use. Instead of paying for unused resources or having to deal
with limited capacity, you can access only the capacity that you need. You can also
scale in or scale out in response to demand.

• Benefit from massive economies of scale

By using cloud computing, you can achieve a lower variable cost than you can get on
your own.
Because usage from hundreds of thousands of customers can aggregate in the cloud,
providers, such as AWS, can achieve higher economies of scale. The economy of
scale translates into lower pay-as-you-go prices.

• Increase speed and agility

The flexibility of cloud computing makes it easier for you to develop and deploy
applications.
This flexibility provides you with more time to experiment and innovate. When
computing in data centers, it may take weeks to obtain new resources that you need.
By comparison, cloud computing enables you to access new resources within minutes.

• Go global in minutes
The global footprint of the AWS Cloud enables you to deploy applications to
customers around the world quickly, while providing them with low latency. This
means that even if you are located in a different part of the world than your
customers, customers are able to access your applications with minimal delays.
Later in this course, you will explore the AWS global infrastructure in greater detail.
You will examine some of the services that you can use to deliver content to
customers around the world.
BAB 2
Amazon EC2 instance types
When selecting an instance type, consider the specific needs of your workloads and
applications. This might include requirements for compute, memory, or storage
capabilities.

• General purpose instances

Amazon EC2 instance type balances compute, memory, and networking resources
provide a balance of compute, memory, and networking resources. You can use them
for a variety of workloads, such as:
• application servers
• gaming servers
• backend servers for enterprise applications
• small and medium databases

Suppose that you have an application in which the resource needs for compute,
memory, and networking are roughly equivalent. You might consider running it on a
general purpose instance because the application does not require optimization in any
single resource area.

• Compute optimized instances

Amazon EC2 instance type Amazon EC2 instance for a batch processing workload,
offers high-performance processors
are ideal for compute-bound applications that benefit from high-performance
processors. Like general purpose instances, you can use compute optimized instances
for workloads such as web, application, and gaming servers.
However, the difference is compute optimized applications are ideal for high-
performance web servers, compute-intensive applications servers, and dedicated
gaming servers. You can also use compute optimized instances for batch processing
workloads that require processing many transactions in a single group.

• Memory optimized instances

Amazon EC2 instance type is ideal for high-performance databases
are designed to deliver fast performance for workloads that process large datasets in
memory. In computing, memory is a temporary storage area. It holds all the data and
instructions that a central processing unit (CPU) needs to be able to complete actions.
Before a computer program or application is able to run, it is loaded from storage into
memory. This preloading process gives the CPU direct access to the computer
program.
Suppose that you have a workload that requires large amounts of data to be preloaded
before running an application. This scenario might be a high-performance database or
a workload that involves performing real-time processing of a large amount of
unstructured data. In these types of use cases, consider using a memory optimized
instance. Memory optimized instances enable you to run workloads with high
memory needs and receive great performance.
• Accelerated computing instances
use hardware accelerators, or coprocessors, to perform some functions more
efficiently than is possible in software running on CPUs. Examples of these functions
include floating-point number calculations, graphics processing, and data pattern
matching.
In computing, a hardware accelerator is a component that can expedite data
processing. Accelerated computing instances are ideal for workloads such as graphics
applications, game streaming, and application streaming.

• Storage optimized instances

Amazon EC2 instance type is suitable for data warehousing applications
are designed for workloads that require high, sequential read and write access to large
datasets on local storage. Examples of workloads suitable for storage optimized
instances include distributed file systems, data warehousing applications, and high-
frequency online transaction processing (OLTP) systems.
In computing, the term input/output operations per second (IOPS) is a metric that
measures the performance of a storage device. It indicates how many different input
or output operations a device can perform in one second. Storage optimized instances
are designed to deliver tens of thousands of low-latency, random IOPS to
applications.
You can think of input operations as data put into a system, such as records entered
into a database. An output operation is data generated by a server. An example of
output might be the analytics performed on the records in a database. If you have an
application that has a high IOPS requirement, a storage optimized instance can
provide better performance over other instance types not optimized for this kind of
use case.
Amazon EC2 pricing
With Amazon EC2, you pay only for the compute time that you use. Amazon EC2 offers a
variety of pricing options for different use cases. For example, if your use case can withstand
interruptions, you can save with Spot Instances. You can also save by committing early and
locking in a minimum level of use with Reserved Instances.

• On-Demand Instances
are ideal for short-term, irregular workloads that cannot be interrupted. No
upfront costs or minimum contracts apply. The instances run continuously until
you stop them, and you pay for only the compute time you use.
Sample use cases for On-Demand Instances include developing and testing
applications and running applications that have unpredictable usage patterns.
On-Demand Instances are not recommended for workloads that last a year or
longer because these workloads can experience greater cost savings using
Reserved Instances.

• Reserved Instances are a billing discount applied to the use of On-Demand

Instances in your account. There are two available types of Reserved Instances:
• Standard Reserved Instances
• Convertible Reserved Instances

You can purchase Standard Reserved and Convertible Reserved Instances for a
1-year or 3-year term. You realize greater cost savings with the 3-year option.

• Standard Reserved Instances: Amazon EC2 pricing option provides a discount

when you specify a number of EC2 instances to run a specific OS, instance family
and size, and tenancy in one Region. This option is a good fit if you know the EC2
instance type and size you need for your steady-state applications and in which
AWS Region you plan to run them. Reserved Instances require you to state the
following qualifications:
• Instance type and size: For example, m5.xlarge
• Platform description (operating system): For example, Microsoft
Windows Server or Red Hat Enterprise Linux
• Tenancy: Default tenancy or dedicated tenancy

You have the option to specify an Availability Zone for your EC2 Reserved
Instances. If you make this specification, you get EC2 capacity reservation. This
ensures that your desired amount of EC2 instances will be available when you
need them.

• Convertible Reserved Instances: If you need to run your EC2 instances in

different Availability Zones or different instance types, then Convertible
Reserved Instances might be right for you. Note: You trade in a deeper discount
when you require flexibility to run your EC2 instances.
At the end of a Reserved Instance term, you can continue using the Amazon EC2
instance without interruption. However, you are charged On-Demand rates until
you do one of the following:
• Terminate the instance.
 • Purchase a new Reserved Instance that matches the instance attributes
(instance family and size, Region, platform, and tenancy).

• Spot Instances
are ideal for workloads with flexible start and end times, or that can withstand
interruptions. Spot Instances use minimum contract length, unused Amazon EC2
computing capacity and offer you cost savings at up to 90% off of On-Demand
prices.
Suppose that you have a background processing job that can start and stop as
needed (such as the data processing job for a customer survey). You want to
start and stop the processing job without affecting the overall operations of your
business. If you make a Spot request and Amazon EC2 capacity is available, your
Spot Instance launches. However, if you make a Spot request and Amazon EC2
capacity is unavailable, the request is not successful until capacity becomes
available. The unavailable capacity might delay the launch of your background
processing job.

After you have launched a Spot Instance, if capacity is no longer available or

demand for Spot Instances increases, your instance may be interrupted. This
might not pose any issues for your background processing job. However, in the
earlier example of developing and testing applications, you would most likely
want to avoid unexpected interruptions. Therefore, choose a different EC2
instance type that is ideal for those tasks

• EC2 Instance Savings Plans

Amazon EC2 pricing option provides a discount when you make an hourly spend
commitment to an instance family and Region for a 1-year or 3-year term. reduce
your EC2 instance costs when you make an hourly spend commitment to an
instance family and Region for a 1-year or 3-year term. This term commitment
results in savings of up to 72 percent compared to On-Demand rates. Any usage
up to the commitment is charged at the discounted Savings Plans rate (for
example, $10 per hour). Any usage beyond the commitment is charged at regular
On-Demand rates.
The EC2 Instance Savings Plans are a good option if you need flexibility in your
Amazon EC2 usage over the duration of the commitment term. You have the
benefit of saving costs on running any EC2 instance within an EC2 instance
family in a chosen Region (for example, M5 usage in N. Virginia) regardless of
Availability Zone, instance size, OS, or tenancy. The savings with EC2 Instance
Savings Plans are similar to the savings provided by Standard Reserved
Instances.
Unlike Reserved Instances, however, you don't need to specify up front what EC2
instance type and size (for example, m5.xlarge), OS, and tenancy to get a
discount. Further, you don't need to commit to a certain number of EC2 instances
over a 1-year or 3-year term. Additionally, the EC2 Instance Savings Plans don't
include an EC2 capacity reservation option.
Later in this course, you'll review AWS Cost Explorer, which you can use to
visualize, understand, and manage your AWS costs and usage over time. If you're
considering your options for Savings Plans, you can use AWS Cost Explorer to
analyze your Amazon EC2 usage over the past 7, 30, or 60 days. AWS Cost
 Explorer also provides customized recommendations for Savings Plans. These
recommendations estimate how much you could save on your monthly Amazon
EC2 costs, based on previous Amazon EC2 usage and the hourly commitment
amount in a 1-year or 3-year Savings Plan.

• Dedicated Hosts
are physical servers with Amazon EC2 instance capacity that is fully dedicated to
your use.
You can use your existing per-socket, per-core, or per-VM software licenses to
help maintain license compliance. You can purchase On-Demand Dedicated
Hosts and Dedicated Hosts Reservations. Of all the Amazon EC2 options that
were covered, Dedicated Hosts are the most expensive.
Scalability
involves beginning with only the resources you need and designing your architecture
to automatically respond to changing demand by scaling out or in. As a result, you pay
for only the resources you use. You don’t have to worry about a lack of computing
capacity to meet your customers’ needs.

If you wanted the scaling process to happen automatically, which AWS service would
you use? The AWS service that provides this functionality for Amazon EC2 instances
is Amazon EC2 Auto Scaling.
Next, you can set the desired capacity at two Amazon EC2 instances even though your
application needs a minimum of a single Amazon EC2 instance to run.

If you do not specify the desired number of Amazon EC2 instances in an Auto
Scaling group, the desired capacity defaults to your minimum capacity.

The third configuration that you can set in an Auto Scaling group is the maximum capacity.
For example, you might configure the Auto Scaling group to scale out in response to
increased demand, but only to a maximum of four Amazon EC2 instances.

Because Amazon EC2 Auto Scaling uses Amazon EC2 instances, you pay for only the
instances you use, when you use them. You now have a cost-effective architecture that
provides the best customer experience while reducing expenses.
Elastic Load Balancing
Load balancer is an application that takes in requests and routes them to the instances
to be processed

Elastic Load Balancing is the AWS service that automatically distributes incoming
application traffic across multiple resources, such as Amazon EC2 instances. Elastic Load
Balancing is the AWS service that automatically distributes incoming application traffic
across multiple resources, such as Amazon EC2 instances. This helps to ensure that no single
resource becomes overutilized.

A load balancer acts as a single point of contact for all incoming web traffic to your Auto
Scaling group. This means that as you add or remove Amazon EC2 instances in response to
the amount of incoming traffic, these requests route to the load balancer first. Then, the
requests spread across multiple resources that will handle them. For example, if you have
multiple Amazon EC2 instances, Elastic Load Balancing distributes the workload across the
multiple instances so that no single instance has to carry the bulk of it.

Although Elastic Load Balancing and Amazon EC2 Auto Scaling are separate services, they
work together to help ensure that applications running in Amazon EC2 can provide high
performance and availability.
Mesagging & Queuing
Idea of placing messages into a buffer is called messaging and queuing. Just as our
cashier sends orders to the barista, applications send messages to each other to communicate.
If applications communicate directly like our cashier and barista previously, this is called
being tightly coupled.

• Tightly coupled architecture

is where if a single component fails or changes, it causes issues for other components
or even the whole system. For example, if we have Application A and it is sending
messages directly to Application B, if Application B has a failure and cannot accept
those messages, Application A will begin to see errors as well. This is a tightly
coupled architecture.

• Architecture is loosely coupled.

This is an architecture where if one component fails, it is isolated and therefore won't
cause cascading failures throughout the whole system. If we coded the application to
use a more loosely coupled architecture, it could look as follows.
This is loosely coupled. This is what we strive to achieve with architectures on AWS.
And this brings me to two AWS services that can assist in this regard. Amazon
Simple Queue Service or SQS and Amazon Simple Notification Service or SNS.
Additional Compute Service
Serverless means that you cannot actually see or access the underlying infrastructure or
instances that are hosting your application. Instead, all the management of the
underlying environment from a provisioning, scaling, high availability, and maintenance
perspective are taken care of for you. All you need to do is focus on your application and
the rest is taken care of.

• AWS Lambda
is a service that lets you run code without needing to provision or manage
servers. While using AWS Lambda, you pay only for the compute time that you
consume. Charges apply only when your code is running. You can also run code for
virtually any type of application or backend service, all with zero administration. For
example, a simple Lambda function might involve automatically resizing uploaded
images to the AWS Cloud. In this case, the function triggers when uploading a new
image.
 AWS Lambda is one serverless compute option. Lambda's a service that allows
you to upload your code into what's called a Lambda function. Configure a
trigger and from there, the service waits for the trigger. When the trigger is
detected, the code is automatically run in a managed environment, an
environment you do not need to worry too much about because it is
automatically scalable, highly available and all of the maintenance in the
environment itself is done by AWS. If you have one or 1,000 incoming triggers,
Lambda will scale your function to meet demand. Lambda is designed to run
code under 15 minutes so this isn't for long running processes like deep learning.
It's more suited for quick processing like a web backend, handling requests or a
backend expense report processing service where each invocation takes less
than 15 minutes to complete.

Containers provide you with a standard way to package your application's code and
dependencies into a single object. You can also use containers for processes and workflows
in which there are essential requirements for security, reliability, and scalability.
AWS container services like:
• Amazon Elastic Container Service, otherwise known as ECS.
is a highly scalable, high-performance container management system that enables you
to run and scale containerized applications on AWS. Amazon ECS supports Docker
containers. Docker(opens in a new tab) is a software platform that enables you to
build, test, and deploy applications quickly. AWS supports the use of open-source
Docker Community Edition and subscription-based Docker Enterprise Edition. With
Amazon ECS, you can use API calls to launch and stop Docker-enabled applications.

• Amazon Elastic Kubernetes Service, otherwise known as EKS.

is a fully managed service that you can use to run Kubernetes on AWS.
Kubernetes(opens in a new tab) is open-source software that enables you to deploy
and manage containerized applications at scale. A large community of volunteers
maintains Kubernetes, and AWS actively works together with the Kubernetes
community. As new features and functionalities release for Kubernetes applications,
you can easily apply these updates to your applications managed by Amazon EKS.

Both of these services are container orchestration tools, but before I get too far here, a
container in this case is a Docker container. Docker is a widely used platform that uses
operating system level virtualization to deliver software in containers. Now a container
is a package for your code where you package up your application, its dependencies as
well as any configurations that it needs to run. These containers run on top of EC2
instances and run in isolation from each other similar to how virtual machines work.
But in this case, the host is an EC2 instance. When you use Docker containers on AWS,
you need processes to start, stop, restart, and monitor containers running across not
just one EC2 instance, but a number of them together which is called a cluster.

• AWS Fargate
Is a serverless compute engine for containers. It works with both Amazon ECS and
Amazon EKS.
When using AWS Fargate, you do not need to provision or manage servers. AWS
Fargate manages your server infrastructure for you. You can focus more on
innovating and developing your applications, and you pay only for the resources that
are required to run your containers.

Container Summary:
• If you are trying to host traditional applications and want full access to the underlying
operating system like Linux or Windows, you are going to want to use EC2.
• If you are looking to host short running functions, service-oriented or event driven
applications and you don't want to manage the underlying environment at all, look
into the serverless AWS Lambda.
• If you are looking to run Docker container-based workloads on AWS, you first need
to choose your orchestration tool
BAB 3
Selecting Region
Regions are geographically isolated areas, where you can access services needed to run your
enterprise
• Compliance with data governance and legal requirements – Depending on your
company and location, you might need to run your data out of specific areas. For
example, if your company requires all of its data to reside within the boundaries of the
UK, you would choose the London Region. Not all companies have location-specific
data regulations, so you might need to focus more on the other three factors.
• Proximity to your customers – Selecting a Region that is close to your customers will
help you to get content to them faster. For example, your company is based in
Washington, DC, and many of your customers live in Singapore. You might consider
running your infrastructure in the Northern Virginia Region to be close to company
headquarters, and run your applications from the Singapore Region.
• Available services within a Region – Sometimes, the closest Region might not have
all the features that you want to offer to customers. AWS is frequently innovating by
creating new services and expanding on features within existing services. However,
making new services available around the world sometimes requires AWS to build out
physical hardware one Region at a time. Suppose that your developers want to build an
application that uses Amazon Braket (AWS quantum computing platform). As of this
course, Amazon Braket is not yet available in every AWS Region around the world, so
your developers would have to run it in one of the Regions that already offers it.
• Pricing – Suppose that you are considering running applications in both the United
States and Brazil. The way Brazil’s tax structure is set up, it might cost 50% more to
run the same workload out of the São Paulo Region compared to the Oregon Region.
You will learn in more detail that several factors determine pricing, but for now know
that the cost of services can vary from Region to Region.
Availability Zone
is a single data center or a group of data centers within a Region. Availability Zones are
located tens of miles apart from each other. This is close enough to have low latency (the time
between when content requested and received) between Availability Zones. However, if a
disaster occurs in one part of the Region, they are distant enough to reduce the chance that
multiple Availability Zones are affected.

Edge Location
An edge location is a site that Amazon CloudFront uses to store cached copies of your content
closer to your customers for faster delivery

CDN & DNS

Caching copies of data closer to the customers all around the world uses the concept of
content delivery networks, or CDNs. CDNs are commonly used, and on AWS, we call our
CDN Amazon CloudFront. Amazon CloudFront is a service that helps deliver data, video,
applications, and APIs to customers around the world with low latency and high transfer
speeds(A global content delivery service). Amazon CloudFront uses what are called Edge
locations, all around the world, to help accelerate communication with users, no matter where
they are. Edge locations are separate from Regions, so you can push content from inside a
Region to a collection of Edge locations around the world, in order to accelerate
communication and content delivery. AWS Edge locations, also run more than just CloudFront.
They run a domain name service, or DNS, known as Amazon Route 53, helping direct
customers to the correct web locations with reliably low latency.

AWS Outpost
AWS Outposts, where AWS will basically install a fully operational mini Region, right inside
your own data center. That's owned and operated by AWS, using 100% of AWS functionality,
but isolated within your own building.

API
API is an application programming interface. And what that means is, there are pre determined
ways for you to interact with AWS services. And you can invoke or call these APIs to
provision, configure, and manage your AWS resources.

AWS Management Console

The AWS Management Console is a web-based interface for accessing and managing AWS
services. You can quickly access recently used services and search for other services by name,
keyword, or acronym. The console includes wizards and automated workflows that can
simplify the process of completing tasks. You can also use the AWS Console mobile
application to perform tasks such as monitoring resources, viewing alarms, and accessing
billing information. Multiple identities can stay logged into the AWS Console mobile app at
the same time. Through the console, you can manage your AWS resources visually and in a
way that is easy to digest. This is great for getting started and building your knowledge of the
services. It's also useful for building out test environments or viewing AWS bills, viewing
monitoring and working with other non technical resources
• AWS Command Line Interface or CLI.
The CLI allows you to make API calls using the terminal on your machine. This is
different than the visual navigation style of the Management Console. Writing
commands using the CLI makes actions scriptable and repeatable. So, you can write
and run your commands to launch an EC2 Instance. And if you want to launch
another, you can just run the pre-written command again. This makes it less
susceptible to human error. And you can have these scripts run automatically, like on
a schedule or triggered by another process.

• AWS Software Development Kits or SDKs.

The SDKs allow you to interact with AWS resources through various programming
languages. This makes it easy for developers to create programs that use AWS
without using the low level APIs, as well as avoiding that manual resource creation
that we just talked about. More on that in a bit.

AWS Elastic Beanstalk

With AWS Elastic Beanstalk, you provide code and configuration settings, and Elastic
Beanstalk deploys the resources necessary to perform the following tasks: Adjust capacity
Load balancing Automatic scaling Application health monitoring

AWS CloudFormation
With AWS CloudFormation, you can treat your infrastructure as code. This means that you
can build an environment by writing lines of code instead of using the AWS Management
Console to individually provision resources. AWS CloudFormation provisions your resources
in a safe, repeatable manner, enabling you to frequently build your infrastructure and
applications without having to perform manual actions. It determines the right operations to
perform when managing your stack and rolls back changes automatically if it detects errors.

BAB 4
Amazon Virtual Private Cloud or VPCs
A networking service that you can use to establish boundaries around your AWS resources is
Amazon Virtual Private Cloud. Amazon VPC enables you to provision an isolated section of
the AWS Cloud. In this isolated section, you can launch resources in a virtual network that you
define. Within a virtual private cloud (VPC), you can organize your resources into subnets. A
subnet is a section of a VPC that can contain resources such as Amazon EC2 instances

Subnets
are chunks of IP addresses in your VPC that allow you to group resources together. Subnets,
along with networking rules we will cover later, control whether resources are either publicly
or privately available.
Virtual private gateway
To access private resources in a VPC, you can use a virtual private gateway. Here’s an example
of how a virtual private gateway works. You can think of the internet as the road between your
home and the coffee shop. Suppose that you are traveling on this road with a bodyguard to
protect you. You are still using the same road as other customers, but with an extra layer of
protection. The bodyguard is like a virtual private network (VPN) connection that encrypts (or
protects) your internet traffic from all the other requests around it. The virtual private gateway
is the component that allows protected internet traffic to enter into the VPC. Even though your
connection to the coffee shop has extra protection, traffic jams are possible because you’re
using the same road as other customers.

AWS Direct Connect

AWS Direct Connect is a service that lets you to establish a dedicated private connection
between your data center and a VPC. This private hallway provides the same type of dedicated
connection as AWS Direct Connect. Residents are able to get into the coffee shop without
needing to use the public road shared with other customers.
Network traffic in a VPC
When a customer requests data from an application hosted in the AWS Cloud, this request is
sent as a packet. A packet is a unit of data sent over the internet or a network. It enters into a
VPC through an internet gateway. Before a packet can enter into a subnet or exit from a subnet,
it checks for permissions. These permissions indicate who sent the packet and how the packet
is trying to communicate with the resources in a subnet. The VPC component that checks
packet permissions for subnets is a network access control list (ACL)(opens in a new tab).

AWS account’s default network access control list It is stateless and allows all inbound
and outbound traffic.
VPC Component
• Private Subnet
Isolate databases containing customers personal information
• Virtual Private Gateway
Create VPN Connection between the VPC and the internal corporate network
• Public Subnet
Support the customer-facing website
• AWS Direct Connect
Establish a dedicated connection between the on-premises data center and the VPC

DNS
Suppose that AnyCompany has a website hosted in the AWS Cloud. Customers enter the web
address into their browser, and they are able to access the website. This happens because of
Domain Name System (DNS) resolution. DNS resolution involves a customer DNS resolver
communicating with a company DNS server. You can think of DNS as being the phone book
of the internet. DNS resolution is the process of translating a domain name to an IP address.
Amazon Route 53
Amazon Route 53 is a DNS web service. It gives developers and businesses a reliable way to
route end users to internet applications hosted in AWS. Amazon Route 53 connects user
requests to infrastructure running in AWS (such as Amazon EC2 instances and load balancers).
It can route users to infrastructure outside of AWS. Another feature of Route 53 is the ability
to manage the DNS records for domain names. You can register new domain names directly in
Route 53. You can also transfer DNS records for existing domain names managed by other
domain registrars. This enables you to manage all of your domain names within a single
location.
BAB 5

Instance stores
Block-level storage volumes behave like physical hard drives. An instance store(opens in a
new tab) provides temporary block-level storage for an Amazon EC2 instance. An instance
store is disk storage that is physically attached to the host computer for an EC2 instance, and
therefore has the same lifespan as the instance. When the instance is terminated, you lose any
data in the instance store.
Amazon Elastic Block Store (Amazon EBS)
Best for
• Separate drives from the host computer of an EC2 instance
• Best for data that requires retention
is a service that provides block-level storage volumes that you can use with Amazon EC2
instances. If you stop or terminate an Amazon EC2 instance, all the data on the attached EBS
volume remains available. To create an EBS volume, you define the configuration (such as
volume size and type) and provision it. After you create an EBS volume, it can attach to an
Amazon EC2 instance. Because EBS volumes are for data that needs to persist, it’s important
to back up the data. You can take incremental backups of EBS volumes by creating Amazon
EBS snapshots.
Object Storage
Object storage treats any file as a complete, discreet object. Now this is great for documents,
and images, and video files that get uploaded and consumed as entire objects, but every time
there's a change to the object, you must re-upload the entire file.

Block Storage
Block storage breaks those files down to small component parts or blocks. This means, for that
80-gigabyte file, when you make an edit to one scene in the film and save that change, the
engine only updates the blocks where those bits live
Amazon S3
Amazon Simple Storage Service is a service that provides object-level storage. Amazon S3
stores data as objects in buckets. You can upload any type of file to Amazon S3, such as
images, videos, text files, and so on. For example, you might use Amazon S3 to store backup
files, media files for a website, or archived documents. Amazon S3 offers unlimited storage
space. The maximum file size for an object in Amazon S3 is 5 TB. When you upload a file to
Amazon S3, you can set permissions to control visibility and access to it. You can also use
the Amazon S3 versioning feature to track changes to your objects over time.
Amazon S3 storage classes
With Amazon S3, you pay only for what you use. You can choose from a range of storage
classes(opens in a new tab) to select a fit for your business and cost needs. When selecting an
Amazon S3 storage class, consider these two factors: How often you plan to retrieve your data
How available you need your data to be To learn more about Amazon S3 storage classes,
expand each of the following eight categories.
• S3 Standard – Designed for frequently accessed data Stores data in a minimum of
three Availability Zones Amazon S3 Standard provides high availability for objects.
This makes it a good choice for a wide range of use cases, such as websites, content
distribution, and data analytics. Amazon S3 Standard has a higher cost than other
storage classes intended for infrequently accessed data and archival storage.
• S3 Standard-Infrequent Access (S3 Standard-IA) – Ideal for infrequently accessed
data Similar to Amazon S3 Standard but has a lower storage price and higher retrieval
price Amazon S3 Standard-IA is ideal for data infrequently accessed but requires high
availability when needed. Both Amazon S3 Standard and Amazon S3 Standard-IA store
data in a minimum of three Availability Zones. Amazon S3 Standard-IA provides the
same level of availability as Amazon S3 Standard but with a lower storage price and a
higher retrieval price.
• S3 One Zone-Infrequent Access (S3 One Zone-IA) – Stores data in a single
Availability Zone Has a lower storage price than Amazon S3 Standard-IA Compared
to S3 Standard and S3 Standard-IA, which store data in a minimum of three Availability
Zones, S3 One Zone-IA stores data in a single Availability Zone. This makes it a good
storage class to consider if the following conditions apply: You want to save costs on
storage. You can easily reproduce your data in the event of an Availability Zone failure.
• S3 Intelligent-Tiering – Ideal for data with unknown or changing access patterns
Requires a small monthly monitoring and automation fee per object In the S3
Intelligent-Tiering storage class, Amazon S3 monitors objects’ access patterns. If you
haven’t accessed an object for 30 consecutive days, Amazon S3 automatically moves
it to the infrequent access tier, S3 Standard-IA. If you access an object in the infrequent
access tier, Amazon S3 automatically moves it to the frequent access tier, S3 Standard.
• S3 Glacier Instant Retrieval – Works well for archived data that requires immediate
access Can retrieve objects within a few milliseconds When you decide between the
options for archival storage, consider how quickly you must retrieve the archived
objects. You can retrieve objects stored in the S3 Glacier Instant Retrieval storage class
within milliseconds, with the same performance as S3 Standard.
• S3 Glacier Flexible Retrieval – Low-cost storage designed for data archiving Able to
retrieve objects within a few minutes to hours S3 Glacier Flexible Retrieval is a low-
cost storage class that is ideal for data archiving. For example, you might use this
storage class to store archived customer records or older photos and video files. You
can retrieve your data from S3 Glacier Flexible Retrieval from 1 minute to 12 hours.
• S3 Glacier Deep Archive – Lowest-cost object storage class ideal for archiving Able
to retrieve objects within 12 hours S3 Deep Archive supports long-term retention and
digital preservation for data that might be accessed once or twice in a year. This storage
class is the lowest-cost storage in the AWS Cloud, with data retrieval from 12 to 48
hours. All objects from this storage class are replicated and stored across at least three
geographically dispersed Availability Zones.
• S3 Outposts – Creates S3 buckets on Amazon S3 Outposts Makes it easier to retrieve,
store, and access data on AWS Outposts Amazon S3 Outposts delivers object storage
to your on-premises AWS Outposts environment. Amazon S3 Outposts is designed to
 store data durably and redundantly across multiple devices and servers on your
Outposts. It works well for workloads with local data residency requirements that must
satisfy demanding performance needs by keeping data close to on-premises
applications.

EBS and S3
EBS S3
If you're making a bunch of micro edits, If you were using S3, every time you saved
using EBS, elastic block storage, is the the changes, the system would have to
perfect use case. upload all 80 gigabytes, the whole thing,
every time.

EFS
Amazon Elastic File is a scalable file system used with AWS Cloud services and on-premises
resources. As you add and remove files, Amazon EFS grows and shrinks automatically. It can
scale on demand to petabytes without disrupting applications.

EBS and EFS

EBS
An Amazon EBS volume stores data in a
single Availability Zone. To attach an
Amazon EC2 instance to an EBS volume,
both the Amazon EC2 instance and the EBS
volume must reside within the same
Availability Zone.
EFS
Amazon EFS is a regional service. It stores
data in and across multiple Availability
Zones. The duplicate storage enables you to
access data concurrently from all the
Availability Zones in the Region where a file
system is located. Additionally, on-premises
servers can access Amazon EFS using AWS
Direct Connect.
File storage
In file storage, multiple clients (such as users, applications, servers, and so on) can access data
that is stored in shared file folders. In this approach, a storage server uses block storage with a
local file system to organize files. Clients access data through file paths. Compared to block
storage and object storage, file storage is ideal for use cases in which a large number of services
and resources need to access the same data at the same time.

Relational databases
In a relational database, data is stored in a way that relates it to other pieces of data. An example
of a relational database might be the coffee shop’s inventory management system. Each record
in the database would include data for a single item, such as product name, size, price, and so
on. Relational databases use structured query language (SQL) to store and query data. This
approach allows data to be stored in an easily understandable, consistent, and scalable way.
For example, the coffee shop owners can write a SQL query to identify all the customers whose
most frequently purchased drink is a medium latte.
Amazon Relational Database Service Amazon Relational Database
Service (Amazon RDS)

is a service that enables you to run relational databases in the AWS Cloud. Amazon RDS is a
managed service that automates tasks such as hardware provisioning, database setup, patching,
and backups. With these capabilities, you can spend less time completing administrative tasks
and more time using data to innovate your applications. You can integrate Amazon RDS with
other services to fulfill your business and operational needs, such as using AWS Lambda to
query your database from a serverless application.

Amazon RDS had 6 database engines:

• Amazon Aurora
• PostgreSQL
• MySQL
• MariaDB
• Oracle Database
• Microsoft SQL Server
Amazon Aurora
is an enterprise-class relational database. It is compatible with MySQL and PostgreSQL
relational databases. It is up to five times faster than standard MySQL databases and up to three
times faster than standard PostgreSQL databases. Amazon Aurora helps to reduce your
database costs by reducing unnecessary input/output (I/O) operations, while ensuring that your
database resources remain reliable and available. Consider Amazon Aurora if your workloads
require high availability. It replicates six copies of your data across three Availability Zones
and continuously backs up your data to Amazon S3.

Nonrelational databases
In a nonrelational database, you create tables. A table is a place where you can store and query
data. Nonrelational databases are sometimes referred to as “NoSQL databases” because they
use structures other than rows and columns to organize data. One type of structural approach
for nonrelational databases is key-value pairs. With key-value pairs, data is organized into
items (keys), and items have attributes (values). You can think of attributes as being different
features of your data.
Amazon DynamoDB

Amazon DynamoDB is a key-value database service. It delivers single-digit millisecond

performance at any scale.
• DynamoDB is serverless, which means that you do not have to provision, patch, or
manage servers. You also do not have to install, maintain, or operate software. Click to
flip Front of card Automatic scaling
• Automatic Scaling. As the size of your database shrinks or grows, DynamoDB
automatically scales to adjust for changes in capacity while maintaining consistent
performance. This makes it a suitable choice for use cases that require high performance
while scaling.

RDS and DynamoDB

RDS DynamoDB
Built for business analytics, need complex DynamoDB allows you to build powerful,
relational joins. incredibly fast databases where you don't
need complex joint functionality.
Amazon Redshift
Amazon Redshift is a data warehousing service that you can use for big data analytics. It offers
the ability to collect data from many sources and helps you to understand relationships and
trends across your data. Redshift uses a variety of innovations that allow you to achieve up to
10 times higher performance than traditional databases, when it comes to these kinds of
business intelligence workloads.

AWS Database Migration Service (AWS DMS)

AWS Database Migration Service (AWS DMS) enables you to migrate relational databases,
nonrelational databases, and other types of data stores. With AWS DMS, you move data
between a source database and a target database. The source and target databases(opens in a
new tab) can be of the same type or different types. During the migration, your source database
remains operational, reducing downtime for any applications that rely on the database. For
example, suppose that you have a MySQL database that is stored on premises in an Amazon
EC2 instance or in Amazon RDS. Consider the MySQL database to be your source database.
Using AWS DMS, you could migrate your data to a target database, such as an Amazon Aurora
database.

Use case DMS:

• Development and test database migrations
Enabling developers to test applications against production data without affecting
production users
• Database consolidation
Combining several databases into a single database
• Continuous replication
Sending ongoing copies of your data to other target sources instead of doing a one-time
migration
Additional Database Service
• Amazon DocumentDB – Amazon DocumentDB is a document database service that
supports MongoDB workloads. (MongoDB is a document database program.)
• Amazon Neptune – Amazon Neptune is a graph database service. You can use
Amazon Neptune to build and run applications that work with highly connected
datasets, such as recommendation engines, fraud detection, and knowledge graphs.
• Amazon Quantum Ledger Database (Amazon QLDB) – Amazon Quantum Ledger
Database (Amazon QLDB) is a ledger database service. You can use Amazon QLDB
to review a complete history of all the changes that have been made to your application
data.
• Amazon Managed Blockchain – Amazon Managed Blockchain is a service that you
can use to create and manage blockchain networks with open-source frameworks.
Blockchain is a distributed ledger system that lets multiple parties run transactions and
share data without a central authority.
• Amazon ElastiCache – Amazon ElastiCache is a service that adds caching layers on
top of your databases to help improve the read times of common requests. It supports
two types of data stores: Redis and Memcached.
• Amazon DynamoDB Accelerator – Amazon DynamoDB Accelerator (DAX) is an in-
memory cache for DynamoDB. It helps improve response times from single-digit
milliseconds to microseconds.
BAB 6

Security Responsible

• Customers: Security in the cloud – Customers are responsible for the security
of everything that they create and put in the AWS Cloud. When using AWS
services, you, the customer, maintain complete control over your content. You
are responsible for managing security requirements for your content, including
which content you choose to store on AWS, which AWS services you use, and
who has access to that content. You also control how access rights are granted,
managed, and revoked. The security steps that you take will depend on factors
such as the services that you use, the complexity of your systems, and your
company’s specific operational and security needs. Steps include selecting,
configuring, and patching the operating systems that will run on Amazon EC2
instances, configuring security groups, and managing user accounts.
• AWS: Security of the cloud – AWS is responsible for security of the cloud.
AWS operates, manages, and controls the components at all layers of
infrastructure. This includes areas such as the host operating system, the
virtualization layer, and even the physical security of the data centers from
which services operate. AWS is responsible for protecting the global
infrastructure that runs all of the services offered in the AWS Cloud. This
infrastructure includes AWS Regions, Availability Zones, and edge locations.
AWS manages the security of the cloud, specifically the physical infrastructure
that hosts your resources, which include: Physical security of data centers
Hardware and software infrastructure Network infrastructure Virtualization
infrastructure Although you cannot visit AWS data centers to see this protection
firsthand, AWS provides several reports from third-party auditors. These
auditors have verified its compliance with a variety of computer security
standards and regulations.
AWS Identity and Access Management (IAM)
AWS Identity and Access Management (IAM)(opens in a new tab) enables you to manage
access to AWS services and resources securely. IAM gives you the flexibility to configure
access based on your company’s specific operational and security needs. You do this by using
a combination of IAM features, which are explored in detail in this lesson:
• IAM users, groups, and roles
• IAM policies
• Multi-factor authentication

Best practice: Do not use the root user for everyday tasks. Instead, use the root user to create
your first IAM user and assign it permissions to create other users. Then, continue to create
other IAM users, and access those identities for performing regular tasks throughout AWS.
Only use the root user when you need to perform a limited number of tasks that are only
available to the root user. Examples of these tasks include changing your root user email
address and changing your AWS support plan. For more information, see “Tasks that require
root user credentials” in the AWS Account Management Reference Guide.
IAM users
An IAM user is an identity that you create in AWS. It represents the person or application that
interacts with AWS services and resources. It consists of a name and credentials

IAM policies
An IAM policy is a document that allows or denies permissions to AWS services and resources.
IAM policies enable you to customize users’ levels of access to resources. For example, you
can allow users to access all of the Amazon S3 buckets within your AWS account, or only a
specific bucket.

IAM groups
An IAM group is a collection of IAM users. When you assign an IAM policy to a group, all
users in the group are granted permissions specified by the policy.
IAM roles
In the coffee shop, an employee rotates to different workstations throughout the day.
Depending on the staffing of the coffee shop, this employee might perform several duties: work
at the cash register, update the inventory system, process online orders, and so on. When the
employee needs to switch to a different task, they give up their access to one workstation and
gain access to the next workstation. The employee can easily switch between workstations, but
at any given point in time, they can have access to only a single workstation. This same concept
exists in AWS with IAM roles. An IAM role is an identity that you can assume to gain
temporary access to permissions. Before an IAM user, application, or service can assume an
IAM role, they must be granted permissions to switch to the role. When someone assumes an
IAM role, they abandon all previous permissions that they had under a previous role and
assume the permissions of the new role.

Multi-factor authentication
Have you ever signed in to a website that required you to provide multiple pieces of information
to verify your identity? You might have needed to provide your password and then a second
form of authentication, such as a random code sent to your phone. This is an example of multi-
factor authentication(opens in a new tab). In IAM, multi-factor authentication (MFA) provides
an extra layer of security for your AWS account.

AWS Organizations
Suppose that your company has multiple AWS accounts. You can use AWS Organizations to
consolidate and manage multiple AWS accounts within a central location. When you create an
organization, AWS Organizations automatically creates a root, which is the parent container
for all the accounts in your organization. In AWS Organizations, you can centrally control
permissions for the accounts in your organization by using service control policies
(SCPs)(opens in a new tab). SCPs enable you to place restrictions on the AWS services,
resources, and individual API actions that users and roles in each account can access.
Organizational units
In AWS Organizations, you can group accounts into organizational units (OUs) to make it
easier to manage accounts with similar business or security requirements. When you apply a
policy to an OU, all the accounts in the OU automatically inherit the permissions specified in
the policy. By organizing separate accounts into OUs, you can more easily isolate workloads
or applications that have specific security requirements. For instance, if your company has
accounts that can access only the AWS services that meet certain regulatory requirements, you
can put these accounts into one OU. Then, you can attach a policy to the OU that blocks access
to all other AWS services that do not meet the regulatory requirements

AWS Artifact
Depending on your company’s industry, you may need to uphold specific standards. An audit
or inspection will ensure that the company has met those standards. AWS Artifact(opens in a
new tab) is a service that provides on-demand access to AWS security and compliance reports
and select online agreements. AWS Artifact consists of two main sections: AWS Artifact
Agreements and AWS Artifact Reports.
• AWS Artifact Agreements – Suppose that your company needs to sign an agreement
with AWS regarding your use of certain types of information throughout AWS services.
You can do this through AWS Artifact Agreements. In AWS Artifact Agreements, you
can review, accept, and manage agreements for an individual account and for all your
accounts in AWS Organizations. Different types of agreements are offered to address
the needs of customers who are subject to specific regulations, such as the Health
Insurance Portability and Accountability Act (HIPAA). Review, accept, and manage
agreements with AWS.
• AWS Artifact Reports – Next, suppose that a member of your company’s
development team is building an application and needs more information about their
responsibility for complying with certain regulatory standards. You can advise them to
access this information in AWS Artifact Reports. AWS Artifact Reports provide
compliance reports from third-party auditors. These auditors have tested and verified
that AWS is compliant with a variety of global, regional, and industry-specific security
standards and regulations. AWS Artifact Reports remains up to date with the latest
reports released. You can provide the AWS audit artifacts to your auditors or regulators
as evidence of AWS security controls. Access AWS compliance reports on-demand.
AWS Compliance

Customer Compliance Center

The Customer Compliance Center contains resources to help you learn more about AWS
compliance. In the Customer Compliance Center, you can read customer compliance stories to
discover how companies in regulated industries have solved various compliance, governance,
and audit challenges. You can also access compliance whitepapers and documentation on
topics such as:
• AWS answers to key compliance questions
• An overview of AWS risk and compliance
• An auditing security checklist
Additionally, the Customer Compliance Center includes an auditor learning path. This learning
path is designed for individuals in auditing, compliance, and legal roles who want to learn more
about how their internal operations can demonstrate compliance using the AWS Cloud.

DOS
DDOS

AWS Shield
AWS Shield is a service that protects applications against DDoS attacks. AWS Shield provides
two levels of protection: Standard and Advanced. To learn more about AWS Shield, expand
each of the following two categories.
• AWS Shield Standard – AWS Shield Standard automatically protects all AWS
customers at no cost. It protects your AWS resources from the most common,
frequently occurring types of DDoS attacks. As network traffic comes into your
applications, AWS Shield Standard uses a variety of analysis techniques to detect
malicious traffic in real time and automatically mitigates it.
• AWS Shield Advanced – AWS Shield Advanced is a paid service that provides
detailed attack diagnostics and the ability to detect and mitigate sophisticated DDoS
attacks. It also integrates with other services such as Amazon CloudFront, Amazon
Route 53, and Elastic Load Balancing. Additionally, you can integrate AWS Shield
with AWS WAF by writing custom rules to mitigate complex DDoS attacks.
Encryption
encryption, which is securing a message or data in a way that can only be accessed by
authorized parties. Non-authorized parties are therefore less likely to be able to access the
message. Or not able to access it at all.
• Encryption at rest, we mean when your data is idle. It's just being stored and not
moving. For example, server-side encryption at rest is enabled on all DynamoDB
table data. And that helps prevent unauthorized access. DynamoDB's encryption at
rest also integrates with AWS KMS, or Key Management Service, for managing the
encryption key that is used to encrypt your tables
• Encryption at transit means that the data is traveling between, say A and B. Where
A is the AWS service, and B could be a client accessing the service. Or even another
AWS service itself. For example, let's say we have a Redshift instance running. And
we want to connect it with a SQL client. We use secure sockets layer, or SSL
connections to encrypt data, and we can use service certificates to validate, and
authorize a client. This means that data is protected when passing between Redshift,
and our client. And this functionality exists in numerous other AWS services such as
SQS, S3, RDS, and many more.

AWS Key Management Service (AWS KMS)

enables you to perform encryption operations through the use of cryptographic keys. A
cryptographic key is a random string of digits used for locking (encrypting) and unlocking
(decrypting) data. You can use AWS KMS to create, manage, and use cryptographic keys. You
can also control the use of keys across a wide range of services and in your applications. With
AWS KMS, you can choose the specific levels of access control that you need for your keys.
For example, you can specify which IAM users and roles are able to manage keys.
Alternatively, you can temporarily disable keys so that they are no longer in use by anyone.
Your keys never leave AWS KMS, and you are always in control of them.
AWS WAF
is a web application firewall that lets you monitor network requests that come into your web
applications. AWS WAF works together with Amazon CloudFront and an Application Load
Balancer. Recall the network access control lists that you learned about in an earlier module.
AWS WAF works in a similar way to block or allow traffic. However, it does this by using a
web access control list (ACL)(opens in a new tab) to protect your AWS resources.

Amazon Inspector
To perform automated security assessments, they decide to use Amazon Inspector. Amazon
Inspector helps to improve the security and compliance of applications by running automated
security assessments. It checks applications for security vulnerabilities and deviations from
security best practices, such as open access to Amazon EC2 instances and installations of
vulnerable software versions. After Amazon Inspector has performed an assessment, it
provides you with a list of security findings. The list prioritizes by severity level, including a
detailed description of each security issue and a recommendation for how to fix it. However,
AWS does not guarantee that following the provided recommendations resolves every potential
security issue. Under the shared responsibility model, customers are responsible for the security
of their applications, processes, and tools that run on AWS services.
Amazon Guard Duty
BAB 7

Monitoring
Observing systems, collecting metrics, and then using data to make decisions

Metrics
Variables tied to your resources

Amazon CloudWatch
Amazon CloudWatch) is a web service that enables you to monitor and manage various metrics
and configure alarm actions based on data from those metrics. CloudWatch uses metrics(opens
in a new tab) to represent the data points for your resources. AWS services send metrics to
CloudWatch. CloudWatch then uses these metrics to create graphs automatically that show
how performance has changed over time.

CloudWatch alarms
With CloudWatch, you can create alarms that automatically perform actions if the value of
your metric has gone above or below a predefined threshold. For example, suppose that your
company’s developers use Amazon EC2 instances for application development or testing
purposes. If the developers occasionally forget to stop the instances, the instances will continue
to run and incur charges. In this scenario, you could create a CloudWatch alarm that
automatically stops an Amazon EC2 instance when the CPU utilization percentage has
remained below a certain threshold for a specified period. When configuring the alarm, you
can specify to receive a notification whenever this alarm is triggered.
MTTR
mean time to resolution

TCO
total cost of ownership

AWS CloudTrail
AWS CloudTrail records API calls for your account. The recorded information includes the
identity of the API caller, the time of the API call, the source IP address of the API caller, and
more. You can think of CloudTrail as a “trail” of breadcrumbs (or a log of actions) that
someone has left behind them. Recall that you can use API calls to provision, manage, and
configure your AWS resources. With CloudTrail, you can view a complete history of user
activity and API calls for your applications and resources. Events are typically updated in
CloudTrail within 15 minutes after an API call. You can filter events by specifying the time
and date that an API call occurred, the user who requested the action, the type of resource that
was involved in the API call, and more.
CloudTrail Insights
Within CloudTrail, you can also enable CloudTrail Insights. This optional feature allows
CloudTrail to automatically detect unusual API activities in your AWS account. For example,
CloudTrail Insights might detect that a higher number of Amazon EC2 instances than usual
have recently launched in your account. You can then review the full event details to determine
which actions you need to take next

AWS Trusted Advisor

AWS Trusted Advisor is a web service that inspects your AWS environment and provides real-
time recommendations in accordance with AWS best practices. Trusted Advisor compares its
findings to AWS best practices in five categories: cost optimization, performance, security,
fault tolerance, and service limits. For the checks in each category, Trusted Advisor offers a
list of recommended actions and additional resources to learn more about AWS best practices.
The guidance provided by AWS Trusted Advisor can benefit your company at all stages of
deployment. For example, you can use AWS Trusted Advisor to assist you while you are
creating new workflows and developing new applications. You can also use it while you are
making ongoing improvements to existing applications and resources. Performance checks for
high-utilization EC2 instances
BAB 8

AWS Free Tier

The AWS Free Tier(opens in a new tab) enables you to begin using certain services without
having to worry about incurring costs for the specified period. Three types of offers are
available:
• Always Free – These offers do not expire and are available to all AWS customers. For
example, AWS Lambda allows 1 million free requests and up to 3.2 million seconds of
compute time per month. Amazon DynamoDB allows 25 GB of free storage per month.
• 12 Months Free – These offers are free for 12 months following your initial sign-up
date to AWS. Examples include specific amounts of Amazon S3 Standard Storage,
thresholds for monthly hours of Amazon EC2 compute time, and amounts of Amazon
CloudFront data transfer out.
• Trials – Short-term free trial offers start from the date you activate a particular service.
The length of each trial might vary by number of days or the amount of usage in the
service. For example, Amazon Inspector offers a 90-day free trial. Amazon Lightsail (a
service that enables you to run virtual private servers) offers 750 free hours of usage
over a 30-day period.
For each free tier offer, make sure to review the specific details about exactly which resource
types are included.

AWS Pricing
• Pay for what you use. – For each service, you pay for exactly the amount of resources
that you actually use, without requiring long-term contracts or complex licensing.
• Pay less when you reserve. – Some services offer reservation options that provide a
significant discount compared to On-Demand Instance pricing. For example, suppose
that your company is using Amazon EC2 instances for a workload that needs to run
continuously. You might choose to run this workload on Amazon EC2 Instance Savings
Plans, because the plan allows you to save up to 72% over the equivalent On-Demand
Instance capacity.
 • Pay less with volume-based discounts when you use more. – Some services offer
tiered pricing, so the per-unit cost is incrementally lower with increased usage. For
example, the more Amazon S3 storage space you use, the less you pay for it per GB.

AWS Pricing Calculator

AWS Lambda Pricing
AWS EC2 Pricing
AWS S3 Pricing
AWS Billing & Cost Management dashboard
To pay your AWS bill, monitor your usage, and analyze and control your costs.
• Compare your current month-to-date balance with the previous month, and get a
forecast of the next month based on current usage.
• View month-to-date spend by service.
• View Free Tier usage by service.
• Access Cost Explorer and create budgets.
• Purchase and manage Savings Plans.
• Publish AWS Cost and Usage Reports.

Consolidated billing
In an earlier module, you learned about AWS Organizations, a service that enables you to
manage multiple AWS accounts from a central location. AWS Organizations also provides the
option for consolidated billing(opens in a new tab). The consolidated billing feature of AWS
Organizations enables you to receive a single bill for all AWS accounts in your organization.
By consolidating, you can easily track the combined costs of all the linked accounts in your
organization. The default maximum number of accounts allowed for an organization is 4, but
you can contact AWS Support to increase your quota, if needed. On your monthly bill, you can
review itemized charges incurred by each account. This enables you to have greater
transparency into your organization’s accounts while still maintaining the convenience of
receiving a single monthly bill. Another benefit of consolidated billing is the ability to share
bulk discount pricing, Savings Plans, and Reserved Instances across the accounts in your
organization. For instance, one account might not have enough monthly usage to qualify for
discount pricing. However, when multiple accounts are combined, their aggregated usage may
result in a benefit that applies across all accounts in the organization. Combine usage across
accounts to receive volume pricing discounts.
AWS Budgets
In AWS Budgets, you can create budgets to plan your service usage, service costs, and instance
reservations. The information in AWS Budgets updates three times a day. This helps you to
accurately determine how close your usage is to your budgeted amounts or to the AWS Free
Tier limits. In AWS Budgets, you can also set custom alerts when your usage exceeds (or is
forecasted to exceed) the budgeted amount.
AWS Cost Explorer
AWS Cost Explorer is a tool that lets you visualize, understand, and manage your AWS costs
and usage over time. AWS Cost Explorer includes a default report of the costs and usage for
your top five cost-accruing AWS services. You can apply custom filters and groups to analyze
your data. For example, you can view resource usage at the hourly level.
AWS Support
AWS offers four different Support plans to help you troubleshoot issues, lower costs, and
efficiently use AWS services. You can choose from the following Support plans to meet your
company’s needs:
• Basic
• Developer – Customers in the Developer Support plan have access to features such as:
o Best practice guidance
o Client-side diagnostic tools
o Building-block architecture support, which consists of guidance for how to use
AWS offerings, features, and services together
For example, suppose that your company is exploring AWS services. You’ve heard
about a few different AWS services. However, you’re unsure of how to potentially use
them together to build applications that can address your company’s needs. In this
scenario, the building-block architecture support that is included with the Developer
Support plan could help you to identify opportunities for combining specific services
and features.
• Business - Customers with a Business Support plan have access to additional features,
including:
o Use-case guidance to identify AWS offerings, features, and services that can
best support your specific needs
o All AWS Trusted Advisor checks
o Limited support for third-party software, such as common operating systems
and application stack components
Suppose that your company has the Business Support plan and wants to install a
common third-party operating system onto your Amazon EC2 instances. You could
contact AWS Support for assistance with installing, configuring, and troubleshooting
the operating system. For advanced topics such as optimizing performance, using
custom scripts, or resolving security issues, you may need to contact the third-party
software provider directly. AWS Trusted Advisor checks at the lowest cost
• Enterprise On-Ramp - In November 2021, AWS opened enrollment into AWS
Enterprise On-Ramp Support plan. In addition to all the features included in the Basic,
Developer, and Business Support plans, customers with an Enterprise On-Ramp
Support plan have access to:
 o A pool of Technical Account Managers to provide proactive guidance and
coordinate access to programs and AWS experts
o A Cost Optimization workshop (one per year)
o A Concierge support team for billing and account assistance
o Tools to monitor costs and performance through Trusted Advisor and Health
API/Dashboard
Enterprise On-Ramp Support plan also provides access to a specific set of proactive
support services, which are provided by a pool of Technical Account Managers.
o Consultative review and architecture guidance (one per year)
o Infrastructure Event Management support (one per year)
o Support automation workflows
o 30 minutes or less response time for business-critical issues
• Enterprise – In addition to all features included in the Basic, Developer, Business, and
Enterprise On-Ramp support plans, customers with Enterprise Support have access to:
o A designated Technical Account Manager to provide proactive guidance and
coordinate access to programs and AWS experts
o A Concierge support team for billing and account assistance
o Operations Reviews and tools to monitor health
o Training and Game Days to drive innovation
o Tools to monitor costs and performance through Trusted Advisor and Health
API/Dashboard
The Enterprise plan also provides full access to proactive services, which are provided
by a designated Technical Account Manager:
o Consultative review and architecture guidance
o Infrastructure Event Management support
o Cost Optimization Workshop and tools
o Support automation workflows
o 15 minutes or less response time for business-critical issues
Developer, Business, Enterprise On-Ramp, and Enterprise
Support
The Developer, Business, Enterprise On-Ramp, and Enterprise Support plans include all the
benefits of Basic Support, in addition to the ability to open an unrestricted number of technical
support cases. These Support plans have pay-by-the-month pricing and require no long-term
contracts. In general, for pricing, the Developer plan has the lowest cost, the Business and
Enterprise On-Ramp plans are in the middle, and the Enterprise plan has the highest cost.

Basic Support
Basic Support is free for all AWS customers. It includes access to whitepapers, documentation,
and support communities. With Basic Support, you can also contact AWS for billing questions
and service limit increases. With Basic Support, you have access to a limited selection of AWS
Trusted Advisor checks. Additionally, you can use the AWS Personal Health Dashboard.

AWS Personal Health Dashboard

a tool that provides alerts and remediation guidance when AWS is experiencing events that
may affect you. If your company needs support beyond the Basic level, you could consider
purchasing Developer, Business, Enterprise On-Ramp, and Enterprise Support.

Technical Account Manager (TAM)

The Enterprise On-Ramp and Enterprise Support plans include access to a Technical Account
Manager (TAM). The TAM is your primary point of contact at AWS. If your company
subscribes to Enterprise Support or Enterprise On-Ramp, your TAM educates, empowers, and
evolves your cloud journey across the full range of AWS services. TAMs provide expert
engineering guidance, help you design solutions that efficiently integrate AWS services, assist
with cost-effective and resilient architectures, and provide direct access to AWS programs and
a broad community of experts. For example, suppose that you are interested in developing an
application that uses several AWS services together. Your TAM could provide insights into
how to best use the services together. They achieve this, while aligning with the specific needs
that your company is hoping to address through the new application.
6 Pillars Well Architected Framework

AWS Marketplace
AWS Marketplace is a digital catalog that includes thousands of software listings from
independent software vendors. You can use AWS Marketplace to find, test, and buy software
that runs on AWS. For each listing in AWS Marketplace, you can access detailed information
on pricing options, available support, and reviews from other AWS customers.
BAB 9

Six core perspectives of the Cloud Adoption Framework

At the highest level, the AWS Cloud Adoption Framework (AWS CAF)(opens in a new
tab) organizes guidance into six areas of focus, called Perspectives. Each Perspective
addresses distinct responsibilities. The planning process helps the right people across the
organization prepare for the changes ahead.
In general, the Business, People, and Governance Perspectives focus on business capabilities,
whereas the Platform, Security, and Operations Perspectives focus on technical capabilities.
o Business Perspective – The Business Perspective ensures that IT aligns with business
needs and that IT investments link to key business results. Use the Business Perspective
to create a strong business case for cloud adoption and prioritize cloud adoption
initiatives. Ensure that your business strategies and goals align with your IT strategies
and goals. Common roles in the Business Perspective include:
§ Business managers
§ Finance managers
§ Budget owners
§ Strategy stakeholders
o People Perspective – The People Perspective supports development of an
organization-wide change management strategy for successful cloud adoption. Use the
People Perspective to evaluate organizational structures and roles, new skill and process
requirements, and identify gaps. This helps prioritize training, staffing, and
organizational changes. Common roles in the People Perspective include:
§ Human resources
§ Staffing
§ People managers
o Governance Perspective – The Governance Perspective focuses on the skills and
processes to align IT strategy with business strategy. This ensures that you maximize
the business value and minimize risks. Use the Governance Perspective to understand
how to update the staff skills and processes necessary to ensure business governance in
the cloud. Manage and measure cloud investments to evaluate business outcomes.
Common roles in the Governance Perspective include:
 § Chief Information Officer (CIO)
§ Program managers
§ Enterprise architects
§ Business analysts
§ Portfolio managers
o Platform Perspective – The Platform Perspective includes principles and patterns for
implementing new solutions on the cloud, and migrating on-premises workloads to the
cloud. Use a variety of architectural models to understand and communicate the
structure of IT systems and their relationships. Describe the architecture of the target
state environment in detail. Perspective of the AWS Cloud Adoption Framework helps
you design, implement, and optimize your AWS infrastructure based on your business
goals and perspectives. Common roles in the Platform Perspective include:
§ Chief Technology Officer (CTO)
§ IT managers
§ Solutions architects
o Security Perspective – The Security Perspective ensures that the organization meets
security objectives for visibility, auditability, control, and agility. Use the AWS CAF
to structure the selection and implementation of security controls that meet the
organization’s needs. Common roles in the Security Perspective include:
§ Chief Information Security Officer (CISO)
§ IT security managers
§ IT security analysts
o Operations Perspective – The Operations Perspective helps you to enable, run, use,
operate, and recover IT workloads to the level agreed upon with your business
stakeholders. Define how day-to-day, quarter-to-quarter, and year-to-year business is
conducted. Align with and support the operations of the business. The AWS CAF helps
these stakeholders define current operating procedures and identify the process changes
and training needed to implement successful cloud adoption. Common roles in the
Operations Perspective include:
§ IT operations managers
§ IT support managers
6 strategies for migration
When migrating applications to the cloud, six of the most common migration strategies(opens
in a new tab) that you can implement are:
§ Rehosting – Rehosting also known as “lift-and-shift” involves moving applications
without changes. In the scenario of a large legacy migration, in which the company is
looking to implement its migration and scale quickly to meet a business case, the
majority of applications are rehosted.
§ Replatforming – Replatforming, also known as “lift, tinker, and shift,” involves
making a few cloud optimizations to realize a tangible benefit. Optimization is achieved
without changing the core architecture of the application.
§ Refactoring/re-architecting – Refactoring (also known as re-architecting) involves
reimagining how an application is architected and developed by using cloud-native
features. Refactoring is driven by a strong business need to add features, scale, or
performance that would otherwise be difficult to achieve in the application’s existing
environment.
§ Repurchasing – Repurchasing involves moving from a traditional license to a
software-as-a-service model. For example, a business might choose to implement the
repurchasing strategy by migrating from a customer relationship management (CRM)
system to Salesforce.com.
§ Retaining – Retaining consists of keeping applications that are critical for the business
in the source environment. This might include applications that require major
refactoring before they can be migrated, or, work that can be postponed until a later
time.
§ Retiring – Retiring is the process of removing applications that are no longer needed.
AWS Snow Family
members The AWS Snow Family is a collection of physical devices that help to physically
transport up to exabytes of data into and out of AWS.
§ AWS Snowcone is a small, rugged, and secure edge computing and data transfer
device. It features 2 CPUs, 4 GB of memory, and up to 14 TB of usable storage.
§ AWS Snowball offers two types of devices:
o Snowball Edge Storage Optimized devices are well suited for large-scale data
migrations and recurring transfer workflows, in addition to local computing
with higher capacity needs. Storage:
§ 80 TB of hard disk drive (HDD) capacity for block volumes and
Amazon S3 compatible object storage, and 1 TB of SATA solid state
drive (SSD) for block volumes.
§ Compute: 40 vCPUs, and 80 GiB of memory to support Amazon EC2
sbe1 instances (equivalent to C5).
o Snowball Edge Compute Optimized provides powerful computing resources
for use cases such as machine learning, full motion video analysis, analytics,
and local computing stacks. Storage:
§ 80-TB usable HDD capacity for Amazon S3 compatible object storage
or Amazon EBS compatible block volumes and 28 TB of usable NVMe
SSD capacity for Amazon EBS compatible block volumes.
§ Compute: 104 vCPUs, 416 GiB of memory, and an optional NVIDIA
Tesla V100 GPU. Devices run Amazon EC2 sbe-c and sbe-g instances,
which are equivalent to C5, M5a, G3, and P3 instances.
o AWS Snowmobile is an exabyte-scale data transfer service used to move large
amounts of data to AWS. You can transfer up to 100 petabytes of data per
Snowmobile, a 45-foot long ruggedized shipping container, pulled by a semi
trailer truck.
Serverless applications
With AWS, serverless refers to applications that don’t require you to provision, maintain, or
administer servers. You don’t need to worry about fault tolerance or availability. AWS handles
these capabilities for you. AWS Lambda is an example of a service that you can use to run
serverless applications. If you design your architecture to trigger Lambda functions to run your
code, you can bypass the need to manage a fleet of servers. Building your architecture with
serverless applications enables your developers to focus on their core product instead of
managing and operating servers.

Amazon SageMaker
Traditional machine learning (ML) development is complex, expensive, time consuming, and
error prone. AWS offers Amazon SageMaker to remove the difficult work from the process
and empower you to build, train, and deploy ML models quickly. You can use ML to analyze
data, solve complex problems, and predict outcomes before they happen.

Artificial intelligence
AWS offers a variety of services powered by artificial intelligence (AI). For example, you can
perform the following tasks:
o Get code recommendations while writing code and identify security issues in your code
with Amazon CodeWhisperer.
o Convert speech to text with Amazon Transcribe.
o Discover patterns in text with Amazon Comprehend.
o Identify potentially fraudulent online activities with Amazon Fraud Detector.
o Build voice and text chatbots with Amazon Lex.
BAB 10

The AWS Well-Architected Framework

The AWS Well-Architected Framework helps you understand how to design and operate
reliable, secure, efficient, and cost-effective systems in the AWS Cloud. It provides a way for
you to consistently measure your architecture against best practices and design principles and
identify areas for improvement.
The Well-Architected Framework is based on six pillars:
o Operational excellence – Operational excellence is the ability to run and monitor
systems to deliver business value and to continually improve supporting processes
and procedures. Design principles for operational excellence in the cloud include
performing operations as code, annotating documentation, anticipating failure, and
frequently making small, reversible changes. The ability to run workloads effectively
and gain insights into their operations
o Security – The Security pillar is the ability to protect information, systems, and assets
while delivering business value through risk assessments and mitigation strategies.
When considering the security of your architecture, apply these best practices:
§ Automate security best practices when possible.
§ Apply security at all layers.
§ Protect data in transit and at rest.
o Reliability – focuses on the ability of a workload to consistently and correctly
perform its intended functions. Reliability is the ability of a system to do the
following:
§ Recover from infrastructure or service disruptions
§ Dynamically acquire computing resources to meet demand
§ Mitigate disruptions such as misconfigurations or transient network
issues
Reliability includes testing recovery procedures, scaling horizontally to increase
aggregate system availability, and automatically recovering from failure.
o Performance efficiency – Performance efficiency is the ability to use computing
resources efficiently to meet system requirements and to maintain that efficiency as
demand changes and technologies evolve. Evaluating the performance efficiency of
your architecture includes experimenting more often, using serverless architectures,
and designing systems to be able to go global in minutes.
o Cost optimization – Cost optimization is the ability to run systems to deliver
business value at the lowest price point. Cost optimization includes adopting a
consumption model, analyzing and attributing expenditure, and using managed
services to reduce the cost of ownership.
o Sustainability – In December 2021, AWS introduced a sustainability pillar as part of
the AWS Well-Architected Framework. Sustainability is the ability to continually
improve sustainability impacts by reducing energy consumption and increasing
efficiency across all components of a workload by maximizing the benefits from the
provisioned resources and minimizing the total resources required. To facilitate good
design for sustainability:
§ Understand your impact
 § Establish sustainability goals
§ Maximize utilization
§ Anticipate and adopt new, more efficient hardware and software
offerings
§ Use managed services
§ Reduce the downstream impact of your cloud workloads

Advantages of cloud computing

Operating in the AWS Cloud offers many benefits over computing in on-premises or hybrid
environments. In this section, you will learn about six advantages of cloud computing:
o Trade upfront expense for variable expense. – Upfront expenses include data
centers, physical servers, and other resources that you would need to invest in before
using computing resources. Instead of investing heavily in data centers and servers
before you know how you’re going to use them, you can pay only when you consume
computing resources.
o Benefit from massive economies of scale. – By using cloud computing, you can
achieve a lower variable cost than you can get on your own. Because usage from
hundreds of thousands of customers aggregates in the cloud, providers such as AWS
can achieve higher economies of scale. Economies of scale translate into lower pay-as-
you-go prices.
o Stop guessing capacity. – With cloud computing, you don’t have to predict how much
infrastructure capacity you will need before deploying an application. For example, you
can launch Amazon Elastic Compute Cloud (Amazon EC2) instances when needed and
pay only for the compute time you use. Instead of paying for resources that are unused
or dealing with limited capacity, you can access only the capacity that you need, and
scale in or out in response to demand.
o Increase speed and agility. – The flexibility of cloud computing makes it easier for
you to develop and deploy applications. This flexibility also provides your development
teams with more time to experiment and innovate.
o Stop spending money running and maintaining data centers. – Cloud computing in
data centers often requires you to spend more money and time managing infrastructure
and servers. A benefit of cloud computing is the ability to focus less on these tasks and
more on your applications and customers.
o Go global in minutes. – The AWS Cloud global footprint enables you to quickly
deploy applications to customers around the world, while providing them with low
latency.