DAS-C01: AWS Certified Data Analytics -

Specialty

Exam Cram Notes

First Edition
Chapter 01: Introduction

Introduction
Course Introduction
Individuals with experience and skills working with AWS
services to develop, create, protect, and maintain
analytics systems can pursue the AWS Certified Data
Analytics - Specialty. This course walks you through the
different concepts, including designing analytical
questions, gathering, analyzing, and preparing data while
evaluating the data and uncovering insights from it.

Recommended AWS Knowledge

The ideal applicant should have:

1) A minimum of five years of expertise with popular Digital Use Cases

data analytics tools
2) Two years of hands-on experience and competence
in designing, building, securing, and maintaining
analytics systems using AWS services
3) The ability to create AWS data analytics services and
comprehend how they interact
4) An understanding of how AWS data analytics
services fit within the data lifecycle of collection,
storage, processing, and visualization
What is Data Analytics?
Inspection, cleaning, converting, and modeling data to
uncover usable information, informing conclusions, and
assisting decision-making are what data analytics is all
about. Simply said, data analytics implies that we have
some data, and we need to answer questions with it. We
have a process that needs to be improved, and we can
use the data we collect from our users in different
locations and on different devices to answer questions
and improve the processes that occur within our data
collection, data processing, data analytics, and our
understanding of what that data represents.
1. Application Monitoring: We can monitor our
application performance, stability, and resource
usage with data analytics to make our applications
more efficient and cost-effective.
2. Financial Analysis: Financial analysis is another huge
area for data analytics. We can gain useful insights
from huge amounts of financial data.
3. Machine Learning: We can manage our large data
sets, train models, feed information from our
machine learning application back into that same
data analytics system to help refine those models
and generally improve our machine learning systems
through the use of data analytics tools.
4. IOT Management: We can track, manage, and refine
distributed networks of discrete devices using data
analytics tools.

Steps for Success

To understand the different steps that go into a data
analytics pipeline, we need to understand the idea of the
steps for a successful data analytics pipeline.
Chapter 02: Amazon Simple Storage Service
Introduction to S3
In our data analytics steps for success, S3 will fall in data
collection primarily. It has features that will use in data
preparation, analysis, and data interpretation.
Amazon S3 is a type of object storage that allows you to
store and recover any quantity of data from any location.
It is a low-cost storage solution with business resilience,
reliability, efficiency, privacy, and infinite expansion. S3
uses an object called the bucket. The bucket is the atomic
unit for S3.
Amazon S3 offers a straightforward web service interface
for storing and retrieving any amount of data from any
location at any time. You may quickly create projects that
integrate cloud-native storage using this service.
Because Amazon S3 is easily customizable and you only
pay for what you use, you can start small and scale up as
needed without sacrificing performance or
dependability.
Upload Interfaces
When we upload data at S3, we have several interfaces
to work with. The AWS management console, the AWS
CLI, and several AWS SDKs.
AWS Management Console
When we use the management console, we use a
graphical user interface. We can add files and folders. We
can set most of the options to upload with this interface.
AWS CLI
When using the AWS CLI, we enter commands in our
terminal that will allow us to move data into the S3
bucket. We can use these commands to retrieve data
from S3 buckets.
Transfer Acceleration
Another feature of S3 that we should be aware of when
talking about getting data into S3 is Transfer
Acceleration. To understand why we use Transfer
Acceleration and how it works, let's look at a scenario.
Assume we have an application. Our application will
store data in a bucket in the us-east-1 region. And that
works very well to send and receive data. Our users will
add items to the bucket and read articles. As long as our
users are properly close to the us-east-1 region, they will
not have any issues. We will see some latency once we
get out to the other geographic locations. As users get
further and further away, that latency will increase. So,
they may complain about how long it takes to get things
from our S3 data store.
S3 Multipart Upload
What do we do when we have a lot of data?
If we think about a large file or object in the context of
S3, we can think about it as a large building. Moving it all
at once is impractical if we are moving a building. It can
be time-consuming if we have to carry a completely big
building all by itself, in one piece, it will be moved very
slowly, and we are probably going to damage the
structure, and it is potentially expensive. Hence, when
we talk about moving a large object, we run into some
same issues. It is kind of impractical. Depending on the
compute resources involved, it will be time-consuming
might be expensive. We might have a lot of idle CPU
cycles because we are just moving a large file all at once.
To get around that, multipart upload comes in. If we look
at some of the limitations of the standard ways to get
data into S3, a single S3 Put is only going to let us upload
five gigabytes of data in a single Put, but an S3 object can
be up to five tebibytes.
We will use a multipart upload to get a five-tebibyte
object into S3. It has three steps, like if we were going to
move a building, we would probably break it down into
components and have a plan and use that plan to
reassemble those components on the other side of the
move.
 Prepare Data: We will break the data into reasonably
sized pieces.
 Move Pieces: We will perform the multipart upload
steps to move all data to your S3 bucket.
 S3 puts it together: We will let S3 know the upload
is complete, and S3 puts the data back together in
the bucket.
Three Multipart Upload API Calls
There are three API calls that we use to perform this
process.
1) Create Multipart Upload: First, we have the
CreateMultipartUpload API call. It returns Bucket,
Key, and UploadID. The main thing we need from
returning this API call is the UploadID. The multipart
upload acts as a meta object that stores all of the
information about our upload while it is happening.
It is going to hold the information about all the parts.
2) Upload Parts: Next, we have the UploadPart API call.
We need to provide Bucket, Key, Part Number, and
Upload ID. It returns an ETag. It is very important
because we need to deliver that when we do our
final API call.
3) Complete Multipart Upload: Finally, we have the
CompleteMultipartUpload API call. It returns
Bucket, ETags, and Key. We need to provide Bucket,
Key, Part Number, Upload ID, all Part Numbers, and
ETags.
Three Multipart Upload API Calls
There are three API calls that we use to perform this
process.
1) Create Multipart Upload: First, we have the
CreateMultipartUpload API call. It returns Bucket, Key,
and UploadID. The main thing we need from returning
this API call is the UploadID. The multipart upload acts as
a meta object that stores all of the information about our
upload while it is happening. It is going to hold the
information about all the parts.
2) Upload Parts: Next, we have the UploadPart API call.
We need to provide Bucket, Key, Part Number, and
Upload ID. It returns an ETag. It is very important because
we need to deliver that when we do our final API call.
3) Complete Multipart Upload: Finally, we have the
CompleteMultipartUpload API call. It returns Bucket,
ETags, and Key. We need to provide Bucket, Key, Part
Number, Upload ID, all Part Numbers, and ETags.
Considerations
We have some considerations for this process.
1) Parts: Multipart uploads can be made up of up to
10,000 fragments.
2) Overwrite: Specifying the same part number as a
previously uploaded part can be utilized to overwrite
that part. We can overwrite the parts while the
multipart upload is still in progress. Suppose
something in your log file changes, or there is an
update to a section of it. In that case, you can
overwrite that part, that that section is in and have
the latest version of the log file in your object when
it uploads, or if one of the parts fails or has some
corrupted data in it, you can write it again into the
multipart upload. It will use whatever the latest data
is for that piece of the upload when it is reassembled.
3) Auto-Abort: A bucket lifecycle policy that can be
utilized to abort multipart uploads after a specified
time automatically. It prevents situations where a
multipart upload gets started, something goes wrong
with it, and the closing piece of it never goes
through, or there is an error when the close is
requested that upload will not work until the upload
is completed or aborted. Generally, in a production
system, it is good to have an auto abort configured
for your bucket if you know that there will be a lot of
multipart uploads going to that bucket.
Best Practices and Limitations
There are also a few best practices and limitations that
we need to think about.
 AWS recommends considering multipart upload for
files more significant than a hundred megabytes. It
means that you might want to use multipart upload
for anything larger than a hundred megabytes (100
MiB).
 We need to consider the limitation that all parts
must be at least five megabytes (5 MiB), except for
the final part.
 When we put these together, parts should be
between five and a hundred megabytes.
S3 Storage Classes
What are Storage Classes?
Amazon S3 provides a variety of storage classes to satisfy
a variety of use cases. Storage classes can be assigned to
individual objects, or the bucket can be configured to use
a specific storage class by default for anything added to
it. These include:
 S3 Standard is a storage type for general-purpose
storage of commonly accessed data.
 S3 Intelligent-Tiering is utilized for data with
uncertain or changing access patterns. It is more of a
management engine than a storage class itself.
 Standard Infrequent Access is used for infrequently
accessed data.
 One Zone Infrequent Access is very similar to
Standard Infrequent Access, except it can easily
replace data. We will use this storage class for that
data if we have an on-premise data store that we
want to keep a copy of in the cloud for easier access.
 The Glacier storage class is used for data archives
that we may need faster than the Glacier Deep
Archive.
 The Glacier Deep Archive is also an archival storage
class. It is utilized for digital and long-term archive
preservation.
Availability and Durability
S3 Standard, S3 Standard–IA, S3 Intelligent-Tiering, S3
One Zone–IA, S3 Glacier, and S3 Glacier Deep Archive are
all meant to offer 99.999999999 percent (11 9's) data
durability over a year. This level of durability corresponds
to a projected yearly loss of 0.000000001 percent of
items. For example, if you store 10,000,000 objects on
Amazon S3, you may anticipate a single object to be lost
once every 10,000 years on average. On Outposts, S3 is
meant to store data reliably and redundantly across
several devices and servers. Furthermore, Amazon S3
Standard, S3 Standard-IA, S3 Glacier, and S3 Glacier Deep
Archive are all built to keep data alive in the case of a
complete S3 Availability Zone failure.
The S3 Standard storage class is designed for 99.99
percent availability, the S3 Standard-IA storage class and
the S3 Intelligent-Tiering storage class for 99.9%
availability, the S3 One Zone-IA storage class for 99.5
percent availability, and the S3 Glacier and S3 Glacier
Deep Archive storage classes for 99.99 percent
availability and a 99.9% Service Level Agreement (SLA).
S3 Standard
S3 Standard provides excellent durability, availability,
and performance object storage for frequently accessed
dataS3 Standard is suitable for a wide range of use cases,
including cloud services, dynamic websites, content
distribution, mobile and gaming apps, and big data
analytics, due to its low latency and high throughput. A
single bucket can contain objects stored across S3
Standard, S3 Intelligent-Tiering, S3 Standard-IA, and S3
One Zone-IA, S3 Storage Classes, which can be defined at
the object level. You may also utilize S3 Lifecycle policies
to migrate items across storage classes without having to
make any modifications to your application.
S3 Infrequent Access
S3 Standard-IA is for data accessed infrequently but
has to be available quickly when needed. S3 Standard-IA
combines S3 Standard's strong durability, speed, and low
latency with a cheap per-GB storage and retrieval charge.
S3 Standard-IA is appropriate for long-term storage,
backups, and data storage for disaster recovery files
because of its low cost and significant performance. A
single bucket can contain objects stored across S3
Standard, S3 Intelligent-Tiering, S3 Standard-IA, S3 One
Zone-IA, and S3 Storage Classes can be defined at the
object level. You may also utilize S3 Lifecycle policies to
migrate items across storage classes without having to
make any modifications to your application.
S3 Intelligent Tiering
Independent of object size or retention duration, S3
Intelligent-Tiering is the best storage class for data with
unknown, changing, or unexpected access patterns. S3
Intelligent-Tiering may be the default storage class for
data lakes, analytics, and new applications.
S3 Intelligent-Tiering monitors our objects for access
assigned to the Intelligent-Tiering storage class. If the
object is not accessed for 30 days, it will move it to the
configured Infrequent Access storage class. And once
that object is accessed, it will be transferred back to the
Standard storage class. It is where the unknown access
pattern comes in. We will pay to monitor our objects, but
we trade off the access cost of Infrequent Access for this
monitoring cost. The monitoring is 1/4 of a penny per
1,000 objects, and the storage cost will depend on the
storage class the object is in, in the underlying storage
class. If it is in Standard or Infrequent Access, that will
determine what we are paying to store those objects.
S3 Glacier
S3 Glacier is a safe, long-lasting, low-cost data archiving
storage type. You can store any quantity of data reliably
at prices comparable to or lower than on-premises
alternatives. S3 Glacier offers three retrieval options,
ranging from a few minutes to hours, to keep costs
reasonable while meeting various demands. You may
utilize S3 Lifecycle policies to move data between the S3
Storage Classes for active data (S3 Standard, S3
Intelligent-Tiering, S3 Standard-IA, and S3 One Zone-IA)
S3 Glacier, or you can upload objects directly to S3
Glacier.
S3 Lifecycle Policies
Life Of Data
When we talk about the life of data, we mean that we
will create our data, that data will be actively utilized,
and then eventually, we will likely archive or delete that
data. Once the data has been formed, it will be active in
either the standard or infrequent access S3 storage class.
And then, it will move over to the archive storage class.
We may then push that data back into active utilization
at some point. We can manage most of this with our
lifecycle policy. We do not need to work potentially
millions of objects stored in S3, and all of this will happen
for us automatically.
Data Lifecycle in S3
When we look at the storage classes, we overlap our
Venn diagram of active and archive. Typically, we will
bounce from the S3 standard to the infrequent access
storage classes and then move to the archive. We might
move back to standard again and repeat this process in
the lifecycle of our data. It may have a loop around and
around, or it may eventually be deleted after a certain
amount of time.
S3 Security and Encryption
S3 Security Overview
At AWS, cloud security is a top priority. As an AWS client,
you have access to a data center and network
architecture designed to fulfill the needs of the most
security-conscious businesses. When we look at S3
security and encryption, there are many S3 features and
integrated services that provide various functions to
maintain the security of our S3 buckets.
S3 Features
 Access Analyzer for S3
 Amazon S3 Server Access Logging
 Bucket Policy
 Bucket Access Control List (ACL)
 Cross-Region Replication
 Multi-factor authentication (MFA) Delete
 Object Access Control List (ACL)
 Object Locking
 Versioning
Integrated Services
 Amazon CloudWatch Alarms
 AWS CloudTrail Logs
 Identity Access Management (IAM)
 VPC Endpoints
 Service Control Policies
 Key Management Service (KMS)
In-Flight Security
The S3 Bucket in In-Flight security requires TLS support
from the clients that connect to the S3 buckets. We also
have VPC endpoints, making it so that we can only access
our bucket through our VPC. We can combine that VPC
with VPN options to access S3 buckets from the outside.
Then we can use some access control and auditing
feature to ensure that our above security features are
operating in the way we expect them to.
Client-Side Encryption
The application server will request an encrypted object
for client-side encryption if we are using the KMS option.
Our bucket is going to return that encrypted object and
a cipher blob. The cipher blob identifies the Key that that
object was encrypted with. Our application server then
needs to call KMS for that Key. Hence, it will request the
Key associated with the cipher blob that is returned to
the object, and then a data key is returned for that
object. We can then combine our encrypted object and
our plain text data key into a decrypted object.
Server-Side Encryption
For server-side encryption, if S3 manages our encryption
keys, our application server will request an object, and
S3 will decrypt it and send it back.
The S3 Access Security Waterfall
There is a permission waterfall when we talk about the
API and our various ways to access objects in S3 and
control that access. Each one of the services in the
waterfall adds to the flow, and at the bottom line of the
waterfall, they are all combined to create a single policy
that determines whether or not we can access an object
or a bucket in S3.
Access Logging, Alerting, and Auditing
We have the S3 server access log and cloud trail logs, and
with these two combined, we can get various
granularities of access to our buckets. It can be used to
feed data into CloudWatch, or CloudWatch on its own
can be used for alerting to perform various actions. If a
bucket suddenly receives a considerable amount of
requests, we could set up a CloudWatch alarm that will
trigger a Lambda function that will turn off access to that
bucket. Maybe a timer waits a certain amount of time
and then automatically re-enables access to that bucket
to resume operation.
Understanding all the layers of access authorization can
get quite complicated, and that is where the access
analyzer for S3 comes in. It will analyze the various
policies and ACLs involved in providing access, and it will
generate a report around what is available. It is useful if
there is a hole that we missed in our access policies that
maybe we do not want to provide access to a bucket
through some specific avenue, which will reveal that for
us.
Object Protection and Replication
Protection
We have an object that is in our S3 bucket. This object
happens to be a beat. We want to protect this object so
that it cannot be deleted, or we are going to put it into a
Write Once Read Many modes or WORM. We can turn
on object locking, which prevents the deletion of this
object without disabling object locking.
Alternatively, we can enable multi-factor authentication
to delete our bucket, requiring an MFA token to delete
objects in the bucket. It is useful because we can control
this feature with some granularity, and these users with
MFA tokens are allowed to delete objects from a bucket.
All other users are not, which gives our administrators
the ability to remove objects if needed.
Replication
We can also replicate our bucket across regions. Hence,
the objects in our bucket will be copied to a bucket in a
second region bucket. We will need to have a different
name, but this provides disaster recovery in case there is
a loss of the entire AWS region for whatever reason. We
can turn on cross-region replication, and we will still
access our buckets. We may need to update our code to
point our applications to the correct bucket or set up
some automatic failover in our application code. To turn
on cross-region replication, you need to enable
versioning. This is because if an object is placed in a
bucket and the replication engine starts, and it is a huge
object, that object is replaced. Suddenly you have an
invalid replication occurring. Therefore, the service can
replicate a specific version. Then if that object is
overwritten while replication is still happening, it will
complete the reproduction of the performance that it is
copying and then replicate the newer version. It means
that it is possible for there to be some delay in replicating
our objects into our second region. Still, generally, this
works out very well for disaster recovery.
Chapter 03: Databases in AWS
Introduction to Databases in AWS
Introduction
In the analytics process, how do you use databases? We
will discuss databases services in AWS in this chapter. In
the analytics process, how do you use databases? For
example, databases. For the most part, Databases will be
in our data preparation section. They will be a starting
point for aggregating data or a source of data that you
will input into your pipeline, perhaps as a secondary
dimension, or collect and send into our data analysis. It
might be moved to a data warehouse or data lake, or it
could be read directly from the database in our pipeline.
Organizing Data
We might have user profile service metadata application
logs and IoT data. We will take that data and put it in our
databases, then gather it all together, get it organized,
and clean up our little pile of data.
Services
We have the relational database service Aurora, an
engine that runs in the relational database service,
DynamoDB, and Elasticache. All of these have different
use cases.
Database Engines Types
A database engine (sometimes known as a storage
engine) is the software component that enables a
Database Management System (DBMS) to generate,
read, update, and delete (GRUD) data from a database.
Most database management systems have an
Application Programming Interface (API) that allows
users to communicate with the underlying engine
without going via the DBMS's user interface.
Relational Database
A relational database is a collection of data objects with
specified relationships and can be easily retrieved. In the
relational database paradigm, data structures such as
data tables, indexes, and views are maintained distinct
from physical storage structures, allowing database
managers to alter the physical data storage without
affecting the logical data structure.
Relational databases are used in the enterprise to
organize data and find links between crucial data
elements. They simplify managing and finding
information, allowing businesses to make better-
informed decisions and save money. They work
effectively with data that is structured.
Row Databases
Row-oriented databases organize data by history and
retain all of the data associated with a record in memory
adjacent to each other. Row-oriented databases are the
conventional method of data organization, and they still
offer some important advantages for storing data fast.
They have been designed to read and write rows quickly.
Row Database Use Cases
OLTP-Online Transaction Processing has the following
features.
 Used for rapid transactions
 Protects data through transaction rollback
 Ideal for low latency applications
Columnar Databases
A columnar database is a Database Management System
(DBMS) that stores data in columns rather than rows. A
columnar database's goal is to reduce the time it takes to
return a query by quickly writing and reading data to and
from hard disc storage. Columnar databases store data
so that disc I/O speed is considerably improved. They are
very useful for data warehousing and analytics.
Columnar Database Use Cases
OLAB – Online Analytics Processing has the following
features.
 Uses for analytics workloads
 Manages large amounts of data
 Handles complex long-running query operations
Non-Relational Database
Non-relational databases (often referred to as ‘NoSQL’ or
‘JSON’ or ‘key: value’ databases) differ from traditional
relational databases because they are stored in a non-
tabular format. Non-relational databases are
substantially more adaptable than relational databases
since they can digest and organize various information
side-by-side. Non-relational databases, on the other
hand, should be built on data formats such as
documents. A document can be quite thorough while
also including various data types in multiple forms.
Key-Value Database
A key-value database is a non-relational database that
uses a basic key-value method to store data. Data is
stored in a key-value database as a collection of key-
value pairs. A key serves as a unique identifier. Both keys
and values can be any type of object, from basic to
sophisticated compound objects. Key-value databases
are extremely partitioned tables and can scale
horizontally to scales that other databases cannot.
Suppose a current section fills and extra storage space is
necessary. In that case, Amazon DynamoDB assigns
additional partitions to the database.
Document Database
A document database is a non-relational database that
stores and queries data as JSON-like documents.
Documents and document databases can adapt to the
demands of applications due to their flexible, semi-
structured, and hierarchical nature. By employing the
same document-model format as their application code,
document databases make it easier for developers to
store and query data in a database. The document model
is particularly suited to use cases where each document
is unique and changes over time, such as catalogs, user
profiles, and content management systems. Flexible
indexing, strong ad hoc searches, and analytics over
collections of documents are all possible with document
databases.
Graph Database
Graph databases are especially suited for storing and
traversing relationships. Relationships are treated as
first-class citizens in graph databases, accounting for the
vast bulk of the database's value. Nodes store data
entities, while edges store relationships between things
in graph databases. Edge contains a start node, an end
node, a type, and a direction, and it may be used to
define parent-child connections, actions, and ownership,
among other things. A node can have an infinite number
and variety of relationships.
Relational Database Service
Introduction
Amazon RDS (Amazon Relational Database Service) is a
cloud-based managed service that makes it easier to set
up, operate, and scale a relational database. It offers
cost-effectiveness and scalability while handling time-
consuming database management responsibilities,
allowing you to focus on your applications and company.
Amazon RDS offers the functionality of a well-known
MySQL, MariaDB, Oracle, SQL Server, or PostgreSQL
database. It implies that the code, apps, and tools you
are already using with your old databases should operate
just fine with Amazon RDS. Amazon RDS can back up your
database automatically and maintain your database
software up to date with the newest version. You have
the option of scaling the processing resources or storage
space associated with your relational database instance.
Furthermore, for read-heavy database workloads,
Amazon RDS makes it simple to implement replication to
increase database availability data durability or grow
beyond the capacity restrictions of a single database
instance. There are no upfront expenditures necessary,
and you just pay for the resources you use, as with other
Amazon Web Services.
Amazon Aurora, MySQL, MariaDB, Oracle, SQL Server,
and PostgreSQL are all supported by Amazon RDS.
Managed Service
RDS is a managed service. What does this mean? The
basic explanation is that we do not have access to the
operating system of the instances we run in these
services. Hence, what we get is a management API that
allows us two manage database instances. RDS runs
several engines, and you have Aurora, MySQL, MariaDB,
PostgreSQL, SQL Server, and Oracle and Aurora in two
varieties MySQL and PostgreSQL.
Second Level Service
RDS is considered the second level of service, and to
understand that, we use the dig command. You create a
database instance and run a dig against it. You can get a
ton of information about RDS structure from the simple
control.
RDS Instance
A DB instance is a standalone database environment that
runs on the cloud. It is the fundamental component of
Amazon RDS. A DB instance can hold numerous user-
created databases and be accessed using the same client
tools and applications as a single database instance.
Operation System Access
How do you manage not having operating system access
and still tune our database to function to our workload?
You have parameter groups, which are controlled
through the RDS API. You have option groups, which are
also held through the RDS API parameter groups, which
will allow us to change engine parameters, like how
logging is configured and stored various memory
management parameters and any other engine
variables. Some operating system variables/option
groups are used to manage plug-ins in some cases.
Oracle uses option groups pretty heavily, whereas
PostgreSQL does not use them.
Disaster Recovery
The big disaster recovery feature for RDS is multi-AZ
deployments. The way that it works is that you are going
to have a primary and secondary instance. In this
example, our prime samples are in US West 2A or
secondary ones in US West 2B. These instances are going
to be replicating at the block level. The database engine
is not involved at all; the database engine will not be
running at all and on the secondary. It is going to be
sleeping. RDS then monitors the engine, the compute
instances, the EBS volumes, and the replication between
those EBS volumes, and if the machine or the EC2
instance or the EBS volume fails, it will terminate that
instance. That instance will no longer be the primary, and
the secondary in US West 2B will become the primary.
The RDS service will wake up the database engine, and
then a new secondary in our old availability zone US
West 2A will be created with an engine that is not
running.
Neptune
Introduction
Amazon Neptune is a fast, trustworthy, and fully-
managed graph database service that simplifies the
design and operation of applications that deal with vast,
linked datasets. Neptune is designed around a purpose-
made, high-performance graph database engine. This
engine is designed to store billions of relationships and
query the graph in milliseconds. Neptune supports the
popular graph query languages Apache TinkerPop
Gremlin and W3C's SPARQL, allowing you to effectively
create searches that explore densely linked datasets.
Neptune drives graph application cases, including
recommendation engines, fraud detection, knowledge
graphs, medicine discovery, and network security.
Neptune is extremely available with read replicas, point-
in-time recovery, continuous backup to Amazon S3, and
replication across Availability Zones. Neptune offers data
security measures such as encryption at rest and in
transit. Because Neptune is fully managed, you no longer
need to worry about database administration activities
such as hardware provisioning, software patching, setup,
configuration, or backups.
Graph Structure
A graph is a data structure consisting of a finite number
of nodes (or vertices) and edges that link them. In the
following examples, circles represent vertices, and lines
indicate edges. An edge (x,y) signals that the x vertex
relates to the y vertex.
We know that a graph has a node from our database
engine types section. Those nodes will contain data, and
then the nodes will be connected via edges. The edges
are common data in those nodes. We can traverse these
graphs and collect data secured by the nodes.
Interface Languages
It is two different interface languages that Neptune
supports. We have Apache's TinkerPop Gremlin, or
simply Gremlin, and we have the W3C sparkle protocol,
which is used with the resource description framework
or RDF query language.
1. Apache – TinkerPop Germlin
o Graph structure property
o Interface: WebSocket
o Query Pattern: Traversal
2. W3C – SPARQL Protocol & RDF Query Language
o Graph structure: Resource Description Framework
(RDF)
o Interface: HTTP Rest
o Query Pattern: SQL
DocumenDB
Introduction
Amazon DocumentDB (with MongoDB compatibility) is a
highly scalable, dependable, and completely managed
database service. You may run the same application code
and utilize the same drivers and tools with MongoDB
with Amazon DocumentDB. Amazon DocumentDB
simplifies the setup, operation, and scaling of MongoDB-
compatible databases in the cloud.
Some programmers may not consider their data model
normalized rows and columns. Data is typically
represented as a JSON document at the application tier
because it is more intuitive for developers to think of
their data model as a document.
Serverless Options
Introduction
Serverless is a means of offering backend services as
needed. Users may use a serverless provider to build and
publish code without worrying about the underlying
infrastructure. Because the service is auto-scaling, a firm
that obtains backend services from a serverless vendor is
charged depending on their calculations and does not
have to reserve and pay for a predetermined amount of
bandwidth or number of servers. It should be noted that,
despite the term, actual servers are still utilized, but
developers are not required to be aware of them.
To start, we have S3 select, which is just an API call that
lets us make selects against data in S3 buckets. We have
Athena, which is more of a fully relational database
management system that S3 backs. We have DynamoDB,
a key-value plus a fully managed serverless database. We
also have Aurora serverless, which leverages the
architecture of Aurora to treat our database as though it
is serverless. Serverless means that we do not need to
administrate any servers. Hence there are still servers
behind all of these services. We are just not going to be
building them at all.
S3 Select
Using simple SQL expressions, S3 Select allows apps to
get only a subset of data from an object. You may
drastically improve speed by retrieving only the data
required by your application using S3 Select. In many
circumstances, you might expect to see a 400%
improvement.
S3 Select
Using simple SQL expressions, S3 Select allows apps to
get only a subset of data from an object. You may
drastically improve speed by retrieving only the data
required by your application using S3 Select. In many
circumstances, you might expect to see a 400%
improvement.
Athena
Amazon Athena is an interactive query service that
allows you to use conventional SQL to evaluate data
directly in Amazon Simple Storage Service (Amazon S3).
With a few clicks in the AWS Management Console, you
can aim Athena at your Amazon S3 data and start running
ad-hoc searches with conventional SQL to obtain results
in seconds.
DynamoDB
Amazon DynamoDB is a fully managed NoSQL database
service that delivers quick and predictable performance
while seamless scaling. You can offload the
administrative requirements of running and growing a
distributed database using DynamoDB, so you do not
have to worry about hardware provisioning, setup,
configuration, replication, software patching, or cluster
scalability. DynamoDB also supports encryption at rest,
removing the operational load and complexity
associated with securing sensitive data.
Aurora
Amazon Aurora (Aurora) is a relational database engine
that is fully managed and compatible with MySQL and
PostgreSQL. MySQL and PostgreSQL combine the
performance and dependability of high-end commercial
databases with the simplicity and low cost of open-
source databases. The code, tools, and applications that
you are now using with your existing MySQL and
PostgreSQL databases may be utilized with Aurora.
Aurora may give up to five times the performance of
MySQL and three times the throughput of PostgreSQL in
specific workloads without needing modifications to the
bulk of your existing applications.

Aurora Serverless
Amazon Aurora Serverless v1 (Amazon Aurora Serverless
version 1) is a configuration for on-demand autoscaling
in Amazon Aurora. An Aurora Serverless DB cluster is a
database cluster that dynamically scales processing
capacity based on the needs of your application. In
contrast, Aurora supplied DB clusters require manual
capacity management. Aurora Serverless v1 is a simple,
low-cost choice for occasional, intermittent, or
unexpected workloads. It saves money since it starts up
automatically, boosts processing capacity to match the
needs of your application, and shuts down when not in
use.
Chapter 04: Collecting Streaming Data
Introduction
The streaming data makes up a mass amount of data
collected, so it is important to understand what it is and
what are the different ways you can collect, process, and
store it within AWS. Streaming data is new data, and it
plays a big role in actionable decisions that can be made
with that data.
Kinesis Family
Data Collection
The practice of gathering, measuring, and evaluating
correct research insights using established procedures is
data collection. Based on the evidence gathered, a
researcher can assess their hypothesis. Depending on
the information requested, the approach to data
gathering differs for different topics of research.
Regardless of the subject of study, data gathering is the
first and most significant stage in most situations.
The systematic process of gathering and measuring
information from many sources to create a full and
accurate picture of a subject is known as data collection.
Data collecting allows a person or organization to answer
pertinent questions, assess results, and forecast future
probability and trends.
Data collection’s most critical objective is to ensure that
information-rich and reliable data is collected for
statistical analysis so that data-driven decisions can be
made.
Data Collection Methods
Surveys, interviews, and focus groups are the most
common methods for gathering information.
Corporations may now collect data from mobile devices,
website traffic, server activity, and other relevant
sources using Web and analytics technologies depending
on the project.
Big Data Collection
It is based on collecting and then mining large amounts
of data for information. Big data refers to massive
volumes of organized, semi-structured, and
unstructured data acquired by businesses. New
approaches for collecting and analyzing data have
emerged because it takes a lot of time and money to load
big data into a traditional relational database for
analysis. In a data lake, raw data with extra information
is aggregated. Machine learning and artificial intelligence
systems then employ complicated algorithms to search
for repeating patterns.
Streaming Data
Streaming data is generated continuously by thousands
of data sources. These are typically sent in small data
records simultaneously, think in the order of kilobytes.
For example, think about sensors in vehicles or industrial
equipment that you might see in some factory or farming
machinery. These sensors send data to streaming
applications; these applications monitor performance,
detect any potential defects in advance, or even place an
order for spare parts. When defects or any type of
anomaly is detected within the equipment it is running
on; it prevents equipment downtime. Another example
is a financial institution that tracks changes in the stock
market in real-time. It then computes value at risk and
rebalances portfolios automatically depending on stock
price fluctuations.
AWS Kinesis Family
The AWS Kinesis family is not just one service but a family
of services. Kinesis offers several different services that
help you get your streaming data into AWS and build
robust applications around streaming data. The first
service is the Kinesis data stream.
Kinesis data stream allows us to collect and process large
streams of data records in real-time. It is the most
important service when it comes to Kinesis services. The
next Kinesis service is Kinesis Data Firehose. Kinesis Data
Firehose is our delivery stream, which allows us to deliver
our streaming data to various data sources, such as
Amazon S3, Redshift, Elasticsearch, or Splunk. The next
Kinesis service is Kinesis video streams that allow us to
stream live videos from devices to the AWS cloud, and
you can build real-time applications around these video
streams. Finally, we have Kinesis data analytics. It is what
you can use to process and analyze streaming data using
standard SQL queries. Hence, you can essentially run SQL
queries in real-time on streaming data.
Thus, Kinesis Data Stream, Kinesis Data Firehose, Kinesis
Video Streams, and Kinesis Data Analytics are the four
services that make up the Kinesis family.
Kinesis Data Streams
Introduction
One of the benefits of using Kinesis Data Stream is
aggregating real-time data and then loading it into some
data warehousing solution like Redshift or some
MapReduce cluster like EMR. Kinesis Data Streams are
also durable and elastic, meaning that you would not
lose our data records. You would not lose our streaming
data, and it scales up or down depending on the number
of records coming into our stream. It means that you can
get all the benefits of a managed streaming service
rather than having to host it on EC2 instances ourselves.
You want to take advantage of managed services
wherever you can, which is an integral part of collecting
streaming data within AWS. You can also have parallel
applications reading from the stream. Hence, you can
perform different functions on that data. It is one of the
significant differences between Kinesis and other
queuing services.
Working with Kinesis Data Streams
Kinesis Data Streams may be used to collect and
aggregate data in real-time. IT infrastructure log data,
application logs, social media, market data feeds, and
online clickstream data are some examples of the data
types that may be employed. Because the data intake
and processing are both done in real-time, the
processing is generally minimal.
The following are some examples of how Kinesis Data
Streams can be used:
1. Accelerated log and data feed intake and processing:
Data can be immediately sent into a stream by
producers. For example, push system and application
logs will be ready for analysis in seconds. If the front-end
or application server dies, the log data will not be lost.
Kinesis Data Streams provide quicker data feed intake
because you do not batch the data on the servers before
submitting it for input.
2. Real-time metrics and reporting:
Data gathered via Kinesis Data Streams may be used for
real-time data analysis and reporting. Instead of waiting
for batches of data to arrive, your data-processing
application might work on metrics and reporting for
system and application logs as they come.
3. Real-time data analytics:
The strength of parallel processing is combined with the
value of real-time data in this way. For example, utilizing
many Kinesis Data Streams applications operating in
parallel, process website clickstreams in real-time, and
then assesses site usability engagement.
4. Complex stream processing:
Kinesis Data Stream applications and data streams may
be turned into Directed Acyclic Graphs (DAGs). It usually
entails combining data from many Kinesis Data Stream
applications into a single stream for later processing by
another Kinesis Data Stream application.
Shard
Shards are a container that holds our information
shipped off to consumers. Let us assume that you have a
single shard. You can see this shard has two data records;
each one of these data records consists of a partition key,
a sequence ID, the data, and the actual data you want to
ship off to consumers. The partition key is going to be the
same for all the records within a shard. The sequence
number will be in the order in which the shard received
the record, and that will be our data. Each shard consists
of a sequence of data records. Here, you have two, which
can be ingested at 1000 records per second. The actual
data payload per record can be up to one megabyte.
Processing & Storage
A shard is temporary data storage. Data records are
stored for 24 hours by default and can be extended up to
365 days. By default, the data retention period is 24 3. Kinesis Agent
hours. You can raise the data retention period to seven
The Kinesis Agent is a ready-to-use Java application that
days by enabling extended data retention. You can
can be deployed on a Linux-based server. It is an agent
increase it even further by allowing long-term data
that monitors specific files and continuously sends data
retention to have the data persist in the shard for up to
to our Data Stream. Hence, you might want to install this
365 days. You can do this by using the increased stream
on web servers, log servers, or database servers.
retention period operation. You can decrease it by using
the reduced stream retention period operation. Hence, Kinesis Agent is a Java software application that allows
going back to our train example, passengers will be you to gather and transfer data to Kinesis Data Streams
booted from the train every 24 hours, but some rules quickly. The agent watches a group of files in real-time
may differ for some trains. It is the retention period, so and feeds new data to your stream. The agent performs
some passengers may be allowed to stay for up to 365 file rotation, checkpointing, and retries in the event of a
days. failure. It distributes all of your data in a dependable,
fast, and straightforward manner. It also emits Amazon
Interacting with Kinesis Data Stream
CloudWatch metrics to assist you in monitoring and
There are a few different ways to interact with Kinesis
troubleshooting the streaming operation.
Data Streams:
By default, entries from each file are processed based on
1. Kinesis Producer Library (KPL):
the newline ('n') character. The agent, on the other hand,
An application that inserts user data into a Kinesis data may be set to parse multi-line entries.
stream is an Amazon Kinesis Data Streams producer (also
The agent may be deployed on Linux-based web servers,
called data ingestion). The Kinesis Producer Library (KPL)
log servers, and database servers. Configure the agent
makes it easier for developers to create producer
after installing it by providing the files to monitor and the
applications by achieving high write throughput to a
data stream. Once set up, the agent takes data from files
Kinesis data stream.
and consistently feeds it to the stream.
2. Kinesis Client Library (KCL):
4. Kinesis API (AWS SDK):
KCL takes care of many complicated duties connected
It is used to process data from the Kinesis Data Stream.
with distributed computing, allowing you to receive and
Once the data is in Kinesis Data Streams, you can use
process data from a Kinesis data stream. Load balancing
Kinesis Client Library, abbreviated as KCL, to directly
across numerous consumer application instances,
interact with the Kinesis Producer Library to consume.
responding to consumer application instance failures,
These libraries are used to abstract some of the low-level
checkpointing processed records, and responding to re-
commands you would have to use with the Kinesis API.
sharding are examples of these. The KCL handles all of
However, it is used for more low-level API operations and
these subtasks, allowing you to concentrate on
more manual configurations. Hence, the interaction with
implementing your unique record-processing logic.
Kinesis Data Stream is by using the Kinesis API. With the
The KCL is not the same as the Kinesis Data Streams APIs Kinesis API, you can perform the same actions that you
offered in the AWS SDKs. The Kinesis Data Streams APIs can achieve with the Kinesis Producer Library or the
assist you in managing many elements of Kinesis Data Kinesis Client Library. Hence, you can install the Kinesis
Streams, such as establishing streams, re-sharding, Producer Library on two EC2 Instances or integrate it
inserting and receiving information. The KCL adds a layer directly into your Java applications.
of abstraction around all of these subtasks, allowing you
KPL VS Kinesis API
to focus on the particular data processing logic in your
Some key features between the Kinesis Producer Library
consumer application.
and the Kinesis API are mentioned below:
Features of KPL:
 Provides a layer of abstraction dedicated to data
intake
 Retry system that is both automatic and adjustable
 In order to achieve higher packing efficiency and
better performance, additional processing delays
may occur
 Java wrapper
Features of Kinesis API:
 Low-level API calls (PutRecords and GetRecords)
 Stream creations, re-sharding, and putting and
getting records are manually handled
 No delays in processing
 Any AWS SDK
Kinesis Data Firehose
Introduction
Amazon Kinesis Data Firehose is a fully managed service
that delivers real-time streaming data to Amazon S3,
Amazon Redshift, Amazon OpenSearch Service (Amazon
ES), Splunk, and any custom HTTP endpoint or HTTP
endpoints owned by supported third-party service
providers like Datadog, Dynatrace, LogicMonitor,
MongoDB, New Relic, and Sumo Log. Kinesis Data
Firehose, Kinesis Data Streams, Kinesis Video Streams,
and Amazon Kinesis Data Analytics are part of the Kinesis
streaming data platform. You do not need to build
applications or manage resources using Kinesis Data
Firehose. You set up your data producers to transmit
data to Kinesis Data Firehose, and the data is delivered
automatically to the destination you specify. Kinesis Data
Firehose may also be configured to alter data before
sending it.
AWS Kinesis Firehose Key Concepts
Understanding the following ideas will help you get
started with Kinesis Data Firehose:
1. Kinesis Data Firehose Delivery Stream:
Kinesis Data Firehose is an underlying entity. You utilize
Kinesis Data Firehose by first generating a delivery
stream and then delivering data to it.
2. Record:
Your data producer provides the relevant data to a
Kinesis Data Firehose delivery stream. A record can be up
to 1,000 KB in size.
3. Data Producer:
Records are sent to Kinesis Data Firehose delivery
streams by producers. A data producer is, for example, a
web server that delivers log data to a delivery stream.
You can also set up your Kinesis Data Firehose delivery
stream to read data from an existing Kinesis data stream
and put it into destinations automatically.
4. Buffer Size & Buffer Interval:
Before sending data from Kinesis to destinations,
Firehose buffers incoming streaming data to a specific
size or for a certain amount of time. Buffer size is
measured in megabytes, while buffer interval is
measured in seconds.
Redshift Destination
The next destination is Redshift. With Redshift, you have
our data producers, and you can send the data through
Kinesis Data Firehose. The data will always go to S3 first
and then to Redshift. Hence, what happens is that the
streaming data is delivered to an S3 bucket first, and then
Firehose automatically issues the copy command to load
the data from S3 to Redshift. Anytime you load data into
Redshift, it first gets loaded into S3, and then it issues a
copy command to load that data from S3 to Redshift. You
can do the same thing by intercepting records,
transforming them using AWS Lambda, loading them
onto the S3 bucket, and then eventually using the copy
command to load it onto Redshift. You can also intercept
here and transform the records as well. Hence, you have
a few different options to transform our records before
you load them onto Redshift. You can always have a
backup bucket if you want to and store off that data
before you load onto Redshift or before you transform
those records. As a result, Redshift just knows that it is
the data warehousing solution that AWS offers.
Elasticsearch Destination
Similar to the other destinations, you have our data
producers that go through Kinesis Data Firehose. You can
then load it into Elasticsearch and transform the records
before they load onto our Elasticsearch cluster. Similarly,
you can load the data before converting it onto
Elasticsearch into a backup bucket in the S3 bucket.
Splunk Destination
The last destination is Splunk instances. Splunk is a way
to aggregate your log files from servers or applications to
have a single place where you can have all your log files
aggregated. It is important to know that it is a destination
for Firehose. Hence, just like other destinations, you
have our data producers. It goes through Kinesis Data
Firehose, where you can load the data off into our Splunk
instances and transform the records as well. Similarly,
you can load that data into an S3 bucket as a backup
before you transform it or load it into our Splunk
instances.
Buffer Size & Buffer Interval
You have all sorts of data producers. It might be
clickstream data, gaming data, IoT data, or any streaming
data. You can feed that through Kinesis Data Firehose.
You have data coming in aggregated, which then finally
shipped off to our destination. Hence, Amazon Kinesis
Firehose buffers the incoming streaming data to a certain
size for a certain period before delivering it to a
destination. The buffer size for S3 as a destination spans
from 1 to 128 megabytes. In contrast, Elasticsearch
ranges from 1 megabyte to 100 megabytes.
Kinesis Video Streams
Introduction
Amazon Kinesis Video Streams is a fully managed
Amazon Web Services (AWS) solution for streaming live
videos from devices to the AWS Cloud. Develop
applications for real-time video processing and batch-
oriented video analytics.
Kinesis Video Streams offers more than simply video data
storage. You may use it to see your video feeds as they
arrive in the cloud in real-time. You may either watch
your live streams via the AWS Management Console or
create your monitoring application that displays live
video using the Kinesis Video Streams API library.
Producer & Consumer Applications
CCTV monitoring streams video into the cloud using an
Amazon cloud cam, which is an opt-in service that you
can subscribe to. This is an example where videos are
being streamed every day. You have a camera that
streams through your wifi and collects any videos you
want, for either surveillance or in front of your own
home. This camera has some software installed onto it
that pushes Video Streams into the cloud. Since Amazon
builds it, it is all captured by Amazon, and then it has to
use Kinesis Video Streams.
Real-time vs. Batch-oriented
There are many different services that you can use to
analyze our data, either in real-time or in a batch-
oriented process. You can use Amazon EC2 instances;
you can hook it into Amazon Rekognition that allows us
to connect in machine learning services for our video
stream. You can also hook it into several other AWS and
even connect it to other third-party services. You can use
any of these services that you see below in the figure to
analyze, process, and consume our video applications.
Kinesis Video Stream Benefits
The following are some of the advantages of using
Kinesis Video Streams:
1. Connect & Stream from Millions of Devices:
Kinesis video streams link and stream video, audio, and
other data from millions of devices, such as cellphones,
drones, and dash cams. Using the Kinesis Video Streams
producer libraries, you may set up your devices to
broadcast in real-time or as after-the-fact media uploads.
2. Durably Store, Encrypt, & Index Data:
You may set your Kinesis video stream to save media
data indefinitely for specified retention periods. Kinesis
Video Streams additionally create an index over the
recorded data based on timestamps supplied by the
service producer. Using the time index in your
applications, you may obtain specified data in a stream.
3. Focus on Managing Applications Instead of
Infrastructure:
Because Kinesis Video Streams is server-less, no
infrastructure is required to set up or administer. You do
not have to worry about the underlying infrastructure's
deployment, setup, or elastic scalability as your data
streams and the number of consuming applications
increase and decline. Kinesis Video Streams provide all of
the administration and maintenance required to
automatically maintain streams, allowing you to
concentrate on the applications rather than the
infrastructure.
4. Build Real-Time & Batch Applications on Data
Streams:
Kinesis Video Streams may be used to construct bespoke
real-time applications. That works on live data streams
and batch or ad hoc applications that function on durably
persistent data. It does not have tight latency
constraints, so you may use open source (Apache MXNet,
OpenCV), homemade, or third-party solutions from the
AWS Marketplace to create, deploy, and manage
bespoke applications to process and analyze data
streams. Kinesis Video Streams Get APIs allow you to
create several concurrent applications that can handle
real-time or batch mode data.
5. Stream Data More Securely:
Kinesis Video Streams encrypt all data as it passes
through the service and as it is saved. Kinesis Video
Streams use AWS Key Management Service to encrypt all
data at rest and enforce Transport Layer Security (TLS)
based on data streaming from devices (AWS KMS). AWS
Identity and Access Management may also be used to
manage data access (IAM).
Kinesis Data Analytics
Introduction
You may use standard SQL to handle and analyze
streaming data using Amazon Kinesis Data Analytics for
SQL Applications. The service lets you quickly develop
run sophisticated SQL code against streaming sources to
do time-series analytics, feed real-time dashboards, and
generate real-time metrics.
To get started with Kinesis Data Analytics, develop a
Kinesis data analytics application that constantly reads
and analyses streaming data. Data may be ingested via
Amazon Kinesis Data Streams and Amazon Kinesis Data
Firehose streaming sources. Then, using the interactive
editor, you can write your SQL code and test it with live
streaming data. You may also choose where you want
Kinesis Data Analytics to deliver the results.
Amazon Kinesis Data Firehose (Amazon S3, Amazon
Redshift, Amazon OpenSearch Service, and Splunk), AWS
Lambda, and Amazon Kinesis Data Streams are
supported as destinations by Kinesis Data Analytics.
AWS Kinesis Data Analytics Benefits
You can create SQL code that reads, analyzes, and stores
data in real-time using Amazon Kinesis Data Analytics.
You may build applications that convert and give insights
into your data using conventional SQL queries on
streaming data. The following are some use-case
examples for Kinesis Data Analytics:
1. Generate Time-Series Analytics:
Metrics may be calculated over periods and then sent to
Amazon S3 or Amazon Redshift through a Kinesis data
delivery stream.
2. Feed Real-Time Dashboards:
You may feed real-time dashboards with aggregated and
processed streaming data findings.
3. Create Real-Time Metrics:
Custom metrics and triggers may be created for usage in
real-time monitoring, alerts, and alarms.
Amazon Managed Streaming for Kafka
Apache Kafka
Apache Kafka is a real-time data input and processing
distributed data storage system. Streaming data is
constantly created by hundreds of data sources, which
often transmit data records simultaneously. A streaming
platform must manage this continual input of data while
still processing it sequentially and progressively. Apache
Kafka was originally developed by LinkedIn and was
made open source in 2011. The Apache community then
took it over and a distributed streaming platform with
three key capabilities.
Kafka offers its consumers the following three primary
functions:
 Streams of recordings can be published and
subscribed to.
 Streams of records can be effectively stored in the
sequence in which they were created.
 Real-time processing of record streams.
Apache Kafka Management
The Apache Kafka is an open-source piece of software.
You can download that and install it onto a server or an
EC2 instance. However, if you decide to go down that
path, you have to manage all of these Apache Kafka
servers yourself. You have to ensure that the cluster is up
to date and make sure that it is auto-scaling as well. It
scales up to demand and scales back down whenever the
streaming data spikes decrease. This is where MSK,
Managed Streaming service for Kafka, comes to the
rescue.

Amazon MSK
Amazon Managed Streaming for Apache Kafka (Amazon
MSK) is a completely managed service that allows you to
design and run applications that handle streaming data
using Apache Kafka. Amazon MSK takes control-plane
actions, including building, updating, and removing
clusters. It enables the usage of Apache Kafka data-plane
tasks, such as data production and data consumption. It
runs Apache Kafka open-source versions and implies that
existing applications, tools, and plugins from partners
and the Apache Kafka community are supported without
application code modifications.
Chapter 05: Data Collection and Getting Data into AWS
Introduction
This chapter is concerned with collecting data on AWS
and deciding the best ways to ingest your data into AWS.
You will also learn how to collect data in AWS via a
dedicated network or to use hardware appliances and
transfer databases using the Database Migration Service
(DMS). You will also learn how to use the Amazon Kinesis
family of services and when each one is most useful. For
data interpretation and the discovery of our data, we can
use QuickSight.
Data Loses Value Quickly Over Time
From the graph, data loses value quickly over time. On
the left-hand side, our streaming data or our
preventative, predictive, and actionable data are where
our time-critical decisions can be made. If we want fast,
actionable data, then that is where our streaming data
lies. We want to build tools around batch-oriented
processes, build out ETL pipelines, or possibly build
business intelligence tools around our data.
Direct Connect, Snowball, Snowball
Edge, Snowmobile
AWS General Rule Of Thumb
AWS has a general rule of thumb. This graph lays out your
network connection speed, the amount of data, and
whether to use a managed or unmanaged service from
AWS. The difference between an unmanaged and
managed is that unmanaged uses the CLI, the AWS
command line, or the AWS console to transfer data into
AWS. A managed service is the Direct Connect option,
the Snowball family, and other tools that you can use to
move data from one location to another or from on-
premises into the AWS network.
Data Migration Service (Managed Services To
Move Your Data To AWS)
Hybrid Cloud Storage
The hybrid cloud storage connects your on-premises
applications that require low-latency access or need
rapid data transfer to cloud storage.
Online Data Transfer
It makes it simple and easy to transfer your data into and
out of AWS via online methods. AWS Data Sync allows
you to automate moving data between your on-premises
storage into AWS, into S3, EFS, or FSX, which is a windows
file server. You can use AWS Data Sync to transfer data
at speeds up to 10 times faster than some of the other
open-source tools that you can use. You can use Data
Sync for one-time data migrations or have recurring data
processing workflows. You can also automate the
replication and the data protection and recovery of your
data. It is a great tool to set up automation for moving
data between various locations into AWS. Several
different transfer families allow you to transfer directly
into and out of S3. You can use FTP, SFTP, or FTPS. S3
Transfer Acceleration allows you to maximize your
available bandwidth regardless of the distance from your
customers into S3. Kinesis Data Firehose is a simple way
to load streaming data into AWS.
Offline Data Transfer – The Snow Family
This introduces the snow family, which makes it simple
to get your data into and out of AWS via offline methods.
Snowcone
You can load data to Snowcone through Wi-fi wired 10
GbE networking. You can then ship the device with data
to AWS for offline data transfer.
Snowball
Used for petabyte-scale data transport with import and
export to S3.
Snowmobile
An exabyte-scale data transport solution uses a secure
semi 40-foot shipping container to transfer large
amounts of data into and out of AWS.
Snowball Edge
It is local storage and large-scale data transfer. Also, local
Lambda and EC2 instances compute, and AWS IoT
Greengrass.
Database Migration Service 1. Cross-Region Replication
1. Data Migration It gives you the ability to create cross-region replications
of your database for applications running in other
Easily and securely migrate widely used commercial and
regions.
open-source databases and data warehouses into the
cloud. 2. Offload Analytics
2. Replication You can replicate data to the cloud and run analytics on
your cloud databases rather than the original database
Easily replicate your databases and data warehouse
that users interact with.
between two locations.
3. Keeping Data in Sync
3. Fully Operational
Sometimes you need to keep your data in sync between
Databases stay fully operational during the migration,
testing, staging, and production environments.
minimizing downtime for the applications using them.

DMS Use Cases Data Pipeline

1. Migrate Applications
Migrate business-critical databases and migrate from
Classic to VPC, a costly and license-driven data
warehouse to Redshift.
2. Upgrade
With DMS, you can upgrade versions of your database
software easily with no downtime.
3. Achieve Old Data
You can migrate historical data to a more cost-efficient
storage solution while still retaining the Solution.
4. Migrate Datastores
You can migrate from NoSQL to SQL, SQL to NoSQL, and
SQL to SQL.
Mass Amount Of Data
Use a Snowball device to:
 Store 80 TB storage, 10 GB network
 User interface similar to S3
 All data is encrypted end-to-end
Replication
Leverages “change data Capture,” which pulls just the
changes from the source and delivers them to the
destination.
Data Pipeline automates the movement and
transformation of your data. It helps you process and
move data between AWS compute storage services and
on-premises data sources. You can create an ETL
workflow to automate the processing and movement of
data at scheduled intervals.
Key Concepts
Data Pipeline is a container that consists of four parts
that include data nodes, activities, Precondition, and
schedules. Data nodes define where the data is coming
from; this can be DynamoDB, S3, RDS instance or some
on-premises database, or from Redshift. Activities are a
way for the components of the Pipeline to define work
to perform. Preconditions are conditional statements
that must be true before the activity is run.
In schedules, we set up when we want the Data Pipeline
to run AWS provisions and terminates the EC2 instances
or the EMR clusters that transform and process the data
from one source to another. When it is finished, it
terminates automatically.
Data Pipeline for On-premises
We can run Data Pipeline for on-premises by installing
the task runner on a server in our local network. We can
access the local database securely and pull the Data
Pipeline for the next task to run. When it recognizes a
task to run, it runs that task on the task runner installed
on-premises.
Lambda, API Gateway, and CloudFront
Definitions
Lambda
An event-driven service that allows you to run your code
in AWS without managing infrastructure.
API Gateway
A serverless API that can be used to create RESTful, HTTP,
and WebSocket APIs.
CloudFront
A content delivery network that allows you to deliver
data, videos, applications, and APIs with low latency.
through S3 via edge locations. It can trigger API Gateway
endpoints that, in turn, trigger Lambda functions. These
Lambda functions can communicate with Cognito. You
can use Cognito for the login and authentication services.
In addition, you can communicate back and forth to S3
and the same with DynamoDB. These architectures are
pretty much endless to trigger endpoints through API
Gateway, communicate with Lambda functions, do
things like login users, get data back and forth from S3,
and create data stores within DynamoDB.

Serverless Architectures
These services in action can trigger things like Lambda
functions. You can have an application that runs on
CloudFront that gets the data from S3 or is served out
 Chapter 06: Amazon Elastic Map Reduce
Introduction
Elastic Map Reduce or EMR plays a huge role in data
analytics, processing, and big data frameworks. We can
use the EMR architecture and the Hadoop framework to
process and analyze massive amounts of data. Log
analysis, web indexing, data warehousing, machine
learning (ML), financial analysis, scientific modeling, and
bioinformatics all use Amazon EMR for data analysis. It
also supports Apache Spark, Apache Hive, Presto, and
Apache HBase workloads, connecting with Hive and Pig,
free source Hadoop data warehousing technologies. Pig
provides a high-level interface for scripting Map-Reduce
tasks in Hadoop, whereas Hive utilizes queries and
analyses. This service is expensive, and it uses a lot of
computing power, but it gives you the ability to process
huge amounts of data in a short amount of time.
Apache Hadoop and EMR Software
Collection
Map Reduce
Map-reduce is a technique that data scientists can use to
distribute workloads across many different computing
nodes to process other data and get the information
back quicker than just on a single node.
Hadoop Distributed File System (HDFS)
Hadoop Distributed File System is open-source software
that allows you to operate a distributed file system over
several computers to tackle challenges requiring large
amounts of data. HDFS is meant to run on low-cost
hardware and is extremely fault-tolerant. HDFS is a file
system that allows high-throughput access to application
data and is well suited to applications with huge data
collections. The problem with setting up an HDFS cluster
so it requires a lot of maintenance and management.
This is where Elastic Map Reduce comes in.
EMR
Elastic Map reduce is a fully managed AWS service that
allows you to spin up Hadoop ecosystems. Not only can
you store data on HDFS, but you have some other
storage options as well. We also have the EMR file
system or EMRFS. This means that the Elastic Map
reduces cluster shares the data with S3. We also can
store it on the local file system. This can be an instance
store or on EBS volumes.
EMR Architecture
Introduction
The entire cluster is spun up in a single availability zone.
Every single EMR cluster has a primary node, or it can
have three primary nodes. Hence, it is either a single
primary node or three primary nodes. This primary node
manages all of the components in the distributed
applications. When a job needs to be submitted or some
processing or Map reduce tasks, the core nodes come
into play. The primary node manages these core nodes.
The last part of the EMR architecture is our task nodes.
Task nodes are optional. They add power to perform
parallel, computational tasks on the data, and they help
the core nodes.
Primary Node Features
 Single or Multi-Primary Nodes
Whenever you launch a cluster, you will have the option
to choose between one primary node and three primary
nodes. You will only have a single primary node most of
the time, but now you can also have multiple primary
nodes. You would have numerous primary nodes
because you do not have a single point of failure.
Therefore, if one master node fails, the cluster uses the
other two master nodes to run without interruptions.
EMR automatically replaces the primary node and
provisions it with any configurations or bootstrap actions
that need to happen. Hence, all it does is remediate that
single point of failure.
 Manages the Cluster Resources
The primary node also manages the cluster resources. It
coordinates the distribution of the parallel execution for
the different Map reduce tasks.
 Tracks and Directs HDFS
The primary node also tracks and directs the HDFS. The
primary node knows how to lookup files and track data
on the core nodes.
 YARN Resource Management
The primary node is also responsible for the YARN
resource management. EMR uses YARN (Yet Another
Resource Negotiator) to manage cluster resources for
multiple data-processing frameworks.
 Monitors Core and Task Nodes Health
The primary node tracks the status of jobs submitted to
the cluster and monitors the health of the core and task
nodes.
Core Node Features
 Run Tasks for the Primary Node
The primary node manages core nodes and runs Hadoop
Map reduce tasks, Hive Scripts, and Spark executors.
 Coordinates Data Storage
The core node is also responsible for coordinating data
storage. The core nodes know how and where to store
the data. This data is stored on HDFS or EMRFS. The
DataNode daemons run on the core node.
 Multiple Code Nodes, Only One Core Instance Group
We can have multiple core nodes but only one core
instance group. These multiple core nodes are made up
of multiple EC2 instances. This makeup the instance in
group or fleet from.
Task Node Features
 Optional Helpers
Task nodes are optional and can add power to perform
parallel computation tasks on data like Map reduce tasks
and Spark executor.
 No HDFS or DataNode Daemon
Task nodes do not store data in HDFS. It is not used as a
data store and does not run the Data Node daemon.
 Added and Removed from running clusters
Task nodes can be added and removed from the core
nodes to ramp up extra CPU or memory for compute-
intensive tasks.
Single Availability Zone Concept
The EMR clusters only reside in a single availability zone.
The main reason behind the single availability zone
concept so the nodes in the cluster can communicate
faster. It means that they do not have to traverse as
much internet or the AWS backbone. They are closer
together, and they are in the same availability zone. It
means block replication can happen more quickly.
Hence, you can find your files faster when finding them
on HDFS. In addition, the communication between nodes
happens faster. Hence, whenever core nodes are
processing back and forth, they can communicate faster.
In addition, the access to metadata and the ease of
launching a replacement cluster is faster if one of the
nodes goes down or has some overload.
Long-Running Clusters
If you set up the cluster to continue operating after
processing is completed, the type of cluster is known as
a long-running cluster. Long-running allows you to
communicate with the cluster after it has completed its
operations, but it requires manual shutdown.
Considerations
Transient Cluster
 The total number of EMR processing hours per
day is less than 24, and you can benefit from
shutting down your cluster when it is not being
used.
 You are not using HDFS as your primary data
storage (instead, you are using EMRFS with S3).
 Your job processing is intensive, iterative data
processing.
Long-running Cluster
 You frequently run processing jobs where it is
beneficial to keep the cluster running after the
previous position.
 Your processing jobs have an input-output
dependency on one another.
  It is more cost-effective to store your data on
HDFS instead of S3.
 You have a requirement for higher performance
I/O HDFS provides.
EMR Operations - Choosing an
Instance Type
Whenever we provision an EMR cluster, the instance size
of our nodes is important because we might have
workloads that are CPU intensive. We might have some
that are input-output or memory intensive.
You can choose many different instances. Whenever we
choose an instance type, we prefer it either for the
primary node or for the core of task nodes. We can bunch
core and task nodes together because the primary node
will not be a super compute-intensive machine like the
core and task nodes will be.
Choosing an Instance Type
Primary Nodes
 Primary Nodes does not have large
computational requirements.
 For clusters with 50 or fewer nodes, you can use
the M5 family.
 For clusters with greater than 50 nodes, you can
use the M4 family.
Core and Tasks Nodes
 Depends on the type of processing.
 For general purposes, the balance of CPU, disk
space, and I/O, you can use the M5 family.
 For Batch Processing, HPC, or CPU-based
machine learning, you can use C4, C5, and Z1d
families.
 For Graphics processing or GPU-based machine
learning, you can use G3, P2, and P3 families.
 For spark applications (in-memory caching), you
can use R4 and R5 families.
 For Large HDFS and Map reduce jobs requiring
high I/O performance and high IOPS, you can use
H1, I3, and D2 families.
EMR Operations - On-Demand and Spot
Instances
On-Demand Instances
You pay for computing capacity by the second with On-
Demand Instances, and there are no long-term
obligations. You have complete control over its lifespan,
deciding when to start, restart, hibernate, or terminate
it.
When you buy On-Demand Instances, you do not have to
commit to anything long-term. You pay for the time your
On-Demand Instances are operating. A running On-
Demand Instance's pricing per second is fixed.
Spot Instances
A Spot Instance is a virtual machine that runs on spare
EC2 capacity accessible at a lower price than the On-
Demand price. Spot Instances allow you to request new
EC2 instances at great discounts, allowing you to reduce
your Amazon EC2 charges dramatically.
If you can be flexible about when your applications run
and if your applications is interrupted, Spot Instances are
a cost-effective option. Spot Instances are ideal for data
analysis, batch processes, background processing, and
optional activities.
CloudWatch Metrics
We will discuss some metrics that we might want to
follow to scale up our cluster or add more instances or
need to scale down our cluster.
 Tracking Cluster Progress
If we want to track the progress of the cluster, we can
use these metrics:
1. RunningMapTasks
2. RemainingMapTasks
3. RunningReduceTasks
4. RemainingReduceTasks
It will help us determine the number of maps, reduce
tasks currently running on the cluster, as well as the
number of maps, and reduce tasks remaining for a
particular job.
 Detecting Idle Cluster
We could also track a Cloud Watch metric that helps us
determine if one of our clusters is idle. It means we are
being charged, and the EMR cluster is not even doing any
work. That means life is costing us money, but it is not
running any task.
 No More Storage for HDFS
Another important Cloud Watch metric so if there is no
more storage for HDFS, we can monitor the HDFS
utilization metric, which is the percentage of disk space
currently being used. We can trigger an event that fires
once a high rate of power is used; let's say 80% of the
capacity is used. We will fire a trigger that sends an email
informing us that we are running out of space in HDFS.
You need to add more instances, you need to add more
EBS volumes, or you need to do something to make sure
you have enough room for all of your HDFS data, as well
as replications.
Monitor a Cluster with UI
Not only can we monitor our cluster with CloudWatch
metrics, but we can also monitor our cluster with an
actual user interface. If you go into the EMR
documentation, you can see all of the links for these
various UI components that come installed with an EMR
cluster.
Resizing a Cluster – Auto Scaling
EMR-managed Scaling
With EMR managed scaling, we can automatically
increase and decrease the number of instances in the
core and task nodes based on your workload. Master
nodes do not scale, though. You set a minimum and
maximum limit for the number of instances in your
cluster nodes. You create a custom auto-scaling policy.
Whenever we create our EMR cluster within the console,
we can select cluster scaling, and then we can use an
EMR manager to scale or create a custom auto-scaling
policy.
If we select EMR managed to scale, we set the minimum,
the maximum, the on-demand limit, and the full core
nodes we want. Depending on our workload, it will
automatically decrease and increase the number of
instances.
EMR File Storage and Compression
How Hadoop Splits Files?
Hadoop splits large files into multiple chunks of smaller
sizes. After breaking the files, a single map task processes
each part. The HDFS framework has already separated
the data files into various blocks using Hadoop as the
underlying data storage. Since our data is already
fragmented, Hadoop uses HDFS data blocks to assign a
single map task to each of the HDFS blocks. Hence,
whenever we use Hadoop on our EMR cluster, Hadoop
either splits the files or stores the files in HDFS or has the
file stored in S3. If stored in HDFS, the files are
automatically divided into chunks. If they are stored into
S3, files are split into multiple HTTP range requests.
Whether using HDFS or S3, the compression algorithm
needs to have splitting available.
The Benefits of File Compression
 Better Performance: You get better performance
when less data is transferred between S3, mappers,
and reducers.
 Less Network Traffic: It also gives us less network
traffic between S3 and EMR since you share fewer
data.
 Reduced Storage Costs: Smaller compressed files
take up less storage, so you end up paying less for
storage.
File Sizes Best Practices
According to AWS and the EMR best practices, we can
look at the algorithms we are using, whether they are
splitable or not, and then determine the file sizes.
Hadoop will assign a single mapper to process our data if
the compression type does not allow for splitting. That
means that a single thread is responsible for fetching that
data from S3. Since a single line is limited to how much
information it can pull from S3 at any given time, this is
the throughput. The process of reading the entire file
from S3 into a mapper becomes a bottleneck for our
data. Hence, the best practice is to have a file size of one
to two gigabytes for algorithms that do not allow
splitting. If splitting is available.
S3DistCp Command
S3DistCP is an extension of DistCP. It is optimized to work
with the AWS S3 service. The Apache framework creates
DistCP, while AWS makes the S3DistCP command. It has
been optimized for your EMR and S3 workloads.

 It allows you to copy files within a cluster or from one

cluster to another or S3 into your HDFS cluster.
 It also allows you to combine smaller files into larger
files. It can help you copy data between S3 buckets
or S3 to HDFS or HDFS to S3.
 Either you can run S3DistCP by using a step within
your EMR cluster, or you can run it on the primary
node. It allows you to copy data and combine many
small files into fewer larger files. We can either run
this on the primary node's command line-shell or
create a new step in the existing EMR clusters.
Chapter 07: Using Redshift
Introduction
Redshift is a data warehousing service. It can warehouse
the data at the petabyte scale, which means Redshift can
store large data. It can also index and query data so that
it remains usable. We can store petabytes and hexabytes
of data in S3.
Redshift Architecture
Cluster
Within the cluster, we have either leader nodes or
worker nodes. The leader node manages the schema. It
contains the data warehouse metadata and performs all
the query planning and script generation. The worker
nodes perform query execution and slice management
before storing all the data within the Slices.
Node
These are EC2 instances; there are three types to choose
from for the most part. Node is the individual compute
resources with storage attached for the Redshift cluster.
The storage attached to these nodes is faster. These are
generally used in cases where we need to perform
queries quickly. We want near real-time analytics.
Slice
A slice is a group of configurable entities kept in a
reusable asset as a single unit. Slices are useful for
grouping entities and other slices for reuse. Prefabs and
slices are similar, but slices are part of the new
component entity structure. Prefabs cannot contain
component entities, although slices can.
Redshift Query Process
A cluster has a leader node and several worker nodes. If
there is a single node cluster, the leader and worker will
be the same node. It will separate the leader into a Slice,
and we will have our user that sends a query to the
leader node. The leader node generates a query plan,
which lets it create execution scripts to complete that
query because it knows where all of the data is stored in
the cluster. Those execution scripts will go to worker
nodes. The Slices themselves do not store any table data.
They have data, and they know where that data is. The
worker nodes will go to their Slices, and then they will
each have a piece of data that they need to return, which
will come back, and the leader will combine that data
into our query response, and that query response will go
back to our end user. That is the Redshift query process
at a very high level.
Redshift in the AWS Service
Ecosystem
With Redshift, we are in the active utilization area. We
have end users on the left and a businessperson on the
right that needs to perform some analytics on the
application. End-users collect authentication data, and
they will then log in to our service. An email goes back to
the end-user and logs something in a database. There
might be some data that we want to make sure makes it
through into our storage or otherwise into our
application, so we will put it into a data stream, which
will be processed out by another compute resource that
computes resource may log something into Redshift. It
may also store something in our database. It will
generate a return that goes back to the end-user.
Redshift Use Cases
Data Warehouse VS Data Lake
The dissimilarity between a data warehouse and a data
lake is more structured. The data in it will be cataloged,
and the access speed for retrieving data from a data
warehouse is much faster than it would be from a data
lake. It is primarily because of the lack of structure and
cataloging that can be seen in a data lake.
What makes Redshift Different?
It is, in most cases, much faster if optimizing to the same
level. It is much more scalable, so we can have a small
warehouse and easily scale it up to a gigantic warehouse.
A few AWS service integrations make some of the paths
that we would perform with the data warehouse
considerably easier than they would be if we had to
integrate with other systems in an ad hoc manner.
Redshift Table Design
Columnar databases let us access columns of our data
more efficiently. The column table is arranged to set a
columnar data file. To get the node size from our row
database, we access every row in our table, whereas we
need to access a single row with the columnar database.
It has significant implications for OLAP or OLAP
transactions where we need to make comparisons or
calculations from large amounts of single-column data.
Data Types
There are several numeric data types, and they have
aliases. You can maintain compatibility between
Postgres and Redshift, for instance, because Redshift's
interface is Postgres compatible. Redshift only has a
reduced set, but it contains aliases to map them
appropriately. There are few signed integer data types
and few floating-point data types. Boolean is standard. It
is only true or false. Texts have character and variable
characters. The character is fixed length, whereas
varchar or variable character is a variable length. In time
data types, the date is the calendar date, which is the
year, month, day, and the timestamp is the date and
time. The timestamp TZ includes the time zone. Time and
time TZ is the daytime or zone daytime had; this gives us
our set of data types. These will map incompatibility to
the Postgres data types because Redshift is the primary
compatible interface. Aliases are used to map to the
actual Redshift data types to maintain compatibility.
3. All – All slices store a copy of table data.
Constraints
1. Primary, Foreign Key: Used by the query planner
as a hint about relations.
2. Unique: Not enforced used by query planner as
a hint.
3. Not Null: Not enforced or respected.
Redshift Spectrum
How do you query flow?
Redshift Spectrum is an interface to create foreign tables
in our Redshift cluster from stored data in S3. It uses the
external keyword when creating schemas and tables in
our collection. It can read and write to Spectrum tables.
It does not support update and delete operations.
Access control can either IAM or use AWS Lake
Formation in query flow, giving more granular control
over tables. It is an external service that sends data
requests through access control and then goes to the
data store. The data store comprises a Glue data catalog
and Athena SQL interface connected to the underlying
data in S3. Once that query has been answered in
Athena, it will return the data to Spectrum, which then
passes it back to the Redshift cluster and is combined
with any other data involved in our query to provide a
query response cluster.

Compression
In Redshift, Postgres can compress individual columns,
which means different compression types are available
depending on the data type. Most of our number and
time data types will default to AZ64 compression, and
our character and variable character data types will
default to LZO compression and several other impression
encodings available. The other data types are default to
raw, Boolean, real, and double. If something is our sort
key, it will need to be raw; it is uncompressed because
the database engine frequently performs queries.

Distribution Styles
1. Even – Blocks are distributed evenly between
cluster slices (default).
2. Key – identical key values are stored on the same
Slice.
Chapter 08: Redshift Operation and Maintenance
Introduction
Launching a Redshift Cluster
Interfaces
There are several interfaces for launching a Redshift
cluster. Examples of such include the AWS management
console, the AWS CLI, and various AWS SDKs.
Required Parameters
To use the AWS CLI, the parameters that need to provide
when we launch a Redshift cluster using the create
cluster command for the CLI is a node type for our
cluster. The cluster will have the same node type for
every node in our group. We cannot configure this per
node. If our cluster type is multi-node, we do not need to
provide the cluster type parameter but require several
nodes. If our cluster type is a single node, which is the
other option for cluster type, we do not need to give the
number of nodes parameter. We will need to provide a
user name and a master user password. A cluster
identifier must be provided to identify our cluster.
Resizing a Redshift Cluster
Classic Resize
 Hours To Days
Duration Impacting Factors:
 Source cluster activity.
 Size and number of tables.
 Uniformity of data distribution across nodes.
 Source and target node configuration.
Elastic Resize
 Minutes
Constraints:
 It cannot be used on single-node clusters.
 The cluster must be in a VPC.
 The new configuration must have sufficient
storage.
Utilizing Vacuum and Deep Copy
The Vacuum Process
The Vacuum process will first reclaim disk space to
remove rows marked for deletion. . Then it will sort the
table, which will make queries more efficient, and then
reindex the table to account for that new sorting so that
our query planner knows exactly where all of our rows
are on our table.
Automatic Vacuuming
Automatic Vacuum Delete
 Automatically reclaim disk space.It is triggered by a
high percentage of rows marked for deletion.
 Activity monitoring dictates the schedule.
Automatic Table Sort
 A high percentage of unsorted Rows triggers it.
 Utilizes SCAN operations to identify unsorted tables.
Automatic Analysis
 Automatically updates table statistics.
 Waits for low activity periods to analyze jobs
 Utilizes table statistics age for triggering.
Backup and Restore
Snapshots
 Point in time backup of the whole cluster.
 It can be manually triggered.
 Scheduled automated snapshots.
Restoring from Snapshot
It creates a new cluster, and then that snapshot data is
loaded as queries request it. Hence, as the cluster needs
data to fulfil a query, it will bump that data up in the
queue of loading from S3 to can complete those queries
in a timely fashion. RDS does this for most of its engines
as well. It is not as noticeable for Redshift because of how
the Redshift query process works.
Loading Data From S3  Total table count.
If we want to copy single tables in and out of a backup,  Health status
Redshift has very tight S3 integration. We can copy data
out of S3. The IAM role permits us to read out of that S3 Queries/Load
bucket we identified. Redshift will go and retrieve that  Query duration.
data and load it into our table. We need to provide some  Query throughput.
information about that data that we are pulling into our  Query duration per WLM queue.
bucket, but if it is formatted in a CSV or Parquet format,  Concurrency scaling activity.
it can infer that information from that data. We can also  Concurrency scaling usage.
use this command to copy Elastic MapReduce,  Average query time by priority.
DynamoDB, and SSH connections.
Usage limits
Unloading Data To S3  Usage limit for concurrency scaling.
We can use the unload command and provide a piece of  Usage limit for Redshift Spectrum.
SQL that specifies the data we want to unload. When we
give two directives, which tell the command where to CloudWatch
save that data, we need to provide an IAM role with In the CloudWatch, we have:
permissions to write into our target bucket and provide Cluster
a format. If we format it as Parquet, AWS calls this lake  Commit queue length.
to unload because Parquet is a common data lake
 Concurrency scaling sounds.
format. Parquet is very efficient. We are offloading a
 Database connections.
table to S3 because we will switch part of our analytics
workload to Athena. Athena works well with Parquet.  Health status.
We can dump out our entire Redshift cluster into S3 and  Maintenance mode etc.
then point Athena at that bucket, and we have access to Node
the same data without running the Redshift cluster. Once  CPU utilization.
all is specified, Redshift will generate a file and place it
 Read IOPS.
into our S3 bucket.
 Write IOPS etc.
Monitoring
Redshift Console
Redshift console has the following services that we can
monitor.

Cluster
 CPU Utilization.
 Maintenance mode.
Storage
 Percentage Disk Space used.
 Auto Vacuum Freed.
 Read throughput.
 Read latency.
 Write throughput.
 Write latency.
Database
 Database connections.
Chapter 09: AWS Glue, Athena, and QuickSight
Introduction
Construct Glue Crawler, perform SQL queries in Athena,
and create Visualization Charts with AWS QuickSight in
this chapter.
Glue Data Catalog
What is AWS?
Serverless ETL Service
Some important points about Serverless ETL services are:
 No server provisioning
 AWS fully manages them
 Extract Transform load
 Categorize, clean, and enrich your data
 Move data between various data stores
AWS Glue - Use cases
 Query Data in S3
Consider an example; you have a massive data lake in S3
with customer feedback data. You can use AWS Glue to
crawl your S3 data lake to prepare tables that you can
then query using Athena to see your customer feedback.
 Joining Data for A Data Warehouse
Consider an example; you have a Clickstream data lake in
RDS and customer data in S3. You can use Redshift
Spectrum to Query your data or QuickSight to visualize
the data. You can use AWS Glue to join and enrich your
data and then load the results into Redshift.
 Creating a Centralized Data Catalog
Consider an example; you have different types of stored
in many other locations. You can use AWS Glue to
manage the metadata and create a central repository.
You can then access the Data Catalog for ETL and
analytics with many other AWS services.
AWS Glue Components
The data can be in a plethora of different locations; it can
be in S3, DynamoDB, RDS, Redshift, or a database on EC2.
You can also have databases outside of AWS, so as long
as you can associate with them using a JDBC connection,
you will access that data as a data source within AWS
Glue.
AWS Glue Data Catalog
President Metadata Store
You can store, annotate, and share metadata between
AWS services (similar to Apache Hive megastore).
Centralized Repository
There is only one data catalog per AWS region, providing
a uniform repository so different systems can store and
find metadata to query and transform that data.
Provided Comprehensive Audit
You can stack schema changes and data access control.
This helps ensure that its data is not inappropriately
modified or inadvertently shared.
Glue Jobs
AWS Glue Jobs
AWS Glue job performs the extract, transform, and load
(ETL) work in AWS Glue. You have some input data;
consider the input data as the fabric. The Glue job is
where the actual work is being done; this is the cleaning
of your data, the transformation of your data, the
enrichment of your data, and the joining of your data.
This will be the actual physical labor and the tools that
you use to create the final output. Output data onto
another data store or into some data lake or data
warehousing solution.
Output File Formats
If we are storing data in a relational database or a JDBC
connection, the output file format would not matter.
However, if we are storing it into a file server or S3, we
can have various output file formats as follows;
Output File Formats
JSON*
CSV*
ORC
Parquet
Avro
 *optional compression (gzip, bzip2)
Glue Jobs Run In Isolated
Glue Runs Jobs on Virtual Resources
All the resources needed to run ETL jobs are provisioned
and managed in its isolated service account.
What a Glue Job needs?
You provide output data sources and input data targets
in your VPC. In addition, you give the IAM role, VPC ID,
subnet ID, and security group that is needed to access
data sources and targets.
Traffic governed by Your VPC
Traffic in, out, and within the spark environment is
determined by your networking policies. The one
exception by your networking policies is calls made to
the AWS Glue API. However, these can be audited
through CloudTrail.
Getting Started with Athena
What Is Athena?
Athena helps to easily query your S3 data. You can use
standard SQL queries to analyze data directly in S3.
Athena is serverless, and you can only pay for the queries
that you run. Athena automatically scales, so results are
fast, even with large datasets and complex questions.
Athena Federated Queries
Athena could only query data in S3, but since customers
have data in other data sources, AWS created the ability
to connect to external data sources using Athena
federated queries. Athena uses data source connectors
to run on AWS Lambda to run federated queries. A data
source connector is a section of code that can translate
between Athena and your target data source. With this
new feature, you can query data in places or build
pipelines to extract data from multiple data sources,
such as CloudWatch Metrics, DynamoDB, Elasticsearch,
JDBC compliant data sources like Redshift and RDS, and
store the query results in S3.
Athena Data Formats And Integrations
Data Formats
Athena helps you analyze unstructured, semi-structured,
and structured data stored in S3. Examples include CSV,
TSV, JSON, Textfiles, Parquet, ORC, Snappy, Zlib, LZO, and
GZIP.
Integrates With QuickSight
Create easy data visualizations by using Athena to
generate reports to explore data with BI tools of SQL
clients connected with JDBC and ODBC drivers.
Integrates With AWS Glue
Athena Integrates with AWS Glue Data Catalog, allowing
you to create tables and query data in Athena as well as
use the ETL and data discovery features of AWS Glue.
Connecting to Data Sources
Athena natively supports querying datasets and data
sources that are registered with the Glue Data Catalog.
You can have a data connector using an external Hive
metastore to query datasets in Amazon S3. You can also
use a data connector for external Hive meta stores to
query data in S3 that is using an Apache Hive metastore.
You do not have to migrate your Hive metastore data to
the AWS Glue Data Catalog.
When To Use Athena
S3 Select And Glacier Select
 S3 Select – Use SQL statements to filter the
contents of S3 objects and retrieve just the
subset of data you need.
 Glacier Select - Use SQL statements directly on
your data in S3 Glacier without restoring data to
a more frequently accessible tier.
QuickSight Visualizations and
Dashboards
Amazon QuickSight
Amazon QuickSight helps to create visualization and
dashboard with your data. Business intelligence tool
makes it easy to create visualization and dashboard from
your data. Simply point QuickSight at your input data
source to start creating visualizations.
Visualization types
 Bar Charts
 Combo Charts
 Donut Charts
 Gauge Charts (Maps)
 Heat Maps
 Histograms
 KPIs
 Line Charts
  Pie Charts Identity And Access Management In QuickSight
 Scatter Plots After creating dashboards and visualizations, you want to
 Tree Maps give users access to that data or those visualizations, so
 Word Clouds you need to find a way to make sure that you can set up
your users within QuickSight. We have our QuickSight
QuickSight Dashboards dashboards; they sit on the public internet. We can set
Specify User Access up users either using IAM credentials or have QuickSight
When sharing a dashboard, you specify which user has only users with just email addresses, but these are
access to it. filtered through.

Dashboard Viewers vs. Owners

Dashboard viewers have limited access (viewing,
filtering, sorting). Owners can share the dashboard and
optionally edit and share the analysis.

Embedded In Website or Application

A shared dashboard can be embedded only in a website
or app if QuickSight is set up as an Enterprise edition.

QuickSight Security and

Authentication
QuickSight Data Encryption
Encryption at Rest (Enterprise edition only)
The metadata and data uploaded into SPICE are
encrypted with AWS-managed keys.

Encryption in Transit
QuickSight supports encryption of all data transfers using
SSL. This includes data to and from SPICE and from SPICE
to the user interface.

Key Management
AWS manages all the keys associated with QuickSight.
Database server certificates are the responsibility of the
customer.

Connecting To AWS Resources

We can connect to resources in AWS, for example,
services like Redshift, RDS, Aurora, and databases on
EC2. Make sure that all of these security mechanisms are
set up and configured properly to allow QuickSight
access to these resources. We can also connect
QuickSight into S3. We will need to make sure that IAM
roles, the bucket policy, and the manifest file are set up
properly, which is essentially just a metadata file that
allows QuickSight to connect the dots and better
understand the data schema S3.
Chapter 10: ElasticSearch
The Interface
Introduction to Elasticsearch Elasticsearch uses a REST (Representational State
The Amazon Elasticsearch Service is a managed service
Transfer) API for its interface. JSON is a common format
that makes deploying, operating, and scaling
for REST APIs. With the standard HTTP methods, we can
Elasticsearch in the AWS Cloud simple. Elasticsearch is a
interact with Elasticsearch; assuming we have all the
prominent open-source search and analytics engine for
permissions open, we can send a GET to the base URL,
log analytics, real-time application monitoring, and click
index name, and provide a type and item ID. It will return
stream analytics, among other applications.
that item.
With Amazon Elasticsearch Service, you have direct
Loading Data
access to the Elasticsearch open-source API, allowing you
Anything that can interact with the API can send data
to reuse code and applications from your existing
into Elasticsearch. We will have to write the actual code
Elasticsearch setups. Kibana is incorporated into the
to send that data into Elasticsearch, but it is just
Amazon Elasticsearch Service, allowing you to easily
interacting with an API.
display and analyze your data.
Service Integration
Elasticsearch Service
Kinesis Data Firehose
The Amazon ElasticSearch service is a search domain that
Elasticsearch is a configurable target.
runs most of the ELK (ElasticSearch Logstash and Kibana)
stack. The service created with ElasticSearch is called Cloudwatch
search domains. They come pre-installed with CloudWatch Logs subscription can deliver to
ElasticSearch and Kibana Logstash; it is a fairly complex Elasticsearch Service.
system all on its own, but it does have tight integration
with ElasticSearch. IoT
IoT rules can send data to Elasticsearch Service.
Searching
ElasticSearch organizes data as indexes. The purpose of Visualizing Elasticsearch Data
ElasticSearch is to enable word searching. It is a search Visualization Tools Examples
engine utility. The way that searching works is called a Kibana
reverse index. For example, we take two documents,  Part of ELK stack
ElasticSearch will index each word in two documents.  Pre-installed on Elasticsearch Service (ES)
Essentially, this service creates an index and is able to domains
define some characteristics about it, and it puts every
 It does not require writing extra code
word in these two documents in all of the documents and
stores it into that index. Part of the metadata in that D3j3
index is which documents those words appear in and  They are easily embedded in external
exactly where they are within that document. We get applications
this mapping of all of the words in each document in the  Can visualize any JSON formatted data
store. This is very powerful because it can return those  Third-party connectors are available
documents very quickly, so we can search for words or
phrases and find them very quickly.
Chapter 11: AWS Security Services
Introduction
In this chapter, we are going to discuss AWS security
services. Security services do not fit in any of the steps in
the data analytics steps for success, but we need to
secure our data. Data is the lifeblood that makes our
application work. It is the most valuable thing in any
application. It is what allows us to generate revenue from
our application. Without data, our application does
nothing.
Overview
The AWS security services are Identity and Access
Management or IAM, VPC security features, the Key
Management Service, and Secrets Manager. All of these
have some integration or functionality that allows us to
secure the other services.
1. Identity Access Management
Identity and Access Management, or IAM, allows us to
control access to other AWS services. Any API call that
you make is going to pass through Identity and Access
Management. Several of the services that you use that
may not use IAM for their primary authentication on
their primary interface. You can use IAM users or groups
to control access to RDS instances or Redshift clusters, or
Elasticsearch service domains, and it also provides an
external identity federation. Hence, if you have an active
directory in an on-premises system, you can integrate
that with IAM and allow Active Directory users to access
AWS services with their Active Directory credentials.
2. VPC-Security
VPC security features are about network layer security
hence security groups and network ACLs will allow us to
control network traffic flow to and from our resources
within our VPC.
3. Key Management Service
Key Management Service is another very important
service. It allows you to store your encryption keys as
well as generate encryption keys in conjunction with IAM
and CloudTrail. You can log and audit that key usage.
Secrets Manager
Secrets Manager is a great service that acts as a vault for
our passwords and API keys. You can use it to rotate
those security objects in several of our services. You can
manage who has access to those security objects
through IAM. Hence, you can say this IAM group can use
this set of API keys or passwords so on and so forth.
Identity Access Management
Introduction
AWS Identity and Access Management (IAM) is a web
service that provides secured control access to AWS
resources such as compute, storage, database, and
application services in the AWS Cloud. IAM manages
authentication and authorization by controlling who is
signed in and has permission to utilize the resources. IAM
uses access control concepts such as Users, Groups,
Roles, and Policies to control which users can access
specific services, the kinds of actions they can perform,
and which resources are available. The IAM service is
provided at no additional cost. However, your account
will be charged upon the usage of other AWS services by
your users.
IAM Concept
With IAM, you have Amazon Web Services that is at its
core one big API. Hence, when you send a request to that
API, it is then passed through IAM to check the
permissions. If you present credentials that permit us,
our request is sent to whatever service you are making
an API call for. If you do not have permission, then you
get a response that tells us no.
IAM Permission Objects
Policies govern AWS access by establishing and applying
them to IAM identities (users, groups of users, or roles)
or AWS resources. A policy in AWS is an object that
specifies the rights of identity or resource when it is
associated with it. AWS checks these policies when an
IAM principal (user or role) submits a request. The
permissions granted by the policies determine whether
the request is authorized or refused. The bulk of AWS
rules is stored as JSON documents. AWS supports all
policy types, including identity-based policies, resource-
based policies, permission boundaries, organizations
SCPs, ACLs, and session rules.
IAM Features
The IAM service is part of AWS's secure worldwide
infrastructure. With IAM, you can create and manage
users and groups, security credentials such as
passwords, access keys, and permission policies to
allow and deny access to the AWS resources.
1. IAM Users
An IAM user is a unique identity with limited access to an
AWS account and its resources, defined by their IAM
permissions and policies. Users of IAM can represent a
person, a system, or an application. IAM policies assigned
to users must grant explicit permissions to services or
resources before viewing or using them. IAM lets you
create individual users within your AWS account and give
them their username, password, and access keys.
Individual users can then log into the console using a URL
that is specific to their account. You can also create
access keys for individual users to make programmatic
calls to access AWS resources. You can provide user
access to any or all of the AWS services linked with IAM,
or you can utilize IAM in combination with external
identity sources, such as Microsoft Active Directory, AWS
Directory Service, or log in with Amazon.
2. IAM Groups
A group is a group of IAM users. You may utilize groups
to establish permissions for a group of users, making it
easier to manage their access. For example, you may
create a group named Admins and assign the rights that
administrators generally require. Any user in that group
has the default permissions granted to the group.
Assume a new user joins your organization and requires
administrator capabilities. In that instance, you may
provide the necessary rights by adding the user to the
relevant group. Similarly, suppose a user changes jobs
within your firm rather than modifying that user's
permissions; you may delete them from the old groups
and add them to the new ones in such a case.
3. IAM Roles
An IAM role is an IAM object that allows you to define a
set of permissions for a user or service to access
resources. However, the permissions are not connected
to a specific IAM user or group. Instead, IAM users,
mobile and EC2-based applications, and AWS services
(such as Amazon EC2) can programmatically acquire a
role. The role results in temporary security credentials
that the user or application may use to make AWS
programmatic requests. These temporary security
credentials have a configurable expiration date and are
automatically cycled.
4. IAM Policies
An IAM policy is a rule or group of rules defining actions
that may not be done on an AWS resource. Policies are
used to give permissions. When a policy is associated
with an identity or resource, it defines the permissions
for that identity or resource. When a user makes a
request, AWS examines these rules. The policies'
permissions decide whether the request is approved or
rejected. AWS rules are maintained as JSON documents
and can be either identity-based or resource-based.
Policies can be granted in several ways:
 Include a controlled policy. AWS offers several pre-
defined rules, such as AmazonS3 Read-Only Access
 Include an inline policy; an inline policy is a
handwritten policy
 Add the user to a group with suitable permission
policies
 Clone an existing IAM user's permissions
IAM Secured Services
There are a few examples of services that are secured
with IAM. Simple Storage Service (S3) is often controlled
with IAM. It also has its security features. S3 predates the
AWS API. It was the second service launched as part of
Amazon web services. Bucket, object policies, and the
ACLs are artifacts before the main larger API was created.
DynamoDB access is controlled entirely with IAM.
Database Migration Service, Athena, Glue, Lake
Formation, Kinesis Elasticsearch, and QuickSight are also
controlled with IAM. Various code services are secured
with IAM. There are more than the mentioned services
that are secured with IAM. Anything that is primarily
accessed through an API interface will flow through IAM
for the most part.
Key Management System
Introduction
AWS Key Management Service (KMS) is a managed
service that allows you to produce and govern the keys
used in cryptographic activities. The service offers a
highly available key generation, storage, administration,
and auditing solution that allows you to encrypt or
digitally sign data within your applications or govern data
encryption across AWS services.
AWS KMS Keys
The fundamental resource in AWS KMS is AWS KMS keys
(KMS keys). A KMS key can be used to encrypt, decrypt,
and re-encrypt data. It can also create data keys for
usage outside of AWS KMS. Typically, symmetric KMS
keys are used, although asymmetric KMS keys can be
created and used for encryption or signing.
Customer Managed Keys
The customer handles the KMS keys you generate.
Customer-managed keys are KMS keys that you
generate, own, and administer in your AWS account. You
have entire authority over these KMS keys, including the
ability to create and manage key policies, IAM policies,
and grants, as well as activate and disable them. They
rotate their cryptographic material, add tags, make
aliases for the KMS keys, and schedule the destruction of
the KMS keys.
Customer-controlled keys are displayed on the AWS
Management Console's Customer-managed keys page
for AWS KMS. Use the DescribeKey operation to
definitively identify a customer-maintained key. The
value of the KeyManager field of the DescribeKey
response for customer-managed keys is CUSTOMER.
Symmetric KMS Keys
When you generate an AWS KMS key, you are given a
symmetric KMS key by default.
In AWS KMS, a symmetric KMS key is a 256-bit encryption
key that never leaves the system unencrypted. It would
help if you used AWS KMS to utilize a symmetric KMS
key. Symmetric keys are used in symmetric encryption,
which employs the same key for encryption and
decoding. Unless your job requires asymmetric
encryption, symmetric KMS keys are a good option
because they never leave AWS KMS unprotected.
AWS services that are connected with AWS KMS secure
your data with symmetric KMS keys. These services do
not support encryption with asymmetric KMS keys.
Asymmetric KMS Keys
AWS KMS allows you to generate asymmetric KMS keys.
An asymmetric KMS key is a mathematically connected
pair of public and private keys. The private key is never
left unprotected in AWS KMS. It would help if you used
AWS KMS to utilize the private key. The public key can be
used within AWS KMS by executing the AWS KMS API
activities or downloaded and used outside of AWS KMS.
Multi-Region asymmetric KMS keys can also be
generated.
It is possible to produce asymmetric KMS keys that
represent RSA key pairs for public-key encryption,
signing and verification, or elliptic curve key pairs for
signing and verification.
Data Keys
Data keys are encryption keys that may be used to
encrypt data, especially enormous volumes of data. Data
keys are returned to you for use outside of AWS KMS
instead of KMS keys, which cannot be downloaded.
When AWS KMS generates data keys, it provides you
with a plaintext data key that you may use immediately
away (optional), as well as an encrypted copy that you
can preserve safely with the data. When you are ready to
decrypt the data, ask AWS KMS to decode the encrypted
data key.
AWS KMS is a service that produces, encrypts, and
decrypts data keys. AWS KMS, on the other hand, does
not store, manage, or monitor your data keys, nor does
it execute cryptographic operations with data keys. Data
keys must be used and managed outside of AWS KMS.
Customer Master Key
CMKs are classified into two types: AWS-managed and
customer-managed. When you activate server-side
encryption of an AWS resource for the first time under
the AWS-managed CMK for that service, AWS-controlled
CMK is produced (e.g., SSE-KMS). The AWS-managed
CMK is specific to your AWS account and the region in
which it is deployed. AWS-managed CMKs can only
safeguard resources within the AWS service for which
they were designed. It does not offer the granular control
that a customer-managed CMK does. To get further
control, employ a customer-managed CMK in all
supported AWS services and your applications. A
customer-managed CMK is generated at your request
and should be set according to your specific use case.
Envelope Encryption
When you encrypt your data, it is protected, but you
must safeguard the encryption key. Encrypting plaintext
data with a data key and then encrypting the data key
with a separate key is known as envelope encryption.
You may even encrypt the data encryption key using
another encryption key and then encrypt that encryption
key again. However, one key must finally remain in
plaintext so that you may decrypt the keys and your data.
The root key is the top-level plaintext encryption key.
Customer Master Key
CMKs are classified into two types: AWS-managed and
customer-managed. When you activate server-side
encryption of an AWS resource for the first time under
the AWS-managed CMK for that service, AWS-controlled
CMK is produced (e.g., SSE-KMS). The AWS-managed
CMK is specific to your AWS account and the region in
which it is deployed. AWS-managed CMKs can only
safeguard resources within the AWS service they were
designed for. It does not offer the granular control that a
customer-managed CMK does. To get further control,
employ a customer-managed CMK in all supported AWS
services and your applications. A customer-managed
CMK is generated at your request and should be set
according to your specific use case.
Envelope Encryption
It is protected when you encrypt your data, but you must
safeguard the encryption key. Encrypting plaintext data
with a data key and then encrypting the data key with a
separate key is known as envelope encryption.
You may even encrypt the data encryption key using
another encryption key and then encrypt that encryption
key again. However, one key must finally remain in
plaintext so that you may decrypt the keys and your data.
The root key is the top-level plaintext encryption key.
Envelope encryption has various advantages:
 Protecting Data Keys
When you encrypt a data key, you do not have to worry
about keeping the encrypted data key since encryption
protects the data key by default. The encrypted data key
can be safely stored alongside the encrypted data
 Encrypting the Same Data under Multiple Keys
Encryption procedures can be time-intensive, especially
if the data being encrypted is substantial. You can re-
encrypt only the data keys that secure the raw data
instead of re-encrypting raw data with multiple keys
numerous times
 Combining the Strengths of Multiple Algorithms
Symmetric key algorithms are quicker than public-key
algorithms and create smaller ciphertexts. However,
public-key algorithms allow intrinsic role separation and
easier key management. Envelope encryption allows you
to combine the advantages of each technique
KMS Encryption Flows
Following are the KMS encryption flows:
 Service Side Encryption
 Envelope Encryption
Secrets Manager
Secrets Manager allows you to replace hardcoded
credentials, such as passwords, in your code with an API
call to Secrets Manager to get the secret
programmatically. As the secret no longer resides in the
code, this helps ensure that it cannot be compromised by
someone reviewing your code. You may also set Secrets
Manager to rotate the secret for you on a pre-defined
period. It allows you to substitute long-term secrets with
short-term ones, drastically lowering the chance of
compromise.
Secrets Manager Concept
AWS Secrets Manager secures access to your
applications, services, and IT resources without the
upfront investment or ongoing maintenance expenses
associated with running your infrastructure.
Secrets Manager is designed for IT administrators who
need a safe and scalable way to store and manage
secrets. Security administrators may use a secrets
manager to meet regulatory and compliance standards
to monitor and cycle secrets without interfering with
applications. Secrets Manager may be retrieved
programmatically by developers that want to replace
hardcoded secrets in their applications.
Secrets Manager Features
At runtime, encoded secret values can be retrieved
programmatically. Secrets Manager improves your
security posture by removing hard-coded credentials
from your application source code and preventing
credentials from being stored in any form within the
application. Storing the credentials in or with the
application exposes them to compromise by anybody
who has access to your program or its components. This
technique makes rotating your credentials tough. Before
you can depreciate the old credentials, you must update
your application and distribute the updates to each
client.
Secrets Manager allows you to acquire stored credentials
by replacing them with a runtime call to the Secrets
Manager Web service.
Secret Storage
The AWS secrets manager uses JSON to distort data,
approximating what it might look like is shown in the
figure below. It stores a string in the JSON. Hence those
secrets can be passwords. They could be SSH keys. It
could be API keys, really any string that fits within 64
kilobytes can be stored in Secrets Manager. You could
have Base64 encoded strings that are stored in Secrets
Manager that you know. You have to decode that Base64
encoding.
Different Secrets Types Store in AWS Secrets Manager
Secrets Manager allows you to store text in a secret
encrypted secret data part. It normally comprises the
database or service's connection information. This
information may contain the server name, IP address,
port number, and the user name and password used to
access the service.
 Secret name and description
 Rotation or expiration settings
 ARN of the KMS key associated with the secret
 Any attached AWS tags
Encrypt Secret Data
Secrets Manager encrypts a secret's protected text using
AWS Key Management Service (AWS KMS). AWS KMS is
used for key storage and encryption by many AWS
services. When your secret is at rest, AWS KMS assures
its safe encryption. Every secret is associated with a KMS
key in Secrets Manager. It can be a customer-controlled
key created in AWS KMS or an AWS-managed key for the
account's Secrets Manager (aws/secretsmanager).
Secret Rotation
The process of updating a secret regularly is known as
rotation. When you rotate a secret, the credentials in
both the secret and the database or service are updated.
You may set up an automatic rotation for your secrets in
Secrets Manager. After rotation, applications that obtain
the secret from Secrets Manager automatically receive
the updated credentials.
Automatically Rotate Secrets
Secrets Manager may be configured to automatically
rotate your secrets on a pre-defined schedule and
without human interaction.
Rotation is defined and implemented using an AWS
Lambda function. This function specifies how Secrets
Manager will carry out the following tasks:
 Creates a new version of the secret
 Stores the secret in Secrets Manager
 Configures the protected service to use the new
version
 Verifies the new version
 Marks the new version as production-ready
Rotation Strategies
Secrets Manager has two rotation strategies:
1. Single User Rotation Strategy
The single-user technique refreshes one user's
credentials in a single secret. It is the most basic rotation
approach, and it is suitable for the majority of use
scenarios.
2. Alternating Users Rotation Strategy
The alternating user’s technique refreshes two users'
credentials in a single secret. You make the first user,
then rotate clones to make the second.
The other user is kept up to speed with each new version
of a secret. If the first version contains user1/password1,
the second version has user2/password2.
User1/password3 is used in the third version, while
user2/password4 is used in the fourth. You have two sets
of valid credentials at any one time: the current and prior
credentials.
VPC Network Security Features
Amazon VPC lets you provision a logically isolated section
of the AWS cloud to launch AWS resources in a virtual
network that you define. You have complete control over
your virtual networking environment, including the
ability to define route tables and network gateways, as
well as choose IP address ranges and construct subnets.
A Virtual Private Cloud (VPC) is a cloud computing
concept that provides an on-demand modifiable pool of
shared computing resources assigned inside a public
cloud environment while also offering some level of
separation from other public cloud users. As the cloud
(pool of resources) in a VPC model is exclusively available
to a single client, it provides privacy with more control
and a safe environment where only the defined client
may work.
Components of VPC
 Virtual Private Cloud: VPC logically isolated virtual
network in the AWS cloud. The IP address space of a
VPC is defined by the ranges you choose
 Subnet: A segment of a VPC’s IP address range to
place groups of isolated resources
 Internet Gateway: The Amazon VPC side of a
connection to the public Internet
 NAT Gateway: A highly available, managed Network
Address Translation (NAT) service for your resources
in a private subnet to access the Internet
 Hardware VPN Connection: A hardware-based VPN
connection between your Amazon VPC and your
data center, home network, or co-location facility
 Virtual Private Gateway: The Amazon VPC side of a
VPN connection
 Customer Gateway: Your side of a VPN connection
 Router: Router interconnect subnets and direct
traffic between Internet gateways, virtual private
gateways, NAT gateways, and subnets
 Peering Connection: A peering connection enables
you to route traffic via private IP addresses between
two peered VPCs
 VPC Endpoints: Enables private connectivity to
services hosted in AWS from within your VPC
without using an Internet Gateway, VPN, Network
Address Translation (NAT) devices, or firewall
proxies
 Egress-only Internet Gateway: A stateful gateway
provides egress-only IPv6 traffic from the VPC to the
Internet
Network Access Control List
A network access control list (NACL) is an optional
security layer for your VPC that operates as a firewall to
manage traffic in and out of one or more subnets. Set up
network ACLs with rules similar to your security groups
to provide your VPC with an extra layer of protection.
Security Groups
For your instance, a security group acts as a virtual
firewall, controlling inbound and outgoing traffic. When
you deploy an instance in a VPC, you may designate the
instance up to five security groups. Security groups
operate at the instance level rather than the subnet
level. As a result, each instance in a VPC subnet can be
allocated to a separate set of security groups.
Traffic Monitoring
Traffic Mirroring is an Amazon VPC feature that allows
you to repeat network traffic from the elastic network
interface of an Amazon EC2 instance. The traffic can then
be routed to out-of-band security and monitoring
equipment for:
 Content inspection
 Threat monitoring
 Troubleshooting