The document covers essential AWS concepts including the Well Architected Framework, security services, AWS Organizations, and various cloud infrastructure components such as regions, availability zones, and networking. It details services related to compute, storage, and serverless architectures, as well as best practices for high availability, fault tolerance, and cost optimization. Additionally, it discusses AWS account management, security measures, and various AWS services like EC2, RDS, and S3, along with their pricing options and configurations.

Uploaded by

Antony Nelson
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
10 views72 pages

Aw Stech Essentials

The document covers essential AWS concepts including the Well Architected Framework, security services, AWS Organizations, and various cloud infrastructure components such as regions, availability zones, and networking. It details services related to compute, storage, and serverless architectures, as well as best practices for high availability, fault tolerance, and cost optimization. Additionally, it discusses AWS account management, security measures, and various AWS services like EC2, RDS, and S3, along with their pricing options and configurations.

Uploaded by

Antony Nelson
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 72

AWS Tech Essentials

What we will cover:

• Well Architected Framework
• Security services
• AWS Organizations
• Regions and Availability Zones
• Edge locations
• Networking
• Compute – EC2, Containers, Auto Scaling, ELB
• Storage – Object, Block, Shared, Databases, In-Memory
• Serverless Services

Well Architected Framework

• Security – protect data, systems and assets
• Reliability – the application stack performs its intended function correctly and consistently
• Performance Efficiency – use compute resources efficiently to meet system requirements, and maintain that efficiency as demand changes
• Cost Optimization – systems deliver business value at the lowest price point
• Operational Excellence – support the development and running of workloads efficiently, gain insight into operations, and continually improve
• Sustainability – reduce energy consumption and increase efficiency; maximize benefits while minimizing the total resources required

AWS Shared Responsibility Model

(Diagram: AWS is responsible for security "of" the cloud.)

High Availability (HA)

• Automate the recovery of system components that are part of the application stack
• High Availability designs lower the Recovery Time Objective and the Recovery Point Objective
• RTO – How long until recovery?
• RPO – How much data was lost?

Fault Tolerance

• When infrastructure components fail, no interruption to the application stack occurs

AWS Account

• Each AWS account is a container
• One "root" admin account – full access that can't be removed
• Cloud services from > 26 AWS Regions are hosted in the container

(Diagram: Identities – Users, Groups, Role, External; Permissions – Credentials, Policy document.)

AWS Organizations

• AWS Organizations allows control of a nested AWS account tree
• Member accounts can be grouped into OUs; each OU can be attached to different access policies
• Users can only access what is allowed by AWS Organizations policies
• Centralize IAM, CloudFormation, CloudTrail, CloudWatch, Config, Control Tower, the AWS Directory Service and other services

(Diagram: an Organizational Control Policy at the organization root and separate policies attached to the Dev OU, Test OU and Prod OU apply to the AWS accounts and AWS resources beneath them.)
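To show how policies attached at the root and at each OU combine for an account in that tree, here is an added example (not code from the deck) that models the evaluation with service control policy semantics: an action is permitted only if every node on the account's path allows it and none denies it. The OU names, account IDs and policy documents are constructed; FullAWSAccess is assumed as the default where no policy is listed.

```python
# Added example, not from the deck: model how AWS Organizations policies
# attached along the root -> OU -> account path combine. Semantics follow
# service control policies: an action is permitted in an account only if
# EVERY node on the path allows it and NO node on the path denies it.
# The tree, account IDs and policy documents below are constructed.
from fnmatch import fnmatchcase

# Constructed organization tree: child node -> parent node.
ORG_TREE = {
    "ou-dev": "root",
    "ou-prod": "root",
    "111111111111": "ou-dev",   # constructed account ID in the Dev OU
    "222222222222": "ou-prod",  # constructed account ID in the Prod OU
}

FULL_AWS_ACCESS = [{"Effect": "Allow", "Action": ["*"]}]  # AWS default policy

# Constructed policies per node; nodes not listed keep FullAWSAccess.
# The Dev OU is allow-listed to a few services; the Prod OU keeps full
# access but adds a guardrail that denies tampering with CloudTrail.
POLICIES = {
    "ou-dev": [{"Effect": "Allow", "Action": ["ec2:*", "s3:*", "logs:*"]}],
    "ou-prod": FULL_AWS_ACCESS + [
        {"Effect": "Deny",
         "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"]},
    ],
}

def _matches(statement, action):
    """IAM-style wildcard match of one action against a statement's Action list."""
    return any(fnmatchcase(action, pattern) for pattern in statement["Action"])

def path_to_root(node):
    """Yield the node, its parent OU, ... up to and including the root."""
    while node is not None:
        yield node
        node = ORG_TREE.get(node)

def scp_allows(account_id, action):
    """True only if every node on the account's path allows the action and none denies it."""
    for node in path_to_root(account_id):
        statements = POLICIES.get(node, FULL_AWS_ACCESS)
        if any(s["Effect"] == "Deny" and _matches(s, action) for s in statements):
            return False
        if not any(s["Effect"] == "Allow" and _matches(s, action) for s in statements):
            return False
    return True

def effective_actions(account_id, candidate_actions):
    """Filter a list of actions down to those the Organizations policies permit."""
    return [a for a in candidate_actions if scp_allows(account_id, a)]
```

The Dev account loses everything its OU does not allow-list, while the Prod account keeps full access except for the explicitly denied CloudTrail actions, which no account-level permission can restore.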


AWS Global Infrastructure: Availability Zones

• Each availability zone contains at least one data center
• Most availability zones contain multiple data centers
• Each availability zone has inexpensive low latency network connectivity to the other availability zones within the same AWS region
• Designing with two AZs is a best practice to consider

(Diagram: a Region containing Availability Zone A, Availability Zone B and Availability Zone C.)

Multi-AZ Design

(Diagram: an AWS Region with a VPC; a load balancer in front of EC2 instances in three Availability Zones.)

Availability Zones in Operation

• EC2 instances can launch across multiple subnets hosted in multiple availability zones
• ELB can target EC2 instances across multiple availability zones
• EC2 Auto Scaling can scale EC2 instances across multiple availability zones
• RDS solutions are replicated across multiple availability zones

Edge Locations at AWS

• Each edge location has a local caching data center directly connected to the AWS cloud using high-speed private network links

(Diagram: request path without CloudFront CDN versus with CloudFront CDN.)

Services at the Edge

Service | What it does
CloudFront | Caches your static and dynamic content
Route 53 | Delivers your request from the closest edge location
WAF | Filters incoming public traffic at the edge (filtering rules)

Static content with S3 and CloudFront

• Webpage content can be offloaded through caching
• Cached data is held closest to the end-user
• Images, code, popular webpages

(Diagram: requests from the Internet reach CloudFront distributions protected by AWS WAF Web ACL rules; behind them an application load balancer and API Gateway front App 1 to App 4, the back-end applications running on EC2 instances inside VPC security groups.)

AWS Global Accelerator

• User application requests use global edge locations and the AWS private network

VPC

• Networking layer at AWS
• A logical and isolated collection of subnets
• Launch EC2 instances onto your virtual private network
• EC2 instances run in a virtual private cloud that is logically isolated to your AWS account

VPC Defaults

(Diagram: a VPC with CIDR block 192.168.0.0/16 spanning three Availability Zones, with a router and an Internet gateway.)

Main Route Table

Destination | Target
192.168.0.0/16 | local

(Diagram: the VPC has a public subnet with its own route table and Internet gateway, and two private subnets, one holding a Web App and one a MySQL instance, each with a route table, a NAT gateway and a virtual private gateway.)

Internet Gateway

• Allows communication between instances or services hosted on public subnets and the Internet
• Performs NAT for instances with public IPv4 addresses
• One IGW per VPC

NAT Gateway Services

• The NAT service enables instances in a private subnet to connect to the Internet to get updates
• Traffic requests from the instance are forwarded to the NAT service hosted in the public subnet
• The Internet response is sent back to the private instance that made the request

(Diagram, "Updates using NAT Service": Amazon Route 53 and an Internet gateway in front of a VPC in one Region; two public subnets, each with a NACL and a NAT gateway, share an application load balancer; behind them, private subnets protected by security groups hold EC2 instances and MySQL instances, with route tables, an alternate NACL and a VPG.)

Security Groups

• Security groups are firewall rules that control the inbound and outbound traffic to an EC2 instance
• When security groups are created, they are linked to a VPC and EC2 instance

(Diagram: a security group with an inbound rule for TCP 22 and an outbound rule for TCP 22.)

EC2 Security Group Design

(Diagram: Elastic Load Balancer security group – inbound rule TCP 443, outbound rule TCP 8080; EC2 security group – inbound rule TCP 8080, outbound rule TCP 2306; SQL security group – inbound rule TCP 2306.)
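As an added example (not the deck's own code), here is an audit of a tiered security group design like the one above, where each inner tier should accept traffic only from the tier in front of it. The rule data is constructed in the shape returned by boto3's ec2.describe_security_groups, so the same checks can be run over live output; the group IDs are made up, and the database port used is MySQL's default, 3306.

```python
# Added example, not from the deck: audit a tiered security group design
# like the one above (load balancer -> EC2 -> SQL). The rule data is
# constructed in the shape returned by boto3's ec2.describe_security_groups,
# so the same checks can be run over live output; the group IDs are made up
# and the database port used is MySQL's default, 3306.
SECURITY_GROUPS = [
    {"GroupId": "sg-elb", "GroupName": "elb-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": []}]},
    {"GroupId": "sg-app", "GroupName": "ec2-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-elb"}]},
        # Constructed misconfiguration: SSH reachable from the whole Internet.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": []}]},
    {"GroupId": "sg-db", "GroupName": "sql-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-app"}]}]},
]

# Intended design: only the load balancer tier faces the Internet, and each
# inner tier accepts traffic solely from the tier in front of it.
INTERNET_FACING = {"sg-elb"}
EXPECTED_SOURCES = {"sg-app": {"sg-elb"}, "sg-db": {"sg-app"}}

def _is_world_open(perm):
    """True if the rule admits any IPv4 or any IPv6 source."""
    v4 = any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == "::/0" for r in perm.get("Ipv6Ranges", []))
    return v4 or v6

def audit_security_groups(groups):
    """Return (group_id, port, finding) tuples for inbound rules that break the tiered design."""
    findings = []
    for sg in groups:
        gid = sg["GroupId"]
        for perm in sg["IpPermissions"]:
            port = perm.get("FromPort")  # None means all ports (IpProtocol "-1")
            if _is_world_open(perm) and gid not in INTERNET_FACING:
                findings.append((gid, port, "open to the Internet on a non-Internet-facing tier"))
            for pair in perm.get("UserIdGroupPairs", []):
                if pair["GroupId"] not in EXPECTED_SOURCES.get(gid, set()):
                    findings.append((gid, port, f"unexpected source group {pair['GroupId']}"))
    return findings
```

Only the constructed SSH rule on the EC2 tier is reported; the chained rules that reference the previous tier's security group pass, which is the property the design relies on.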

DNS Firewall

• Block outbound DNS queries made for known malicious domains, while allowing DNS queries to trusted domains
• DNS Firewall consists of domain lists and rule groups associated with a VPC
• Stateless rules have three options:
  • Pass – the packet is passed without further inspection
  • Drop – the packet is dropped
  • Forward – forward the packet to stateful rule groups for further inspection

AWS Network Firewall

• Filter network traffic at the perimeter of your VPC
• Choose a subnet to host the firewall endpoint that filters your traffic
• Deploy and manage stateful inspection, intrusion prevention and detection, and web filtering

Transit Gateway

• Routes communication between the networks connected to the transit gateway using a hub-and-spoke model across multiple regions
• Traffic between a VPC and the Transit Gateway remains on the AWS private network
• Supports dynamic and static routing between attached VPCs and VPNs

EC2 Instance FYI

• EC2 instances are members of compute families.
• For each instance's name, the first letter is the instance family and describes the resources allocated to the instance.
• C stands for compute, R for RAM, I for IOPS.
• The resources (vCPUs, memory, and network bandwidth) are assigned to your account and are never shared with any other AWS customer.

Instance families at AWS

Dedicated Host

• Dedicated physical server with defined EC2 instance capacity just for you
• Control the hardware where your instances are hosted
• Control the affinity, or placement, of your instances on the host
• Dedicated hosts support per-socket, per-core, or per-VM software licenses
• AMIs that can be launched on a dedicated host are (BYOL) Amazon Linux, and Amazon Marketplace AMIs

Amazon Machine Image

• The precise definition of an AMI is a template that contains the desired software configuration for an instance:
  • Operating system
  • Optionally an application
  • Additional supporting software
  • Root device boot volume
• After selecting an AMI, you then choose the instance type where the AMI will be installed.

EC2 Image Builder

• Automate the creation, maintenance, and deployment of Linux or Windows images
• AMI updates, security, compliance, new tests
• Define collections of security settings to harden your images
• AWS and customer tests can be executed before finalization

Launch Templates

1. Amazon machine image (AMI) from which to launch the instances.
2. Choose an instance type that is compatible with the AMI you've specified.
3. Key pair to use when connecting to instances using SSH.
4. Security groups to allow relevant access to the instance.
5. EBS volumes or instance store volumes.
6. Tags (key-value pairs) to the instances and volumes.

Container Options at AWS

• Elastic Container Registry – share and deploy publicly / privately.
• ECS – run Docker containers: applications or micro-services.
• Amazon Elastic Kubernetes Service – manage containers with Kubernetes.
• ECS Anywhere – run Docker containers / Kubernetes service (EKS) on-premises.

EC2 Instances: Pricing Options

Option | Details
On-Demand | Pay per hour / second
Reserved Instances | Discount for a 1 - 3-year commitment
Spot Requests | Spare AWS capacity, > 90% discount

Savings Plans

• Savings Plans provide savings of up to 72% on your AWS compute usage
• Compute: applies to all Amazon EC2 instances (regardless of OS, tenancy or Region), Fargate and Lambda usage
• EC2 Instances
• Amazon SageMaker
• Commit to use a specific amount of compute power (measured in $/hour spend) for a one- or three-year period

CloudWatch

• Built-in monitoring service for AWS cloud resources
• Collect and track metrics
• Alarms / metrics
• Supports all AWS services
• Monitor your instance and application log files
• Set billing alarms
• Alarms have three states: OK, ALARM, INSUFFICIENT DATA

CloudWatch in Operation

(Diagram: AWS Config events, AWS CloudTrail API calls, authentication events and flow logs feed Amazon CloudWatch; a CloudWatch event or alarm publishes to an SNS topic, which delivers email notifications, HTTP notifications, or invokes an AWS Lambda function.)

EC2 Auto Scaling

• Availability – EC2 Auto Scaling helps you ensure that you have the correct number of EC2 instances available to handle the end-user load for your application
• Fault Tolerance – Auto Scaling detects unhealthy instances, terminates them and relaunches an instance to replace the unhealthy one
• Management of costs – dynamically increase and decrease capacity as required; only pay for the compute that you need

Scaling Policy Options

Scaling policy | Details
Target tracking scaling | Increase or decrease the capacity of the ASG based on a target value for a specific CloudWatch metric
Step scaling | Increase or decrease the capacity based on a set of scaling percentages
Simple scaling | Increase or decrease based on a single scaling adjustment

Auto Scale

• EC2 – scale up or down based on demand
• ELB – automatically add or remove instances from target groups via Auto Scaling
• DynamoDB – increase or decrease provisioned read and write capacity
• Amazon Aurora – dynamically adjust the number of Aurora replicas provisioned for a DB cluster

AWS Config

• Records changes and current status to the resource inventory
• Notifies when resources are created, modified, or deleted
• Configuration items track resource attributes and relationships, current configuration, and related events
• Custom Config rules for remediation
• Config can also capture:
  • Software inventory on EC2 instances
  • Patch levels
  • Application versions

Data Storage Options at AWS

Storage Type | Details | AWS Services
Persistent Data Storage | Data is persistent and durable | S3, S3 Glacier, EBS, EFS, FSx for Windows File Server
Transient Data Storage | Data is temporarily stored before being passed to another process | SQS, SNS
Ephemeral Data Storage | Data records are lost when system(s) are stopped | EC2 Instance Storage, ElastiCache (Redis, Memcached)

Elastic Block Storage

SSD
• General purpose: boot volumes, low latency applications
• Provisioned IOPS: databases with sustained IOPS

HDD
• Throughput optimized: high-throughput sequential workloads
• Cold: logging and minimal needs

AWS Key Management Service (KMS)

• Control the encryption of stored data across AWS services
• Centrally manage and store your customer master keys (CMKs)
• CMKs can be generated using KMS, in an AWS CloudHSM cluster, or imported
• Unique data keys are used for each encryption request
• KMS stores multiple copies of encrypted versions of your keys with 99.999999999% durability

RDS Platforms: Amazon Aurora

• An Aurora cluster consists of a set of database nodes and a shared storage volume.
• The storage volume consists of six storage nodes placed in three Availability Zones for high availability and durability of user data
• Fully managed 6-way replication across 3 availability zones with SSD Virtual SAN storage
• Two copies of data are kept in each AZ
• Every database node in the cluster is a writer node that can run read and write statements
• Scales in 10 GB increments / up to 32 vCPUs and 244 GB RAM
• Up to 15 Aurora Read replicas

Amazon Aurora

• Aurora can also be deployed as a global database with cross-region replication and read replicas
• Read replicas can be created in up to five AWS regions
• Aurora MySQL can operate in a scale-out multi-master write mode
• One or multiple writers, multiple readers, parallel query
• Serverless: define the min and max resources needed; the database scales based on load

DynamoDB

• Fully managed NoSQL database with fast performance and seamless scalability with no downtime
• Optional cross-region replication with global tables in multiple regions
• Auto-scale capacity adjusts per defined minimum / maximum levels
• Supports ACID compliance with DynamoDB transactions
• DynamoDB is designed with automatic synchronous data replication across three facilities in a region
• DynamoDB supports cross-region replication across regions with Global tables

S3 Storage Classes

• S3 Standard – no minimum storage time
• S3 Standard-IA – min 30 days
• S3 Intelligent-Tiering – monitor and move to the most cost-effective tier after 30 days
• S3 One Zone-IA – one AZ, less resilience – min 30 days
• S3 Glacier – archive data – min 90 days
• S3 Glacier Deep Archive – long-term retention, min 180 days

S3 Versioning

• Versioning protects against accidental object/data deletion or overwrites
• Versioning is enabled at the bucket level
• Versioning allows you to store multiple versions of the same object in the same bucket
• Versioning stores all versions of an object (including all writes and even objects that have been deleted)
• Once enabled, versioning can't be disabled but can be suspended

Lifecycle Transitions

• Standard storage class to any other storage class
• Any storage class to Glacier or Deep Archive
• Standard-IA class to Intelligent-Tiering or One Zone-IA
• Glacier to Deep Archive
• You can't transition back to Standard
• You can't transition from Deep Archive to any other storage class
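As an added example (not the deck's own code), the validator below applies the transition rules above together with the minimum storage durations from the S3 Storage Classes slide to a planned sequence of lifecycle transitions. Storage-class names are the S3 API constants; the sample plans in the comments and tests are constructed.

```python
# Added example, not from the deck: validate a planned sequence of S3
# lifecycle transitions against the transition rules and the per-class
# minimum storage durations listed on the slides. Class names are the
# S3 API constants; sample plans are constructed.
MIN_DAYS = {  # minimum days an object must stay in a class before moving on
    "STANDARD": 0,
    "STANDARD_IA": 30,
    "INTELLIGENT_TIERING": 30,
    "ONEZONE_IA": 30,
    "GLACIER": 90,
    "DEEP_ARCHIVE": 180,
}

def can_transition(src, dst):
    """Apply the deck's transition rules: True if src -> dst is a permitted move."""
    if src == dst or dst == "STANDARD" or src == "DEEP_ARCHIVE":
        return False  # never back to Standard, never out of Deep Archive
    if src == "STANDARD":
        return True   # Standard may move to any other class
    if dst in ("GLACIER", "DEEP_ARCHIVE"):
        return True   # any class may move to Glacier or Deep Archive
    if src == "STANDARD_IA" and dst in ("INTELLIGENT_TIERING", "ONEZONE_IA"):
        return True
    return False

def validate_plan(plan):
    """plan: ordered list of (days_after_creation, target_class), starting in STANDARD.

    Returns [] when every step is a permitted transition made after the
    minimum storage duration of the class being left; otherwise a list of
    human-readable problems, one per offending step.
    """
    problems, current, entered = [], "STANDARD", 0
    for day, target in plan:
        if not can_transition(current, target):
            problems.append(f"day {day}: {current} -> {target} is not a permitted transition")
        elif day - entered < MIN_DAYS[current]:
            problems.append(f"day {day}: {current} needs {MIN_DAYS[current]} days, got {day - entered}")
        current, entered = target, day
    return problems

# Constructed plan: Standard -> Standard-IA at day 30 -> Glacier at day 120
# -> Deep Archive at day 365. Every step is permitted and respects the
# minimum duration of the class being left, so validate_plan returns [].
VALID_PLAN = [(30, "STANDARD_IA"), (120, "GLACIER"), (365, "DEEP_ARCHIVE")]
```

A plan that moves an object out of Glacier before 90 days, or tries to leave Deep Archive, is reported step by step rather than failing silently at run time.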

Event Notifications FYI

Notifications can be generated for the following events:
• New object created, object removal or restore events
• Replication events

Event notifications can be sent to the following destinations:
• Simple Notification Service topic
• Amazon Simple Queue Service queue
• AWS Lambda invoking a custom function

S3 Glacier Storage

• Glacier archives from 100 MB up to 40 TB
• Archives are held in containers called vaults
• Each AWS account can have up to 1,000 vaults
• Compliance controls per vault with a vault lock policy (WORM)
• Retrieval policy to control data access

Elastic File System

• Fully managed scalable and shareable storage service (up to petabytes)
• File share access using the NFS protocol, with mount points in one or many AZs
• Elastic storage capacity; pay for what you use
• Can be mounted from on-prem systems using Direct Connect, or a VPN connection
• EFS-to-EFS Backup solution to back up file systems
• General-purpose or Max I/O performance modes
• EFS can burst to high throughput levels

FSx for Windows File Server

• Windows Server CIFS for Windows-based applications
• Shared file storage support for SMB, NTFS and Active Directory integration
• SSD storage with automatic encryption at rest and in transit
• Supports data deduplication for file shares
• Data replication within single or multiple availability zones
• Integrates with DFS namespaces and VMware Cloud on AWS

AWS Storage Gateway

• On-premises software appliance integrated with AWS cloud-based S3 and S3 Glacier storage
• Hosted on-premises as a local VM appliance, or in AWS on an EC2 instance

(Diagram: a cached volume backed by S3 and S3 Glacier.)

File Gateway
• Interface local storage directly into S3 storage
• Store and retrieve files in S3 using either the NFS version 3 or 4.1 protocol
• Shares are accessible using the NFS or SMB protocol

Volume Gateway
• Cached volumes: data can be stored in S3 with a copy of frequently accessed data cached locally
• Stored volumes: data is stored locally and asynchronously backed up using snapshots to S3

AWS Lambda

• No servers or instances to manage – focus on creating functions
• Background scaling handled by AWS
• Sub-second metering – pay for what you use
• Bring your own code – Node.js, Java, Ruby, Python, C#, Go
• Integrate with other AWS services
• Select a power rating from 128 MB to 1.5 GB; CPU and network are proportionally allocated

GuardDuty

(Diagram: Monitor – Analysis – Notify.)

Amazon Macie

• Automated security classification of S3 data access patterns
• Monitor data usage for anomalies
• Proactive data loss prevention through data visibility
• Custom report and alert management

Data Classification Types

(Word cloud: CVE, DSA private key, mailing address, router config, application logs, encryption keys, full name, encrypted RSA private key, Swift codes, source code, email, credit card numbers, AWS_secret_key, drivers license IDs, JSON, financial.)

AWS Free Tier
