
Amazon S3

Amazon S3 is a scalable, durable, and secure object storage service that supports various features like versioning, lifecycle policies, and access controls, making it ideal for backup, archiving, and big data analytics. It offers multiple storage classes to optimize cost and performance, ensuring high durability and availability for stored data. Additionally, S3 integrates seamlessly with other AWS services and provides options for data migration through the AWS Snow Family for efficient data transfer.


Amazon S3: Introduction

Amazon Simple Storage Service (S3) is a cornerstone of AWS, offering highly scalable, durable, and secure object storage in the cloud. As a widely used storage solution, S3 provides features like versioning, lifecycle policies, and robust access controls, making it suitable for various use cases such as backup, archiving, content distribution, and big data analytics. With its seamless integration with other AWS services, S3 enables efficient data processing and analytics workflows, ensuring reliability and scalability for your storage needs.

Amazon S3: Introduction

Introduction to Amazon S3

 Amazon S3 (Simple Storage Service):

 A highly scalable, durable, and secure object storage service for storing and retrieving any amount of data.

 Often called "infinitely scaling" storage.

 Offers features like versioning, lifecycle policies, and fine-grained access controls for managing data.

 Supports data transfer acceleration and integration with other AWS services for data processing and analytics.

 Commonly used for backup and recovery, data archiving, content distribution, and as a data lake for big data analytics.

Buckets in S3

 Amazon S3 stores objects (files) inside "buckets", the top-level containers for objects:

 Bucket names must be globally unique across all regions and accounts.

 Buckets are created at the regional level.

 Despite S3 appearing as a global service, each bucket lives in one specific region.

 Naming rules:

 Only lowercase letters, numbers, dots and hyphens (no uppercase letters or underscores).

 Length between 3 and 63 characters.

 Not in the format of an IP address (e.g. 192.168.5.4).

 Must begin (and end) with a lowercase letter or number.

 Must not start with the prefix "xn--".

 Must not end with the suffix "-s3alias".
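The naming rules above are easy to get wrong in automation, so here is a validator for them. This is an added example, not code from the original notes; it encodes the rules listed on this page plus two documented rules they omit (the name must also end with a letter or digit, and may not contain two adjacent dots).

```python
"""Validate an S3 bucket name against the published naming rules.

Added example (not from the original notes). Rules implemented: length
3-63; lowercase letters, digits, dots and hyphens only; must begin and end
with a letter or digit; no adjacent dots; not shaped like an IPv4 address;
must not start with "xn--"; must not end with "-s3alias".
"""
import re

_IPV4_SHAPE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
_ALLOWED_CHARS = re.compile(r"^[a-z0-9.-]+$")


def bucket_name_problems(name: str) -> list:
    """Return every rule the candidate name violates (empty list means valid)."""
    problems = []
    if not 3 <= len(name) <= 63:
        problems.append("length must be 3-63 characters")
    if not _ALLOWED_CHARS.match(name):
        problems.append("only lowercase letters, digits, dots and hyphens are allowed")
    if not name or not name[0].isalnum() or not name[-1].isalnum():
        problems.append("must begin and end with a lowercase letter or digit")
    if ".." in name:
        problems.append("must not contain two adjacent dots")
    if _IPV4_SHAPE.match(name):
        problems.append("must not look like an IPv4 address")
    if name.startswith("xn--"):
        problems.append('must not start with "xn--"')
    if name.endswith("-s3alias"):
        problems.append('must not end with "-s3alias"')
    return problems


def is_valid_bucket_name(name: str) -> bool:
    return not bucket_name_problems(name)


if __name__ == "__main__":
    # Constructed candidates covering the common mistakes.
    for candidate in ["my-app-logs-2024", "My_Bucket", "192.168.5.4",
                      "xn--test", "backups-s3alias", "a", "-leading"]:
        print(f"{candidate!r}: {bucket_name_problems(candidate) or 'ok'}")
```

Run it before creating buckets in a pipeline; the function returns every violated rule rather than stopping at the first so the caller can report them all at once.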

S3 Bucket Policies

 A bucket policy is a JSON document attached to a bucket. Its statements specify:

 Resources: the bucket and/or the objects in it

 Effect: Allow or Deny

 Actions: the S3 API calls that are permitted or denied

 Principal: the user or account the statement applies to

 Use an S3 bucket policy to:

 Enable public access to the bucket (this only takes effect if S3 Block Public Access is turned off for the bucket and account; it is on by default for new buckets)

 Mandate encryption on uploaded objects

 Grant access to another account (Cross-Account Access)
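To make the three uses concrete, the following is an added example (not code from the notes or from AWS): a bucket policy that grants an owner role read/write, gives a partner account read-only cross-account access, and denies any upload that does not request server-side encryption, together with a deliberately small evaluator that applies the "explicit Deny wins, then Allow, otherwise implicit deny" rule. The account IDs, role name and bucket name are made up. The evaluator supports only Principal/Action/Resource wildcards and the StringEquals, StringNotEquals and Null condition operators; NotAction, NotPrincipal, policy variables and IAM identity policies are out of scope, and a missing condition key is treated as failing every non-Null test, which is why the encryption rule needs the second Deny with the Null operator (the pattern AWS documents for this case).

```python
"""Toy S3 bucket-policy evaluator (added example; not AWS's logic).

Assumed/constructed: account IDs, the role name, the bucket and object ARNs.
"""
from fnmatch import fnmatchcase

OWNER_ACCOUNT = "111111111111"     # constructed
PARTNER_ACCOUNT = "222222222222"   # constructed
BUCKET = "example-corp-backups"    # constructed
OWNER_ROLE = f"arn:aws:iam::{OWNER_ACCOUNT}:role/backup-writer"
PARTNER_ROOT = f"arn:aws:iam::{PARTNER_ACCOUNT}:root"
OBJECT_ARN = f"arn:aws:s3:::{BUCKET}/2024/db.dump"

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "OwnerReadWrite", "Effect": "Allow",
         "Principal": {"AWS": OWNER_ROLE},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": f"arn:aws:s3:::{BUCKET}/*"},
        {"Sid": "PartnerReadOnly", "Effect": "Allow",        # cross-account access
         "Principal": {"AWS": PARTNER_ROOT},
         "Action": "s3:GetObject",
         "Resource": f"arn:aws:s3:::{BUCKET}/*"},
        {"Sid": "DenyWrongEncryption", "Effect": "Deny",     # mandate SSE-S3 (AES256)
         "Principal": "*",
         "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{BUCKET}/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
        {"Sid": "DenyMissingEncryptionHeader", "Effect": "Deny",
         "Principal": "*",
         "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{BUCKET}/*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value: str) -> bool:
    """Wildcard match of an Action/Resource/Principal entry (or list) against a value."""
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(principal, caller: str) -> bool:
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return _matches(principal.get("AWS", []), caller)
    return False


def _condition_holds(condition: dict, ctx: dict) -> bool:
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = [str(e) for e in _as_list(expected)]
            actual = ctx.get(key)
            if operator == "Null":
                if (actual is None) != (expected[0].lower() == "true"):
                    return False
            elif actual is None:
                return False   # simplification: a missing key never satisfies a non-Null test
            elif operator == "StringEquals":
                if actual not in expected:
                    return False
            elif operator == "StringNotEquals":
                if actual in expected:
                    return False
            else:
                raise NotImplementedError(f"condition operator {operator} not modelled")
    return True


def evaluate(policy: dict, caller: str, action: str, resource: str, context=None) -> str:
    """Return "Allow", "ExplicitDeny", or "ImplicitDeny" (no statement matched)."""
    context = context or {}
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        if not (_principal_matches(st["Principal"], caller)
                and _matches(st["Action"], action)
                and _matches(st["Resource"], resource)
                and _condition_holds(st.get("Condition", {}), context)):
            continue
        if st["Effect"] == "Deny":
            return "ExplicitDeny"          # an explicit Deny overrides any Allow
        decision = "Allow"
    return decision


if __name__ == "__main__":
    sse = {"s3:x-amz-server-side-encryption": "AES256"}
    print("owner encrypted upload :", evaluate(BUCKET_POLICY, OWNER_ROLE, "s3:PutObject", OBJECT_ARN, sse))
    print("owner plain upload     :", evaluate(BUCKET_POLICY, OWNER_ROLE, "s3:PutObject", OBJECT_ARN))
    print("partner read           :", evaluate(BUCKET_POLICY, PARTNER_ROOT, "s3:GetObject", OBJECT_ARN))
    print("partner write          :", evaluate(BUCKET_POLICY, PARTNER_ROOT, "s3:PutObject", OBJECT_ARN, sse))
```

Note that the two Deny statements carry Principal "*", so they also bind the owner's own principals; that is what makes "mandate encryption" a real control rather than a convention. If SSE-KMS should also be accepted, list both "AES256" and "aws:kms" in the StringNotEquals value.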
Characteristics of S3

Amazon S3 exhibits several key characteristics that make it a preferred choice for storing and managing data in the cloud. These include high scalability, durability, availability, and security. S3 is designed to handle massive amounts of data, providing 99.999999999% durability and 99.99% availability. It offers multiple storage classes to optimize cost and performance based on data access patterns, ensuring flexibility and cost-effectiveness for storing data of any size.

Characteristics of Amazon S3

Durability and Availability

 Durability:

 Amazon S3 offers high durability of 99.999999999% (11 9's) for objects, ensuring data is protected across multiple Availability Zones (One Zone-IA is the exception: it keeps its copies in a single AZ, so it does not survive the loss of that AZ).

 With this level of durability, if you store 10 million objects with Amazon S3, you can expect to lose a single object once every 10,000 years on average.

 This durability applies to all storage classes.

 Availability:

 Refers to how readily available a service is for use.

 Availability varies depending on the storage class.

 For example, S3 Standard has 99.99% availability, which equates to potential unavailability of approximately 53 minutes per year.

Static Websites and Versioning

 S3 can host static websites and make them accessible on the Internet.

 The website URL will be (depending on the region):

 http://bucket-name.s3-website-aws-region.amazonaws.com

 OR

 http://bucket-name.s3-website.aws-region.amazonaws.com

 The website endpoint serves plain HTTP only; put Amazon CloudFront in front of the bucket if you need HTTPS.

 Versioning:

 You can version your files in Amazon S3

 It is enabled at the bucket level

 Overwriting the same key creates a new "version": 1, 2, 3...

 It is best practice to version your buckets

 Protects against unintended deletes (ability to restore a version)

 Easy roll back to a previous version

Versioning in S3

 File versioning is available in Amazon S3.

 It must be enabled at the bucket level.

 Overwriting a file with the same key creates a new version: 1, 2, 3, etc.

 It is considered best practice to enable versioning on your buckets.

 Versioning helps guard against accidental deletions by allowing you to restore previous versions: a delete without a version ID only places a "delete marker" on the object, and removing that marker brings the object back.

 It simplifies the process of reverting to an earlier version of a file.

 Additional details:

 Any file stored before versioning is enabled is assigned the version ID "null".

 Suspending versioning will not remove any previously stored versions.
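The "null" version, delete markers and the effect of suspending versioning are the details people trip over during an incident, so here is an in-memory model of them. This is an added example, not code from the notes or from AWS: version IDs are sequential here where real S3 issues opaque strings, and only the behaviours described above are modelled.

```python
"""In-memory model of S3 bucket versioning (added example; not AWS code).

Models: pre-versioning objects carry version ID "null"; each overwrite while
versioning is Enabled adds a version; a delete without a version ID adds a
delete marker instead of removing data; deleting the marker restores the
object; Suspended keeps all stored versions and writes into the "null" slot.
"""
from __future__ import annotations
from dataclasses import dataclass
from itertools import count


@dataclass
class Version:
    version_id: str
    body: bytes | None          # None marks a delete marker

    @property
    def is_delete_marker(self) -> bool:
        return self.body is None


class VersionedBucket:
    def __init__(self) -> None:
        self.versioning = "Disabled"      # Disabled -> Enabled <-> Suspended
        self._versions: dict[str, list[Version]] = {}   # key -> oldest..newest
        self._ids = count(1)

    def set_versioning(self, state: str) -> None:
        if state not in ("Enabled", "Suspended"):
            raise ValueError("versioning can only be Enabled or Suspended once set")
        self.versioning = state

    def _stack(self, key: str) -> list[Version]:
        return self._versions.setdefault(key, [])

    def _drop_null_version(self, key: str) -> None:
        # Without versioning (or while Suspended) the "null" version is overwritten in place.
        self._versions[key] = [v for v in self._stack(key) if v.version_id != "null"]

    def put(self, key: str, body: bytes) -> str:
        if self.versioning == "Enabled":
            vid = f"v{next(self._ids)}"
        else:
            self._drop_null_version(key)
            vid = "null"
        self._stack(key).append(Version(vid, body))
        return vid

    def get(self, key: str, version_id: str | None = None) -> bytes | None:
        stack = self._stack(key)
        if version_id is None:
            current = stack[-1] if stack else None
        else:
            current = next((v for v in stack if v.version_id == version_id), None)
        return None if current is None else current.body   # delete marker reads as absent

    def delete(self, key: str, version_id: str | None = None) -> str | None:
        """Return the version ID affected: the new delete marker, or the version removed."""
        stack = self._stack(key)
        if version_id is not None:
            # Permanent delete of one version; deleting a delete marker restores the object.
            self._versions[key] = [v for v in stack if v.version_id != version_id]
            return version_id
        if self.versioning == "Disabled":
            self._versions[key] = []            # no versioning: data is really gone
            return None
        if self.versioning == "Enabled":
            vid = f"v{next(self._ids)}"
        else:
            self._drop_null_version(key)
            vid = "null"
        self._stack(key).append(Version(vid, None))
        return vid

    def list_versions(self, key: str) -> list[str]:
        return [v.version_id for v in self._stack(key)]


if __name__ == "__main__":
    b = VersionedBucket()
    b.put("report.csv", b"original")          # stored before versioning -> "null"
    b.set_versioning("Enabled")
    b.put("report.csv", b"edited")
    marker = b.delete("report.csv")           # only a delete marker
    print("after delete:", b.get("report.csv"), b.list_versions("report.csv"))
    b.delete("report.csv", marker)            # remove the marker -> restored
    print("restored   :", b.get("report.csv"))
```

The security-relevant consequence: an attacker (or a script) with only s3:DeleteObject cannot destroy data in a versioned bucket; destroying it needs s3:DeleteObjectVersion, which is the permission to keep off everyday roles.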

Replication (Cross Region Replication and Same Region Replication)

 Versioning must be enabled on both the source and destination buckets for replication.

 Supports:

 Cross-Region Replication (CRR) and Same-Region Replication (SRR).

 Buckets can be in different AWS accounts.

 Copying of objects is asynchronous.

 Proper IAM permissions (a replication role) must be granted to S3 for replication.
S3 Storage Classes

S3 offers a range of storage classes designed to meet diverse data storage needs efficiently. These include Standard, Standard-IA (Infrequent Access), One Zone-IA, Intelligent-Tiering, Glacier, and Glacier Deep Archive. Each storage class is tailored to specific access patterns, durability requirements, and cost considerations, allowing users to optimize storage costs while ensuring data accessibility and durability.

S3 Storage Classes

S3 Storage Classes: An Overview

 S3 Storage Classes Overview:

 Designed for varying use cases based on access frequency, durability, and cost.

 Includes options like Standard, Intelligent-Tiering, Standard-IA, and One Zone-IA.

 Enables cost optimization through diverse pricing structures.

 Supports automatic data migration with lifecycle policies.

 Provides global data storage with high availability.

 Allows easy transition between classes to meet changing needs.

All S3 Storage Classes:

1. Amazon S3 Standard - General Purpose

2. Amazon S3 Standard-Infrequent Access (IA)

3. Amazon S3 One Zone-Infrequent Access

4. Amazon S3 Glacier Instant Retrieval

5. Amazon S3 Glacier Flexible Retrieval

6. Amazon S3 Glacier Deep Archive

7. Amazon S3 Intelligent Tiering

S3 Storage Classes: Comparison

 These are the key points you need to know for the exam!
S3 - Encryption

 Server-Side Encryption (default):

 The server encrypts the object after receiving it. SSE-S3 (AES-256, S3-managed keys) is applied by default; SSE-KMS (AWS KMS keys) and SSE-C (customer-provided keys) are the alternatives.

 Client-Side Encryption:

 The client encrypts the object before uploading it, so AWS only ever receives ciphertext.

IAM Access Analyzer for S3

 Ensures only intended individuals have access to your S3 buckets.

 Evaluates S3 bucket policies, S3 ACLs, and S3 Access Point policies.

 Powered by IAM Access Analyzer.

 Findings include publicly accessible buckets or buckets shared with other AWS accounts.
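The two kinds of finding named above (public bucket, bucket shared with another account) can be reproduced for bucket policies with a short classifier. This is an added example, not code from the notes or the Access Analyzer service, and it is deliberately simpler than Access Analyzer: any Allow statement whose Principal is "*" is reported as public (or "public-conditional" when a Condition is attached, since conditions such as aws:PrincipalOrgID can narrow it), and any Allow whose principal belongs to a different account is reported as cross-account. The account IDs, bucket names and policies are constructed.

```python
"""Flag bucket-policy statements that make a bucket public or cross-account.

Added example in the spirit of IAM Access Analyzer for S3 (not its code).
All account IDs, bucket names and policies below are constructed.
"""
from __future__ import annotations
import re

_ACCOUNT_IN_ARN = re.compile(r"^arn:aws:(?:iam|sts)::(\d{12}):")


def _principals(principal) -> list[str]:
    """Normalise the Principal element to a flat list of strings."""
    if principal == "*":
        return ["*"]
    values = principal.get("AWS", []) if isinstance(principal, dict) else []
    return values if isinstance(values, list) else [values]


def _account_of(principal: str) -> str | None:
    if principal.isdigit() and len(principal) == 12:   # bare account-ID form
        return principal
    m = _ACCOUNT_IN_ARN.match(principal)
    return m.group(1) if m else None


def analyze_policy(owner_account: str, policy: dict) -> list[dict]:
    """Return one finding per Allow statement that widens access beyond the owner account."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue                      # Deny statements never widen access
        sid = st.get("Sid", "<no Sid>")
        conditioned = bool(st.get("Condition"))
        for p in _principals(st.get("Principal", {})):
            if p == "*":
                kind = "public-conditional" if conditioned else "public"
                findings.append({"sid": sid, "kind": kind, "principal": p})
            else:
                acct = _account_of(p)
                if acct and acct != owner_account:
                    findings.append({"sid": sid, "kind": "cross-account", "principal": p})
    return findings


OWNER_ACCOUNT = "111111111111"    # constructed

WEBSITE_POLICY = {"Statement": [
    {"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-corp-site/*"}]}

SHARED_POLICY = {"Statement": [
    {"Sid": "PartnerRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-corp-exports/*"}]}

PRIVATE_POLICY = {"Statement": [
    {"Sid": "OwnerOnly", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{OWNER_ACCOUNT}:role/app"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-corp-data/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-corp-data/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}

ORG_POLICY = {"Statement": [
    {"Sid": "OrgRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-corp-shared/*",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}}]}


if __name__ == "__main__":
    for name, pol in [("website", WEBSITE_POLICY), ("shared", SHARED_POLICY),
                      ("private", PRIVATE_POLICY), ("org", ORG_POLICY)]:
        print(f"{name:8}: {analyze_policy(OWNER_ACCOUNT, pol)}")
```

A "public" finding on a bucket that is not meant to be a website is the case to act on first; "public-conditional" needs a human to read the condition, and "cross-account" should be checked against the list of accounts you actually intend to share with.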

Shared Responsibility Model: S3

 AWS Responsibility:

 Guarantee unlimited storage.

 Provide encryption for stored data.

 Ensure data separation between different customers.

 Ensure AWS employees cannot access your data.

 Your Responsibility:

 Configure S3 buckets.

 Set bucket policies and public access settings.

 Manage IAM users and roles.

 Enable encryption for data storage.


S3 Migration

Migrating data to Amazon S3 involves transferring existing data from on-premises storage systems or other cloud providers to S3. This process can be performed using various methods, including AWS DataSync, the AWS Snow Family (Snowball, Snowcone, Snowmobile), or direct data transfer over the internet. S3 migration enables organizations to leverage the scalability, durability, and cost-effectiveness of S3 for their storage needs.

S3 Migration

Why do we need snow migration?

 Challenges with data migration:

 Limited connectivity

 Limited bandwidth

 High network cost

 Shared bandwidth (can’t maximize the line)

 Connection stability

 Hence, we have the Snow Family

The Snow Family

 Highly secure, portable devices designed for data collection and processing at the edge.

 Facilitate the migration of data into and out of AWS.

 Data migration:

 Snowball Edge

 Snowcone

 Snowmobile

 Edge computing:

 Snowcone

 Snowball Edge
Snowball Edge (for data transfers)

 Physical Data Transport Solution: Enables the movement of terabytes (TBs) or petabytes (PBs) of data in or out of AWS.

 Alternative to Network Transfer: Offers a cost-effective alternative to transferring data over the network and incurring network fees.

 Pay-per-Transfer Job: Charges are based on each data transfer job.

 Storage Options: Provides block storage and Amazon S3-compatible object storage.

 Snowball Edge Storage Optimized: Offers 80 TB of HDD capacity for block volumes and S3-compatible object storage.

 Snowball Edge Compute Optimized: Provides 42 TB of HDD or 28 TB of NVMe capacity for block volumes and S3-compatible object storage.

 Use Cases: Ideal for large data cloud migrations, data center decommissioning, and disaster recovery.

AWS Snowcone & Snowcone SSD

 Small, portable computing device designed for use in rugged and harsh environments.

 Lightweight, weighing 4.5 pounds (2.1 kg), and suitable for edge computing, storage, and data transfer.

 Snowcone: offers 8 TB of HDD storage.

 Snowcone SSD: provides 14 TB of SSD storage.

 Ideal for use in space-constrained environments where a Snowball doesn't fit.

 Users must provide their own battery and cables.

 Can be returned to AWS offline, or connected to the internet and used with AWS DataSync to send data.

AWS Snowmobile

 Designed to transfer exabytes of data (1 EB = 1,000 PB = 1,000,000 TB).

 Each Snowmobile has a capacity of 100 PB; multiple Snowmobiles can be used in parallel for larger transfers.

 Features high security with temperature control, GPS tracking, and 24/7 video surveillance.

 More suitable than Snowball for transfers exceeding 10 PB.

(yes, it's a literal truck!)

AWS Snow Family Overview


S3 Migration: Usage Processes

S3 migration involves planning, data transfer, and validation. Organizations assess storage needs, plan migration strategies, and choose methods based on data volume, transfer speed, and security. Monitoring and validating the transfer ensures data integrity and completeness, facilitating a smooth transition to Amazon S3.

S3 Snow Family: Usage Process

Snow Family: Usage Process

1. Request Snowball Devices: Order Snowball devices through the AWS Management Console for delivery to your location.

2. Install Software: Install the Snowball client or AWS OpsHub on your servers to facilitate data transfer.

3. Connect and Copy: Connect the Snowball device to your servers and copy files using the client software.

4. Return Device: Ship the device back to AWS once the data transfer is complete. The device's E Ink shipping label is pre-configured to return it to the correct AWS facility.

5. Data Transfer to S3: Upon receipt, AWS transfers the data from the Snowball device into your Amazon S3 bucket.

6. Data Wiping: After the data transfer, AWS performs a software erasure of the device following NIST 800-88 media sanitization guidelines; data on the device is also encrypted with KMS keys in transit, so an intercepted device yields only ciphertext.

Edge Computing

 Edge Computing: Process data as it's being generated at an edge location, such as a moving truck, a ship at sea, or a mining station underground.

 These locations may have limited or no internet access and limited or no easy access to computing power.

 Set up a Snowball Edge or Snowcone device to enable edge computing capabilities.

 Use Cases of Edge Computing:

 Preprocessing data before sending it to the cloud.

 Running machine learning models directly at the edge.

 Transcoding media streams on-site.

 Data Transfer: If needed, the device can be shipped back to AWS for data transfer or further processing.

 Snowcone & Snowcone SSD (smaller):

 2 CPUs, 4 GB of memory, wired or wireless access.

 USB-C power using a cord or the optional battery.

 Snowball Edge – Compute Optimized:

 104 vCPUs, 416 GiB of RAM.

 Optional GPU for video processing or machine learning.

 28 TB NVMe or 42 TB HDD usable storage.

 Storage clustering available (up to 16 nodes).

 Snowball Edge – Storage Optimized:

 Up to 40 vCPUs, 80 GiB of RAM, 80 TB storage.

 Common Features:

 All models can run EC2 instances & AWS Lambda functions (using AWS IoT Greengrass).

 Long-term deployment options available with 1- and 3-year discounted pricing.

AWS OpsHub

 Historically, using Snow Family devices required a Command Line Interface (CLI) tool.

 Today, AWS OpsHub, software installed on your computer or laptop, can be used to manage Snow Family devices.

 OpsHub enables:

 Unlocking and configuring single or clustered devices.

 Transferring files to and from the device.

 Launching and managing instances running on Snow Family devices.

 Monitoring device metrics such as storage capacity and active instances.

 Launching compatible AWS services on your devices, such as Amazon EC2 instances, AWS DataSync, and Network File System (NFS).

Snowball Edge Pricing

 Device Usage and Data Transfer Costs:

 Charges apply for device usage and for data transfer out of AWS.

 Data transfer into Amazon S3 is free ($0.00 per GB).

 On-Demand Pricing:

 Includes a one-time service fee per job, covering:

 10 days of usage for Snowball Edge Storage Optimized 80 TB.

 15 days of usage for Snowball Edge Storage Optimized 210 TB.

 Shipping days are not counted towards the included 10 or 15 days.

 Additional days are charged on a per-day basis.

 Committed Upfront Pricing:

 Pay in advance for monthly, 1-year, and 3-year usage (primarily for Edge Computing).

 Offers up to 62% discounted pricing compared to on-demand rates.

Hybrid Cloud for Storage

 Hybrid Cloud Approach: AWS promotes a hybrid cloud model where part of your infrastructure is on-premises and part is in the cloud.

 This approach may be due to:

 Long cloud migration processes.

 Specific security requirements.

 Compliance requirements.

 Overall IT strategy.

 S3 and On-Premises Integration: S3 exposes a proprietary object API over HTTP rather than a standard file protocol such as NFS (which EFS speaks), so the question arises: how do you expose S3 data on-premises?

 Solution: AWS Storage Gateway provides a seamless way to connect on-premises environments with S3 storage, enabling hybrid cloud storage solutions.

AWS Storage Gateway

 Hybrid Storage with AWS S3:

 Connects on-premises data systems seamlessly with the AWS Cloud.

 Facilitates smooth integration and data movement between local storage and S3.

 Key Use Cases:

 Disaster recovery: Ensures data continuity by replicating on-premises data to the cloud.

 Backup & restore: Provides off-site backups in the cloud for additional security and accessibility.

 Tiered storage: Moves less frequently accessed data to the cloud to optimize costs and performance.

 AWS Storage Gateway Types:

1. File Gateway: Integrates on-premises environments with cloud-based storage for file data.

2. Volume Gateway: Uses block-based storage interfaces compatible with existing applications.

3. Tape Gateway: Simulates a physical tape library with virtual tape storage in AWS.

 Detailed knowledge of Storage Gateway types is not required for the exam.
AWS Databases: Introduction

This section provides a comprehensive introduction to the various database services available in AWS, highlighting their features, use cases, and benefits.

Why do we need databases?

 Sometimes you want to store a lot of data, or highly complex data.

 Storing it on a disk, like some of the storage options AWS offers, has its limitations.

 So we use databases. Databases allow for:

 Structuring the data.

 Building indexes so you can efficiently search through your data.

 Defining relationships between your data, which lets you model more complex relationships across all your datasets.

 Databases are designed with specific optimizations tailored to different use cases, offering varying features, structures, and limitations (which you will need to know for the exam!).

 The main databases we will be covering for the AWS Cloud Practitioner exam fall under the relational and non-relational database categories.

The difference between relational and non-relational databases

🟢 Relational Databases

1. Structure: Data stored in tables with rows and columns.

2. Schema: Fixed schema with a predefined structure.

3. Relationships: Supports complex relationships using foreign keys.

4. Query Language: Uses SQL.

5. Examples in AWS: Amazon RDS (supports MySQL, PostgreSQL, Oracle, SQL Server).

🟠 Non-Relational Databases

1. Structure: Data stored in various formats like key-value pairs, documents, or graphs.

2. Schema: Dynamic schema allowing flexibility.

3. Relationships: Generally does not enforce relationships; handles large volumes of unstructured data.

4. Query Language: Varies by engine (e.g., the MongoDB query API, Cassandra's CQL).

5. Examples in AWS: Amazon DynamoDB (key-value store), Amazon DocumentDB (document store), Amazon Neptune (graph database).

Databases: Part 1

In this section, you'll explore AWS database services including Amazon RDS
and Amazon Aurora, which offer managed relational databases with
automated administration tasks and high performance. You'll also dive into
NoSQL options like Amazon DynamoDB for scalable, low-latency applications,
and Amazon DocumentDB for managing JSON data. Additionally, you'll learn
about Amazon ElastiCache for in-memory caching with Redis and
Memcached, and DynamoDB Accelerator (DAX) for enhancing DynamoDB
read performance.

Databases: Relational Databases

Amazon RDS

 Managed database service employing SQL for queries

 Enables creation of cloud databases managed by AWS

 Supports various SQL-based databases:

 PostgreSQL

 MySQL

 MariaDB

 Oracle

 Microsoft SQL Server

 IBM DB2

 Aurora (AWS proprietary database)


Amazon RDS Deployments

1. Read Replicas

 Up to 15 Read Replicas supported

 Distribute read queries across replicas

 Primary database handles all writes

 Asynchronous replication from primary

 Enhances performance and responsiveness

2. Multi-AZ

 Failover for High Availability: activates during an Availability Zone outage, ensuring continuous database service.

 The main database handles all read/write operations.

 One standby in another Availability Zone for failover (the newer Multi-AZ DB cluster deployment keeps two readable standbys).

3. Multi-Region (Read Replicas)

 Disaster recovery in case of region issue

 Local performance for global reads

 Replication cost

(Diagrams omitted: Amazon RDS Multi-AZ with one standby; RDS Multi-AZ with two readable standbys; Multi-Region.)

Advantages of RDS compared to deploying a database on EC2:

 RDS is a managed service, offering:

 Automated provisioning and OS patching

 Continuous backups with point-in-time restore

 Monitoring dashboards

 Read replicas for enhanced read performance

 Multi-AZ setup for disaster recovery


 Scheduled maintenance windows for upgrades

 Scaling capabilities (vertical and horizontal)

 Storage backed by EBS

 Note: SSH access to instances is not available with RDS.

Amazon Aurora

 Amazon Aurora is a global-scale relational database service built for the cloud with full MySQL and PostgreSQL compatibility.

 Provides built-in security, continuous backups, serverless compute, up to 15 read replicas, automated multi-Region replication, and integrations with other AWS services.

 Aurora is "AWS cloud-optimized" and boasts significant performance enhancements, claiming a 5x improvement over MySQL on RDS and over 3x the performance of PostgreSQL on RDS.

 Aurora's storage automatically scales in increments of 10 GB, up to 128 TB.

 While Aurora is more efficient, it also costs about 20% more than RDS.

 Aurora is not included in the free tier.


Amazon Aurora Serverless

 Automated database provisioning and dynamic scaling in response to actual usage. Both PostgreSQL and MySQL are compatible with Aurora Serverless.

 Eliminates the need for capacity planning and reduces management overhead.

 Pay-per-second billing offers potential cost savings.

 Suitable for irregular, sporadic, or unpredictable workloads.

NoSQL Databases

 NoSQL databases, short for non-SQL or non-relational databases, are crafted for distinct data models and have adaptable schemas tailored for contemporary applications.

 Advantages:

 Flexibility: Simplified evolution of data models.

 Scalability: Designed for horizontal scaling through distributed clusters.

 High Performance: Optimization for specific data models.

 Functionality: Tailored types optimized for their respective data models.

 Examples: Key-value, document, graph, in-memory, and search databases.

 JSON (JavaScript Object Notation) Overview:

 Widely used data format modeled after JavaScript object syntax.

 Fits naturally into the NoSQL database model due to its schema-less nature.

 Characteristics of JSON:

 Data can include nested structures, allowing for complex data hierarchies.

 Fields in JSON data can be added, removed, or modified over time without constraints.

 Supports a variety of data types, including arrays, strings, numbers, and boolean values.
Amazon DynamoDB

 Fully managed, serverless NoSQL key/value database: AWS provisions and scales it automatically in response to actual usage.

 Data is replicated across multiple Availability Zones in the region, with single-digit millisecond latency at any scale.

 Eliminates the need for capacity planning (on-demand capacity mode) and reduces management overhead; provisioned capacity mode is available for predictable workloads.

 Billing is per request (on-demand) or per provisioned read/write capacity unit, plus storage.

 Is a key/value database:

 A key-value database is a type of non-relational (NoSQL) database that uses a simple key-value method to store data. It stores data as a collection of key-value pairs in which a key serves as a unique identifier. Both keys and values can be anything, ranging from simple objects to complex compound objects.

 On-demand mode suits irregular, sporadic, or unpredictable workloads.

Amazon DynamoDB - Global Tables

 Make a DynamoDB table accessible with low latency in multiple regions.

 Active-Active replication (read/write to any AWS Region).

Amazon DocumentDB

 MongoDB is used to store, query, and index JSON data.

 Has similar "deployment concepts" to Amazon Aurora.

 Amazon DocumentDB (with MongoDB compatibility):

 Fully managed and highly available, with replication across 3 Availability Zones (AZs).

 DocumentDB storage automatically grows in increments of 10 GB.

 Automatically scales to handle workloads with millions of requests per second.

Amazon ElastiCache

 Similar to how RDS provides managed relational databases...

 ElastiCache offers managed Redis or Memcached services.

 Caches are high-performance, low-latency in-memory databases.

 They help alleviate the load on databases for workloads with heavy read operations.

 AWS handles operating system maintenance and patching, optimizations, setup, configuration, monitoring, failure recovery, and backups.

DynamoDB Accelerator - DAX


 Fully managed in-memory cache for DynamoDB.

 Offers up to a 10x performance improvement, reducing latency from single-digit milliseconds to microseconds.

 Provides a secure, highly scalable, and highly available solution.

 Difference with ElastiCache at the CCP level:

 DAX is exclusively used with and integrated into DynamoDB. ElastiCache can be used with other databases.

Databases: Part 2

This section covers advanced AWS database services such as Amazon Redshift for data warehousing, Amazon EMR for big data processing, and Amazon Athena for running SQL queries on S3 data. You'll also explore Amazon Neptune for graph databases, Amazon Timestream for time series data, and Amazon Quantum Ledger Database (QLDB) for a verifiable transaction log. Furthermore, Amazon Managed Blockchain simplifies blockchain network management, and AWS Glue offers a fully managed ETL service. This section equips you with the knowledge to effectively utilize these advanced database solutions.

Databases: Non-Relational Databases

Amazon Redshift

 Redshift is based on PostgreSQL but is not used for Online Transaction Processing (OLTP).

 Provides a SQL interface for performing queries.

 It is designed for Online Analytical Processing (OLAP), suitable for analytics and data warehousing.

 Typically, data is loaded once every hour, not every second.

 AWS claims 10x better performance than other data warehouses; it can scale to petabytes of data.

 Utilizes columnar storage of data, as opposed to row-based storage.

 Uses Massively Parallel Processing (MPP) for query execution and is highly available.

 Pricing is based on a pay-as-you-go model, depending on the instances provisioned.

 Compatible with Business Intelligence (BI) tools such as Amazon QuickSight or Tableau for data visualization and analysis.

Amazon Redshift Serverless

 Automatically provisions and scales the underlying capacity of the data warehouse.

 Allows running analytics workloads without managing data warehouse infrastructure.

 Offers a pay-only-for-what-you-use pricing model, helping save costs.

 Use cases include reporting, dashboarding applications, and real-time analytics.

Amazon EMR (Elastic MapReduce)

 A cloud big data platform for processing massive amounts of data.

 Supports open-source tools such as Apache Hadoop, Apache Spark, HBase, Flink, and Presto.

 Simplifies running big data frameworks for processing and analyzing large datasets.

 Designed to be cost-effective, scalable, and secure.

 Commonly used for data transformation, data processing, and data analytics tasks.

 Allows quick setup and configuration of clusters of virtual servers for data processing.

 Suitable for handling vast amounts of data efficiently.

Amazon Athena

 Serverless query service to analyze data stored in Amazon S3.

 Uses standard SQL to query files.

 Supports formats such as CSV, JSON, ORC, Avro, and Parquet (built on Presto).

 Pricing: $5.00 per TB of data scanned.

 Optimize cost by using compressed or columnar data formats (reduces data scanned).

 Use cases include business intelligence, analytics, reporting, and analyzing logs such as VPC Flow Logs, ELB logs, and CloudTrail trails.

Amazon QuickSight

 Serverless, machine-learning-powered business intelligence service for creating interactive dashboards.

 Fast, automatically scalable, and embeddable, with per-session pricing.

 Use cases include:

 Business analytics.

 Building visualizations.

 Performing ad-hoc analysis.

 Gaining business insights using data.

 Integrated with various data sources such as RDS, Aurora, Athena, Redshift, and S3.

Amazon Neptune

 Fully managed graph database service.

 Popular for datasets like social networks, where users have friends, posts have comments, comments have likes from users, and users share and like posts.

 Highly available, with replication across three Availability Zones (AZs) and up to 15 read replicas.

 Designed to build and run applications working with highly connected datasets, optimized for complex and challenging queries.

 Capable of storing up to billions of relationships and querying the graph with millisecond latency.

 Great for use cases such as knowledge graphs (like Wikipedia), fraud detection, recommendation engines, and social networking.

Amazon Timestream

 Fully managed, fast, scalable, serverless time series database.

 Automatically scales up and down to adjust capacity as needed. Capable of storing and analyzing trillions of events per day.

 AWS claims performance thousands of times faster, at one tenth of the cost, of traditional relational databases for this workload.

 Provides built-in time series analytics functions to help identify patterns in data in near real time.

Amazon Quantum Ledger Database (QLDB)

 Amazon Quantum Ledger Database (Amazon QLDB) is designed to record financial transactions in a transparent, immutable, and cryptographically verifiable manner.

 Fully managed, serverless, highly available, with replication across three Availability Zones (AZs).

 Used to review the history of all changes made to your application data over time.

 Immutable system: no entry can be removed or modified, ensuring data integrity (the journal is hash-chained, so tampering is detectable).

 Offers 2-3x better performance than common ledger blockchain frameworks and allows data manipulation using SQL.

 Difference with Amazon Managed Blockchain: QLDB does not have a decentralization component and is designed to comply with financial regulation rules.

 Note: AWS has announced the end of support for QLDB (July 31, 2025) and recommends migrating ledgers to Amazon Aurora PostgreSQL.

Amazon Managed Blockchain

 Blockchain Technology:

 Enables the development of applications where multiple parties can execute transactions without requiring a trusted, central authority.

 Amazon Managed Blockchain:

 A managed service that allows you to:

 Join public blockchain networks.

 Create your own scalable private network.

 Compatible with the blockchain frameworks Hyperledger Fabric and Ethereum.

AWS Glue

 Managed extract, transform, and load (ETL) service.

 Useful for preparing and transforming data for analytics.

 Fully serverless.


Database Migration Services

In this section, you'll explore AWS Database Migration Services (DMS), which
simplifies database migrations to AWS with minimal downtime. You'll learn
about both homogeneous (e.g., Oracle to Oracle) and heterogeneous (e.g.,
SQL Server to Amazon Aurora) migrations, along with continuous data
replication. Additionally, you'll cover the AWS Schema Conversion Tool (SCT)
for transforming schemas and code during heterogeneous migrations. This
section equips you with the skills for efficient and reliable database
migrations to AWS.

Databases: Migration Services

DMS – Database Migration Service

 Quickly and securely migrates databases to AWS; the service is resilient and self-healing.

 The source database remains available during the migration process.

 Supports both homogeneous migrations (e.g., Oracle to Oracle) and heterogeneous migrations (e.g., Microsoft SQL Server to Amazon Aurora).

AWS Schema Conversion Tool

 AWS offers two schema conversion solutions for database
migrations: the managed AWS DMS Schema Conversion (DMS
SC) and the downloadable AWS Schema Conversion Tool (AWS
SCT).

 Both solutions automatically convert database schemas and code
objects, marking unconvertible objects with manual conversion
instructions.

 AWS SCT scans application source code for SQL statements and
optimizes them for AWS services during database migration.

 Post-conversion, AWS SCT facilitates data migration from various
warehouses to Amazon Redshift using data migration agents.

 These tools simplify migrations, support popular databases, and save
significant manual effort and resources.

AWS Databases: Shared Responsibility Model

In this section, you'll learn about the shared responsibility model for
databases in AWS. This model outlines the division of security and
compliance responsibilities between AWS and the customer. AWS is
responsible for securing the infrastructure, including hardware, software,
networking, and facilities. Customers are responsible for managing their
data, including encryption, access control, and compliance with regulatory
requirements. Understanding this model ensures that you can effectively
manage database security and compliance in the AWS environment.

 AWS:

 RDS sets up and runs the database engine on the instance
provided.

 Maintenance and Operations:

 AWS manages OS and database engine maintenance and
patching.

 Customer:

 Choose instance type and storage class for desired processing
power and performance.

 Configure network access via security groups.

 Manage database users and permissions.


IAM : Introduction

In the AWS Identity and Access Management (IAM) section, you'll dive into
managing user access and permissions in the AWS cloud. Learn to create and
manage users, groups, and roles, and implement fine-grained access
controls with IAM policies. Explore advanced features like multi-factor
authentication (MFA) and cross-account roles to ensure secure access
management.

Identity Access Management (IAM)

 Identity Access Management allows you to specify who or what
can access services and resources in AWS, centrally manage
fine-grained permissions, and analyze access to refine
permissions across AWS.

 Global service for managing user identities and access to AWS
resources.

 Default root account is created but shouldn't be utilized or
shared for security reasons.

 Users represent individuals within the organization
and can be organized into groups.

 Groups exclusively contain users and cannot include
other groups.

 Users are not required to belong to a
group and can be members of multiple
groups simultaneously.

Identity Access Management: Permissions

 Users, groups, or roles can be assigned JSON documents known
as policies.

 Policies define the permissions granted to users.

📍 AWS follows the least privilege principle, meaning users are given only
the permissions they need to perform their tasks, minimizing the risk
of unauthorized access or misuse.

Identity Access Management: Policies


 IAM policies are JSON documents that define permissions for
users, groups, or roles.

 Each policy consists of one or more statements, each with specific
access permissions.

 Statements contain elements such as actions (the actions allowed or
denied), resources (the AWS resources to which the actions apply), and
conditions (optional criteria that must be met for the policy to be
applied).

 Policies can be attached to IAM identities (users, groups, or
roles) to grant or restrict access to AWS resources.

 AWS provides predefined policies for common use cases, and custom
policies can be created to tailor permissions according to specific
requirements.

IAM Policies Inheritance

Identity Access Management: Policy Structure

 The policy consists of:

 Version: The version of the policy language, always set to
"2012-10-17".

 Id: An optional identifier for the policy.

 Statement: One or more individual statements (required).

 Each statement consists of:

 Sid: An optional identifier for the statement.

 Effect: Specifies whether the statement allows or denies access
(Allow, Deny).

 Principal: The account, user, or role to which the policy is
applied.

 Action: A list of actions that the policy allows or denies.

 Resource: A list of resources to which the actions are applied.

 Condition: Optional conditions for when the policy is in effect.
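
A worked example of this structure, added here and not part of the original notes: a small Python evaluator that applies a constructed identity-based policy, including the MFA condition this section later recommends for privileged actions, using IAM's implicit-deny / explicit-deny-wins logic. The policy contents, ARNs and the subset of condition operators supported are assumptions for illustration; only the element names come from the text above.

```python
"""Evaluate a request against an IAM policy document.

Core IAM decision logic: a request is implicitly denied, a matching
Allow statement grants it, and a matching Deny statement overrides
any Allow. Action/Resource matching uses IAM's '*' and '?' wildcards;
the Condition block supports StringEquals, Bool and BoolIfExists.
"""
import fnmatch
import json

# Constructed sample identity-based policy (not taken from a real account).
# Identity-based policies carry no Principal element: the identity the
# policy is attached to is the principal. Principal appears in
# resource-based policies such as S3 bucket policies.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Id": "ExampleReadWithMfa",
  "Statement": [
    {
      "Sid": "AllowReadExampleBucket",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::example-bucket",
                   "arn:aws:s3:::example-bucket/*"]
    },
    {
      "Sid": "DenyAllS3WithoutMfa",
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "*",
      "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}
    }
  ]
}
""")


def _as_list(value):
    """Action, Resource and condition values may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    """Action names are case-insensitive; '*' and '?' are wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _resource_matches(patterns, arn):
    """Resource ARNs are case-sensitive; '*' also matches across '/'."""
    return any(fnmatch.fnmatchcase(arn, p) for p in patterns)


def _condition_holds(condition, context):
    """Every operator/key pair in the Condition block must hold."""
    for operator, keys in (condition or {}).items():
        for key, expected in keys.items():
            values = [str(v) for v in _as_list(expected)]
            actual = context.get(key)
            if operator == "StringEquals":
                ok = actual is not None and str(actual) in values
            elif operator == "Bool":
                # Missing key: the condition is false and the statement is skipped.
                ok = actual is not None and str(actual).lower() in [v.lower() for v in values]
            elif operator == "BoolIfExists":
                # A missing key counts as a match, which is why a Deny keyed on
                # aws:MultiFactorAuthPresent uses this form: requests signed with
                # long-term access keys never carry the key at all.
                ok = actual is None or str(actual).lower() in [v.lower() for v in values]
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request against one policy."""
    context = context or {}
    decision = "Deny"  # implicit deny until an Allow statement matches
    for stmt in _as_list(policy["Statement"]):
        if not _action_matches(_as_list(stmt.get("Action")), action):
            continue
        if not _resource_matches(_as_list(stmt.get("Resource")), resource):
            continue
        if not _condition_holds(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins
        decision = "Allow"
    return decision


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"
    for ctx in ({"aws:MultiFactorAuthPresent": "true"}, {}):
        print(ctx, "s3:GetObject ->", evaluate(SAMPLE_POLICY, "s3:GetObject", obj, ctx))
```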

Identity Access Management: Shared Responsibility Model

 AWS handles:

 Infrastructure (global network security)

 Configuration and vulnerability analysis

 Compliance validation

 You, the customer, handle:

 Users, Groups, Roles, Policies management and monitoring

 Enable MFA on all accounts

 Rotate all your keys often

 Use IAM tools to apply appropriate permissions

 Analyze access patterns & review permissions

Security within IAM

In this section, we focus on securing your AWS environment through IAM best
practices. Discover how to set up multi-factor authentication (MFA), enforce
strong password policies, and utilize IAM roles for secure access
management. Learn to monitor and audit IAM activity for compliance and
threat detection, ensuring your AWS resources stay protected.

IAM : Password Policy

 Setting a strong password enhances the security of your AWS
account.

 AWS allows you to establish a password policy, enabling you
to:

 Specify a minimum password length.

 Mandate the inclusion of specific character types, such as
uppercase letters, lowercase letters, numbers, and non-alphanumeric
characters.

 Permit all IAM users to change their passwords.

 Enforce password expiration, prompting users to change their
passwords after a defined period.

 Prevent the reuse of passwords to enhance security further.

IAM : Multi-Factor Authentication

 Users with access to your AWS account can potentially modify
configurations or delete resources, posing security risks.

 It's essential to safeguard both root accounts and IAM
users.

 Multi-Factor Authentication (MFA) adds an extra layer of security by
requiring users to provide both a password (something they
know) and a security device (something they own), reducing
the risk of unauthorized access, even if passwords are
compromised.

 If a password is stolen or hacked, the account is not
compromised.

 Multifactor Devices:

Access Keys in AWS

 You can access AWS in three ways:

1. AWS Management Console (protected by password +
MFA)

2. AWS Command Line Interface (CLI): protected by access
keys

3. AWS Software Development Kit (SDK) - for code: protected by
access keys

 Access Keys are generated via the AWS Management Console.

 Users are responsible for managing their own access keys.

 Access Keys are treated as secrets and should not be shared.

 The Access Key ID serves a similar purpose as a username.

 The Secret Access Key serves a similar purpose as a password.

 Don’t share your access keys with anyone!

AWS Command Line Interface

 Facilitates interaction with AWS services via commands in your
command-line shell.

 Provides direct access to the public APIs of AWS services.

 Enables the development of scripts for resource management.

 Open-source tool available at https://github.com/aws/aws-cli.

 Serves as an alternative to using the AWS Management Console for
AWS resource management tasks.

AWS Software Development Kit (SDK)

📍 The AWS Software Development Kit (AWS SDK) = a collection of
language-specific APIs (libraries) that enable you to
programmatically access and manage AWS services.

 It can be embedded within your application and supports:

 SDKs: For languages like JavaScript, Python, PHP, .NET, Ruby,
Java, Go, Node.js, and C++.

 Mobile SDKs: For platforms like Android and iOS.

 IoT Device SDKs: For platforms like Embedded C and Arduino.

 An example of the AWS SDK in use is the AWS CLI, which is built on the
AWS SDK for Python.

IAM Roles for Services

 Certain AWS services require permission to perform actions on your
behalf.

 To grant permissions, IAM roles are assigned to AWS services.

 Common roles include:

 EC2 Instance Roles

 Lambda Function Roles

 Roles for CloudFormation

 IAM roles define the permissions and policies that govern what
actions the associated service can perform.

IAM Security Tools

 IAM Credentials Report (Account-Level): Provides a
comprehensive list of all users in your AWS account along with
the status of their various credentials.

 Enables tracking and monitoring of IAM users and their
associated credentials, including access keys and passwords.

 IAM Access Advisor (User-Level): Displays the service
permissions granted to an IAM user.

 Shows the timestamp of the user's last access to each service.

 Helps in reviewing and revising IAM policies based on actual
service usage to ensure adherence to the principle of least
privilege.

IAM Best Practices

 Principle of Least Privilege:

 Grant users only the permissions they need to perform their
tasks.

 Regularly review and refine IAM policies to remove unnecessary
permissions.

 Use IAM Roles for AWS Resources:

 Assign IAM roles to AWS services (e.g., EC2 instances, Lambda
functions) instead of using long-term access keys.

 Rotate IAM role credentials regularly for enhanced security.

 Enable Multi-Factor Authentication (MFA):

 Require IAM users to use MFA to add an extra layer of security.

 Enforce MFA for privileged actions and console access.

 One physical user = One AWS user

 Create a strong password policy

 Audit permissions of your account using IAM Credentials
Report & IAM Access Advisor

IAM Guidelines and Best Practices

 Root Account Usage: Only use the root account for AWS account
setup; otherwise, avoid using it for day-to-day operations.

 User Management: Create a separate AWS user for each individual
and avoid sharing credentials.

 Group Assignment: Assign users to groups and manage permissions
at the group level for easier management.

 Password Policy: Implement a strong password policy to enhance
security.

 Multi-Factor Authentication (MFA): Use and enforce MFA to add an
extra layer of security.

 Roles for Services: Use roles to grant permissions to AWS services
rather than using individual user credentials.

 Programmatic Access: Use access keys for programmatic access
(CLI/SDK) and rotate them regularly.

 Audit Permissions: Regularly audit permissions using tools like the
IAM Credentials Report and IAM Access Advisor.

 Access Key Management: Never share IAM users and access keys;
each should be unique to an individual or service.

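
An added audit example, not from the original notes, that runs the checks the IAM Security Tools and best-practice bullets above call for (MFA on console users, root access keys, key rotation and unused keys) over a constructed IAM credential report. The column names follow the real report's CSV; the users, timestamps and the 90-day thresholds are invented for illustration.

```python
"""Audit an IAM credential report for the risks the IAM best practices name:
console users without MFA, root access keys, and stale or unrotated keys.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed sample report. A real report is CSV with these column names
# (and more); the four rows here are invented.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2022-01-10T09:00:00+00:00,true,2024-05-01T08:15:00+00:00,not_supported,true,true,2022-01-10T09:05:00+00:00,N/A,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2023-03-02T14:30:00+00:00,true,2024-05-20T11:00:00+00:00,2024-03-01T10:00:00+00:00,true,true,2024-04-15T10:00:00+00:00,2024-05-21T07:45:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2023-06-18T08:00:00+00:00,true,2024-05-19T16:20:00+00:00,2023-12-01T09:00:00+00:00,false,true,2023-11-01T09:00:00+00:00,2024-05-18T12:00:00+00:00,false,N/A,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2023-09-05T12:00:00+00:00,false,no_information,N/A,false,true,2024-05-01T00:00:00+00:00,2024-05-21T23:10:00+00:00,true,2023-08-01T00:00:00+00:00,2023-12-24T02:00:00+00:00
"""

# Fixed "now" so the sample audit is reproducible (constructed).
SAMPLE_NOW = datetime(2024, 5, 22, tzinfo=timezone.utc)

# Placeholder strings the report uses where no timestamp exists.
_NO_TIMESTAMP = {"", "N/A", "no_information", "not_supported"}


def _parse_ts(value):
    """Report timestamps are ISO 8601; placeholders mean 'no timestamp'."""
    return None if value in _NO_TIMESTAMP else datetime.fromisoformat(value)


def audit_credential_report(report_csv, now, max_key_age_days=90, max_unused_days=90):
    """Return a list of findings, each {'user', 'check', 'detail'}."""
    findings = []

    def flag(user, check, detail):
        findings.append({"user": user, "check": check, "detail": detail})

    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Console access (password enabled) must be paired with MFA.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            flag(user, "no_mfa", "console password enabled but MFA is not active")
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            if user == "<root_account>":
                flag(user, "root_access_key", f"root user has active access key {slot}")
            rotated = _parse_ts(row[f"access_key_{slot}_last_rotated"])
            if rotated and (now - rotated).days > max_key_age_days:
                flag(user, "key_rotation",
                     f"access key {slot} last rotated {(now - rotated).days} days ago")
            # A key that has never been used is measured from its creation.
            last_used = _parse_ts(row[f"access_key_{slot}_last_used_date"]) or rotated
            if last_used and (now - last_used).days > max_unused_days:
                flag(user, "key_unused",
                     f"access key {slot} unused for {(now - last_used).days} days")
    return findings


def run_sample():
    """Audit the constructed report at the fixed sample time."""
    return audit_credential_report(SAMPLE_REPORT, SAMPLE_NOW)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['user']:<15} {f['check']:<16} {f['detail']}")
```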
Security Tools

This course covers essential security tools within the Amazon Web Services
(AWS) ecosystem. Learn how to protect your AWS resources with services like
AWS Secrets Manager, AWS Artifact, Amazon GuardDuty, Amazon Inspector,
AWS Config, AWS CloudTrail, and more. Gain hands-on experience in
deploying and configuring these tools to enhance your AWS environment's
security posture.

Security Tools to Protect Your AWS Resources

AWS Secrets Manager

 A recently introduced service designed for storing secrets securely.

 Passwords are an example of some of the secrets you may have!

 Allows enforcing rotation of secrets at regular intervals.

 Automates the generation of secrets during rotation, leveraging
Lambda functions.

 Integrates seamlessly with Amazon RDS (MySQL, PostgreSQL,
Aurora) for enhanced security.

 Ensures encryption of secrets using KMS (Key Management Service).

 Primarily tailored for RDS integration, providing robust secret
management capabilities.

AWS Artifact

📍 AWS Artifact = An online platform providing customers with instant
access to AWS compliance documentation and agreements.

 Artifact Reports = enable downloading of AWS security and
compliance documents from third-party auditors, including ISO
certifications, Payment Card Industry (PCI) reports, and System and
Organization Control (SOC) reports.

 Artifact Agreements = facilitate reviewing, accepting, and tracking
the status of AWS agreements like the Business Associate Addendum
(BAA) or Health Insurance Portability and Accountability Act (HIPAA)
within individual accounts or organizations.

 Supports internal audit or compliance processes by
offering comprehensive access to necessary
documentation and agreements.

Amazon GuardDuty

📍 Amazon GuardDuty = An intelligent threat discovery solution to
safeguard your AWS Account.

 Utilizes Machine Learning algorithms, anomaly detection techniques,
and third-party data sources.

 Activation is simplified with a one-click enablement process (30-day
trial), eliminating the need for software installation.

 Input data sources encompass various AWS services:

 CloudTrail Event Logs: Detects unusual API calls and
unauthorized deployments.

 CloudTrail Management Events: Monitors activities like VPC
subnet creation and trail setup.

 CloudTrail S3 Data Events: Tracks actions such as object
retrieval, listing, and deletion.

 VPC Flow Logs: Identifies unusual internal traffic patterns and
IP addresses.

 Optional features extend coverage to additional services such as EKS
Audit Logs, RDS, Aurora, EBS, Lambda, and S3 Data Events.

 Offers integration with EventBridge rules for proactive notifications in
case of findings, which can be directed to AWS Lambda or SNS.

 Provides protection against cryptocurrency attacks, with a
dedicated "finding" for this threat vector.

Amazon Inspector

📍 Amazon Inspector = Automated Security Assessments streamline
security evaluations across various AWS resources.

 AWS resources you can use Inspector on:

 EC2 Instances:

 Utilizes the AWS Systems Manager (SSM) agent for
assessment.

 Analyzes unintended network accessibility and checks for
known vulnerabilities in the running OS.

 Container Images in Amazon ECR:

 Conducts assessments of container images upon push to
Amazon Elastic Container Registry (ECR).

 Lambda Functions:

 Identifies software vulnerabilities in function code and
package dependencies.

 Assesses functions during deployment.

AWS Config

📍 AWS Config = facilitates auditing and maintaining compliance for
AWS resources.

 You can do the following with Config:

 Record configurations and changes over time.

 Optionally store configuration data in S3 for analysis with Athena.

 Answer questions such as whether security groups restrict SSH
access and whether buckets are publicly accessible.

 Receive alerts (SNS notifications) for any changes made.

 Config is a per-region service but can be aggregated across
regions and accounts for comprehensive analysis.

AWS CloudTrail

 Provides governance, compliance, and auditing capabilities for
your AWS account.

 CloudTrail is enabled by default, offering a history of events and
API calls made within your AWS account through various
interfaces such as the Console, SDK, CLI, and AWS services.

 Logs from CloudTrail can be stored in CloudWatch Logs or S3 for further
analysis and monitoring.

 A trail can be configured to apply to all regions (default) or a
single region for more granular control.

 In case of resource deletion in AWS, CloudTrail should be the first place
to investigate to understand the actions taken.

AWS Macie

📍 Amazon Macie = a fully managed data security and privacy
service leveraging machine learning and pattern matching to identify
and safeguard sensitive data within AWS.

 Detects and notifies users about sensitive data, such as personally
identifiable information (PII).

AWS Security Hub

📍 AWS Security Hub = serves as a centralized security management
tool, enabling the oversight of security across multiple AWS accounts and
automating security checks.

 Integrated dashboards provide real-time security and
compliance status, facilitating swift actions.

 Automatically aggregates alerts from various AWS services and partner
tools, including:

 Config, GuardDuty, Inspector, Macie, IAM Access Analyzer,
Systems Manager, Firewall Manager, AWS Health, and AWS
Partner Network Solutions.

 Initial activation of the AWS Config Service is required to utilize
Security Hub's capabilities.

AWS Detective

📍 Amazon Detective = leverages machine learning and graph analysis to
analyze, investigate, and rapidly identify the underlying cause of security
concerns or suspicious activities.

 Automatically gathers and processes events from various sources like
VPC Flow Logs, CloudTrail, and GuardDuty, creating a comprehensive
and unified view.

 Visualizations provided by Amazon Detective offer detailed insights
and contextual information, aiding in the identification and resolution
of security incidents.

IAM Access Analyzer

 Identify shared resources outside your defined zone of
trust within AWS by examining:

 S3 Buckets

 IAM Roles

 KMS Keys

 Lambda Functions and Layers

 SQS Queues

 Secrets you store inside Secrets Manager

 Establish a zone of trust, typically an AWS Account or AWS
Organization, and flag any access to resources outside this zone
as findings for further investigation.

Root User Privilege

📍 Root user = the AWS account owner, automatically created during
account setup

 Possesses unrestricted access to all AWS services and resources

 Lock away your AWS root user access keys

 Don’t use your root account for everyday purposes

 Actions that can be performed only by the root user:

 Change account settings (account name, email address, root
user password, root user access keys)

 View certain tax invoices

 Close your AWS account

 Restore IAM user permissions

 Change or cancel your AWS Support plan

 Register as a seller in the Reserved Instance Marketplace

 Configure an Amazon S3 bucket to enable MFA

 Edit or delete an Amazon S3 bucket policy that includes an
invalid VPC ID or VPC endpoint ID

 Sign up for GovCloud

AWS Abuse

📍 AWS Abuse = If you suspect AWS resources are being used for abusive or
illegal activities, report them promptly to the AWS Abuse team.

 Abusive and prohibited behaviors include spam, port scanning, DoS or
DDoS attacks, intrusion attempts, hosting objectionable or copyrighted
content, and distributing malware.

 Contact the AWS Abuse team through the AWS abuse form or via email
at [email protected] with relevant details and evidence for
investigation and action.

Cloud Monitoring

Cloud monitoring in AWS involves tracking the health, performance, and
security of cloud resources using services like Amazon CloudWatch and AWS
CloudTrail. These tools provide real-time insights, alerts, and logs to help
identify and resolve issues quickly. Effective monitoring ensures your AWS
applications and services remain reliable, efficient, and secure.

AWS CloudWatch Metrics

📍 CloudWatch offers metrics for every service in AWS, providing valuable
insights into resource utilization and performance.

 A metric is a variable to monitor, such as CPU utilization, network
traffic, and more, with each metric having associated timestamps.

 You can create CloudWatch dashboards to visualize and track these
metrics over time for effective monitoring and analysis.

AWS CloudWatch Alarms

 Alarms serve to initiate notifications based on various metrics.

 Alarm actions include:

 Auto Scaling: adjusting the desired count of EC2 instances.

 EC2 Actions: halting, terminating, restarting, or restoring an EC2
instance.

 SNS notifications: dispatching a notification to an SNS topic.

 Several statistic options are available, such as sample count,
percentiles, maximum, minimum, etc.

 Users can select the evaluation period for an alarm.

 For instance, one can set up a billing alarm on the CloudWatch Billing
metric.

 Alarm states include: OK, INSUFFICIENT_DATA, and ALARM.
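
Added example, not part of the original notes: a simplified model of the alarm evaluation described above, showing how a statistic is applied to each period, how the evaluation period and datapoints-to-alarm settings combine, and how the three states arise. The CPU samples are constructed, and the handling of missing data is simplified as the docstring notes.

```python
"""Simplified model of how a CloudWatch alarm turns metric data points into
the OK / ALARM / INSUFFICIENT_DATA states, including the statistic applied
to each period and the evaluation-period / datapoints-to-alarm settings.
"""
import math
from statistics import mean

# Comparison operators a CloudWatch alarm can be configured with.
COMPARATORS = {
    "GreaterThanThreshold": lambda v, t: v > t,
    "GreaterThanOrEqualToThreshold": lambda v, t: v >= t,
    "LessThanThreshold": lambda v, t: v < t,
    "LessThanOrEqualToThreshold": lambda v, t: v <= t,
}


def statistic(samples, stat):
    """Reduce the raw samples of one period to one data point; None if no data."""
    if not samples:
        return None
    if stat == "Average":
        return mean(samples)
    if stat == "Sum":
        return sum(samples)
    if stat == "Maximum":
        return max(samples)
    if stat == "Minimum":
        return min(samples)
    if stat == "SampleCount":
        return len(samples)
    if stat.startswith("p"):  # percentile, e.g. p90 (nearest-rank method)
        rank = max(1, math.ceil(float(stat[1:]) / 100 * len(samples)))
        return sorted(samples)[rank - 1]
    raise ValueError(f"unknown statistic: {stat}")


def evaluate_alarm(period_samples, stat, comparison, threshold,
                   evaluation_periods, datapoints_to_alarm=None,
                   treat_missing_data="missing"):
    """Evaluate the last `evaluation_periods` periods of raw samples.

    period_samples: list of per-period sample lists, oldest first; an empty
    list is a period with no data. The alarm goes to ALARM when at least
    `datapoints_to_alarm` (default: all) of the evaluated points breach.
    Missing points follow treat_missing_data ("breaching", "notBreaching",
    "ignore" or "missing"); this simplified model treats everything except
    "breaching" as "does not count as breaching".
    """
    datapoints_to_alarm = datapoints_to_alarm or evaluation_periods
    window = period_samples[-evaluation_periods:]
    points = [statistic(s, stat) for s in window]
    if all(p is None for p in points):
        return "INSUFFICIENT_DATA"  # nothing at all to evaluate
    compare = COMPARATORS[comparison]

    def breaching(point):
        if point is None:
            return treat_missing_data == "breaching"
        return compare(point, threshold)

    if sum(1 for p in points if breaching(p)) >= datapoints_to_alarm:
        return "ALARM"
    return "OK"


# Constructed CPUUtilization samples for six consecutive 5-minute periods;
# the fifth period has no data (e.g. the instance was briefly unreachable).
CPU_PERIODS = [[12, 15, 11], [20, 25, 19], [85, 90, 92], [88, 95, 91], [], [93, 97, 99]]


def demo():
    """States for a 'CPU average > 80 in N of the last 3 periods' alarm."""
    return {
        "two_of_three": evaluate_alarm(CPU_PERIODS, "Average", "GreaterThanThreshold", 80, 3, 2),
        "three_of_three": evaluate_alarm(CPU_PERIODS, "Average", "GreaterThanThreshold", 80, 3),
        "missing_breaching": evaluate_alarm(CPU_PERIODS, "Average", "GreaterThanThreshold", 80, 3,
                                            treat_missing_data="breaching"),
        # A billing alarm: one period of the Maximum estimated charge above 40.
        "billing": evaluate_alarm([[42.5]], "Maximum", "GreaterThanThreshold", 40, 1),
    }


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:<18} {state}")
```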

Amazon CloudWatch Logs

 CloudWatch Logs can collect logs from:

 Elastic Beanstalk: collection of logs from application

 ECS: collection from containers

 AWS Lambda: collection from function logs

 CloudTrail based on filter

 CloudWatch log agents: on EC2 machines or on-premises servers

 Route53: Log DNS queries

 Enables real-time monitoring of logs

 Adjustable CloudWatch Logs retention

 By default, logs from your EC2 instance do not go to
CloudWatch.

 To send logs to CloudWatch, you need to run a CloudWatch agent
on EC2.

 Ensure correct IAM permissions for the agent.

 The CloudWatch log agent can also be set up on-premises.

Amazon EventBridge

 Amazon EventBridge is a serverless event bus that facilitates
application integration by streaming data in real time.

 It routes events from AWS services, custom applications, and SaaS
products to over 90 AWS targets like Lambda, SQS, and SNS.

 The service decouples application components, simplifying the
management of event-driven architectures and enhancing flexibility.

 Key use cases include application orchestration and real-time data
processing.

 To get started with EventBridge, set up event rules, configure security
with IAM roles, and conduct pattern testing.

 Best practices include efficient event filtering and robust error handling
in event-driven setups.
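
Added example, not part of the original notes, covering the rule and pattern-testing step above and the GuardDuty-to-EventBridge integration described in the Security Tools section: an EventBridge-style pattern matcher that routes constructed GuardDuty finding events to rule targets. The rule names and target labels are assumptions; the event envelope fields follow EventBridge's, while the finding details are invented.

```python
"""Match EventBridge-style event patterns against GuardDuty finding events and
work out which rule targets would receive each finding.

Supports the pattern features a GuardDuty routing rule typically uses:
exact value lists, nested objects, and the "prefix", "numeric",
"anything-but" and "exists" matchers. The rules and events are constructed.
"""
import operator

_NUMERIC_OPS = {"=": operator.eq, ">": operator.gt, ">=": operator.ge,
                "<": operator.lt, "<=": operator.le}


def _is_number(value):
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def _numeric_ok(spec, value):
    """spec is a flat list of operator/number pairs, e.g. [">=", 7] or [">", 0, "<", 5]."""
    return all(_NUMERIC_OPS[spec[i]](value, spec[i + 1]) for i in range(0, len(spec), 2))


def _leaf_matches(rules, value):
    """A pattern leaf is a list; the event value matches if any entry matches."""
    values = value if isinstance(value, list) else [value]
    for rule in rules:
        if isinstance(rule, dict):
            if "prefix" in rule and any(isinstance(v, str) and v.startswith(rule["prefix"]) for v in values):
                return True
            if "numeric" in rule and any(_is_number(v) and _numeric_ok(rule["numeric"], v) for v in values):
                return True
            if "anything-but" in rule:
                banned = rule["anything-but"]
                banned = banned if isinstance(banned, list) else [banned]
                if all(v not in banned for v in values):
                    return True
        elif rule in values:
            return True
    return False


def matches(pattern, event):
    """Every key in the pattern must be present in the event and match."""
    for key, rule in pattern.items():
        present = isinstance(event, dict) and key in event
        if isinstance(rule, list) and rule and isinstance(rule[0], dict) and "exists" in rule[0]:
            if present != bool(rule[0]["exists"]):
                return False
            continue
        if not present:
            return False
        if isinstance(rule, dict):
            if not matches(rule, event[key]):
                return False
        elif not _leaf_matches(rule, event[key]):
            return False
    return True


def route(event, rules):
    """Return the names of all rules whose pattern matches the event."""
    return [name for name, pattern, _targets in rules if matches(pattern, event)]


# Constructed rules: high-severity findings notify the on-call topic, crypto-mining
# findings invoke a remediation function, and every finding is kept in a log group.
RULES = [
    ("guardduty-high-severity", {"source": ["aws.guardduty"],
                                 "detail-type": ["GuardDuty Finding"],
                                 "detail": {"severity": [{"numeric": [">=", 7]}]}},
     ["sns:security-alerts"]),
    ("guardduty-crypto-mining", {"source": ["aws.guardduty"],
                                 "detail": {"type": [{"prefix": "CryptoCurrency:"}]}},
     ["lambda:isolate-instance"]),
    ("guardduty-all-findings", {"source": ["aws.guardduty"]},
     ["logs:/aws/events/guardduty"]),
]

# Constructed GuardDuty finding events (envelope shape is EventBridge's; detail values invented).
HIGH_FINDING = {
    "version": "0", "id": "constructed-event-1", "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty", "account": "123456789012",
    "time": "2024-05-21T10:12:00Z", "region": "us-east-1", "resources": [],
    "detail": {"id": "constructed-finding-1", "severity": 8,
               "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
               "resource": {"resourceType": "Instance"}},
}
LOW_FINDING = {**HIGH_FINDING, "id": "constructed-event-2",
               "detail": {"id": "constructed-finding-2", "severity": 2,
                          "type": "Recon:EC2/PortProbeUnprotectedPort",
                          "resource": {"resourceType": "Instance"}}}
EC2_STATE_EVENT = {**HIGH_FINDING, "id": "constructed-event-3", "source": "aws.ec2",
                   "detail-type": "EC2 Instance State-change Notification",
                   "detail": {"instance-id": "i-0123456789abcdef0", "state": "stopped"}}

if __name__ == "__main__":
    for evt in (HIGH_FINDING, LOW_FINDING, EC2_STATE_EVENT):
        print(evt["detail-type"], "->", route(evt, RULES))
```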

AWS CloudTrail

 Ensures governance, compliance, and audit capabilities for your
AWS account.

 CloudTrail is activated by default.

 Tracks and records a history of events and API calls in your AWS
account via:

 AWS Management Console

 SDKs

 Command Line Interface (CLI)

 AWS Services

 Allows integration of CloudTrail logs into CloudWatch Logs or
Amazon S3 for storage.

 Trails can be configured to monitor all regions (default setting) or a
specific single region.

 In cases of resource deletion within AWS, CloudTrail should be checked
first for investigation.
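
Added example, not from the original notes, of the investigation the last bullet (and the earlier CloudTrail section) describes: constructed CloudTrail records are triaged for deletion and termination calls and for calls that stop or alter the trail itself, with the caller, source address and outcome of each. The field names are CloudTrail's; the identities, resource IDs and addresses are invented.

```python
"""Triage a CloudTrail log file for the actions a deletion investigation starts
from: who issued Delete*/Terminate* calls, from where, whether they succeeded,
and whether anyone tampered with the trail itself.
"""
import json

DESTRUCTIVE_PREFIXES = ("Delete", "Terminate", "Remove")
# Calls that blind CloudTrail are the first thing to look for.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

# Constructed CloudTrail records (field names are CloudTrail's; the
# identities, IDs and addresses are invented).
SAMPLE_TRAIL = json.loads("""
{"Records": [
 {"eventVersion": "1.08", "eventTime": "2024-05-21T09:58:10Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeInstances", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.25",
  "readOnly": true,
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice", "userName": "alice"},
  "requestParameters": {}},
 {"eventVersion": "1.08", "eventTime": "2024-05-21T10:01:12Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "DeleteTrail", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.25",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob", "userName": "bob"},
  "errorCode": "AccessDenied", "errorMessage": "constructed: not authorized",
  "requestParameters": {"name": "management-trail"}},
 {"eventVersion": "1.08", "eventTime": "2024-05-21T10:02:44Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "TerminateInstances", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.25",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob", "userName": "bob"},
  "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0abc123def456789a"}]}}},
 {"eventVersion": "1.08", "eventTime": "2024-05-21T10:05:01Z", "eventSource": "s3.amazonaws.com",
  "eventName": "DeleteBucket", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "AssumedRole",
                   "arn": "arn:aws:sts::123456789012:assumed-role/DeployRole/ci-session",
                   "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::123456789012:role/DeployRole"}}},
  "requestParameters": {"bucketName": "example-logs-bucket"}},
 {"eventVersion": "1.08", "eventTime": "2024-05-21T10:09:30Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "StopLogging", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
  "requestParameters": {"name": "management-trail"}}
]}
""")


def actor(record):
    """Who made the call: the role behind an assumed-role session, else the ARN."""
    ident = record["userIdentity"]
    if ident.get("type") == "AssumedRole":
        issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
        return f"{issuer.get('arn', ident.get('arn'))} via session {ident.get('arn')}"
    return ident.get("arn", ident.get("type", "unknown"))


def resource_ids(record, keys=("instanceId", "bucketName", "name", "roleName", "userName")):
    """Collect resource identifiers from requestParameters, whatever the nesting."""
    found = []

    def walk(node):
        if isinstance(node, dict):
            for k, v in node.items():
                if k in keys and isinstance(v, str):
                    found.append(v)
                else:
                    walk(v)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(record.get("requestParameters") or {})
    return found


def is_destructive(record):
    name = record["eventName"]
    return name.startswith(DESTRUCTIVE_PREFIXES) or name in TRAIL_TAMPERING


def triage(records):
    """Time-ordered summary of destructive and trail-tampering calls."""
    hits = []
    for r in sorted(records, key=lambda rec: rec["eventTime"]):
        if r.get("readOnly") or not is_destructive(r):
            continue
        hits.append({
            "time": r["eventTime"],
            "event": f"{r['eventSource']}:{r['eventName']}",
            "actor": actor(r),
            "source_ip": r.get("sourceIPAddress"),
            "succeeded": "errorCode" not in r,  # denied attempts are still evidence
            "tampering": r["eventName"] in TRAIL_TAMPERING,
            "resources": resource_ids(r),
        })
    return hits


if __name__ == "__main__":
    for h in triage(SAMPLE_TRAIL["Records"]):
        status = "ok" if h["succeeded"] else "FAILED"
        flag = " [TRAIL TAMPERING]" if h["tampering"] else ""
        print(f"{h['time']} {h['event']:<38} {status:<6} {h['actor']} from {h['source_ip']} -> {h['resources']}{flag}")
```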

AWS X-Ray

 Usually, debugging in production follows this approach:

 Test locally.

 Add log statements throughout the code.

 Re-deploy in production.

 Log formats vary across applications, making log analysis
challenging.

 Debugging is relatively straightforward for monolithic
applications but complex for distributed services.

 Lack of common views of the entire architecture hampers
understanding.

📍 X-Ray is an AWS service that provides a visual analysis of our
applications

 What it can do for you and your AWS resources:

 Troubleshooting performance (bottlenecks)

 Understand dependencies in a microservice architecture

 Pinpoint service issues

 Review request behavior

 Find errors and exceptions

 Are we meeting the time SLA?

 Where am I throttled?

 Identify users that are impacted

Amazon CodeGuru

 Amazon CodeGuru is an ML-powered service for automated code
reviews and application performance recommendations.

 It provides two functionalities:

 CodeGuru Reviewer: Automated code reviews for static code
analysis during development.

 CodeGuru Profiler: Visibility and recommendations about
application performance during runtime in production.

Amazon CodeGuru Reviewer

 Identifies critical issues, security vulnerabilities, and hard-to-find bugs.

 Examples include common coding best practices, resource leaks,
security detection, and input validation.

 Uses Machine Learning and automated reasoning.

 Draws from hard-learned lessons across millions of code reviews
on thousands of open-source and Amazon repositories.

 Supports Java and Python.

 Integrates with GitHub, Bitbucket, and AWS CodeCommit.

Amazon CodeGuru Profiler

📍 Amazon CodeGuru Profiler helps understand the runtime behavior of
your application.

 Example: identify if your application is consuming excessive CPU
capacity on a logging routine.

 Features:

 Identify and remove code inefficiencies.

 Improve application performance (e.g., reduce CPU utilization).

 Decrease compute costs.

 Provides heap summary to identify which objects are using up
memory.

 Includes anomaly detection.

 Supports applications running on AWS or on-premise.

 Minimal overhead on the application.

AWS Health Dashboard - Service History

 Displays the health of all regions and services.

 Provides historical information for each day.

 Offers an RSS feed for subscription.

 Previously known as AWS Service Health Dashboard.

AWS Health Dashboard – Your Account

 Same service as AWS Health Dashboard, but this time just
for your account

 Shows how AWS outages directly impact you & your AWS
resources

 Global service

 Alert, remediation, proactive, scheduled activities

Summary

Read through our summary to ensure you understand key concepts covered
in this module!

Identity Access Management (IAM): Summary

 Users: Represent individual entities, associated with a physical user
and granted access to the AWS Management Console through
passwords.

 Groups: Collections of users exclusively, used for simplified
management of access permissions.

 Policies: JSON documents detailing permissions for users or groups,
governing access to AWS resources.

 Roles: Assigned to EC2 instances or AWS services, defining the set of
permissions they possess.

 Security: Implemented through Multi-Factor Authentication (MFA) and
Password Policies, bolstering account protection.

 AWS CLI: Utilized to administer AWS services via command-line
interfaces, facilitating efficient management tasks.

 AWS SDK: Employs programming languages for managing AWS
services, offering programmatic access.

 Access Keys: Credentials facilitating access to AWS services via CLI or
SDK, enhancing automation and integration capabilities.

 Audit: Facilitated through IAM Credential Reports and IAM Access
Advisor, ensuring compliance and security assessments.

 IAM Access Analyzer: Identifies resource access risks

 Root users: Possesses unrestricted control over AWS account settings
and management.

Security and Compliance: Summary

 Shield: Automatic DDoS Protection with 24/7 support for advanced
threats.

 WAF: Firewall for filtering incoming requests based on rules.

 KMS: AWS-managed encryption keys.

 CloudHSM: Hardware encryption where customers manage keys.

 AWS Certificate Manager: Provision, manage, and deploy SSL/TLS
Certificates.

 Artifact: Access compliance reports like PCI, ISO, etc.

 GuardDuty: Identify malicious behavior using VPC, DNS, and
CloudTrail Logs.

 Inspector: Discover software vulnerabilities in EC2, ECR Images, and
Lambda functions.

 Network Firewall: Protect VPC against network attacks.

 Config: Monitor configuration changes and compliance adherence.

 Macie: Identify sensitive data (e.g., PII) within Amazon S3 buckets.

 CloudTrail: Track API calls made by users within the account.

 AWS Security Hub: Aggregate security findings from multiple AWS
accounts.


 Amazon Detective: Identify the root cause of security issues or
suspicious activities.

 AWS Abuse: Report AWS resources used for abusive or illegal
purposes.

 Firewall Manager: Manage security rules across an Organization
(WAF, Shield, etc.).

 Root user privileges:

 Change account settings

 Close your AWS account

 Change or cancel your AWS Support plan

 Register as a seller in the Reserved Instance Marketplace

 IAM Access Analyzer: Identify which resources are shared externally


What is the AWS global infrastructure?

📍 Global application = an application deployed in multiple geographies

 We use global infrastructure for…

 Decreased latency

 Deploy your applications closer to your
users to decrease latency

 Disaster Recovery

 If an AWS region goes down (earthquake, storms, power
shutdown, politics), can fail-over to another region and
have your application still working

 Attack protection

 Distributed global infrastructure is harder to attack

As you remember,

1. Regions

 Geographical locations around the world where AWS has data
centers. Each region is a separate geographic area with multiple
availability zones.

2. Availability Zones (AZs)

 Isolated locations within AWS regions that are engineered to
be operationally independent of each other, with their own
power, cooling, and networking infrastructure.

 They provide redundancy and fault tolerance.

3. Edge Locations

 Locations around the world to cache copies of data closer to
users for faster access.

AWS Route53

 AWS Route53 = a highly available and scalable Domain Name
System (DNS) web service. Route 53 connects user requests to
internet applications running on AWS or on-premises.

 DNS = a collection of rules and records which
helps clients understand how to reach a server through
URLs.

 Routing Policies = how traffic is directed to your resources
based on various criteria

 Simple routing policy

 No health checks

 Weighted routing policy

 Latency Routing Policy

 Failover Routing Policy

Weighted Routing: Distributes traffic across multiple resources
based on weight values you assign, allowing you to control the
proportion of traffic sent to each resource.

Latency-Based Routing: Routes traffic to the resource with
the lowest latency from the user's location, optimizing performance
for end users.

Failover Routing: Automatically directs traffic to a standby resource in
the event of a failure or outage, ensuring high availability.
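
Added example, not from the original notes: a resolver that applies the four routing policies above to constructed records, with health checks removing failed endpoints from the weighted, latency and failover answers. The addresses, regions and latency table are invented; the weighted selection and health-check handling are a simplified model of the behaviour described.

```python
"""Resolve a DNS name under the Route 53 routing policies: simple, weighted,
latency-based and failover, with health checks removing unhealthy records
from the weighted, latency and failover choices.
"""
import random

# Constructed records for app.example.com (addresses from documentation ranges).
RECORDS = [
    {"policy": "weighted", "value": "198.51.100.10", "weight": 70, "healthy": True},
    {"policy": "weighted", "value": "198.51.100.20", "weight": 30, "healthy": True},
    {"policy": "latency", "value": "198.51.100.10", "region": "us-east-1", "healthy": True},
    {"policy": "latency", "value": "203.0.113.10", "region": "eu-west-1", "healthy": True},
    {"policy": "latency", "value": "192.0.2.10", "region": "ap-southeast-1", "healthy": False},
    {"policy": "failover", "value": "198.51.100.10", "role": "PRIMARY", "healthy": True},
    {"policy": "failover", "value": "203.0.113.10", "role": "SECONDARY", "healthy": True},
]

# Constructed round-trip times (ms) from a client's region to each AWS region.
LATENCY_MS = {
    "eu-west-1": {"us-east-1": 90, "eu-west-1": 12, "ap-southeast-1": 180},
    "ap-southeast-2": {"us-east-1": 200, "eu-west-1": 260, "ap-southeast-1": 95},
}


def _healthy(records):
    # Health checks: records failing their check are not returned at all.
    return [r for r in records if r.get("healthy", True)]


def resolve(policy, records, rng=None, client_region=None):
    """Return the answer (a list of addresses) for one routing policy."""
    candidates = [r for r in records if r["policy"] == policy]
    if policy == "simple":
        # Simple routing has no health checks: every value is returned.
        return [r["value"] for r in candidates]
    candidates = _healthy(candidates)
    if not candidates:
        return []
    if policy == "weighted":
        # Pick one record with probability proportional to its weight.
        if rng is None:
            rng = random.Random()
        total = sum(r["weight"] for r in candidates)
        pick = rng.random() * total
        for r in candidates:
            pick -= r["weight"]
            if pick < 0:
                return [r["value"]]
        return [candidates[-1]["value"]]
    if policy == "latency":
        table = LATENCY_MS[client_region]
        best = min(candidates, key=lambda r: table[r["region"]])
        return [best["value"]]
    if policy == "failover":
        by_role = {r["role"]: r for r in candidates}
        chosen = by_role.get("PRIMARY") or by_role.get("SECONDARY")
        return [chosen["value"]]
    raise ValueError(f"unknown policy: {policy}")


def weighted_share(records, draws=10000, seed=1):
    """Fraction of answers each weighted record receives over `draws` queries."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(draws):
        value = resolve("weighted", records, rng=rng)[0]
        counts[value] = counts.get(value, 0) + 1
    return {v: c / draws for v, c in counts.items()}


if __name__ == "__main__":
    print("weighted share:", weighted_share(RECORDS))
    print("latency from eu-west-1:", resolve("latency", RECORDS, client_region="eu-west-1"))
    print("failover:", resolve("failover", RECORDS))
```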


AWS CloudFront

 AWS CloudFront = a content delivery network (CDN)
service built for high performance, security, and developer
convenience.

 Content cached at the edge locations

 Improves user performance

 S3 Bucket: Used for file distribution and caching at edge
locations.

 Utilizes CloudFront Origin Access Control (OAC), replacing Origin
Access Identity (OAI).

 CloudFront as Ingress: Allows uploads directly to an S3 bucket.

 Custom Origin Options with CloudFront:

 Application Load Balancer (ALB)

 EC2 Instance

 S3 Website (requires enabling as a static website)

 Any HTTP Backend


The Difference Between CloudFront and S3 Cross Region Replication

CloudFront:

 Global Edge network.

 Files cached for a TTL (e.g., a day).

 Ideal for static content requiring global availability.

S3 Cross Region Replication:

 Requires setup for each region where replication is needed.

 Files update in near real-time.

 Read-only access.

 Suitable for dynamic content requiring low-latency access in
specific regions.

S3 Transfer Acceleration

📍 S3 Transfer Acceleration = speeds up content transfers to and
from Amazon S3 by as much as 50-500% for long-distance transfer of
larger objects.

 Use cases:

 Mobile & web application uploads and downloads

 Distributed office transfers

 Data exchange with trusted partners

AWS Global Accelerator


 Enhance your application's availability and speed
worldwide with AWS's global network.

 Use AWS's network to find the best path for your application, resulting
in a 60% boost in performance.

 Two Anycast IP addresses are created for your application, and
traffic is sent through Edge Locations.

 Traffic is then routed from Edge Locations to your application, ensuring
efficient delivery.

CloudFront vs Global Accelerator

- Both CloudFront and Global Accelerator use the AWS global network and its edge locations worldwide, and both integrate with AWS Shield for DDoS protection.

CloudFront

CloudFront acts as a content delivery network, improving performance for cacheable content such as images and videos by serving it from edge locations.

Global Accelerator

Global Accelerator, on the other hand, does not cache content but proxies packets at the edge to applications in one or more AWS Regions.

AWS Outposts

📍 AWS Outposts = "server racks" that offer the same AWS infrastructure, services, APIs and tools to build your own applications on-premises, just as in the cloud.

- Enables organizations to run AWS services locally, providing a consistent hybrid cloud experience across on-premises and the cloud.
- Seamless, local data processing
- Fully managed, capacity-based pricing
- Low-latency applications: ideal for apps needing quick access to on-premises data or processing.
- Data residency compliance: meets data sovereignty requirements by keeping data on-premises.

Benefits of AWS Outposts

- Low-latency access to on-premises systems
- Local data processing
- Data residency
- Easier migration from on-premises to the cloud
- Fully managed service

AWS Wavelength

📍 AWS Wavelength = brings AWS infrastructure to the edge of 5G networks, enabling ultra-low-latency applications by processing data closer to end users.

- Ultra-low latency
- Edge computing use cases; helps meet data residency requirements
- High-bandwidth, secure connection to the parent AWS Region
- No additional charges or service agreements

AWS Local Zones

📍 AWS Local Zones = bring AWS services closer to large population, industry, and IT centers.

- Run latency-sensitive applications
- Enable customers to run applications that require single-digit millisecond latency to end users or local data processing

AWS Global Applications Architecture

Single Region, Single AZ

- All application resources and data are hosted within a single AWS region and a single availability zone within that region.
- This is the most basic configuration and offers limited fault tolerance and resilience.
- ❌ High Availability
- ❌ Global Latency
- 🟢 LESS Instance Difficulty

Single Region, Multi AZ

- Application resources are deployed across multiple availability zones within a single AWS region.
- Provides higher fault tolerance and resilience than a single-AZ configuration while maintaining simplicity.
- 🟢 High Availability
- ❌ Global Latency
- 🟠 Instance Difficulty

Multi Region, Active-Passive

- Applications are deployed across multiple AWS regions, with one region serving as the primary active region and the others as passive standby regions.
- The primary region hosts the active workload and serves user traffic, while standby regions are kept in sync and act as failover targets in case of disaster or regional outages.
- 🟢 Global Reads Latency
- ❌ Global Writes' Latency
- 🟠 Instance Difficulty

Multi Region, Active-Active

- Applications are deployed across multiple AWS regions, with all regions actively serving user traffic simultaneously.
- Provides high availability, fault tolerance, and scalability by distributing the workload across geographically diverse regions.
- 🟢 Reads' Latency
- 🟢 Writes' Latency
- 🔴 Instance Difficulty

Docker

- Docker is a software development platform used to deploy applications.
- Applications are packaged in containers that can run on any operating system.
- Apps behave consistently regardless of their deployment environment.
- No compatibility issues across different machines.
- Predictable behavior reduces the operational workload.
- Simplifies maintenance and deployment.
- Works with any programming language, operating system, and technology.
- Containers can be scaled rapidly, with adjustments taking just seconds.

Docker Images

- Docker images are stored in Docker repositories, which can be public or private.
- Public repository: Docker Hub (https://hub.docker.com/) is a popular public repository where you can find base images for various technologies and operating systems, such as Ubuntu, MySQL, NodeJS, Java, and more.
- Private repository: Amazon ECR (Elastic Container Registry) is a private repository service provided by AWS that lets you store and manage your own Docker images securely.

Elastic Container Service (ECS)

- ECS (Elastic Container Service): a service that lets you launch Docker containers on AWS.
- You are responsible for provisioning and maintaining the infrastructure, such as the EC2 instances.
- Container management: AWS takes care of starting and stopping containers for you.

Fargate

- Launch Docker containers on AWS without provisioning the infrastructure, eliminating the need to manage EC2 instances.
- Simplifies deployment because it is a serverless offering.
- AWS automatically runs containers for you based on the specified CPU and RAM requirements.

Elastic Container Registry (ECR)

- Elastic Container Registry (ECR): a private Docker registry service on AWS.
- ECR stores your Docker images securely so they can be easily pulled and run by ECS (Elastic Container Service) or Fargate.

Serverless

📍 Serverless: a computing model in which developers focus on deploying code or functions without managing servers.

- Originally, serverless was synonymous with FaaS (Function as a Service).
- Pioneered by AWS Lambda, the serverless concept now encompasses managed services for databases, messaging, storage, and more.
- The term "serverless" doesn't imply the absence of servers; it means that the servers are managed by the provider and are invisible to developers.

Lambda

- Eliminates the need to provision or manage servers.
- Functions are triggered in response to events from various AWS services.
- Limited by time: short executions.
- Scales automatically with demand, handling any number of requests.
- Charges only for the compute time used, with no cost when idle.
- Integrates seamlessly with other AWS services for comprehensive solutions.

Benefits of Lambda

- Simple pricing structure:
  - Charges based on each request and the amount of compute time used.
  - Includes a generous free tier of up to 1,000,000 AWS Lambda requests and 400,000 GB-seconds of compute time.
- Fully compatible with the entire range of AWS services.
- Event-driven architecture:
  - Functions are triggered automatically by AWS as required.
- Broad programming support:
  - Compatible with numerous programming languages.
- Effortless monitoring:
  - Seamless integration with AWS CloudWatch for convenient tracking and management.
- Scalable performance:
  - Easily increase resources per function, with up to 10 GB of RAM available.
  - Increasing RAM also boosts CPU performance and network capabilities.

Lambda Pricing

- Pay per call:
  - First 1,000,000 requests are free
  - $0.20 per 1 million requests thereafter ($0.0000002 per request)
- Pay per duration (in increments of 1 ms):
  - 400,000 GB-seconds of compute time per month for FREE
    - == 400,000 seconds if the function has 1 GB RAM
    - == 3,200,000 seconds if the function has 128 MB RAM
  - After that, $1.00 for 600,000 GB-seconds
- It is usually very cheap to run AWS Lambda, so it's very popular
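As an added example (not from the original notes), the following Python script turns the figures above into a monthly estimate: it converts the free tier into execution seconds for a given memory size and applies the per-request and per-GB-second rates quoted in these notes, which should be verified against the current AWS price list before use.

```python
import math
from dataclasses import dataclass

# Free-tier allowances and rates as quoted in the notes above; verify them
# against the current AWS price list before relying on them for real estimates.
FREE_REQUESTS_PER_MONTH = 1_000_000
FREE_GB_SECONDS_PER_MONTH = 400_000
USD_PER_MILLION_REQUESTS = 0.20
USD_PER_GB_SECOND = 1.00 / 600_000   # "$1.00 for 600,000 GB-seconds" in the notes


@dataclass
class LambdaUsage:
    invocations: int          # requests in the month
    avg_duration_ms: float    # average execution time per invocation
    memory_mb: int            # configured memory (128 MB up to 10 GB)


def free_tier_seconds(memory_mb):
    """Execution seconds covered by the 400,000 GB-second free tier at this memory size."""
    return FREE_GB_SECONDS_PER_MONTH * 1024 // memory_mb


def gb_seconds(usage):
    """Compute time billed in 1 ms increments, weighted by memory expressed in GB."""
    billed_ms = math.ceil(usage.avg_duration_ms) * usage.invocations
    return billed_ms / 1000 * usage.memory_mb / 1024


def monthly_cost(usage):
    """Apply the free tier, then charge the remaining requests and GB-seconds."""
    billable_requests = max(0, usage.invocations - FREE_REQUESTS_PER_MONTH)
    billable_gbs = max(0.0, gb_seconds(usage) - FREE_GB_SECONDS_PER_MONTH)
    request_usd = billable_requests / 1_000_000 * USD_PER_MILLION_REQUESTS
    duration_usd = billable_gbs * USD_PER_GB_SECOND
    return {
        "billable_requests": billable_requests,
        "billable_gb_seconds": billable_gbs,
        "request_usd": round(request_usd, 4),
        "duration_usd": round(duration_usd, 4),
        "total_usd": round(request_usd + duration_usd, 4),
    }


if __name__ == "__main__":
    print("free-tier seconds at 1 GB:", free_tier_seconds(1024))    # 400000
    print("free-tier seconds at 128 MB:", free_tier_seconds(128))   # 3200000
    # Constructed workload: 10M requests, 200 ms each, 1 GB of memory
    print(monthly_cost(LambdaUsage(10_000_000, 200, 1024)))
    # Constructed workload that stays inside the free tier
    print(monthly_cost(LambdaUsage(500_000, 100, 128)))
```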

Amazon API Gateway

- Fully managed service for API management.
- Serverless and scalable.
- Supports RESTful and WebSocket APIs.
- Includes security, user authentication, and API throttling.
- Provides API keys and monitoring features.

AWS Batch

- Fully managed batch processing at any scale.
- Can efficiently run hundreds of thousands of batch computing jobs on AWS.
- Batch jobs have a defined start and end, as opposed to continuous jobs.
- Dynamically launches EC2 instances or Spot Instances as needed.
- Automatically provisions the required amount of compute and memory resources.
- You submit or schedule batch jobs, and AWS Batch handles the execution.
- Batch jobs are defined as Docker images and run on ECS (Elastic Container Service).
- Helps optimize costs and reduces the focus on infrastructure management.

Cloud Integration

This section covers AWS cloud integration services: Amazon SQS for managed message queuing and scalable application decoupling; Amazon Kinesis for real-time data streaming through Data Streams, Firehose, and Analytics for data collection and processing; Amazon SNS for pub/sub messaging that delivers real-time notifications to distributed systems and mobile devices; and Amazon MQ, which simplifies management of Apache ActiveMQ and RabbitMQ message brokers, ensuring high availability and scalability for message-oriented applications on AWS.

Why do we need to integrate our applications?

- When we start deploying multiple applications, they need to communicate with one another.
- There are two patterns of application communication:
  1. Synchronous communication (application to application)
  2. Asynchronous / event-based (application to queue to application)
- Synchronous communication can be problematic during sudden spikes in traffic.
- Decoupling applications using AWS services:
  - SQS: queue model for managing message queues.
  - SNS: pub/sub model for sending messages to multiple recipients.
  - Kinesis: real-time data streaming model for processing large amounts of data.
- These services allow scaling independently from the application.

Amazon SQS – Simple Queue Service

📍 SQS is a fully managed, serverless service used to decouple applications.

- It can scale from handling 1 message per second to 10,000s per second.
- Messages are retained for 4 days by default, with a maximum of 14 days.
- There is no limit to the number of messages in the queue.
- Messages are deleted after they are successfully processed by consumers.
- Low latency: less than 10 ms on publish and receive operations.
- Consumers can share the workload of reading messages, allowing horizontal scaling.

SQS to decouple between application tiers

- FIFO = First In First Out (ordering of messages in the queue)
- Messages are processed in order by the consumer

Amazon Kinesis

- Kinesis is a managed service for real-time big data streaming.
- It collects, processes, and analyzes real-time streaming data at any scale.
- It offers several components:
  - Kinesis Data Streams: low-latency streaming to ingest data at scale from hundreds of thousands of sources.
  - Kinesis Data Firehose: loads streams into S3, Redshift, ElasticSearch, etc.
  - Kinesis Data Analytics: performs real-time analytics on streams using SQL.
  - Kinesis Video Streams: monitors real-time video streams for analytics or ML.

Amazon SNS

- In SNS, event publishers send messages to one SNS topic.
- Essentially, one message is sent to many users.
- There can be multiple event subscribers listening for the SNS topic's notifications.
- Each subscriber receives all the messages sent to the topic.
- SNS supports up to 12,500,000 subscriptions per topic and has a limit of 100,000 topics.

Amazon MQ

- SQS and SNS are AWS proprietary protocols for cloud-native services.
- Traditional on-premises applications may use open protocols such as MQTT, AMQP, STOMP, OpenWire, and WSS.
- Amazon MQ is a managed message broker service for migrating such applications to the cloud.
- Amazon MQ doesn't scale as much as SQS/SNS and runs on servers; it supports Multi-AZ with failover.
- Amazon MQ offers both queue features (like SQS) and topic features (like SNS).
- Amazon MQ is a managed message broker service for:
  - RabbitMQ
  - ActiveMQ

Sharing Your Resources in AWS

This section covers tools and strategies for sharing and managing AWS
resources. You'll learn about AWS Organizations, including multi-account
strategies, Organizational Units (OUs), Service Control Policies (SCPs), and
consolidated billing. AWS Control Tower simplifies multi-account setup and
governance, while AWS Resource Access Manager (RAM) enables resource
sharing across accounts. Finally, AWS Service Catalog helps manage and
distribute approved AWS services and resources. By the end, you'll be
equipped to effectively share and manage resources in your AWS
environment.

AWS Organizations

📍 AWS Organizations = a management service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage. AWS Organizations includes account management and consolidated billing capabilities that enable you to better meet the budgetary, security, and compliance needs of your business.

- Manages multiple AWS accounts; the management account acts as the central master account.
- Cost benefits:
  - Consolidated billing = single payment method across all accounts
  - Discounts from aggregated usage (e.g., EC2, S3)
  - Reserved Instance pooling → optimal savings with pooled EC2 instances
- API available for automating AWS account creation
- Control access: restrict account privileges using Service Control Policies (SCPs), covered in the next section.

Multi Account Strategies

- Create separate accounts for each department, cost center, and environment (dev/test/prod).
- Implement Service Control Policies (SCPs) for regulatory compliance.
- Use VPCs for resource isolation within each account.
- Manage separate service limits for each account.
- Establish a dedicated logging account.
- Choose between multiple accounts or a single account with multiple VPCs based on your needs.
- Standardize tagging for efficient billing management.
- Enable AWS CloudTrail in all accounts and direct the logs to a central S3 bucket.
- Centralize CloudWatch Logs in a dedicated logging account.

Organizational Units

- Organizational Units (OUs) = you can simplify account management by grouping related accounts into Organizational Units within AWS Organizations, allowing uniform policy administration and streamlined operations.
- Useful reference: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_ous.html

Service Control Policies (SCP)

- SCPs = whitelist or blacklist IAM actions.
- Applied at the OU or account level; they do not apply to the management (master) account.
- Affect all users and roles in the account, including the root user.
- Do not affect service-linked roles.
- SCPs must contain explicit Allow rules (an SCP only filters what the account may do; it never grants permissions on its own).
- Use cases include restricting access to specific services and enforcing compliance standards such as PCI.
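To make the rules above concrete, here is an added example (not from the original notes) that simulates how an SCP combines with an identity-based IAM policy: an explicit Deny wins everywhere, an action needs an Allow in both the SCP and the IAM policy, the root user is limited only by the SCP, and the management account and service-linked roles are exempt from SCPs. The sample policies are constructed, and resources, conditions, NotAction and the OU hierarchy are ignored.

```python
import fnmatch
import json

# Constructed sample policies (not from the notes). Only Effect/Action are
# modelled; Resource, Condition, NotAction and OU inheritance are ignored.
# Deny-list style: FullAWSAccess plus a few explicit denies.
DENY_LIST_SCP = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny",
     "Action": ["s3:DeleteBucket", "organizations:LeaveOrganization"],
     "Resource": "*"}
  ]
}""")

# Allow-list style: no "*" allow, so anything not listed is implicitly denied.
ALLOW_LIST_SCP = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"], "Resource": "*"}
  ]
}""")

# Identity-based policy attached to a developer user in a member account.
DEVELOPER_IAM_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "iam:CreateUser"], "Resource": "*"}
  ]
}""")


def _matches(pattern, action):
    """IAM-style action matching: '*', 's3:*', 'ec2:Describe*' (case-insensitive)."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _effect(policy, action):
    """Evaluate one policy document: 'Deny', 'Allow' or None (implicit deny)."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if any(_matches(p, action) for p in actions):
            if stmt["Effect"] == "Deny":
                return "Deny"           # an explicit Deny always wins
            allowed = True
    return "Allow" if allowed else None


def is_allowed(action, principal, scp, iam_policy):
    """principal is a dict of flags: management_account, service_linked_role, root_user."""
    scp_applies = not (principal.get("management_account")
                       or principal.get("service_linked_role"))
    if scp_applies and _effect(scp, action) != "Allow":
        return False   # filtered out by the SCP (explicit or implicit deny)
    if principal.get("root_user"):
        return True    # root has full permissions in the account; only the SCP limits it
    # The SCP never grants anything: the identity policy must allow the action too.
    return _effect(iam_policy, action) == "Allow"


if __name__ == "__main__":
    dev = {}   # developer user in a member account
    for action in ("s3:GetObject", "s3:DeleteBucket", "iam:CreateUser",
                   "ec2:RunInstances", "ec2:DescribeInstances"):
        print(f"{action:22} deny-list SCP: "
              f"{str(is_allowed(action, dev, DENY_LIST_SCP, DEVELOPER_IAM_POLICY)):5} "
              f"allow-list SCP: "
              f"{is_allowed(action, dev, ALLOW_LIST_SCP, DEVELOPER_IAM_POLICY)}")
```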

AWS Organizations – Consolidated Billing

- When activated, AWS Organizations offers consolidated billing, which provides:
  - Combined usage: aggregates usage across all accounts in the organization so that volume pricing, Reserved Instances, and Savings Plans discounts are applied collectively.
  - Single bill: one invoice for all AWS accounts in the organization.
  - Control over discounts: the management account can disable the sharing of Reserved Instance discounts for any account in the organization, including itself.

AWS Control Tower

📍 AWS Control Tower = offers a streamlined way to set up and govern a secure, compliant multi-account AWS environment based on industry best practices.

- Advantages include:
  - Automates environment setup with minimal configuration steps.
  - Automates ongoing policy enforcement using guardrails to maintain compliance.
  - Detects policy violations and initiates corrective actions automatically.
  - Provides an interactive dashboard for monitoring adherence to compliance standards.

AWS Resource Access Manager (AWS RAM)

- Share AWS resources with other AWS accounts or within your organization.
- Prevents resource duplication and fosters collaboration.
- Supported resources include Aurora databases, VPC subnets, Transit Gateway attachments, Route 53 hosted zones, EC2 Dedicated Hosts, and License Manager configurations.
- Choose between sharing with specific accounts or within your AWS Organization.
- Improves resource utilization, streamlines management, and improves collaboration through shared resources.
- Keep shared resources secure with well-scoped IAM policies and regular monitoring of resource usage.

AWS Service Catalog

- New AWS users often face numerous options, resulting in non-compliant or inconsistent stacks.
- Some users prefer a simple self-service portal for accessing pre-approved products.
- AWS Service Catalog addresses this by offering access to pre-defined virtual machines, databases, storage options, etc.

Pricing Models

AWS offers a Free Tier that provides no-cost access to various services up to
certain limits, including 12-month trials, always-free offers, and short-term
trials, allowing users to explore and test services like EC2, S3, RDS, and
Lambda. For paid services, compute pricing (e.g., EC2, Lambda) is based on
factors like instance type and usage duration; storage pricing (e.g., S3, EBS)
depends on storage type, data volume, and data transfer; and database
pricing (e.g., RDS, DynamoDB) varies by database engine, instance size,
storage, and I/O operations. This flexible, pay-as-you-go model helps users
optimize costs based on their specific requirements.

Pricing Models in AWS

- AWS has 4 pricing models:
  1. Pay as you go: pay for actual usage, ensuring agility and responsiveness to scale demands.
  2. Save when you reserve: reserve instances to minimize risks, manage budgets predictably, and comply with long-term requirements.
     - Reservations are available for EC2 Reserved Instances, DynamoDB Reserved Capacity, ElastiCache Reserved Nodes, RDS Reserved Instances, and Redshift Reserved Nodes.
  3. Pay less by using more: volume-based discounts.
  4. Pay less as AWS grows.

Free services & free tiers in AWS

- IAM
- VPC
- Consolidated Billing
- Elastic Beanstalk
- CloudFormation
- Auto Scaling Groups
- Check out the free tier here → Free Tier

Compute Pricing – EC2

- Only charged for what you use
- Number of instances
- Instance configuration:
  - Physical capacity
  - Region
  - OS and software
  - Instance type
  - Instance size
- ELB running time and amount of data processed
- Detailed monitoring
- On-demand instances:
  - Minimum of 60 seconds
  - Pay per second for Linux/Windows, or per hour for other operating systems
- Reserved instances:
  - Up to 75% discount compared to the on-demand hourly rate
  - Offered with 1- or 3-year commitments
  - Payment options: all upfront, partial upfront, or no upfront
- Spot instances:
  - Up to 90% discount compared to the on-demand hourly rate
  - Bid for unused capacity
- Dedicated Host:
  - Available on-demand
  - Reservation options include 1-year or 3-year commitments
- Savings Plans offer an alternative way to save on sustained usage

Storage Pricing - S3

- Storage classes: S3 Standard, S3 Infrequent Access, S3 One-Zone IA, S3 Intelligent-Tiering, S3 Glacier, and S3 Glacier Deep Archive
- Pricing factors:
  - Number and size of objects (tiered pricing based on volume)
  - Number and type of requests
  - Data transfer OUT of the S3 region
  - S3 Transfer Acceleration
  - Lifecycle transitions
- Similar service: EFS (pay per use, offers infrequent access and lifecycle rules)

Storage Pricing - EBS

- Volume types (based on performance)
- Provisioned storage volume in GB per month
- IOPS:
  - General Purpose SSD: included
  - Provisioned IOPS SSD: provisioned amount in IOPS
  - Magnetic: number of requests
- Snapshots:
  - Added data cost per GB per month
- Data transfer:
  - Outbound data transfer is tiered for volume discounts
  - Inbound data transfer is free

Database Pricing - RDS

- Per-hour billing
- Database characteristics:
  - Engine
  - Size
  - Memory class
- Purchase type:
  - On-demand
  - Reserved instances (1 or 3 years) with required up-front payment
- Backup storage: there is no additional charge for backup storage up to 100% of your total database storage for a region.
- Additional storage (per GB per month)
- Number of input and output requests per month
- Deployment type (storage and I/O are variable):
  - Single AZ
  - Multiple AZs
- Data transfer:
  - Outbound data transfer is tiered for volume discounts
  - Inbound is free

Content Delivery - CloudFront Pricing

- Geographic pricing variation: costs differ across regions.
- Charges are aggregated for each edge location before billing.
- Volume discounts apply.
- Request counting = charges based on the number of HTTP/HTTPS requests.

Data Transfer Costs - Simplified

- Data transfer in: always FREE
- Use private rather than public IPs for cost savings and better network performance.
- Keep traffic within the same AZ for maximum savings, though this may reduce high availability.

Savings Plan

- EC2 Savings Plan:
  - Commit to a specified dollar amount per hour for 1 or 3 years.
  - Up to a 72% discount compared to On-Demand rates.
  - Applies to a specific instance family (e.g., C5, M5) in one region.
  - Covers any AZ, size (from m5.xl to m5.4xl), OS (Linux/Windows), and tenancy.
  - Payment options: all upfront, partial upfront, or no upfront.
- Compute Savings Plan:
  - Up to 66% discount compared to On-Demand pricing.
  - Flexible across any instance family, region, size, OS, tenancy, and compute option.
  - Includes EC2, Fargate, and Lambda usage.
- Machine Learning Savings Plan:
  - SageMaker
- Setup and pricing:
  - Easily set up via the AWS Cost Explorer console.
  - Check detailed pricing at AWS Savings Plans Pricing


Estimating and Tracking Costs

Estimating and tracking costs in AWS involves several tools and services
designed to help users manage and optimize their spending. The AWS Pricing
Calculator allows you to estimate the costs of AWS services based on your
specific usage scenarios. The Billing Dashboard provides an overview of your
current charges and historical billing information. Cost Allocation Tags enable
you to categorize and track costs by assigning tags to AWS resources. Cost
and Usage Reports offer detailed insights into your AWS spending, while Cost
Explorer helps visualize and analyze your cost and usage patterns to identify
savings opportunities. Together, these tools ensure you have comprehensive
control over your AWS costs.

Pricing Calculator

📍 AWS Pricing Calculator = a free web-based planning tool that you can use to create cost estimates for using AWS services. You can use AWS Pricing Calculator for the following use cases:

- Model your solutions before building them
- Explore AWS service price points
- Review the calculations behind your estimates
- Plan your AWS spend
- Find cost-saving opportunities

Tracking Costs

Billing Dashboard

📍 The AWS Bills page provides a monthly view of your AWS charges. For monthly billing periods that have not yet closed, the Bills page displays the most recent estimated charges based on services metered to date.

AWS Free Tier Dashboard

- Check out all the free services AWS provides.
- Elastic Beanstalk, CloudFormation, and Auto Scaling groups are free themselves, but you have to pay for the resources they create!

Cost Allocation Tags

- Use cost allocation tags to track your AWS costs at a detailed level.
- AWS-generated tags:
  - Automatically applied to the resources you create
  - Start with the prefix aws: (e.g., aws:createdBy)
- User-defined tags:
  - Defined by the user
  - Start with the prefix user:

Tagging and Resource Groups

- Tags for organization: use tags to organize resources such as:
  - EC2 instances, images, load balancers, and security groups.
  - RDS, VPC resources, Route 53, IAM users, etc.
  - Resources created by CloudFormation are tagged uniformly.
- Common tags include Name, Environment, and Team.
- Use tags to create and manage groups of resources that share common tags, known as Resource Groups:
  - Create, maintain, and view a collection of resources that share a common tag.
  - Use the Tag Editor for efficient tag management.

Cost and Usage Reports

- Gain deeper insights into your AWS costs and usage.
- The AWS Cost & Usage Report offers comprehensive data on AWS cost and usage, including additional metadata on AWS services, pricing, and reservations such as Amazon EC2 Reserved Instances (RIs).
- It itemizes AWS usage for each service category used by an account and its IAM users in hourly or daily line items, along with any tags activated for cost allocation purposes.
- Integration options include Athena, Redshift, or QuickSight for further analysis.

Cost Explorer

- Gain insight into your AWS costs and usage trends over time.
- Generate custom reports to analyze cost and usage data according to your needs.
- Analyze data at various levels: from total costs and usage across all accounts to detailed monthly or hourly breakdowns at the resource level.
- Optimize costs by selecting the most suitable Savings Plan based on your usage patterns.
- Forecast usage for up to 12 months based on historical usage data.

Cost Explorer - Monthly Resource

Cost Explorer – Hourly & Resource Level

Cost Explorer – Forecast Usage

Monitoring Costs

Billing Alarms in CloudWatch

- CloudWatch stores billing metric data in the us-east-1 region.
- This data covers the total worldwide AWS costs incurred.
- It reflects actual costs, not projected costs.
- Suitable for basic alarms, but it lacks the richer features of AWS Budgets for comprehensive cost management.

AWS Budgets

- Create a budget and send alarms when costs exceed the budget.
- 4 types of budgets: Usage, Cost, Reservation, Savings Plans.
- For Reserved Instances (RIs):
  - Track utilization
  - Supports EC2, ElastiCache, RDS, Redshift
- Up to 5 SNS notifications per budget.
- Can filter by: Service, Linked Account, Tag, Purchase Option, Instance Type, Region, Availability Zone, API Operation, etc.
- Same options as AWS Cost Explorer!
- 2 budgets are free, then $0.02/day/budget.

AWS Cost Anomaly Detection

- Uses machine learning to continuously monitor your cost and usage.
- ML algorithms learn your historical spending patterns to detect anomalies, including one-time spikes or continuous increases, without the need for predefined thresholds.
- Monitor AWS services, member accounts, cost allocation tags, or cost categories.
- Receive anomaly detection reports with root-cause analysis.
- Choose to be notified with individual alerts or daily/weekly summaries via SNS.

AWS Service Quotas

- Notifies you when you're close to a service quota threshold.
- Create CloudWatch Alarms from the Service Quotas console.
- Example: Lambda concurrent executions.
- Request a quota increase from AWS Service Quotas, or shut down resources before the limit is reached.

Trusted Advisor

- Conducts a comprehensive assessment of your AWS accounts without the need for any installation.
- Provides recommendations across six key categories: cost optimization, performance, security, fault tolerance, service limits, and operational excellence.
- Available for users with Business or Enterprise Support plans:
  - Includes the full set of checks and offers programmatic access via the AWS Support API.

Advanced Identity in AWS

This course module delves into additional AWS services that expand your
cloud computing capabilities. AWS STS (Security Token Service) enables you
to grant temporary, limited-privilege credentials to users or services. Amazon
Cognito offers authentication, authorization, and user management for web
and mobile apps. Microsoft Active Directory (AD) integration with AWS allows
seamless access management for Windows workloads. AWS Directory
Services simplifies the setup and management of directory services such as
AD and LDAP. AWS IAM Identity Center provides centralized identity
management across AWS accounts and services.

AWS STS (Security Token Service)

- AWS Security Token Service (STS) creates temporary, limited-privilege credentials.
- Credentials are short-lived and configured with an expiration period.
- Use cases include identity federation and IAM roles for cross-account/same-account access and EC2 access.

Amazon Cognito

- Amazon Cognito manages user identity for web and mobile applications, potentially for millions of users.
- Instead of creating IAM users, you create users in Cognito.

Microsoft Active Directory (AD)

- Active Directory Domain Services (AD DS) is found on any Windows Server with AD DS installed.
- It serves as a database of objects such as user accounts, computers, printers, file shares, and security groups.
- AD DS enables centralized security management, allowing you to create accounts and assign permissions.

AWS Directory Services

- AWS Managed Microsoft AD
  - Create your own AD in AWS; manage users locally; supports MFA.
  - Establish "trust" connections with your on-premises AD.
- AD Connector
  - Directory gateway (proxy) that redirects to the on-premises AD; supports MFA.
  - Users are managed in the on-premises AD.
- Simple AD
  - AD-compatible managed directory on AWS.
  - Cannot be joined with an on-premises AD.

AWS IAM Identity Center

- AWS Single Sign-On (SSO) provides one login for all your AWS accounts in AWS Organizations.
- It also offers single sign-on for business cloud applications such as Salesforce, Box, and Microsoft 365.
- SAML 2.0-enabled applications are supported for single sign-on.
- You can use AWS SSO to log in to EC2 Windows instances.
- Identity providers, including the built-in identity store in IAM Identity Center, are supported.
- Third-party identity providers such as Active Directory (AD), OneLogin, and Okta can also be integrated.

Other AWS Services: Part 1

Read through the first part of additional AWS services tailored for specific
needs. AWS WorkSpaces offers managed virtual desktops, while Amazon
AppStream securely delivers desktop applications to any device. AWS IoT
Core supports IoT device communication and management, and AWS
AppSync provides a fully managed GraphQL service for real-time data-driven
applications. AWS Amplify offers tools and services for scalable, secure cloud
applications. Enhance your AWS skills with these services to meet diverse
application requirements effectively.

Amazon WorkSpaces

- Managed Desktop as a Service (DaaS) solution.
- Easily provision Windows or Linux desktops.
- Eliminates the management of on-premises VDI (Virtual Desktop Infrastructure).
- Fast and scalable to thousands of users.
- Secures data and integrates with KMS (Key Management Service).
- Pay-as-you-go service with monthly or hourly rates.

Amazon AppStream 2.0

- Desktop application streaming service.
- Deliver applications to any computer without acquiring or provisioning infrastructure.
- Applications are delivered from within a web browser.

Amazon AppStream 2.0 vs WorkSpaces

- WorkSpaces: fully managed Virtual Desktop Interface with desktop access.
  - Users connect to the VDI and open native or web applications.
  - WorkSpaces can be on-demand or always on.
- AppStream 2.0: streams desktop applications to web browsers.
  - Works with any device that has a web browser.
  - Allows configuration of instance types per application type (CPU, RAM, GPU).

AWS IoT Core

📍 AWS IoT Core: connect IoT devices to the AWS Cloud.

- IoT: Internet of Things, a network of internet-connected devices.
- Serverless, secure, and scalable to billions of devices.
- Applications can communicate with devices even when they are offline.
- Integrates with various AWS services (Lambda, S3, SageMaker).
- Build IoT applications for data gathering, processing, analysis, and action.

AWS AppSync

📍 AWS AppSync: store and sync data across mobile and web apps in real time.

- Uses GraphQL (a mobile technology from Facebook).
- Client code can be generated automatically.
- Integrates with DynamoDB and Lambda.
- Real-time subscriptions for data updates.
- Offline data synchronization, replacing Cognito Sync.
- Fine-grained security controls.
- AWS Amplify can use AWS AppSync in the background.

Other AWS Services: Part 2

15 mins read

Read through the second part of additional AWS services tailored for specific
needs. AWS WorkSpaces offers managed virtual desktops, while Amazon
AppStream securely delivers desktop applications to any device. AWS IoT
Core supports IoT device communication and management, and AWS
AppSync provides a fully managed GraphQL service for real-time data-driven
applications. AWS Amplify offers tools and services for scalable, secure cloud
applications. Enhance your AWS skills with these services to meet diverse
application requirements effectively.

AWS Amplify

• Comprehensive toolkit for building and launching scalable web and mobile apps.
• Includes authentication, storage, API (REST, GraphQL), CI/CD, PubSub, analytics, AI/ML predictions, monitoring.
• Integrates with AWS, GitHub, and other sources for seamless development and deployment.

AWS Application Composer

• Visual tool for quickly designing and building serverless applications on AWS.
• Simplifies deployment of AWS infrastructure code without requiring deep AWS expertise.
• Configure resource interactions and generate Infrastructure as Code (IaC) using CloudFormation.
• Supports importing existing CloudFormation / SAM templates for visualization.

AWS Device Farm

• Fully-managed service that tests your web and mobile apps against desktop browsers, real mobile devices, and tablets.
• Run tests concurrently on multiple devices (speed up execution). Ability to configure device settings (GPS, language, Wi-Fi, Bluetooth, …).

AWS Backup

• Fully managed service for centralized backup management and automation across AWS services.
• Offers on-demand and scheduled backups for flexibility.
• Supports Point-in-Time Recovery (PITR) for precise restoration.
• Features retention periods, lifecycle management, and customizable backup policies.
• Facilitates cross-region backup for enhanced data redundancy and disaster recovery.
• Enables cross-account backup using AWS Organizations for streamlined data protection across multiple accounts.
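As an added example (not part of the original notes), a backup plan in the JSON shape accepted by `aws backup create-backup-plan --backup-plan file://plan.json` that combines the features above: one rule enables continuous backup for PITR (AWS caps its retention at 35 days), and a second daily rule keeps snapshots longer, moves them to cold storage, and copies each recovery point into a vault in a second region so a regional outage or a deletion in the primary vault does not take the only copy. The account id 123456789012, the region and the vault names are placeholders; the destination vault could equally sit in another account when cross-account backup is set up through AWS Organizations.

```json
{
  "BackupPlanName": "pitr-plus-daily-cross-region",
  "Rules": [
    {
      "RuleName": "ContinuousForPITR",
      "TargetBackupVaultName": "primary-vault",
      "ScheduleExpression": "cron(0 5 ? * * *)",
      "EnableContinuousBackup": true,
      "Lifecycle": {
        "DeleteAfterDays": 35
      }
    },
    {
      "RuleName": "DailySnapshotWithCopy",
      "TargetBackupVaultName": "primary-vault",
      "ScheduleExpression": "cron(0 5 ? * * *)",
      "StartWindowMinutes": 60,
      "CompletionWindowMinutes": 180,
      "Lifecycle": {
        "MoveToColdStorageAfterDays": 30,
        "DeleteAfterDays": 120
      },
      "CopyActions": [
        {
          "DestinationBackupVaultArn": "arn:aws:backup:us-west-2:123456789012:backup-vault:dr-vault",
          "Lifecycle": {
            "DeleteAfterDays": 120
          }
        }
      ]
    }
  ]
}
```

Recovery points must stay in cold storage for at least 90 days, so `DeleteAfterDays` has to be at least 90 more than `MoveToColdStorageAfterDays`; the plan is rejected otherwise.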

Disaster Recovery Strategies

1. Backup and Restore

• Allows for regular backups of data and applications to prevent data loss.
• Enables quick restoration of data and applications in case of failure or disaster.
• Ensures business continuity and data integrity.

2. Pilot Light

• Maintains a minimal version of the infrastructure (e.g., database, essential services) in a standby state.
• Enables rapid scaling up of infrastructure to full capacity in case of a disaster.
• Helps reduce costs compared to maintaining a fully active backup infrastructure.

3. Warm Standby

• Involves maintaining a partially active secondary site with scaled-down infrastructure.
• Incurs higher costs compared to pilot light due to the partially active state.
• Provides faster recovery times and greater capacity compared to pilot light.

4. Multi-Site/Hot Site

• Involves maintaining a fully redundant and active secondary site in a different geographic location.
• Offers the highest level of resilience and availability.
• Incurs higher costs but provides the quickest recovery times and minimal downtime in case of a disaster.

AWS Elastic Disaster Recovery (DRS)

• Used to be named “CloudEndure Disaster Recovery”.
• Enables rapid recovery of servers into AWS in case of data loss or disaster.
• Provides protection for critical databases and enterprise applications. Uses continuous block-level replication for real-time data protection.

Other AWS Services: Part 3

15 mins read
Read through the third part of additional AWS services tailored for specific
needs. AWS WorkSpaces offers managed virtual desktops, while Amazon
AppStream securely delivers desktop applications to any device. AWS IoT
Core supports IoT device communication and management, and AWS
AppSync provides a fully managed GraphQL service for real-time data-driven
applications. AWS Amplify offers tools and services for scalable, secure cloud
applications. Enhance your AWS skills with these services to meet diverse
application requirements effectively.

AWS DataSync

• Facilitates the transfer of large amounts of data from on-premises to AWS.
• Supports synchronization with various AWS storage services like S3, EFS, and FSx for Windows.
• Offers scheduled replication tasks, with incremental updates after the initial full load.

AWS Application Discovery Service

• Helps plan migration projects by collecting data from on-premises data centers.
• Agentless discovery → VM inventory, configuration, and performance history.
• Agent-based discovery → System configuration, performance, running processes, and network connection details.
• Resulting data can be viewed within AWS Migration Hub.

AWS Application Migration Service (MGN)

• Lift-and-shift (rehost) solution which simplifies migrating applications to AWS.
• Converts your physical, virtual, and cloud-based servers to run natively on AWS.
• Supports a wide range of platforms, operating systems, and databases.
• Minimal downtime, reduced costs.


AWS Migration Evaluator

• Assists in creating a data-driven business case for migrating to AWS.
• Offers a detailed view of the current on-premises environment. Installs an Agentless Collector for broad-based discovery, capturing on-premises footprint and server dependencies.
• Analyzes the current state, defines the target state, and helps develop a migration plan.

AWS Migration Hub

• Acts as a central repository for collecting server and application inventory data for assessing, planning, and tracking migrations to AWS.
• Accelerates migration to AWS and automates lift-and-shift processes.
• Provides pre-built templates through AWS Migration Hub Orchestrator, saving time and effort for migrating enterprise applications such as SAP and Microsoft SQL Server.
• Supports migration status updates from Application Migration Service (MGN).

AWS Step Functions

• Allows you to build serverless visual workflows to orchestrate Lambda functions.
• Features include sequence, parallel execution, conditions, timeouts, and error handling.
• Integrates with various AWS services such as EC2, ECS, on-premises servers, API Gateway, and SQS queues.
• Can implement human approval features.
• Use cases include order fulfillment, data processing, web applications, and any workflow automation needs.
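As an added example (not from the original notes), an order-fulfillment state machine written in Amazon States Language that exercises each feature listed above: a sequence of Task states, a timeout and a retry-with-backoff on the first call, a Choice state as the condition, a Parallel state for the payment and inventory branches, and Catch blocks that route any error to a single Fail state instead of leaving a half-processed order. The Lambda function names, the SNS topic and the account id 123456789012 are placeholders.

```json
{
  "Comment": "Order fulfillment: validate, then charge and reserve in parallel, then notify",
  "StartAt": "ValidateOrder",
  "States": {
    "ValidateOrder": {
      "Type": "Task",
      "Resource": "arn:aws:lambda:us-east-1:123456789012:function:ValidateOrder",
      "TimeoutSeconds": 30,
      "Retry": [{ "ErrorEquals": ["Lambda.ServiceException", "Lambda.TooManyRequestsException"],
                  "IntervalSeconds": 2, "MaxAttempts": 3, "BackoffRate": 2.0 }],
      "Catch": [{ "ErrorEquals": ["States.ALL"], "ResultPath": "$.error", "Next": "OrderFailed" }],
      "Next": "IsOrderValid"
    },
    "IsOrderValid": {
      "Type": "Choice",
      "Choices": [{ "Variable": "$.valid", "BooleanEquals": true, "Next": "FulfillInParallel" }],
      "Default": "OrderFailed"
    },
    "FulfillInParallel": {
      "Type": "Parallel",
      "Branches": [
        { "StartAt": "ChargePayment",
          "States": { "ChargePayment": { "Type": "Task",
            "Resource": "arn:aws:lambda:us-east-1:123456789012:function:ChargePayment", "End": true } } },
        { "StartAt": "ReserveInventory",
          "States": { "ReserveInventory": { "Type": "Task",
            "Resource": "arn:aws:lambda:us-east-1:123456789012:function:ReserveInventory", "End": true } } }
      ],
      "Catch": [{ "ErrorEquals": ["States.ALL"], "ResultPath": "$.error", "Next": "OrderFailed" }],
      "Next": "NotifyCustomer"
    },
    "NotifyCustomer": {
      "Type": "Task",
      "Resource": "arn:aws:states:::sns:publish",
      "Parameters": { "TopicArn": "arn:aws:sns:us-east-1:123456789012:order-events", "Message.$": "$" },
      "End": true
    },
    "OrderFailed": {
      "Type": "Fail",
      "Error": "OrderRejected",
      "Cause": "Validation failed or a fulfillment step raised an error"
    }
  }
}
```

The human-approval feature mentioned above is the one thing not shown; it is built with the same Task state plus the `.waitForTaskToken` integration pattern, which pauses the execution until an approver's callback returns the token.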
