Tutorials+Dojo+ +AWS+Certified+Developer+Associate+DVA C01+Video+Slides

Amazon Web Services (AWS) is a leading cloud service provider that began as an internal department of Amazon in 2004 and became publicly available in 2006. It offers a wide range of cloud-based services, including computing, storage, and database solutions, enabling businesses to scale globally and reduce operational costs. AWS's global infrastructure includes numerous data centers and availability zones, ensuring high reliability and performance for its millions of customers.


AWS Overview

What is AWS? When did AWS start? Why is AWS so popular?

Amazon Web Services = Cloud Service Provider
• Provides a cloud-based platform or cloud services
• Allows you to rent out virtual servers that you access remotely

A Cloud Service Provider is like a Car Rental

I need a car for just 3 days for my trip: a brand new car costs $40,000 vs. $100 for a rental.

Cloud Service Provider (Car Rental): with different types of CPU, Storage, Network and other components that you can choose from!

• Virtual Machines
• Physical Servers
• Storage Appliances
• Network Devices

Available for RENT and accessible online via Web Service interfaces (REST, SOAP etc…)

2004
• AWS started out as a department within Amazon Inc.
• Used only by early Amazon customers
• Web services were not available publicly

2006
• AWS officially started its operation as a public cloud service provider
• Released Amazon S3 (Simple Storage Service)
• Released Amazon SQS (Simple Queue Service)

Today
• Offers hundreds of fully-featured services that are available globally
• Provides a highly reliable, scalable, and low-cost infrastructure platform in the cloud
• Boasts a broad set of cloud-based products
• Is the world’s leading cloud platform
• Used by millions of customers
• Supports various workloads
• Significantly lowers your operating costs
• Enables companies to scale globally in minutes!
AWS Global Infrastructure

Data Center
• Has thousands of servers!
• These physical servers generate virtual machines or store your data!

Availability Zone
• One or more data centers (Data Center, Data Center, Data Center)
• Improves the “Availability” of your systems
• Your system will still run even if one or more data centers encountered an outage
• Availability Zones are located 100 kilometers or 60 miles from each other

Region
• Literally a geographic “Zone”, for example US East (Ohio), us-east-2
• Contains several Availability Zones (Availability Zone 1, Availability Zone 2, Availability Zone 3), each with its own data centers

Edge Networks
• PoP: Point of Presence / Edge Location
• The Origin Server (in California in the slide) is where the files are stored
• A Region with its Availability Zones is just a part of the global Content Delivery Network
AWS Services Overview

Host Web Apps, Run Real-Time Data Analytics, Develop Mobile Apps, Store Data for Backup …and many more!

PER CATEGORY

COMPUTE SERVICES: Amazon EC2, AWS Lambda, AWS Outposts, Amazon Lightsail

Service name expansions:
• Amazon EC2 = Amazon Elastic Compute Cloud
• Amazon S3 = Amazon Simple Storage Service
• Amazon RDS = Amazon Relational Database Service

Fully managed by AWS, based on open source technology:
• Amazon Elastic Kubernetes Service (EKS)
• Amazon FSx for Lustre (FSx)
• Amazon Elasticsearch Service

Amazon Route 53: routes traffic. What’s the meaning of this number? The number 53 is the TCP and UDP port number used for the Domain Name System (DNS) protocol transport.

Similar-sounding names: Amazon Elastic Container Service, Amazon EC2, Amazon Elastic Kubernetes Service

AWS Compute Services Overview

AWS Compute Services
• Virtual Machines: Amazon EC2, Amazon LightSail, AWS Outposts
• Serverless: AWS Lambda, AWS Fargate
• Orchestration: AWS Elastic Beanstalk, AWS Batch
• Container: Amazon EKS, Amazon ECS


Virtual Machines

A virtual Instance consists of Network, Virtual CPU and Storage, provided by a VIRTUALIZATION layer (also called a Virtual Machine Monitor or a Hypervisor).

• SHARED (DEFAULT VIRTUALIZATION): used by MULTIPLE tenants / customers
• DEDICATED (CUSTOM VIRTUALIZATION): used by a SINGLE customer

Serverless
• Fully managed by AWS
• NO DIRECT server access via SSH or RDP, unlike Amazon EC2

Hybrid
• Runs in your on-premises data center
Amazon EC2 (Elastic Compute Cloud)
• A computing service that runs virtual servers in AWS
• Allows you to launch Windows, Linux or even MacOS virtual machines
• A type of Infrastructure as a Service (IaaS)
• A basic building block for your cloud architecture
• Used by other AWS services as an underlying compute service
• Shared Responsibility Model: AWS manages the Host OS, you manage the Guest OS
• Flexible, Customizable, Scalable
• Accessed via an SSH connection or a Remote Desktop connection

AWS Lambda
• Serverless, fully managed by AWS
• A Lambda function runs in a managed RUNTIME ENVIRONMENT or a CUSTOM runtime
Orchestration: AWS Batch, AWS Elastic Beanstalk

AWS Batch
• Enables you to run batch computing workloads
• Dynamically provisions the optimal quantity and type of compute resources, based on the volume and specific resource requirements
• Does the planning, scheduling, and execution of your batch computing workloads using Amazon EC2 instances

AWS Elastic Beanstalk
• Automates the deployment, management, scaling, and monitoring of your custom applications in AWS
• Just upload your application and it will automatically handle the common tasks to run your application
• Handles capacity provisioning, load balancing, database management, auto-scaling, and health monitoring
• Mnemonic: “Jack and the Beanstalk” (Your Applications on AWS Elastic Beanstalk)

Amazon LightSail
• An easy-to-use Virtual Private Server (VPS)
• Has its own web management console
• Also provides other services like databases, load balancers, DNS records and many more

AWS Outposts
• A hybrid service that allows you to run AWS services, like Amazon EC2, in your on-premises data center
AWS Container Services Overview

AWS Container Services: Amazon ECS, Amazon EKS, AWS Fargate, Amazon ECR
CLI Tools: AWS App2Container (A2C), AWS Copilot

Virtual Machine vs Container
• Virtual Machine: each App runs on its own Guest OS on top of a HYPERVISOR; a hosted hypervisor runs on the Host OS, a bare metal hypervisor runs directly on the hardware firmware
• Container: Apps run in Container 1, Container 2, Container 3 on a CONTAINER ENGINE on the Host OS; the container engine can also run inside a virtual machine
Amazon ECS
• Amazon Elastic Container Service (Amazon ECS)
• A container orchestration service that supports Docker containers
• Allows you to easily install, operate, and scale your cluster management infrastructure in AWS
• Containers are defined in a task definition which you use to run an ECS task or are grouped together as an ECS service
• Runs your ECS tasks using: Amazon EC2 or AWS Fargate
• An IAM Role can be attached to your ECS task in the TaskRoleArn property of your task definition for security control
• Store your Docker images in: Amazon ECR
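The TaskRoleArn bullet above is where least privilege is enforced for an ECS workload: the task role is what the application code can call, while the execution role is what the ECS agent uses to pull the image and ship logs. The following Python is an added example, not Tutorials Dojo's code, that lints a task definition the way a reviewer would before registering it. The task definitions, the account id 123456789012, the role names and the image URI are constructed placeholders.

```python
import re

# Constructed sample task definition for this example (not a real deployment):
# the account id 123456789012, the role names and the image URI are placeholders.
SAMPLE_TASK_DEFINITION = {
    "family": "orders-api",
    # Task role: what the application code inside the container may call (TaskRoleArn on the slide).
    "taskRoleArn": "arn:aws:iam::123456789012:role/orders-api-task-role",
    # Execution role: what the ECS agent needs on the task's behalf (pull from ECR, write logs).
    "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
    "containerDefinitions": [
        {
            "name": "api",
            "image": "123456789012.dkr.ecr.us-east-2.amazonaws.com/orders-api:1.4.2",
            "privileged": False,
            "readonlyRootFilesystem": True,
        }
    ],
}

# The same family with the settings a reviewer should flag (also constructed).
WEAK_TASK_DEFINITION = {
    "family": "orders-api",
    "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
    "containerDefinitions": [
        {
            "name": "api",
            "image": "123456789012.dkr.ecr.us-east-2.amazonaws.com/orders-api:latest",
            "privileged": True,
        }
    ],
}

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")


def _image_is_pinned(image: str) -> bool:
    """True when the image reference carries a non-'latest' tag or a digest."""
    last = image.rsplit("/", 1)[-1]  # strip the registry/repository path
    if "@sha256:" in last:
        return True
    if ":" not in last:
        return False  # no tag at all means an implicit, mutable 'latest'
    return not last.endswith(":latest")


def check_task_definition(td: dict) -> list:
    """Return the list of findings for a task definition; an empty list means it passed."""
    findings = []
    task_role = td.get("taskRoleArn")
    exec_role = td.get("executionRoleArn")

    if not task_role:
        findings.append("taskRoleArn missing: application code gets no task-scoped IAM credentials")
    elif not ROLE_ARN_RE.match(task_role):
        findings.append(f"taskRoleArn is not an IAM role ARN: {task_role}")

    if not exec_role:
        findings.append("executionRoleArn missing: ECS cannot pull private ECR images or write logs on the task's behalf")
    elif exec_role == task_role:
        findings.append("taskRoleArn equals executionRoleArn: application code inherits the agent's permissions")

    for c in td.get("containerDefinitions", []):
        name = c.get("name", "<unnamed>")
        if not _image_is_pinned(c.get("image", "")):
            findings.append(f"container {name}: image is not pinned to a tag or digest")
        if c.get("privileged"):
            findings.append(f"container {name}: privileged is true")
        if not c.get("readonlyRootFilesystem"):
            findings.append(f"container {name}: readonlyRootFilesystem is not true")
    return findings


if __name__ == "__main__":
    for label, td in (("sample", SAMPLE_TASK_DEFINITION), ("weak", WEAK_TASK_DEFINITION)):
        print(label, check_task_definition(td) or "OK")
```

Run it against the JSON you would pass to `aws ecs register-task-definition`; a non-empty list is the set of points to fix before the task gets an IAM identity.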
Amazon ECS: Storage, Integration, Scaling
• Storage: ECS Task 1 and ECS Task 2 store data on Amazon EFS or Amazon FSx
• Integration: ECS tasks exchange data through Amazon SQS
• Scaling: Service Auto Scaling
Amazon EKS
• Amazon Elastic Kubernetes Service (Amazon EKS)
• A fully-managed Kubernetes service
• Portable, extensible, and open-source platform for managing containerized workloads and services
• Containers are grouped into Pods — the basic operational unit for Kubernetes
• Launches and orchestrates a cluster of compute resources using: Amazon EC2 or AWS Fargate
• Considered cloud-agnostic as it allows you to easily move your workloads to your on-premises network or to other cloud service providers like Microsoft Azure, Google Cloud Platform (GCP), et cetera
AWS Fargate
• A serverless compute engine
• Works on: Amazon ECS and Amazon EKS
• Allows you to focus on building your applications without worrying about server provisioning, scaling, and management
• Provides a more cost-effective solution than a container running on the Amazon EC2 launch type
• Runs each ECS task or Kubernetes pod in its own kernel
• Provides the tasks and pods in their own isolated compute environment
Amazon ECR
• Amazon Elastic Container Registry (Amazon ECR)
• A fully-managed Docker container registry
• Allows you to store, manage, and deploy Docker container images
• Integrated with Amazon ECS
• Stores your Docker images in a highly available and scalable architecture
• You can use IAM to provide resource-level control of each repository
AWS App2Container (A2C)
• A command-line tool
• Transforms .NET & Java applications to containerized applications
• Packages the application artifact and dependencies into container images
• Configures the network ports and generates the ECS task and Kubernetes pod definitions

AWS Copilot
• Also a command-line tool, just like AWS App2Container (A2C)
• Transforms .NET & Java applications to containerized applications
• Enables you to quickly launch and easily manage containerized applications on AWS
• Automates the deployment lifecycle of your containers

AWS Database Services Overview

ACID: Atomicity, Consistency, Isolation, Durability

• Relational: Amazon RDS, Amazon Aurora
• Data warehouse: Amazon Redshift
• NoSQL: Amazon DynamoDB, Amazon DocumentDB
• In-Memory: Amazon ElastiCache (Memcached)
• Other Databases: Amazon Keyspaces, Amazon Neptune, Amazon Timestream, Amazon Quantum Ledger
Amazon Relational Database Service (Amazon RDS)
• A relational database that is managed by both you (limited access) and AWS
• The time-consuming tasks are handled by AWS — such as hardware provisioning, patching, backups, and maintenance
• You can configure the underlying EC2 instance used by Amazon RDS: the DB Instance’s Storage, Instance Type and Network Access (Amazon VPC, VPC Endpoint)
• You decide the actual time for the patches (e.g. a security patch) to be applied, through its maintenance window
• Can run various types of database engines, including Microsoft SQL Server, PostgreSQL and Amazon Aurora
Amazon RDS deployment options (AWS Cloud, N. Virginia Region, VPC A)
• Single AZ: a single PRIMARY DB instance in Availability Zone (AZ) 1
• Multi-AZ: PRIMARY in Availability Zone (AZ) 1 with a STANDBY in Availability Zone (AZ) 2, kept in sync through Synchronous Replication
• Read Replica: a READ REPLICA in Availability Zone (AZ) 3 receives changes through Asynchronous Replication
• Cross-Region Read Replica: a READ REPLICA in the Ohio Region (VPC B) also receives changes through Asynchronous Replication
Tutorials Dojo
www.tutorialsdojo.com
Amazon Aurora
• A type of database engine (that you can run on Amazon RDS) and a fully managed database service
• Compatible with: PostgreSQL
• Scales automatically, performs faster, and costs lower than other databases
• Can automatically grow its data storage
• Deployed as a database cluster that consists of a PRIMARY and READ REPLICAs
• Similar to Multi-AZ Deployments in Amazon RDS
• A cluster has a single-master configuration where applications can only write data to a single, master DB instance
• In a multi-master cluster, all DB instances have read/write capability
• Amazon Aurora and Amazon Relational Database Service (Amazon RDS) are suitable for applications that read or write constantly changing data, such as Online Transaction Processing applications or OLTP
Data warehouse

Amazon Redshift
• A fully managed data warehouse
• Allows you to analyze all your data using standard SQL or through your existing Business Intelligence tools
• Optimized to analyze relational data coming from transactional systems, business applications, and other sources for fast SQL queries
• Offers a concurrency scaling feature that supports virtually unlimited concurrent users and concurrent queries
• Has a feature called Redshift Spectrum that allows you to query and retrieve structured and semistructured data from files stored in Amazon S3
• Primarily used for Online Analytical Processing or OLAP applications like data reporting and analytics
NoSQL Databases: Amazon DynamoDB, Amazon DocumentDB

Amazon DynamoDB
• A fully managed NoSQL database service
• A non-relational database that does not have a rigid schema or extensive table relationships
• NON-RELATIONAL DATABASE: Dynamo Table #1 and Dynamo Table #2 hold ITEMs made of ATTRIBUTEs, with NO RELATIONSHIP between the tables
• RELATIONAL DATABASE: tables are linked by a Relationship (Foreign Key) and combined with JOINS

Amazon DocumentDB
• A fast, scalable, highly available MongoDB-compatible database service
• A document-oriented database program
• Cross-platform, NoSQL database
• Each document contains fields and values in JSON format with no rigid schema enforced
• DOCUMENT DATABASE: documents are grouped into a COLLECTION, where a RELATIONAL DATABASE has tables

Sample DOCUMENT:
{
  id: 1898,
  gid: "tutorialsdojo1898",
  firstName: "Jose",
  lastName: "Rizal",
  profile: {
    nationality: "Filipino",
    country: "Philippines",
    birthPlace: "Laguna"
  }
}
Amazon ElastiCache
• A caching service
• Allows you to set up, run, and scale open-source in-memory databases like Memcached
• IN-MEMORY DATABASE: CACHED vs NO CACHE
• Faster than disk-based databases
• Useful for database caching that eliminates unnecessary frequent calls to the database just to return identical datasets
• Useful for real-time analytics, distributed session management, geospatial services, and many more
• Sub-millisecond latency
• Data Partitioning
• Can be integrated to your apps with minimal code change

Amazon ElastiCache for Memcached
• Based on the open-source Memcached in-memory data store
• Suitable for building a simple, scalable caching layer for your data-intensive apps
• Multithreaded — it can utilize multiple processing cores
• Lacks data replication capability
• Does not:
‣ Support Advanced Data Structures
‣ Provide a Highly Available Caching Layer

Amazon ElastiCache for Redis
• Redis stands for REmote DIctionary Server
• Based on the open-source Redis in-memory data store
• Provides:
‣ Advanced Data Structures
‣ Pub/Sub messaging
‣ Geospatial support
‣ Point-in-Time Snapshot support
• Has a replication feature that provides high availability via data replication
• You can enable the Cluster Mode in Redis to have multiple primary nodes and replicas across two or more Availability Zones
Other Databases

Amazon Keyspaces
• A scalable, highly available, and managed Apache Cassandra–compatible database service
• Apache Cassandra is an open-source, wide column data store that is designed to handle large amounts of data
• Run your Cassandra workloads on AWS without having to provision, patch, or manage servers

Amazon Neptune
• A fast, reliable, fully-managed graph database service
• Makes it easy for you to build and run applications that work with highly connected datasets
• Allows you to store billions of relationships and query your data graphs with milliseconds latency
• Uses nodes to store data entities and edges to store relationships between entities

Amazon Timestream
• A fast, scalable, and serverless Time Series database service (values recorded at 9 AM, 10 AM, 11 AM, 12 PM, …)
• Primarily used for Internet-of-Things and operational applications
• Tracks the changes of your data
• Can be used to track stock prices, temperature measurements, and the CPU utilization of an EC2 instance over a specific amount of time

Amazon Quantum Ledger Database (Amazon QLDB)
• A fully managed ledger database service
• Provides a transparent and immutable transaction log that is owned by a central trusted authority
• Creates logs that are cryptographically verifiable
• Provides an auditable history of all changes made to your application data
• Can be used to track each and every application data change
Application Integration Services Overview

MONOLITHIC: one application made up of a USER INTERFACE, BUSINESS LOGIC and a DATA ACCESS LAYER
MICROSERVICES: separate UIs and SERVICE 1, SERVICE 2, SERVICE 3, SERVICE 4, SERVICE 5 communicating through QUEUEs

Application Integration Services
• Amazon Simple Queue Service (Amazon SQS)
• Amazon Simple Notification Service (Amazon SNS)
• AWS Step Functions
• Amazon MQ
• Amazon EventBridge
• AWS AppSync
• Amazon AppFlow
Amazon Simple Queue Service (Amazon SQS)
• A fully managed message queueing service
• The messages can be consumed or processed by: Amazon EC2, AWS Lambda, Amazon ECS, or other consumers
• Can replace your traditional message-oriented middleware without having to manage any servers or resources
• Consumers change how long a received message stays hidden from others with the ChangeMessageVisibility API

Amazon SQS queue TYPES: STANDARD vs FIFO (First In, First Out)
• DELIVERY: Standard = At Least Once (possible duplicate messages!); FIFO = Exactly Once
• ORDERING: Standard = Best Effort (messages might be delivered in a different order from the one in which they were received); FIFO = preserves the exact order
• THROUGHPUT: Standard = HIGH; FIFO = LIMITED
• In the slide diagram the Standard queue delivers messages out of order and one of them twice, while the FIFO queue delivers 1, 2, 3, 4 in order
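The delivery and ordering rows above decide what the consumer has to do: with a Standard queue the worker must be idempotent because the same message can arrive twice, and with a FIFO queue the queue itself drops a duplicate only within its 5-minute deduplication interval. The Python below is an added example, not Tutorials Dojo's code, and makes no AWS call; the deliveries are constructed in-memory dicts shaped like the MessageId, MessageGroupId and MessageDeduplicationId fields SQS uses, and the 300-second window is the documented FIFO value.

```python
FIFO_DEDUP_WINDOW_SECONDS = 300  # SQS FIFO deduplication interval (5 minutes)

# Constructed Standard-queue delivery stream: m-1 is redelivered once (at-least-once delivery).
STANDARD_DELIVERIES = [
    {"MessageId": "m-1", "Body": "order 1001 paid"},
    {"MessageId": "m-2", "Body": "order 1002 paid"},
    {"MessageId": "m-1", "Body": "order 1001 paid"},
]


def consume_standard(deliveries: list, seen: set) -> list:
    """Idempotent consumer for a Standard queue.

    `seen` is the consumer's own record of processed MessageIds (in a real worker a
    DynamoDB table or cache shared by every consumer). Returns the ids processed this run;
    a redelivered duplicate is acknowledged but its work is not repeated.
    """
    processed = []
    for msg in deliveries:
        if msg["MessageId"] in seen:
            continue
        seen.add(msg["MessageId"])
        processed.append(msg["MessageId"])
    return processed


class FifoQueue:
    """Minimal model of FIFO semantics: exactly-once inside the dedup window and
    strict arrival order per MessageGroupId."""

    def __init__(self):
        self._dedup_seen = {}  # MessageDeduplicationId -> time first accepted
        self._groups = {}      # MessageGroupId -> bodies in arrival order

    def send(self, msg: dict, now: float) -> bool:
        """Return True if the message is accepted, False if dropped as a duplicate."""
        dedup_id = msg["MessageDeduplicationId"]
        first_seen = self._dedup_seen.get(dedup_id)
        if first_seen is not None and now - first_seen < FIFO_DEDUP_WINDOW_SECONDS:
            return False
        self._dedup_seen[dedup_id] = now
        self._groups.setdefault(msg["MessageGroupId"], []).append(msg["Body"])
        return True

    def receive_group(self, group_id: str) -> list:
        """Bodies of one message group in the order a consumer would receive them."""
        return list(self._groups.get(group_id, []))


def demo() -> dict:
    """Run both models on constructed input and return what a consumer observes."""
    seen = set()
    processed = consume_standard(STANDARD_DELIVERIES, seen)

    q = FifoQueue()
    created = {"MessageGroupId": "order-1001", "MessageDeduplicationId": "evt-1", "Body": "created"}
    paid = {"MessageGroupId": "order-1001", "MessageDeduplicationId": "evt-2", "Body": "paid"}
    accepted = [
        q.send(created, now=0),     # first send
        q.send(created, now=10),    # producer retry inside the window: dropped
        q.send(paid, now=20),
        q.send(created, now=400),   # same dedup id after the window: accepted again
    ]
    return {
        "standard_processed": processed,
        "fifo_accepted": accepted,
        "fifo_order": q.receive_group("order-1001"),
    }


if __name__ == "__main__":
    print(demo())
```

The last `send` is the caveat to remember: FIFO "exactly once" is scoped to the deduplication interval, so a producer that retries a day later still needs an idempotent consumer.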


Scaling consumers with Amazon SQS metrics
• Age of the Oldest Message
• Queue Depth
• Number of Messages
• A Target Tracking Policy on the Auto Scaling group scales the EC2 consumers based on these metrics

Amazon Simple Notification Service (Amazon SNS)
(slide diagram: ECS Task 1 and ECS Task 2 exchange data through Amazon SQS and an Amazon S3 Bucket)
Amazon Simple Notification Service (Amazon SNS)
• A fully managed messaging and notification service
• Enables you to communicate between systems through publish/subscribe patterns or pub/sub messaging
• Messaging via mobile push, email, or SMS
• Publishers send messages to a TOPIC and subscribers receive them

FANOUT
• One topic delivered to many subscribers, for example a Car Insurance Queue, a Home Insurance Queue and a Pet Insurance Queue

EVENT NOTIFICATIONS
• For example, Amazon RDS Events published to a topic

Amazon SNS with Message Filtering
• Sources: Amazon RDS Events, Custom Events and Amazon CloudWatch publish to an SNS TOPIC
• Message Filter: filter by QUOTE Type
• SQS QUEUES: Car Insurance Queue, Home Insurance Queue, Pet Insurance Queue
• CONSUMERS: Amazon EC2, Amazon ECS, AWS Lambda respectively
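The "filter by QUOTE Type" box above is a subscription filter policy evaluated by SNS, so each queue only ever sees its own quotes and the consumer code needs no routing logic. The Python below is an added example, not Tutorials Dojo's code, and calls no AWS API; it models the documented attribute-based filter-policy rules (exact string, prefix, anything-but, numeric; policy keys are ANDed, the values of one key are ORed) and routes constructed messages to the three queues from the slide plus an assumed high-value review queue.

```python
def _match_rule(rule, value) -> bool:
    """Evaluate one rule element of a filter policy against one message attribute value."""
    if isinstance(rule, (str, int, float)) and not isinstance(rule, bool):
        return value == rule
    if isinstance(rule, dict):
        if "prefix" in rule:
            return isinstance(value, str) and value.startswith(rule["prefix"])
        if "anything-but" in rule:
            excluded = rule["anything-but"]
            excluded = excluded if isinstance(excluded, list) else [excluded]
            return value not in excluded
        if "numeric" in rule:
            if isinstance(value, bool) or not isinstance(value, (int, float)):
                return False
            ops = rule["numeric"]  # e.g. [">=", 100, "<", 500]; the pairs are ANDed
            checks = {
                ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
                "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
                "=": lambda a, b: a == b,
            }
            return all(checks[ops[i]](value, ops[i + 1]) for i in range(0, len(ops), 2))
    return False


def matches(policy: dict, attributes: dict) -> bool:
    """True when every policy key is present in the message attributes and at least
    one of that key's rules matches. A message lacking a policy key is not delivered."""
    for key, rules in policy.items():
        if key not in attributes:
            return False
        if not any(_match_rule(r, attributes[key]) for r in rules):
            return False
    return True


# Constructed subscriptions: the three queues on the slide plus an assumed review queue
# for any non-pet quote with a premium of 1000 or more.
SUBSCRIPTIONS = {
    "car-insurance-queue": {"QuoteType": ["car"]},
    "home-insurance-queue": {"QuoteType": ["home"]},
    "pet-insurance-queue": {"QuoteType": ["pet"]},
    "high-value-review-queue": {
        "QuoteType": [{"anything-but": ["pet"]}],
        "Premium": [{"numeric": [">=", 1000]}],
    },
}


def route(attributes: dict) -> list:
    """Return the names of the subscriptions that would receive a message with these attributes."""
    return [name for name, policy in SUBSCRIPTIONS.items() if matches(policy, attributes)]


if __name__ == "__main__":
    # Constructed sample messages, attributes only (the body is irrelevant to filtering).
    for attrs in ({"QuoteType": "car", "Premium": 1500},
                  {"QuoteType": "pet", "Premium": 5000},
                  {"QuoteType": "home", "Premium": 200},
                  {"Premium": 9000}):
        print(attrs, "->", route(attrs))
```

The fourth sample shows the behaviour worth remembering when a subscriber "never receives anything": a message published without the attribute the policy names matches no subscription at all.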

AWS Step Functions
• A serverless function orchestrator for AWS Lambda
• Allows you to orchestrate multiple AWS Lambda functions, in order to achieve a specific workflow
• Enables you to create a state machine containing a combination of steps, activities and service tasks
• Example workflow: STEP 1 Register (Lambda), STEP 2 Verification (Lambda), STEP 3 Send Report (Lambda)
Amazon MQ
• A managed message broker service
• Uses the open-source message broker
• The “MQ“ in Amazon MQ stands for Message Queue, which is a form of asynchronous communication
• Works like Amazon SQS but supports more messaging protocol types
• Supports Java Message Service (JMS), .NET Message Service (NMS), AMQP, MQTT, WebSocket and many others
Amazon EventBridge
• A serverless event bus service
• Enables you to connect applications together using data from your own applications, Software-as-a-Service (SaaS) applications, and other AWS services
• Uses the same service API, endpoint, and underlying service infrastructure as Amazon CloudWatch Events
• Recommended to be used for your own applications, 3rd party Software-as-a-Service apps, and other external sources
• Suitable for building event-driven applications

AWS AppSync
• A managed service that uses GraphQL
• GraphQL is a data query language that basically allows you to query your REST APIs
• Has different types of schema:
‣ QUERY: Read Data
‣ MUTATION: Write Data
‣ SUBSCRIPTION: Download/Upload Data
• Only fetches the data that you want and not the entire data set
• Unlike a REST API, you can query different APIs or resources easily using a single API call
• Uses a Resolver which populates the data in your schema
• Simplifies application development by easily integrating GraphQL with your applications
Amazon AppFlow
• A fully managed integration service
• Enables you to securely transfer data between various systems such as your Software-as-a-Service (SaaS) applications and different AWS Services
• Supports different SaaS apps such as Salesforce, Marketo, Slack, ServiceNow and many more
• Can be integrated with other AWS services
• Allows you to run your data flows on-demand, by schedule or as a response to a business event
• Provides you with powerful data transformation capabilities like filtering and validation
AWS Analytics Services Overview

• Data Warehouse: STRUCTURED DATA
• Data Lake: STRUCTURED DATA and UNSTRUCTURED DATA

Open Source Technologies used by AWS Analytics Services: …and many other open-source projects!
3rd Party Technologies used by AWS Analytics Services: …and many more!

ETL: Extract, Transform, Load (SERVERLESS)

AWS Analytics Services
• Amazon Elasticsearch Service (Amazon ES)
• Amazon Elastic MapReduce (Amazon EMR)
• Amazon Kinesis
• Amazon Athena
• Amazon QuickSight
• Amazon CloudSearch
• Amazon Redshift
• AWS Data Pipeline
• AWS Glue
• AWS Lake Formation
• Amazon Managed Streaming for Apache Kafka
Amazon Kinesis
• A suite of services for processing your data streams
• Analyzes your data streams in real-time
• Allows you to collect, transform, process, load, and analyze the streaming data in real-time to help you acquire the data insights and respond to data changes
• Example: CLICK events flow into a DATA STREAM
• Services: Amazon Kinesis Data Streams, Amazon Kinesis Data Firehose, Amazon Kinesis Data Analytics, Amazon Kinesis Video Streams
Amazon Kinesis Data Streams
• A massively scalable, durable, secure and low-cost real-time data streaming service
• Can continuously capture gigabytes of data per second from thousands of different sources
• Collects and sends data to your data analytics applications and consumers in real-time
• Can be used in:
‣ Real-time Applications
‣ Predictive Maintenance
‣ Website Clickstreams
‣ Mobile Game Data Streams
‣ Database Event Streams
‣ Online Marketplaces
‣ IoT Telemetry
‣ Real-time Recommendations Systems
‣ Location-tracking Events
‣ …and many more!
• Provides ordering of records
• Can read & replay records in the same order
• Suitable if you have a requirement where:
‣ The data events must be received in an ordered manner
‣ There’s a need to process the data stream of your web applications, or mobile game updates, in order of receipt
• Can be used to decouple your cloud architecture like Amazon SQS by accepting data from your data sources and forwarding it to different compute resources
• Similar to Amazon SQS with notable differences:
‣ SQS can’t process data in real-time
‣ SQS Standard queue doesn’t maintain the order of data records by default
‣ SQS FIFO queue maintains the order of data records but is significantly slower than SQS Standard and doesn’t perform in real-time

Amazon Kinesis Data Streams USE CASES
• If you need a solution that captures the clickstream data from multiple websites in real-time and analyzes it using batch processing
• For setting up and building scalable, near-real-time recommendations for your users
• For mobile games that stream score updates to a backend system and post the results on a leaderboard
• For collecting the mobile game scores in order of receipt which can then be processed by an AWS Lambda function and stored in DynamoDB
• For implementing predictive maintenance on different types of machinery equipment using IoT sensors
• For sending data to AWS in real-time wherein the data stream will receive events in an ordered manner for each connected device, data producer or machinery asset
• For implementing a scalable, near-real-time solution in processing millions of financial transactions
• For launching a data stream that can be consumed by Amazon Kinesis Data Analytics which can be queried using SQL queries
Amazon Kinesis Data Firehose
• A fully managed service that reliably transforms and loads your streaming data into data stores and analytics tools
• Directly delivers data to Amazon S3, Amazon Redshift, Amazon Elasticsearch Service, and any HTTP endpoint
• Can be integrated with your third-party service providers
• Enables your data producers to directly send data to a specific destination or data store without any custom applications or consumers
• Can transform your data before sending it to a specified destination, to remove sensitive data or for data pre-processing procedures
• Similar to Amazon Kinesis Data Streams but with certain differences:
‣ Both services can accept streaming data in real-time
‣ However, Kinesis Data Streams requires an external consumer to store the records while Kinesis Data Firehose does not
• Acts like a “firehose” to immediately send the streams of data to your data store
• Delivers your data stream directly to your Amazon S3 buckets, Redshift databases, Amazon ES clusters, and others without the need for a consumer
• Can transform the data before it is sent to its destination
• Internally invokes an AWS Lambda function to transform the incoming source data and deliver the processed data to its destination
• Recommended if you need to parse the data stream to remove any sensitive data such as personal data or protected health information (PHI)
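The "remove sensitive data" use case above is implemented as a Firehose data-transformation Lambda: Firehose hands the function a batch of base64-encoded records and expects each one back with the same recordId, a result of Ok, Dropped or ProcessingFailed, and the transformed data. The Python handler below is an added example, not Tutorials Dojo's code; the event/response shape is the documented Firehose transformation contract, while the sample records, field names and redaction patterns are constructed for illustration.

```python
import base64
import json
import re

# Constructed redaction rules: fields dropped outright and patterns masked in free text.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
DROP_FIELDS = {"password", "ssn"}
MASK_FIELDS = {"email", "note"}


def redact(record: dict) -> dict:
    """Return a copy of one decoded record with sensitive fields removed or masked."""
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue
        if key in MASK_FIELDS and isinstance(value, str):
            value = EMAIL_RE.sub("[email]", value)
            value = SSN_RE.sub("[ssn]", value)
        out[key] = value
    return out


def handler(event: dict, context=None) -> dict:
    """Firehose transformation entry point: every input recordId must appear in the output."""
    output = []
    for rec in event["records"]:
        try:
            payload = json.loads(base64.b64decode(rec["data"]).decode("utf-8"))
            clean = redact(payload)
            # Firehose concatenates records as-is on delivery, so the newline separator
            # between JSON objects has to be added here.
            data = (json.dumps(clean, separators=(",", ":")) + "\n").encode("utf-8")
            output.append({
                "recordId": rec["recordId"],
                "result": "Ok",
                "data": base64.b64encode(data).decode("ascii"),
            })
        except (ValueError, KeyError, UnicodeDecodeError):
            # Malformed input: report it so Firehose writes the record to the error prefix
            # instead of silently forwarding unredacted data.
            output.append({"recordId": rec["recordId"], "result": "ProcessingFailed", "data": rec["data"]})
    return {"records": output}


def _encode(obj) -> str:
    return base64.b64encode(json.dumps(obj).encode("utf-8")).decode("ascii")


# Constructed sample event in the shape Firehose sends: one valid record, one that is not JSON.
SAMPLE_EVENT = {
    "records": [
        {
            "recordId": "r1",
            "approximateArrivalTimestamp": 1700000000000,
            "data": _encode({
                "user": "u-17",
                "email": "jose@example.com",
                "ssn": "123-45-6789",
                "note": "call 123-45-6789 at jose@example.com",
                "amount": 42,
            }),
        },
        {
            "recordId": "r2",
            "approximateArrivalTimestamp": 1700000000001,
            "data": base64.b64encode(b"not json").decode("ascii"),
        },
    ]
}


def transformed_payloads(event: dict = SAMPLE_EVENT) -> list:
    """Run the handler and decode Ok records back to dicts; failed records yield their result string."""
    result = []
    for rec in handler(event)["records"]:
        if rec["result"] == "Ok":
            result.append(json.loads(base64.b64decode(rec["data"]).decode("utf-8")))
        else:
            result.append(rec["result"])
    return result


if __name__ == "__main__":
    print(transformed_payloads())
```

Deploy the handler as the transformation Lambda of the delivery stream; records that fail to parse land under the error output prefix rather than in the main destination, which is the behaviour you want when the destination is the one place sensitive data must never reach.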
Amazon Kinesis Video Streams
• A service that securely streams video from connected devices or sources to AWS
• Commonly used for data analytics, machine learning, video playback, and other types of media processing
• Automatically provisions and scales all the required infrastructure to ingest streaming video data from millions of devices
• Stores, encrypts, and indexes video data in your streams to improve performance
• Provides access to your video data through a collection of easy-to-use APIs
Amazon Kinesis Data Analytics
• A serverless service that enables you to analyze your streaming data, acquire actionable insights, and respond to events in real-time
• Reduces the complexity of building, managing, and integrating streaming applications with your custom applications and other AWS services
• Serverless
• Uses Apache Flink to process and analyze streaming data
• Eliminates the manual tasks of setting up and maintaining Apache Flink
• Enables you to author and run code against streaming sources
• The data can be analyzed using SQL queries and the results can be delivered to Amazon S3, Amazon Redshift, and other data stores using Kinesis Data Firehose
• Java or Scala can be used to process and analyze your streaming data

Amazon Kinesis Data Analytics USE CASES
• In near-real-time data processing and data querying for acquiring timely insights of your application
• For processing your streaming data with minimal effort and operational overhead
• For providing scalable and near-real-time data querying with minimal data loss
• For analyzing the location data points of your GPS application that tracks the movement of people, bikes, automobiles, or any other moving object
• You can expose a REST API using API Gateway that can be used as an Amazon Kinesis proxy
Amazon Athena
• An interactive query service for your data that is stored in Amazon S3
• Simplifies data analysis in Amazon S3 using standard SQL queries
• Unlike S3 Select, you can query the entire data in your Amazon S3 bucket with Amazon Athena and not just its subset
• Serverless
• Sample use case:
‣ A global eCommerce website stores 250 gigabytes of transactional data each month in Amazon S3
‣ You need to identify the number of items sold in each particular region for the previous month in the most cost-effective way
• Athena costs less than Amazon Redshift, Amazon EMR, or Amazon ES since it’s serverless
• Can use an AWS Glue Data Catalog to store and retrieve table metadata for your Amazon S3 data and provide data visualization using Amazon QuickSight
Amazon Elasticsearch Service (Amazon ES)
• A fully managed Elasticsearch service
• Elasticsearch is a distributed, multitenant-capable full-text search engine based on the Apache Lucene library
• Provides an HTTP web interface that can store data as a schemaless JSON document
• Provisions the necessary infrastructure and automatically manages the resources needed to run the Amazon ES cluster
• Also allows you to launch an ELK (Elasticsearch, Logstash, and Kibana) stack in AWS
• ELK Stack:
‣ Elasticsearch - full-text search engine
‣ Logstash - server-side data processing pipeline
‣ Kibana - user interface to visualize Elasticsearch data
• Provides support for open-source Elasticsearch APIs, managed Kibana, integration with Logstash and other AWS services
• Lets you pay only for what you use (no upfront costs or usage requirements)
Amazon Elastic MapReduce (Amazon EMR)
• Allows you to run different types of big data frameworks in AWS
• A managed big data platform for processing vast amounts of data using open source tools such as Apache Zeppelin
• Runs your big data framework on Amazon EC2 instances, Amazon Elastic Kubernetes Service clusters, or in your on-premises EMR cluster via AWS Outposts
• The compute resources launched by Amazon EMR are deployed in your VPC and then grouped as an Amazon EMR cluster
• You can directly access and control the underlying EC2 instances of your EMR cluster
• NOT serverless
• Automates the server provisioning and management process for you and allows your data to interact with other AWS data stores such as Amazon S3 and Amazon DynamoDB
Amazon QuickSight
• A scalable, serverless, embeddable, machine learning-powered business intelligence service
• Allows you to create and publish interactive dashboards that can be accessed from different browsers or mobile devices
• Allows you to embed dashboards into your applications
• Highly scalable and can easily scale up to thousands of users globally
• Serverless
Amazon CloudSearch
• A managed search service in AWS
• Can be used to add a search feature in your application or websites
• You can use this to:
 ‣ Retrieve contents of selected fields
 ‣ Provide facet information to categorize results
 ‣ Provide statistics for numeric fields
 ‣ Provide highlights showing search hits in the field data
 ‣ Autocomplete suggestions
 ‣ Geospatial search
 ‣ and many more!

Amazon CloudSearch
• Allows you to create a search domain, specify an index and upload your data as documents
• Provisions and manages all the underlying servers and resources needed to build and deploy search indexes
• Simply upload your data to any data store, create a search domain in CloudSearch, and integrate it into your applications
Amazon Redshift
• A fast, scalable data warehouse
• Allows you to analyze all your data across your data warehouse and data lake
• Delivers faster performance than other data warehouses through the use of machine learning, massively parallel query execution and columnar storage on high-performance disks
• Can run queries across petabytes of data in your Redshift data warehouse and analyze exabytes of data in your S3 data lake
• Primarily used for Online Analytical Processing (OLAP) applications and reporting tools

Amazon Redshift
• Redshift clusters run in internal Amazon EC2 instances that are configured as nodes
• You can select the particular node type and instance size that you prefer
• Not a serverless service
• Has a feature called Redshift Spectrum that allows you to query data from Amazon S3 without loading the entire data into Redshift tables
• Redshift Spectrum queries use massive parallelism to quickly run against large datasets at a fraction of the cost
Amazon Data Pipeline
• A service that processes and moves your data between different AWS compute and storage services
• Enables you to process and move your data in specific intervals that you define to transfer your data to and from your on-premises data center
• Allows you to access, transform and process your data where it's stored at scale
• Empowers you to transfer and store the results to various AWS services such as Amazon S3, Amazon RDS, Amazon DynamoDB, and Amazon EMR
AWS Glue
• A fully managed and serverless service that is primarily used for extract, transform, and load (ETL) workloads
• Simplifies the process of preparing and loading your data before running your data analytics workload
• Creates a Data Catalog that allows you to specify and search your data that is stored on Amazon S3 and other AWS services
• Automatically discovers your data and stores the associated metadata in the AWS Glue Data Catalog
• The data will be immediately searchable, queryable, and available for ETL once the metadata is stored
Amazon Managed Streaming for Apache Kafka
• A fully managed Apache Kafka service in AWS
• Apache Kafka is an open-source platform that allows you to build real-time streaming data pipelines and applications
• Allows you to use Apache Kafka APIs to stream changes to and from different databases, populate your Amazon S3 data lakes, and empower machine learning and analytics applications
AWS Lake Formation
• Makes it easy for you to set up a secure data lake
• Allows you to create data catalogs for your external data just like AWS Glue
• Collects and catalogs your data from different data sources and moves the data into a new Amazon S3 data lake
• Classifies and processes your data using machine learning algorithms, and secures access to your sensitive data
• Data can be queried and analyzed using Amazon Athena, Amazon Redshift, Amazon EMR, and other services
AWS Identity Services Overview

AWS Identity Services
• AWS Identity & Access Management (IAM)
• AWS Single Sign-On
• AWS Directory Service
• Amazon Cognito

AWS Identity & Access Management (IAM)
• The primary identity service in AWS
• Allows you to manage access to various AWS services and resources

AWS Identity & Access Management (IAM)
(Diagram: an IAM USER, who authenticates with a PASSWORD or ACCESS KEYS, and an IAM GROUP; an IAM POLICY grants Permission 1, Permission 2, Permission 3 and Permission 4)

AWS Identity & Access Management (IAM)
(Diagram: an IAM ROLE, which likewise carries Permission 1, Permission 2, Permission 3 and Permission 4)
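The slides show policies as bundles of permissions attached to users, groups and roles, but not how IAM decides a request when several policies apply. The following is an added example (not from the slides or from AWS) that implements the documented evaluation order for identity-based policies: an explicit Deny in any applicable policy wins, otherwise any matching Allow grants access, otherwise the request is implicitly denied. The group and user policies, the bucket name `example-bucket` and the user name are constructed for the example; `NotAction`, conditions and resource-based policies are left out.

```python
"""Added example: a simplified IAM policy evaluator (explicit Deny > Allow > implicit Deny)."""
from fnmatch import fnmatchcase

# Constructed group policy: read access to one bucket, except its finance/ prefix.
DEVELOPERS_GROUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Effect": "Deny", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-bucket/finance/*"},
    ],
}

# Constructed user policy for a hypothetical user "alice": write access to the whole
# bucket, which the group's Deny on finance/ must still override.
ALICE_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}


def _as_list(value):
    """IAM lets Action/Resource be a single string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def _matches(pattern, candidate, case_insensitive):
    """IAM wildcards (* and ?) behave like shell globs. Action names are
    case-insensitive; resource ARNs are compared as written."""
    if case_insensitive:
        pattern, candidate = pattern.lower(), candidate.lower()
    return fnmatchcase(candidate, pattern)


def _statement_applies(stmt, action, resource):
    action_hit = any(_matches(a, action, True) for a in _as_list(stmt.get("Action", [])))
    resource_hit = any(_matches(r, resource, False) for r in _as_list(stmt.get("Resource", [])))
    return action_hit and resource_hit


def evaluate(policies, action, resource):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request, given
    every identity-based policy attached to the principal (its own policies plus
    the policies of every group it belongs to)."""
    decision = "implicit_deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit_deny"  # a matching Deny anywhere ends the evaluation
            decision = "allow"          # remember the Allow, keep looking for a Deny
    return decision


def is_allowed(policies, action, resource):
    return evaluate(policies, action, resource) == "allow"


if __name__ == "__main__":
    alice = [DEVELOPERS_GROUP_POLICY, ALICE_USER_POLICY]
    for action, key in [("s3:GetObject", "public/report.pdf"),
                        ("s3:GetObject", "finance/q1.xlsx"),
                        ("s3:PutObject", "finance/q1.xlsx"),
                        ("s3:DeleteObject", "public/report.pdf")]:
        arn = f"arn:aws:s3:::example-bucket/{key}"
        print(f"{action:16} {key:20} -> {evaluate(alice, action, arn)}")
```

The last case is the one worth remembering when reviewing policies: `s3:DeleteObject` is not denied anywhere, yet it is refused because nothing allows it. Least privilege in IAM comes from that implicit deny, not from writing Deny statements for everything you can think of.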
Amazon Cognito
• Lets you add user sign-up, sign-in, and access control features to your web or mobile apps
• Allows users to log in to your application with their social media accounts and other identity providers, such as Microsoft Active Directory or SAML (Security Assertion Markup Language) providers

Amazon Cognito
• USER POOL - For Authentication: users can sign in by authenticating through their social identity providers
• IDENTITY POOL - For Authorization: users can obtain temporary and limited-privilege AWS credentials that authorize access to other AWS services

AWS Single Sign-On
• A single sign-on service in AWS
• Allows a user to log in with a single ID and password to access multiple, independent software systems
• Provides a user portal that allows users to access the roles that they can assume
• Offers pre-configured SAML integrations to many business applications

AWS Directory Service
• A managed Microsoft Active Directory
• Does not require you to synchronize or replicate data from your existing Active Directory to the cloud
• No need to install and manage an Active Directory domain controller
• Improves security and minimizes administrative overhead
• Allows you to assign IAM roles to your Active Directory users and groups
• Allows you to assign IAM roles to your on-premises Microsoft Active Directory using AD Connector
AWS Storage Services Overview

AWS Storage Services
• Amazon EC2 Instance Store (a built-in component and NOT a full-fledged AWS service)
• Amazon Elastic Block Store (Amazon EBS)
• Amazon Simple Storage Service (Amazon S3)
• Amazon S3 Glacier
• Amazon Elastic File System (Amazon EFS)
• Amazon FSx for Lustre
• Amazon FSx for Windows File Server
• AWS Backup
• AWS Storage Gateway

Amazon EC2 Instance Store
• Lives on the underlying host computer that powers your Amazon EC2 instances
• A temporary or ephemeral block-level storage
• Uses the local disks or storage volumes that are physically attached to the underlying host computer of the Amazon EC2 instance
• Provides low-latency access to your data
• Loses its stored data if:
 ‣ The underlying local storage fails
 ‣ The Amazon EC2 instance stops, hibernates, or terminates
Amazon Elastic Block Store (Amazon EBS)
• A persistent block-level storage service
• Your data will still be there even if you stop, restart, or terminate your Amazon EC2 instance, unlike the Amazon EC2 Instance Store
• Also called EBS Volumes
• Mounted or attached to your Amazon EC2 instances
• Zonal in scope — you can only attach a volume to EC2 instances in the same Availability Zone
• Can be encrypted at rest using AWS Key Management Service (AWS KMS)

Amazon Elastic Block Store (Amazon EBS)
                                           Solid State Drive (SSD)                              Hard Disk Drive (HDD)
Read & Write Speeds                        Fast!                                                Slow…
Use Case                                   For workloads with frequent read/write operations    For data archiving, backups or throughput-oriented storage
Dominant Performance Attribute             IOPS (Input/Output Operations Per Second)            Throughput (Megabit per second (Mbps))
Can be used as Boot Volume for Amazon EC2? Yes                                                  No

Tutorials Dojo
www.tutorialsdojo.com
Amazon Elastic Block Store (Amazon EBS)
TYPES
• Solid State Drive (SSD): gp General Purpose SSD, io Provisioned IOPS SSD
• Hard Disk Drive (HDD): st Throughput Optimized HDD, sc Cold HDD

Amazon Elastic Block Store (Amazon EBS)
• Faster data retrieval than Amazon S3 or Amazon EFS
• Can only be attached to a single Amazon EC2 instance at a time
• Can be used as a Boot Volume for Amazon EC2 (Amazon EFS cannot be used as a Boot Volume)

Amazon Elastic Block Store (Amazon EBS)
EBS Multi-Attach
(Diagram: one io Provisioned IOPS SSD volume holding File-Manila.txt is attached to four Nitro-based Amazon EC2 instances at the same time)
• No concurrent file modification, unlike a shared file system such as Amazon EFS
Amazon Simple Storage Service (Amazon S3)
• An object storage service
• Highly durable and scalable
• Can store virtually unlimited amounts of data
• The files are called "objects" that you upload to an S3 Bucket
• Access files via a REST API call

Amazon S3 Storage Classes
• For frequently accessed data: S3 Standard
• For changing or unknown access patterns: S3 Intelligent-Tiering
• For storing long-lived, yet less frequently accessed data: S3 Standard-IA (Infrequent Access), S3 One Zone-IA (Infrequent Access)
• For low-cost long-term storage and data archiving: S3 Glacier, S3 Glacier Deep Archive

S3 Lifecycle Policy
S3 Standard → (30 Days) S3 Standard-IA / S3 One Zone-IA / S3 Intelligent-Tiering → (90 Days) S3 Glacier → (180 Days) S3 Glacier Deep Archive

Amazon S3 features
• Access Control List (ACL) - Secure access to your S3 buckets and objects
• Bucket Policy - Control external access to your Amazon S3 bucket
• S3 Versioning and Multi-Factor Authentication (MFA) - Prevent accidental data deletion in Amazon S3
• Cross Region Replication (CRR) - Automatically replicate objects to a different AWS Region for backup purposes
• Transfer Acceleration and Multipart Upload - Accelerate or expedite the data transfer (upload/download) of S3 objects
• …and many more S3 features!
Amazon S3 Glacier
• One of the storage classes in Amazon S3
• Has its own web management console apart from Amazon S3
• Based on the word "Glacier": it is for rarely accessed data (Cold), like the sc Cold HDD volume type, whereas S3 Standard is for frequently accessed (Hot) data
• Low-cost storage for data archiving and long-term backup
• Archives are stored in a Vault

S3 Glacier vs S3 Glacier Deep Archive
                                     S3 Glacier                                  S3 Glacier Deep Archive
COST                                 LOW $$                                      LOWEST $
MINIMUM STORAGE DURATION             90 Days                                     180 days
DATA DELETED AFTER 1 DAY (24 HOURS)  You will be billed for the entire 90 Days   You will be billed for the entire 180 Days
DATA DELETED AFTER 90 DAYS           Normal storage usage charge                 You will be billed for the entire 180 Days
DATA DELETED AFTER 180 DAYS          Normal storage usage charge                 Normal storage usage charge

S3 Standard vs S3 Glacier
                                     S3 Standard                                 S3 Glacier
COST (Timed Storage - Byte Hours)    HIGHEST $$$                                 LOWEST $
MINIMUM STORAGE DURATION             None                                        90 days
DATA DELETED AFTER 1 DAY (24 HOURS)  Regular storage usage charge (24 hours)     You will be billed for the entire 90 Days
DATA DELETED AFTER 30 DAYS           Regular storage usage charge (30 days)      You will be billed for the entire 90 Days
DATA DELETED AFTER 90 DAYS           Regular storage usage charge (90 days)      Regular storage usage charge (90 Days)

Archive Retrieval Options            EXPEDITED          STANDARD            BULK
S3 Glacier                           1 - 5 minutes      3 - 5 hours         5 - 12 hours
S3 Glacier Deep Archive              NOT AVAILABLE      Within 12 Hours     Within 48 hours
Amazon Elastic File System (Amazon EFS)
• A scalable shared file storage service
• Provides a POSIX-compliant (Portable Operating System Interface) shared file system
• Can be simultaneously accessed by multiple Amazon Linux EC2 instances in different Availability Zones
• Uses the Network File System (NFS) protocol. Works as a file share
• Only supports Linux servers (the Windows equivalent is Amazon FSx for Windows File Server)

Amazon Elastic File System (Amazon EFS)
Lifecycle Policy: EFS STANDARD → (30 Days) EFS INFREQUENT ACCESS (IA)

Amazon FSx
• Amazon FSx for Lustre
• Amazon FSx for Windows File Server

Amazon FSx for Lustre
• Lustre = Linux Cluster: an open-source, parallel file system
• A parallel file system used for large-scale cluster computing
• Primarily used for High-Performance Computing (HPC) or Machine Learning applications
• For workloads that need high-performance parallel storage for frequently accessed hot data
• Provides a throughput of hundreds of gigabytes per second
• Offers millions of IOPS
• You can mount an Amazon FSx for Lustre file share to Amazon EC2, Amazon ECS, and Amazon EKS
• Use the Container Storage Interface (CSI) to connect to your Amazon EKS cluster
Amazon FSx for Windows File Server
• A fully managed Microsoft Windows file server service
• Uses the Server Message Block (SMB) protocol
• Can be integrated with your existing Microsoft Active Directory or AWS Managed Microsoft AD
• Can be used as shared file storage for your Microsoft SharePoint, Microsoft SQL Server, and Microsoft containers

AWS Backup
• A fully managed backup service
• Automates your server and database backup processes
• Service-level backups: Amazon FSx, Amazon EFS, Amazon DynamoDB, Amazon EC2
• Service-level snapshots: Amazon Aurora, Amazon RDS, Amazon EBS, AWS Storage Gateway
• Service-level retention: 7 Days (Default), 35 Days (Maximum)
• AWS Backup retention: 90 Days, One Year or even more!

AWS Storage Gateway
• A hybrid cloud storage service
• Connects your on-premises applications and data storage to the AWS Cloud
• Integrate your local & cloud storage systems by using a gateway (a virtual machine in your on-premises data center that your on-premises applications talk to)
• Also available as a hardware appliance hosted on-premises

AWS Storage Gateway types
File Gateway
 - Store and retrieve objects in Amazon S3 using NFS and SMB protocols
 - Can be integrated with AWS Managed Microsoft AD or Microsoft Active Directory
Volume Gateway
 - Provides block storage to your on-premises apps with low latency via the Internet Small Computer System Interface (iSCSI), fronting your on-premises Storage Area Network
 - Uses Amazon S3 / EBS Volumes for point-in-time snapshots of your data
 - CACHED: stores a subset of frequently accessed data locally and uses S3 as the primary storage
 - STORED: stores the entire dataset locally and asynchronously backs up the data to AWS, to replicate your local data to Amazon S3
Tape Gateway
 - A cloud-based Virtual Tape Library
 - Uses Amazon S3 to back up the tapes
 - Can store the archived tapes in S3 Glacier and S3 Glacier Deep Archive
 - On-premises apps can connect to the tape gateway as iSCSI devices
 - Reduces costs by eliminating the use of physical backup tapes

AWS Storage Gateway vs AWS DataSync
• AWS Storage Gateway - INTEGRATION: replicate data; the on-premises data will still be actively used
• AWS DataSync - MIGRATION: move data; the on-premises data would not be utilized anymore / will be decommissioned
AWS Monitoring Services Overview

AWS Monitoring Services
(Diagram: monitoring CPU, STORAGE and NETWORK metrics and Logs, and forecasting "High CPU Utilization Today!")
• Amazon CloudWatch
• AWS Service Health Dashboard
• AWS Health API
• AWS Personal Health Dashboard

Amazon CloudWatch
• A suite of AWS services used in monitoring your systems on both AWS and your on-premises data center
• A metrics repository that collects system data from AWS services as well as your custom metrics
• Monitors and analyzes system metrics
• Notifies you if a certain threshold has been reached
• Triggers an action based on a specific threshold or events that you define

Amazon CloudWatch components: Metrics, Logs, Alarms, Events, Dashboards

Amazon CloudWatch METRICS
• Collect metrics from various AWS Services and your custom applications
• Aggregate (combine) metrics across multiple resources
• Most AWS services send metric data to CloudWatch every 1 minute by default
• For Amazon EC2, the default frequency is every 5 minutes
• Detailed Monitoring sends EC2 metrics data every 1 minute
Amazon CloudWatch LOGS
• Primarily used for logs monitoring
• Allows you to monitor, store, access, analyze or query the logs from your AWS resources or from your custom applications
• Install the CloudWatch Logs agent on your EC2 instances to automatically collect and publish your application logs to CloudWatch

Amazon CloudWatch ALARMS
• Allows you to create alarms for your monitoring
• Performs one or more actions based on a system metric and a specific threshold
• Can notify you or other systems/services using Amazon SNS
• Can trigger a custom action, such as:
 ‣ Auto Scaling your EC2 instances
 ‣ Sending a billing alert
 ‣ Invoking a Lambda function
 ‣ … and many more!
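The alarm slide names the ingredients (a metric, a threshold, one or more actions) without showing how they combine into a state. The code below is an added example, not CloudWatch itself and not from the slides: it models an alarm that examines the last N periods of a metric and enters ALARM when at least M of them breach the threshold (the "M out of N" evaluation CloudWatch supports, which keeps a single noisy sample from paging anyone), fires its actions only on a state change, and handles periods with no data according to a missing-data setting. The CPU samples, the alarm parameters and the two action handlers (stand-ins for an Amazon SNS topic and an Auto Scaling policy) are constructed; the `treat_missing_data` handling is simplified to the "breaching", "notBreaching" and "missing" cases.

```python
"""Added example: M-of-N alarm evaluation over metric datapoints, with actions on transitions."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Sequence

COMPARISONS = {  # real CloudWatch ComparisonOperator names
    "GreaterThanThreshold": lambda v, t: v > t,
    "GreaterThanOrEqualToThreshold": lambda v, t: v >= t,
    "LessThanThreshold": lambda v, t: v < t,
    "LessThanOrEqualToThreshold": lambda v, t: v <= t,
}


@dataclass
class Alarm:
    name: str
    threshold: float
    comparison: str
    evaluation_periods: int                 # N: how many recent periods are examined
    datapoints_to_alarm: int                # M: how many of those N must breach (M <= N)
    treat_missing_data: str = "missing"     # "breaching" | "notBreaching" | "missing"
    alarm_actions: List[Callable[[str, str], None]] = field(default_factory=list)
    ok_actions: List[Callable[[str, str], None]] = field(default_factory=list)
    state: str = "INSUFFICIENT_DATA"        # every new alarm starts here

    def evaluate(self, datapoints: Sequence[Optional[float]]) -> str:
        """datapoints: one value per period, oldest first, None for a period with
        no data. Returns the new state and fires actions if the state changed."""
        window = list(datapoints)[-self.evaluation_periods:]
        compare = COMPARISONS[self.comparison]
        present = [v for v in window if v is not None]
        if not present and self.treat_missing_data == "missing":
            new_state = "INSUFFICIENT_DATA"          # nothing to judge on
        else:
            breaching = sum(1 for v in present if compare(v, self.threshold))
            if self.treat_missing_data == "breaching":
                breaching += len(window) - len(present)  # missing periods count as breaches
            new_state = "ALARM" if breaching >= self.datapoints_to_alarm else "OK"
        self._transition(new_state)
        return new_state

    def _transition(self, new_state: str) -> None:
        if new_state == self.state:
            return                                   # actions fire on state change only
        old, self.state = self.state, new_state
        if new_state == "ALARM":
            handlers = self.alarm_actions
        elif new_state == "OK":
            handlers = self.ok_actions
        else:
            handlers = []
        for handler in handlers:
            handler(self.name, f"{old} -> {new_state}")


def demo() -> dict:
    """Run a constructed high-CPU alarm through three consecutive 5-period windows."""
    notifications = []   # stands in for publishing to an Amazon SNS topic
    scale_outs = []      # stands in for an EC2 Auto Scaling policy action
    alarm = Alarm(
        name="high-cpu", threshold=80.0, comparison="GreaterThanThreshold",
        evaluation_periods=5, datapoints_to_alarm=3,
        alarm_actions=[lambda n, msg: notifications.append((n, msg)),
                       lambda n, msg: scale_outs.append(n)],
        ok_actions=[lambda n, msg: notifications.append((n, msg))],
    )
    # Constructed CPUUtilization percentages, one per 5-minute basic-monitoring period.
    states = [
        alarm.evaluate([35, 91, 40, 88, 42]),   # 2 of 5 breach: OK
        alarm.evaluate([91, 40, 88, 42, 97]),   # 3 of 5 breach: ALARM, actions fire once
        alarm.evaluate([40, 88, 42, 97, 30]),   # back to 2 of 5: OK, ok_actions fire
    ]
    return {"states": states, "notifications": len(notifications), "scale_outs": len(scale_outs)}


if __name__ == "__main__":
    print(demo())
```

Setting `datapoints_to_alarm` below `evaluation_periods` is the knob that trades alert latency for noise; with 3 of 5 periods of basic monitoring, the alarm needs about fifteen minutes of sustained load before it acts, which is usually what you want for a scale-out action and too slow for an availability page.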

Amazon CloudWatch EVENTS
• CloudWatch Events and Amazon EventBridge have the same underlying service and API, but the latter provides more features
• Monitors and responds to the system/service events of your AWS resource in near real-time
• Allows you to create a CloudWatch Event rule to track the changes or the state of your services
• Invokes a certain action if a specific event matched your Event rule
• Allows you to create a scheduled job that invokes a Lambda function on a regular basis, like every hour, every day, every week, or any schedule that you like

Amazon CloudWatch DASHBOARDS
• A customizable dashboard containing your AWS system metrics
• Monitor your resources in a single view, even if those resources are located across different AWS Regions
• Allows you to publish and view your custom metrics

AWS Service Health Dashboard
• Shows the SERVICE STATUS of AWS services per Region, with RSS feeds

AWS Personal Health Dashboard
• A personalized dashboard that shows the status of the AWS services that you are using
• Does NOT show you the status of all the AWS services globally but only the status of the AWS services that you have in your account
• Shows the AWS Health events that might affect your applications running on AWS such as scheduled maintenance or system outages
• Allows you to create alerts and notifications based on the health of your AWS resources

AWS Health API
• Provides programmatic access to the AWS Health information that appears in your AWS Personal Health Dashboard
• A RESTful web service that you can access via HTTPS
• NOT available by default
• Only available in Business or Enterprise support plans

(Diagram: the CloudWatch Logs Agent on an Amazon EC2 Instance ships Logs to Amazon CloudWatch Logs)
AWS Audit & Compliance Services Overview

AWS Audit & Compliance Services
(Diagram: tracking RESOURCE CHANGES)
• AWS CloudTrail
• AWS Artifact
• AWS Security Hub

AWS CloudTrail
• Tracks user activity and API usage in your AWS account
• Stores the audit log data in an Amazon S3 Bucket
• Enables risk auditing by continuously monitoring and logging account activities, such as user actions performed through the AWS Management Console, AWS SDK, AWS API, and AWS Command Line Interface (CLI)

AWS CloudTrail
• MANAGEMENT EVENTS (Control Plane) - Provide information about the management operations performed on your AWS resources, for example:
 ‣ Attaching an IAM Role
 ‣ Creating a new VPC
 ‣ Creating a subnet
• DATA EVENTS (Data Plane) - Provide information about the resource operations performed ON (e.g. S3 bucket) your resources or performed IN (e.g. S3 objects) your resources, for example:
 ‣ Amazon S3 object-level API activities
 ‣ Invoking an AWS Lambda function

AWS Artifact
• Provides on-demand AWS security and compliance reports
• Acts as a self-service portal to find compliance-related information and reports for:
 ‣ ISO Reports
 ‣ Payment Card Industry (PCI) reports
 ‣ Service Organization Control (SOC) reports
 ‣ . . . and many more!
• Allows you to download AWS security and compliance documents such as SOC 1 report, ISO certifications, and other reports

AWS Security Hub
• Provides a centralized & comprehensive view of the security posture of your cloud infrastructure across multiple AWS accounts
• Helps you to comply with your company's specific security standards and best practices
• Collects security alerts and findings from: Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS IAM Access Analyzer, AWS Firewall Manager
AWS Networking & Content Delivery Services Overview

AWS Networking & Content Delivery Services
• Amazon VPC
• Elastic Load Balancing
• Amazon Route 53
• AWS Global Accelerator
• Amazon CloudFront
• AWS PrivateLink
• AWS VPN
• AWS Direct Connect
• AWS Transit Gateway
• Amazon API Gateway (also categorized as an Application Integration Service)
• AWS App Mesh
• AWS Cloud Map

Amazon Virtual Private Cloud (Amazon VPC)
(Diagram: a VPC in one REGION of the AWS CLOUD with IPv4 CIDR Range 10.0.0.0/16 and IPv6 CIDR Range 2001:db8:1234:1a00::/56 and a ROUTE TABLE; a Private subnet 10.0.0.0/24 holds Amazon EFS, Amazon RDS and Amazon FSx, a Public subnet 10.0.1.0/24 holds Amazon EC2 and is reached through an INTERNET GATEWAY; a VIRTUAL PRIVATE GATEWAY is attached to the VPC)

Amazon VPC - VPC Peering
(Diagram: VPC A - Manila Branch in ASIA PACIFIC (Singapore) is peered with VPC B - New York Branch in US EAST (Northern Virginia); the VPC again shows its IPv4 CIDR Range 10.0.0.0/16, IPv6 CIDR Range 2001:db8:1234:1a00::/56, ROUTE TABLE, Private subnet 10.0.0.0/24 and Public subnet 10.0.1.0/24 with Amazon EFS, Amazon RDS, Amazon FSx and Amazon EC2)

Amazon VPC - Network Virtualization
(Diagram: the Virtual Devices of your VPC are backed by Physical Devices, a PCIe Network Interface Card and the Nitro Card for VPC)

Amazon VPC - Connectivity
(Diagram: the VPC reaches the Public Internet through an INTERNET GATEWAY, your on-premises data center through a CUSTOMER GATEWAY and a VIRTUAL PRIVATE GATEWAY, and an AWS Outpost, which is a VPC Extension, through a Local Gateway)

Amazon VPC - VPC Endpoint
(Diagram: Amazon EC2 and Auto Scaling inside the VPC reach Amazon S3, Amazon DynamoDB, Amazon FSx and other services, which are also located within the AWS CLOUD, through a VPC Endpoint; the traffic does NOT pass through the public Internet)
Elastic Load Balancing
• Automatically distributes incoming traffic across multiple targets such as: Amazon EC2 Instance, Amazon ECS Task, AWS Fargate Task, AWS Lambda Function, IP Address
• It distributes (load balances) the incoming traffic to your underlying resources
• Provides high availability to your web applications
• If one of your servers or EC2 instances fails (unhealthy resource), the request will be routed to another server (healthy resource)
• Routes incoming traffic across multiple Availability Zones, within a single AWS Region only

Elastic Load Balancing TYPES
                     Application Load Balancer (ALB)          Network Load Balancer (NLB)                                  Gateway Load Balancer (GWLB)                 Classic Load Balancer (CLB)
PROTOCOL LISTENERS   HTTP / HTTPS, gRPC                       TCP / UDP, TLS                                               IP                                           HTTP / HTTPS, TCP, SSL/TLS
USE CASES            For web apps, microservices & containers  Handling millions of requests per second while maintaining   Running third-party virtual appliances in AWS  For legacy applications in AWS; for implementing
                                                               ultra-low latencies and TCP passthrough configuration                                                     Custom Security Policies
Amazon Route 53
• A Domain Name System (DNS) web service
• DNS is a system that routes a domain name to a particular IP address
• Map domain names to: Elastic IP address, Amazon EC2 Instance, Amazon S3 Static Website, Elastic Load Balancers, Amazon CloudFront Web Distributions
• Buy Domains, Manage Domains

Amazon Route 53
(Diagram: the Root Domain, also known as Zone Apex or Naked Domain, and its Subdomains philippines.tutorialsdojo.com, blog.tutorialsdojo.com, portal.tutorialsdojo.com, cdn.tutorialsdojo.com and manila-datacenter.tutorialsdojo.com are mapped to an on-premises data center, an Elastic IP address, an Amazon EC2 Instance, an Amazon S3 Static Website, Elastic Load Balancers and Amazon CloudFront Web Distributions)
ROUTING POLICIES: Simple, Failover, Geolocation, Geoproximity, Latency-Based, Multivalue Answer, Weighted
AWS Global Accelerator
• Provides a set of static anycast IP addresses
• The static IP address serves as a single fixed entry point to: Network Load Balancer, Application Load Balancer, Amazon EC2 Instance, Elastic IP address
(Diagram: one static anycast IP address fronts an Application Load Balancer with Amazon EC2 Instances in the US East Region and a Network Load Balancer with Amazon EC2 Instances in the Sydney Region)
Amazon CloudFront
• A content delivery network (CDN) service
• Quickly delivers static content and video streams to your clients
• A CDN is a globally-distributed network of servers spread around the globe that stores or caches your files
• Reduces latency by shortening the time it takes to deliver your data to your users
• Improves the response time of your application
• Caches your images, videos, media files, or software packages

AWS PrivateLink
• Allows private connectivity to various AWS services
• Does not pass through the public Internet
• Provides a private endpoint that you can use for your Amazon VPC, Amazon EC2, Amazon S3, Amazon DynamoDB and other services
(Diagram: all are located within the AWS CLOUD; a VPC Endpoint in your Amazon VPC connects Amazon EC2 over AWS PrivateLink to Amazon S3, Amazon DynamoDB and other services)
AWS VPN
• AWS Virtual Private Network, or AWS VPN
• Enables you to connect your on-premises network to AWS
• An encrypted connection that passes through the public Internet
• Uses the IPsec protocol to authenticate and encrypt your data in transit
• Two offerings: AWS Site-to-Site VPN and AWS Client VPN

AWS VPN
(Diagram: AWS Site-to-Site VPN connects the CUSTOMER GATEWAY of your on-premises data center to a Site-to-Site VPN Endpoint for your Amazon VPC or AWS Transit Gateway; AWS Client VPN connects Client VPN Software to a Client VPN Endpoint)
ENDPOINTS: Site-to-Site VPN Endpoint (AWS Site-to-Site VPN), Client VPN Endpoint (AWS Client VPN)
AWS Direct Connect
• Allows you to establish a dedicated network connection from your on-premises network to AWS
• Provides a more consistent network experience than Internet-based connections such as a VPN, and a higher bandwidth
• You can create a private virtual interface to enable your on-premises servers to connect to the virtual private gateway of your Amazon VPC
• You can group your virtual private gateways and private virtual interfaces using a Direct Connect Gateway
• You can also use a public virtual interface to connect to your Amazon S3 buckets and other public resources in AWS
• The traffic does NOT pass through the public Internet
(Diagram: Amazon EC2 instances in your Amazon VPCs are reached through a VIRTUAL PRIVATE GATEWAY and AWS Direct Connect from the Customer Router in your on-premises data center)

Amazon CloudFront
(Diagram: USERS access cached content from Amazon CloudFront, which reads the Amazon S3 Bucket through an Origin Access Identifier (OAI))
AWS Transit Gateway
• Connects your cloud networks (e.g. Amazon VPCs, VPNs, Direct Connect Gateways, and on-premises networks) to a single gateway
• Recommended for large organizations with hundreds of Amazon VPCs, site-to-site VPNs, and external networks
• Reduces the complexity of your infrastructure and makes scaling easier
(Diagram: 100s of Amazon VPCs, an AWS Direct Connect Gateway and AWS Site-to-Site VPN connections attached to one AWS Transit Gateway)
Amazon API Gateway
• Allows you to publish, maintain, monitor, and secure your RESTful APIs
• Also supports WebSockets for real-time message communication
• Acts as a front door for your back-end services that are running on: Amazon EC2, Amazon ECS, AWS Fargate, AWS Lambda, AWS Elastic Beanstalk
• Works as a Proxy — similar to APIGEE, Mulesoft and other proxies/integration platforms
AWS App Mesh
• A service mesh (an infrastructure layer that handles communication between microservices)
• Provides application-level networking for the different types of containerized applications in AWS
• Allows your services to communicate with each other across multiple types of computing infrastructure
• Uses Envoy (an open-source service mesh proxy)
• Can be used with microservice containers managed by: Amazon ECS, Amazon EKS, AWS Fargate, Amazon EC2

AWS Cloud Map
• A cloud resource discovery service
• Commonly used in microservices and containerized applications that have dynamically changing resources
• You can name your containerized application resources with custom names
• Improves your containerized applications in AWS by always discovering the most up-to-date locations of your resources
• Improves the availability of your system
AWS Security Services Overview

AWS Security Services
(Diagram: the 7 Open Systems Interconnection (OSI) Model Layers; a DDoS (Distributed Denial-Of-Service) attack shown as a flood of TCP SYN packets over IP, where the server's SYN ACK replies are never answered with the ACKs that would complete the handshake)

AWS Security Services
• AWS Web Application Firewall (AWS WAF)
• AWS Firewall Manager
• AWS Shield
• Amazon GuardDuty
• AWS Key Management Service (AWS KMS)
• AWS CloudHSM
• AWS Certificate Manager (AWS ACM)
• AWS Secrets Manager
• Amazon Macie
• Amazon Inspector
• Amazon Detective
AWS Web Application Firewall (AWS WAF)
• A web application firewall service
• Protects your web applications from common web exploits
• Allows you to create custom rules that block common attack patterns such as XSS (cross-site scripting)
• Can be integrated with: Application Load Balancer, Amazon API Gateway, Amazon CloudFront

AWS Web Application Firewall (AWS WAF)
• Has an IP Match condition feature: you can block malicious requests from a recurring set of IP addresses
• Can protect your application from illegitimate requests sent by illegitimate external systems, through its rate-limiting rule
• Only minimizes DDoS attacks (does not entirely mitigate them)
(Diagram: a Web Access Control List (Web ACL) on Amazon CloudFront holds a Rate-based rule and a Geo Match condition that allows requests from some countries and blocks others)
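The Web ACL on the slide combines three rule kinds: an IP Match condition, a Geo Match condition and a rate-based rule. The code below is an added example, not AWS WAF and not from the slides, that evaluates a constructed request log against those three rules in priority order and then falls through to the Web ACL's default action. The blocked CIDR (a documentation range), the blocked country code `XX` (an ISO 3166 user-assigned code, so it is not a real country), the limit and the window are all constructed; AWS WAF counts rate-based rules over a trailing 5-minute window, which here is a parameter so the sample can use a short one.

```python
"""Added example: a Web ACL evaluator with IP match, geo match and a rate-based rule."""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network


class RateBasedRule:
    """Sliding-window request counter per client IP: block once a client has sent
    more than `limit` requests within the trailing `window_seconds`."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self._hits = defaultdict(deque)          # client IP -> timestamps still in window

    def record_and_check(self, ip, ts):
        hits = self._hits[ip]
        hits.append(ts)
        while hits and ts - hits[0] >= self.window:   # keep only (ts - window, ts]
            hits.popleft()
        return len(hits) > self.limit


class WebACL:
    """Rules are evaluated in priority order; the first terminating match wins."""

    def __init__(self, blocked_cidrs, blocked_countries, rate_rule, default_action="ALLOW"):
        self.blocked_nets = [ip_network(c) for c in blocked_cidrs]
        self.blocked_countries = set(blocked_countries)
        self.rate_rule = rate_rule
        self.default_action = default_action

    def evaluate(self, request):
        """request: dict with client 'ip', origin 'country' code and 'ts' in seconds.
        Returns (action, rule_that_decided)."""
        ip = ip_address(request["ip"])
        if any(ip in net for net in self.blocked_nets):
            return ("BLOCK", "IPMatch")
        if request["country"] in self.blocked_countries:
            return ("BLOCK", "GeoMatch")
        if self.rate_rule.record_and_check(request["ip"], request["ts"]):
            return ("BLOCK", "RateBased")
        return (self.default_action, "Default")


def run(acl, requests):
    """Evaluate a request log in order (rate counting depends on the order)."""
    return [acl.evaluate(r) for r in requests]


# Constructed request log. 198.51.100.x and 203.0.113.x are documentation ranges.
SAMPLE_REQUESTS = (
    [{"ip": "198.51.100.7", "country": "PH", "ts": t} for t in range(6)]   # 6 hits in 6 seconds
    + [{"ip": "203.0.113.9", "country": "PH", "ts": 6}]                       # from the listed CIDR
    + [{"ip": "198.51.100.8", "country": "XX", "ts": 7}]                      # from the listed country
    + [{"ip": "198.51.100.7", "country": "PH", "ts": 70}]                     # earlier hits have expired
)


def build_sample_acl():
    return WebACL(blocked_cidrs=["203.0.113.0/24"], blocked_countries=["XX"],
                  rate_rule=RateBasedRule(limit=5, window_seconds=60))


if __name__ == "__main__":
    for req, (action, rule) in zip(SAMPLE_REQUESTS, run(build_sample_acl(), SAMPLE_REQUESTS)):
        print(f"{req['ip']:14} {req['country']} t={req['ts']:3} -> {action:5} ({rule})")
```

Two behaviours are worth noticing because they mirror the real service: the rate-based rule blocks the sixth request of a burst, not the whole client forever, and the same client is allowed again once its earlier requests fall out of the window. That is why the slide says WAF only minimizes a flood rather than mitigating it: a distributed attack that stays under the per-IP limit passes the rate rule, which is what AWS Shield is for.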
AWS Firewall Manager
• A security management service designed for AWS WAF Rules
• Allows you to centrally configure and manage WAF rules across multiple AWS accounts and applications
• Enables you to roll out your custom rules to your AWS Organization
(Diagram: one Web ACL rolled out to the Amazon CloudFront, Application Load Balancer and Amazon API Gateway resources in the Manila and New Clark City AWS Accounts of Your AWS Organization)
AWS Shield
• A managed DDoS protection service
• Provides detection and automatic mitigations that minimize application downtime and latency
• Mitigates different types of flood attacks such as UDP reflection, SYN flood, DNS Query flood, and HTTP flood attacks
• Protects your applications that use: Amazon EC2, Elastic Load Balancer, Amazon CloudFront, AWS Global Accelerator, Amazon Route 53
• Two Tiers:
 ‣ Standard - Built-in by default; no extra charge
 ‣ Advanced - Has an additional charge; provides access to real-time DDoS attack notification; the DDoS Response Team (DRT) supports you during a DDoS attack
Amazon GuardDuty
• A managed threat detection service
• Identifies malicious or unauthorized activities in your AWS accounts and workloads
• Monitors activities such as unusual API calls, cryptocurrency mining, or potentially unauthorized deployments that indicate a possible account compromise
• Also detects potentially compromised Amazon EC2 Instances
• Produces security reports called Findings
• Able to send notifications using CloudWatch Events when a change was detected
• NOT capable of doing any resource changes by itself, like rate-limiting protection or DDoS attack mitigation
AWS CloudHSM vs AWS Key Management Service (AWS KMS)

AWS CloudHSM
• A fully managed, cloud-based hardware security module or HSM
• The HSM in CloudHSM means: Hardware Security Module
• Enables you to easily generate and use your own encryption keys
• Encryption keys can be in 128-bit or 256-bit

HSM (Hardware Security Module)
• A physical hardware device
• Performs cryptographic operations
• Securely stores cryptographic key material
(Diagram: logos of leading HSM providers)

AWS CloudHSM - key material
• A random, Base64 or hexadecimal string
• Binary format (.bin)
• Used by your encryption key

AWS CloudHSM
• The CloudHSM client is installed and hosted in your Amazon EC2 Instances
• The HSM cluster is deployed in your Amazon VPC
• Single Tenant — only used by one tenant or user (you)
• Can be used to:
 ‣ Offload SSL processing
 ‣ Enable Transparent Data Encryption (TDE) for Oracle databases
 ‣ Protect the private keys for an Issuing Certificate Authority (CA)
• Integrate CloudHSM and AWS KMS to create a custom key store
• A managed service that works like:

• Internally, it also uses hardware security modules (HSMs) for


creating and controlling your encryption keys.

• Has multi-tenant access Shared HSM

You share the HSM with other


tenants or AWS customers

• Unlike CloudHSM, you cannot launch the HSM to Amazon VPC or


EC2 instances (as clients with direct HSM access) that you own.

AWS Key Management


Service (AWS KMS)
• Can be integrated with other AWS services to help you protect the
data you store with these services.

Other
AWS KMS key
Amazon EBS Amazon S3 Amazon RDS Services
Snapshots Encryption Encryption
ENVELOPE ENCRYPTION

CMK

Customer Data Key Plaintext


Data
AWS Key Management Master Key
Service (AWS KMS)

• AWS KMS automatically rotates your CMK


• You can also create a custom key store in AWS KMS with
AWS CloudHSM

• Provides complete control over your


encryption key lifecycle management

• Allows you to remove the key material


of your encryption keys.

AWS Key Management


Service (AWS KMS)

• You can audit key usage independently of:

AWS CloudTrail AWS KMS


AWS Secrets Manager
• Protects the secrets of your applications, services, and IT resources
• Enables you to easily rotate, manage, and retrieve your secrets
• A secret can be a database password, an API key, an authentication token, or other sensitive data
• Eliminates hardcoded sensitive information in plain text in your application code
• Offers secret rotation, implemented with AWS Lambda, with built-in integration for Amazon RDS, Amazon Redshift, Amazon DocumentDB, and other services
• Control access to secrets using fine-grained permissions and centrally audit your secrets
• Not recommended for storing encryption keys or key material since it does not use an HSM
Amazon Macie
• A fully managed data security and data privacy service
• Automatically recognizes and classifies sensitive data or intellectual property
• Uses machine learning to automatically discover, classify, and protect sensitive data stored in your Amazon S3 buckets and other services
• Recognizes sensitive data such as personally identifiable information (PII): names, Social Security numbers, driver's license numbers, bank account numbers, passwords, and email addresses
• Provides dashboards and alerts that give visibility into how sensitive data is being accessed or moved
AWS Certificate Manager (AWS ACM)
• Provisions, manages, and deploys public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates
• Enables you to create private certificates for your internal resources and manage the certificate lifecycle centrally
• SSL/TLS certificates are free of charge for ACM-integrated services such as Amazon API Gateway and Elastic Load Balancing
Amazon Inspector
• An automated security assessment service
• Improves the security and compliance of applications deployed on your AWS cloud infrastructure
• Automatically assesses applications for vulnerabilities or deviations from best practices
• Produces a detailed list of security findings prioritized by level of security risk severity
• Provides an automated security assessment report that identifies unintended network access to your Amazon EC2 instances
• The detailed assessment reports are available via the Amazon Inspector console or API
Amazon Detective
• Helps you detect the root cause of your security issues more easily
• Analyzes, investigates, and quickly identifies potential security issues or suspicious activities in your AWS infrastructure
• Automatically collects log data from various AWS sources such as AWS CloudTrail, VPC Flow Logs, and GuardDuty findings
• Uses machine learning to analyze and conduct security investigations
AWS Management & Governance Services Overview
Governance terms: SOP (Standard Operating Procedures), HIPAA (Health Insurance Portability and Accountability Act of 1996), GDPR (General Data Protection Regulation)

MANAGE (control resources): AWS Management Console, AWS Command Line Interface (AWS CLI), AWS Console Mobile Application, AWS Systems Manager (SSM), AWS Resource Access Manager
GOVERN (enforce standards, ensure compliance): AWS Config, AWS Organizations, AWS Service Catalog, AWS Control Tower
AWS Management Console
• A web interface to control your AWS resources
• Accessible through your web browser
• Log in using your IAM username and password
• Supports Multi-Factor Authentication (MFA)
• Accessible via this URL: https://console.aws.amazon.com

AWS Command Line Interface (AWS CLI)
• A command-line interface to control your AWS resources
• Accessible through your terminal, command prompt or Windows PowerShell
• Allows you to develop custom shell scripts that invoke different AWS CLI commands

AWS Console Mobile Application
• The official mobile app provided by Amazon Web Services
• Allows you to monitor your resources through a dedicated dashboard
• Enables you to view the configuration details, metrics, and alarms of select AWS services (not all services) on your mobile device
• Provides an overview of the account status, real-time CloudWatch metrics, Personal Health Dashboard, and AWS Billing
• Has limited capabilities compared with the AWS Management Console and the AWS CLI
AWS Systems Manager (SSM)
• A suite of services that allows you to manage your resources
• Allows you to control both your AWS Cloud and on-premises infrastructure
• Composed of: Session Manager, State Manager, Patch Manager, Automation, Maintenance Windows, Run Command, Parameter Store, and others
• Also has an SSM Agent that you can install on your Amazon EC2 instances or on-premises servers to centrally manage your resources

Patch Manager
• Applies OS patches to your Amazon EC2 instances and on-premises servers using a predefined or custom patch baseline, during Maintenance Windows

State Manager
• Keeps your servers in a defined state: installed software (e.g. startup scripts, antivirus etc.), server configurations, firewall settings
• Associates Ansible playbooks, Chef recipes, PowerShell modules, and other SSM Documents with your instances

Parameter Store
• Stores parameters such as passwords, database strings, Amazon Machine Image (AMI) IDs, license codes, and environment variables
• Secure String parameters are encrypted with AWS KMS
AWS Resource Access Manager (AWS RAM)
• Enables you to easily and securely share your AWS resources with any AWS account or within your AWS Organization
• Allows you to share: subnets (private and public), AWS Transit Gateway, AWS License Manager configurations, Amazon Route 53 Resolver rules, and other AWS resources
• Eliminates the need to create duplicate resources in multiple accounts
• Reduces the operational overhead of managing multiple resources in each and every single account you own
GOVERN: AWS Config, AWS Organizations, AWS Service Catalog, AWS Control Tower

AWS Config
• Enables you to assess, audit, and evaluate the configurations of your AWS resources
• Automates your compliance assessment process
• Provides visibility on the existing configurations of your various AWS services and third-party resources (such as your on-premises servers)
• Enables you to identify the changes made to a specific resource over time
• Periodic or change-based configuration collectors record resource changes, evaluate them against Config rules, send a notification (Amazon CloudWatch Events) and remediate non-compliant resources (AWS Lambda or AWS Systems Manager Automation). Example rules:
  • Config Rule 1: the AMI was shared to the AWS Marketplace
  • Config Rule 2: the S3 bucket was set to public
  • The Elastic IP address associated with an EC2 instance was removed
AWS Organizations
• Consolidate and centrally manage multiple AWS accounts
• Combines the bills of multiple AWS accounts (Consolidated Billing: the management account pays all the bills)
• Provides volume discounts to further lower your costs
• Uses Service Control Policies (SCPs) to control access and ensure organizational compliance across your AWS accounts
• Offers central logging to monitor all activities performed across your organization using AWS CloudTrail
• Aggregates data from all your AWS Config rules to quickly audit your environment for compliance
• A single AWS Organization can have two or more Organizational Units (OUs), e.g. Manila and Bangalore, with underlying AWS accounts (Account 1 to Account 4) and Service Control Policies (SCPs) attached
AWS Service Catalog
• Empowers you to set up and centrally manage catalogs of approved IT services
• Allows you to manage various IT services, referred to as "products" in Service Catalog, then group them in a portfolio
• A product can be a machine image (AMI), an application server, a program, a tool, a database, or other services
• Assists you in meeting your compliance requirements
• Enforces granular access control to your resources

AWS Control Tower
• Helps you set up and govern a secure multi-account AWS environment
• Automates the setup of your multi-account AWS environment
• Uses blueprints that follow AWS best practices for security and management
• Provides mandatory high-level rules called guardrails
• Helps enforce your policies using service control policies (SCPs)
• Detects policy violations using AWS Config rules
IAM Overview
Identity and Access Management: identity covers authentication (who you are), access management covers authorization (what you may do).

IAM entities
• IAM user (types: root user, regular IAM user)
• IAM group
• IAM role
IAM policy: a set of permissions (Permission 1, Permission 2, Permission 3); policy kinds: AWS-managed policy, customer-managed policy, inline policy

Grant least privilege
• Follows the best practice of granting the least privilege: IAM roles and IAM groups scoped to the task, and IAM policies defined in CloudFormation templates
• Does not grant the least privilege: working with root user access, or attaching the PowerUserAccess or AdministratorAccess managed policies
Amazon EC2 and AWS IAM
• Use the instance profile to pass a specific IAM role to your Amazon EC2 instance for it to perform certain actions
• IAM roles attached to your instance can also be viewed in your EC2 instance metadata:
  curl http://169.254.169.254/latest/meta-data/iam/info
• With IMDSv2 enforced on the instance, that GET must carry a session token first obtained with a PUT to http://169.254.169.254/latest/api/token

Amazon S3 and AWS IAM
• You can set up a bucket policy to grant IAM users and other AWS accounts the access permissions for your bucket and its objects
• In AWS Organizations, you can set up an S3 bucket policy that allows cross-account access to other departments of your organization

AWS Databases and AWS IAM
• For DynamoDB, you can design an IAM policy that allows access to put, update, and delete items in one specific table
• IAM DB Authentication is a feature available for Amazon RDS and Aurora. This allows you to use IAM to centrally manage access to your database resources

Amazon SQS and AWS IAM
• An access policy can be provisioned to control external access to your SQS queue
• Helps you grant permissions to an external company to access your queue
• An SQS access policy can allow external companies to poll the queue without giving up the permissions of your own account
Identity-based policy vs. resource-based policy
• An identity-based policy is attached to an IAM entity: IAM user, IAM group, or IAM role
• A resource-based policy is attached to the resource itself

Permissions boundary
• Allows you to set the maximum permissions that an identity-based policy can grant to an IAM entity
• Ensures that the entity can only perform the actions that are allowed by both its identity-based policies and its permissions boundary
IAM Identities
IAM identities: IAM user, IAM group, IAM role; an IAM policy attaches permissions (Permission 1, Permission 2, Permission 3) to them

IAM User
• An entity that represents an actual person or a service
• Can interact with your AWS resources using the AWS command-line interface, the AWS API, or the AWS Management Console
• Provides someone the ability to sign in to the AWS Management Console and programmatic access to AWS APIs
• Consists of:
  • Name
  • Password (for the AWS Management Console)
  • Access key pair: Access Key ID and Secret Access Key, used by the AWS CLI, the AWS APIs, the AWS SDKs, or the AWS CDK
• Permissions come from an AWS-managed or a customer-managed IAM policy
IAM Policy Types: AWS-managed vs. customer-managed

AWS-managed
• Managed by AWS
• Cannot be fully customized
• Has AWS managed policies for job functions that you can readily use: Administrator, Support User, Security Auditor, Network Administrator, Developer Power User, Billing, and others

Customer-managed
• Managed by you (the customer)
• Can be fully customized
• You have to manually create a policy for a particular job function
IAM Group
• Can contain multiple IAM users
• A single IAM user can belong to multiple IAM groups
• Cannot be nested: it can only contain IAM users and not other IAM groups
• There is no default user group that automatically includes all of the IAM users in your AWS account
• An IAM policy attached to a group (e.g. "Tutorials Dojo Developers") grants its permissions to every user in that group
IAM Role
An IAM role is assumed by an IAM user, an AWS service, or an application.

IAM role vs. IAM user
• IAM role: intended to be assumed by one or more AWS resources; no long-term credentials
• IAM user: uniquely associated with one single person only; has long-term credentials (AWS Management Console password and access keys)

Cross-account IAM role
• Grants access to your resources in one account (e.g. US, AWS account #1) to a trusted principal in a different AWS account (e.g. India, AWS account #2)

AWS service role
• Assumed by an AWS service or by applications running in your EC2 instances
• Limited to within your AWS account only
• The custom applications hosted in Amazon EC2 can assume an AWS service role to perform certain actions

AWS service-linked role
• A predefined role that is directly linked to an AWS service
IAM Policy Types
IAM policies attach to IAM identities (IAM user, IAM group, IAM role) and to resources.

IAM Policy
• Contains permissions that explicitly ALLOW or DENY access to certain AWS services
• Provides fine-grained access control to specific API actions as well as the AWS resources that the policy should be applied to
• Allows the API actions you specify, or denies the API actions you specify
• Can carry conditions, such as an IP condition or a Multi-Factor Authentication (MFA) condition
• Can be written in the JSON editor or the visual editor

Standalone policy vs. inline policy
• Standalone policy: remains unchanged even if you delete its associated IAM identity; doesn't have a strict one-to-one relationship to its associated IAM identity
• Inline policy: will automatically be deleted if you delete its associated identity; has a strict one-to-one relationship to its associated IAM identity
IAM Policy Types
• Identity-based policies
• Resource-based policies
• Permissions boundaries
• AWS Organizations SCPs
• S3 Access Control Lists (ACLs)
• Session policies

Identity-based policy
• A policy that you attach to an IAM identity
• Two types:
  • Managed policies: a type of standalone policy; can either be AWS-managed or customer-managed
  • Inline policies: maintain a strict one-to-one relationship between a policy and an IAM identity; tightly coupled with the associated IAM identity

Resource-based policy
• Attaches an inline policy to a specific AWS resource
• Types: S3 bucket policy, SQS access policy, and the trust policy of an IAM role

Permissions boundaries
• Define the maximum permissions that an identity-based policy can grant to an IAM entity
• Do not explicitly grant permissions
• Set a clear boundary to ensure that a given IAM policy will not over-provision permissions to your AWS resources

Service Control Policies (SCPs)
• Primarily used in AWS Organizations
• Define the maximum permissions for account members of an organization or organizational unit
• Limit the permissions that identity-based policies or resource-based policies grant to the IAM users or roles within the AWS account
• IAM policies can't restrict the AWS account root user. On the contrary, the actions specified in an attached SCP affect all IAM identities of the member account, including its root user

Access Control List (ACL)
• Primarily used in Amazon S3
• Controls which principals in other AWS accounts can access a particular bucket
• These are cross-account permission policies that grant certain permissions to a specified principal that you define
• ACLs cannot grant permissions to entities within the same account

Session policies
• Limit the permissions that an identity-based policy grants to a particular session
• Work like permissions boundaries
• Set a limit on what kind of permissions a session has, without granting any permissions
• Aside from an identity-based policy, the permissions of a session can also come from a resource-based policy
• If there's an explicit deny in any of the policies, it effectively overrides any allowed permissions
IAM Policy Basics
Policy-wide information (Id, Version) is followed by a list of statements, which are combined with a logical OR:

{
  "Id": "TutorialsDojoPolicy1",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAllActionsOnBooksTable",
      "Effect": "Allow",
      "Action": "dynamodb:*",
      "Resource": "arn:aws:dynamodb:us-west-2:123456789012:table/Books"
    },
    {
      "Sid": "ListObjectsInBucket",
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:DeleteObject"],
      "Resource": ["arn:aws:s3:::tutorialsdojo-manila"]
    }
  ]
}

Note that s3:ListBucket is a bucket-level action and matches the bucket ARN, but s3:DeleteObject is an object-level action: with only the bucket ARN in Resource it grants nothing, so object actions need a second ARN of the form arn:aws:s3:::tutorialsdojo-manila/*.
IAM Statement Elements
{
  "Sid": "AllowActionsOnBooksTable",
  "Effect": "Allow",
  "Principal": { "AWS": "arn:aws:iam::123456789012:root" },
  "Action": [
    "dynamodb:PutItem",
    "dynamodb:*",
    "dynamodb:UpdateItem",
    "s3:*",
    "dynamodb:DeleteItem"
  ],
  "Resource": [
    "arn:aws:dynamodb:us-east-1:123456789012:table/Books",
    "arn:aws:s3:::tutorialsdojo/*"
  ],
  "Condition": {
    "IpAddress": {
      "aws:SourceIp": "220.110.16.0/20"
    }
  }
}

• Sid: statement ID
• Effect: ALLOW or DENY
• Principal: who the statement applies to (only in resource-based policies)
• Action: the API actions the statement covers
• Resource: the ARNs the statement covers
• Condition: the condition element

Condition element operators
• String
• Numeric
• Date
• Boolean
• Binary
• ARN
• IfExists
• IpAddress
• ...and many more!

IfExists variants
• StringEqualsIfExists
• NumericEqualsIfExists
• BoolIfExists
• IpAddressIfExists
• etc.
Shares the Amazon S3 bucket named tutorialsdojo-manila with an external vendor while ensuring that the bucket owner is still able to access all objects:

. . .
"Action": [
  "s3:PutObject"
],
"Resource": "arn:aws:s3:::tutorialsdojo-manila/*",
"Condition": {
  "StringEquals": {
    "s3:x-amz-acl": "bucket-owner-full-control"
  }
}
. . .

Users will be denied all API actions (except for the s3:PutObject action) if their multi-factor authentication (MFA) is not enabled:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyAllTDojoUsersNotUsingMFA",
    "Effect": "Deny",
    "NotAction": "s3:PutObject",
    "Resource": "*",
    "Condition": {
      "BoolIfExists": {
        "aws:MultiFactorAuthPresent": "false"
      }
    }
  }]
}

BoolIfExists matters here: requests signed with long-term access keys carry no aws:MultiFactorAuthPresent key at all, and IfExists treats the missing key as a match, so those requests are denied too rather than slipping past the condition.
IAM Policy Evaluation Logic
Will the API action be allowed or denied?

{
  "Id": "TutorialsDojoPolicy1",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "lambda:*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": ["lambda:CreateFunction", "lambda:DeleteFunction"],
      "Resource": "*"
    }
  ]
}

The first statement allows every Lambda API action; the second denies lambda:CreateFunction and lambda:DeleteFunction. The statements are combined with a logical OR, but an explicit deny wins, so those two actions are denied and every other Lambda action is allowed.

1. Authentication
2. Process the request context
3. Evaluate all policies within a single account

If the IAM policies are within a single account:
• All requests are implicitly denied by default, except for the AWS account root user
• Process the explicit ALLOW statements of the identity-based or resource-based policies
• Permissions boundaries, session policies and service control policies (SCPs) can only narrow that ALLOW
• An explicit DENY in any policy overrides every ALLOW, so the final result is either ALLOW or DENY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:TerminateInstances",
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "49.147.194.0/24"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "ec2:Region": "us-west-1"
        }
      }
    }
  ]
}

This policy will allow you to terminate an Amazon EC2 instance in the us-west-1 region as long as your source IP is within the 49.147.194.0/24 CIDR block. Any EC2 action in another region is explicitly denied, and a terminate request from another IP range is implicitly denied.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:*",
        "ds:*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "ds:Delete*",
      "Resource": "*"
    }
  ]
}

This policy provides full access to Amazon EC2. It also allows creating, reading and updating AWS Directory Service (DS) directories but not deleting them, because the explicit deny on ds:Delete* overrides the ds:* allow.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "lambda:*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "lambda:CreateFunction",
        "lambda:DeleteFunction"
      ],
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "220.200.16.0/24"
        }
      }
    }
  ]
}

This allows an AWS Lambda function to be created or deleted as long as the IP address of the request does NOT fall under the 220.200.16.0/24 IP range.
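The following is an added worked example written for this page; it is not code from the slides or from AWS. It is a small Python evaluator that applies the evaluation rules above (implicit deny by default, explicit deny wins, a permissions boundary or SCP only narrows what identity-based policies allow) to the three sample policies on the preceding slides and to the MFA and bucket-owner-full-control condition examples. The policy dictionaries are copied from the slides; the request contexts, the helper and function names (evaluate, is_allowed) and the matching rules for absent condition keys are assumptions made for the example, and resource-based policies and the root user's default access are deliberately not modeled.

```python
"""Mini IAM policy evaluator: an added example for this page, not AWS code.

Implicit deny by default, an explicit Deny in any policy wins, and a
permissions boundary or SCP can only narrow what identity policies allow.
Resource-based policies and the root user's default access are not modeled.
"""
import fnmatch
import ipaddress

# Positive matchers for the condition operators used on the slides.
_OPERATORS = {
    "StringEquals": lambda actual, want: actual == want,
    "Bool": lambda actual, want: str(actual).lower() == str(want).lower(),
    "IpAddress": lambda actual, want: ipaddress.ip_address(actual) in ipaddress.ip_network(want, strict=False),
}
# Negated operators succeed only when none of the listed values matches.
_NEGATED = {"StringNotEquals": "StringEquals", "NotIpAddress": "IpAddress"}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _match(pattern, value):
    # IAM treats "*" and "?" as wildcards; action names are case-insensitive.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _condition_ok(condition, ctx):
    """Operators and keys are ANDed; the values listed for one key are ORed."""
    for op, keys in condition.items():
        if_exists = op.endswith("IfExists")
        base = op[: -len("IfExists")] if if_exists else op
        negated = base in _NEGATED
        matcher = _OPERATORS[_NEGATED.get(base, base)]
        for key, wanted in keys.items():
            if key not in ctx:
                if if_exists:  # ...IfExists: an absent key counts as a match
                    continue
                return False  # modeling choice: an absent key never matches a plain operator
            matched = any(matcher(ctx[key], w) for w in _as_list(wanted))
            if matched == negated:  # positive op needs a match, negated op needs none
                return False
    return True


def _applies(stmt, action, resource, ctx):
    """Does this statement cover the requested action, resource and context?"""
    actions, not_actions = _as_list(stmt.get("Action")), _as_list(stmt.get("NotAction"))
    if actions and not any(_match(a, action) for a in actions):
        return False
    if not_actions and any(_match(a, action) for a in not_actions):
        return False
    if not any(_match(r, resource) for r in _as_list(stmt.get("Resource", "*"))):
        return False
    return _condition_ok(stmt.get("Condition", {}), ctx)


def evaluate(policies, action, resource="*", ctx=None):
    """Verdict of one policy set: 'explicit deny', 'allow' or 'implicit deny'."""
    ctx = ctx or {}
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if _applies(stmt, action, resource, ctx):
                if stmt["Effect"] == "Deny":
                    return "explicit deny"  # a Deny anywhere ends evaluation
                allowed = True
    return "allow" if allowed else "implicit deny"


def is_allowed(action, resource, ctx, identity_policies, boundary=None, scps=None):
    """Final decision: any explicit deny loses; every applicable layer must allow."""
    layers = [identity_policies]
    if boundary is not None:
        layers.append([boundary])
    if scps:
        layers.append(scps)
    verdicts = [evaluate(layer, action, resource, ctx) for layer in layers]
    return "explicit deny" not in verdicts and all(v == "allow" for v in verdicts)


# Policies copied from the slides above.
LAMBDA_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "lambda:*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["lambda:CreateFunction", "lambda:DeleteFunction"],
     "Resource": "*", "Condition": {"IpAddress": {"aws:SourceIp": "220.200.16.0/24"}}}]}
EC2_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:TerminateInstances", "Resource": "*",
     "Condition": {"IpAddress": {"aws:SourceIp": "49.147.194.0/24"}}},
    {"Effect": "Deny", "Action": "ec2:*", "Resource": "*",
     "Condition": {"StringNotEquals": {"ec2:Region": "us-west-1"}}}]}
MFA_DENY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyAllTDojoUsersNotUsingMFA", "Effect": "Deny", "NotAction": "s3:PutObject",
     "Resource": "*", "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}
VENDOR_PUT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::tutorialsdojo-manila/*",
     "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}}]}
S3_FULL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
```

evaluate() returns the verdict of a single policy set, so you can see which layer produced an implicit deny; is_allowed() combines the identity layer with an optional boundary and SCP list the way the slides describe, where every layer has to allow and one explicit deny anywhere is final.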
Amazon VPC Overview
An AWS Region (e.g. US East (Ohio), us-east-2) contains multiple Availability Zones (Availability Zone 1, 2, 3), each made up of one or more data centers. An Amazon VPC spans the Availability Zones of the region, and each Availability Zone can hold private and public subnets governed by a route table.

Amazon VPC
• IPv4 CIDR range: 10.0.0.0/16
• IPv6 CIDR range: 2001:db8:1234:1a00::/56
• Private subnet 10.0.0.0/24 and public subnet 10.0.1.0/24, each associated with a route table
• A subnet must reside entirely within one Availability Zone only
• You can have multiple subnets in the same Availability Zone
• One subnet cannot span two or more AZs

Public subnet
• For publicly accessible web servers and resources (Amazon EC2 web servers)
• Has a route to the Internet Gateway of the VPC

Private subnet
• For backend systems like databases or application servers that are not meant to be accessed publicly (Amazon EC2 servers, Amazon EFS, Amazon RDS, Amazon FSx)
Amazon EC2 Overview
Amazon EC2 can be integrated with a lot of AWS services.

Like your own computer, an EC2 instance has memory (RAM), storage, and networking:
• Block storage: instance store, Amazon EBS
• File storage: Amazon EFS, Amazon FSx for Lustre, Amazon FSx for Windows File Server
• Object storage: Amazon S3
• Network: Amazon VPC, Elastic IP address, Elastic Network Interface (ENI), placement groups, Elastic Network Adapter (ENA), Elastic Fabric Adapter (EFA)
• Auto scaling: Amazon EC2 Auto Scaling
• Image: Amazon Machine Image (AMI)

Amazon Machine Image (AMI)
• A template of apps and configurations from which an EC2 instance is launched
• Made up of volume snapshots, a block device mapping, and launch permissions
• Amazon EBS-backed AMI: the block store type is Amazon EBS, the volume snapshots are EBS snapshots, the block device mapping maps the Amazon EBS volumes, and launch permissions can be public, explicit, or implicit
• Instance store-backed AMI: the block store type is the Amazon EC2 instance store, there are no volume snapshots (N/A), and the block device mapping is the template for the root volume
• Regional in scope
• You can copy your AMI to another AWS Region (e.g. from the N. Virginia Region to the Ohio Region)
• You can also copy your AMI to another AWS account
• AMIs can also be obtained from the AWS Marketplace

Virtualization type | Boot-up process | Support for special hardware extensions
PV (Paravirtual) | Uses a special boot loader called PV-GRUB | N/A
HVM (Hardware Virtual Machine) | Executes the master boot record of the root block device of your image | Uses several special hardware extensions such as enhanced networking or GPU processing
Amazon EC2 Auto Scaling with Amazon SQS
• A target tracking policy on the age of the oldest message in the Amazon SQS queue scales the Auto Scaling group, which launches EC2 instances from the Amazon Machine Image (AMI)

Instance User Data
#!/bin/bash
yum update -y
mkdir tdojologs
systemctl start httpd
echo "tutorialsdojo OK!"

User data for the instances of an Auto Scaling group, e.g. mounting an Amazon EFS file system:
#!/bin/bash
mkdir ~/tutorialsdojo-efs
sudo mount -t nfs -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport \
  awsjonbonsoefs:/ ~/tutorialsdojo-efs

or installing the CloudWatch Logs agent:
#!/bin/bash
curl https://s3.amazonaws.com/aws-cloudwatch/downloads/latest/awslogs-agent-setup.py -O
chmod +x ./awslogs-agent-setup.py
./awslogs-agent-setup.py -n -r us-east-1 -c s3://tutorialsdojo

User Data
• Must be base64-encoded when passed through the API or CLI (the console encodes it for you)
• Limited to 16 KB in raw form
• Accessible from the instance metadata using this URI: http://169.254.169.254/latest/user-data
• By default, runs only once, upon the first launch of the EC2 instance
• Modifying the user data and restarting the instance won't rerun the initial user data script
• Do not put secrets in user data: it is stored unencrypted and anything that can reach the instance metadata, including an application on the instance with an SSRF flaw, can read it
Instance Metadata
Every EC2 instance exposes data about itself, including:
• AMI
• Hostname
• Public IP address
• Private IP address
• Instance type
• MAC address
• Security groups
• Security credentials
• IAM roles of your instance
• ...and many more!

Instance Metadata Service
• Served at the link-local address: http://169.254.169.254/latest/meta-data/
• Instance Metadata Service version 2 (IMDSv2) is session-oriented: a session token must first be obtained with a PUT request and then sent with every metadata request
• Categories: private IP address, public IP or Elastic IP address, Media Access Control (MAC) address, security groups, instance profile
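The IMDSv2 exchange just described, as an added example for this page rather than code from the slides or from AWS. Because the real service only answers on a running instance, the metadata endpoint is stood in for by an in-process simulator whose behaviour follows the documented IMDSv2 contract (PUT /latest/api/token with a TTL header returns a token; every metadata GET must carry it; the TTL is capped at 21600 seconds). The metadata values, the instance profile name tutorialsdojo-web, and the function names are constructed for the example. The point it shows is why enforcing IMDSv2 (aws ec2 modify-instance-metadata-options --http-tokens required) blunts credential theft through SSRF: a typical SSRF gadget can only issue a plain GET, which IMDSv2 rejects.

```python
"""IMDSv2 exchange, simulated in-process: an added example, not AWS code.

ImdsSimulator stands in for the link-local service at 169.254.169.254.
The metadata below is constructed sample data.
"""
import secrets
import time

TOKEN_HEADER = "X-aws-ec2-metadata-token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
MAX_TTL = 21600  # six hours, the IMDSv2 maximum session length

# Constructed sample responses (instance profile name is an assumption).
SAMPLE_METADATA = {
    "/latest/meta-data/iam/info": '{"InstanceProfileArn": "arn:aws:iam::123456789012:instance-profile/tutorialsdojo-web"}',
    "/latest/meta-data/iam/security-credentials/tutorialsdojo-web": '{"AccessKeyId": "ASIAEXAMPLEKEY", "Token": "constructed-session-token"}',
}


class ImdsSimulator:
    """Server side. http_tokens='required' is IMDSv2-only; 'optional' also answers legacy v1 GETs."""

    def __init__(self, http_tokens="required"):
        self.http_tokens = http_tokens
        self._tokens = {}  # token -> expiry (monotonic seconds)

    def handle(self, method, path, headers):
        """Return (status, body) the way the endpoint would."""
        if path == "/latest/api/token":
            if method != "PUT":  # tokens are only issued for PUT, never GET
                return 405, ""
            ttl = headers.get(TTL_HEADER)
            if ttl is None or not ttl.isdigit() or not 1 <= int(ttl) <= MAX_TTL:
                return 400, ""
            token = secrets.token_urlsafe(32)
            self._tokens[token] = time.monotonic() + int(ttl)
            return 200, token
        if method != "GET":
            return 405, ""
        token = headers.get(TOKEN_HEADER)
        # A presented token is always validated; a missing one is only tolerated in 'optional' mode.
        if token is not None or self.http_tokens == "required":
            expiry = self._tokens.get(token)
            if expiry is None or expiry < time.monotonic():
                return 401, ""
        body = SAMPLE_METADATA.get(path)
        return (200, body) if body is not None else (404, "")


def fetch_metadata_v2(send, path, ttl_seconds=60):
    """Client side: PUT for a session token, then GET the metadata with it."""
    status, token = send("PUT", "/latest/api/token", {TTL_HEADER: str(ttl_seconds)})
    if status != 200:
        raise RuntimeError(f"token request failed with HTTP {status}")
    return send("GET", path, {TOKEN_HEADER: token})


def ssrf_style_get(send, path):
    """What a typical SSRF gadget can do: a bare GET with no custom headers."""
    return send("GET", path, {})


if __name__ == "__main__":
    imds = ImdsSimulator()
    print("SSRF-style GET:", ssrf_style_get(imds.handle, "/latest/meta-data/iam/info")[0])
    print("IMDSv2 client:", fetch_metadata_v2(imds.handle, "/latest/meta-data/iam/info"))
```

The `send` callable is the only seam: on a real instance you would replace `imds.handle` with a function that performs the same PUT and GET against http://169.254.169.254 using the two header names above, and the client code stays identical. The default PUT response hop limit of 1 on real instances is the second half of the defence, since it keeps the token response from crossing a network hop out of the instance.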
Amazon S3 Overview
Amazon S3
• An object storage service
• S3 stands for "Simple Storage Service"
• Highly durable, available and scalable storage service
• Primarily used to store static data that does not change frequently
• Allows your files to be publicly available via the Internet
• Highly scalable and allows you to store virtually unlimited amounts of files
• An object is stored in a bucket and carries metadata: a set of name-value pairs

Bucket naming guidelines
• The S3 bucket name is globally unique
• The namespace is shared by all AWS accounts around the world
• Example: if you created an S3 bucket named "tutorialsdojo", then no other AWS user can create a bucket with that same name; if someone tries to create a new bucket called "tutorialsdojo", that request will fail

Amazon S3 does NOT support POSIX, including:
• Concurrent file modification
• File system access semantics
• File locking

Amazon S3 folders and prefixes
• Help you organize or group your objects
• S3 has a flat structure
• The concept of a "folder" is not hierarchical, unlike Amazon EFS
• Example object key name: tutorialsdojo/aws.jpeg, where "tutorialsdojo/" is the prefix and "aws.jpeg" is the filename
Amazon S3 in a region (e.g. N. Virginia) stores your objects redundantly across multiple Availability Zones (at least three) by default; S3 One Zone-IA is the exception.

AVAILABILITY 99.99%
DURABILITY 99.999999999%

Durability: the probability that an object remains intact and accessible after a period of one year
• 100%: absolutely no data loss per year
• 99%: 1% chance of data loss per year
• 99.99%: 0.01% chance of data loss per year
• 99.999999999%: 0.000000001% chance of data loss per year; if you store 10,000,000 objects, you can expect to lose a single object on average once every 10,000 years
Amazon S3 Storage Classes
• For frequently accessed data: S3 Standard
• For changing or unknown access patterns: S3 Intelligent-Tiering
• For storing long-lived, yet less frequently accessed data: S3 Standard-IA (Infrequent Access), S3 One Zone-IA (Infrequent Access)
• For low-cost long-term storage and data archiving: S3 Glacier, S3 Glacier Deep Archive

Lifecycle Policy
• Transitions objects between classes on a schedule, e.g. from S3 Standard or S3 Intelligent-Tiering to S3 Standard-IA or S3 One Zone-IA after 30 days, to S3 Glacier after 90 days, and to S3 Glacier Deep Archive after 180 days

Static Website Hosting
• Launch a static website with HTML pages, downloadable packages, images, media files, or other client-side scripts
• Cost-effective solution for hosting your static websites with no server management required (serverless)
• Cannot be used for running server-side scripts such as PHP, JSP, ASP.NET etc.

Amazon S3 vs. Amazon EBS vs. Amazon EFS
• Amazon S3: accessed via the public Internet by default, invoked via REST API request calls
• Amazon EBS and Amazon EFS: attached or mounted to the Amazon EC2 instance

Other Amazon S3 features
• S3 Versioning (version x.*): prevents accidental data deletion in Amazon S3
• Multi-Factor Authentication (MFA): secures access to your S3 buckets and objects
• Access Control List (ACL) and bucket policy: control external access to your Amazon S3 bucket
• Cross Region Replication (CRR): automatically replicates objects to a different AWS Region for backup purposes
• Transfer Acceleration and Multipart Upload: accelerate or expedite the data transfer (upload/download) of S3 objects
• ...and many other S3 features!
Amazon S3 Storage Classes
S3 Standard, S3 Intelligent-Tiering, S3 Standard-Infrequent Access (Standard-IA), S3 One Zone-Infrequent Access (One Zone-IA), S3 Glacier, S3 Glacier Deep Archive

S3 Standard
• Primarily used for storing data that is frequently accessed
• Highly durable, highly available, and high performance object storage
• Replicates your data to 3 or more Availability Zones
• 99.99% availability
• No minimum storage duration charge
• No data retrieval fee

S3 Standard use cases
• For setting up highly available and durable static web hosting
• As a temporary storage service for the nightly log processing of your application, where the logs are meant to be stored for 1 day (24 hours) only. It is a cost-effective option for this case since it has no minimum storage duration charge

S3 Standard limitations
• Not cost-effective, as this storage class is the most expensive among all the other classes
• Not recommended for data archiving, for infrequently accessed files, or for any workloads that require cost-effective storage
S3 Standard-IA
• Primarily used for storing infrequently accessed data but provides a way to rapidly retrieve the stored files
• Replicates your data to 3 or more Availability Zones
• 99.99% availability
• 30-day minimum storage duration charge
• Has a data retrieval fee that is measured per gigabyte (GB)

S3 Standard-IA use cases
• As long-term storage for long-lived, but infrequently accessed data
• For data backups
• As a data store for your Disaster Recovery (DR) files
• For storing the primary backup copies of your on-premises dataset

S3 One Zone-IA
• For storing less frequently accessed and easily reproducible data that requires immediate retrieval when needed
• 30-day minimum storage duration charge
• Cheaper than S3 Standard-IA
• Only uses 1 Availability Zone
• 99.95% availability (the lowest among all other Amazon S3 storage classes)

S3 One Zone-IA use cases
• If you require a cost-effective option to store infrequently accessed data
• For workloads that do not require the availability and resilience of the Amazon S3 Standard or S3 Standard-IA class
• For storing secondary backup copies of a rarely accessed on-premises dataset
• For storing easily recreatable data

S3 One Zone-IA limitations
• The data is replicated within a single AZ only
• Not recommended for storing your company's primary backup copies or any critical business data that is difficult to reproduce
S3 Intelligent-Tiering
• Delivers automatic cost savings
• Automatically moves your objects between different access tiers whenever your access pattern changes
• 30-day minimum storage duration charge
• No data retrieval fee
• Moves data to the most cost-effective access tier without any operational overhead
• Stores the objects in four access tiers:
  • 2 low-latency access tiers
  • 2 optional archive access tiers
S3 Intelligent-Tiering USE CASES
• Suitable if your data has an unpredictable access pattern
• For buckets with a mix of frequently and infrequently accessed data
• If the access patterns to your data vary all the time
• If some of your files are accessed frequently while the others are rarely accessed (moved to Glacier)
• If some of your data is accessed less frequently than the rest (moved to the IA tier)
• If you are unsure of how frequently your data will be accessed
S3 Intelligent-Tiering USE CASES
• If you want to keep costs low by automatically moving your data to the appropriate S3 storage class
• If your data will be accessed by users over variable periods of time
• If you need storage with no management overhead
• If you want to avoid lifecycle policies that are not consistently implemented or are only partially implemented
S3 Glacier
• A secure, durable, and low-cost storage
• Suitable for data archiving
• A cost-effective storage solution for rarely accessed data that does not require a fast retrieval time
• Replicates your data to 3 or more Availability Zones
• 99.99% Availability
• 90-day minimum storage duration charge
• High data retrieval fee (expensive)
• Has its own management console apart from the regular Amazon S3 console
S3 Glacier
• 2 ways to store your data:
  • Using the Amazon S3 console
  • Using the Amazon Glacier console
• Automatically move your data from S3 Standard or S3 Standard-IA to Amazon S3 Glacier by using a lifecycle policy
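The lifecycle transition in the last bullet, worked through as an added example that is not part of the course slides: a small Python linter checks a constructed S3 lifecycle rule against the minimum storage durations these slides list (30 days for the IA classes and Intelligent-Tiering, 90 for Glacier, 180 for Deep Archive), so that no transition or expiration leaves a class before its minimum charge has been earned. The rule IDs and prefixes are made up.

```python
"""Lint an S3 lifecycle rule against the minimum storage durations these slides
list (30 days for Standard-IA, One Zone-IA and Intelligent-Tiering, 90 days for
Glacier, 180 days for Glacier Deep Archive). Added example, not course material:
the rules below are constructed here in the shape S3 expects; the linter runs
locally and calls no AWS API."""

# Minimum storage duration charge per storage class, in days (from the slides).
MIN_DAYS = {"STANDARD": 0, "STANDARD_IA": 30, "ONEZONE_IA": 30,
            "INTELLIGENT_TIERING": 30, "GLACIER": 90, "DEEP_ARCHIVE": 180}
# S3 also rejects lifecycle transitions into the IA classes before day 30.
IA_EARLIEST_DAY = 30


def lint_rule(rule: dict) -> list:
    """Return human-readable findings for one lifecycle rule (empty = clean)."""
    findings = []
    prev_class, prev_days = "STANDARD", 0
    for step in rule.get("Transitions", []):
        cls, days = step["StorageClass"], step["Days"]
        min_prev = MIN_DAYS.get(prev_class, 0)
        if days <= prev_days:
            findings.append(f"{cls}: day {days} must come after the day {prev_days} transition")
        if cls in ("STANDARD_IA", "ONEZONE_IA") and days < IA_EARLIEST_DAY:
            findings.append(f"{cls}: S3 rejects IA transitions before day {IA_EARLIEST_DAY}")
        # Leaving a class early still bills its full minimum duration.
        if days < prev_days + min_prev:
            findings.append(f"{cls}: day {days} leaves {prev_class} before its {min_prev}-day "
                            f"minimum (earliest sensible day: {prev_days + min_prev})")
        prev_class, prev_days = cls, days
    expiry = rule.get("Expiration", {}).get("Days")
    min_last = MIN_DAYS.get(prev_class, 0)
    if expiry is not None and expiry < prev_days + min_last:
        findings.append(f"Expiration at day {expiry} deletes from {prev_class} while its "
                        f"{min_last}-day minimum is still being billed")
    return findings


# Constructed rules: nightly logs cascading through the colder classes.
GOOD_RULE = {"ID": "archive-nightly-logs", "Filter": {"Prefix": "logs/"}, "Status": "Enabled",
             "Transitions": [{"Days": 30, "StorageClass": "STANDARD_IA"},
                             {"Days": 90, "StorageClass": "GLACIER"},
                             {"Days": 365, "StorageClass": "DEEP_ARCHIVE"}],
             "Expiration": {"Days": 730}}
BAD_RULE = {"ID": "too-eager", "Filter": {"Prefix": "logs/"}, "Status": "Enabled",
            "Transitions": [{"Days": 7, "StorageClass": "STANDARD_IA"},
                            {"Days": 20, "StorageClass": "GLACIER"}],
            "Expiration": {"Days": 60}}

if __name__ == "__main__":
    for rule in (GOOD_RULE, BAD_RULE):
        print(rule["ID"], lint_rule(rule) or ["OK"])
```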
S3 Glacier Vault
• Has a resource called: Vault
• A vault is a container for storing your data archives
• The base unit of storage in S3 Glacier, containing a unique ID and an optional description
• Can only be created in the Amazon S3 Glacier console
• You must provide the vault name and its corresponding AWS Region
S3 Glacier Vault
• Use a Vault Lock to ensure data integrity and access control to your Amazon S3 Glacier Vaults
• A Vault Lock is an access policy that helps you enforce regulatory and compliance requirements
• You can specify a “Write Once Read Many” (WORM) control to lock your Glacier vault policy from future edits
• A Glacier vault access policy can no longer be changed once the vault lock process has been completed after 24 hours
S3 Glacier Vault USE CASES
• Applicable if your company wants to retain its archives for a specific number of years before the files can be deleted
• If you want to deny users from modifying or deleting an archive until after 1 year, 3 years, 7 years, et cetera
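A Vault Lock policy for the retention use case above, as an added example that is not from the course material: it builds the WORM Deny statement on glacier:DeleteArchive, keyed on the glacier:ArchiveAgeInDays condition, for a given number of years, and models locally which deletions the policy blocks. The account ID, region and vault name are placeholders, and evaluate_delete() is a simplified stand-in for the IAM policy evaluator, not AWS code.

```python
"""S3 Glacier Vault Lock: build a WORM retention policy and check locally which
archive deletions it would deny. Added example, not course material: the account
ID, region and vault name in VAULT_ARN are placeholders, and evaluate_delete()
is a simplified model of the single Deny statement built below, not the IAM
policy engine."""
import json

# Placeholder ARN (documentation-style account ID), not a real vault.
VAULT_ARN = "arn:aws:glacier:us-east-1:111122223333:vaults/example-vault"


def vault_lock_policy(vault_arn: str, retention_years: int) -> dict:
    """Deny glacier:DeleteArchive while an archive is younger than the retention
    period. glacier:ArchiveAgeInDays is the condition key Glacier exposes for
    this purpose; Principal "*" makes the Deny apply to every caller."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": f"deny-delete-before-{retention_years}y",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "glacier:DeleteArchive",
            "Resource": [vault_arn],
            "Condition": {"NumericLessThan": {"glacier:ArchiveAgeInDays": str(365 * retention_years)}},
        }],
    }


def policy_document(policy: dict) -> str:
    """JSON text for initiate_vault_lock(policy={'Policy': ...}); once the lock is
    sealed with complete_vault_lock() the policy can no longer be edited."""
    return json.dumps(policy, indent=2)


def evaluate_delete(policy: dict, archive_age_days: int) -> str:
    """Return 'DENY' if a Deny on glacier:DeleteArchive matches the archive's age,
    else 'ALLOW' (assumes IAM otherwise permits the caller)."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Deny" or "glacier:DeleteArchive" not in actions:
            continue
        limit = stmt.get("Condition", {}).get("NumericLessThan", {}).get("glacier:ArchiveAgeInDays")
        if limit is None or archive_age_days < int(limit):
            return "DENY"  # unconditional Deny, or still inside the retention window
    return "ALLOW"


if __name__ == "__main__":
    seven_year = vault_lock_policy(VAULT_ARN, 7)
    print(policy_document(seven_year))
    for age in (30, 2554, 2555):
        print(f"archive age {age} days -> {evaluate_delete(seven_year, age)}")
```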
S3 Glacier Archival Retrieval Options

EXPEDITED
• Quickly access a subset of your data archives
• Allows you to access your archived data within 1 - 5 minutes (file size should NOT exceed 250 MB)
• Ensure sufficient retrieval capacity for your Expedited retrieval operations by purchasing provisioned capacity

STANDARD
• Default option for retrieval requests
• Allows you to access any of your Glacier archives within 3 – 5 hours

BULK
• Lowest-cost retrieval option
• Retrieves large amounts of data archive in less than half a day
• Typically completes the process within 5 – 12 hours
S3 Glacier Deep Archive
• The lowest-cost storage class in Amazon S3
• Supports long-term retention and digital preservation for your data
• Primarily used to retain your data sets for 7 to 10 years or longer to meet regulatory compliance requirements
• Replicates your data to 3 or more Availability Zones
• 99.99% Availability
• 180-day minimum storage duration charge (roughly 6 months)
• Should be used for data archiving only
• The data stored here should be rarely accessed with no strict retrieval time
S3 Glacier Deep Archive - Retrieval Options

STANDARD
• Default option for retrieval requests
• Data will be restored within 12 hours

BULK
• Costs lower than the Standard retrieval option
• Data will be restored within 48 hours
Amazon CloudFront Overview

CloudFront = Content Delivery Network (CDN)
[Diagram: viewers reach a distant Origin Server over Trans-Pacific and Trans-Atlantic Submarine Cables, with LOAD TIME shown on a scale of up to 10 seconds; with CloudFront Points of Presence (PoP) near the viewers, LOAD TIME drops to 1 second]
Edge Location
• Refers to the ‘edge’ or the boundary of the network
• Connects the different networks of various Internet Service Providers (ISPs) or Telecommunications companies
[Diagram: a CloudFront PoP sitting at the Edge/Boundary of Internet Service Provider #1 and Internet Service Provider #2]
CloudFront (Content Delivery Network) components:
• ORIGIN
• DISTRIBUTION
• VIEWER

CloudFront ORIGIN types:
• Amazon S3 Bucket
• Elastic Load Balancer
• AWS Elemental MediaPackage Endpoint
• AWS Elemental MediaStore Container
• Amazon EC2 Instance or Your On-Premises Server
Amazon CloudFront Features
• Origin Access Identity (OAI)
• Geo-Restriction
• Lambda@Edge and CloudFront Functions
• Origin Group and Origin Failover (primary: ORIGIN A; failover: ORIGIN B)

Amazon CloudFront Features
• Custom Domain Name and Custom SSL (SNI / Dedicated IP)
• Signed URLs
• Signed Cookies
• AWS WAF - CloudFront Integration