Tutorials Dojo - AWS Certified Developer Associate (DVA-C01) Video Slides
WHAT is AWS? WHEN did AWS start? WHY is AWS so popular?

Amazon Web Services (AWS) = Cloud Service Provider
• Provides a cloud-based platform, or cloud services
• Allows you to rent virtual servers that you access remotely
• Virtual machines, physical servers, storage appliances and network devices are available for RENT and accessible online via web service interfaces (REST, SOAP etc.)
• Started in 2004 and is still growing today
REGIONS, AVAILABILITY ZONES AND EDGE NETWORKS
• Region: literally a geographic "zone", e.g. US East (Ohio) = us-east-2
• Availability Zone (AZ): one or more data centers inside a Region; a Region contains several AZs (Availability Zone 1, 2, 3 ...)
• Spreading a system across AZs improves its "Availability"
• Edge Networks: edge locations that sit between your users and the Origin Server (see Amazon CloudFront below)
COMPUTE SERVICES

Amazon Route 53 (what's the meaning of this number? 53 is the port number DNS listens on)

Amazon EC2 (Elastic Compute Cloud)
• A computing service that runs virtual servers in AWS
• Flexible, customizable, scalable
• An instance is made of virtual CPU, memory, storage and network
• VIRTUALIZATION: a hypervisor (also called a Virtual Machine Monitor) runs the guest OS on top of the host; a bare-metal hypervisor runs directly on the firmware/hardware, a hosted hypervisor runs on a host OS
• DEFAULT or CUSTOM virtualization; tenancy can be SHARED or DEDICATED
• You log in over SSH (Linux) or RDP (Windows)

AWS Lambda
• Serverless: you supply only the Lambda function and pick a RUNTIME environment (built-in or CUSTOM runtime); unlike Amazon EC2 there is no SSH connection to the underlying host

AWS Outposts: hybrid, runs AWS infrastructure in your own data center

AWS Container Services (overview): orchestration, container engine, CLI tools, App2Container (A2C)
• Amazon Elastic Container Service (Amazon ECS)
  ‣ Runs your containers as ECS Tasks (ECS Task 1, ECS Task 2 ...)
  ‣ Storage integration (Amazon EFS, Amazon FSx), data sources such as Amazon SQS, and Service Auto Scaling
  ‣ Pulls container images from Amazon ECR
• Amazon Elastic Kubernetes Service (Amazon EKS)
  ‣ Containers are grouped into Pods, the basic operational unit for Kubernetes.
  ‣ Works on:
• Amazon ECR: stores your Docker images in a highly available and scalable architecture
• AWS App2Container (A2C): configures the network ports and generates the ECS task and Kubernetes pod definitions.
• Also a command-line tool, just like AWS App2Container (A2C)
DATABASE SERVICES
Amazon RDS, Amazon Aurora, Amazon DynamoDB, Amazon DocumentDB, Amazon ElastiCache, Amazon Keyspaces, Amazon Neptune

Amazon Relational Database Service (Amazon RDS)
• A managed DB Instance inside your Amazon VPC, reached from your Amazon EC2 instances; engines include Microsoft SQL Server, PostgreSQL and Amazon Aurora
• You decide the actual time for a security patch to be applied by setting the maintenance window
• Single-AZ vs Multi-AZ (example: N. Virginia Region, VPC A spanning Availability Zone (AZ) 1, 2 and 3):
  ‣ Multi-AZ: the PRIMARY instance replicates SYNCHRONOUSLY to a STANDBY in another AZ; the standby exists for failover and does not serve reads
  ‣ READ REPLICA: replicated ASYNCHRONOUSLY from the PRIMARY and used to scale read traffic
Tutorials Dojo
www.tutorialsdojo.com

Amazon Aurora
• A type of database engine (that you can run on Amazon RDS) and a fully managed database service.
Amazon S3, Amazon Redshift

Amazon DynamoDB
• NoSQL: a table (Dynamo Table #1, Dynamo Table #2) holds ITEMS made of ATTRIBUTES, with NO RELATIONSHIP between tables, unlike a relational database where tables are joined (JOINS) through a Foreign Key relationship
• Reachable from your VPC through a VPC Endpoint

Amazon DocumentDB
• A fast, scalable, highly available MongoDB-compatible database service.
• Cross-platform, NoSQL DOCUMENT database: documents are grouped in a COLLECTION, for example:
{
  id: 1898,
  gid: "tutorialsdojo1898",
  firstName: "Jose",
  lastName: "Rizal",
  profile: {
    nationality: "Filipino",
    country: "Philippines",
    birthPlace: "Laguna"
  }
}
Amazon ElastiCache
• A caching service: an IN-MEMORY DATABASE placed in front of your data store (CACHED vs NO CACHE)
• Faster than disk-based databases: sub-millisecond latency
• Supports data partitioning
• Can be integrated into your apps with minimal code change
• Memcached engine: based on the open-source Memcached in-memory data store; suitable for building a simple, scalable caching layer for your data-intensive apps.
• Redis engine: additionally provides Pub/Sub messaging and geospatial support (neither is offered by Memcached)

Other Databases
• Amazon Keyspaces: a scalable, highly available, and managed Apache Cassandra-compatible database service
• Amazon Neptune (graph database): makes it easy for you to build and run applications that work with highly connected datasets
• Time series database
MONOLITHIC vs MICROSERVICES
• Monolithic: one deployable unit containing the USER INTERFACE and the BUSINESS LOGIC
• Microservices: separate UIs and services (SERVICE 2, SERVICE 4 ...) that talk to each other through queues and APIs

Application Integration Services
Amazon Simple Queue Service (Amazon SQS), Amazon Simple Notification Service (Amazon SNS), AWS Step Functions, Amazon MQ

Amazon SQS
• Producers put messages (1, 2, 3, 4 ...) on the queue and consumers poll them; the ChangeMessageVisibility API extends or shortens the visibility timeout of a message a consumer is still processing
• TYPES: Standard queue (at-least-once delivery, so possible duplicate messages!) and FIFO queue
• Queue depth drives scaling: a Target Tracking Policy on the number of queued messages scales the ECS Tasks (ECS Task 1, ECS Task 2 ...) that consume the queue, for example to process data landing in an Amazon S3 bucket

Amazon SNS
• A fully managed messaging and notification service
• Publishers send to a TOPIC (e.g. "Pet Insurance"); subscribers such as an Amazon SQS queue, AWS Lambda or Amazon CloudWatch receive the message
• Patterns: FANOUT (one topic, many subscribers) and EVENT NOTIFICATIONS

AWS Step Functions
• A serverless function orchestrator for:
• Example workflow: STEP 1 Register (Lambda) ... STEP 3 Send Report (Lambda)

Amazon MQ
• A managed message broker service of:

Amazon EventBridge
• Recommended to be used for your own applications, 3rd party Software-as-a-Service apps, and other external sources
AWS AppSync
• Only fetches the data that you want and not the entire data set
• Unlike a REST API, you can query different APIs or resources easily using a single API call
Amazon AppFlow
• Allows you to run your data flows on-demand, by schedule or as a response to a business event
ANALYTICS SERVICES
Amazon Redshift, AWS Data Pipeline, AWS Glue, AWS Lake Formation, Amazon Managed Streaming for Apache Kafka, Amazon Kinesis, Amazon Athena, Amazon EMR, Amazon QuickSight

Amazon Kinesis
• A suite of services for processing your data streams:
  ‣ Amazon Kinesis Data Streams
  ‣ Amazon Kinesis Data Firehose
  ‣ Amazon Kinesis Video Streams: stores, encrypts, and indexes video data in your streams; serverless
  ‣ Amazon Kinesis Data Analytics: uses Apache Flink to process and analyze streaming data
• You can expose a REST API using API Gateway that can be used as an Amazon Kinesis proxy

Amazon Athena
• An interactive query service for your data that is stored in Amazon S3
• Serverless
• Sample use case: a global eCommerce website stores 250 gigabytes of transactional data each month in Amazon S3
• Can use an AWS Glue Data Catalog to store and retrieve table metadata for your Amazon S3 data and provide data visualization using Amazon QuickSight

Amazon Elasticsearch Service (now Amazon OpenSearch Service)
• A fully managed Elasticsearch service; a managed search service in AWS
• ELK Stack: Elasticsearch - full-text search engine
• Lets you pay only for what you use (no upfront costs or usage requirements)

Amazon Elastic MapReduce (Amazon EMR)
• Allows you to run different types of big data frameworks in AWS (notebooks via Apache Zeppelin)
• Runs your big data framework on Amazon EC2 instances, Amazon Elastic Kubernetes Service clusters, or in your on-premises EMR cluster via AWS Outposts

Amazon QuickSight
• Highly scalable and can easily scale up to thousands of users globally
• Serverless

AWS Glue
• Automatically discovers your data and stores the associated metadata in the AWS Glue Data Catalog
IDENTITY SERVICES

AWS Identity and Access Management (IAM)
• The primary identity service in AWS
• A user authenticates with a PASSWORD (console) or ACCESS KEYS (CLI/API); permissions come from an IAM POLICY (Permission 1 ... Permission 4) attached to the user or to an IAM ROLE the user assumes

Amazon Cognito
• Lets you add user sign-up, sign-in, and access control features to your web or mobile apps
• USER POOL (authenticates your users) vs IDENTITY POOL (hands out temporary AWS credentials)
• Federates with Microsoft Active Directory and with SAML (Security Assertion Markup Language) identity providers

AWS Single Sign-On
• Provides a user portal that allows users to access the roles that they can assume

AWS Directory Service: AD Connector
AWS Storage Services Overview
Amazon EC2 Instance Store, Amazon EBS, Amazon EFS, Amazon S3, Amazon S3 Glacier, Amazon FSx for Lustre, Amazon FSx for Windows File Server, AWS Backup, AWS Storage Gateway

Amazon EC2 Instance Store
• A built-in component of the underlying host computer that powers your EC2 instance, NOT a full-fledged AWS service
• Uses the local disks or storage volumes that are physically attached to the underlying host computer of the Amazon EC2 instance.
• Data on it is lost when the instance stops or terminates

Amazon Elastic Block Store (Amazon EBS)
• Your data will still be there even if you stop or restart your Amazon EC2 instance, unlike the Instance Store. On terminate a volume survives only if its DeleteOnTermination flag is off (the default for additional volumes; the root volume defaults to deletion)
• Zonal in scope: you can only attach a volume to EC2 instances in the same Availability Zone.
• Can be used as a boot volume for Amazon EC2
• Volume types: Solid State Drive (SSD) and Hard Disk Drive (HDD)
• EBS Multi-Attach: one volume attached to several Nitro-based instances at once

Amazon S3
• An object storage service
• Storage classes: S3 Standard (for frequently accessed data), S3 Intelligent-Tiering (for changing or unknown access patterns), S3 Standard-IA, S3 One Zone-IA, S3 Glacier, S3 Glacier Deep Archive; a Lifecycle Policy moves objects between classes
• Bucket Policy controls access; Versioning keeps every version (x.*) of an object to prevent accidental data deletion in Amazon S3.

Amazon S3 Glacier
• Low-cost storage for data archiving and long-term backup; archives live in a Vault.
• S3 Standard vs S3 Glacier (minimum storage duration):
  ‣ Data deleted after 1 day (24 hours): S3 Standard = regular storage usage charge (24 hours); S3 Glacier = you will be billed for the entire 90 days
  ‣ Data deleted after 90 days: S3 Standard = regular storage usage charge (90 days); S3 Glacier = regular storage usage charge (90 days)
• S3 Glacier vs S3 Glacier Deep Archive:
  ‣ Data deleted after 1 day (24 hours): S3 Glacier = you will be billed for the entire 90 days; Deep Archive = you will be billed for the entire 180 days
• Archive Retrieval Options: EXPEDITED, STANDARD, BULK

Amazon Elastic File System (Amazon EFS)
• Uses the Network File System (NFS) protocol. Works as a file share for Linux servers
• Only supports Linux; for Windows file shares use Amazon FSx for Windows File Server
• Lifecycle Policy: files not accessed for 30 days move to the IA (Infrequent Access) storage class

Amazon FSx for Lustre
• Linux cluster = Lustre, an open-source, parallel file system

Amazon FSx for Windows File Server
• Windows file share for Microsoft workloads such as SharePoint and SQL Server, and for containers

AWS Backup
• A fully managed backup service: service-level backups and snapshots for Amazon Aurora, Amazon RDS, Amazon EBS, AWS Storage Gateway and more

AWS Storage Gateway
• Runs as a VIRTUAL MACHINE in your data center
• File Gateway: store and retrieve objects in Amazon S3 using the NFS and SMB protocols; uses S3 as the primary storage; can be integrated with AWS Managed Microsoft AD or your on-premises Microsoft Active Directory
• Volume Gateway: provides block storage to your on-premises apps with low latency via the Internet Small Computer System Interface (iSCSI) from your Storage Area Network; uses EBS volumes for point-in-time snapshots of your data. Cached volumes store a subset of frequently accessed data locally; stored volumes store the entire dataset locally and asynchronously back up the data to AWS.
• Tape Gateway: a cloud-based Virtual Tape Library; on-premises apps connect to the tape gateway as iSCSI devices; uses S3 to back up the tapes; reduces costs by eliminating the use of physical backup tapes
• Use cases: INTEGRATION (replicate your local data to Amazon S3) and MIGRATION (move data and VMs into AWS)
AWS Monitoring Services Overview

Amazon CloudWatch
• METRICS: collect metrics from various AWS services and your custom applications (e.g. CPU Utilization, with a forecast of when it will go high)
• For Amazon EC2, the default frequency is every 5 minutes; Detailed Monitoring sends EC2 metrics data every 1 minute
• LOGS: primarily used for logs monitoring; the CloudWatch Logs Agent ships log files from your instances
• ALARMS: allows you to create alarms for your monitoring
• EVENTS: CloudWatch Events and Amazon EventBridge
• DASHBOARDS: a customizable dashboard containing your AWS system metrics; allows you to publish and view your custom metrics

AWS Service Health Dashboard
• Shows the SERVICE STATUS of all AWS services per REGION, with an RSS feed

AWS Personal Health Dashboard
• Does NOT show you the status of all the AWS services globally but only the status of the AWS services that you have in your account.
• Shows the AWS Health events that might affect your applications running on AWS such as scheduled maintenance or system outages
• Allows you to create alerts and notifications based on the health of your AWS resources

AWS Health API
• Provides programmatic access to the AWS Health information that appears in your AWS Personal Health Dashboard
AWS Audit & Compliance Services Overview
• AWS CloudTrail: records the API activity in your account and delivers the log files to an Amazon S3 Bucket
• RESOURCE CHANGES: tracked by AWS Config
• AWS Artifact: ISO Reports and other compliance reports
• Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS IAM Access Analyzer, AWS Firewall Manager
AWS Networking & Content Delivery Services Overview

Amazon Virtual Private Cloud (Amazon VPC)
• NETWORK VIRTUALIZATION: virtual devices (subnets, route tables, gateways) running on AWS's physical devices
• Lives inside one REGION of the AWS CLOUD; Amazon EC2, Amazon RDS, Amazon EFS, Amazon FSx and other services run inside it
• INTERNET GATEWAY: the VPC's path to the public Internet
• VPC Peering: connects two VPCs
• Local Gateway: extends the VPC to an AWS Outpost; CUSTOMER GATEWAY: the on-premises end of a VPN connection

AWS PrivateLink and VPC Endpoints
• Private access from your Amazon VPC to Amazon S3, Amazon DynamoDB and other services; all are located within the AWS cloud, so the traffic does NOT pass through the public Internet.

Elastic Load Balancing
• Automatically distributes incoming traffic across multiple targets such as EC2 instances, containers and IP addresses
• Application Load Balancer: HTTP / HTTPS and gRPC; Network Load Balancer: TCP / UDP and TLS; Classic Load Balancer: HTTP / HTTPS and TCP / SSL/TLS

Amazon Route 53
• A Domain Name System (DNS) web service: buy domains, manage domains
• Routes names to an Elastic IP address, an Amazon EC2 instance, an Amazon S3 static website, Elastic Load Balancers or Amazon CloudFront web distributions
• Root Domain (also known as the Zone Apex or Naked Domain) vs Subdomains

AWS Global Accelerator
• A single entry point that sends users to the nearest healthy endpoint (Network Load Balancer, Application Load Balancer, Amazon EC2 instance or Elastic IP address) across regions, e.g. the US East Region and the Sydney Region

Amazon CloudFront
• A content delivery network (CDN) service
• USERS access cached content at the edge; an Origin Access Identity (OAI) lets CloudFront, and nothing else, read the Amazon S3 bucket used as origin

AWS Virtual Private Network (AWS VPN)
• AWS Site-to-Site VPN: on-premises data center (CUSTOMER GATEWAY) to your Amazon VPC (VIRTUAL PRIVATE GATEWAY) or to an AWS Transit Gateway; the traffic does NOT pass through the public Internet unencrypted
• AWS Client VPN: Client VPN software on user devices connecting to the VPC

AWS Transit Gateway
• Recommended for large organizations with hundreds (100s) of Amazon VPCs, site-to-site VPNs, and external networks.
• Reduces the complexity of your infrastructure and makes scaling easier

Amazon API Gateway
• Allows you to publish, maintain, monitor, and secure your RESTful APIs.
• Also categorized as an Application Integration Service
AWS Security Services Overview

DDOS (Distributed Denial-Of-Service Attack)
• Attacks target different layers of the 7-layer Open Systems Interconnection (OSI) Model: UDP/IP floods at the network layer, TCP SYN floods at the transport layer (the attacker sends SYN, SYN, SYN ... and never completes the handshake after the SYN ACK), request floods at the application layer

AWS Web Application Firewall (AWS WAF)
• Allows you to create custom rules that block common attack patterns such as XSS (cross-site scripting) and SQL injection
• Rules are grouped in a Web Access Control List (Web ACL): rate-based rules, Geo Match conditions (allow or block by country), IP and string match rules
• A Web ACL is attached to Amazon CloudFront, an Application Load Balancer or Amazon API Gateway

AWS Firewall Manager
• A security management service designed for AWS WAF rules (and other protections such as AWS Shield Advanced)
• Enables you to roll out your custom rules (Web ACLs) to your AWS Organization

AWS Shield
• A managed DDoS protection service
• Two tiers: Standard (built-in by default, no extra charge) and Advanced

AWS CloudHSM
• Enables you to easily generate and use your own encryption keys on dedicated hardware security modules inside your Amazon VPC.

AWS Key Management Service (AWS KMS)
• An AWS KMS key (formerly called a CMK, customer master key) protects Amazon EBS snapshots, Amazon S3 encryption, Amazon RDS encryption and other services
• ENVELOPE ENCRYPTION: data is encrypted with a data key, and the data key is itself encrypted with the CMK

Amazon Macie
• Recognizes sensitive data such as personally identifiable information, or PII, in your Amazon S3 buckets (sample record from the slide: Name: Jon Bonso, Social Security #: 06-12-1898, Driver License #: PH18981206, Bank Account #: 12061898, Password: AdoBonGM4n0k, Email Address: [email protected])
• Provides dashboards and alerts that give visibility into how sensitive data is being accessed or moved.

AWS Certificate Manager (ACM)
• Provisions, manages, and deploys public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates

AWS Systems Manager
• Composed of capabilities such as Patch Manager (OS patches across all your instances' OSs) and Parameter Store
• Parameter Store holds passwords (as a Secure String encrypted with AWS KMS), database connection strings, Amazon Machine Image (AMI) IDs, license codes and environment variables

AWS Resource Access Manager (AWS RAM)
• Enables you to easily and securely share your AWS resources with any AWS account or within your AWS Organization
• Eliminates the need to create duplicate resources in multiple accounts

AWS Config
• Records configuration changes, e.g. which AMI an EC2 instance was launched from; a non-compliant change can trigger Amazon CloudWatch Events and an AWS Lambda remediation function

AWS Organizations
• Consolidate and centrally manage multiple AWS accounts; the management account pays all the bills (consolidated billing)
• Uses Service Control Policies (SCP) to control access and ensure organizational compliance across your AWS accounts; SCPs attach to an ORGANIZATIONAL UNIT (OU), e.g. Manila and Bangalore, or to individual accounts

AWS Service Catalog
• Empowers you to set up and centrally manage catalogs of approved IT services
• Uses blueprints that follow AWS best practices for security and management
IAM ENTITIES AND IDENTITIES
• IAM USER: an entity that represents an actual person or a service; has a NAME and a PASSWORD (console) and/or Access Keys (CLI, SDKs, AWS CDK). TYPES: Root User and regular IAM User
• IAM GROUP: a collection of IAM users; cannot be nested
• IAM ROLE: assumed by an IAM user, an AWS service or a trusted principal. A CROSS-ACCOUNT IAM ROLE grants access to your resources in one account (US - AWS ACCOUNT #1) to a trusted principal in a different AWS account (INDIA - AWS ACCOUNT #2)
• IAM POLICY: Permission 1, Permission 2, Permission 3 ...; either an AWS-managed Policy, a Customer-managed Policy or an Inline Policy

GRANT LEAST PRIVILEGE
• Attaching only the permissions a role or group needs follows the best practice of granting the least privilege
• Attaching PowerUserAccess or AdministratorAccess (effectively ROOT USER ACCESS) to an IAM role or group does not grant the least privilege
• CloudFormation templates: use the Instance Profile to pass a specific IAM role to your Amazon EC2 instance for it to perform certain actions; from inside the instance you can check which role is attached with:
curl http://169.254.169.254/latest/meta-data/iam/info

PERMISSIONS BOUNDARY
• Allows you to set the maximum permissions that an identity-based policy can grant to an IAM entity.
• Ensures that the entity can only perform the actions that are allowed by both its identity-based policies and its permissions boundary.

IAM POLICY
• Contains permissions that explicitly ALLOW or DENY access to certain AWS services and API actions
• Written in the JSON EDITOR or the VISUAL EDITOR
• Common conditions: IP Condition (aws:SourceIp) and Multi-Factor Authentication (MFA) Condition (aws:MultiFactorAuthPresent)
• Policy types:
  ‣ Identity-Based Policy: a policy that you attach to an IAM identity. Two kinds: Managed Policies (standalone; either AWS-managed or Customer-managed) and Inline Policies (embedded in a single identity)
  ‣ Resource-based Policies (a bucket policy, or the Trust Policy of a role)
  ‣ Permissions Boundaries: define the maximum permissions that an identity-based policy can grant to an IAM entity
  ‣ Session Policies
IAM Statement Elements
The statements in one policy are combined with a logical OR: a request is allowed when any Allow statement matches it (and no Deny does). In the second statement below, s3:ListBucket applies to the bucket ARN while s3:DeleteObject applies to object ARNs, so both resources are listed.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAllActionsOnBooksTable",
      "Effect": "Allow",
      "Action": "dynamodb:*",
      "Resource": "arn:aws:dynamodb:us-west-2:123456789012:table/Books"
    },
    {
      "Sid": "ListObjectsInBucket",
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:DeleteObject"],
      "Resource": [
        "arn:aws:s3:::tutorialsdojo-manila",
        "arn:aws:s3:::tutorialsdojo-manila/*"
      ]
    }
  ]
}

• "Sid": "AllowActionsOnBooksTable" is the optional Statement ID

CONDITION ELEMENT
• Operator families: String, Numeric, Date, Boolean, Binary, IpAddress, ARN, ...IfExists, and many more!
• The IfExists variants (StringEqualsIfExists, NumericEqualsIfExists, BoolIfExists, IpAddressIfExists, etc.) evaluate to true when the condition key is absent from the request context; the plain operators evaluate to false in that case

Shares the Amazon S3 bucket named tutorialsdojo-manila with an external vendor while ensuring that the bucket owner is still able to access all objects: the upload is only allowed when the vendor sets the bucket-owner-full-control canned ACL.
. . .
"Action": [
  "s3:PutObject"
],
"Resource": "arn:aws:s3:::tutorialsdojo-manila/*",
"Condition": {
  "StringEquals": {
    "s3:x-amz-acl": "bucket-owner-full-control"
  }
}
. . .

Users will be denied all API actions (except for the s3:PutObject action) if their multi-factor authentication (MFA) is not enabled. BoolIfExists matters here: requests signed with long-term access keys carry no aws:MultiFactorAuthPresent key at all, and with a plain Bool operator the condition would be false and the Deny would never apply to them.
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyAllTDojoUsersNotUsingMFA",
    "Effect": "Deny",
    "NotAction": "s3:PutObject",
    "Resource": "*",
    "Condition": {
      "BoolIfExists": {
        "aws:MultiFactorAuthPresent": "false"
      }
    }
  }]
}
IAM Policy Evaluation Logic
1. Authentication of the principal
2. Evaluation of every applicable policy (identity-based, resource-based, Permissions Boundaries, SCPs): an explicit DENY in any of them wins; otherwise the request is allowed only if some policy ALLOWs it, and by default everything is implicitly denied.

{
  "Id": "TutorialsDojoPolicy1",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "lambda:*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": ["lambda:CreateFunction", "lambda:DeleteFunction"],
      "Resource": "*"
    }
  ]
}
Will the API action be allowed or denied? The first statement allows every Lambda API action and the second denies two of them; statements are combined with a logical OR and an explicit Deny overrides an Allow, so lambda:CreateFunction and lambda:DeleteFunction are denied while every other lambda:* action is allowed.

POLICY 1 and POLICY 2, evaluated together:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:TerminateInstances",
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "49.147.194.0/24"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "ec2:Region": "us-west-1"
        }
      }
    }
  ]
}
This policy will allow you to terminate an Amazon EC2 instance in the us-west-1 region as long as your source IP is within the 49.147.194.0/24 CIDR block. Any ec2:* call outside us-west-1 is explicitly denied, and a terminate from another source IP in us-west-1 matches no Allow and is implicitly denied.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:*",
        "ds:*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "ds:Delete*",
      "Resource": "*"
    }
  ]
}
This policy provides full access to Amazon EC2. It also allows creating, reading and updating the AWS Directory Service (DS) directories but not deleting them.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "lambda:*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "lambda:CreateFunction",
        "lambda:DeleteFunction"
      ],
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "220.200.16.0/24"
        }
      }
    }
  ]
}
This allows an AWS Lambda function to be created or deleted as long as the IP address of the request does NOT fall under the 220.200.16.0/24 IP range.
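The evaluation rules the policies above depend on (explicit Deny wins, statements OR-ed together, Action/NotAction, conditions, and the BoolIfExists detail from the MFA policy and the bucket-owner-full-control condition earlier on this page), as an added example in Python. This is editor-written code, not from Tutorials Dojo and not an AWS SDK; it uses only the standard library. The request contexts (source IPs, regions, MFA flags) and the S3_FULL companion policy are constructed for the demonstration.

```python
"""Toy IAM policy evaluator (added example; not Tutorials Dojo or AWS code).

Covers the rules the slides rely on: an explicit Deny always wins, any
matching Allow otherwise allows, and with neither the result is an implicit
deny; Action/NotAction and Resource/NotResource with IAM's * and ? wildcards;
Condition operators StringEquals, StringNotEquals, Bool, IpAddress,
NotIpAddress and their ...IfExists variants. A condition key missing from the
request context makes the condition FALSE unless the operator ends in
IfExists, which makes it TRUE: that is why the MFA Deny needs BoolIfExists.
Resource-based policies, permissions boundaries, SCPs and session policies
are out of scope. All request contexts passed to evaluate() are constructed.
"""
import fnmatch
import ipaddress


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wild(pattern, value, case_sensitive):
    # IAM wildcards: '*' matches any run of characters, '?' one character.
    if not case_sensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _operator(base, expected, actual):
    if base == "StringEquals":
        return actual in expected
    if base == "StringNotEquals":            # negated: differ from ALL values
        return actual not in expected
    if base == "Bool":
        return str(actual).lower() == str(expected[0]).lower()
    if base in ("IpAddress", "NotIpAddress"):
        ip = ipaddress.ip_address(actual)
        hit = any(ip in ipaddress.ip_network(c, strict=False) for c in expected)
        return hit if base == "IpAddress" else not hit
    raise ValueError("operator not supported by this toy evaluator: " + base)


def _condition_holds(condition, ctx):
    # Every operator block and every key inside it must hold (logical AND).
    for op, pairs in condition.items():
        if_exists = op.endswith("IfExists")
        base = op[: -len("IfExists")] if if_exists else op
        for key, expected in pairs.items():
            if key not in ctx:
                if if_exists:
                    continue                 # absent key + IfExists -> true
                return False                 # absent key otherwise  -> false
            if not _operator(base, _as_list(expected), ctx[key]):
                return False
    return True


def _applies(st, action, resource, ctx):
    acts = _as_list(st["Action"] if "Action" in st else st["NotAction"])
    if any(_wild(p, action, False) for p in acts) != ("Action" in st):
        return False                         # NotAction applies when unmatched
    res = _as_list(st.get("Resource", st.get("NotResource", "*")))
    if any(_wild(p, resource, True) for p in res) != ("NotResource" not in st):
        return False
    return _condition_holds(st.get("Condition", {}), ctx)


def evaluate(policies, action, resource="*", ctx=None):
    """Return 'Deny' (explicit), 'Allow' or 'ImplicitDeny' for one request."""
    ctx = ctx or {}
    allowed = False
    for policy in policies:
        for st in _as_list(policy["Statement"]):
            if not _applies(st, action, resource, ctx):
                continue
            if st["Effect"] == "Deny":
                return "Deny"                # explicit deny overrides everything
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


# TutorialsDojoPolicy1 and POLICY 1 + POLICY 2 from the slides above.
LAMBDA_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "lambda:*", "Resource": "*"},
    {"Effect": "Deny", "Resource": "*",
     "Action": ["lambda:CreateFunction", "lambda:DeleteFunction"]}]}

EC2_REGION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:TerminateInstances", "Resource": "*",
     "Condition": {"IpAddress": {"aws:SourceIp": "49.147.194.0/24"}}},
    {"Effect": "Deny", "Action": "ec2:*", "Resource": "*",
     "Condition": {"StringNotEquals": {"ec2:Region": "us-west-1"}}}]}

# Assumed companion Allow so the MFA Deny has something to override.
S3_FULL = {"Version": "2012-10-17",
           "Statement": {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}}


def mfa_deny_policy(operator="BoolIfExists"):
    """DenyAllTDojoUsersNotUsingMFA; pass operator='Bool' to see the pitfall."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyAllTDojoUsersNotUsingMFA", "Effect": "Deny",
        "NotAction": "s3:PutObject", "Resource": "*",
        "Condition": {operator: {"aws:MultiFactorAuthPresent": "false"}}}]}


if __name__ == "__main__":
    print(evaluate([LAMBDA_POLICY], "lambda:CreateFunction"))            # Deny
    print(evaluate([S3_FULL, mfa_deny_policy("Bool")], "s3:GetObject"))  # Allow
```

The last line of the demo is the pitfall worth remembering: with a plain Bool operator an access-key request (no aws:MultiFactorAuthPresent key in the context) sails past the Deny, whereas BoolIfExists treats the absent key as "not MFA" and denies it. The real service applies the same absent-key rule, which is why AWS's own MFA examples use BoolIfExists.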
Amazon VPC Overview
• A VPC is scoped to one REGION (e.g. US East (Ohio) us-east-2) and spans that Region's Availability Zones (Availability Zone 1 ... Availability Zone 3, each made of several Data Centers)
• A ROUTE TABLE decides where the traffic from each subnet goes; an INTERNET GATEWAY gives the VPC a route to the Internet
Amazon EC2 Overview
• Can be integrated with a lot of AWS services
• Like your computer, an EC2 instance has CPU, MEMORY (RAM), storage and a network interface
• Storage: Instance Store and Amazon EBS (block); Amazon EFS, Amazon FSx for Lustre and Amazon FSx for Windows File Server (file); Amazon S3 (OBJECT STORAGE)
• NETWORK: Amazon VPC, Elastic IP address, Elastic Network Interface (ENI), Placement Groups, Elastic Network Adapter (ENA), Elastic Fabric Adapter (EFA)

Amazon Machine Image (AMI)
• The template for the root volume of an EC2 instance: the OS plus your apps & configurations
• Defined by its BLOCK STORE TYPE (Amazon EBS-backed, with Volume Snapshots, or Instance Store-backed, where snapshots are N/A), its Block Device Mapping and its Launch Permissions (explicit: granted to specific AWS accounts; implicit: the owner's own permission)
• Regional in scope; you can copy your AMI to another region or share it with another AWS account (COPY AMI)
• Prebuilt AMIs are available from the AWS Marketplace

Auto Scaling Group
• Launches EC2 instances from an AMI; a Target Tracking Policy (for example on the depth of an Amazon SQS queue) drives the scaling; User Data customizes each instance at launch and shared data can live on Amazon EFS
User Data
• A script that the instance runs at launch; when passed through the RunInstances API it must be in a base64-encoded format (the console and AWS CLI encode it for you), and the instance can read it back at:
http://169.254.169.254/latest/user-data
• Only runs once, upon the first EC2 instance launch
• Modifying the User Data and restarting the instance won't affect the initial User Data: the script is not run again

Instance Metadata
• Describes the running instance: AMI, hostname, public IP address, private IP address, instance type, MAC address, security groups, security credentials (the temporary credentials of the instance profile role)
• INSTANCE METADATA SERVICE endpoint: http://169.254.169.254/latest/meta-data/
• CATEGORIES include: private IP address, public IP or Elastic IP address, Media Access Control (MAC) address, security groups, instance profile
• INSTANCE METADATA SERVICE version 2 (IMDSv2) is session oriented: every request must carry a session token obtained with a PUT request, so a plain GET (the kind an SSRF flaw in a web app on the instance would issue) cannot read the credentials
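The IMDSv2 token flow described above, as an added example (editor's code, not Tutorials Dojo's and not an AWS SDK). The real endpoint only answers from inside an EC2 instance, so the transport is injected: real_transport talks to 169.254.169.254, while FakeImds is a constructed stand-in for IMDSv2 in "required" mode. The instance ID, the role name tdojo-app-role and the credential values in demo_fake() are placeholders, not real data.

```python
"""IMDSv2 session flow for EC2 instance metadata (added example; not
Tutorials Dojo or AWS SDK code).

IMDSv2 is session oriented: the caller first PUTs /latest/api/token with a
TTL header and then presents the returned token on every GET. A plain GET
with no token, which is what an SSRF bug in a web app on the instance would
normally produce, is refused. The transport is injected so the logic runs
offline: real_transport talks to the real endpoint (only works on an EC2
instance), FakeImds is a constructed stand-in for IMDSv2 in "required" mode.
Instance ID, role name and credential values in demo_fake() are placeholders.
"""
import base64
import http.client
import json
import secrets

IMDS_HOST = "169.254.169.254"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"


def real_transport(method, path, headers):
    """Send one request to the real metadata endpoint; returns (status, body)."""
    conn = http.client.HTTPConnection(IMDS_HOST, timeout=2)
    conn.request(method, path, headers=headers)
    resp = conn.getresponse()
    return resp.status, resp.read().decode()


class FakeImds:
    """Minimal IMDSv2 behaviour: tokens are mandatory on every data request."""

    def __init__(self, metadata, user_data):
        self.metadata = metadata       # path -> body
        self.user_data = user_data     # served decoded, not base64
        self.tokens = set()

    def __call__(self, method, path, headers):
        if method == "PUT" and path == "/latest/api/token":
            ttl = int(headers.get(TTL_HEADER, "0"))
            if not 1 <= ttl <= 21600:  # IMDS caps a session at six hours
                return 400, "Bad Request"
            token = secrets.token_urlsafe(32)
            self.tokens.add(token)
            return 200, token
        if headers.get(TOKEN_HEADER) not in self.tokens:
            return 401, "Unauthorized"  # IMDSv1-style GET, or a guessed token
        if path == "/latest/user-data":
            return 200, self.user_data
        if path in self.metadata:
            return 200, self.metadata[path]
        return 404, "Not Found"


def fetch_token(transport, ttl_seconds=21600):
    status, body = transport("PUT", "/latest/api/token", {TTL_HEADER: str(ttl_seconds)})
    if status != 200:
        raise RuntimeError(f"IMDSv2 token request failed with HTTP {status}")
    return body


def get_metadata(transport, path, token):
    status, body = transport("GET", path, {TOKEN_HEADER: token})
    if status != 200:
        raise RuntimeError(f"{path}: HTTP {status}")
    return body


def legacy_get(transport, path):
    """Token-less GET, the request shape an SSRF usually yields; returns status."""
    return transport("GET", path, {})[0]


def instance_role_credentials(transport, token):
    """Two-step lookup of the instance profile role's temporary credentials."""
    base = "/latest/meta-data/iam/security-credentials/"
    role = get_metadata(transport, base, token).strip()
    return json.loads(get_metadata(transport, base + role, token))


def encode_user_data(script):
    """RunInstances wants UserData base64-encoded; IMDS serves it back decoded."""
    return base64.b64encode(script.encode()).decode()


def demo_fake():
    """Build the constructed endpoint and open a session against it."""
    creds = {"Code": "Success", "Type": "AWS-HMAC",
             "AccessKeyId": "ASIAEXAMPLEPLACEHOLDER",   # placeholder, not a key
             "SecretAccessKey": "placeholder", "Token": "placeholder"}
    meta = {
        "/latest/meta-data/instance-id": "i-0123456789abcdef0",
        "/latest/meta-data/iam/security-credentials/": "tdojo-app-role",
        "/latest/meta-data/iam/security-credentials/tdojo-app-role": json.dumps(creds),
    }
    imds = FakeImds(meta, "#!/bin/bash\nyum update -y\n")
    return imds, fetch_token(imds)


if __name__ == "__main__":
    imds, token = demo_fake()
    print(get_metadata(imds, "/latest/meta-data/instance-id", token))
    print(legacy_get(imds, "/latest/meta-data/iam/security-credentials/"))  # 401
```

On a real instance, replace the FakeImds transport with real_transport; the two calls in fetch_token and get_metadata are exactly the curl PUT/GET pair AWS documents for IMDSv2. Enforcing IMDSv2 (HttpTokens=required on the instance) is what turns the 401 above from a possibility into a guarantee.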
Amazon S3 Overview
• An object storage service: an OBJECT is stored in a BUCKET
• The S3 bucket name is globally unique
• Example object key name: tutorialsdojo/aws.jpeg, where tutorialsdojo/ is the prefix (Amazon S3 folders are just prefixes) and aws.jpeg the filename
• Buckets live in a Region (e.g. N. Virginia Region), outside YOUR VPC
• AVAILABILITY 99.99%
• DURABILITY 99.999999999%: the probability that an object remains intact and accessible after a period of one year, i.e. a 0.000000001% chance of data loss per year, or one lost object every 10 million years for every 10,000 objects stored

Amazon S3 Storage Classes
• S3 Standard: for frequently accessed data; 99.99% availability; can launch a static website with HTML pages, downloadable packages, images, media files, or other client-side scripts without an EC2 instance
• S3 Intelligent-Tiering: for changing or unknown access patterns
• S3 Standard-IA and S3 One Zone-IA: infrequent access
• S3 Glacier: 99.99% availability; Archive Retrieval Options:
  ‣ EXPEDITED: quickly access a subset of your data archives; allows you to access your archived data within 1 - 5 minutes (file size should NOT exceed 250 MB); ensure sufficient retrieval capacity for your Expedited retrieval operations by purchasing provisioned capacity
  ‣ STANDARD: default option for retrieval requests; allows you to access any of your Glacier archives within 3 - 5 hours
  ‣ BULK: lowest-cost retrieval option; retrieves large amounts of data archive in less than half a day; typically completes the process within 5 - 12 hours
• S3 Glacier Deep Archive:
  ‣ The lowest-cost storage class in Amazon S3.
  ‣ Primarily used to retain your data sets for 7 to 10 years or longer to meet regulatory compliance requirements
  ‣ 99.99% availability
  ‣ 180-day minimum storage duration charge (roughly 6 months)
  ‣ Should be used for data archiving only
  ‣ Retrieval options: STANDARD and BULK only (no Expedited retrieval)

Amazon CloudFront
• Without a CDN, viewers around the world (the slide shows users in Europe) fetch every object from the single Origin Server on the US West coast; the page LOAD TIME grows with distance, up to about 10 seconds in the example
• With CloudFront, the Origin Server's content is cached at Points of Presence (PoP) near the viewers, e.g. in NY and mid-Atlantic; the Trans-Atlantic Submarine Cables are crossed once instead of per viewer, and the LOAD TIME drops to 1 second!
• Edge Location: sits at the edge/boundary of an Internet Service Provider (ISP #1 ...)
• Request path: VIEWER -> DISTRIBUTION (CloudFront) -> ORIGIN
• Security and edge-compute features: ORIGIN ACCESS IDENTITY (OAI) so the S3 origin accepts requests only from CloudFront, GEO-RESTRICTION, and Lambda@Edge / CloudFront Functions to run code at the edge
• ORIGIN GROUP: a primary ORIGIN A with failover to ORIGIN B