AWS CP StudySlides

The document provides an overview of cloud computing concepts including definitions of cloud computing, deployment models, characteristics, types of cloud computing, pricing models, AWS services, global infrastructure, and benefits over traditional IT approaches. Key points covered include: - Cloud computing is on-demand delivery of computing resources including servers, storage, databases, networking, software and more via the internet with pay-as-you-go pricing. - Deployment models include private, public and hybrid clouds. - Characteristics are on-demand self service, broad network access, resource pooling, rapid elasticity, and metered usage. - Types are Infrastructure as a Service (IaaS), Platform as a Service (

Uploaded by sandeep.hasa775

STUDY SESSION

AWS CERTIFICATION JOURNEY

HOW WEBSITES WORK

WHAT IS A SERVER COMPOSED OF?

IT TERMINOLOGY

 Network: cables, routers and servers connected with each other
 Router: a networking device that forwards data packets between computer networks. Routers know where to send your packets on the internet!
 Switch: takes a packet and sends it to the correct server / client on your network
TRADITIONAL INFRASTRUCTURE

PROBLEMS WITH TRADITIONAL IT APPROACH
 Pay rent for the data center
 Pay for power supply, cooling, maintenance
 Adding and replacing hardware takes time
 Scaling is limited
 Hire a 24/7 team to monitor the infrastructure
 How to deal with disasters? (earthquake, power shutdown, fire…)
WHAT IS CLOUD COMPUTING?
 Cloud computing is the on-demand delivery of compute power, database storage, applications, and other IT resources
 Through a cloud services platform with pay-as-you-go pricing
 You can provision exactly the right type and size of computing resources you need
 You can access as many resources as you need, almost instantly
 Simple way to access servers, storage, databases and a set of application services
CLOUD INFRASTRUCTURE

DEPLOYMENT MODELS OF THE CLOUD
 Private Cloud:
 Cloud services used by a single organization, not exposed to the public
 Complete control
 Security for sensitive applications
 Meet specific business needs
 Public Cloud:
 Cloud resources owned and operated by a third-party cloud service provider, delivered over the Internet
 Hybrid Cloud:
 Keep some servers on premises and extend some capabilities to the Cloud
 Control over sensitive assets in your private infrastructure
 Flexibility and cost effectiveness of the public cloud


FIVE CHARACTERISTICS OF CLOUD COMPUTING
 On-demand self service:
 Users can provision resources and use them without human interaction from the service provider
 Broad network access:
 Resources available over the network, and can be accessed by diverse client platforms
 Multi-tenancy and resource pooling:
 Multiple customers can share the same infrastructure and applications with security and privacy
 Multiple customers are serviced from the same physical resources
 Rapid elasticity and scalability:
 Automatically and quickly acquire and dispose of resources when needed
 Quickly and easily scale based on demand
 Measured service:
 Usage is measured; users pay only for what they have actually used
SIX ADVANTAGES OF CLOUD COMPUTING
 Trade capital expense (CAPEX) for operational expense (OPEX)
 Pay On-Demand: don’t own hardware
 Reduced Total Cost of Ownership (TCO) & Operational Expense (OPEX)
 Benefit from massive economies of scale
 Prices are reduced as AWS is more efficient due to large scale
 Stop guessing capacity
 Scale based on actual measured usage
 Increase speed and agility
 Stop spending money running and maintaining data centers
 Go global in minutes:
 leverage the AWS global infrastructure
PROBLEMS SOLVED BY THE CLOUD
 Flexibility: change resource types when needed
 Cost-Effectiveness: pay as you go, for what you use
 Scalability: accommodate larger loads by making hardware stronger or adding additional nodes
 Elasticity: ability to scale out and scale in when needed
 High-availability and fault-tolerance: build across data centers
 Agility: rapidly develop, test and launch software applications
TYPES OF CLOUD COMPUTING
 Infrastructure as a Service (IaaS)
 Provides building blocks for cloud IT
 Provides networking, computers, data storage space
 Highest level of flexibility
 Easy parallel with traditional on-premises IT
 Platform as a Service (PaaS)
 Removes the need for your organization to manage the underlying infrastructure
 Focus on the deployment and management of your applications
 Software as a Service (SaaS)
 Completed product that is run and managed by the service provider
EXAMPLE OF CLOUD COMPUTING TYPES
 Infrastructure as a Service:
 Amazon EC2 (on AWS)
 GCP, Azure, Rackspace, Digital Ocean, Linode
 Platform as a Service:
 Elastic Beanstalk (on AWS)
 Heroku, Google App Engine (GCP), Windows Azure (Microsoft)
 Software as a Service:
 Many AWS services (ex: Rekognition for Machine Learning)
 Google Apps (Gmail), Dropbox, Zoom


PRICING OF THE CLOUD – QUICK OVERVIEW
 AWS has 3 pricing fundamentals, following the pay-as-you-go pricing model
 Compute:
 Pay for compute time
 Storage:
 Pay for data stored in the Cloud
 Data transfer OUT of the Cloud:
 Data transfer IN is free
 Solves the expensive issue of traditional IT


AWS CLOUD HISTORY

AWS CLOUD USE CASES
 AWS enables you to build sophisticated, scalable applications
 Applicable to a diverse set of industries
 Use cases include
 Enterprise IT, Backup & Storage, Big Data analytics
 Website hosting, Mobile & Social Apps
 Gaming
AWS GLOBAL INFRASTRUCTURE
 AWS Regions
 AWS Availability Zones
 AWS Data Centers
 AWS Edge Locations / Points of Presence

AWS REGIONS
 AWS has Regions all around the world
 Names can be us-east-1, eu-west-3…
 A region is a cluster of data centers
 Most AWS services are region-scoped
HOW TO CHOOSE AN AWS REGION?
 Compliance with data governance and legal requirements:
 data never leaves a region without your explicit permission
 Proximity to customers:
 reduced latency
 Available services within a Region:
 new services and new features aren’t available in every Region
 Pricing:
 pricing varies region to region and is transparent in the service pricing page
AWS AVAILABILITY ZONE
 Each region has many availability zones (usually 3, min is 3, max is 6). Example:
 ap-southeast-2a
 ap-southeast-2b
 ap-southeast-2c
 Each availability zone (AZ) is one or more discrete data centers with redundant power, networking, and connectivity
 They’re separate from each other, so that they’re isolated from disasters
 They’re connected with high bandwidth, ultra-low latency networking
AWS POINTS OF PRESENCE (EDGE LOCATIONS)
 Edge locations are primarily used for caching of data to provide a better user experience with low latency.
 Amazon has 400+ Points of Presence (400+ Edge Locations & 10+ Regional Caches) in 90+ cities across 40+ countries
 Content is delivered to end users with lower latency
QUIZ
1. WHICH OF THE FOLLOWING IS THE DEFINITION OF CLOUD
COMPUTING?

A. Rapidly develop, test and launch software applications

B. Automatic and quick ability to acquire resources as you need them and release resources when you no longer need them

C. On-demand availability of computer system resources, especially data storage(cloud storage) and computing power,
without direct active management by the user
D. Change resource types when needed
2. A COMPANY WOULD LIKE TO BENEFIT FROM THE ADVANTAGES OF THE
PUBLIC CLOUD BUT WOULD LIKE TO KEEP SENSITIVE ASSETS IN ITS OWN
INFRASTRUCTURE. WHICH DEPLOYMENT MODEL SHOULD THE COMPANY USE?

A. Private Cloud

B. Public Cloud

C. Hybrid Cloud
3. WHICH OF THE FOLLOWING IS NOT AN ADVANTAGE OF CLOUD
COMPUTING?

A. Trade capital expense (CAPEX) for operational expense(OPEX)

B. Train your employees less

C. Go global in minutes

D. Stop spending money running and maintaining data centers


4. YOU ONLY WANT TO MANAGE APPLICATIONS AND DATA. WHICH
TYPE OF CLOUD COMPUTING MODEL SHOULD YOU USE?

A. On-premises

B. IaaS

C. SaaS

D. PaaS
5. WHICH OF THE FOLLOWING SERVICES HAS A GLOBAL SCOPE?

A. EC2

B. IAM

C. Lambda

D. Rekognition
6. WHICH GLOBAL INFRASTRUCTURE ENTITY IS COMPOSED OF ONE OR
MORE DISCRETE DATA CENTERS WITH REDUNDANT POWER, NETWORKING,
AND CONNECTIVITY, AND IS USED TO DEPLOY INFRASTRUCTURE?

A. Edge locations

B. Availability zones

C. Regions
7. AWS REGIONS ARE COMPOSED OF?

A. 2 or more Edge locations

B. One or more discrete data centers

C. 3 or more Availability zones


8. WHICH OF THE FOLLOWING OPTIONS IS NOT A POINT OF
CONSIDERATION WHEN CHOOSING AN AWS REGION?

A. Compliance with data governance

B. Latency

C. Capacity availability

D. Pricing
ANSWERS

 1-C

 2-C

 3-B

 4-D

 5-B

 6-B

 7-C

 8-C
IAM SECTION

IAM: USERS & GROUPS
 IAM = Identity and Access Management, Global service
 Root account created by default, shouldn’t be used or shared
 Users are people within your organization, and can be grouped
 Groups only contain users, not other groups
 Users don’t have to belong to a group, and a user can belong to multiple groups
IAM: PERMISSIONS
 Users or Groups can be assigned JSON documents called policies
 These policies define the permissions of the users
 In AWS you apply the least privilege principle: don’t give more permissions than a user needs
IAM POLICIES INHERITANCE

IAM POLICIES STRUCTURE
 Consists of
 Version: policy language version, always include “2012-10-17”
 Id: an identifier for the policy (optional)
 Statement: one or more individual statements (required)
 Statements consist of
 Sid: an identifier for the statement (optional)
 Effect: whether the statement allows or denies access (Allow, Deny)
 Principal: account/user/role to which this policy applies (only in resource-based policies such as S3 bucket policies and role trust policies; identity-based policies attached to users, groups or roles have no Principal element)
 Action: list of actions this policy allows or denies
 Resource: list of resources to which the actions apply
 Condition: conditions for when this policy is in effect (optional)
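The structure above is easy to get wrong in the direction of too much privilege. The following is an added example (not from the slides and not AWS tooling) of a small policy linter that walks the Version / Statement / Effect / Action / Resource / Condition fields and flags statements that break least privilege; the two policies it checks are constructed for illustration, and the bucket name and Sid values are made up.

```python
"""Structural and least-privilege check of IAM policy documents.

Added example, not AWS code. Sample policies below are constructed.
"""
import json

REQUIRED_VERSION = "2012-10-17"


def _as_list(value):
    """IAM accepts either a string or a list for Action / NotAction / Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(document: str) -> list:
    """Return a list of findings; an empty list means the policy looks sane."""
    findings = []
    policy = json.loads(document)

    if policy.get("Version") != REQUIRED_VERSION:
        findings.append(f"Version must be {REQUIRED_VERSION!r}")

    statements = _as_list(policy.get("Statement"))
    if not statements:
        findings.append("Statement is required")
        return findings

    for index, stmt in enumerate(statements):
        sid = stmt.get("Sid", f"statement[{index}]")
        effect = stmt.get("Effect")
        if effect not in ("Allow", "Deny"):
            findings.append(f"{sid}: Effect must be Allow or Deny, got {effect!r}")
        if "Principal" in stmt:
            # Principal only belongs in resource-based policies; IAM rejects it
            # in a policy attached to a user, group or role.
            findings.append(f"{sid}: Principal is only valid in resource-based policies")
        actions = _as_list(stmt.get("Action")) + _as_list(stmt.get("NotAction"))
        resources = _as_list(stmt.get("Resource"))
        if not actions:
            findings.append(f"{sid}: Action (or NotAction) is required")
        if not resources:
            findings.append(f"{sid}: Resource is required")
        if effect == "Allow":
            if "*" in actions and "*" in resources:
                findings.append(f"{sid}: Allow */* is full administrator access")
            elif "*" in actions or any(a.endswith(":*") for a in actions):
                findings.append(f"{sid}: wildcard Action on an Allow statement")
            elif "*" in resources and "Condition" not in stmt:
                findings.append(f"{sid}: Resource * on an Allow statement without a Condition")
    return findings


# Constructed sample: the classic over-privileged policy.
ADMIN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Constructed sample: read access to one bucket plus an explicit Deny that
# blocks unencrypted uploads (bucket name is hypothetical).
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOneBucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    ],
})

if __name__ == "__main__":
    for name, doc in (("admin", ADMIN_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, lint_policy(doc) or "OK")
```

The linter treats an explicit Deny as always acceptable, because in IAM an explicit Deny overrides any Allow; that is why the encryption guard above is written as a Deny rather than as a Condition on the Allow.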


IAM – PASSWORD POLICY
 Strong passwords = higher security for your account
 In AWS, you can set up a password policy:
 Set a minimum password length
 Require specific character types:
 including uppercase letters
 lowercase letters
 numbers
 non-alphanumeric characters
 Allow all IAM users to change their own passwords
 Require users to change their password after some time (password expiration)
 Prevent password re-use
MULTI FACTOR AUTHENTICATION - MFA
 Users have access to your account and can possibly change configurations or delete resources in your AWS account
 You want to protect your Root Account and IAM users
 MFA = password you know + security device you own
 Main benefit of MFA: if a password is stolen or hacked, the account is not compromised

MFA DEVICES OPTIONS IN AWS
HOW CAN USERS ACCESS AWS?
 To access AWS, you have three options:
 AWS Management Console (protected by password + MFA)
 AWS Command Line Interface (CLI): protected by access keys
 AWS Software Development Kit (SDK) - for code: protected by access keys
 Access Keys are generated through the AWS Console
 Users manage their own access keys
 Access Keys are secret, just like a password. Don’t share them
 Access Key ID ~= username
 Secret Access Key ~= password


WHAT’S THE AWS CLI?
 A tool that enables you to interact with AWS services using commands in your command-line shell
 Direct access to the public APIs of AWS services
 You can develop scripts to manage your resources
 It’s open-source: https://github.com/aws/aws-cli
 Alternative to using the AWS Management Console
WHAT’S THE AWS SDK?
 AWS Software Development Kit (AWS SDK)
 Language-specific APIs (set of libraries)
 Enables you to access and manage AWS services programmatically
 Embedded within your application
 Supports
 SDKs (JavaScript, Python, PHP, .NET, Ruby, Java, Go, Node.js, C++)
 Mobile SDKs (Android, iOS, …)
 IoT Device SDKs (Embedded C, Arduino, …)


IAM ROLES FOR SERVICES
 Some AWS services will need to perform actions on your behalf
 To do so, we assign permissions to AWS services with IAM Roles
 Common roles:
 EC2 Instance Roles
 Lambda Function Roles
 Roles for CloudFormation

IAM SECURITY TOOLS
 IAM Credentials Report (account-level)
 a report that lists all your account's users and the status of their various credentials
 IAM Access Advisor (user-level)
 Access Advisor shows the service permissions granted to a user and when those services were last accessed
 You can use this information to revise your policies
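The credential report is a CSV with one row per user (plus `<root_account>`), which makes the audit the slides describe scriptable. The block below is an added example, not AWS tooling: it parses a constructed three-row report with the real column names and flags the conditions the best-practice slides call out (root with access keys or without MFA, console users without MFA, keys older than 90 days or unused for 90 days). The 90-day thresholds, the account ID, the user names and the fixed "today" are assumptions chosen for the example.

```python
"""Audit an IAM credential report CSV. Added example, not AWS tooling.

In practice the CSV comes from `aws iam generate-credential-report` followed by
`aws iam get-credential-report` (base64-encoded); the report below is constructed.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)   # assumed rotation policy
MAX_IDLE = timedelta(days=90)      # assumed "unused" threshold
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed so the example is deterministic

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T10:00:00+00:00,not_supported,not_supported,false,true,2020-01-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2023-01-01T00:00:00+00:00,true,2024-05-20T08:00:00+00:00,2024-05-01T00:00:00+00:00,2024-08-01T00:00:00+00:00,true,true,2024-05-01T00:00:00+00:00,2024-05-25T08:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2022-06-01T00:00:00+00:00,true,2024-05-27T08:00:00+00:00,2022-06-01T00:00:00+00:00,2022-09-01T00:00:00+00:00,false,true,2022-06-01T00:00:00+00:00,2023-11-01T08:00:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""


def _parse_ts(value):
    """Timestamps are ISO 8601; placeholders mean 'never' or 'not applicable'."""
    if value in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv: str, now: datetime = NOW) -> dict:
    """Return {user: [findings]} for rows that breach the IAM best practices."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        issues = []
        if user == "<root_account>":
            if row["access_key_1_active"] == "true" or row["access_key_2_active"] == "true":
                issues.append("root has active access keys")
            if row["mfa_active"] != "true":
                issues.append("root has no MFA")
        elif row["password_enabled"] == "true" and row["mfa_active"] != "true":
            issues.append("console password without MFA")
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated and now - rotated > MAX_KEY_AGE:
                issues.append(f"access key {n} older than {MAX_KEY_AGE.days} days")
            last_used = _parse_ts(row[f"access_key_{n}_last_used_date"])
            if last_used is None or now - last_used > MAX_IDLE:
                issues.append(f"access key {n} unused for {MAX_IDLE.days}+ days; deactivate it")
        if issues:
            findings[user] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit_credential_report(SAMPLE_REPORT).items():
        print(user, "->", "; ".join(issues))
```

Deactivating an idle key before deleting it is the safe order: a deactivated key can be re-enabled if something still depended on it, a deleted one cannot.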
IAM GUIDELINES & BEST PRACTICES
 Don’t use the root account except for AWS account setup
 One physical user = One AWS user
 Assign users to groups and assign permissions to groups
 Create a strong password policy
 Use and enforce the use of Multi Factor Authentication (MFA)
 Create and use Roles for giving permissions to AWS services
 Use Access Keys for Programmatic Access (CLI / SDK)
 Audit permissions of your account using IAM Credentials Report & IAM Access Advisor
 Never share IAM users & Access Keys
SHARED RESPONSIBILITY MODEL FOR IAM
 AWS:
 Infrastructure (global network security)
 Configuration and vulnerability analysis
 Compliance validation
 You (the customer):
 Users, Groups, Roles, Policies management and monitoring
 Enable MFA on all accounts
 Rotate all your keys often
 Use IAM tools to apply appropriate permissions
 Analyze access patterns & review permissions

IAM SECTION – SUMMARY
 Users: mapped to a physical user, has a password for the AWS Console
 Groups: contain users only
 Policies: JSON document that outlines permissions for users or groups
 Roles: for EC2 instances or AWS services
 Security: MFA + Password Policy
 AWS CLI: manage your AWS services using the command line
 AWS SDK: manage your AWS services using a programming language
 Access Keys: access AWS using the CLI or SDK
 Audit: IAM Credential Reports & IAM Access Advisor
QUIZ
1. WHAT SHOULD YOU DO TO INCREASE YOUR ROOT ACCOUNT
SECURITY?

A. Enable Multi-Factor Authentication

B. Remove permission from the root account

C. Use AWS only through Command Line Interface(CLI)


2. WHICH OF THE FOLLOWING IS AN IAM BEST PRACTICE?

A. Don’t use root user account

B. Create several users for a physical person

C. Share credentials so a colleague can perform a task for you

D. Do not enable MFA for easier access


3. WHICH ANSWER IS INCORRECT REGARDING IAM USERS?

A. IAM Users can belong to multiple groups

B. IAM Users don’t have to belong to a group

C. IAM Users can have policies assigned to them

D. IAM Users access AWS with the root account credentials


4. WHAT IS A PROPER DEFINITION OF IAM ROLES?

A. An IAM entity that defines a set of permissions for making AWS service requests, that will be used by AWS services

B. IAM Users in multiple Groups

C. A password policy

D. Permissions assigned to Users to perform actions


5. WHAT ARE IAM POLICIES?

A. AWS services performable actions

B. JSON documents to define Users, Groups or Role’s permissions

C. Rules to set up a password for IAM Users


6. UNDER THE SHARED RESPONSIBILITY MODEL, WHAT IS THE
CUSTOMER RESPONSIBLE FOR IN IAM?

A. Infrastructure Security

B. Compliance validation

C. Configuration and vulnerability analysis

D. Assigning users proper IAM policies


7. WHICH PRINCIPLE SHOULD YOU APPLY REGARDING IAM
PERMISSIONS?

A. Grant most privilege

B. Grant least privilege

C. Grant permissions if your employee asks you to

D. Restrict root account permissions


8. WHICH OF THE FOLLOWING STATEMENTS IS TRUE?

A. The AWS CLI can interact with AWS using commands in your command-line shell, while the AWS SDK can interact with AWS programmatically
B. The AWS SDK can interact with AWS using commands in your command-line shell, while the AWS CLI can interact with AWS programmatically
9. WHICH OF THE FOLLOWING IS AN IAM SECURITY TOOL?

A. IAM credentials report

B. IAM root account manager

C. IAM services report

D. IAM security advisor


ANSWERS
 1–A

 2–A

 3–D

 4–A

 5–B

 6–D

 7–B

 8–A

 9-A
EC2 SECTION

AMAZON EC2
 EC2 is one of the most popular AWS offerings
 EC2 = Elastic Compute Cloud = Infrastructure as a Service
 It mainly consists of the capability of:
 Renting virtual machines (EC2)
 Storing data on virtual drives (EBS)
 Distributing load across machines (ELB)
 Scaling the services using an auto-scaling group (ASG)
 Knowing EC2 is fundamental to understanding how the Cloud works
EC2 SIZING & CONFIGURATION OPTIONS
 Operating System (OS): Linux, Windows or Mac OS
 How much compute power & cores (CPU)
 How much random-access memory (RAM)
 How much storage space:
 Network-attached (EBS & EFS)
 Hardware (EC2 Instance Store)
 Network card: speed of the card, Public IP address
 Firewall rules: security group
 Bootstrap script (configure at first launch): EC2 User Data
EC2 USER DATA
 It is possible to bootstrap our instances using an EC2 User Data script
 Bootstrapping means launching commands when a machine starts
 That script is only run once, at the instance’s first start
 EC2 User Data is used to automate boot tasks such as:
 Installing updates
 Installing software
 Downloading common files from the internet
 Anything you can think of
 The EC2 User Data script runs as the root user
 Any process on the instance can read the User Data back from the instance metadata service, so never put passwords or access keys in it; give the instance an IAM role instead
HANDS-ON: LAUNCHING AN EC2 INSTANCE RUNNING LINUX
 We’ll be launching our first virtual server using the AWS Console.
 We’ll get a first high-level approach to the various parameters.
 We’ll see that our web server is launched using EC2 User Data.
 We’ll learn how to start / stop / terminate our instance.
EC2 INSTANCE TYPES - OVERVIEW
 You can use different types of EC2 instances that are optimized for different use cases.
 AWS has the following naming convention:
 m5.2xlarge
 m: instance class
 5: generation (AWS improves them over time)
 2xlarge: size within the instance class
EC2 INSTANCE TYPES – GENERAL PURPOSE
 Great for a diversity of workloads such as web servers or code repositories
 Balance between:
 Compute
 Memory
 Networking
 In the course, we will be using t2.micro, which is a General Purpose EC2 instance.
EC2 INSTANCE TYPES – COMPUTE OPTIMIZED
 Great for compute-intensive tasks that require high performance processors:
 Batch processing workloads
 Media transcoding
 High performance web servers
 High performance computing (HPC)
 Scientific modelling & machine learning
 Dedicated gaming servers
EC2 INSTANCE TYPES – MEMORY OPTIMIZED
 Fast performance for workloads that process large data sets in memory
 Use cases:
 High performance relational/non-relational databases
 Distributed web scale cache stores
 In-memory databases optimized for BI (Business Intelligence)
 Applications performing real-time processing of big unstructured data
EC2 INSTANCE TYPES – STORAGE OPTIMIZED
 Great for storage-intensive tasks that require high, sequential read and write access to large data sets on local storage.
 Use cases:
 High frequency online transaction processing (OLTP) systems
 Relational & NoSQL databases
 Cache for in-memory databases (for example Redis)
 Data warehousing applications
 Distributed file systems
EC2 INSTANCE TYPES: EXAMPLE

Instance      vCPU   Mem (GiB)   Storage             Network Performance   EBS Bandwidth (Mbps)
t2.micro      1      1           EBS-Only            Low to Moderate       -
t2.xlarge     4      16          EBS-Only            Moderate              -
c5d.4xlarge   16     32          1 x 400 NVMe SSD    Up to 10 Gbps         4,750
r5.16xlarge   64     512         EBS-Only            20 Gbps               13,600
m5.8xlarge    32     128         EBS-Only            10 Gbps               6,800

t2.micro is part of the AWS free tier (up to 750 hours per month)
INTRODUCTION TO SECURITY GROUPS
 Security Groups are the fundamental of network security in AWS
 They control how traffic is allowed into or out of our EC2 instances
 [Diagram: inbound traffic from the WWW passes through the Security Group to the EC2 Instance; outbound traffic from the EC2 Instance passes back out through the Security Group]
 Security groups only contain allow rules
 Security group rules can reference by IP or by security group
SECURITY GROUPS DEEPER DIVE
 Security groups act as a firewall on EC2 instances
 They regulate:
 Access to ports
 Authorized IP ranges – IPv4 and IPv6
 Control of inbound network (from others to the instance)
 Control of outbound network (from the instance to others)
SECURITY GROUPS DIAGRAM
[Diagram: Security Group 1 filters IP / port with rules. Inbound: your computer (IP XX.XX.XX.XX) is authorised on port 22 and reaches the EC2 Instance; another computer is not authorised on port 22 and is blocked. Outbound: any port to any IP / any port towards the WWW is allowed]
SECURITY GROUPS GOOD TO KNOW
 Can be attached to multiple instances
 Locked down to a region / VPC combination
 Lives outside EC2 – if traffic is blocked the EC2 instance won’t see it
 It’s good to maintain one separate security group for SSH access
 If your application is not accessible (time out), then it’s a security group issue
 If your application gives a connection refused error, then it’s an application error or it’s not launched
 All inbound traffic is blocked by default
 All outbound traffic is authorized by default
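The rules on the last few slides (allow rules only, implicit deny inbound, allow-all outbound by default, sources given as a CIDR or as another security group) can be stated as a small evaluator. The block below is an added example, not AWS code: it models a web tier that accepts HTTPS from anywhere and SSH only from an office range, a database tier that trusts the web tier's security group rather than an IP, and a misconfigured group that exposes SSH to the internet. Group IDs, CIDRs and ports are constructed; `risky_rules` implements the check a reviewer would run on exported rules.

```python
"""Security group evaluation model. Added example, not AWS code; data is constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    protocol: str    # "tcp", "udp", "icmp", or "-1" for all protocols
    from_port: int
    to_port: int
    source: str      # CIDR such as "203.0.113.0/24", or a group id such as "sg-web"

    def matches(self, protocol, port, peer_ip, peer_groups):
        if self.protocol not in ("-1", protocol):
            return False
        if self.protocol != "-1" and not (self.from_port <= port <= self.to_port):
            return False
        if self.source.startswith("sg-"):
            # Referencing a group: the peer's IP is irrelevant; membership decides.
            return self.source in peer_groups
        return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(self.source, strict=False)


@dataclass
class SecurityGroup:
    group_id: str
    inbound: list = field(default_factory=list)
    # None models the AWS default "all traffic to 0.0.0.0/0" egress rule still being
    # present; an empty list models a group whose egress rules were all removed.
    outbound: Optional[list] = None

    def allows_inbound(self, protocol, port, src_ip, src_groups=()):
        """Inbound is denied unless some allow rule matches (no deny rules exist)."""
        return any(r.matches(protocol, port, src_ip, src_groups) for r in self.inbound)

    def allows_outbound(self, protocol, port, dst_ip):
        """Outbound is allowed by default; only custom egress rules restrict it."""
        if self.outbound is None:
            return True
        return any(r.matches(protocol, port, dst_ip, ()) for r in self.outbound)

    def risky_rules(self):
        """Admin ports (SSH, RDP) open to the whole internet: the classic misconfiguration."""
        admin_ports = (22, 3389)
        return [r for r in self.inbound
                if r.source in ("0.0.0.0/0", "::/0")
                and (r.protocol == "-1"
                     or any(r.from_port <= p <= r.to_port for p in admin_ports))]


# Constructed topology (hypothetical IDs and addresses).
WEB_SG = SecurityGroup("sg-web", inbound=[
    Rule("tcp", 443, 443, "0.0.0.0/0"),          # HTTPS from anywhere
    Rule("tcp", 22, 22, "203.0.113.0/24"),       # SSH only from the office range
])
DB_SG = SecurityGroup("sg-db", inbound=[
    Rule("tcp", 5432, 5432, "sg-web"),           # PostgreSQL only from web-tier instances
])
BAD_SG = SecurityGroup("sg-bad", inbound=[Rule("tcp", 22, 22, "0.0.0.0/0")])

if __name__ == "__main__":
    print("HTTPS from the internet:", WEB_SG.allows_inbound("tcp", 443, "198.51.100.7"))
    print("SSH from the internet:  ", WEB_SG.allows_inbound("tcp", 22, "198.51.100.7"))
    print("DB from a web instance: ", DB_SG.allows_inbound("tcp", 5432, "10.0.1.5", {"sg-web"}))
    print("risky:", [r.source for g in (WEB_SG, DB_SG, BAD_SG) for r in g.risky_rules()])
```

The "time out" symptom on the slide corresponds to `allows_inbound` returning False: the packet is dropped before the instance sees it, so there is no RST to produce a "connection refused".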
REFERENCING OTHER SECURITY GROUPS DIAGRAM
[Diagram: an EC2 Instance (IP XX.XX.XX.XX) with Security Group 1 attached. Its inbound rules on port 123 authorise Security Group 1 and Security Group 2, so an instance with Security Group 2 attached and another with Security Group 1 attached can reach it on port 123, while an instance with Security Group 3 attached is blocked. Outbound: any port]
CLASSIC PORTS TO KNOW
 22 = SSH (Secure Shell) – log into a Linux instance
 21 = FTP (File Transfer Protocol) – upload files into a file share
 22 = SFTP (Secure File Transfer Protocol) – upload files using SSH
 80 = HTTP – access unsecured websites
 443 = HTTPS – access secured websites
 3389 = RDP (Remote Desktop Protocol) – log into a Windows instance
SSH SUMMARY TABLE

                SSH    PuTTY   EC2 Instance Connect
Mac             yes    -       yes
Linux           yes    -       yes
Windows < 10    -      yes     yes
Windows >= 10   yes    yes     yes
HOW TO SSH INTO YOUR EC2 INSTANCE FOR WINDOWS
 We’ll learn how to SSH into your EC2 instance using Windows
 SSH is one of the most important functions. It allows you to control a remote machine, all using the command line.
 [Diagram: your machine connects over SSH (port 22) through the Security Group to the Linux EC2 Instance’s Public IP]
 We will configure all the required parameters necessary for doing SSH on Windows using the free tool PuTTY.
EC2 INSTANCE CONNECT
 Connect to your EC2 instance within your browser
 No need to use the key file that was downloaded
 The magic is that a temporary key is uploaded onto EC2 by AWS
 Works only out-of-the-box with Amazon Linux 2
 Need to make sure port 22 is still open in the security group
EC2 INSTANCES PURCHASING OPTIONS
 On-Demand Instances – short workload, predictable pricing, pay by second
 Reserved (1 & 3 years)
 Reserved Instances – long workloads
 Convertible Reserved Instances – long workloads with flexible instances
 Savings Plans (1 & 3 years) – commitment to an amount of usage, long workload
 Spot Instances – short workloads, cheap, can lose instances (less reliable)
 Dedicated Hosts – book an entire physical server, control instance placement
 Dedicated Instances – no other customers will share your hardware
 Capacity Reservations – reserve capacity in a specific AZ for any duration
EC2 ON DEMAND
 Pay for what you use:
 Linux or Windows – billing per second, after the first minute
 All other operating systems – billing per hour
 Has the highest cost but no upfront payment
 No long-term commitment
 Recommended for short-term and uninterrupted workloads, where you can’t predict how the application will behave
EC2 RESERVED INSTANCES
 Up to 72% discount compared to On-Demand
 You reserve specific instance attributes (Instance Type, Region, Tenancy, OS)
 Reservation Period – 1 year (+discount) or 3 years (+++discount)
 Payment Options – No Upfront (+), Partial Upfront (++), All Upfront (+++)
 Reserved Instance’s Scope – Regional or Zonal (reserve capacity in an AZ)
 Recommended for steady-state usage applications (think database)
 You can buy and sell in the Reserved Instance Marketplace
 Convertible Reserved Instances:
 Can change the EC2 instance type, instance family, OS, scope and tenancy
 Up to 66% discount
EC2 SAVINGS PLANS
 Get a discount based on long-term usage (up to 72% - same as RIs)
 Commit to a certain type of usage ($10/hour for 1 or 3 years)
 Usage beyond EC2 Savings Plans is billed at the On-Demand price
 Locked to a specific instance family & AWS region (e.g., M5 in us-east-1)
 Flexible across:
 Instance Size (e.g., m5.xlarge, m5.2xlarge)
 OS (e.g., Linux, Windows)
 Tenancy (Host, Dedicated, Default)
EC2 SPOT INSTANCES
 Can get a discount of up to 90% compared to On-Demand
 Instances that you can lose at any point of time if your max price is less than the current spot price
 The MOST cost-efficient instances in AWS
 Useful for workloads that are resilient to failure
 Batch jobs
 Data analysis
 Image processing
 Any distributed workloads
 Workloads with a flexible start and end time
 Not suitable for critical jobs or databases
EC2 DEDICATED HOSTS
 A physical server with EC2 instance capacity fully dedicated to your use
 Allows you to address compliance requirements and use your existing server-bound software licenses (per-socket, per-core, per-VM software licenses)
 Purchasing Options:
 On-demand – pay per second for an active Dedicated Host
 Reserved – 1 or 3 years (No Upfront, Partial Upfront, All Upfront)
 The most expensive option:
 Useful for software that has a complicated licensing model (BYOL – Bring Your Own License)
 Or for companies that have strong regulatory or compliance needs
EC2 DEDICATED INSTANCES
 Instances run on hardware that’s dedicated to you
 May share hardware with other instances in the same account
 No control over instance placement (can move hardware after Stop / Start)
EC2 CAPACITY RESERVATIONS
 Reserve On-Demand instance capacity in a specific AZ for any duration
 You always have access to EC2 capacity when you need it
 No time commitment (create/cancel anytime), no billing discounts
 Combine with Regional Reserved Instances and Savings Plans to benefit from billing discounts
 You’re charged at the On-Demand rate whether you run instances or not
 Suitable for short-term, uninterrupted workloads that need to be in a specific AZ
WHICH PURCHASING OPTION IS RIGHT FOR ME?
 On demand: coming and staying in a resort whenever we like, we pay the full price
 Reserved: like planning ahead; if we plan to stay for a long time, we may get a good discount
 Savings Plans: pay a certain amount per hour for a certain period and stay in any room type (e.g., King, Suite, Sea View, …)
 Spot Instances: the hotel allows people to bid for the empty rooms and the highest bidder keeps the rooms. You can get kicked out at any time
 Dedicated Hosts: we book an entire building of the resort
 Capacity Reservations: you book a room for a period at full price even if you don’t stay in it
PRICE COMPARISON EXAMPLE: m4.large – us-east-1

Price Type                               Price (per hour)
On-Demand                                $0.10
Spot Instance (Spot Price)               $0.038 - $0.039 (up to 61% off)
Reserved Instance (1 year)               $0.062 (No Upfront) - $0.058 (All Upfront)
Reserved Instance (3 years)              $0.043 (No Upfront) - $0.037 (All Upfront)
EC2 Savings Plan (1 year)                $0.062 (No Upfront) - $0.058 (All Upfront)
Reserved Convertible Instance (1 year)   $0.071 (No Upfront) - $0.066 (All Upfront)
Dedicated Host                           On-Demand Price
Dedicated Host Reservation               Up to 70% off
Capacity Reservations                    On-Demand Price
SHARED RESPONSIBILITY MODEL FOR EC2
 AWS:
 Infrastructure (global network security)
 Isolation on physical hosts
 Replacing faulty hardware
 Compliance validation
 You (the customer):
 Security Group rules
 Operating-system patches and updates
 Software and utilities installed on the EC2 instance
 IAM Roles assigned to EC2 & IAM user access management
 Data security on your instance
EC2 SECTION - SUMMARY
 EC2 Instance: AMI (OS) + Instance Size (CPU + RAM) + Storage + security groups + EC2 User Data
 Security Groups: firewall attached to the EC2 instance
 EC2 User Data: script launched at the first start of an instance
 SSH: start a terminal into our EC2 instances (port 22)
 EC2 Instance Role: link to IAM roles
 Purchasing Options: On-Demand, Spot, Reserved (Standard + Convertible + Scheduled), Dedicated Host, Dedicated Instance
QUIZ
1. WHICH EC2 PURCHASING OPTION CAN PROVIDE THE BIGGEST
DISCOUNT, BUT IS NOT SUITABLE FOR CRITICAL JOBS OR
DATABASES?

A. Scheduled Instances

B. Convertible Instances

C. Dedicated Hosts

D. Spot Instances
2. WHICH NETWORK SECURITY TOOL CAN YOU USE TO CONTROL
TRAFFIC IN AND OUT OF EC2 INSTANCES?

A. Network Access Control List (NACL)

B. Identity and Access Management (IAM)

C. Guard Duty

D. Security Groups
3. UNDER THE SHARED RESPONSIBILITY MODEL, WHO IS
RESPONSIBLE FOR OPERATING-SYSTEM PATCHES AND UPDATES
ON EC2 INSTANCES?

A. The customer

B. AWS

C. Both AWS and the customer


4. HOW LONG CAN YOU RESERVE AN EC2 RESERVED INSTANCE?

A. 1 or 3 years

B. 2 or 4 years

C. 6 months or 1 year

D. Anytime between 1 and 3 years


5. A COMPANY WOULD LIKE TO DEPLOY A HIGH-PERFORMANCE
COMPUTING (HPC) APPLICATION ON EC2. WHICH EC2 INSTANCE
TYPE SHOULD IT CHOOSE?

A. Compute Optimized

B. Storage Optimized

C. Memory Optimized

D. General Purpose
6. WHICH OF THE FOLLOWING IS NOT AN
EC2 INSTANCE PURCHASING OPTION?

A. Spot Instances

B. Reserved Instances

C. On-demand Instances

D. Connect Instances
7. WHICH EC2 PURCHASING OPTION SHOULD YOU USE FOR AN
APPLICATION YOU PLAN ON RUNNING ON A SERVER
CONTINUOUSLY FOR 1 YEAR?

A. Reserved Instances

B. Spot Instances

C. On-demand Instances

D. Convertible Instances
ANSWERS

 1–D

 2–D

 3–A

 4–A

 5–A

 6–D

 7–A
