Define the AWS cloud and its value proposition
- Security services
- Features of cloud
- Benefits of using AWS cloud
- High availability – making sure applications and resources are maintained
AWS Value proposition
- How technical resources are shifting from on-premises infrastructure management to the cloud – responsibilities and priorities will be different
- How to optimize resources in the cloud
Domain 1: Cloud Components, Benefits of the AWS Cloud
1.1 Question Walkthrough
- Read the stem (read the questions)
- Identify key words, phrases (e.g., EC2, highly available, etc.)
- Read the responses (look for responses that relate)
- Identify the key (which answer matches up)
The ability to horizontally scale Amazon EC2 instances based on demand is an example of which concept
in the AWS Cloud value proposition?
Economy of scale
Elasticity (ability to expand and contract to match the behavior of demand)
High availability
Agility (ability to make improvements)
1.2 Aspects of AWS cloud economics
Total cost of ownership (TCO) concepts
1. Operational expenses, opex – day-to-day costs
2. Capital expenses, capex – longer term benefits
3. Labor costs associated with on-premises infrastructure – costs for handling on-premises resources
4. Software licensing costs
Which on-premises expense will be reduced if the company migrates their application to Amazon EC2?
Server hardware costs
Amazon EBS storage costs
Storage backup costs
Costs of transferring data out to the internet
1.3 Cloud Architecture Design Principles
Four design principles of focus:
1. Design for failure
- Understand how components fail and how you can architect around them
- Anticipate failure
- Think ahead and prevent that failure
2. Monolithic architecture vs decoupled architecture
- Monolithic architecture refers to tightly coupled resources, processes, or components of a solution
3. Elasticity in the cloud: scale out – scale your needs to meet a demand
4. Parallel thinking = looking at how you can divide a task into parts that you can run simultaneously instead of sequentially
Which of the following is an AWS Cloud architecture design principle?
Implement single points of failure
Implement loose coupling – idea of having independent web tiers
Implement monolithic design
Implement vertical scaling (increasing/decreasing size of database)
https://aws-tc-largeobjects.s3.us-west-2.amazonaws.com/DEV-AWS-MO-CPE/Exercise+1+%E2%80%93+Explore+the+AWS+Management+Console/story.html
Domain 2: Security and Compliance
2.1 AWS Shared Responsibility Model
- Customer is responsible for security in the cloud – responsible for data, who can have access to data, system configuration, encryption, network traffic
- Level of responsibility changes for each service
- AWS is responsible for security of the cloud – responsible for software, hardware, global infrastructure
Which of the following is the customer’s responsibility under the AWS shared responsibility model?
Patching underlying infrastructure
Physical security
Patching Amazon EC2 instances – when you launch an EC2 instance, it is up to you to decide how it will be maintained
Patching network infrastructure
2.2 Where can I find compliance information? AWS Artifact
How can I achieve compliance and security on AWS? Enforcing encryption, logs, etc.
Which service enables risk auditing by continuously monitoring and logging account activity, including
user actions in the AWS Management Console and AWS SDKs?
Amazon CloudWatch – monitoring metrics
AWS CloudTrail – monitoring API calls by users
AWS Config – monitoring compliance
AWS Health – monitoring AWS infrastructure (data center going down, etc.)
2.3 User and Identity management (IAM)
- Explain how the root user differs from other types of users within the AWS account, and how you can create other IAM users to carry out daily tasks
- Study the different ways you can lock down your AWS account root user to protect it, and the limited number of tasks that require the root user
- Review different features of IAM: Users, groups, roles, and policies
Which of the following can limit Amazon Simple Storage Service (Amazon S3) bucket (similar to file)
access to specific users?
Public and private key pair – EC2
Amazon Inspector – reporting mechanism for EC2
AWS IAM policies – S3, attached to users, allow or deny
Security Groups – EC2
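As an added illustration of the "allow or deny" point above (example code written for these notes, not AWS's own evaluator), this simplified model of how an identity-based IAM policy is evaluated shows the three outcomes: explicit Deny always wins, a matching Allow permits, and anything unmatched is implicitly denied. The bucket name and policy are constructed placeholders.

```python
import re
from typing import Dict, List

# Simplified model of IAM policy evaluation (added example, not AWS code):
# an explicit Deny overrides any Allow, and a request that matches no
# Allow statement is implicitly denied.

def _matches(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """IAM-style wildcard match: '*' matches any run, '?' one character."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    flags = re.IGNORECASE if ignore_case else 0
    return re.match(regex, value, flags) is not None

def _as_list(v) -> List[str]:
    return v if isinstance(v, list) else [v]

def evaluate(policy: Dict, action: str, resource: str) -> str:
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        # Action names are case-insensitive; resource ARNs are case-sensitive.
        action_hit = any(_matches(a, action, True) for a in _as_list(stmt["Action"]))
        resource_hit = any(_matches(r, resource) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # nothing can override an explicit Deny
        decision = "Allow"
    return decision

# Constructed policy scoped to a single bucket (placeholder bucket name):
# list it, read/write its objects, but never delete anything under finance/.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-reports-bucket"},
        {"Effect": "Allow", "Action": "s3:*Object",
         "Resource": "arn:aws:s3:::example-reports-bucket/*"},
        {"Effect": "Deny", "Action": "s3:DeleteObject",
         "Resource": "arn:aws:s3:::example-reports-bucket/finance/*"},
    ],
}

if __name__ == "__main__":
    for act, res in [("s3:GetObject", "arn:aws:s3:::example-reports-bucket/q1.csv"),
                     ("s3:GetObject", "arn:aws:s3:::other-bucket/q1.csv"),
                     ("s3:DeleteObject", "arn:aws:s3:::example-reports-bucket/finance/x.csv")]:
        print(act, res, "->", evaluate(BUCKET_POLICY, act, res))
```

Replacing the bucket ARN with "*" would grant the same actions on every bucket in the account, which is why scoping the Resource element is the main control here.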
2.4 Resources for Security Support
Network Security
Security groups – firewall, protect instances
Network access control lists – firewall, protect subnets
AWS WAF (web application firewall) – firewall, protect application load balancers
AWS security services:
Amazon Inspector – reporting
AWS Trusted Advisor – advise on best practices
Amazon CloudWatch – monitoring, metrics (CPU %, bytes in/out, requests to ALB, etc.)
AWS Config – establish compliance
For third party software and tools:
AWS Marketplace
Which AWS service or feature can be used to prevent SQL injection attacks?
Security groups – firewall
Network ACLs – firewall
AWS WAF
IAM policy – permission
Security and compliance are job zero at AWS
https://aws-tc-largeobjects.s3.us-west-2.amazonaws.com/DEV-AWS-MO-CPE/Exercise+2+%E2%80%93+Explore+IAM/story.html
Domain 3: AWS Technology
3.1 Methods of deploying and operating
- Application programming interfaces (APIs) and AWS software development kits (SDKs)
- AWS command line interface (AWS CLI)
- AWS management console
- Infrastructure as Code (IaC)
Cloud deployment models:
- Cloud native, or all-in with cloud – All AWS
- Hybrid – combination of cloud and on-premises resources
- On-premises – Data Center, not in the cloud
Connectivity options:
- VPN gateway – internet
- AWS Direct Connect – private fiber optic cables, bridge the gap from on-premises to AWS
- Internet gateway – grants internet access to your VPC
Which components are required to build a successful site-to-site VPN connection on AWS?
Internet gateway
NAT gateway
Customer gateway (CGW) – set up on-premises (you)
Transit gateway
Virtual private gateway (VGW) – link from CGW (AWS)
3.2 AWS global infrastructure
- Availability Zones – 1 or more data centers exist in each Availability Zone; fiber optic lines connect these data centers together, including data centers in other Availability Zones
- Regions – more than 30; each Region has multiple Availability Zones (Regions come first, then Availability Zones)
- Edge locations – data centers that exist all around the world, cache information to improve latency, on-ramp to the AWS backbone network
Which aspect of the AWS infrastructure enables global deployment of compute and storage?
Availability zones
Regions – multiple regions that exist all around the world
Tags
Resource groups
Which aspect of the AWS infrastructure enables regional deployment of compute and storage?
Availability zones
Regions
Tags
Resource groups
3.3 Core AWS Services
- Compute – EC2 (virtual machine), Elastic Beanstalk (configure compute solution), Lambda (serverless compute option, focus on code), ECS (container system, deploying Docker containers)
- Storage – EBS (block storage for EC2 instances), S3 (object storage for static content, not manipulating blocks of data), EFS (file sharing service), S3 Glacier (archiving, pay less for storage, not for immediate access, rare access)
- Networking – VPC (data center in the cloud), Direct Connect (DX, private connection to AWS), Route 53 (DNS, find IP address associated with website), Transit Gateway (hub and spoke model for managing connections)
- Databases – RDS (relational, strict schema, relationships between tables), DynamoDB (non-relational, NoSQL, no fixed schema, scales horizontally, key-value setup, enter as many items as you want, unlimited amount of data in a single table), Aurora (relational, found within RDS, enterprise-level database, takes your data and replicates it 6x across multiple Availability Zones), Neptune (non-relational, graphs, relationships amongst data pieces, develop models/graphs, bridge connections between datasets)
Which AWS service can MOST efficiently import exabytes of data to the AWS cloud from an on-premises environment?
AWS Snowmobile – large truck with its own independent tracking system
AWS Storage Gateway
AWS Snowball – 80 TB
AWS Direct Connect
3.4 Technology Support
- Documentation
- Account-specific support
- AWS Partner Network
- AWS Trusted Advisor
Which AWS Support plan provides access to architectural and operational reviews, as well as 24/7
access to senior cloud support engineers through email, online chat, and phone?
Basic
Business
Developer
Enterprise
How: How do I manage the various components?
Where: Where are my end users?
What: What tools and services should I use?
https://aws-tc-largeobjects.s3.us-west-2.amazonaws.com/DEV-AWS-MO-CPE/exercise-3.html
Domain 4: Billing and Pricing
4.1 Pricing models for AWS
- On-Demand instance pricing model: most flexible, costs more, no time commitment, short term usage
- Reserved instance pricing model: pay upfront and commit to use of 1-3 years, offers discount up to 72%, requires reserving a minimum amount of resources, steady state/long term usage
- Savings Plan pricing model: similar to reserved, requires commitment of 1-3 years, offers discount up to 72%, provides flexibility, based on compute usage
- Spot Instance pricing model: provides a 2-minute warning before the instance is reclaimed, has no time commitment, offers discounts of up to 90% off On-Demand instance prices, ideal for temporary scaling, non-critical workloads
Can mix/match pricing plans – based on game plan, architecture
A company has an application that only needs to run for 2 hours at any time during a day. Which Amazon
EC2 instance type will be MOST cost-effective for this application?
Dedicated instances
On-Demand instances – temp
Reserved instances – long-term
Spot instances – temp. 90% off
4.2 Account Structures with AWS Billing and Pricing
- Recognize the different AWS billing and pricing account structures
- Use multiple accounts
- Track costs by project, team, or department
- Consolidate AWS bills to one parent AWS account
- Use different billing features of AWS Organizations – centralized view of multi-account strategy
How can Amazon EC2 Reserved instances be shared across multiple AWS accounts?
AWS Cost Explorer activated on all AWS accounts – explains costs
AWS Organizations consolidated billing
AWS Compute Optimizer activated on all AWS accounts – improvements
IAM cross-account roles
4.3 Resources Available for Billing Support
- AWS Cost Explorer – visualization, forecasting
- AWS Cost & Usage Report – delivers a report of usage of all services to an S3 bucket, view spending
- Amazon QuickSight - visualization tool for analytics
- AWS Marketplace – Dive deeper
Which AWS service or feature allows a company to visualize, understand, and manage AWS costs and
usage over time?
AWS Budgets – thresholds
AWS Cost Explorer
AWS Organizations – multi-accounts
Consolidated billing – feature found using AWS Organizations
https://aws-tc-largeobjects.s3.us-west-2.amazonaws.com/DEV-AWS-MO-CPE/exercise-4.html
Additional resources:
https://d1.awsstatic.com/training-and-certification/docs-cloud-practitioner/AWS-Certified-Cloud-Practitioner_Exam-Guide.pdf
https://d1.awsstatic.com/training-and-certification/ramp-up_guides/Ramp-Up_Guide_Cloud_Essentials.pdf
https://aws.amazon.com/compliance/shared-responsibility-model/
https://d1.awsstatic.com/training-and-certification/docs-cloud-practitioner/AWS-Certified-Cloud-Practitioner_Sample-Questions.pdf