AWS Cloud Practitioner (pt2) - Coggle Diagram
AWS Cloud Practitioner (pt2)
Module 5: Storage and Databases
Block-level storage: volumes behave like physical hard drives. When there is an update, only the particular block of data is updated, not the entire file.
Instance store: temporary block-level storage for an EC2 instance. It has the same lifespan as the instance: when the instance is terminated, you lose any data in the instance store.
Amazon Elastic Block Store (Amazon EBS): a service that provides block-level storage volumes that you can use with Amazon EC2 instances. If you stop or terminate an Amazon EC2 instance, all the data on the attached EBS volume remains available.
To create an EBS volume, you define the configuration (such as volume size and type) and provision it. After you create an EBS volume, it can attach to an Amazon EC2 instance.
EBS volumes store data within a single Availability Zone.
Because EBS volumes are for data that needs to persist, it’s important to back up the data. You can take incremental backups of EBS volumes by creating Amazon EBS snapshots.
An EBS snapshot is an incremental backup. This means that the first backup taken of a volume copies all the data. For subsequent backups, only the blocks of data that have changed since the most recent snapshot are saved.
Amazon Simple Storage Service (S3):
Object storage: each object consists of data, metadata, and a key. When a file in object storage is modified, the entire object is updated. (In block storage, when you modify a file, only the pieces that changed are updated.)
S3: a service that provides object-level storage. Amazon S3 stores data as objects in buckets.
You can upload any type of file to S3.
S3 offers unlimited storage space.
The maximum file size for an object in S3 is 5 TB.
You can set permissions to control visibility of and access to a file.
You can enable versioning to keep track of changes.
You only pay for what you use.
S3 storage classes:
S3 Standard:
For frequently accessed data
Stores data in a minimum of three Availability Zones.
Provides high availability for objects.
S3 Standard - Infrequent Access (S3 Standard-IA):
Ideal for infrequently accessed data that still requires high availability when needed.
Similar to S3 Standard but has a lower storage price and a higher retrieval price.
Stores data in a minimum of three Availability Zones.
S3 One Zone - Infrequent Access (S3 One Zone-IA):
Stores data in a single Availability Zone
Has a lower storage price than S3 Standard-IA
It's a good storage class to consider if:
✓ You want to save costs on storage
✓ You can easily reproduce your data in the event of an Availability Zone failure.
S3 Intelligent-Tiering:
Ideal for data with unknown or changing access patterns.
Requires a small monthly monitoring and automation fee per object.
In the S3 Intelligent-Tiering storage class, S3 monitors each object's access pattern. If you haven't accessed an object for 30 consecutive days, S3 automatically moves it to the infrequent access tier, S3 Standard-IA. If you access an object in the infrequent access tier, Amazon S3 automatically moves it to the frequent access tier, S3 Standard.
S3 Glacier:
Low-cost storage designed for data archiving
Able to retrieve objects within a few minutes to hours
S3 Glacier Deep Archive:
Lowest-cost object storage class, ideal for archiving
Able to retrieve objects within 12 hours
Amazon Elastic File System (EFS)
File storage: multiple clients (users, applications, servers, etc.) can access data that is stored in shared file folders at the same time.
Amazon EFS: a scalable file system used with AWS services and on-premises resources. EFS grows and shrinks automatically.
EFS stores data across multiple Availability Zones.
Amazon Relational Database Service (RDS)
Relational database: data is stored in a way that relates it to other pieces of data.
Amazon RDS: a service that enables you to run relational databases in the AWS Cloud. RDS is a managed service that automates:
Hardware provisioning
Database setup
Patching
Backups
Amazon RDS provides a number of different security options:
Encryption at rest: protecting data while it is stored.
Encryption in transit: protecting data while it is being sent and received.
Amazon RDS database engines: RDS is available on six database engines. They are:
Amazon Aurora: an enterprise-class relational database. It is compatible with MySQL and PostgreSQL. It is up to 5 times faster than standard MySQL and up to 3 times faster than standard PostgreSQL.
PostgreSQL
MySQL
MariaDB
Oracle Database
Microsoft SQL Server
Amazon DynamoDB
Nonrelational database: key-value pairs. Not every item in the table has to have the same attributes.
Amazon DynamoDB: a key-value database service. It delivers single-digit millisecond performance at any scale.
Serverless
Automatic scaling
Amazon Redshift: a data warehousing service that you can use for big data analytics. It offers the ability to collect data from many sources and helps you to understand relationships and trends across your data.
Amazon Database Migration Service (DMS): enables you to migrate relational databases, nonrelational databases and other types of data stores.
Using DMS, you move data between a source database and a target database. The source and target databases can be of the same type or of different types.
During the migration, the source database remains operational, reducing downtime for the business.
Additional database services:
1. Amazon DocumentDB: a document database service that supports MongoDB.
2. Amazon Neptune: a graph database service.
3. Amazon Quantum Ledger Database (QLDB): a ledger database service. Use QLDB to review a complete history of all the changes that have been made to your application data.
4. Amazon Managed Blockchain: a service that you can use to create and manage blockchain networks with open-source frameworks.
5. Amazon ElastiCache: a service that adds caching layers on top of your database to help improve read times of common requests. Supports two types of data stores: Redis and Memcached.
6. Amazon DynamoDB Accelerator (DAX): an in-memory cache for DynamoDB.
Module 6: Security
Shared Responsibility Model:
AWS is responsible for security of the cloud
AWS user is responsible for security in the cloud
AWS Identity and Access Management (IAM)
AWS account root user:
Has a username and password
Has complete access to all the AWS services and resources in the account
Best practice: do not use the root user account for daily tasks; use it only for those tasks that are limited to the root user.
IAM users:
Is an identity that you create in AWS.
Represents the person or application that interacts with AWS services and resources.
Consists of a name and credentials.
By default, a newly created IAM user has no permissions.
Best practice: create individual IAM users for each person who needs access to AWS, even if multiple employees require the same level of access.
Best practice: enable multi-factor authentication (MFA) for all users.
IAM policies:
Is a document that allows or denies permissions to AWS services and resources.
Is a JSON document.
Best practice: follow the security principle of least privilege when granting permissions.
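An added example (not part of these notes and not an AWS tool) that reads two constructed IAM policy documents and flags the Allow statements that break least privilege; the bucket name and statement IDs are made up.

```python
"""Least-privilege linter for IAM policy documents (constructed example, not an
AWS tool): flags Allow statements whose Action or Resource is a full wildcard."""
import json

# Constructed sample: the kind of broad policy an IAM user should not carry day to day.
BROAD_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
}"""

# Constructed sample: least-privilege policy that only reads one bucket's reports/ prefix.
SCOPED_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadReports", "Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-bucket/reports/*"},
    {"Sid": "ListReports", "Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::example-bucket",
     "Condition": {"StringLike": {"s3:prefix": ["reports/*"]}}}
  ]
}"""


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def lint_policy(document: str) -> list:
    """Return findings for Allow statements that grant more than a task needs."""
    statements = json.loads(document).get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be a bare object
        statements = [statements]
    findings = []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue                       # an explicit Deny never widens access
        sid = stmt.get("Sid", f"statement[{index}]")
        if "NotAction" in stmt:
            findings.append(f"{sid}: NotAction allows everything except the listed actions")
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append(f"{sid}: Action '*' allows every API call")
            elif action.endswith(":*"):
                findings.append(f"{sid}: Action '{action}' allows every call in a service")
        if "*" in _as_list(stmt.get("Resource")) and "Condition" not in stmt:
            findings.append(f"{sid}: Resource '*' applies to every resource in the account")
    return findings
```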
IAM groups:
Is a collection of IAM users.
When you assign an IAM policy to a group, all users in the group are granted the permissions specified by the policy at the group level.
IAM roles:
Is an identity that you can assume to gain temporary access to permissions.
When someone assumes an IAM role, they abandon all the permissions that they had under a previous role.
Best practice: IAM roles are ideal for situations in which access to services or resources needs to be granted temporarily instead of long-term.
AWS Organizations
Organizational Units (OUs)
In AWS Organizations, you can group accounts into OUs to make it easier to manage accounts with similar business or security requirements. When you apply a policy to an OU, all the accounts in the OU automatically inherit the permissions specified in the policy.
Compliance
AWS Artifact:
Is a service that provides on-demand access to AWS security and compliance reports and select online agreements.
Consists of two main sections: AWS Artifact Agreements and AWS Artifact Reports
Denial-of-service attack (DoS):
Is a deliberate attempt to make a website or application unavailable to users.
Distributed denial-of-service attack (DDoS):
Multiple sources are used to start an attack that aims to make a website or application unavailable.
AWS Shield:
Is a service that protects applications against DDoS attacks.
Provides two levels of protection: Standard and Advanced
Additional security services:
1. Key Management Service (KMS):
Encryption at rest: the application's data is secure while in storage.
Encryption in transit: the application's data is secure while it is transmitted.
KMS uses cryptographic keys. A cryptographic key is a random string of digits used for locking and unlocking data.
2. Web Application Firewall (WAF):
Lets you monitor network requests that come into your web applications.
WAF works together with CloudFront and load balancers.
WAF uses a web access control list (web ACL) to protect resources.
3. Amazon Inspector: helps to improve the security and compliance of applications by running automated security assessments.
4. Amazon GuardDuty: is a service that provides intelligent threat detection for your AWS infrastructure and resources.
Module 7: Monitoring and Analytics
Amazon CloudWatch:
Is a web service that monitors and manages various metrics and configures alarm actions based on data from those metrics.
CloudWatch alarms: you can create alarms that automatically perform actions if the value of your metric has gone above or below a predefined threshold.
CloudWatch Dashboard:
You can access all the metrics for your resources from a single location.
AWS CloudTrail: records API calls for your account, including:
Identity of the API caller
The time of the API call
The source IP address of the API caller, and more
With CloudTrail, you can view a complete history of user activity and API calls for your applications and resources.
Events are updated in CloudTrail within 15 minutes after an API call. You can filter events by many criteria.
CloudTrail Insights: you can also enable CloudTrail Insights, which allows CloudTrail to automatically detect unusual API activity in your AWS account.
AWS Trusted Advisor: a web service that inspects your AWS environment and provides real-time recommendations in accordance with AWS best practices.
Trusted Advisor compares its findings to AWS best practices in 5 categories:
Cost optimization
Performance
Security
Fault tolerance
Service Limits
Module 8: Pricing and Support
AWS Free Tier: offers three types
Always free
12 months free
Trials
How AWS pricing works
AWS offers a range of cloud computing services with pay-as-you-go pricing.
Pay for what you use: for each service, you pay for exactly the amount of resources that you actually use, without requiring long-term contracts or complex licensing.
Pay less when you reserve: some services offer reservation options that provide a discount compared to On-Demand pricing.
Pay less with volume-based discounts when you use more: some services offer tiered pricing.
AWS Billing & Cost Management dashboard: monitor your usage, analyze and control your costs.
Consolidated Billing: this billing feature of AWS Organizations enables you to receive a single bill for all AWS accounts in your organization.
AWS Budgets:
You can create budgets to plan your service usage, service costs, and instance reservations.
AWS Cost Explorer: a tool that enables you to visualize, understand and manage your AWS costs and usage over time.
AWS Support:
AWS offers four different Support Plans to help you troubleshoot issues, lower costs, and efficiently use AWS services.
Basic
Developer
Business
Enterprise