Ultimate AWS Certified Cloud Practitioner CLF-C02 - Coggle Diagram
Section 3: What is Cloud Computing?
Section 1: Introduction
Section 2: Code & Slides Download
Section 5: EC2 - Elastic Compute Cloud
Section 4: IAM - Identity and Access Management
Section 6: EC2 Instance Storage
EBS Overview
Elastic Block Store
Bound to a specific availability zone
Free tier: 30GB per month
Delete on Termination attribute (when the EC2 instance is terminated)
Can be moved between zones via a snapshot
Network drives attached to one EC2 instance
Snapshots
EBS Snapshot Archive (cheaper, slower)
Recycle Bin for EBS Snapshots
Retention rules
AMI Overview
Amazon Machine Image
Customization of an EC2 instance
Public / marketplace / your own
EC2 Image Builder Overview
Can be run on a schedule
Automate the creation of VMs or container images
Free service
EC2 Instance Store
High-performance hardware disk
Ephemeral (lose their storage when stopped)
EFS Overview
Elastic File System
Can be mounted on 100s of EC2
Works with Linux EC2 instances
EFS Infrequent Access (EFS-IA): 92% lower cost, transparent to applications
Shared responsibility model for EC2 storage
AWS
Infrastructure
Replication
Customer
Setting up backup procedures
Setting up data encryption
Responsibility of data on drives
Understand risk of EC2 instance store
Amazon FSx Overview
3rd party high-performance file system on AWS
Fully managed service
Amazon FSx for Windows File Server
Built on Windows File Server
Supports SMB protocol & Windows NTFS
Integrated with Microsoft Active Directory
Amazon FSx for Lustre
for High Performance Computing (HPC)
Lustre (Linux + cluster)
Section 7: ELB & ASG
High Availability, Scalability, Elasticity
Scalability
Can handle greater loads by adapting
Vertical
Example: go from t2.micro to t2.large
Very common for non distributed systems, such as a database
There's a limit to how much (hardware limit)
Increase the size of the instance (up/down)
Horizontal (= elasticity)
Implies distributed systems
Very common for web applications
Easy to scale with EC2
Increase the number of instances (in/out)
Auto Scaling Group and Load Balancer
High availability
Running app in at least 2 AZs
ASG and LB multi-AZ
ELB Overview
Load balancers
Spread load across multiple instances
Expose single point of access (DNS) to app
Seamlessly handle failures
Health check of instances
SSL termination
High availability across zones
Elastic Load Balancer
Managed load balancer
Types
Application Load Balancer
HTTP / HTTPS / gRPC (Layer 7)
HTTP routing features
Static DNS (URL)
Network Load Balancer
TCP / UDP (Layer 4)
High performance
Static IP through Elastic IP
Gateway Load Balancer
Route traffic to firewalls that you manage on EC2 instances
Intrusion detection
GENEVE Protocol on IP Packets (Layer 3)
Classic Load Balancer (retired in 2023) - layers 4 and 7
ASG Overview
Auto Scaling Group
Scale in/out
Ensure min/max numbers of machines running
Register new instances to LB
Replace unhealthy instances
Sizes
Maximum size
Actual size / desired capacity
Minimum size
ASG Strategies
Manual scaling
Dynamic scaling
Target tracking scaling (ex: average CPU at 40%)
scheduled scaling (ex: increase on Fridays)
Simple / step scaling (ex: add when CloudWatch alarm is triggered)
Predictive scaling
Section 8: Amazon S3
S3 Overview
Use cases
Backup and storage
Disaster Recovery
Archive
...
Buckets
Object (files) in buckets (directories)
Globally unique name
Defined at the region level
Naming convention
No uppercase, no underscore
3-63 characters long
Not an IP
Must start with lowercase letter or number
Objects
Key is the full path
s3://my-bucket/my_file.txt (key=my_file.txt)
s3://my-bucket/my_folder/another_folder/my_file.txt (key=my_folder/another_folder/my_file.txt)
No concept of directories within buckets
Maximum size: 5TB (5000GB)
Metadata (key / value pairs)
Tags
Version ID
S3 Security: Bucket Policy
User-Based
IAM Policies
Resource-Based
Bucket Policies
Object Access Control List (ACL)
Bucket Access Control List (ACL)
Encryption
Bucket setting for Block Public Access
Extra layer to prevent company data leaks
Can be set at the account level
S3 Website overview
S3 can host static websites
http://bucket-name.s3-website.aws-region.amazonaws.com
S3 versioning overview
Same key overwrite will change the version
Enabled at bucket level
S3 Replication Overview
SRR (same region replication)
Buckets can be in different AWS accounts
CRR (cross region replication)
Copying is asynchronous
Must enable versioning
S3 Storage Classes Overview
Classes
Amazon S3 Glacier Instant Retrieval
Amazon S3 One Zone-Infrequent Access
Amazon S3 Glacier Flexible Retrieval
Amazon S3 Standard-Infrequent Access (IA)
Amazon S3 Glacier Deep Archive
Amazon S3 Intelligent Tiering
Moves objects automatically between access tiers based on usage
Infrequent Access Tier (automatic): obj. not accessed for 30 days
Frequent Access Tier (automatic): default
Archive Instant Access Tier (automatic): obj. not accessed for 90 days
Archive Access Tier (optional): configurable from 90 days to 700+ days
Deep Archive Access Tier (optional): configurable from 180 days to 700+ days
Amazon S3 Standard - General Purpose
Durability
99.999999999%
Same for all storage classes
Availability
Depends on storage class
S3 standard has 99.99% availability (53 min/year)
Encryption
Types (AWS has both)
Server-Side Encryption
Is always on
Client-Side Encryption
IAM Access Analyzer for S3
Monitoring feature
Ensures that only intended people have access to your buckets
Evaluates S3 bucket policies, S3 ACLs, S3 access point policies
Shared responsibility model for S3
AWS
Infrastructure (global security, durability, availability, sustain concurrent loss of data in two facilities)
Configuration and vulnerability analysis
Compliance validation
User
S3 versioning
S3 bucket policies
S3 replication setup
Logging and monitoring
S3 storage class
Data encryption at rest and in transit
AWS Snow Family Overview
AWS Snow Family
Highly-secure, portable devices to collect and process data at the edge, and migrate data into and out of AWS
Data migration
Snowcone
Snowball Edge
Snowmobile
Edge computing
Snowcone
Snowball Edge
Edge location
Limited / no internet
Limited / no computing power
AWS OpsHub
Used instead of the CLI (which is very hard / complicated)
Software to manage Snow Family Device
AWS Snowball Edge - Pricing
Pay for everything except data transferred into S3
Storage Gateway Overview
AWS Storage Gateway
On-premise
Volume
Tape
File
Cloud
Amazon EBS
S3
Glacier
Allow on-premises to seamlessly use the AWS Cloud
Section 9: Databases & Analytics
RDS Deployment Options
Read replicas
Scale the read workload of DB
Can create up to 15 read replicas
Data is only written to the main DB
Multi-AZ
Failover in case of AZ outage (high availability)
Data is only read/written to the main database
Can only have 1 other AZ as failover
Multi-Region (read replicas)
Applications read from the nearest database (read replicas)
Applications write to the main database
There is a cost for replication between regions
ElastiCache Overview
Redis or Memcached
Caches are in-memory databases with high performance, low latency
Reduce load off databases for read intensive workloads
DynamoDB Overview
Type of data
DynamoDB is a key/value database
DynamoDB Accelerator - DAX
Fully managed in-memory cache for DynamoDB (only)
10x performance improvement
Secure, highly scalable & highly available
Overview
Fully Managed Highly available with replication across 3 AZ
NoSQL database - not a relational database
Scales to massive workloads, distributed “serverless” database
Millions of requests per second, trillions of rows, 100s of TB of storage
Fast and consistent in performance
Single-digit millisecond latency — low latency retrieval
Integrated with IAM for security, authorization and administration
Low cost and auto scaling capabilities
Standard & Infrequent Access (IA) Table Class
DynamoDB Global Tables
Make a DynamoDB table accessible with low latency in multiple-regions
Active-active replication (read/write to any AWS Region)
RDS & Aurora Overview
Relational Database Service (RDS)
Postgres
MySQL
MariaDB
Oracle
Microsoft SQL Server
IBM DB2
Aurora (AWS Proprietary Database)
Advantages (RDS vs. DB on EC2)
Automated provisioning, OS patching
Continuous backups and restore to specific timestamp
Monitoring dashboards
Read replicas for improved read performance
Multi AZ setup for DR (Disaster Recovery)
Maintenance windows for upgrades
Scaling capability (vertical and horizontal)
Storage backed by EBS
BUT you can't SSH into your instances
Amazon Aurora
Proprietary technology from AWS
PostgreSQL and MySQL supported as Aurora DB
Aurora is "AWS cloud optimized"
Aurora storage automatically grows up to 128 TB (10GB increments)
Costs more than RDS, but is more efficient
Not in the free tier
Amazon Aurora Serverless
Automated instantiation and auto-scaling
PostgreSQL and MySQL
No capacity planning needed
Least management overhead
Redshift Overview
Overview
Redshift is based on PostgreSQL, but it's not used for OLTP
It's OLAP — online analytical processing (analytics and data warehousing)
Load data once every hour, not every second
10x better performance than other data warehouses, scale to PBs of data
Columnar storage of data (instead of row based)
Massively Parallel Query Execution (MPP), highly available
Pay as you go based on the instances provisioned
Has a SQL interface for performing the queries
BI tools such as AWS Quicksight or Tableau integrate with it
Redshift Serverless
Automatically provisions and scales data warehouse underlying capacity
Run analytics workloads without managing data warehouse infrastructure
Pay only for what you use (save costs)
Use cases: Reporting, dashboarding applications, real-time analytics...
EMR Overview
EMR stands for "Elastic MapReduce”
EMR helps creating Hadoop clusters (Big Data) to analyze and process vast amounts of data
The clusters can be made of hundreds of EC2 instances
Also supports Apache Spark, HBase, Presto, Flink...
EMR takes care of all the provisioning and configuration
Auto-scaling and integrated with Spot instances
Use cases: data processing, machine learning, web indexing, big data...
Databases Introduction
Relational databases
NoSQL databases
Flexibility: easy to evolve data model
Scalability: designed to scale-out by using distributed clusters
High-performance: optimized for a specific data model
Highly functional: types optimized for the data model
Examples: key-value, document, graph, in-memory, search databases
NoSQL data example: JSON
Data can be nested
Fields can change over time
Support for new types: arrays, etc...
Databases & Shared Responsibility on AWS
AWS offers to manage different databases for you
Benefits
Quick Provisioning, High Availability, Vertical and Horizontal Scaling
Automated Backup & Restore, Operations, Upgrades
Operating System Patching is handled by AWS
Monitoring, alerting
Athena Overview
Serverless query service to perform analytics against S3 objects
Uses standard SQL language to query the files
Supports CSV, JSON, ORC, Avro, and Parquet (built on Presto)
Pricing: $5.00 per TB of data scanned
Use compressed or columnar data for cost-savings (less scan)
Use cases: Business intelligence / analytics / reporting, analyze & query VPC Flow Logs, ELB Logs, CloudTrail trails, etc...
ExamTip: analyze data in S3 using serverless SQL, use Athena
QuickSight Overview
Fast, automatically scalable, embeddable, with per-sessions pricing
Use cases
Business analytics
Building visualizations
Perform ad-hoc analysis
Get business insights using data
Serverless machine learning-powered business intelligence service to create interactive dashboards
Integrated with RDS, Aurora, Athena, Redshift, S3...
DocumentDB Overview
DocumentDB is the AWS equivalent for MongoDB (which is a NoSQL database)
MongoDB is used to store, query, and index JSON data
Similar “deployment concepts” as Aurora
Fully Managed, highly available with replication across 3 AZ
DocumentDB storage automatically grows in increments of 10GB
Automatically scales to workloads with millions of requests per second
Neptune Overview
Fully managed graph database
A popular graph dataset would be a social network
Highly available across 3 AZ, with up to 15 read replicas
Build and run applications working with highly connected datasets — optimized for these complex and hard queries
Can store up to billions of relations and query the graph with milliseconds latency
Highly available with replications across multiple AZs
Great for knowledge graphs (Wikipedia), fraud detection, recommendation engines, social networking
Timestream Overview
Fully managed, fast, scalable, serverless time series database
Automatically scales up/down to adjust capacity
Store and analyze trillions of events per day
1000s times faster & 1/10th the cost of relational databases
Built-in time series analytics functions (helps you identify patterns in your data in near real-time)
QLDB Overview
QLDB stands for "Quantum Ledger Database”
A ledger is a book recording financial transactions
Fully Managed, Serverless, Highly available, Replication across 3 AZ
Used to review history of all the changes made to your application data over time
Immutable system: no entry can be removed or modified, cryptographically verifiable
2-3x better performance than common ledger blockchain frameworks, manipulate data using SQL
Difference with Amazon Managed Blockchain: no decentralization component, in accordance with financial regulation rules
Managed Blockchain Overview
Blockchain makes it possible to build applications where multiple parties can execute transactions without the need for a trusted, central authority.
Amazon Managed Blockchain is a managed service to:
Join public blockchain networks
Or create your own scalable private network
Compatible with the frameworks Hyperledger Fabric & Ethereum
Glue Overview
Useful to prepare and transform data for analytics
Fully serverless service
Glue Data Catalog: catalog of datasets
Can be used by Athena, Redshift, EMR
Managed extract, transform, and load (ETL) service
DMS Overview
Quickly and securely migrate databases to AWS, resilient, self healing
The source database remains available during the migration
Supports
Homogeneous migrations: ex Oracle to Oracle
Heterogeneous migrations: ex Microsoft SQL Server to Aurora
Section 10: Other Compute Services: ECS, Lambda, Batch, Lightsail
What is Docker?
What is Docker?
Apps run the same, regardless of where they're run
Software development platform to deploy apps
Scale containers up and down very quickly (seconds)
Apps are packaged in containers that can be run on any OS
Where are Docker images stored?
Docker Repositories
Public: Docker Hub
Private: Amazon ECR (Elastic Container Registry)
ECS, Fargate & ECR Overview
ECS
Elastic Container Service
Launch Docker containers on AWS
You must provision & maintain the infrastructure (the EC2 instances)
AWS takes care of starting / stopping containers
Has integrations with the Application Load Balancer
Fargate
Launch Docker containers on AWS
You do not provision the infrastructure (no EC2 instances to manage)
Serverless offering
AWS just runs containers for you based on the CPU / RAM you need
ECR
Store your Docker images so they can be run by ECS or Fargate
Private Docker Registry on AWS
Elastic Container Registry
Serverless Introduction
What's serverless?
Serverless is a new paradigm in which the developers don't have to manage servers anymore...
They just deploy code
They just deploy... functions !
Initially... Serverless == FaaS (Function as a Service)
Serverless was pioneered by AWS Lambda but now also includes anything that's managed: databases, messaging, storage, etc.
Serverless does not mean there are no servers... it means you just don't manage / provision / see them
So far in this course...
S3
DynamoDB
Fargate
Lambda
Lambda Overview
Why AWS Lambda
Amazon EC2
Virtual Servers in the Cloud
Limited by RAM and CPU
Continuously running
Scaling means intervention to add / remove servers
Amazon Lambda
Virtual functions — no servers to manage!
Limited by time - short executions
Run on-demand
Scaling is automated!
Benefit of AWS Lambda
Easy Pricing:
Pay per request and compute time
Free tier of 1,000,000 AWS Lambda requests and 400,000 GB-seconds of compute time
Integrated with the whole AWS suite of services
Event-Driven: functions get invoked by AWS when needed
Integrated with many programming languages
Easy monitoring through AWS CloudWatch
Easy to get more resources per functions (up to 10GB of RAM!)
Increasing RAM will also improve CPU and network!
API Gateway Overview
Fully managed service for developers to easily create, publish, maintain, monitor, and secure APIs
Serverless and scalable
Supports RESTful APIs and WebSocket APIs
Support for security, user authentication, API throttling, API keys, monitoring...
Batch Overview
AWS Batch
Fully managed batch processing at any scale
Efficiently run 100,000s of computing batch jobs on AWS
A "batch" job is a job with a start and an end (opposed to continuous)
Batch will dynamically launch EC2 instances or Spot Instances
AWS Batch provisions the right amount of compute / memory
You submit or schedule batch jobs and AWS Batch does the rest!
Batch jobs are defined as Docker images and run on ECS
Helpful for cost optimizations and focusing less on the infrastructure
Batch vs Lambda
Lambda
Time limit
Limited runtimes
Limited temporary disk space
Serverless
Batch
No time limit
Any runtime as long as it's packaged as a Docker image
Rely on EBS / instance store for disk space
Relies on EC2 (can be managed by AWS)
Lightsail Overview
Virtual servers, storage, databases, and networking
Low & predictable pricing
Simpler alternative to using EC2, RDS, ELB, EBS, Route 53...
Great for people with little cloud experience!
Can setup notifications and monitoring of your Lightsail resources
Has high availability but no auto-scaling, limited AWS integrations
Use cases
Simple web applications (has templates for LAMP, Nginx, MEAN, Node.js...)
Websites (templates for WordPress, Magento, Plesk, Joomla)
Dev /Test environment
Section 11: Deployments & Managing Infrastructure at Scale
AWS Cloud Development Kit (CDK)
Define your cloud infrastructure using a familiar language
JS/TS
Python
Java
.Net
Code is "compiled" into a CloudFormation template (JSON/YAML)
You can deploy infrastructure and application runtime code together
Great for Lambda functions
Great for Docker containers in ECS/EKS
Beanstalk Overview
Overview
It uses all the components we've seen before: EC2, ASG, ELB, RDS, etc...
Beanstalk = Platform as a Service (PaaS)
Developer centric view of deploying an application on AWS
Elastic Beanstalk
Managed service
Instance configuration / OS is handled by Beanstalk
Deployment strategy is configurable but performed by Elastic Beanstalk
Capacity provisioning
Load balancing & auto-scaling
Application health-monitoring & responsiveness
Just the application code is the responsibility of the developer
Three architecture models:
Single Instance deployment: good for dev
LB + ASG: great for production or pre-production web applications
ASG only: great for non-web apps in production (workers, etc..)
Support for many platforms
Go, Java, .Net, Node, PHP, Python, Ruby...
Single container / multi-container / preconfigured Docker
Health Monitoring
CloudFormation Overview
CloudFormation creates the resources in the right order with exact configuration
Benefits
Infrastructure as code
Cost
Productivity
Don't reinvent the wheel
Support (almost) all AWS resources
Declarative way of outlining your AWS Infrastructure
CodeDeploy
Works with EC2 instances
Works with On-Premises Servers
We want to deploy our application automatically
Hybrid service
Servers / instances must be provisioned and configured ahead of time with the CodeDeploy Agent
CodeCommit Overview
Fully managed
Private, Secured, Integrated with AWS
Git-based repositories
CodeBuild Overview
Compiles source code, run tests, and produces packages ready to be deployed
Pay-as-you-go pricing
Code building service in the cloud
CodePipeline Overview
Orchestrate the different steps to have the code automatically pushed to production
Compatible with Code*, Elastic Beanstalk, CloudFormation, GitHub...
CodeArtifact Overview
Artifact management
Works with common dependency management tools such as Maven, Gradle, npm, yarn, twine, pip, and NuGet
CodeStar Overview
Discontinued as of July 2024
Has a replacement named "CodeCatalyst"
Unified UI to easily manage software development activities in one place
Can edit the code "in-the-cloud" using AWS Cloud9
Cloud9 Overview
Cloud IDE for writing, running and debugging code
Allows for code collaboration in real-time
Systems Manager (SSM) Overview
Helps you manage your EC2 and On-Premises systems at scale
Another Hybrid AWS service
Get operational insights about the state of your infrastructure
Suite of 10+ products
Most important features are:
Patching automation for enhanced compliance
Run commands across an entire fleet of servers
Store parameter configuration with the SSM Parameter Store
Works for Linux, Windows, MacOS, and Raspberry Pi OS (Raspbian)
SSM Session Manager
Allows secure shell on your EC2 and on-premises servers
No SSH access, bastion hosts, or SSH keys needed
Send session log data to S3 or CloudWatch logs
SSM Parameter Store
Systems Manager Parameter Store
Secure storage for configuration and secrets
API Keys, passwords, configurations...
Serverless, scalable, durable, easy SDK
Control access permissions using IAM
Version tracking & encryption (optional)
Section 12: Leveraging the AWS Global Infrastructure
Route 53 Overview
Managed DNS
Most common records
AAAA IPv6
CNAME: hostname to hostname
A record (IPv4)
Alias (ex: ELB, CloudFront, S3, RDS, etc...)
Routing policies
Simple routing policy (no health check)
Weighted routing policy
Latency routing policy
Failover routing policy
CloudFront Overview
AWS CloudFront
Content Delivery Network (CDN)
Improves read performance, content is cached at the edge
216 points of presence globally (edge locations)
DDoS protection, integration with Shield, AWS Web Application Firewall
CloudFront - Origins
S3 bucket
Custom origin (HTTP)
EC2
S3 website
ALB
Any HTTP backend you want
CloudFront vs S3 Cross Region Replication
CloudFront
Global Edge network
Files are cached for a TTL (maybe a day)
Great for static content that must be available everywhere
S3 Cross Region Replication
Must be set up for each region
Files updated in near real-time
Great for dynamic content that needs low-latency in few regions
Why Global Applications?
Decreased latency
Multiple geographies: regions and/or edge locations
Disaster recovery (DR)
Attack protection
S3 Transfer Acceleration
Increase transfer speed by transferring file to an AWS edge location which will forward the data to the S3 bucket in the target region
AWS Global Accelerator
Leverage the AWS internal network to optimize the route to your application (60% improvement)
2 Anycast IPs are created for your application and traffic is sent through edge locations
Edge locations send the traffic to your application
AWS Outposts
Hybrid cloud
Server racks that offer the same AWS infrastructure, services, APIs & tools
You are responsible for the Outposts Rack physical security
EC2, EBS, S3, EKS, ECS, RDS, EMR
AWS Wavelength
AWS services at the edge of the 5G networks
Embedded within the telecom providers' datacenters
Ultra-low latency applications through 5G networks
AWS Local Zones
Place AWS services closer to end user
Run latency-sensitive applications
Global Applications Architecture
Single Region, Multi AZ
Multi Region, Active-Passive
Single Region, Single AZ
Multi Region, Active-Active
Section 13: Cloud Integrations
Cloud Integrations Overview
Two patterns of application communication
Synchronous communications (application to application)
Asynchronous / Event based (application to queue to application)
Better to decouple applications
SNS (pub/sub model)
Kinesis (real-time data streaming model)
SQS (queue model)
SQS Overview
Simple Queue Service
Producers send messages
Consumers poll messages
Standard Queue
Oldest AWS offering (over 10 years old)
Fully managed service (~serverless), use to decouple applications
Scales from 1 message per second to 10,000s per second
Default retention of messages: 4 days, maximum of 14 days
No limit to how many messages can be in the queue
Messages are deleted after they're read by consumers
Low latency (<10 ms on publish and receive)
Consumers share the work to read messages & scale horizontally
FIFO Queue
Messages are processed in order by the consumer
Kinesis Overview
For the exam: Kinesis = real-time big data streaming
Managed service to collect, process, and analyze real-time streaming data at any scale
Too detailed for the Cloud Practitioner exam but good to know:
Kinesis Data Streams: low latency streaming to ingest data at scale from hundreds of thousands of sources
Kinesis Data Firehose: load streams into S3, Redshift, ElasticSearch, etc...
Kinesis Data Analytics: perform real-time analytics on streams using SQL
Kinesis Video Streams: monitor real-time video streams for analytics or ML
SNS Overview
The “event publishers” only send messages to one SNS topic
As many “event subscribers” as we want to listen to the SNS topic notifications
Each subscriber to the topic will get all the messages
Up to 12,500,000 subscriptions per topic, 100,000 topics limit
Amazon MQ Overview
SQS, SNS are “cloud-native” services: proprietary protocols from AWS
Traditional applications running from on-premises may use open protocols such as: MQTT, AMQP, STOMP Openwire, WSS
When migrating to the cloud, instead of re-engineering the application to use SQS and SNS, we can use Amazon MQ
Amazon MQ is a managed message broker service for RabbitMQ and ActiveMQ
Amazon MQ doesn't “scale” as much as SQS / SNS
Amazon MQ runs on servers, can run in Multi-AZ with failover
Amazon MQ has both queue feature (~SQS) and topic features (~SNS)
Section 14: Cloud Monitoring
CloudWatch Metrics & CloudWatch Alarms Overview
Important Metrics
EC2: CPU, status checks, network
EBS: disk read/writes
S3: BucketSizeBytes, NumberOfObjects, AllRequests
Billing: Total Estimated Charge (only in us-east-1)
Service Limits: how much you've been using a service API
Custom metrics: push your own metrics
Amazon CloudWatch Metrics
Metric is a variable to monitor (CPU utilization, networking...)
Metrics have timestamps
CloudWatch provides metrics for every service in AWS
Amazon CloudWatch Alarms
Alarms are used to trigger notifications for any metric
Various options (sampling, %, max, min, etc...)
Can choose the period on which to evaluate an alarm
Example: create a billing alarm on the CloudWatch Billing metric
Alarm States: OK, INSUFFICIENT_DATA, ALARM
Alarms actions...
Auto Scaling: increase or decrease EC2 instances “desired” count
EC2 Actions: stop, terminate, reboot or recover an EC2 instance
SNS notifications: send a notification into an SNS topic
CloudWatch Logs Overview
Amazon CloudWatch Logs
Enables real-time monitoring of logs
Adjustable CloudWatch Logs retention
CloudWatch Logs can collect log from:
Elastic Beanstalk: collection of logs from application
ECS: collection from containers
AWS Lambda: collection from function logs
CloudTrail: based on filter
CloudWatch log agents: on EC2 machines or on-premises servers
Route53: Log DNS queries
CloudWatch Logs for EC2
By default, no logs from your EC2 instance will go to CloudWatch
You need to run a CloudWatch agent on EC2 to push the log files you want
Make sure IAM permissions are correct
The CloudWatch log agent can be setup on-premises too
EventBridge Overview
Schedule: Cron jobs (scheduled scripts)
Event Pattern: Event rules to react to a service doing something
Trigger Lambda functions, send SQS/SNS messages...
Default / Partner / Custom Event Bus
CloudTrail Overview
Provides governance, compliance and audit for your AWS Account
CloudTrail is enabled by default!
Get a history of events / API calls made within your AWS Account by:
Console
SDK
CLI
AWS Services
Can put logs from CloudTrail into CloudWatch Logs or S3
A trail can be applied to All Regions (default) or a single Region.
If a resource is deleted in AWS, investigate CloudTrail first!
X-Ray Overview
Debugging
Log formats differ across applications and log analysis is hard.
Debugging: one big monolith “easy”, distributed services “hard”
No common views of your entire architecture
X-Ray advantages
Troubleshooting performance (bottlenecks)
Understand dependencies in a microservice architecture
Pinpoint service issues
Review request behavior
Find errors and exceptions
Are we meeting time SLA?
Where am I throttled?
Identify users that are impacted
CodeGuru Overview
An ML-powered service for automated code reviews and application performance recommendations
CodeGuru Profiler
Helps understand the runtime behavior of your application
Example: identify if your application is consuming excessive CPU capacity on a logging routine
Supports applications running on AWS or on-premises
Minimal overhead on application
Features:
Identify and remove code inefficiencies
Improve application performance (e.g., reduce CPU utilization)
Decrease compute costs
Provides heap summary (identify which objects using up memory)
Anomaly Detection
CodeGuru Reviewer
Identify critical issues, security vulnerabilities, and hard-to-find bugs
Example: common coding best practices, resource leaks, security detection, input validation
Uses Machine Learning and automated reasoning
Hard-learned lessons across millions of code reviews on 1000s of open-source and Amazon repositories
Supports Java and Python
Integrates with GitHub, Bitbucket, and AWS CodeCommit
AWS Health Dashboard
AWS Health Dashboard - Service History
Shows all regions, all services health
Shows historical information for each day
Has an RSS feed you can subscribe to
Previously called AWS Service Health Dashboard
AWS Health Dashboard - Your Account
Previously called AWS Personal Health Dashboard (PHD)
AWS Account Health Dashboard provides alerts and remediation guidance when AWS is experiencing events that may impact you.
While the Service Health Dashboard displays the general status of AWS services, Account Health Dashboard gives you a personalized view into the performance and availability of the AWS services underlying your AWS resources.
The dashboard displays relevant and timely information to help you manage events in progress and provides proactive notification to help you plan for scheduled activities.
Can aggregate data from an entire AWS Organization
Section 15: VPC & Networking
VPC Overview
At the AWS Certified Cloud Practitioner Level, you should know about:
VPC, Subnets, Internet Gateways & NAT Gateways
Security Groups, Network ACL (NACL),VPC Flow Logs
VPC Peering,VPC Endpoints
Site to Site VPN & Direct Connect
Transit Gateway
IP Addresses in AWS
IPv4
Public IPv4, changes when EC2 is started
Private IPv4, fixed for EC2 even if you start/stop them
Elastic IP
Fixed public IPv4 address
Has cost if not attached or EC2 instance is stopped
IPv6
Every IP address is public
3.4 x 10^38 addresses
VPC, Subnet, Internet Gateway & NAT Gateways
VPC & Subnets Primer
Public subnet
Private subnet
Subnets (tied to AZ)
Route tables
VPC - Virtual Private Cloud
Internet Gateway & NAT Gateways
Internet Gateways
Public subnets have a route to the internet gateway
NAT Gateways (AWS-managed) & NAT Instances (self-managed) allow your instances in your private subnets to access the internet while remaining private
Security Groups & Network Access Control List (NACL)
NACL (Network ACL)
Subnet level
ALLOW and DENY rules
IP addresses
Security Group
EC2 level
Only ALLOW rules
IP addresses and other security groups
VPC Flow Logs & VPC Peering
VPC Flow Logs
Capture information about IP traffic
Helps to monitor & troubleshoot connectivity issues
VPC Peering
Connect two VPCs
Must not have overlapping CIDRs
VPC Endpoints - Interface & Gateway (S3 & DynamoDB)
VPC Endpoint Gateway
S3
DynamoDB
VPC Endpoint Interface
For all the rest
Endpoints allow you to connect to AWS Services using a private network (instead of public internet)
PrivateLink
Network Load Balancer (on the 3rd party VPC side)
Elastic Network Interface (ENI) (on my VPC side)
Direct Connect & Site-to-Site VPN
Site to Site VPN
Encrypted
Goes over public internet
Customer Gateway (on-prem) and Virtual Private Gateway (AWS)
Direct Connect (DX)
Physical connection between on-premises and AWS
Goes over a private network
Takes at least a month to establish
Client VPN
AWS Client VPN (OpenVPN)
Goes over the public internet
Transit Gateway Overview
Connects 100s or 1000s of VPCs together, as well as with on-prem
One single gateway
Works with Direct Connect Gateway, VPN connections
Section 16: Security & Compliance
Shared Responsibility Model: Reminders & Examples
AWS Shared Responsibility Model
Customer responsibility - Security in the Cloud
Shared controls
Patch management
Configuration management
Awareness & Training
AWS responsibility - Security of the Cloud
DDoS Protection: WAF & Shield
DDOS Protection on AWS
AWS Shield Advanced
Optional, R$3k/month
Protects against more sophisticated attacks
AWS WAF
Protects from common web exploits (layer 7)
Deploy on ALB, API Gateway, CloudFront
Can define a Web ACL
IP, headers, body
Geo-match
Rate-limit
AWS Shield Standard
Free, activated for every AWS customer
Protection from SYN/UDP floods, reflection attacks, other layer3/4 attacks
CloudFront and Route 53
AWS Auto Scaling
AWS Network Firewall
Protect your entire Amazon VPC
From layer 3 to layer 7
Any direction
AWS Firewall Manager
Manage security rules in all accounts of an AWS Organization
Security policy: common set of security rules
Rules applied to new resources as they are created (compliance)
Penetration Testing
Allowed services
EC2, NAT gateways, ELB
RDS
CloudFront
Aurora
API gateways
Lambda and Lambda@Edge
Lightsail
Elastic Beanstalk
Prohibited
DNS zone walking
DDoS, flooding
Encryption with KMS & CloudHSM
Key Management System (KMS)
Encryption Opt-in
Redshift
S3
RDS
EBS
EFS
Encryption automatically enabled
CloudTrail logs
S3 Glacier
Storage Gateway
Cloud HSM
Dedicated hardware (hardware security module)
You manage your encryption keys
HSM is tamper resistant
Types of KMS keys
Customer Managed Key
AWS Managed Key
AWS Owned Key
CloudHSM Key
AWS Certificate Manager (ACM) Overview
Provision, manage and deploy SSL/TLS certificates
Integration with
ELB
CloudFront
API Gateway
Secrets Manager Overview
Can force rotation of secrets
Automate generation of secrets
Integration with Amazon RDS
Secrets encrypted using KMS
Artifact Overview
Portal with AWS compliance documentation and AWS agreements
GuardDuty Overview
Intelligent Threat Discovery
Uses machine learning algorithms, anomaly detection, 3rd party data
Input data includes
CloudTrail
VPC Flow Logs
DNS Logs
Can protect against crypto currency attacks
Inspector Overview
EC2
Container images in ECR
Automated Security Assessments
Lambda functions
Reporting & integration with AWS Security Hub
Send findings to Amazon EventBridge
Config Overview
Helps with auditing and recording compliance of your AWS resources
Helps record configurations and changes over time
Macie Overview
Uses ML and pattern matching to discover and protect your sensitive data in AWS
Helps identify and alert you to sensitive data, such as PII
Security Hub Overview
Central security tool to manage security
Integrated dashboards showing current security and compliance status
Must first enable the AWS Config Service
Amazon Detective Overview
Analyzes, investigates and quickly identifies the root cause of security issues
Automatically collects and processes events from VPC Flow Logs, CloudTrail, GuardDuty and creates a unified view
Produces visualizations with details and context
AWS Abuse
Report AWS resources used for abusive or illegal purposes
Abusive & prohibited behaviors are:
Port scanning
DoS or DDoS
Intrusion attempts
Spam
Hosting objectionable or copyrighted content
Distributing malware
Root User Privileges
Root user = Account Owner
Has complete access to all AWS services and resources
Only root can
Change account settings
View certain tax invoices
Close your AWS account
Restore IAM user permissions
Change or cancel your AWS Support Plan
...
IAM Access Analyzer
Find out which resources are shared externally
IAM roles
KMS keys
S3
Lambda functions and layers
SQS queues
Secrets Manager Secrets
Section 17: Machine Learning
Polly Overview
Turn text into speech
Does the opposite of Transcribe
Translate Overview
Language translation
Transcribe Overview
Convert speech to text
Automatic speech recognition (ASR)
Remove PII automatically
Lex + Connect Overview
Amazon Lex
Automatic Speech Recognition (ASR) to convert speech to text
Recognizes the intent of text, callers
Amazon Connect
Cloud-based virtual contact center
Receive calls, create contact workflows
Rekognition Overview
Find objects, people, text, scenes in images and videos
Facial analysis and facial search
Create a database of "familiar faces"
Comprehend Overview
Find insights and relationships in text
Understand how positive or negative the text is
Natural Language Processing (NLP)
SageMaker Overview
Service to build ML models
Typically difficult to do all the processes in one place
Forecast Overview
Uses ML to deliver highly accurate forecasts
Example: predict the future sales of a raincoat
Kendra Overview
Document search service powered by ML
Extract answers from within a document
Personalize Overview
Build apps with real-time personalized recommendations
Example: personalized product recommendations
Textract Overview
Extracts text, handwriting and data from scanned documents
Extracts data from forms and tables
Section 18: Account Management, Billing & Support
Organizations Overview
The main account is the master account
Benefits
Consolidated billing
Pricing benefits from aggregated usage
Pooling of reserved EC2 instances
Allows you to manage multiple AWS accounts
Restrict account privileges using Service Control Policies (SCP)
Multi account strategies
Department
Cost center
Dev / test / prod
...
Service Control Policies (SCP)
Applied at the OU or Account level
Does not apply to the Master Account
Whitelist or blacklist IAM actions
Applied to all the Users and Roles of the Account, including Root
Organization Consolidated Billing
Combined usage
Reserved instances
Savings Plans
Volume pricing
One bill
AWS Control Tower Overview
Set up and govern a secure and compliant multi-account AWS environment
Benefits
Automate ongoing policy management
Detect policy violations
Monitor compliance
Automate the set up of the environment
AWS Resource Access Manager (AWS RAM)
Share resources with other AWS accounts
Supported resources
VPC subnets
Transit gateways
Route 53
Aurora
EC2 Dedicated hosts
AWS Service Catalog
Quick self-service portal
Set of authorized products pre-defined by admins
Pricing models of the Cloud
4 pricing models
Save when you reserve
Pay less by using more
Pay as you go
Pay less as AWS grows
Free services & free tier
Free services
IAM
VPC
Consolidated billing
Free, but you pay for the resources they create
Elastic Beanstalk
CloudFormation
Auto Scaling Group
Free tier
EC2 t2.micro for a year
S3, EBS, ELB, AWS Data Transfer
Compute pricing - EC2
Spot instances: bid for unused capacity (may lose it)
Dedicated host: 1 or 3 years commitment
Reserved instances: 1 or 3 years commitment
Savings Plans
On-demand instances
S3
EBS
RDS
CloudFront
Lambda & ECS
Networking
Use private IP
Use same AZ
Savings Plan
Commit a certain $ amount per hour for 1 or 3 years
Easiest way to set up long-term commitments on AWS
EC2 Savings Plan
Compute Savings Plan
Machine Learning Savings Plan
Setup from the AWS Cost Explorer
AWS Compute Optimizer
Recommends optimal AWS resources for your workloads
Uses ML to analyze configurations and utilization
Supported resources: EC2, ASG, EBS, Lambda
Billing & Costing Tools
Tracking costs in the cloud
Cost allocation tags
Cost and usage reports
Cost explorer
Billing dashboard
Monitoring against cost plans
Billing alarms
Budgets
Estimating costs in the cloud
Pricing calculator
Tracking costs in the cloud
AWS Billing Dashboard
Free tier dashboard
High level overview
Cost Allocation Tags
Tag Editor
Cost and Usage Reports
Cost Explorer
Monitoring costs in the cloud
Billing alarms
AWS budgets
Create budget and send alarms
4 types of budgets: Usage, Cost, Reservation, Savings Plans
AWS Cost Anomaly Detection
Detects unusual spends
Detects one-time cost spike and/or continuous cost increases
Sends report with root-cause analysis
AWS Service Quotas
Notify when you're close to a service quota threshold
Create CloudWatch Alarms on the Service Quotas console
AWS Trusted Advisor
High level AWS account assessment
Recommendations in 6 categories
Performance
Security
Fault tolerance
Cost optimization
Service limits
Operational excellence
Business & Enterprise Support plan
Full set of checks
AWS Support API
Support plans for AWS
Developer
Business hours email access to Cloud Support Associates
Business
Trusted Advisor (full set of checks) + API
24x7 phone, email and chat access to Cloud Support Engineers
Basic
AWS Trusted Advisor (only 7 checks)
AWS Personal Health Dashboard
Customer Service & Communities
Enterprise On-Ramp
Technical Account Managers (TAM)
Concierge Support Team (for billing and account best practices)
Infrastructure Event Management, Well-Architected & Operations Reviews
Enterprise
Designated Technical Account Manager (TAM)
Section 19: Advanced Identity
Security Token Service (STS)
Create temporary, limited-privilege credentials to access your AWS resources
Short-term credentials
Cognito
Identity for your web and mobile applications users (potentially millions)
Instead of creating an IAM user for them, you create a user in Cognito
Directory Services
Microsoft Active Directory (AD)
Found on any Windows Server with AD Domain Services
Database of objects: user accounts, computers, printers, file shares, security groups
Centralized security management, create account, assign permissions
AWS Directory Services
AWS Managed Microsoft AD
Create AD in AWS
Establish "trust" connections with on-prem AD
AD Connector
Proxy to redirect to on-prem AD
Simple AD
AD-compatible managed directory on AWS
IAM Identity Center
Successor to AWS Single Sign-On
Identity providers
Built-in identity store in IAM Identity Center
3rd party: AD, OneLogin, Okta...
One login (single sign-on) for all your
AWS accounts in AWS Organizations
Business cloud applications (e.g., Salesforce, Box, Microsoft 365...)
SAML2.0-enabled applications
EC2 Windows Instances
Section 20: Other Services
WorkSpaces
Managed Desktop as a Service (DaaS)
Windows or Linux desktops
AppStream 2.0
Desktop Application Streaming Service
Application is delivered from within a web browser
IoT Core
Connect IoT devices to the AWS Cloud
AppSync
Store and Sync data across mobile and web apps in real-time
Uses GraphQL
Real-time subscriptions
Offline data synchronization
Amplify
Develop and deploy full stack web and mobile applications
Authentication, Storage, API, CI/CD, PubSub, Analytics...
Application Composer
Visually design and build serverless applications quickly on AWS
Generates Infrastructure as Code (IaC) using CloudFormation
Device Farm
Tests your web and mobile apps against desktop browsers, real mobile devices and tablets
AWS Backup
Centrally manage and automate backups across AWS services
On-demand and scheduled backups
Cross-region and cross-account backup
Stores backups in S3
Disaster Recovery Strategies
Warm Standby
Full version of the app in cloud, but at minimum size
Increase the size when needed (DR)
Multi-Site / Hot-Site
Most expensive
Full version of the app, at full size in cloud
Pilot Light
Run core functions of the app in the cloud (e.g. the database)
Ready to scale, but minimal setup
Backup and restore
Cheapest
Backup of the app in the cloud
AWS Elastic Disaster Recovery (DRS)
Used to be named "CloudEndure Disaster Recovery"
Recover your physical, virtual and cloud-based servers into AWS
Continuous block-level replication for your servers
DataSync
Move large amounts of data from on-premises to AWS
Replication can be scheduled
Replication tasks are incremental after the first full load
Application Discovery Service & Application Migration Service
Application Discovery Service
Agentless Discovery (AWS Agentless Discovery Connector)
Agent-based Discovery (AWS Application Discovery Agent)
Plan migration projects by gathering information about on-prem data centers
AWS Application Migration Service (MGN)
Lift-and-shift (rehost) solution
Migration Evaluator
Build a data-driven business case for migration to AWS
Agentless Collector to conduct broad-based discovery
Develop a migration plan
Migration Hub
Collect server and application inventory data
Accelerate your migration to AWS
Fault Injection Simulator (FIS)
Chaos Engineering
Step Functions
Build serverless visual workflow to orchestrate your Lambda functions
Ground Station
Control satellite communications, process data, and scale your satellite operations
Provides a global network of satellite ground stations near AWS regions
Pinpoint
Scalable 2-way (outbound/inbound) marketing communications service
Supports email, SMS, push, voice, and in-app messaging
Possibility to receive replies
Section 21: AWS Architecting & Ecosystem
AWS WhitePapers Well-Architected Framework
Guiding Principles
Test systems at production scale
Automate to make architectural experimentation easier
Stop guessing your capacity needs
Allow for evolutionary architectures
Design based on changing requirements
Drive architecture using data
Improve through game days
Simulate applications for flash sales days
Design Principles
Disposable Resources: servers should be disposable & easily configured
Automation: serverless, IaaS, auto scaling...
Scalability: vertical & horizontal
Loose coupling
Monolith
Break it down into smaller, loosely coupled components
A change or a failure in one component should not cascade to other components
Services, not servers
Don't use just EC2
Use managed services, databases, serverless, etc
6 Pillars
Security
Reliability
Operational excellence
Performance efficiency
Cost optimization
Sustainability
Pillar 1: Operational excellence
Perform operations as code - Infrastructure as code
Annotate documentation - Automate the creation of annotated documentation after every build
Make frequent, small, reversible changes - So that in case of any failure, you can reverse it
Refine operations procedures frequently - And ensure that team members are familiar with it
Anticipate failure
Learn from all operational failures
Pillar 2: Security
Implement a strong identity foundation - Centralize privilege management and reduce (or even eliminate) reliance on long-term credentials - Principle of least privilege - IAM
Enable traceability - Integrate logs and metrics with systems to automatically respond and take action
Apply security at all layers - Like edge network,VPC, subnet, load balancer, every instance, operating system, and application
Automate security best practices
Protect data in transit and at rest - Encryption, tokenization, and access control
Keep people away from data - Reduce or eliminate the need for direct access or manual processing of data
Prepare for security events - Run incident response simulations and use tools with automation to increase your speed for detection, investigation, and recovery
Pillar 3: Reliability
Test recovery procedures - Use automation to simulate different failures or to recreate scenarios that led to failures before
Automatically recover from failure - Anticipate and remediate failures before they occur
Scale horizontally to increase aggregate system availability - Distribute requests across multiple, smaller resources to ensure that they don't share a common point of failure
Stop guessing capacity - Maintain the optimal level to satisfy demand without over or under provisioning - Use Auto Scaling
Manage change in automation - Use automation to make changes to infrastructure
Pillar 4: Performance efficiency
Democratize advanced technologies - Advanced technologies become services and hence you can focus more on product development
Go global in minutes - Easy deployment in multiple regions
Use serverless architectures - Avoid burden of managing servers
Experiment more often - Easy to carry out comparative testing
Mechanical sympathy - Be aware of all AWS services
Pillar 5: Cost optimization
Adopt a consumption model - Pay only for what you use
Measure overall efficiency - Use CloudWatch
Stop spending money on data center operations - AWS does the infrastructure part and enables customer to focus on organization projects
Analyze and attribute expenditure - Accurate identification of system usage and costs, helps measure return on investment (ROI) - Make sure to use tags
Use managed and application level services to reduce cost of ownership - As managed services operate at cloud scale, they can offer a lower cost per transaction or service
Pillar 6: Sustainability
Understand your impact — establish performance indicators, evaluate improvements
Establish sustainability goals — Set long-term goals for each workload, model return on investment (ROI)
Maximize utilization — Right size each workload to maximize the energy efficiency of the underlying hardware and minimize idle resources.
Anticipate and adopt new, more efficient hardware and software offerings — and design for flexibility to adopt new technologies over time.
Use managed services — Shared services reduce the amount of infrastructure; managed services help automate sustainability best practices such as moving infrequently accessed data to cold storage and adjusting compute capacity.
Reduce the downstream impact of your cloud workloads — Reduce the amount of energy or resources required to use your services and reduce the need for your customers to upgrade their devices
Cloud Adoption Framework (CAF)
Capabilities in 6 perspectives
People
Governance
Business
Platform
Security
Operations
Transformation Domains
Technology
Process
Organization
Product
Transformation Phases
Align
Launch
Envision
Scale
Ebook/whitepaper, helps build a plan for digital transformation
Right Sizing
Scaling up is easy, so always start small
Matching instance types and sizes to workload
Tools: CloudWatch, Cost explorer, Trusted Advisor...
AWS Ecosystem
Free resources
AWS Forums
AWS Whitepapers & Guides
AWS Blogs
AWS Partner Solutions
AWS Solutions
AWS Support
AWS Marketplace
AWS Training
AWS Professional Services & Partner Network
AWS IQ & re:Post
AWS IQ
Quickly find professional help for your AWS projects
Like a freelance platform
AWS re:Post
Community forum
AWS-managed Q&A service
Part of the AWS Free Tier
AWS Knowledge Center
Contains the most frequent & common questions and requests
Part of re:Post
AWS Managed Services
Provides infra and app support on AWS
Offers a team of AWS experts who manage your infra for security, reliability and availability
Section 22: Preparing for the Exam...
Words on Other Services
Distractors
Focus on the 40 services covered in the course
State of Learning Checkpoint
AWS CCP Official Practice Question Set
Exam: 50 scored questions + 15 unscored questions
Score from 100 to 1000 - pass with 700
AWS Skill Builder: Exam Prep Official Question Set: AWS Certified Cloud Practitioner (CLF-C02 - English)
Exam Sample Question Walkthrough
Exam Tips
You can flag questions
65 questions in 90 minutes
Fail: can retake in 14 days
Exam Walkthrough and Signup
AWS Builder ID
Save 50% on your AWS Exam Cost
Get an Extra 30 Minutes on your AWS Exam
Request Accommodation: ESL +30 minutes
Request it before scheduling the exam