====== Amazon AWS Cert 1 ======

  * Cert name: AWS Certified Cloud Practitioner
  * Exam code: CLF-C01
  * Price: 100 USD
  * Scheduled: 18/12/19 2:15pm @ Saxons Training Facility (NT) DNS Level 11, 300 Adelaide Street

==== 1. AWS Cloud Defined ====

  * Cloud
    * on demand network access - on demand self service
    * broad network access - accessible over the network through standard mechanisms
    * shared pool of configurable resources - resource pooling
    * rapid provisioning - elasticity
    * measured service - billing, metrics
  * Implementations
    * SaaS: Software as a Service - MailChimp, Pronto
    * PaaS: Platform as a Service - Lambda, run Perl / Node.js scripts
    * IaaS: Infrastructure as a Service - provision of hardware to some extent

AWS Overview

  * Compute
    * EC2 - Elastic Compute, scaling by instance count or instance power
    * Lambda - serverless code, Python, Perl, Node
    * Elastic Beanstalk - web apps, PHP, Python, Ruby
    * Elastic Container Service - Docker
  * Storage
    * Simple Storage Service - normal object storage
    * Elastic Block Store - filesystem storage
    * Glacier - long term archiving solution, retrieval costs
    * Elastic File System - NFS implementation
  * Network
    * Virtual Private Cloud - VLAN equivalent of Cloud / subnet
    * Route 53 - DNS management
    * CloudFront - global content delivery network
    * API Gateway - API managed service
    * Direct Connect - direct peering to AWS from on premise - cheaper cost, faster speed
  * Database
    * Relational Database Service - Aurora, PostgreSQL, MySQL, MariaDB, Oracle, MSSQL
    * DynamoDB - NoSQL
    * ElastiCache - in memory distributed cache (Redis / Memcached)
    * Redshift - data warehouse
  * Security Services
    * Identity Access Management - control access to resources by users, groups, roles
    * Security Groups - associated with EC2 instances, traffic filtering
    * Network ACLs - traffic between VPCs: permit / deny
  * Automation - Application Support
    * CodeDeploy - fully managed code deployment
    * CloudFormation - configure and deploy AWS resources based on a template
    * OpsWorks - Chef / Puppet - configuration management tool
  * Management Tools
    * Service Catalog - approved services to run on AWS - compliance and governance
    * Systems Manager - unified user interface for grouping / deploying tasks to multiple resources
    * Trusted Advisor - resource helper to reduce cost, increase performance, and improve security by optimizing the environment
  * Monitoring
    * CloudWatch - monitoring service: collect and track metrics and log files, alarms, react to changes
    * CloudTrail - records API calls and their origin, user, resource ID and result

==== 2. Cloud Advantages ====

Opex is replacing capex

  * lack of contract commitment
  * reduction of negotiations
  * reduced procurement delays
  * pay as you go
  * high level of security
  * flexibility - auto scaling
  * massive global infrastructure
  * SaaS, PaaS, IaaS offerings
  * emphasis on API support

AWS Agility gain

  * speed - fast global infrastructure
  * experimentation - tools available for testing
  * culture of innovation

AWS Global infrastructure

  * Regions - physical locations, geographically dispersed
  * Availability Zones - made of 1 or more datacenters; they contain high availability and high fault tolerance hardware
  * Edge locations - host cached content (CDN), also entry point for S3

Huge scaling advantages

  * auto scaling - monitor application, auto adjust capacity, creates additional resources as demand increases
  * elastic load balancing - auto distributes traffic across multiple targets (EC2, containers, IPs)
    * application
    * network
    * classic

==== 3. Core AWS Services ====

VPC

  * High Availability - VPCs exist in Regions; an account can have multiple VPCs
  * Subnets - segmentation at layer 3
  * Route tables - route traffic IN and OUT
  * Internet Gateway - permits access to the Internet from the VPC
  * NAT Gateway - translates private VPC endpoints into public IPs
  * NACLs - control access to VPC subnets

EC2

  * 99.95% availability
  * Provision Type
    * dedicated instance - hardware dedicated to a single customer
    * dedicated host - physical host entirely dedicated to one instance - solves compliance and licensing issues
  * Pricing models
    * on demand - pay by hour, no long term commitment
    * reserved instance - up to 25% discount compared to on demand - can be a convertible instance
    * spot instance - bid on spare EC2 resources - up to 90% discount

EBS

  * SSD or HDD
  * availability of 99.999%
  * encryption
  * access management
  * snapshots - quick, backed by S3

S3

  * 99.9999999999% durability
  * 5TB per object limit
  * no limit on amount of objects

RDS

  * Aurora is Amazon's implementation of Postgres / MySQL
  * Database Migration Service

==== 4. Cloud Architecture Design Principles ====

Goals of framework:

  * build and deploy solutions faster than ever
  * lower and mitigate risk with the move to cloud
  * make informed decisions about how to implement solutions in the cloud
  * learn the most powerful best practice approaches to using AWS services and tools

Pillars of framework:

  * Operational excellence - run & monitor to provide value to the business
    * perform operations in code
    * annotate documents as much as possible
    * make frequent, small and reversible changes
    * refine your operational procedures frequently
    * anticipate failures and have recovery plans
    * learn from failures
  * Security - protect assets
    * strong identity practices
    * full traceability
    * implemented at all layers
    * effort to automate many best practices
    * information secured at rest and in transit
    * prepare for security events
  * Reliability - recover from failures
    * test recovery
    * automate failure recovery
    * automatically scale horizontally when needed
    * stop guessing at capacity for IT resources
    * manage changes through automation
  * Performance efficiency - efficient use
    * democratize advanced technologies, making them affordable
    * take resources global in minutes
    * target serverless computing
    * experiment freely and often
    * maintain mechanical sympathy - match business goals with technology
  * Cost optimisation
    * adopt a consumption model based on OPEX
    * measure efficiency of your architecture
    * stop wasting money
    * closely analyze expenditure of AWS infra
    * use managed services

==== 5. Shared Responsibility Model ====

Shared security

  * Amazon AWS handles security of the host OS, virtualisation efficiency and physical security.
    * cloud software: compute, storage, networking and database
    * hardware
    * AWS global infrastructure: regions, AZs, edge locations
  * The client handles security of the guest OS including updates and patches, firewall, network access lists.
    * customer data
    * platform, applications, IAM
    * guest OS
    * network and firewall systems
    * client side data encryption
    * server side encryption (FS or data)
    * network traffic protection (encryption, integrity and identity)

IT Controls can be:

  * Inherited - fully inherited from AWS
  * Shared - infra layer is properly set up by AWS but must also be properly configured by the client (ex: IAM)
  * Customer specific controls - client is fully responsible for security (ex: patching of EC2)

==== 6. Cloud Security and Compliance ====

Security Triad

  * Confidentiality - encrypting data
  * Integrity - protecting data
  * Availability - ensuring data access

AWS undertakes

  * compliance reports
  * independent third party attestations
  * industry certifications

AWS provides

  * reports, sometimes under NDA
  * functionality through security features
  * compliance playbooks
  * mapping documents
  * risk management
  * control environments
  * information security

==== 7. AWS Access Management Capabilities ====

Identity Access Management

  * access from service to service - often as roles
  * MFA - 2FA
  * identity federation - already authenticated users can gain temporary access
  * identity information for assurance - CloudTrail logging
  * PCI DSS compliance
  * integration - fully integrated with every major service of AWS
  * eventually consistent - HA lag, IAM first
  * always free
  * accessibility options - SDK, API, AWS CLI, web console

IAM identities

  * root user - account used to establish the AWS account
  * Users - entities, members of groups, with permissions and passwords
  * Groups - collection of IAM users - easier management
  * Roles - similar to a user account but without credentials

Best practices:

  * store the root user securely
  * create individual IAM users
  * use groups to assign permissions to IAM users - makes security scalable
  * use AWS defined policies for permissions
  * grant least privilege
  * review IAM permissions regularly
  * always configure a strong password policy for your users
  * enable MFA for privileged accounts
  * use roles - resource to resource access
  * use roles to delegate permissions
  * do not share access keys
  * rotate credentials
  * remove unnecessary credentials
  * use policy conditions - access from IP or geo location, or time and day of week condition
  * monitor access

==== 8. Resources for Security Support ====

AWS Certifications and Attestations

  * DoD SRG
  * FedRAMP
  * FIPS
  * IRAP
  * ISO 9001, 27001, 27017, 27018
  * MLPS Level 3
  * MTCS
  * PCI DSS Level 1
  * SEC Rule 17a-4(f)
  * SOC 1
  * SOC 2
  * SOC 3

Many regulations that AWS facilitates:

  * EU Model Clauses
  * FERPA
  * HIPAA
  * IRS 1075
  * ITAR
  * My Number Act (Japan)
  * VPAT Section 508
  * EU Data Protection Directive

Frameworks

  * CJIS
  * FedRAMP TIC
  * FISC
  * FISMA
  * GxP (FDA 21 CFR Part 11)
  * IT Grundschutz
  * MPAA
  * NERC
  * NIST
  * UK Cyber Essentials

AWS provides many whitepapers to help clients with how-tos and best practices.

AWS Artifact - central resource for compliance related information \\ on demand access to AWS security reports and agreements.

AWS Trusted Advisor

  * management tool for ensuring the client follows security best practices and helps close security gaps
  * finds security issues and improvement opportunities

AWS Cloud Support Associates and Engineers

  * different levels of support from AWS
  * Basic - none / forum
  * Developer - business hours access to cloud support associates via email
  * Business - 24x7 access to cloud support engineers via email, chat and phone
  * Enterprise - 24x7 access to senior cloud support engineers via email, chat and phone

Additional support

  * Professional Services network - specific outcomes
  * AWS Partner Network - third party consultants
  * Advisories and Bulletins - updates to infrastructure
  * Auditor learning path - compliance focused - how to audit the AWS Cloud
  * Compliance Solution Guide - repository of frequently used resources and processes
  * Services in Scope - not all services are in scope of a compliance effort
  * Security Blog
  * Case Studies
  * FAQ - source of questions for AWS exams

==== 9. Methods of Deploying and Operating in AWS ====

Deployments:

  * Automation - accomplished without human intervention
    * configuration templates
    * code deployment automation
    * self healing infrastructures
    * reduction in the need for manual interventions
    * reduction in the potential for errors
    * lowered operating costs for managed service providers (MSPs)
    * huge role in
      * backup generation and retention
      * security compliance
      * code deployment
      * AWS infrastructure changes
  * Orchestration - workflow / set of automated tasks
    * automating new instances with auto scaling
    * load balancing with automated ELB configs
    * deploying automation using CodeDeploy
    * using Puppet scripts to automate configuration of the OS
    * CloudFormation - turning many tasks into a template with a single API call
    * advantages:
      * lowering of IT costs
      * gained time for new or experimental projects
      * improved delivery times to customers
      * reduced friction between systems and development teams
  * Management Options
    * Provisioning - CloudFormation / works well with Service Catalog
    * Operations management - AWS Systems Manager, AWS Config or CloudTrail
    * Monitoring and logging - CloudWatch + stream of events which can be reacted upon
    * Managed services for configuration - AWS OpsWorks - fully managed config service (Chef + Puppet)

==== 10. AWS Global Infrastructure ====

AWS has

  * Regions
    * physical location in the world where there are multiple AZs
    * minimum of 2 AZs per region
    * regions are interconnected with high bandwidth, low latency links
    * isolated from other regions - not dependent
    * regions also host EDGE LOCATIONS - endpoints from where CloudFront serves data
  * Availability Zones
    * one or more discrete data centers - each with redundant power, networking and connectivity
    * higher availability due to multiple data centers
    * datacenter choice with multiple power providers, lower risk floodplains

Its connections can be:

  * Direct Connect
    * easy to establish a dedicated network connection from premises to AWS
    * private connectivity between AWS and datacenter / office / colocation
    * potential reduction of your network costs (saving on transfer out fee)
    * potential increase in bandwidth throughput
    * typically a more consistent network experience than internet based connections
    * use of 802.1Q to provide access to different resources
  * VPC Endpoint
    * privately connect a VPC to supported AWS services
    * does not require a gateway, NAT device, VPN connection, Direct Connect link or public IP
    * traffic between the VPC and the other service does not leave the AWS network
    * virtual devices
    * no risk or limitation with bandwidth or availability
    * Interface endpoints - powered by AWS PrivateLink
      * assign a private elastic network interface to an AWS service like:
        * API Gateway, CloudWatch, CodeBuild, Config, EC2 API, ELB API
    * Gateway endpoints
      * target for a specified route in your route table
      * for services like S3 or DynamoDB
  * VPC Peering
    * VPC to VPC peering
    * foreign VPC can be same account, different region or different account
    * no single point of failure for communication and no bandwidth bottleneck
  * ClassicLink
    * link an EC2-Classic instance to a VPC under your account within the same region

==== 11. Resources for Technology Support ====

AWS provides:

  * Documentation
    * Guides and API References
      * Compute
      * Storage
      * Database
      * Developer Tools
      * Security, Identity, Compliance
      * Machine Learning
      * Management, Governance
      * Migration, Transfer
      * Mobile
      * Networking, Content Delivery
      * etc.
    * Tutorials and Projects
      * Websites and Web Apps
      * DevOps
      * Storage
      * Database
    * SDKs and Toolkits
  * General resources
    * best resources in "related links"
    * AWS glossary
    * AWS case studies
    * AWS whitepapers
    * AWS general reference
    * FAQ
    * Discussion Forums

==== 12. Using the free tier to build a web server ====

  * Free tier is valid for 1 year
  * Has the following components:
    * API Gateway
    * Cloud Directory
    * CloudFront
    * Comprehend
    * Connect
    * EC2 - t2.micro
    * EFS
    * EBS
    * etc.
  * Extra services remaining free after a year:
    * CloudWatch
    * Cognito
    * DynamoDB
    * Glacier
    * Macie
    * SES
    * SNS
    * SQS
    * SWF
    * CodeBuild
    * CodeCommit
    * CodePipeline
    * Database Migration Service
    * Glue
    * Key Management Service
    * Lambda
    * Step Functions
    * Storage Gateway
    * X-Ray

==== 13. AWS Pricing Models ====

Fundamentals:

  * PAYG / on demand - no long term commitments
  * reserve - save up to 70% of cost over on demand
    * pay upfront: all, some or none
  * volume discounts as the infrastructure grows
  * custom pricing models for huge corporations
  * free services forever
    * VPC
    * CloudFormation
    * IAM
    * Auto Scaling
  * Cost categories
    * compute
    * storage
    * data transfer out
    * in general, no cost for transfer IN, or transfer within AWS

Cost breakdown

  * EC2
    * total clock hours of usage
    * amount of distributions of load balancing
    * machine config
    * detailed monitoring
    * machine purchase type
    * software OS
    * elastic IP address
    * number of instances (including auto scaling)
    * cross AZ data transfer
  * S3
    * storage type
    * storage class
    * requests
    * data transfer out
  * EBS
    * volume type
    * IOPS
    * snapshots
  * RDS
    * total clock hours of usage
    * additional storage
    * database config
    * purchase type
    * deployment type
    * number of databases
    * data transfer out
    * provisioned storage
  * CloudFront
    * traffic distribution location
    * requests
    * data transfer out

==== 14. Account Structures for Billing and Pricing ====

AWS Support

  * proactive guidance
    * access to a technical account manager
    * dedicated voice within AWS to serve as technical point of contact and advocate
    * proactive guidance and best practice to help optimize your AWS environment
    * orchestration and access to the breadth and depth of technical expertise of AWS
  * Best practices - online resource
    * Trusted Advisor available on business and enterprise plans
    * guidance on getting the best optimal performance
    * opportunities to reduce monthly spend while retaining productivity
    * best practice to help increase security
  * Account assistance
    * Concierge team at AWS, part of the enterprise support plan
  * Launch Support
    * planned events
    * guidance on scaling infrastructure for critical events
    * included in enterprise, extra fee for business plan
    * event planning and preparation based on use case and objective
    * resource recommendations and deployment guidance based on capacity
    * dedicated attention from the AWS support team
    * guidance and support as you scale resources to normal operating levels

Access to support

  * Basic - free
    * forums
    * seven core checks of Trusted Advisor
    * Personal Health Dashboard
  * Developer - $29/m - basic +
    * one primary contact for tickets
    * 12 hours response time
    * general guidance for architecture support
  * Business - $100/m - dev +
    * infrastructure event management for a fee
    * 1 hour response time
    * AWS Support API
    * guidance and troubleshooting on third party software
  * Enterprise - $15k/m - business +
    * Well-Architected review
    * operational recommendations
    * online self paced labs
    * concierge support team
    * designated technical account manager

==== 15. Resources for Billing Support ====

Total Cost of Ownership (TCO) calculators

  * use to predict costs
  * use to experiment with overflows

Simple Monthly Calculator

  * simple estimation of S3, EC2 costs
  * analyzing costs with graphs
  * Cost Explorer tool - free
    * strong filtering capability
    * forecast for the future
  * Budgets
    * use budgets to track AWS usage and costs
    * Cost Explorer can match budgets to costs
  * Payment currencies
    * estimated bills
    * pay in local currency
    * default is USD
    * AWS guarantees the exchange rate for refunds
  * AWS Cost and Usage Reports
    * billing reports to an S3 bucket
    * breakdown by hour and month
    * Cost Explorer graphs
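The IAM best practices in section 7 (least privilege, MFA for privileged access, policy conditions on source IP and time) are easiest to see in a policy document. The following is an added example, not from these notes or from AWS: a constructed policy using real IAM global condition keys, plus a small Python evaluator that applies IAM's default-deny / explicit-deny-wins logic to a request context. The bucket name and IP range are placeholders, and resource matching is left out to keep it short.

```python
import ipaddress
from datetime import datetime

# Constructed policy (not from the page): S3 read allowed only from one office
# range, with MFA, inside a date window. Real IAM condition keys; placeholder bucket.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {
             "IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
             "Bool": {"aws:MultiFactorAuthPresent": "true"},
             "DateGreaterThan": {"aws:CurrentTime": "2024-01-01T00:00:00Z"},
             "DateLessThan": {"aws:CurrentTime": "2024-12-31T23:59:59Z"}}},
        # Explicit deny with no conditions: overrides any Allow for this action.
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
    ],
}

_as_list = lambda v: v if isinstance(v, list) else [v]
_when = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))

def _condition_holds(operator, key, expected, ctx):
    """Evaluate one condition operator against the request context."""
    actual = ctx.get(key)
    if actual is None:  # key absent from the request: condition not satisfied
        return False
    expected = _as_list(expected)
    if operator == "IpAddress":
        return any(ipaddress.ip_address(actual) in ipaddress.ip_network(v) for v in expected)
    if operator == "Bool":
        return str(actual).lower() == expected[0].lower()
    if operator == "DateGreaterThan":
        return _when(actual) > _when(expected[0])
    if operator == "DateLessThan":
        return _when(actual) < _when(expected[0])
    raise ValueError(f"unsupported operator {operator}")

def evaluate(policy, action, ctx):
    """IAM-style decision: implicit deny; explicit Deny beats Allow. Resource matching omitted."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if action not in _as_list(stmt["Action"]):
            continue
        conds = stmt.get("Condition", {})
        if not all(_condition_holds(op, k, v, ctx)
                   for op, kv in conds.items() for k, v in kv.items()):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision
```

Changing any one context value (source IP outside the range, MFA absent, a time outside the window) flips the read to Deny, which is the point of stacking conditions on a least-privilege grant.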