
Amazon AWS Cert 1

  • Cert name: AWS Certified Cloud Practitioner
  • Exam code: CLF-C01
  • Price: 100 USD
  • Scheduled: 18/12/19 2:15pm @ Saxons Training Facility (NT) DNS Level 11, 300 Adelaide Street

1. AWS Cloud Defined

  • Cloud
    • on demand network access - on demand self service
    • broad network access - accessible over network through standard mechanisms
    • shared pool of configurable resources - resource pooling
    • rapid provisioning - elasticity
    • measured service - billing, metrics
  • Implementations
    • SaaS: Software as a service - MailChimp, Pronto
    • PaaS: Platform as a Service - Lambda, run Perl or Node.js scripts
    • IaaS: Infrastructure as a Service - provision of hardware to some extent

AWS Overview

  • Compute
    • EC2 - elastic compute, scaling by instance count or instance power
    • lambda - serverless code, python perl node
    • elastic beanstalk - web apps, php python, ruby
    • elastic container service - docker
  • Storage
    • simple storage service - normal object storage
    • elastic block store - filesystem storage
    • glacier - long term archiving solution, retrieval costs
    • elastic file system - NFS implementation
  • Network
    • Virtual Private Cloud - Vlan equivalent of Cloud / subnet
    • Route 53 - dns management
    • Cloudfront - global content delivery network
    • api gateway - api managed service
    • direct connect - direct peering to AWS from on premise - cheaper cost, faster speed
  • Database
    • Relational Database Service - aurora, postgresql mysql mariadb oracle mssql
    • DynamoDB - nosql
    • Elasticache - in memory distributed cache (redis / memcached)
    • Redshift - data warehouse
  • Security Services
    • Identity Access Management - control access to resources by users, groups, roles
    • Security Groups - associated with EC2 instances, traffic filtering
    • Network ACLs - traffic between VPCs : permit / deny
  • Automation - Application Support
    • CodeDeploy - fully managed code deployment
    • CloudFormation - configure deploy aws resources based on a template
    • OpsWorks - chef/puppet - configuration management tool
  • Management Tools
    • Service Catalog - approved services to run on AWS - compliance and governance
    • Systems Manager - unified user interface for grouping / deploying tasks to multiple resources
    • Trusted Advisor - resource helper to reduce cost, increase performance, and improve security by optimizing the environment
  • Monitoring
    • Cloudwatch - monitoring service, collect track metrics log files, alarms, react to changes
    • CloudTrail - records API calls and their origin, user, resourceID and result
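As an added example (not part of these notes, and not an AWS tool), a small Python script that parses CloudTrail-style records and flags the events a practitioner usually alerts on: root account activity, console logins without MFA, and denied API calls. The records are constructed samples in the CloudTrail event shape; the account id, ARNs and IP addresses are placeholders.

```python
import json

# Constructed sample log in the CloudTrail event shape (not real data).
# Account id, ARNs and IP addresses are placeholders.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2019-12-17T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "sourceIPAddress": "203.0.113.10",
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2019-12-17T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2019-12-17T10:06:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "sourceIPAddress": "198.51.100.9",
     "errorCode": "AccessDenied",
     "errorMessage": "User is not authorized to perform: iam:CreateUser"},
    {"eventTime": "2019-12-17T10:07:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "198.51.100.7",
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
]})

DENIED_CODES = {"AccessDenied", "Client.UnauthorizedOperation"}


def check_record(rec):
    """Return the names of the detection rules a single record trips."""
    hits = []
    identity = rec.get("userIdentity", {})
    # Root should be reserved for account setup; any API use by it is worth a look.
    if identity.get("type") == "Root":
        hits.append("root_account_activity")
    # Console logins carry MFAUsed in additionalEventData.
    if rec.get("eventName") == "ConsoleLogin":
        if rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            hits.append("console_login_without_mfa")
    # Denied calls show a permission gap or someone probing beyond their role.
    if rec.get("errorCode") in DENIED_CODES:
        hits.append("access_denied")
    return hits


def scan(log_text):
    """Parse a CloudTrail-style JSON document and return one finding per rule hit."""
    findings = []
    for rec in json.loads(log_text).get("Records", []):
        for rule in check_record(rec):
            findings.append({
                "rule": rule,
                "time": rec.get("eventTime"),
                "actor": rec.get("userIdentity", {}).get("arn"),
                "event": rec.get("eventName"),
                "source_ip": rec.get("sourceIPAddress"),
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['rule']:<27} {f['actor']} {f['event']} from {f['source_ip']}")
```

The same three checks map directly onto the notes' IAM best practices further down (secure the root user, enable MFA for privileged accounts, monitor access); in production the records would come from the CloudTrail S3 bucket or a CloudWatch Logs subscription rather than an inline string.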

2. Cloud Advantages

Opex is replacing capex

  • lack of contract commitment
  • reduction of negotiations
  • reduced procurement delays
  • pay as you go
  • high level of security
  • flexibility - auto scaling
  • massive global infrastructure
  • saas paas iaas offerings
  • emphasis on API support

AWS Agility gain

  • speed - fast global infrastructure
  • experimentation - tools available for testing
  • culture of innovation

AWS Global infrastructure

  • Regions - physical locations geographically dispersed
  • Availability Zones - made of 1 or more datacenters, they contain high availability and high fault tolerance hardware
  • edge locations - host cached content (CDN) , also entry point for S3

Huge scaling advantages

  • auto scaling - monitor application, auto adjust capacity, creates additional resources as demand increases
  • elastic load balancing - auto distributes traffic across multiple targets (ec2, containers, ips)
    • application
    • network
    • classic

3. Core AWS Services

VPC

  • High Availability - VPCs exist in Regions , An Account can have multiple VPCs
  • Subnets - segmentation at layer 3
  • route tables - route traffic IN and OUT
  • Internet Gateway - permits access to Internet from the VPC
  • Nat Gateway - translates private VPC endpoints into public IPs
  • NACLs - control access to VPC subnets

EC2

  • 99.95% availability
  • Provision Type
    • dedicated instance - hardware dedicated to a single customer
    • dedicated host - physical host entirely dedicated to one instance - solves compliance and licensing issues
  • Pricing models
    • on demand - pay by hour, no long term commitment
    • reserved instance - up to 25% discount compared to on demand - can be convertible instance
    • spot instance - bid on spare ec2 resources - up to 90% discount

EBS

  • SSD or HDD
  • availability of 99.999%
  • encryption
  • access management
  • snapshots - quick, backed by s3

S3

  • 99.9999999999% durability
  • 5TB per object limit
  • no limit on amount of objects

RDS

  • aurora is amazon's implementation of postgres / mysql
  • Database migration service

4. Cloud Architecture Design Principles

Goals of framework:

  • build and deploy solutions faster than ever
  • lower and mitigate risk with move to cloud
  • make informed decisions about how to implement solutions in the cloud
  • learn the most powerful best practice approaches to using AWS services and tools

Pillars of framework:

  • Operational excellence - run & monitor to provide value to the business
    • perform operations in code
    • annotate documents as much as possible
    • make frequent small and reversible changes
    • refine your operational procedure frequently
    • anticipate failures and have recovery plans
    • learn from failures
  • security - protect assets
    • strong identity practices
    • full traceability
    • implemented at all layers
    • effort to automate many best practices
    • information secured at rest and in transit
    • prepare for security events
  • Reliability - recover from failures
    • test recovery
    • automate failure recovery
    • automatically scale horizontally when needed
    • stop guessing at capacity for IT resources
    • manage changes through automation
  • Performance efficiency - efficient use
    • democratize advanced technologies making them affordable
    • deploy resources globally in minutes
    • target serverless computing
    • experiment freely and often
    • maintain mechanical sympathy - match business goals with technology
  • Cost optimisation
    • adopt consumption model based on OPEX
    • measure efficiency of your architecture
    • stop wasting money
    • closely analyze expenditure of AWS infra
    • use managed services

5. Shared Responsibility Model

Shared security

  • Amazon AWS handles security of host OS, virtualisation efficiency and physical security.
    • cloud software, compute storage networking and database
    • hardware
    • aws global infrastructure, regions AZ, edge locations
  • Client handles security of guest OS including updates and patches, firewall, network access lists.
    • customer data
    • platform, applications, IAM
    • guest OS
    • network and firewall systems
    • client side data encryption
    • server side encryption (FS or data)
    • network traffic protection (encryption, integrity and identity)

IT Controls can be:

  • Inherited - fully inherited from AWS
  • shared - infra layer is properly setup by AWS but also properly configured by client (ex: IAM)
  • customer specific controls: client is fully responsible for security (ex: patching of EC2)

6. Cloud Security and Compliance

Security Triad

  • Confidentiality - encrypting data
  • Integrity - protecting data
  • Availability - ensuring data access

AWS undertakes

  • compliance reports
  • independent third party attestations
  • industry certifications

AWS provides

  • reports sometimes under NDA
  • functionality through security features
  • compliance playbooks
  • mapping documents
  • risk management
  • control environments
  • information security

7. AWS Access Management Capabilities

Identity Access Management

  • access from service to service - often as roles
  • MFA - 2FA
  • identity federation - already authenticated users can gain temporary access
  • identity information for assurance - cloudtrail logging
  • PCI DSS compliance
  • integration - fully integrated with every major service of AWS
  • eventually consistent - HA lag, IAM first
  • always free
  • accessibility options - SDK, API, AWS CLI, WEB console

IAM identities

  • root user - account used to establish AWS account
  • Users - entities members of groups, with permissions and passwords
  • groups - collection of IAM users - easier management
  • roles - similar to user account but without credentials

Best practices:

  • store root user securely
  • create individual iam users
  • use groups to assign permission to iam users - make security scalable
  • aws defined policies for permissions
  • grant least privilege
  • review iam permissions regularly
  • always configure a strong password policy for your users
  • enable MFA for privileged accounts
  • use roles - resource to resource access
  • use roles to delegate permissions
  • do not share access keys
  • rotate credentials
  • remove unnecessary credentials
  • use policy conditions - access from IP or geo location, or time and day of week condition
  • monitor access
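As an added illustration (not from these notes and not AWS's own code), a simplified Python model of how an identity policy built on the practices above is evaluated: a least-privilege Allow on two S3 actions for one prefix, restricted with an aws:SourceIp condition, next to an explicit Deny. It applies the documented ordering an explicit Deny beats any Allow, a matching Allow grants, and everything else is implicitly denied. The bucket name, CIDR and actions are constructed; real IAM supports many more condition operators and also merges resource policies, permission boundaries and SCPs, which this model leaves out.

```python
import fnmatch
import ipaddress

# Constructed policy (placeholder bucket and CIDR): least-privilege Allow on two
# S3 actions for one prefix, conditioned on source IP, plus an explicit Deny on deletes.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-app-bucket/uploads/*",
         "Condition": {"IpAddress": {"aws:SourceIp": ["198.51.100.0/24"]}}},
        {"Effect": "Deny",
         "Action": "s3:DeleteObject",
         "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action names are case-insensitive and may use * wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource):
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Evaluate a small subset of IAM condition operators against request context keys."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False  # a missing context key never satisfies the condition
            values = _as_list(expected)
            if operator == "IpAddress":
                addr = ipaddress.ip_address(actual)
                if not any(addr in ipaddress.ip_network(c, strict=False) for c in values):
                    return False
            elif operator == "StringEquals":
                if actual not in values:
                    return False
            else:
                raise ValueError(f"operator not modelled here: {operator}")
    return True


def evaluate(policy, action, resource, context):
    """Simplified identity-policy evaluation: explicit Deny > Allow > implicit deny."""
    allowed = False
    for st in policy["Statement"]:
        if not _action_matches(st.get("Action", []), action):
            continue
        if not _resource_matches(st.get("Resource", []), resource):
            continue
        if "Condition" in st and not _condition_holds(st["Condition"], context):
            continue
        if st["Effect"] == "Deny":
            return "explicit_deny"
        allowed = True
    return "allow" if allowed else "implicit_deny"


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-app-bucket/uploads/report.csv"
    inside = {"aws:SourceIp": "198.51.100.42"}
    outside = {"aws:SourceIp": "203.0.113.5"}
    print(evaluate(LEAST_PRIVILEGE_POLICY, "s3:GetObject", obj, inside))     # allow
    print(evaluate(LEAST_PRIVILEGE_POLICY, "s3:GetObject", obj, outside))    # implicit_deny
    print(evaluate(LEAST_PRIVILEGE_POLICY, "s3:DeleteObject", obj, inside))  # explicit_deny
    print(evaluate(LEAST_PRIVILEGE_POLICY, "s3:ListBucket",
                   "arn:aws:s3:::example-app-bucket", inside))              # implicit_deny
```

The last case is the point of least privilege: nothing the policy does not name is reachable, so adding a permission is a deliberate, reviewable change rather than a default.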

8. Resources for Security Support

AWS Certifications and Attestations

  • DoD SRG
  • FedRAMP
  • FIPS
  • IRAP
  • ISO 9001 27001 27017 27018
  • MLPS Level 3
  • MTCS
  • PCI DSS level 1
  • Sec Rule 17a-4(f)
  • SOC 1
  • SOC 2
  • SOC 3

Many regulations that AWS facilitates:

  • EU Model Clauses
  • Ferpa
  • Hipaa
  • IRS 1075
  • ITAR
  • My number act (japan)
  • VPAT Section 508
  • EU Data protection directive

Frameworks

  • CJIS
  • Fedramp TIC
  • FISC
  • FISMA
  • GxP (FDA 21 CFG Part 11)
  • IT Grundschutz
  • MPAA
  • NERC
  • NIST
  • UK CYBER ESSENTIALS

Aws provides many whitepapers to help clients with howtos and best practices.

AWS Artifact - central resource for compliance related information
on demand access to AWS security reports and agreements.

AWS Trusted Advisor

  • management tool for ensuring the client follows security best practices and help close security gaps
  • finds security issues and improvement opportunities

AWS Cloud Support Associates and Engineers

  • different levels of support from AWS
    • Basic - none / forum
    • Developer - business hours access to cloud support associates via email
    • Business - 24×7 access to cloud support engineers via email chat and phone
    • Enterprise - 24×7 access to senior cloud support engineer via email chat and phone

Additional support

  • professional services network - specific outcomes
  • AWS partner network - third party consultants
  • Advisories and Bulletins - updates to infrastructure
  • Auditor learning path - compliance focused - howto audit of AWS Cloud
  • Compliance Solution Guide - repository of frequently used resources and processes
  • Services in Scope - not all services are in scope of a compliance effort
  • Security Blog
  • Case Studies
  • FAQ - source of questions for AWS exams

9. Methods of Deploying and Operating in AWS

Deployments:

  • Automation - accomplished without human intervention
    • Configuration templates
    • Code deployment automation
    • self healing infrastructures
    • reduction in the need for manual interventions
    • reduction in the potential for errors
    • lowered operating costs for managed service providers (MSPs)
    • Huge Role in
      • Backup generation and retention
      • Security compliance
      • code deployment
      • aws infrastructure changes
  • Orchestration - workflow / set of automated tasks
    • automating new instances with auto scaling
    • load balancing with automated ELB configs
    • deploying automation using codedeploy
    • using puppet scripts to automate configuration of OS
    • cloudformation - turning many tasks into a template with single api call
    • advantages:
      • lowering of IT costs
      • gained time for new or experimental projects
      • improved delivery times to customers
      • reduced friction between systems and development teams
    • Management Options
      • Provisioning - Cloudformation / works well with service catalog
      • operations management - aws systems manager, aws config or cloudtrail
      • monitoring and logging: cloudwatch + stream of events which can be reacted upon
      • managed services for configuration - AWS OpsWorks - fully managed config service (chef+puppet)

10. AWS Global Infrastructure

AWS has

  • Regions
    • physical location in the world where there are multiple AZ
    • minimum of 2 AZ per region
    • regions are interconnected with high bandwidth low latency links
    • isolated from other regions - not dependent
    • regions also host EDGE LOCATIONS - endpoints from where CloudFront serves data
  • Availability Zones
    • One or more discrete data centers - each with redundant power, networking and connectivity
    • Higher availability due to multiple data centers
    • datacenter choice with multiple power providers, lower risk floodplains

Its connections can be:

  • Direct Connect
    • easy to establish a dedicated network connection from premise to AWS
    • private connectivity between AWS and datacenter/office/colocation
    • potential reduction of your network costs (saving on transfer out fee)
    • potential increase in bandwidth throughput
    • typically a more consistent network experience than internet based connections
    • use of 802.1Q to provide access to different resources
  • VPC Endpoint
    • privately connect a VPC to supported AWS services
    • does not require gateway, nat device, vpn connection or directconnect link, public ip
    • traffic between VPC and other service does not leave the AWS network
    • virtual devices
    • no risk or limitation with bandwidth or availability
  • Interface endpoints - powered by AWS PrivateLink
    • assign a private elastic network interface to an AWS service like:
      • api gateway, cloudwatch, codebuild, config, ec2 api, ELB api
  • Gateway endpoints
    • target for a specified route in your route table
    • for services like: s3 or dynamoDB
  • VPC Peering
    • VPC to VPC peering
    • foreign VPC can be same account, different region or different account
    • no single point of failure for communication and bandwidth bottleneck
  • ClassicLink
    • link ec2 classic instance to a VPC under your account within same region

11. Resources for Technology Support

AWS provides:

  • Documentation
    • Guides and API References
    • Compute
    • Storage
    • Database
    • Developer Tools
    • Security Identity Compliance
    • Machine Learning
    • Management Governance
    • Migration Transfer
    • Mobile
    • Networking Content Delivery
    • etc..
    • Tutorials and Projects
      • Websites and Web Apps
      • Devops
      • Storage
      • database
    • SDK and Toolkits
    • General resources
    • Best resources in “related links”
      • AWS glossary
      • Aws case studies
      • AWS whitepapers
      • AWS general reference
  • FAQ
  • Discussion Forums

12. Using the free tier to build a web server

  • Free tier is valid for 1 year
  • Has the following components:
    • API Gateway
    • Cloud Directory
    • CloudFront
    • Comprehend
    • Connect
    • EC2 - t2 micro
    • EFS
    • EBS
    • etc..
  • Extra services remaining free after a year:
    • CloudWatch
    • Cognito
    • DynamoDB
    • Glacier
    • Macie
    • SES
    • SNS
    • SQS
    • SWF
    • CodeBuild
    • CodeCommit
    • CodePipeline
    • Database migration service
    • Glue
    • key management service
    • lambda
    • step functions
    • storage gateway
    • x-ray

13. AWS Pricing Models

Fundamentals:

  • PAYG / on demand - no long term commitments
  • reserve - save up to 70% of cost over on demand
    • pay upfront, some or none
  • volume discounts as the infrastructure grows
  • custom pricing models for huge corporations
  • free services for ever
    • VPC
    • CloudFormation
    • IAM
    • Auto Scaling
  • Cost categories
    • compute
    • storage
    • data transfer out
      • in general, no cost for transfer IN , or transfer within AWS

Cost breakdown

  • EC2
    • total clock hours of usage
    • amount of distributions of load balancing
    • machine config
    • detailed monitoring
    • machine purchase type
    • software OS
    • elastic IP address
    • number of instances (including auto scaling)
    • cross AZ data transfer
  • S3
    • Storage type
    • storage class
    • requests
    • data transfer out
  • EBS
    • Volume type
    • IOPS
    • snapshots
  • RDS
    • total clock hours of usage
    • additional storage
    • database config
    • purchase type
    • deployment type
    • number of databases
    • data transfer out
    • provisioned storage
  • cloudformation
    • traffic distribution location
    • requests
    • data transfer out

14. Account Structures for Billing and Pricing

AWS Support

  • proactive guidance
    • access to a technical account manager
    • dedicated voice within AWS to serve as technical point of contact and advocate
    • proactive guidance and best practice to help optimize your AWS environment
    • orchestration and access to the breadth and depth of technical expertise of AWS
  • Best practices - online resource
    • Trusted Advisor available on business and enterprise plans
      • guidance on getting best optimal performance
      • opportunities to reduce monthly spend while retaining productivity
      • best practice to help increase security
  • Account assistance
    • Concierge team at AWS part of enterprise support plan
  • Launch Support
    • planned events
    • guidance on scaling infrastructure for critical events
    • included in enterprise , extra fee for business plan
      • event planning and preparation based on use case and objective
      • resource recommendations and deployment guidance based on capacity
      • dedicated attention from aws support team
      • guidance and support as you scale resource to normal operating levels

Access to support

  • basic $free
    • forums
    • seven core checks of trusted advisor
    • personal health dashboard
  • developer $29/m basic+
    • one primary contact for tickets
    • 12 hours response time
    • general guidance for architecture support
  • business $100/m dev+
    • infrastructure event management for a fee
    • 1 hour response time
    • aws support api
    • guidance and troubleshooting on third party software
  • enterprise $15k/m business+
    • Well-Architected review
    • operational recommendations
    • online self-paced labs
    • concierge support team
    • designated technical account manager

15. Resources for Billing Support

Total cost of ownership TCO calculators

  • use to predict costs
  • use to experiment with overflows

Simple monthly calculator

  • simple estimation of S3 EC2 costs
  • analyzing costs with graphs
    • cost explorer tool - free
    • strong filtering capability
    • forecast for future
  • Budgets
    • use budget to track aws usage and costs
    • cost explorer can match budgets to costs
  • Payment currencies
    • estimated bills
    • pay in local currency
    • default is USD
    • aws guarantees exchange rate for refunds
  • AWS cost and usage reports
    • billing reports s3 bucket
    • breakdown by hour and month
    • cost explorer graphs
pub/study/aws1.txt · Last modified: 2019/12/17 23:48 by miro
