AWS Associate Certificate


1. Networking

1.1. VPC

1.1.1. Default VPC
1.1.1.1. All subnets are public
1.1.1.2. If you delete the default VPC, you have to contact AWS to get it back

1.1.2. VPC Peering
1.1.2.1. Connects one VPC with another
1.1.2.2. Does not give access to the internet
1.1.2.3. Does not give access to a third VPC via another VPC (peering is not transitive)

1.1.3. Tenancy
1.1.3.1. Default
1.1.3.2. Dedicated
1.1.3.3. If you set Dedicated tenancy while creating a new VPC, all instances in that VPC will automatically be dedicated

1.1.4. Route Tables
1.1.4.1. A default route table is created automatically for each VPC

1.1.5. Subnets
1.1.5.1. 1 subnet = 1 AZ
1.1.5.2. Amazon reserves 3 IP addresses in every subnet

1.1.6. IGW
1.1.6.1. 1 IGW per VPC

1.1.7. NAT Instance
1.1.7.1. Disable the Source/Destination check
1.1.7.2. A larger instance size provides more network performance

1.1.8. Access Control Lists (ACLs)
1.1.8.1. A firewall for an entire subnet
1.1.8.2. A newly created subnet is associated with the default ACL
1.1.8.3. Stateless
1.1.8.4. New (custom) ACLs deny everything by default
1.1.8.5. A subnet can ONLY have 1 ACL (no more, no less)
1.1.8.6. Rules are evaluated starting from the lowest rule number

1.2. Direct Connect

1.2.1. Provides a dedicated network link to AWS

1.3. Route53

1.3.1. Always choose Alias Record over CNAME

1.3.2. An ELB is addressed by a domain name

1.3.3. Routing Policies
1.3.3.1. Simple
1.3.3.2. Weighted: splits traffic based on the weight assigned to each record
1.3.3.3. Latency: routes based on the lowest network latency for the end user (i.e. which region gave the fastest response time)
1.3.3.4. Failover: monitors the primary web site using health checks and, if it fails, switches to the DR site
1.3.3.5. Geolocation: routes based on the geographic location of end users

2. Compute

2.1. EC2

2.1.1. Price
2.1.1.1. On Demand
2.1.1.1.1. Low price and flexibility without long-term commitments
2.1.1.1.2. Short-term applications that cannot be interrupted; development or testing
2.1.1.2. Reserved (1 or 3 year)
2.1.1.2.1. Steady-state or predictable usage that requires reserved capacity
2.1.1.2.2. User is able to make an upfront payment
2.1.1.3. Spot
2.1.1.3.1. Applications with flexible start and end times
2.1.1.3.2. Very low compute price
2.1.1.3.3. Users with an urgent need for large amounts of compute
2.1.1.3.4. NOTE: if AWS terminates the instance itself, you will not pay for the partial hour of usage. If you terminate it, you will pay.

2.1.2. Types
2.1.2.1. T2 - low cost, general purpose
2.1.2.2. M4, M3 - general purpose
2.1.2.3. C3, C4 - compute optimised
2.1.2.4. R3 - memory optimised
2.1.2.5. G2 - GPU
2.1.2.6. I2 - high speed storage (NoSQL, ...)
2.1.2.7. D2 - dense storage (Hadoop, ...)

2.1.3. EBS
2.1.3.1. Types
2.1.3.1.1. General Purpose SSD (GP2)
2.1.3.1.2. Provisioned IOPS SSD (IO1)
2.1.3.1.3. Magnetic (Standard)
2.1.3.2. Encryption
2.1.3.2.1. The root volume (where the OS lives) is NOT encrypted. You can use THIRD-PARTY tools to encrypt the root volume
2.1.3.2.2. Additional volumes can be encrypted

2.1.4. SG (Security Groups)
2.1.4.1. All inbound traffic is blocked by default
2.1.4.2. All outbound traffic is allowed by default
2.1.4.3. Changes to a SG take effect immediately
2.1.4.4. SGs are STATEFUL: if you create an inbound rule allowing traffic in, that traffic is allowed back out again

2.1.5. Volume
2.1.5.1. Exists on EBS (virtual hard disk)
2.1.5.2. A volume restored from an encrypted snapshot is encrypted
2.1.5.3. RAID
2.1.5.3.1. AWS does NOT recommend using RAID5
2.1.5.3.2. RAID0 - no redundancy, good performance
2.1.5.3.3. RAID10 - redundancy and good performance
2.1.5.3.4. Creating a snapshot of a RAID array

2.1.6. Snapshot
2.1.6.1. Exists on S3
2.1.6.2. Incremental: only changed blocks are uploaded to S3
2.1.6.3. A snapshot of an encrypted volume is encrypted automatically
2.1.6.4. You can share a snapshot only if it is NOT encrypted
2.1.6.5. To create a snapshot of the root volume, you need to stop the instance (or AWS will stop it). If the instance was not stopped, the integrity of the filesystem cannot be guaranteed
2.1.6.6. You can NOT remove a snapshot that is referenced by an AMI

2.1.7. AMI
2.1.7.1. EBS root volume: the root volume is an EBS volume created from an EBS snapshot
2.1.7.2. Instance Store: the root device launched from the AMI is an instance store volume created from a template stored on S3
2.1.7.2.1. Takes a bit more time to launch
2.1.7.2.2. Cannot be stopped
2.1.7.2.3. If the underlying host fails, you will lose your data

2.1.8. An ELB only has its own DNS name, NOT IPs

2.1.9. IAM Role
2.1.9.1. You can NOT change the role of an already created instance
2.1.9.2. You can change the role itself and the change is applied immediately
2.1.9.3. Roles are easier to manage

2.1.10. Instance Metadata: you can NOT get user-data using the URL, only meta-data

2.1.11. Placement Group
2.1.11.1. Single AZ
2.1.11.2. Low latency, 10 Gbps
2.1.11.3. The name of a Placement Group must be unique across the AWS account
2.1.11.4. Only certain instance types can be launched in a PG (compute, GPU, memory and storage optimised)
2.1.11.5. AWS recommends using a homogeneous instance type (same family and same size)
2.1.11.6. You can NOT merge PGs
2.1.11.7. You can NOT move an already created instance into a PG

2.2. EC2 Container Service

2.3. Elastic Beanstalk

2.4. Lambda

2.4.1. An event-driven compute service: Lambda runs your code in response to events

3. Storage

3.1. S3

3.1.1. Object-based storage (key/value). An object consists of:
3.1.1.1. Key (name of the object)
3.1.1.2. Value
3.1.1.3. Version ID (important for versioning)
3.1.1.4. Metadata
3.1.1.5. Subresources
3.1.1.6. Access Control List

3.1.2. File size can be from 1 byte to 5 TB

3.1.3. Universal namespace:

3.1.4. Bucket names do not support capital letters

3.1.5. Read-after-write consistency for PUTs of new objects

3.1.6. Eventual consistency for overwrite PUTs and DELETEs (can take some time to propagate)

3.1.7. Availability: 99.99%

3.1.8. Durability: 99.999999999% (11 x 9's)

3.1.9. New objects in a bucket are private

3.1.10. Tiered Storage (the storage class can be set/changed for an entire bucket or for individual objects in the bucket)
3.1.10.1. S3 (Standard)
3.1.10.1.1. Availability: 99.99%
3.1.10.1.2. Durability: 99.999999999% (11 x 9's)
3.1.10.2. S3 - IA (Infrequent Access)
3.1.10.2.1. Lower storage fee than S3 Standard, plus a retrieval fee
3.1.10.2.2. Standard - IA has a minimum object size of 128KB; smaller objects are charged for 128KB of storage
3.1.10.2.3. Minimum storage duration: 30 days
3.1.10.3. Reduced Redundancy Storage
3.1.10.3.1. Availability: 99.99%
3.1.10.3.2. Durability: 99.99%

3.1.11. Lifecycle Management
3.1.11.1. Can be applied to a whole bucket or to a prefix
3.1.11.2. Actions (without versioning)
3.1.11.2.1. Transition to S3-IA (minimum 30 days after creation)
3.1.11.2.2. Archive to Glacier
3.1.11.2.3. Permanently delete
3.1.11.3. Actions (with versioning)
3.1.11.3.1. Actions for the current version
3.1.11.3.2. Actions for previous versions

3.1.12. Versioning
3.1.12.1. Can't be turned off once enabled
3.1.12.2. MFA Delete capability
3.1.12.3. Doesn't deduplicate (S3 keeps every version of a file as a separate object)

3.1.13. Security
3.1.13.1. Buckets are PRIVATE by default
3.1.13.2. Access control
3.1.13.2.1. Bucket Policies (applied to the whole bucket)
3.1.13.2.2. Access Control Lists (can be applied to individual objects in a bucket)
3.1.13.3. Encryption
3.1.13.3.1. In transit
3.1.13.3.2. At rest

3.1.14. Transfer Acceleration: allows uploading files to S3 via a CloudFront edge location

3.1.15. Cross Region Replication
3.1.15.1. Doesn't replicate existing files
3.1.15.2. Requires versioning

3.2. Cloud Front

3.2.1. Edge Locations
3.2.1.1. Support READ and WRITE
3.2.1.2. More than 50 around the world
3.2.1.3. TTL
3.2.1.4. Cached objects can be cleared (you will be charged)

3.2.2. Origin
3.2.2.1. S3 bucket
3.2.2.2. EC2 instance
3.2.2.3. ELB
3.2.2.4. Route53
3.2.2.5. Non-AWS server

3.2.3. Distribution
3.2.3.1. Web Distribution
3.2.3.2. RTMP - media streaming

3.2.4. Geo Restrictions
3.2.4.1. White list
3.2.4.2. Black list

3.2.5. Invalidation: removes objects from the cache

3.3. Glacier

3.3.1. Archive data

3.3.2. Takes 3-5 hours to restore

3.3.3. Extremely low cost ($0.01 per GB per month)

3.3.4. Minimum Storage Duration: 90 days

3.4. EFS

3.4.1. Supports NFSv4

3.4.2. Pay only for storage

3.4.3. Scales up to petabytes

3.4.4. Supports thousands of concurrent NFS connections

3.4.5. Spans AZs within a single region

3.4.6. Read-after-write consistency

3.5. Import/Export

3.5.1. Import/Export Disk
3.5.1.1. Import: S3, EBS, Glacier
3.5.1.2. Export: S3

3.5.2. Import/Export Snowball: only S3

3.6. Storage Gateway

3.6.1. A service that connects an on-premises software appliance with cloud-based storage to provide seamless and secure integration between an organisation's on-premises IT environment and the AWS cloud

3.6.2. Types
3.6.2.1. Gateway Stored Volume: the entire dataset is stored on site and is asynchronously backed up to S3
3.6.2.2. Gateway Cached Volume: data lives on S3, but the most frequently accessed data is stored locally; if you lose internet connectivity, you will not have access to all of your data
3.6.2.3. Gateway Virtual Tape Library (VTL): provides a virtual tape shelf to back up to S3 or Glacier

4. Databases

4.1. Elasticache - In memory caching

4.1.1. Memcached

4.1.2. Redis

4.2. DMS

4.3. RDS - OLTP (Online Transaction Processing)

4.3.1. Aurora
4.3.1.1. Auto-scaling storage (starts at 10GB, scales in 10GB increments up to 64TB)
4.3.1.2. Compute resources scale up to 32 vCPUs and 244GB RAM
4.3.1.3. 2 copies of data in each AZ across a minimum of 3 AZs (6 copies of data)
4.3.1.4. Can lose up to 2 copies without affecting write availability
4.3.1.5. Can lose up to 3 copies without affecting read availability
4.3.1.6. Self-healing (disks are continuously scanned for errors and repaired)
4.3.1.7. Replicas
4.3.1.7.1. Aurora Replicas (up to 15)
4.3.1.7.2. MySQL Replicas (up to 5)

4.3.2. Types: MSSQL, MySQL, PostgreSQL, Oracle, Aurora, MariaDB

4.3.3. Automated Backups
4.3.3.1. Retention from 0 up to 35 days
4.3.3.2. Storage I/O may be suspended during the backup
4.3.3.3. You get free S3 storage equal to the size of the DB volume

4.3.4. Manual snapshots are retained even if you delete the source DB (unlike automated backups)

4.3.5. Restoring always creates a new RDS instance with a new endpoint

4.3.6. Encryption
4.3.6.1. Supported by MySQL, PostgreSQL, Oracle, MariaDB and SQL Server
4.3.6.2. Can NOT be enabled for existing instances

4.3.7. Multi-AZ
4.3.7.1. For Disaster Recovery ONLY
4.3.7.2. Automatic, synchronous replication

4.3.8. Read Replica
4.3.8.1. Asynchronous replication
4.3.8.2. MySQL, PostgreSQL, MariaDB
4.3.8.3. Used for scaling, NOT for DR
4.3.8.4. Requires automated backups to be enabled
4.3.8.5. Up to 5 read replicas
4.3.8.6. You can have a read replica of a read replica (latency!)
4.3.8.7. A read replica can NOT be Multi-AZ
4.3.8.8. Read replicas in a second region (for MySQL and MariaDB)

4.3.9. NOTES: DB Security Group: you don't need to specify a port/protocol, only the source IP range / security group

4.4. DynamoDB - No SQL

4.4.1. Automatic scaling on the fly vs

4.4.2. Stored on SSD

4.4.3. Spread across 3 geographically distinct data centers

4.4.4. Eventually consistent reads (default): consistency across all copies of data is usually reached within 1 second

4.4.5. Strongly consistent reads: return a result that reflects all writes

4.4.6. Pricing
4.4.6.1. Read throughput: $0.0065 per hour for every 50 units
4.4.6.2. Write throughput: $0.0065 per hour for every 10 units
4.4.6.3. Storage cost of $0.25 per GB per month

4.5. Redshift - OLAP (Online Analytic Processing)

4.5.1. Data warehouse service in the cloud

4.5.2. Single Node (160GB)

4.5.3. Multi-Node
4.5.3.1. Leader node (handles queries)
4.5.3.2. Compute nodes (store data, perform queries)
4.5.3.3. Up to 128 nodes

4.5.4. Price
4.5.4.1. Leader node is free
4.5.4.2. Compute nodes: charged for the hours the instances are running
4.5.4.3. Backup
4.5.4.4. Data transfer (within VPC)

4.5.5. Encryption
4.5.5.1. SSL/TLS for data in transit
4.5.5.2. Encrypted at rest using AES-256
4.5.5.3. By default Redshift manages the keys itself, but you can use KMS or manage your own keys using HSM

4.5.6. Availability
4.5.6.1. Only 1 AZ
4.5.6.2. You can restore a snapshot to a new AZ

5. Analytics

5.1. EMR

5.2. Data Pipeline

5.3. ElasticSearch

5.4. Kinesis

5.5. Machine Learning

5.6. Quick Sight

6. Security & Identity

6.1. IAM

6.1.1. Users

6.1.2. Groups

6.1.3. Roles

6.1.4. Policies

6.1.5. Notes
6.1.5.1. IAM entities are global (shared across all regions)
6.1.5.2. New users don't have any permissions
6.1.5.3. The root account has complete admin access by default
6.1.5.4. Power User Access allows access to all AWS services except management of groups and users within IAM

6.2. Directory Service

6.3. Inspector

6.4. WAF

6.5. Cloud HSM

6.6. KMS

7. Management Tools

7.1. CloudWatch

7.1.1. Basic Monitoring: every 5 min, free

7.1.2. Detailed Monitoring: every 1 min, additional charge

7.1.3. Dashboard

7.1.4. Metrics: CPU, Disk, Network

7.1.5. Events: allow you to react to changes

7.1.6. Alarms: allow you to react when a metric crosses a threshold

7.1.7. Logs: allow you to aggregate, monitor and store logs

7.2. CloudFormation

7.3. CloudTrail

7.4. Opsworks

7.5. Config

7.6. Service Catalog

7.7. Trusted Advisor

8. Application Services

8.1. API Gateway

8.2. AppStream

8.3. CloudSearch

8.4. Elastic Transcoder

8.5. SES

8.6. SQS

8.6.1. Distributed queue system

8.6.2. A message is up to 256KB of text in any format

8.6.3. Billed at 64KB "Chunks"

8.6.4. First 1 million requests are free, then $0.50 per million

8.6.5. 1 request can retrieve up to 10 messages

8.6.6. Messages can be retrieved using SQS API

8.6.7. Has a buffer

8.6.8. SQS guarantees at-least-once delivery

8.6.9. It is NOT FIFO

8.6.10. Messages are asynchronously PULLED from a QUEUE

8.6.11. The visibility period starts when a message is picked up

8.6.12. If the application fails, the message stays in the queue. After the visibility period expires, the message will be consumed by another application

8.6.13. When the application finishes processing, the message is removed from the queue

8.6.14. Visibility Timeout is 30s by default.

8.6.15. The retention period is up to 14 days

8.7. SWF

8.7.1. Simple WorkFlow Service

8.7.2. The retention period is up to 1 year

8.7.3. Task-oriented API (whereas SQS is message-oriented)

8.7.4. A task is assigned ONLY ONCE

8.7.5. SWF tracks all tasks in the application (with SQS you need to implement this yourself at the application level)

8.7.6. SWF Actors (can be code or humans)
8.7.6.1. Workflow Starter - starts the workflow
8.7.6.2. Deciders - control the workflow
8.7.6.3. Activity Workers

9. WhitePapers

9.1. Security

9.1.1. Shared Security Model

9.1.2. Storage Decommissioning: DoD 5220.22-M or NIST 800-88

9.1.3. Amazon Corporate Segregation

9.1.4. Network Monitoring & Protection
9.1.4.1. DDoS
9.1.4.2. Man-in-the-middle attack (MITM)
9.1.4.3. IP spoofing
9.1.4.4. Port scanning: you must request permission in advance for vulnerability / port scanning
9.1.4.5. Packet sniffing by other tenants

9.1.5. Instance Isolation
9.1.5.1. Instances on the same host are isolated by the Xen hypervisor
9.1.5.2. The AWS firewall resides in the hypervisor, so instances on the same host don't have more permissions than any other instance
9.1.5.3. RAM is separated
9.1.5.4. Disk and RAM are zeroed

9.1.6. AWS doesn't have read/write access to your guest OS

9.1.7. Strategic Business Plan: reviewed at least biannually (every 6 months)

9.1.8. AWS scans public services for vulnerabilities

9.1.9. Compliance
9.1.9.1. SOC 1, 2, 3
9.1.9.2. FISMA, DIACAP, FedRAMP
9.1.9.3. PCI DSS Level 1 (only infrastructure)
9.1.9.4. ISO 27001
9.1.9.5. ISO 9001
9.1.9.6. ITAR
9.1.9.7. FIPS 140-2
9.1.9.8. Industry standards: HIPAA, Cloud Security Alliance, Motion Picture Association of America

10. Development Tools

10.1. CodeCommit

10.2. CodeDeploy

10.3. CodePipeline

11. Basic

11.1. Support

11.1.1. Basic, Developer, Business, Enterprise

12. Mobile Services

12.1. Mobile Hub

12.2. Cognito

12.3. Device Farm

12.4. Mobile Analytics

12.5. SNS

12.5.1. Sends notifications from the cloud

12.5.2. Can push notifications to mobile devices

12.5.3. Push to SQS

12.5.4. Send email

12.5.5. Trigger a Lambda function

12.5.6. Messages are redundantly stored across multiple AZs

13. Enterprise Applications

13.1. WorkSpaces

13.2. WorkDocs

13.3. WorkMail

14. Internet Of Things