
1. Basic
1.1. Support
1.1.1. Basic, Developer, Business, Enterprise
2. Development Tools
2.1. CodeCommit
2.2. CodeDeploy
2.3. CodePipeline
3. WhitePapers
3.1. Security
3.1.1. Shared Security Model
3.1.2. Storage Decommissioning
3.1.2.1. DoD 5220.22-M or NIST 800-88
3.1.3. Amazon Corporate Segregation
3.1.4. Network monitoring & Protection
3.1.4.1. DDoS
3.1.4.2. Man in the middle attack (MITM)
3.1.4.3. IP spoofing
3.1.4.4. Port scanning
3.1.4.4.1. You should request permission from AWS in advance before running vulnerability/port scans against your own instances
3.1.4.5. Packet sniffing by other tenants (an instance in promiscuous mode cannot see traffic destined for another instance)
3.1.5. Instance Isolation
3.1.5.1. instances on the same host are isolated by Xen hypervisor
3.1.5.2. The AWS firewall resides in the hypervisor, so instances on the same host have no more access to each other than to any other instance
3.1.5.3. RAM is separated
3.1.5.4. Disk and RAM are zeroed before being reallocated to another customer
3.1.6. AWS does not have read/write access to your guest OS
3.1.7. The Business Continuity Plan is tested at least biannually (every 6 months)
3.1.8. AWS regularly scans its public-facing service endpoints for vulnerabilities
3.1.9. Compliances
3.1.9.1. SOC1,2,3
3.1.9.2. FISMA, DIACAP, FedRAMP
3.1.9.3. PCI DSS level1 (only infrastructure)
3.1.9.4. ISO27001
3.1.9.5. ISO 9001
3.1.9.6. ITAR
3.1.9.7. FIPS 140-2
3.1.9.8. Industry Standards
3.1.9.8.1. HIPAA
3.1.9.8.2. Cloud Security Alliance
3.1.9.8.3. Motion Picture Association of America
4. Mobile Services
4.1. Mobile Hub
4.2. Cognito
4.3. Device Farm
4.4. Mobile Analytics
4.5. SNS
4.5.1. Sends notifications from the cloud
4.5.2. Can push notifications to mobile devices
4.5.3. Push to SQS
4.5.4. Send email
4.5.5. Trigger a Lambda function
4.5.6. Messages are redundantly stored across multiple AZs
5. Security & Identity
5.1. IAM
5.1.1. Users
5.1.2. Groups
5.1.3. Roles
5.1.4. Policies
5.1.5. Notes
5.1.5.1. IAM is global: users, groups, roles and policies are not tied to a region
5.1.5.2. New users have no permissions until a policy is attached (implicit deny)
5.1.5.3. The root account has complete admin access by default
5.1.5.4. Power User Access allows access to all AWS services except management of users and groups within IAM
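The IAM notes above (implicit deny for a new user, an explicit Deny beating an Allow, and the Power User shape of "everything except IAM") can be made concrete with a small policy evaluator. This is an added example, not AWS code; the policy documents in it are constructed for the example, and the Power User document is the simplified historic form of the managed policy (a single Allow with NotAction iam:*), not the current managed policy text.

```python
"""Minimal IAM policy evaluator (added example, not AWS code).

Models three rules from the notes: a principal with no policies is denied
everything (implicit deny), an explicit Deny always beats an Allow, and the
PowerUserAccess shape "Allow everything except iam:*" is expressed with
NotAction. The policy documents below are constructed for this example.
"""
import fnmatch

# Simplified historic shape of the managed PowerUserAccess policy.
POWER_USER = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}],
}

# A broad Allow with an explicit Deny carved out of it.
S3_NO_BUCKET_DELETE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM accepts either a string or a list in Action/NotAction/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive):
    """Wildcard match ('*' and '?'); action names are case-insensitive, ARNs are not."""
    if case_insensitive:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def statement_applies(stmt, action, resource):
    """Does this statement cover the (action, resource) pair?"""
    if "Action" in stmt:
        action_hit = _matches(_as_list(stmt["Action"]), action, True)
    else:  # NotAction: the statement covers every action NOT listed
        action_hit = not _matches(_as_list(stmt["NotAction"]), action, True)
    if "Resource" in stmt:
        resource_hit = _matches(_as_list(stmt["Resource"]), resource, False)
    else:
        resource_hit = not _matches(_as_list(stmt["NotResource"]), resource, False)
    return action_hit and resource_hit


def evaluate(policies, action, resource="*"):
    """Return 'Allow' or 'Deny' for an identity carrying these policies.

    Mirrors IAM evaluation: an applicable explicit Deny wins, otherwise an
    applicable Allow grants access, otherwise the request is implicitly denied.
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"


if __name__ == "__main__":
    print("new user, no policy, s3:ListAllMyBuckets:", evaluate([], "s3:ListAllMyBuckets"))
    print("power user, ec2:RunInstances:", evaluate([POWER_USER], "ec2:RunInstances"))
    print("power user, iam:CreateUser:", evaluate([POWER_USER], "iam:CreateUser"))
    print("power user + s3 guard, s3:DeleteBucket:",
          evaluate([POWER_USER, S3_NO_BUCKET_DELETE], "s3:DeleteBucket"))
```

The evaluator ignores Principal and Condition on purpose: identity-based policies are evaluated for the identity they are attached to, and conditions are a separate topic. The point to notice is that NotAction is not a deny; a power user is denied iam:CreateUser only because nothing allows it.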
5.2. Directory Service
5.3. Inspector
5.4. WAF
5.5. Cloud HSM
5.6. KMS
6. Internet Of Things
7. Enterprise Applications
7.1. WorkSpaces
7.2. WorkDocs
7.3. WorkMail
8. Management Tools
8.1. CloudWatch
8.1.1. Basic Monitoring
8.1.1.1. Every 5 min
8.1.1.2. Free
8.1.2. Detailed Monitoring
8.1.2.1. Every 1 min
8.1.2.2. Additional charge
8.1.3. Dashboard
8.1.4. Metrics
8.1.4.1. CPU
8.1.4.2. Disk
8.1.4.3. Network
8.1.5. Events
8.1.5.1. React to changes in the state of AWS resources
8.1.6. Alarms
8.1.6.1. React when a metric crosses a threshold
8.1.7. Logs
8.1.7.1. Aggregate, monitor and store log files
8.2. CloudFormation
8.3. CloudTrail
8.4. Opsworks
8.5. Config
8.6. Service Catalog
8.7. Trusted Advisor
9. Analytics
9.1. EMR
9.2. Data Pipeline
9.3. ElasticSearch
9.4. Kinesis
9.5. Machine Learning
9.6. Quick Sight
10. Storage
10.1. S3
10.1.1. Object-based storage (a key/value store). An object consists of:
10.1.1.1. Key (name of the object)
10.1.1.2. Value
10.1.1.3. Version ID (Important for versioning)
10.1.1.4. Metadata
10.1.1.5. Subresources
10.1.1.6. Access Control List
10.1.2. Object size can be from 0 bytes to 5 TB
10.1.3. Universal namespace (bucket names are globally unique): https://s3-us-east-1.amazonaws.com/bucketname
10.1.4. Bucket names cannot contain uppercase characters
10.1.5. Read-after-write consistency for PUTs of new objects
10.1.6. Eventual consistency for overwrite PUTs and DELETEs (changes can take some time to propagate)
10.1.7. Availability: 99.99%
10.1.8. Durability: 99.999999999% (11 9's)
10.1.9. New objects in a bucket are private
10.1.10. Tiered storage (the storage class can be set/changed for the entire bucket or for individual objects)
10.1.10.1. S3
10.1.10.1.1. Availability: 99.99%
10.1.10.1.2. Durability: 99.999999999% (11 9's)
10.1.10.2. S3 - IA (Infrequent Access)
10.1.10.2.1. Lower fee than S3
10.1.10.2.2. Retrieval fee
10.1.10.2.3. Standard-IA has a minimum billable object size of 128 KB; smaller objects are charged for 128 KB of storage
10.1.10.2.4. Minimum storage duration: 30 days
10.1.10.3. Reduced Redundancy Storage
10.1.10.3.1. Availability: 99.99%
10.1.10.3.2. Durability: 99.99%
10.1.11. Lifecycle Management
10.1.11.1. Can be applied to the whole bucket or to a prefix
10.1.11.2. Actions (without versioning)
10.1.11.2.1. Transition to S3-IA (minimum 30 days after creation)
10.1.11.2.2. Archive to Glacier
10.1.11.2.3. Permanent Delete
10.1.11.3. Actions (with versioning)
10.1.11.3.1. Actions for current version
10.1.11.3.2. Action for previous versions
10.1.12. Versioning
10.1.12.1. Once enabled, versioning can only be suspended, not turned off
10.1.12.2. MFA Delete: MFA can be required to delete an object version or change the bucket's versioning state
10.1.12.3. No deduplication: S3 keeps every version of an object as a separate, separately billed object
10.1.13. Security
10.1.13.1. Bucket is PRIVATE by default
10.1.13.2. Access control
10.1.13.2.1. Bucket policies (apply to the whole bucket)
10.1.13.2.2. Access Control Lists (can be applied to individual objects in the bucket)
10.1.13.3. Encryption
10.1.13.3.1. In transit (SSL/TLS)
10.1.13.3.2. At rest (server-side encryption or client-side encryption before upload)
10.1.14. Transfer Acceleration
10.1.14.1. Uploads go to the nearest CloudFront edge location, which forwards them to the bucket over the AWS backbone
10.1.15. Cross Region Replication
10.1.15.1. Does not replicate objects that existed before replication was enabled
10.1.15.2. Requires Versioning
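The S3 security bullets above (buckets private by default, bucket policies vs ACLs, encryption in transit and at rest) translate into checks you can run on a bucket policy document before it is applied. The following is an added example, not AWS tooling; both policy documents and the bucket name example-bucket are constructed for it.

```python
"""Static checks on an S3 bucket policy (added example, not AWS tooling).

Both policies below are constructed for this example; "example-bucket" is a
placeholder. audit() reports the three things the notes care about: anonymous
(public) grants, a Deny on plaintext HTTP (aws:SecureTransport=false), and a
Deny on uploads that do not ask for server-side encryption.
"""
import json

HARDENED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "DenyUnencryptedPuts", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}
  ]
}
""")

# The classic "make the whole bucket readable by everyone" policy.
PUBLIC_READ_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """Principal "*" or {"AWS": "*"} means anyone, authenticated or not."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def public_statements(policy):
    """Sids of Allow statements that grant anonymous access with no Condition."""
    found = []
    for i, stmt in enumerate(policy["Statement"]):
        if (stmt.get("Effect") == "Allow"
                and _is_anonymous(stmt.get("Principal"))
                and not stmt.get("Condition")):
            found.append(stmt.get("Sid", f"statement[{i}]"))
    return found


def enforces_tls(policy):
    """True if a Deny on s3:* (or *) fires when aws:SecureTransport is false."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        broad = any(a in ("*", "s3:*") for a in _as_list(stmt.get("Action", [])))
        if broad and str(flag).lower() == "false":
            return True
    return False


def requires_sse(policy):
    """True if s3:PutObject is denied unless the SSE header is present/valid."""
    header = "s3:x-amz-server-side-encryption"
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not any(a in ("*", "s3:*", "s3:PutObject") for a in _as_list(stmt.get("Action", []))):
            continue
        cond = stmt.get("Condition", {})
        if str(cond.get("Null", {}).get(header)).lower() == "true":
            return True  # deny when the header is absent
        if header in cond.get("StringNotEquals", {}):
            return True  # deny when the header names the wrong algorithm
    return False


def audit(policy):
    """Return a list of findings; an empty list means the policy passes."""
    findings = []
    public = public_statements(policy)
    if public:
        findings.append("public access granted by: " + ", ".join(public))
    if not enforces_tls(policy):
        findings.append("no Deny for aws:SecureTransport=false (plaintext HTTP allowed)")
    if not requires_sse(policy):
        findings.append("unencrypted s3:PutObject is not denied")
    return findings
```

The hardened policy is the usual pair of Deny statements: one for requests arriving without TLS and one for PutObject calls that omit the server-side-encryption header. A Deny with Principal "*" is not a public grant; only an Allow to "*" is, which is why public_statements looks at Allow only. The second policy is the shape that S3 Block Public Access (an account- and bucket-level setting AWS added after these notes were written) exists to override.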
10.2. Cloud Front
10.2.1. Edge Location
10.2.1.1. Supports READ and WRITE (uploads can go through the edge)
10.2.1.2. More than 50, around the world
10.2.1.3. Objects stay cached for the TTL
10.2.1.4. Cached objects can be cleared (invalidated) before the TTL expires, for a charge
10.2.2. Origin
10.2.2.1. S3 bucket
10.2.2.2. EC2 instance
10.2.2.3. ELB
10.2.2.4. Route53
10.2.2.5. Non-AWS (custom origin) server
10.2.3. Distribution
10.2.3.1. Web Distribution
10.2.3.2. RTMP - media streaming
10.2.4. Geo Restrictions
10.2.4.1. White list
10.2.4.2. Black list
10.2.5. Invalidation
10.2.5.1. to remove objects from cache
10.3. Glacier
10.3.1. Archive data
10.3.2. A standard restore takes 3-5 hours
10.3.3. Extremely low cost ($0.01 per GB per month at the time these notes were written)
10.3.4. Minimum storage duration: 90 days
10.4. EFS
10.4.1. Supports NFSv4
10.4.2. Pay only for the storage used
10.4.3. Scales up to petabytes
10.4.4. Supports thousands of concurrent NFS connections
10.4.5. Data is stored across multiple AZs within a single region
10.4.6. Read-after-write consistency
10.5. Import/Export
10.5.1. Import/Export Disk
10.5.1.1. Import
10.5.1.1.1. S3
10.5.1.1.2. EBS
10.5.1.1.3. Glacier
10.5.1.2. Export
10.5.1.2.1. S3
10.5.2. Import/Export Snowball
10.5.2.1. Only S3
10.6. Storage Gateway
10.6.1. A service that connects an on-premises software appliance with cloud-based storage, giving seamless and secure integration between an organisation's on-premises IT environment and the AWS cloud
10.6.2. Types
10.6.2.1. Gateway Stored Volume
10.6.2.1.1. The entire dataset is stored on site and asynchronously backed up to S3
10.6.2.2. Gateway Cached Volume
10.6.2.2.1. Data lives on S3; only the most frequently accessed data is cached locally
10.6.2.2.2. If internet connectivity is lost, the data that is not in the local cache is unavailable
10.6.2.3. Gateway Virtual Tape Library (VTL)
10.6.2.3.1. Provides a virtual tape shelf to back up to S3 or Glacier
11. Application Services
11.1. API Gateway
11.2. AppStream
11.3. CloudSearch
11.4. Elastic Transcoder
11.5. SES
11.6. SQS
11.6.1. Distributed queue system
11.6.2. A message is up to 256 KB of text in any format
11.6.3. Billed in 64 KB chunks
11.6.4. The first 1 million requests per month are free, then $0.50 per million
11.6.5. One request can retrieve up to 10 messages
11.6.6. Messages are retrieved using the SQS API
11.6.7. Acts as a buffer between producer and consumer
11.6.8. SQS guarantees at-least-once delivery (a consumer may see the same message more than once, so processing should be idempotent)
11.6.9. It is NOT FIFO (a standard queue does not guarantee ordering)
11.6.10. Consumers asynchronously PULL messages from the queue
11.6.11. The visibility timeout starts when a message is picked up
11.6.12. If the application fails, the message stays in the queue; once the visibility timeout expires it becomes visible again and another consumer will receive it
11.6.13. When the application finishes processing it must delete the message from the queue
11.6.14. The visibility timeout is 30 s by default (maximum 12 hours)
11.6.15. The retention period is up to 14 days
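The visibility-timeout mechanics described in 11.6.11 to 11.6.15 are easiest to see in a simulation. The class below is an added example, not SQS code: it models a standard queue in memory with an explicit clock, and the scenario walks through a consumer that crashes after receiving a message. The message body order-42 is made up for the demo.

```python
"""In-memory model of SQS standard-queue delivery semantics (added example,
not SQS code). It reproduces the rules in the notes: a receive hides the
message for the visibility timeout, only an explicit delete removes it, a
message whose consumer crashes becomes visible again and is delivered at least
once more, at most 10 messages come back per receive, and messages older than
the retention period are dropped. Time is an explicit parameter so the scenario
is deterministic.
"""
from dataclasses import dataclass
import itertools


@dataclass
class Message:
    body: str
    sent_at: float
    receipt_handle: str = ""
    invisible_until: float = 0.0
    receive_count: int = 0


class FakeQueue:
    def __init__(self, visibility_timeout=30, retention=14 * 86400):
        self.visibility_timeout = visibility_timeout
        self.retention = retention
        self._messages = []
        self._handles = itertools.count(1)

    def send(self, body, now):
        self._messages.append(Message(body=body, sent_at=now))

    def receive(self, now, max_messages=10):
        """Return visible messages (max 10) and hide them for the visibility timeout."""
        self._messages = [m for m in self._messages if now - m.sent_at < self.retention]
        out = []
        for m in self._messages:
            if len(out) == max_messages:
                break
            if m.invisible_until <= now:
                m.receive_count += 1
                m.invisible_until = now + self.visibility_timeout
                m.receipt_handle = f"rh-{next(self._handles)}"  # fresh handle per receive
                out.append(m)
        return out

    def delete(self, receipt_handle):
        """Only a delete quoting the most recent receipt handle removes the message."""
        self._messages = [m for m in self._messages if m.receipt_handle != receipt_handle]

    def __len__(self):
        return len(self._messages)


def simulate_crash_and_retry():
    """Consumer A does the work but crashes before deleting; B gets the message again."""
    q = FakeQueue(visibility_timeout=30)
    q.send("order-42", now=0)
    processed = set()  # idempotency record: with at-least-once delivery, repeats are normal

    batch_a = q.receive(now=0)          # consumer A receives the message ...
    handle_a = batch_a[0].receipt_handle
    processed.add(batch_a[0].body)      # ... does the work, then crashes before delete
    hidden = q.receive(now=10)          # inside the timeout nobody can see it
    batch_b = q.receive(now=30)         # timeout expired: redelivered to consumer B
    msg = batch_b[0]
    duplicate = msg.body in processed   # B must recognise the repeat and not redo the work
    q.delete(handle_a)                  # stale handle from A: does not remove anything
    left_after_stale = len(q)
    q.delete(msg.receipt_handle)        # B acknowledges with the current handle
    return {
        "first_delivery": batch_a[0].body,
        "visible_at_t10": len(hidden),
        "redelivered_at_t30": len(batch_b),
        "receive_count": msg.receive_count,
        "was_duplicate": duplicate,
        "left_after_stale_delete": left_after_stale,
        "left_after_delete": len(q),
    }


if __name__ == "__main__":
    for key, value in simulate_crash_and_retry().items():
        print(f"{key}: {value}")
```

The receive_count of 2 is the signal a real consumer would read from the ApproximateReceiveCount attribute to decide whether a message has been retried too often and should go to a dead-letter queue.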
11.7. SWF
11.7.1. Simple WorkFlow Service
11.7.2. A workflow execution can run for up to 1 year
11.7.3. Task-oriented API (SQS is message-oriented)
11.7.4. A task is assigned ONLY ONCE and is never duplicated
11.7.5. SWF tracks all tasks in the application (with SQS you must implement your own application-level tracking)
11.7.6. SWF actors (can be code or humans)
11.7.6.1. Workflow Starter - starts the workflow
11.7.6.2. Deciders - control the flow of the workflow
11.7.6.3. Activity Workers - carry out the tasks
12. Networking
12.1. VPC
12.1.1. Default VPC
12.1.1.1. All subnets are public (each has a route to an Internet Gateway)
12.1.1.2. If you delete the default VPC, you have to contact AWS to get it back
12.1.2. VPC Peering
12.1.2.1. Connects one VPC with another
12.1.2.2. Does not give access to the internet through the peer's IGW
12.1.2.3. Not transitive: A peered with B and B peered with C does not give A access to C
12.1.3. Tenancy
12.1.3.1. Default
12.1.3.2. Dedicated
12.1.3.2.1. If you set dedicated tenancy when creating the VPC, all instances launched into it are automatically dedicated
12.1.4. Route Tables
12.1.4.1. A main route table is created automatically for the VPC
12.1.5. Subnetworks
12.1.5.1. 1 subnet = 1 AZ (a subnet cannot span AZs)
12.1.5.2. AWS reserves 5 IP addresses in every subnet (network address, VPC router, DNS, one reserved for future use, broadcast)
12.1.6. IGW
12.1.6.1. 1 IGW per VPC
12.1.7. NAT Instance
12.1.7.1. Disable the Source/Destination check on the NAT instance
12.1.7.2. A larger instance type provides more network throughput (the NAT instance is a single point of failure and a bandwidth bottleneck)
12.1.8. Access Control List (ACLs)
12.1.8.1. A firewall for an entire subnet
12.1.8.2. A new subnet is associated with the VPC's default ACL (which allows all traffic)
12.1.8.3. Stateless: return traffic must be allowed explicitly (e.g. outbound to ephemeral ports 1024-65535)
12.1.8.4. A newly created custom ACL denies all inbound and outbound traffic by default
12.1.8.5. A subnet is associated with exactly 1 ACL at a time (an ACL can be associated with many subnets)
12.1.8.6. Rules are evaluated in order starting from the lowest rule number; the first match wins
12.2. Direct Connect
12.2.1. Provide dedicated link to AWS
12.3. Route53
12.3.1. Prefer an Alias record over a CNAME (an Alias can sit at the zone apex and queries to it are free) http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-choosing-alias-non-alias.html
12.3.2. An ELB is addressed by DNS name, never by a fixed IP
12.3.3. Routing Policies
12.3.3.1. Simple
12.3.3.2. Weighted
12.3.3.2.1. Splits traffic according to the weights assigned
12.3.3.3. Latency
12.3.3.3.1. Routes to the region with the lowest network latency for the end user (i.e. the region that gave the fastest response time)
12.3.3.4. Failover
12.3.3.4.1. Monitors the primary site with health checks and, if it fails, switches to the DR site
12.3.3.5. Geolocation
12.3.3.5.1. Routes based on the geographic location of the end user
13. Compute
13.1. EC2
13.1.1. Price
13.1.1.1. On Demand
13.1.1.1.1. Low price and flexibility without long-term commitments
13.1.1.1.2. Short-term, spiky or unpredictable workloads that cannot be interrupted
13.1.1.1.3. Development or testing
13.1.1.2. Reserved (1 or 3 years)
13.1.1.2.1. Steady-state or predictable usage
13.1.1.2.2. Applications that require reserved capacity
13.1.1.2.3. Users who can make an upfront payment
13.1.1.3. Spot
13.1.1.3.1. Applications with flexible start and end times
13.1.1.3.2. Very low compute price
13.1.1.3.3. Users with urgent, large compute needs
13.1.1.3.4. NOTE: if AWS terminates the instance itself you do not pay for the partial hour; if you terminate it, you pay for the full hour
13.1.2. Types
13.1.2.1. t2 - Low cost, general purpose
13.1.2.2. M4, M3 - General purpose
13.1.2.3. C3, C4 - Compute optimised
13.1.2.4. R3 - Memory optimised
13.1.2.5. G2 - GPU
13.1.2.6. I2 - High-speed storage (NoSQL, ...)
13.1.2.7. D2 - Dense storage (Hadoop, ...)
13.1.3. EBS
13.1.3.1. Type
13.1.3.1.1. General Purpose SSD (GP2)
13.1.3.1.2. Provisioned IOPS SSD (IO1)
13.1.3.1.3. Magnetic (Standard)
13.1.3.2. Encryption
13.1.3.2.1. The root volume (where the OS lives) is NOT encrypted by default; third-party tools can be used to encrypt it
13.1.3.2.2. Additional volumes can be encrypted
13.1.4. SG
13.1.4.1. All inbound traffic is blocked by default
13.1.4.2. All outbound traffic is allowed by default
13.1.4.3. Changes to a SG take effect immediately
13.1.4.4. SGs are STATEFUL (and allow-only: there are no deny rules)
13.1.4.4.1. If an inbound rule allows traffic in, the response is allowed back out regardless of the outbound rules
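Network ACLs (12.1.8) and security groups (13.1.4) differ in exactly the ways the notes state: ordered, first-match, stateless with an implicit final deny versus unordered, allow-only and stateful. The evaluator below is an added example, not AWS code, that works through one HTTPS request and its reply under both. The rule sets and the client addresses (203.0.113.5 from a documentation range, 10.1.2.3 from a private range) are constructed for it.

```python
"""Evaluate a TCP flow through a network ACL and a security group (added
example, not AWS code). A NACL is an ordered, first-match, stateless rule
list with an implicit final deny; a security group is stateful and allow-only,
so a permitted request automatically permits its reply. The rule sets and
addresses below are constructed for this example.
"""
import ipaddress
from collections import namedtuple

# NACL rule: evaluated in ascending rule number, first match wins.
NaclRule = namedtuple("NaclRule", "number port_from port_to cidr action")
# SG rule: allow only; no deny and no ordering.
SgRule = namedtuple("SgRule", "port_from port_to cidr")

EPHEMERAL = (1024, 65535)  # range a client picks its source port from


def _in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def nacl_allows(rules, port, peer_ip):
    """First matching rule decides; the implicit '*' rule at the end denies."""
    for r in sorted(rules, key=lambda rule: rule.number):
        if r.port_from <= port <= r.port_to and _in_cidr(peer_ip, r.cidr):
            return r.action == "allow"
    return False


def sg_allows(rules, port, peer_ip):
    """Any matching allow rule admits the packet; no rules means everything is blocked."""
    return any(r.port_from <= port <= r.port_to and _in_cidr(peer_ip, r.cidr) for r in rules)


def tcp_flow(nacl_in, nacl_out, sg_in, client_ip, dst_port, client_port):
    """Return (request_allowed, reply_allowed) for client -> instance:dst_port."""
    request_ok = nacl_allows(nacl_in, dst_port, client_ip) and sg_allows(sg_in, dst_port, client_ip)
    # The security group is stateful: the reply to an admitted request is allowed
    # out regardless of outbound SG rules. The NACL is stateless: the reply, which
    # goes back to the client's ephemeral port, must match an outbound NACL rule.
    reply_ok = request_ok and nacl_allows(nacl_out, client_port, client_ip)
    return request_ok, reply_ok


# Constructed rule sets for a web server that serves HTTPS to the world except 10.0.0.0/8.
NACL_IN = [
    NaclRule(90, 443, 443, "10.0.0.0/8", "deny"),    # lower number: evaluated first
    NaclRule(100, 443, 443, "0.0.0.0/0", "allow"),
]
NACL_OUT_BROKEN = [NaclRule(100, 443, 443, "0.0.0.0/0", "allow")]  # forgot ephemeral ports
NACL_OUT_FIXED = [NaclRule(100, EPHEMERAL[0], EPHEMERAL[1], "0.0.0.0/0", "allow")]
SG_IN = [SgRule(443, 443, "0.0.0.0/0")]


def demo():
    """Constructed scenarios: (request_allowed, reply_allowed) per case."""
    return {
        "broken_nacl": tcp_flow(NACL_IN, NACL_OUT_BROKEN, SG_IN, "203.0.113.5", 443, 51234),
        "fixed_nacl": tcp_flow(NACL_IN, NACL_OUT_FIXED, SG_IN, "203.0.113.5", 443, 51234),
        "denied_by_rule_90": tcp_flow(NACL_IN, NACL_OUT_FIXED, SG_IN, "10.1.2.3", 443, 51234),
        "wrong_port": tcp_flow(NACL_IN, NACL_OUT_FIXED, SG_IN, "203.0.113.5", 22, 51234),
        # A deny numbered after a matching allow never fires: order, not intent, wins.
        "late_deny_ineffective": nacl_allows(
            NACL_IN + [NaclRule(200, 443, 443, "203.0.113.0/24", "deny")], 443, "203.0.113.5"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The "broken_nacl" case is the classic symptom of forgetting that NACLs are stateless: the SYN arrives, the instance's SYN-ACK is dropped on the way out, and the client sees a hang rather than a refusal. The "late_deny_ineffective" case is why a blocking rule for a specific CIDR must carry a lower number than the broad allow.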
13.1.5. Volume
13.1.5.1. Exists on EBS
13.1.5.2. Virtual hard disk
13.1.5.3. A volume restored from an encrypted snapshot is encrypted
13.1.5.4. RAID
13.1.5.4.1. AWS does NOT recommend RAID 5 (parity writes consume volume IOPS)
13.1.5.4.2. RAID 0 - no redundancy, good performance
13.1.5.4.3. RAID 10 - redundancy and good performance
13.1.5.4.4. Creating a snapshot of a RAID array: stop all I/O first (stop the application, flush caches, freeze or unmount the filesystem), then snapshot every volume in the array so the set is consistent
13.1.6. Snapshot
13.1.6.1. Stored on S3
13.1.6.2. Incremental: only changed blocks are uploaded to S3
13.1.6.3. A snapshot of an encrypted volume is encrypted automatically
13.1.6.4. You can share a snapshot with other accounts or publicly only if it is NOT encrypted
13.1.6.5. To snapshot the root volume, stop the instance first (creating an AMI from a running instance reboots it unless you choose the no-reboot option); a snapshot taken of a running instance cannot guarantee filesystem integrity
13.1.6.6. You can NOT delete a snapshot that is referenced by a registered AMI
13.1.7. AMI
13.1.7.1. EBS root volume
13.1.7.1.1. The root volume is an EBS volume created from an EBS snapshot
13.1.7.2. Instance Store
13.1.7.2.1. The root device is an instance store volume created from a template stored on S3 (takes a bit longer to launch)
13.1.7.2.2. Cannot be stopped (only rebooted or terminated)
13.1.7.2.3. If the underlying host fails, you lose your data
13.1.8. ELB
13.1.8.1. Has only a DNS name, NOT a static IP
13.1.9. IAM Role
13.1.9.1. At the time of these notes a role could not be changed on an existing instance (AWS has since added attaching and replacing roles on running instances)
13.1.9.2. You can change the role's policies and the change applies immediately
13.1.9.3. Roles are easier and safer to manage than access keys stored on the instance
13.1.10. Instance Metadata
13.1.10.1. http://169.254.169.254/latest/meta-data/
13.1.10.2. user-data is not served under the meta-data path; it has its own path, http://169.254.169.254/latest/user-data/
13.1.11. Placement Group
13.1.11.1. Single AZ
13.1.11.2. Low latency
13.1.11.3. 10 Gbps
13.1.11.4. The placement group name must be unique within the AWS account
13.1.11.5. Only certain instance types can be launched in a PG (compute, GPU, memory and storage optimised)
13.1.11.6. AWS recommends homogeneous instances (same family and same size)
13.1.11.7. PGs cannot be merged
13.1.11.8. An existing instance cannot be moved into a PG
13.2. EC2 Container Service
13.3. Elastic Beanstalk
13.4. Lambda
13.4.1. Event-driven compute service: Lambda runs your code in response to events
14. Databases
14.1. Elasticache - In memory caching
14.1.1. Memcached
14.1.2. Redis
14.2. DMS
14.3. RDS - OLTP (Online Transaction Processing)
14.3.1. Aurora
14.3.1.1. Auto-scaling storage (starts at 10 GB, grows in 10 GB increments up to 64 TB)
14.3.1.2. Compute scales up to 32 vCPUs and 244 GB RAM
14.3.1.3. 2 copies of the data in each of at least 3 AZs (6 copies in total)
14.3.1.4. Can lose up to 2 copies without affecting write availability
14.3.1.5. Can lose up to 3 copies without affecting read availability
14.3.1.6. Self-healing (storage is continuously scanned for errors and repaired)
14.3.1.7. Replicas
14.3.1.7.1. Aurora Replica (up to 15)
14.3.1.7.2. MySQL Replica (up to 5)
14.3.2. Types
14.3.2.1. MSSQL
14.3.2.2. MySQL
14.3.2.3. Postgres
14.3.2.4. Oracle
14.3.2.5. Aurora
14.3.2.6. MariaDB
14.3.3. Automated Backups
14.3.3.1. Retained from 0 up to 35 days
14.3.3.2. Storage I/O may be briefly suspended while the backup runs
14.3.3.3. Free backup storage on S3 equal to the size of the DB
14.3.4. Snapshots
14.3.4.1. Taken manually
14.3.4.2. Retained even if you delete the source DB (unlike automated backups)
14.3.5. A restore always creates a new RDS instance with a new endpoint
14.3.6. Encryption
14.3.6.1. Supported by MySQL, PostgreSQL, Oracle, MariaDB and SQL Server
14.3.6.2. Cannot be enabled on an existing instance (create an encrypted copy of a snapshot and restore from it)
14.3.7. Multi-AZ
14.3.7.1. For disaster recovery ONLY (not for scaling reads)
14.3.7.2. Automatic failover
14.3.7.3. Synchronous replication
14.3.8. Read Replica
14.3.8.1. Asynchronous replication
14.3.8.2. MySQL, PostgreSQL, MariaDB
14.3.8.3. Used for scaling reads, NOT for DR
14.3.8.4. Requires automated backups to be enabled
14.3.8.5. Up to 5 read replicas
14.3.8.6. Can have a read replica of a read replica (adds latency)
14.3.8.7. A read replica cannot be Multi-AZ
14.3.8.8. Cross-region read replica (MySQL and MariaDB)
14.3.9. NOTES
14.3.9.1. DB Security Group: you do not specify port/protocol, only the source IP range or security group http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.RDSSecurityGroups.html#Overview.RDSSecurityGroups.DBSec
14.4. DynamoDB - No SQL
14.4.1. Automatic scaling on the fly vs
14.4.2. Stored on SSD
14.4.3. Spread across 3 geographically distinct data centres
14.4.4. Eventually consistent reads (default)
14.4.4.1. Consistency across all copies of the data is usually reached within 1 second
14.4.5. Strongly consistent reads
14.4.5.1. Return a result that reflects all writes that succeeded before the read
14.4.6. Pricing
14.4.6.1. Read throughput: $0.0065 per hour for every 50 units
14.4.6.2. Write throughput: $0.0065 per hour for every 10 units
14.4.6.3. Storage cost of $0.25 per GB per month
14.5. Redshift - OLAP (Online Analytic Processing)
14.5.1. data warehouse service in a cloud
14.5.2. Single node (160 GB)
14.5.3. Multi-Node
14.5.3.1. Leader node (handles queries)
14.5.3.2. Compute nodes (store data, execute queries), up to 128 nodes
14.5.4. Price
14.5.4.1. Leader node is free
14.5.4.2. Compute nodes: charged per hour the instances run
14.5.4.3. Backup storage
14.5.4.4. Data transfer (within the VPC)
14.5.5. Encryption
14.5.5.1. SSL/TLS for data in transit
14.5.5.2. Encrypted at rest using AES-256
14.5.5.3. By default Redshift manages the keys itself
14.5.5.3.1. But you can use KMS, or
14.5.5.3.2. Manage your own keys using a HSM
14.5.6. Availability
14.5.6.1. Only 1 AZ
14.5.6.1.1. A snapshot can be restored into a new AZ