AWS Cloud Practitioner

These notes were created during my preparation for the AWS Cloud Practitioner Exam. They help me memorise essential points and knowledge commonly found in frequently asked questions.

The exam requires a substantial amount of knowledge to be memorised, particularly for those new to AWS and cloud computing.

To give you some context, I had some basic experience with AWS services from a unit I took a year ago before I started preparing for the exam.

To supplement my knowledge, I watched about half of the lectures in this udemy tutorial.

I also completed the first 5 practice exams from 6 Practice Exams to gain a better understanding of the types of questions that might appear on the actual exam. I practiced with test questions multiple times and reviewed any questions I answered incorrectly or felt uncertain about.

Luckily, I passed the exam in one shot with a score of 822 out of 1000.

Billing & Pricing

Basic:

• one-on-one responses to account and billing questions
• support forums
• service health checks
• documentation

AWS developer support plan:

• one contact + unlimited cases

Business, On-ramp, Enterprise:

• unlimited contacts + unlimited cases

Enterprise:

• concierge service
• event management (also on-ramp)
• designated technical account manager

Cost Allocation Tags:

• a label assigns to a resource (1 unique key + 1 value)
• used to track costs
• two types:
  • generated tags: tags generated by AWS
  • user-defined tags: define, create and apply tags on generated tags
• must activate both types of tags before examining cost expolorer
• not mandatory
• cannot create separate invoice based on tags

Billing metric data is stored in the US East (N. Virginia) Region and represents worldwide charges.

storage pricing:

• EFS Infrequent Access class: pay a fee each time read from or write to a file
• EBS snapshot: bill only for the changed blocks stored
• AWS backup: pay for the amount of storage used and amount of data restored in the month

AWS Budget types:

• cost budget
• reservation budget
• usage budget

Compute optimizer:

• EC2,
• Auto Scaling group,
• EBS,
• Lambda

Amazon API Gateway:

• REST, HTTP, WebSocket APIs
• for accessing AWS or other web services

Kinesis Data Stream:

• processes and analyzes streaming data at any scale
• a fully managed service

2 Savings Plans (1 / 3 yrs commitment):

• compute savings plan
• EC2 instance savings plan

CloudEndure Disaster Recovery: replicates applications into AWS (block-level)

Beanstalk:

• no additional charge
• pay for AWS resources you create to store and run your application

Trusted Advisor:

• real-time guidance to provision resources following best practices
• check EBS configurations and warns when underused
• Five categories:
  • cost optimisation
  • performance
  • security
  • fault tolerance
  • service limits

Inspector:

• automated security assessment service
• improve security & compliance of application
• not for infrastructure

Cloudwatch:

• monitor applications
• data and actionable insights
• performance changes, resource uilitisation, health

Cloud Concepts

cloud foundations:

• guide deploy, configure, secure workloads while ensuring operations in the cloud
• navigate decisions (AWS Solutions, Partner Solutions, Guidance)

Trusted Advisor:

• guide provision resources following best practices
• five categories:
  • cost optimisation
  • performance
  • security
  • fault tolerance
  • service limits

Transit gateway:

• VPC -> on-premise
• through a central hub
• can interconnect VPCs

Direct Connect:

• VPC -> on-premise
• private connection - not use public internet
• cannot interconnect VPCs

VPC peering connection:

• VPC -> VPC
• not transitive - difficult to manage

VPC interface endpoint:

• VPC -> AWS Services
• powered by PrivateLink - no public internet, support S3

VPC gateway endpoint:

• VPC -> AWS Services
• only support S3, dynamoDB.

Internet gateway:

• VPC -> public internet

API gateway:

• VPC internal service -> clients

Site-to-Site VPN:

• AWS Services -> on-premise
• cannot interconnect VPCs
• components:
  • virtual private gateway,
  • transit gateway,
  • customer gateway,
  • customer gateway device

AWS cost and usage report:

• generate billing reports that break down
  • by hour or month,
  • by product or product resource,
  • by tags
• cannot be used to identify under-utilized Amazon EC2 instances.

AWS Knowledge Center contains the most frequent & common questions and requests and AWS provided solutions for the same.

AWS Support Center is the hub for managing your Support cases.

Global Accelerator:

• low latency - high performance
• high availability
• static IP address
• non-HTTP use cases (UDP, MQTT)

S3 transfer Acceleration (S3TA):

• powered by cloudfront
• client - S3 bucket
• not for replicating data

LB: distribute traffic, not scale resources

Warm standby:

• can handle traffic at reduced levels immediately.

Pilot light:

• cannot serve requests until additional steps are taken
  • deploy infrastructure and
  • scale out resources
  • then workload can handle requests.

Cloud Adoption Framework (CAF):

• Business,
• People,
• Governance
• Platform,
• Security,
• Operations

CAF stakeholders: CTO, technology leaders, architects, engineers.

6 Pillars: 1.Operational excellence (Cloudformation): run systems to deliver business value. 2.Security (IAM, WAF, KMS): protect system while deliver business value 3.Relibility (IAM, Cloudformation, S3): the ability of a system to recover 4.Performance efficiency(auto scaling, lambda, elasticache): use computing resources efficiently 5.Cost optimisation (budget, cost explorer): run systems at the lowest price point 6.Sustainability (auto scaling, fargate, s3, ec2): minimise the environmental impacts

recovery time objective:

• real-time: Multi-site active/active (run simultaneously)
• minutes: warm standby (scaled-down but full functional copy)
• 10s of minutes: pilot light (core component)
• hours: backup & restore (data only, need redeploy infrastructure)

local zone:

• low latency to specific geographic areas
• optimise latency
• gaming

outpost:

• low latency to on-premises location
• run service locally

well-architected tool:

• review the state of your workloads
• compare with best practices

WorkSpaces:

• global services
• provision Windows or Linux desktops

Athena:

• query service
• serverless
• facilitate analyse data in S3

Security

IAM user: use access key ID and secret access key as credentials

IAM role: align with permission policies that determine allow and deny rules. - assigned to anyone who needs it.

IAM user group: specify permission policies to a group of users.

IAM policy: policies attach to IAM identities (user, group, role)

CAF:

• Business
• People
• Grovernance
• Platform
• Security
• Operations

Service Catalog: create and manage catalogs of IT services ( virtual machine images, servers, software, databases).

APN: AWS Partner Network. technology and consulting businesses to build solutions and services for customers.

AWS Organisations: centrally management. (manage billing, control access, compliance, security, share resource across AWS accounts).

CloudWatch: resource performance monitoring, events, and alerts.

CloudTrail: account-specific activity and audit.

encryption:

• automatically enabled:
  • storage gateway,
  • S3
  • cloudtrail logs stored in s3
• optional:
  • EBS,
  • Redshift,
  • EFS

Virtual MFA device: A software app that emulates a physical device.

U2F security key: A device that you plug into a USB port on your computer.

Amazon CloudWatch Logs enables you to centralize the logs from all of your systems, applications, and AWS services that you use, in a single, highly scalable service.

AWS CloudTrail cannot be used to centralize the server logs for Amazon Elastic Compute Cloud (Amazon EC2) instances or on-premises servers.

Shield standard: enabled for all AWS customers at no additional cost.

WAF: HTTP/HTTPS requests forwarding to API gateway, cloudfront, ALB. (no route 53)

Credential report: list all users in the account and the status of their credentials.

Artifact: download security and compliance related information

• reports: Service Organization Control (SOC) reports, Payment Card Industry (PCI) reports, and certifications from accreditation bodies

VPC interface endpoint:

• VPC -> services
• powered by PrivateLink - no public internet, support S3

VPC gateway endpoint:

• VPC -> services
• only support S3, dynamoDB.

Trusted Advisor alerts when:

• leaving certain ports open that make you vulnerable
• neglecting to create IAM accounts for your internal users
• allowing public access to Amazon S3 buckets
• not turning on user activity logging (AWS CloudTrail)
• not using MFA on your root AWS Account.

IAM user access keys:

• long-term credentials
• global service
• not suitable for accessing dynamoDB - temporary credentials are better (IAM role)

Cognito:

• add user credential to web apps.
• cannot be used to access dynamoDB.

CloudHSM:

• generate, store, manage credentials

Secret manager:

• protect credentials for applications and services
• manage credentials (rotate, retrieve, manage)
• integrate with CloudHSM

Macie:

• data discovery and protection in Amazon S3 (Simple Storage Service) buckets
• automatically discover, classify, and protect sensitive data in S3.

Detective:

• analyse events
• identify potential security issues.
• cloudtrail logs, VPC flow logs, guardduty findings

Technology

Root user cannot be restricted

Elastic Beanstalk: PaaS. an engine to deploy and scale services.

CloudFormation:

• infrastructure as code. (a broader concept, can include IaaS)
• automate the provisioning and management of resources across various AWS services
• can estimate costs using templates

ECS:

• a container management service.
• a platform for deploying and managing containerized applications,
• leveraging Docker containers, and orchestrating their deployment and scaling.

Amazon MQ: message broker for moving messaging functionality from on-premise application to cloud.

SQS:

• move data between components.
• help build applications with independent message processing.

SNS:

• messaging service for application-application and application-person communication

Compute optimizer:

• EC2,
• Auto Scaling group,
• EBS,
• Lambda

Storage gateway:

• bridge on-premise data and cloud data in S3
• File, Volume, Tape

Step function:

• coordinate multiple AWS services (sagemaker, glue, lambda) into serverless workflows.
• Cannot be used to run a process on a schedule.

Database:

• Glue: prepare and transform data for analytics, serverless
• Neptune: graph database
• Quantum Ledger Database (QLDB): review history of all changes made to application data
• Database Migration Service (DMS)
• Athena: serverless query service to perform analytics against S3 objects
• EMR: Elastic MapReduce - analyse and process big data, hadoop cluster
• Redshift: SQL analytics and cloud data warehousing
• Aurora: MySQL and PostgreSQL
• DocumentDB: Aurora version for MongoDB
• QuickSight: create interactive dashboards on database
• ElastiCache: in-memory database

Security group:

• stateful
• instance level
• allow rule only

NACL:

• stateless
• subnet level
• allow and deny rules

Read Replicas:

• used for improved read performance. - scalability
• horizontal scaling

Amazon EFS

• keeping files accessible to satisfy audit requirements,
• performing historical analysis,
• or performing backup and recovery.
• EC2 instances can access EFS across AZs, regions, and VPCs,
• while on-premises servers can access using AWS Direct Connect or AWS VPN.
• cannot be used as a boot volume for Amazon Elastic Compute Cloud (Amazon EC2) instances.
• For boot volumes, Amazon Elastic Block Storage (Amazon EBS) volumes are used.

Amazon Kendra:

• search service in unstructured data - accurate search results.

Amazon Personalize

• building applications with personalized recommendations capability.

Amazon Comprehend

• extracting insights in unstructured data - help understanding.
• NLP
• text analysis, topic modelling, keyphrase extraction, syntax analysis…

Amazon Lex

• building conversational interfaces into any application using voice and text.
• NLU
• chatbot

A customer gateway is a resource in AWS that provides information to AWS about your Customer gateway device.

Site-to-Side VPN components:

• virtual private gateway
• transit gateway
• customer gateway
• customer gateway device

Global scope services:

• EC2, S3, DynamoDB, SNS, IAM, CloudFront, Route 53, WAF…

Regional scope services:

• lambda, redshift, read replicas, rekognition

The pricing for an AWS Lambda function is not dependent on the language runtime of the function.

AWS CodeDeploy is a service that automates code deployments to any instance,

CloudFormation cannot be used to automate code deployment.

EBS:

• A broad range of workloads, such as relational and non-relational databases, enterprise applications, containerized applications, big data analytics engines, file systems, and media workflows are widely deployed on Amazon EBS.
• not a good fit for caching information on Amazon EC2 instances

S3 actions:

• transition actions:

partner solutions:

• automated technology deployments

whitepapers:

• technical content (technical guides, reference materials, architecture diagrams)

route 53:

• domain registration
• health check and monitoring

AWS Health:

• Performance and availability of AWS services

IAM Identity Center:

• successor to sso

DataSync:

• simplifies and accelerates moving data between on-premises storage systems and AWS services

EC2 instance user data:

• data specified in the form of a bootstrap script configuration parameters while launching your instance

EC2 instance metadata:

• data about your instance you can use to manage the instance (ami-id, public-hostname)

S3 no retrieval fee:

• intelligent-tiering
• standard

read-replicas:

• create read-only copies with master database
• place in different AWS region
• improve performance
• data recovery