
AWS Cloud Practitioner

This certification is mostly used by people to get an understanding of the AWS
services.

Where can you take this exam?

You can take this exam online through Pearson VUE.

It costs $100.

90 mins
65 Questions
70% passing score
Valid for 3 years.
Exam Guide
This is what the exam mostly comprises of:

Cloud Concepts 28%
Security 24%
Technology 36%
Billing & Pricing 12%
We have a total of 65 questions and most of them are multiple choice or multiple
response questions.

What is Cloud Computing
It's the practice of using a network of remote servers hosted on the internet to
store, manage and process data rather than using a local server or personal computer.

Benefits of cloud computing
No upfront costs such as paying for servers. You can pay on demand.
Economies of scale: you can save a lot of money since so many people share the
cloud.
You can scale up or scale down based on your need.
With a few clicks of a button your service is deployed.
No more maintenance costs.
Go global in a few minutes since there are global regions where cloud servers are
hosted.
Types of Cloud Computing
SaaS –> Software as a Service. Basically a complete product that is run and managed
by the service provider. (Examples: Salesforce, Gmail, Google Docs)
PaaS –> Platform as a Service. Focuses on deploying applications without worrying
about managing the infrastructure. (Examples: Heroku, Netlify, etc.)
IaaS –> Infrastructure as a Service. The building blocks of IT. Provides compute
and storage resources, etc. (Examples: AWS, GCP and Azure).
Cloud Computing Models
Cloud (Fully hosted on Cloud such as startups)
Hybrid (On-Premise and Public Cloud such as Banks)
On-Premise (On Private Cloud where sensitive data is being stored).
AWS Global Infrastructure
There are over a million active customers using AWS.
There are a total of 69 Availability Zones in 22 Geographic Regions around the world.
Regions –> a physical location with multiple availability zones.
Availability Zones (AZ) –> one or more discrete data centers (owned by AWS).
Edge Locations –> a data center owned by a trusted partner of AWS.
AWS Regions
A geographically distinct location with multiple data centers.
Each region has two AZs.
US-EAST (North Virginia) is the largest AWS region and services almost always become
available first in this region.
Not all services are available in all regions.
US-EAST-1 is where you see your billing information.
AZs (Availability Zones)
Each Region has two AZs.
An AZ is a data center run and owned by AWS.
Less than 10ms latency between AZs.
Edge Locations (Get Data Fast or Upload Data Fast)
A data center owned by a trusted partner of AWS that has a direct connection to the
AWS network.
These locations serve requests for CloudFront and Route 53. Requests going to either
of these services will be routed to the nearest edge location automatically.
S3 Transfer Acceleration and API Gateway endpoints also use the AWS Edge Network.
This allows for low latency no matter where you are located.
GovCloud
An AWS service that allows customers to host sensitive Controlled Unclassified
Information or other types of workloads.
Only operated by US citizens, on US soil.
Must follow several compliance guidelines.
EC2 Instances
In order to create an EC2 instance head over to the AWS Console.
Choose EC2 and follow along. Make sure you select the Amazon Linux 2 AMI and select
the type as t2.micro since that is offered with the free tier.
Now follow along and make sure to set an IAM role.
Lastly make sure you have billing alerts turned on.
You can use either SSH or Session Manager to get into the EC2 instance.
You can also get to Session Manager by going to Systems Manager.
Session Manager opens a simple bash shell that lets you access your EC2 instance.
AMI (Amazon Machine Image)
You can create an image by going into the EC2 management console, clicking on
Actions and selecting Image.
Basically this creates a copy that allows you to launch multiple servers.
Auto Scaling
This allows you to ensure that multiple instances and multiple servers are running.
This also allows you to meet the demand of web traffic.
It is configured from the EC2 management console.
Elastic Load Balancer (ELB)
This allows you to reroute traffic, especially when doing updates to the application.
S3 Buckets
S3 itself is global, but buckets are region specific.
It's object storage used to store files.
CloudFront (CDN)
CloudFront is basically a Content Delivery Network.
It makes it easier for companies to distribute their content.
Hook it up to an S3 Bucket and deliver your content around the world.
RDS (Relational Database Service)
It's used to set up a relational database (Examples: SQL, PSQL).
Amazon Aurora is the default when setting up this service.
It has auto scaling.
AWS Lambda
Serverless framework.
Allows you to run simple functions; you can think of them as cron jobs.
EC2 Pricing Models
EC2 has four different pricing models.

On Demand
Low cost and flexible.
Only charges per hour.
Short term.
Good for first-time apps or prototypes.
No upfront payment.
Reserved Instances
Good for committed applications.
Standard savings of 75% (cannot change the RI attributes).
Best for long term.
You can schedule reserved instances.
There's a commitment of 1 to 3 years with AWS.
RIs can be shared between multiple accounts.
You can even sell your unused instances.
Spot Instances
You can think of it as a hotel that offers discounts to fill its empty rooms.
Just like a hotel, AWS uses a similar approach to maximize the usage of its idle
servers.
There are conditions, such as:
Instances can be terminated at any time.
If your instance gets terminated by AWS you don't get charged for the partial hour of usage.
If you terminate an instance yourself you will be charged for any hour that it ran.
Good for workloads that can tolerate interruption.
It provides you 90% savings.
Dedicated
It's the most expensive EC2 instance.
It's built for single-tenant customers. It's more useful for large enterprises.
It's offered both on demand and reserved.
Billing and Pricing
AWS Free Services
IAM (Identity Access Management) –> used for creating users and roles.
Auto Scaling
CloudFormation
Elastic Beanstalk
OpsWorks
Amplify
AppSync
CodeStar
AWS Cost Explorer
NOTE: These services are free themselves, but they can provision AWS services that cost money.

AWS Support Plans
$0/month - Basic (support only by email).
$20/month - Developer (tech support via email, reply within 24hrs)
No third-party support.
General guidance only.
$100/month - Business (tech support via chat/phone 24/7)
Does support third-party software.
Production system down: less than 1hr response time (business downtime).
$15000/month - Enterprise (tech support via chat/phone 24/7)
Personal concierge.
TAM (Technical Account Manager).
Response time less than 15min (business downtime).
AWS Marketplace
A place where you will find thousands of software listings from independent software
vendors.
The product is free to use or can have a charge, which becomes part of the AWS bill.
AWS Trusted Advisor Checks
This advises customers on security, saving money, performance, service limits and
fault tolerance.
Free tier has 7 Trusted Advisor checks.
Enterprise and Business - all Trusted Advisor checks.
Consolidated Billing
One master account for all member accounts.
Cost Explorer tool for visualizing the usage.
It also offers volume discounts (the more you use, the cheaper it gets).
AWS Cost Explorer
Allows you to visualize the usage of multiple accounts.
AWS Budgets
The first two budgets are free of charge.
Allows you to set up alerts when you exceed your limits.
You can set three types of alerts: budget, usage and instance reservation.
Alerts support EC2, RDS, Redshift and ElastiCache.
You can manage budgets from the AWS Budgets dashboard or the Budgets API.
Get notified through email or chatbot.
TCO Calculator
The Total Cost of Ownership calculator allows you to show how much you can save by
shifting to AWS.
A tool that allows you to build reports for execs to show how much you can save.
Only for approximation purposes.
AWS Landing Zone
Meant for enterprises.
Automatically provisions and configures new accounts via a Service Catalog template.
Uses SSO.
AWS Resource Groups & Tagging
Tags are words or phrases that act as metadata for organizing AWS resources.
Resource Groups are collections of resources that share one or more tags.
A Resource Group can display the following details about a group of resources:
Metrics
Alarms
Configuration Settings.
AWS Quick Start
Prebuilt templates offered by AWS or AWS partners that help you deploy popular
stacks on AWS. This reduces the manual effort.
It's divided into three steps:
A reference architecture for deployment.
AWS CloudFormation templates that automate and configure the deployment.
A guide explaining the architecture and implementation in detail.
AWS Cost and Usage Report
This allows you to generate a detailed report of your AWS costs. You'll get a
spreadsheet highlighting the costs.
Reports are stored in S3.
You can use Athena to turn this into a queryable database.
QuickSight for analyzing.
AWS Networking
Region -> The geographic location of the network.
VPC -> An isolated section of AWS where you can launch AWS resources.
AZ -> The data center where the AWS resources run.
Security Groups -> Act as a firewall at the instance level.
Internet Gateway -> Enables access to the internet.
NACLs -> Act as a firewall at the subnet level.
Route Tables -> Determine where network traffic from your subnets is directed.
Subnets -> A logical partition of an IP network into multiple, smaller network
segments.
AWS Database Services
DynamoDB -> NoSQL key/value database (similar to Cassandra). This is really fast for
read and write access.
DocumentDB -> NoSQL document database that is compatible with MongoDB.
RDS -> Relational Database Service that supports multiple engines:
MySQL, Postgres, MariaDB. (Most popular DB)
Aurora -> Fully managed database compatible with MySQL (5x faster) and PSQL (3x
faster). (Runs 6 copies of the database and is a more expensive DB)
Aurora Serverless -> Only runs when needed.
Neptune -> Graph database.
Redshift -> Columnar database, petabyte-scale warehouse.
ElastiCache -> Redis or Memcached database.
AWS Provisioning Services
Elastic Beanstalk -> Think of it as Heroku. It's a service used for deploying and
scaling web applications and services written in Java, Python, C++, etc.
(Perfect for deploying web apps)
OpsWorks -> Configuration management service that provides managed instances of Chef
and Puppet. (It has layers, such as tier 2 or tier 3)
CloudFormation -> IaC, Infrastructure as Code in JSON or YAML.
AWS Quick Start -> Ready-made templates that can launch and configure your AWS
compute, network, and other services.
AWS Marketplace -> A place where you can buy or sell software or services for the AWS
Cloud.
AWS Compute Services
EC2 -> Elastic Compute Cloud, a highly configurable server.
ECS -> Elastic Container Service, Docker as a service: highly scalable, high
performance and good for microservices.
Fargate -> You don't choose the EC2 instance like you might in ECS. You define the
service and AWS will run it. (Like Lambda, since you don't pay for EC2)
EKS -> Kubernetes as a service; makes it easy to deploy, manage and scale.
Lambda -> Serverless. Just upload code as a function and AWS will run the code for you.
Elastic Beanstalk -> Upload the code and it will do the rest for you. Good for
developers who just want to upload their apps.
AWS Batch -> For batch processing, where you can schedule batch jobs.
AWS Storage Services
S3 -> Simple Storage Service - object store (simply upload files).
S3 Glacier -> Low cost storage, good for archiving data for long-term
backup.
Storage Gateway -> A hybrid storage solution from on-premises to cloud.
EBS (Elastic Block Store) -> A hard drive in the cloud that you attach to an EC2
instance, such as SSDs or HDDs.
EFS (Elastic File System) -> File storage mountable to multiple EC2 instances at
the same time.
Snowball -> A way of moving data from on-premises to AWS.
Snowball Edge -> 100 TB (better version with additional features).
Snowmobile -> Allows you to move petabytes of data (data center on wheels).
AWS Business Centric Services
Amazon Connect -> Cloud-based call center service you can set up in a few minutes;
later you can save the calls in S3 for further analysis. You can even route calls
based on defined rules.
WorkSpaces -> Secure managed virtual desktops.
WorkDocs -> AWS version of SharePoint, where you can collaborate and share
documents.
Chime -> Think of it as Skype, where you can do business calls and meetings.
WorkMail -> Managed AWS email service, just like Microsoft Exchange/Outlook; uses the
IMAP protocol.
Pinpoint -> For marketing campaigns with targeted email and SMS
notifications.
SES (Simple Email Service) -> A cloud-based email sending service used to send emails
and notifications (good for web apps that send email notifications and
want HTML-formatted email).
QuickSight -> Think of it as QlikSense or Tableau, as this allows you to visualize
data.
AWS Enterprise Integration
Direct Connect -> A dedicated gigabit connection from on-premises to AWS.
VPN
Site-to-Site -> Connecting an on-premises network to AWS.
Client VPN -> Connecting a client to the AWS network.
Storage Gateway -> A hybrid storage service that enables on-premises applications to
use AWS cloud storage.
Good for backup,
archiving,
disaster recovery,
migration and
data processing.
AD (Active Directory) -> An AWS directory service for Microsoft Active Directory, also
known as AWS Managed Microsoft AD. Enables your workloads and AWS
resources to use managed AD in the AWS cloud.
AWS Logging Services
CloudTrail -> A logging service that logs all the API calls (SDK, CLI) between AWS
services. It answers questions such as:
Who created the service?
Who spun up the EC2 instance?
Who launched the SageMaker notebook?
Detects developer misconfigurations.
Detects malicious activity.
Automates responses.
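The three CloudTrail uses listed above (who launched an instance, spotting a developer misconfiguration, feeding an automated response) can all be answered by parsing the trail's JSON records. The following is an added example, not code from the original notes or from AWS; the records are constructed for the demo (the field layout follows CloudTrail's JSON format, every value is made up), and the "admin port opened to 0.0.0.0/0" rule is an assumed example of a misconfiguration check, not an AWS-defined one.

```python
import json

# Constructed sample CloudTrail records. The field layout (Records, userIdentity,
# eventSource, eventName, requestParameters, responseElements) follows CloudTrail's
# JSON format; every value below is made up for this example.
SAMPLE_TRAIL = json.dumps({"Records": [
    {
        "eventTime": "2024-01-01T10:00:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "requestParameters": {"instanceType": "t2.micro"},
        "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0example1"}]}},
    },
    {
        "eventTime": "2024-01-01T10:05:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.11",
        "userIdentity": {"type": "IAMUser", "userName": "bob"},
        "requestParameters": {
            "groupId": "sg-0example",
            "ipPermissions": {"items": [{
                "ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]},
            }]},
        },
    },
    {
        "eventTime": "2024-01-01T10:06:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.11",
        "userIdentity": {"type": "IAMUser", "userName": "bob"},
        "requestParameters": {
            "groupId": "sg-0example",
            "ipPermissions": {"items": [{
                "ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]},
            }]},
        },
    },
]})


def load_records(trail_json: str) -> list:
    """A CloudTrail log file is a JSON object with a top-level 'Records' array."""
    return json.loads(trail_json)["Records"]


def actor(record: dict) -> str:
    """Best-effort principal name: IAM user name, else the identity ARN."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn", "unknown")


def who_launched_instances(records: list) -> dict:
    """Map each launched instance id to the principal that called RunInstances."""
    launches = {}
    for rec in records:
        if rec.get("eventSource") != "ec2.amazonaws.com" or rec.get("eventName") != "RunInstances":
            continue
        items = rec.get("responseElements", {}).get("instancesSet", {}).get("items", [])
        for item in items:
            launches[item["instanceId"]] = actor(rec)
    return launches


def find_world_open_admin_ports(records: list, admin_ports=(22, 3389)) -> list:
    """Flag AuthorizeSecurityGroupIngress calls that open an admin port to 0.0.0.0/0
    (an assumed misconfiguration rule for this demo). The returned findings carry who,
    when, from where and which group, i.e. what a responder needs to act on them."""
    findings = []
    for rec in records:
        if rec.get("eventName") != "AuthorizeSecurityGroupIngress":
            continue
        params = rec.get("requestParameters", {})
        for perm in params.get("ipPermissions", {}).get("items", []):
            cidrs = {r.get("cidrIp") for r in perm.get("ipRanges", {}).get("items", [])}
            lo, hi = perm.get("fromPort"), perm.get("toPort")
            if "0.0.0.0/0" not in cidrs or lo is None or hi is None:
                continue
            exposed = [p for p in admin_ports if lo <= p <= hi]
            if exposed:
                findings.append({
                    "time": rec.get("eventTime"),
                    "actor": actor(rec),
                    "source_ip": rec.get("sourceIPAddress"),
                    "group": params.get("groupId"),
                    "ports": exposed,
                })
    return findings


if __name__ == "__main__":
    recs = load_records(SAMPLE_TRAIL)
    print("launched:", who_launched_instances(recs))
    for finding in find_world_open_admin_ports(recs):
        print("MISCONFIG:", finding)
```

The benign third record (port 443 from a private range) produces no finding, which is the point of keying the check on both the CIDR and the port range rather than on the event name alone. In a real account the same logic would run over the gzipped files CloudTrail delivers to S3, or as the handler behind a CloudWatch Events rule.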
CloudWatch -> A collection of multiple services. It's more like a storage solution for
all the logs.
Stores all types of logs.
CloudWatch Metrics -> time-series data from logs.
CloudWatch Events -> trigger an event based on a condition (e.g. taking a snapshot of
the server).
CloudWatch Alarms -> trigger notifications based on metrics.
CloudWatch Dashboard -> create visualizations based on metrics.
Most Common AWS Initials
IAM: Identity Access Management.
S3: Simple Storage Service.
SWF: Simple Workflow Service.
SNS: Simple Notification Service.
SQS: Simple Queue Service.
SES: Simple Email Service.
SSM: Simple Systems Manager.
RDS: Relational Database Service.
VPC: Virtual Private Cloud.
VPN: Virtual Private Network.
CFN: CloudFormation.
WAF: Web Application Firewall.
MQ: Amazon MQ (managed ActiveMQ).
ASG: Auto Scaling Groups.
TAM: Technical Account Manager.
ELB: Elastic Load Balancer.
ALB: Application Load Balancer.
NLB: Network Load Balancer.
EC2: Elastic Compute Cloud.
ECS: Elastic Container Service.
ECR: Elastic Container Registry.
EBS: Elastic Block Store.
EFS: Elastic File System.
EMR: Elastic MapReduce.
EB: Elastic Beanstalk.
ES: Elasticsearch Service.
EKS: Elastic Kubernetes Service.
MSK: Managed Streaming for Kafka.
IoT: Internet of Things.
RI: Reserved Instances.
AWS Security
In the Shared Responsibility Model the customer is responsible for security in
the cloud, such as securing the data and using the right configuration, and anything
the customer can't touch or get access to is secured by AWS, such as
hardware, operation of managed services and global infrastructure.

Things the customer should take care of:
IAM
Customer data
OS, network and firewall configs
Maintaining encryption protocols
Things AWS takes care of:
Software
Hardware
Services that AWS provides
AWS Compliance Programs
A set of internal policies and procedures of a company to comply with rules and
regulations or to uphold reputation.
The two most popular ones:
HIPAA
PCI (Payment Card Industry data security standard)
AWS Artifact
A no-cost, self-service portal for on-demand access to AWS compliance reports.

AWS Inspector
AWS Inspector is a tool that runs security benchmarks against specific EC2
instances. The most popular one is published by CIS (Center for Internet Security),
which has 699 benchmarks. It can even inspect the network to check whether any ports
are open and reachable.

AWS WAF (Web Application Firewall)
It allows you to protect your web application against the most common exploits. You
can write your own rules that allow or block traffic based on the contents of HTTP
requests. You can also use rulesets from AWS trusted security partners. It can be
attached to either CloudFront or an Application Load Balancer (ALB).

The most common attacks include:
Injection
Broken Authentication
Sensitive Data Exposure
XML External Entities (XXE)
Broken Access Control
Security Misconfigurations
Cross Site Scripting (XSS)
Insecure Deserialization
Using Components with Known Vulnerabilities
Insufficient Logging and Monitoring
AWS Shield
A managed DDoS (Distributed Denial of Service) protection service that safeguards
applications running on AWS.
All AWS customers benefit from the automatic protections of AWS Shield Standard at
no charge.
When you route your traffic through Route 53 or CloudFront you are using AWS Shield.
Protects you against Layer 3, Layer 4 and Layer 7 attacks:
7 Application
4 Transport
3 Network
There's also a paid tier known as Shield Advanced that costs $3000/year (upfront
or commitment). It gives you extra protection with 24/7 support and is available
on:
Amazon Route 53
Amazon CloudFront
ELB
AWS Global Accelerator
Elastic IP (Amazon Elastic Compute Cloud and Network Load Balancer).
AWS Penetration Testing
An authorized simulated cyber attack on a computer system, performed to evaluate the
security of the system.
Permitted Services
EC2 instances, NAT Gateways, and ELB.
RDS
CloudFront
Aurora
API Gateway
AWS Lambda and Lambda@Edge functions
Lightsail resources
Prohibited Activities
DNS zone walking via Amazon Route 53 Hosted Zones.
DoS (Denial of Service), DDoS, Simulated DoS, Simulated DDoS.
Port flooding
Protocol flooding
Request flooding
Amazon GuardDuty Service
IDS: Intrusion Detection System
IPS: Intrusion Prevention System
A device or software that monitors a network or systems for malicious activity or
policy violations.
GuardDuty is a threat detection service that continuously monitors for
malicious or suspicious activity and unauthorized behavior. It uses machine learning
to analyze the following AWS logs:
CloudTrail Logs
VPC Flow Logs
DNS Logs
It will alert you of its findings, from which you can automate an incident response via
CloudWatch Events or third-party software.

KMS (Key Management Service)
A managed service that makes it easy for you to create and control the encryption
keys used to encrypt your data.
KMS is a multi-tenant HSM (Hardware Security Module).
Many AWS services are integrated with KMS to encrypt your data with a simple
checkbox.
KMS uses Envelope Encryption.
Envelope Encryption
When you encrypt your data, your data is protected, but you still have to protect your
encryption key. So you encrypt your data key with a master key as an additional
layer of security.
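The envelope pattern just described, worked through end to end: a data key encrypts the payload, a master key that never leaves the key service wraps the data key, and the wrapped key is stored next to the ciphertext. This is an added example, not code from the original notes and not the AWS SDK or KMS; `MasterKeyService` is a hypothetical stand-in for KMS, and the `seal`/`unseal` cipher is a stdlib-only encrypt-then-MAC construction (HMAC-SHA256 keystream plus HMAC tag) assumed here in place of the AES-GCM that KMS and the SDKs actually use.

```python
import hashlib
import hmac
import secrets

# Toy stand-in for an authenticated cipher: HMAC-SHA256 keystream in counter mode,
# then HMAC-SHA256 over aad||nonce||ciphertext (encrypt-then-MAC). This is an
# assumption for a stdlib-only demo; KMS and the AWS SDKs use AES-GCM.
NONCE_LEN, TAG_LEN = 16, 32


def _subkeys(key: bytes):
    """Derive independent encryption and MAC keys from one 32-byte key."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Return nonce || ciphertext || tag."""
    enc, mac = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Verify the tag in constant time before decrypting; reject on any mismatch."""
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc, nonce, len(ct))))


class MasterKeyService:
    """Hypothetical stand-in for KMS: holds the master key and never returns it.
    Callers get data keys (plaintext + wrapped) and can ask for a wrapped key to be
    unwrapped, mirroring KMS GenerateDataKey and Decrypt."""

    def __init__(self):
        self._master = secrets.token_bytes(32)

    def generate_data_key(self):
        data_key = secrets.token_bytes(32)
        return data_key, seal(self._master, data_key, aad=b"data-key")

    def decrypt_data_key(self, wrapped: bytes) -> bytes:
        return unseal(self._master, wrapped, aad=b"data-key")


def envelope_encrypt(kms: MasterKeyService, plaintext: bytes) -> dict:
    """Encrypt data with a fresh data key, then keep only the master-key-wrapped data key."""
    data_key, wrapped = kms.generate_data_key()
    ciphertext = seal(data_key, plaintext)
    # The plaintext data key goes out of scope here; only the wrapped copy is stored.
    return {"wrapped_data_key": wrapped, "ciphertext": ciphertext}


def envelope_decrypt(kms: MasterKeyService, envelope: dict) -> bytes:
    """Unwrap the data key through the key service, then decrypt the payload locally."""
    data_key = kms.decrypt_data_key(envelope["wrapped_data_key"])
    return unseal(data_key, envelope["ciphertext"])


if __name__ == "__main__":
    kms = MasterKeyService()
    env = envelope_encrypt(kms, b"customer record")
    print(envelope_decrypt(kms, env))
```

Two properties of the pattern are visible in the code: bulk data never crosses to the key service (only the 32-byte data key does, so large objects can be encrypted locally), and losing access to the master key makes every stored envelope unreadable even though the wrapped data keys sit right next to the ciphertext.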

Amazon Macie
Macie is a fully managed service that continuously monitors S3 data access activity
for anomalies and generates detailed alerts when it detects a risk of unauthorized
access or inadvertent data leaks.
It uses machine learning to analyze CloudTrail logs.
It provides you with the following alerts:
Anonymized Access
Config Compliance
Credential Loss
Data Compliance
File Hosting
Identity Enumeration
Information Loss
Location Anomaly
Open Permission
Privilege Escalation
Ransomware
Service Disruption
Suspicious Activity
Security Groups VS NACLs (Network Access Control Lists)

| Security Groups | Network Access Control Lists (NACLs) |
| --- | --- |
| Acts as a firewall at the instance level | Acts as a firewall at the subnet level |
| Implicitly denies all traffic. You create Allow rules (for example, allow an `EC2` instance to be accessed on `port 22`) | You create `allow` and `deny` rules |
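To make the two rows above concrete, here is an added example (not from the original notes, not AWS code) that models both evaluators in plain Python and pushes one SSH connection through them. It goes one step beyond the table: besides allow-only versus allow/deny, it shows that a security group is stateful (the reply to an allowed request passes automatically) while a NACL is stateless (the reply must be allowed by its own outbound rule, and rules are tried in number order with first match winning). The rule sets and addresses are constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    action: str       # "allow" or "deny"; security groups only ever hold "allow"
    protocol: str     # "tcp", "udp", or "-1" for all protocols
    port_lo: int
    port_hi: int
    cidr: str
    number: int = 0   # NACL rule number; NACLs are evaluated in ascending order

    def matches(self, protocol: str, port: int, ip: str) -> bool:
        return (self.protocol in ("-1", protocol)
                and self.port_lo <= port <= self.port_hi
                and ipaddress.ip_address(ip) in ipaddress.ip_network(self.cidr))


def security_group_allows(rules: List[Rule], protocol: str, port: int, peer_ip: str) -> bool:
    """Security group semantics: allow rules only, so anything unmatched is implicitly denied."""
    if any(r.action != "allow" for r in rules):
        raise ValueError("security groups cannot express deny rules")
    return any(r.matches(protocol, port, peer_ip) for r in rules)


def nacl_allows(rules: List[Rule], protocol: str, port: int, peer_ip: str) -> bool:
    """NACL semantics: ascending rule number, first match wins, the final '*' rule denies."""
    for r in sorted(rules, key=lambda x: x.number):
        if r.matches(protocol, port, peer_ip):
            return r.action == "allow"
    return False


def ssh_session_succeeds(sg_inbound, nacl_inbound, nacl_outbound, client_ip, client_port=50000) -> bool:
    """Client -> instance on TCP/22, then the reply back to the client's ephemeral port.
    The subnet NACL is crossed first, then the instance's security group. The security
    group is stateful: once the request is allowed, the reply needs no outbound rule.
    The NACL is stateless: the reply is checked against the outbound rules as well."""
    request_allowed = (nacl_allows(nacl_inbound, "tcp", 22, client_ip)
                       and security_group_allows(sg_inbound, "tcp", 22, client_ip))
    if not request_allowed:
        return False
    return nacl_allows(nacl_outbound, "tcp", client_port, client_ip)


# Constructed scenario: admins in 203.0.113.0/24 may SSH in, except one blocked host.
SG_INBOUND = [Rule("allow", "tcp", 22, 22, "203.0.113.0/24")]
NACL_INBOUND = [
    Rule("deny", "tcp", 22, 22, "203.0.113.7/32", number=90),   # blocked host; 90 is tried before 100
    Rule("allow", "tcp", 22, 22, "0.0.0.0/0", number=100),
]
NACL_OUTBOUND = [Rule("allow", "tcp", 1024, 65535, "0.0.0.0/0", number=100)]  # ephemeral ports for replies


def demo() -> dict:
    """Four cases a practitioner should recognise when debugging 'the port is open but nothing connects'."""
    return {
        "admin_ok": ssh_session_succeeds(SG_INBOUND, NACL_INBOUND, NACL_OUTBOUND, "203.0.113.5"),
        "no_ephemeral_rule": ssh_session_succeeds(SG_INBOUND, NACL_INBOUND, [], "203.0.113.5"),
        "nacl_denied_host": ssh_session_succeeds(SG_INBOUND, NACL_INBOUND, NACL_OUTBOUND, "203.0.113.7"),
        "sg_implicit_deny": ssh_session_succeeds(SG_INBOUND, NACL_INBOUND, NACL_OUTBOUND, "198.51.100.9"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'connected' if ok else 'blocked'}")
```

The `no_ephemeral_rule` case is the classic NACL mistake: the inbound rule for port 22 is present, the security group allows the client, and the connection still hangs because the reply to the client's ephemeral port has no outbound NACL rule. The `nacl_denied_host` case shows what only a NACL can do: block a single address with an explicit deny while a broader allow follows it.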
AWS VPN (Virtual Private Network)
It allows you to create a secure and private tunnel from your network or device to the
AWS global network.
AWS Site-to-Site VPN: Securely connect an on-premises network or branch office
site to a VPC.
AWS Client VPN: Securely connect users to AWS or on-premises networks.

Same Name But Different Services (Don't Get Confused)
CloudFormation: IaC (Infrastructure as Code), used to set up templates
(YAML, JSON).
CloudTrail: logs all the API calls between AWS services (who to blame).
CloudFront: CDN (Content Delivery Network), used to distribute content
(such as videos, static assets, etc.).
CloudWatch: a collection of multiple services.
CloudSearch: search engine for your site (e-commerce).
AWS Connect Services
Direct Connect: A dedicated fiber-optic connection from your data center to AWS. Let's
say an enterprise wants a direct connection from their on-premises data center to AWS;
they might use this service. If you want to add an extra layer of
security you might need a VPN connection over it.
Amazon Connect: Call center service.
MediaConvert: A new version of Elastic Transcoder; converts videos to different
formats.
Let's say you have 1000 videos and you need to transcode them into different formats;
then this might be a useful service. You can even add watermarks and insert an intro
in front of every video.

Elastic Transcoder VS AWS Elemental MediaConvert

| Elastic Transcoder (`OldWay`) | AWS Elemental MediaConvert (`NewWay`) |
| --- | --- |
| Transcodes videos to streaming formats | Transcodes videos to streaming formats |
| | Overlay images |
| | Insert video clips |
| | Extract captions data |
| | Better and more robust UI |
SNS vs SQS
They both connect apps via messages.
SNS
It uses the Pub/Sub model, also known as the publisher/subscriber model.
It sends notifications to subscribers via protocols such as HTTP, email, SQS and SMS.
It is generally used for sending plaintext emails triggered by other AWS
services. The best example is billing alerts.
Can retry sending in case of failure for HTTPS.
It's good for webhooks, internal emails and triggering Lambda functions.
SQS (Example: RabbitMQ) - (think of it as a message broker service)
Queues up messages, guaranteed delivery.
It places messages into a queue and applications pull from the queue using the AWS SDK.
It can retain a message for up to 14 days.
Can send them in sequential order or in parallel.
Can ensure only one message is sent.
Can ensure messages are delivered at least once.
Really good for delayed tasks and queueing up emails.

NLB vs ALB vs CLB

| Application | Network | Classic |
| --- | --- | --- |
| Layer 7 Requests | Layer 4 IP protocol data | Layer 4 and Layer 7 |
| HTTPS and HTTP traffic | TCP and TLS traffic where extreme performance is required (Example: Netflix) | Intended for applications that were built within the EC2 Classic network |
| **Routing Rules**, more usability from one load balancer | Capable of handling millions of requests per second while maintaining `ultra-low-latencies` | Doesn't use Target Groups |
| Can attach WAF (Web App Firewall) | Optimized for `sudden and volatile` traffic patterns while using a single static IP address per AZ | |
| Can attach ACM (Amazon Certificate Manager) SSL Manager | | |
