AWS Cloud Essentials — Study Notes
[NEW] Ultimate AWS Certified Cloud Practitioner — 2022
https://www.udemy.com/course/aws-certified-cloud-practitioner-new/learn/lecture/20054646#notes
Date: 7/6/2022
Section 3:
What is Cloud Computing?
What is a server composed of?
- Compute: CPU
- Memory: RAM
- Storage: Data
- Database: store data in a structured way
- Network: Router, switch, DNS Server
IT Terminology
• Network: cables, routers and servers connected with each other
• Router: A networking device that forwards data packets between computer networks. They know where to send your packets on the internet!
• Switch: Takes a packet and sends it to the correct server / client on your network
Traditionally, how to build infrastructure
Home → Office → Data Center (more and more servers)
What is cloud computing?
- Cloud computing is the on-demand delivery of compute power, database storage, applications, and other IT resources
- Through a cloud services platform with pay-as-you-go pricing
- You can provision exactly the right type and size of computing resources you need
- You can access as many resources as you need, almost instantly
- Simple way to access servers, storage, databases and a set of application services
- Amazon Web Services owns and maintains the network-connected hardware required for these application services, while you provision and use what you need via a web application.
The Deployment Models of the Cloud
Private Cloud
Public Cloud: Microsoft Azure, Google cloud, AWS
Hybrid: on-premises AND Cloud
The Five Characteristics of Cloud Computing
• On-demand self-service:
Users can provision resources and use them without human interaction from the service provider
• Broad network access:
Resources available over the network, and can be accessed by diverse client platforms
• Multi-tenancy and resource pooling:
Multiple customers can share the same infrastructure and applications with security and privacy
Multiple customers are serviced from the same physical resources
• Rapid elasticity and scalability:
Automatically and quickly acquire and dispose of resources when needed
Quickly and easily scale based on demand
• Measured service:
Usage is measured; users pay exactly for what they have used
Six Advantages of Cloud Computing
• Trade capital expense (CAPEX) for operational expense (OPEX)
- Pay On-Demand: don’t own hardware
- Reduced Total Cost of Ownership (TCO) & Operational Expense (OPEX)
• Benefit from massive economies of scale
- Prices are reduced as AWS is more efficient due to large scale
• Stop guessing capacity
- Scale based on actual measured usage
• Increase speed and agility
- Stop spending money running and maintaining data centers
• Go global in minutes: leverage the AWS global infrastructure
Problems solved by the Cloud
• Flexibility: change resource types when needed
• Cost-Effectiveness: pay as you go, for what you use
• Scalability: accommodate larger loads by making hardware stronger or adding additional nodes
• Elasticity: ability to scale out and scale in when needed
• High-availability and fault-tolerance: build across data centers
• Agility: rapidly develop, test and launch software applications
Types of Cloud Computing
[Diagram of the cloud computing types: orange = managed by AWS, blue = managed by us]
Example of Cloud Computing Types
• Infrastructure as a Service:
- Amazon EC2 (on AWS)
- GCP, Azure, Rackspace, Digital Ocean, Linode
• Platform as a Service:
- Elastic Beanstalk (on AWS)
- Heroku, Google App Engine (GCP), Windows Azure (Microsoft)
• Software as a Service:
- AWS services (ex: Rekognition for Machine Learning)
- Google Apps (Gmail), Dropbox, Zoom
Pricing of the Cloud — Quick Overview
AWS has 3 pricing fundamentals, following the pay-as-you-go pricing model
• Compute:
- Pay for compute time
• Storage:
- Pay for data stored in the Cloud
• Data transfer OUT of the Cloud:
- Data transfer IN is free
- Solves the expensive issue of traditional IT
AWS Global Infrastructure
- AWS Regions
- AWS Availability Zones
- AWS Data Centers
- AWS Edge Locations / Points of Presence
AWS Regions
- AWS has Regions all around the world
- Names can be us-east-1, eu-west-3…
- A region is a cluster of data centers
- Most AWS services are region-scoped
How to choose an AWS Region?
• Compliance with data governance and legal requirements: data never leaves a region without your explicit permission
• Proximity to customers: reduced latency
• Available services within a Region: new services and new features aren’t available in every Region
• Pricing: pricing varies region to region and is transparent in the service pricing page
AWS Availability Zones
- Each region has many availability zones (usually 3, min is 2, max is 6).
- Each availability zone (AZ) is one or more discrete data centers with redundant power, networking, and connectivity
- They’re separate from each other, so that they’re isolated from disasters
- They’re connected with high bandwidth, ultra-low latency networking
AWS Points of Presence (Edge Locations)
Tour of the AWS Console
• AWS has Global Services:
- Identity and Access Management (IAM)
- Route 53 (DNS service)
- CloudFront (Content Delivery Network)
- WAF (Web Application Firewall)
• Most AWS services are Region-scoped:
- Amazon EC2 (Infrastructure as a Service)
- Elastic Beanstalk (Platform as a Service)
- Lambda (Function as a Service)
- Rekognition (Software as a Service)
Shared Responsibility Model Diagram
[Diagram not reproduced in these notes]
IAM Section
• IAM = Identity and Access Management, Global service
• Root account created by default, shouldn’t be used or shared
• Users are people within your organization, and can be grouped
• Groups only contain users, not other groups
• Users don’t have to belong to a group, and a user can belong to multiple groups
IAM: Permissions
• Users or Groups can be assigned JSON documents called policies
• These policies define the permissions of the users
• In AWS you apply the least privilege principle: don’t give more permissions than a user needs
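As an added illustration (not from the course), a small Python model of how an IAM policy document is evaluated: everything is denied by default, an Allow must match both the action and the resource, and an explicit Deny always wins. The two policies, the bucket name and the account id are constructed placeholders.

```python
import fnmatch
import json

# Constructed example: the kind of policy that violates least privilege.
ADMIN_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
""")

# Constructed example: read-only access to one bucket, with a carve-out Deny.
REPORTS_READER_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
   {"Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]},
   {"Effect": "Deny",
    "Action": "s3:*",
    "Resource": "arn:aws:s3:::example-reports/secret/*"}]}
""")


def _as_list(value):
    # IAM accepts either a single string or a list for Action / Resource.
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: default deny; a matching Deny overrides any Allow.
    '*' wildcards are matched with fnmatch (real IAM action matching is case-insensitive,
    this toy model is case-sensitive)."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def count_wildcard_grants(policy):
    """Least-privilege smell test: Allow statements granting every action on every resource."""
    return sum(1 for s in policy["Statement"]
               if s["Effect"] == "Allow"
               and "*" in _as_list(s["Action"]) and "*" in _as_list(s["Resource"]))
```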
Multi Factor Authentication — MFA
- You want to protect your Root Account and IAM users
- MFA = Password (something you know) + Security Device (something you own)
- Secure: a stolen password alone is not enough to log in
MFA device options in AWS
Virtual MFA device
How can users access AWS?
• To access AWS, you have three options:
- AWS Management Console: protected by password + MFA
- AWS Command Line Interface (CLI): protected by access keys
- AWS Software Developer Kit (SDK) — for code: protected by access keys
• Access Keys are generated through the AWS Console
• Users manage their own access keys
• Access Keys are secret, just like a password. Don’t share them
• Access Key ID ~= username
• Secret Access Key ~= password
IAM Roles for Services
• Some AWS services will need to perform actions on your behalf
• To do so, we will assign permissions to AWS services with IAM Roles
• Common roles:
- EC2 Instance Roles
- Lambda Function Roles
- Roles for CloudFormation
IAM Security Tools
• IAM Credentials Report (account-level)
- a report that lists all your account’s users and the status of their various credentials
• IAM Access Advisor (user-level)
- Access advisor shows the service permissions granted to a user and when those services were last accessed.
- You can use this information to revise your policies.
IAM Guidelines & Best Practices
Shared Responsibility Model for IAM
AWS
• Infrastructure (global network security)
• Configuration and vulnerability analysis
• Compliance validation
YOU
- Create and manage users, groups, roles and policies, and monitor their use
- Enable MFA on all accounts
- Rotate all your keys often
- Use IAM tools to apply appropriate permissions
- Analyze access patterns and review permissions
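Added example (not course material) that serves both the IAM Credentials Report described above and the MFA / key-rotation guidelines: it parses a constructed report in the CSV column layout that IAM returns and flags accounts without MFA, root access keys, and keys older than a threshold. The sample rows, the account id and the 90-day threshold are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample rows in the credential-report column layout (not a real account).
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2021-01-05T10:00:00+00:00,not_supported,2022-06-30T08:12:00+00:00,not_supported,not_supported,false,true,2021-01-05T10:01:00+00:00,2022-06-01T09:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2022-02-01T09:00:00+00:00,true,2022-07-05T14:20:00+00:00,2022-02-01T09:00:00+00:00,2022-05-02T09:00:00+00:00,true,true,2022-06-20T11:00:00+00:00,2022-07-05T14:25:00+00:00,eu-west-3,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2021-03-15T09:00:00+00:00,true,2022-07-01T10:00:00+00:00,2021-03-15T09:00:00+00:00,2021-06-13T09:00:00+00:00,false,true,2021-03-15T09:05:00+00:00,2022-07-01T10:05:00+00:00,us-east-1,iam,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Date of these notes, used as "now" so the sample audit is reproducible.
AS_OF = datetime(2022, 7, 6, tzinfo=timezone.utc)


def _parse_ts(value):
    # Timestamps are ISO-8601; 'N/A', 'not_supported', 'no_information' become None.
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(report_csv, now, max_key_age_days=90):
    """Return {user: [findings]} for rows that break the guidelines:
    MFA on every account (root included), no root access keys, keys rotated often."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        issues = []
        user = row["user"]
        is_root = user == "<root_account>"
        if row["mfa_active"] != "true":
            issues.append("mfa_disabled")
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                issues.append(f"root_access_key_{n}_active")
            rotated = _parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated and now - rotated > timedelta(days=max_key_age_days):
                issues.append(f"access_key_{n}_older_than_{max_key_age_days}d")
        if issues:
            findings[user] = issues
    return findings


def run_sample_audit():
    return audit_credential_report(SAMPLE_REPORT, AS_OF)
```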
IAM Section — Summary
• Users: mapped to a physical user; has a password for the AWS Console
• Groups: contains users only
• Policies: JSON document that outlines permissions for users or groups
• Roles: for EC2 instances or AWS services
• Security: MFA + Password Policy
• AWS CLI: manage your AWS services using the command-line
• AWS SDK: manage your AWS services using a programming language
• Access Keys: access AWS using the CLI or SDK
• Audit: IAM Credential Reports & IAM Access Advisor