Everything you need to know about AWS

 

Everything you need to know about AWS to get started today.

 

Cloud Computing: It is the use of remote servers on the internet to store, manage and process data rather than a local server or your personal computer. 

Service Modules of Cloud: It delivers computer infrastructure (Servers, Storage, Processor, RAM ) on an outsourced basis to support enterprise operations.

 

PAAS (Platform): It provides a platform that allows the development, running, and manage applications without the complexity of building and maintaining the infrastructure.

SAAS (Software): It allows users to connect and use cloud-based apps over the Internet.

CAAS (Communication): It is a service module used to communicate.

NAAS (Network): It is a service module in the cloud to provide Network or Transport Connecting Services.

Types of Cloud: 

Private:

The private cloud is defined as computing services offered either over the Internet or a private internal network and only to select users instead of the general public. 

Public:

The public cloud is defined as computing services offered by third-party providers over the public Internet, making them available to anyone who wants to use or purchase them.

Hybrid:

A hybrid cloud is a computing environment that combines a public cloud and a private cloud by allowing data and applications to be shared between them.

Advantages of Cloud Computing

Variable vs Capital Expense: 

Instead of having to invest heavily in data centers and servers before knowing how you are going to use them, you can pay only when you consume computing resources and pay only for how much you consume.

Economies of Scale:

Organizations benefit from massive economies of scale by using cloud computing we can achieve a lower variable cost than you would get on your own.

Stop Guessing Capacity:

Organizations can access as much or as little as they need and scale up or down as required with only a few minutes' notice.

Increase Speed and Agility:

It allows organizations to reduce the time it takes to make those resources available to developers from weeks to just minutes. The cost and time it takes to experiment and develop are significantly lower.

Focus on Business Differentiators:

It allows organizations to focus on their business priorities, instead of on the heavy lifting of racking, stacking, and powering servers.

Go Global in Minutes:

Organization can easily deploy their applications to multiple locations around the world with just a few clicks. Going global used to be something only the largest enterprises could afford to do, but cloud computing democratizes this ability making it possible for any organization.

 Deployment Module

○ Cloud-Based Deployment
○ Hybrid Deployment

What is AWS?

Amazon Web Services (AWS) is a secure cloud services platform, offering computing power, database storage, content delivery, and other functionality to help businesses scale and grow.

AWS Domains

○ Compute

○ Storage

○ Database

○ Networking & Content Delivery

○ Migration

○ Developer Tools

○ Management Tools

○ Security, Identity & Compliance

○ Analytics

○ Artificial Intelligence

○ Internet Of Things

○ Contact Center

○ Game Development

○ Mobile Services

○ Application Services

○ Messaging

○ Business Productivity

○ Desktop & App Streaming

Accessing the Platform:

AWS Management Console:

AWS management console is a web application for managing AWS Cloud Services. Each service has its own console, which can be accessed from the AWS management console. This console also provides information about the account and billing

AWS Command Line Interface:

It is a unified tool used to manage AWS Cloud Services. With just one tool to download and configure, you can control multiple services from the command line and automate them through scripts.

AWS  Software Development Kits:

It provides an Application Programming Interface (API) that interacts with the web services that fundamentally make up the AWS Platform It supports many different programming languages and platforms to allow you to work with your preferred language.

Compute:

  EC2:

EC2 is a web service that provides resizable computing capacity-literally servers in AWS data centers. It is used to build and host your software systems.

AMI (Amazon Machine Image):

An Amazon Machine Image (AMI) is a special type of virtual appliance that is used to create a virtual machine within the Amazon Elastic Compute Cloud ("EC2"). It serves as the basic unit of deployment for services delivered using EC2.

Four Types of AMIs:

• Published by AWS
• The AWS Marketplace
• Generated from Existing Instances
• Uploaded Virtual Servers

Published by AWS:

AWS publishes AMIs with versions of many different OSs, both Linux, and Windows. Launching an instance based on one of these AIMs will result in the default OS settings, similar to installing an OS from the standard OS ISO image.

The AWS Marketplace:

It is an online store that helps customers find, buy, and immediately start using the software and services that run on Amazon EC2. Many partners have made their software available in the AWS Marketplace.

Generated from Existing Instances:

An AMI can be created from an existing EC2 instance. This is a very common source of AMIs. 

Uploaded Virtual Servers:

Using AWS VM Import/Export service, customers can create images from various virtualization formats, including raw, VHD, VHDx, VMDK, and OVA.

Instance Types:

■ General Purpose

■ Compute Optimized

■ Memory Optimized

■ Accelerated Computing (GPU)

■ Storage Optimized

General Purpose:

■ T2: (Features and Purpose) 

● High-Frequency Intel Xeon processors.

● Lowest-cost general purpose instance type and free Tier eligible. (t2.micro only)

Use Cases: 

Websites and web applications, development environments, build servers, code repositories, microservices, test and staging environments, and line of business applications

M4: (Features and Purpose)

● Support for Enhanced Networking

● 2.4 GHz Intel Xeon

● EBS-optimized by default at no additional cost

Use Cases: 

Small and mid-size databases, data processing tasks that require additional memory, and running backend servers for SAP, Microsoft SharePoint, cluster computing, and other enterprise applications.

■ M3: (Features and Purpose)

● balance of computing, memory, and network resources.

● SSD-based instance storage for fast I/O performance

Compute Optimized: 

The latest generation of Compute-optimized instances, featuring the highest performing processors and the lowest price/compute performance in EC2

C4: (Features and Purpose)

● Support for Enhanced Networking and Clustering

● High-frequency Intel Xeon processors optimized specifically for EC2

Use Case: 

High-performance front-end fleets, web servers, batch processing, distributed analytics, high-performance science and engineering applications, gaming, and video encoding.

C3: (Features and Purpose)

● Support for clustering

● SSD-backed instance storage

○ Memory Optimized

■ A type of instance for large-scale, enterprise-class, in-memory applications and have the lowest price per GiB of RAM.

■ X1

■ R4

■ R3

○ Accelerated Computing: GPU

■ Type of instance used for graphics-intensive applications.

■ P2

■ G3

■ F1

○ Storage Optimized:

■ This family includes the High Storage Instances that provide Non-Volatile Memory Express (NVMe) SSD-backed instance storage optimized for low latency, very high random I/O performance, high sequential read throughput, and provide high IOPS at a low cost.

■ I3

■ D2

Amazon EC2 Pricing

On-demand pricing:

● No commitments

● pay by the hour

● Any partial hour converted to full.

● A new billing cycle starts whenever an instance changes to running state

● The billing cycle End when the instance changes to a stopping state

Scheduled Reservation:

■ Available for 3 frequencies 

■ Daily, weekly, or Monthly

■ Saving when compared to On-Demand

Spot Instances:

■ Look at pricing history and decide on the bid price

■ Instances are terminated with 2 minutes' notice when the market price goes the ove bid price.

■ If terminated by AWS last partial hour is free.

Reserved:

■ Two terms are available

● 1 year or 3 years

■ 3 payment options

● Full Upfront

● Partial Upfront

● No Upfront (not for 3 Years)

■ Lot of saving when compared to On-Demand

○ Shared Host

○ Dedicated Instances

■ Comparatively, higher rates than On-Demand instances.

○ Dedicated Host

■ Pay for the full physical host, irrespective of the number of instances running

Suitable when you want to use hardware-bound licenses.

Elastic Beanstalk:

■ Elastic Beanstalk, allows for deployment and management of applications in the AWS Cloud without worrying about the infrastructure that runs those applications. 

■ AWS Elastic Beanstalk reduces management complexity without restricting choice or control.

■ Elastic Beanstalk supports applications developed in Java, PHP, .NET, Node.js, Python, and Ruby, as well as different container types for each language.

AWS Lambda:

■ AWS Lambda is a compute service that al ws you to run code without provisioning or managing servers. 

■ You can use AWS Lambda to run code in response to events, such as changes to data in an Amazon S3 bucket or an Amazon DynamoDB table. 

What is Cloud Storage

Cloud storage is a service model in which data is maintained, managed, backed up remotely, and made available to users over a network.

Disadvantages of Traditional Storage:

○ Storage is sitting idle in the datacenter

■ On average nearly 40% of storage purchased is not used.

■ Pay for infrastructure as you need it and no upfront payment.

Inactive data is sitting on costly storage:

■ Up to 95% of data is cold.

■ Data reduction technique and archiving to store inactive cold data.

Backup processes slow storage during the day.:

■ Nearly 50% of organizations need to reduce backup times.

■ Fast service with low cost and low risk.

Migrations are frequent, co, style, and lengthy.:

■ Plan for storage migration every 3 years.

■ Easy migration of Data.

Common terms for Storage

○ SSD (Solid State Drive/Disk) 

■ A disk that uses non-volatile memory as a means of storing and accessing data like computer RAM.

○ Performance

■ IOPS: (Input Output Operations Per Second): Unit of measure representing input/output operations per second

■ Used to characterize computer storage devices like HDD, SSD, etc

○ Disk I/O

■ It displays what percentage of time a disk is in use by a read or write command.

○ Memory

■ TiB (Tebibyte) = 1.10 TB = 1024 Gigabytes

■ GiB (Gibibyte) = 1.07 GB = 1024 Megabytes

■ MiB (Mebibyte) = 1.05  MB = 1024 Kilobytes

○ Volume:

It is a storage device that is formatted to store directories and files for frequent use.

○ Vault:

■ A storage box or a container that stores the archive data for a longer period.

Storage Domains in AWS

• Elastic Block Store
• Simple Storage Service
• Elastic File System
• Glacier
• Storage Gateway

• Elastic Block Storage
• Provides block-level storage volumes for EC2 instances. (Hdd for EC2 Instance)

When to use it?

• Data changes frequently
• Require long-term persistence
• Database-style applications that frequently encounter many random reads and writes across the data set.

EBS Volume 

Primary storage for data that requires frequent updates or storage for a database application.

EBS Snapshot

• It can backup the data on the EBS volumes.
• Snapshots are incremental backups
• Snapshots of encrypted volumes are automatically encrypted.
• Volumes that are created from an encrypted snapshot are also automatically encrypted.

 Encrypting EBS Volumes

• All the instances support EBS encryption
• For simplified data encryption, EBS volumes can be launched as encrypted volumes.
• All data stored on the volume disk I/O and snapshots created from the volume are all encrypted.
• Both encrypted and unencrypted volumes can be attached to a supported instance type.

Types of Storage

○ Block Storage
■ Block storage operates at a lower level
■ iSCSI, Fiber Channel
■ SAN (Storage Area Network)

○ File Storage
■ File storage operates at a higher level
■ CIFS, NFS, SMB
■ NAS (Network Attached Storage)

○ Object Storage
■ Objects are files used to store in a computer.

Simple Storage Service

                                  S3 (Simple Storage Services)

■ Amazon S3 is object storage built to store and retrieve any amount of data from anywhere.

 Benefits of S3

○ Durable (99.99999999999)

○ Integrated

○ Low-Cost

○ Available

○ Secure

○ High Performance

○ Scalable

○ Easy to Use

Terminologies of S3

○ Buckets

■ A bucket is a container for storing objects.

■ The bucket can be configured and created in any specific region.

○ Objects

■ Objects are files stored in S3 buckets.

■ An object can store virtually any kind of data in any format.

■ Object range in size: 0 Bytes up to 5TB.

○ Keys

■ A key is the unique identifier for an object within a bucket. Every object in a bucket has exactly one key.

S3 Bucket Features

○ Permissions

■ It allows other users to access the S3 bucket based on permission settings.

○ Bucket Policy

■ It allows users to access buckets with policy-based.

■ We use a policy generator to create a bucket policy

■ AWS ARN: (Amazon Resource Names)

■ arn:aws:s3:::bucketname/objectname.txt                                        /* (for everything)

■ This policy allows accessing other AWS user accounts also

○ Static Website Hosting

■ This feature allows you to run a static website on S3 buckets.

○ Logging

■ Logs are records to monitor access requests

● Request time

● Action (GET, PUT, LIST, and so forth)

● Response status or error code.

Object Storage Classes

○ Standard 

■ It offers high durability, high availability, low latency, and high-performance object storage for general purpose use.

○ Standard Infrequent Access

■ It offers the same durability, low latency, and high throughput as Standard, but it is designed for long-lived, less frequently accessed data.

■ Min Object 128 KB minimum duration 30 Days.

■ It is best suited for infrequently accessed data that is stored for longer than 30 days.

○ Reduced Redundancy Storage (RRS)

■ It offers slightly lower durability than standard and standard IA at a reduced cost.

Elastic File System

Storage Gateway:

○ Overview

■ It is a service connecting on-premises software appliances with cloud-based storage to provide seamless and secure integration between on-premises and AWS storage infrastructure.

■ It supports industry-standard storage protocols that work with your existing applications.

■ AWS Storage Gateway software appliance is available for download as a virtual machine[VM] image that you install on a host in your data center and register with your AWS  account.

○ There are five types of storage gateways.

1. ■ File Gateway
2. ■ Volume Gateway
3. ● Cached Volumes
4. ● Stored Volumes
5. ■ Tape Gateway

○ File Gateway

■ A file gateway supports a file interface into  S3 and combines service and a virtual software appliance.

■ The gateway provides access to objects in S3 as files on the NFS  mount point.

■ Store and retrieve files directly using the NFS version 3 or 4.1 protocol.

■ Access your data directly in Amazon S3 from any AWS cloud application or service. 

■ Manage your S3 data using life cycle policies cross-region replication, and versioning.

Networking & Content Delivery

• VPC

• CloudFront

• Direct Connect

• Route-53

• Networking & Content Delivery

VPC

■    Amazon VPC enables you to launch AWS services resources into a virtual network that you have defined.

■    This virtual network closely resembles a traditional network that you'd operate in your own data center.

VPC

 

Components of VPC

○  Addressing an Instance

■    There are several ways that an instance may be addressed over the web upon creation.

○  Public Domain Name System (DNS) Name

■    AWS creates a DNS name that can be used to access the instance. This DNS name is generated automatically and cannot be specified by the customer.

○  Public IP

■    A launched instance may also have a public IP address assigned. This IP address is assigned from the addresses reserved by AWS and cannot be specified.

○  Elastic IP (Static Public IP Address)

■    An elastic IP address is an address unique on the internet that you reserve independently and associate with an Amazon EC2 instance.

○  Subnet

■    A range of IP addresses in your VPC you can launch AWS resources into a subnet that you select.

■    Use Public Subnet for resources that must be connected to the internet

■    Use a Private subnet for resources that won’t be connected to the internet

○  Internet Gateway

■    An Internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the internet.

 

Requirements for Internet Gateway

○  Route Tables

■    A routing table is a logical construct within a VPC that contains a set of rules (routes) that are applied to the subnet and used to determine where the network traffic is directed.

○  DHCP Options Set

■    It provides a standard for passing configuration information to hosts on a subnet.

●    Domain-name: sandbox and. lan

●    Domain-server: 10.0.2.10

●    NTP-servers: 10.0.2.10

●    Netbios-name-servers: ----

●    NetBIOS-node-type: ------

○  Elastic Network Interfaces (ENIs)

■    An Elastic Network Interface (ENI) is a virtual network interface that you can attach to an instance in an Amazon VPC.

○  NAT Instance:

■    A network address translation (NAT) instance in an Amazon Linux AMI that is designed to accept traffic from instances within a private subnet, translate the source IP address to the public IP address of the NAT instance and forward the traffic to the IGW.

○  NAT Gateway

■    A NAT gateway is an Amazon-managed resource that is designed to operate just like a NAT instance, but it is simpler to manage and highly available within an Availability Zone.

Comparison of NAT IGW and NAT Instance

○  EndPoints

■    An Amazon VPC endpoint enables you to create a private connection between your Amazon VPC and other AWS services without requiring access over the internet or through a NAT instance, VPN Connection, or AWS Direct Connect.

• Virtual Firewall protection

○  AWS allows you to control traffic in and out of your instance through a virtual firewall called security groups. security groups allow you to control traffic based on port protocol and source/destination.

○  Security Groups

■    A security group is a virtual stateful firewall that controls inbound and outbound network traffic to AWS resources and Amazon EC2 Instances.

■    Important points to understand about the security group for the exam.

●     You can create up to 500 security groups for each Amazon VPC.

●    You can add up to 50inboundsd and 50 outbound rules to each security group.

●    You can specify allow rules, but not deny rules.

●    You can specify separate rules for inbound and outbound traffic.

●    By default no inbound traffic is allowed until you add inbound rules to the security group.

●    You can change the security group with which an instance is associated after launch, and the change will take effect immediately.

○  Network Access Control List

■    A Network Access Control List (ACL) is another layer of security that acts as a stateless firewall on a subnet level.

 

Security Groups	ACL
Operates at the instance level	Operates at the subnet level the the
The first layer of defense	The second layer of defense supports supports
Supports allow rules only	Support allow rules and deny rules
Return rule is to allow regarding any rules	Return traffic must be explicitly all rules applied
Applied selectively to individual automatically	Automatically applied to all instances in the associated subnets.

 

○  Virtual Private Network

■    A secure connection between two private networks over the internet.

○  Virtual Private Gateway

■    A virtual Private Gateway is the virtual private network concentrator on the AWS side of the VPN connection between the two networks.

○  Customer Gateway

■    A customer gateway represents a physical device or a software application on the customer's side of the VPN Connection.

○  VPC Peering

■    An Amazon VPC peering connection is a networking connection between two Amazon VPCs that enables instances in either Amazon VPC to communicate with each other as if they are within the same network.

■    You can create an Amazon VPC peering connection between your own Amazon VPCs or with an Amazon within another AWS within a Region

■    Peering connections are created through a Request/Accept Protocol.

CDN (Content Delivery Network)

○  A content delivery network is a system of distributed servers (network) that deliver webpages and other web content to a user based on the geographic locations of the user, the origin of, the web page, and a content delivery server.

○  Key Terminologies

■    Edge Location: This is the location where content will be cached.

●    (Edge location is not an AWS Region)

■    Origin: Origin files file CDN will distribute, this includes S3 bucket, etc.

■    Distribution: CDN which consists of a collection of edge locations.

 

○  CloudFront

■    CloudFront is a global content delivery network (CDN) service that accelerates the delivery of your website, APIs, video content, or other web assets through CDN caching.

■    It integrates with other Amazon Web Services products to give developers, and businesses a very easy way to accelerate content to end-users with no minimum usage commitment.

 

Amazon Route53

DNS

■    DNS is a service that resolves Domain and addressees.

○  Domain Name

■    A domain name is the human-friendly name that we are used to associating with an Internet resource.

○  IP address

■    IPv4

■    IPv6

○  Hosts

■    Hosts refer to separate computers or services accessible through a domain.

●    http.aws.sansbound.com.

○  Top-Level Domains (TLDs)

■    A Top-Level Domain (TLD) is the most general part of the domain. The TLD is the farthest portion to the right. (.)

●    .com, .net, .org, .gov, .edu

■    ICANN (Internet Corporation for Assigned Names and Numbers)

■    Domain registrar:

●    A domain name registrar is an organization that manages the reservation of Internet domain names.

■    Network Information Center (NIC)

■    Each domabecomese becomes registered in a central database, known as the WhoIS database.

○  Subdomains

■    DNS hiera ethical m er and allows a large domain to be partitioned or extended into multiple subdomains.

●    http.aws.sansbound.com.

○  Fully Qualified Domain Name (FQDN)

■    A full name of the DNS is known as FQDN.

●    http.aws.sansbound.com.

○  Name Servers:

■    A name server is a computer designated to translate domain names into IP addresses. These servers do most of the work in the DNS.

○  Zone Files:

■    A zone file is a sample text file that contains the mapping between domain names and IP addresses.

○  How DNS Works

      Record Types

■    Start of Authority (SOA)

●    This record is mandatory in all zone files, and it identifies the base DNS information about the domain. Each zone contains a single SOA record.

■    A and AAAA

●    Both types of address records map a host to an IP address.

■    Canonical Name

●    It is a type of record used in DNS that defines an alias for a CNAME for the host record.

■    Mail Exchanger

●    MX records are used to define the mail servers used for a domain and ensure that email messages are routed correctly.

■    Name Server:

●    NS records are used by TLD servers to direct traffic to the DNS server that contains the authoritative DNS records.

■    Pointer

●    A PTR record is essentially the reverse of an A record.

■    Sender Policy Framework

●    SPF records are used by mail servers to combat spam. An SPF record tells a mail server what IP addresses are authorized to send an email from your domain name.

■    Text

●    TXT records are used to hold text information.

■    Service

●    A SRV record is a specification of data in the DNS defining the location of servers for specified services.

○  Amazon Route 53

■    Amazon Route 53 is a highly available and scalable cloud DNS web service that routes end users to Internet applications.

○  Three Functions

■    Domain Registration

■    DNS Service

■    Health Checking

○  Routing Policies

■    Simple

●    Most commonly used when you have a single resource that performs a given function for your domain.

■    Weighted

●    Used when you want to route a percentage of your traffic to one particular resource.

■    Latency-Based

●    Used to route your traffic based on the lowest latency so that your users get the fastest response time.

■    Failover

●    Used to Disaster Recover and to route your traffic from your resources in a primary location to a standby location.

■    Geolocation

●    Used to route your traffic-based ended-user location.

 

Elastic Load Balancing

○  Elastic Load Balancing is a highly available service that distributes traffic across Amazon          EC2     instances and includes options that provide flexibility and control of incoming requests to Amazon EC2 instances.

■    It supports routing and load balancing of HTTP, HHTTP TCP, and secure socket layer (SSL) traffic to Amazon EC2 instances.

■    It provides a stable single Canonical Name record (CNAME) entry point for DNS configuration and supports internet-facing and internal application-facing road balancers

■    ELB seamlessly integrates with the Auto Scaling service to automatically scale the Amazon EC2 instances behind the load balancer.

■    ELB supports health checks for Amazon EC2 instances to ensure traffic is not routed to unhealthy or failing instances using Cloud Watch.

Auto Scaling

○  It is a service that allows you to maintain the availability of your applications by scaling Amazon EC2 capacity up or down.

■    Manual Scaling

■    Scheduled Scaling

■    Dynamic Scaling (AutoScaling)

 

 

 

○  Auto Scaling Components

■    Auto scaling has several components that need to be configured to work properly

●    Launch Configuration

●    Auto Scaling Group

 

Types of Load Balancers

○  Internet-Facing Load Balancers

■    An internet-facing load balancer that takes requests from clients over the internet and distributes them to Amazon EC2 instances that are registered with the load balancer.

○  Internal Load Balancers

■    Use internal load balancers to route traffic to your Amazon EC2 instances in VPCs with private subnets.

 IAM(Identity and Access Management)

○  AWS Identity and Access Management is a web service that helps you securely control access to AWS resources for your users. Use IAM to control who can use your AWS resources (Authentication) and what resources they can use and in what way (Authorization).

 

Use Case	Technology Solutions
OS Access	Active Directory LDAP Machine-specific accounts
Application Access	Active Directory Application User Repositories Amazon Cognito
AWS Resources	IAM

 

 

 

 

Principal	Traits
Root User	Cannot is limited. Permanent.
IAM Users	Access is controlled by policy.   Durable   Can be removed by the IAM administrator. is
Roles	Access controlled by policy.   Temporary.   Expire after a specific time interval.

 

○  Authentication:

• ■    UserName and Password:

• ●     When a principal represents a human interacting with the console, the human will provide a username/password pair to verify their identity.

• ■    Access Key: An access key is a combination of an access key ID (20 characters) and an access secret key (40 Characters). When a program is manipulating the AWS infrastructure via the API.

○  Authorization: The process of specifying exactly what actions a principal can and cannot perform is called Authorization.

■    Policy: A policy is a JSON document that fully defines a set of permissions to access and manipulate AWS resources.

●    Effect: A single word:  Allow or Deny

●    Service: For what service does this permission apply?

●    Resource: The resource value specifies the specific AWS infrastructure for which this permission applies. ARN

●    Action: The action value specifies the subset of actions within a service that the permission allows or denies.

●    Condition: The condition value optionally defines one or more additional restrictions that limit the actions allowed by the permissions.

○  Components of IAM

■    Users:

●    Using IAM we can create and manage AWS users, and use permissions to allow and deny their access to AWS resources

■    Groups:

●    The users created can also be divided among groups and then the rules and policies that apply to the group apply on the user level as well.

■    Roles:

●    An IAM role is an IAM entity that defines a set of permissions for making AWS services requests.

■    Policies:

●    To assign permissions to a user group, role, or resource, you create a policy which is a document that explicitly lists permissions.

■    Multi-Factor Authentication:

●    It is like One Time Password or RSA Tokens.

Cloud Formation

○   AWS Cloud Formation is a service that helps you model and set up your AWS resources so that you can spend less time managing those resources and more time focusing on your application that runs in AWS.

 Cloud Watch

  Amazon CloudWatch is a service that monitors AWS Cloud resources and applications running on AWS. It collects and tracks metrics, collects and monitors log files, and sets Alarms. Amazon CloudWatch has a basic level of monitoring for no cost and a more detailed level of monitoring for an additional cost.

 Cloud Trail

○  AWS CloudTrail to get a history of AWS API calls and related events for your account. This history includes calls made with the AWS management console, AWS CLI, AWS SDK,s and other AWS services. It is a logging service from AWS.

 Database

■    The most common type of database in use today is the Relational Database. Relational databases provide a common interface that lets users read and write from the database using commands or queries written using Structured Query Language (SQL).

■    A relational database consists of one or more tables, and a table consists of columns and rows similar to a spreadsheet. A database column contains a specific attribute of the record, such as a person's name, address, date, and telephone number.

■    Amazon RDS offload common tasks like backups, patching, scaling and replication.

■    Amazon RDS exposes a database endpoint to which client software can connect and execute SQL.

■    A data warehouse is a central repository for data that can come from one or more sources.

○  Database Engines: Amazon RDS supports six database engines.

○  MySQL

■    MySQL is one of the most popular open source databases in the world, and it is used to power a wide range of applications, from small personal blogs to some of the largest websites in the world.

○  PostgreSQL

■    PostgreSQL is a widely used open source database engine with a very rich set of features and advanced functionality.

○  MariaDB

■    Amazon RDS recently added support for DB instances running MariaDB. MariaDB is a popular open-source database engine built by the creators of MySQL and enhanced with enterprise tools and functionality.

○  Oracle

■    Oracle is one of the most popular relational databases used in the enterprise and is fully supported by Amazon RDS.

○  Microsoft SQL Server

■    Microsoft SQL server is another very popular relational database used in the enterprise.

○  Licensing

■    Amazon RDS Oracle and Microsoft SQL server are commercial software products that require appropriate licenses to operate in the cloud.

■    AWS offers two licensing models:

●    License Included

●    Bring Your Own License (BYOL)

○  License Included

■    In the License Included model, the license is held by AWS and is included in the Amazon RDS instance price.

○  Bring Your Own License (BYOL)

■    In the BYOL model you provide your own license.

○  Amazon Aurora

■    Amazon Aurenterpgradegrade risesade commercial database technology while offering the simplicity and cost-effectiveness of an open-source database.

○  Storage Options

■    Magnetic: Magnetic storage, also called standard storage offers cost-effective storage that is ideal for applications with light I/O requirements.

■    General Purpose (SSD): General Purpose backed storage, also called gp2 can provide faster access than magnetic storage.

■    Provisioned IOPS (SSD): Provisioned IOPS storage is designed to meet the needs of I/O intensive workloads, particularly database workloads.

 

	Magnetic	General Purpose	Provisioned IOPS
Size	+++	+++++	+++++
Performance	+	+++	+++++
Cost	++	+++	+++++

 

 

 

 

Cloud Security

Shared Repository Model

                         AWS Reports, Certifications, and Third-Party Attestations

■    AWS engages with external certifying bodies and independent auditors to provide customers with considerable information regarding the policies, processes, and controls established and operated by AWS.

○  Criminal Justice Information Services (CJIS):

AWS complies with the Federal Bureau of Investigation’s (FBI) CJIS standard. AWS signs CJIS security agreements with AWS customers, which include allowing or performing any required employee background checks according to the CJIS security policy.

○  Cloud Security Alliance (CSA): In 2011, the CSA launched the Security, Trust, & Assurance Registry (STAR), an initiative to encourage transparency of security practices within cloud providers.

○  Cyber Essentials Plus: Cyber Essentials Plus is a UK government-backed, industry-supported certification schema introduced in the UK to help organizations demonstrate operational security against common cyber-attacks.

○  Department of Defense (DoD) Cloud Security Model (SRG): The DoD SRG provides a formalized assessment and authorization process for Cloud Service Providers (CSPs) to gain a DoD provisional authorization, which can subsequently be leveraged by DoD customers.

○  Federal Risk and Authorization Management Program (FedRAMP): AWS is a FedRAMP-compliant CSP. AWS has completed the testing performed by a FedRAMP accredited third-party assessment organization (3PAO) and has been granted two Agency Authority to Operate (ATO) by the U.S. Department of Health and Human Services (HHS) after demonstrating compliance with FedRAMP requirements at the moderate impact level.

○  Family Educational Rights and Privacy Act (FERPA): FERPA is a federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. FERPA gives parents certain rights concerning their children’s education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. Students to whom the rights have transferred are “eligible students.” AWS enables covered entities and their business associates subject to FERPA to leverage the secure AWS environment to process, maintain, and store protected education information.

○  ISO 9001: AWS has achieved ISO 9001 certification. AWS ISO 9001 certification directly supports customers who develop, migrate, and operate their quality-controlled IT systems in the AWS Cloud.

○  ISO 27001: AWS has achieved ISO 27001 certification of the Information Security Management System (ISMS) covering AWS infrastructure, data centers, and services that are detailed in the AWS Risk and Compliance whitepaper, available on the AWS website.

AWS communicates with customers regarding its security and control environment through the following mechanisms:

■    Obtaining industry certifications and independent third-party attestations

■    Publishing information about security and AWS control practices via the website, whitepapers, and blogs

■    Directly providing customers with certificates, reports, and other documentation

Global Infrastructure Security

■    The AWS global infrastructure includes the facilities, network, hardware, and operational software (host operating system and virtualization software) that support the provisioning and use of these resources.

Physical and Environmental Security

○  Fire Detection and Suppression

○  Power

○  Climate and Temperature

○  Management

○  Storage Device Decommissioning

○  Business Continuity Management

• Availability
•  Incident Response
• Communication

○  Network Security

■    Secure Network Architecture

■    Secure Access Points

■    Transmission Protection

○  Network Monitoring and Protection

■    Distributed Denial of Service (DDoS) Attacks

■    Man in the Middle Attacks

■    IP Spoofing

■    Port Scanning

■    Packet Sniffing by Other Tenants

○  AWS Account Security Features

■    AWS Credentials

●    Passwords

●    Multi-Factor Authentication

●    Access Keys

●    Key Pairs

●    X.509 Certificates

■    AWS CloudTrail

AWS Cloud Service-Specific Security

○  Compute Services

■    EC2 ( Multiple Levels of Security)

●    The Hypervisor

●    Instance Isolation

●    Host Operating System

●    Guest Operating System

●    Firewall

●    API Access

●    EBS

EC2 Multiple Layers of networking

• Networking
• Virtual Private Cloud
• Subnets and Route Tables
• Security Groups
• Network Access Control List
• Virtual Private Gateway
• Internet Gateway

 

Flexible Network Architectures

 

○  Storage and Database

■    IAM Policies

■    Access Logs

■    Automatic Software Patching

 

KMS (Key Management Services)

○  Key management is the management of cryptographic keys within a cryptosystem this includes dealing with the generation exchange storage use and replacement of keys

○  AWS  offers two services that provide to manage your own symmetric or asymmetric cryptographic keys

○  AWS  KMS :

■    A service enabling you to generate store enable/disable and delete symmetric keys

○  AWS cloud HS

■    A service providing you with secure cryptographic key storage by making hardware security modules {HSMs}available on the AWS cloud.

Benefits of KMS

○  Fully Managed

■    This service fully is  managed so you can focus on the encryption needs of your application

○  Centralized key management

■    This service provides you with centralized control of your encryption keys KMS presents a single  view into all  of the key usage in your  organization

○  Integrated with AWS services

■    AWS key management service integrated with several other AWS services  to make it easy to encrypt the data you store  with these services using keys  that you manage

○  Encryption for all your  applications

■    This service makes it easy  to manage encryption keys used to  encrypt  data stored by your applications  regardless  of where you store it

○  Built-in  Auditing

■    This service  works with AWS cloud Trail  to provide you with logs of  API calls made to  or by KMS

○  Low cost

■    There is no charge for the storage  of default keys in your account you pay  only for  additional master keys  that you create and  your key usage

AWS Storage Gateway

■    It is a service connecting an on-premises software appliance with cloud-based storage to provide seamless and secure integration between an organization's (on-premises) and AWS storage infrastructure.

■    It supports industry-standard storage protocols that work with your existing applications.

■    AWS Storage Gateway software appliance is available for download as a virtual machine (VM) image that you install on a host in your aws account.

○  There are four types of Storage Gateways

■    File Gateway

■    Volume Gateway

●    Cached Volumes

●    Stored Volumes

■    Tape Gateway

○  File Gateway

■    A file gateway supports a file interface into S3 and combines service and a virtual software appliance.

■    The gateway provides access to objects in S3 as files on the NFS mount point.

●    Store and retrieve files directly using the NFS version 3 or 4.1 protocol.

●    Access your data directly in S3 from any AWS cloud application or service.

●    Manage your S3 data using lifecycle policies, cross-region replication, and versioning.

○  Volume Gateway

■    A volume gateway provide cloud-backed storage volume that you can mount as iSCSI devices from your on-premises application servers.

■    Cached Volumes: store data in S3 and retain a copy of frequently accessed data subsets locally.

■    Stored Volumes  If you need low-latency access to your entire dataset, first configure your on-premises gateway to store all your data locally. Then asynchronously rrosnapshot snapshot snapshots of this data to S3.

●    If you need replacement capacity for disaster recovery. You can recover the backups to EC2.

○  Tape Gateway

■    A tape gateway provides a virtual tape infrastructure that scales seamlessly with your business need and eliminates the operational burden of provisioning scaling and maintaining a physical tape infrastructure.