Aws - henk52/knowledgesharing GitHub Wiki
AWS
Introduction
References
- AWS News Blog
- AWS re:Post
- AWS Whitepapers & Guides
- AWS Quick Starts
- AWS Solutions Library
- Nan20: K8s training.
- Pricing
Vocabulary
- AMI - Amazon Machine Image
- ALB - Application Load Balancer; HTTP(S) only, layer 7
- ARN - Amazon Resource Name
- ASG - Auto Scaling Group
- AZ - Availability Zone; one or more discrete data centers
- CAF - Cloud Adoption Framework
- CDN - Content Delivery Network
- CSP - Communication Service Provider
- DDoS - Distributed Denial of Service
- EBS - Elastic Block Store
- ECR - Elastic Container Registry
- Elasticity - automatic scaling up and down based on the load
- ELB - Elastic Load Balancer
- EFS - Elastic File System; NFS, works only with Linux instances
- EFS-IA - EFS Infrequent Access (for files not accessed every day)
- FaaS - Function as a Service
- FSx - launch third-party high-performance file systems on AWS
- GLB - Gateway Load Balancer; GENEVE protocol on IP packets, layer 3
- HA - High Availability; the system runs in at least 2 availability zones
- HSM - Hardware Security Module; a physical, tamper-resistant device that holds keys and performs the cryptographic operations with them
- IAM - Identity and Access Management; a global service
- Identity Center - AWS IAM Identity Center (formerly AWS SSO); one login for multiple AWS accounts and applications
- Inline policy - a policy embedded directly in a single user, group or role, rather than a managed policy that can be attached to many principals
- NLB - Network Load Balancer; TCP/UDP, layer 4
- OAC - Origin Access Control
- OLAP - OnLine Analytical Processing; analytics and data warehousing
- OLTP - OnLine Transaction Processing
- OU - Organizational Unit
- RDS - Relational Database Service
- Region
    - has multiple availability zones (typically 3, up to 6), each made of 1+ discrete data centers (3.10)
- REST API - Representational State Transfer. Stateless: each request from a client carries all the information needed to understand and process it, and the server stores no client context between requests. A REST API is a specific kind of HTTP API that follows the REST architectural principles; "HTTP API" is the general term for any API operating over HTTP.
- ROI - Return On Investment
- S3 - Simple Storage Service
- SCP - Service Control Policy
- TAM - Technical Account Manager
- VPC - Virtual Private Cloud
    - spans all AZs in its region (Nan20, 2.2)
- Scalability
    - Vertical - make the instance bigger
    - Horizontal - add more instances
- WAF - Web Application Firewall
Installing the AWS client
- AWS Command Line Interface
- Ultimate AWS Certified Cloud Practitioner CLF-C02 Section 4-20 and forward
Installing the AWS client on linux
- Ultimate AWS Certified Cloud Practitioner CLF-C02 Section 4-23
- Download the v2 bundle, unpack it, run the installer and confirm the version. AWS also publishes a PGP signature (the `.sig` file next to the zip) for the bundle; verify it against the AWS CLI public key before running the installer with sudo.

```bash
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install
aws --version
```
AWS client configuration
- Configure the AWS CLI with IAM Identity Center authentication
- Ultimate AWS Certified Cloud Practitioner CLF-C02 Section 4-24
- Add the 'PowerUserAccess' permission set to the user
- TODO this seems complex, maybe look at this one: AWS SSO - Single Sign-On Introduction, Concepts | Demo to configure AWS Single Sign-On using AWS SSO
- Then run `aws configure sso`, which obtains short-lived credentials through the browser login instead of storing long-lived access keys on the machine
Pricing
- t3.small, on-demand, USD per hour
    - US East: 0.0208
    - Frankfurt: 0.024
    - Paris: 0.0236
    - Stockholm: 0.0216
    - US West: 0.0248 / 0.0208
Billing and Cost Management
- The root user must explicitly allow IAM users (even those with AdministratorAccess) access to billing
    - Click the account drop-down in the upper right corner and open the account settings
    - Scroll down to 'IAM user and role access to Billing information'
    - Activate 'IAM user/role access to billing information'
    - It might take a few minutes until the admin can change the budget alerts
- Admin topics of interest:
    - Bills
    - Budgets
    - Free Tier
Compute pricing - Lambda and ECS
- Lambda
    - Pay per call
    - Pay per duration
- ECS
    - No additional fees for ECS itself
    - You pay for the AWS resources (EC2 instances, EBS volumes, ...) created and used by your application
- Fargate
    - Pay for the vCPU and memory allocated to your containers
S3 storage pricing
- Storage class
- Number and size of objects
- Number and type of requests
- Data transfer out of the S3 region
- S3 Transfer Acceleration
- Lifecycle transitions
EFS storage pricing
- Similar to S3
EBS storage pricing
- Volume type
- Size of volume in GB per month provisioned
- IOPS
    - General Purpose SSD: included
    - Provisioned IOPS SSD: provisioned amount in IOPS
    - Magnetic: number of requests
- Snapshots
    - Added data cost per GB per month
- Data transfer
    - Outbound data transfer is tiered for volume discounts
    - Inbound: free
RDS database pricing
- Per-hour billing
- Database characteristics
    - Engine
    - Size
    - Memory class
- Purchase type
    - On-demand
    - Reserved instances
- Additional storage, GB per month
- Backup storage: no additional charge up to 100% of your total DB storage for a region
- Number of input and output requests per month
- Deployment type
    - Single AZ
    - Multi-AZ
- Data transfer
    - Outbound is tiered for volume discounts
    - Inbound is free
CloudFront pricing
- Differs across geographic regions
- Data transfer out
- Number of HTTP(S) requests
Networking costs per GB
- Traffic in: free
- Private traffic: free
- AZ to AZ
    - via public IP / internet: $0.02 per GB
    - via private IP: $0.01 per GB
- Inter-region: $0.02 per GB
Other
- Savings Plans
- AWS Compute Optimizer
Costing tools
Estimating costs in the cloud
- Pricing Calculator
    - You can click 'Save and add' in the bottom right corner to add more services
Tracking costs in the cloud
- Billing dashboard
- Cost allocation tags
    - TODO can also be used for creating resource groups
- Cost and Usage Reports
- Cost Explorer
Monitoring against cost plans
- Billing alarms in CloudWatch
- AWS Budgets - sends alerts when actual or forecasted costs exceed the budget
    - Types
        - Usage
        - Cost
        - Reservation
        - Savings Plans
    - Two budgets are free, then $0.02/day/budget
- AWS Service Quotas - monitor Lambda?
Trusted Advisor
- Cost optimization
- Performance
- Security
- Fault tolerance
- Service limits
- Operational excellence
Support plans
- AWS Basic Support plan
    - Customer service and communities
    - AWS Trusted Advisor (core checks only)
    - AWS Personal Health Dashboard
- AWS Developer Support plan
    - Business-hours e-mail access
    - Unlimited cases
    - Unlimited contacts
    - Case severity response times
        - General guidance: < 24 business hours
        - System impaired: < 12 business hours
- AWS Business Support plan (24/7)
    - If you have production workloads
    - Trusted Advisor - full set of checks
    - 24/7 phone, e-mail and chat access to cloud support engineers
    - Access to Infrastructure Event Management for an additional fee
    - Case severity response times
        - Production system impaired: < 4 hours
        - Production system down: < 1 hour
- AWS Enterprise On-Ramp Support plan (24/7)
    - If you have production or business-critical workloads
    - Access to a pool of Technical Account Managers (TAM)
    - Concierge support team (for billing and account best practices)
    - Infrastructure Event Management
    - Well-Architected and operations reviews
    - Case severity response times
        - Business-critical system down: < 30 minutes
- AWS Enterprise Support plan (24/7)
    - If you have mission-critical workloads
    - Access to a designated Technical Account Manager (TAM)
    - Case severity response times
        - Business-critical system down: < 15 minutes
Instances
Naming convention
- m5.2xlarge
    - m: instance class (family)
    - 5: generation
    - 2xlarge: size within the instance class
Instance types
- General purpose - diverse workloads
    - Web servers, code repositories
    - Balance between compute, memory and networking
- Compute optimized - compute-intensive tasks
    - Batch processing workloads, media transcoding, high-performance web servers, HPC, ML, dedicated gaming servers
- Memory optimized - process large data sets in memory
    - High-performance relational/non-relational (mostly in-memory) databases
    - Distributed web-scale cache stores
    - In-memory DBs optimized for BI (business intelligence)
    - Real-time processing of big unstructured data
- Storage optimized - storage-intensive tasks
    - High-frequency online transaction processing (OLTP)
    - Relational and NoSQL DBs
    - Cache for in-memory DBs
    - Data warehousing apps
    - Distributed file systems
- t - burstable
    - t3 - Intel x86 processors
    - t4g - Arm-based AWS Graviton2 processors
AWS Services of interest
- API gateway
- Lambda function
- SQS
AWS Certifications
DevSecOps Engineer
- CLF-C02 - Cloud Practitioner
- SOA-C02 - SysOps Administrator
- [Machine Learning Engineer]
- DOP-C02 - DevOps Engineer
- SCS-C02 - Security Specialty
Learn the basics
How I Would Learn AWS Today (after 10 years of cloud experience)
- Suggested pre-requisites
    - Networking basics
    - Operating systems / virtual machines
    - Linux CLI basics
    - A programming language
- New account checklist
- Fundamental AWS concepts
    - Global AWS infrastructure
        - Regions
        - Availability Zones (AZs)
    - Services
        - Networking
            - VPC
            - Security Groups
        - Compute
            - EC2
        - Storage
            - S3
        - Databases
            - RDS (Relational Database Service)
            - DynamoDB - NoSQL key-value/document store, comparable to MongoDB
            - Aurora (RDS)
        - Security
            - IAM
- Suggested training order
    - AWS Cloud Practitioner
    - AWS Solutions Architect Associate
- Build your skills
    - Do a project
        - YouTube suggestions
            - Wordpress website hosting
            - Static website hosting
            - Serverless web crawler
            - Inventory in-stock notifier
            - Adrian Cantrill's mini projects
        - Paid content
            - Be A Better Dev - AWS Learning Accelerator
            - Digital Cloud Training (Neil Davis)
            - AWS Workshops? (you have to pick your services up front)
    - Study AWS architectures
        - AWS Reference Architectures
    - Create your own project ideas
        - Anomaly detection dashboard
        - CI/CD pipeline
        - Twitter clone
        - Data ingestion and processing pipeline
- Other tips and resources
Setting up
Creating an AWS account
- Go to: https://aws.amazon.com/free
- Click 'Create account'
- Enter the sign-up information and click 'Verify email address'
- ...things happening...
- Set up MFA for the root user: search for 'MFA' in the search bar (an authenticator app such as Google Authenticator works)
Create admin account
Do day-to-day work with a separate IAM administrator instead of the root user, so the identity you use routinely doesn't have access to the credit card, billing etc.
- Go to IAM
- Click 'Add users'
- Check 'Provide user access to the AWS Management console'
- Check 'I want to create an IAM user'
- Click next
- Check 'Attach policies directly'
- Check 'AdministratorAccess'
- Click next
- Click 'Create user'
- Enable MFA for the new user
- Note the autogenerated password
- Click the 'Console sign-in link'
    - This will switch your user
Creating Instances
IAM
- TODO is there a bulk way to create multiple users?
IAM policy structure
4.16
- Version: policy language version (currently "2012-10-17")
- Id: optional policy id
- Statement
    - Sid: optional statement id
    - Effect: Allow/Deny
    - Principal: account/user/role this policy applies to (only present in resource-based policies)
    - Action: list of actions
    - Resource: list of resources to which the actions apply
    - Condition: optional; when the statement is in effect
- Evaluation: an explicit Deny in any applicable policy wins over any Allow; without a matching Allow the request is implicitly denied
FinOps
- Organizing and tracking costs using AWS cost allocation tags
- Cost category
- Cost allocation tag
Setting up cost categories
Setting up a tag-based cost category
- Access the AWS Management Console and navigate to Billing and Cost Management
- In the left-hand menu, select Cost Allocation Tags
- It takes up to 24 hours for a newly activated tag to take effect in the billing data
Account management
- AWS Organizations
    - Allows you to manage multiple AWS accounts
    - The main account is the management (master) account; the others are member (child) accounts
    - Cost benefits
        - Consolidated billing, single payment point
        - Price benefit from aggregated usage
        - Pooling of reserved EC2 instances
    - API for automated AWS account creation
    - e.g. split accounts by
        - Department
        - Cost center
        - dev/test/prod
        - Project
    - Service Control Policies (SCP)
        - Do not apply to the management account
        - Allow-list or deny-list for IAM actions
        - Applied to all users and roles in the member account, including root
        - Not applied to service-linked roles
            - Service-linked roles enable other AWS services to integrate with AWS Organizations and can't be restricted by SCPs
        - An SCP never grants permissions by itself: an action must be allowed by an SCP at every level (root, OU, account) and by the principal's IAM policies, and an explicit Deny in any SCP wins. AWS attaches a FullAWSAccess SCP by default, so most setups work as a deny list; if you remove it, everything is denied unless an SCP explicitly allows it.
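As an added example (constructed for this page, not code from the wiki or from AWS), the following Python models the decision logic the IAM policy structure notes describe together with the SCP rules above: an explicit Deny anywhere wins, an action needs an Allow at every SCP level, and within one account either an identity policy or a resource policy such as a bucket policy may grant the access. The account ID, role ARN, bucket names and policies are made up; only the Action/Resource/Principal elements and the StringEquals/StringNotEquals/StringLike condition operators are supported, so NotAction, NotResource and the other operators are deliberately left out.

```python
"""Constructed IAM policy evaluator (not AWS code): explicit Deny > Allow > implicit deny,
SCP guardrails at every organization level, and same-account identity/resource union."""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(patterns, value):
    """IAM-style wildcard match: '*' matches any run of characters, '?' exactly one."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_ok(condition, ctx):
    """Evaluate a Condition block against request context keys (string operators only)."""
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual, expected = ctx.get(key), [str(e) for e in _as_list(expected)]
            if operator == "StringEquals":
                ok = actual in expected
            elif operator == "StringNotEquals":      # true when the key is absent, as in IAM
                ok = actual not in expected
            elif operator == "StringLike":
                ok = actual is not None and _glob(expected, actual)
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True


def _statement_matches(stmt, request):
    principal = stmt.get("Principal")                # only present in resource-based policies
    if principal is not None and principal != "*":   # "*" = anyone, including anonymous callers
        allowed = principal.get("AWS", []) if isinstance(principal, dict) else principal
        if request["principal"] not in _as_list(allowed):
            return False
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]   # actions are case-insensitive
    if not _glob(actions, request["action"].lower()):
        return False
    if not _glob(stmt.get("Resource", "*"), request["resource"]):      # ARNs are case-sensitive
        return False
    return _condition_ok(stmt.get("Condition"), request.get("context", {}))


def decide(policies, request):
    """'deny' if any matching statement denies, 'allow' if one allows, else None (implicit deny)."""
    verdict = None
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if _statement_matches(stmt, request):
                if stmt["Effect"] == "Deny":
                    return "deny"
                verdict = "allow"
    return verdict


def is_allowed(request, scp_levels=(), identity_policies=(), resource_policies=()):
    """Combine SCPs, identity-based policies and same-account resource-based policies."""
    # SCPs never grant anything: every level on the path root -> OU -> account must Allow the
    # action and none may Deny it. An empty list models the management account or an account
    # outside any organization, which SCPs do not restrict.
    for level in scp_levels:
        if decide(level, request) != "allow":
            return False
    ident, res = decide(identity_policies, request), decide(resource_policies, request)
    if "deny" in (ident, res):                      # an explicit Deny anywhere wins
        return False
    return ident == "allow" or res == "allow"       # same account: either policy type may grant


# Constructed sample policies: the account ID, role and bucket names are made up for this example.
FULL_AWS_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}           # the SCP AWS attaches by default
DENY_OUTSIDE_EU = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyNonEU", "Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-central-1", "eu-north-1"]}}}]}
DEV_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadExampleBucket", "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Sid": "NeverDelete", "Effect": "Deny", "Action": "s3:Delete*", "Resource": "*"}]}
PUBLIC_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-public/*"}]}                  # public read: anyone may fetch
DEV = "arn:aws:iam::111111111111:role/dev"
ORG_SCPS = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, DENY_OUTSIDE_EU]]   # root level, then the OU level


def request(principal, action, resource, region="eu-central-1"):
    return {"principal": principal, "action": action, "resource": resource,
            "context": {"aws:RequestedRegion": region}}


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/a.txt"
    cases = {
        "dev reads example-bucket from eu-central-1": is_allowed(request(DEV, "s3:GetObject", obj), ORG_SCPS, [DEV_ROLE_POLICY]),
        "dev reads example-bucket from us-east-1 (SCP deny)": is_allowed(request(DEV, "s3:GetObject", obj, "us-east-1"), ORG_SCPS, [DEV_ROLE_POLICY]),
        "dev deletes an object (explicit deny wins)": is_allowed(request(DEV, "s3:DeleteObject", obj), ORG_SCPS, [DEV_ROLE_POLICY]),
        "dev writes an object (no allow anywhere)": is_allowed(request(DEV, "s3:PutObject", obj), ORG_SCPS, [DEV_ROLE_POLICY]),
        "anonymous reads example-public (Principal *)": is_allowed(request("anonymous", "s3:GetObject", "arn:aws:s3:::example-public/x.jpg"), resource_policies=[PUBLIC_BUCKET_POLICY]),
    }
    for name, allowed in cases.items():
        print(f"{'ALLOW' if allowed else 'DENY '}  {name}")
```

Running the file prints one verdict per scenario. The last case is the one to remember when reviewing bucket policies: with `"Principal": "*"` the anonymous request is allowed although no identity policy exists at all, which is exactly how a public-read bucket comes about.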
AWS Control Tower
- Set up and govern a secure and compliant multi-account AWS environment, based on best practices
- Benefits
    - Automates the set-up of your environment in a few clicks
    - Automates ongoing policy management using guardrails
    - Detects and remediates policy violations
    - Monitors compliance through an interactive dashboard
- Can be costly
AWS Resource Access Manager (AWS RAM)
- Share AWS resources you own across accounts
- Avoids resource duplication
AWS Service Catalog
- Allows an admin to create a self-service portal to launch a set of authorized products
- TODO can this be used as an IDP?
Security
- Customer: responsible for security IN the cloud
- AWS: responsible for security OF the cloud
Shared responsibility model
General
- AWS
    - Protecting the infrastructure that runs all the AWS services
    - Managed services like S3, DynamoDB, RDS, etc.
- You
    - Security IN the cloud: what you put on those services and how you configure them
- Shared
    - Patch management; you: EC2 etc.; AWS: RDS etc.
    - Configuration management
    - Awareness and training; you: you and your employees; AWS: their people
IAM
- AWS - responsible for all the infrastructure
    - Infrastructure
    - Configuration and vulnerability analysis
    - Compliance validation
- You - responsible for how you use the infrastructure
    - Users, groups, roles and policies: management and monitoring
    - Enable MFA on all accounts
    - Rotate all your keys often
    - Use IAM tools to apply appropriate permissions
    - Analyze access patterns and review permissions
EC2
- AWS
    - Infrastructure
    - Isolation on physical hosts
    - Replacing faulty hardware
    - Compliance validation
- You
    - Security Group rules
    - OS patches and updates
    - Software and utilities installed on the EC2 instance
    - IAM roles assigned to the EC2 instance
    - IAM user access management
Storage
- AWS
    - Infrastructure
    - Replication of data for EBS volumes and EFS drives
    - Replacing faulty hardware
    - Ensuring their employees cannot access your data
- You
    - Setting up backup/snapshot procedures
    - Setting up data encryption
    - Responsibility for any data on the drives
    - Understanding the risk of using the EC2 instance store
        - It is ephemeral: you must back it up
S3
- AWS
    - Infrastructure
    - Configuration and vulnerability analysis
    - Compliance validation
- You
    - S3 versioning
    - S3 bucket policies
    - S3 replication setup
    - Logging and monitoring
    - S3 storage classes
    - Data encryption at rest and in transit
AWS Security Token Service (STS)
- Short-term credentials (you set the expiration time)
- Use cases:
    - Identity federation: give users in external systems access to AWS resources
    - IAM roles for cross-account / same-account access
    - IAM roles for EC2: temporary credentials so EC2 instances can access AWS resources
Amazon Cognito
- Provides identity for your web and mobile application users
- Instead of e.g. creating an IAM user for each of them
AWS Directory Service
- AWS Managed Microsoft AD
- AD Connector
- Simple AD
AWS IAM Identity Center
- One login for multiple AWS accounts and applications
Kubernetes in AWS
- EKS - Elastic Kubernetes Service; managed control plane
- ECS - Elastic Container Service
- ECR - Elastic Container Registry; private Docker repository
- Fargate - serverless way to launch containers; alternative to EC2 instances as the worker capacity
EKS
- AWS EKS - Create Kubernetes cluster on Amazon EKS | the easy way
- How to Deploy AWS EKS with Terraform - The Simplest Guide to Get Up and Running
- Set-up
    - Create an AWS account
    - Create a VPC
    - Create an IAM role with Security Group
- Create cluster control plane
    - Choose cluster name, k8s version etc.
    - Choose region and VPC for your cluster
    - Set security for your cluster
- Create worker nodes and connect them to the cluster
    - Create workers as a Node Group
        - Not individual EC2 instances
    - Choose the cluster the node group will attach to
    - Define the Security Group
    - Select instance type and resources
    - Define min and max number of nodes
- Configure kubectl to connect to the EKS cluster
Services notes
- CodeStar - unified view for dev CI/CD and code
- Cloud9 - cloud IDE
- Amazon WorkSpaces - remote desktop
- Amazon AppStream 2.0 - applications delivered from within a web browser
- AWS IoT Core
- Amazon Elastic Transcoder - convert media files stored in S3 into media files for consumer playback devices (phones etc.)
- AWS AppSync - store and sync data across mobile and web apps in real time
- AWS Amplify - a set of tools and services that helps you develop and deploy scalable full-stack web and mobile applications
- AWS Application Composer - design and build serverless apps
- AWS Device Farm - test your web and mobile apps against desktop browsers, real mobile devices and tablets
- AWS Backup - centrally manage and automate backups across AWS services
- AWS Elastic Disaster Recovery -
- AWS DataSync - move large amounts of data from on-prem to AWS
- AWS Fault Injection Simulator (FIS) - Chaos Monkey kind of a thing
- AWS Step Functions - visual workflow for orchestrating Lambda functions
- AWS Ground Station - control your satellite communication
- AWS Pinpoint - scalable 2-way marketing communications service; SMS
API gateway
- Amazon API Gateway | Integration and Method Requests & Responses
- Fully managed service
    - Easily create, publish, maintain, monitor and secure APIs
- Supports RESTful APIs and WebSocket APIs
- Support for security
    - User authentication
    - API keys
    - API throttling
    - Monitoring
Lambda functions
- You just deploy the code and AWS executes it on some node
- Intended for short executions
- Runs on demand, event driven
    - Functions get invoked by AWS when needed
    - Nothing is stored between executions
- Easy monitoring through AWS CloudWatch
- Easy to get more resources per function (up to 10 GB of RAM)
    - Increasing RAM also improves CPU and network
- Supports a number of languages and Lambda container images
    - Python, Node.js, custom Runtime API (Rust or Go)
    - Container images must implement the Lambda Runtime API
    - ECS/Fargate is preferred for running arbitrary Docker images
Receive a message in a lambda function
Expected message (the address is shown as it appears on the page):

```json
{
    "email": "[email protected]",
    "status": "dropped",
    "key": "value3"
}
```

```python
import json
import logging

logger = logging.getLogger()
logger.setLevel(logging.INFO)

REQUIRED_FIELDS = ("email", "status")


def lambda_handler(event, context):
    # Per-invocation metadata from the context object
    logger.info("Function Name: %s", context.function_name)
    logger.info("Memory Limit (MB): %s", context.memory_limit_in_mb)
    logger.info("Request ID: %s", context.aws_request_id)

    # Log the event and context objects. The event carries the caller's e-mail
    # address, so these lines put personal data into CloudWatch Logs.
    logger.info("Received event: %s", json.dumps(event, indent=2))
    logger.info("Context object: %s", vars(context))

    # Validate the input before acting on it; reject malformed events with 400
    missing = [field for field in REQUIRED_FIELDS if field not in event]
    if missing:
        logger.warning("Rejecting event, missing fields: %s", missing)
        return {
            'statusCode': 400,
            'body': json.dumps(f'Missing fields: {missing}')
        }

    # Return a success message
    return {
        'statusCode': 200,
        'body': json.dumps('new Hello from Lambda!')
    }
```
send message to SQS
The Lambda function's execution role needs a policy that allows `sqs:SendMessage` on the queue.

```python
import json
import os

import boto3


def lambda_handler(event, context):
    # Log the event and context objects (the event contains an e-mail address,
    # so this puts personal data into CloudWatch Logs)
    print("Received event: ", json.dumps(event, indent=2))
    print("Context object: ", vars(context))

    # Extract the domain part from the email; reject input without exactly one '@'
    email = event.get('email', '')
    if email.count('@') != 1:
        return {
            'statusCode': 400,
            'body': json.dumps('Invalid or missing email')
        }
    domain = email.split('@')[1]

    # Build the message for the queue; only the domain and the status are
    # forwarded, not the full address
    queue_event = {
        "status": event.get('status', 'unknown'),
        "domain": domain
    }
    print("Sending event: ", json.dumps(queue_event, indent=2))

    # Create SQS client
    sqs = boto3.client('sqs')

    # Retrieve the SQS queue URL from an environment variable
    queue_url = os.environ['SQS_QUEUE_URL']

    # Send message to SQS queue
    response = sqs.send_message(
        QueueUrl=queue_url,
        MessageBody=json.dumps(queue_event)
    )

    # Log the response
    print("Message sent to SQS:", response)

    # Return a success message
    return {
        'statusCode': 200,
        'body': json.dumps('new Hello from Lambda!')
    }
```
Summarize messages via lambda function
```python
import json
import os
from collections import defaultdict

import boto3

# Initialize the SQS client outside the handler so it is reused across warm invocations
sqs = boto3.client('sqs')

# Retrieve the SQS queue URL from an environment variable
queue_url = os.environ['SQS_QUEUE_URL']

# Upper bound on messages drained per invocation, so a busy queue cannot
# run the function into its timeout (messages left over are picked up next time)
MAX_MESSAGES_PER_RUN = 1000


def lambda_handler(event, context):
    messages = []

    # Poll the SQS queue until it is empty or the bound is reached
    while len(messages) < MAX_MESSAGES_PER_RUN:
        response = sqs.receive_message(
            QueueUrl=queue_url,
            MaxNumberOfMessages=10,
            WaitTimeSeconds=1
        )
        if 'Messages' not in response:
            break
        messages.extend(response['Messages'])

    # Initialize a defaultdict for tallying
    tally = defaultdict(lambda: defaultdict(int))

    # Process each message; a body that is not JSON is counted as malformed
    # instead of crash-looping the whole batch (it would only be redelivered
    # after the visibility timeout and fail again)
    for message in messages:
        try:
            body = json.loads(message['Body'])
        except (ValueError, TypeError):
            tally['malformed']['unparseable'] += 1
            continue
        status = body.get('status', 'unknown')
        domain = body.get('domain', 'unknown')
        tally[domain][status] += 1

    # Log the tally
    print("Tally results:")
    for domain, status_count in tally.items():
        for status, count in status_count.items():
            print(f"Domain: {domain}, Status: {status}, Count: {count}")

    # After logging, delete the messages; delete_message_batch accepts at most 10 entries per call
    entries = [{'Id': msg['MessageId'], 'ReceiptHandle': msg['ReceiptHandle']} for msg in messages]
    for i in range(0, len(entries), 10):
        sqs.delete_message_batch(
            QueueUrl=queue_url,
            Entries=entries[i:i + 10]
        )

    return {
        'statusCode': 200,
        'body': json.dumps('Tally logged successfully!')
    }
```
Send messages to a slack channel
Simple Queue Service(SQS)
- Simple Queue Service (SQS) Basics | AWS Cloud Computing Tutorial for Beginners
- Fully managed service
- Types of queues
    - Standard
        - At-least-once delivery; occasionally more than one copy of a message is delivered, so consumers must be idempotent
        - Best-effort ordering; messages may be delivered in an order different from the one they were sent in
        - Nearly unlimited number of transactions per second
    - FIFO (first-in-first-out)
        - Up to 300 messages per second, or 3000 messages per second when batched in 10s
        - Exactly-once processing; duplicates are not introduced into the queue
        - First-in-first-out delivery; preserves the order in which messages were received
- Visibility timeout; default 30 s
    - The period during which a message is hidden from other consumers after being received, so it is not processed more than once until it is either deleted or the timeout expires. If the consumer has not deleted it by then, it is delivered again.
- Unlimited queues and messages
- Message payloads of up to 256 KB in any text format, retained for up to 14 days (default 4 days)
- Batching; 1 batch = up to 10 messages
    - Send, receive or delete in batches
    - A batch costs the same as a single request, so it helps with cost savings
- Long polling; a receive call waits up to 20 s for a message to arrive instead of returning an empty response immediately
- Dead-letter queue; messages that have been received more than maxReceiveCount times without being deleted are moved there for inspection
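To make the at-least-once delivery, visibility timeout and dead-letter behaviour above concrete, here is an added example (constructed for this page, not code from the wiki or from AWS, and it uses an in-memory stand-in for a standard queue rather than boto3): a consumer that deletes a message only after processing succeeds and de-duplicates redelivered copies by a hash of the body, against a queue that redelivers undeleted messages once their visibility timeout expires and moves messages received more than maxReceiveCount times to a dead-letter list. The message bodies, timeouts and the "poison" status that makes processing fail are all constructed.

```python
"""Constructed simulation of SQS standard-queue semantics (not boto3, not AWS code).

Models visibility timeout, at-least-once (duplicate) delivery and a redrive policy
with maxReceiveCount, plus a consumer that handles all three correctly.
"""
import hashlib
import json
import random


class FakeStandardQueue:
    """In-memory stand-in for an SQS standard queue; `now` is a simulated clock in seconds."""

    def __init__(self, visibility_timeout=30, max_receive_count=3, dup_rate=0.0, seed=0):
        self.now = 0
        self.visibility_timeout = visibility_timeout
        self.max_receive_count = max_receive_count   # the redrive policy's maxReceiveCount
        self.dup_rate = dup_rate                     # probability a received message is delivered twice
        self.rng = random.Random(seed)
        self.sent = 0
        self.messages = {}                           # MessageId -> {"body", "invisible_until", "receive_count"}
        self.dead_letter = []                        # (MessageId, body) moved to the dead-letter queue

    def send(self, body):
        self.sent += 1
        message_id = hashlib.sha256(f"{self.sent}:{body}".encode()).hexdigest()[:16]
        self.messages[message_id] = {"body": body, "invisible_until": 0, "receive_count": 0}
        return message_id

    def receive(self, max_messages=10):
        delivered = []
        for message_id, msg in list(self.messages.items()):
            if len(delivered) >= max_messages:
                break
            if msg["invisible_until"] > self.now:        # still inside a consumer's visibility timeout
                continue
            if msg["receive_count"] >= self.max_receive_count:
                # Received maxReceiveCount times and never deleted: redrive to the dead-letter queue
                self.dead_letter.append((message_id, msg["body"]))
                del self.messages[message_id]
                continue
            msg["receive_count"] += 1
            msg["invisible_until"] = self.now + self.visibility_timeout
            delivered.append({"MessageId": message_id,
                              "ReceiptHandle": f"{message_id}:{msg['receive_count']}",
                              "Body": msg["body"]})
            if self.rng.random() < self.dup_rate:       # at-least-once: a second copy shows up
                delivered.append(dict(delivered[-1]))
        return delivered

    def delete(self, receipt_handle):
        self.messages.pop(receipt_handle.split(":")[0], None)

    def advance(self, seconds):
        self.now += seconds


class IdempotentConsumer:
    """Polls the queue, processes each distinct message once and deletes only after success."""

    def __init__(self, queue, fail_on_status=()):
        self.queue = queue
        self.seen = set()               # in production: a DynamoDB/database table with a conditional write
        self.processed = []
        self.fail_on_status = set(fail_on_status)   # constructed failure: processing these "crashes"

    def poll_once(self):
        for msg in self.queue.receive():
            # Idempotency key: here a hash of the body; real payloads should carry a business key
            key = hashlib.sha256(msg["Body"].encode()).hexdigest()
            if key in self.seen:
                self.queue.delete(msg["ReceiptHandle"])   # duplicate: acknowledge without reprocessing
                continue
            body = json.loads(msg["Body"])
            if body.get("status") in self.fail_on_status:
                continue    # simulated crash before delete: SQS redelivers after the visibility timeout
            self.processed.append(body)
            self.seen.add(key)
            self.queue.delete(msg["ReceiptHandle"])       # delete only once the side effect is durable


def run_scenario():
    """Three good messages (each delivered twice) and one poison message that ends up dead-lettered."""
    queue = FakeStandardQueue(visibility_timeout=30, max_receive_count=3, dup_rate=1.0)
    for n in range(3):
        queue.send(json.dumps({"status": "delivered", "domain": "example.com", "n": n}))
    queue.send(json.dumps({"status": "poison", "domain": "example.net"}))
    consumer = IdempotentConsumer(queue, fail_on_status={"poison"})
    for _ in range(4):                  # four polls, each after the previous visibility timeout expired
        consumer.poll_once()
        queue.advance(31)
    return {"processed": len(consumer.processed),
            "dead_letter": len(queue.dead_letter),
            "remaining": len(queue.messages)}


if __name__ == "__main__":
    print(run_scenario())   # {'processed': 3, 'dead_letter': 1, 'remaining': 0}
```

Two things the simulation shows that the bullet list only states: the duplicate copies never reach the business logic twice because the consumer records a key before deleting, and the poison message is retried exactly maxReceiveCount times before landing in the dead-letter queue instead of being retried forever.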
AWS batch
- Fully managed batch processing
- You provide a Docker image and the job runs on ECS
- A batch job is not continuous; it runs to completion
- Batch dynamically launches EC2 instances or Spot instances
- AWS Batch provisions the right amount of compute/memory
- You submit or schedule batch jobs and AWS Batch does the rest
- Batch vs Lambda
    - Lambda
        - Limited runtime (15 min)
        - Limited set of languages
            - (TODO you could create a docker image, right?)
        - Limited temporary disk space
        - Serverless
    - Batch
        - No time limit
        - Any runtime as long as it is a Docker image
        - Relies on EBS for disk space
Auto scaling groups
CLF-C02 Section 7
- Manual Scaling
- Dynamic scaling
- Simple/Step scaling
- Target tracking scaling
- Scheduled scaling
- Predictive scaling - uses ML to predict future traffic.
Container orchestration
ECS - Elastic Container Service
- You must provision and maintain the infrastructure (the EC2 instances)
- AWS will start and stop the containers
- Has integration with the Application Load Balancer
- TODO is this like the k8s kube-scheduler?
Fargate
- Launch Docker containers on AWS
- Serverless offering
- AWS runs the containers for you based on the containers' CPU/RAM needs
- TODO security risks?
ECR - Elastic Container Registry
Amazon Lightsail - lightweight cloud
Probably not for the pro, but for people with no cloud experience
- Use cases
    - Simple web applications
    - Websites
    - Dev/test environments
- HA but no auto-scaling
Database services
NoSQL - non-relational databases
- Benefits
    - Flexibility
    - Scalability
    - High performance
    - Highly functional
- Examples
    - Key-value
    - Document
    - Graph
    - In-memory
    - Search databases
AWS offers managed databases
- Benefits
    - Quick provisioning
    - HA
    - Vertical and horizontal scaling
    - Automated backup and restore
    - DB application upgrades
    - OS updates
    - Monitoring
    - Alerting
RDS
- Supports replication
    - 15 read replicas within AZ?
    - Read replicas
        - Scale the read workload
        - Data is only written to the main DB
    - 1 copy in Multi-AZ
        - Failover in case of outage
        - Data is only read/written on the main DB (the standby is not used for reads)
    - 1 copy in each region in multi-region
        - Write to the origin
        - Read from the local region replica
        - Disaster recovery in case of region issues
        - Local performance for global reads
        - Replication costs
ElastiCache
- Caches are in-memory databases
DynamoDB - NoSQL
- Fully managed, HA, replicated across 3 AZs
- Key/value DB
    - The primary key is either a partition key alone or a partition key plus a sort key
- DynamoDB Accelerator - DAX
    - Fully managed in-memory cache
    - 10x performance improvement
    - Specifically for DynamoDB
Amazon Aurora - SQL
- Both PostgreSQL and MySQL are supported as Aurora DB engines
- Cloud optimized
- Also available as Serverless
    - Good for infrequent, intermittent or unpredictable workloads
Redshift - OLAP
- Analytics and data warehousing
- Load data once every hour, not every second
- 10x better performance than other data warehouses
- Scales to PBs of data
- Columnar storage of data instead of row based (TODO how does this work)
- MPP - Massively Parallel query execution
- Pay as you go, based on instances provisioned
- Has a SQL interface for queries
- Interface for BI (Business Intelligence) tools; AWS QuickSight, Tableau
- Also exists as Serverless
Amazon EMR - Hadoop cluster
- EMR - Elastic MapReduce
- Helps create a Hadoop cluster
- Takes care of all provisioning and configuration
- Auto-scaling
- Integrated with Spot instances
- Hundreds of EC2 instances
- Also supports
    - Apache Spark
    - HBase
    - Presto
    - Flink
Amazon Athena
- Serverless query service to perform analytics against S3 objects
- Use SQL to query
- Supports CSV, JSON, ORC, Avro, Parquet
- Use cases:
    - BI
    - Analytics
    - Reporting
    - Analyze and query VPC Flow Logs
    - ELB logs
    - CloudTrail trails
Amazon QuickSight
- Serverless ML-powered BI service to create interactive dashboards of your data
DocumentDB - NoSQL
- Based on MongoDB
- JSON data
- Fully managed
- Replicated across 3 AZs
- Grows in increments of 10 GB
Amazon Neptune - Graph DB
- Fully managed
- HA; 3 AZs
- 15 read replicas
- Great for
    - Knowledge graphs
    - Fraud detection
    - Recommendation engines
    - Social networking
Amazon Timestream
- Fully managed
- Time series DB
- Automatically scales up/down to adjust capacity
- Built-in time series analytics functions
Amazon QLDB
- QLDB - Quantum Ledger Database
    - Ledger - book recording financial transactions
- Fully managed
- Serverless
- HA
- Replication across 3 AZs
- Used for
    - Reviewing the history of all the changes made to your application data over time
- Immutable; no entry can be removed or modified
- Cryptographically verifiable
Amazon Managed Blockchain
- Used for
    - Joining public blockchain networks
    - Creating your own scalable blockchain network
AWS Glue
- ETL service - extract, transform and load
- Fully serverless
- Useful for preparing and transforming data for analytics
DMS - Database Migration Service
- Quickly and securely migrate DBs to AWS; resilient and self-healing
- Supports
    - Homogeneous migration; e.g. PostgreSQL to PostgreSQL
    - Heterogeneous migration; e.g. MS SQL Server to Aurora
Global Access
Route 53
- Managed DNS
- Common records
    - A record (IPv4) - hostname to IP address
        - www.google.com => IP address
    - CNAME - hostname to hostname
        - search.google.com => www.google.com
    - Alias - hostname => AWS resource
        - example.com => ELB/CloudFront/S3/RDS/...
- Routing policies
    - Simple routing policy
        - No health checks (the only policy that cannot be combined with a health check)
    - Weighted routing policy
        - You assign a weight to each record; traffic is split in proportion to the weights
    - Latency routing policy
        - Selects the target with the lowest latency for the client
    - Failover routing policy
        - Disaster recovery: routes to the secondary when the primary's health check fails
AWS CloudFront
- Content Delivery Network (CDN)
- Caches content at the edge locations
    - Improves user experience
- DDoS protection
    - World-wide edge locations
    - Integrates with AWS Shield (DDoS protection) and AWS WAF (web application firewall)
- Origins - what it can front:
    - S3 bucket
    - HTTP
    - ALB
    - EC2
    - S3 website
    - Any HTTP backend you want
- Difference to S3 Cross-Region Replication
    - CloudFront
        - Global edge network
        - Files are cached for a TTL (e.g. a day)
        - Great for static content that must be available everywhere
    - S3 Cross-Region Replication
        - Great for dynamic content that needs to be available in a few regions
        - Must be set up for each region you want replication to happen to
        - Files are updated in near real-time
S3 Transfer Acceleration
AWS Global Accelerator
- Your target is hosted in a single place; the edge locations use the AWS internal network to connect from the edge to the target location
- AWS Global Accelerator vs CloudFront
    - Both
        - Use the AWS global network and edge locations
        - Integrate with AWS Shield for DDoS protection
    - CloudFront
        - CDN
    - Global Accelerator
        - No caching
        - Good for regional failover
AWS Outposts
- AWS hardware in racks in your local data center
- AWS will set up and manage the "Outposts racks"
- You can now use AWS commands against your on-prem racks
- You are responsible for the physical security
AWS Wavelength
- Brings AWS services to the edge of 5G networks
- Ultra-low-latency access through the 5G network
- The traffic never leaves the CSP network
    - CSP - Communication Service Provider
- High-bandwidth, secure connection to the parent AWS region
- Wavelength Zones are infrastructure deployments embedded within the telco providers' data centers at the edge of the 5G networks
- Use cases:
    - Smart cities
    - ML-assisted diagnostics
    - Connected vehicles
AWS Local Zones
- TODO Are they small datacenters?
Cloud integration
- SQS - Simple Queue Service - queue model
- SNS - Simple Notification Service - pub/sub model
    - Note: SNS exists alongside SQS because a message in an SQS queue is consumed by one consumer, whereas SNS delivers a copy of each message to every subscriber; a common pattern is an SNS topic fanning out to several SQS queues
    - Possible subscribers
        - SQS
        - Lambda
        - Kinesis Data Firehose
        - E-mail
        - SMS and mobile push notifications
        - HTTP endpoints
- Kinesis: real-time data streaming model
    - Managed service
    - Collect, process and analyze real-time streaming data at any scale
    - Kinesis Data Streams: low-latency streaming, ingesting data at scale from hundreds of thousands of sources
    - Kinesis Data Firehose: load streams into S3, Redshift, ElasticSearch etc.
    - Kinesis Data Analytics: perform real-time analytics on streams using SQL
    - Kinesis Video Streams: monitor real-time video streams for analytics or ML
- Amazon MQ - message broker
    - Managed service
    - RabbitMQ
    - ActiveMQ
    - Doesn't scale as much as SQS/SNS
    - Can run in Multi-AZ with failover
Storage
S3 storage
CLF-C02 Section 8
- Amazon S3 bucket
    - Amazon S3 allows people to store objects (files) in buckets (directories)
    - Buckets must have a globally unique name (across all regions and all accounts)
    - Buckets are defined at the region level
    - Bucket naming convention
        - No upper case
        - No underscore
        - 3-63 characters long
        - Not an IP address
        - Must start with a lowercase letter or a number
        - Must not start with 'xn--'
        - Must not end with '-s3alias'
- Amazon S3 objects
    - Objects (files) have a key
        - The key is the full path:
            - s3://some-bucket/a_folder/myfile.md
        - The key is composed of a 'prefix' + 'object name'
        - There is no concept of 'directories' in buckets
            - The keys simply contain '/'
    - Values are the content of the body
        - Max 5 TB
        - If you are uploading more than 5 GB you must use "multi-part upload"
    - Metadata
        - List of text key/value pairs
    - Tags
        - Unicode key/value pairs - up to 10
        - Useful for security / lifecycle (TODO how?)
    - Version ID (if enabled)
- S3 Security
- User based
- IAM policies - specify which API calls are allowed for a specific user from IAM
- Resource based
- Bucket policies - bucket-wide rules - can allow cross-account access.
- Object ACL
- Bucket ACL
- Encryption using keys
- Access calculation
- e.g. an IAM principal in the bucket's own account can access an object if
- the user's IAM permissions allow it,
- or the resource policy allows it,
- and there is no explicit deny.
- A principal from another account needs an allow from both its own IAM policy and the bucket policy.
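Worked example of the access calculation above, added for this page (it is not AWS's evaluator, which handles many more policy elements): a small evaluator over constructed identity policies and a constructed bucket policy that grants a cross-account role read access and explicitly denies requests not sent over TLS. Account IDs, ARNs and bucket names are made up.

```python
from fnmatch import fnmatchcase

BUCKET_ACCOUNT = "111111111111"   # account that owns s3://some-bucket (constructed)

# Constructed bucket (resource-based) policy on some-bucket.
BUCKET_POLICY = [
    {   # grant a role in another account read access to objects
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::222222222222:role/reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::some-bucket/*",
    },
    {   # explicit deny for any request not sent over TLS
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::some-bucket", "arn:aws:s3:::some-bucket/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    },
]

# Constructed identity-based (IAM) policies, keyed by principal ARN.
IDENTITY_POLICIES = {
    "arn:aws:iam::111111111111:user/alice": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
    "arn:aws:iam::111111111111:user/bob": [
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "*"}],
    "arn:aws:iam::222222222222:role/reader": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"}],
    "arn:aws:iam::222222222222:role/other": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_applies(stmt, principal, action, resource, context):
    """Does this statement match the request? Only the pieces the page
    discusses are modelled: Principal, Action/Resource wildcards and the
    Bool condition operator."""
    if "Principal" in stmt:                      # only resource policies name a principal
        p = stmt["Principal"]
        allowed = ["*"] if p == "*" else _as_list(p.get("AWS", []))
        if not any(a in ("*", principal) for a in allowed):
            return False
    if not any(fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(resource, pat) for pat in _as_list(stmt["Resource"])):
        return False
    for key, want in stmt.get("Condition", {}).get("Bool", {}).items():
        if str(context.get(key, "")).lower() != str(want).lower():
            return False
    return True


def _decision(statements, principal, action, resource, context):
    """'Deny' if any matching statement denies, 'Allow' if one allows, else None."""
    effects = {s["Effect"] for s in statements
               if _statement_applies(s, principal, action, resource, context)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else None


def is_allowed(principal, action, resource, context=None):
    """Combine identity policy and bucket policy the way the rule above says."""
    context = context or {"aws:SecureTransport": "true"}
    identity = _decision(IDENTITY_POLICIES.get(principal, []), principal, action, resource, context)
    bucket = _decision(BUCKET_POLICY, principal, action, resource, context)
    if "Deny" in (identity, bucket):
        return False                                   # explicit deny always wins
    if principal.split(":")[4] == BUCKET_ACCOUNT:      # same account as the bucket:
        return "Allow" in (identity, bucket)           # either policy may grant
    return identity == "Allow" and bucket == "Allow"   # cross-account: both must grant


if __name__ == "__main__":
    obj = "arn:aws:s3:::some-bucket/secret.txt"
    print(is_allowed("arn:aws:iam::111111111111:user/alice", "s3:GetObject", obj))
    print(is_allowed("arn:aws:iam::111111111111:user/alice", "s3:GetObject", obj,
                     {"aws:SecureTransport": "false"}))
    print(is_allowed("arn:aws:iam::222222222222:role/other", "s3:GetObject", obj))
```

The non-TLS deny is the pattern to remember: it overrides even alice's `s3:*` identity policy, which is exactly why explicit denies in bucket policies are the right tool for guardrails.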
- S3 Replication
- CRR - Cross-Region Replication
- SRR - Same-Region Replication
- Must enable versioning in both the source and destination bucket
- Buckets can be in different AWS accounts
- Copying is asynchronous
- Must give S3 an IAM role with permission to read the source bucket and write to the destination bucket
- S3 storage classes
- Standard - General purpose
- Availability: 4 nines (99.99%; up to ~53 min unavailable per year)
- used for: frequently accessed data
- Low latency and high throughput
- use cases
- Mobile and gaming apps
- big data analytics
- content distribution
- Standard-Infrequent Access (IA)
- Availability: 3 nines (99.9%)
- used for: less frequently accessed data that still needs rapid access when requested
- lower storage cost, but a per-GB retrieval charge
- Use cases:
- Disaster recovery
- backups
- One Zone-Infrequent Access
- Availability: 99.5%; data is kept in a single AZ, so it is lost if that AZ is destroyed
- use cases:
- secondary backup copies of on-prem data
- data you can recreate
- Glacier
- used for: archiving and backup
- pricing: storage + retrieval cost
- Glacier Instant Retrieval
- Millisecond retrieval
- Minimum storage duration: 90 days
- use for: data accessed about once a quarter
- Glacier Flexible Retrieval
- Expedited (1-5 minutes)
- Standard (3-5 hours)
- Bulk (5-12 hours)
- Minimum storage duration: 90 days
- Glacier Deep Archive
- Standard (12 hours)
- Bulk (48 hours)
- Minimum storage duration: 180 days
- Intelligent-Tiering
- Moves objects automatically between access tiers based on usage
- small monthly monitoring and auto-tiering fee
- There are no retrieval charges.
- Frequent Access tier (automatic): default
- Infrequent Access tier (automatic): object not accessed for 30 days
- Archive Instant Access tier (automatic): object not accessed for 90 days
- Archive Access tier (optional): configurable from 90 days to 700+ days
- Deep Archive Access tier (optional): configurable from 180 days to 700+ days
- S3 Durability - 11 nines
- S3 Encryption
- Server-side encryption
- Client-side encryption
Managing
CloudFormation
- A declarative way of outlining the AWS infrastructure
- E.g.
- Within a CloudFormation template you specify
- Security group
- how many EC2 instances
- S3 bucket
- ELB
- CloudFormation then creates them in the right order.
- You can estimate cost from the template's resources
- Stacks can be created and deleted automatically at specified times (e.g. dev environments torn down at night)
AWS Cloud Development Kit - CDK
- Declare the cloud infrastructure using a programming language
- e.g Python
- Generates the YAML CloudFormation template
AWS Elastic Beanstalk
- A developer-centric view of deploying an application on AWS.
- Platform as a Service
- Managed service
- Instance configuration/OS is handled by Elastic Beanstalk
- Deployment strategy is configurable but carried out by Elastic Beanstalk
- Capacity provisioning
- Load balancing and auto-scaling
- Application health monitoring and responsiveness
- Three architecture models
- Single instance deployment
- for dev env
- LB+ASG
- for prod and pre-prod web apps
- ASG only
- non-web apps in prod (workers)
- Supports many platforms
- Languages
- Python, Go, Node.js ...
- Docker
- Single container
- Multi-container
- Preconfigured Docker: Elastic Beanstalk-supplied Docker images for a specific runtime (e.g. GlassFish); now retired in favour of the generic Docker platform
- Health monitoring is built into Elastic Beanstalk
The developer is only responsible for the application code.
AWS CodeDeploy
- Automatically deploy applications
- Works with EC2 instances
- Works with on-premises servers
- Servers and instances must be provisioned and configured ahead of time.
- Including the CodeDeploy Agent.
- Not a configuration-management tool like Ansible/Puppet: it ships application revisions (from S3 or GitHub) to hosts that are already set up and runs your lifecycle hook scripts (e.g. BeforeInstall, ApplicationStart) through the agent.
AWS CodeBuild
- Compiles source code, runs tests and produces packages
- Fully managed, serverless
- Continuously scalable
- HA
- Secure
- Pay-as-you-go
AWS CodePipeline
- Basis for CI/CD
- Orchestrates the different steps
- e.g. orchestrates:
- CodeCommit --> CodeBuild --> CodeDeploy --> Elastic Beanstalk
AWS CodeArtifact
- artifact management for software development
- Devs and CodeBuild can retrieve dependencies straight from CodeArtifact
- Works with
- Maven
- Gradle
- npm
- yarn
- twine
- pip
- NuGet
- Like JFrog Artifactory or Sonatype Nexus: a managed package repository that can also proxy public upstreams, so builds pull dependencies from a single place you control
AWS Systems Manager - SSM
- Manage your EC2 and on-prem systems at scale
- Get operational insights about the state of your infrastructure
- Top features
- Automatic patching for enhanced compliance
- Run commands across an entire fleet of servers
- Store parameter configuration with the SSM Parameter Store
- Works for Linux, Windows, macOS and Raspberry Pi
- Requires the SSM Agent on the target.
- No SSH access used: the agent polls the SSM service over HTTPS, so no inbound ports have to be opened; Session Manager gives shell access without SSH keys or port 22.
- Amazon Linux (and several other AWS-provided AMIs) ship with the agent preinstalled as amazon-ssm-agent; on other OSes you install it yourself.
- Overlaps with Ansible for Run Command and State Manager, but is agent-based (pull) rather than SSH-based (push), and also covers patching, inventory and parameter storage.
Cloud monitoring
CloudWatch
- Metrics
- Basic monitoring every 5 min; detailed monitoring (paid) every 1 minute
- EC2 instances
- CPU utilization
- Status checks
- network
- NOT memory (requires the CloudWatch agent as a custom metric)
- EBS volumes
- Disk read/writes
- S3 buckets
- BucketSizeBytes
- NumberOfObjects
- AllRequests
- Billing
- Billing metrics are only published in us-east-1 (N. Virginia)
- Service limits
- how much you have been using a service API
- Custom metrics
- Push your own metrics
- Alarms
- trigger notifications
- actions
- auto scaling; change desired EC2 instance count
- EC2 actions; stop, terminate, reboot or recover (recover moves the instance to new underlying hardware after a system status check failure, keeping its instance ID, private IP, Elastic IP and metadata)
- SNS notifications
- Various options (sampling, periods, evaluation over N datapoints)
- Alarm states:
- OK
- INSUFFICIENT_DATA
- ALARM
- Logs
- can be collected from:
- Elastic Beanstalk
- ECS
- AWS Lambda
- CloudTrail
- EC2 machines (or on-prem servers)
- Not sent by default: install the CloudWatch agent on the instance and give its role permission to write logs
- Route53
Amazon EventBridge
- Schedule: cron jobs
- e.g. trigger a Lambda function
- Event pattern: event rules to react to a service doing something
- e.g. IAM root user signing in
AWS CloudTrail
- Provides, for your AWS account
- governance
- compliance
- audit
- Logs events and API calls within your AWS account from:
- Console
- SDK
- CLI
- AWS services
- Can put logs into:
- CloudWatch Logs
- S3
- If a resource was deleted in AWS, look in CloudTrail: the DeleteX event records who called it, when and from which IP
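Added example (not from the original wiki) covering both the EventBridge event-pattern rule above and the "look in CloudTrail when something was deleted" advice: a matcher with EventBridge's pattern semantics (every key in the pattern must be present, nested objects recurse, a list holds alternatives) applied to a root-user sign-in pattern, and a search over CloudTrail-shaped records that answers who deleted a resource. The events are constructed samples, not real logs, and only exact values and the `prefix` content filter are supported.

```python
import json

# EventBridge-style pattern for the "root user signing in" example above.
ROOT_SIGNIN_PATTERN = {
    "detail-type": ["AWS Console Sign In via CloudTrail"],
    "detail": {"userIdentity": {"type": ["Root"]}},
}

# Any CloudTrail API call whose name starts with "Delete".
DELETE_PATTERN = {
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventName": [{"prefix": "Delete"}]},
}

# Constructed events, shaped like the CloudTrail records EventBridge delivers
# (not real log data; account IDs and addresses are made up).
SAMPLE_EVENTS = [
    {"detail-type": "AWS Console Sign In via CloudTrail", "source": "aws.signin",
     "detail": {"eventTime": "2024-05-01T08:12:09Z", "eventName": "ConsoleLogin",
                "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"},
                "sourceIPAddress": "203.0.113.7"}},
    {"detail-type": "AWS Console Sign In via CloudTrail", "source": "aws.signin",
     "detail": {"eventTime": "2024-05-01T09:01:44Z", "eventName": "ConsoleLogin",
                "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"},
                "sourceIPAddress": "198.51.100.23"}},
    {"detail-type": "AWS API Call via CloudTrail", "source": "aws.s3",
     "detail": {"eventTime": "2024-05-01T09:05:02Z", "eventName": "DeleteBucket",
                "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"},
                "sourceIPAddress": "198.51.100.23",
                "requestParameters": {"bucketName": "some-bucket"}}},
    {"detail-type": "AWS API Call via CloudTrail", "source": "aws.s3",
     "detail": {"eventTime": "2024-05-01T09:06:30Z", "eventName": "PutObject",
                "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"},
                "sourceIPAddress": "198.51.100.23",
                "requestParameters": {"bucketName": "other-bucket", "key": "a.txt"}}},
]


def _value_matches(alternative, value):
    # A pattern value is either a literal or a content filter; only the
    # 'prefix' filter is modelled here.
    if isinstance(alternative, dict) and "prefix" in alternative:
        return isinstance(value, str) and value.startswith(alternative["prefix"])
    return alternative == value


def event_matches(pattern, event):
    """EventBridge semantics: every key in the pattern must be present in the
    event; nested objects recurse; a list holds alternatives, one must match."""
    for key, wanted in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(wanted, dict):
            if not (isinstance(actual, dict) and event_matches(wanted, actual)):
                return False
        elif not any(_value_matches(alt, actual) for alt in wanted):
            return False
    return True


def root_signins(events):
    """What the EventBridge rule above would fire on: (time, source IP)."""
    return [(e["detail"]["eventTime"], e["detail"]["sourceIPAddress"])
            for e in events if event_matches(ROOT_SIGNIN_PATTERN, e)]


def who_deleted(events, resource_name):
    """Answer 'who deleted X?' from CloudTrail: every Delete* call whose
    request parameters mention the resource, as (eventName, actor, time, IP)."""
    hits = []
    for e in events:
        if not event_matches(DELETE_PATTERN, e):
            continue
        d = e["detail"]
        if resource_name in json.dumps(d.get("requestParameters", {})):
            hits.append((d["eventName"], d["userIdentity"]["arn"],
                         d["eventTime"], d["sourceIPAddress"]))
    return hits


if __name__ == "__main__":
    print(root_signins(SAMPLE_EVENTS))
    print(who_deleted(SAMPLE_EVENTS, "some-bucket"))
```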
AWS X-Ray
- Debugging in production
- Visual analysis of your applications
- Similar to Jaeger (distributed tracing)
Amazon CodeGuru
- ML powered service for
- automated code reviews; CodeGuru Reviewer
- Supports Java and Python
- Integrates with: GitHub, Bitbucket, CodeCommit
- application performance recommendations; CodeGuru Profiler
- CodeGuru Security - SAST
AWS Health Dashboard
- Service health: the status of AWS services in all regions
- Account health: events affecting your own resources
VPC and networking
- IP addresses in AWS
- IPv4
- Public IPv4
- EC2 instances get a new public IP address every time you stop and start them (default)
- Elastic IP - allows you to attach a fixed public IPv4 address to an EC2 instance
- Cannot be attached to an ALB (ALBs only have a DNS name); an NLB can have one Elastic IP per AZ
- Private IPv4
- Fixed for an EC2 instance even when stopped and started again.
- IPv6
- There are no private IPv6 addresses
- VPC - Virtual Private Cloud
- Subnet
- Public subnet
- Private subnet - not part of a default VPC
- VPC can span the AZs of its region; a subnet lives in one AZ
- Network ACL - NACL
- A firewall that controls traffic to and from subnets
- attached to the subnets
- rules match on IP addresses/CIDRs only (not on other security groups)
- stateless: return traffic must be allowed explicitly, so ephemeral-port rules are needed
- numbered rules are evaluated in order and the first match wins; an unmatched packet is denied
- Security Groups
- a firewall that controls traffic to and from an EC2 instance (enforced at the network interface)
- This does protect one EC2 instance from another: traffic between two instances in the same subnet is still filtered; to allow it, reference the other instance's security group in a rule
- Can have only ALLOW rules
- Rules include IP addresses and other security groups
- is stateful: the reply to an allowed connection is allowed automatically
- evaluates ALL rules before deciding
- only applies to an instance if attached at launch or later on
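Added example (not from the original wiki): a toy model of how a NACL and a security group treat the same packets. The NACL walks numbered rules in order and is stateless, so a missing outbound ephemeral-port rule silently drops replies; the security group holds allow rules only, can reference another security group as the source, and remembers allowed flows so replies pass. All rules, addresses and security-group IDs are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "inbound" or "outbound", relative to the subnet/instance
    proto: str = "tcp"


# Network ACL on the subnet (constructed). Stateless: rules are walked in
# rule-number order and the first match decides; nothing matches -> deny.
# Because replies are not tracked, ephemeral-port rules are needed both ways.
NACL_RULES = [
    (100, "inbound", "tcp", "0.0.0.0/0", (443, 443), "allow"),
    (110, "inbound", "tcp", "10.0.0.0/16", (22, 22), "allow"),
    (120, "inbound", "tcp", "0.0.0.0/0", (1024, 65535), "allow"),   # replies to outbound connections
    (100, "outbound", "tcp", "0.0.0.0/0", (1024, 65535), "allow"),  # replies to inbound clients
    (110, "outbound", "tcp", "0.0.0.0/0", (443, 443), "allow"),
]


def nacl_decision(pkt, rules=NACL_RULES):
    for _number, direction, proto, cidr, (lo, hi), action in sorted(rules):
        if direction != pkt.direction or proto != pkt.proto:
            continue
        remote = pkt.src if pkt.direction == "inbound" else pkt.dst
        if ipaddress.ip_address(remote) in ipaddress.ip_network(cidr) and lo <= pkt.dport <= hi:
            return action
    return "deny"   # implicit deny at the end of every NACL


# Security groups (constructed). Allow rules only; the source may be a CIDR or
# another security group; all rules are considered and a miss means deny.
SG_RULES = {
    "sg-web": [("inbound", "tcp", "0.0.0.0/0", (443, 443)),
               ("inbound", "tcp", "sg-bastion", (22, 22)),      # SSH only from the bastion's SG
               ("outbound", "tcp", "0.0.0.0/0", (0, 65535))],
    "sg-bastion": [("inbound", "tcp", "203.0.113.0/24", (22, 22)),
                   ("outbound", "tcp", "0.0.0.0/0", (0, 65535))],
}


class SecurityGroup:
    """Stateful: once a packet is allowed, the reply flow is allowed too."""

    def __init__(self, sg_id):
        self.sg_id = sg_id
        self.flows = set()

    def decision(self, pkt, peer_sg=None):
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.flows:
            return "allow"   # reply to an already-allowed connection
        for direction, proto, source, (lo, hi) in SG_RULES[self.sg_id]:
            if direction != pkt.direction or proto != pkt.proto or not lo <= pkt.dport <= hi:
                continue
            remote = pkt.src if pkt.direction == "inbound" else pkt.dst
            if source.startswith("sg-"):
                if source != peer_sg:          # source is a security group, not an address
                    continue
            elif ipaddress.ip_address(remote) not in ipaddress.ip_network(source):
                continue
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return "allow"
        return "deny"


def demo():
    """Run constructed packets through both filters; returns {name: (nacl, sg)}."""
    web = SecurityGroup("sg-web")
    cases = {
        "client -> web:443": (Packet("198.51.100.9", 51000, "10.0.1.20", 443, "inbound"), None),
        "web:443 -> client": (Packet("10.0.1.20", 443, "198.51.100.9", 51000, "outbound"), None),
        "client -> web:22": (Packet("198.51.100.9", 51001, "10.0.1.20", 22, "inbound"), None),
        "bastion -> web:22": (Packet("10.0.1.5", 40000, "10.0.1.20", 22, "inbound"), "sg-bastion"),
        "neighbour -> web:22": (Packet("10.0.2.7", 40001, "10.0.1.20", 22, "inbound"), "sg-app"),
    }
    return {name: (nacl_decision(pkt), web.decision(pkt, peer_sg))
            for name, (pkt, peer_sg) in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} nacl={verdict[0]:5s} sg={verdict[1]}")
```

The "neighbour -> web:22" case is the one to note: the NACL lets it through because the neighbour is inside 10.0.0.0/16, but the security group still rejects it because the source is not the bastion's group.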
- VPC Flow Logs
- Capture information about IP traffic going to and from network interfaces:
- VPC flow logs
- Subnet flow logs
- Elastic network interface flow logs
- Helps to monitor and troubleshoot connection issues
- e.g.
- subnet to internet
- internet to subnet
- subnet to subnet
- The logs can be sent to
- S3
- CloudWatch Logs
- Kinesis Data Firehose
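Added example (not from the original wiki): a parser for default-format (version 2) flow log records, plus two detections a practitioner typically runs over them: sources whose rejected attempts spread over many ports (a port-scan signal) and accepted SSH/RDP flows from non-RFC1918 addresses (what a security group let in from the internet). The log lines are constructed; interface IDs, addresses and timestamps are made up.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Default flow log record format (version 2), fields in order.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: one source probing five ports and getting REJECTed,
# normal HTTPS traffic, SSH from inside the VPC, SSH from the internet, and a
# NODATA record (no traffic in the interval; its fields are '-').
SAMPLE_LOG = """\
2 111111111111 eni-0a1b2c3d 203.0.113.9 10.0.1.20 51244 22 6 1 40 1714550000 1714550060 REJECT OK
2 111111111111 eni-0a1b2c3d 203.0.113.9 10.0.1.20 51245 23 6 1 40 1714550000 1714550060 REJECT OK
2 111111111111 eni-0a1b2c3d 203.0.113.9 10.0.1.20 51246 3389 6 1 40 1714550000 1714550060 REJECT OK
2 111111111111 eni-0a1b2c3d 203.0.113.9 10.0.1.20 51247 445 6 1 40 1714550000 1714550060 REJECT OK
2 111111111111 eni-0a1b2c3d 203.0.113.9 10.0.1.20 51248 8080 6 1 40 1714550000 1714550060 REJECT OK
2 111111111111 eni-0a1b2c3d 198.51.100.5 10.0.1.20 40211 443 6 20 9120 1714550000 1714550060 ACCEPT OK
2 111111111111 eni-0a1b2c3d 10.0.2.7 10.0.1.20 38822 22 6 15 3200 1714550000 1714550060 ACCEPT OK
2 111111111111 eni-0a1b2c3d 192.0.2.44 10.0.1.20 55020 22 6 12 2900 1714550000 1714550060 ACCEPT OK
2 111111111111 eni-0a1b2c3d - - - - - - - 1714550000 1714550060 - NODATA
"""


@dataclass
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int      # IANA number: 6 = TCP, 17 = UDP
    packets: int
    bytes: int
    start: int
    end: int
    action: str        # ACCEPT or REJECT


def parse_flow_log(text):
    """Parse default-format records; NODATA/SKIPDATA lines are dropped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        row = dict(zip(FIELDS, parts))
        if row["log_status"] != "OK":
            continue
        records.append(FlowRecord(
            row["interface_id"], row["srcaddr"], row["dstaddr"],
            int(row["srcport"]), int(row["dstport"]), int(row["protocol"]),
            int(row["packets"]), int(row["bytes"]), int(row["start"]), int(row["end"]),
            row["action"]))
    return records


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def probable_scanners(records, min_ports=5):
    """Sources whose REJECTed connection attempts hit many distinct ports."""
    ports = defaultdict(set)
    for r in records:
        if r.action == "REJECT":
            ports[r.srcaddr].add(r.dstport)
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def accepted_admin_from_internet(records, admin_ports=(22, 3389)):
    """ACCEPTed TCP flows to SSH/RDP whose source is not an RFC1918 address."""
    return [(r.srcaddr, r.dstaddr, r.dstport) for r in records
            if r.action == "ACCEPT" and r.protocol == 6
            and r.dstport in admin_ports and not is_rfc1918(r.srcaddr)]


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print(len(recs), "records")
    print("scanners:", probable_scanners(recs))
    print("admin from internet:", accepted_admin_from_internet(recs))
```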
- VPC Peering
- Connect two VPCs privately using the AWS network
- Makes them behave as if they were in the same network
- Peering is not transitive: you must connect each pair of VPCs explicitly
- e.g. VPC-A is peered with VPC-B and VPC-C
- VPC-B and VPC-C have to be peered directly to see each other.
- VPC Endpoints
- An endpoint is a private entry point into an AWS service from inside your VPC, so instances in private subnets can reach e.g. S3 without an internet gateway or NAT, and the traffic never leaves the AWS network
- Endpoints allow you to connect to AWS services using a private network instead of the public network
- VPC Endpoint Gateway:
- S3
- DynamoDB
- VPC Endpoint Interface
- The rest of the AWS services
- AWS PrivateLink
- Most secure way of exposing a service to thousands of VPCs (other customers)
- Site-to-Site VPN
- Connects an on-prem network to AWS
- Automatically encrypted (IPsec)
- Goes over the public internet
- on-prem side must use a 'Customer Gateway' (CGW)
- AWS side must use a 'Virtual Private Gateway' (VGW)
- Direct Connect (DX)
- Physical connection between on-prem and AWS
- Goes over a private connection, not the public internet; it is not encrypted by itself, so add a VPN or TLS on top if confidentiality is required
- AWS Client VPN
- Connect from your computer using OpenVPN to your private network in AWS and on-prem
- Allows you to connect to your EC2 instances over a private IP.
- Goes over the public internet.
Transit Gateway
- For having transitive peering between thousands of VPCs and on-prem
- hub-and-spoke connection
Security and Compliance
Protecting from DDoS attack
AWS Shield
- Standard is free
- Protects from
- SYN/UDP floods
- Reflection attacks
- other layer 3/4 attacks
- Advanced: 24/7 premium, $3,000 per month per organization
- More sophisticated attacks on
- EC2, ELB, CloudFront, Global Accelerator, Route53
- 24/7 access to the AWS Shield Response Team (SRT, formerly DRT)
- Protects against higher fees during usage spikes due to DDoS
WAF
- AWS WAF: filter specific requests based on rules
- CloudFront and Route53
- Availability protection using the global edge network
- Being ready to scale; AWS Auto Scaling
- Protects web apps from common web exploits (layer 7)
- Deploy on ALB, API Gateway, CloudFront
- Define a Web ACL
- Rules include IP addresses, HTTP headers, HTTP body, URI strings
- protects from SQL injection and XSS
- geo-match
- Rate-based rules
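Added example (not from the original wiki, and not the WAF engine itself): a toy Web ACL showing how the rule types listed above combine. Rules are checked in priority order and the first match decides: an IP-set block, a geo-match block, a URI-string match, and a rate-based rule that counts requests per source IP over a trailing 5-minute window, which is the window AWS WAF rate-based rules use. The requests, IPs and country codes are constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

RATE_WINDOW_SECONDS = 300   # WAF rate-based rules count requests over a trailing 5 minutes


@dataclass
class Request:
    ts: float           # epoch seconds
    ip: str
    country: str        # two-letter code, as WAF derives it from the source IP
    uri: str
    headers: dict = field(default_factory=dict)


class RateBasedRule:
    """Per-source-IP request counter over a sliding window."""

    def __init__(self, limit):
        self.limit = limit
        self.seen = defaultdict(deque)

    def exceeds(self, ip, ts):
        window = self.seen[ip]
        window.append(ts)
        while window and window[0] <= ts - RATE_WINDOW_SECONDS:
            window.popleft()            # drop hits that fell out of the window
        return len(window) > self.limit


class WebACL:
    """Rules are checked in priority order; the first one that matches
    decides, and a request matching nothing gets the default action."""

    def __init__(self, blocked_ips, blocked_countries, rate_limit, default="ALLOW"):
        self.blocked_ips = set(blocked_ips)
        self.blocked_countries = set(blocked_countries)
        self.rate = RateBasedRule(rate_limit)
        self.default = default

    def evaluate(self, req):
        if req.ip in self.blocked_ips:                  # IP set match
            return ("BLOCK", "ip-set")
        if req.country in self.blocked_countries:       # geo match
            return ("BLOCK", "geo-match")
        if "../" in req.uri:                            # URI string match (traversal probe)
            return ("BLOCK", "uri-traversal")
        if self.rate.exceeds(req.ip, req.ts):           # rate-based rule
            return ("BLOCK", "rate-based")
        return (self.default, None)


def demo():
    """Exercise each rule with constructed requests; returns {case: (action, rule)}."""
    acl = WebACL(blocked_ips={"203.0.113.7"}, blocked_countries={"ZZ"}, rate_limit=100)
    results = {
        "blocked ip": acl.evaluate(Request(0, "203.0.113.7", "US", "/")),
        "blocked country": acl.evaluate(Request(0, "198.51.100.1", "ZZ", "/")),
        "traversal": acl.evaluate(Request(0, "198.51.100.2", "US", "/static/../../etc/passwd")),
    }
    # 100 requests inside four minutes are fine; the 101st trips the rate-based rule
    burst = [acl.evaluate(Request(t * 2.4, "198.51.100.3", "US", "/login")) for t in range(101)]
    results["burst first"], results["burst last"] = burst[0], burst[-1]
    # once the window has slid past the burst the same client is allowed again
    later = 100 * 2.4 + RATE_WINDOW_SECONDS + 1
    results["after window"] = acl.evaluate(Request(later, "198.51.100.3", "US", "/login"))
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:16s} {verdict}")
```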
AWS Network Firewall
- protects an entire VPC
- From layer 3 to 7
AWS Firewall Manager
- Manage security rules in all accounts of an AWS Org
- Security policy
- VPC security groups for EC2, ALB etc
- WAF rules
- AWS Shield Advanced
- AWS Network Firewall
- Rules will be applied to all current and future accounts
Penetration testing on AWS
- Against your own AWS infrastructure without prior approval, for the services listed in the AWS penetration testing policy, including:
- EC2
- NAT Gateways
- ELB
- Amazon RDS
- Amazon CloudFront
- Amazon Aurora
- Amazon API Gateway
- AWS Lambda
- AWS Lambda@Edge functions
- Amazon Lightsail resources
- Amazon Elastic Beanstalk environments
- Prohibited
- DNS zone walking via Route53 hosted zones
- DoS
- DDoS
- Simulated DoS
- Simulated DDoS
- Flooding
- Port
- Protocol
- Request
- login
- API requests
- For any other simulated event, contact AWS security for approval first
Encryption
- Data at rest
- stored
- archived
- Data in transit
- onprem to AWS
AWS KMS (Key Management Service)
- AWS manages the software for encryption
- Encryption opt-in
- EBS volumes
- S3 buckets (S3 now applies SSE-S3 by default; using a KMS key is still opt-in)
-   Redshift database
- RDS
- EFS
- Encryption automatically enabled
- CloudTrail logs
- S3 Glacier
- Storage Gateway
- Type of KMS keys
- Customer managed
- Created, managed and used by you
- Possibility for a rotation policy
- Possibility to bring-your-own-key
- AWS managed key
- Created, managed and used on your behalf by AWS
- Used by AWS services
- AWS owned key
- Collection of KMS keys that an AWS service owns and manages to use in multiple accounts
- AWS can use those keys to protect resources in your account
- You can't view the keys
- CloudHSM keys
- Keys generated from your own CloudHSM hardware
- Cryptographic operations are performed within the CloudHSM cluster
CloudHSM
- AWS provisions encryption hardware.
- HSM device is tamper resistant
- FIPS 140-2 Level 3 compliant
- You manage your own encryption keys.
AWS Certificate Manager (ACM)
- Lets you easily provision, manage and deploy SSL/TLS certs
- Supports both public and private TLS certs
- Free for public TLS certs
- Automatic TLS cert renewal.
- Integration with
- ELB
- CloudFront
- API GW
AWS Secrets Manager
- for storing secrets
- can enforce rotation every X days.
- Generates a new secret value on rotation (via a rotation Lambda)
- Integration with Amazon RDS
- Encrypted using KMS
AWS Artifact - portal for AWS compliance documentation
AWS GuardDuty
- ML threat-detection service that does anomaly detection
- Input includes
- CloudTrail event logs
- CloudTrail management events - create VPC subnet ...
- CloudTrail S3 data events - get objects, ...
- VPC Flow Logs - unusual internal traffic, unusual IP address
- DNS logs
- Optional features, EKS audit logs, ...
- Can set up EventBridge rules to be notified in case of findings
- Can detect cryptocurrency mining activity (e.g. an instance talking to known mining pools).
Amazon Inspector - Automates security assessment
- For EC2 instances
- For container images pushed to Amazon ECR
- For Lambda functions
- Reporting and integration with AWS Security Hub
- Send findings to Amazon EventBridge
- Package vulnerabilities of EC2, ECR, Lambda from CVEs
- Network reachability
- A risk score is associated with all vulnerabilities.
AWS Config
- Helps with auditing and recording compliance of your AWS resources
- Helps record configurations and changes over time
Amazon Macie - ML discover and protect sensitive data
- ML that monitors S3 buckets for sensitive data and send out alert
AWS Security hub
- Manage security accross several AWS accounts and automate security checks
- Aggregates alerts from various AWS services and AWS partner tools
Amazon Detective - identify root cause of security issues
AWS Abuse - for reporting abusive behavior
- e.g.: spam, port scanning, DoS, intrusion attempts etc
IAM Access Analyzer
- Find out which resources are shared externally
- Define a zone of trust (your account or organization); findings report resources (S3 buckets, IAM roles, KMS keys, ...) accessible from outside it
Amazon ML
- AWS Rekognition - image analysis.
- Amazon Transcribe - convert speech to text.
- Amazon Polly - text to speech.
- Amazon Translate - text language translation.
- Amazon Lex - build conversational chatbots and voice bots (ASR + natural-language understanding).
- Amazon Connect - receive calls, virtual contact center.
- Amazon Comprehend - ML to find insights and relationships in text.
- Amazon SageMaker - helps you build ML models.
- Amazon Forecast - uses ML to deliver highly accurate forecasts.
- Amazon Kendra - ML document search service.
- Amazon Personalize - ML real-time personalized recommendations (the one from amazon.com).
- Amazon Textract - extract text from handwriting and scanned documents.
AWS Architecting and ecosystem
Well-Architected Framework general guiding principles
- Stop guessing your capacity needs.
- Test systems at production scale.
- Automate to make architectural experimentation easier
- Allow for evolutionary architecture
- Design based on changing requirements
- Drive architecture using data
- Simulate applications for flash sale day
AWS Cloud best practices - Design principles
- Scalability: both vertical and horizontal
- Disposable resources: servers should be disposable and easily configured
- Automation: Serverless, IaaS, Auto Scaling
- Loose coupling
- Services, not servers
Well architected framework - six pillars
- Operational Excellence
- Includes the ability to
- run and monitor systems
- deliver business value
- continually improve supporting processes and procedures
- Design principles
- Perform operations as code - infrastructure as code
- make frequent, small, reversible changes.
- Refine operations procedures frequently
- Anticipate failure
- Learn from all operational failures
- Use managed services
- Implement observability for actionable insights
- Using AWS services
- Prepare
- AWS CloudFormation
- AWS Config
- Operate
- AWS CloudFormation
- AWS Config
- AWS CloudTrail
- AWS CloudWatch
- AWS X-Ray
- Evolve
- AWS CloudFormation
- AWS CodeBuild
- AWS CodeCommit (source repo)
- AWS CodeDeploy
- AWS CodePipeline
- Security
- Includes the ability to
- protect information, systems and assets
- while delivering business value
- through risk assessments and mitigation strategies
- Design principles
- Implement a strong identity foundation
- Centralize privilege management
- reduce or eliminate the reliance on long-term credentials
- Principle of least privilege
- Enable traceability
- integrate logs and metrics with systems to automatically respond and take action.
- Apply security at all layers
- Edge network
- VPC
- subnet
- load balancer
- EC2 instances
- Operating system
- Application
- Automate security best practices
- Protect data in transit and at rest
- Encryption
- Tokenization
- Access control
- Keep people away from data
- Reduce or eliminate the need for direct access or manual processing of data.
- Prepare for security events
- Run incident response simulations
- use tools with automation to increase your speed for detection, investigation and recovery.
- AWS services
- Identity and Access Management
- IAM
- AWS STS
- MFA token
- AWS Organizations
- Detection controls
- AWS Config
- AWS CloudTrail
- Amazon CloudWatch
- Infrastructure protection
- Amazon CloudFront
- Amazon VPC
- AWS Shield
- AWS WAF
- Amazon Inspector
- Data protection
- KMS
- S3
- ELB
- Amazon EBS
- Amazon RDS
- Incident response
- IAM
- AWS CloudFormation
- Amazon CloudWatch Events
- Reliability
- Ability of a system to
- recover from infrastructure or service disruption
- dynamically acquire computing resources to meet demand
- mitigate disruptions
- e.g. misconfiguration or transient network issues
- Design principles
- Test recovery procedures
- use automation to simulate different failures
- recreate scenarios that led to failures before
- Automatically recover from failure
- Anticipate and prevent failures before they occur
- Scale horizontally to increase aggregate system availability
- Distribute requests across multiple resources
- ensure that they do not share a common point of failure
- Stop guessing capacity
- Maintain the optimal level to satisfy demand without over- or under-provisioning
- Manage change via automation
- AWS services
- Foundations
- IAM
- Amazon VPC
- Service Quotas
- AWS Trusted Advisor
- Change management
- AWS Auto Scaling
- Amazon CloudWatch
- AWS CloudTrail
- AWS Config
- Failure management
- Backups
- AWS CloudFormation
- S3
- Amazon Route 53
- Performance efficiency
- Includes the ability to
- use computing resources efficiently
- to meet system requirements
- to maintain that efficiency as demand changes and technologies evolve
- Design principles
- Democratize advanced technologies
- use the services available and focus on product development
- Focus on the pizza, not the delivery truck
- Go global in minutes
- Easy deployment in multiple regions
- Use serverless architectures
- Avoid the burden of managing servers
- Experiment more often
- Easy to carry out comparative testing
- Mechanical sympathy
- Be aware of all AWS services
- AWS services
- Selection
- AWS Auto Scaling
- AWS Lambda
- EBS
- S3
- Amazon RDS
- Review
- AWS CloudFormation
- AWS News Blog
- Monitoring
- Amazon CloudWatch
- AWS Lambda
- Tradeoffs
- Cost optimization
- Includes the ability to deliver business value at the lowest price point.
- Design principles
- Adopt a consumption model
- Pay only for what you use
- Measure overall efficiency
- Use CloudWatch
- Stop spending money on data center operations
- Analyze and attribute expenditure
- Measure ROI
- identify system usage and cost
- use tags
- Use managed and application-level services to reduce the cost of ownership
- AWS services
- Expenditure awareness
- AWS Budgets
- AWS Cost and Usage Report
- AWS Cost Explorer
- Reserved Instance reporting
- Cost-effective resources
- e.g. Spot Instances, Reserved Instances, S3 Glacier etc
- Matching supply and demand
- AWS Auto Scaling
- AWS Lambda
- Optimizing over time
- AWS Trusted Advisor
- AWS Cost and Usage Report
- AWS News Blog
- Sustainability
- focuses on minimizing the environmental impact of running cloud workloads.
- Design principles
- Understand your impact
- Establish performance indicators
- evaluate improvements
- Establish sustainability goals
- set long-term goals for each workload
- model ROI
- Maximize utilization
- right-size each workload
- Anticipate and adopt new, more efficient hardware and software offerings
- design for flexibility to adopt new technologies over time.
- Reduce the downstream impact of your cloud workloads
- Reduce the amount of energy or resources required to use your services
- reduce the need for your customers to upgrade their devices
- AWS services
- EC2 Auto Scaling
- Serverless offerings
- Lambda
- Fargate
- Cost Explorer
- AWS Graviton2
- EC2 T instances
- Spot Instances
- EFS-IA
- S3 Glacier
- EBS Cold HDD volumes
- S3 lifecycle configurations
- S3 Intelligent-Tiering
- Amazon Data Lifecycle Manager
- read local, write global
- RDS read replicas
- Aurora Global Database
- DynamoDB global tables
- CloudFront
AWS Well-architected tool
- Free tool to review your architecture against the six pillars
- New – AWS Well-Architected Tool – Review Workloads Against Best Practices
- AWS Well-Architected Tool
AWS Customer Carbon footprint tool
- Search for 'carbon' in the AWS console search bar.
AWS Cloud Adoption Framework (CAF)
Troubleshooting
- time out - probably a security group issue: the packet is dropped and no reply comes back at all (, 37)
- connection refused - probably an application issue or the service is not launched: the host replied with a TCP RST, so the network path is fine (, 37)
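Added example for the two symptoms above (not from the original wiki): a small Python probe that maps the exception a failed TCP connect raises to the likely cause. The "refused" case is demonstrated against a port on the loopback interface that nothing listens on, picked at run time; a timeout needs a real dropped packet, so only its classification is shown.

```python
import socket


def explain_connect_error(exc):
    """Map the exception from a failed TCP connect to the likely cause."""
    if isinstance(exc, (socket.timeout, TimeoutError)):
        # No SYN-ACK and no RST: packets are being dropped somewhere on the path.
        return "timeout: check the security group, NACL, route table and that the instance is running"
    if isinstance(exc, ConnectionRefusedError):
        # The host answered with RST, so the network path is fine; nothing listens on that port.
        return "refused: the host is reachable but the application is not listening on that port"
    return f"other: {exc!r}"


def probe(host, port, timeout=3.0):
    """Try a TCP connect and return 'open' or a one-line diagnosis."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except OSError as exc:
        return explain_connect_error(exc)


def free_local_port():
    """Pick a loopback port nothing listens on, to demonstrate the 'refused' result."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    print(probe("127.0.0.1", free_local_port()))
    print(explain_connect_error(socket.timeout()))
```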