fully managed service
platform/service where the cloud provider takes care of provisioning/ scaling/ patching/ and monitoring
well architected framework pillars
operational excellence/ security/ reliability/ performance efficiency/ cost optimization/ sustainability
well-architected security
protecting data/ detecting abuse/ restricting privilege
local zone
select core AWS services needed for latency-sensitive workloads closer to end-users
availability zone
one or more isolated/ physically separate data centers
warm standby
retains minimal deployment that can handle requests at a reduced capacity. only requires you to scale up to handle full capacity
well-architected sustainability
reducing resource utilization and resources necessary to implement workloads
RPO
recovery point objective - max tolerable amount of data loss an org can tolerate
shared responsibility model
duty of both AWS and the consumer to ensure the cloud is compliant
well-architected performance efficiency
efficient use of computing resources to meet system requirements
well-architected operational excellence
systems must be functioning and monitored/ and processes and procedures must be constantly improved
security in the cloud
customer responsibility. securing/configuring cloud resources
edge location
data centers closer to users than regions or azs. mostly for caching content
security of the cloud
AWS responsibility; securing physical infrastructure and maintaining things in the infrastructure
well-architected cost optimization
keeping expenses as low as possible
disaster recovery
resilience strategy; how your workload reacts in the event of a disaster
RTO
recovery time objective - max duration to restore a business to normal operational level following a disruption
vertical scaling
upgrading an instance's or node's resources to handle an increase in workload
pilot light
duplicate data; data is live but compute is turned off. reduces the cost of DR over time
backup and restore
backups made in the same region as the source and duplicated to a different region
region
geographical area around the world where multiple datacenters are located
horizontal scaling
adding extra instances or nodes to manage an increase in workload
multi-site active/active
full deployment of infrastructure in multiple regions
High availability
ensures uptime for higher than a normal period (quickly restoring service after failure)
service endpoint
URL that denotes a service within AWS
multi-site active/passive
full deployment. serves one region/ other region(s) are only used for DR
Fault tolerance
enables a system to continue operating properly in the event of component failure (operating through a failure w/o downtime)
architecture center
provides reference architecture diagrams/ solutions and best practices
resilience levels
global/ regionally/ AZ
well-architected reliability
a workload performing its designated function consistently and correctly when required
Lambda @ Edge
executes code closer to application users using a CDN
app runner
simple way to deploy from source code or a container image directly to a scalable and secure web application in the cloud
AMI
Amazon Machine Image. packaged software bundle required to spin up EC2 instance
simspace weaver
enables operation of large-scale spatial simulations
EC2 image builder
automates creation/ maintenance/ and validation of machine images
shared tenancy
default tenancy where various customers are on the same piece of hardware
EC2
vm in the cloud
placement groups - spread
across multiple AZs. reduces risk of failures in a single AZ
dedicated instance
runs on hardware designated for a single customer. can change physical hosts
wavelength
embeds AWS compute and storage services in 5G networks. offers mobile edge computing infrastructure
parallel computing service
simplifies running and scaling HPC workloads on AWS
parallelcluster
high-performance computing (HPC) service that lets you launch and manage clusters in the cloud
Lambda
run code without having to provision or manage servers
dedicated host
pay for entire host/ but not individual instances
Lambda concurrency
allows you to run Lambda functions concurrently
Lightsail
offers pre-configured virtual private server (VPS) instances/ containers/ storage/ and databases
placement groups - cluster
within a single AZ to enhance network performance
on-demand instance
offer EC2 by the second. use for apps with unpredictable short-term demands
spot instance
leverage unused EC2 capacity in the cloud. use for workloads that don't need to run all the time
reserved instance
1 or 3 year pricing discount for instances. can sell reserved instances in the marketplace
auto scaling
automatically adjust number of EC2 instances based on demand
outposts family
physical AWS hardware that can live in your on-premise data center as an extension of a cloud region
placement groups - partition
single AZ but distributed across multiple partitions
serverless application repository
managed repository service for sharing serverless applications
Elastic Beanstalk
used to quickly deploy and manage applications in AWS without managing infrastructure
AWS batch
efficiently run hundreds of batch computing jobs
bucket policy
resource-based policy with allow/deny statements and read/write perms for specific IAM users
archive retrieval option - standard w/ batch operations
minutes - 5 hours for glacier flexible/ 9-12 hours for deep archive
S3 intelligent tiering
monitors access patterns and stores data in 3 tiers (standard/standard IA/Glacier instant retrieval)
S3 encryption types
server-side and client-side
elastic disaster recovery
automatically replicates data and apps from on-prem to AWS
requester pays buckets
cost of the request and the data download from the bucket are covered by the requester and not the owner
S3 durability
11 nines (99.999999999)
glacier instant retrieval
ideal for archive that needs immediate access. usually once per quarter with millisecond retrieval
storage gateway - hardware appliance
standalone physical server tailored for on-premises deployments
object ACL
configure access at the object level
EBS HDD
throughput optimized - low cost HDD for high-throughput applications (big data/ data warehouses/ log processing). cold: low cost HDDs for workloads that aren't accessed frequently
storage gateway - tape gateway
allows leverage of tape-based backups on virtual tape cartridges
aws backup
helps in centralizing and automating data backup across AWS services and on-prem
EBS snapshots
save new/changed data since the last snapshot. used for EBS volume backups
IAM policy
attached to IAM identities. define permissions for an action regardless of the method used to perform the action
express one zone
storage class intended for high-performance and low-latency apps that reside in a single AZ. stores data in an S3 directory bucket
server-side encryption
S3 encrypts the object when stored and decrypts it when you retrieve. AWS manages encryption keys
storage gateway - volume gateway cached volumes
allows storage of data primarily in S3 while keeping frequently accessed data local
glacier flexible retrieval
ideal for backups/ DR/ and offsite data storage. usually accessed 1-2 times per year. data retrieved in minutes
one zone storage
stores data in just one AZ for 20% less than standard-ia
S3 max filesize
5TB
archive retrieval option - bulk
5-12 hours for flexible/within 48 hours for deep archive
S3 lifecycle configurations
automated way to handle and move objects between different storage classes
EFS storage classes
standard and infrequent access
S3 permission types
bucket policies/ IAM policies/ object ACLs
S3 standard-IA
used for data that is not accessed frequently but needs quick access
client-side encryption
user encrypts object before uploading to S3 and decrypts after retrieving
storage gateway - file gateway
allows integration b/w on-prem apps and S3/FSx. for NFS and SMB
glacier
storage classes made for data archiving
EFS
elastic file system - file system storage that can grow from gigs to petabytes of data
archive retrieval option - expedited
1-5 minutes for glacier flexible retrieval
FSx
allows you to run and scale high-performance file systems on AWS. for Lustre/Windows File Server/OpenZFS/NetApp ONTAP
EBS
elastic block store - provides block-level storage volumes for EC2 instances
glacier deep archive
ideal for data sets of regulated industries. data can be retrieved in 12-48 hours. usually accessed once per year
storage gateway
allows you extend your on-prem with unlimited cloud storage. used for low-latency access to data on AWS from on-prem apps
EBS SSDs
gen purpose and provisioned IOPS (for high performance/ sub-millisecond latency)
storage gateway - volume gateway stored volumes
allows storage of data locally while ensuring offsite backups in AWS
S3
simple storage service. serverless object storage
S3 standard tier
default. for data that is frequently accessed. replicates data to a minimum of 3 AZs
S3 outposts
for workloads with performance needs that require data to reside close to on-prem data center applications
archive retrieval option - standard w/o batch operations
3-5 hours for flexible/ within 12 hours for deep archive
MemoryDB for Redis
high-performance primary database for your microservice apps
DynamoDB
NoSQL serverless database
multi-AZ read replicas
replicates data synchronously to a standby instance in a different AZ. one or more read only copies
DocumentDB
fully managed NoSQL database service that supports MongoDB workloads
RDS
relational database service - managed database for aurora/maria/mysql/oracle/sql server and rds custom
Neptune
graph database service. optimized for storing relationships and querying graphs
aurora serverless
aurora with clusters that automatically adjust capacity
aurora global database
allows global replication and cross-region disaster recovery. made for distributed applications
DynamoDB Streams
time ordered sequence of modifications in a DynamoDB table
DynamoDB DAX
highly available cache for DynamoDB. minimizes the requirement for direct access to DynamoDB
aurora
fully managed database allowing MySQL and PostgreSQL
Keyspaces for Apache Cassandra
allow you to use Cassandra developer tools and app code on AWS workloads
Timestream
time series serverless database. used for engagement with an application over time
ElastiCache
in-memory caching database that improves the performance of applications
RDS automations
hardware provisioning/database config/ patching + automated backups/ encryption at rest/monitoring with cloudwatch
customer managed key (CMK)
created and maintained by the customer
role
can be assumed by anyone who needs it. not uniquely assigned to a user
policy
JSON document that is attached to users/groups/roles
AWS owned key
owned and managed by AWS
identity-based policy
policies attached to IAM identities
Shield Advanced
protects against layer 7 attacks. offers advanced reporting
Cognito
Customer identity and access management (CIAM) service. simplifies sign-up/in and offers federated identities
Detective
helps find the root cause of security vulnerabilities or unusual activity
IAM
for managing access to AWS resources by creating users/groups/roles
What does a policy consist of? (4 parts)
statement ID/ effect/ action/ resource
Key Management Service
encryption service for key generation/ storage/ management and auditing. uses hardware security modules (HSMs) validated under FIPS 140-2
AD connector
Allows AWS services needing directory to use on-prem directory
Verified Access
allows secure application access without the need of a VPN
With SSE-KMS who is responsible for key management? Who handles encryption processing?
S3+KMS for key management/ S3 for encryption processing
GuardDuty
threat monitoring service that checks workloads continually for malicious behavior
With SSE-C who is responsible for key management? Who handles encryption processing?
customer handles keys/ encryption processing is on S3
Directory Service
aws managed directory. runs in VPC
resource-based policy
policies attached to resources themselves
Security Lake
centralizes security data from AWS and third-party sources into a data lake powered by S3
inline policy
applying policy to individual accounts
AWS managed key
managed by an AWS service for the customer
Inspector
automated vulnerability management solution that continuously scans workloads for software vulnerabilities and accidental network exposure
Artifact
centralized portal that provides on-demand access to compliance reports and agreements
permission boundary
specifies maximum permissions that an IAM identity can have. does not grant permissions directly
Security Hub
cloud security posture management (CSPM) that checks against AWS resources for compliance with best practices
With SSE-S3 who is responsible for key management? Who handles encryption processing?
S3 for both
policy evaluation logic
implicit deny. an explicit deny in any policy overrides any allow.
What has priority if permissions overlap? (implicit v explicit deny/allow)
explicit deny > explicit allow > implicit deny
Payment Cryptography
simplifies process of implementing cryptographic operations for securing data in payment processing apps
Shield
protects website/apps from DDoS attacks.
Signer
service for code signing to guarantee reliability and accuracy of code
AWS Certificate Manager (ACM)
simplifies management of certificates for securing AWS websites and applications
Firewall Manager
for central configuration and management of firewall rules across accounts
simple AD DS
Standalone directory using Samba4
Secrets Manager
enables you to store/ manage/ and retrieve credentials/keys centrally
IAM Identity Center
for connecting users and groups to AWS from a single location
Resource Access Manager (RAM)
lets you share resources in one AWS account with other AWS accounts using a single set of policies
session policy
provides temporary access through AWS security token service
CloudHSM
cloud-hosted HSM service that enables secure key management and cryptographic operations in a cloud environment
managed Microsoft AD
uses Microsoft AD. Primary location is in AWS
users
person or a service. users are given perms to access different AWS services in the account
Private Certification Authority
for management of private certificates. issues x.509 certs
managed policy
standalone policy created and administered by AWS
Shield Standard
protects against layer 3 and 4 attacks
WAF
web application firewall. configure rules to allow/block/monitor web requests to protect web apps/APIs
service control policy
defines/limits actions that the account's administrator can delegate to IAM users and roles
group
combination of users.
With client-side encryption who is responsible for key management? Who handles encryption processing?
customer for both
Macie
employs pattern matching and machine learning to protect sensitive data in S3
audit manager
for continuous audits to ensure compliance with internal policies and external regulations
Service Catalog - catalog admins
manage a catalog of products and provide end-users access
Resource Explorer
simplifies search across regions for specific AWS resources
AWS Control Tower
for setting up a multi-account AWS environment
Chatbot
updates users in chat about events in their AWS services in real time
Resource Groups & Tag Editor
allows organization of AWS services based on their tags or CloudFormation stack
CloudFormation
Infrastructure as code. allows you to deploy AWS resources using JSON/YAML
Trusted Advisor
analyzes cost/performance/security/fault tolerance/ and service limit checks to ensure best practices
CloudWatch - metrics
variables to monitor and the data points that represent the values of that variable over time
CloudTrail
a service that provides a detailed audit trail for governance and compliance. tracks actions taken through SDKs/ management console/ and APIs
Prometheus
(AWS managed) monitoring and alerting solution optimized for container environments
License Manager
helps manage software licenses from Microsoft/ SAP/ Oracle/ and IBM across AWS and on-prem environments
Resilience Hub
protects apps from disruptions. define your resilience goals and assess your resilience posture against those goals
Compute Optimizer
evaluates AWS resource configuration and usage. reports if resources are optimal and makes recommendations to decrease costs/ increase performance
CloudWatch
for monitoring cloud resources and the applications run in AWS
Control Tower - landing zone
the multi-account environment. provides SSO/ID federation/ centralized logging+auditing
Telco Network Builder (TNB)
assists CSPs in deploying telco networks
User Notifications
lets you centrally set up and view notifications from AWS services in a human-friendly format
Grafana
visualization tool for metrics/logs/traces from multiple data sources
Systems Manager
offers an interface that enables you to examine operational data from services and automate tasks across your resources
CloudWatch - logs
monitors and stores log files from AWS services
AWS config
monitors and records AWS resource configurations in real time
Service Catalog - end users
customers who obtain AWS credentials and launch products
Launch wizard
guided approach for configuring AWS resources designed for SQL server and SAP systems
Health Dashboard
provides real time visibility into the health and availability of your AWS resources and services
Control Tower - controls
high-level rule that provides ongoing governance for the environment (also called guard rail)
Control Tower - account factory
automates and standardizes account creation
CloudWatch - alarms
keeps track of a single metric for a specified period and takes actions based on values
consolidated billing
makes the owner of the management account responsible for paying for all of the resources used by all accounts in the organization
Organizations
enable customers to manage several AWS accounts together
Proton
enables automated IaC provisioning and deployment of serverless and container-based applications
Service Catalog
allows users to quickly deploy approved AWS resources and applications
Elastic Container Storage (ECS)
container orchestration service that helps deploy/manage/scale containerized applications
ECS EC2 launch type
configure EC2 instances that will run the container
Fargate
serverless compute that allows you to run ECS and EKS services without having to manage servers or clusters
ECS Anywhere
run ECS with on-premise data center to meet any compliance needs
Elastic Container Registry (ECR)
managed container image registry service. makes it easy to store/ manage/ and deploy Docker containers
OpenShift Service on AWS
fully managed implementation of OpenShift container platform deployed and operated on AWS
App2Container
command line tool for turning .NET and Java apps into apps that run in containers.
Elastic Kubernetes Service (EKS)
managed service that allows you to deploy Kubernetes on AWS and on-prem without having to build control plane or worker nodes
ECS Fargate Launch
pay as you go serverless option
Snowball Edge
both compute and storage. for remote sites where processing on ingestion is needed
Database Migration Service
migrates databases to AWS securely and quickly. supports homogeneous and heterogeneous migrations
Location Service
service for file and object transfer. data is encrypted in-flight
Snowball
for migrating data to AWS. storage only/ 50 or 80TB capacity
Migration Hub
single place to find existing servers/ plan migrations/ and check the status of each application migration
Application Discovery Service
automatically finds applications running in on-prem data centers. agent based or agentless (with appliance)
Schema Conversion Tool
automates heterogeneous database migrations by converting the database schema/code to the target database's format
Mainframe Modernization
modernizes mainframe applications to AWS controlled runtime environments
Transfer Family
secure file transfer service that allows transfer to/from AWS using SFTP/ FTPS/ FTP/ or AS2
Application Migration Service
for lift and shift migrations. converts source servers to run natively on AWS
Snowmobile
portable datacenter in a shipping container. use when 10+ PB migration is required
Route53
AWS managed DNS
R53 routing policy - simple
maps a domain to an IP address to serve traffic
VPC Gateway Endpoint
allow VPCs to access S3 and DynamoDB without using public addressing
VPC peering
link that allows you to connect to another VPC within the same or different AWS accounts
Elastic Load Balancing
automatically distributes an application's traffic across different targets
Elastic IP
static public IP that you can associate with EC2 instances
CloudFront signed cookies
use when you want to provide access to multiple restricted files
public hosted zone
public hosted zone is a container that holds info about how you want to route traffic on the internet for a specific domain
App Mesh
captures metrics logs and traces from your apps to identify and isolate issues
Application Recovery Controller
provides insights and control to help recover applications across AWS regions and AZs
Internet Gateway/ Security Groups/ and NACLs are included in what?
VPCs
R53 routing policy - latency
route to the region that provides the best latency with round trip time
What is a stateful firewall?
fw that tracks the state of active connections/ offer better security analysis/ but slower
R53 routing policy - geoproximity
route based on location of resources
NAT Gateway
used to enable the connection between private VPC and a public one
AWS Client VPN
allows customers to securely access AWS and on-prem resources using OpenVPN clients
What does a DNS registrar do?
allows domain registration
Customer Gateway
an appliance that establishes a connection between on-prem and VPC using a site/site VPN connection
VPC CIDR blocks
range of IP addresses you can use in your VPC. AWS default 172.31.0.0/16
private subnet
isolated within AWS. cannot access the Internet unless a NAT gateway is attached.
Are security groups attached to ENIs or instances?
ENIs
VPC Interface Endpoint
allows connectivity to services using AWS PrivateLink
AWS Site to Site VPN
encrypted connection between VPC and on-prem network over the internet
What is a bastion host?
instance inside a VPC that handles incoming management connection
How many VPCs can you directly connect with VPC peering
2
on-premises network can only access VPNs using what technology?
VPNs/directconnect
CloudFront
content delivery network service that delivers data securely to customers
R53 routing policy - multivalue answer
route up to eight healthy records selected at random
Network Load Balancer
network load balancer (TCP/TLS/ UDP)
private hosted zone
holds DNS information for a domain (and subdomains) within one or more VPCs
NACL
acts as a firewall. Allow/Deny at the subnet level. sits at boundary of subnet
What is a stateless firewall?
fw that uses predefined rules/ each packet is a separate entity (ingress v egress)
CloudFront signed URL
use when you want to restrict access to buckets and clients don't support cookies
Classic Load Balancer
load balancing for EC2 instances on L7 and L4. suitable for applications within the EC2 network
What does a DNS registry do?
maintains zones for a Top Level Domain (TLD)
Application Load Balancer
app load balancer (HTTPS/websocket)
origin access control
viewers can only access content through the CF distribution. no direct access.
VPC Reserved IPs
.1 - VPC Router/ .2 - for DNS/ .3 - reserved for future use/ last (i.e. .255) - broadcast IP
Gateway Load Balancer
one gateway for distributing traffic across multiple virtual appliances while scaling them up or down
VPC endpoints
provide private access to public services.
Internet Gateway
allows VPC resources to access the Internet. a route to the IG must be put in the route tables of the subnet
Virtual Private Cloud
virtual network in a logically isolated section of AWS
R53 routing policy - weighted
route to multiple resources in proportions
Private 5G
install/run/scale private mobile network on-prem
Direct Connect
dedicated physical network connection from an on-prem data center or office. does not use public internet
public subnet
can communicate with the Internet. uses Internet Gateway
R53 routing policy - failover
redirects traffic to secondary when primary is unavailable
VPC security group
controls traffic entering and leaving EC2 instances (in/outbound)
Virtual Private Gateway
enables secure communication between VPC and on-prem network
VPC subnets
allow you to divide your VPC network
API Gateway
allows devs to create and maintain APIs. provides an entry point for managing interactions between clients and back end services.
R53 routing policy - geolocation
route based on location of users
Cloud Map
asset discovery. allows you to register resources with custom names
Transit Gateway
network transit hub that connects VPCs and on-prem networks. a single global view of all of your private network
Global Accelerator
routes user traffic to best performing endpoint. associate static IPs to endpoints in one or more AWS regions
Panorama
enables companies to add computer vision to their on prem cameras to make automatic forecasts
Comprehend Medical
uses NLP to identify entities that reference PHI
Polly
converts text to life-like speech. standard TTS
Personalize
allows you to add individualized recommendations for end-users to your applications
Deep Learning Containers
provides Docker containers on ECS/EKS with deep learning frameworks preinstalled
Health Imaging
simplifies the storage/ analysis/ and sharing of medical images
Lookout for Vision
a machine learning service provided by Amazon Web Services (AWS) that helps you identify defects and anomalies in images for industrial applications
Bedrock
offers an API that grants access to a diverse selection of foundation models
Fraud Detector
detects potentially fraudulent online activity
DevOps Guru
analyzes operational data and application metrics and events to identify behaviors that deviate from normal operating patterns
Transcribe
converts audio input to text
Translate
can translate text between 70 supported languages.
Rekognition
allows you to apply picture and video analysis to your apps
HealthOmics
supports the storage and analysis of genomic variants and annotations.
Lex
creates interactive chatbots
HealthLake
HIPAA-eligible service for storage/ processing/ querying/ and analyzing health data
Q
generative AI-powered assistant that comes in two flavors
Deep Learning AMIs
provides EC2 instances of Amazon Linux or Ubuntu with deep learning frameworks preinstalled
Kendra
intelligent search service designed to mimic human experts
Lookout for Equipment
automatically analyzes sensor data for your industrial equipment to detect abnormal machine behavior.
Forecast
uses statistical and machine learning algorithms to deliver highly accurate time-series forecasts
Lookout for Metrics
finds anomalies in your data/ determines root causes/ and enables you to take action
Comprehend
natural language processing (NLP). pretrained or custom models. real time analysis
Monitron
monitoring system that warns you in real time when industrial machinery begins malfunctioning and allows you to enforce preventative maintenance
Textract
automatically extracts written text/ handwriting/ and other data from scanned documents to recognize/ understand and extract data
CodeGuru
uses program analysis and ML to find bugs in your code and suggest how to fix them