Contenu connexe Similaire à AWS Certified Cloud Practitioner Course S11-S17 (20) AWS Certified Cloud Practitioner Course S11-S171. © Digital Cloud Training | https://digitalcloud.training
SECTION 11
Databases and Analytics
2. © Digital Cloud Training | https://digitalcloud.training
Types of Database
3. © Digital Cloud Training | https://digitalcloud.training
Relational vs Non-Relational
Relational Non-Relational
Organized by tables, rows and columns Varied data storage models
Rigid schema (SQL) Flexible schema (NoSQL) – data stored in key-value
pairs, columns, documents or graphs
Rules enforced within database Rules can be defined in application code (outside
database)
Typically scaled vertically Scales horizontally
Supports complex queries and joins Unstructured, simple language that supports any
kind of schema
Amazon RDS, Oracle, MySQL, IBM DB2,
PostgreSQL
Amazon DynamoDB, MongoDB, Redis, Neo4j
Key differences are how data are managed and how data are stored
4. © Digital Cloud Training | https://digitalcloud.training
Relational Database
Relational Database – Multiple Tables
Relational Database
SELECT FirstName
FROM employees
WHERE Location = Sydney
Structured Query Language (SQL) query:
5. © Digital Cloud Training | https://digitalcloud.training
Types of Non-Relational DB (NoSQL)
Key-value – e.g. Amazon DynamoDB
Document – e.g. MongoDB
Graph – e.g. Amazon Neptune
6. © Digital Cloud Training | https://digitalcloud.training
Operational vs Analytical
Operational / transactional Analytical
Online Transaction Processing (OLTP) Online Analytics Processing (OLAP) – the source data comes
from OLTP DBs
Production DBs that process transactions. E.g. adding
customer records, checking stock availability (INSERT,
UPDATE, DELETE)
Data warehouse. Typically, separated from the customer
facing DBs. Data is extracted for decision making
Short transactions and simple queries Long transactions and complex queries
Relational examples: Amazon RDS, Oracle, IBM DB2,
MySQL
Relational examples: Amazon RedShift, Teradata, HP Vertica
Non-relational examples: MongoDB, Cassandra, Neo4j,
HBase
Non-relational examples: Amazon EMR, MapReduce
Key differences are use cases and how the database is optimized
7. © Digital Cloud Training | https://digitalcloud.training
Operational vs Analytical
Amazon RDS
Amazon RDS
Amazon RDS
Amazon Redshift
COPY
COPY
COPY
Data Warehouse
performs analytics
Operational DBs
receive data from
applications
8. © Digital Cloud Training | https://digitalcloud.training
AWS Databases
Data Store Use Case
Database on EC2 • Need full control over instance and database
• Third-party database engine (not available in RDS)
Amazon RDS • Need traditional relational database
• e.g. Oracle, PostgreSQL, Microsoft SQL, MariaDB, MySQL
• Data is well-formed and structured
Amazon DynamoDB • NoSQL database
• In-memory performance
• High I/O needs
• Dynamic scaling
Amazon RedShift • Data warehouse for large volumes of aggregated data
Amazon ElastiCache • Fast temporary storage for small amounts of data
• In-memory database
Amazon EMR • Analytics workloads using the Hadoop framework
9. © Digital Cloud Training | https://digitalcloud.training
Amazon Relational Database
Service (RDS)
10. © Digital Cloud Training | https://digitalcloud.training
Amazon RDS
Amazon RDS
RDS is a managed,
relational database
EC2
RDS runs on EC2
instances, so you must
choose an instance type
RDS supports the following
database engines:
• Amazon Aurora
• MySQL
• MariaDB
• Oracle
• Microsoft SQL Server
• PostgreSQL
11. © Digital Cloud Training | https://digitalcloud.training
Amazon RDS Scaling Up (vertically)
M4 instance
M4 Instance
db.m4.2xlarge
4 vCPUs, 32
GiB RAM
db.m4.large 2
vCPUs, 8 GiB
RAM
12. © Digital Cloud Training | https://digitalcloud.training
Disaster Recovery (DR) and Scaling Out (Horizontally)
Region
VPC
Availability Zone
Availability Zone
EC2 App Server
RDS Standby
Reads only
RDS Master RDS Read Replica
EC2 App Server
Synchronous
replication
Writes
Asynchronous
replication
Multi-AZ creates a
passive standby.
Primarily used for
disaster recovery
Read Replicas are used
for scaling database
queries (reads)
Application servers
can read from the
read replica and
write to the master
Writes
13. © Digital Cloud Training | https://digitalcloud.training
Amazon RDS
• RDS uses EC2 instances, so you must choose an instance family/type
• Relational databases are known as Structured Query Language (SQL)
databases
• RDS is an Online Transaction Processing (OLTP) type of database
• Easy to setup, highly available, fault tolerant, and scalable
• Common use cases include online stores and banking systems
• You can encrypt your Amazon RDS instances and snapshots at rest by
enabling the encryption option for your Amazon RDS DB instance (during
creation)
• Encryption uses AWS Key Management Service (KMS)
14. © Digital Cloud Training | https://digitalcloud.training
Amazon RDS
• Amazon RDS supports the following database engines:
• SQL Server
• Oracle
• MySQL Server
• PostgreSQL
• Aurora
• MariaDB
• Scales up by increasing instance size (compute and storage)
• Read replicas option for read heavy workloads (scales out for reads/queries only)
• Disaster recovery with Multi-AZ option
15. © Digital Cloud Training | https://digitalcloud.training
Create Amazon RDS
Database
17. © Digital Cloud Training | https://digitalcloud.training
Amazon Aurora
• Amazon Aurora is an AWS database offering in the RDS family
• Amazon Aurora is a MySQL and PostgreSQL-compatible relational database built for
the cloud
• Amazon Aurora is up to five times faster than standard MySQL databases and three
times faster than standard PostgreSQL databases
• Amazon Aurora features a distributed, fault-tolerant, self-healing storage system
that auto-scales up to 64TB per database instance
18. © Digital Cloud Training | https://digitalcloud.training
Amazon Aurora
Availability Zone Availability Zone Availability Zone
Primary
Data Copies
Data Copies Data Copies
Replica Replica Replica
Writes
Writes
Writes
Reads
Reads Reads Reads
Region
Single Logical Volume
Aurora Fault Tolerance
• Fault tolerance across 3 AZs
• Single logical volume
• Aurora Replicas scale-out read
requests
• Can promote Aurora Replica to
be a new primary or create new
primary
• Can use Auto Scaling to add
replicas
Aurora Replicas are
within a region
19. © Digital Cloud Training | https://digitalcloud.training
Amazon Aurora Key Features
Aurora Feature Benefit
High performance and scalability
Offers high performance, self-healing storage that scales up to 64TB, point-in-time recovery
and continuous backup to S3
DB compatibility Compatible with existing MySQL and PostgreSQL open source databases
Aurora Replicas In-region read scaling and failover target – up to 15 (can use Auto Scaling)
MySQL Read Replicas
Cross-region cluster with read scaling and failover target – up to 5 (each can have up to 15
Aurora Replicas)
Global Database
Cross-region cluster with read scaling (fast replication / low latency reads). Can remove
secondary and promote
Multi-Master Scales out writes within a region. In preview currently and will not appear on the exam
Serverless
On-demand, autoscaling configuration for Amazon Aurora - does not support read replicas
or public IPs (can only access through VPC or Direct Connect - not VPN)
20. © Digital Cloud Training | https://digitalcloud.training
Amazon DynamoDB
21. © Digital Cloud Training | https://digitalcloud.training
Amazon DynamoDB
• Fully managed NoSQL database service
• Key/value store and document store
• It is a non-relational, key-value type of database
• Fully serverless service
• Push button scaling
DynamoDB Table
22. © Digital Cloud Training | https://digitalcloud.training
Amazon DynamoDB
• DynamoDB is made up of:
• Tables
• Items
• Attributes userid orderid book
user001 1000092
price
ISBN100..
1000102
1000168
date
user002
user003
ISBN100..
ISBN2X0..
9.99 2020.04..
2020.03..
2020.04..
24.99
12.50
23. © Digital Cloud Training | https://digitalcloud.training
Amazon DynamoDB Key Features
DynamoDB Feature Benefit
Serverless Fully managed, fault tolerant, service
Highly available 99.99% availability SLA – 99.999% for Global Tables!
NoSQL type of database with Name / Value
structure
Flexible schema, good for when data is not well structured or unpredictable
Horizontal scaling Seamless scalability to any scale with push button scaling or Auto Scaling
DynamoDB Accelerator (DAX) Fully managed in-memory cache for DynamoDB that increases performance (microsecond latency)
Backup Point-in-time recovery down to the second in last 35 days; On-demand backup and restore
Global Tables Fully managed multi-region, multi-master solution
24. © Digital Cloud Training | https://digitalcloud.training
Create Amazon DynamoDB
Table
25. © Digital Cloud Training | https://digitalcloud.training
Amazon RedShift
26. © Digital Cloud Training | https://digitalcloud.training
Amazon Redshift
Amazon RDS Amazon RDS
Amazon Redshift
COPY
COPY
Production DBs in different
geographies
Data is loaded
into RedShift
Data can be analyzed
with BI tools such as
QuickSight using SQL
JDBC/ODBC
27. © Digital Cloud Training | https://digitalcloud.training
Amazon RedShift
• Amazon Redshift is a fast, fully managed data warehouse that makes it
simple and cost-effective to analyze all your data using standard SQL and
existing Business Intelligence (BI) tools
• RedShift is a SQL based data warehouse used for analytics applications
• RedShift is a relational database that is used for Online Analytics Processing
(OLAP) use cases
• RedShift uses Amazon EC2 instances, so you must choose an instance
family/type
• RedShift always keeps three copies of your data
• RedShift provides continuous/incremental backups
28. © Digital Cloud Training | https://digitalcloud.training
Amazon Elastic Map Reduce
(EMR)
29. © Digital Cloud Training | https://digitalcloud.training
Amazon EMR
• Managed cluster platform that simplifies running
big data frameworks including Apache Hadoop
and Apache Spark
• Used for processing data for analytics and business
intelligence
• Can also be used for transforming and moving
large amounts of data
• Performs extract, transform, and load (ETL)
functions
30. © Digital Cloud Training | https://digitalcloud.training
Amazon EMR
Availability Zone
Amazon EMR
Cluster
AWS Cloud
Amazon S3 Amazon DynamoDB
Amazon Redshift
Amazon S3 Glacier Amazon RDS HDFS
EBS volume Cluster Cluster
Data Store options
Optionally attach
EBS volumes
Root access to
cluster instances
Scale cluster instances
or deploy multiple
clusters
31. © Digital Cloud Training | https://digitalcloud.training
Amazon ElastiCache
32. © Digital Cloud Training | https://digitalcloud.training
Amazon ElastiCache
• Fully managed implementations Redis and Memcached
• ElastiCache is a key/value store
• In-memory database offering high performance and low latency
• Can be put in front of databases such as RDS and DynamoDB
Application
Instance
ElastiCache
Node
Amazon RDS
Load data Cache hit
Database write
33. © Digital Cloud Training | https://digitalcloud.training
Amazon ElastiCache
• ElastiCache nodes run on Amazon EC2 instances, so you must choose an instance
family/type
Use Case Benefit
Web session store In cases with load-balanced web servers, store web session information in Redis so if a server is
lost, the session info is not lost, and another web server can pick it up
Database caching Use Memcached in front of AWS RDS to cache popular queries to offload work from RDS and
return results faster to users
Leaderboards Use Redis to provide a live leaderboard for millions of users of your mobile app
Streaming data dashboards Provide a landing spot for streaming sensor data on the factory floor, providing live real-time
dashboard displays
34. © Digital Cloud Training | https://digitalcloud.training
Amazon Athena and AWS
Glue
35. © Digital Cloud Training | https://digitalcloud.training
Amazon Athena and AWS Glue
Data Lake on Amazon S3
Amazon Athena
AWS Glue
Athena can query
data in CSV, TSV,
JSON, Parquet and
ORC formats
Point Athena at data
source in S3 and then
run SQL queries
AWS Glue is used as a
metadata catalog (can
also use Apache Hive)
36. © Digital Cloud Training | https://digitalcloud.training
Amazon Athena
• Athena queries data in S3 using SQL
• Can be connected to other data sources with
Lambda
• Data can be in CSV, TSV, JSON, Parquet and ORC
formats
• Uses a managed Data Catalog (AWS Glue) to
store information and schemas about the
databases and tables
37. © Digital Cloud Training | https://digitalcloud.training
AWS Glue
• Fully managed extract, transform and load (ETL)
service
• Used for preparing data for analytics
• AWS Glue runs the ETL jobs on a fully managed,
scale-out Apache Spark environment
• Works with data lakes (e.g. data on S3), data
warehouses (including RedShift), and data stores
(including RDS or EC2 databases)
38. © Digital Cloud Training | https://digitalcloud.training
Amazon Kinesis
39. © Digital Cloud Training | https://digitalcloud.training
Amazon Kinesis
Amazon Kinesis
Data Streams
Amazon Kinesis
Data Analytics
Amazon Kinesis
Data Firehose
Amazon S3
Amazon Redshift
AWS Lambda Amazon DynamoDB
Data is ingested
into Data Streams
Firehose loads data
straight to destinations
Kinesis deals with
streaming data
Data Analytics
provides real-time
SQL processing
40. © Digital Cloud Training | https://digitalcloud.training
Amazon Kinesis
Examples of streaming data use cases include:
• Purchases from online stores
• Stock prices
• Game data (statistics and results as the gamer plays)
• Social network data
• Geospatial data (think uber.com)
• IoT sensor data
41. © Digital Cloud Training | https://digitalcloud.training
Amazon Kinesis
Kinesis Data Streams
• Producers send data which is stored in shards for up to 7 days
• Consumers process the data and save to another service
Amazon Kinesis Data Firehose
• No shards, completely automated and elastically scalable
• Saves data directly to another service such as S3, Splunk,
RedShift, or Elasticsearch
Amazon Kinesis Data Analytics
• Provides real-time SQL processing for streaming data
42. © Digital Cloud Training | https://digitalcloud.training
Other Databases and
Analytics Services
43. © Digital Cloud Training | https://digitalcloud.training
Other Databases and Analytics Services
AWS Data Pipeline
• Processes and moves data between different AWS compute
and storage services
• Save results to services including S3, RDS, DynamoDB, and
EMR
Amazon QuickSight
• Business intelligence (BI) service
• Create and publish interactive BI dashboards for Machine
Learning-powered insights
Amazon Neptune
• Fully managed graph database service
44. © Digital Cloud Training | https://digitalcloud.training
Other Databases and Analytics Services
Amazon DocumentDB
• Fully managed document database service (non-relational)
• Supports MongoDB workloads
• Queries and indexes JSON data
Amazon QLDB
• Fully managed ledger database for immutable change
history
• Provides cryptographically verifiable transaction logging
Amazon Managed Blockchain
• Fully managed service for joining public and private
networks using Hyperledger Fabric and Ethereum
45. © Digital Cloud Training | https://digitalcloud.training
SECTION 12
Management and Governance
46. © Digital Cloud Training | https://digitalcloud.training
AWS Organizations
47. © Digital Cloud Training | https://digitalcloud.training
AWS Organizations
AWS Organization
Management Account
Receive a
consolidated bill
Test
Development
Production
You can group accounts
into Organizational Units
(OUs)
Service Control Policies
(SCPs) can control
tagging and the
available API actions
Create accounts
programmatically
using the
Organizations API
48. © Digital Cloud Training | https://digitalcloud.training
AWS Organizations
• AWS organizations allows you to consolidate multiple AWS accounts into an
organization that you create and centrally manage
• Available in two feature sets:
• Consolidated Billing
• All features
• Includes root accounts and organizational units
• Policies are applied to root accounts or OUs
• Consolidated billing includes:
• Paying Account – independent and cannot access resources of other accounts
• Linked Accounts – all linked accounts are independent
49. © Digital Cloud Training | https://digitalcloud.training
AWS Organizations
50. © Digital Cloud Training | https://digitalcloud.training
AWS Control Tower
51. © Digital Cloud Training | https://digitalcloud.training
AWS Control Tower
• Simplifies the process of creating multi-account
environments
• Sets up governance, compliance, and security
guardrails for you
• Integrates with other services and features to setup
the environment for you including:
• AWS Organizations, SCPs, OUs, AWS Config, AWS
CloudTrail, Amazon S3, Amazon SNS, AWS
CloudFormation, AWS Service Catalog, AWS Single
Sign-On (SSO)
52. © Digital Cloud Training | https://digitalcloud.training
AWS Control Tower
Examples of guardrails AWS Control Tower can
configure for you include:
• Disallowing public write access to Amazon Simple
Storage Service (Amazon S3) buckets
• Disallowing access as a root user without multi-
factor authentication
• Enabling encryption for Amazon EBS volumes
attached to Amazon EC2 instances
53. © Digital Cloud Training | https://digitalcloud.training
AWS Systems Manager
54. © Digital Cloud Training | https://digitalcloud.training
AWS Systems Manager
• Manages many AWS resources including Amazon EC2, Amazon S3,
Amazon RDS etc.
• Systems Manager Components:
• Automation
• Run Command
• Inventory
• Patch Manager
• Session Manager
• Parameter Store
55. © Digital Cloud Training | https://digitalcloud.training
AWS Systems Manager
Automation
Documents Amazon RDS
Run Command Amazon EC2
This command checks
for missing updates
This automation, takes a
snapshot of an RDS DB
instance
Documents
56. © Digital Cloud Training | https://digitalcloud.training
AWS Systems Manager
Inventory
57. © Digital Cloud Training | https://digitalcloud.training
AWS Systems Manager
Patch Manager
• Deploy operating system and software patches
automatically across large groups of Amazon EC2 or on-
premises instances
Compliance
• Scan managed instances for patch compliance and
configuration inconsistencies
58. © Digital Cloud Training | https://digitalcloud.training
AWS Systems Manager
Session Manager
• Secure remote management of your instances at scale
without logging into your servers
• Replaces the need for bastion hosts, SSH, or remote
PowerShell
Parameter Store
• Parameter Store provides secure, hierarchical storage for
configuration data management and secrets management
59. © Digital Cloud Training | https://digitalcloud.training
Manage EC2 Instances
60. © Digital Cloud Training | https://digitalcloud.training
AWS Service Catalog
61. © Digital Cloud Training | https://digitalcloud.training
AWS Service Catalog
• AWS Service Catalog allows organizations to create and manage
catalogs of IT services that are approved for use on AWS
• AWS Service Catalog allows you to centrally manage commonly
deployed IT services
• IT services can include virtual machine images, servers, software,
and databases and multi-tier application architectures
• Enables users to quickly deploy only the approved IT services they
need
62. © Digital Cloud Training | https://digitalcloud.training
AWS Service Catalog
Service Catalog
Administrator
Product X
Version 1.0 Version 1.1
Portfolio A
Product is added to
portfolio
AWS Service Catalog
Catalog Admin
authors template and
creates product
Users / Groups are
assigned permissions
to portfolio
64. © Digital Cloud Training | https://digitalcloud.training
AWS Config
AWS Config
Amazon S3
Amazon EC2
Elastic Load Balancing
Amazon RDS
Example Services:
Amazon Simple
Notification Service
Configuration changes
occur and information is
sent to AWS Config
AWS Config evaluates the
configuration against
desired configurations
Send notifications
with SNS
CloudWatch Events
Alert via CW Events
when changes occur
65. © Digital Cloud Training | https://digitalcloud.training
AWS Config
Example Rule Description
rds-instance-public-access-check Checks whether the Amazon Relational Database Service
(RDS) instances are not publicly accessible
restricted-ssh Checks whether security groups that are in use disallow
unrestricted incoming SSH traffic
cloudtrail-enabled Checks whether AWS CloudTrail is enabled in your AWS
account
s3-bucket-server-side-encryption-enabled Checks that your Amazon S3 bucket either has S3 default
encryption enabled or that the S3 bucket policy explicitly
denies put-object requests without server side encryption
66. © Digital Cloud Training | https://digitalcloud.training
Configuration Compliance
67. © Digital Cloud Training | https://digitalcloud.training
AWS Trusted Advisor
68. © Digital Cloud Training | https://digitalcloud.training
AWS Trusted Advisor
• Trusted Advisor is an online resource that helps to
reduce cost, increase performance and improve
security by optimizing your AWS environment
• Trusted Advisor provides real time guidance to help
you provision your resources following best practices
• Advisor will advise you on Cost Optimization,
Performance, Security, and Fault Tolerance
69. © Digital Cloud Training | https://digitalcloud.training
AWS Health API and
Dashboards
70. © Digital Cloud Training | https://digitalcloud.training
AWS Personal Health Dashboard
• AWS Personal Health Dashboard provides alerts and
remediation guidance when AWS is experiencing events
that may impact you
• Personal Health Dashboard gives you a personalized
view into the performance and availability of the AWS
services underlying your AWS resources
• Also provides proactive notification to help you plan for
scheduled activities
71. © Digital Cloud Training | https://digitalcloud.training
AWS Service Health Dashboard
Not personalized
information so
may not be
relevant to you Shows current status
information on
service availability
No proactive
notification of
scheduled
activities
72. © Digital Cloud Training | https://digitalcloud.training
SECTION 13
AWS Cloud Security and Identity
73. © Digital Cloud Training | https://digitalcloud.training
Identity Providers and
Federation
74. © Digital Cloud Training | https://digitalcloud.training
Federation with IAM
AWS IAM
Active Directory
(self-managed)
Social
Providers
Web Identity Federation
for mobile apps uses
OpenID Connect (OIDC)
Authenticated and
authorized users can
access AWS services
SAML 2.0 compatible
LDAP source (AD in
this case)
Identity provider is
configured in AWS IAM
- Either SAML or OIDC
75. © Digital Cloud Training | https://digitalcloud.training
AWS Single Sign-On (SSO)
AWS Single Sign-On
AWS Organizations
AWS
Account A
AWS
Account B
AWS Account C
AWS Account D
Active Directory
(self-managed)
AWS Directory Service
Azure AD
Identity sources can be AWS SSO,
Active Directory and standard
providers using SAML 2.0
Built-in SSO integrations to
business applications
Corporate Office / DC
Enables centralized
permissions
management
Connect AWS
accounts and
Organizations
Connect AWS
accounts and
Organizations
76. © Digital Cloud Training | https://digitalcloud.training
AWS Cognito (Mobile and Web Apps)
Cognito Identity Pool
SAML OIDC
Identity
Providers
AWS Lambda
STS
IAM Role
Amazon DynamoDB
Identity pools are used to obtain
temporary, limited-privilege
credentials for AWS services
Cognito User Pool
Identity pools use AWS STS to
obtain the credentials
Identities can
come from a
Cognito user pool
Identities can come
from social IdPs
An IAM role is assumed
providing access to the
AWS services
77. © Digital Cloud Training | https://digitalcloud.training
AWS Directory Service
78. © Digital Cloud Training | https://digitalcloud.training
AWS Managed Microsoft Active Directory
Corporate Office / DC
VPC
Azure AD
Microsoft AD
Console Workspaces
RDS Workdocs
QuickSight Workmail
HA pair of Windows
Server 2012 Domain
Controllers (DCs)
Securely connect to
Amazon EC2 Linux and
Windows instances
Some of the Apps and
Services that support
authentication and
authorization using
AWS Directory Services
Synchronize users and
federate identities
with Azure/O365
VPN
Managed
implementation
of Microsoft
Active Directory
running on
Windows Server
2012 R2
Also Allows you to:
• Apply group policy
• Use single sign-on to
apps and services
• Enable MFA with
RADIUS
79. © Digital Cloud Training | https://digitalcloud.training
AWS Managed Microsoft Active Directory
• Fully managed AWS services on AWS infrastructure
• Best choice if you have more than 5000 users and/or need a
trust relationship set up
• You can setup trust relationships to extend authentication
from on-premises Active Directories into the AWS cloud
• On-premise users and groups can access resources in either
domain using SSO
• Can be used as a standalone AD in the AWS cloud
80. © Digital Cloud Training | https://digitalcloud.training
AD Connector
AD
Connector
Active Directory Amazon EC2
AWS Management
Console
Amazon WorkSpaces
Connection
over VPN or
Direct Connect
Corporate Office / DC
Self-managed
Micorosoft AD
VPN
Provides federated sign-in to the AWS
Management Console by mapping
Active Directory identities to IAM Roles
Sign-in to AWS applications such as
Amazon WorkSpaces, Amazon
WorkDocs, and Amazon WorkMail by
using your Active Directory credentials
Seamlessly join
Windows EC2
instances to an on-
premise AD domain
81. © Digital Cloud Training | https://digitalcloud.training
AD Connector
• AD Connector is a directory gateway for redirecting
directory requests to your on-premise Active Directory.
• AD Connector eliminates the need for directory
synchronization and the cost and complexity of hosting a
federation infrastructure
• Connects your existing on-premise AD to AWS
• Best choice when you want to use an existing Active
Directory with AWS services.
82. © Digital Cloud Training | https://digitalcloud.training
AWS Directory Services Options
Directory Service Service Description Use Case
AWS Directory Service
for Microsoft Active
Directory
AWS-managed full Microsoft AD
running on Windows Server 2012 R2
Enterprises that want hosted Microsoft
Active Directory
AD Connector Allows on-premises users to log into
AWS services with their existing AD
credentials
Single sign-on for on-premises
employees
Simple AD Low scale, low cost, AD
implementation based on Samba
Simple user directory, or you need
LDAP compatibility
83. © Digital Cloud Training | https://digitalcloud.training
Protecting Secrets
84. © Digital Cloud Training | https://digitalcloud.training
Systems Manager Parameter Store
• Provides secure, hierarchical storage for configuration
data management and secrets management
• It is highly scalable, available, and durable
• You can store data such as passwords, database strings,
and license codes as parameter values
• You can store values as plaintext (unencrypted data) or
ciphertext (encrypted data)
• You can then reference values by using the unique name
that you specified when you created the parameter
Amazon EC2
Parameter
Store
Retrieve database
connection string
Amazon RDS
85. © Digital Cloud Training | https://digitalcloud.training
AWS Secrets Manager
• Similar to Parameter Store
• Allows native and automatic rotation of keys
• Fine-grained permissions
• Central auditing for secret rotation
87. © Digital Cloud Training | https://digitalcloud.training
Encryption In Transit vs At Rest
User
Unencrypted
Object
Encrypted
bucket
Encryption process
Data encryption key
Encryption In Transit
Encryption At Rest
HTTPS Connection
ALB
Data is protected by
SSL/TLS in transit
Amazon S3 encrypts the
object as it is written to
the bucket it
88. © Digital Cloud Training | https://digitalcloud.training
Asymmetric Encryption
• Asymmetric encryption is also known as public key cryptography
• Messages encrypted with the public key can only be decrypted with
the private key
• Messages encrypted with the private key can be decrypted with the
public key
• Examples include SSL/TLS and SSH
Encrypted
data
Plaintext data
Public key Private key
Plaintext data
Encryption Decryption
89. © Digital Cloud Training | https://digitalcloud.training
AWS Certificate Manager (ACM)
• Create, store and renew SSL/TLS X.509 certificates
• Single domains, multiple domain names and wildcards
• Integrates with several AWS services including:
• Elastic Load Balancing
• Amazon CloudFront
• AWS Elastic Beanstalk
• AWS Nitro Enclaves
• AWS CloudFormation
90. © Digital Cloud Training | https://digitalcloud.training
Symmetric Encryption
Data encryption key
Encrypted
data
Encryption process
Plaintext data
Encrypted
data
Encryption process Plaintext data
Data encryption key
Encryption
Decryption
The same key is used
for both encryption
and decryption
91. © Digital Cloud Training | https://digitalcloud.training
AWS Key Management Service (KMS)
• Create and managed symmetric and asymmetric encryption keys
• The customer master keys (CMKs) are protected by hardware security modules
(HSMs)
Customer Managed Keys
CMK
CMK CMK
CMK
Developer
aws/acm
aws/sqs aws/fsx
aws/ebs
AWS Managed Keys
AWS KMS
Developer creates
customer managed
customer master keys
(CMKs) in AWS KMS
92. © Digital Cloud Training | https://digitalcloud.training
AWS CloudHSM
• AWS CloudHSM is a cloud-based hardware security module (HSM)
• Generate and use your own encryption keys on the AWS Cloud
• Manage your own encryption keys using FIPS 140-2 Level 3 validated HSMs
• CloudHSM runs in your VPC
CloudHSM AWS KMS
Tenancy Single-tenant HSM Multi-tenant AWS service
Availability Customer-managed durability and
available
Highly available and durable key storage
and management
Root of Trust Customer managed root of trust AWS managed root of trust
FIPS 140-2 Level 3 Level 2 / Level 3 in some areas
3rd Party Support Broad 3rd Party Support Broad AWS service support
93. © Digital Cloud Training | https://digitalcloud.training
Encryption on AWS
94. © Digital Cloud Training | https://digitalcloud.training
Logging and Auditing
95. © Digital Cloud Training | https://digitalcloud.training
Amazon CloudWatch Logs
• Gather application and system logs in CloudWatch
• Defined expiration policies and KMS encryption
Amazon CloudWatch
Amazon EC2
Application logs
System logs
AWS Lambda
On-premises
servers
Application logs
System logs
Unified CloudWatch Agent
installed on EC2 and on-
premises servers
Function requires
permissions to
CloudWatch Logs
AWS Lambda
Real-time log
processing with
subscription filters
Amazon Elasticsearch
Service
96. © Digital Cloud Training | https://digitalcloud.training
AWS CloudTrail
• CloudTrail logs API activity for auditing
• By default, management events are logged and retained
for 90 days
• A CloudTrail Trail logs any events to S3 for indefinite
retention
• Trail can be within Region or all Regions
• CloudWatch Events can triggered based on API calls in
CloudTrail
• Events can be streamed to CloudWatch Logs
97. © Digital Cloud Training | https://digitalcloud.training
VPC Flow Logs
VPC
Private subnet
Public subnet
Flow logs
Flow logs
EC2 Instance Flow logs
• Flow Logs capture information about the
IP traffic going to and from network
interfaces in a VPC
• Flow log data is stored using Amazon
CloudWatch Logs
• Flow logs can be created at the following
levels:
• VPC
• Subnet
• Network interface
98. © Digital Cloud Training | https://digitalcloud.training
Access Logs
Elastic Load Balancing Access Logs
• capture detailed information about requests sent
to the load balancer
• Use to analyze traffic patterns and troubleshoot
issues
• Can identify requester, IP, request type etc.
• Can be optionally stored and retained in S3.
S3 Access Logs
• Provides detailed records for the requests that are
made to a bucket
• Details include the requester, bucket name,
request time, request action, response status, and
error code (if applicable)
• Disabled by default
99. © Digital Cloud Training | https://digitalcloud.training
AWS CloudTrail
100. © Digital Cloud Training | https://digitalcloud.training
Detect and Respond
101. © Digital Cloud Training | https://digitalcloud.training
Amazon Detective
• Analyze, investigate, and quickly identify the root
cause of potential security issues or suspicious
activities
• Automatically collects data from AWS resources
• Uses machine learning, statistical analysis, an
graph theory
• Creates a unified, interactive view of resources,
users and interactions between them
• Data sources include VPC Flow Logs, CloudTrail,
and GuardDuty
102. © Digital Cloud Training | https://digitalcloud.training
AWS GuardDuty
• Intelligent threat detection service
• Detects account compromise, instance
compromise, malicious reconnaissance, and bucket
compromise
• Continuous monitoring for events across:
• AWS CloudTrail Management Events
• AWS CloudTrail S3 Data Events
• Amazon VPC Flow Logs
• DNS Logs
103. © Digital Cloud Training | https://digitalcloud.training
Amazon Macie
• Macie is a fully managed data security and data
privacy service
• Uses machine learning and pattern matching to
discover, monitor, and help you protect your
sensitive data on Amazon S3
• Macie enables security compliance and preventive
security
• Can Identify a variety of data types, including PII,
Protected Health Information (PHI), regulatory
documents, API keys, and secret keys
104. © Digital Cloud Training | https://digitalcloud.training
Amazon Macie
Amazon S3
Amazon Macie CloudWatch Events
Automatically
discovers S3 buckets
Analyzes buckets using
ML to discover sensitive
information
Sends findings to
CloudWatch Events
105. © Digital Cloud Training | https://digitalcloud.training
Firewalls and DDoS
Protection
106. © Digital Cloud Training | https://digitalcloud.training
AWS Web Application Firewall (WAF)
• AWS WAF is a web application firewall
• WAF lets you create rules to filter web traffic based on
conditions that include IP addresses, HTTP headers and
body, or custom URIs
• WAF makes it easy to create rules that block common
web exploits like SQL injection and cross site scripting
• The rules are known as Web ACLs
107. © Digital Cloud Training | https://digitalcloud.training
AWS Web Application Firewall (WAF)
AWS WAF Amazon CloudFront
ALB
Amazon API Gateway
AWS WAF
AWS WAF
Amazon EC2
AWS AppSync
AWS WAF
108. © Digital Cloud Training | https://digitalcloud.training
AWS Shield
• AWS Shield is a managed Distributed Denial of
Service (DDoS) protection service
• Safeguards web application running on AWS with
always-on detection and automatic inline
mitigations
• Helps to minimize application downtime and latency
• Two tiers –
• Standard – no cost
• Advanced - $3k USD per month and 1 year commitment
• Integrated with Amazon CloudFront (standard
included by default)
109. © Digital Cloud Training | https://digitalcloud.training
Compliance Services
110. © Digital Cloud Training | https://digitalcloud.training
AWS Artifact
• AWS Artifact provides on-demand access to AWS’ security and compliance
reports and select online agreements
• Reports available in AWS Artifact include:
• Service Organization Control (SOC) reports
• Payment Card Industry (PCI) reports
• Provides certifications from accreditation bodies across geographies and
compliance verticals that validate the implementation and operating
effectiveness of AWS security controls
• Agreements available in AWS Artifact include the Business Associate
Addendum (BAA) and the Nondisclosure Agreement (NDA)
111. © Digital Cloud Training | https://digitalcloud.training
Security Management and
Support
112. © Digital Cloud Training | https://digitalcloud.training
AWS Security Hub
• Provides a comprehensive view of security alerts
and security posture across AWS accounts
• Aggregates, organizes, and prioritizes security
alerts, or findings, from multiple AWS services
• Continuously monitors your environment using
automated security checks
• Configure security standards to validate against
• AWS Foundational Security Best Practices v1.0.0
• CIS AWS Foundations Benchmark v1.2.0
• PCI DSS v3.2.1
113. © Digital Cloud Training | https://digitalcloud.training
AWS Security Bulletins
• Security and privacy events affecting AWS services
are published (also has an RSS feed)
114. © Digital Cloud Training | https://digitalcloud.training
AWS Trust & Safety Team
• Contact the AWS Trust & Safety team if AWS
resources are being used for:
• Spam
• Port scanning
• Denial-of-service attacks
• Intrusion attempts
• Hosting of objectionable or copyrighted content
• Distributing malware
• Email address is: abuse@amazonaws.com
115. © Digital Cloud Training | https://digitalcloud.training
Penetration testing
116. © Digital Cloud Training | https://digitalcloud.training
Penetration Testing
• Penetration testing is the practice of testing one’s own application’s
security for vulnerabilities by simulating an attack
• AWS allows penetration testing without prior approval for 8 AWS
services
117. © Digital Cloud Training | https://digitalcloud.training
Penetration Testing
Permitted services
• Amazon EC2 instances, NAT Gateways, and Elastic Load Balancers
• Amazon RDS
• Amazon CloudFront
• Amazon Aurora
• Amazon API Gateways
• AWS Lambda and Lambda Edge functions
• Amazon Lightsail resources
• Amazon Elastic Beanstalk environments
Prohibited Activities
• DNS zone walking via Amazon Route 53 Hosted Zones
• Denial of Service (DoS), Distributed Denial of Service (DDoS),
Simulated DoS, Simulated DDoS Port flooding
• Protocol flooding
• Request flooding (login request flooding, API request flooding)
118. © Digital Cloud Training | https://digitalcloud.training
Shared Responsibility Model
Review
119. © Digital Cloud Training | https://digitalcloud.training
The AWS Shared Responsibility Model
120. © Digital Cloud Training | https://digitalcloud.training
The AWS Shared Responsibility Model
CUSTOMER RESPONSIBILITY
AWS RESPONSIBILITY
Bucket with
objects
Role
Data encryption
Multi-Factor
Authentication
IAM User Network ACL
Security Group
SSL encryption
Patch
management
EC2 Instance
Auto Scaling
Elastic load
balancer
Data center
Network router
Network switch
Server
Storage
Disk drive
Data center
security
Staff training
Database
Server
121. © Digital Cloud Training | https://digitalcloud.training
Architecting for the Cloud
SECTION 14
122. © Digital Cloud Training | https://digitalcloud.training
AWS Well-Architected
123. © Digital Cloud Training | https://digitalcloud.training
AWS Well-Architected
• AWS Well-Architected helps cloud architects build
secure, high-performing, resilient, and efficient
infrastructure for their applications and workloads
• Based on 5 pillars:
• Operational Excellence
• Security
• Reliability
• Performance Efficiency
• Cost Optimization
124. © Digital Cloud Training | https://digitalcloud.training
AWS Well-Architected
Consists of:
• AWS Well-Architected Guidance
• AWS Well-Architected Tool
• AWS Well-Architected Lenses
• AWS Architecture Center
125. © Digital Cloud Training | https://digitalcloud.training
AWS Well-Architected
Framework
126. © Digital Cloud Training | https://digitalcloud.training
AWS Well-Architected Framework
• Helps you understand the pros and cons of
decisions you make while building systems on AWS
• Based on 5 pillars:
Operational Excellence Pillar
• Support development and run workloads
effectively
• Gain insight into workload operations
• Continuously improve processes and procedures to
deliver business value
127. © Digital Cloud Training | https://digitalcloud.training
AWS Well-Architected
• Best practices for operational excellence:
• Perform operations as code
• Make frequent, small, reversible changes
• Refine operations procedures frequently
• Anticipate failure
• Learn from all operational failures
128. © Digital Cloud Training | https://digitalcloud.training
AWS Well-Architected
Security Pillar
• Protect data, systems, and assets to take advantage
of cloud technologies to improve your security
• Best practices for security:
• Implement a strong identity foundation
• Enable traceability
• Apply security at all layers
• Automate security best practices
• Protect data in transit and at rest
• Keep people away from data
• Prepare for security events
129. © Digital Cloud Training | https://digitalcloud.training
AWS Well-Architected
Reliability Pillar
• Ensuring a workload can perform its intended function
correctly and consistently when it’s expected to
• This includes the ability to operate and test the
workload through its total lifecycle
• Best practices for reliability:
• Automatically recover from failure
• Test recovery procedures
• Scale horizontally to increase aggregate workload
availability
• Stop guessing capacity
• Manage change in automation
130. © Digital Cloud Training | https://digitalcloud.training
AWS Well-Architected
Performance Efficiency Pillar
• The ability to use computing resources efficiently to
meet system requirements, and to maintain that
efficiency as demand changes and technologies
evolve
• Best practices for performance efficiency:
• Democratize advanced technologies
• Go global in minutes
• Use serverless architectures
• Experiment more often
• Consider mechanical sympathy
131. © Digital Cloud Training | https://digitalcloud.training
AWS Well-Architected
Cost Optimization Pillar
• The ability to run systems to deliver business value
at the lowest price point
• Best practices for cost optimization:
• Implement Cloud Financial Management
• Adopt a consumption model
• Measure overall efficiency
• Stop spending money on undifferentiated heavy
lifting
• Analyze and attribute expenditure
132. © Digital Cloud Training | https://digitalcloud.training
SECTION 15
Accounts, Billing and Support
133. © Digital Cloud Training | https://digitalcloud.training
AWS Pricing Fundamentals
134. © Digital Cloud Training | https://digitalcloud.training
AWS Pricing Fundamentals
Compute Storage Outbound Data Transfer
Amount of resources
such as CPU and
RAM and duration
Quantity of
data stored
Quantity of data
that is transferred
out from all
services
135. © Digital Cloud Training | https://digitalcloud.training
AWS Pricing Fundamentals
Pay-as-you-go
• Easily adapt to changing business needs
• Improved responsiveness to change
• Adapt based on needs, not forecasts
• Reduce risk over overpositioning of missing
capacity
136. © Digital Cloud Training | https://digitalcloud.training
AWS Pricing Fundamentals
Save when you reserve
• Invest in reserved capacity (e.g. RDS and EC2)
• Save up to 75% compared to on-demand (pay-as-
you-go)
• The more you pay upfront the greater the discount
137. © Digital Cloud Training | https://digitalcloud.training
AWS Pricing Fundamentals
Pay less by using more
• Pay less using volume-based discounts
• Tiered pricing means the more you use the lower
the unit pricing
138. © Digital Cloud Training | https://digitalcloud.training
Amazon EC2 Pricing Options
139. © Digital Cloud Training | https://digitalcloud.training
Amazon EC2 Pricing Options
Reserved
Spot Instances Dedicated Instances
Dedicated Hosts
On-Demand
Savings Plans
Standard rate - no discount; no
commitments; dev/test, short-term, or
unpredictable workloads
1 or 3-year commitment;
up to 75% discount; steady-state,
predictable workloads and reserved capacity
Bid for unused capacity; up to 90% discount;
can be terminated at any time; workloads
with flexible start and end times
Physical isolation at the host hardware level
from instances belonging to other
customers; pay per instance
Commitment to a consistent amount of
usage (EC2 + Fargate + Lambda); Pay by
$/hour; 1 or 3-year commitment
Physical server dedicated for your use;
Socket/core visibility, host affinity; pay per
host; workloads with server-bound software
licenses
140. © Digital Cloud Training | https://digitalcloud.training
Amazon EC2 Billing
Billed per hour;
Minimum of 1 hour
Billed per second;
Minimum of 1 minute
Volumes billed per second;
Minimum of 1 minute
Per-second billing is for
Amazon Linux and
Ubuntu in On-Demand,
Reserved, and Spot forms
Commercial Linux distros
such as Red Hat EL and SUSE
ES use hourly pricing
141. © Digital Cloud Training | https://digitalcloud.training
Amazon EC2 Reserved Instances (RIs)
When the attributes of a used instance
match the attributes of an RI the
discount is applied
Tenancy: Default or Dedicated
Availability Zone Region
Reserves capacity
in specified AZ
Does not reserve
capacity; discount
applies to all AZs
142. © Digital Cloud Training | https://digitalcloud.training
Amazon EC2 Reserved Instances (RIs)
Scheduled RI
• Match capacity reservation to
recurring schedule
• Minimum 1200 hours per year
• Example: Reporting app that runs 6
hours a day 4 days a week = 1248
hours per year
This message started showing
recently but exam may not
reflect this yet
143. © Digital Cloud Training | https://digitalcloud.training
AWS Savings Plans
Compute Savings Plan EC2 Savings Plan
1 or 3-year; hourly
commitment to usage of
Fargate, Lambda, and
EC2; Any Region, family,
size, tenancy, and OS
1 or 3-year; hourly
commitment to usage of
EC2 within a selected
Region and Instance
Family; Any size, tenancy
and OS
144. © Digital Cloud Training | https://digitalcloud.training
Amazon EC2 Spot Instances
Spot Fleet: launches and maintains the number of
Spot / On-Demand instances to meet specified
target capacity
Bid for unused capacity at up
to 90% discount
Spot Instance: One or more EC2 instances
EC2 Fleet: launches and maintains specified
number of Spot / On-Demand / Reserved
instances in a single API call
Can define separate OD/Spot
capacity targets, bids, instance
types, and AZs
2-minute warning if AWS
need to reclaim capacity –
available via instance
metadata and CloudWatch
Events
145. © Digital Cloud Training | https://digitalcloud.training
Spot Block
Requirement:
Uninterrupted for
1-6 hours
Solution: Spot Block
Pricing is 30% - 45% less
than On-Demand
146. © Digital Cloud Training | https://digitalcloud.training
Dedicated Instances and Dedicated Hosts
Characteristic Dedicated Instances Dedicated Hosts
Enables the use of dedicated physical servers X X
Per instance billing (subject to a $2 per region fee) X
Per host billing X
Visibility of sockets, cores, host ID X
Affinity between a host and instance X
Targeted instance placement X
Automatic instance placement X X
Add capacity using an allocation request X
147. © Digital Cloud Training | https://digitalcloud.training
Amazon EC2 Pricing Use
Cases
148. © Digital Cloud Training | https://digitalcloud.training
Amazon EC2 Pricing Use Cases
Developer working on a small
project for several hours;
cannot be interrupted
Reserved
Scheduled Reserved
Spot Instances
Dedicated Instances
Dedicated Hosts
On-Demand
Compute-intensive, cost-
sensitive distributed
computing; can withstand
interruption
Steady-state, business critical,
line-of-business application;
continuous demand
149. © Digital Cloud Training | https://digitalcloud.training
Amazon EC2 Pricing Use Cases
Reporting application, runs for
6 hours a day, 4 days per week
Reserved
Scheduled Reserved
Spot Instances
Dedicated Instances
Dedicated Hosts
On-Demand
Database with per-socket
licensing
Security-sensitive application,
requires dedicated hardware;
per-instance billing
150. © Digital Cloud Training | https://digitalcloud.training
Pricing for other AWS
Services
151. © Digital Cloud Training | https://digitalcloud.training
Amazon S3 Pricing
• Storage class – e.g. Standard or IA
• Storage quantity – data volume stored in your
buckets on a per GB basis
• Number of requests – the number and type of
requests, e.g. GET, PUT, POST, LIST, COPY
• Lifecycle transitions requests – moving data
between storage classes
• Data transfer – data transferred out of an S3
region is charged
152. © Digital Cloud Training | https://digitalcloud.training
Amazon S3 Glacier Pricing
• Three options for access to archives, listed in the
table below:
Expedited Standard Bulk
Data access time 1-5 minutes 3-5 hours 5-12 hours
Data retrievals $0.03 per GB $0.01 per GB $0.0025 per GB
Retrieval requests On-Demand: $0.01 per
request
Provisioned: $100 per
Provisioned Capacity Unit
$0.050 per 1,000
requests
$0.025 per 1,000 requests
153. © Digital Cloud Training | https://digitalcloud.training
Amazon EBS Pricing
• Volumes – volume storage for all EBS volumes type
is charged by the amount of GB provisioned per
month
• Snapshots – based on the amount of space
consumed by snapshots in S3. Copying snapshots is
charged on the amount of data copied across
regions
• Data transfer – inbound data transfer is free,
outbound data transfer charges are tiered
154. © Digital Cloud Training | https://digitalcloud.training
Amazon RDS Pricing
• Clock hours of server uptime – amount of time the DB
instance is running
• Database characteristics – e.g. database engine, size
and memory class
• Database purchase type – e.g. On-Demand, Reserved.
• Number of database instances
• Provisioned storage – backup is included up to 100%
of the size of the DB
• Additional storage – the amount of storage in addition
to the provisioned storage is charged per GB per
month
155. © Digital Cloud Training | https://digitalcloud.training
Amazon RDS Pricing
• Requests – the number of input and output
requests to the DB
• Deployment type – single AZ or multi-AZ
• Reserved Instances – RDS RIs can be purchased
with No Upfront, Partial Upfront, or All Upfront
terms. Available for Aurora, MySQL, MariaDB,
Oracle and SQL Server
156. © Digital Cloud Training | https://digitalcloud.training
Amazon DynamoDB Pricing
• Charged for reading, writing, and storing data
• On-demand capacity mode
• Charged for reads and writes
• No need to specify how much capacity is required
• Good for unpredictable workloads
• Provisioned capacity mode
• Specify number of reads and writes per second
• Can use Auto Scaling
• Good for predictable workloads
• Consistent traffic or gradual changes
157. © Digital Cloud Training | https://digitalcloud.training
Amazon CloudFront Pricing
• Traffic distribution – data transfer and request
pricing, varies across regions, and is based on the
edge location from which the content is served
• Requests – the number and type of requests
(HTTP or HTTPS) and the geographic region in
which they are made
• Data transfer out – quantity of data transferred
out of CloudFront edge locations
• There are additional chargeable items such as
invalidation requests, field-level encryption
requests, and custom SSL certificates
158. © Digital Cloud Training | https://digitalcloud.training
AWS Lambda Pricing
• Number of requests
• Duration of request – rounded up to the nearest
millisecond
• Price is dependent on the amount of memory
allocated to the function
• Free tier includes 1M free requests per month and
400,000 GB-seconds of compute time
159. © Digital Cloud Training | https://digitalcloud.training
AWS Pricing Calculator
160. © Digital Cloud Training | https://digitalcloud.training
AWS Support Plans
161. © Digital Cloud Training | https://digitalcloud.training
AWS Support Plans
Developer Business Enterprise
AWS Trusted Advisor Best
Practice Checks
7 Core checks Full set of checks Full set of checks
Enhanced Technical Support • Business hours email
access to Cloud Support
Associates
• Unlimited cases / 1 primary
contact
• 24x7 phone, email, and chat
access to Cloud Support
Engineers
• Unlimited cases / unlimited
contacts (IAM supported)
• 24x7 phone, email, and chat
access to Cloud Support Engineers
• Unlimited cases / unlimited
contacts (IAM supported)
Case Severity / Response
Times*
• General guidance: < 24
hours**
• System impaired: < 12
hours**
• General guidance: < 24
hours
• System impaired: < 12 hours
• Production system impaired:
< 4 hours
• Production system down: <
1 hour
• General guidance: < 24 hours
• System impaired: < 12 hours
• Production system impaired: < 4
hours
• Production system down: < 1
hour
• Business-critical system down: <
15 minutes
162. © Digital Cloud Training | https://digitalcloud.training
AWS Support Plans
Developer Business Enterprise
Architectural Guidance
General
Contextual to your use-
cases
Consultative review and guidance based on your
applications
Programmatic Case
Management
AWS Support API AWS Support API
Proactive Programs and
Services
Access to Infrastructure
Event Management for
additional fee
• Infrastructure Event Management
• Well-Architected Reviews
• Access to proactive reviews, workshops, and
deep dives
Technical Account
Management
Designated Technical Account Manager (TAM) to
proactively monitor your environment and assist
with optimization and coordinate access to
programs and AWS experts
Account Assistance Concierge Support Team
163. © Digital Cloud Training | https://digitalcloud.training
Consolidated Billing
164. © Digital Cloud Training | https://digitalcloud.training
AWS Organizations
• Consolidated billing has the following benefits:
• One bill – You get one bill for multiple accounts
• Easy tracking – You can track the charges across multiple
accounts and download the combined cost and usage data
• Combined usage – You can combine the usage across all accounts
in the organization to share the volume pricing discounts and
Reserved Instance discounts
• No extra fee – Consolidated billing is offered at no additional cost
165. © Digital Cloud Training | https://digitalcloud.training
AWS Organizations
Tier Description Price Per GB Price Per TB
First 1 TB/month $0.10 $100.00
Next 49 TB/month $0.08 $80.00
Next 450 TB/month $0.06 $60.00
Usage within Organization:
Account A (master) usage: 2 TB
Account B usage: 80 TB
Account C usage: 120 TB
Total: 202 TB
Calculation:
First 1 TB = $100.00
Next 49 TB = $3,920.00
Next 157 TB = $9,120.00
Total cost = $13,140.00
167. © Digital Cloud Training | https://digitalcloud.training
AWS Budgets
Set Custom Budgets - set custom usage and reservation budgets
Configure Alerts – receive alerts when you exceed or are forecast to
exceed your alert thresholds
Integrated with other AWS services – Includes Cost Explorer Chatbot,
and Service Catalog
168. © Digital Cloud Training | https://digitalcloud.training
AWS Cost Allocation Tags
169. © Digital Cloud Training | https://digitalcloud.training
AWS Cost Management Tools
170. © Digital Cloud Training | https://digitalcloud.training
AWS Cost Explorer
• The AWS Cost Explorer is a free tool that allows you
to view charts of your costs
• You can view cost data for the past 13 months and
forecast how much you are likely to spend over the
next three months
• Cost Explorer can be used to discover patterns in how
much you spend on AWS resources over time and to
identify cost problem areas
• Cost Explorer can help you to identify service usage
statistics such as:
• Which services you use the most
• View metrics for which AZ has the most traffic
• Which linked account is used the most
171. © Digital Cloud Training | https://digitalcloud.training
AWS Cost & Usage Report
• Publish AWS billing reports to an Amazon S3
bucket
• Reports break down costs by:
• Hour, day, month, product, product resource, tags
• Can update the report up to three times a day
• Create, retrieve, and delete your reports using the
AWS CUR API Reference
172. © Digital Cloud Training | https://digitalcloud.training
AWS Price List API
• Query the prices of AWS services
• Price List Service API (AKA the Query API) – query
with JSON
• AWS Price List API (AKA the Bulk API) – query
with HTML
• Alerts via Amazon SNS when prices change
173. © Digital Cloud Training | https://digitalcloud.training
AWS Cost Management Tools
174. © Digital Cloud Training | https://digitalcloud.training
SECTION 16
Migration, Machine Learning and More
175. © Digital Cloud Training | https://digitalcloud.training
AWS Migration and Transfer
Services
176. © Digital Cloud Training | https://digitalcloud.training
AWS Migration Tools
EC2 Instances
EFS File system
Corporate data center
Servers
Region
VPN or Direct
Connect connection
Amazon RDS
Amazon S3
Database
NAS / File
Server
AWS Database Migration
Service
AWS Server Migration
Service
AWS DataSync
AWS Migration Hub
177. © Digital Cloud Training | https://digitalcloud.training
AWS Database Migration Service (DMS)
Data center
Data center
Oracle
database
MySQL
database
Can be on-premises,
on EC2, or RDS
AWS Database Migration
Service
AWS Database Migration
Service
Amazon RedShift
Amazon Aurora
Use the Schema
Conversion Tool
for heterogeneous
migrations
Destinations include
Aurora, RedShift
DynamoDB, and
DocumentDB
178. © Digital Cloud Training | https://digitalcloud.training
AWS Server Migration Service (SMS)
AWS Server Migration
Service
Amazon Machine Image
EC2 Instances
Automated,
incremental and
scheduled migrations
EC2 instances
can be created
from the AMIs
• AWS SMS migrates VMware vSphere, Microsoft
Hyper-V/SCVMM, and Azure virtual machines to
Amazon EC2
CloudWatch Events
and Lambda can
automate actions
Data center
VMware Hyper-V
AWS SMS
Connector installed
179. © Digital Cloud Training | https://digitalcloud.training
AWS DataSync
Data center
NFS or SMB
NAS / File
Server AWS DataSync Amazon FSx for Windows
File Server
Amazon Simple Storage
Service
Amazon Elastic File
System
Scheduled,
automated
data transfer
Data is encrypted
in transit with TLS
AWS SnowCone
DataSync software
agent connects to
storage system
DataSync agent
installed on Snowcone
180. © Digital Cloud Training | https://digitalcloud.training
AWS Snowball Family
• AWS Snowball and Snowmobile are used for migrating large
volumes of data to AWS
• Snowball Edge Compute Optimized
• Provides block and object storage and optional GPU
• Use for data collection, machine learning and processing, and storage
in environments with intermittent connectivity (edge use cases)
• Snowball Edge Storage Optimized
• Provides block storage and Amazon S3-compatible object storage
• Use for local storage and large-scale data transfer
• Snowcone
• Small device used for edge computing, storage and data transfer
• Can transfer data offline or online with AWS DataSync agent
181. © Digital Cloud Training | https://digitalcloud.training
AWS Snowball Family
• Uses a secure storage device for physical transportation
• Snowball Client is software that is installed on a local computer
and is used to identify, compress, encrypt, and transfer data
• Uses 256-bit encryption (managed with the AWS KMS) and
tamper-resistant enclosures with TPM
• Snowball (80TB) (50TB ) “petabyte scale”
• Snowball Edge (100TB) “petabyte scale”
• Snowmobile – “exabyte scale” with up to 100PB per Snowmobile
182. © Digital Cloud Training | https://digitalcloud.training
AWS Machine Learning
Services
183. © Digital Cloud Training | https://digitalcloud.training
AWS Rekognition
Identify objects Perform facial analysis
Celebrity recognition
184. © Digital Cloud Training | https://digitalcloud.training
AWS Rekognition in Event-Driven Architecture
S3 Bucket
AWS Lambda Amazon Rekognition
Amazon Simple Notification
Service
AWS Lambda
Amazon DynamoDB
User uploads image
Upload to S3 triggers a
Lambda function
Rekognition
analyzes the
image
Rekognition publishes
result status to an SNS
Topic
A Lambda function
process the results
and creates an
item in DynamoDB
185. © Digital Cloud Training | https://digitalcloud.training
AWS Rekognition
• Add image and video analysis to your applications
• Identify objects, people, text, scenes, and activities
in images and videos
• Processes videos stored in an Amazon S3 bucket
• Publish completion status to Amazon SNS Topic
186. © Digital Cloud Training | https://digitalcloud.training
Amazon Transcribe
• Add speech to text capabilities to applications
• Recorded speech can be converted to text before it
can be used in applications
• Uses a deep learning process called automatic
speech recognition (ASR) to convert speech to text
quickly and accurately
187. © Digital Cloud Training | https://digitalcloud.training
Amazon Translate
• Neural machine translation service that delivers
fast, high-quality, and affordable language
translation
• Uses deep learning models to deliver more accurate
and more natural sounding translation
• Localize content such as websites and applications
for your diverse users
188. © Digital Cloud Training | https://digitalcloud.training
Amazon SageMaker
• Helps data scientists and developers to prepare, build,
train, and deploy high-quality machine learning (ML)
models
• ML development activities including:
• Data preparation
• Feature engineering
• Statistical bias detection
• Auto-ML
• Training and tuning
• Hosting
• Monitoring
• Workflows
189. © Digital Cloud Training | https://digitalcloud.training
Amazon Comprehend
• Natural-language processing (NLP) service
• Uses machine learning to uncover information in
unstructured data
• Can identify critical elements in data, including
references to language, people, and places, and the
text files can be categorized by relevant topics
• In real time, you can automatically and accurately
detect customer sentiment in your content
190. © Digital Cloud Training | https://digitalcloud.training
Amazon Lex
• Conversational AI for Chatbots
• Build conversational interfaces into any application
using voice and text
• Build bots to increase contact center productivity,
automate simple tasks, and drive operational
efficiencies across the enterprise
191. © Digital Cloud Training | https://digitalcloud.training
Amazon Polly
• Turns text into lifelike speech
• Create applications that talk, and build entirely new
categories of speech-enabled products
• Text-to-Speech (TTS) service uses advanced deep
learning technologies to synthesize natural
sounding human speech
192. © Digital Cloud Training | https://digitalcloud.training
End User Computing
193. © Digital Cloud Training | https://digitalcloud.training
Amazon Workspaces
• Managed Desktop-as-a-Service (DaaS) solution
• Provision either Windows or Linux desktops
• Simplifies delivery of desktops compared to
traditional virtual desktop infrastructure (VDI)
deployments
194. © Digital Cloud Training | https://digitalcloud.training
Amazon Workspaces
VPC
AWS Managed Microsoft AD
Amazon Workspaces
Windows 7 Windows 10 Linux
Windows 10 desktop
is streamed to client
195. © Digital Cloud Training | https://digitalcloud.training
AWS AppStream 2.0
• Fully managed non-persistent application streaming service
• Alternative to popular products such as Citrix XenApp
VPC
AWS Managed Microsoft AD
Amazon AppStream 2.0
Streaming Instances
Application is
streamed to browser
196. © Digital Cloud Training | https://digitalcloud.training
AWS WorkLink
• Provides secure, one-click access to your internal
websites and web apps using mobile phone
browsers
• Does not require VPN client or App
Corporate
Data Center
Amazon WorkLink
Internal websites and
web apps
One-click access to
internal content from
browser
197. © Digital Cloud Training | https://digitalcloud.training
AWS WorkDocs
• Fully managed, secure content creation, storage, and
collaboration service
• Create, edit, and share content that’s centrally stored on AWS
199. © Digital Cloud Training | https://digitalcloud.training
The Internet of Things (IoT)
• Describes the network of physical objects that are
embedded with sensors or software
• Each IoT device can communicate and exchange
data with other devices and systems
• Use cases include:
• Smart home automation
• Smart healthcare
• Manufacturing
• Agriculture
200. © Digital Cloud Training | https://digitalcloud.training
AWS IoT Core
• Lets you connect IoT devices to the AWS cloud
without the need to provision or manage servers
• Can support billions of devices and trillions of
messages
201. © Digital Cloud Training | https://digitalcloud.training
SECTION 17
Exam Preparation and Tips
202. © Digital Cloud Training | https://digitalcloud.training
Booking your Exam
203. © Digital Cloud Training | https://digitalcloud.training
Exam Preparation Tips
204. © Digital Cloud Training | https://digitalcloud.training
Exam Preparation Tips
• Dedicate regular time to learning
• Use the free study plan
• Use practice tests early and regularly
• Review knowledge areas where you score poorly
• Don’t book the exam until you’re ready
• Non-native English speakers can request an
extension (extra 30 minutes)
• If you’ve taken another AWS exam before, use your
50% discount voucher
205. © Digital Cloud Training | https://digitalcloud.training
Exam Question Walkthrough