65 Questions = 100 Minutes
AWS Cloud Practitioner Certification is more about checking your knowledge for various AWS services (just like any other cloud foundational certification like AZ-900 etc.)
Among all the services/tools, the highest focus is on Storage Services and Computing Services with at least 20% questions on Storage and Computing only.
Another 20% questions are around the benefits of Cloud over On-premise infrastructure and around shared responsibility.
Rest 60% questions are spread across various services primarily Database Services, Security Services, Networking Services and Management Tools.
Here are my notes for preparation for AWS Cloud Practitioner Certification and if you prep these notes well and do some practice on AWS, you hopefully should get good score. I hope you find these useful.
AWS Quick Start Reference Deployments: AWS Quick Start Reference Deployments outline the architectures for popular enterprise solutions on AWS and provide AWS CloudFormation templates to automate their deployment. Each Quick Start launches, configures, and runs the AWS compute, network, storage, and other services required to deploy a specific workload on AWS, using AWS best practices for security and availability.
Quick Starts are built by AWS solutions architects and partners to help you deploy popular technologies on AWS, based on AWS best practices. These accelerators reduce hundreds of manual installation and configuration procedures into just a few steps, so you can build your production environment quickly and start using it immediately.
AWS OpsWorks: AWS OpsWorks is a configuration management service that provides managed instances of Chef and Puppet. Chef and Puppet are automation platforms that allow you to use code to automate the configurations of your servers.
OpsWorks lets you use Chef and Puppet to automate how servers are configured, deployed, and managed across your Amazon EC2 instances or on-premises compute environments.
Amazon CloudWatch: Amazon CloudWatch is mainly used to monitor the utilization of your AWS resources and the applications you run on AWS. You can use Amazon CloudWatch to collect and track metrics, collect and monitor log files, set alarms, and automatically react to changes in your AWS resources. Amazon CloudWatch can monitor AWS resources such as Amazon EC2 instances, Amazon DynamoDB tables, and Amazon RDS DB instances, as well as custom metrics generated by your applications and services, and any log files your applications generate. You can use CloudWatch to detect anomalous behavior in your environments, take automated actions, troubleshoot issues, and discover insights to keep your applications running smoothly.
By default, logs are kept indefinitely and never expire. You can adjust the retention policy for each log group, keeping the indefinite retention, or choosing a retention period between 10 years and one day.’ Reference: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html ‘You can use subscriptions to get access to a real-time feed of log events from CloudWatch Logs and have it delivered to other services such as a Amazon Kinesis stream, Amazon Kinesis Data Firehose stream, or AWS Lambda for custom processing, analysis, or loading to other systems’ Reference: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Subscriptions.html Also, AWS CloudWatch is NOT FREE; There is a Free Tier and a Paid Tier.
Note: CloudTrail is for auditing whereas CloudWatch is for performance monitoring.
Amazon S3: Amazon S3 is an object level storage built to store and retrieve any amount of data from anywhere — web sites and mobile apps, corporate applications, and data from IoT sensors or devices. It is designed to deliver 99.999999999% durability, and stores data for millions of applications used by market leaders in every industry.
S3 One Zone-IA is for data that is accessed less frequently, but requires rapid access when needed. Unlike other S3 Storage Classes which store data in a minimum of three Availability Zones (AZs), S3 One Zone-IA stores data in a single AZ and costs 20% less than S3 Standard-IA.
Amazon EFS: Amazon EFS is a file-level storage technology that provides massively parallel shared access to thousands of Amazon EC2 instances, enabling your applications to achieve high levels of aggregate throughput and IOPS with consistently low latencies.
Amazon Elastic File System (Amazon EFS) provides a simple, scalable, fully managed elastic NFS file system for use with AWS Cloud services and on-premises resources. It is built to scale on demand to petabytes without disrupting applications, growing and shrinking automatically as you add and remove files, eliminating the need to provision and manage capacity to accommodate growth.
Amazon EFS is designed to provide the throughput, IOPS, and low latency needed for Linux workloads. Throughput and IOPS scale as a file system grows and can burst to higher throughput levels for short periods of time to support the unpredictable performance needs of file workloads. For the most demanding workloads, Amazon EFS can support performance over 10 GB/sec and up to 500,000 IOPS.
EFS is a fully-managed service that makes it easy to set up and scale file storage in the Amazon Cloud. EFS filesystems are mounted using the NFS protocol (which is a file-level protocol).
Access to EFS file systems from on-premises servers can be enabled via Direct Connect or AWS VPN.
You mount an EFS file system on your on-premises Linux server using the standard Linux mount command for mounting a file system via the NFSv4.1 or NFSv5 protocol.
Amazon EBS: Amazon EBS is a block-level storage that provides storage volumes for use with Amazon EC2 and Amazon RDS instances.
An Amazon EBS volume is a durable (most durable is S3 storage), block-level storage device that you can attach to a single EC2 instance. You can use EBS volumes as primary storage for data that requires frequent updates, such as the system drive for an instance or storage for a database application. You can also use them for throughput-intensive applications that perform continuous disk scans.
Note: Amazon Elastic File System allows you to connect hundreds or thousands of EC2 instances concurrently and is accessed using the file-level NFS protocol. (Note that Amazon Elastic Block Storage provides block-level volumes to individual EC2 instances, cannot connect multiple instances to a single EBS volume)
Amazon Instance Store: An instance store provides temporary block-level storage for your EC2 instances. Instance store is ideal for temporary storage of information that changes frequently, such as buffers, caches, scratch data, and other temporary content.
Amazon Glacier is an archiving solution that is accessed through S3.
Amazon Relational Database Service (Amazon RDS): RDS makes it easy to set up, operate, and scale a relational database in the cloud. It provides cost-efficient, resizable capacity while automating time-consuming administration tasks such as hardware provisioning, operating system maintenance, database setup, patching and backups. It frees you to focus on your applications so you can give them the fast performance, high availability, security and compatibility they need.
Amazon RDS is a managed-service that can be used to host Amazon Aurora, PostgreSQL, MySQL, MariaDB, Oracle, and SQL Server databases.
Amazon Aurora: Amazon Aurora is a database service. Aurora supports only MySQL and Postgres.
Amazon Redshift: Amazon Redshift is not a MySQL database service. Amazon Redshift is a fully managed data warehouse service that makes it simple and cost-effective to analyze all your data using standard SQL and your existing Business Intelligence (BI) tools.
Amazon DynamoDB: Amazon DynamoDB is not a MySQL database service. Amazon DynamoDB is a fully managed NoSQL database service.
DynamoDB is serverless with no servers to provision, patch, or manage and no software to install, maintain, or operate. DynamoDB automatically scales tables up and down to adjust for capacity and maintain performance. Availability and fault tolerance are built in, eliminating the need to architect your applications for these capabilities.
Other managed services include: AWS Lambda, Amazon RDS, Amazon Redshift, Amazon CloudFront, and several other services.
Infrastructure Event Management (IEM): AWS Infrastructure Event Management (IEM) is a structured program available to Enterprise Support customers (and Business Support customers for an additional fee) that helps you plan for large-scale events such as product or application launches, infrastructure migrations, and marketing events. With Infrastructure Event Management, you get strategic planning assistance before your event, as well as real-time support during these moments that matter most for your business.
Technical Account Manager: For Enterprise-level customers, a TAM (Technical Account Manager) provides technical expertise for the full range of AWS services and obtains a detailed understanding of your use case and technology architecture. TAMs work with AWS Solution Architects to help you launch new projects and give best practices recommendations throughout the implementation life cycle. Your TAM is the primary point of contact for ongoing support needs, and you have a direct telephone line to your TAM.
Direct Connect: AWS Direct Connect is a cloud service solution that is used to establish a dedicated network connection between your on-premises networks and AWS.
AWS Direct Connect enables you to securely connect your AWS environment to your on-premises data center or office location over a standard 1 gigabit or 10 gigabit Ethernet fiber-optic connection. AWS Direct Connect offers dedicated high speed, low latency connection, which bypasses internet service providers in your network path. An AWS Direct Connect location provides access to Amazon Web Services in the region it is associated with, as well as access to other US regions. AWS Direct Connect allows you to logically partition the fiber-optic connections into multiple logical connections called Virtual Local Area Networks
(VLAN). You can take advantage of these logical connections to improve security, differentiate traffic, and achieve compliance requirements.
AWS VPN: AWS Virtual Private Network (AWS VPN) allows you to establish a secure and private tunnel from your network or device to the AWS global network.
Amazon Virtual Private Cloud (Amazon VPC): It allows you to carve out a portion of the AWS Cloud that is dedicated to your AWS account. Amazon VPC enables you to launch AWS resources into a virtual network that you’ve defined. This virtual network closely resembles a traditional network that you’d operate in your own data center, with the benefits of using the scalable infrastructure of AWS.
An AWS managed VPN can be used to quickly connect from an office to an Amazon VPC. An Amazon VPC provides the option of creating an IPsec VPN connection between remote customer networks and their Amazon VPC over the internet, as shown in the following figure. Consider taking this approach when you want to take advantage of an AWS managed VPN endpoint that includes automated multi–data center redundancy and failover built into the AWS side of the VPN connection
AWS Subnets: A subnet is a range of IP addresses within a VPC.
Amazon Route 53 is a global service that provides highly available and scalable Domain Name System (DNS) services, domain name registration, and health-checking web services. It is designed to give developers and businesses an extremely reliable and cost effective way to route end users to Internet applications by translating names like example.com into the numeric IP addresses, such as 192.0.2.1, that computers use to connect to each other.
Route 53 also simplifies the hybrid cloud by providing recursive DNS for your Amazon VPC and on-premises networks over AWS Direct Connect or AWS VPN.
Amazon Route 53 is a highly available and scalable Domain Name System (DNS) service using hosted zones. It can also be used for domain registration, health checks, and traffic flow.
How do you automate health checkup in AWS?
You should attempt to build as much automation as possible in both detecting and reacting to failure. You can use services like ELB and Amazon Route53 to configure health checks and mask failure by only routing traffic to healthy endpoints. In addition, Auto Scaling can be configured to automatically replace unhealthy nodes. You can also replace unhealthy nodes using the Amazon EC2 auto-recovery feature or services such as AWS OpsWorks and AWS Elastic Beanstalk. It won’t be possible to predict every possible failure scenario on day one. Make sure you collect enough logs and metrics to understand normal system behavior. After you understand that, you will be able to set up alarms that trigger automated response or manual intervention.
AWS Server Migration Service: AWS Server Migration Service (SMS) is used to migrate your on-premises workloads to AWS.
AWS Organizations (very important topic): It helps customers centrally govern their environments as they grow and scale their workloads on AWS. Whether customers are a growing startup or a large enterprise, Organizations helps them to centrally manage billing; control access, compliance, and security; and share resources across their AWS accounts.
AWS Organizations has five main benefits:
1) Centrally manage access polices across multiple AWS accounts.
2) Automate AWS account creation and management.
3) Control access to AWS services.
4) Consolidate billing across multiple AWS accounts.
5) Configure AWS services across multiple accounts.
AWS Organizations enables you to create groups of AWS accounts and then centrally manage policies across those accounts. AWS Organizations provides consolidated billing in both feature sets, which allows you set up a single payment method in the organization’s master account and still receive an invoice for individual activity in each member account. Volume pricing discounts can be applied to resources.
AWS Trusted Advisor: AWS Trusted Advisor is an online tool that provides you real time guidance to help you provision your resources following AWS best practices. AWS Trusted Advisor offers a rich set of best practice checks and recommendations across five categories: cost optimization; security; fault tolerance; performance; and service limits.
AWS Trusted Advisor improves the security of your application by closing gaps, enabling various AWS security features, and examining your permissions.
AWS Trusted Advisor provides real-time guidance to help customers provision resources following AWS best practices. The service offers guidance for cost optimization, performance, security, fault tolerance, and service limits.
AWS Config: It is a fully managed service that provides customers with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance.
AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. With Config, you can review changes in configurations and relationships between AWS resources, dive into detailed resource configuration histories, and determine your overall compliance against the configurations specified in your internal guidelines. This enables you to simplify compliance auditing, security analysis, change management, and operational troubleshooting.
AWS Shield: It is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS.
AWS provides flexible infrastructure and services that help customers implement strong DDoS mitigations and create highly available application architectures that follow AWS Best Practices for DDoS Resiliency. These include services such as Amazon Route 53, Amazon CloudFront, Elastic Load Balancing, and AWS WAF to control and absorb traffic, and deflect unwanted requests. These services integrate with AWS Shield, a managed DDoS protection service that provides always-on detection and automatic inline mitigations to safeguard web applications running on AWS.
AWS KMS: It provides a highly available key storage, management, and auditing solution for you to encrypt data within your own applications and control the encryption of stored data across AWS services.
Both AWS KMS and AWS CloudHSM can be used to generate data encryption keys. You use what are called customer master keys (CMKs) to create data encryption keys. The data encryption keys can then be used to actually encrypt the data.
Amazon Cognito: It allows you to add user sign-up, sign-in, and access control to your web and mobile apps quickly and easily.
AWS Dedicated Hosts: An Amazon EC2 Dedicated Host is a physical server with EC2 instance capacity fully dedicated to your use. Dedicated Hosts can save you money by enabling you to leverage your existing server-bound software license investments (e.g., Windows Server, Windows SQL Server, and SUSE Linux Enterprise Server) within EC2, subject to your license terms. Dedicated Hosts also give you more flexibility, visibility, and control over the placement of instances on dedicated hardware. This makes it easier to ensure you deploy your instances in a way that meets your compliance and regulatory requirements.
Reserved instances: Reserved instances are recommended for Customers that can commit to using EC2 over a 1 or 3-year term to reduce their total computing costs. Even if the project will last for more than a year, the cost-benefit for acquiring Reserved Instances is not as great as the cost-benefit from using Spot Instances. The Spot option provides the largest discount (up to 90%).
On-demand instances: On-demand instances are significantly less cost-effective than spot instances.
With On-Demand Instances, you pay for compute capacity by the second with no long-term commitments. You have full control over its lifecycle — you decide when to launch, stop, hibernate, start, reboot, or terminate it.
There is no long-term commitment required when you purchase On-Demand Instances. You pay only for the seconds that your On-Demand Instances are in the running state. The price per second for a running On-Demand Instance is fixed, and is listed on the Amazon EC2 Pricing, On-Demand Pricing page.
Amazon recommend that you use On-Demand Instances for applications with short-term, irregular workloads that cannot be interrupted.
Dedicated instances: Dedicated instances are used when you need your instances to be physically isolated at the host hardware level from instances that belong to other AWS accounts. Dedicated instances are significantly more expensive than Spot Instances
Convertible RIs (Reserved Instances): They provide a discount (up to 54% off On-Demand) and the capability to change the attributes of the RI as long as the exchange results in the creation of Reserved Instances of equal or greater value. These attributes include instance family, instance type, platform, scope, and tenancy.
Standard RIs: Standard RIs provide the most significant discount (up to 75% off On-Demand) and are best suited for steady-state usage. Standard Reserved Instances are not modifiable
Scheduled RIs: Scheduled RIs are available to launch within the time windows you reserve. This option allows you to match your capacity reservation to a predictable recurring schedule that only requires a fraction of a day, a week, or a month. Scheduled Reserved Instances are not modifiable
Spot instances: They provide a discount (up to 90%) off the On-Demand price. The Spot price is determined by long-term trends in supply and demand for EC2 spare capacity. If the Spot price exceeds the maximum price you specify for a given instance or if capacity is no longer available, your instance will automatically be interrupted.
Spot Instances are a cost-effective choice if you can be flexible about when your applications run and if you don’t mind if your applications get interrupted. For example, Spot Instances are well-suited for data analysis, batch jobs, background processing, and optional tasks.
Amazon Elastic Container Registry (ECR): It is a Docker container registry that allows developers to store, manage, and deploy Docker container images.
Amazon Athena is an interactive query service that is mainly used to analyze data in Amazon S3 using standard SQL.
AWS CloudFormation allows you to use programming languages or a simple text file to model and provision, in an automated and secure manner, all the resources needed for your applications across all regions and accounts. You create a template that describes all the AWS resources that you want (like Amazon EC2 instances or Amazon RDS DB instances), and AWS CloudFormation takes care of provisioning and configuring those resources for you. You don’t need to individually create and configure AWS resources and figure out what’s dependent on what; AWS CloudFormation handles all that for you.
AWS CloudFormation provides a common language for you to describe and provision all the infrastructure resources in your cloud environment. CloudFormation allows you to use a simple text file to model and provision, in an automated and secure manner, all the resources needed for your applications across all regions and accounts. This file serves as the single source of truth for your cloud environment.
Amazon EMR launches clusters in minutes. You don’t need to worry about node provisioning, infrastructure setup, Hadoop configuration, or cluster tuning. Amazon EMR takes care of these tasks so you can focus on analysis.
For managed services such as Amazon Elastic MapReduce (Amazon EMR) and DynamoDB, AWS is responsible for performing all the operations needed to keep the service running.
AWS Artifact is a self-service audit artifact retrieval portal that provides customers with on-demand access to AWS’ compliance documentation and AWS agreements. You can use AWS Artifact Agreements to review, accept, and track the status of AWS agreements such as the Business Associate Addendum (BAA).
You can also use AWS Artifact Reports to download AWS security and compliance documents, such as AWS ISO certifications, Payment Card Industry (PCI), and System and Organization Control (SOC) reports.
AWS CloudTrail is an AWS service that can be used to monitor all user interactions with the AWS environment.
AWS CloudTrail is a web service that records activity made on your account and delivers log files to an Amazon S3 bucket. CloudTrail is for auditing whereas CloudWatch is for performance monitoring.
What is the preferred architecture pattern recommended by AWS?
Preferred architecture pattern recommended by AWS is Asynchronous integration. Asynchronous integration is a form of loose coupling between services. This model is suitable for any interaction that does not need an immediate response and where an acknowledgement that a request has been registered will suffice.
Amazon Simple Queue Service (SQS) and AWS Step Functions both provide asynchronous integration. SQS provides a durable message bus and Step Functions is an orchestrated workflow service.
Regions and Availability Zones
The AWS Global infrastructure is built around Regions and Availability Zones (AZs). A Region is a physical location in the world where AWS have multiple AZs. AZs consist of one or more discrete data centers, each with redundant power, networking, and connectivity, housed in separate facilities
TCO calculator: The TCO calculator is a free tool provided by AWS that allows you to estimate the cost savings of using the AWS Cloud vs. using an on-premised data center.
The TCO calculator can compare the cost of your applications in an on-premises or traditional hosting environment to AWS. You describe your on-premises or hosting environment configuration to produce a detailed cost comparison with AWS.
AWS CodeCommit is a fully-managed source control service that hosts secure Git-based repositories. It makes it easy for teams to collaborate on code in a secure and highly scalable ecosystem.
AWS Database Migration Service is used to migrate databases to AWS quickly and securely. The source database remains fully operational during the migration, minimizing downtime to applications that rely on the database. The AWS Database Migration Service can migrate data to and from most widely used commercial and open-source databases.
The identity and access management service (IAM) is used to securely control individual and group access to AWS resources. IAM can also be used to manage multi-factor authentication (MFA). With MFA you add an additional factor of authentication such Google Authenticator device. This is “something you have” and is used with your password “something you know”.
CloudFront is a content delivery network (CDN) that allows you to store (cache) your content at “edge locations” located around the world. This allows customers to access content more quickly and provides security against DDoS attacks. CloudFront can be used for data, videos, applications, and APIs.
· Cache content at Edge Location for fast distribution to customers.
· Built-in Distributed Denial of Service (DDoS) attack protection.
· Integrates with many AWS services (S3, EC2, ELB, Route 53, Lambda).
For lowest latency, you have to choose CloudFront (E), and then you also have to use S3 in order to make use of CloudFront. CloudFront doesn’t work with EBS and EFS.
LightSail: Amazon LightSail provides developers compute, storage, and networking capacity and capabilities to deploy and manage websites, web applications, and databases in the cloud.
LightSail provides preconfigured virtual private servers (instances) that include everything required to deploy and application or create a database.
Deploying a server on LightSail is extremely easy and does not require knowledge of how to configure VPCs, security groups, network ACLs etc.
AWS Elastic Beanstalk can be used to quickly deploy and manage applications in the AWS Cloud. It is considered a PaaS service. However, you do still need to deploy within a VPC so more AWS expertise is required
What are various ways to interact with AWS Services?
There are three forms to interact with AWS Services.
· AWS MGMT CONSOLE Graphical interface to access AWS features
· COMMAND LINE INTERFACE (CLI) Lets you control AWS services from command line
· SOFTWARE DEVELOPMENT KITS (SDKs) Enable you to access AWS using a variety of popular programming languages
AWS Professional Services: This is the AWS team that assists customers with accelerating cloud adoption through paid engagements in any of several specialty practice areas
AWS Partner Network Consulting Partners: This is leveraged when a customer would like to design and build a new workload on AWS Cloud but does not have the AWS-related software technical expertise in-house. In such cases, customer can take advantage of to achieve that outcome.
AWS Cost Explorer: AWS Cost Explorer gives you a good insight about your costs and expenditures, it doesn’t provide any recommendation out of the box nor it can help you improving the performance of your system. AWS Trusted Advisor fulfill all this tasks.
Which AWS tools assist with estimating costs?
· Cost allocation tags
· AWS Simple Monthly Calculator
· AWS Total Cost of Ownership (TCO) Calculator