This post is part of a series of AWS related posts.
Intro
This is the beginner’s exam and the entrance barrier into the world of AWS
certifications. AWS calls this the foundational level.
I’ve decided to take this exam to familiarize myself with the AWS jargon and
more importantly with the AWS certification exam format & type of questions.
This certification has the id AWS-CLF-C01. The suffix C01 is the version of the exam and is an incremental counter.
In the following chapters, you will find the notes that I’ve taken during the AWS online course (the notes are almost a transcript of the instructor videos). Without taking the course, you might lack some context and have difficulties understanding the structure of the notes. If you understand the notes, you’re ready for the exam 🤓.
Some links to navigate AWS trainings & exams:
- Exam website: aws.training
- Old training website: aws.training
- New training website: Skillbuilder
- A game by AWS to learn about cloud: Cloud Quest
Links to further information in the following chapters are optional to read and not required to pass the exam.
Module 1: Intro
Introduction
- You only pay for what you use (pay-as-you-go)
- Client - Server model
Cloud Computing
- On-demand delivery (get resources when you need them)
- Undifferentiated heavy lifting of IT
- Outsource what is not your core business and makes you more valuable than competitor
- Outsource the boring stuff (tasks that are common, heavy)
- Over the internet
- Deployment models: cloud-based, on-premises (private cloud), hybrid
- Private cloud: using virtualization on-prem
- Trade upfront expense for variable expense (CapEx->OpEx)
- Economy of scale (resources are cheaper for AWS, because they need more)
- AWS gets discounts, tax reductions, etc.
AWS Compute Services
EC2:
- EC2: Elastic Cloud Compute
- CaaS (Compute as a Service)
- Virtual machines
- AWS builds data centers
- AWS secures data centers
- AWS purchases servers
- AWS installs servers
- pay for what you use
- Multitenancy: sharing the underlying hardware (by leveraging hypervisor technology)
- Windows or Linux
- EC2 instances are resizable (vertical scaling)
- Launch: select template (basic configuration)
- Placement group:
- a group of EC2 instances within a single Availability Zone
- the EC2 service attempts to place the instance in such a way that all of your instances are spread out across underlying hardware to minimize correlated failures
Module 2: Compute in the Cloud
EC2 Instance Types
EC2 instance families:
- General purpose
- Balanced resources
- Diverse workloads
- Web servers
- Code repositories
- Compute optimized
- Compute intensive tasks
- Gaming servers
- High performance computing (HPC)
- Scientific modeling
- Memory optimized
- Process large datasets in memory
- High performance databases
- Accelerated computing
- Floating point number calculations
- Graphics processing
- Data pattern matching
- Utilizes hardware accelerators
- Storage optimized
- High performance for locally stored data
- Distributed file systems
- Data warehousing
- High frequency online trading
- IOPS: input output operations per second that a device can perform
- input: record entered into db
- output: data generated by server (e.g. analytics performed on db)
- Migrate on-prem workload to cloud
- use AWS Server Migration Service, now called AWS Application Migration Service
EC2 Pricing
Options:
- On-demand
- Per Second pricing unit
- Reserved instances (RIs)
- Focus: reserve particular machines
- Affects: EC2
- predictable usage
- stick to instance family & size
- change instance type
- can’t change regions
- 1 year or 3 years terms
- Savings plan
- Focus: reserve particular workload
- Affects: EC2, Fargate, Lambda, SageMaker
- More flexibility than RIs
- stick to instance family
- change instance type & size
- can’t change regions
- 1 year or 3 years terms
- same discount as RIs, but more flexibility
- Instead of having to evaluate which Reserved Instance(s) to buy and committing to a specific instance type, Savings Plans allow you to commit to a certain amount of spend in dollars and AWS will grant you the highest amount of savings possible regardless of the specific instance type you’re using
- Spot instances
- AWS gives you a 2 min heads-up and then can reclaim the hardware
- good for workload that can be interrupted (e.g. batch workload)
- Dedicated host
Scaling EC2
- Scalability & Elasticity, provided by EC2 “Auto Scaling”
- Scale resources up and down, based on demand
- Scaling resources: scaling in & out
- EC2 Auto Scaling
- Dynamic scaling: based on changing demand
- Predictive scaling: scheduling # of instances, based on predicted demand
- Scaling up: adding more resources (CPU, memory, etc.) to instance (mnemonic: up -> “bigger” instance)
- Scaling out: add more instances
Directing traffic w/ Elastic Load Balancing
- Load balancer: routing requests to services
- ELB: Elastic Load Balancing
- regional construct
Messaging & Queuing
- Decoupling components
- Loosely coupled architecture advantage: single failure won’t cause cascading failures
- SQS: simple queue service
- send, store & receive messages between software components
- SNS: simple notification service
- publish/subscribe model
- SNS topic: a channel for messages to be delivered
- subscribers: web servers, email addresses, lambda functions, etc.
Additional Compute Services
- Serverless: you cannot see the underlying infrastructure (abstracted)
- e.g. Lambda, EKS (Elastic K8s Service), ECS (Elastic Container Service), Fargate
Module 3: Global Infrastructure and Reliability
- A region consists of multiple availability zones
- Data always stays in a region (data sovereignty)
- Factors to decide about regions
- compliance
- proximity (to users; latency)
- feature availability (not all regions have all features)
- pricing
Availability Zones (AZ)
- an AZ consists of one or more data centers in an AWS Region
- with redundant power, networking, and connectivity
- regionally-scoped services are by definition highly available (e.g. ELB)
Edge locations
- Edge locations are Amazon DCs closer to users than regions or AZs
- Edge locations are sites that host
- Amazon CloudFront to store cached copies of your content closer to your customers
- Amazon Route53
- AWS WAF & AWS Shield
- Outpost: a region in your DC, managed by AWS
Provision AWS Resources
- APIs for everything…
- AWS CLI: API calls via CLI, scriptable & repeatable
- Elastic Beanstalk
- to deploy web applications
- takes application code and runtime config and does…
- adjust capacity
- load balancing
- automatic scaling
- application health monitoring
- CloudFormation
- to deploy infrastructure
- IaC (CF “templates”)
- declarative
- provision resources in repeatable manner
- AWS OpsWorks
- automate with Chef and Puppet
Module 4: Networking
AWS Connectivity
- VPC: virtual private cloud
- a private network in the cloud
- IGW: Internet Gateway
- allow public traffic from internet into VPC
- VPG: Virtual Private Gateway
- allow PRIVATE traffic from internet into VPC (VPN)
- Direct Connect:
- dedicated fiber connection between DC and AWS VPC
Subnets & ACLs
Network Hardening:
- reason to use subnets: control access from IGW to resources
- Private subnets cannot be accessed from IGW
- ACLs check traffic in/out of subnets
- Default: allow all inbound/outbound traffic
- Stateless
- IGW checks traffic in/out of VPC
- Security Groups (SG) check traffic in/out of instance
- Default: outbound allowed all, inbound denied all
- Stateful
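The stateless/stateful difference above is the one thing in this module people get wrong in practice. The following is an added example written for these notes (it is not AWS code and does not talk to AWS): a small model of a network ACL and a security group run over constructed packets, showing that an ACL needs an explicit outbound rule for the ephemeral ports before an HTTPS reply can leave, that a security group lets the reply through via connection tracking, and that a security group with no UDP rule denies UDP simply because security groups can only allow. Addresses, ports and the rule format are constructed for the demo.

```python
"""Stateless network ACL vs stateful security group (added illustrative model,
not AWS code). Rules are evaluated per direction; a NACL checks every packet,
a security group remembers connections it has already allowed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    port: int       # destination port of this packet
    direction: str  # "in" (towards the instance) or "out" (leaving it)
    conn: tuple     # (client_ip, client_port, server_ip, server_port); same for both directions


@dataclass
class NetworkAcl:
    """Stateless: rules are (proto, (low_port, high_port), action), first match
    wins, no match means deny (a real NACL ends with an implicit deny rule)."""
    inbound: list
    outbound: list

    def allows(self, pkt):
        rules = self.inbound if pkt.direction == "in" else self.outbound
        for proto, (lo, hi), action in rules:
            if proto == pkt.proto and lo <= pkt.port <= hi:
                return action == "allow"
        return False


@dataclass
class SecurityGroup:
    """Stateful: only allow rules (proto, (low_port, high_port)) exist. A packet
    matching a rule opens a tracked connection; later packets of that connection
    pass in either direction without consulting the rules again."""
    inbound: list
    outbound: list
    _tracked: set = field(default_factory=set)

    def allows(self, pkt):
        if pkt.conn in self._tracked:
            return True
        rules = self.inbound if pkt.direction == "in" else self.outbound
        for proto, (lo, hi) in rules:
            if proto == pkt.proto and lo <= pkt.port <= hi:
                self._tracked.add(pkt.conn)
                return True
        return False  # no allow rule matched: implicit deny


def scenario():
    """Constructed HTTPS request/reply pair plus a stray UDP packet."""
    https_conn = ("203.0.113.10", 51000, "10.0.1.5", 443)   # constructed addresses
    request = Packet("tcp", 443, "in", https_conn)
    reply = Packet("tcp", 51000, "out", https_conn)          # reply goes to the client's ephemeral port
    udp_probe = Packet("udp", 53, "in", ("203.0.113.10", 40000, "10.0.1.5", 53))

    # ACL that only allows inbound 443: the reply is dropped because nothing allows it outbound.
    acl_no_ephemeral = NetworkAcl(inbound=[("tcp", (443, 443), "allow")], outbound=[])
    # Corrected ACL: an outbound allow for the ephemeral port range lets replies out.
    acl_fixed = NetworkAcl(inbound=[("tcp", (443, 443), "allow")],
                           outbound=[("tcp", (1024, 65535), "allow")])
    # Security group with inbound 443 only. The default SG allows all outbound; it is
    # emptied here on purpose to show that the reply still passes via connection tracking.
    sg = SecurityGroup(inbound=[("tcp", (443, 443))], outbound=[])

    return {
        "acl_request": acl_no_ephemeral.allows(request),
        "acl_reply_without_ephemeral_rule": acl_no_ephemeral.allows(reply),
        "acl_reply_with_ephemeral_rule": acl_fixed.allows(reply),
        "sg_request": sg.allows(request),
        "sg_reply": sg.allows(reply),
        "sg_udp": sg.allows(udp_probe),   # no UDP rule, so UDP is denied
    }


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name:36} {'allowed' if verdict else 'denied'}")
```

The model deliberately leaves out rule numbers, CIDR matching and ICMP; the point is only the return-traffic behaviour, which is why ACL rule sets in the console almost always carry an outbound "1024-65535" entry.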
Global Networking
- DNS: Route 53
- latency-based routing
- geolocation routing
- traffic based on where user is located
- geoproximity routing
- traffic based on where resource is located (e.g. resource in neighbor country could be closer)
- weighted round robin
- CloudFront: CDN
- delivers content to edge, closest to users
- for static assets
Module 5: Storage & Databases
Block Storage
- when you modify a file in block storage, only the pieces that are changed are updated
EBS - Elastic Block Storage
- Use cases
- Databases
- Enterprise software
- File systems
- EBS volumes: virtual hard drives
- up to 16TiB
- Snapshots: incremental backups
Instance store
- Instance store: block-level storage for EC2
- has the same lifecycle as the EC2 instance, meaning data is lost when the EC2 instance is terminated. That’s why we use EBS, which can be attached to EC2 instances
- Either instance store or EBS can be the “local hard drive with the root FS”.
AWS S3
- Serverless
- S3: Simple Storage Service
- S3: store and retrieve unlimited amount of data
- Data stored as objects (-> object store as opposed to block storage)
- When a file in object storage is modified, the entire object is updated
- Objects accessed via unique key
- Objects stored in buckets instead of FS
- Max object size: 5TB
- Version objects
- WORM: write once, read many
- every file change means: re-upload object
- S3 storage tiers are categorized by availability & durability
- (not “accessibility”, which means ease of access)
- Tiers
- Standard
- 11 nines availability
- 3 copies in different availability zones
- use case: static website hosting
- Standard - Infrequent Access (IA)
- less frequently accessed data
- immediately available like standard
- you don’t need this data often, but if you do, you need it instantly
- use cases
- backup
- disaster recovery files
- never for websites, even if access patterns are “predictable”
- S3 One Zone-IA
- lower-cost option for infrequently accessed data
- if you do not require the multiple Availability Zone data resilience model of S3 Standard
- Glacier
- low cost
- not immediately available
- archiving: retain data for 10+ years for compliance reasons
- Life cycle policies: allows to move objects between tiers
- S3 Intelligent Tiering: a service that monitors access frequency of objects and moves them between Standard and IA to save money
- S3 Transfer Acceleration: fast, easy, and secure transfers of files over long distances between your client and an S3 bucket by leveraging edge locations
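To make the tiers and lifecycle policies concrete, here is an added example (written for these notes, not AWS code): it builds a lifecycle configuration in the JSON shape that `aws s3api put-bucket-lifecycle-configuration --lifecycle-configuration file://lifecycle.json` accepts, and then works out which storage class an object of a given age would be in under that configuration. The bucket prefix, rule name and day thresholds are constructed; the keys (`Rules`, `Status`, `Filter`/`Prefix`, `Transitions`/`Days`/`StorageClass`, `Expiration`) are the real lifecycle-configuration keys.

```python
"""S3 lifecycle rules: build the configuration document and evaluate where an
object ends up after N days (added example, not AWS code; the evaluator is a
simplification and ignores versioning and noncurrent-version rules)."""
import json

LIFECYCLE = {
    "Rules": [
        {
            "ID": "logs-tiering",            # constructed rule name
            "Status": "Enabled",
            "Filter": {"Prefix": "logs/"},   # only objects under logs/ are affected
            "Transitions": [
                # S3 requires at least 30 days in STANDARD before moving to STANDARD_IA
                {"Days": 30, "StorageClass": "STANDARD_IA"},
                {"Days": 90, "StorageClass": "GLACIER"},
            ],
            "Expiration": {"Days": 365},     # delete after a year
        }
    ]
}


def lifecycle_json():
    """Serialise the configuration for `--lifecycle-configuration file://lifecycle.json`."""
    return json.dumps(LIFECYCLE, indent=2)


def storage_class_after(key, age_days, config=LIFECYCLE):
    """Return the storage class an object would be in after `age_days`, or None
    if the object has expired. Objects start in STANDARD; the latest transition
    whose Days threshold has passed wins; expiration removes the object."""
    current = "STANDARD"
    for rule in config["Rules"]:
        if rule["Status"] != "Enabled":
            continue
        prefix = rule.get("Filter", {}).get("Prefix", "")
        if not key.startswith(prefix):
            continue
        expiry = rule.get("Expiration", {}).get("Days")
        if expiry is not None and age_days >= expiry:
            return None
        for transition in sorted(rule.get("Transitions", []), key=lambda t: t["Days"]):
            if age_days >= transition["Days"]:
                current = transition["StorageClass"]
    return current


if __name__ == "__main__":
    print(lifecycle_json())
    for age in (0, 30, 100, 400):
        print(f"logs/app.log after {age:3d} days -> {storage_class_after('logs/app.log', age)}")
    print(f"images/logo.png after 400 days -> {storage_class_after('images/logo.png', 400)}")
```

A quick sanity check on a real bucket after applying such a rule is `aws s3api get-bucket-lifecycle-configuration --bucket <bucket>`, which echoes the same structure back.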
EFS - Elastic File System
- File system to share data between servers
- AWS-managed (autom. scaling, etc.)
- EBS vs EFS
- EBS
- volumes attach to EC2 instances
- AZ-level resource
- needs to be in the same AZ as the EC2 instance
- does not scale
- EFS
- multiple instances reading/writing at same time
- regional resource
- Linux file system
- autom. scales
- files/folders instead of objects
RDS - Relational Database Service
- for storing relational data
- Mysql/MariaDB, Postgres, Oracle, MSSQL
- lift-and-shift migration possible
- Amazon RDS features
- setup
- autom. patching
- backups
- redundancy
- failover
- disaster recovery
- Aurora
- Mysql
- Postgresql
- 1/10th cost of commercial databases
- data replication
- up to 15 read replicas
- continuous backup to S3
- point-in-time recovery
- supports replicas across 3 AZs
DynamoDB
- Serverless db
- organized in items & attributes
- highly performant (better than SQL)
- NoSQL (non-relational db)
- simple schemas (as opposed to SQL schemas)
- Items are identified by keys and have attributes (values)
- purpose built - not a general purpose db
- DAX is a DynamoDB accelerator
Redshift
- “Big data BI”
- A data warehouse for big data analytics
- Answers questions like
- Show me the last hour’s sales numbers for all stores
- How many bags of coffee do we have in store right now?
Database Migration Service
- DMS: database migration service
- source database remains operational during migration
- source and target db do not have to be of same type
- DB consolidation: sync several dbs into a single db
- One-time sync
- Homogeneous migration: source and target db of same type
- Heterogeneous migration: source and target db of different type
- Ongoing sync
- Continuous database replication: for disaster recovery & region separation
Additional DB Services
- DocumentDB
- a Content Management System
- Catalogues
- User profiles
- Neptune
- Graph database
- Use case: social network
- Amazon Managed Blockchain
- decentralized, not good for regulations
- Quantum Ledger Database (QLDB)
- immutable system of records
- Database Accelerators
- caching layers, improved read times
- e.g. Amazon ElastiCache (Redis, Memcache)
- e.g. DAX, a DynamoDB accelerator
Module 6: Security
Shared Responsibility Model
- Layers
- AWS: responsible for security OF the cloud (Physical, Network, Hypervisor)
- Customer: responsible for security IN the cloud (OS, Application, Data)
User Permissions and Access
- Root account: like owner of an org
- cannot be restricted
- Initial account setup: log in as the root user and create an IAM user with permission to create other users (admin); then log in as that new user and continue creating other users
- Principle of least privilege: only grant access to what a user needs
- IAM entities
- root user (usually a wildcard for other roles in an account!)
- users
- groups
- policies
- roles
- Roles
- associated with permissions
- allow or deny
- assumed temporarily
- no username or password
- roles can be assumed by
- AWS resources
- users
- external identities
- applications
- other AWS services
- when assuming an IAM role, all previous permissions are abandoned
- IAM user
- has console password (webui)
- has access key id & access key secret (api)
- has ssh keys for CodeCommit
- Amazon Cognito
- Single sign on service for web apps and mobile devices
AWS Organizations
- AWS Organization: a central location to manage multiple AWS accounts
- Features
- centralized account management
- consolidated billing for all member accounts
- hierarchical groupings of accounts (inherit settings, e.g. regulatory)
- e.g. org unit (OUs)
- AWS service and API actions access control
- SCP: Service Control Policies
- SCPs can be attached to OUs and individual AWS member accounts
- SCPs cannot be attached to IAM users, groups, roles, however IAM users, groups and policies are affected by SCPs being applied to an AWS account.
- Taxonomy: Root Org -> OUs -> Nested OUs -> AWS accounts -> IAM users, groups, roles
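The relationship between least privilege, IAM policies and SCPs described in this module is easiest to see in code. The block below is an added example written for these notes (not AWS code, and not the real IAM policy evaluator): it models the documented decision logic for simple Allow/Deny statements, namely that every SCP level from the organization root down to the account must allow the action, that an explicit Deny anywhere wins, and that otherwise an identity-based policy on the user must allow it or the request is implicitly denied. Conditions, resource policies, permission boundaries and session policies are left out. The bucket name, user policies and the "no bucket deletion" guardrail SCP are constructed for the demo; `FullAWSAccess` mirrors the default SCP AWS attaches.

```python
"""Simplified IAM + SCP authorization check (added illustrative model, not the
real AWS policy evaluator). Policies are plain dicts in IAM JSON shape."""
from fnmatch import fnmatchcase


def _matches(patterns, value):
    """IAM-style wildcard matching for Action/Resource ('*' and '?')."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatchcase(value, p) for p in patterns)


def _decision(policy, action, resource):
    """'Deny', 'Allow' or None (no statement matched) for one policy document."""
    result = None
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt.get("Resource", "*"), resource):
            if stmt["Effect"] == "Deny":
                return "Deny"       # explicit deny always wins within a document
            result = "Allow"
    return result


def _combine(policies, action, resource):
    """Combine all documents attached at one point (one OU, or one user's
    policies): Deny if any denies, Allow if any allows, else None."""
    decisions = [_decision(p, action, resource) for p in policies]
    if "Deny" in decisions:
        return "Deny"
    return "Allow" if "Allow" in decisions else None


def is_allowed(action, resource, identity_policies, scp_levels=()):
    """scp_levels: SCPs attached at each level from the org root down to the
    account, e.g. [[root_scps], [ou_scps], [account_scps]]. Every level must
    come out Allow; only then do the identity-based policies get a say."""
    for level in scp_levels:
        if _combine(level, action, resource) != "Allow":
            return False
    return _combine(identity_policies, action, resource) == "Allow"


# Constructed policies. Least privilege: the developer may only read and write
# objects in one bucket, nothing else.
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-app-data/*",   # constructed bucket name
    }],
}

# An over-broad policy, for contrast.
POWER_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# SCPs on the OU: the default FullAWSAccess plus a guardrail that stops anyone
# in the member account, IAM admins included, from deleting buckets.
FULL_AWS_ACCESS_SCP = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
NO_BUCKET_DELETE_SCP = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}],
}


def demo():
    ou = [FULL_AWS_ACCESS_SCP, NO_BUCKET_DELETE_SCP]
    bucket = "arn:aws:s3:::example-app-data"
    return {
        "dev_get_object": is_allowed("s3:GetObject", bucket + "/report.csv", [DEVELOPER_POLICY], [ou]),
        "dev_other_bucket": is_allowed("s3:GetObject", "arn:aws:s3:::other/x", [DEVELOPER_POLICY], [ou]),
        "dev_delete_bucket": is_allowed("s3:DeleteBucket", bucket, [DEVELOPER_POLICY], [ou]),
        "power_delete_bucket": is_allowed("s3:DeleteBucket", bucket, [POWER_USER_POLICY], [ou]),
        # Same over-broad user in an account that is not under any SCP:
        "power_delete_bucket_no_org": is_allowed("s3:DeleteBucket", bucket, [POWER_USER_POLICY]),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28} {'ALLOW' if verdict else 'DENY'}")
```

The last two entries are the point of the module's "SCPs cannot be attached to IAM users, but IAM users are affected" remark: the same `s3:*` user is allowed to delete the bucket in a standalone account and denied in a member account, with no change to the user's own policies. SCPs apply to every principal in a member account, including that account's root user, but never to the management account itself.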
Compliance
- AWS Artifact service
- AWS Artifact Agreements
- customer can sign agreements with AWS regarding customer’s use of certain types of information throughout AWS services
- AWS Artifact Reports
- AWS Artifact Reports provide compliance reports from third-party auditors. These auditors have tested and verified that AWS is compliant
- AWS Customer Compliance center
- contains resources to learn about AWS compliance
- read how other AWS customers solved compliance stories
Denial of Service Attacks
- DDoS: distributed denial-of-service
- DDoS tries to deny operation of infrastructure by overwhelming its capacity
- Examples
- UDP flood: send a small request to a weather service with a spoofed source IP address; the weather service responds with lots of data (amplification attack)
- Bots that impersonate users and connect to your infra
- sometimes using a slowloris attack, e.g. by issuing requests & keeping them open as long as possible, occupying server sockets & resources
- Solution:
- UDP flood: security groups
- only allow in proper requests, e.g. denying UDP
- Slowloris attack: Add ELB that handles load and only forwards valid requests to your instance
- AWS Shield w/ AWS WAF: advanced web app firewall
- Standard: protects customers at no cost
- Advanced: paid service that provides detailed attack diagnostics and ability to detect & mitigate sophisticated DDoS attacks
Additional Security Services
- Encryption
- at rest, in transit
- AWS KMS (key management service)
- AWS WAF
- Amazon Inspector
- runs autom. security assessment against your infra
- checks against best practices
- consists of
- network configuration reachability piece
- Amazon agent
- security assessment service
- Amazon GuardDuty
- Threat detection
- analyzes metadata from the AWS account, network activity, DNS & flow logs
- uses ML for anomaly detection, etc.
- independent of your cloud resources, hence doesn’t slow them down
Module 7: Monitoring & Analytics
- Monitoring: observing systems, collecting metrics and then using data to make decisions
CloudWatch
- Monitoring infra & app level in real-time
- Metrics: variables tied to your resources
- e.g. CPU utilization
- CloudWatch alarm: set metric threshold that creates alarm and triggers action
- Access to all metrics from central location
- Visibility into apps, infra & services
- Reduce MTTR (mean time to resolution) and improve TCO (total cost of ownership)
- Insights to optimize resources
CloudTrail
- audits transactions
- complete history of user activity and API calls for applications & resources
- records API calls for your AWS account
- recorded info
- API caller identity
- timestamp
- source IP address
- etc.
- CloudTrail Insights: autom. detects unusual API activities in AWS account
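The recorded fields listed above are what you actually work with when something looks off. The following is an added example written for these notes (not AWS code and not CloudTrail Insights): it reads a constructed CloudTrail log body in the real record layout (`Records`, `userIdentity`, `eventTime`, `eventSource`, `eventName`, `sourceIPAddress`), pulls out caller identity, timestamp and source IP, and flags three things an on-call engineer wants to see: API calls by the root user, calls from outside the organisation's own egress ranges, and calls that switch CloudTrail logging off. Account ids, user names, IP addresses and the trusted network range are made up.

```python
"""Triage of CloudTrail records: extract who/when/what/from and raise simple
findings (added example, not AWS code). Sample records are constructed."""
import ipaddress
import json
from datetime import datetime, timezone

# Constructed CloudTrail log file body, trimmed to the fields used here.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventVersion": "1.08",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "111111111111",
                      "arn": "arn:aws:iam::111111111111:user/alice"},
     "eventTime": "2024-01-15T09:12:03Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "eu-central-1",
     "sourceIPAddress": "198.51.100.7"},
    {"eventVersion": "1.08",
     "userIdentity": {"type": "Root", "accountId": "111111111111",
                      "arn": "arn:aws:iam::111111111111:root"},
     "eventTime": "2024-01-15T22:40:41Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.55"},
    {"eventVersion": "1.08",
     "userIdentity": {"type": "IAMUser", "userName": "bob", "accountId": "111111111111",
                      "arn": "arn:aws:iam::111111111111:user/bob"},
     "eventTime": "2024-01-15T23:01:10Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7"},
]})

# Constructed: the ranges your offices / VPN egress from.
TRUSTED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

# CloudTrail API calls that reduce audit coverage.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail"}


def summarize(record):
    """The fields the notes list: caller identity, timestamp, source IP, plus the call."""
    ident = record["userIdentity"]
    when = datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    service = record["eventSource"].split(".")[0]
    return {
        "who": ident.get("arn") or ident.get("type"),
        "when": when,
        "what": f"{service}:{record['eventName']}",
        "from": record["sourceIPAddress"],
    }


def findings(record):
    """Return a list of human-readable findings for one record (empty if clean)."""
    out = []
    if record["userIdentity"].get("type") == "Root":
        out.append("root user API call")
    src = record["sourceIPAddress"]
    try:
        ip = ipaddress.ip_address(src)
        if not any(ip in net for net in TRUSTED_NETWORKS):
            out.append(f"source {src} outside trusted networks")
    except ValueError:
        # CloudTrail records a service DNS name instead of an IP when an AWS
        # service made the call on your behalf; that is not an external address.
        pass
    if record["eventSource"] == "cloudtrail.amazonaws.com" and record["eventName"] in TRAIL_TAMPERING:
        out.append("audit trail tampering")
    return out


def triage(log_text):
    """[(summary, findings)] for every record that raised at least one finding."""
    flagged = []
    for rec in json.loads(log_text)["Records"]:
        hits = findings(rec)
        if hits:
            flagged.append((summarize(rec), hits))
    return flagged


if __name__ == "__main__":
    for summary, hits in triage(SAMPLE_LOG):
        print(f"{summary['when']:%Y-%m-%d %H:%M} {summary['who']} {summary['what']} from {summary['from']}")
        for hit in hits:
            print(f"    - {hit}")
```

Alice's routine `GetObject` from the office range produces no output; the root `CreateUser` from an unknown address and Bob's `StopLogging` do. On a real account the same records arrive as gzip'd JSON files in the trail's S3 bucket, so the only change needed is reading those instead of `SAMPLE_LOG`.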
AWS Config
- records and evaluates configurations of your AWS resources (config db)
- configure AWS Config with the resource types to track them
Trusted Advisor
- An automated service that checks your cloud resources against 5 pillars
- Cost optimization
- Performance
- Security
- Fault tolerance
- Service limits
Module 8: Pricing & Support
- Create monthly reports & diagrams in “Billing and Cost Management console”
Free Tiers
- Types
- always free
- 12 months free
- trials
- Free Tier services
- Lambda
- SageMaker
- Comprehend Medical
- DynamoDB
- SNS
- Cognito
Pricing Concepts
- Concepts
- Pay for what you use
- Pay less when you reserve
- Pay less with volume-based discounts when you use more
- AWS Pricing Calculator
- make price estimates
- organize estimates by groups that reflect how your company is organized
Consolidated Billing
- AWS Organization consolidates billings of AWS accounts in org
- Advantage:
- simplifies billing
- share savings across accounts
- Default max number of accounts for an org is 4
- Saving plans and reserved instances can then be shared across accounts
- e.g. when two accounts together exceed a threshold to become eligible for savings, the two accounts equally receive the discount (while one account alone would not reach the threshold) -> mini “economy of scale” effect
AWS Budget
- Set alarm when billing threshold is reached
Cost Explorer
- detailed view of incurred costs
- can filter by resource tags
Simple Monthly Calculator
- Simple Monthly Calculator: estimate monthly bills
Support Plans
- AWS Connect is the customer service center
- Get tech support
- Plans
- Basic
- by default, for every customer
- AWS Trusted Advisor limited checks
- Developer
- email customer support directly
- Business
- AWS Trusted Advisor provides full set of best practices checks
- phone, email & chat access to cloud support engineers
- Enterprise
- 15min SLA for critical workloads
- TAM (Technical Account Manager)
- TAM supports you w/ Well-Architected Framework
- Well-Architected Framework
- Operational Excellence
- Security
- Reliability
- Performance Efficiency
- Cost Optimization
Marketplace
- 3rd-party software to deploy on your AWS account
- one-click deployments
- Enterprise focused features
- custom terms and pricing
- private marketplace that only allows software adhering to regulations, etc.
- integration into your procurement system
- cost management tools
Module 9: Migration & Innovation
Cloud Adoption Framework (CAF)
The six perspectives:
- business
- managers, finance, strategy
- people
- HR, staffing, people managers
- governance
- CIO, program managers, enterprise architects, business analysts
- platform
- CTO, IT managers, solution architects
- security
- CISO, security managers, security analysts
- operations
- IT operations managers, IT support managers
Migration Strategies
The six Rs:
- Rehosting
- Lift-and-shift
- Replatforming
- Lift-and-shift with platform optimizations, code not touched
- Retire
- Stop life of systems
- Retain
- Systems to be deprecated in a few months; do not migrate these to the cloud
- Repurchasing
- Buy similar system in cloud, don’t renew on-prem licenses
- Move traditional license to software-as-a-service model
- Refactoring
- Touching code! Highest initial cost
Snow Family
- Migrating data of a company on-prem to cloud
- Edge computing devices
- Problem: at 1 Gb/s throughput, uploading 1 PB to the cloud takes 100 days, which is not practical
- Solution: snow family
- Snowcone
- 2 CPUs, 4 GB memory, 8 TB storage
- order in AWS management console, copy data locally in your DC to snowcone, send back to AWS (typically to S3 bucket)
- use case: data transfer
- Snowball
- Types
- compute-optimized option (52 vCPUs, 208 GB memory)
- storage-optimized option (80 TB)
- plug into your server racks, can be clustered
- run Lambda, EC2 AMIs, AWS IoT Greengrass
- use case: ML, video analysis, batch processing
- Snowmobile
- comes in shipping container on a truck
- storage: 100 PB
- Tamper resistant, water proof, fireproof, video surveillance, etc.
- use case: data transfer
- Encryption: 256 bit keys
- Storage sizes of Snowcone, Snowball, Snowmobile: 8 TB, 80 TB, 100 PB
Innovation
A bunch of cool, unrelated services…
- VMware Cloud on AWS (move on-prem VMware VMs to AWS)
- ML services
- SageMaker
- train & deploy ML models
- AI services
- Amazon Augmented AI (Amazon A2I)
- Amazon Transcribe
- Amazon Comprehend
- Amazon Fraud Detector
- Amazon Lex
- heart of Alexa
- interface to process language & text
- Amazon Textract
- DeepRacer
- Reinforcement learning for devs
- AWS Ground Station
- access to satellite link
- only pay satellite time needed
Module 10: Cloud Journey
Well-Architected Framework
- Reference architectures
- 5 Pillars
- Operational Excellence
- ability to operate infrastructure (monitoring, backup, etc.)
- Security
- Reliability
- recovery from outages
- Performance efficiency
- efficient use of computing resources
- Cost optimization
- saving plans, discounts, etc.
- Well-Architected Tool
- create infrastructure and evaluate it against tool (not automated, more like manual questionnaire assessment)
Advantages of AWS Cloud
The chance to…
- reduce IT resources costs on monthly basis
- profit from economy of scale
- profit from flexible capacity (elasticity)
- increase speed and agility of time to market
- save money operating data centers
- go global in minutes
Miscellaneous Services
- Amazon SES: Simple Email Service
- scalable email service that enables developers to send mail from within any application
- AWS CodeCommit
- managed source control service that hosts private Git repositories
- store anything from code to binaries
- Amazon Rekognition: object recognition service (incl. faces)
- Amazon Kinesis: collect, process, and analyze video and data streams in real-time
Module 11: Exam
Exam areas:
- Cloud concepts (26%)
- Security & Compliance (25%)
- Technology (33%)
- Pricing (16%)
Exam format:
- 65 questions
- 90 minutes
- threshold to pass: 70% correctly answered
- Questions types
- Multiple-choice: one correct answer, three wrong or distracting answers
- Multiple-response: two or more correct answers out of five
Exam strategy:
- Out of 4 choices per question, 2 are typically wrong in an obvious way - eliminate them
- From the 2 remaining choices, one is a distractor, which means it is a true statement, but not as relevant or quite as true as the correct answer 👉 find the distractor!
Exam practicing options:
- test exam (second last chapter)
- official questionnaire
- tutorialsdojo.com
- testpreptraining.com