===== AWS Certified Cloud Practitioner – Study Notes ===== Based on the excellent notes by **Furkan Gülşen** (Furkan-Gulsen). Original source: [[https://github.com/Furkan-Gulsen/aws-certified-cloud-practitioner-certification-my-notes|GitHub – AWS Certified Cloud Practitioner Certification - My Notes]] ---- ==== Deployment Models for Cloud Computing ==== * **Cloud-based deployment** * Applications fully deployed in the cloud. * **On-premises deployment** * Traditional local data centers (“private cloud” when virtualized + automated). * **Hybrid deployment** * Combination of on-premises resources and cloud resources. ---- ==== Benefits of Cloud Computing ==== * **Trade CAPEX for OPEX** * No large upfront data center/server purchases. * Pay only for what you actually consume. * **Stop running and maintaining data centers** * Focus on business-differentiating projects instead of racking and stacking. * **Stop guessing capacity** * Avoid over-provisioning or under-provisioning. * Scale up/down in minutes. * **Economies of scale** * Aggregated usage across many customers ⇒ lower variable costs. * **Increase speed and agility** * New IT resources are a click away; weeks → minutes. * **Go global in minutes** * Deploy to multiple regions for low latency and better user experience. ---- ==== Design Principles for AWS in the Cloud ==== * Perform operations as code. * Make frequent, small, reversible changes. * Refine operations procedures frequently. * Anticipate failure. * Learn from all operational failures. ---- ==== AWS Shared Responsibility Model ==== {{image1.png?direct|Shared Responsibility Model}} /* placeholder for Image1 */ * AWS is responsible **for**: * Physical infrastructure, networking, hypervisor, managed service layers (where applicable). * The customer is responsible **in**: * Configuration, data, identity & access, OS layer for IaaS, application-level security. {{image2.png?direct|Shared Responsibility – Expanded}} /* placeholder for Image2 */ ---- ==== Amazon EC2 – Instance Types Overview ==== * **General Purpose** * Balanced compute, memory, networking. * Web servers, dev/test, small/medium DBs. * **Compute-optimized** * High vCPU-to-memory ratio. * Scientific modeling, batch processing, gaming servers. * **Memory-optimized** * Large in-memory workloads. * In-memory DBs, real-time analytics. * **Accelerated computing** * GPUs or other accelerators. * ML, video processing, HPC. * **Storage-optimized** * High sequential read/write. * Data warehousing, distributed file systems. ==== EC2 Instance Store ==== * **Ephemeral block storage** on disks physically attached to host. * Ideal for: * Buffers, caches, scratch data, temporary content. * Replicated data (e.g., web server fleets). * Data is **lost** if instance stops, terminates, or fails. ---- ==== Amazon EC2 Pricing Models ==== * **On-Demand** * Short-term, irregular workloads. * No upfront cost or long-term commitment. * **Reserved Instances / Savings Plans** * 1 or 3-year commitments. * Standard RI, Convertible RI, or Instance/Savings Plans. * Regional vs Zonal flexibility. * **Spot Instances** * Up to ~90% discount. * Can be interrupted by AWS. * **Dedicated Host** * Physical server dedicated to a single customer. * Compliance, licensing, and placement control. {{image3.png?direct|EC2 Pricing Model Diagram}} /* placeholder for Image3 */ Factors affecting EC2 price: * Purchase option (On-Demand, RI/Savings Plans, Spot, Dedicated). * Instance type and size. * Region. * Number of instances. * Use of Elastic IPs, Load Balancers, and Auto Scaling. ---- ==== AWS Access & Management Tools ==== * **AWS Management Console** * Web-based GUI. * **AWS CLI** * Command-line; supports scripting and automation. * **AWS SDKs** * Language-specific libraries for programmatic access. * **AWS Cloud9** * Cloud-based IDE integrated with AWS. ---- ===== Networking & VPC ===== ==== Key VPC Components ==== * **Internet Gateway (IGW)** * Connects VPC to the internet (required for public subnets). * **Virtual Private Gateway (VGW)** * Endpoint for Site-to-Site VPN or Direct Connect. * **VPC Peering** * Private connectivity between two VPCs (same or different accounts). * **AWS Direct Connect** * Dedicated private link from on-prem to AWS (no internet). * **NAT Gateway** * Managed service that allows **private** subnet instances outbound internet access (for updates, patches, etc.). * Blocks unsolicited inbound connections. {{image4.png?direct|NAT Gateway vs NAT Instance}} /* placeholder for Image4 */ ==== Subnets ==== * **Public subnet** * Has route to IGW; resources can have direct internet access. * **Private subnet** * No direct route to IGW; resources are isolated from direct internet access. ==== Security Groups vs Network ACLs ==== {{image5.png?direct|Security Groups vs NACLs}} /* placeholder for Image5 */ **Security Groups** * Instance-level, **stateful**, allow rules only. * No rule numbers. * Commonly used with EC2, RDS, EFS, ELB, etc. * Support IPs, CIDRs, and SG IDs as source/destination. **Network ACLs (NACLs)** * Subnet-level, **stateless**. * Ordered rules with rule numbers. * Support both allow and deny. * Often used as an additional subnet firewall. ==== VPC Flow Logs ==== * Capture IP traffic information for: * ENIs, subnets, or whole VPCs. * Used for troubleshooting and security analysis. ---- ===== Storage Services ===== ==== Amazon EBS (Elastic Block Store) ==== * Block-level storage volumes for EC2. * Multiple volume types (different IOPS and throughput). * Data replicated within an AZ (high durability). * Snapshots stored in S3. * You can grow or change volume type. * Pricing: * Volumes, snapshots, and data transfer. * **Per-AZ** service (not regional). Cost optimization tips for EBS: * Delete unattached volumes. * Resize or change volume type. * Delete stale snapshots. ==== Amazon EFS (Elastic File System) ==== * Fully managed NFS file system. * Shared across multiple EC2 instances. * Automatically scales capacity. * Data replicated across multiple AZs in the region. * POSIX compliant. * Regional service, pay per read/write and storage. ==== Amazon S3 – Storage Classes ==== {{image6.png?direct|S3 Storage Classes}} {{image7.png?direct|S3 Storage Classes – Comparison}} * **S3 Standard** * High durability; multi-AZ. * Frequently accessed data; static websites. * **S3 Standard-IA** * Infrequent access, lower storage cost / higher retrieval cost. * 30-day minimum storage duration. * **S3 One Zone-IA** * Single AZ; cheaper; 30-day minimum. * For recreatable or backup-type data. * **S3 Intelligent-Tiering** * Automatically moves data between tiers based on access patterns. * **S3 Glacier Instant Retrieval / Flexible Retrieval / Deep Archive** * Archive tiers with different retrieval times & costs. * **S3 Outposts** * S3-compatible storage on-prem via Outposts. **S3 Transfer Acceleration** * Uses CloudFront edge network to speed up uploads/downloads over long distances. **S3 Pricing Factors** * Storage amount and storage class. * Data transfer out. * Number and type of requests. * Lifecycle transition requests. ==== S3 Policies (Bucket Policies) ==== {{image8.png?direct|S3 Policy Structure}} Key fields: * **Action** – s3:GetObject, s3:PutObject, etc. * **Effect** – "Allow" or "Deny". * **Resource** – bucket and/or object ARNs. * **Principal** – who the policy applies to. * **Sid** (optional) – statement ID. * **Condition** (optional) – context-based conditions. ==== Amazon EFS vs EBS vs S3 (high-level) ==== * **EBS**: Block storage for EC2, one instance at a time (or via multi-attach types). * **EFS**: Shared POSIX file system over NFS. * **S3**: Object storage for unstructured data, HTTP-based. ---- ===== Databases & Data Migration ===== ==== Amazon RDS ==== * Managed relational DB service: * MySQL, PostgreSQL, Oracle, SQL Server, MariaDB, Aurora. * Automated backups, snapshots, Multi-AZ HA. * Easy scaling for compute/storage. * AWS manages: * Infra, OS, DB software install, patches, backups. * Customer manages: * DB schema, query tuning, app-level security, data protection. ==== AWS Database Migration Service (DMS) ==== * Migrates databases to AWS, between clouds, or between engines. * Supports homogeneous and heterogeneous migrations. * Minimal downtime – source DB continues running. * Continuous replication and sync. * Works with AWS Schema Conversion Tool (SCT). ==== Amazon Athena ==== * Serverless interactive query service. * Run SQL queries directly on S3 data. * Pay per TB of data scanned. * Supports CSV, JSON, ORC, Parquet, etc. * Integrates with AWS Glue Data Catalog. ---- ===== Identity, Access & Security ===== ==== AWS IAM (Identity and Access Management) ==== * **Users** * Represent real people or applications. * **Groups** * Collections of users with shared policies. * **Roles** * Temporary permissions for AWS services, users, or external identities. * **Root User** * Full account control; should be protected and rarely used. Best practices: * Lock away root access keys. * Create individual IAM users. * Use groups to assign permissions. * Grant least privilege. * Prefer customer-managed policies over inline. * Enforce strong password policy. * Enable MFA. * Rotate credentials regularly. * Monitor activity with CloudTrail. ==== AWS Artifact, Compliance & Security Services ==== * **AWS Artifact** * Download SOC/PCI and compliance reports. * **AWS GuardDuty** * Intelligent threat detection (anomaly- and ML-based). * **AWS Shield** * DDoS protection at L3/L4 (Standard) and advanced (with Shield Advanced). * **AWS WAF** * Layer 7 web application firewall. * Block IPs, SQL injection, XSS, rate limiting, managed rule sets. * **Customer Compliance Center** * Compliance info, audit checklists, security whitepapers. ==== Logging & Monitoring ==== * **Amazon CloudWatch** * Metrics, logs, dashboards, alarms, and automated actions. * **AWS CloudTrail** * API call logging for governance, compliance, and audit. * **AWS Config** * Resource configuration tracking, compliance checks, and history. * **AWS Security Hub** * Central view of security findings from GuardDuty, Config, etc. * **Amazon Detective** * Helps analyze and visualize security-related data for investigations. ---- ===== Cost Management & Billing ===== ==== AWS Billing & Cost Tools ==== * **AWS Billing Dashboard** * MTD spend, forecasts, Free Tier usage. * **AWS Budgets** * Set cost/usage budgets and receive alerts. * **AWS Pricing Calculator** * Estimate costs before deployment. * **AWS Cost and Usage Report (CUR)** * Most granular cost/usage data; can be queried via Athena, QuickSight, Redshift. * **AWS Cost Explorer** * Visualize and analyze historical and forecasted costs. ==== AWS Consolidated Billing (Organizations) ==== * One bill for multiple accounts. * Combined usage for volume discounts. * No extra fee. ==== TCO Calculator ==== * Compare on-premises vs AWS costs. * Understand potential savings of cloud migration. ---- ===== AWS Support Plans ===== {{image9.png?direct|Support Plan Overview}} {{image10.png?direct|Support Plan Detail}} * **Basic** * 24x7 customer service, docs, whitepapers, re:Post. * Limited Trusted Advisor checks. * Personal Health Dashboard. * **Developer** * Best practice guidance, building-block support. * Business-hours support; ~12-hour response for non-critical. * **Business** * 24x7 technical support (1-hour response for urgent). * All Trusted Advisor checks. * Limited 3rd-party software support. * **Enterprise On-Ramp & Enterprise** * TAM (or pool of TAMs), Concierge team. * IEM (Infrastructure Event Management). * Proactive guidance, cost optimization, architecture reviews. * Fast response (down to 15 minutes) for critical issues. **Key teams:** * **AWS Security Team** – security incidents, vulnerabilities. * **AWS Abuse Team** – misuse, spam, phishing. * **AWS Customer Service** – accounts, billing. * **Concierge Team** – for Enterprise support customers. ---- ===== Architecture: AWS Well-Architected Framework ===== {{image13.png?direct|Well-Architected Framework}} Pillars: * **Operational Excellence** * Ops as code, frequent small changes, learn from failures. * **Security** * Strong identity foundation, traceability, security at all layers, protect data in transit/at rest. * **Reliability** * Recover from failures, auto-recovery, horizontal scaling, stop guessing capacity. * **Performance Efficiency** * Right-sized resources, serverless where possible, global deployments. * **Cost Optimization** * Consumption model, managed services, cost allocation and analysis. * **Sustainability** * Understand impact, set goals, maximize utilization, use efficient hardware, reduce downstream impact. The **AWS Well-Architected Tool** helps review workloads against these pillars. ---- ===== Migration, Hybrid & Edge ===== ==== 6 Strategies for Migration ==== * **Rehosting (“Lift and Shift”)** * **Replatforming** * **Refactoring / Re-architecting** * **Repurchasing** (move to SaaS) * **Retaining** * **Retiring** ==== AWS Snow Family ==== * **Snowcone** * Rugged edge device, ~14 TB, 2 vCPU, 4 GB RAM. * **Snowball / Snowball Edge** * ~80 TB storage, compute options. * Storage-Optimized and Compute-Optimized variants. * **Snowmobile** * Truck-sized; up to 100 PB per container. ==== AWS Outposts ==== * Run AWS services on-prem with the same APIs and tools. * Consistent hybrid experience. ==== AWS Local Zones & Wavelength ==== * **Local Zones** * AWS infra closer to large population centers for low latency. * **Wavelength** * Runs AWS services inside telecom 5G networks. ---- ===== Serverless & Application Integration ===== ==== AWS Serverless Services (examples) ==== * **AWS Lambda** * **Amazon API Gateway** * **AWS Step Functions** * **Amazon DynamoDB** * **Amazon S3** * **Amazon EventBridge** * **Amazon SNS**, **Amazon SQS** * **AWS Fargate** (serverless containers) * **AWS AppRunner** ==== CI/CD & Developer Tools ==== * **CodeCommit** – Private Git repos. * **CodeBuild** – Fully managed build service. * **CodeDeploy** – Automated deployments (EC2, Lambda, on-prem). * **CodePipeline** – CI/CD orchestration. * **CodeStar** – Project scaffolding and unified view. * **CodeGuru** – ML-based code review and profiler. ==== Application Integration & Events ==== * **Amazon EventBridge** * Event bus for AWS services, SaaS, and custom apps. * EventBridge Scheduler for cron-like schedules. * **Amazon S3 Lifecycle Policies** * Automatic transitions and deletions of objects. ---- ===== Identity Federation & SSO ===== * **AWS Cognito User Pools** * User directory, sign-up/sign-in, social and SAML IdPs, MFA, JWT tokens. * **Cognito Identity Pools** * Temporary AWS credentials for authenticated/unauthenticated users. * **AWS IAM Identity Center (successor to AWS SSO)** * Central SSO to AWS accounts and SaaS apps. * **AWS Directory Service** * Managed Microsoft AD or AD integration. * **AWS STS** * Temporary security credentials for roles and federated users. * **AWS Federation** * SAML 2.0 SSO from corporate IdPs into AWS. ---- ===== Load Balancing & Edge Networking ===== ==== Elastic Load Balancing (ELB) ==== * **Application Load Balancer (ALB)** – L7 HTTP/HTTPS; path-based routing. * **Network Load Balancer (NLB)** – L4 TCP/UDP/TLS; ultra-low latency. * **Classic Load Balancer (CLB)** – Legacy L4/L7; not recommended for new workloads. * **Gateway Load Balancer (GWLB)** – L3; for virtual appliances (firewalls, etc.). ==== Amazon CloudFront ==== * CDN for static and dynamic content. * Use cases: static asset caching, video streaming, security with WAF/Shield, API acceleration, software distribution. * Costs depend on: * Data transfer out. * Request volume. * Edge locations used. ==== AWS Global Accelerator ==== * Anycast static IP entry points. * Routes traffic over AWS global network. * Good for non-HTTP and latency-/availability-sensitive apps. ==== Amazon Route 53 – Routing Policies ==== * Simple * Failover * Geolocation * Geoproximity * Latency-based * IP-based * Multivalue answer * Weighted ---- ===== Misc. High-Value Services (By Category, Brief) ===== * **Analytics** * EMR, Kinesis Data Streams, Timestream, Athena, QuickSight (and QuickSight Q). * **Security & Key Management** * KMS (customer-managed keys, AWS-managed, AWS-owned keys). * CloudHSM (hardware-based key management). * Macie (sensitive data discovery in S3). * **Management & Governance** * Organizations, Service Control Policies (SCP). * Control Tower, Service Catalog, Systems Manager (Parameter Store, Session Manager, Patch Manager). * Service Quotas, OpsWorks, CloudFormation, Proton. * **Application Services** * AppSync (GraphQL), Amazon Chime, Pinpoint, WorkSpaces, AppStream 2.0. * **Migration & Transfer** * Application Migration Service (MGN), Migration Hub, DataPipeline, Transfer Family, Storage Gateway. * **Marketplaces & Partner Network** * AWS Marketplace (ISVs, SaaS, etc.). * APN Technology & Consulting Partners. * AWS Partner Paths (Software, Hardware, Services, Training, Distribution). ---- ==== Author & Attribution ==== These notes are derived from and heavily based on: * **Author:** Furkan Gülşen (Furkan-Gulsen) * **Original GitHub repo:** [[https://github.com/Furkan-Gulsen/aws-certified-cloud-practitioner-certification-my-notes|AWS Certified Cloud Practitioner Certification - My Notes]] All credit for the original compilation belongs to the author above. This DokuWiki version is a reorganized derivative intended for personal study and internal documentation.