Based on the excellent notes by Furkan Gülşen (Furkan-Gulsen). Original source: GitHub – AWS Certified Cloud Practitioner Certification - My Notes

• Cloud-based deployment
  • Applications fully deployed in the cloud.
• On-premises deployment
  • Traditional local data centers (“private cloud” when virtualized + automated).
• Hybrid deployment
  • Combination of on-premises resources and cloud resources.

• Trade CAPEX for OPEX
  • No large upfront data center/server purchases.
  • Pay only for what you actually consume.
• Stop running and maintaining data centers
  • Focus on business-differentiating projects instead of racking and stacking.
• Stop guessing capacity
  • Avoid over-provisioning or under-provisioning.
  • Scale up/down in minutes.
• Economies of scale
  • Aggregated usage across many customers ⇒ lower variable costs.
• Increase speed and agility
  • New IT resources are a click away; weeks → minutes.
• Go global in minutes
  • Deploy to multiple regions for low latency and better user experience.

• Perform operations as code.
• Make frequent, small, reversible changes.
• Refine operations procedures frequently.
• Anticipate failure.
• Learn from all operational failures.

/* placeholder for Image1 */

• AWS is responsible for:
  • Physical infrastructure, networking, hypervisor, managed service layers (where applicable).
• The customer is responsible in:
  • Configuration, data, identity & access, OS layer for IaaS, application-level security.

/* placeholder for Image2 */

• General Purpose
  • Balanced compute, memory, networking.
  • Web servers, dev/test, small/medium DBs.
• Compute-optimized
  • High vCPU-to-memory ratio.
  • Scientific modeling, batch processing, gaming servers.
• Memory-optimized
  • Large in-memory workloads.
  • In-memory DBs, real-time analytics.
• Accelerated computing
  • GPUs or other accelerators.
  • ML, video processing, HPC.
• Storage-optimized
  • High sequential read/write.
  • Data warehousing, distributed file systems.

• Ephemeral block storage on disks physically attached to host.
• Ideal for:
  • Buffers, caches, scratch data, temporary content.
  • Replicated data (e.g., web server fleets).
• Data is lost if instance stops, terminates, or fails.

• On-Demand
  • Short-term, irregular workloads.
  • No upfront cost or long-term commitment.
• Reserved Instances / Savings Plans
  • 1 or 3-year commitments.
  • Standard RI, Convertible RI, or Instance/Savings Plans.
  • Regional vs Zonal flexibility.
• Spot Instances
  • Up to ~90% discount.
  • Can be interrupted by AWS.
• Dedicated Host
  • Physical server dedicated to a single customer.
  • Compliance, licensing, and placement control.

/* placeholder for Image3 */

Factors affecting EC2 price:

• Purchase option (On-Demand, RI/Savings Plans, Spot, Dedicated).
• Instance type and size.
• Region.
• Number of instances.
• Use of Elastic IPs, Load Balancers, and Auto Scaling.

• AWS Management Console
  • Web-based GUI.
• AWS CLI
  • Command-line; supports scripting and automation.
• AWS SDKs
  • Language-specific libraries for programmatic access.
• AWS Cloud9
  • Cloud-based IDE integrated with AWS.

• Internet Gateway (IGW)
  • Connects VPC to the internet (required for public subnets).
• Virtual Private Gateway (VGW)
  • Endpoint for Site-to-Site VPN or Direct Connect.
• VPC Peering
  • Private connectivity between two VPCs (same or different accounts).
• AWS Direct Connect
  • Dedicated private link from on-prem to AWS (no internet).
• NAT Gateway
  • Managed service that allows private subnet instances outbound internet access (for updates, patches, etc.).
  • Blocks unsolicited inbound connections.

/* placeholder for Image4 */

• Public subnet
  • Has route to IGW; resources can have direct internet access.
• Private subnet
  • No direct route to IGW; resources are isolated from direct internet access.

/* placeholder for Image5 */

Security Groups

• Instance-level, stateful, allow rules only.
• No rule numbers.
• Commonly used with EC2, RDS, EFS, ELB, etc.
• Support IPs, CIDRs, and SG IDs as source/destination.

Network ACLs (NACLs)

• Subnet-level, stateless.
• Ordered rules with rule numbers.
• Support both allow and deny.
• Often used as an additional subnet firewall.

• Capture IP traffic information for:
  • ENIs, subnets, or whole VPCs.
• Used for troubleshooting and security analysis.

• Block-level storage volumes for EC2.
• Multiple volume types (different IOPS and throughput).
• Data replicated within an AZ (high durability).
• Snapshots stored in S3.
• You can grow or change volume type.
• Pricing:
  • Volumes, snapshots, and data transfer.
• Per-AZ service (not regional).

Cost optimization tips for EBS:

• Delete unattached volumes.
• Resize or change volume type.
• Delete stale snapshots.

• Fully managed NFS file system.
• Shared across multiple EC2 instances.
• Automatically scales capacity.
• Data replicated across multiple AZs in the region.
• POSIX compliant.
• Regional service, pay per read/write and storage.

• S3 Standard
  • High durability; multi-AZ.
  • Frequently accessed data; static websites.
• S3 Standard-IA
  • Infrequent access, lower storage cost / higher retrieval cost.
  • 30-day minimum storage duration.
• S3 One Zone-IA
  • Single AZ; cheaper; 30-day minimum.
  • For recreatable or backup-type data.
• S3 Intelligent-Tiering
  • Automatically moves data between tiers based on access patterns.
• S3 Glacier Instant Retrieval / Flexible Retrieval / Deep Archive
  • Archive tiers with different retrieval times & costs.
• S3 Outposts
  • S3-compatible storage on-prem via Outposts.

S3 Transfer Acceleration

• Uses CloudFront edge network to speed up uploads/downloads over long distances.

S3 Pricing Factors

• Storage amount and storage class.
• Data transfer out.
• Number and type of requests.
• Lifecycle transition requests.

Key fields:

• Action – s3:GetObject, s3:PutObject, etc.
• Effect – “Allow” or “Deny”.
• Resource – bucket and/or object ARNs.
• Principal – who the policy applies to.
• Sid (optional) – statement ID.
• Condition (optional) – context-based conditions.

• EBS: Block storage for EC2, one instance at a time (or via multi-attach types).
• EFS: Shared POSIX file system over NFS.
• S3: Object storage for unstructured data, HTTP-based.

• Managed relational DB service:
  • MySQL, PostgreSQL, Oracle, SQL Server, MariaDB, Aurora.
• Automated backups, snapshots, Multi-AZ HA.
• Easy scaling for compute/storage.
• AWS manages:
  • Infra, OS, DB software install, patches, backups.
• Customer manages:
  • DB schema, query tuning, app-level security, data protection.

• Migrates databases to AWS, between clouds, or between engines.
• Supports homogeneous and heterogeneous migrations.
• Minimal downtime – source DB continues running.
• Continuous replication and sync.
• Works with AWS Schema Conversion Tool (SCT).

• Serverless interactive query service.
• Run SQL queries directly on S3 data.
• Pay per TB of data scanned.
• Supports CSV, JSON, ORC, Parquet, etc.
• Integrates with AWS Glue Data Catalog.

• Users
  • Represent real people or applications.
• Groups
  • Collections of users with shared policies.
• Roles
  • Temporary permissions for AWS services, users, or external identities.
• Root User
  • Full account control; should be protected and rarely used.

Best practices:

• Lock away root access keys.
• Create individual IAM users.
• Use groups to assign permissions.
• Grant least privilege.
• Prefer customer-managed policies over inline.
• Enforce strong password policy.
• Enable MFA.
• Rotate credentials regularly.
• Monitor activity with CloudTrail.

• AWS Artifact
  • Download SOC/PCI and compliance reports.
• AWS GuardDuty
  • Intelligent threat detection (anomaly- and ML-based).
• AWS Shield
  • DDoS protection at L3/L4 (Standard) and advanced (with Shield Advanced).
• AWS WAF
  • Layer 7 web application firewall.
  • Block IPs, SQL injection, XSS, rate limiting, managed rule sets.
• Customer Compliance Center
  • Compliance info, audit checklists, security whitepapers.

• Amazon CloudWatch
  • Metrics, logs, dashboards, alarms, and automated actions.
• AWS CloudTrail
  • API call logging for governance, compliance, and audit.
• AWS Config
  • Resource configuration tracking, compliance checks, and history.
• AWS Security Hub
  • Central view of security findings from GuardDuty, Config, etc.
• Amazon Detective
  • Helps analyze and visualize security-related data for investigations.

• AWS Billing Dashboard
  • MTD spend, forecasts, Free Tier usage.
• AWS Budgets
  • Set cost/usage budgets and receive alerts.
• AWS Pricing Calculator
  • Estimate costs before deployment.
• AWS Cost and Usage Report (CUR)
  • Most granular cost/usage data; can be queried via Athena, QuickSight, Redshift.
• AWS Cost Explorer
  • Visualize and analyze historical and forecasted costs.

• One bill for multiple accounts.
• Combined usage for volume discounts.
• No extra fee.

• Compare on-premises vs AWS costs.
• Understand potential savings of cloud migration.

• Basic
  • 24×7 customer service, docs, whitepapers, re:Post.
  • Limited Trusted Advisor checks.
  • Personal Health Dashboard.
• Developer
  • Best practice guidance, building-block support.
  • Business-hours support; ~12-hour response for non-critical.
• Business
  • 24×7 technical support (1-hour response for urgent).
  • All Trusted Advisor checks.
  • Limited 3rd-party software support.
• Enterprise On-Ramp & Enterprise
  • TAM (or pool of TAMs), Concierge team.
  • IEM (Infrastructure Event Management).
  • Proactive guidance, cost optimization, architecture reviews.
  • Fast response (down to 15 minutes) for critical issues.

Key teams:

• AWS Security Team – security incidents, vulnerabilities.
• AWS Abuse Team – misuse, spam, phishing.
• AWS Customer Service – accounts, billing.
• Concierge Team – for Enterprise support customers.

Pillars:

• Operational Excellence
  • Ops as code, frequent small changes, learn from failures.
• Security
  • Strong identity foundation, traceability, security at all layers, protect data in transit/at rest.
• Reliability
  • Recover from failures, auto-recovery, horizontal scaling, stop guessing capacity.
• Performance Efficiency
  • Right-sized resources, serverless where possible, global deployments.
• Cost Optimization
  • Consumption model, managed services, cost allocation and analysis.
• Sustainability
  • Understand impact, set goals, maximize utilization, use efficient hardware, reduce downstream impact.

The AWS Well-Architected Tool helps review workloads against these pillars.

• Rehosting (“Lift and Shift”)
• Replatforming
• Refactoring / Re-architecting
• Repurchasing (move to SaaS)
• Retaining
• Retiring

• Snowcone
  • Rugged edge device, ~14 TB, 2 vCPU, 4 GB RAM.
• Snowball / Snowball Edge
  • ~80 TB storage, compute options.
  • Storage-Optimized and Compute-Optimized variants.
• Snowmobile
  • Truck-sized; up to 100 PB per container.

• Run AWS services on-prem with the same APIs and tools.
• Consistent hybrid experience.

• Local Zones
  • AWS infra closer to large population centers for low latency.
• Wavelength
  • Runs AWS services inside telecom 5G networks.

• AWS Lambda
• Amazon API Gateway
• AWS Step Functions
• Amazon DynamoDB
• Amazon S3
• Amazon EventBridge
• Amazon SNS, Amazon SQS
• AWS Fargate (serverless containers)
• AWS AppRunner

• CodeCommit – Private Git repos.
• CodeBuild – Fully managed build service.
• CodeDeploy – Automated deployments (EC2, Lambda, on-prem).
• CodePipeline – CI/CD orchestration.
• CodeStar – Project scaffolding and unified view.
• CodeGuru – ML-based code review and profiler.

• Amazon EventBridge
  • Event bus for AWS services, SaaS, and custom apps.
  • EventBridge Scheduler for cron-like schedules.
• Amazon S3 Lifecycle Policies
  • Automatic transitions and deletions of objects.

• AWS Cognito User Pools
  • User directory, sign-up/sign-in, social and SAML IdPs, MFA, JWT tokens.
• Cognito Identity Pools
  • Temporary AWS credentials for authenticated/unauthenticated users.
• AWS IAM Identity Center (successor to AWS SSO)
  • Central SSO to AWS accounts and SaaS apps.
• AWS Directory Service
  • Managed Microsoft AD or AD integration.
• AWS STS
  • Temporary security credentials for roles and federated users.
• AWS Federation
  • SAML 2.0 SSO from corporate IdPs into AWS.

• Application Load Balancer (ALB) – L7 HTTP/HTTPS; path-based routing.
• Network Load Balancer (NLB) – L4 TCP/UDP/TLS; ultra-low latency.
• Classic Load Balancer (CLB) – Legacy L4/L7; not recommended for new workloads.
• Gateway Load Balancer (GWLB) – L3; for virtual appliances (firewalls, etc.).

• CDN for static and dynamic content.
• Use cases: static asset caching, video streaming, security with WAF/Shield, API acceleration, software distribution.
• Costs depend on:
  • Data transfer out.
  • Request volume.
  • Edge locations used.

• Anycast static IP entry points.
• Routes traffic over AWS global network.
• Good for non-HTTP and latency-/availability-sensitive apps.

• Simple
• Failover
• Geolocation
• Geoproximity
• Latency-based
• IP-based
• Multivalue answer
• Weighted

• Analytics
  • EMR, Kinesis Data Streams, Timestream, Athena, QuickSight (and QuickSight Q).
• Security & Key Management
  • KMS (customer-managed keys, AWS-managed, AWS-owned keys).
  • CloudHSM (hardware-based key management).
  • Macie (sensitive data discovery in S3).
• Management & Governance
  • Organizations, Service Control Policies (SCP).
  • Control Tower, Service Catalog, Systems Manager (Parameter Store, Session Manager, Patch Manager).
  • Service Quotas, OpsWorks, CloudFormation, Proton.
• Application Services
  • AppSync (GraphQL), Amazon Chime, Pinpoint, WorkSpaces, AppStream 2.0.
• Migration & Transfer
  • Application Migration Service (MGN), Migration Hub, DataPipeline, Transfer Family, Storage Gateway.
• Marketplaces & Partner Network
  • AWS Marketplace (ISVs, SaaS, etc.).
  • APN Technology & Consulting Partners.
  • AWS Partner Paths (Software, Hardware, Services, Training, Distribution).

These notes are derived from and heavily based on:

• Author: Furkan Gülşen (Furkan-Gulsen)
• Original GitHub repo: AWS Certified Cloud Practitioner Certification - My Notes

All credit for the original compilation belongs to the author above. This DokuWiki version is a reorganized derivative intended for personal study and internal documentation.