
1. Storage
1.1. S3
1.1.1. Object-based (key-value) storage. An object consists of:
1.1.1.1. Key (name of the object)
1.1.1.2. Value
1.1.1.3. Version ID (Important for versioning)
1.1.1.4. Metadata
1.1.1.5. Subresources
1.1.1.6. Access Control List
1.1.2. Object size can be from 1 Byte to 5 TB
1.1.3. Universal namespace: https://s3-us-east-1.amazonaws.com/bucketname
1.1.4. Bucket names cannot contain capital letters
1.1.5. Read-after-write consistency for PUTs of new objects
1.1.6. Eventual consistency for overwrite PUTs and DELETEs (can take some time to propagate)
1.1.7. Availability: 99.99%
1.1.8. Durability: 99.999999999% (11 9's)
1.1.9. New objects in Bucket are Private
1.1.10. Storage tiers (can be set/changed for the entire bucket or for individual objects in the bucket)
1.1.10.1. S3
1.1.10.1.1. Availability: 99.99%
1.1.10.1.2. Durability: 99.999999999% (11 9's)
1.1.10.2. S3 - IA (Infrequent Access)
1.1.10.2.1. Lower storage fee than S3
1.1.10.2.2. Retrieval fee
1.1.10.2.3. Standard-IA has a minimum object size of 128KB; smaller objects are charged for 128KB of storage.
1.1.10.2.4. Minimum storage duration: 30 days
1.1.10.3. Reduced Redundancy Storage
1.1.10.3.1. Availability: 99.99%
1.1.10.3.2. Durability: 99.99%
1.1.11. Lifecycle Management
1.1.11.1. Can be applied to the whole bucket or to a prefix
1.1.11.2. Actions (without versioning)
1.1.11.2.1. Transition to S3-IA (minimum 30 days after creation)
1.1.11.2.2. Archive to Glacier
1.1.11.2.3. Permanent Delete
1.1.11.3. Actions (with versioning)
1.1.11.3.1. Actions for current version
1.1.11.3.2. Action for previous versions
1.1.12. Versioning
1.1.12.1. Can't be turned off once enabled
1.1.12.2. Supports MFA Delete
1.1.12.3. Doesn't deduplicate (S3 keeps every version of an object as a separate object)
1.1.13. Security
1.1.13.1. Bucket is PRIVATE by default
1.1.13.2. Access Control
1.1.13.2.1. Bucket Policies (applied to the whole bucket)
1.1.13.2.2. Access Control Lists (can be applied to individual objects in the bucket)
1.1.13.3. Encryption
1.1.13.3.1. In transit
1.1.13.3.2. At Rest
1.1.14. Transfer Acceleration
1.1.14.1. Allows uploading files to S3 via a CloudFront edge location
1.1.15. Cross Region Replication
1.1.15.1. Doesn't replicate existing objects
1.1.15.2. Requires Versioning
1.2. CloudFront
1.2.1. Edge Location
1.2.1.1. Supports READ and WRITE
1.2.1.2. More than 50 around the world
1.2.1.3. TTL
1.2.1.4. Cached objects can be cleared (you will be charged)
1.2.2. Origin
1.2.2.1. S3 bucket
1.2.2.2. EC2 instance
1.2.2.3. ELB
1.2.2.4. Route53
1.2.2.5. Non-AWS server
1.2.3. Distribution
1.2.3.1. Web Distribution
1.2.3.2. RTMP - media streaming
1.2.4. Geo Restrictions
1.2.4.1. White list
1.2.4.2. Black list
1.2.5. Invalidation
1.2.5.1. Removes objects from the cache
1.3. Glacier
1.3.1. Archive data
1.3.2. Takes 3-5 hours to restore
1.3.3. Extremely low cost ($0.01 per GB per month)
1.3.4. Minimum Storage Duration: 90 days
1.4. EFS
1.4.1. Supports NFSv4
1.4.2. pay only for storage
1.4.3. scale up to petabytes
1.4.4. Supports thousands of concurrent NFS connections
1.4.5. Spans AZs within a single region
1.4.6. Read-after-write consistency
1.5. Import/Export
1.5.1. Import/Export Disk
1.5.1.1. Import
1.5.1.1.1. S3
1.5.1.1.2. EBS
1.5.1.1.3. Glacier
1.5.1.2. Export
1.5.1.2.1. S3
1.5.2. Import/Export Snowball
1.5.2.1. Only S3
1.6. Storage Gateway
1.6.1. A service that connects an on-premises software appliance with cloud-based storage to provide seamless and secure integration between an organisation's on-premises IT environment and the AWS cloud
1.6.2. Types
1.6.2.1. Gateway-Stored Volume
1.6.2.1.1. The entire dataset is stored on site and asynchronously backed up to S3
1.6.2.2. Gateway-Cached Volume
1.6.2.2.1. Data lives on S3, but the most frequently accessed data is stored locally
1.6.2.2.2. If you lose internet connectivity, you will not have access to all of the data
1.6.2.3. Gateway Virtual Tape Library (VTL)
1.6.2.3.1. Provides a virtual tape shelf to back up to S3 or Glacier
2. Analytics
2.1. EMR
2.2. Data Pipeline
2.3. ElasticSearch
2.4. Kinesis
2.5. Machine Learning
2.6. Quick Sight
3. Security & Identity
3.1. IAM
3.1.1. Users
3.1.2. Groups
3.1.3. Roles
3.1.4. Policies
3.1.5. Notes
3.1.5.1. IAM is global (not tied to a region)
3.1.5.2. New users have no permissions by default
3.1.5.3. The root account has complete admin access by default
3.1.5.4. Power User Access allows access to all AWS services except for management of groups and users within IAM
3.2. Directory Service
3.3. Inspector
3.4. WAF
3.5. Cloud HSM
3.6. KMS
4. Management Tools
4.1. CloudWatch
4.1.1. Basic Monitoring
4.1.1.1. Every 5 min
4.1.1.2. Free
4.1.2. Detailed Monitoring
4.1.2.1. Every 1 min
4.1.2.2. Additional charge
4.1.3. Dashboard
4.1.4. Metrics
4.1.4.1. CPU
4.1.4.2. Disk
4.1.4.3. Network
4.1.5. Events
4.1.5.1. Allows reacting to changes
4.1.6. Alarms
4.1.6.1. Allows reacting when metrics cross thresholds
4.1.7. Logs
4.1.7.1. Allows aggregating, monitoring and storing logs
4.2. CloudFormation
4.3. CloudTrail
4.4. Opsworks
4.5. Config
4.6. Service Catalog
4.7. Trusted Advisor
5. WhitePapers
5.1. Security
5.1.1. Shared Security Model
5.1.2. Storage Decommissioning
5.1.2.1. DoD 5220.22-M or NIST 800-88
5.1.3. Amazon Corporate Segregation
5.1.4. Network monitoring & Protection
5.1.4.1. DDoS
5.1.4.2. Man in the middle attack (MITM)
5.1.4.3. IP spoofing
5.1.4.4. Port scanning
5.1.4.4.1. You should request permission for vulnerability and port scanning in advance
5.1.4.5. Packet sniffing by other tenants
5.1.5. Instance Isolation
5.1.5.1. Instances on the same host are isolated by the Xen hypervisor
5.1.5.2. The AWS firewall resides in the hypervisor, so instances on the same host have no more access to each other than any other instance does
5.1.5.3. RAM is separated
5.1.5.4. Disk and RAM are zeroed
5.1.6. AWS doesn't have read/write access to your guest OS
5.1.7. Strategic Business Plan reviewed at least biannually (every 6 months)
5.1.8. AWS scans public-facing services for vulnerabilities
5.1.9. Compliance
5.1.9.1. SOC1,2,3
5.1.9.2. FISMA, DIACAP, FedRAMP
5.1.9.3. PCI DSS Level 1 (infrastructure only)
5.1.9.4. ISO 27001
5.1.9.5. ISO 9001
5.1.9.6. ITAR
5.1.9.7. FIPS 140-2
5.1.9.8. Industry standards
5.1.9.8.1. HIPAA
5.1.9.8.2. Cloud Security Alliance
5.1.9.8.3. Motion Picture Association of America
6. Development Tools
6.1. CodeCommit
6.2. CodeDeploy
6.3. CodePipeline
7. Basic
7.1. Support
7.1.1. Basic, Developer, Business, Enterprise
8. Mobile Services
8.1. Mobile Hub
8.2. Cognito
8.3. Device Farm
8.4. Mobile Analytics
8.5. SNS
8.5.1. Sends notifications from the cloud
8.5.2. Can push notifications to mobile devices
8.5.3. Push to SQS
8.5.4. Send email
8.5.5. Trigger a Lambda function
8.5.6. Messages are redundantly stored across multiple AZs
9. Enterprise Applications
9.1. WorkSpaces
9.2. WorkDocs
9.3. WorkMail
10. Internet Of Things
11. Networking
11.1. VPC
11.1.1. Default VPC
11.1.1.1. All subnets are public
11.1.1.2. If you delete the default VPC, you have to contact AWS to get it back
11.1.2. VPC Peering
11.1.2.1. Connects one VPC to another
11.1.2.2. Doesn't give access to the internet
11.1.2.3. Doesn't give transitive access to a third VPC via another VPC
11.1.3. Tenancy
11.1.3.1. Default
11.1.3.2. Dedicated
11.1.3.2.1. If you set dedicated tenancy when creating a VPC, all instances in that VPC will automatically be dedicated
11.1.4. Route Tables
11.1.4.1. A default route table is created automatically for the VPC
11.1.5. Subnets
11.1.5.1. 1 subnet = 1 AZ
11.1.5.2. Amazon reserves 3 IP addresses in every subnet
11.1.6. IGW
11.1.6.1. 1 IGW per VPC
11.1.7. NAT Instance
11.1.7.1. Disable the source/destination check
11.1.7.2. Larger instances provide more network performance
11.1.8. Network Access Control Lists (ACLs)
11.1.8.1. A firewall for the entire subnet
11.1.8.2. A newly created subnet is associated with the default ACL
11.1.8.3. Stateless
11.1.8.4. Newly created ACLs deny all traffic by default
11.1.8.5. A subnet can have exactly 1 ACL (no more, no less)
11.1.8.6. Rules are evaluated starting from the lowest rule number; the first match wins
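The stateless, lowest-rule-number-first evaluation described above, as an added example (not from the original notes): a small Python model of one NACL direction. The rule numbers, CIDRs and ports are constructed for illustration; it shows a low-numbered deny beating a later allow, the implicit catch-all deny, and why a stateless ACL needs an explicit outbound rule for reply traffic on ephemeral ports.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int      # evaluated lowest number first; first match wins
    protocol: str    # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str        # source CIDR (inbound) or destination CIDR (outbound)
    action: str      # "allow" or "deny"


def evaluate(rules, protocol, port, address):
    """Decide 'allow' or 'deny' for one packet in one NACL direction.
    The trailing return models the '*' catch-all rule: implicit deny."""
    ip = ipaddress.ip_address(address)
    for r in sorted(rules, key=lambda r: r.number):
        if r.protocol not in ("all", protocol):
            continue
        if r.protocol != "all" and not (r.port_from <= port <= r.port_to):
            continue
        if ip not in ipaddress.ip_network(r.cidr):
            continue
        return r.action        # first matching rule decides
    return "deny"              # no rule matched: '*' denies


# Constructed example: inbound rules for a public web subnet.
INBOUND = [
    Rule(90, "tcp", 22, 22, "198.51.100.0/24", "deny"),   # blocks before rule 110
    Rule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    Rule(110, "tcp", 22, 22, "0.0.0.0/0", "allow"),
]
# Outbound rules: the first set forgot that NACLs are stateless.
OUTBOUND_BROKEN = [Rule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]
OUTBOUND_FIXED = OUTBOUND_BROKEN + [
    Rule(110, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),  # replies to ephemeral ports
]


def https_reply_allowed(outbound):
    # The server's HTTPS response goes back to the client's ephemeral port;
    # unlike a stateful security group, the NACL must allow it explicitly.
    return evaluate(outbound, "tcp", 51000, "203.0.113.7") == "allow"
```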
11.2. Direct Connect
11.2.1. Provides a dedicated link to AWS
11.3. Route53
11.3.1. Always choose an Alias record over a CNAME: http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-choosing-alias-non-alias.html
11.3.2. An ELB is addressed by a domain name
11.3.3. Routing Policies
11.3.3.1. Simple
11.3.3.2. Weighted
11.3.3.2.1. Allows splitting traffic based on the weights assigned
11.3.3.3. Latency
11.3.3.3.1. Based on the lowest network latency for the end user (i.e. which region gives the fastest response time)
11.3.3.4. Failover
11.3.3.4.1. Monitors the primary site using health checks and, if it fails, switches to the DR site
11.3.3.5. Geolocation
11.3.3.5.1. Based on the geographic location of end users
12. Compute
12.1. EC2
12.1.1. Price
12.1.1.1. On Demand
12.1.1.1.1. Low price and flexibility without long-term commitments
12.1.1.1.2. Short-term applications that cannot be interrupted
12.1.1.1.3. Development or testing
12.1.1.2. Reserved (1 or 3 Year)
12.1.1.2.1. Steady state or predictable usage
12.1.1.2.2. Requires reserved capacity
12.1.1.2.3. User is able to make an upfront payment
12.1.1.3. Spot
12.1.1.3.1. Applications with flexible start and end times
12.1.1.3.2. Very low compute price
12.1.1.3.3. Users with urgent, large computing needs
12.1.1.3.4. NOTE: If AWS terminates the instance itself, you will not pay for the partial hour. But if you terminate it, you will pay
12.1.2. Types
12.1.2.1. t2 - Low cost, general purpose
12.1.2.2. M4, M3 - General purpose
12.1.2.3. C3, C4 - Compute optimised
12.1.2.4. R3 - Memory optimised
12.1.2.5. G2 - GPU
12.1.2.6. I2 - High Speed Storage (NoSQL...)
12.1.2.7. D2 - Dense storage (hadoop ..)
12.1.3. EBS
12.1.3.1. Type
12.1.3.1.1. General Purpose SSD (GP2)
12.1.3.1.2. Provisioned IOPS SSD (IO1)
12.1.3.1.3. Magnetic (Standard)
12.1.3.2. Encryption
12.1.3.2.1. The root volume (where the OS lives) is NOT encrypted. You can use third-party tools to encrypt the root volume
12.1.3.2.2. Additional volumes can be encrypted
12.1.4. Security Groups (SG)
12.1.4.1. All Inbound traffic is blocked by default
12.1.4.2. All Outbound traffic is allowed by default
12.1.4.3. Changes to SG take effect immediately
12.1.4.4. SGs are STATEFUL
12.1.4.4.1. If you create Inbound rule allowing traffic in, that traffic is allowed back out again
12.1.5. Volume
12.1.5.1. Exists on EBS
12.1.5.2. Virtual hard disk
12.1.5.3. Volume restored from encrypted snapshot is encrypted
12.1.5.4. RAID
12.1.5.4.1. AWS does NOT recommend using RAID5
12.1.5.4.2. RAID0 - no redundancy, good performance
12.1.5.4.3. RAID10 - provides redundancy and good performance
12.1.5.4.4. Creating a snapshot of a RAID array
12.1.6. Snapshot
12.1.6.1. Exists on S3
12.1.6.2. Incremental: only changed blocks are uploaded to S3
12.1.6.3. A snapshot of an encrypted volume is encrypted automatically
12.1.6.4. You can share a snapshot only if it is NOT encrypted
12.1.6.5. To create a snapshot of the root volume, you need to stop the instance (or AWS will stop it for you). If the instance is not stopped, the integrity of the filesystem cannot be guaranteed
12.1.6.6. You can NOT remove a snapshot if it is used by an AMI
12.1.7. AMI
12.1.7.1. EBS root volume
12.1.7.1.1. The root volume is an EBS volume created from an EBS snapshot
12.1.7.2. Instance Store
12.1.7.2.1. The root device launched from the AMI is an instance store volume created from a template stored on S3 (takes a bit longer to launch)
12.1.7.2.2. Cannot be stopped
12.1.7.2.3. If the underlying host fails, you will lose your data
12.1.8. ELB
12.1.8.1. Only has its own DNS name, NOT IPs
12.1.9. IAM Role
12.1.9.1. You can NOT change the role of an already created instance
12.1.9.2. You can change the role itself, and the change is applied immediately
12.1.9.3. Roles are easier to manage
12.1.10. Instance Metadata
12.1.10.1. http://169.254.169.254/latest/meta-data/
12.1.10.2. You can NOT get user-data using this URL, only meta-data
12.1.11. Placement Group
12.1.11.1. Single AZ
12.1.11.2. Low latency
12.1.11.3. 10 Gbps
12.1.11.4. The name of a placement group must be unique across the AWS account
12.1.11.5. Only certain instance types can be launched in a PG (compute, GPU, memory and storage optimised)
12.1.11.6. AWS recommends using homogeneous instance types (same family and same size)
12.1.11.7. Can NOT merge PGs
12.1.11.8. Can NOT move an existing instance into a PG
12.2. EC2 Container Service
12.3. Elastic Beanstalk
12.4. Lambda
12.4.1. An event-driven compute service: Lambda runs your code in response to events
13. Databases
13.1. ElastiCache - in-memory caching
13.1.1. Memcached
13.1.2. Redis
13.2. DMS
13.3. RDS - OLTP (Online Transaction Processing)
13.3.1. Aurora
13.3.1.1. Auto-scaling storage (starts at 10 GB, scales in 10 GB increments up to 64 TB)
13.3.1.2. Compute resources scale up to 32 vCPUs and 244 GB RAM
13.3.1.3. 2 copies of data in each AZ across a minimum of 3 AZs (6 copies of data)
13.3.1.4. Can lose up to 2 copies without affecting write availability
13.3.1.5. Can lose up to 3 copies without affecting read availability
13.3.1.6. Self-healing (disks are continuously scanned for errors and repaired)
13.3.1.7. Replicas
13.3.1.7.1. Aurora Replica (up to 15)
13.3.1.7.2. MySQL Replica (up to 5)
13.3.2. Types
13.3.2.1. MSSQL
13.3.2.2. MySQL
13.3.2.3. Postgres
13.3.2.4. Oracle
13.3.2.5. Aurora
13.3.2.6. MariaDB
13.3.3. Automated Backups
13.3.3.1. Retained from 0 up to 35 days
13.3.3.2. Storage I/O may be suspended during the backup
13.3.3.3. You get free storage space on S3 equal to the size of the DB volume
13.3.4. Snapshots
13.3.4.1. Taken manually
13.3.4.2. Retained even if you remove the source DB (unlike automated backups)
13.3.5. Restoring always creates a new RDS instance with a new endpoint
13.3.6. Encryption
13.3.6.1. Supported by MySQL, Postgres, Oracle, MariaDB and SQL Server
13.3.6.2. Can NOT be enabled for existing instances
13.3.7. Multi-AZ
13.3.7.1. For Disaster Recovery ONLY
13.3.7.2. Automatic
13.3.7.3. synchronous
13.3.8. Read Replica
13.3.8.1. Asynchronous replication
13.3.8.2. MySQL, Postgres, MariaDB
13.3.8.3. Use for Scaling. NOT for DR
13.3.8.4. Require Automatic Backup
13.3.8.5. Up to 5 read replicas
13.3.8.6. Can have a read replica of a read replica (latency!)
13.3.8.7. A read replica can NOT be Multi-AZ
13.3.8.8. Read replica in a second region (for MySQL and MariaDB)
13.3.9. NOTES
13.3.9.1. DB Security Group: you don't need to specify port/protocol, only the source IP range / security group: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.RDSSecurityGroups.html#Overview.RDSSecurityGroups.DBSec
13.4. DynamoDB - NoSQL
13.4.1. Automatic scaling on the fly vs
13.4.2. Stored on SSD
13.4.3. Spread across 3 geographically distinct data centers
13.4.4. Eventually consistent reads (default)
13.4.4.1. Consistency across all copies of the data is usually reached within 1 second
13.4.5. Strongly consistent reads
13.4.5.1. Returns a result that reflects all writes
13.4.6. Pricing
13.4.6.1. Read throughput: $0.0065 per hour for every 50 units
13.4.6.2. Write throughput: $0.0065 per hour for every 10 units
13.4.6.3. Storage: $0.25 per GB per month
13.5. Redshift - OLAP (Online Analytic Processing)
13.5.1. Data warehouse service in the cloud
13.5.2. Single node (160 GB)
13.5.3. Multi-Node
13.5.3.1. Leader node (handles queries)
13.5.3.2. Compute nodes (store data, perform queries), up to 128 nodes
13.5.4. Price
13.5.4.1. Leader node is free
13.5.4.2. Compute nodes: charged per hour the instances run
13.5.4.3. Backup
13.5.4.4. Data transfer (within VPC)
13.5.5. Encryption
13.5.5.1. SSL/TLS for data transfer
13.5.5.2. Encrypted at rest using AES-256
13.5.5.3. By default Redshift manages the keys itself
13.5.5.3.1. But you can use KMS, or
13.5.5.3.2. Manage your own keys using an HSM
13.5.6. Availability
13.5.6.1. Only 1 AZ
13.5.6.1.1. You can restore a snapshot into a new AZ
14. Application Services
14.1. API Gateway
14.2. AppStream
14.3. CloudSearch
14.4. Elastic Transcoder
14.5. SES
14.6. SQS
14.6.1. Distributed queue system
14.6.2. A message is up to 256KB of text in any format
14.6.3. Billed in 64KB "chunks"
14.6.4. The first 1 million requests are free, then $0.50 per million
14.6.5. 1 request can contain up to 10 messages
14.6.6. Messages can be retrieved using the SQS API
14.6.7. Acts as a buffer
14.6.8. SQS guarantees at-least-once delivery
14.6.9. It is NOT FIFO
14.6.10. Consumers asynchronously PULL messages from the queue
14.6.11. The visibility timeout starts when the message is picked up
14.6.12. If the application fails, the message stays in the queue. After the visibility timeout, the message can be consumed by another application
14.6.13. When the application finishes processing, it removes the message from the queue
14.6.14. The visibility timeout is 30s by default
14.6.15. Retention period is up to 14 days
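The visibility-timeout and at-least-once behaviour described above, as an added example (not from the original notes, and not the real SQS API): a small Python model of a queue with a simulated clock passed in explicitly, so it runs deterministically offline. It shows a consumer that crashes without deleting its message, the message being hidden from other consumers until the 30 s default timeout elapses, the redelivery (second receipt) that makes processing idempotency necessary, and the 14-day retention expiry.

```python
from dataclasses import dataclass

DEFAULT_VISIBILITY = 30.0              # seconds
DEFAULT_RETENTION = 14 * 24 * 3600     # 14 days in seconds


@dataclass
class Message:
    body: str
    enqueued_at: float
    receipt_count: int = 0             # >1 means the consumer saw a redelivery
    invisible_until: float = 0.0       # simulated-clock time
    deleted: bool = False


class SimQueue:
    """Toy model of SQS visibility-timeout semantics (constructed example)."""

    def __init__(self, visibility_timeout=DEFAULT_VISIBILITY, retention=DEFAULT_RETENTION):
        self.visibility_timeout = visibility_timeout
        self.retention = retention
        self._messages = []

    def send(self, body, now):
        self._messages.append(Message(body, enqueued_at=now))

    def receive(self, now, max_messages=10):
        """Return up to max_messages visible, unexpired messages and hide
        each one from other consumers for one visibility-timeout window."""
        batch = []
        for m in self._messages:
            if m.deleted or now - m.enqueued_at > self.retention:
                continue                       # gone, or past retention
            if m.invisible_until > now:
                continue                       # another consumer holds it
            m.invisible_until = now + self.visibility_timeout
            m.receipt_count += 1
            batch.append(m)
            if len(batch) == max_messages:
                break
        return batch

    def delete(self, message):
        message.deleted = True                 # consumer finished: remove it


def crashed_consumer_redelivery():
    """Consumer A receives and crashes; consumer B sees the message only after
    the timeout, finishes, and deletes it. Returns receive counts per step."""
    q = SimQueue()
    q.send("order-42", now=0.0)
    first = q.receive(now=0.0)                 # A picks it up
    during = q.receive(now=10.0)               # B, within 30 s: hidden
    after = q.receive(now=31.0)                # B, after timeout: redelivered
    q.delete(after[0])
    gone = q.receive(now=62.0)
    return len(first), len(during), len(after), after[0].receipt_count, len(gone)
```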
14.7. SWF
14.7.1. Simple WorkFlow Service
14.7.2. Retention period is up to 1 year
14.7.3. Task-oriented API (whereas SQS is message-oriented)
14.7.4. A task is assigned ONLY ONCE
14.7.5. SWF tracks all tasks in the application (with SQS you need to implement your own application-level tracking)
14.7.6. SWF actors (can be code or humans)
14.7.6.1. Workflow starters - start the workflow
14.7.6.2. Deciders - control the workflow
14.7.6.3. Activity Workers