Index

A

accelerated computing instances, 224

ACID (atomicity, consistency, isolation and durability), 442–443

ACM (Amazon Certificate Manager), 546

active-active application deployment, 100–102

AD DS (Active Directory Domain Service), identity federation, 503–505

Agile, 104

alarms, CloudWatch, 259

action settings, 263–264

creating, 262–263

ALB (Application Load Balancing), 266, 270, 271–272

access logs, 284

connection draining, 282

creating a load balancer, 272–274

health checks, 279–280

HTTPS listener security settings, 276–277

maintaining user sessions, 278

monitoring with CloudWatch, 283

rule choices, 274–276

security, 280–283

SNI (Server Name Identification), 281

sticky session support, 278–279

target groups, 271

attributes, 277

routing, 277

Amazon Aurora, 100–102, 427, 433

communicating with, 432

deployment options, 428–429

failover, 431

storage, 429–431

Amazon Inspector, 525–526

Amazon Lightsail, 232–233

Amazon MQ, 152

Amazon Redshift, 447–448

clusters, 448

columnar data storage, 448

Concurrency Scaling, 448

replication, 448–449

Amazon SNS (Simple Notification Services), 144–147

AMIs (Amazon Machine Images), 233–235

AWS Linux, 235–236

AWS Marketplace, 237

build considerations, 240–242

choosing, 235

custom, 237–239

custom instance store, 239–240

Windows, 236

API Gateway, 156–160

APIs (application programming interfaces), 11, 13–14, 156–157

application integration services, 144

Amazon SNS (Simple Notification Services), 144–147

Amazon SQS (Simple Queue Service), 147–149

AWS Step Functions, 149–152

Application Load Balancer, 20

application security, 19–20

applications

migrating to AWS, 22–23, 24

lift and shift/re-hosting, 23

replacing with SaaS application, 24

security, 517

stateless, 139

architecture(s)

active-active application deployment, 100–102

designing for high availability, 88–90

adding fault tolerance, 90–91

removing single points of failure, 91–93

and disaster recovery, 94

RPO (recovery point objective), 94

ECS (Elastic Container Service), 243

fault tolerance, 89

stateful design, 138–140

stateless design, 139–140

storing user state information, 140–142

authentication, IAM (Identity and Access Management), 461–464

auto scaling, 290

ASGs (auto scaling groups), 291–296

cooldown period, 296

DynamoDB, 439–440

launch templates, 290

lifecycle hooks, 297

termination policy, 296–297

automation, 103–104, 113

CloudFormation, 11, 105–106

change sets, 113

creating an EC2 instance, 111–112

stacks, 109–111

templates, 105, 107–109

Elastic Beanstalk, 117–119

application updates, 119–121

third-party solutions, 114–115

availability, 33–34, 56

AWS (Amazon Web Services), 3, 4, 10, 29. See also architecture(s); EC2 (Elastic Compute Cloud) instances; storage; VPC (virtual private cloud)

Application Load Balancer, 20

automation, 103–104

availability, 34

AZs (availability zones), 6, 39–40, 353

distribution, 40–41

multiple, 42–43

BAA (Business Associate Addendum), 50

budgets, 595–596

BYOIP (Bring-Your-Own IP), 368–370

CloudEndure Migration, 57–58

CloudFormation, 11, 105–106

change sets, 113

creating an EC2 instance, 111–112

stack sets, 113–114

stacks, 109–111

templates, 105, 107–109

CloudFront, 73–74

HTTPS access, 76

OAI (origin access identity), 77

origin failover, 78–79

regional edge caches, 75

restricting distribution of content, 78

securing access to content, 75–76

serving private content, 76–77

use cases, 74–75

and WAF, 77

CloudTrail, 11, 520–521, 522

creating trails, 521–522

CloudWatch, 33, 247–249, 264

agent, 253

alarms, 259, 262–264

basic monitoring, 249–250

and EC2 Auto Scaling, 261

events, 260

included services, 255–256

logs, 250–253

metrics, 248, 249, 250, 258–259

namespace, 257

pricing, 261

timestamps, 260

CodeCommit, 124–125

compliance rules, 45–47

FedRAMP (Federal Risk and Authorization Management Program), 51

global frameworks, 49–50

HIPAA (Health Insurance Portability and Accountability Act), 50

NIST (National Institute of Standards and Technology), 51–52

North American frameworks, 48–49

shared responsibility model, 48

Cost Explorer, 593–595, 597–599

cost(s)

billing, 592–593

budgets, 595–596

calculating, 55–56, 555

compute, 558–559

of management services, 556

managing, 599–600

data storage, 170

data transfer, 319–320

DataSync, 320

Direct Connect, 320

SFTP (SSH File Transfer Protocol), 321–322

Snow Family, 320–321

EBS (Elastic Block Storage), 33

EC2-Classic networking, 336

ECS (Elastic Container Service), 33

edge locations, 63–64

services, 64

Elastic Beanstalk, 14, 117–119

ELB (Elastic Load Balancing), 58

essential characteristics

broad network access, 6

on-demand self-service, 5

measured service, 7–8

rapid elasticity, 7

resource pooling, 6

Fargate, 245–246

free trial period, 20–21

GuardDuty, 524–525

IaaS (infrastructure as a service), 10–12

IAM (Identity and Access Management), 19

identity federation, 503–505

KMS (Key Management Service), 543–544, 545

latency, 53–54

managed services, 10–11, 16, 33

API Gateway, 156–160

Lambda@Edge, 78–79

migrating to, 22–23

applications with local dependencies, 23

CloudEndure Migration, 57–58

determining what problem needs to be solved, 21–22

lift and shift/re-hosting, 23

multi-tier architecture solutions

design problems to overcome, 58–61

protecting against application failure, 62–63

redundancy, 61–62

three-tier design, 60

VPC (virtual private cloud), 56–58

operational benefits, 15

servers, 15

storage, 15

Organizations, 509–511

PaaS (platform as a service), 12–14

Cloud Foundry, 13

Heroku, 13

partnering with, 335–336

Promotional Credit, 9

RAM (Resource Access Manager), 511–512

RDS (Relational Database Service), 11, 14, 38

regions, 36–39

choosing, 43–44

GovCloud, 52–53

services offered in, 54–55

reliability, 35

Route 53, 64–65

alias records, 68–69

health checks, 49–66

resolver, 69–71

routing policies, 67

services, 65–66

traffic flow policies, 67–68

Secret Manager, 523–524

security, 18

application, 19–20

data, 18–19

ELB (Elastic Load Balancer), 20

network, 19

WAF (Web Application Firewall), 20

serverless computing, 154

Service Catalog, 115

IAM group constraints, 116–117

portfolios, 116

service quotas, 80–81

shared file storage, 306

SLAs (service-level agreements), 17, 43, 102–103

Storage Gateway, 322, 324

File Gateway, 322

Tape Gateway, 322–324

Volume Gateway, 322

STS (Security Token Service), 501–502

tiered pricing, 557

Trusted Advisor, 526–528

uptime, 94

user sessions

distributed, 142

management, 142–144

sticky, 142

storing user state information, 140–142

VPC (virtual private cloud), 334–335, 337–338

connectivity options, 387, 407–409

default, 352–353

determining number of needed, 347–349

endpoints, 390–395

external connections, 339, 395–396, 398, 399–406

flow logs, 385–386

hosted services, 338

hypervisor, 340–341

Layer 3 networks, 339

peering, 387–390

physical infrastructure, 339–340

route tables, 356, 357–361

Well-Architected Framework, 24

Well-Architected Framework tool, 26–27

AWS Certified Solutions Architect - Associate (SAA-C02) exam, 603–605, 606

objectives, 605

preparation tips, 606–607

scheduling, 608

suggested plan for review/study, 613

tools for final preparation, 609–613

AWS Config, 590–592

AWS Linux AMIs, 235–236

AWS Marketplace, AMIs (Amazon Machine Images), 237

AWS Shield, 71

AZs (availability zones), 6, 39–40, 353

distribution, 40–41

multiple, 42–43

B

BAA (Business Associate Addendum), 50

backup and restoration, 95

DynamoDB, 445

bare-metal instances, 224–225

billing costs. See also pricing, AWS (Amazon Web Services), 592–593

Blackfoot devices, 342

block storage, 175

EBS (Elastic Block Storage), 177–178, 183–184

attaching a volume, 182–183

boot and data volumes, 178

burst credits, 180–181

snapshots, 184–186

volume types, 178–180

building

AMIs (Amazon Machine Images), 240–242

serverless apps, 160–161

create a static website, 161–162

create the serverless backend components, 162–163

handle user authentication, 162

register for conference, 164

set up the API Gateway, 163–164

burst credits, 180–181

BYOIP (Bring-Your-Own IP), 368–370

C

choosing

AMIs (Amazon Machine Images), 235, 237

AWS regions, 43–44

CIDR block

creating, 349

primary, 349–351

secondary, 351–352

CLB (Classic Load Balancing), 265, 266, 269–270

cloud computing, 4. See also AWS (Amazon Web Services)

adopter mindsets, 8–9

availability, 34

AWS (Amazon Web Services)

AZs (availability zones), 6

broad network access, 6

on-demand self-service, 5

elasticity, 7

measured service, 7–8

resource pooling, 6

billing, 8

compliance rules, 44–45

deployment methodologies, 121–122, 123

elasticity, 286–287

GCP (Google Cloud Platform), 3

IaaS (infrastructure as a service), 3, 10–12

Microsoft Azure, 3, 4

Oracle Cloud, 3

PaaS (platform as a service), 3, 12–14

reliability, 35

SLAs (service-level agreements), 17

Twelve-Factor App Methodology, 121, 123

execute an app as one or more stateless processes, 128–129

explicitly declare and isolate dependencies, 125

export services via port binding, 129

keep development, staging, and production similar, 130–131

maximize robustness with fast startup and graceful shutdown, 130

run admin/management tasks as one-off processes, 131

scale out via the process model, 129–130

separate the build and run stages, 127

store configuration in the environment, 126

treat logs as event streams, 131

treat tracking services as attached resources, 126–127

version control, 123–124

Cloud Foundry, 13

Cloud9, 14

CloudEndure Migration, 57–58

CloudFormation, 11, 105–106

change sets, 113

creating an EC2 instance, 111–112

stack sets, 113–114

stacks, 109–111

templates, 105, 107–109

CloudFront, 73–74

HTTPS access, 76

OAI (origin access identity), 77

origin failover, 78–79

regional edge caches, 75

restricting distribution of content, 78

securing access to content, 75–76

serving private content, 76–77

use cases, 74–75

and WAF, 77

CloudHSM, 545

CloudTrail, 11, 520–521, 522

creating trails, 521–522

CloudWatch, 33, 144–145, 247–249, 264

agent, 253

alarms, 259

action settings, 263–264

creating, 262–263

ALB monitoring, 283

basic monitoring, 249–250

and EC2 Auto Scaling, 261

events, 260

included services, 255–256

logs, 250–253

metrics, 248, 249, 250, 258–259, 425

namespace, 257

pricing, 261

timestamps, 260

CodeCommit, 124

compliance, 44–45

AWS (Amazon Web Services), 45–47

FedRAMP (Federal Risk and Authorization Management Program), 51

FISMA (Federal Information Security Modernization Act), 51

global frameworks, 49–50

HIPAA (Health Insurance Portability and Accountability Act), 50

NIST (National Institute of Standards and Technology), 51–52

North American frameworks, 48–49

shared responsibility model, 48

storage, 176

compute-optimized instances, 223

containers

management services

EKS (Elastic Kubernetes Service), 246–247

Fargate, 245–246

types of, 243–244

versus VMs, 243

controlled storage, 184

creating

EC2 (Elastic Compute Cloud) instances, 111–112

IAM policies, 484

load balancer with ALB, 272–274

VPC (virtual private cloud)

using AWS CLI, 347

using the Launch VPC wizard, 345–347

using the VPC Wizard, 344–345

custom instance store AMIs, 239–240

D

data security, 18–19

database(s), 38–39. See also SQL

Amazon Aurora, 100–102, 427

communicating with, 432

deployment options, 428–429

failover, 431

storage, 429–431

clustering, 85

design solutions, 582–584

DynamoDB, 433–434, 435, 437

Auto Scaling, 439–440

backup and restoration, 445

burst capacity, 442

capacity, 438–439

comparison with SQL, 434

data consistency, 441

DAX, 444

global tables, 443

queries, 435–436

storage node design, 442

tables, 434–435, 437

ElastiCache, 445–447

installing, 423–425

NoSQL, 437

OLTP (online transaction processing), 435

performance monitoring, 425

reducing costs, 581–582

dedicated instances, 226

on-demand self-service, AWS (Amazon Web Services), 5

DevOps, 104

disaster recovery, 94

backup and restoration, 95

hot site solution, 99–100

pilot light deployment, 95–97

RPO (recovery point objective), 94

RTO (recovery time objective), 95

warm standby solution, 96–99

Docker, 243–244, 246

DynamoDB, 433–434, 435, 437

and ACID, 442–443

adaptive capacity, 439

Auto Scaling, 439–440

backup and restoration, 445

burst capacity, 442

comparison with SQL, 434

data consistency, 441

DAX, 444

Paxos, 441

queries, 435–436

storage node design, 442

tables, 434–435, 437

capacity, 438–439

global, 443

E

EBS (Elastic Block Storage), 33, 177–178, 182, 183–184, 297, 304

attaching a volume, 182–183

boot and data volumes, 178

burst credits, 180–181

encryption, 535–536, 537–538

creating a master key, 535–536

encrypted data types, 536–537

general purpose SSD, 180–181

io1 and io2 drives, 304–305

pricing, 576

snapshots, 184, 186

administration, 185–186

taking from a Linux instance, 184

taking from a Windows instance, 185

tags, 578–579

volume types, 178–180

EC2 (Elastic Compute Cloud) instances, 4, 7, 39, 58, 152, 209, 217

accelerated computing, 224

AMIs (Amazon Machine Images), 233–235

AWS Linux, 235–236

AWS Marketplace, 237

build considerations, 240–242

choosing, 235

custom, 237–239

custom instance store, 239–240

Windows, 236

auto scaling, 285–289

ASGs (auto scaling groups), 291–296

cooldown period, 296

launch configuration, 290

launch templates, 290

lifecycle hooks, 297

termination policy, 296–297

bare-metal, 224–225

burstable performance, 420

changing the current instance type, 229–232

choosing, 220, 221

CloudWatch integration, 261

compute-optimized, 223

creating, 111–112

dedicated, 226

dedicated hosts, 225–226

enhanced networking, 227–228

f1, 224

Fleet instances, 573–575

g3, 224

general-purpose, 221

high-memory, 223

HVM (hardware virtual machine) images, 220

launch templates, 228–229

memory-optimized, 223, 420

micro, 221

naming conventions, 218–219

network performance, 226–227

pinging, 377

pricing, 559–560, 575

convertible reserved instance, 564

on-demand instance limits, 560–561

limits calculator, 562

payment options, 564

regional and zonal RIs, 565–567

requesting a quota change, 561–562

RI (reserved instance), 562–563, 565

savings plans, 567–568

scheduled RIs, 565

standard reserved instance, 564

term commitment, 563

PV (paravirtual) images, 220

spot capacity pools, 572–573

spot fleets, optimization strategies, 571–572

spot instances, 568–571

standard, 420

storage-optimized, 224, 305–306

t, 221–222

virtual cores, 219

x1, 223

z1d, 224

ECDSA (Elliptic Curve Digital Signature Algorithm), 281

ECS (Elastic Container Service), 33, 242, 244

architecture, 243

containers

types of, 243–244

versus VMs, 243

launch types, 244

registry, 245

task placement strategy, 245

edge locations, 63–64

AWS Shield, 71

services, 64

EFS (Elastic File System), 174, 187–188, 191, 306, 307–309, 312–313

DataSync, 191

lifecycle management, 190–191

performance modes, 188, 309

general purpose, 309

Max I/O, 309

pricing, 577

security, 189–190, 312

storage classes, 310–311

throughput modes, 188–189, 311

Bursting, 311–312

provisioned, 312

EIPs (elastic IP addresses), 364–366

EKS (Elastic Kubernetes Service), 246–247

Elastic Beanstalk, 14, 117–119

application updates, 119–121

ElastiCache, 174, 445–447

elasticity, 42, 286–287

AWS (Amazon Web Services), 7

ELB (Elastic Load Balancing), 20, 58, 101, 264–265, 269

choices and features, 266–267

health checks, 268–269

redundancy in design, 267–268

and security groups, 377–378

target group, 265–266

encryption

AES (Advanced Encryption Standard), 535

CloudHSM, 545

EBS (Elastic Block Storage), 535–536, 537–538

creating a master key, 535–536

encrypted data types, 536–537

envelope, 544–545

KMS (Key Management Service), 543–544, 545

S3 (Simple Storage Service), 540–542

endpoints, 390–391

Aurora, 432

gateway, 391–392

interface, 392–393

PrivateLink, 393–395

ephemeral ports, 383–385

ephemeral storage, 175, 186

architecture, 186–187

event(s)

CloudWatch, 260

notifications, 145–146

exam. See AWS Certified Solutions Architect - Associate (SAA-C02) exam

F

f1 instances, 224

failures

and disaster recovery, 94

protecting against, 62–63

and SLAs, 102–103

fault tolerance, 85, 88, 89

designing for, 90–91

FedRAMP (Federal Risk and Authorization Management Program), 51

firewalls. See also security

NACLs (network access control lists), 379, 380–381

custom setup, 382

ephemeral ports, 383–385

planning, 385

rule processing, 381–382

security groups, 19, 144

WAF (Web Application Firewall), 72–73

FISMA (Federal Information Security Modernization Act), 51

FSx, 175, 191–192, 306, 317

accessing, 193

features, 193–194

for Lustre, 306–307, 317–318

multi-AZ deployment, 192–193

performance, 316–317

single-AZ deployment, 192

system performance, 193

for Windows File Server, 315–316

functions, Lambda, 153, 154

G

g3 instances, 224

Gartner's Magic Quadrant, 3

GCP (Google Cloud Platform), 3

general purpose instances, 221

GitHub, 124

GLB (Gateway Load Balancer), 266

global compliance frameworks, 49–50

GovCloud, 52–53

GuardDuty, 524–525

H

HDDs (hard disk drives), 175

health checks

ALB (Application Load Balancing), 279–280

ELB (Elastic Load Balancing), 268–269

Route 53, 49–66

Heroku, 13, 121

high availability, 29, 34, 85. See also availability

designing for, 88–90

removing single points of failure, 91–93

high-memory instances, 223

HIPAA (Health Insurance Portability and Accountability Act), 50

hyperthreading, 219

I

IaaS (infrastructure as a service), 3, 10–12

VPC (virtual private cloud), 10

IAC (infrastructure as code), 104

IAM (Identity and Access Management), 19, 105, 116–117, 457–460, 503

account details, 475–476

actions, 466–467

authentication, 461–464

authorization process, 465–466

best practices, 506–507

cross-account access to AWS resources, 499–501

groups, 474

MFA (multifactor authentication), 479

password policies, 476

policies, 479

actions, 488–489

conditional elements, 494–495

control options, 489

creating, 484

custom, 482

elements, 484–486

identity-based, 480–482

job function, 480–481

in-line, 483

managed, 480–481

permission boundary, 489–491

permissions, 491–493

resource-based, 482–483

syntax and grammatical rules, 486–487

versions, 493–494

policy definitions, 460–461

policy evaluation logic, 466

requesting access to AWS resources, 464–465

roles, 496–497

service-linked, 497–498

using with mobile applications, 499

rotating access keys, 477–479

security tools, 507–509

signing in as an IAM user, 474–475

tags, 495–496

users, 467–468

access keys, 472–474

IAM user, 470–472

root user, 468–470

identity federation, 503–505

installing, databases, 423–425

instance storage, 186

architecture, 186–187

instances. See EC2 (Elastic Compute Cloud) instances

IOPS (input/output per second), 177

IP addresses

elastic, 92, 364–366

IPv6, 370–371

private IPv4, 361–362

public IPv4, 362–364, 366–367

ITIL (Information Technology Infrastructure Library), 104

J-K

JSON (JavaScript Object Notation), 105

CloudFormation templates, 107–109

Kubernetes, 246–247. See also EKS (Elastic Kubernetes Service)

L

Lambda, 152–156

functions, 153, 154

latency, 53–54

launch templates, 228–229

Layer 3 networks, 339

Linux, workload testing, 181

load balancing, 92, 139, 264–265. See also ELB (Elastic Load Balancing)

ALB (Application Load Balancing), 270, 271–272

access logs, 284

connection draining, 282

creating a load balancer, 272–274

health checks, 279–280

HTTPS listener security settings, 276–277

maintaining user sessions, 278

monitoring, 283

rule choices, 274–276

target groups, 271, 277

CLB (Classic Load Balancing), 265, 266, 269–270

NLB (Network Load Balancing), 284–285

sticky sessions, 139–140, 142

M

managed services, 10–11, 33, 156–160

measured service, AWS (Amazon Web Services), 7–8

memory-optimized instances, 223

metrics, CloudWatch, 258–259, 425

micro instances, 221

Microsoft Azure, 3, 4, 11, 13–14

migrating to AWS

applications, 22–23, 24

lift and shift/re-hosting, 23

replacing with SaaS application, 24

CloudEndure Migration, 57–58

determining what problem needs to be solved, 21–22

monitoring. See also CloudWatch, planning for, 253–255

N

NACLs (network access control lists), 144, 379, 380–381

custom setup, 382

ephemeral ports, 383–385

planning, 385

rule processing, 381–382

naming conventions, EC2 (Elastic Compute Cloud) instances, 218–219

network(s)

access, AWS (Amazon Web Services), 6

data transfer costs, 585–587, 590

design solutions, 587–588

public versus private traffic charges, 588–590

reducing costs, 584–585

security, 19

NIST (National Institute of Standards and Technology), 4–5, 51–52, 286

Nitro, 340

NLB (Network Load Balancing), 266, 284–285

North American compliance frameworks, 48–49

O

OAI (origin access identity), 77

object storage, 174–175. See also storage

legal hold, 542–543

S3 (Simple Storage Service), 194–195, 204, 206–207

access points, 205–206

batch operations, 200–201

buckets, 194, 196–198

CRR (cross-region replication), 202–203

data consistency, 198

encryption, 540–542

inventory, 203–204

object lock, 201–202

object lock policies, 542

performance, 204

permissions, 196

replication, 202

SRR (same-region replication), 203

storage classes, 198–200

Storage Lens, 203

unlimited storage, 196

versioning, 204–205

OLTP (online transaction processing), 435

P

PaaS (platform as a service), 3, 12–14

Cloud Foundry, 13

Heroku, 13

PCI (Payment Card Industry), compliance rules, 46–47

performance

comparison of storage options, 579–581

EC2 (Elastic Compute Cloud) instances, 226–227

FSx, 316–317

latency, 53–54

reliability, 35, 56

S3 (Simple Storage Service), 204

storage, 176

and the Well-Architected Framework, 25

PIOPS (provisioned IOPS), 177

policies

bucket, 538–540

IAM (Identity and Access Management), 479

actions, 488–489

conditional elements, 494–495

control options, 489

creating, 484

custom, 482

elements, 484–486

identity-based, 480–482

job function, 480–481

in-line, 483

managed, 480–481

permission boundary, 489–491

permissions, 491–493

resource-based, 482–483

syntax and grammatical rules, 486–487

versions, 493–494

object lock, 542–543

pricing

CloudWatch, 261

compute costs, 558–559

EC2, 559–560, 575

on-demand instance limits, 560–561

savings plans, 567–568

inbound and outbound traffic charges, 367–368

management, 590–592

public versus private traffic charges, 588–590

RI (reserved instance), 562–563, 565

convertible, 564

payment options, 564

regional and zonal, 565–567

scheduled, 565

standard, 564

spot instances, 568–571

storage

AWS Backup, 576–577

EBS (Elastic Block Storage), 576

EFS (Elastic File System), 577

S3 buckets, 575–576

S3 Glacier, 576

tiered, 557

public cloud, 4–5. See also cloud computing

R

RDS (Relational Database Service), 11, 14, 38, 175, 417, 426–427. See also database(s)

Aurora, 427, 433

communicating with, 432

deployment options, 428–429

failover, 431

storage, 429–431

best practices, 425–426

CloudWatch metrics, 425

database instances, 418–419

burstable performance, 420

class types, 420

memory-optimized, 420

standard, 420

engines, 417

failures, 62

high-availability design

failover, 422

multi-AZ deployment, 420–421, 423

replication, 422

performance monitoring, 425

setup options, 423–425

reliability, 33–34, 35, 56

resiliency, 29

resource pooling, 287–288

AWS (Amazon Web Services), 6

Route 53, 64–65

alias records, 68–69

health checks, 49–66

resolver, 69–71

routing policies, 67

services, 65–66

traffic flow policies, 67–68

route tables, 360–361

custom, 357–360

main, 357

RPO (recovery point objective), 94

RTO (recovery time objective), 95

S

S3 (Simple Storage Service), 174–175, 194, 195, 204, 206–207

access points, 205–206

batch operations, 200–201

buckets, 194, 196–198

security, 538–540

versioning, 204–205

CRR (cross-region replication), 202–203

data consistency, 198

encryption, 540–542

Glacier, 18, 207, 209

archives, 208

Deep Archive, 208–209

object lock policies, 542

pricing, 207

storage at rest, 543

vaults, 208

inventory, 203–204

Object Lock, 201–202

object lock policies, 542

objects, 194–195

performance, 204

permissions, 196

pricing, 575–576

replication, 202

snapshots, 184

SRR (same-region replication), 203

storage classes, 198–200

Storage Lens, 203

unlimited storage, 196

SAML (Security Association Markup Language), 503

Scrum, 104

Secret Manager, 523–524

security, 18, 33, 48, 335. See also encryption

ACM (Amazon Certificate Manager), 546

ALB (Application Load Balancing), 280–283

application, 19–20

applications, 517

data, 18–19

EFS (Elastic File System), 189–190, 312

ELB (Elastic Load Balancer), 20

groups, 19, 144, 371–374

administrative access, 376–377

application server inbound ports, 375–376

custom, 374–375

database server inbound ports, 376

ELB (Elastic Load Balancing), 377–378

pinging an EC2 instance, 377

planning, 378–379

IAM (Identity and Access Management), 19, 105, 116–117, 457–460

account details, 475–476

actions, 466–467

authentication, 461–464

authorization process, 465–466

conditional elements, 494–495

creating policies, 484

cross-account access to AWS resources, 499–501

custom policies, 482

groups, 474

IAM user, 470–472

identity-based policies, 480–482

job function policies, 480–481

in-line policies, 483

managed policies, 480–481

MFA (multifactor authentication), 479

password policies, 476

permission boundaries, 489–491

permissions, 491–493

policies, 479

policy actions, 488–489

policy control options, 489

policy definitions, 460–461

policy elements, 484–486

policy evaluation logic, 466

policy syntax, 486–487

policy versions, 493–494

requesting access to AWS resources, 464–465

resource-based policies, 482–483

roles, 496–498, 499

root user, 468–470

rotating access keys, 477–479

signing in as an IAM user, 474–475

tags, 495–496

tools, 507–509

user access keys, 472–474

users and groups, 467–468

identity federation, 503–505

network, 19

S3 buckets, 538–540

WAF (Web Application Firewall), 20

Well-Architected Framework, 25

serverless apps, building, 160–161

create a static website, 161–162

create the serverless backend components, 162–163

handle user authentication, 162

register for conference, 164

set up the API Gateway, 163–164

serverless computing, 152–156

Service Catalog, 115

IAM group constraints, 116–117

portfolios, 116

session affinity, 139–140

shared file storage, 306

EFS (Elastic File System), 306

FSx, 306

FSx for Lustre, 306–307

shared responsibility model, 48

shared security model, 335

single points of failure, removing, 91–93

SLAs (service-level agreements), 17, 43, 102–103

snapshots, 184, 186

administration, 185–186

taking from a Linux instance, 184

taking from a Windows instance, 185

SQL

Amazon Redshift, 447–448

clusters, 448

columnar data storage, 448

Concurrency Scaling, 448

replication, 448–449

comparison with DynamoDB, 434

queries, 435–436

schema, 434

SSDs (solid-state drives), 175, 180–181, 305

SSO (single sign-on), 140

identity federation, 503–505

state machines, 149

activity tasks, 150–151

service tasks, 151

stateful design, 138–140

changing user state location, 140–142

stateless design, 139–140

changing user state location, 140–142

Step Functions, 149–152. See also state machines

workflows, 151

sticky sessions, 139–140, 142, 278–279

storage, 141–142, 169, 170

Aurora, 429–431

AWS (Amazon Web Services), 15

block, 175

comparison of options, 313–315

controlled, 184

data security, 18–19

determining workload requirements, 176–177

EBS (Elastic Block Storage), 177–178, 183–184

attaching a volume, 182–183

burst credits, 180–181

encryption, 535–538

general purpose SSD, 180–181

pricing, 576

snapshots, 184–186

tags, 578–579

volume types, 178–180

EFS (Elastic File System), 174, 187–188, 191, 307–309

DataSync, 191

lifecycle management, 190–191

performance modes, 188, 309

pricing, 577

security, 312

storage classes, 310–311

throughput modes, 188–189, 311–312

ElastiCache, 174, 445–447

ephemeral, 175

FSx, 175, 191–192, 317

accessing, 193

features, 193–194

for Lustre, 317–318

multi-AZ deployment, 192–193

performance, 316–317

single-AZ deployment, 192

system performance, 193

for Windows File Server, 315–316

instance, 186–187

object, 174–175

Paxos, 441

performance comparison, 579–581

personal records, 169

RDS (Relational Database Service), 175

resiliency, 29

S3 (Simple Storage Service), 174–175, 194, 195, 204, 206–207

access points, 205–206

batch operations, 200–201

buckets, 194, 196–198

CRR (cross-region replication), 202–203

data consistency, 198

encryption, 540–542

inventory, 203–204

objects, 194–195

performance, 204

permissions, 196

replication, 202

security, 538–540

SRR (same-region replication), 203

storage classes, 198–200

Storage Lens, 203

unlimited storage, 196

versioning, 204–205

S3 Glacier, 207, 209

archives, 208

Deep Archive, 208–209

pricing, 576

vaults, 208

shared file, 306

EFS (Elastic File System), 306

FSx, 306

FSx for Lustre, 306–307

stateful, 138–140

user state information, 140–142

storage-optimized EC2 instances, 224, 305–306

T

t instances, 221–222

tags, 578–579

cost allocation, 579

templates

CloudFormation, 105, 107–109

launch, 228–229

Trusted Advisor, 526–528

Twelve-Factor App Methodology, 121, 123

execute an app as one or more stateless processes, 128–129

explicitly declare and isolate dependencies, 125

export services via port binding, 129

keep development, staging, and production similar, 130–131

maximize robustness with fast startup and graceful shutdown, 130

run admin/management tasks as one-off processes, 131

scale out via the process model, 129–130

separate the build and run stages, 127

store configuration in the environment, 126

treat logs as event streams, 131

treat tracking services as attached resources, 126–127

version control, 123–124

U

user sessions

distributed, 142

management, 142–144

sticky, 142

storing user state information, 140–142

V

vCPU (virtual CPU), 219

virtual machines, 4. See also EC2 (Elastic Compute Cloud) instances

versus containers, 243

virtual private cloud, 5

VPC (virtual private cloud), 10, 19, 56–58, 334–335, 336, 337–338

AZs (availability zones), 353

Blackfoot devices, 342

CIDR block

creating, 349

primary, 349–351

secondary, 351–352

connectivity options, 387

creating

using AWS CLI, 347

using the Launch VPC wizard, 345–347

using the VPC Wizard, 344–345

default, 352–353

determining number of needed, 347–349

EIPs (elastic IP addresses), 364–366

endpoints, 390–391

gateway, 391–392

interface, 392–393

PrivateLink, 393–395

external connections, 339, 395–396

customer gateway, 404–406

Direct Connect, 407–409

egress-only Internet gateway, 398

Internet gateway, 395–396

NAT gateway, 399–401

transit gateway, 401–402

VPG (virtual private gateway), 404

VPN, 401–404

VPN CloudHub, 406

flow logs, 385–386

hosted services, 338

hypervisor, 340–341

IG (Internet Gateway), 352

inbound and outbound traffic charges, 367–368

IPv6 addresses, 370–371

Layer 3 networks, 339

packet flow, 341–342

Blackfoot devices, 342

mapping service, 343–344

peering, 387–390

physical infrastructure, 339–340

private IPv4 addresses, 361–362

public IPv4 addresses, 362–364, 366–367

route tables, 356, 360–361

custom, 357–360

main, 357

security groups, 371–374

administrative access, 376–377

application server inbound ports, 375–376

custom, 374–375

database server inbound ports, 376

ELB (Elastic Load Balancing), 377–378

pinging an EC2 instance, 377

planning, 378–379

subnets, 354–356

VPG (virtual private gateway), 404

VPNs (virtual private networks), 6, 401–404

CloudHub, 406

route propagation, 406–407

W

WAF (Web Application Firewall), 20, 72–73

and CloudFront, 77

Well-Architected Framework, 24

cost optimization, 26

operational excellence, 25

performance efficiency, 25

reliability, 25

security, 25

Well-Architected Framework tool, 26–27

Wiggins, A., 121

Windows AMIs, 236

X-Y-Z

x1 instances, 223

z1d instances, 224
