Hands-on AWS in 3 Weeks

Chad Smith
Principal Cloud Architect

Account Creation and Login

Root User Characteristics
● Email address as username
● Generic login URL
● Access to unique tasks

Account Creation
https://portal.aws.amazon.com/billing/signup

Root Account Email
● Use a distribution list (corporate)
● Use an alias (personal)
● Root account properties can only be changed by the root user
● If you close the account, that root email cannot ever be used again

Root Account Unique Tasks
● Change account settings
● Change AWS support plan
● Activate access to the Billing and Cost Management Console
● View billing tax invoices
● Restore IAM User permissions for only IAM administrator
● Configure S3 bucket for MFA delete
● Edit/Delete S3 bucket policy with invalid VPC ID or VPC Endpoint ID
● Sign up for GovCloud
● Close the account

Root User Credentials
● Username/Password - required
● API Keys - NO
● MFA - recommended
● Multiple MFA - maybe?

Demonstration
Log in using root account credentials
Discover the AWS Console features

Identity Management and IAM

Permissions

AWS Policy Types
● Identity-based: attached to IAM identities. Either managed (AWS managed or customer managed) or inline
● Resource-based: attached to resources (not supported by all services). Either a permissions policy or a role trust policy
● Boundary: defines maximum permissions for a principal or account. Permissions boundaries and Organizations SCPs
● Session Policies: limit permissions while assuming temporary credentials
● Access Control Lists (ACLs): similar to resource-based policies but does not use JSON, S3-only support

What is an IAM User?
● A principal identity
● Associated with permissions - group, inline, managed
● Associated with a permission boundary
● Container for credentials

IAM User Credentials
● Sign-in Credentials
● Access Keys
● You must have at least one of the above to access AWS resources

What is an IAM Group?
● Collection of IAM Users
● Associated with permissions - inline, managed
● Cannot be nested
JSON Policy Elements
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ec2:TerminateInstances"],
      "Resource": ["*"]
    },
    {
      "Effect": "Deny",
      "Action": ["ec2:TerminateInstances"],
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [
            "192.0.1.0/24",
            "204.0.110.0/24"
          ]
        }
      },
      "Resource": ["*"]
    }
  ]
}
● Version is the API version for parsing policies
● Statement: a single statement or array; contains primary permission logic
● Effect: two options, Explicit Allow and Explicit Deny
● Actions are requests issued to service API endpoints
● Resources can define and limit the scope of the actions
● Explicit Deny can assist with least privilege
● Conditions restrict the scope of policies even further
● One type of condition can restrict requests to specific source CIDR ranges
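To make the Allow/Deny logic of the policy above concrete, here is an added example (not part of the course material) that evaluates that exact policy the way IAM would: an explicit Deny beats any Allow, no matching statement is an implicit deny, and the NotIpAddress condition is checked against a request's aws:SourceIp. Only the IpAddress/NotIpAddress operators are modelled, and the request context is assumed to always carry aws:SourceIp; everything else is an assumption of this example.

```python
import ipaddress
import re

# Constructed copy of the two-statement policy from the slides above.
SLIDE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ec2:TerminateInstances"],
            "Resource": ["*"],
        },
        {
            "Effect": "Deny",
            "Action": ["ec2:TerminateInstances"],
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": ["192.0.1.0/24", "204.0.110.0/24"],
                }
            },
            "Resource": ["*"],
        },
    ],
}


def as_list(value):
    """IAM accepts either a single string or a list for Action, Resource and condition values."""
    return value if isinstance(value, list) else [value]


def glob_match(pattern, value):
    """IAM wildcard matching: '*' is any run of characters, '?' is exactly one character."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
                    for ch in pattern)
    return re.fullmatch(regex, value) is not None


def conditions_hold(condition, context):
    """Evaluate a Condition block. Only IpAddress/NotIpAddress are implemented; any other
    operator raises so the example can never silently mis-evaluate a policy."""
    for operator, keys in condition.items():
        if operator not in ("IpAddress", "NotIpAddress"):
            raise NotImplementedError(f"condition operator {operator} is not modelled")
        for key, cidrs in keys.items():
            if key not in context:
                # Simplification of this example: the key must be present in the request.
                raise KeyError(f"request context lacks condition key {key}")
            addr = ipaddress.ip_address(context[key])
            in_range = any(addr in ipaddress.ip_network(c, strict=False)
                           for c in as_list(cidrs))
            # Every key under every operator must hold for the condition to be true.
            if operator == "IpAddress" and not in_range:
                return False
            if operator == "NotIpAddress" and in_range:
                return False
    return True


def statement_matches(stmt, action, resource, context):
    """A statement applies when action, resource and condition all match the request."""
    # Action names are case-insensitive in IAM; resource ARNs are compared as written.
    if not any(glob_match(a.lower(), action.lower()) for a in as_list(stmt["Action"])):
        return False
    if not any(glob_match(r, resource) for r in as_list(stmt["Resource"])):
        return False
    return conditions_hold(stmt.get("Condition", {}), context)


def evaluate(policy, action, resource, context):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request.
    An explicit Deny always wins; with no matching statement the request is implicitly denied."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not statement_matches(stmt, action, resource, context):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    instance = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"
    for ip in ("192.0.1.10", "204.0.110.200", "10.0.0.5"):
        print(ip, evaluate(SLIDE_POLICY, "ec2:TerminateInstances", instance,
                           {"aws:SourceIp": ip}))
```

Running it shows the least-privilege effect of the Deny statement: the same caller is allowed from the two listed ranges and explicitly denied from anywhere else.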
What is an IAM Role?
● IAM Identity
● Associated with permissions - inline, managed
● Assumed by other principals

Role Trust Policy
Trust policy elements: Principal, Effect, Action, Condition. The principal is the entity allowed to assume the role. Principal types:
● AWS Account
● Root user
● IAM user
● Federated user
● IAM role
● Assumed-role session
● AWS services
● Anonymous user

Amazon Resource Name (ARN)
Globally Unique Identifier

arn:partition:service:region:account-id:resource-id

● partition: aws, aws-cn, aws-us-gov
● service: ec2, s3, iam
● region: us-east-1, eu-west-1, ap-south-1
● account-id: 0123456789012
● resource-id: User/Chad, instance/i-XXXXXX, volume/vol-XXXXX

Demonstration
Create IAM role for power users
Create test users
Attach policy to users for password change

Account Management with Organizations

Multiple Accounts Using Organizations
● The Management account has very few resources such as SSO
● The Apps OU is for all product related infrastructure
● Create OUs for Non-prod and Prod environments
● Another OU for all management activities
● Business continuity is isolated into an OU and separate account
● So is security and compliance auditing infrastructure
● Finally, all shared resources can be placed in a separate OU and account

Resulting structure: Management Account (ROOT) with OUs Apps (containing NON PROD and PROD), Mgmt, DR, Audit and Shared.

AWS Organizations SCPs
● Service Control Policy
● Supports OU structure
● SCPs can allow (boundary)
● SCPs can deny
● Affect IAM users and roles
● Affect root credentials
● SCPs are inherited

SCP Exceptions
● Management account
● Service-linked roles
● As root user:
  ● Enterprise support registration
  ● AWS support level change
  ● CloudFront key changes
  ● CloudFront trusted signer
  ● LightSail reverse DNS

Demonstration
Explore the Organizations dashboard
Discuss Organizations policies
Create new SCP to deny certain actions
Validate the SCP

AWS Global Infrastructure

AWS Data Center
● 10s of thousands of servers
● No services
● Custom network hardware
● Commodity server and storage hardware
● Independent power, A/C and Internet

Data Center Scope
● Cluster Placement Group
● Dedicated Instances
● Dedicated Hosts

AWS Availability Zone
● Atomic unit of resource scope
● Low latency
● 1+ Data centers

Availability Zone Scope
● EC2 Instance
● EBS Volume
● RDS Instance
● FSx File System
● Redshift Node
● VPC Subnet

Multi-AZ Scope
● RDS Multi-AZ
● Auto Scaling on EC2
● Elastic Load Balancer
● Elastic Beanstalk Environment

AWS Region
● Multiple, physically separate AZs
● Service API Endpoints hosted here
● Common unit of resource scope

Current Regions 07/2024
(map of AWS regions; not reproduced in text)

Region Scope
● All Service API Endpoints
● S3 Bucket
● DynamoDB Table
● Lambda Function
● WAF Web ACL
● VPC Network

Multi-Region Scope
● AWS Backup Plan
● S3 Replication
● RDS Read Replica
● DynamoDB Global Table

Region Selection Criteria
● Service availability
● Co-locate with users
● Co-locate with infra
● Data residency
● Multi-region DR

AWS Local Zone
● Remote AZ
● Associate with Region

Local Zone Scope
● EC2 Instance
● EBS Volume
● RDS Instance
● Application Load Balancer

Single Edge Location
● Separate infrastructure from regions
● Connected to Region networks
● Scope for Global services

Global Edge Location Presence
● Better distribution than Regions
● 600+ Edge Locations!

Global Scope
● Route 53 Zone
● CloudFront Distribution
● WAF Web ACL*
● Lambda@Edge Function

On-premises Scope
● AWS Outposts
● AWS Snowcone
● AWS Snowball
● AWS Snowball@Edge
● AWS IoT Greengrass
● AWS Storage Gateway

Implementing Security Guardrails and Reports

AWS Security Hub
● Enable per region
● Supports Organizations
● Automate security checks, centralize alerts and findings
● Ingest findings from third-party sources
● Implement checks from several security standards

AWS Security Hub Standards
● AWS Foundational Security Best Practices
● CIS AWS Foundations Benchmark
● NIST Special Publication 800-53
● PCI DSS
● Tagging

Consolidate Security Findings in AWS
Services connected to Security Hub:
● Amazon Detective
● GuardDuty findings
● Inspector findings
● Macie findings
● SSM Patch Manager compliance
● AWS Audit Manager
● IAM Access Analyzer findings
● Firewall Manager
● SSM OpsCenter findings

Security Alert Automation
● Any CloudWatch alarm can deliver the status to an SNS topic (CloudWatch Alarm -> SNS Topic)
● SNS topics support email and HTTP subscribers for notifications (CloudWatch Alarm -> SNS Topic -> Email notification)
● All Security Hub findings can be delivered to EventBridge. This includes custom insights (Security Hub Finding -> EventBridge Rule)
● EventBridge rules support many different targets for notifications and mitigation (Security Hub Finding -> EventBridge Rule -> Lambda function or Run Command)

Security Lake Basics
● Centralized security data from various sources
● Automated collection from regions and accounts
● Normalizes all data into OCSF format
● Uses S3 for storage

Security Lake Architecture
Data sources:
● CloudTrail logs
● VPC Flow logs
● R53 Resolver query logs
● S3 data events
● Lambda data events
● Security Hub findings, including those from Config, Firewall Manager, GuardDuty, Health, IAM Access Analyzer, Inspector, Macie and SSM Patch Manager

Processing and reporting:
● Security Lake creates a Lake Formation table for each data source
● All normalized data is stored in S3 and written to the Glue Data Catalog
● Use Athena to query the Glue catalog
● Build QuickSight dashboards on top of the Athena queries

Demonstration
Explore Security Hub dashboard
Explore Config dashboard and compliance

Tags and Budgets

Tag Basics
● Metadata key/value pairs
● key: up to 127 chars
● value: up to 255 chars
● Apply up to 50 tags per resource

Organizations Tag Policy Basics
● Standardize tags across accounts or OUs
● Uses Resource Groups
● Supports case sensitivity for tag keys
● Supports tag value choices
● Supports tag enforcement on specified resource types

Identifying Un-tagged/Noncompliant Resources
● Create an Organization tag policy and apply to accounts or OUs. Any resource missing a "costcenter" tag is noncompliant
● Even if a resource has the right letters, case sensitivity matters: a resource in an Organizations member account tagged "CostCenter" and "Name" is still missing "costcenter"
● An organization-wide compliance report will identify all resources with missing or incorrect tags

Tag Policy Compliance Report Considerations
● The report is generated every 48 hours
● The report uses Resource Groups
● The report supports Organization-wide scope for excellent scaling
● The report is in CSV format

Identifying Un-tagged/Noncompliant Resources
● Resource Explorer can be enabled per region or per account
● Supports a documented list of resources and queries for identifying tag compliance

Resource Explorer Report Generation
The AWS CLI can be used to generate reports of resources that have no user defined tags:

aws resource-explorer-2 search \
  --query-string "tag:none"

Resource Explorer Report Considerations
● The report is generated every 36 hours
● The report supports 1000 objects in output
● The report uses CSV format

Identifying Un-tagged/Noncompliant Resources
Use CloudFormation to deploy a Config rule to identify missing tags:

Resources:
  MandatoryTags:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: BrightkeyRequiredTags
      Description: These tags must exist on resources
      InputParameters:
        tag1Key: costcenter
        tag2Key: Name
      Scope:
        ComplianceResourceTypes:
          - "AWS::S3::Bucket"
          - "AWS::EC2::Instance"
          - "AWS::EC2::Volume"
      Source:
        Owner: AWS
        SourceIdentifier: REQUIRED_TAGS
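The tag-policy slides and the REQUIRED_TAGS Config rule above share one evaluation idea: exact, case-sensitive key matching, optional value choices, and a scope of resource types. This added example (not from the course) reproduces that evaluation offline over a constructed inventory and writes the same kind of CSV report the tag policy and Resource Explorer reports produce. The cc100/cc200 value choices and the inventory are assumptions constructed for the example.

```python
import csv
import io

# Required keys from the Config rule on the slide. A set means "tag value choices" (the
# Organizations tag policy feature); None accepts any value. Choices here are constructed.
REQUIRED_TAGS = {"costcenter": {"cc100", "cc200"}, "Name": None}
IN_SCOPE_TYPES = {"AWS::S3::Bucket", "AWS::EC2::Instance", "AWS::EC2::Volume"}

# Constructed inventory standing in for Resource Explorer or Config output.
INVENTORY = [
    {"arn": "arn:aws:ec2:us-east-1:123456789012:instance/i-0001",
     "type": "AWS::EC2::Instance", "tags": {"costcenter": "cc100", "Name": "web-1"}},
    {"arn": "arn:aws:ec2:us-east-1:123456789012:volume/vol-0002",
     "type": "AWS::EC2::Volume", "tags": {"CostCenter": "cc100", "Name": "web-1-root"}},
    {"arn": "arn:aws:s3:::example-reports-bucket",
     "type": "AWS::S3::Bucket", "tags": {}},
    {"arn": "arn:aws:ec2:us-east-1:123456789012:instance/i-0003",
     "type": "AWS::EC2::Instance", "tags": {"costcenter": "cc999", "Name": "sandbox"}},
    {"arn": "arn:aws:lambda:us-east-1:123456789012:function:nightly-job",
     "type": "AWS::Lambda::Function", "tags": {}},
]


def evaluate_resource(resource, required=REQUIRED_TAGS, in_scope=IN_SCOPE_TYPES):
    """Return (compliance, problems) for one resource with Config rule semantics:
    resource types outside the rule's Scope are NOT_APPLICABLE rather than failed."""
    if resource["type"] not in in_scope:
        return "NOT_APPLICABLE", []
    tags = resource["tags"]
    problems = []
    for key, choices in required.items():
        if key not in tags:  # exact match only: tag keys are case-sensitive
            near = [k for k in tags if k.lower() == key.lower()]
            hint = f" (found {near[0]!r}: case mismatch)" if near else ""
            problems.append(f"missing tag {key!r}{hint}")
        elif choices is not None and tags[key] not in choices:
            problems.append(f"tag {key!r} value {tags[key]!r} not in {sorted(choices)}")
    return ("COMPLIANT" if not problems else "NON_COMPLIANT"), problems


def compliance_report(inventory, required=REQUIRED_TAGS, in_scope=IN_SCOPE_TYPES):
    """Produce a CSV report (the format both AWS reports use) plus a count per status."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["resource_arn", "resource_type", "compliance", "problems"])
    counts = {"COMPLIANT": 0, "NON_COMPLIANT": 0, "NOT_APPLICABLE": 0}
    for res in inventory:
        status, problems = evaluate_resource(res, required, in_scope)
        counts[status] += 1
        writer.writerow([res["arn"], res["type"], status, "; ".join(problems)])
    return out.getvalue(), counts


if __name__ == "__main__":
    report, summary = compliance_report(INVENTORY)
    print(report)
    print(summary)
```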
Cost Allocation Tag Basics
● Associate tags with billing
● Enable in AWS console
● Use in individual accounts
● Use in Organizations
● Good reason for tag strategy
● AWS-generated tags
● User-defined tags

AWS Budgets Basics
● Monitor cost
● Monitor utilization
● Monitor coverage
● Passive notifications
● Active actions
● Filters same as CE

Cost Budgets
● Name
● Effective dates: Recurring or Expiring
● Cost Amount(s)
● Filter(s)
● Threshold(s)
● Notification(s): Email (up to 10), SNS Topic, Chatbot Alert
● Action(s): IAM Action, SCP Action, EC2/RDS Action

Budget Actions
● Apply IAM policy to IAM users/groups/roles
● Apply SCP to root or OU in an Organization
● Stop EC2 or RDS instances in an account

Demonstration
Explore Cost Allocation Tags
Create Cost Budget

Monitoring Compliance and Events

Config Basics
● Region scope
● Config Streams
● Partial coverage
● Capture changes
● Capture config
● Snapshots
● Rules

Config Rule Creation Example
● Properties and changes for resources
● AWS-managed rule
● Custom rule

Config Rule Remediation Example
● Config stream: RDS instance with Enhanced Monitoring disabled
● Manual remediation using AWS SSM document
● Automated remediation using AWS SSM Automation document

EventBridge Basics
● Region scope
● Default Event bus
● Custom Event bus
● Sources and targets
● Replay feature
● DLQ feature

EventBridge Sources
● CloudTrail API events
● GuardDuty findings
● Other service events
● Forwarded events
● Scheduled events
● Custom events

EventBridge Rules
● JSON format
● Match event properties
● Source Event -> Rule -> targets such as API Gateway, CloudWatch Logs, EC2 Actions, Remote Event Bus, Lambda Function, SNS Topic

EventBridge Filter Samples
Use an EventBridge rule to identify resources marked as non-compliant by a Config rule:

{
  "source": [
    "aws.config"
  ],
  "detail-type": ["Config Rules Compliance Change"],
  "detail": {
    "messageType": ["ComplianceChangeNotification"],
    "configRuleName": ["BrightkeyRequiredTags"],
    "resourceType": ["AWS::SERVICENAME::RESOURCENAME"],
    "newEvaluationResult": {
      "complianceType": [
        "NON_COMPLIANT"
      ]
    }
  }
}
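To see which Config events the pattern above would actually select, here is an added example (not from the course) that implements the subset of EventBridge pattern semantics the sample relies on: every pattern key must be present in the event, a list of values is an OR of exact matches, nested objects recurse, and extra event fields are ignored. The slide's placeholder resource type is filled in with AWS::EC2::Instance, and the sample events are constructed; both are assumptions of the example.

```python
# The rule pattern from the slide, with the placeholder "AWS::SERVICENAME::RESOURCENAME"
# replaced by AWS::EC2::Instance for this example.
SLIDE_PATTERN = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {
        "messageType": ["ComplianceChangeNotification"],
        "configRuleName": ["BrightkeyRequiredTags"],
        "resourceType": ["AWS::EC2::Instance"],
        "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]},
    },
}


def pattern_matches(pattern, event):
    """Subset of EventBridge event-pattern matching. Content filters (prefix, numeric,
    anything-but, ...) are not modelled and raise instead of silently matching."""
    for key, expected in pattern.items():
        if key not in event:
            return False  # a key named in the pattern must exist in the event
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not pattern_matches(expected, actual):
                return False
        elif isinstance(expected, list):
            if any(isinstance(v, dict) for v in expected):
                raise NotImplementedError("content filters are not modelled")
            if actual not in expected:  # list = OR of literal values
                return False
        else:
            raise ValueError("pattern leaves must be lists of literal values")
    return True


def config_event(rule, resource_type, resource_id, compliance):
    """Constructed Config compliance-change event carrying the fields the rule inspects."""
    return {
        "version": "0",
        "source": "aws.config",
        "detail-type": "Config Rules Compliance Change",
        "region": "us-east-1",
        "detail": {
            "messageType": "ComplianceChangeNotification",
            "configRuleName": rule,
            "resourceType": resource_type,
            "resourceId": resource_id,
            "newEvaluationResult": {"complianceType": compliance},
        },
    }


# Constructed sample events: only the first one should trigger the rule.
SAMPLE_EVENTS = [
    config_event("BrightkeyRequiredTags", "AWS::EC2::Instance", "i-0001", "NON_COMPLIANT"),
    config_event("BrightkeyRequiredTags", "AWS::EC2::Instance", "i-0002", "COMPLIANT"),
    config_event("BrightkeyRequiredTags", "AWS::EC2::Volume", "vol-0003", "NON_COMPLIANT"),
    config_event("some-other-rule", "AWS::EC2::Instance", "i-0004", "NON_COMPLIANT"),
]


def matching_resources(pattern, events):
    """Resource IDs of the events a rule with this pattern would forward to its targets."""
    return [e["detail"]["resourceId"] for e in events if pattern_matches(pattern, e)]


if __name__ == "__main__":
    print(matching_resources(SLIDE_PATTERN, SAMPLE_EVENTS))
```

Dropping the resourceType line from the pattern (as the slide's placeholder invites you to decide) would also forward the volume event; narrowing it keeps the Lambda or Run Command target from acting on resource types it was not written for.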
Demonstration
Create event-based Config rule
Explore Config rules with remediation
Create EventBridge rule for GuardDuty

Creating a Global Network

VPC Basics
● Virtual Private Cloud
● Region scope
● Private network for many AWS resources

VPC CIDR Addresses
● RFC 1918 IPv4 CIDR or bring your own. 5 CIDR ranges supported per VPC
● Largest IPv4 CIDR is /16
● Smallest IPv4 CIDR is /28
● AWS-provided IPv6 CIDR or bring your own. 5 ranges supported per VPC

Subnet Basics
● Contiguous range of IP addresses in a VPC
● AZ scope
● Local Zone scope
● Associate with Route Table and Network ACL

Subnet Types
● Public subnet: bidirectional Internet access via IGW
● Private subnet: outbound Internet access via proxy (NAT GW)
● VPC/VPN only subnet: no Internet access, or only via VPN/DX

Reserved addresses in every subnet:
● 0: network
● 1: VPC router
● 2: DNS (if base VPC CIDR)
● 3: Reserved for future use
● Last: Bcast address (not used)
VPC Order of Operations
● Create the VPC, including a name and primary CIDR range
● Create subnets, using AZs as required. All subnets are identical at this stage
● Create an IGW and attach it to the VPC (2 different actions)
● Create a route table, add a route with IGW as the target, and attach to the public subnets (3 tasks)
● Create private subnets
● Create a NAT Gateway with associated EIP
● Create a route table, add a route with NAT GW as the target, and attach to the private subnets (3 tasks)

VPC Peering Basics
● Attach 2 VPC networks
● Same region
● Same account
● Cross region
● Cross account
● No overlapping CIDR
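The VPC CIDR limits, the five reserved subnet addresses and the peering "no overlapping CIDR" rule above are all checkable before anything is created. This added example (not part of the course) does those checks with the standard ipaddress module; the subnet sizes used are constructed, and treating a non-RFC 1918 range as "bring your own" rather than an error is this example's assumption.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def validate_vpc_cidr(cidr):
    """Problems with a proposed VPC IPv4 CIDR against the slide's limits (/16 largest,
    /28 smallest). A non-RFC 1918 range is reported as a note, since BYOIP is allowed."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        return ["only IPv4 VPC CIDRs are checked here"]
    problems = []
    if net.prefixlen < 16:
        problems.append(f"/{net.prefixlen} is larger than the /16 maximum")
    if net.prefixlen > 28:
        problems.append(f"/{net.prefixlen} is smaller than the /28 minimum")
    if not any(net.subnet_of(private) for private in RFC1918):
        problems.append("not RFC 1918: only valid as a bring-your-own range")
    return problems


def validate_vpc_cidrs(cidrs):
    """Check a whole VPC: at most 5 ranges, each valid, none overlapping another."""
    problems = [] if len(cidrs) <= 5 else [f"{len(cidrs)} ranges exceeds the 5 per VPC"]
    for c in cidrs:
        problems += [f"{c}: {p}" for p in validate_vpc_cidr(c)]
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b} within the same VPC")
    return problems


def reserved_addresses(subnet_cidr):
    """The five addresses AWS reserves in every subnet, as listed on the Subnet Types slide."""
    net = ipaddress.ip_network(subnet_cidr, strict=False)
    return {
        "network": str(net[0]),
        "vpc_router": str(net[1]),
        "dns": str(net[2]),  # the resolver itself answers at VPC base CIDR + 2
        "future_use": str(net[3]),
        "broadcast": str(net[-1]),
    }


def usable_addresses(subnet_cidr):
    """Addresses left for instances/ENIs after the five reserved ones."""
    return ipaddress.ip_network(subnet_cidr, strict=False).num_addresses - 5


def peering_compatible(cidrs_a, cidrs_b):
    """VPC peering requires that no CIDR of one VPC overlaps any CIDR of the other."""
    return not any(ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))
                   for a in cidrs_a for b in cidrs_b)


if __name__ == "__main__":
    print(validate_vpc_cidrs(["10.0.0.0/16", "10.0.0.0/8", "203.0.113.0/24"]))
    print(reserved_addresses("10.0.1.0/24"), usable_addresses("10.0.1.0/24"))
    print(peering_compatible(["10.0.0.0/16"], ["10.0.1.0/24"]))
```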
VPC Peering Configuration
● Requestor VPC
● Accepter VPC
● Add route table entry in both VPCs

Transit Gateway Basics
● Attach to subnet
● Region scope
● Standalone resource
● Connect to VPCs
● Connect to on-prem networks

Transit Gateway Provisioning
● Transit Gateway can be deployed as a standalone resource

Transit Gateway Attachments
● Attachments can be created into subnets in a VPC
● Route table entries are also required for each subnet
● Multiple VPCs can communicate via the Transit Gateway
● Connect an on-premises data center via VPN
● Connect an on-premises data center via Direct Connect Gateway (through a Direct Connect Location)
● Connect Transit Gateways to each other via cross-region VPN

VPC Workload Isolation Strategies
● Organize by environment: DEV, PROD, Shared services and Loadtest (temp) VPCs in a Region
● Organize by workload compliance: Public facing apps, Internal, PCI in-scope and Shared services VPCs
● Organize by business continuity: Prod1, Prod2, Prod3 and Backups and DR VPCs across Regions
● Organize by data sovereignty: Americas, EMEA, SEA and AUS VPCs, each in its own Region

Workload Isolation Strategies
● Organize by security requirements: separate AWS Cloud environments for Security audit, Backups and DR, DEV and PROD
● Organize to match company hierarchy: separate AWS Cloud environments for Marketing, IT, Engineering and Finance

Service Selection Criteria
● Service availability doesn't imply all features are available in the region
● Check for service compliance by program (PCI, SOC, GDPR, etc.)
● Service compliance doesn't imply all features are compliant
● When in doubt, ask support!

Demonstration
Deploy multiple VPCs (Terraform)
Connect VPCs using peering connections
Connect VPCs using Transit GW

Deploying EC2
EC2 Basics
Click to edit Master title style
● Elastic Compute
Cloud
● AZ scope
● Local Zone scope
● Virtual machines
● Flexible resources
● Flexible OS
EC2 Resources - Processor & Memory
Click to edit Master title style
CPU Flexible choices of
Architecture processor
architecture and
generation
AMD Intel Graviton M1
EC2 Resources - Processor & Memory
Click to edit Master title style
CPU vCPU is roughly
Architecture equivalent to a
thread on a
processor core
AMD Intel Graviton M1

vCPU: higher number for more compute capacity


EC2 Resources - Processor & Memory
Click to edit Master title style
CPU Choosing
Architecture architectures with
more vCPU raises
the memory ceiling
AMD Intel Graviton M1

vCPU: higher number for more compute capacity

More vCPU = higher memory capacity


EC2 Resources - Storage
Click to edit Master title style
Region
Instance storage is
direct attached to the
EC2 host hardware

host hardware
Availability Zone
EC2 Resources - Storage
Click to edit Master title style
EBS storage is reached
Region via network but
presented as local
block storage

host hardware
Availability Zone
EC2 Resources - Network
Click to edit Master title style
Region
One primary network
interface required,
Private subnet others are optional

Primary ENI

Secondary ENI(s)

ENA

EFA
host hardware

Availability Zone
EC2 AMI Basics
● Amazon Machine Image
● Region scope
● Root volume snapshot
● Launch permissions
● Block device mappings for non-root volumes
EC2 AMI Sources
Community
Marketplace
My AMIs
Shared AMIs


EC2 Launch Options - Console
What are the tradeoffs when launching an EC2 instance using the AWS Console?
In favor: Path of least resistance; Always current; Semi-helpful suggestions; Semi-helpful error codes
Against: Can't automate; Can't scale; Human error; Frequent UI changes
EC2 Launch Options - CLI
Ever tried embedding JSON syntax inside CLI syntax? Easy to make mistakes!
What about embedding bash/powershell syntax inside CLI syntax? Good luck with that!
This command line gets ridiculous, very quickly. Is there a better way?
Look at these, tucked all the way at the end of the option list! (--generate-cli-skeleton and --cli-input-json)
EC2 Launch Options - CLI
aws ec2 run-instances --generate-cli-skeleton
redirect output to text file
edit text file as per launch requirements
check the file into your source code repo
aws ec2 run-instances --cli-input-json <text file> --dry-run
aws ec2 run-instances --cli-input-json <text file>
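A skeleton produced by `--generate-cli-skeleton` lists every parameter of `run-instances` with placeholder values, and the "edit text file" step above is where most mistakes happen: placeholders that are left in (empty strings, zeros, a stray `"DryRun": true`) are sent to the API as real values. The script below is an added example, not part of the course material or the AWS CLI: it prunes untouched placeholders from an edited skeleton, checks the few fields a launch cannot do without, and flags an instance that would still serve IMDSv1. The skeleton content, AMI and security-group ids are constructed stand-ins.

```python
import json

# Constructed stand-in for a skeleton produced by
# `aws ec2 run-instances --generate-cli-skeleton` after editing: a real skeleton
# lists every parameter with placeholder values ("", 0, true, [] or {});
# only the fields an operator would plausibly have filled in are shown here.
SAMPLE_SKELETON = {
    "ImageId": "ami-EXAMPLE",            # placeholder AMI id, not a real one
    "InstanceType": "t3.micro",
    "MinCount": 1,
    "MaxCount": 1,
    "KeyName": "",                        # untouched placeholder
    "SecurityGroupIds": ["sg-EXAMPLE"],   # placeholder security group id
    "SubnetId": "",                       # untouched placeholder
    "UserData": "",
    "BlockDeviceMappings": [
        {"DeviceName": "", "Ebs": {"DeleteOnTermination": True, "VolumeSize": 0, "Encrypted": True}}
    ],
    "TagSpecifications": [
        {"ResourceType": "instance",
         "Tags": [{"Key": "Name", "Value": "web-01"}, {"Key": "", "Value": ""}]}
    ],
    "MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": ""},
    "DryRun": True,
}

REQUIRED_FIELDS = ("ImageId", "MinCount", "MaxCount")


def is_placeholder(value):
    """True for values the skeleton generator emits and the operator left untouched."""
    if isinstance(value, bool):
        return False
    return value in ("", None, 0) or value == [] or value == {}


def prune(node):
    """Recursively remove placeholder values so only operator-set fields remain."""
    if isinstance(node, dict):
        pruned = {k: prune(v) for k, v in node.items()}
        return {k: v for k, v in pruned.items() if not is_placeholder(v)}
    if isinstance(node, list):
        pruned = [prune(item) for item in node]
        return [item for item in pruned if not is_placeholder(item)]
    return node


def build_cli_input(skeleton):
    """Return (cleaned_dict, problems); an empty problems list means the JSON is ready for --cli-input-json."""
    cleaned = prune(skeleton)
    # DryRun is passed as the --dry-run flag on the command line in the flow above;
    # leaving "DryRun": true in the file would turn the final launch into a dry run too.
    cleaned.pop("DryRun", None)
    problems = [f"missing required field {name}" for name in REQUIRED_FIELDS if name not in cleaned]
    for mapping in cleaned.get("BlockDeviceMappings", []):
        if "DeviceName" not in mapping:
            problems.append("BlockDeviceMappings entry without DeviceName")
    if cleaned.get("MetadataOptions", {}).get("HttpTokens") != "required":
        problems.append("MetadataOptions.HttpTokens should be 'required' so only IMDSv2 is served")
    return cleaned, problems


if __name__ == "__main__":
    body, issues = build_cli_input(SAMPLE_SKELETON)
    print(json.dumps(body, indent=2))
    for issue in issues:
        print("problem:", issue)
```

The pruned document is what gets checked into the repository and passed to the CLI (the CLI reads it when the argument is given as `file://launch.json`); the `--dry-run` step then catches whatever the local checks cannot, such as an AMI id that does not exist in the target region.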


EC2 Image Builder - Concepts
Components, Image Recipe, Image Pipeline, Infrastructure Config, Distribution Settings, Phases; the output is an AMI
EC2 Image Builder - Recipe
Select Image
Build Components
Test Components
EC2 Image Builder - Pipeline
Required: Recipe, Infrastructure Config
Optional: Schedule, Distribution Settings
Distribution settings include cross region/account copies and launch template association!
Demonstration
Launch an EC2 instance using the launch wizard

EC2 OS Operations
SSM Patch Manager Prerequisites
(Diagram: VPC with a public subnet and a private subnet in an Availability Zone)
The instance must be running a supported OS
The instance must have the SSM Agent installed
The SSM Agent must be able to access the Systems Manager service API, either directly OR via an endpoint
The SSM Agent must be able to access the SSM managed S3 buckets, either directly OR via an endpoint
The SSM Agent must be able to access the patch source repos (unique per OS type)
SSM Patch Manager Flow
Patch Baseline: OS, Product name, Classification, Severity
There are both managed and custom patch baselines, including defaults for each OS
Patch Group: "Patch Group" tag
Patch Groups are associated with Patch Baselines
EC2 Tags: Patch Group: <value>
The instance requires a Patch Group tag with a value that matches the SSM Patch Group
SSM Run Command can be used to patch instances matching the Patch Group tag value
AWS-RunPatchBaseline
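The flow above hinges on a tag value matching a registered Patch Group; an instance whose tag is missing or misspelled is not skipped but quietly patched against the OS default baseline, which is rarely the one the team reviewed. The code below is an added example, not part of the course material: it resolves which baseline each instance would receive, reports the ones that fell back to a default, and assembles the parameters for a Run Command invocation of AWS-RunPatchBaseline targeted by tag. The inventory, baseline ids and Patch Group names are constructed.

```python
# Constructed inventory, shaped like the pieces of a describe-instances
# response this logic needs: instance id, platform, and tags.
INSTANCES = [
    {"InstanceId": "i-web-1-example", "Platform": "Linux", "Tags": {"Name": "web-1", "Patch Group": "prod-web"}},
    {"InstanceId": "i-web-2-example", "Platform": "Linux", "Tags": {"Name": "web-2", "Patch Group": "prod-web"}},
    {"InstanceId": "i-db-1-example", "Platform": "Windows", "Tags": {"Name": "db-1", "Patch Group": "prod-db"}},
    {"InstanceId": "i-adhoc-example", "Platform": "Linux", "Tags": {"Name": "scratch"}},
    {"InstanceId": "i-typo-example", "Platform": "Linux", "Tags": {"Name": "web-3", "Patch Group": "prod-wb"}},
]

# Constructed registrations: the custom baseline each Patch Group is
# associated with, and the default baseline per OS (ids are placeholders).
GROUP_BASELINES = {"prod-web": "pb-custom-linux-EXAMPLE", "prod-db": "pb-custom-windows-EXAMPLE"}
DEFAULT_BASELINES = {"Linux": "pb-default-linux-EXAMPLE", "Windows": "pb-default-windows-EXAMPLE"}
PATCH_GROUP_TAG = "Patch Group"


def resolve_baselines(instances, group_baselines, default_baselines):
    """Map each instance to the baseline Patch Manager would apply.

    An instance without the tag, or whose tag value matches no registered
    Patch Group, falls back to the OS default baseline; those are returned
    separately so they can be fixed rather than drift unnoticed.
    """
    assigned, fallback = {}, []
    for inst in instances:
        group = inst["Tags"].get(PATCH_GROUP_TAG)
        if group in group_baselines:
            assigned[inst["InstanceId"]] = group_baselines[group]
        else:
            assigned[inst["InstanceId"]] = default_baselines[inst["Platform"]]
            fallback.append((inst["InstanceId"], group))
    return assigned, fallback


def patch_scan_command(group):
    """Parameters for `aws ssm send-command`, targeting one Patch Group by tag.

    Operation=Scan only reports missing patches; switch to Install inside a
    maintenance window once the scan results have been reviewed.
    """
    return {
        "DocumentName": "AWS-RunPatchBaseline",
        "Targets": [{"Key": f"tag:{PATCH_GROUP_TAG}", "Values": [group]}],
        "Parameters": {"Operation": ["Scan"]},
    }


if __name__ == "__main__":
    assigned, fallback = resolve_baselines(INSTANCES, GROUP_BASELINES, DEFAULT_BASELINES)
    for instance_id, baseline in assigned.items():
        print(f"{instance_id}: {baseline}")
    for instance_id, group in fallback:
        print(f"check tag on {instance_id}: Patch Group={group!r} is not registered")
    print(patch_scan_command("prod-web"))
```

Running the fallback report before each patch cycle is the cheap control here; the scan itself is then issued per Patch Group so that a baseline change can be verified on one group before it reaches the others.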
Demonstration
Explore SSM
Explore operations using Run Command
Connect to an EC2 instance using Session Manager

Creating and Maintaining S3 Buckets

S3 Basics
● Simple Storage Service
● Region scope
● Object storage
● Buckets and objects
● Designed for durability
S3 Storage Architecture
(Diagram: three Availability Zones within a Region)
A bucket is a region-scoped logical container for configuration and permissions
An object consists of data and metadata and is replicated in 3 AZs within the region
Each copy of the object is validated via checksum and replaced if checksum fails to match
Storage Classes
Standard: Highest availability; 3+ AZ; Milliseconds; No minimums
Standard Infrequent Access: High availability; 3+ AZ; Milliseconds; Minimum 30 days
One Zone Infrequent Access: High availability; 1 AZ; Milliseconds; Minimum 30 days
Glacier Instant Retrieval: High availability; 3+ AZ; Lowest latency; Minimum 90 days
Glacier Flexible Retrieval: Highest availability; 3+ AZ; Minutes or hours; Minimum 90 days
Glacier Deep Archive: High availability; 3+ AZ; Hours; Minimum 180 days
S3 Intelligent Tiering
Moves objects to cost optimized tier according to access patterns
S3 Versioning
Unversioned (default)
Version-enabled
Version-suspended
Versioning is a good way to avoid accidental deletion
Version ID attached to each version of an object
Delete operation attaches a delete marker to the object
S3 Versioning - Considerations
● Cost of many versions
● Performance of many versions
● More complex lifecycle rules
S3 Data Retention
S3 Object Lock
● Enable as bucket default or per object
● Prevents deletes on the specific object version only
● Supports legal hold
S3 Object Lock Legal Hold
● Only affects individual object versions
● Can use S3 Batch Operations to apply to many object versions
● In effect until removed
S3 Data Retention
S3 Lifecycle configuration
● Expire current or old object versions
● Delete expired delete markers
S3 Lifecycle Rule Options
Transition actions
● Move an object to a different storage class
● Consider the minimum storage class duration
● There are associated costs with transition
Expiration actions
● Delete a non-versioned object
● Assign a delete marker to a versioned object
● Delete expired object delete markers
S3 Lifecycle Transition Order
Standard
Standard-IA
Intelligent-Tiering
One Zone-IA
Glacier Instant Retrieval
Glacier Flexible Retrieval
Glacier Deep Archive
S3 Lifecycle Rule Filters
● Object size
● Object age
● Bucket or prefix scope
● Object tag keys and/or values
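The rule options, the transition order and the minimum durations above combine into constraints that are easy to violate in a hand-written lifecycle configuration: a transition that moves "up" the order is rejected by S3, and one that leaves a class before its minimum duration is accepted but billed for the full period. The code below is an added example, not part of the course material or any AWS tool: it checks a list of transitions against the page's order and minimums, then assembles a complete rule for `put-bucket-lifecycle-configuration` that also handles the versioned-bucket cleanup actions (noncurrent version expiry and expired delete markers). Storage class names are the ones the S3 API uses; the rule id and prefix are constructed.

```python
import json

# Transition order from the page, in the storage class names the S3 API uses.
ORDER = ["STANDARD", "STANDARD_IA", "INTELLIGENT_TIERING", "ONEZONE_IA",
         "GLACIER_IR", "GLACIER", "DEEP_ARCHIVE"]
RANK = {cls: i for i, cls in enumerate(ORDER)}
# Minimum storage durations from the page (days); leaving earlier is billed as if the object stayed.
MIN_DAYS = {"STANDARD_IA": 30, "ONEZONE_IA": 30, "GLACIER_IR": 90, "GLACIER": 90, "DEEP_ARCHIVE": 180}


def check_transitions(transitions):
    """Return problems for a list of {"Days": n, "StorageClass": cls} entries.

    Entries starting with "warning:" are accepted by S3 but cost money;
    everything else would be rejected or is plainly wrong.
    """
    problems = []
    prev_rank, prev_days, prev_class = 0, 0, "STANDARD"
    for t in transitions:
        cls, days = t["StorageClass"], t["Days"]
        if cls not in RANK:
            problems.append(f"unknown storage class {cls}")
            continue
        if RANK[cls] <= prev_rank:
            problems.append(f"{cls} cannot follow {prev_class}: transitions must move down the order")
        if days < prev_days:
            problems.append(f"{cls} at day {days} is scheduled before {prev_class} at day {prev_days}")
        if cls in ("STANDARD_IA", "ONEZONE_IA") and days < 30:
            problems.append(f"{cls} requires at least 30 days since creation")
        held = days - prev_days
        if prev_class in MIN_DAYS and held < MIN_DAYS[prev_class]:
            problems.append(f"warning: {prev_class} minimum duration is {MIN_DAYS[prev_class]} days, held only {held}")
        prev_rank, prev_days, prev_class = RANK[cls], days, cls
    return problems


def lifecycle_rule(rule_id, prefix, transitions=(), noncurrent_transitions=(), noncurrent_days=None):
    """Assemble one rule for put-bucket-lifecycle-configuration; raises on hard errors."""
    current = list(transitions)
    # NoncurrentVersionTransitions use NoncurrentDays; reuse the same checks on them.
    noncurrent = [{"Days": t["NoncurrentDays"], "StorageClass": t["StorageClass"]} for t in noncurrent_transitions]
    problems = check_transitions(current) + check_transitions(noncurrent)
    errors = [p for p in problems if not p.startswith("warning")]
    if errors:
        raise ValueError("; ".join(errors))
    rule = {"ID": rule_id, "Filter": {"Prefix": prefix}, "Status": "Enabled"}
    if current:
        rule["Transitions"] = current
    if noncurrent_transitions:
        rule["NoncurrentVersionTransitions"] = list(noncurrent_transitions)
    if noncurrent_days is not None:
        rule["NoncurrentVersionExpiration"] = {"NoncurrentDays": noncurrent_days}
    # Delete markers left behind once every noncurrent version has expired
    # would otherwise accumulate forever in a versioned bucket.
    rule["Expiration"] = {"ExpiredObjectDeleteMarker": True}
    return rule


def lifecycle_configuration(rules):
    """Top-level document expected by put-bucket-lifecycle-configuration."""
    return {"Rules": list(rules)}


if __name__ == "__main__":
    rule = lifecycle_rule(
        "logs-archive", "logs/",   # constructed rule id and prefix
        transitions=[{"Days": 30, "StorageClass": "STANDARD_IA"},
                     {"Days": 90, "StorageClass": "GLACIER"},
                     {"Days": 365, "StorageClass": "DEEP_ARCHIVE"}],
        noncurrent_transitions=[{"NoncurrentDays": 30, "StorageClass": "GLACIER"}],
        noncurrent_days=180)
    print(json.dumps(lifecycle_configuration([rule]), indent=2))
    for w in check_transitions([{"Days": 30, "StorageClass": "GLACIER"}, {"Days": 60, "StorageClass": "DEEP_ARCHIVE"}]):
        print(w)
```

Warnings are deliberately kept separate from errors: the early-transition charge is sometimes the cheaper option for large objects that are known to be cold, but it should be a decision, not an accident.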
S3 Data Retention
Glacier Vault Lock
● Use to ensure data isn't deleted
● Use to ensure data is retained
Replication Options
Same-region, same-account replication
Cross-region, same-account replication
Cross-region, cross-account replication
Replication to multiple bucket destinations
Multi-way replication between 2+ buckets
Replication Considerations
All replication requires versioning enabled at source and destination
All replication requires an IAM Role for permissions
Ownership can be changed to that of the destination bucket
Storage class can be changed on the destination bucket
Multiple replication rules are evaluated in priority order
Demonstration
Use CLI to create S3 bucket with full configuration
Explore monitoring options

Deploying EFS

EFS Basics
● Elastic File System
● Region scope file system
● AZ scope mount targets
● Managed NFSv4
● Data replicated for durability
Elastic Filesystem (EFS)
(Diagram: a private subnet with a mount target and security group in each of three Availability Zones within a Region)
The EFS filesystem object is region-scoped and durable
Mount targets are AZ-scoped and can be accessed cross-AZ
Mount targets can specify directory and userid
Elastic Filesystem (EFS) Mounts
Use EFS mount helper from EC2
Mount on ECS containers
Mount on EKS containers
Mount on Lambda functions
EFS Performance
EFS File system resource
General Purpose performance mode
Up to 20GiB/s throughput (depends on region)
1.5GiB/s per client
Latency: can be 1ms
250000 READ, 50000 WRITE IOPS
Make sure you use the mount point in the SAME AZ as your client node!
Watch your BurstIO credits in CloudWatch, especially if you have a large number of clients!
Demonstration
Create EFS file system
Create mount target in VPC
Mount file system on EC2 instance

Deploying and Managing RDS


RDS Basics
● Relational Database Service
● AZ scoped
● Third-party database engines
● Platform managed by AWS
RDS Engines
● MySQL
● Microsoft SQL Server
● Oracle DB
● Postgres
● MariaDB
● Db2
● Custom
RDS Custom Engine
● Access to underlying OS
● SQL Server
● Oracle
RDS Provisioning 1 of 3
Parameters: Infrastructure resources
Instance Size, Storage, Multi-AZ, Network Params
You must create a subnet group first!
RDS Provisioning 2 of 3
Parameters: Database specific configuration
Engine type, Engine version, Database ID, Credentials, Database Port, Database Name, Option Group, Parameter Group
Engine version: this choice can limit whether other features are available!
RDS Provisioning 3 of 3
Parameters: Platform Management
Encryption, Backups, Monitoring, Maint. Window
Encryption: you cannot add this after provisioning is complete!
RDS Resilience
(Diagram: one R/W primary and R read replicas spread across three Availability Zones within a Region)
Same-region read replicas that can be promoted to primary
Cross-region read replicas for all engines
RDS Multi-AZ Failover Conditions
(Diagram: R/W Primary and Standby in different Availability Zones within a Region)
Primary instance failure
Primary AZ failure
Resize Instance
OS Patching
Initiate Reboot with Failover
Scenario
A DBA needs to configure lower_case_table_names=1 for an RDS database instance running MySQL 5.6. How can this task be accomplished?
RDS Default Parameter Group
Check which parameter group is associated: default.mysql5.6
Oops! Can't edit this!
RDS Parameter Group Creation
Create and modify a new parameter group: new_paramgroup with lower_case_table_names=1
Associate the new parameter group with RDS
RDS Parameter Group Effects
We should be done, right?
Nope! We have to reboot the RDS instance!
CloudWatch Metrics/Alarms
CPU & Memory, Disk Metrics, Network Traffic, DB Connections, delivered to a CloudWatch Dashboard and an SNS Topic
All metrics are gathered from the hypervisor perspective
CloudTrail Logging
IAM Users, Roles and other services invoke RDS actions
All RDS actions are logged to CloudTrail, successful or not
RDS log entries are delivered to S3 by default, optional to CloudWatch Logs
CloudWatch Logs metric filters can be used to generate metrics, graphs, and CloudWatch Alarms
Enhanced Monitoring
CPU & Memory, Disk Metrics, Primary/Standby, Process List, Network Traffic, DB Connections
OS metrics are different for SQL Server instances than for the other engines
Fine-grained, real-time metrics are gathered from the OS perspective and stored in CloudWatch Logs
Performance Insights
Performance Insights are enabled upon creation or by modifying an existing database instance and published to CloudWatch as metrics
DB Load: DB Load is the number of active sessions
Wait Events: wait events are unique to each database engine
Top SQL: Top SQL shows which queries contribute most to DB load
Maximum CPU: Max CPU is determined by the number of vCPU for the instance
Database Logs
Use the RDS Dashboard in the AWS console to view the various database logs
Use the AWS CLI to export logs for local viewing
Use the AWS language SDKs to export logs for local viewing
Each database engine has its own logs, and some CloudWatch Logs streams may be enabled by default
Stream the logs to CloudWatch Logs for easier viewing and integration with CloudWatch
Event Notifications
Event sources: Instances, Security Groups, Parameter Groups, Snapshots, Clusters, Cluster Snapshots
Uses SNS Topics as destination for RDS events
DB Instance Status
available, backing-up, backtracking, configuring-enhanced-monitoring, configuring-iam-database-auth, configuring-log-exports, converting-to-vpc, creating, deleting, failed, inaccessible-encryption-credentials, incompatible-network, incompatible-option-group, incompatible-parameters
incompatible-restore, maintenance, modifying, moving-to-vpc, rebooting, renaming, resetting-master-credentials, restore-error, starting, stopped, stopping, storage-full, storage-optimization, upgrading
For each status, ask: Availability? Performance? Durability?
Demonstration
Deploy RDS using the launch wizard
Explore monitoring options

Provisioning Multi-tier Architectures


Design for Network Reliability
(Diagram: VPC with a public subnet and two private subnets in each of two Availability Zones)
Multiple AZ ensures multiple data centers, fault isolation
The Internet Gateway is virtual, fault tolerant and scales horizontally
The NAT Gateway is highly available and AZ scoped, which makes it a building block toward fault tolerance
Design for Application Reliability
ELB uses multiple AZ and is fault tolerant
EC2 Auto Scaling uses multiple AZ and is redundant (1+ EC2 instances)
RDS Multi-AZ is highly available Active/Passive
Aurora Multi-primary is fault tolerant and Active/Active
Application Load Balancer Basics
● Layer 7 only
● Internet-facing or internal only
● Multiple TLS certs
● Path-based routing
● Redirect support
● WAF support
ALB Use Cases
● Stateless web applications
● Stateful application servers
● Anything using HTTP or HTTPS
ALB Listener Rules
Condition Type: host-header, http-header, http-request-method, path-pattern, query-string, source-ip
ALB Listener Rule Action Types
Authenticate against AWS Cognito
Authenticate against an OIDC compatible identity provider
Return a static response
Issue a 301 or 302 redirect
Forward to a target group
Forward to multiple weighted target groups
Auto Scaling Basics
● AZ scoped
● Multi-AZ support
● Horizontal EC2 scaling
What Is Horizontal Scaling?
(Diagram: VPC with public and private subnets in two Availability Zones)
Add EC2 resources into the fleet, scaling capacity to match load
Remove EC2 resources from the fleet, scaling capacity to match load
What is a Scaling Plan?
Scaling strategy: Availability, Balanced, Cost
Customer: Rules and limits for scaling EC2 resources
AWS: Combines dynamic and predictive scaling
Auto Scaling Architecture
Launch Templates define WHAT to launch
Auto Scaling Groups define LIMITS and ASSOCIATIONS
Scaling Policies define WHEN to scale according to metrics
Scheduled Actions define WHEN to scale according to the clock


Auto Scaling Types
(Graph: Req / sec over a 24-hour period, marking where dynamic scaling happens and where predictive scaling happens)
Auto Scaling Group Flexibility
Multiple instance types
Attribute-based instance type selection: Architecture types, vCPU count, Minimum memory, Instance generation
Multiple purchase options: Multiple launch templates; Prioritize savings plans; On-demand AND spot; Capacity rebalancing
Multiple AZs: us-east-1a, us-east-1b, us-east-1c, us-east-1d
Auto Scaling Extra Options
Warm pools: decrease response time to traffic spikes
Scale-in protection: reduce impact of misconfigured health checks
Lifecycle hooks: allow for manual actions required for scaling
Auto Scaling Scenarios
● Stateless web apps
● Unpredictable traffic
● Steady-state groups
● Message consumer apps
Auto Scaling Anti-Scenarios
● Monolithic applications (singleton instance)
● Applications with fixed IP addresses
● Applications with many manual deploy steps
● Applications with short, large, random traffic spikes
Demonstration
Provision EC2 Launch Template
Provision Target Group
Provision ALB
Deploy Auto-scaling Group

Deploying Static Websites


Static Website Hosting Basics
● Enables DNS CNAME pointers
● Or use S3 website endpoint
● Configure index document
● Configure error pages
● Configure redirects
● Configure access logs
● Beware of S3 Block Public Access
S3 Website Endpoints
http://BUCKETNAME.s3-website-REGION.amazonaws.com
http://BUCKETNAME.s3-website.REGION.amazonaws.com
No TLS supported
All resources must be publicly readable
Only GET and HEAD requests
Bucket name must match CNAME FQDN
Static Website Redirect Template
[
  {
    "Condition": {
      "HttpErrorCodeReturnedEquals": "string",
      "KeyPrefixEquals": "string"
    },
    "Redirect": {
      "HostName": "string",
      "HttpRedirectCode": "string",
      "Protocol": "http"|"https",
      "ReplaceKeyPrefixWith": "string",
      "ReplaceKeyWith": "string"
    }
  }
]
Static Website Redirect Example 1
[
  {
    "Condition": {
      "KeyPrefixEquals": "images/"
    },
    "Redirect": {
      "ReplaceKeyPrefixWith": "img/"
    }
  }
]
Static Website Redirect Example 2
[
  {
    "Condition": {
      "KeyPrefixEquals": "old_dir/"
    },
    "Redirect": {
      "ReplaceKeyPrefixWith": "deleted.html"
    }
  }
]
Static Website Redirect Example 3
[
  {
    "Redirect": {
      "HostName": "test.example.com",
      "ReplaceKeyWith": "http://example.com"
    }
  }
]
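The quickest way to understand what a routing rule does to a request is to evaluate it. The evaluator below is an added example, not part of the course material or of S3: it applies a RoutingRules list to a requested key the way the website endpoint does (first matching rule wins; a rule with no Condition matches everything) and returns the redirect status and Location. It is loaded with Example 1 and Example 2 from the page plus a constructed third rule that uses the HttpErrorCodeReturnedEquals condition from the template; the endpoint host is the page's BUCKETNAME/REGION placeholder. Run on `old_dir/report.pdf`, Example 2 yields `deleted.htmlreport.pdf`, because ReplaceKeyPrefixWith swaps only the matched prefix; ReplaceKeyWith is what replaces the whole key.

```python
# Routing rules exactly as in the page's Example 1 and Example 2, plus a constructed
# third rule that exercises the HttpErrorCodeReturnedEquals condition from the template.
ROUTING_RULES = [
    {"Condition": {"KeyPrefixEquals": "images/"},
     "Redirect": {"ReplaceKeyPrefixWith": "img/"}},
    {"Condition": {"KeyPrefixEquals": "old_dir/"},
     "Redirect": {"ReplaceKeyPrefixWith": "deleted.html"}},
    {"Condition": {"HttpErrorCodeReturnedEquals": "404"},
     "Redirect": {"HostName": "fallback.example.com", "Protocol": "https",
                  "HttpRedirectCode": "302", "ReplaceKeyPrefixWith": "missing/"}},
]

# Placeholder endpoint host, written the way the page writes it.
WEBSITE_HOST = "BUCKETNAME.s3-website-REGION.amazonaws.com"


def resolve_redirect(rules, key, error_code=None, host=WEBSITE_HOST):
    """Evaluate RoutingRules for one request.

    Returns (status, location) for the first matching rule, or None when no
    rule matches. ReplaceKeyWith replaces the whole key; ReplaceKeyPrefixWith
    swaps the matched prefix, or is prepended to the key when the rule only
    has an error-code condition; HostName and Protocol default to the website
    endpoint over plain http (the endpoint itself offers no TLS).
    """
    for rule in rules:
        cond = rule.get("Condition", {})
        prefix = cond.get("KeyPrefixEquals")
        wanted_code = cond.get("HttpErrorCodeReturnedEquals")
        if prefix is not None and not key.startswith(prefix):
            continue
        if wanted_code is not None and str(error_code) != wanted_code:
            continue
        redirect = rule["Redirect"]
        if "ReplaceKeyWith" in redirect:
            new_key = redirect["ReplaceKeyWith"]
        elif "ReplaceKeyPrefixWith" in redirect:
            remainder = key[len(prefix):] if prefix is not None else key
            new_key = redirect["ReplaceKeyPrefixWith"] + remainder
        else:
            new_key = key
        scheme = redirect.get("Protocol", "http")
        target_host = redirect.get("HostName", host)
        return redirect.get("HttpRedirectCode", "301"), f"{scheme}://{target_host}/{new_key}"
    return None


if __name__ == "__main__":
    for key, code in [("images/cat.png", None), ("old_dir/", None),
                      ("old_dir/report.pdf", None), ("nothere.html", 404), ("index.html", None)]:
        print(key, code, "->", resolve_redirect(ROUTING_RULES, key, code))
```

Because the first match wins, a broad prefix rule placed above a narrower one silently shadows it; evaluating the intended keys against the rule list before uploading it is cheaper than discovering the shadowing from the access logs.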
S3 Origin Access Control (OAC) Basics
● Make S3 resources private
● Must use with CloudFront
● Cannot use with S3 website endpoint
OAC Configuration Workflow
Create CF distribution with the S3 bucket as origin
Create OAC and associate with S3 origin
Change bucket policy for OAC-only access
Demonstration
Create S3 bucket
Create and configure CloudFront distribution

Implementing Backups
AWS Backup Resources
● Backup vault
● Backup plan
● Backup job
● Restore point
AWS Backup Supported Services
FSx (all modes), EC2 AMI, EFS, DynamoDB, EBS snapshot, RDS, Storage Gateway, DocumentDB, Aurora, Volume GW, Neptune, S3, Redshift, Timestream
AWS Backup Workflow
Resource (tag backup:true)
Resource assignments can use tags to identify multiple resources
Vault (Permissions, KMS Key)
Backup vaults contain restore points, resource-level access control, and encryption
Plan
Backup plans execute on schedules and integrate between resources, jobs, and vaults
Backup job
Each backup job generates a single restore point in a vault
Restore points
Vaults can hold multiple restore points from different resource types
AWS Backup Plan Creation Flow
Backup Rules: Template, Interactive build, JSON
Resource assignments: Specify tags
Backup Rule Creation Flow
Backup Vault
Frequency: Time period, Cron expression
Retention
Copy: Region, Remote account, Vault, Retention
This functionality is unique to AWS Backup
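The JSON path of the plan creation flow is the one that ends up in source control, so it is worth having the rule structure assembled by code that also enforces the constraint people most often trip over: a restore point moved to cold storage must be retained for at least 90 days after the transition, or the API rejects the rule. The code below is an added example, not part of the course material or of AWS Backup: it builds a backup rule with schedule, retention lifecycle and a cross-region/cross-account copy action, wraps it into the `create-backup-plan` input, and builds the tag-based selection that matches the `backup:true` tag from the workflow. Vault names, ARNs and account ids are constructed placeholders.

```python
import json


def _lifecycle(cold_after, delete_after):
    """Lifecycle block; enforces the 90-day gap between cold transition and deletion."""
    lifecycle = {}
    if cold_after is not None:
        lifecycle["MoveToColdStorageAfterDays"] = cold_after
    if delete_after is not None:
        lifecycle["DeleteAfterDays"] = delete_after
    if cold_after is not None and delete_after is not None and delete_after - cold_after < 90:
        raise ValueError("DeleteAfterDays must be at least 90 days after MoveToColdStorageAfterDays")
    return lifecycle


def backup_rule(name, vault, cron, cold_after=None, delete_after=None,
                copy_to_vault_arn=None, copy_delete_after=None):
    """One rule of a backup plan: vault, cron schedule, retention, optional copy action."""
    rule = {"RuleName": name, "TargetBackupVaultName": vault, "ScheduleExpression": f"cron({cron})"}
    lifecycle = _lifecycle(cold_after, delete_after)
    if lifecycle:
        rule["Lifecycle"] = lifecycle
    if copy_to_vault_arn:
        # The destination vault may live in another region and another account;
        # the copy keeps its own retention, independent of the source restore point.
        copy = {"DestinationBackupVaultArn": copy_to_vault_arn}
        if copy_delete_after is not None:
            copy["Lifecycle"] = {"DeleteAfterDays": copy_delete_after}
        rule["CopyActions"] = [copy]
    return rule


def backup_plan(name, rules):
    """Input document for `aws backup create-backup-plan --backup-plan file://plan.json`."""
    return {"BackupPlanName": name, "Rules": list(rules)}


def tag_selection(name, role_arn, key, value):
    """Input document for `aws backup create-backup-selection`, matching resources by tag."""
    return {
        "SelectionName": name,
        "IamRoleArn": role_arn,
        "ListOfTags": [{"ConditionType": "STRINGEQUALS", "ConditionKey": key, "ConditionValue": value}],
    }


if __name__ == "__main__":
    # All names and ARNs below are constructed placeholders.
    daily = backup_rule("daily", "prod-vault", "0 5 ? * * *", cold_after=30, delete_after=120,
                        copy_to_vault_arn="arn:aws:backup:us-west-2:111122223333:backup-vault:dr-vault",
                        copy_delete_after=365)
    print(json.dumps(backup_plan("prod-plan", [daily]), indent=2))
    print(json.dumps(tag_selection("tagged-resources",
                                   "arn:aws:iam::111122223333:role/service-role/AWSBackupDefaultServiceRole",
                                   "backup", "true"), indent=2))
```

Keeping the copy's retention separate from the source lifecycle is deliberate: the off-account copy is the one that survives a compromised or deleted source account, so it usually needs the longer retention and should not inherit a short one by accident.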
AWS Backup Legal Hold
● Affects full backups only
● Apply to >1 restore points
● Filter by resource type or ID
● Does not affect copies
● Multiple legal holds can apply to the same restore points
Organizations Backup Policy Basics
● Define AWS Backup plans for OUs and accounts
● Each policy can be partial or complete
● Partial policies must be combined to a complete policy through inheritance
Backup Policy Elements
Rules
Schedule: this can be an interval or a cron expression
Lifecycle: move to cold storage or expire
Copy Actions: copy to remote region and/or account
Regions: regions to apply the rules to (Region 1 ... Region X)
Selections: tags for resource association (Tag1 Key/Value ... Tag X Key/Value)
Demonstration
Implement a Backup plan
Initiate an on-demand backup

Implementing Event-based Monitoring

CloudWatch Logs Metric Filter Basics
● Convert log data into CloudWatch metrics
● Supports multiple log formats
● Set static metric value
● Set dynamic metric value
String Metric Filter Basics
Match everything: ""
Single term: ERROR
Exclude terms: ERROR -PERMISSIONS
Multiple terms using AND: ERROR MEMORY
Multiple terms using OR: ?ERROR ?MEMORY
Match exact phrase: "UNAUTHORIZED REQUEST"
Space-Delimited Metric Filter Basics
Specify all fields with a name, bounded by [], comma separated
Specify unknown number of fields with "..."
Add conditions =, !=, <, <=, >, >=
Utilize * to match partial strings or numbers
Implement AND with &&, OR with ||


Space-Delimited Metric Filter Examples
[ip, id, user, timestamp, request, status_code = 5*, size]
Match all 5XX response codes
[ip, id, user, timestamp, request, status_code, size < 100]
Match response sizes <100 bytes
[ip, id, user = "", timestamp, request, status_code != 3*, size]
Ignore all redirect response codes for anonymous users
JSON Metric Filter Basics
{SELECTOR EQUALITY_OPERATOR STRING} (Equality)
EQUALITY_OPERATOR is = or != (Equality)
{SELECTOR NUMERIC_OPERATOR NUMBER} (Numeric)
NUMERIC_OPERATOR can be =, !=, <, >, <= or >= (Numeric)
SELECTOR starts with $, indicating the JSON root (Both)
SELECTOR supports arrays (Both)
Implement AND with &&, OR with || (Both)
Publish numerical value using "metricValue:" (Both)


JSON Metric Filter Examples (CloudTrail)
{ ($.eventName = ConsoleLogin) && ($.responseElements.ConsoleLogin = "Failure") }
Match all console login failures
{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }
Match console login without MFA
{$.userIdentity.type="Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType !="AwsServiceEvent"}
Match all root user activity
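The three CloudTrail filters above are the ones most accounts should have alarms on, and the subtle part of each is how selectors behave on fields that are absent from a record (`NOT EXISTS` for the root filter, a missing `additionalEventData` on non-login events). The code below is an added example, not part of the course material or of CloudWatch: it evaluates the same three filters, expressed as selector/operator/value terms joined by AND, over a handful of constructed CloudTrail records, so the expected hit count of each filter can be checked before the metric filter and alarm are created. One assumption is made explicit in the code: a field that does not exist satisfies neither `=` nor `!=`.

```python
MISSING = object()  # sentinel distinguishing "field absent" from any real JSON value


def select(event, selector):
    """Resolve a '$.a.b.c' selector against a parsed CloudTrail record."""
    if not selector.startswith("$."):
        raise ValueError("selector must start with $.")
    node = event
    for part in selector[2:].split("."):
        if not isinstance(node, dict) or part not in node:
            return MISSING
        node = node[part]
    return node


def term_matches(event, selector, op, expected=None):
    """Evaluate one filter term; terms are AND-ed together by count_matches."""
    actual = select(event, selector)
    if op == "NOT EXISTS":
        return actual is MISSING
    if op == "EXISTS":
        return actual is not MISSING
    if actual is MISSING:
        return False  # assumption: an absent field satisfies neither = nor !=
    if op == "=":
        return actual == expected
    if op == "!=":
        return actual != expected
    raise ValueError(f"unsupported operator {op}")


# The page's three filters, as (selector, operator, value) terms joined by AND.
FILTERS = {
    "console-login-failures": [
        ("$.eventName", "=", "ConsoleLogin"),
        ("$.responseElements.ConsoleLogin", "=", "Failure"),
    ],
    "console-login-without-mfa": [
        ("$.eventName", "=", "ConsoleLogin"),
        ("$.additionalEventData.MFAUsed", "!=", "Yes"),
    ],
    "root-user-activity": [
        ("$.userIdentity.type", "=", "Root"),
        ("$.userIdentity.invokedBy", "NOT EXISTS"),
        ("$.eventType", "!=", "AwsServiceEvent"),
    ],
}

# Constructed CloudTrail-shaped records: only the fields the filters look at are present.
EVENTS = [
    {"eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "Root"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventName": "CreateSnapshot", "eventType": "AwsServiceEvent",
     "userIdentity": {"type": "Root", "invokedBy": "rds.amazonaws.com"}},
    {"eventName": "RunInstances", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
]


def count_matches(events, filters):
    """Number of records each filter would count, i.e. the metric value it would publish."""
    return {name: sum(all(term_matches(event, *term) for term in terms) for event in events)
            for name, terms in filters.items()}


if __name__ == "__main__":
    for name, count in count_matches(EVENTS, FILTERS).items():
        print(f"{name}: {count}")
```

The third record is the reason the root filter carries two exclusions: a service acting on the root user's behalf shows up with `userIdentity.type` of Root, and without the `invokedBy NOT EXISTS` and `eventType` terms every such automated event would page the on-call engineer.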


EventBridge Scheduled Rules
Click to edit Master title style
Schedule Fixed rate

Cron expression
Event bus

Lambda function
Target(s)

Retry policy Run command

DLQ
Queue

Permissions
Role
Config Rules
● Rule type: managed rule, or custom rule (Lambda function)
● Trigger type: config changes, periodic, or both (AND/OR)
● Remediation: documents

Some rules must be triggered periodically, while some only trigger upon changes. Others allow both!
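To make the custom-rule and trigger-type points concrete, here is the evaluation logic of a Config custom rule's Lambda function that flags security groups allowing SSH from 0.0.0.0/0, runnable offline. This is an added example, not course material or an AWS sample: the invokingEvent message types (ConfigurationItemChangeNotification, ScheduledNotification) and the evaluation dictionary keys are the ones Config uses, but the security-group configuration item is constructed and its ipPermissions shape is assumed. The real handler passes the returned list to config.put_evaluations() together with event["resultToken"]; that API call is left out so the code runs without boto3.

```python
"""Config custom rule evaluation logic, runnable offline. Added example, not
from the course or AWS. The handler returns the evaluations a real function
would submit with config.put_evaluations(); the configuration item shape
(configuration.ipPermissions) is assumed and the sample items are constructed."""
import json


def rule_is_open_to_world(ip_permissions, port):
    """True if any inbound rule covers `port` (or all protocols) from 0.0.0.0/0."""
    for perm in ip_permissions:
        proto = perm.get("ipProtocol")
        if proto not in ("tcp", "-1"):
            continue
        lo, hi = perm.get("fromPort", 0), perm.get("toPort", 65535)
        if proto == "-1" or lo <= port <= hi:
            ranges = [r.get("cidrIp") for r in perm.get("ipv4Ranges", [])] + perm.get("ipRanges", [])
            if "0.0.0.0/0" in ranges:
                return True
    return False


def evaluate_compliance(configuration_item, params):
    """Compliance verdict for one resource; NOT_APPLICABLE for other resource types."""
    if configuration_item["resourceType"] != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE"
    port = int(params.get("port", 22))      # rule parameter, defaults to SSH
    perms = configuration_item.get("configuration", {}).get("ipPermissions", [])
    return "NON_COMPLIANT" if rule_is_open_to_world(perms, port) else "COMPLIANT"


def lambda_handler(event, context=None):
    """Entry point. Change-triggered invocations carry the configuration item;
    periodic (ScheduledNotification) invocations do not, so a real periodic
    rule enumerates resources itself at that point."""
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters", "{}"))
    if invoking["messageType"] == "ScheduledNotification":
        return []
    item = invoking["configurationItem"]
    return [{
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": evaluate_compliance(item, params),
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }]


def change_event(item, params):
    """Build the event Config sends for a configuration change (constructed)."""
    return {
        "invokingEvent": json.dumps({"messageType": "ConfigurationItemChangeNotification",
                                     "configurationItem": item}),
        "ruleParameters": json.dumps(params),
        "resultToken": "placeholder-token",
    }


SCHEDULED_EVENT = {"invokingEvent": json.dumps({"messageType": "ScheduledNotification"}),
                   "resultToken": "placeholder-token"}

# Constructed configuration items: one group open to the world on 22, one not.
OPEN_SSH_ITEM = {
    "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-placeholder-open",
    "configurationItemCaptureTime": "2024-01-15T12:00:00.000Z",
    "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]}]}}
CLOSED_ITEM = {
    "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-placeholder-closed",
    "configurationItemCaptureTime": "2024-01-15T12:00:00.000Z",
    "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipv4Ranges": [{"cidrIp": "203.0.113.0/24"}]}]}}
```

The split between evaluate_compliance() and lambda_handler() is deliberate: the verdict function can be unit-tested against configuration items without any AWS call, and the handler is the only place that knows about trigger types and result tokens.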
AWS Chatbot Basics
● Enable per account
● Notification delivery service
● Allows DevOps teams to monitor and respond to events
Chatbot Workflow
● An important DevOps notification is raised; notifications must be configured to deliver to an SNS topic
● Chatbot can be configured to subscribe to the SNS topic
● Chatbot can deliver to Slack, Teams, or Chime
● Users in these services can respond to the messages, invoking the AWS CLI
● The CLI can perform operations in the AWS Cloud with the appropriate permissions and services
Demonstration
Create monitoring workflow notifying using SNS for any termination of EC2 instances

Security Vulnerability Identification and Mitigation
Amazon Inspector
● Enable per region
● Supports Organizations
● Discover and scan AWS workloads for software vulnerabilities
● Also scans for unintended network exposure

Amazon Inspector Scopes
● EC2 instance standard inspection (system packages)
● EC2 deep inspection (programming language packages)
● ECR container images
● Lambda function standard scan
● Lambda function code scan
Inspector EC2 Architecture
(diagram: EC2 instances in a VPC within an Availability Zone of the AWS Cloud)
● To scan EC2 instances, Inspector requires the Systems Manager Agent on each instance
● To scan EC2 instances, Inspector requires permissions using an instance profile
● Each instance communicates with the Systems Manager service via the network
● The instances use long-polling to continually test for new tasks
● A CVE scan can be initiated by informing Systems Manager
● Tasks execute and return results directly to Inspector
Access Vulnerability Mitigation
IAM user credentials:
● Disable existing API keys
● Rotate password
● Replace MFA device

Sessions and policies:
● Revoke session permissions using console
● Attach inline policy with deny statements

S3 bucket policy:
● Update bucket policy with deny statements
● Restrict access to CIDR or endpoint
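The two deny-statement mitigations above, written out as policy documents and checked against sample request contexts by a small condition evaluator. This is an added example for this page, not AWS's policy engine and not course code: only the three condition operators these statements use (DateLessThan, NotIpAddress, StringNotEquals) are implemented, Action/Resource matching is not modelled, and the CIDR, VPC endpoint ID, bucket name and cut-off timestamp are placeholders.

```python
"""Deny-statement mitigations evaluated offline. Added example, not AWS's
policy evaluator: three condition operators, no Action/Resource matching.
CIDR, endpoint ID, bucket name and timestamp are placeholders."""
import ipaddress
from datetime import datetime

# Inline policy of the kind the IAM console attaches when you revoke a role's
# active sessions: any credential issued before the cut-off is denied everything,
# so existing sessions die while the role definition stays intact.
REVOKE_OLDER_SESSIONS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {"DateLessThan": {"aws:TokenIssueTime": "2024-01-15T12:00:00Z"}},
    }],
}

# Bucket policy restricting access to a corporate CIDR or a VPC endpoint.
# Keys inside one Condition block are ANDed, so this Deny fires only when the
# request comes from neither the CIDR nor the endpoint.
RESTRICT_BUCKET_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyUnlessCorpCidrOrEndpoint",
        "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        "Condition": {
            "NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},       # placeholder CIDR
            "StringNotEquals": {"aws:sourceVpce": "vpce-PLACEHOLDER"},  # placeholder endpoint
        },
    }],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def condition_met(operator, key_values, context):
    """Evaluate one operator block; every key in it must hold (AND). As in IAM,
    a negated operator is satisfied when the key is absent from the request,
    while DateLessThan on an absent key is not."""
    for key, expected in key_values.items():
        actual = context.get(key)
        if actual is None:
            if operator in ("NotIpAddress", "StringNotEquals"):
                continue
            return False
        if operator == "NotIpAddress":
            ip = ipaddress.ip_address(actual)
            if any(ip in ipaddress.ip_network(cidr) for cidr in _as_list(expected)):
                return False
        elif operator == "StringNotEquals":
            if actual in _as_list(expected):
                return False
        elif operator == "DateLessThan":
            if not _ts(actual) < _ts(expected):
                return False
        else:
            raise NotImplementedError(operator)
    return True


def explicitly_denied(policy, context):
    """True when any Deny statement's whole Condition holds. An explicit deny
    overrides every Allow, which is why these statements work as mitigations
    even while broader permissions are still attached."""
    return any(
        st["Effect"] == "Deny"
        and all(condition_met(op, kv, context)
                for op, kv in st.get("Condition", {}).items())
        for st in policy["Statement"])
```

Requests from the placeholder CIDR, or carrying the endpoint ID, are not denied; a request from any other address without the endpoint is. One caveat when applying the bucket-policy form for real: a mistyped VPC endpoint ID locks everyone out of the bucket, and only the account's root user can edit or delete a bucket policy containing an invalid VPC or endpoint ID, so verify the ID before saving.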
Secrets Manager Managed Rotation
● Managed rotation supports RDS, Aurora, and Redshift
● Each managed secret is only for the master user (admin, root, awsuser)
● Each secret can be rotated on a fixed schedule or cron expression and modified directly on the secret

Secrets Manager Automatic Rotation
● Each secret is dedicated to a user account in the database (user1, user2, user3)
● Each secret creates a Lambda function for rotation
● Rotation schedules affect the invocation of the Lambda function directly

Secrets Manager Automatic Rotation Networking
(diagram: a VPC with a public and a private subnet)
● The Lambda function must have direct network access to the database resource
● The Lambda function also needs access to the secret stored in Secrets Manager; this cannot be achieved by a Lambda function deployed into a VPC alone
● The Lambda function can use a NAT Gateway to access Secrets Manager
● The Lambda function can use a Secrets Manager interface endpoint
Demonstration
Explore Inspector
Explore Secrets Manager

Cost Optimization
AWS Compute Optimizer Basics
● Analyze compute resources
● Analyze single account
● Analyze entire organization
● 30 hours metrics minimum
● Recommends optimization

AWS Compute Optimizer Services
● EC2 instances
● Auto Scaling groups
● EBS volumes
● Lambda functions
Relational Database Workloads
(diagram: two Availability Zones, each with public and private subnets)
You can implement the DB on EC2 instances, including:
● Backups
● Replication
● Software updates
● Failover
● Restores

OR, you can deploy RDS and delegate all of these operations to the service

Container Workloads
You can implement Docker containers on EC2 instances, including:
● Deployment
● Container scaling
● EC2 scaling
● OS updates
● Rollbacks

OR, you can deploy using Fargate and delegate these operations to the service

Shared Filesystem Workloads
You can implement a shared filesystem on EC2, including:
● Backups
● Replication
● Software updates
● Failover
● Restores

Or you can deploy a single EFS file system with mount points in each AZ
Compute Cost - EC2 Pricing
Spot Instances
● No guaranteed pricing
● Pay for unused capacity
● Volatile
● Specify maximum bid
● +Attribute selection
● +Multiple instance types
● +Multiple AZ

RIs/SPs
● Guaranteed pricing for 1-3 years
● +Capacity guarantee
● Variable up-front for more discount
● EC2 Savings Plans for more flexibility
● Compute Savings Plans for even more flexibility!

On Demand Instances
● Pay as you go
● No discount
● No capacity guarantee

Dedicated Instances
● Dedicated hardware
● Can share with non-dedicated VMs
● Per-region fee
● +Spot
● +Reservations
● +On Demand

Dedicated Hosts
● Dedicated hardware
● Single instance type
● Pay for host capacity, not instance
● +Reservations
● +On Demand

Overall Cost (increasing in the order above, from Spot Instances to Dedicated Hosts)
Storage Cost - Block and File
Storage prices drop over time. It is better to understand current RELATIVE pricing!

Overall cost increases from left to right:
EBS SC1 → EBS ST1 → EBS Standard → EBS GP2 → EBS PIOPS → EFS

Storage Cost - Object
Object storage cost decreases, and object access cost increases, from left to right:
S3 Standard → S3 Infrequent Access → S3 OneZone Infrequent Access → Glacier Instant Retrieval → Glacier Flexible Retrieval → Glacier Deep Archive

S3 Intelligent Tiering
Zero-cost VPC Network Resources
(diagram: a VPC spanning two Availability Zones, each with a public and a private subnet)
● The VPC network may be free, but it is useless without other features!
● Subnets are free, regardless of how many AZ are used in the region
● Route tables and NACLs are free, and only limited by account quotas
● Internet Gateway resources are free, regardless of traffic throughput
● Inbound traffic from the Internet is free, regardless of source
● Gateway Endpoints are free, but only allow connectivity to S3 and DynamoDB in the same region

Zero-cost VPC Compute Resources
● The ENI resource is free, but you may be charged for traffic depending on destination
● The ENA and Elastic Fabric Adapters are similar to ENI: free, but possible charges for network activity
● Security groups and rules are free, and only limited by account quotas
● Same-AZ network traffic is free EXCEPT if a public IP is the destination
● Same-AZ VPC Peering traffic is free, as long as the public IP of the destination is not used
Charged VPC Network Resources
● NAT Gateways are charged by the hour and based on throughput
● VPGs are charged by the hour and for VPN throughput
● VPC Peering connections are charged for traffic throughput, if cross-AZ or cross-region
● Interface Endpoints and PrivateLink are charged by the hour and for traffic throughput
● Transit Gateway Attachments are charged hourly and for traffic throughput
● Traffic Mirroring is charged hourly per ENI that has mirroring enabled
● VPC Flow logs are charged according to the amount of traffic processed (and for log storage in the destination service)
Same-Region Traffic Charges
● Any traffic with source and destination in the same Availability Zone is free unless the destination uses the public IP
● If the traffic must traverse certain egress points to the destination, you are charged regardless of AZ
● Any traffic with source and destination in different AZ is charged if the resource is AZ scoped
● Most same-region traffic from VPC to AWS services will be free, such as S3 bucket access, unless otherwise noted

Cross-Region Traffic Charges
● All outbound cross-region traffic is charged, and there can be additional fees based on the gateway used
● This includes built-in cross-region features such as S3 replication and AMI copies!
● All outbound Internet traffic is charged, and there can be additional fees based on the gateway used
● Some Internet outbound charges can be optimized, such as using CloudFront instead of S3 or ALB
Demonstration
Explore cost recommendations on Billing dashboard
Deprovision resources from prior demos

Q&A
