AWS Certified Solutions Architect Associate — Notes for the Exam

Nick Rondeau
Mar 31, 2023


Here are the notes I kept and used to pass the AWS CSA — Associate exam. May it assist you as well.

General Concepts

A region is a physical location in the world that comprises clusters of highly redundant data centers.

Within each region there are availability zones (AZs). An AZ consists of one to six data centers, with redundant power supplies and networking connectivity.

Data transferred between Amazon EC2, Amazon RDS, Amazon Redshift, Amazon ElastiCache instances, and Elastic Network Interfaces in the same Availability Zone is free.

Vertical scaling means running the same software on bigger machines which is limited by the capacity of the individual server.

Horizontal scaling is adding more servers to the existing pool and doesn’t run into limitations of individual servers.

Amazon VPC comprises a variety of objects that will be familiar to customers with existing networks:

  • A Virtual Private Cloud: A logically isolated virtual network in the AWS cloud. You define a VPC’s IP address space from ranges you select.
  • Subnet: A segment of a VPC’s IP address range where you can place groups of isolated resources.
  • Internet Gateway: The Amazon VPC side of a connection to the public Internet.
  • NAT Gateway: A highly available, managed Network Address Translation (NAT) service for your resources in a private subnet to access the Internet.
  • Virtual private gateway: The Amazon VPC side of a VPN connection.
  • Peering Connection: A peering connection enables you to route traffic via private IP addresses between two peered VPCs.
  • VPC Endpoints: Enables private connectivity to services hosted in AWS, from within your VPC without using an Internet Gateway, VPN, Network Address Translation (NAT) devices, or firewall proxies.
  • Egress-only Internet Gateway: A stateful gateway to provide egress only access for IPv6 traffic from the VPC to the Internet. Horizontally scaled.

The purpose of an “Egress-Only Internet Gateway” is to allow IPv6 based traffic within a VPC to access the Internet, whilst denying any Internet based resources the possibility of initiating a connection back into the VPC.

  • VPC Flow Logs — a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow logs can be created at the VPC, subnet, and network interface levels. After you’ve created a flow log, you can view and retrieve data in Amazon CloudWatch Logs, where it is stored.
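As an added example (not part of the original notes), the following Python parses flow log records in the default format, version 2, and summarises the REJECT records per source address, which is the first thing a responder usually wants from a flow log. It assumes the 14-field default record layout listed in FIELDS; the sample records are constructed for this illustration.

```python
"""Parse VPC Flow Log records and summarise rejected traffic.

Added example (not from the article). It assumes the default flow log
record format, version 2, whose space-separated fields are listed in
FIELDS below; the sample records are constructed for this example.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Field order of the default (version 2) flow log format.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

# Constructed sample records: one accepted HTTPS flow, three rejected
# inbound attempts, and one NODATA record (no traffic in the window).
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.25 10.0.2.40 49152 443 6 10 8400 1680000000 1680000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.25 51000 22 6 3 180 1680000000 1680000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.25 51001 3389 6 3 180 1680000000 1680000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.25 40000 80 6 2 120 1680000000 1680000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1680000000 1680000060 - NODATA
"""


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    packets: int
    byte_count: int
    action: str
    log_status: str


def parse_record(line: str) -> FlowRecord | None:
    """Parse one record; return None for lines that do not have 14 fields."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))

    # NODATA / SKIPDATA records carry "-" in the traffic fields; keep them
    # as zeros so callers can still see which interface produced them.
    def num(name: str) -> int:
        return int(rec[name]) if rec[name] != "-" else 0

    return FlowRecord(rec["interface_id"], rec["srcaddr"], rec["dstaddr"],
                      num("srcport"), num("dstport"), num("protocol"),
                      num("packets"), num("bytes"), rec["action"], rec["log_status"])


def parse_log(text: str) -> list[FlowRecord]:
    records = (parse_record(line) for line in text.splitlines() if line.strip())
    return [r for r in records if r is not None]


def rejected_by_source(records: list[FlowRecord]) -> Counter:
    """Count REJECT records per source address (only records that carry traffic data)."""
    return Counter(r.srcaddr for r in records
                   if r.action == "REJECT" and r.log_status == "OK")


def rejected_admin_ports(records, ports=(22, 3389)) -> list[tuple[str, int]]:
    """Rejected attempts against administrative ports, e.g. SSH and RDP."""
    return [(r.srcaddr, r.dstport) for r in records
            if r.action == "REJECT" and r.dstport in ports]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(rejected_by_source(recs))
    print(rejected_admin_ports(recs))
```

The NODATA record is kept rather than discarded so that an interface that stops reporting traffic is still visible; only records with `log_status` OK contribute to the per-source counts.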

AWS EC2

Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides secure, resizable compute capacity in the cloud. AWS uses the Xen and Nitro hypervisors. EC2 purchasing options:

  • On Demand
  • Reserved
  • Spot
  • Dedicated Hosts

The default termination policy is designed to help ensure that your network architecture spans Availability Zones evenly. With the default termination policy, the behavior of the Auto Scaling group is as follows:

1. If there are instances in multiple Availability Zones, choose the Availability Zone with the most instances and at least one instance that is not protected from scale in. If there is more than one Availability Zone with this number of instances, choose the Availability Zone with the instances that use the oldest launch configuration.

2. Determine which unprotected instances in the selected Availability Zone use the oldest launch configuration. If there is one such instance, terminate it.

3. If there are multiple instances to terminate based on the above criteria, determine which unprotected instances are closest to the next billing hour. (This helps you maximize the use of your EC2 instances and manage your Amazon EC2 usage costs.) If there is one such instance, terminate it.

4. If there is more than one unprotected instance closest to the next billing hour, choose one of these instances at random.
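The four steps above are easier to reason about as code. The following Python is an added example, not AWS code: it applies the default termination policy to an in-memory fleet. The Instance fields (a launch configuration creation time to stand in for "oldest launch configuration", seconds until the next billing hour, and the scale-in protection flag) and the constructed fleet are assumptions made for this illustration.

```python
"""Simulate the default Auto Scaling termination policy described above.

Added example, not AWS code: it applies the four steps to an in-memory
fleet. The Instance fields and the constructed fleet are assumptions made
for this illustration.
"""
from __future__ import annotations

import random
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Instance:
    instance_id: str
    az: str
    launch_config_created: int    # epoch seconds; smaller means an older launch configuration
    seconds_to_billing_hour: int  # time left until the next billing hour
    protected: bool = False       # instance scale-in protection


def select_instance_to_terminate(instances, rng=None) -> Instance | None:
    rng = rng or random.Random(0)
    by_az: dict[str, list[Instance]] = defaultdict(list)
    for inst in instances:
        by_az[inst.az].append(inst)

    # Step 1: AZ with the most instances and at least one unprotected one;
    # ties go to the AZ whose instances use the oldest launch configuration.
    eligible = {az: insts for az, insts in by_az.items()
                if any(not i.protected for i in insts)}
    if not eligible:
        return None
    most = max(len(insts) for insts in eligible.values())
    tied = [az for az, insts in eligible.items() if len(insts) == most]
    az = min(tied, key=lambda a: min(i.launch_config_created for i in eligible[a]))

    # Step 2: unprotected instances in that AZ using the oldest launch configuration.
    unprotected = [i for i in eligible[az] if not i.protected]
    oldest = min(i.launch_config_created for i in unprotected)
    candidates = [i for i in unprotected if i.launch_config_created == oldest]
    if len(candidates) == 1:
        return candidates[0]

    # Step 3: of those, the ones closest to the next billing hour.
    closest = min(i.seconds_to_billing_hour for i in candidates)
    candidates = [i for i in candidates if i.seconds_to_billing_hour == closest]
    if len(candidates) == 1:
        return candidates[0]

    # Step 4: still tied, pick at random.
    return rng.choice(candidates)


# Constructed fleet: two instances in us-east-1a, one in us-east-1b.
FLEET = [
    Instance("i-0aaa", "us-east-1a", launch_config_created=100, seconds_to_billing_hour=1200),
    Instance("i-0bbb", "us-east-1a", launch_config_created=200, seconds_to_billing_hour=600),
    Instance("i-0ccc", "us-east-1b", launch_config_created=100, seconds_to_billing_hour=300),
]

if __name__ == "__main__":
    print(select_instance_to_terminate(FLEET).instance_id)
```

With the fleet as constructed, us-east-1a is chosen in step 1 because it has more instances, and i-0aaa is terminated in step 2 because it uses the older launch configuration; marking i-0aaa as protected moves the choice to i-0bbb, and protecting both instances in us-east-1a makes us-east-1b the only eligible zone.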

The Reserved Instance Marketplace is a platform that supports the sale of third-party and AWS customers’ unused Standard Reserved Instances, which vary in terms of length and pricing options.

Standard Reserved Instances cannot be moved between regions. You can choose if a Reserved Instance applies to either a specific Availability Zone, or an Entire Region, but you cannot change the region.

Elastic Network Adapter (ENA) for linux instances enables enhanced networking. Amazon EC2 provides enhanced networking capabilities through the Elastic Network Adapter (ENA). To use enhanced networking, you must install the required ENA module and enable ENA support.

Placement Groups

Placement groups let you launch a group of EC2 instances physically close to each other within the same AZ. Being physically close and within the same AZ lets them take advantage of high-speed connectivity to provide low-latency, high-throughput access.

High Throughput is the measure of the amount of data transferred from/to a storage device in a second. Typically stated in KB/MB/GB/s (e.g., if a storage device can write 1000 blocks of 128K each, throughput is 1000*128K/s = 128MB/s).

When to use a Placement Group?

When an application is hitting network oversubscription, or is suffering from high latency between instances, etc.

Cluster Placement Groups
Cluster placement groups are intended for applications that require low latency and/or high throughput between the instances within the group. These groups provide 10 Gbps connectivity between instances. Internet connectivity by instances is limited to 5 Gbps, and connectivity to an S3 bucket (within a single region) can use all of the available aggregate bandwidth.

If you plan on using a cluster placement group, then Amazon recommends that you create all of the member instances at the same time, so as to avoid capacity related errors. Cluster placement groups can accommodate various types and sizes of instances, but Amazon recommends making all of the instances uniform. It is also worth noting that cluster placement groups cannot span availability zones.

Partition Placement Groups
Partition placement groups provide hardware redundancy, and are best suited to use with distributed or replicated workloads. When you create a partition placement group, AWS defines a number of partitions within the group and scatters the group instances across these partitions. The partitions share a common availability zone, but do not share hardware. In fact, each partition resides within a different rack in the AWS datacenter.

In case you are wondering, a partition group supports a maximum of seven partitions per Availability Zone. EC2 instances within the partition group are evenly distributed across these partitions. The exception is that a partition group containing Dedicated Instances can only have two partitions.

Spread Placement Groups
The third placement group strategy is the spread placement group. Instances in a spread placement group generally share a common availability zone, but can span availability zones. One of the key differences between a partition placement group and a spread placement group is that a spread placement group is limited to a maximum of seven running instances per availability zone. A partition placement group can accommodate a maximum of seven partitions per availability zone, but a single partition can service multiple instances. Keep in mind that a region can have multiple availability zones, so if a region has two availability zones, then a spread placement group could include up to 14 instances (7 in each of the two availability zones).

Besides the requirements that pertain to the individual placement group strategies, there are also a few general rules:

  • name must be unique within your AWS account (for the region)
  • An Instance can only belong to one placement group at a time

It is recommended that you launch the number of instances that you need in the placement group in a single launch request and that you use the same instance type for all instances in the placement group. If you try to add more instances to the placement group later, or if you try to launch more than one instance type in the placement group, you increase your chances of getting an insufficient capacity error.

If you receive a capacity error when launching an instance in a placement group that already has running instances, stop and start all of the instances in the placement group, and try the launch again. Restarting the instances may migrate them to hardware that has capacity for all the requested instances.

The AWS Nitro System is the underlying platform for the latest generation of EC2 instances. It enables AWS to innovate faster, further reduce costs for customers, and deliver added benefits like increased security and new instance types.

Amazon Elastic Block Store (EBS)

Block storage service for use with EC2.

IOPS = Input/Output Operations Per Second

AWS provides the following EBS volume types, which differ in performance characteristics and price which can be tailored for storage performance and cost to the needs of the applications:

  • SSD-backed volumes optimized for transactional workloads involving frequent read/write operations with small I/O size, where the dominant performance attribute is IOPS:
      • General Purpose SSD (gp2)
      • Provisioned IOPS SSD (io1)
  • HDD-backed volumes optimized for large streaming workloads where throughput (measured in MiB/s) is a better performance measure than IOPS:
      • Throughput Optimized HDD (st1)
      • Cold HDD (sc1)
  • Magnetic Volumes (standard) (Previous Generation)

Provisioned IOPS SSD (io1) Volumes

  • are designed to meet the needs of I/O intensive workloads, particularly database workloads, that are sensitive to storage performance and consistency in random access I/O throughput.
  • IOPS rate can be specified when the volume is created, and EBS delivers within 10 percent of the provisioned IOPS performance 99.9 percent of the time over a given year.
  • can range in size from 4 GiB to 16 TiB
  • have a throughput limit range of 256 KiB for each IOPS provisioned, up to a maximum of 500 MiB/s (at 32000 IOPS)
  • can be provisioned up to 32,000 IOPS per volume.
  • Ratio of IOPS provisioned to the volume size requested can be at most 50:1; e.g., a volume with 5,000 IOPS must be at least 100 GiB.
  • can be striped together in a RAID configuration for larger size and greater performance over 20000 IOPS
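The io1 limits above interact (size range, per-volume IOPS ceiling, 50:1 ratio, and throughput of 256 KiB per IOPS capped at 500 MiB/s), so a request can violate several at once. The following Python is an added example, not from the notes or from AWS tooling; it encodes exactly the limits the notes state and reports every violation of a proposed volume rather than just the first.

```python
"""Check a Provisioned IOPS SSD (io1) request against the limits listed above.

Added example, not from the article or AWS tooling; the limits are the
ones the notes state (4 GiB to 16 TiB, 32,000 IOPS, 50:1 IOPS-to-size
ratio, 256 KiB per IOPS up to 500 MiB/s).
"""
from __future__ import annotations

import math

IO1_MIN_SIZE_GIB = 4
IO1_MAX_SIZE_GIB = 16 * 1024          # 16 TiB
IO1_MAX_IOPS = 32_000
IO1_MAX_IOPS_PER_GIB = 50
IO1_KIB_PER_IOPS = 256
IO1_MAX_THROUGHPUT_MIB = 500


def min_size_for_iops(iops: int) -> int:
    """Smallest volume (GiB) that may carry `iops` under the 50:1 ratio."""
    return math.ceil(iops / IO1_MAX_IOPS_PER_GIB)


def io1_throughput_mib(iops: int) -> float:
    """Throughput ceiling: 256 KiB per provisioned IOPS, capped at 500 MiB/s."""
    return min(iops * IO1_KIB_PER_IOPS / 1024, IO1_MAX_THROUGHPUT_MIB)


def validate_io1(size_gib: int, iops: int) -> list[str]:
    """Return a list of violations; an empty list means the request is valid."""
    errors = []
    if not IO1_MIN_SIZE_GIB <= size_gib <= IO1_MAX_SIZE_GIB:
        errors.append(f"size {size_gib} GiB is outside {IO1_MIN_SIZE_GIB}-{IO1_MAX_SIZE_GIB} GiB")
    if iops > IO1_MAX_IOPS:
        errors.append(f"{iops} IOPS exceeds the per-volume maximum of {IO1_MAX_IOPS}")
    if iops > size_gib * IO1_MAX_IOPS_PER_GIB:
        errors.append(f"{iops} IOPS needs at least {min_size_for_iops(iops)} GiB (50:1 ratio)")
    return errors


if __name__ == "__main__":
    print(validate_io1(100, 5000))   # the example from the notes: valid
    print(validate_io1(50, 5000))    # too small for 5,000 IOPS
    print(io1_throughput_mib(32000))
```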

Throughput Optimized HDD (st1) Volumes

  • provide low-cost magnetic storage that defines performance in terms of throughput rather than IOPS.
  • are a good fit for large, sequential workloads such as EMR, ETL, data warehouses, and log processing
  • cannot be used as boot volumes (st1 volumes are not bootable)
  • are designed to support frequently accessed data
  • use a burst-bucket model for performance similar to gp2. Volume size determines the baseline throughput of the volume, which is the rate at which the volume accumulates throughput credits. Volume size also determines the burst throughput of your volume, which is the rate at which you can spend credits when they are available.

Cold HDD (sc1) Volumes

  • provide low-cost magnetic storage that defines performance in terms of throughput rather than IOPS.
  • with a lower throughput limit than st1, are ideal for large, sequential cold-data workloads.
  • are ideal when data is accessed infrequently and you want to save costs; sc1 provides inexpensive block storage
  • cannot be used as boot volumes (sc1 volumes are not bootable)
  • though similar to Throughput Optimized HDD (st1) volumes, are designed to support infrequently accessed data.
  • use a burst-bucket model for performance similar to gp2. Volume size determines the baseline throughput of the volume, which is the rate at which the volume accumulates throughput credits. Volume size also determines the burst throughput of your volume, which is the rate at which you can spend credits when they are available.

AWS DataSync is an online data transfer service that simplifies, automates, and accelerates moving data between on-premises storage systems and AWS Storage services.

DataSync can copy data between Network File System (NFS) shares, Server Message Block (SMB) shares, self-managed object storage, AWS Snowcone, Amazon Simple Storage Service (Amazon S3) buckets, Amazon Elastic File System (Amazon EFS) file systems, and Amazon FSx for Windows File Server file systems.

Amazon EC2 Auto Scaling

Amazon EC2 Auto Scaling helps in automatically scaling the Amazon EC2 instances up and down as per the policies you define.

Adding Lifecycle Hooks to the Auto Scaling group puts the instance into a wait state before termination. During this wait state, you can perform custom activities to retrieve critical operational data from a stateful instance. (The default wait period is 1 hour)

Scheduled scaling: you can configure a scaling schedule in the Auto Scaling group to plan the scaling actions.

Amazon EC2 Auto Scaling supports the following types of dynamic scaling policies:

  • Target tracking scaling — Increase or decrease the current capacity of the group based on a target value for a specific metric. This is similar to the way that your thermostat maintains the temperature of your home — you select a temperature and the thermostat does the rest.
  • Step scaling — Increase or decrease the current capacity of the group based on a set of scaling adjustments, known as step adjustments, that vary based on the size of the alarm breach.
  • Simple scaling — Increase or decrease the current capacity of the group based on a single scaling adjustment.

Autoscaling Groups

  1. An Auto Scaling group contains a collection of Amazon EC2 instances that are treated as a logical grouping for the purposes of automatic scaling and management.
  2. An Auto Scaling group also enables you to use Amazon EC2 Auto Scaling features such as health check replacements and scaling policies.
  3. Both maintaining the number of instances in an Auto Scaling group and automatic scaling are the core functionality of the Amazon EC2 Auto Scaling service.
  4. Supports a mix of On-Demand and Spot instances

AWS Lambda

  1. AWS Lambda enables you to run code without provisioning or managing any servers or infrastructure. Serverless.
  2. You can also run code in response to event triggers such as Amazon S3 uploads, Amazon DynamoDB updates, Amazon Kinesis streams, Amazon API Gateway requests, and so on.
  3. The pricing for using AWS Lambda is simple. You pay only for the compute time when the code is getting executed; there is no charge when the code is not running.

Securing Environment variables in AWS Lambda

When you create or update Lambda functions that use environment variables, AWS Lambda encrypts them using the AWS Key Management Service. When your Lambda function is invoked, those values are decrypted and made available to the Lambda code.

The first time you create or update Lambda functions that use environment variables in a region, a default service key is created for you automatically within AWS KMS. This key is used to encrypt environment variables. However, if you wish to use encryption helpers and use KMS to encrypt environment variables after your Lambda function is created, you must create your own AWS KMS key and choose it instead of the default key. The default key will give errors when chosen. Creating your own key gives you more flexibility, including the ability to create, rotate, disable, and define access controls, and to audit the encryption keys used to protect your data.

Amazon EC2 Container Service (ECS)

  • Amazon Elastic Container Service (ECS) is a highly scalable, high performance container management service that supports Docker containers and allows you to easily run applications on a managed cluster of Amazon EC2 instances. Amazon ECS makes it easy to use containers as a building block for your applications by eliminating the need for you to install, operate, and scale your own cluster management infrastructure. Amazon ECS lets you schedule long-running applications, services, and batch processes using Docker containers. Amazon ECS maintains application availability and allows you to scale your containers up or down to meet your application’s capacity requirements.
  • There are no separate charges for Amazon ECS; you pay only for the AWS resources used, such as Amazon EC2 instances, Amazon Elastic Block Store (EBS) volumes, and so on.

Amazon Lightsail

  1. Amazon’s website hosting service (Virtual Private Server).
  2. Small Scale deployment

AWS Elastic Beanstalk

  • AWS Elastic Beanstalk lets you run and manage web applications without worrying about the underlying infrastructure.
  • AWS Elastic Beanstalk automatically handles deployment, load balancing, autoscaling, and application health monitoring. At the same time, you have full control over the AWS resource; you can access the underlying resources at any time using the console
  • AWS Elastic Beanstalk supports the deployment of web applications from Docker containers. With Docker containers, you can define your own runtime environment. You can choose your own platform, programming language, and any application dependencies (such as package managers or tools) that aren’t supported by other platforms. Docker containers are self-contained and include all the configuration information and software your application requires to run.
  • AWS Elastic Beanstalk stores your application files in Amazon S3; the server log files can also optionally be stored in S3 or in CloudWatch Logs.

NETWORKING

Amazon Virtual Private Cloud (VPC)

  • A VPC spans all of the Availability Zones in the Region.
  • After creating a VPC, you can add one or more subnets in each Availability Zone.
  • If you have multiple Amazon VPCs, you can connect them as well using Amazon VPC peering.
  • /16 is the largest VPC, and smallest is /28.
  • AWS reserves 5 IP addresses in each subnet.
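The /16 to /28 limits and the five reserved addresses per subnet are the numbers that trip people up when sizing a VPC. The following Python is an added example, not from the notes: it validates a VPC CIDR against those limits, reports the usable host count of a subnet, names the reserved addresses, and carves one subnet per Availability Zone out of the VPC range. The roles of the five reserved addresses (network address, VPC router, DNS resolver, reserved for future use, broadcast) follow AWS documentation; the CIDRs and AZ names are constructed.

```python
"""Size VPC subnets with the constraints the notes list: VPC CIDRs from
/16 to /28, and 5 addresses per subnet that AWS reserves.

Added example, not from the article. The roles of the reserved addresses
follow AWS documentation; the sample CIDRs and AZ names are constructed.
"""
from __future__ import annotations

import ipaddress

RESERVED_PER_SUBNET = 5
VPC_LARGEST_PREFIX, VPC_SMALLEST_PREFIX = 16, 28


def validate_vpc_cidr(cidr: str) -> ipaddress.IPv4Network:
    """Accept only CIDRs AWS allows for a VPC (between /16 and /28)."""
    net = ipaddress.ip_network(cidr, strict=True)
    if not VPC_LARGEST_PREFIX <= net.prefixlen <= VPC_SMALLEST_PREFIX:
        raise ValueError(f"{cidr}: VPC prefix must be between /16 and /28")
    return net


def usable_hosts(subnet_cidr: str) -> int:
    """Addresses available to instances after the 5 that AWS reserves."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return net.num_addresses - RESERVED_PER_SUBNET


def reserved_addresses(subnet_cidr: str) -> dict[str, str]:
    """The five addresses in a subnet that cannot be assigned to instances."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return {
        "network": str(net[0]),      # network address
        "vpc_router": str(net[1]),   # reserved for the VPC router
        "dns": str(net[2]),          # reserved for the DNS resolver
        "future_use": str(net[3]),   # reserved by AWS for future use
        "broadcast": str(net[-1]),   # broadcast address (not supported, still reserved)
    }


def plan_subnets(vpc_cidr: str, azs: list[str], new_prefix: int) -> dict[str, str]:
    """Carve one subnet per AZ out of the VPC range, e.g. a /24 per AZ."""
    vpc = validate_vpc_cidr(vpc_cidr)
    subnets = vpc.subnets(new_prefix=new_prefix)
    return {az: str(next(subnets)) for az in azs}


if __name__ == "__main__":
    print(usable_hosts("10.0.1.0/24"))
    print(reserved_addresses("10.0.1.0/24"))
    print(plan_subnets("10.0.0.0/16", ["us-east-1a", "us-east-1b", "us-east-1c"], 24))
```

A /28 subnet, the smallest allowed, holds 16 addresses and therefore only 11 usable ones, which is why tiny subnets for NAT gateways or endpoints fill up faster than the prefix length suggests.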

Elastic IP Address — An Elastic IP address is a static IPv4 address designed for dynamic cloud computing. An Elastic IP address is a public IPv4 address, which is reachable from the internet.

An Elastic IP address doesn’t incur charges as long as the following conditions are true:

  1. The Elastic IP address is associated with an Amazon EC2 instance.
  2. The instance associated with the Elastic IP address is running.
  3. The instance has only one Elastic IP address attached to it.

Bastion or Jump Boxes — A Bastion host allows you to securely administer (via SSH or RDP) an EC2 instance located in a private subnet. Don’t confuse Bastions and NATs, which allow outside traffic to reach an instance in a private subnet.

An interface endpoint is an elastic network interface with a private IP address from the IP address range of your subnet that serves as an entry point for traffic destined to a supported service.

A gateway endpoint is a gateway that you specify as a target for a route in your route table for traffic destined to a supported AWS service. The following AWS services are supported: Amazon S3 and DynamoDB.

A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses. Instances in either VPC can communicate with each other as if they are within the same network. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account. The VPCs can be in different regions (also known as an inter-region VPC peering connection).

AWS uses the existing infrastructure of a VPC to create a VPC peering connection; it is neither a gateway nor a VPN connection and does not rely on a separate piece of physical hardware. There is no single point of failure for communication or a bandwidth bottleneck.

AWS Direct Connect is a cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS. Using AWS Direct Connect, you create a private connection between AWS and your data center, office, or colocation environment. This can increase bandwidth throughput and provide a more consistent network experience than internet-based connections.

AWS Direct Connect is compatible with all AWS services accessible over the internet, and is available in speeds starting at 50 Mbps and scaling up to 100 Gbps.

After you have downloaded your Letter of Authorization and Connecting Facility Assignment (LOA-CFA), you must complete your cross-network connection, also known as a cross connect. If you already have equipment located in an AWS Direct Connect location, contact the appropriate provider to complete the cross connect.

A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign up to five security groups to the instance. Security groups act at the instance level, not the subnet level. Therefore, each instance in a subnet in your VPC can be assigned to a different set of security groups.

  • When you create a new security group, all outbound traffic is allowed by default.
  • Security groups operate at the instance level; they support “allow” rules only, and they evaluate all rules before deciding whether to allow traffic.
  • Security groups are stateful.
  • It must be noted that a subnet is tied to only one Availability Zone. Of course, within an AZ you can have multiple subnets.

An Internet Gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet. An Internet Gateway serves two purposes:

  1. To provide a target in your VPC route tables for internet-routable traffic.
  2. To perform network address translation (NAT) for instances that have been assigned public IPv4 addresses.

An egress-only Internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows outbound communication over IPv6 from instances in your VPC to the Internet, and prevents the Internet from initiating an IPv6 connection with your instances.

A Route Table contains a set of rules, called routes, that are used to determine where network traffic from your subnet or gateway is directed.

  1. You can associate multiple subnets with the same route table.
  2. When you create a VPC, Amazon VPC automatically creates the main route table.
  3. Route Tables control traffic between subnets.

Network Address Translation (NAT) Devices

You can use a NAT device to allow instances in private subnets to connect to the internet, other VPCs, or on-premises networks. These instances can communicate with services outside the VPC, but they cannot receive unsolicited connection requests.

The NAT device replaces the source IPv4 address of the instances with the address of the NAT device. When sending response traffic to the instances, the NAT device translates the addresses back to the original source IPv4 addresses.

You can use a managed NAT device offered by AWS, called a NAT gateway, or you can create your own NAT device on an EC2 instance, called a NAT instance. We recommend that you use NAT gateways because they provide better availability and bandwidth and require less effort on your part to administer.

Considerations:

  • NAT devices are not supported for IPv6 traffic — use an egress-only internet gateway instead.
  • NAT Gateway is a better choice than NAT instance as NAT Gateway is highly available. If you’re already using a NAT instance, you can replace it with a NAT Gateway.

A Network Access Control List (NACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC.

  1. Is stateless: Return traffic must be explicitly allowed by rules.
  2. Rules are processed in number order when deciding whether to allow traffic.
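The differences between the security group bullets above (allow-only, every rule evaluated, stateful) and the NACL bullets (numbered allow/deny rules, first match in number order, stateless with an implicit deny) are the classic source of "the request got in but the reply never came back" tickets. The following Python is an added example, not from the notes or from AWS: a small simulator of those evaluation semantics, run against a constructed scenario of an internet client opening HTTPS to a web server in a subnet. The Packet and Rule classes and the addresses are assumptions made for the illustration.

```python
"""Stateful security groups versus stateless, number-ordered network ACLs.

Added example, not from the article or AWS: a small simulator of the
evaluation semantics the notes describe. The Packet/Rule classes and the
web-server scenario at the bottom are constructed for this illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

ANY = "-1"  # protocol wildcard, as in the AWS rule syntax


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str
    src_port: int
    dst_port: int

    def reply(self) -> "Packet":
        """The return packet of this flow (addresses and ports swapped)."""
        return Packet(self.dst_ip, self.src_ip, self.protocol, self.dst_port, self.src_port)


@dataclass(frozen=True)
class Rule:
    protocol: str
    from_port: int
    to_port: int
    cidr: str
    action: str = "allow"   # security groups only ever hold allow rules
    number: int = 0         # only meaningful for network ACL rules

    def matches(self, pkt: Packet, remote_ip: str) -> bool:
        return (self.protocol in (ANY, pkt.protocol)
                and self.from_port <= pkt.dst_port <= self.to_port
                and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(self.cidr))


def _remote_ip(direction: str, pkt: Packet) -> str:
    return pkt.src_ip if direction == "inbound" else pkt.dst_ip


class SecurityGroup:
    """Allow-only, every rule evaluated, stateful: replies to an allowed flow pass."""

    def __init__(self, inbound: list[Rule], outbound: list[Rule] | None = None):
        default_out = [Rule(ANY, 0, 65535, "0.0.0.0/0")]  # new groups allow all outbound
        self.rules = {"inbound": list(inbound),
                      "outbound": list(outbound) if outbound is not None else default_out}
        self._allowed_flows: set[Packet] = set()

    def allows(self, direction: str, pkt: Packet) -> bool:
        if pkt.reply() in self._allowed_flows:   # connection tracking: reply of an allowed flow
            return True
        remote = _remote_ip(direction, pkt)
        if any(r.matches(pkt, remote) for r in self.rules[direction]):
            self._allowed_flows.add(pkt)
            return True
        return False


class NetworkAcl:
    """Numbered allow/deny rules, lowest number first, stateless, implicit deny."""

    def __init__(self, inbound: list[Rule], outbound: list[Rule]):
        self.rules = {"inbound": sorted(inbound, key=lambda r: r.number),
                      "outbound": sorted(outbound, key=lambda r: r.number)}

    def allows(self, direction: str, pkt: Packet) -> bool:
        remote = _remote_ip(direction, pkt)
        for rule in self.rules[direction]:
            if rule.matches(pkt, remote):
                return rule.action == "allow"   # first match wins
        return False                            # the trailing "*" deny rule


def connection_outcome(sg: SecurityGroup, nacl: NetworkAcl, request: Packet) -> str:
    """Trace a request into the subnet and its reply back out."""
    if not (nacl.allows("inbound", request) and sg.allows("inbound", request)):
        return "request dropped"
    reply = request.reply()
    if not (sg.allows("outbound", reply) and nacl.allows("outbound", reply)):
        return "reply dropped"
    return "ok"


# Constructed scenario: HTTPS from an internet client to a web server at 10.0.1.10.
REQUEST = Packet("203.0.113.5", "10.0.1.10", "tcp", 51000, 443)
HTTPS_IN = Rule("tcp", 443, 443, "0.0.0.0/0", number=100)
EPHEMERAL_OUT = Rule("tcp", 1024, 65535, "0.0.0.0/0", number=100)


def web_server_sg() -> SecurityGroup:
    # outbound=[] removes the default allow-all so the reply passes only
    # because the group is stateful, not because of an outbound rule.
    return SecurityGroup(inbound=[HTTPS_IN], outbound=[])


if __name__ == "__main__":
    print(connection_outcome(web_server_sg(), NetworkAcl([HTTPS_IN], [EPHEMERAL_OUT]), REQUEST))
    print(connection_outcome(web_server_sg(), NetworkAcl([HTTPS_IN], []), REQUEST))
```

Dropping the NACL's outbound ephemeral-port rule turns the result into "reply dropped", which a security group alone would never produce; and a deny rule for the client's /24 placed at number 90 blocks the request while the same rule at number 110 is never reached, because rule 100 already matched.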

Amazon Route 53

Amazon Route 53 is a highly available and scalable Domain Name System (DNS) web service. You can use Route 53 to perform three main functions in any combination: domain registration, DNS routing, and health checking.

When you create a record, you choose a routing policy, which determines how Amazon Route 53 responds to queries:

  • Simple routing policy — Use for a single resource that performs a given function for your domain, for example, a web server that serves content for the example.com website.
  • Failover routing policy — Use when you want to configure active-passive failover.
  • Geolocation routing policy — Use when you want to route traffic based on the location of your users.
  • Geoproximity routing policy — Use when you want to route traffic based on the location of your resources and, optionally, shift traffic from resources in one location to resources in another.
  • Latency routing policy — Use when you have resources in multiple AWS Regions and you want to route traffic to the Region that provides the best latency (the lowest round-trip time).
  • Multivalue answer routing policy — Use when you want Route 53 to respond to DNS queries with up to eight healthy records selected at random.
  • Weighted routing policy — Use to route traffic to multiple resources in proportions that you specify.
  • Failover routing policy — Lets you route traffic to a resource when the resource is healthy or to a different resource when the first resource is unhealthy. The primary and secondary records can route traffic to anything from an Amazon S3 bucket that is configured as a website to a complex tree of records.
  • Geolocation routing policy — Geolocation routing lets you choose the resources that serve your traffic based on the geographic location of your users, meaning the location that DNS queries originate from. For example, you might want all queries from Europe to be routed to an ELB load balancer in the Frankfurt region.

When you use geolocation routing, you can localize your content and present some or all of your website in the language of your users. You can also use geolocation routing to restrict distribution of content to only the locations in which you have distribution rights. Another possible use is for balancing load across endpoints in a predictable, easy-to-manage way, so that each user location is consistently routed to the same endpoint.

Elastic Load Balancing (ELB)

Elastic Load Balancing automatically distributes incoming application traffic across multiple targets, such as Amazon EC2 instances, containers, IP addresses, Lambda functions, and virtual appliances. It can handle the varying load of your application traffic in a single Availability Zone or across multiple Availability Zones. Elastic Load Balancing offers four types of load balancers that all feature the high availability, automatic scaling, and robust security necessary to make your applications fault tolerant.

Application Load Balancer operates at the request level (layer 7), routing traffic to targets (EC2 instances, containers, IP addresses, and Lambda functions) based on the content of the request. Ideal for advanced load balancing of HTTP and HTTPS traffic, Application Load Balancer provides advanced request routing targeted at delivery of modern application architectures, including microservices and container-based applications. Application Load Balancer simplifies and improves the security of your application, by ensuring that the latest SSL/TLS ciphers and protocols are used at all times.

Network Load Balancer operates at the connection level (Layer 4), routing connections to targets (Amazon EC2 instances, microservices, and containers) within Amazon VPC, based on IP protocol data. Ideal for load balancing of both TCP and UDP traffic, Network Load Balancer is capable of handling millions of requests per second while maintaining ultra-low latencies. Network Load Balancer is optimized to handle sudden and volatile traffic patterns while using a single static IP address per Availability Zone. It is integrated with other popular AWS services such as Auto Scaling, Amazon EC2 Container Service (ECS), Amazon CloudFormation, and AWS Certificate Manager (ACM).

Gateway Load Balancer makes it easy to deploy, scale, and run third-party virtual networking appliances. Providing load balancing and auto scaling for fleets of third-party appliances, Gateway Load Balancer is transparent to the source and destination of traffic. This capability makes it well suited for working with third-party appliances for security, network analytics, and other use cases.

Classic Load Balancer provides basic load balancing across multiple Amazon EC2 instances and operates at both the request level and the connection level. Classic Load Balancer is intended for applications that were built within the EC2-Classic network.

AWS Direct Connect

AWS Direct Connect is a network service that provides an alternative to using the Internet to connect customers’ on-premises sites to AWS. AWS Direct Connect does not involve the Internet; instead, it uses dedicated, private network connections between your intranet and Amazon VPC.

Using AWS Direct Connect, you can establish private, dedicated network connectivity from your data center to AWS.

AWS Global Accelerator

AWS Global Accelerator is a service that improves the availability and performance of your applications with local or global users. It provides static IP addresses that act as a fixed entry point to your application endpoints in a single or multiple AWS Regions, such as your Application Load Balancers, Network Load Balancers, or Amazon EC2 instances.

A networking service that improves traffic performance by up to 60%.

Redirects users’ requests to the nearest edge location and then routes the data over the Amazon global network.

It also reroutes requests to healthy IPs.

SECURITY AND COMPLIANCE

AWS Identity and Access Management (IAM) enables you to manage access to AWS services and resources securely. IAM is used to create users, groups, and roles.

SAML-Based federation for API Access to AWS

AWS supports identity federation with SAML 2.0, an open standard that many identity providers (IdPs) use. This feature enables federated single sign-on (SSO), so users can log into the AWS Management Console or call the AWS APIs without you having to create an IAM user for everyone in your organization. By using SAML, you can simplify the process of configuring federation with AWS, because you can use the IdP’s service instead of writing custom identity proxy code.

AWS Certificate Manager is a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources. SSL/TLS certificates are used to secure network communications and establish the identity of websites over the Internet as well as resources on private networks. AWS Certificate Manager removes the time-consuming manual process of purchasing, uploading, and renewing SSL/TLS certificates.

Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for exposure, vulnerabilities, and deviations from best practices.

AWS WAF is a web application firewall that helps protect your web applications or APIs against common web exploits and bots that may affect availability, compromise security, or consume excessive resources. It lets you configure rules that allow, block, or monitor (count) web requests based on conditions that you define.

These conditions include:

  • IP addresses
  • HTTP headers
  • HTTP body
  • URI strings
  • SQL injection
  • cross-site scripting.

AWS WAF is tightly integrated with Amazon CloudFront, the Application Load Balancer (ALB), Amazon API Gateway, and AWS AppSync — services that AWS customers commonly use to deliver content for their websites and applications. When you use AWS WAF on Amazon CloudFront, your rules run in all AWS Edge Locations, located around the world close to your end-users. This means security doesn’t come at the expense of performance. Blocked requests are stopped before they reach your web servers. When you use AWS WAF on regional services, such as Application Load Balancer, Amazon API Gateway, and AWS AppSync, your rules run in the region and can be used to protect Internet-facing resources as well as internal resources.

WAF lets you create rules to filter web traffic based on conditions that include IP addresses, HTTP headers and body, or custom URIs.

  • You can also create rules that block common web exploits like SQL injection and cross-site scripting.
  • For application-layer attacks, you can use WAF to respond to incidents: set up proactive rules such as rate-based blocking to automatically block abusive sources, or add rules immediately as an incident unfolds.

WAF provides real-time metrics and captures raw requests that include details about IP addresses, geo locations, URIs, User-Agent and Referers.

  • AWS WAF can parse request body JSON content to inspect specific keys or values in the JSON content with WAF rules. This helps you protect your APIs by checking for valid JSON structure, inspecting the JSON content for common threats against your application, and reducing false positives by inspecting only the keys or values in the JSON content.

AWS WAF Security Automations is a solution that automatically deploys a single web access control list (web ACL) with a set of AWS WAF rules designed to filter common web-based attacks. The solution supports log analysis using Amazon Athena and AWS WAF full logs.

Conditions, Rules, and Web ACLs

  • You define your conditions, combine your conditions into rules, and combine the rules into a web ACL.
  • Conditions define the basic characteristics that you want WAF to watch for in web requests.
  • You combine conditions into rules to precisely target the requests that you want to allow, block, or count. WAF provides two types of rules:
  • Regular rules use only conditions to target specific requests.
  • Rate-based rules are regular rules with a rate limit added. A rate-based rule tracks the number of requests from each originating IP address over a 5-minute window and triggers the rule action on IPs whose count exceeds the limit you set. Use this type of rule to put a temporary block on an IP address that is sending excessive requests.
  • WAF Managed Rules are an easy way to deploy pre-configured rules that protect your applications against common threats such as known application vulnerabilities. Managed rule groups are maintained and automatically updated by AWS and by AWS Marketplace security sellers.
  • After you combine your conditions into rules, you combine the rules into a web ACL. This is where you define an action for each rule (allow, block, or count) and a default action, which determines whether to allow or block a request that doesn't match any of the rules in the web ACL. Rules are evaluated in priority order; allow and block are terminating actions, count is not.
  • You can insert custom HTTP headers into a request when WAF allows it to reach your application. You can use these headers to validate that requests to your application passed through WAF, and configure your application (or origin) to accept only requests that carry the header values you specify, so that traffic cannot bypass WAF by reaching the origin directly. You can also use the headers so your application processes the request differently, or logs them for reporting and analytics.
  • WAF lets you configure the HTTP status code and the response body returned to the user when a request is blocked.

Pricing

  • WAF charges based on the number of web access control lists (web ACLs) that you create, the number of rules that you add per web ACL, and the number of web requests that you receive.
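The following is an added example (not AWS code and not from these notes) that models the evaluation order described above in plain Python: rules are checked in priority order, ALLOW and BLOCK terminate, COUNT records a match and continues, a rate-based rule keeps a per-IP count over a 5-minute window, and the default action handles whatever nothing matched. The rule names, IP ranges, SQL-injection pattern, rate limit and sample requests are constructed for the demo; the real service re-checks rate counts every 30 seconds and enforces a higher minimum rate limit, and its managed SQLi matching is far more thorough than the regex here.

```python
"""Toy model of AWS WAF web ACL evaluation (added example, not AWS code)."""
import ipaddress
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, List, Tuple

RATE_WINDOW_SECONDS = 300  # AWS WAF rate-based rules use a 5-minute window


@dataclass
class Request:
    ip: str
    uri: str
    ts: int                                   # arrival time, seconds
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


@dataclass
class Rule:
    name: str
    action: str                               # "ALLOW", "BLOCK" or "COUNT"
    match: Callable[[Request], bool]


class RateBasedRule:
    """Counts requests per source IP and matches once the count in the window
    exceeds the limit. Real WAF re-evaluates every 30 s; here it is per request."""

    def __init__(self, name: str, limit: int, window: int = RATE_WINDOW_SECONDS):
        self.name, self.action, self.limit, self.window = name, "BLOCK", limit, window
        self._seen: Dict[str, Deque[int]] = defaultdict(deque)

    def match(self, req: Request) -> bool:
        q = self._seen[req.ip]
        q.append(req.ts)
        while q and q[0] <= req.ts - self.window:   # drop requests outside the window
            q.popleft()
        return len(q) > self.limit


class WebACL:
    def __init__(self, rules: List, default_action: str = "ALLOW"):
        self.rules, self.default_action = rules, default_action
        self.counts: Dict[str, int] = defaultdict(int)   # what the rule metrics would show

    def evaluate(self, req: Request) -> Tuple[str, str]:
        for rule in self.rules:                     # list order == rule priority
            if rule.match(req):
                self.counts[rule.name] += 1
                if rule.action == "COUNT":          # non-terminating: keep evaluating
                    continue
                return rule.action, rule.name       # ALLOW/BLOCK terminate evaluation
        return self.default_action, "default"


# --- conditions (constructed for the demo) ----------------------------------
BLOCKED_NETS = [ipaddress.ip_network("203.0.113.0/24")]   # TEST-NET-3 placeholder range
SQLI_PATTERN = re.compile(
    r"(?i)(\bunion\b\s+\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+|;\s*drop\s+table)")


def ip_in_blocked_set(req: Request) -> bool:
    return any(ipaddress.ip_address(req.ip) in net for net in BLOCKED_NETS)


def looks_like_sqli(req: Request) -> bool:
    return bool(SQLI_PATTERN.search(req.uri) or SQLI_PATTERN.search(req.body))


def missing_user_agent(req: Request) -> bool:
    return "user-agent" not in {k.lower() for k in req.headers}


def build_acl() -> WebACL:
    return WebACL(
        rules=[
            Rule("block-known-bad-ips", "BLOCK", ip_in_blocked_set),
            Rule("count-missing-user-agent", "COUNT", missing_user_agent),
            Rule("block-sqli", "BLOCK", looks_like_sqli),
            RateBasedRule("rate-limit", limit=5),   # real minimum is higher; scaled down for the demo
        ],
        default_action="ALLOW",
    )


# Constructed traffic: a blocked source, an injection attempt, a headerless client, then a burst.
SAMPLE_REQUESTS = [
    Request("203.0.113.7", "/login", 0, {"User-Agent": "curl/8.0"}),
    Request("198.51.100.9", "/search?q=1' OR '1'='1", 1, {"User-Agent": "Mozilla/5.0"}),
    Request("198.51.100.9", "/", 2),
] + [Request("192.0.2.4", "/api/items", 10 + i, {"User-Agent": "scraper/1.0"}) for i in range(7)]


def run_demo() -> Tuple[List[Tuple[str, str]], Dict[str, int]]:
    acl = build_acl()
    decisions = [acl.evaluate(r) for r in SAMPLE_REQUESTS]
    return decisions, dict(acl.counts)


if __name__ == "__main__":
    decisions, counts = run_demo()
    for req, (action, rule) in zip(SAMPLE_REQUESTS, decisions):
        print(f"{req.ip:14} {req.uri:28} -> {action:5} ({rule})")
    print(counts)
```

Note what the COUNT rule does and does not do: the headerless request is recorded in the metrics but still reaches the default action, which is how you stage a new rule in count mode before switching it to block. The burst from 192.0.2.4 is allowed until the sixth request in the window, after which every further request is blocked by the rate-based rule.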

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3. It analyzes CloudTrail events, VPC Flow Logs and DNS logs (you do not need to enable those sources yourself) using threat intelligence and anomaly detection, giving you an intelligent and cost-effective option for continuous threat detection in AWS.

AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection. There are two tiers of AWS Shield: Standard, which is enabled automatically at no extra charge and covers common network and transport layer attacks, and Advanced, a paid tier that adds protection for larger and application-layer attacks, access to the AWS DDoS Response Team, and cost protection against scaling charges caused by an attack.

Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS.

STORAGE AND CONTENT DELIVERY

Storage offerings of AWS can be divided in 3 categories
1. Object — An object is a piece of data, like a document, image, or video, that is stored with some metadata in a flat structure. As an example, you can easily develop a web application that reads and writes content in Amazon S3 through its API.
2. File — In file storage, data is presented via a file system interface and with file system semantics to instances.
3. Block — In block storage, data is presented to your instance as a disk volume.

Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. Amazon S3 also offers a range of storage classes for the objects that you store. You choose a class depending on your use case scenario and performance access requirements. All of these storage classes offer high durability.

  1. Designed for 99.999999999 percent (11 nines) durability of objects
  2. Object storage
  3. 100 buckets per account by default (a soft limit that can be raised)
  4. You can store an unlimited amount of data, but a single object can't exceed 5 TB; a single PUT is limited to 5 GB, and multipart upload is recommended above 100 MB
  5. It is a regional service; objects are automatically replicated across multiple AZs within the region for durability
  6. Amazon S3 supports multipart uploads (when uploading large objects)
  7. S3 Standard is designed to provide 99.99 percent availability
  8. For DR, cross-region replication (CRR) automatically replicates each S3 object to a bucket in a different region; same-region replication (SRR) does the same within a region. Versioning must be enabled on both buckets
  9. Consistency — S3 now provides strong read-after-write consistency for all PUT and DELETE operations (older material describes read-after-write consistency for new objects and eventual consistency for overwrites and deletes)
  10. Access control — IAM policies / bucket policies / ACLs, with the account and bucket level Block Public Access settings overriding all of them
  11. Lifecycle management — transition actions / expiration actions

To move files to a cheaper storage class automatically, both Amazon S3 and Amazon EFS offer lifecycle configurations. In S3 you define transition and expiration actions per bucket (optionally filtered by prefix or tag); in EFS a lifecycle policy transitions files to the Infrequent Access class after a configurable number of days since they were last accessed (for example 30 or 90 days), and can optionally move them back to Standard on first access.

Amazon S3 Standard is used for frequently accessed data. Objects are stored redundantly across a minimum of three AZs, and the class is designed to sustain the concurrent loss of two facilities. Supports TLS for data in transit and server-side encryption (SSE-S3, SSE-KMS or SSE-C) at rest. Designed for 99.99% availability over a given year.

Amazon S3 Intelligent-Tiering automatically moves objects between access tiers (frequent, infrequent and archive instant access, plus optional asynchronous archive tiers) based on changing access patterns, for a small monthly monitoring fee and no retrieval charges. Designed for 99.9% availability over a given year.

Amazon S3 RRS (Reduced Redundancy Storage) is a legacy storage class for noncritical, reproducible data; it is no longer cheaper than S3 Standard and is not recommended for new workloads.

Amazon S3 Standard-Infrequent Access (Standard-IA) is for data that is accessed less frequently but needs rapid access when required. It has a lower storage price than Standard but adds a per-GB retrieval charge and a 30-day minimum storage duration. Same in-transit (TLS) and at-rest (server-side encryption) options as Standard. Designed for 99.9% availability over a given year.

Amazon S3 One Zone-IA is for infrequently accessed data that requires rapid access when needed but does not need multi-AZ resilience: it stores data in a single AZ, so the data is lost if that AZ is destroyed. It costs about 20% less than Standard-IA. Designed for 99.5% availability over a given year.

Amazon S3 Glacier

  1. Object (archive) storage for data that is rarely accessed
  2. Retrieval options for the Flexible Retrieval class: expedited (1–5 minutes), standard (3–5 hours), and bulk (5–12 hours). S3 Glacier Instant Retrieval returns data in milliseconds at a higher storage price.
  3. To upload through the native S3 Glacier API you first create a vault; you can also place objects in the Glacier storage classes directly through S3 (a PUT with the storage class set, or a lifecycle transition) with no vault involved.

Amazon S3 Glacier Deep Archive is Amazon S3's lowest-cost storage class and supports long-term retention and digital preservation for data that may be accessed once or twice a year. Restores take up to 12 hours (standard) or 48 hours (bulk), and objects have a 180-day minimum storage duration.

Cross-origin resource sharing (CORS) defines a way for client web applications that are loaded in one domain to interact with resources in a different domain. With CORS support, you can build rich client-side web applications with Amazon S3 and selectively allow cross-origin access to your Amazon S3 resources.

Client-side encryption is the act of encrypting data before sending it to Amazon S3, so S3 only ever stores ciphertext. To enable client-side encryption you have two options for the master key:

- an AWS KMS key, which the SDK's encryption client uses to generate and wrap a data key for each object, or

- a client-side master key that you manage yourself and that is never sent to AWS.

Pre-signed URLs are the standard way to give temporary access to a specific S3 object without creating credentials for the user. The URL is signed with the credentials of the principal that creates it, so it can do only what that principal is allowed to do, and anyone who holds the URL can use it until it expires (a SigV4 pre-signed URL can last at most 7 days, and one signed with temporary role credentials stops working when those credentials expire). So, whenever a new profile is created, you can generate a pre-signed URL that lasts for a week and allows the user to upload the required objects.
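An added example (standard-library Python, not boto3 and not from the original notes) of what a SigV4 pre-signed S3 URL actually is: the query string carries the signer's access key ID, the signing date, the lifetime and an HMAC over the canonical request, and the receiving side recomputes that HMAC from the secret and rejects the URL if it has expired, if the path or any parameter was altered, or if the signing key no longer exists. The credentials and bucket mirror the placeholders used in the AWS documentation's pre-signed URL walkthrough and are not real keys; verify() is a model of the service-side check written here for illustration.

```python
"""SigV4 pre-signed S3 URL: minting and checking (added example, not AWS SDK code)."""
import datetime as dt
import hashlib
import hmac
from typing import Callable, Dict, Optional
from urllib.parse import parse_qsl, quote, unquote, urlsplit

MAX_EXPIRES = 7 * 24 * 3600   # AWS caps SigV4 query-string authentication at 7 days
ALGORITHM = "AWS4-HMAC-SHA256"

# Placeholder credentials from the AWS documentation examples (not real keys).
DOC_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
DOC_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DOC_TIME = dt.datetime(2013, 5, 24, tzinfo=dt.timezone.utc)


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret: str, datestamp: str, region: str, service: str = "s3") -> bytes:
    """Per-day, per-region, per-service derived key; the raw secret never signs a request."""
    k = _hmac(("AWS4" + secret).encode(), datestamp)
    k = _hmac(k, region)
    k = _hmac(k, service)
    return _hmac(k, "aws4_request")


def _canonical_query(params: Dict[str, str]) -> str:
    return "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                    for k, v in sorted(params.items()))


def _signature(secret: str, method: str, host: str, path: str,
               params: Dict[str, str], region: str) -> str:
    amz_date = params["X-Amz-Date"]
    datestamp = amz_date[:8]
    canonical_request = "\n".join([
        method,
        quote(path, safe="/-_.~"),        # URI-encoded object path
        _canonical_query(params),         # sorted, encoded, without X-Amz-Signature
        f"host:{host}\n",                 # canonical headers block ends with a newline
        "host",                           # signed headers
        "UNSIGNED-PAYLOAD",               # a pre-signed URL does not bind the body
    ])
    scope = f"{datestamp}/{region}/s3/aws4_request"
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    return hmac.new(signing_key(secret, datestamp, region),
                    string_to_sign.encode(), hashlib.sha256).hexdigest()


def presign(access_key: str, secret: str, bucket: str, key: str, method: str = "GET",
            expires: int = 3600, region: str = "us-east-1",
            now: Optional[dt.datetime] = None) -> str:
    if not 1 <= expires <= MAX_EXPIRES:
        raise ValueError("X-Amz-Expires must be between 1 second and 7 days")
    now = now or dt.datetime.now(dt.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    host, path = f"{bucket}.s3.amazonaws.com", "/" + key
    params = {
        "X-Amz-Algorithm": ALGORITHM,
        "X-Amz-Credential": f"{access_key}/{amz_date[:8]}/{region}/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    sig = _signature(secret, method, host, path, params, region)
    return f"https://{host}{quote(path, safe='/-_.~')}?{_canonical_query(params)}&X-Amz-Signature={sig}"


def verify(url: str, method: str, secret_lookup: Callable[[str], Optional[str]],
           now: Optional[dt.datetime] = None) -> bool:
    """Model of the service-side check: reject if expired, then recompute and compare."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    presented = params.pop("X-Amz-Signature", "")
    try:
        access_key, datestamp, region, service, term = params["X-Amz-Credential"].split("/")
        issued = dt.datetime.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=dt.timezone.utc)
        expires = int(params["X-Amz-Expires"])
    except (KeyError, ValueError):
        return False
    if service != "s3" or term != "aws4_request" or datestamp != params["X-Amz-Date"][:8]:
        return False
    if not 1 <= expires <= MAX_EXPIRES:
        return False
    now = now or dt.datetime.now(dt.timezone.utc)
    if now < issued or now > issued + dt.timedelta(seconds=expires):
        return False                              # expired, or not yet valid
    secret = secret_lookup(access_key)
    if secret is None:
        return False                              # key deleted or rotated: URL dies with it
    expected = _signature(secret, method, parts.netloc, unquote(parts.path), params, region)
    return hmac.compare_digest(expected, presented)


def demo() -> Dict[str, object]:
    lookup = lambda ak: DOC_SECRET if ak == DOC_ACCESS_KEY else None
    later = DOC_TIME + dt.timedelta(hours=1)
    url = presign(DOC_ACCESS_KEY, DOC_SECRET, "examplebucket", "test.txt", expires=86400, now=DOC_TIME)
    tampered = url[:-1] + ("0" if url[-1] != "0" else "1")   # flip the last signature nibble
    return {
        "url": url,
        "valid": verify(url, "GET", lookup, now=later),
        "wrong_method": verify(url, "PUT", lookup, now=later),
        "tampered": verify(tampered, "GET", lookup, now=later),
        "expired": verify(url, "GET", lookup, now=DOC_TIME + dt.timedelta(days=2)),
        "rotated_key": verify(url, "GET", lambda ak: None, now=later),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two properties worth noticing: the 7-day cap is enforced at signing time and again on verification, and because the signature is bound to the method, path and every query parameter, the only way to revoke a URL before it expires is to rotate or delete the access key whose secret signed it (the lookup returning None above).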

The Amazon S3 notification feature enables you to receive notifications when certain events happen in your bucket. To enable notifications, you must first add a notification configuration that identifies the events you want Amazon S3 to publish and the destinations where you want Amazon S3 to send the notifications. You store this configuration in the notification subresource that is associated with a bucket.

Amazon S3 supports the following destinations where it can publish events:

- Amazon Simple Notification Service (Amazon SNS) topic

- Amazon Simple Queue Service (Amazon SQS) queue (standard queues only, not FIFO)

- AWS Lambda function

- Amazon EventBridge (enabled per bucket; it receives all event types and can fan them out to many targets)

Elastic File System (EFS)

Amazon EFS is a fully-managed service that makes it easy to set up and scale file storage in the Amazon Cloud.

  • File storage service that can be mounted concurrently by many EC2 instances (as well as on-premises servers, containers and Lambda)
  • Supports NFS v4.0 and v4.1; access is controlled by security groups on the mount targets and optionally by an IAM file system policy
  • Data is stored across multiple AZs (Regional classes); One Zone classes keep it in a single AZ
  • Strong read-after-write consistency and full file system access semantics (such as file locking)
  • EFS storage classes — Standard and Infrequent Access (IA), each available as Regional (multi-AZ) or One Zone
  • Supports encryption at rest (KMS) and in transit (TLS via the EFS mount helper)

Elastic Block Storage (EBS)

  1. Block storage for EC2 comes in three forms: the EC2 instance store (ephemeral, physically attached to the host), EBS SSD-backed volumes (gp2/gp3 general purpose, io1/io2 provisioned IOPS), and EBS HDD-backed volumes (st1 throughput optimized, sc1 cold)
  2. An EBS volume is replicated within a single Availability Zone, not across zones, and can only be attached to instances in that AZ
  3. The instance store is ephemeral: its data is lost when the instance stops, hibernates or terminates
  4. EBS is persistent storage (the volume's lifetime is independent of the EC2 instance)
  5. EBS is block storage; EFS and FSx are file storage (NFS, SMB, Lustre), and S3 is object storage
  6. Snapshots are stored in S3 (managed by AWS, not visible in your buckets), are incremental, can be copied across regions, and stay encrypted if the source volume was encrypted
  7. AMIs can be created from both snapshots and volumes
  8. EC2 — take snapshot — create AMI (Amazon Machine Image) from snapshot — use AMI to launch instance

AWS Snowball uses physical storage devices to transfer large amounts of data between Amazon Simple Storage Service (Amazon S3) and your onsite data storage location at faster-than-internet speeds. By working with AWS Snowball, you can save time and money. Snowball provides powerful interfaces that you can use to create jobs, track data, and track the status of your jobs through to completion. Snowball devices are physically rugged devices that are protected by the AWS Key Management Service (AWS KMS). They secure and protect your data in transit. Regional shipping carriers transport Snowballs between Amazon S3 and your onsite data storage location.

The original Snowball came in 80 TB and 50 TB models (availability varied by region) and has been superseded by Snowball Edge.

Snowball Edge Storage Optimized holds about 100 TB (80 TB usable) per device and also has on-device compute (EC2 instances and Lambda functions), so the device can run code to pull data in and store it locally before it is shipped back.

Snowmobile is a 45-foot shipping container pulled by a truck for exabyte-scale data transfer; each Snowmobile holds up to 100 PB.

AWS Storage Gateway

AWS Storage Gateway is a hybrid cloud storage service that gives you on-premises access to virtually unlimited cloud storage.

The service provides three different types of gateways :

File Gateway enables you to store and retrieve objects in Amazon S3 using file protocols such as NFS and SMB. Objects written through the file gateway can be directly accessed in S3. Files are stored as objects in Amazon S3, with a local cache for low-latency access to your most recently used data.

Tape Gateway enables you to replace physical tapes on premises with virtual tapes in AWS without changing existing backup workflows. It presents your backup application with an iSCSI virtual tape library (VTL) interface, consisting of a virtual media changer, virtual tape drives, and virtual tapes, and supports all leading backup applications. Tape Gateway caches virtual tapes on premises for low-latency access, encrypts data between the gateway and AWS, and compresses data. Virtual tape data is stored in Amazon S3 and can be archived to S3 Glacier or S3 Glacier Deep Archive to minimize storage costs, so you back up to S3 and archive in Glacier using your existing tape-based processes.

Volume Gateway presents cloud-backed iSCSI block storage volumes to your on-premises applications. Volume Gateway stores and manages on-premises data in Amazon S3 on your behalf and operates in either cached mode or stored mode. In cached mode, your primary data is stored in Amazon S3, while your frequently accessed data is retained locally in the cache for low-latency access. In stored mode, your primary data is stored locally and your entire dataset is available for low-latency access on premises while also being backed up asynchronously to Amazon S3. In either mode, you can take point-in-time copies of your volumes using AWS Backup, which are stored as Amazon EBS snapshots; from those snapshots you can create EBS volumes to access the data from EC2. EBS snapshots enable you to make space-efficient versioned copies of your volumes for data protection, recovery, migration, etc.

Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency, high transfer speeds, all within a developer-friendly environment.

Amazon CloudFront is a service that speeds up the distribution of your static and dynamic web content, such as .html, .css, .js, and image files, to your users. CloudFront delivers your content through a worldwide network of data centers called edge locations. When a user requests content that you’re serving with CloudFront, the user is routed to the edge location that provides the lowest latency (time delay), so that content is delivered with the best possible performance.

  • Amazon CloudFront is the global content delivery network (CDN) service of AWS.
  • Amazon CloudFront provides advanced CDN features such as TLS (HTTPS) support, geographic restriction, and private content via signed URLs and signed cookies.
  • You can control how long your objects stay in a CloudFront cache before CloudFront forwards another request to your origin. Reducing the duration lets you serve dynamic content. Increasing the duration means your users get better performance because your objects are more likely to be served directly from the edge cache, and it also reduces the load on your origin.

Lambda@Edge lets you run Lambda functions to customize the content that CloudFront delivers, executing the functions in AWS locations closer to the viewer. The functions run in response to CloudFront events, without provisioning or managing servers. You can use Lambda functions to change CloudFront requests and responses at the following points:

- After CloudFront receives a request from a viewer (viewer request)

- Before CloudFront forwards the request to the origin (origin request)

- After CloudFront receives the response from the origin (origin response)

- Before CloudFront forwards the response to the viewer (viewer response)

Set up an origin failover by creating an origin group with two origins. Specify one as the primary origin and the other as the second origin which CloudFront automatically switches to when the primary origin returns specific HTTP status code failure responses.

CloudFront signed URLs and signed cookies provide the same basic functionality: they allow you to control who can access your content. If you want to serve private content through CloudFront and you’re trying to decide whether to use signed URLs or signed cookies, consider the following.

Use signed URLs in the following cases:

  • You want to restrict access to individual files, for example, an installation download for your application.
  • Your users are using a client (for example, a custom HTTP client) that doesn't support cookies.

Use signed cookies in the following cases:

  • You want to provide access to multiple restricted files, for example, all of the files for a video in HLS format or all of the files in the subscribers' area of a website.
  • You don't want to change your current URLs.

If you are not currently using signed URLs, and if your (unsigned) URLs contain any of the following query string parameters, you cannot use either signed URLs or signed cookies:

  • Expires
  • Policy
  • Signature
  • Key-Pair-Id

CloudFront assumes that URLs that contain any of those query string parameters are signed URLs, and therefore won’t look at signed cookies.

DATABASE

Amazon Relational Database Service (RDS)

The recommended storage engine for MySQL is InnoDB

  • Amazon Relational Database Service (Amazon RDS)- optimized for memory, performance or I/O — and provides you with six familiar database engines to choose from, including Amazon Aurora, PostgreSQL, MySQL, MariaDB, Oracle Database, and SQL Server. You can use the AWS Database Migration Service to easily migrate or replicate your existing databases to Amazon RDS.
  • RDS runs on VMs. It’s not serverless.
  • Amazon RDS Multi-AZ deployment, automatically provisions and maintains a synchronous “standby” replica in a different Availability Zone.
  • You can use SSL/TLS to encrypt connections between your client applications and your Amazon RDS DB instances; this is available for all engines, and for Microsoft SQL Server in all AWS regions for all supported editions. Encryption is optional unless you enforce it on the server side (the rds.force_ssl parameter for PostgreSQL and SQL Server, require_secure_transport for MySQL/MariaDB).
  • Enhanced Monitoring — Amazon RDS provides metrics in real time for the operating system (OS) that your DB instance runs on. You can view the metrics for your DB instance using the console, or consume the Enhanced Monitoring JSON output from Amazon CloudWatch Logs in a monitoring system of your choice.

Take note that there are certain differences between CloudWatch and Enhanced Monitoring Metrics. CloudWatch gathers metrics about CPU utilization from the hypervisor for a DB instance, and Enhanced Monitoring gathers its metrics from an agent on the instance. As a result, you might find differences between the measurements, because the hypervisor layer performs a small amount of work.

Amazon RDS Multi-AZ deployments provide enhanced availability and durability for Database (DB) Instances, making them a natural fit for production database workloads. When you provision a Multi-AZ DB Instance, Amazon RDS automatically creates a primary DB Instance and synchronously replicates the data to a standby instance in a different Availability Zone (AZ). Each AZ runs on its own physically distinct, independent infrastructure, and is engineered to be highly reliable.

In case of an infrastructure failure, Amazon RDS performs an automatic failover to the standby (or to a read replica in the case of Amazon Aurora), so that you can resume database operations as soon as the failover is complete. Since the endpoint for your DB Instance remains the same after a failover, your application can resume database operation without the need for manual administrative intervention.

Amazon Aurora

  1. Amazon Aurora is Amazon’s relational database built for the cloud. It supports two open source RDBMS engines: MySQL and PostgreSQL.
  2. By default, the data is replicated across three AZs, with six copies kept in total (two per AZ); a write needs four of the six copies to acknowledge and a read needs three.

Amazon Aurora is a MySQL and PostgreSQL-compatible relational database built for the cloud, that combines the performance and availability of traditional enterprise databases with the simplicity and cost-effectiveness of open source databases. Amazon Aurora is up to five times faster than standard MySQL databases and three times faster than standard PostgreSQL databases.

It provides the security, availability, and reliability of commercial databases at 1/10th the cost. Amazon Aurora is fully managed by Amazon RDS, which automates time-consuming administration tasks like hardware provisioning, database setup, patching, and backups.

Amazon Aurora MySQL and Amazon Aurora PostgreSQL support Amazon Aurora Replicas, which share the same underlying volume as the primary instance. Updates made by the primary are visible to all Amazon Aurora Replicas. With Amazon Aurora MySQL, you can also create MySQL Read Replicas based on MySQL’s binlog-based replication engine. In MySQL Read Replicas, data from your primary instance is replayed on your replica as transactions. For most use cases, including read scaling and high availability, it is recommended using Amazon Aurora Replicas.

Amazon Aurora Serverless is an on-demand, auto-scaling configuration for Amazon Aurora. An Aurora Serverless DB cluster is a DB cluster that automatically starts up, shuts down, and scales up or down its compute capacity based on your application’s needs. Aurora Serverless provides a relatively simple, cost-effective option for infrequent, intermittent, sporadic or unpredictable workloads. It can provide this because it automatically starts up, scales compute capacity to match your application’s usage and shuts down when it’s not in use.

Take note that a non-Serverless DB cluster for Aurora is called a provisioned DB cluster. Aurora Serverless clusters and provisioned clusters both have the same kind of high-capacity, distributed, and highly available storage volume.

When you work with Amazon Aurora without Aurora Serverless (provisioned DB clusters), you can choose your DB instance class size and create Aurora Replicas to increase read throughput. If your workload changes, you can modify the DB instance class size and change the number of Aurora Replicas. This model works well when the database workload is predictable, because you can adjust capacity manually based on the expected workload.

With Aurora Serverless, you can create a database endpoint without specifying the DB instance class size. You set the minimum and maximum capacity. With Aurora Serverless, the database endpoint connects to a proxy fleet that routes the workload to a fleet of resources that are automatically scaled. Because of the proxy fleet, connections are continuous as Aurora Serverless scales the resources automatically based on the min and max capacity specifications. Database client applications don't need to change to use the proxy fleet. Aurora Serverless manages the connections automatically. Scaling is rapid because it uses a pool of "warm" resources that are always ready to service requests. Storage and processing are separate, so you can scale down to zero processing and pay only for storage.

Amazon Aurora typically involves a cluster of DB instances instead of a single instance. Each connection is handled by a specific DB instance. When you connect to an Aurora cluster, the host name and port that you specify point to an intermediate handler called an endpoint. Aurora uses the endpoint mechanism to abstract these connections. Thus, you don’t have to hardcode all the hostnames or write your own logic for load-balancing and rerouting connections when some DB instances aren’t available.

Amazon DynamoDB

  1. Amazon DynamoDB is a fully managed NoSQL database service of AWS.
  2. Data is stored on SSDs and replicated across three AZs in a region. Reads are eventually consistent by default; strongly consistent reads can be requested per call at twice the read capacity cost.

A common pattern is to store the objects themselves (for example images) in S3 and only their metadata in DynamoDB, which is the more efficient store for small, frequently queried records. You can also create secondary indexes (local and global) on DynamoDB tables to query by attributes other than the primary key.

The partition key portion of a table’s primary key determines the logical partitions in which a table’s data is stored. This in turn affects the underlying physical partitions. Provisioned I/O capacity for the table is divided evenly among these physical partitions. Therefore a partition key design that doesn’t distribute I/O requests evenly can create “hot” partitions that result in throttling and use your provisioned I/O capacity inefficiently.

You can store session state data on both DynamoDB and ElastiCache. These AWS services provide high-performance storage of key-value pairs which can be used to build a highly available web application.

Amazon Redshift

  1. DWH (data warehouse): column-oriented, PostgreSQL-based, deployed as a cluster that traditionally lives in a single AZ
  2. Redshift Spectrum is a feature of Amazon Redshift that enables you to run queries against exabytes of structured and semi-structured data in S3 with no loading or ETL required.
  3. Supports cross-region snapshot copy for Redshift clusters (snapshots are stored in S3).

Amazon Elasticache improves the performance of web applications by retrieving information from managed in-memory caches instead of relying entirely on slower disk-based databases. ElastiCache supports two open-source in-memory caching engines: Memcached and Redis (also called “ElastiCache for Redis”)

AWS Schema Conversion Tool (AWS SCT) makes heterogeneous database migrations predictable by automatically converting the source database schema and a majority of the database code objects, including views, stored procedures, and functions, to a format compatible with the target database. Any objects that cannot be automatically converted are clearly marked so that they can be converted manually to complete the migration. SCT can also scan your application source code for embedded SQL statements and convert them as part of a database schema conversion project. During this process, SCT performs cloud-native code optimization by converting legacy Oracle and SQL Server functions to their equivalent AWS service, helping you modernize the application at the same time as the database migration. Once schema conversion is complete, the data itself is moved with SCT's data extraction agents (for data warehouse migrations to Amazon Redshift) or with AWS Database Migration Service (DMS).

Amazon Athena is an interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL. Athena is serverless, so there is no infrastructure to manage, and you pay only for the queries that you run.

Athena is out-of-the-box integrated with AWS Glue Data Catalog, allowing you to create a unified metadata repository across various services, crawl data sources to discover schemas and populate your Catalog with new and modified table and partition definitions, and maintain schema versioning.

Amazon EMR provides a managed Hadoop framework that makes it easy, fast, and cost-effective to process vast amounts of data across dynamically scalable Amazon EC2 instances. It also runs Apache Spark, Apache Hive, Apache HBase, Apache Flink, Apache Hudi, and Presto.

Amazon Elasticsearch Service (now Amazon OpenSearch Service) makes it easy to deploy, secure, operate, and scale Elasticsearch/OpenSearch clusters to search, analyze, and visualize data in real time.

Amazon Kinesis makes it easy to collect, process, and analyze real-time, streaming data so you can get timely insights and react quickly to new information.

  • The family comprises Kinesis Data Streams, Kinesis Data Firehose, Kinesis Data Analytics, and Kinesis Video Streams

Amazon Kinesis Data Streams is a massively scalable and durable real-time data streaming service that enables you to build custom applications that process or analyze streaming data for specialized needs. You can continuously add various types of data such as clickstreams, application logs, and social media to an Amazon Kinesis data stream from hundreds of thousands of sources. Within seconds, the data is available for your Kinesis applications to read and process from the stream. Amazon Kinesis Data Streams supports resharding, which lets you adjust the number of shards in your stream to adapt to changes in the rate of data flow through the stream. Resharding is considered an advanced operation. There are two types of resharding operations: shard split and shard merge. In a shard split, you divide a single shard into two shards. In a shard merge, you combine two shards into a single shard.

AWS CloudTrail is a web service that records API calls made in your account (including console sign-ins) and delivers log files to your Amazon S3 bucket, typically every 5 minutes.

A trail is a configuration that enables delivery of events to an Amazon S3 bucket that you specify; a multi-region trail covers every region, and an organization trail covers every account in AWS Organizations. You can also deliver and analyze events in a trail with Amazon CloudWatch Logs and Amazon CloudWatch Events (now EventBridge). You can create a trail with the CloudTrail console, the AWS CLI, or the CloudTrail API. There are two types of events that can be logged in CloudTrail: management events (control-plane calls such as creating an instance) and data events (high-volume resource operations such as S3 object reads and Lambda invocations). By default, trails log management events but not data events. If the trail is to serve as evidence, enable log file integrity validation (signed digest files) and deliver it to a bucket in a separate, locked-down account so that a compromised account cannot edit its own history.
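As an added example (constructed records, not real trail output, and not code from the original notes), here is the kind of first-pass detection that runs over a delivered CloudTrail log file: parse the Records array, flag the events a responder cares about most (someone stopping or deleting a trail, failed console sign-ins, any use of the root account, and IAM credential changes), and separate management events from data events using the managementEvent field. The event names in the two sets are real CloudTrail event names; the account ID, IPs and principals are placeholders.

```python
"""Detection pass over CloudTrail records (added example; records are constructed)."""
import json
from typing import Dict, List

# Constructed log file, in the shape of a delivered CloudTrail .json.gz after decompression.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2023-03-31T10:01:12Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "111122223333"},
     "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication",
     "managementEvent": True, "readOnly": False},
    {"eventTime": "2023-03-31T10:01:40Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "111122223333"},
     "responseElements": {"ConsoleLogin": "Success"}, "managementEvent": True, "readOnly": False},
    {"eventTime": "2023-03-31T10:07:45Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "bob", "accountId": "111122223333"},
     "requestParameters": {"name": "org-trail"}, "managementEvent": True, "readOnly": False},
    {"eventTime": "2023-03-31T10:09:02Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.50",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root", "accountId": "111122223333"},
     "requestParameters": {"userName": "deploy"}, "managementEvent": True, "readOnly": False},
    {"eventTime": "2023-03-31T10:10:30Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "awsRegion": "us-east-1", "sourceIPAddress": "10.0.1.15",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/app/i-0abc",
                      "accountId": "111122223333"},
     "requestParameters": {"bucketName": "app-data", "key": "reports/q1.csv"},
     "managementEvent": False, "readOnly": True},
    {"eventTime": "2023-03-31T10:11:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "111122223333"},
     "managementEvent": True, "readOnly": True},
]})

# Real CloudTrail event names an attacker uses to blind logging or to mint durable credentials.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
IAM_CREDENTIAL_CHANGES = {"CreateAccessKey", "CreateLoginProfile", "UpdateLoginProfile",
                          "AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy", "CreateUser"}


def actor(record: Dict) -> str:
    ident = record.get("userIdentity", {})
    if ident.get("type") == "Root":
        return "root"
    return ident.get("userName") or ident.get("arn", "unknown")


def detect(records: List[Dict]) -> List[Dict[str, str]]:
    """Return one finding per (rule, record) match; a record can trigger several rules."""
    findings: List[Dict[str, str]] = []

    def flag(rule: str, r: Dict) -> None:
        findings.append({"rule": rule, "event": r["eventName"], "actor": actor(r),
                         "ip": r.get("sourceIPAddress", "?"), "time": r["eventTime"]})

    for r in records:
        name, source = r.get("eventName", ""), r.get("eventSource", "")
        if source == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
            flag("cloudtrail-tampering", r)
        if name == "ConsoleLogin" and r.get("responseElements", {}).get("ConsoleLogin") == "Failure":
            flag("console-login-failure", r)
        if r.get("userIdentity", {}).get("type") == "Root":
            flag("root-activity", r)
        if source == "iam.amazonaws.com" and name in IAM_CREDENTIAL_CHANGES:
            flag("iam-credential-change", r)
    return findings


def classify(records: List[Dict]) -> Dict[str, int]:
    """Management vs data events, as CloudTrail labels them (trails log only management events by default)."""
    counts = {"management": 0, "data": 0}
    for r in records:
        counts["management" if r.get("managementEvent", True) else "data"] += 1
    return counts


def load_records(text: str) -> List[Dict]:
    return json.loads(text)["Records"]


def run_demo():
    records = load_records(SAMPLE_LOG)
    return detect(records), classify(records)


if __name__ == "__main__":
    findings, counts = run_demo()
    for f in findings:
        print(f"{f['time']} {f['rule']:24} {f['event']:16} by {f['actor']} from {f['ip']}")
    print(counts)
```

The GetObject record is the only data event in the sample and would not appear in a default trail at all, which is the practical point of the management/data distinction: if you need to know who read which object, you have to turn data events on (and pay for the volume).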

AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and control KMS keys (formerly called customer master keys, CMKs), the keys used to protect your data. KMS keys are protected by FIPS 140-2 validated hardware security modules (HSMs) and never leave KMS unencrypted; services and applications encrypt data with data keys that KMS generates and wraps under a KMS key (envelope encryption), and every use of a key is recorded in CloudTrail.

MANAGEMENT TOOLS

AWS CloudFormation

IaC, Infrastructure as Code. The artifacts are called templates (JSON or YAML); a deployed template is a stack.

AWS Service Catalog

Manage a catalog of approved products (typically CloudFormation templates) that end users can provision without broader permissions. Used by enterprises to standardize and govern what gets deployed.

Amazon CloudWatch

  1. Used for monitoring: metrics, logs (CloudWatch Logs) and events
  2. Can create alarms on any metric, and dashboards to visualize them
  3. Standard (basic) monitoring for EC2 reports every 5 minutes at no charge
  4. Detailed monitoring reports every 1 minute (extra charge)
  5. Memory and disk-space usage are not visible to the hypervisor, so they require the CloudWatch agent publishing custom metrics

DEVELOPER TOOLS

AWS CodeCommit

AWS CodeCommit is a fully managed source control service that makes it easy to host highly scalable private Git repositories securely.

AWS CodePipeline

AWS CodePipeline builds, tests, and deploys code every time the code is modified, updated, and checked in based on the release process models you define.

AWS CodeBuild

Fully managed build service that compiles source code, runs tests, and produces software packages that are ready to deploy.

AWS CodeDeploy

Automates code deployments

MESSAGING

Amazon Simple Queue Service (SQS)

  1. SQS is always pull based, not push based: consumers poll the queue (use long polling to reduce empty receives)
  2. Messages are up to 256 KB; payloads up to 2 GB can be handled with the Extended Client Library, which stores the body in S3
  3. Visibility timeout (default 30 seconds, maximum 12 hours) hides a message from other consumers while one is processing it; a dead-letter queue catches messages that fail repeatedly
  4. Amazon SQS supports both standard and FIFO queues.

Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. SQS eliminates the complexity and overhead associated with managing and operating message-oriented middleware, and empowers developers to focus on differentiating work. Using SQS, you can send, store, and receive messages between software components at any volume, without losing messages or requiring other services to be available. Get started with SQS in minutes using the AWS console, Command Line Interface or SDK of your choice, and three simple commands.

SQS offers two types of message queues. Standard queues offer maximum throughput, best-effort ordering, and at-least-once delivery. SQS FIFO queues are designed to guarantee that messages are processed exactly once, in the exact order that they are sent.

Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.

The A2A pub/sub functionality provides topics for high-throughput, push-based, many-to-many messaging between distributed systems, microservices and event-driven serverless applications. Using SNS topics, publishers can fan out a message to many subscribers, including SQS queues, Lambda functions, HTTPS endpoints and Kinesis Data Firehose delivery streams, for parallel processing. The A2P functionality sends messages to users at scale via SMS, mobile push and email. An HTTPS subscriber should verify the signature SNS attaches to every delivered message before acting on it, and an SQS subscriber needs a queue policy that allows sns.amazonaws.com to send to it.

Amazon Simple Email Service (SES) is a cost-effective, flexible, and scalable email service that enables developers to send mail from within any application. You can configure Amazon SES quickly to support several email use cases, including transactional, marketing, or mass email communications.

Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS. Amazon MQ reduces your operational responsibilities by managing the provisioning, setup, and maintenance of message brokers for you. Because Amazon MQ connects to your current applications with industry-standard APIs and protocols, you can easily migrate to AWS without having to rewrite code.

AWS Directory Service provides multiple ways to use Microsoft Active Directory (AD) with other AWS services. Directories store information about users, groups, and devices, and administrators use them to manage access to information and resources. AWS Directory Service provides multiple directory choices for customers who want to use existing Microsoft AD or Lightweight Directory Access Protocol (LDAP)–aware applications in the cloud. It also offers those same choices to developers who need a directory to manage users, groups, devices, and access.

AD Connector is a directory gateway with which you can redirect directory requests to your on-premises Microsoft Active Directory without caching any information in the cloud. AD Connector comes in two sizes, small and large. You can spread application loads across multiple AD Connectors to scale to your performance needs. There are no enforced user or connection limits.

If a company already runs a corporate Active Directory, AD Connector is usually the easiest integration: it is deployed into your VPC, proxies authentication to the on-premises domain controllers over a VPN or Direct Connect link and stores no credentials in AWS. Since roles are already assigned through AD groups, reuse that structure with IAM roles: once AD Connector is set up, AWS Directory Service lets you assign an IAM role to AD users or groups, who then get federated access to the AWS Management Console with that role's permissions.

Amazon FSx for Windows File Server provides fully managed Microsoft Windows file servers, backed by a fully native Windows file system. Amazon FSx for Windows File Server has the features, performance, and compatibility to easily lift and shift enterprise applications to the AWS Cloud. It is accessible from Windows, Linux, and macOS compute instances and devices. Thousands of compute instances and devices can access a file system concurrently.

Amazon FSx for Lustre makes it easy and cost-effective to launch and run the popular, high-performance Lustre file system. You use Lustre for workloads where speed matters, such as machine learning, high performance computing (HPC), video processing, and financial modeling.

The open-source Lustre file system is designed for applications that require fast storage — where you want your storage to keep up with your compute. Lustre was built to solve the problem of quickly and cheaply processing the world’s ever-growing datasets. It’s a widely used file system designed for the fastest computers in the world.

APPLICATION SERVICES

Amazon API Gateway is a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale. … Using API Gateway, you can create RESTful APIs and WebSocket APIs that enable real-time two-way communication applications.

Amazon API Gateway provides throttling at multiple levels, including account-wide, per stage and per method, and per client through usage plans with API keys. Throttling limits are set as a steady-state rate and a burst. For example, API owners can set a rate limit of 1,000 requests per second for a specific method in their REST APIs, and also configure API Gateway to absorb a burst of 2,000 requests for a short period. Throttled requests receive HTTP 429 Too Many Requests. By default, each account is limited per Region to 10,000 requests per second with a burst of 5,000 across all its APIs. Note that API keys only identify a client for throttling and metering; authentication belongs to IAM, Cognito or a Lambda authorizer.
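API Gateway implements these limits with a token bucket: the burst is the bucket's capacity and the rate is its refill speed. The following is an added illustration with the numbers quoted above (rate 1,000 requests per second, burst 2,000); it is not the gateway's own code and not from the original notes, and the arrival timestamps are constructed traffic.

```python
class TokenBucket:
    """Steady-state `rate` tokens per second, capacity `burst`; a request costs one token."""

    def __init__(self, rate, burst):
        self.rate = float(rate)
        self.burst = float(burst)
        self.tokens = float(burst)   # a fresh bucket is full, so the whole burst is available at once
        self.last = 0.0              # time of the previous refill, in seconds

    def allow(self, now):
        """Refill for the time elapsed since the last call, then spend a token if one is left."""
        elapsed = max(0.0, now - self.last)
        self.last = max(self.last, now)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False                 # the gateway answers 429 Too Many Requests


def simulate(rate, burst, arrivals):
    """Run sorted arrival timestamps (seconds) through one bucket; returns (accepted, throttled)."""
    bucket = TokenBucket(rate, burst)
    accepted = sum(bucket.allow(t) for t in arrivals)
    return accepted, len(arrivals) - accepted


def flood_then_pause():
    """Constructed traffic: 2,500 requests at t=0, then 600 more half a second later."""
    return simulate(rate=1000, burst=2000, arrivals=[0.0] * 2500 + [0.5] * 600)


def steady_state():
    """Constructed traffic: 3,000 requests evenly spaced at exactly the rate limit."""
    return simulate(rate=1000, burst=2000, arrivals=[i / 1000 for i in range(3000)])
```

In the flood, the first 2,000 requests drain the bucket and the remaining 500 are throttled; half a second later only 500 tokens have been refilled, so 100 of the next 600 are throttled as well. Traffic that never exceeds the rate is never throttled. A throttle like this limits the blast radius of a misbehaving client or a volumetric attack on the backend, but it is not a substitute for authentication or for AWS WAF rules in front of the API.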

API Gateway handles all the tasks involved in accepting and processing up to hundreds of thousands of concurrent API calls, including traffic management, CORS support, authorization and access control, throttling, monitoring, and API version management. API Gateway has no minimum fees or startup costs. You pay for the API calls you receive and the amount of data transferred out and, with the API Gateway tiered pricing model, you can reduce your cost as your API usage scales.

Amazon Simple Workflow Service (SWF) is a web service that makes it easy to coordinate work across distributed application components. … Tasks represent invocations of various processing steps in an application which can be performed by executable code, web service calls, human actions, and scripts. AWS recommends Step Functions for new applications; SWF is only the right answer where an existing SWF workflow must be kept.

AWS Step Functions is a low-code visual workflow service used to orchestrate AWS services, automate business processes, and build serverless applications. Workflows manage failures, retries, parallelization, service integrations, and observability so developers can focus on higher-value business logic.
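The failure handling is declared per Task state in Amazon States Language with Retry (ErrorEquals, IntervalSeconds, MaxAttempts, BackoffRate) and Catch (ErrorEquals, Next) blocks. The following is an added illustration, not the Step Functions service and not code from the original notes: a small evaluator that applies those rules to a task, recording the back-off waits instead of sleeping. The `flaky_task`, the error name "PermissionDenied" and the state name "NotifyFailure" are constructed for the example; "States.TaskFailed" and "States.ALL" are the real predefined error names.

```python
STATES_ALL = "States.ALL"   # wildcard that matches any error name


class TaskError(Exception):
    """Error raised by a task; `name` is what ErrorEquals is matched against."""

    def __init__(self, name, cause=""):
        super().__init__(f"{name}: {cause}")
        self.name = name


def _first_match(rules, error_name):
    """Return (index, rule) of the first rule whose ErrorEquals covers error_name."""
    for idx, rule in enumerate(rules):
        if STATES_ALL in rule["ErrorEquals"] or error_name in rule["ErrorEquals"]:
            return idx, rule
    return None, None


def run_task_with_retry(task, retriers=(), catchers=()):
    """Invoke task() under a Task state's Retry and Catch rules.

    Returns (outcome, waits): outcome is the task result, or the Catch target's
    Next state name; waits lists the back-off delays in seconds. Raises the final
    error when nothing matches, as Step Functions then fails the execution.
    """
    used = {}       # retrier index -> retries consumed so far
    waits = []
    while True:
        try:
            return task(), waits
        except TaskError as err:
            idx, retrier = _first_match(retriers, err.name)
            if retrier is not None:
                # ASL defaults: IntervalSeconds 1, MaxAttempts 3, BackoffRate 2.0
                interval = retrier.get("IntervalSeconds", 1)
                max_attempts = retrier.get("MaxAttempts", 3)
                backoff = retrier.get("BackoffRate", 2.0)
                n = used.get(idx, 0)
                if n < max_attempts:
                    used[idx] = n + 1
                    waits.append(interval * backoff ** n)   # 2, 4, 8, ... for this RETRY
                    continue                                 # re-run the task
            _, catcher = _first_match(catchers, err.name)
            if catcher is not None:
                return catcher["Next"], waits
            raise


def flaky_task(failures, error_name="States.TaskFailed"):
    """Constructed task that raises `failures` times, then returns 'ok'."""
    remaining = [failures]

    def task():
        if remaining[0] > 0:
            remaining[0] -= 1
            raise TaskError(error_name, "transient backend error")
        return "ok"

    return task


# The Retry/Catch blocks exactly as they would appear in a Task state definition.
RETRY = [{"ErrorEquals": ["States.TaskFailed"], "IntervalSeconds": 2,
          "MaxAttempts": 3, "BackoffRate": 2.0}]
CATCH = [{"ErrorEquals": ["States.ALL"], "Next": "NotifyFailure"}]
```

Two points worth noticing: a retried task is simply invoked again, so anything it does must be idempotent (the same concern as SQS redelivery), and a Catch on States.ALL should route the error somewhere visible (keep it in the output with ResultPath) rather than quietly swallowing it. Errors with no matching retrier, here "PermissionDenied", skip the back-off and go straight to Catch.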

Amazon Elastic Transcoder is media transcoding in the cloud. It is designed to be a highly scalable, easy to use and a cost effective way for developers and businesses to convert (or “transcode”) media files from their source format into versions that will playback on devices like smartphones, tablets and PCs.

Amazon CloudSearch is a managed service in the AWS Cloud that makes it simple and cost-effective to set up, manage, and scale a search solution for your website or application.

ACCOUNT SERVICES

AWS Organizations helps you centrally manage and govern your environment as you grow and scale your AWS resources. Using AWS Organizations, you can programmatically create new AWS accounts and allocate resources, group accounts to organize your workflows, apply policies to accounts or groups for governance, and simplify billing by using a single payment method for all of your accounts.

In addition, AWS Organizations is integrated with other AWS services so you can define central configurations, security mechanisms, audit requirements, and resource sharing across accounts in your organization. Service control policies (SCPs) set the maximum permissions available in member accounts: they never grant access on their own, an SCP deny overrides any allow in the account's IAM policies, and they do not apply to the management account. AWS Organizations is available to all AWS customers at no additional charge.
