Professional Documents
Culture Documents
AWS Certified Cloud Practitioner Slides
AWS Certified Cloud Practitioner Slides
Neal Davis
Recommended knowledge:
• At least 6 months experience with AWS Cloud in
any role including technical, managerial, sales,
purchasing or financial
• No experience necessary for this course!
Question format:
• Multiple-choice: Has one correct response and
three incorrect responses
• Multiple-response: Has two or more correct
responses out of five or more options
Domain % of Exam
TOTAL 100%
Unique email address for this account Check if you can use a
dynamic alias with an
john@gmail.com existing email address
john+ACCOUNT-ALIAS-1@gmail.com
john+ACCOUNT-ALIAS-2@gmail.com
AWS account name / alias
Corporate
data center
The IT equipment
is owned by the
company
A company typically
leases space in a data
center, or may own the
whole building
Router Switch Firewall
Backup System
Corporate
data center
Corporate Office
Corporate
data center
Costs:
• Data center building
• Data center security
• Physical IT hardware
• Software licensing costs
Servers Storage Servers • Maintenance contracts
• Power
• Internet connectivity
• Staff wages (design, build,
operations, maintenance)
Gmail Dropbox
The Internet
Rapid Measured
Salesforce.com
Amazon Web Services
elasticity service
3-6 months
AWS Cloud
Customers
Corporate Office
Website Database
Admin
The Internet
Java WebApp
Hypervisor
Server
Examples:
Java WebApp ➢ Amazon Elastic Compute Cloud (EC2)
➢ Azure Virtual Machines
Data ➢ Google Compute Engine
Managed
by you
Java Runtime
Linux OS
Examples:
Java WebApp ➢ AWS Elastic Beanstalk
Managed ➢ Azure WebApps
by you ➢ Compute App Engine
Data
Managed Examples:
Java WebApp ➢ Google Apps
by you
➢ Salesforce.com
➢ Zoom
Pure consumption
model
Data center
Benefits
➢ Complete control of the
entire stack
➢ Security – in a few
cases, organizations
may need to keep all or
some of their
Network & Firewall Virtualization Cluster Storage & Backup applications and data in
house
Benefits:
➢ Variable expense, instead of capital expense
Public Cloud
➢ Economies of scale
➢ Massive elasticity AWS Cloud
Corporate Office
Compute
Storage
Network Database
Internet
Data center
Internet
Public Cloud
Private Cloud
The Internet
Public Cloud
Private Cloud
Organization
© Digital Cloud Training | https://digitalcloud.training
Overview of Amazon Web
Services (AWS)
Infrastructure is
Sales sitting idle here:
Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec
Subsidiary
Charge for of Amazon Hyperscale
services based Public Cloud
on usage Provider
Machine Learning
Compute
Media Services
Storage
Networking
Many more categories
Database and over 200 services!
End User Computing
Quantity of data
that is
transferred out
from all services
Quantity of data
Amount of resources stored
such as CPU and
RAM and duration
Region – eu-west-1
Availability Zone
AWS Local
Corporate data center Zone
VPC
AWS Outposts Availability Zone
Subnet
Outpost subnet
Instances
VPC
Low latency
Subnet Servers
5G
© Digital Cloud Training | https://digitalcloud.training
AWS Global Infrastructure
Region
Availability Zone
Public subnet Private subnet
Redundant
Redundant Power
Networking Sources
Region Global
Users
CloudFront Origins
Edge location
Edge location
Global
Users
Region – eu-west-1
Region – us-west-1
Region – ap-
southeast-2
Auto Scaling
Staff training Data encryption IAM User Network ACL SSL encryption Elastic load
EC2 Instance balancer
AWS RESPONSIBILITY
Server
Network router Disk drive
Client Builder
Electrician
Web Site
HTTP Protocol
API
Client RESTful API Application
Instructions are sent to
the API using the HTTP
protocol
Database
User searches
for flights
Fight aggregator
makes API calls to
airlines to find tickets
A web-based console
accessed through a
standard web browser
aws s3 ls s3://mys3databucket
Availability Zone
Private services can
Public subnet
Amazon DynamoDB Amazon S3 have public IP
addresses but exist
within the VPC
Public services have EC2 Instance Amazon RDS
public IP addresses /
endpoints
Private subnet
Internet
Public Internet gateway
CAPEX OPEX
What
thought you
Wasted
needed
resources
What you
really needed
Data Center
Innovation
Management
RunInstances
User Role Federated Application
AWS IAM User Actions are
EC2
authorized
A principal is a person or application that on AWS
can make a request for an action or GetBucket resources
Console
operation on an AWS resource
S3
CLI
CreateUser
AWS determines whether Identity- Resource-
to authorize the request based policy based policy
API IAM
(allow/deny)
API
Access keys are used for
programmatic access
AWS Account
User
Identity-based policies
can be applied to users,
groups, and roles
Authentication via
username/password for console
or access keys for API/CLI
© Digital Cloud Training | https://digitalcloud.training
IAM Groups
Groups are
collections of users.
Users can be The main reason to
members of up to use groups is to
10 groups apply permissions to
users using policies
© Digital Cloud Training | https://digitalcloud.training
IAM Roles An IAM role is an IAM identity that
that has specific permissions
AWS Account
sts:AssumeRole
IAM Role
All permissions
are implicitly
AdministratorAccess denied by
default
Identity-based policies
can be applied to users,
groups, and roles Resource-based
User Group Role policies apply to
resources such as
S3 buckets or
DynamoDB tables
Bucket Policy
S3 Bucket
© Digital Cloud Training | https://digitalcloud.training
Setup Individual User
Account
API
Access keys are used for
programmatic access
EJPx!*21p9%
Password
IAM User
Physical MFA
EJPx!*21p9%
Password
Dev
Test
Dev users can only
launch T2.micro
instances
Random Access
Memory (RAM) Measurements:
Processor (CPU) Memory (RAM)
• CPU is measured in Gigahertz
(Ghz)
• RAM is measured in Gigabyte (GB)
• HDD is measured in Gigabyte (GB)
Files/data are loaded • NIC is measured in Megabits per
into memory second (Mbps) or Gigabits per
second (Gbps)
Network
Switch/Router
Network
Data is persistent Interface Card
(NIC) Internet
Network
Switch/Router
Network
Interface Card
(NIC) Internet
Desktop
Server
Laptop
Server Hardware Build:
• Hardware is more specialized
• Much higher prices compared
to desktops / laptops Servers can be used by
• Includes redundancy many users over a network
File Server
Email Server
© Digital Cloud Training | https://digitalcloud.training
Server Virtualization
Limitations:
➢ OS is tied to hardware (no portability)
➢ Hardware resources may be underutilized
Application Website
Hardware
Server
Website
Windows OS
Many VMs can run on
the same physical
hardware
This is known as a Website
virtual server, virtual
machine, or instance
Windows OS
Virtual hardware is
presented to the OS
Hypervisor
The hypervisor creates
a layer of abstraction
Server
© Digital Cloud Training | https://digitalcloud.training
Server Virtualization
Hypervisor
Server
© Digital Cloud Training | https://digitalcloud.training
Server Virtualization
Website
Windows OS
Hypervisor Hypervisor
Server Server
Website
Windows OS
Hypervisor Hypervisor
Server Server
Customized AMI
© Digital Cloud Training | https://digitalcloud.training
Benefits of Amazon EC2
• Elastic computing – easily launch hundreds to thousands of
EC2 instances within minutes
• Complete control – you control the EC2 instances with full
root/administrative access
• Flexible – Choice of instance types, operating systems, and
software packages
• Reliable – EC2 offers very high levels of availability and
instances can be rapidly commissioned and replaced
• Secure – Fully integrated with Amazon VPC and security
features
• Inexpensive – Low cost, pay for what you use
Public subnet
Security group
AWS Management
Console EC2 Instance Internet Gateway
EBS Volume
Admin
Data is stored on an EBS
volume (virtual hard drive) A Security Group controls
inbound and outbound traffic Admin connects to EC2
Instance over the Internet
All operating systems Windows only All operating systems All operating systems
Uses instance key pair Requires RDP client Temporary key pair IAM access control
Port 22 must be open Port 3389 must be open Port 22 must be open No ports must be open
Anyone with key pair Need user name and IAM access control via IAM access control via
can access instance password to login policy policy
Limited to
16 KB
EC2 Instance with a
web service is
EC2 Instance
launched
Public subnet
AWS CLI configured
with access keys
Private subnet
IAM Role
S3 Bucket EC2 Instance
Private subnet
Policy
The policy determines
the access permissions
Website
Windows OS
Docker Engine
Hypervisor Windows OS
Server Server
Windows OS
Server
Order Account
Service Management
Payment Shipping
Service Service
Database
Shipping
Microservice
Order
Microservice
Docker Engine
Linux OS
Server
Task Definition
Auto Scaling group
{
"containerDefinitions": [
{ ECS Container ECS Container Amazon Elastic Container
"name": "wordpress",
"links": [ instance instance Registry
"mysql"
],
"image": "wordpress",
"essential": true,
Registry
"portMappings": [
{
"containerPort": 80,
Task Task Task Task
"hostPort": 80
}
],
"memory": 500, An ECS Task is a
"cpu": 10
running Docker Image Image
}
Docker images can be
container
stored in Amazon ECR
Disk Management
The Operating System
C:Volume D: (OS) can be used to
8001000
GB GB200 GB create volumes. A
Hard drives are volume can be partitioned
block-based and formatted
storage systems
The N S “shares”
filesystems over the
network
NIC
Network Switch Network Attached
Storage Server (NAS)
There is no hierarchy of
User uploads objects objects in the container
using a web browser
Object Storage
Container
Uses a REST
API
The OS reads/writes at A filesystem is
the block level. Disks “mounted” to the OS
can be internal, or using a network share
network attached
EC2 instances
must be in the
same AZ as the
EC2 Instance EC2 Instance EBS volume EC2 Instance
Volume
EC2 Instance
Snapshot taken to Snap A Snap B Snap C
capture a point-in-time
state of an instance Snapshots are
Availability Zone B incremental
Volume
EC2 Instance
A snapshot can
be used to create
You can create an EBS AMI
an AMI
volume in another AZ
from a snapshot
EBS Volume
EBS Volume
• One or more EBS snapshots, or, for instance-store-backed AMIs, a template for the root volume of
the instance
• Launch permissions that control which AWS accounts can use the AMI to launch instances
• A block device mapping that specifies the volumes to attach to the instance when it's launched
• Community AMIs - free to use, generally you just select the operating system you want
• AWS Marketplace AMIs - pay to use, generally come packaged with additional, licensed software
Object
Internet EC2 Instance
An objects consists of: gateway
• Key (name of objects) Public Internet
• Version ID Private subnet
Requester Pays The requester rather than the bucket owner pays for
requests and data transfer
Static Web Hosting Simple and massively scalable static website hosting
Versioning and Replication Retain versions of objects and replicate objects within
and across AWS Regions
Durability Availability
Durability is protection Availability is a measurement
against: of:
• Data loss • The amount of time the
• Data corruption data is available to you
• S3 offers 11 9s durability • Expressed as a percent of
(99.999999999) time per year
• E.g. 99.99%
If you store 10 million objects, then
you expect to lose one object every
10,000 years!
Bucket Bucket
Region
Same-Region Replication (SRR)
Bucket Bucket
https://docs.aws.amazon.com/AmazonS3/latest/userguide/lifecycle-transition-
general-considerations.html
© Digital Cloud Training | https://digitalcloud.training
Configure Replication and
Lifecycle
Availability Zone
Public subnet AWS Managed
Microsoft AD
EC2 Instance
(Windows)
VPC
Availability Zone
Public subnet Use for cloud bursting
and data migration Corporate data center
Availability Zone
Public subnet
CC E
Server S3 Standard
File Gateway Can store data in
multiple S3
storage classes
CC E
S3 Standard IA
Server Volume Gateway
S3 One Zone IA
Backup Server Backup Gateway Application servers mount
using block or file protocols
mycompany.local A 192.168.0.1
emailserver.local A 192.168.0.2
DNS Server
Computer connects to
Web Server
192.168.0.1
© Digital Cloud Training | https://digitalcloud.training
Amazon Route 53
Amazon Route 53
A hosted zone represents a
set of records belonging to a
domain
What’s the IP address
for example.com? example.com
Region
VPC
Address is 8.1.2.1
Availability Zone
Public subnet
Amazon Route 53
.net example.com
.com dctlabs.com
.org
EC2 Instances
Application
Windows OS
Windows OS
Scaling up means
adding resources
to the instance
Application Application
Scaling out provides
greater resiliency
Windows OS Windows OS
c5.xlarge, 4
vCPU, 8 GB
RAM
t2.micro, 1
vCPU, 1 GB
RAM
CloudWatch
ASG replaces notifies Auto
failed instance Scaling to scale
Metric reports
CPU > 80% Metrics Metrics
Amazon CloudWatch
Web Server 1
User 1
Network Card
Web Server 1
User 1
Web Server 2
Web Server 3
User 3
Web Server 4
© Digital Cloud Training | https://digitalcloud.training
High Availability and Fault Tolerance
Cloud
Availability Zone
Web Server 5
Web Server 3
User 3
Web Server 4
© Digital Cloud Training | https://digitalcloud.training
High Availability and Fault Tolerance
Cloud
Availability Zone
Web Server 1
User 1
Web Server 5
User 2
Load Balancer
User 3
Instance 2
Auto Scaling
Availability Zone User 2
Elastic Load Balancer
Public subnet
Instance 3 User 3
User 1 is connected
to instance 4
Instance 4
Instance 2
Auto Scaling User 2
Availability Zone
Elastic Load Balancer
Public subnet
User 3
Instance 3
Instance 4 User 4
Application Services
A notification is sent
using SNS and email
User uploads a
Serverless function
file through a
processes file SNS Topic
static website
Function processes
the message and
stores information in
S3 Static Website Lambda Function SQS Queue Lambda Function a database
Processed file is
stored in a bucket
Code is executed
Developer uploads
some code
Lambda function
SQS Queue
PUBLISHERS SUBSCRIBERS
SNS Topic
Amazon CloudWatch
Email / SMS
SNS Topic
Check Yes/No
Create something
Wait
Send notification
Completed?
Check result
• You can quickly build and run state machines to execute the
steps of your application in a reliable and scalable fashion
Simple Queue Service Messaging queue; store and forward Building distributed / decoupled applications
patterns
Simple Notification Service Set up, operate, and send notifications Send email notification when CloudWatch alarm is
from the cloud triggered
Step Functions Out-of-the-box coordination of AWS Order processing workflow
service components with visual
workflow
Simple Workflow Service Need to support external processes or Human-enabled workflows like an order fulfilment
specialized execution logic system or for procedural requests
Check Yes/No
Create something
Wait
Send notification
Completed?
Check result
• You can quickly build and run state machines to execute the steps of your application
How it works:
1. Define the steps of your workflow in the JSON-based Amazon States Language.
The visual console automatically graphs each step in the order of execution
2. Start an execution to visualize and verify the steps of your application are
operating as intended. The console highlights the real-time status of each step
and provides a detailed history of every execution
3. AWS Step Functions operates and scales the steps of your application and
underlying compute for you to help ensure your application executes reliably
under increasing demand
EventBridge
event bus
Event Target
Amazon CloudWatch
Event is written to
CloudWatch Logs
Submit notification
to SNS Topic
User
Private subnet
Website
EC2 Instance
an API that acts as a “front
door” for applications to Any other AWS service
access data, business logic, or
functionality from your back-
end services
VPC
Main Route Table
Subnets are
Availability Zone Destination Target
created
Public subnet
within AZs 10.0.0.0/16 Local
0.0.0.0/0 igw-id
EC2 Instance
VPC VPC
CIDR 10.0.0.0/16 CIDR 10.1.0.0/16
Subnet A segment of a VPC’s IP address range where you can place groups of isolated resources
Internet Gateway/Egress- The Amazon VPC side of a connection to the public Internet for IPv4/IPv6
only Internet Gateway
Router Routers interconnect subnets and direct traffic between Internet gateways, virtual private gateways,
NAT gateways, and subnets
Peering Connection Direct connection between two VPCs
VPC Endpoints Private connection to public AWS services
NAT Instance Enables Internet access for EC2 instances in private subnets managed by you)
NAT Gateway Enables Internet access for EC2 instances in private subnets (managed by AWS)
Virtual Private Gateway The Amazon VPC side of a Virtual Private Network (VPN) connection
Customer Gateway Customer side of a VPN connection
AWS Direct Connect High speed, high bandwidth, private network connection from customer to aws
Security Group Instance-level firewall
Network ACL Subnet-level firewall
• When you create a VPC, you must specify a range of IPv4 addresses
for the VPC in the form of a Classless Inter-Domain Routing (CIDR)
block; for example, 10.0.0.0/16
• A VPC spans all the Availability Zones in the region
• You have full control over who has access to the AWS resources
inside your VPC
• By default you can create up to 5 VPCs per region
• A default VPC is created in each region with a subnet in each AZ
Region
Availability Zone
Internet
Private Route table Main Route table Private Route Table
Private subnet Public subnet gateway
10.0.4.0/24 10.0.2.0/24 Destination Target
10.0.0.0/16 Local
Availability Zone
Availability Zone
Router
Private subnet Public subnet
Security Security NACLs apply only to
Group B Group A
traffic entering /
Security
Group A exiting the subnet
Network ACL Network ACL
Security Groups
apply at the
Instance level
© Digital Cloud Training | https://digitalcloud.training
Security Group Rules
Separate rules
are defined for
outbound traffic
A source can be an IP
address or security
group ID
© Digital Cloud Training | https://digitalcloud.training
Network ACLs
Inbound Rules
No charge
Region
The NAT gateway is created
VPC in the public subnet Main Route Table
Availability Zone Destination Target
Public subnet 10.0.0.0/16 Local
NAT gateway Elastic-IP
0.0.0.0/0 igw-id
Private-IP
Region
VPC
Main Route Table
Availability Zone Destination Target
Public subnet 10.0.0.0/16 Local
NAT Instance Elastic-IP
0.0.0.0/0 igw-id
Private-IP
Region
VPC
Main Route Table
Availability Zone Destination Target
Public subnet 10.0.0.0/16 Local
NAT gateway Elastic-IP
0.0.0.0/0 igw-id
Private-IP
VPCs can be in
different accounts
and Regions
VPC C VPC D
10.3.0.0/16 10.4.0.0/16
VPC Peering
connections are
NOT transitive –
full mesh required
© Digital Cloud Training | https://digitalcloud.training
Amazon VPN and AWS Direct
Connect
VPC
CIDR: 10.0.0.0/16
Public subnet
A VGW is
deployed on Corporate data center
the AWS site
CIDR: 192.168.0.0/16
A customer gateway is
deployed on the
customer side
Customer gateway
A VGW is
VPC
deployed on
Remote offices
Public subnet the AWS site
connect to the
Customer office VGW in a hub-and-
Customer gateway spoke model
Customer office
Customer gateway
VPC A VPC B
Subnet Subnet
Subnet Subnet
Corporate office
VPC
Communication with
private IP addresses
Edge location
Edge locations
are distributed
around the world
Edge location Users are directed
to the nearest
Edge location Users
edge location
Edge location
Edge location
Users
Users Edge location
Users
Users
© Digital Cloud Training | https://digitalcloud.training
S3 Static Website with
CloudFront
Custom Origin
Users are
Requests are redirected to
routed to the another endpoint
optimal endpoint AWS Global Network
CloudFormation builds
Infrastructure patterns are VPC
your infrastructure
defined in a template file
according to the template
using code
Public subnet
Auto Scaling
AWS CloudFormation group
Public subnet
Region
VPC
Elastic Beanstalk environment
Public subnet
Everything within
the EB environment Upload source
is launched and code in ZIP file
managed by EB
Instance
Auto Scaling
group
Availability Zone
Application
Public subnet Load
Balancer
Can launch and manage Instance
EC2 instances or Docker
containers on ECS
Can be used to deploy almost any AWS service Deploys web applications based on Java, .NET, PHP, Node.js,
Python, Ruby, Go, and Docker
Uses JSON or YAML template files Uses ZIP or WAR files (or Git)
Results returned to
Developer Developer
commits code
Code deployed
to application
AWS CodeCommit AWS CodeBuild AWS CodeDeploy
Results returned to
Developer Developer
commits code
Application Application
AWS CodePipeline
Records latency
from client to
application
• Amazon EC2
• Amazon ECS
• AWS Lambda
• Need to integrate the X-Ray SDK with your application and install the
X-Ray agent
© Digital Cloud Training | https://digitalcloud.training
AWS OpsWorks
Configuration changes
Instance
are submitted to
OpsWorks
Relational Non-Relational
Organized by tables, rows and columns Varied data storage models
Supports complex queries and joins Unstructured, simple language that supports any
kind of schema
Amazon RDS, Oracle, MySQL, IBM DB2, Amazon DynamoDB, MongoDB, Redis, Neo4j
PostgreSQL
Relational Database
SELECT FirstName
FROM employees
WHERE Location = Sydney
Relational examples: Amazon RDS, Oracle, IBM DB2, Relational examples: Amazon RedShift, Teradata, HP Vertica
MySQL
Non-relational examples: MongoDB, Cassandra, Neo4j, Non-relational examples: Amazon EMR, MapReduce
HBase
COPY
COPY
COPY
Amazon RDS
• In-memory performance
• Dynamic scaling
• In-memory database
Amazon EMR • Analytics workloads using the Hadoop framework
RDS is a managed,
relational database
Amazon RDS
EC2
RDS supports the following
database engines:
• Amazon Aurora
• MySQL
• MariaDB
• Oracle
• Microsoft SQL Server
• PostgreSQL
db.m4.2xlarge
M4 Instance 4 vCPUs, 32
GiB RAM
M4 instance
db.m4.large 2
vCPUs, 8 GiB
RAM
Region
VPC
Availability Zone
Application servers
can read from the
Multi-AZ creates a
passive standby. Writes read replica and
Primarily used for RDS Standby
write to the master
Writes EC2 App Server EC2 App Server
disaster recovery
Synchronous
replication
Asynchronous
replication
Read Replicas are used
RDS Master RDS Read Replica for scaling database
queries (reads)
• You can encrypt your Amazon RDS instances and snapshots at rest by
enabling the encryption option for your Amazon RDS DB instance (during
creation)
• SQL Server
• Oracle
• MySQL Server
• PostgreSQL
• Aurora
• MariaDB
• Read replicas option for read heavy workloads (scales out for reads/queries only)
DB compatibility Compatible with existing MySQL and PostgreSQL open source databases
Aurora Replicas In-region read scaling and failover target – up to 15 (can use Auto Scaling)
Cross-region cluster with read scaling and failover target – up to 5 (each can have up to 15
MySQL Read Replicas
Aurora Replicas)
Cross-region cluster with read scaling (fast replication / low latency reads). Can remove
Global Database
secondary and promote
Multi-Master Scales out writes within a region. In preview currently and will not appear on the exam
On-demand, autoscaling configuration for Amazon Aurora - does not support read replicas
Serverless
or public IPs (can only access through VPC or Direct Connect - not VPN)
Number of replicas Up to 15 Up to 5
DynamoDB Table
• Tables
• Items
Horizontal scaling Seamless scalability to any scale with push button scaling or Auto Scaling
DynamoDB Accelerator (DAX) Fully managed in-memory cache for DynamoDB that increases performance (microsecond latency)
Backup Point-in-time recovery down to the second in last 35 days; On-demand backup and restore
COPY
Data is loaded
COPY into RedShift
Amazon Redshift
Data can be analyzed
with BI tools such as
JDBC/ODBC
QuickSight using SQL
Availability Zone
Amazon S3 Amazon S3 Glacier Amazon Redshift Amazon DynamoDB Amazon RDS HDFS
Database write
Streaming data dashboards Provide a landing spot for streaming sensor data on the factory floor, providing live real-time
dashboard displays
Amazon Kinesis
Data Streams
Data is ingested
Amazon Kinesis Amazon S3
into Data Streams Data Firehose
Successor to Amazon
Elasticsearch Service
Elasticsearch /
OpenSearch API
AWS Organization
Create accounts
Receive a programmatically
consolidated bill using the
Management Account
Organizations API
You can group accounts
into Organizational Units
(OUs)
• Automation
• Run Command
• Inventory
• Patch Manager
• Session Manager
• Parameter Store
Inventory
Patch Manager
Compliance
Parameter Store
Product is added to
Service Catalog
portfolio
Administrator
Send notifications
with SNS
Amazon EC2 AWS Config Amazon Simple
Notification Service
Not personalized
information so
may not be
relevant to you Shows current status
information on
service availability
No proactive
notification of
scheduled
activities
IdP authenticates
App calls AWS Security Token Service (STS) returns
the user
sts:AssumeRoleWithSAML temporary security credentials
ADFS
AWS STS
Users log in
IdP sends client
SAML assertion App uses credentials to
access DynamoDB
AWS STS
DynamoDB Table
Mobile App
AWS Account C
Azure AD
AWS STS
Cognito User Cognito Identity
Pool Pool
Token returned
(JWT) Token gets exchanged for
temporary security credentials
Mobile App
Amazon DynamoDB
2012 R2 Microsoft AD
RDS Workdocs
VPN
Active Directory Amazon EC2
AD
Connector
Self-managed
Micorosoft AD
AWS Management
Provides federated sign-in to the AWS Console
Management Console by mapping
Active Directory identities to IAM Roles
© Digital Cloud Training | https://digitalcloud.training
AD Connector
• AD Connector is a directory gateway for redirecting
directory requests to your on-premise Active Directory.
• AD Connector eliminates the need for directory
synchronization and the cost and complexity of hosting a
federation infrastructure
• Connects your existing on-premise AD to AWS
• Best choice when you want to use an existing Active
Directory with AWS services.
HTTPS Connection
User ALB
Encryption At Rest
Encryption Decryption
Encrypted
Plaintext data Plaintext data
data
Decryption
The same key is used
for both encryption
and decryption
Data encryption key
Developer creates
customer managed
CMK CMK CMK CMK customer master keys
Developer
(CMKs) in AWS KMS
AWS Managed Keys
Availability Customer-managed durability and Highly available and durable key storage
available and management
Root of Trust Customer managed root of trust AWS managed root of trust
3rd Party Support Broad 3rd Party Support Broad AWS service support
Function requires
Amazon Elasticsearch
permissions to
Service
CloudWatch Logs
AWS Lambda AWS Lambda
© Digital Cloud Training | https://digitalcloud.training
AWS CloudTrail
• CloudTrail logs API activity for auditing
• By default, management events are logged and retained
for 90 days
• A CloudTrail Trail logs any events to S3 for indefinite
retention
• Trail can be within Region or all Regions
• CloudWatch Events can triggered based on API calls in
CloudTrail
• Events can be streamed to CloudWatch Logs
• Subnet
• Network interface
Auto Scaling
Staff training Data encryption IAM User Network ACL SSL encryption Elastic load
EC2 Instance balancer
AWS RESPONSIBILITY
Server
Network router Disk drive
Quantity of data
that is transferred
out from all
Quantity of
Amount of resources services
data stored
such as CPU and
RAM and duration
Standard RI Convertible RI
Term is 1 or 3 years
Requirement:
Uninterrupted for Solution: Spot Block
1-6 hours
Dedicated Instances
Steady-state, business critical,
line-of-business application;
Dedicated Hosts continuous demand
Scheduled Reserved
Database with per-socket
licensing
Spot Instances
Dedicated Instances
Security-sensitive application,
requires dedicated hardware;
Dedicated Hosts per-instance billing
Amazon S3
AWS Application Servers
Migration Service
AWS DataSync
Data center
Use the Schema Conversion Tool
for heterogeneous migrations
Oracle AWS Database Migration
Service Amazon RedShift
database
Can be on-premises,
on EC2, or RDS
Data center
Destinations include Aurora, RedShift
DynamoDB, and DocumentDB
MySQL AWS Database Migration Amazon Aurora
database Service
• You can also use AWS Server Migration Service (AWS SMS) and AWS VM
Import / Export
Data center
Agentless replication
for vCenter
AWS Application EC2 Instances
Migration Service
VMware Hyper-V
NFS or SMB
NAS / File
Server AWS DataSync Amazon FSx for Windows
File Server
Scheduled, automated data transfer
AWS SnowCone
Celebrity recognition
Rekognition publishes
result status to an SNS
Topic
VPC
AWS Managed Microsoft AD
Windows 10 desktop
is streamed to client
Amazon Workspaces
VPC
Application is
AWS Managed Microsoft AD streamed to browser
Streaming Instances
Amazon WorkLink
Amplify is used to
build and host the
WebStore application
and create backend
services
AppSync creates a
unified API layer for
integrating the
microservices