AWS Technical Essentials

What is AWS?
On-premises and cloud computing
Before the cloud, companies and organizations hosted and maintained hardware such as
compute, storage, and networking equipment in their own data centers. They often allocated
entire infrastructure departments to take care of their data centers, which resulted in costly
operations that made some workloads and experimentation impossible.
As internet use became more widespread, the demand for compute, storage, and networking
equipment increased. For some companies and organizations, the cost of maintaining a large
physical presence was unsustainable. To solve this problem, cloud computing emerged.
Cloud computing is an on-demand delivery of IT resources over the internet with primarily
pay-as-you-go pricing. With cloud computing, companies do not have to manage and
maintain their own hardware and data centers. Instead, companies like AWS own and
maintain data centers and provide virtual data center technologies and services to companies
and users over the internet.
To help differentiate between running workloads on premises versus in the cloud, consider a
scenario in which your developers must deploy a new application feature. Before they
deploy, the team wants to test the feature in a separate quality assurance (QA) environment
that has the same configurations as production. In an on-premises solution, an additional
environment requires you to buy and install hardware, connect the necessary cabling,
provision power, install operating systems, and more. These tasks can be time consuming and
expensive. Meanwhile, the new feature’s time-to-market increases while the developers wait
for the QA environment. In contrast, if you run your application in the cloud, you can
replicate an entire production environment, as often as needed, in a matter of minutes or even
seconds. Instead of physically installing hardware and connecting cabling, the solution is
managed over the internet.
Using cloud computing saves time during setup and removes the undifferentiated heavy
lifting. If you look at any application, you’ll see that some of its aspects are very important to
your business, like the code. However, other aspects are no different than any other
application you might make – for instance, the compute the code runs on. By removing
repetitive common tasks that don’t differentiate your business, like installing virtual machines
(VMs) or storing backups, you can focus on what is strategically unique to your business and
let AWS handle the time-consuming tasks that don’t separate you from your competitors.
That's where AWS fits into all of this.
AWS provides cloud computing services. The IT resources mentioned in the cloud
computing definition are AWS services. For the course's corporate directory application, you
will use AWS services to architect a scalable, highly available, and cost-effective
infrastructure to host the corporate directory application. That way, you can get the app out
into the world quickly, without managing heavy-duty physical hardware.
Six advantages of cloud computing
Pay as you go
–Instead of investing in data centres and hardware before you know how you are going to
use them, you pay only when you use computing resources, and pay only for how much you
use.
Benefit from massive economies of scale
–By using cloud computing, you can achieve a lower cost than you can get on your own.
Because usage from hundreds of thousands of customers is aggregated in the cloud, AWS
can achieve higher economies of scale, which translates into lower pay-as-you-go prices.
Stop guessing capacity
–Eliminate guessing on your infrastructure capacity needs. When you make a capacity
decision prior to deploying an application, you often end up either sitting on expensive idle
resources or dealing with limited capacity. With cloud computing, these problems go away.
You can access as much or as little capacity as you need, and scale up and down as
required with only a few minutes' notice.
Increase speed and agility
–IT resources are only a click away, which means that you reduce the time to make
resources available to your developers from weeks to minutes. This results in a dramatic
increase in agility for the organization, since the cost and time it takes to experiment and
develop is significantly lower.
Realize cost savings
–Companies can focus on projects that differentiate their business instead of maintaining
data centres. Cloud computing lets you focus on your customers, rather than on the heavy
lifting of racking, stacking, and powering physical infrastructure. This is often referred to as
undifferentiated heavy lifting.
Go global in minutes
–Applications can be deployed in multiple Regions around the world with a few clicks. This
means that you can provide lower latency and a better experience for your customers at a
minimal cost.

Resources
 External Site: AWS: What Is Cloud Computing?
 External Site: AWS: Types of Cloud Computing
 External Site: AWS: Cloud Computing with AWS
 External Site: AWS: Overview of Amazon Web Services

 This credential helps organizations identify and develop talent with
critical knowledge related to implementing cloud initiatives. Earning
AWS Certified Cloud Practitioner validates cloud fluency and
foundational knowledge of Amazon Web Services (AWS).
 To learn more, see: AWS Certified Cloud Practitioner
 To earn this certification, you need to take and pass the AWS
Certified Cloud Practitioner exam. The exam features a combination
of two question formats: multiple choice and multiple response.
Additional information, such as a detailed exam content outline, is in
the exam guide.
 To learn more, see: AWS Certified Cloud Practitioner Exam Guide
 Cloud computing provides a simpler way to access servers, storage,
databases and a broad set of application services over the internet. A
cloud services provider, such as AWS, owns and maintains the
network-connected hardware required for these application services,
while you provision and use what you need via a web application.
This style of computing offers many benefits that can help your
business.
 To learn more, see: Six Advantages of Cloud Computing
 When you first start, AWS can seem overwhelming. A cloud-native
paradigm of building infrastructure can be a radical departure from
the traditional on-premises way of doing things. And regardless of
whether this is your first time working with infrastructure or you've
been tuning Linux kernels for the last decade, it can be hard to know
where to start.
 To learn more, see: AWS Fundamentals - Core Concepts
 AWS Cloud Economics developed the Cloud Value Framework to
help organizations build a comprehensive business case for cloud by
measuring and tracking progress against four key dimensions of
value: cost savings, staff productivity, operational resilience, and
business agility. This paper shares how the AWS Cloud is
transforming business and provides an analysis of these four aspects
of business value.
 To learn more, see: Business Value on AWS
 AWS offers a couple of tools geared towards cost and pricing
evaluation. If the workload details and services to be used are
identified, the AWS Pricing Calculator can help you calculate the total
cost of ownership. Migration Evaluator helps you inventory your
existing environment, identify workload information, and design and
plan your AWS migration.
 To learn more, see: AWS Pricing/TCO Tools
 Rightsizing is the process of matching instance types and sizes to
your workload performance and capacity requirements at the lowest
possible cost. It’s also the process of looking at deployed instances
and identifying opportunities to remove or downsize them without
compromising capacity or other requirements, which results in lower
costs.
 To learn more, see: Optimizing your cost with Rightsizing
Recommendations
 AWS Well-Architected helps cloud architects build secure, high-
performing, resilient, and efficient infrastructure for their applications
and workloads. Based on five pillars—operational excellence,
security, reliability, performance efficiency, and cost optimization—
AWS Well-Architected provides a consistent approach for customers
and AWS Partners to evaluate architectures, and implement designs
that can scale over time.
 To learn more, see: AWS Well-Architected
 When you architect technology solutions on AWS, if you neglect the
five pillars of operational excellence, security, reliability, performance
efficiency, and cost optimization, it can become challenging to build a
system that delivers on your expectations and requirements.
Incorporating these pillars into your architecture helps produce stable
and efficient systems. You can then focus on the other aspects of
design, such as functional requirements.
 To learn more, see: The 5 Pillars of the AWS Well-Architected
Framework

AWS Global Infrastructure
Infrastructure, like data centers and networking connectivity, still exists as the foundation of
every cloud application. In AWS, this physical infrastructure makes up the AWS Global
Infrastructure, in the form of Regions and Availability Zones.
Regions
Regions are geographic locations worldwide where AWS hosts its data centers. AWS
Regions are named after the location where they reside. For example, in the United States, the
Region in Northern Virginia is called the Northern Virginia Region, and the Region in
Oregon is called the Oregon Region. AWS has Regions in Asia Pacific, Canada, Europe, the
Middle East, and South America, and we continue to expand to meet our customers' needs.
Each AWS Region is associated with a geographical name and a Region code.
Here are examples of Region codes:
 us-east-1: The first Region created in the eastern US area. The geographical name for
this Region is N. Virginia.
 ap-northeast-1: The first Region created in the northeast Asia Pacific area. The
geographical name for this Region is Tokyo.
AWS Regions are independent from one another. Data is not replicated from one Region to
another without explicit customer consent and authorization.
Choose the Right AWS Region
When you decide which AWS Region to host your applications and workloads, consider four
main aspects – latency, price, service availability, and compliance.

LATENCY
If your application is sensitive to latency (the delay between a request for data and the
response), choose a Region that is close to your user base. This helps prevent long wait times
for your customers. Synchronous applications such as gaming, telephony, WebSockets, and
Internet of Things (IoT) are significantly affected by high latency. Asynchronous workloads,
such as ecommerce applications, can also suffer from user connectivity delays.

PRICING
Due to the local economy and the physical nature of operating data centers,
prices vary from one Region to another. Internet connectivity, imported
equipment costs, customs, real estate, and other factors impact a Region's
pricing. Instead of charging a flat rate worldwide, AWS charges based on the
financial factors specific to each Region.

SERVICE AVAILABILITY
Some services might not be available in some Regions. The AWS documentation
provides a table that shows the services available in each Region.

DATA COMPLIANCE
Enterprise companies often must comply with regulations that require customer
data to be stored in a specific geographic territory. If applicable, choose a Region
that meets your compliance requirements.

Availability Zones

Inside every Region is a cluster of Availability Zones (AZs). An AZ consists of one or more
data centers with redundant power, networking, and connectivity. These data centers operate
in discrete facilities in undisclosed locations. They are connected using redundant high-speed
and low-latency links.

AZs also have a code name. Since they are located inside Regions, they can be addressed by
appending a letter to the end of the Region code name. For example:
 us-east-1a: An AZ in us-east-1 (N. Virginia Region)
 sa-east-1b: An AZ in sa-east-1 (São Paulo Region)
Therefore, if you see that a resource exists in us-east-1c, you can infer that the resource is
located in AZ c of the us-east-1 Region.
Scope AWS services
Depending on the AWS service you use, your resources are either deployed at the AZ,
Region, or Global level. Each service is different, so you must understand how the scope of a
service might affect your application architecture.

When you operate a Region-scoped service, you only need to select the Region you want to
use. If you are not asked to specify an individual AZ to deploy the service in, this is an
indicator that the service operates on a Region-scope level. For Region-scoped services,
AWS automatically performs actions to increase data durability and availability.

On the other hand, some services ask you to specify an AZ. With these services, you are often
responsible for increasing the data durability and high availability of these resources.
Maintain resiliency
To keep your application available, you must maintain high availability and resiliency. A
well-known best practice for cloud architecture is to use Region-scoped, managed services.
These services come with availability and resiliency built in. When that is not possible, make
sure your workload is replicated across multiple AZs. At a minimum, you should use two
AZs. That way, if an AZ fails, your application will have infrastructure up and running in a
second AZ to take over the traffic.

Resources
 External Site: AWS: Global Infrastructure
 External Site: AWS: AWS Global Infrastructure
Documentation
 External Site: AWS: AWS Regions and Availability Zones
 External Site: AWS: AWS Service Endpoints
 External Site: AWS: AWS Regional Services

Interacting with AWS
Every action you make in AWS is an API call that is authenticated and authorized. In AWS,
you can make API calls to services and resources through the AWS Management Console,
AWS Command Line Interface (AWS CLI), or AWS software development kits (SDKs).
The AWS Management Console
One way to manage cloud resources is through the web-based console, where you log in and
choose the desired service. This can be the easiest way to create and manage resources when
you first begin working with the cloud. On the console landing page, the services are
grouped into categories, such as Compute, Storage, Database, and Analytics.

On the upper-right corner is the Region selector. If you choose it and change the Region, you
will make requests to the services in the chosen Region. The URL changes, too. Changing the
Region setting directs your browser to make requests to a different AWS Region, represented
by a different subdomain.
The AWS Command Line Interface (AWS CLI)
Consider the scenario where you run tens of servers on AWS for your application’s front end.
You want to run a report to collect data from all the servers. You need to do this
programmatically every day because the server details might change. Instead of manually
logging in to the AWS Management Console and then copying and pasting information, you
can schedule an AWS CLI script with an API call to pull this data for you.

The AWS CLI is a unified tool that you can use to manage AWS services. You can download
and configure one tool that you can use to control multiple AWS services from the command
line and automate them with scripts. The AWS CLI is open-source, and installers are
available for Windows, Linux, and macOS.

For example, if you run the following API call against a service using the AWS CLI:
aws ec2 describe-instances

you will get a response like the following (shown here abbreviated):

{
    "Reservations": [
        {
            "Groups": [],
            "Instances": [
                {
                    "AmiLaunchIndex": 0,
AWS SDKs
API calls to AWS can also be performed by running code with programming languages. You
can do this by using AWS software development kits (SDKs). SDKs are open source and
maintained by AWS for the most popular programming languages, such as C++, Go, Java,
JavaScript, .NET, Node.js, PHP, Python, and Ruby.

Developers commonly use AWS SDKs to integrate their application source code with AWS
services. For example, consider an application with a front end that runs in Python. Every
time the application receives a cat photo, it uploads the file to a storage service. This action
can be achieved in the source code by using the AWS SDK for Python. Here is an example of
code you can implement to work with AWS resources using the Python AWS SDK.
import boto3

# Low-level EC2 client; credentials and Region come from the environment or the
# shared AWS config and credentials files, the same sources the AWS CLI uses.
ec2 = boto3.client('ec2')

# Same API call as `aws ec2 describe-instances` on the CLI; the response is a dict
# with the same structure as the CLI's JSON output.
response = ec2.describe_instances()
print(response)
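The daily inventory report described in the AWS CLI section above, combined with the AZ naming rule from the Global Infrastructure section, as an added example that is not part of the course material. It works on a describe-instances response of the shape shown above: SAMPLE_RESPONSE is constructed, the checks it applies (a public IP present, IMDSv2 enforced via MetadataOptions.HttpTokens, the Name and Owner tags present, running instances spread over at least two AZs per Region) are this example's own choices rather than anything the course prescribes, and fetch_reservations() is the only function that actually contacts AWS.

```python
"""Daily EC2 inventory/security report built from describe-instances output.

Added example (not course code). The checks run offline on SAMPLE_RESPONSE;
fetch_reservations() is the live variant and needs credentials and boto3.
"""
from collections import defaultdict

# Constructed sample, same shape as `aws ec2 describe-instances` / describe_instances().
# Real responses carry many more fields per instance.
SAMPLE_RESPONSE = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaaa1111example", "State": {"Name": "running"},
             "Placement": {"AvailabilityZone": "us-east-1a"},
             "PublicIpAddress": "203.0.113.10",
             "MetadataOptions": {"HttpTokens": "optional"},
             "Tags": [{"Key": "Name", "Value": "web-1"}, {"Key": "Owner", "Value": "frontend"}]},
            {"InstanceId": "i-0bbbb2222example", "State": {"Name": "running"},
             "Placement": {"AvailabilityZone": "us-east-1a"},
             "MetadataOptions": {"HttpTokens": "required"},
             "Tags": [{"Key": "Name", "Value": "web-2"}]},
        ]},
        {"Instances": [
            {"InstanceId": "i-0cccc3333example", "State": {"Name": "running"},
             "Placement": {"AvailabilityZone": "ap-northeast-1c"},
             "PublicIpAddress": "198.51.100.7",
             "MetadataOptions": {"HttpTokens": "required"},
             "Tags": [{"Key": "Name", "Value": "api-1"}, {"Key": "Owner", "Value": "api"}]},
            {"InstanceId": "i-0dddd4444example", "State": {"Name": "stopped"},
             "Placement": {"AvailabilityZone": "ap-northeast-1a"},
             "MetadataOptions": {"HttpTokens": "required"},
             "Tags": []},
        ]},
    ]
}

REQUIRED_TAGS = ("Name", "Owner")  # assumed tagging policy for this example


def region_of(az):
    """'us-east-1c' -> 'us-east-1': an AZ code is its Region code plus one trailing letter."""
    return az[:-1] if az and az[-1].isalpha() else az


def flatten(response):
    """Collapse Reservations[].Instances[] into one flat row per instance."""
    rows = []
    for reservation in response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            az = inst["Placement"]["AvailabilityZone"]
            tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
            rows.append({
                "id": inst["InstanceId"],
                "state": inst["State"]["Name"],
                "az": az,
                "region": region_of(az),
                "public_ip": inst.get("PublicIpAddress"),
                "imdsv2_required": inst.get("MetadataOptions", {}).get("HttpTokens") == "required",
                "missing_tags": [k for k in REQUIRED_TAGS if k not in tags],
            })
    return rows


def findings(rows):
    """(instance id, message) pairs worth putting in the daily report."""
    out = []
    for r in rows:
        if r["public_ip"]:
            out.append((r["id"], f"public IP {r['public_ip']}"))
        if not r["imdsv2_required"]:
            out.append((r["id"], "IMDSv2 not enforced (HttpTokens != required)"))
        if r["missing_tags"]:
            out.append((r["id"], "missing tags: " + ",".join(r["missing_tags"])))
    return out


def az_coverage(rows):
    """Region -> set of AZs that hold running instances."""
    cov = defaultdict(set)
    for r in rows:
        if r["state"] == "running":
            cov[r["region"]].add(r["az"])
    return dict(cov)


def single_az_regions(rows):
    """Regions whose running fleet sits in one AZ: nothing takes over if that AZ fails."""
    return sorted(region for region, azs in az_coverage(rows).items() if len(azs) < 2)


def fetch_reservations(region_name):
    """Live variant: page through describe_instances for one Region with boto3."""
    import boto3  # imported here so the offline checks above work without the SDK
    ec2 = boto3.client("ec2", region_name=region_name)
    reservations = []
    for page in ec2.get_paginator("describe_instances").paginate():
        reservations.extend(page["Reservations"])
    return {"Reservations": reservations}


if __name__ == "__main__":
    rows = flatten(SAMPLE_RESPONSE)
    for inst_id, msg in findings(rows):
        print(f"{inst_id}: {msg}")
    print("Regions with running instances in only one AZ:", single_az_regions(rows))
```

Run it as a script to see the findings for the constructed sample; to run it for real, replace SAMPLE_RESPONSE with fetch_reservations(region) output, once per Region you use, since EC2 is Region-scoped. The AZ check mirrors the "at least two AZs" guidance later in this document: a Region whose running instances all sit in one AZ has no second AZ to take over traffic.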
Resources
 External Site: AWS: Working with the AWS Management
Console
 External Site: AWS: AWS Command Line Interface
 External Site: AWS: Tools to Build on AWS

Security and the AWS Shared Responsibility Model
When you work with the AWS Cloud, managing security and compliance is a shared
responsibility between AWS and you. To depict this shared responsibility, AWS created the
shared responsibility model. The distinction of responsibility is commonly referred to as
security OF the cloud versus security IN the cloud.

AWS responsibility
AWS is responsible for security of the cloud. This means AWS protects and secures the
infrastructure that runs the services offered in the AWS Cloud. AWS is responsible for:
 Protecting and securing AWS Regions, Availability Zones,
and data centers, down to the physical security of the
buildings
 Managing the hardware, software, and networking
components that run AWS services, such as the physical
servers, host operating systems, virtualization layers, and
AWS networking components
The level of responsibility AWS has depends on the service. AWS classifies services into
three categories. The following table provides information about each, including the AWS
responsibility.
Infrastructure services
–Examples of AWS services in the category: Compute services, such as Amazon Elastic
Compute Cloud (Amazon EC2).
–AWS responsibility: AWS manages the underlying infrastructure and foundation services.
Container services
–Examples of AWS services in the category: Services that require less management from the
customer, such as Amazon Relational Database Service (Amazon RDS).
–AWS responsibility: AWS manages the underlying infrastructure and foundation services,
operating system, and application platform.
Abstracted services
–Examples of AWS services in the category: Services that require very little management
from the customer, such as Amazon Simple Storage Service (Amazon S3).
–AWS responsibility: AWS operates the infrastructure layer, operating system, and
platforms, in addition to server-side encryption and data protection.
Note: Container services refer to AWS abstracting application containers behind the scenes,
not Docker container services. This enables AWS to move the responsibility of managing the
platform away from customers.
Customer responsibility
Customers are responsible for security in the cloud. When using any AWS service, you’re responsible
for properly configuring the service and your applications, in addition to ensuring that your data is
secure.

Your level of responsibility depends on the AWS service. Some services require you to perform all
the necessary security configuration and management tasks, while other more abstracted services
require you to only manage the data and control access to your resources. Using the three
categories of AWS services, you can determine your level of responsibility for each AWS service you
use.
Infrastructure services
–AWS responsibility: AWS manages the infrastructure and foundation services.
–Customer responsibility: You control the operating system and application platform, in
addition to encrypting, protecting, and managing customer data.
Container services
–AWS responsibility: AWS manages the infrastructure and foundation services, operating
system, and application platform.
–Customer responsibility: You are responsible for customer data, encrypting the data, and
protecting it through network firewalls and backups.
Abstracted services
–AWS responsibility: AWS operates the infrastructure layer, operating system, and
platforms, in addition to server-side encryption and data protection.
–Customer responsibility: You are responsible for managing customer data and protecting it
through client-side encryption.

Due to the varying levels of effort, customers must consider which AWS services they use
and review the level of responsibility required to secure each service. They must also review
how the shared security model aligns with the security standards in their IT environment, in
addition to any applicable laws and regulations.
A key concept is that customers maintain complete control of their data and are responsible
for managing the security related to their content. For example, you are responsible for the
following:
 Choosing a Region for AWS resources in accordance with
data sovereignty regulations
 Implementing data-protection mechanisms, such as
encryption and scheduled backups
 Using access control to limit who can access your data
and AWS resources

Resources
 External Site: AWS: Shared Responsibility Model

Protect the AWS Root User

What’s the big deal about auth?
When you configure access to any account, two terms come up frequently
– authentication and authorization. While these terms might seem basic, you must fully
understand them to properly configure access management on AWS.
Authentication
When you create your AWS account, you use the combination of an email address and a
password to verify your identity. If a user types in the correct email and password, the system
assumes the user is allowed to enter and grants them access. This is the process of
authentication.

Authentication ensures that the user is who they say they are. User names and passwords are
the most common types of authentication, but you might also work with other forms, such as
token-based authentication or biometric data, like a fingerprint. Authentication simply
answers the question, “Are you who you say you are?”
Authorization
Once you’re authenticated and in your AWS account, you might be curious about what
actions you can take. This is where authorization comes in. Authorization is the process of
giving users permission to access AWS resources and services. Authorization determines
whether a user can perform certain actions, such as read, edit, delete, or create resources.
Authorization answers the question, “What actions can you perform?”
AWS root user
When you first create an AWS account, you begin with a single sign-in identity that has
complete access to all AWS services and resources in the account. This identity is called the
AWS root user and is accessed by signing in with the email address and password that you
used to create the account.
AWS root user credentials
The AWS root user has two sets of credentials associated with it. One set of credentials is the
email address and password used to create the account. This allows you to access the AWS
Management Console. The second set of credentials is called access keys, which allow you to
make programmatic requests from the AWS Command Line Interface (AWS CLI) or AWS
API.

Access keys consist of two parts:
 Access key ID, for example, AKIAIOSFODNN7EXAMPLE
 Secret access key, for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Similar to a user name and password combination, you need both the access key ID and
secret access key to authenticate your requests via the AWS CLI or AWS API. Access keys
should be managed with the same security as an email address and password.

Best practices when working with the AWS root user
The root user has complete access to all AWS services and resources in your account, in
addition to your billing and personal information. Due to this, you should securely lock away
the credentials associated with the root user and do not use the root user for everyday tasks.
To ensure the safety of the root user, follow these best practices:
 Choose a strong password for the root user
 Never share your root user password or access keys with
anyone
 Disable or delete the access keys associated with the root
user
 Do not use the root user for administrative tasks or
everyday tasks
When is it OK to use the AWS root user? For some tasks, you will want to use the AWS root
user. Check out the links at the end of this section to read about those exceptions.
Delete your keys to stay safe
If you don't have an access key for your AWS account root user, don't create one unless you
absolutely need to. If you have an access key for your AWS account root user and want to
delete the keys, follow these steps:
1. In the AWS Management Console, go to the My Security
Credentials page, and sign in with the root user’s email
address and password.
2. Open the Access keys section.
3. Under Actions, choose Delete.
4. Choose Yes.
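A scripted check for the root-user best practices above and the key-deletion steps, as an added example that is not from the course. It reads the IAM credential report (what `aws iam get-credential-report` returns), which lists the root user as <root_account> together with its MFA, access-key and password-use columns. SAMPLE_REPORT is a constructed report, AS_OF is the constructed "today" that goes with it, the 90-day window is an arbitrary threshold for this example, and fetch_credential_report() is the only function that calls AWS.

```python
"""Root-user hygiene checks driven by the IAM credential report.

Added example (not course code). SAMPLE_REPORT is a constructed report with the
real report's column names; fetch_credential_report() is the only live call.
"""
import csv
import io
from datetime import datetime, timezone

ROOT_USER = "<root_account>"                      # how IAM names the root user in the report
NO_DATE = {"N/A", "no_information", "not_supported"}
AS_OF = datetime(2024, 5, 3, tzinfo=timezone.utc)  # constructed "today" for the sample

# Constructed sample: the root user has no MFA, one active access key, and a recent
# console sign-in; alice is an ordinary IAM user with MFA and a rotated key.
SAMPLE_REPORT = (
    "user,arn,user_creation_time,password_enabled,password_last_used,"
    "password_last_changed,password_next_rotation,mfa_active,"
    "access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,"
    "access_key_1_last_used_region,access_key_1_last_used_service,"
    "access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,"
    "access_key_2_last_used_region,access_key_2_last_used_service,"
    "cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated\n"
    "<root_account>,arn:aws:iam::123456789012:root,2020-01-15T10:00:00+00:00,true,"
    "2024-05-01T08:12:00+00:00,not_supported,not_supported,false,true,"
    "2020-01-15T10:05:00+00:00,2024-04-30T22:01:00+00:00,us-east-1,ec2,"
    "false,N/A,N/A,N/A,N/A,false,N/A,false,N/A\n"
    "alice,arn:aws:iam::123456789012:user/alice,2021-03-02T09:00:00+00:00,true,"
    "2024-05-02T07:00:00+00:00,2024-01-10T09:00:00+00:00,2024-04-10T09:00:00+00:00,"
    "true,true,2024-01-10T09:00:00+00:00,2024-05-02T06:00:00+00:00,us-east-1,s3,"
    "false,N/A,N/A,N/A,N/A,false,N/A,false,N/A\n"
)


def parse_report(report_csv):
    """One dict per IAM identity, keyed by the report's column names."""
    return list(csv.DictReader(io.StringIO(report_csv)))


def root_findings(rows, now=None, recent_days=90):
    """Flag the root-user states the best practices tell you to avoid."""
    now = now or datetime.now(timezone.utc)
    root = next(r for r in rows if r["user"] == ROOT_USER)
    out = []
    if root["mfa_active"] != "true":
        out.append("root user has no MFA device enabled")
    for n in ("1", "2"):                               # a user can hold two access keys
        if root[f"access_key_{n}_active"] == "true":
            out.append(f"root access key {n} is active: delete it")
    last_used = root["password_last_used"]
    if last_used not in NO_DATE:
        age = (now - datetime.fromisoformat(last_used)).days
        if age <= recent_days:
            out.append(f"root password used {age} day(s) ago: root is not for everyday tasks")
    return out


def account_summary_findings(summary_map):
    """Coarser check from `aws iam get-account-summary` (SummaryMap keys shown)."""
    out = []
    if summary_map.get("AccountMFAEnabled", 0) != 1:
        out.append("root user has no MFA device enabled")
    if summary_map.get("AccountAccessKeysPresent", 0) != 0:
        out.append("root user has access keys present")
    return out


def fetch_credential_report():
    """Live variant: generation is asynchronous, so poll until the state is COMPLETE."""
    import time
    import boto3  # imported here so the offline checks work without the SDK
    iam = boto3.client("iam")
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    return iam.get_credential_report()["Content"].decode()


if __name__ == "__main__":
    for finding in root_findings(parse_report(SAMPLE_REPORT), now=AS_OF):
        print(finding)
```

The report is the same data the console's My Security Credentials page acts on, so this is a way to confirm, across many accounts, that the deletion steps above were actually carried out and that nobody has quietly created a new root key since. Both checks run under an IAM identity that holds iam:GenerateCredentialReport and iam:GetCredentialReport (or iam:GetAccountSummary); the root user itself is not needed.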
Multi-factor authentication (MFA)
When you create an AWS account and first log in to the account, you use single-factor
authentication. Single-factor authentication is the simplest and most common form of
authentication. It only requires one authentication method. In this case, you use a user name
and password to authenticate as the AWS root user. Other forms of single-factor
authentication include a security PIN or a security token.

However, sometimes a user’s password is easy to guess. For example, your coworker Bob’s
password, IloveCats222, might be easy for someone who knows Bob personally to guess,
because it’s a combination of information that is easy to remember and includes certain facts
about Bob (Bob loves cats, and his birthday is February 22). If a bad actor guessed or cracked
Bob’s password through social engineering, bots, or scripts, Bob might lose control of his
account. Unfortunately, this is a common scenario that users of any website often face. This
is why using multi-factor authentication (MFA) is important in preventing unwanted account
access.
MFA requires two or more authentication methods to verify an identity. MFA pulls from the
following three categories of information:
 Something you know, such as a user name and password,
or a PIN
 Something you have, such as a one-time passcode from a
hardware device or mobile app
 Something you are, such as fingerprint or face scanning
technology
Using a combination of this information enables systems to provide a layered approach to
account access. So even if the first method of authentication, like Bob’s password, is cracked
by a malicious actor, the second method of authentication, such as a fingerprint, provides
another level of security. This extra layer of security can help protect your most important
accounts, which is why you should enable MFA on your AWS root user.
MFA on AWS
If you enable MFA on your root user, you must present a piece of identifying information
from both the something you know category and the something you have category. The first
piece of identifying information the user enters is an email and password combination. The
second piece of information is a temporary numeric code provided by an MFA device.

Enabling MFA adds an additional layer of security because it requires users to use a
supported MFA mechanism in addition to their regular sign-in credentials. Enabling MFA on
the AWS root user account is an AWS best practice.
Supported MFA devices
AWS supports a variety of MFA mechanisms, such as virtual MFA devices, hardware
devices, and Universal 2nd Factor (U2F) security keys. For instructions on how to set up each
method, check out the Resources section.
Virtual MFA
–Description: A software app that runs on a phone or other device that provides a one-time
passcode. These applications can run on unsecured mobile devices, and because of that, they
might not provide the same level of security as hardware or U2F devices.
–Supported devices: Authy, Duo Mobile, LastPass Authenticator, Microsoft Authenticator,
Google Authenticator
Hardware
–Description: A hardware device, generally a key fob or display card device, that generates
a one-time, six-digit numeric code.
–Supported devices: Key fob, display card
U2F
–Description: A hardware device that you plug in to a USB port on your computer.
–Supported devices: YubiKey
Resources
 External Site: AWS: Enabling a Hardware MFA Device
(Console)
 External Site: AWS: Enabling a U2F Security Key (Console)
 External Site: AWS: Enabling a Virtual Multi-Factor
Authentication (MFA) Device (Console)
 External Site: AWS: Table of Supported MFA Devices
