I passed the AWS Certified Cloud Practitioner exam (CLF-C01) on Sunday. I would like to share my cheat sheet with the world. This is the first part; I will add another with the list of services.
6 Advantages of Cloud Computing –
- Trade capital expense (capex) for variable expense
- Benefit from massive economies of scale
- Stop guessing about capacity (i.e. elasticity)
- Increased speed and agility
- Stop spending money running and maintaining data centres
- Go global in minutes
Well-Architected Framework – CROPS
- Cost optimization
  - The ability to run systems to deliver business value at the lowest price point.
- Reliability
  - The ability of a workload to perform its intended function correctly and consistently when it's expected to. This includes the ability to operate and test the workload through its total lifecycle.
- Operational excellence
  - The ability to support development and run workloads effectively, gain insight into their operations, and continuously improve supporting processes and procedures to deliver business value.
- Performance efficiency
  - The ability to use computing resources efficiently to meet system requirements, and to maintain that efficiency as demand changes and technologies evolve.
- Security
  - The ability to protect data, systems, and assets, taking advantage of cloud technologies to improve your security.
Seven design principles for security in the cloud:
- Implement a strong identity foundation: Implement the principle of least privilege and enforce separation of duties with appropriate authorization for each interaction with your AWS resources. Centralize privilege management and reduce or even eliminate reliance on long-term credentials.
- Enable traceability: Monitor, alert, and audit actions and changes to your environment in real time. Integrate logs and metrics with systems to automatically respond and take action.
- Apply security at all layers: Rather than just focusing on protection of a single outer layer, apply a defense-in-depth approach with other security controls. Apply to all layers (e.g., edge network, VPC, subnet, load balancer, every instance, operating system, and application).
- Automate security best practices: Automated software-based security mechanisms improve your ability to securely scale more rapidly and cost effectively. Create secure architectures, including the implementation of controls that are defined and managed as code in version-controlled templates.
- Protect data in transit and at rest: Classify your data into sensitivity levels and use mechanisms, such as encryption, tokenization, and access control where appropriate.
- Keep people away from data: Create mechanisms and tools to reduce or eliminate the need for direct access or manual processing of data. This reduces the risk of loss or modification and human error when handling sensitive data.
- Prepare for security events: Prepare for an incident by having an incident management process that aligns to your organizational requirements. Run incident response simulations and use tools with automation to increase your speed for detection, investigation, and recovery.
5 design principles for reliability in the cloud – STEAM
- Scale horizontally to increase aggregate system availability
- Test recovery procedures – Use automation to simulate different failures or to recreate scenarios that led to failures before
- Stop guessing capacity (elasticity)
- Automatically recover from failure
- Manage change in automation
AWS Cost Governance Best Practices:
- Resource controls (policy-based and automated) govern who can deploy resources and the process for identifying, monitoring, and categorizing these new resources. These controls can use tools such as AWS Service Catalog, AWS Identity and Access Management (IAM) roles and permissions, and AWS Organizations, as well as third-party tools such as ServiceNow.
- Cost allocation applies to teams using resources, shifting the emphasis from the IT-as-cost-center mentality to one of shared responsibility.
- Budgeting processes include reviewing budgets and realized costs, and then acting on them.
- Architecture optimization focuses on the need to continually refine workloads to be more cost-conscious to create better architected systems.
- Tagging and tagging enforcement ensure cost tracking and visibility across organization lines.
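The tagging-enforcement and cost-allocation points above are easy to turn into a check. The following is an added example of my own, not code from the post or from AWS: it assumes a required-tag standard of `CostCenter` and `Owner` (my choice) and runs over a constructed list of resource cost records shaped like a simplified billing export.

```python
"""Tag enforcement plus cost allocation by tag (added example, not the post's code).

Assumptions (mine): REQUIRED_TAGS is the organisation's tagging standard and
SAMPLE_RESOURCES is a constructed stand-in for a cost-and-usage export.
"""
from collections import defaultdict

REQUIRED_TAGS = ("CostCenter", "Owner")   # assumed organisational standard

# Constructed sample records: resource id, service, monthly cost in USD, tags.
SAMPLE_RESOURCES = [
    {"id": "i-0aaa",   "service": "EC2", "cost": 120.0, "tags": {"CostCenter": "payments", "Owner": "alice"}},
    {"id": "i-0bbb",   "service": "EC2", "cost": 80.0,  "tags": {"CostCenter": "payments"}},
    {"id": "db-0ccc",  "service": "RDS", "cost": 300.0, "tags": {"CostCenter": "analytics", "Owner": "bob"}},
    {"id": "vol-0ddd", "service": "EBS", "cost": 15.5,  "tags": {}},
]


def missing_tags(resource, required=REQUIRED_TAGS):
    """Tag keys from the standard that this resource does not carry."""
    return [key for key in required if key not in resource["tags"]]


def non_compliant(resources, required=REQUIRED_TAGS):
    """Map resource id -> missing tag keys for every resource that breaks the standard.
    This is the enforcement half: anything returned here should be fixed or blocked."""
    findings = {}
    for resource in resources:
        missing = missing_tags(resource, required)
        if missing:
            findings[resource["id"]] = missing
    return findings


def allocate_cost(resources, key="CostCenter"):
    """Roll spend up by the allocation tag; spend with no tag lands in 'UNALLOCATED'
    so that the money an IT cost centre would otherwise absorb stays visible."""
    totals = defaultdict(float)
    for resource in resources:
        totals[resource["tags"].get(key, "UNALLOCATED")] += resource["cost"]
    return dict(totals)


if __name__ == "__main__":
    for rid, missing in non_compliant(SAMPLE_RESOURCES).items():
        print(f"{rid}: missing tags {missing}")
    for centre, total in allocate_cost(SAMPLE_RESOURCES).items():
        print(f"{centre:12} {total:8.2f} USD")
```

The `UNALLOCATED` bucket is deliberate: the point of cost allocation is that untagged spend is reported against nobody, so it should show up as its own line rather than vanish into the total.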
Greatest impact on cost
- Data Transfer Out
AWS Support Plans – Developer / Business / Enterprise
- Case response time
  - Enterprise: as little as 15 minutes (business-critical system down: < 15 minutes)
  - Business: as little as 1 hour (production system down: < 1 hour)
  - Developer: as little as 12 hours (system impaired: < 12 hours)
- Architectural guidance
  - Enterprise: consultative review and guidance based on your applications
  - Business: contextual to your use cases
  - Developer: general
- Trusted Advisor checks
  - AWS Basic Support and AWS Developer Support customers get access to 6 security checks (S3 Bucket Permissions, Security Groups – Specific Ports Unrestricted, IAM User, MFA on Root Account, EBS Public Snapshots, RDS Public Snapshots) and 50 service limit checks.
  - AWS Business Support and AWS Enterprise Support customers get access to all 115 Trusted Advisor checks (14 cost optimization, 17 security, 24 fault tolerance, 10 performance, and 50 service limits) and recommendations.
- Chat access to AWS Support Engineers is available at the Business and Enterprise support tiers only.
- Business Support has access to Infrastructure Event Management for an additional fee.
- Enterprise Support only:
  - Concierge Support Team
  - Access to online self-paced labs
  - Technical Account Manager (TAM)
  - Proactive Programs and Self Service
  - Infrastructure Event Management – no additional cost
  - Well-Architected Reviews
  - Access to proactive reviews, workshops, and deep dives
  - Access to Support Automation Workflows with prefixes AWSSupport and AWSPremiumSupport
Disaster Recovery Plan – RPO and RTO
- RPO: Recovery Point Objective (how much data loss, measured in time, is acceptable)
- RTO: Recovery Time Objective (how long the workload may be down)
- Backup and restore (RPO in hours, RTO in 24 hours or less)
- Pilot light (RPO in minutes, RTO in hours): copy of your core workload infrastructure
- Warm standby (RPO in seconds, RTO in minutes): scaled-down but fully functional version
- Multi-region (multi-site) active-active (RPO near zero, RTO potentially zero)
IAM – Resources, Identities, Entities, Principals
- IAM resources: the user, group, role, policy, and identity provider objects stored in IAM. As with other AWS services, you can add, edit, and remove resources from IAM.
- IAM identities: the IAM resource objects used to identify and group. You can attach a policy to an IAM identity. These include users, groups, and roles.
- IAM entities: the IAM resource objects that AWS uses for authentication. These include IAM users and roles.
- Principals: a person or application that uses the AWS account root user, an IAM user, or an IAM role to sign in and make requests to AWS. Principals include federated users and assumed roles.
- Groups are collections of users and have policies attached to them. A group is not an identity and cannot be identified as a principal in an IAM policy.
- Roles are created and then "assumed" by trusted entities and define a set of permissions for making AWS service requests. With IAM roles you can delegate permissions to resources for users and services without using permanent credentials.
IAM policies define permissions for action regardless of the method that you use to perform the operation. For example, if a policy allows the GetUser action, then a user with that policy can get user information from the AWS Management Console, the AWS CLI, or the AWS API.
There are 3 types of policies:
- AWS managed policies: created and administered by AWS.
- Customer managed policies: standalone policies that you create and administer in your own AWS account.
- Inline policies:
  - Embedded within the user, group or role to which it is applied.
  - Strict 1:1 relationship between the entity and the policy.
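To make the "strong identity foundation" principle and the policy evaluation rule concrete, here is an added example of my own (not the post's code and not AWS's evaluation engine). It evaluates a request against the three policy kinds listed above using the precedence IAM documents for identity-based policies: an explicit Deny beats any Allow, and with no matching Allow the request is implicitly denied. The three policy documents are constructed samples that stand in for an AWS managed, a customer managed and an inline policy; `Condition`, `NotAction`/`NotResource`, resource-based policies, permission boundaries and SCPs are deliberately out of scope.

```python
"""Simplified IAM identity-based policy evaluation (added example, not the post's code).

Assumptions (mine): only Effect/Action/Resource are honoured; Condition,
NotAction/NotResource, resource-based policies, permission boundaries and SCPs
are ignored. All policy documents below are constructed samples.
"""
import re


def _as_list(value):
    """IAM allows a single string or object where a list is expected."""
    return [value] if isinstance(value, (str, dict)) else list(value)


def _wildcard_match(patterns, value, ignore_case=False):
    """IAM-style matching: '*' matches any run of characters, '?' exactly one."""
    flags = re.IGNORECASE if ignore_case else 0
    for pattern in _as_list(patterns):
        regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(regex, value, flags):
            return True
    return False


def is_allowed(policies, action, resource):
    """True only if some statement allows the request and none explicitly denies it.
    Precedence: explicit Deny > Allow > implicit deny (the default)."""
    allowed = False
    for policy in policies:
        for st in _as_list(policy["Statement"]):
            if not _wildcard_match(st.get("Action", []), action, ignore_case=True):
                continue                    # action names are case-insensitive
            if not _wildcard_match(st.get("Resource", []), resource):
                continue                    # ARNs are case-sensitive
            if st["Effect"] == "Deny":
                return False                # an explicit deny always wins
            allowed = True
    return allowed


def overly_broad_statements(policy):
    """Least-privilege lint: Sids of Allow statements granting every action on every resource."""
    broad = []
    for st in _as_list(policy["Statement"]):
        if st["Effect"] != "Allow":
            continue
        if "*" in _as_list(st.get("Action", [])) and "*" in _as_list(st.get("Resource", [])):
            broad.append(st.get("Sid", "<no Sid>"))
    return broad


# Constructed samples (not real AWS managed policy documents).
AWS_MANAGED_LIKE_READONLY = {        # shape of a read-only managed policy
    "Version": "2012-10-17",
    "Statement": [{"Sid": "S3Read", "Effect": "Allow",
                   "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}
CUSTOMER_MANAGED_TEAM_WRITE = {     # scoped to one bucket, as a customer managed policy should be
    "Version": "2012-10-17",
    "Statement": [{"Sid": "TeamBucketWrite", "Effect": "Allow",
                   "Action": "s3:PutObject", "Resource": "arn:aws:s3:::team-bucket/*"}]}
INLINE_FINANCE_DENY = {             # inline guard-rail on one principal, written as a single statement
    "Version": "2012-10-17",
    "Statement": {"Sid": "NoFinanceData", "Effect": "Deny", "Action": "s3:*",
                  "Resource": ["arn:aws:s3:::finance-reports", "arn:aws:s3:::finance-reports/*"]}}
ATTACHED = [AWS_MANAGED_LIKE_READONLY, CUSTOMER_MANAGED_TEAM_WRITE, INLINE_FINANCE_DENY]

ADMIN_LIKE = {"Version": "2012-10-17",
              "Statement": [{"Sid": "FullAccess", "Effect": "Allow", "Action": "*", "Resource": "*"}]}

if __name__ == "__main__":
    requests = [("s3:GetObject", "arn:aws:s3:::team-bucket/report.csv"),
                ("s3:PutObject", "arn:aws:s3:::team-bucket/new.csv"),
                ("s3:PutObject", "arn:aws:s3:::other-bucket/new.csv"),
                ("s3:GetObject", "arn:aws:s3:::finance-reports/q1.csv"),
                ("iam:GetUser", "arn:aws:iam::123456789012:user/alice")]
    for action, arn in requests:
        print(f"{action:14} {arn:45} -> {'ALLOW' if is_allowed(ATTACHED, action, arn) else 'DENY'}")
    print("overly broad statements:", overly_broad_statements(ADMIN_LIKE))
```

The evaluation is the same whichever way the request arrives (console, CLI or API), which is the point of the sentence above about `GetUser`; the lint function is the check you would run on customer managed and inline policies before attaching them, since a `*`/`*` Allow is the opposite of a strong identity foundation.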
AWS Snow Family
- For less than 10 terabytes of data between your on-premises data centers and Amazon S3, Snowball might not be your most economical choice.
- Snowcone – up to 8 TB
- Snowball – 50 TB and 80 TB
- Snowball Edge – up to 100 TB
- Snowmobile – up to 100 PB
The AWS Marketplace provides value to buyers in several ways:
- It simplifies software licensing and procurement with flexible pricing options and multiple deployment methods. Flexible pricing options include free trial, hourly, monthly, annual, multi-year, and BYOL.
- Customers can quickly launch pre-configured software with just a few clicks, and choose software solutions in AMI and SaaS formats, as well as other formats.
- It ensures that products are scanned periodically for known vulnerabilities, malware, default passwords, and other security-related concerns.
The benefits of using AWS CloudFormation include:
- CloudFormation allows you to model your entire infrastructure in a text file. This template becomes the single source of truth for your infrastructure. This helps you to standardize infrastructure components used across your organization, enabling configuration compliance and faster troubleshooting.
- AWS CloudFormation provisions your resources in a safe, repeatable manner, allowing you to build and rebuild your infrastructure and applications, without having to perform manual actions or write custom scripts. CloudFormation takes care of determining the right operations to perform when managing your stack, and rolls back changes automatically if errors are detected.
- Codifying your infrastructure allows you to treat your infrastructure as just code. You can author it with any code editor, check it into a version control system, and review the files with team members before deploying into production.
- CloudFormation allows you to model and provision, in an automated and secure manner, all the resources needed for your applications across all regions and accounts.
AWS Trusted Advisor
Best practice recommendations in five categories (115 checks; 7 free):
- cost optimization
- performance
- security
- fault tolerance
- service limits
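The security checks named in the support-plan comparison above ("Security Groups – Specific Ports Unrestricted" among them) are simple enough to reproduce locally against exported rules, which is useful on the Basic and Developer tiers where only a handful of checks are available. The following is an added example of my own, not the post's code and not Trusted Advisor's implementation: the port list is my assumption, not the one the real check uses, and `SAMPLE_SECURITY_GROUPS` is a constructed set of simplified inbound rules.

```python
"""Local version of the idea behind "Security Groups – Specific Ports Unrestricted"
(added example, not the post's code and not Trusted Advisor's).

Assumptions (mine): SENSITIVE_PORTS is my own list; SAMPLE_SECURITY_GROUPS is a
constructed, simplified view of inbound rules (proto, from/to port, CIDR).
"""
import ipaddress

# Assumed list: SSH, RDP, MySQL, PostgreSQL, MSSQL. The real check keeps its own list.
SENSITIVE_PORTS = {22, 3389, 3306, 5432, 1433}

SAMPLE_SECURITY_GROUPS = {
    "sg-0web":     [{"proto": "tcp", "from": 80, "to": 80, "cidr": "0.0.0.0/0"},     # public HTTP: fine
                    {"proto": "tcp", "from": 22, "to": 22, "cidr": "10.0.0.0/8"}],   # SSH from the VPC only
    "sg-0bastion": [{"proto": "tcp", "from": 22, "to": 22, "cidr": "0.0.0.0/0"}],    # SSH open to the world
    "sg-0db":      [{"proto": "tcp", "from": 0, "to": 65535, "cidr": "::/0"}],       # all TCP from any IPv6
    "sg-0all":     [{"proto": "-1", "from": None, "to": None, "cidr": "0.0.0.0/0"}], # "all traffic" rule
}


def is_unrestricted(cidr):
    """0.0.0.0/0 or ::/0, i.e. a prefix length of zero, counts as unrestricted."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def sensitive_ports_in_rule(rule):
    """Which of the sensitive TCP ports fall inside this rule's port range."""
    if rule["proto"] == "-1":            # all protocols, all ports
        return set(SENSITIVE_PORTS)
    if rule["proto"] != "tcp":           # the ports above are TCP services
        return set()
    return {p for p in SENSITIVE_PORTS if rule["from"] <= p <= rule["to"]}


def unrestricted_sensitive_ports(security_groups):
    """Map security group id -> sorted list of sensitive ports reachable from anywhere."""
    findings = {}
    for sg_id, rules in security_groups.items():
        exposed = set()
        for rule in rules:
            if is_unrestricted(rule["cidr"]):
                exposed |= sensitive_ports_in_rule(rule)
        if exposed:
            findings[sg_id] = sorted(exposed)
    return findings


if __name__ == "__main__":
    for sg_id, ports in unrestricted_sensitive_ports(SAMPLE_SECURITY_GROUPS).items():
        print(f"{sg_id}: ports {ports} open to 0.0.0.0/0 or ::/0")
```

Note that `sg-0web` produces no finding even though it has a world-open rule: port 80 is not on the sensitive list and its SSH rule is scoped to a private range, which is exactly the distinction the Trusted Advisor check draws.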
Penetration Testing Permitted Services – CALL REEA
- Amazon RDS
- Amazon CloudFront
- Amazon EC2 instances, NAT Gateways, and Elastic Load Balancers
- Amazon Elastic Beanstalk environments
- Amazon Aurora
- Amazon API Gateways
- AWS Lambda and Lambda@Edge functions
- Amazon Lightsail resources
A full list of Compute Services
- AWS Batch
- Amazon EC2
- Amazon EC2 Auto Scaling
- Amazon Elastic Container Registry
- Amazon Elastic Container Service
- Amazon Elastic Kubernetes Service
- AWS Elastic Beanstalk
- AWS Fargate
- Amazon Lightsail
- AWS Lambda
- AWS Serverless Application Repository
- AWS Outposts
- VMware Cloud on AWS
Sources
- Amazon Web Services Support Features (amazonaws.cn)
- AWS Regional Services (amazon.com)
- Amazon CloudWatch Product Features – Amazon Web Services (AWS)
- What is Amazon Inspector? – Amazon Inspector
- Object Storage Classes – Amazon S3
- Digital Cloud Training notes
I went through the above notes before the exam and they helped me. If they help you, please let me know. Thanks for reading the post.
Update – 11 August 2021: Here is the last part.