AWSome Day Bethesda - February 2019

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
02.05.19
AWSOME DAY
B E T H E S D A

Agenda
8:00AM – 9:00AM
Registration & Ask an AWS Expert
9:00AM – 9:15AM
Welcome
9:15AM – 9:50AM
AWS History and Introduction
9:50AM – 10:45AM
AWS Foundational Services , Part 1
10:45AM – 11:15AM
Break & Ask an AWS Expert
11:15AM – 12:30PM
AWS Foundational Services, Part 2
12:30PM – 1:30PM
Lunch & Ask an AWS Expert
1:30PM – 2:10PM
Security, Identity, and Access Management
2:10PM – 2:55PM
AWS Databases
2:55PM – 3:15PM
3:15PM – 3:55PM
AWS Elasticity & Management Tools
3:55PM – 4:00PM
Closing Remarks

Questions?
Visit the Ask an Expert area or
the Training and Cert booth.
Available at Lunch and Breaks:
• 10:45AM – 11:15AM
• 12:30PM - 1:30PM
• 2:55PM - 3:15PM
• 4:00PM - 4:30PM

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. training and
certification
Presenter Introduction
Heiwad Osman
Technical Trainer

AWSOME DAY

certification
Amazon Web Services (AWS)
ComputeMessaging
Mobile
App Services
Database
Networking
Development and
Management Tools
Payments
VPC
On-Demand Workforce
Analytics Content Delivery
StorageEnable businesses and developers to
use web services to build scalable,
sophisticated applications.

certification
Amazon History
1994: Jeff Bezos
incorporated the
company.
1995:
Amazon.com
launched its
online bookstore.
2005:
Amazon
Publishing
was
launched.
2006:
Amazon
Web Services
(AWS) was
launched.
2007: Kindle
was
launched.
2011:
Amazon
Fresh was
launched.
2012: Amazon
Game Studios was
launched.
2013:
Amazon Art
was
launched.
2014:
Amazon
Prime Now
was
launched.
2015: Amazon
Home Services
and Amazon
Echo were
launched.

certification
AWS Pace of Innovation
AWS offers over 129 fully featured services
for compute, storage, databases, networking,
analytics, machine learning and artificial
intelligence (AI), Internet of Things (IoT),
mobile, security, hybrid, and application
development, deployment, and management.
* As of 31 March 2018
2011
82
722
1,430
280
2013 2015 2017

certification
5,089
AWS Direct
Connect
AWS Elastic Beanstalk
Schema Conversion Tool
AWS Shield EFS
WorkSpaces
Amazon Lumberyard
Amazon
Pinpoint
AWS IoT
AWS Managed Services
Amazon Route 53
AWS OpsWorks for
Chef Automate
Redshift
Dynamo DB
Amazon Polly
AWS
Snowball
AWS Organizations
Device Farm
Amazon Config
Amazon RDS
for Aurora
WorkDocs
AWS
Snowball Edge
CodeCommit
AWS CodePipeline
AWS Service Catalog
CloudWatch Logs
Amazon Lex
AWS Greengrass
Amazon EC2
Systems Manager
AWS WAF
Amazon Appstream 2.0
Amazon
Athena
AWS Glue
Amazon Lightsail
Amazon Rekognition
AWS Step Functions
AWS Discovery
Services
AWS Certificate
Manager
Amazon
ElastiCache
Mobile
Analytics
AWS Mobile Hub
AWS Storage Gateway
AWS OpsWorks
AWS Batch
Amazon Inspector
Amazon Cognito
AWS CodeDeploy
AWS Personal Health Dashboard
AWS Snowmobile
Lambda
* As of 31 March 2018
AWS Codebuild
AWS X-Ray
Amazon QuickSight
Amazon Kinesis Firehose
Amazon
Workmail
Amazon Inspector
Machine Learning

certification
Infrastructure Regions Edge LocationsAvailability Zones
Foundation
Services
Compute
(Virtual, Auto-scaling and
Load Balancing)
Networking
Applications Virtual
Desktops
Collaboration and Sharing
Platform
Services
Databases
Relational
NoSQL
Caching
Analytics
Cluster
Computing
Real-time
Data
Warehouse
Data
Workflows
App Services
Queuing
Orchestration
App Streaming
Transcoding
Email
Search
Deployment and
Management
Containers
Dev/ops Tools
Resource Templates
Usage Tracking
Monitoring and Logs
Mobile Services
Identity
Sync
Mobile Analytics
Notifications
Storage
(Object, Block and Archive)
AWS Cloud Computing

certification
Traditional Infrastructure Amazon Web Services
AWS Core Infrastructure and Services
Security
Network
Security
Network
VPCVPC
ELB
Servers
AMI Amazon EC2 InstancesOn-Premises Servers
Security
Security Groups Network ACLs AWS IAMFirewalls ACLs Administrators
Storage and
Database
RDBMSDAS SAN NAS Amazon
EBS
Amazon
EFS
Amazon
S3
Amazon
RDS
Networking
VPCELBRouter Network Pipeline Switch

certification
AWS Customers
Public Sector
Paving the way for innovation and
supporting world-changing projects
in government, education and
nonprofit organizations.
Startups
From the spark of an idea, to your
first customer, to IPO and beyond, let
Amazon Web Services help you build
and grow your startup.
Enterprise Customers
Amazon Web Services delivers a
mature set of services specifically
designed for the unique security,
compliance, privacy, and governance
requirements of large organizations.

certification
Advantages and Benefits of AWS Cloud Computing
Trade capital expense
for flexible expense.
Benefit from massive
economies of scale.
Eliminate guessing on
your capacity needs.
Go global in minutes.
Increase speed and
agility.
Stop spending money
on running and
maintaining data centers.

certification
A single data center typically houses several thousands of
servers.
All data centers are online.
No data center is “cold”.
AWS custom network equipment:
Multi-ODM sourced.
Amazon custom network protocol stack.
AWS Data Centers
Data center

certification
Each Availability Zone is:
Made up of one or more data centers.
Designed for fault isolation.
Interconnected with other Availability Zones
using high-speed private links.
You choose your Availability Zones.
AWS recommends replicating across AZs
for resiliency.
AWS Availability Zones (AZ)
Availability Zone

certification
Each region is made up of two or
more Availability Zones.
AWS has 20 regions worldwide.
You enable and control data
replication across regions.
Communication between regions
uses AWS backbone network
connections infrastructure.
AWS Regions
AWS Region
Availability Zone
Data center Data center
Availability Zone
Availability Zone

certification
AWS Global Infrastructure Map
# AWS Regions
Availability Zones
Planned Regions
#

certification
AWS Global Infrastructure – Edge Locations
149* Edge Locations in 65 cities
Local points of presence that support AWS services like:
Amazon Route 53
Amazon CloudFront
AWS WAF
AWS Shield
Lambda@Edge
*as of January 2019

certification
AWS Global Infrastructure:
Edge Locations and Regional Edge Caches

Instructor Demo
AWS Management Console

certification
By the end of the day, you’ll understand this
Region: us-east-2
Availability Zone A: us-east-2a
awsome-vpc (10.10.0.0/16)
Availability Zone B: us-east-2b
Public Subnet A (10.0.0.0/24)
internet-gateway
Public Subnet B (10.0.1.0/24)
Private Subnet A (10.0.2.0/23) Private Subnet B (10.0.4.0/23)
web-server
webserver-security-group
my-s3-bucket
webserver-ami
ec2-s3-access-role
Browser
http://IPv4PublicIP
Web Servers
NAT
Gateway A
NAT
Gateway B

Module 2
AWS Foundational Services

certification
Amazon Elastic Compute Cloud (EC2)
Amazon Elastic Block Store (EBS)
Amazon Virtual Private Cloud (VPC)
Demo: Launching a Web Server
Amazon Simple Storage Service (S3)
Demo: Amazon S3
Module 2 Layout

certification
Resizable compute capacity
Complete control of your computing
resources
Reduced time required to obtain and boot
new server instances
Amazon
EC2

certification
Amazon EC2 Facts
Scale capacity as your computing requirements change
Pay only for capacity that you actually use
Choose Linux or Windows
Deploy across AWS Regions and Availability Zones for reliability
Use tags to help manage your Amazon EC2 resources

certification
1. Determine the AWS Region in which you want to launch the
Amazon EC2 instance.
2. Launch an Amazon EC2 instance from a pre-configured Amazon
Machine Image (AMI).
3. Choose an instance type based on CPU, memory, storage, and
network requirements.
4. Configure network, IP address, security groups, storage volume,
tags, and key pair.
Launching an Amazon EC2 Instance

certification
An AMI includes the following:
A template for the root volume for the instance (for example,
an operating system, an application server, and applications).
Launch permissions that control which AWS accounts can use
the AMI to launch instances.
A block device mapping that specifies the volumes to attach
to the instance when it is launched.
Amazon Machine Image (AMI) Details

certification
Instances and AMIs
Select an AMI based on:
Region
Operating system
Architecture (32/64bit x86 or 64-bit ARM)
Launch permissions
Storage for the root device AMI
Instances
Instance
Launch instances
of any type
Host
computer
Host
computer

certification
Online store to discover, purchase, and deploy IT
software on top of the AWS infrastructure.
Catalog of 4,500+ IT software solutions including
Paid, BYOL, Open Source, SaaS, and free-to-try
options.
Pre-configured to operate on AWS.
Software checked by AWS for security and
operability.
Deploys to AWS environment in minutes.
Flexible, usage-based billing models.
Software charges billed to AWS account.
Includes AWS Test Drive.
AWS Marketplace – IT Software Optimized for the Cloud
https://aws.amazon.com/marketplace

certification
OS, Applications,
and Configuration
AMI
Running or
Stopped VM
Instances
AZ
Region
AZ
Instances Instances
Amazon EC2 Instances

certification
Instance Lifecycle
AMI
pending
Launch
runningrebooting
Reboot
Start
terminated
shutting down
Terminate
Terminate
EBS-backed instances only
Stop
stopping stopped
hibernated
Stop-Hibernate

certification
EC2 instance types are optimized for different use cases and
workload requirements and come in multiple sizes.
Consider the following when choosing your instances:
Core count
Memory size
Storage size and type
Network performance
CPU technologies
Choosing the Right Amazon EC2 Instance

certification
Intel Processor Technologies
AWS customers can choose EC2 instances with Intel® Xeon®
processors for high performance.
Intel AVX (AVX, AVX2 and AVX-512) – Highly parallel HPC workloads.
Intel AES-NI – Accelerates encryption/decryption of data.
Intel Turbo Boost Technology – More computing power when you
need it with performance that adapts to spikes in your workload.
Intel Transactional Synchronization (TSX) Extensions – Enable
execution of transactions that are independent to accelerate
throughput.
P state & C state control – Ability to individually tune each cores
performance & sleep states to improve application performance.

certification
C5n Instance Example
c5n.18xlarge offers 72 vCPUs and 192 GiB of memory
Up to 100 Gbps of network bandwidth
3.0 GHz Intel Xeon Platinum processors with Intel Advanced
Vector Extension 512 (AVX-512) instruction set
Run each core at up to 3.5 GHz using Intel Turbo Boost
Technology
Based on the next generation AWS Nitro System
42

certification
Broad Set of Compute Instance Types
General
Purpose
Compute
optimized
Storage and I/O
optimized
GPU- or FPGA-
enabled
Memory
optimized
C5
C5n
M5
M5a
A1
I3
D2
H1
X1
R4
X1e
z1d
P3
P2
G3
F1
Burstable
Performance
T3
T2

certification
On-Demand
Instances
Pay as you go.
Reserved
Instances
Purchase, at a
significant
discount,
instances that
are always
available
1-year to 3-
year terms.
Scheduled
Instances
Purchase
instances that
are always
available on
the specified
recurring
schedule, for a
one-year term.
Spot
Instances
Bid on unused
instances,
which can run
as long as they
are available
and your bid is
above the
Spot price.
Amazon EC2 Purchasing Models
Dedicated
Hosts
Pay for a
physical host
that is fully
dedicated to
running your
instances.
By the instance By the host

certification
Can be passed to the instance at launch.
Can be used to perform common automated configuration
tasks.
Runs scripts after the instance starts.
Instance User Data

certification
You can specify user data when launching an instance.
User data can be:
Linux script – executed by cloud-init
Windows batch or PowerShell scripts – executed by EC2Launch or
EC2Config service
User data scripts run once per instance ID by default.
Adding User Data

certification
#!/bin/sh
yum -y install httpd
chkconfig httpd on
/etc/init.d/httpd start
User Data Example Linux
User data shell scripts must start with the #!
characters and the path to the interpreter you
want to read the script.
Install Apache web server
Enable the web server
Start the web server

certification
<powershell>
Import-Module ServerManager
Install-WindowsFeature web-server, web-webserver
Install-WindowsFeature web-mgmt-tools
</powershell>
User Data Example Windows
Import the Server Manager module for
Windows PowerShell.
Install IIS
Install Web Management Tools

certification
Is data about your instance.
Can be used to configure or manage a running instance.
To get the instance metadata from within a running instance,
use the following URI:
http://169.254.169.254/latest/meta-data/
Instance Metadata
Metadata:
Availability Zone:
us-east-1d
Instance type:
c5.18xlarge
Public IP:
34.234.30.48
Metadata:
Availability Zone:
us-east-1a
Instance type:
i3.2xlarge
Public IP:
52.7.197.98

certification
Other compute services
AWS Lambda
Run your Code in Response to Events
Amazon Elastic Container Service
Run and Manage Docker Containers
Amazon Elastic Container Service for Kubernetes
Run Managed Kubernetes on AWS
AWS Fargate
Run Containers without Managing Servers or Clusters
VMware Cloud on AWS
Build a Hybrid Cloud without Custom Hardware

Block Storage Service

certification
Persistent block level storage volumes offer
consistent and low-latency performance.
Stored data is automatically replicated within
its Availability Zone.
Snapshots are stored durably in Amazon S3.
Amazon
EBS

certification
OS, Applications,
and Configuration
AMI
Running or
Stopped VM
Instances
AZ
VPC
Region
EBS EBS EBS EBS EBS EBS
AZ
Instances Instances
Persistent EC2 Instance storage

certification
Availability Zone B
Amazon EBS volumes are in a single Availability Zone
Volume data is replicated across multiple servers in an Availability Zone.
Availability Zone A
EBS Volume 1 EBS Volume 2
Amazon EBS Scope

certification
Vast amounts of
unused space
Create
Call CreateVolume
1 GiB to 16 TiB
Attach
Call AttachVolume to affiliate with
one Amazon EC2 instance
Attached
and
In Use
• Format from Amazon EC2
instance OS
• Mount formatted drive
CreateSnapshot
Snapshot to
Amazon S3
Detach
Call DetachVolume
Deleted
Call DeleteVolume
Amazon EBS Lifecycle

certification
SSD-backed volumes are
Optimized for transactional workloads that involve frequent
read/write operations with small I/O size.
Dominant in IOPS performance.
HDD-backed volumes are
Optimized for large streaming workloads.
Dominant in throughput (measured in MiB/s).
Amazon EBS Volume Types

certification
EBS is recommended when data must be quickly accessible
and requires long-term persistence.
You can launch your EBS volumes as encrypted volumes –
data stored at rest on the volume, disk I/O, and snapshots
created from the volume are all encrypted.
You can create point-in-time snapshots of EBS volumes,
which are persisted to Amazon S3.
Amazon EBS Facts

certification
Amazon EC2 Instances
OS, Applications
and
Configuration
AMI
Running or
Stopped VM
Instances
AZ
VPC
Region
EBS
EBS Snapshots
EBS EBS EBS EBS EBS
AZ
Instances Instances

certification
Is local, complimentary direct attached block storage.
Includes availability, number of disks, and size based on EC2
instance type.
Is optimized for up to 3.3 million random Read IOPS and
1.4 million Write IOPS. (i3.16xlarge)
Is SSD or HDD.
Has no persistence.
Automatically deletes data when an EC2 instance stops, fails
or is terminated.
Amazon EC2 Instance Store

certification
Amazon EBS
Data stored on an Amazon EBS volume can persist independently of
the life of the instance.
Storage is persistent.
Amazon EC2 Instance Store
Data stored on a local instance store persists only as long as the
instance is running or rebooting.
Storage is ephemeral.
Amazon EBS vs. Amazon EC2 Instance Store

certification
Provision a private, isolated virtual network
on the AWS cloud.
Have complete control over your virtual
networking environment.
Amazon Virtual Private Cloud (VPC)
Amazon
VPC

certification
OS, Applications,
and Configuration
AMI
Running or
Stopped VM
Instances
AZ
VPC
Region
AZ
Instances Instances
EC2 networking with VPC

certification
VPC Example
Availability Zone A
10.0.0.0/16
Availability Zone B
Internet Customer
Network

certification
A VPC resides within a single Region
A subnet defines a range of IP addresses within your VPC.
Each subnet must reside entirely within one Availability Zone
and cannot span zones.
You can launch AWS resources into a subnet that you select.
A public subnet (DMZ) should be used for resources that will
be accessed directly over the Internet.
VPC and Subnets

certification
Public Subnet Example
Public Subnet 2 (10.0.1.0/24)Public Subnet 1 (10.0.0.0/24)
Availability Zone A
10.0.0.0/16
Availability Zone B
Internet Customer
Network

certification
Availability Zone A
10.0.0.0/16
Availability Zone B
Instance in Public Subnet Example
Web Server
Internet Customer
Network

certification
An Internet Gateway allows communication to and from the
Internet
VPC and Gateways

certification
Availability Zone A
10.0.0.0/16
Availability Zone B
Internet
Gateway
Internet Gateway Example
Internet Customer
Network
Web Server
Region – US East (Ohio)

certification
A VPC resides within a single Region
A subnet defines a range of IP addresses within your VPC.
Each subnet must reside entirely within one Availability Zone
and cannot span zones.
You can launch AWS resources into a subnet that you select.
A public subnet (DMZ) should be used for resources that will
be accessed over the Internet.
A private subnet should be used for resources that won’t be
accessible over the Internet.
VPC and Subnets

certification
Availability Zone A
10.0.0.0/16
Availability Zone B
Internet
Gateway
Private Subnet Example
Internet Customer
Network
Web Server
Private Subnet 2 (10.0.4.0/23)Private Subnet 1 (10.0.2.0/23)

certification
Availability Zone A
10.0.0.0/16
Availability Zone B
Internet
Gateway
Instance in Private Subnet Example
Internet Customer
Network
Web Server
App Server

certification
Internet
A NAT Gateway enables instances in the private subnets to
initiate outbound traffic to the Internet
VPC and Gateways

certification
Availability Zone A
10.0.0.0/16
Availability Zone B
Internet
Gateway
NAT Gateway Example
Internet Customer
Network
Web Server
App Server
NAT
Gateway
NAT
Gateway

certification
Availability Zone A
10.0.0.0/16
Availability Zone B
Internet
Gateway
Instance in Private Subnet Example
Internet Customer
Network
Web Server
App Server
NAT
Gateway
NAT
Gateway

certification
Internet
A NAT Gateway enables instances in the private subnets to
initiate outbound traffic to the Internet
A Virtual Private Gateway enables access to and from your
remote network
Hardware VPN
Direct Connect
VPC and Gateways

certification
Availability Zone A
10.0.0.0/16
Availability Zone B
Internet
Gateway
Virtual Private Gateway Example
Internet Customer
Network
Web Server
App Server
NAT
Gateway
NAT
Gateway
Virtual Private
Gateway

certification
Availability Zone A
10.0.0.0/16
Availability Zone B
Internet
Gateway
Instance to Customer Network Example
Internet Customer
Network
Web Server
App Server
NAT
Gateway
NAT
Gateway
Virtual Private
Gateway

certification
AWS Multi-Tier Security Groups
www server
www server
www server
app server
app server
app server
DBTier
security group
db server
db server
db server
Internet
HTTP/S API port 8080 SQL port 3306
(all other ports are blocked)
WebTier
security group
AppTier
security group

certification
Internet Gateway
Route Table
Network access
control lists (ACLs)
Security groups
EC2 Key Pairs
Security in Your VPC
Subnet
10.0.1.0/24
Internet Gateway
VPC Router
10.0.0.0/16
Security
Group
Security
Group
Network ACL Network ACL
Routing Table Routing Table
Subnet
10.0.0.0/24
Security
Group
Security
Group
instance instance instance instance

certification
Security Groups
Stateful Firewall for an EC2 Instance
Network ACLs:
Optional Stateless Firewall for a Subnet
Layered Security
Security Group
Subnet Routing
Network ACLs
VPC
Instance

Instructor Demo
Launch a Web Server

certification
What We’re Starting With
Availability Zone A
Public Subnet 2 (10.0.1.0/24)
10.0.0.0/16
Availability Zone B
Private Subnet 2 (10.0.4.0/23)
Internet
Gateway

certification
Internet
Gateway
Launch a Web Server
Availability Zone A
10.0.0.0/16
Web Server 1
Availability Zone B
security group
Configure a new
security group
(WebSecurityGroup)

certification
Internet
Gateway
Launch a Web Server
Availability Zone A
10.0.0.0/16
Availability Zone B
security group
Web Server 1
Launch a new web
server Instance

certification
Launch a Web Server
Availability Zone A
Web Server 1
10.0.0.0/16
security group
Availability Zone B
Internet
Gateway

Object Storage Service
Amazon S3

certification
Storage for the Internet
Natively online, HTTP/S access
Storage that allows you to store and retrieve
any amount of data, any time, from anywhere
on the web
Highly scalable, reliable, fast and durable
Amazon Simple Storage Service (S3)
Amazon S3

certification
Amazon
S3
Bucket
with
Objects
Bucket
Object
Amazon S3 Concepts
Amazon S3 stores data as objects
within buckets
An object is composed of a file and
optionally any metadata that
describes that file
You control access to the bucket and
its objects

certification
An object key is the unique identifier for an object in a bucket.
Object Keys
http://doc.s3.amazonaws.com/2018-06-07/photo.gif
Bucket Object Key

certification
Storage and backup
Application file hosting
Media hosting
Software delivery
Store AMIs and snapshots
Common Use Scenarios

certification
Can store an unlimited number of objects in a bucket
Objects can be up to 5 TB; no bucket size limit
Designed for 99.999999999% durability and 99.99%
availability of objects over a given year for S3 Standard
Can use HTTP/S endpoints to store and retrieve any amount
of data, at any time, from anywhere on the web
Can use optional server-side encryption using AWS or
customer-managed provided client-side encryption
Auditing is provided by access logs
Amazon S3 Facts

certification
OS, Applications,
and Configuration
AMI
Running or
Stopped VM
Instances
AZ
VPC
Region
EBS EBS EBS EBS EBS EBS
AZ
Instances Instances
S3 Data is stored within the AWS Region
S3
EBS
Snapshots
S3 Buckets

certification
Amazon S3 creates a bucket in the region you select.
You can choose a region to:
Optimize latency
Minimize costs
Address regulatory requirements
Objects stored in a region never leave the region unless you
explicitly transfer them to another region.
Amazon S3 Region Considerations

certification
You can control access to buckets and objects with:
Access Control Lists (ACLs)
Bucket policies
Identity and Access Management (IAM) policies
You can upload or download data to Amazon S3 via SSL/TLS
encrypted endpoints.
You can encrypt data Client-Side and/or Server-Side.
Amazon S3 Security

certification
Protects from accidental overwrites and deletes with no
performance penalty.
Generates a new version with every upload.
Allows easily retrieval of deleted objects or roll back to previous
versions.
Two states of an Amazon S3 bucket
Versioning-suspended
Versioning-enabled
Amazon S3 Versioning
Versioning Enabled
Key: photo.gif
ID: 121212
Key: photo.gif
ID: 111111

certification
Pay only for what you use
No minimum fee
Estimate monthly bill using the AWS Simple Monthly
Calculator (https://calculator.s3.amazonaws.com/index.html)
Pricing is available as:
Storage Pricing
Request Pricing
Data Transfer Pricing: data transferred out of Amazon S3
Amazon S3 Pricing

certification
Lifecycle management defines how Amazon S3 manages objects during
their lifetime.
Some objects might have a well-defined lifecycle:
Log files
Archive documents & digital media
Financial and healthcare records
Raw genomics sequence data
Long-term database backups
Data that must be retained for regulatory compliance
Amazon S3 Object Lifecycle

certification
S3 Lifecycle policies allow you to delete or move
objects based on age and set rules per S3 bucket.
Amazon S3 + Amazon Glacier
bucket with
objects
30 Days
Glacier
archive
365 Days

certification
Storage Class Durability Availability Other Considerations
Amazon S3 Standard 99.999999999% 99.99%
• For frequently accessed data
Amazon S3 Standard -
Infrequent Access (IA)
99.999999999% 99.9%
• For infrequently accessed data
• Retrieval fee associated with objects
Intelligent Tiering
99.999999999%
99.9%
• Data with changing or unknown access patterns
• Monitoring and automation fees per object apply.
No retrieval fees.
One Zone-IA 99.999999999% 99.5%
• Infrequently accessed data
• No physical AZ lost resiliency
Amazon S3 Storage Classes

certification
Long term low-cost archiving service
Optimal for infrequently accessed data
Designed for 99.999999999% durability
Retrieval time:
Expedited: 1 – 5 minutes
Standard: 3 – 5 hours
Bulk: 5 – 12 hours
Amazon Glacier

certification
Storage Class Durability Availability Other Considerations
Amazon S3 Standard 99.999999999% 99.99%
• For frequently accessed data
Amazon S3 Standard -
Infrequent Access (IA)
99.999999999% 99.9%
• For infrequently accessed data
Intelligent Tiering
99.999999999%
99.9%
• Data with changing or unknown access patterns
• Monitoring and automation fees per object apply.
No retrieval fees.
One Zone-IA 99.999999999% 99.5%
• Infrequently accessed data
• No physical AZ lost resiliency
Glacier
99.999999999%
N/A
• Long term data archiving
• Per GB retrieval fees apply.
• 99.99% availability once restored
Amazon S3 + Glacier

certification
Amazon EBS Amazon S3
Paradigm Block storage with file system Object store
Performance Very fast Fast
Redundancy Across multiple servers in an
Availability Zone
Across multiple facilities in a
Region
Security EBS Encryption – Data
volumes and Snapshots
Encryption
Direct Access from
the Internet?
No Yes
(with proper credentials or ACL)
Typical use case It is a disk drive Online storage
Amazon EBS and Amazon S3

Module 3
Security, Identity, and Access
Management

certification
CustomerAWS
Customer Data
Platform, Applications, Identity and Access Management
Operating System, Network, and Firewall Configuration
Client-Side Data Encryption and
Data Integrity Authentication
Server-Side Encryption (File System
and Data)
Network Traffic Protection
(Encryption/Integrity/Identity)
Compute Storage Database Networking
Edge Locations
Regions
Availability Zones
AWS Global
Infrastructure
Responsible For
Security “IN” The
Cloud
Responsible For
Security “OF” The
Cloud
Shared Responsibility ModelShared Responsibility Model

certification
24/7 trained security staff
AWS data centers in nondescript and
undisclosed facilities
Two-factor authentication for authorized
staff
Authorization for data center access
Physical Security

certification
Automated change-control process
Bastion servers that record all access attempts
Firewall and other boundary devices
AWS monitoring tools
Hardware, Software, and Network

certification
Assurance Programs

certification
Network Security
VPC
Secure Transmission
Use secure endpoints
to establish secure
communication
sessions (HTTPS).
Instance Firewalls
Use security groups
to configure firewall
rules for instances.
Security Groups
Network Control
Use public and
private subnets, NAT,
and VPN support in
your virtual private
cloud to create low-
level networking
constraints for
resource access.
SSL EndpointsSSL Endpoints

certification
AWS Identity and Access Management (IAM)
AWS IAM
3
Manage federated users
and their permissions
2
Manage AWS IAM roles
and their permissions
1
Manage AWS IAM users
and their access

certification
AWS Management Console:
User Name and Password
AWS IAM Authentication
IAM User

certification
AWS CLI or SDK API:
Access Key and Secret Key
AWS IAM Authentication
Access Key ID: AKIAIOSFODNN7EXAMPLE
Secret Access Key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Java Python .NET
AWS SDK & APIAWS CLI
IAM User

certification
AWS IAM User Management - Groups
User D
DevOps Group
User C
AWS Account
Admin Group
User BUser A

certification
Authorization
Policies:
Are JSON documents to describe permissions.
Are assigned to users or groups.
AWS IAM Authorization
IAM User IAM Group

certification
AWS IAM Policy Elements{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1453690971587",
"Action": [
"ec2:Describe*",
"ec2:StartInstances",
"ec2:StopInstances”
],
"Effect": "Allow",
"Resource": "*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "54.64.34.65/32”
}
}
},
{
"Sid": "Stmt1453690998327",
"Action": [
"s3:GetObject*”
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::example_bucket/*”
}
]
}
IAM Policy

certification
AWS IAM Policy Assignment
IAM User
IAM Group
IAM Roles
Assigned Assigned
Assigned
IAM Policy

certification
An IAM role uses a policy.
An IAM role has no associated credentials.
IAM users, applications, and services may assume IAM
roles.
AWS IAM Roles
IAM Roles

certification
AWS IAM Policy Assignment
IAM User
IAM Group
IAM Roles
Assigned Assigned
Assigned
IAM Policy
IAM User
Assumed Assumed
AWS Resources

certification
Python application hosted on an Amazon EC2 Instance
needs to interact with Amazon S3.
AWS credentials are required:
Option 1: Store AWS Credentials on the Amazon EC2 instance.
Option 2: Securely distribute AWS credentials to AWS Services
and Applications.
Example: Application Access to AWS Resources
IAM Roles

certification
AWS IAM Roles - Instance Profiles
Amazon EC2
App &
EC2 MetaData Service
http://169.254.169.254/latest/meta-data/iam/security-credentials/rolename
Amazon S3
1
2
3
4
Create Instance
SelectIAMRole
ApplicationinteractswithS3

certification
AWS IAM Roles – Assume Role
IAM Restricted Policy
IAM User A-1
AWS Account A
IAM Admin RoleIAM Admin Policy
Assigned
Assume
Assigned
1
2
IAM User B-1
AWS Account B
Amazon S3
Assume
4
Access
53
Access
1

certification
Application Authentication
AWS IAM Application
No Support No Support
OS

certification
Authentication
AWS Management Console
User Name and Password
AWS CLI or SDK API
Access Key and Secret Key
Authorization
Policies
AWS IAM Authentication and Authorization
IAM User IAM Group
IAM Roles
IAM Policy

certification
Records AWS API calls for accounts.
Delivers log files with information to an Amazon S3
bucket.
Logs calls made using the AWS Management Console,
AWS SDKs, AWS CLI and higher-level AWS services.
AWS CloudTrail
AWS CloudTrail Amazon S3 Bucket
Logs

certification
Delete AWS account (root) access keys.
Create individual IAM users.
Use groups to assign permissions to IAM users.
Grant least privilege.
Configure a strong password policy.
Enable MFA for privileged users.
Use roles for applications that run on Amazon EC2
instances.
Delegate by using roles instead of by sharing credentials.
AWS IAM Best Practices

until 3:30PM

certification
AWS Managed Database Services
Compute Storage
AWS Global Infrastructure
Database
App Services
Deployment and Administration
Networking
Amazon DynamoDB
Amazon ElastiCache
Amazon RDS
Amazon Redshift
Amazon Neptune
Amazon DocumentDB

certification
No one size fits all.
Analyze your data requirements by considering:
Data formats
Data size
Query frequency
Data access speed
Data retention period
Data Storage Considerations

certification
Cost-efficient and resizable capacity
Manages time-consuming database administration tasks
Access to the full capabilities of Amazon Aurora, MySQL,
MariaDB, Microsoft SQL Server, Oracle, and PostgreSQL
databases
Deployable on-premises on Vmware (in preview)
Amazon Relational Database Service (RDS)
Amazon
RDS

certification
Simple and fast to deploy
Manages common database administrative tasks
Compatible with your applications
Fast, predictable performance
Simple and fast to scale
Secure
Cost-effective
Amazon RDS

certification
DB Instances are the basic building blocks of Amazon
RDS.
They are an isolated database environment in the
cloud.
They can contain multiple user-created databases.
DB Instances

certification
Automatic Backups:
Restore your database to a
point in time.
Are enabled by default.
Let you choose a retention
period up to 35 days.
Manual Snapshots:
Let you build a new database
instance from a snapshot.
Are initiated by the user.
Persist until the user deletes
them.
Are stored in Amazon S3.
How Amazon RDS Backups Work

certification
Are a copy of a database
snapshot stored in a
different AWS Region.
Provide a backup for disaster
recovery.
Can be used as a base for
migration to a different
region.
Cross-Region Snapshots

certification
Use IAM policies to grant access to RDS resources.
Use Security Groups.
Use Secure Socket Layer (SSL) connections with DB instances (Amazon
Aurora, Oracle, MySQL, MariaDB, PostgreSQL, Microsoft SQL Server).
Use RDS encryption to secure instances and snapshots at rest.
Use network encryption and transparent data encryption (TDE) with
Oracle DB and Microsoft SQL Server instances.
Use security features of your DB engine to control access to DB instance.
Amazon RDS Security

certification
A Simple Application Architecture
Amazon RDS database
instance
Amazon EC2 Application
Servers
DB snapshots in
Amazon S3

certification
With Multi-AZ operation, your database is synchronously
replicated to another Availability Zone in the same AWS
Region.
Failover to the standby automatically occurs in case of master
database failure.
Planned maintenance is applied first to standby databases.
Multi-AZ RDS Deployment

certification
A Resilient, Durable Application Architecture
Amazon RDS database instances:
Master and Multi-AZ standby
Application, in Amazon
EC2 instances
DB snapshots in
Amazon S3

certification
Monitor your memory, CPU, and storage usage.
Use Multi-AZ deployments.
Enable automatic backups.
Set the backup window to occur during the daily low in WriteIOPS.
To increase the I/O capacity of a DB instance:
Migrate to a DB instance class with high I/O capacity.
Convert from standard storage to provisioned IOPS storage and use a DB instance
class optimized for provisioned IOPS.
Provision additional throughput capacity (if using provisioned IOPS storage).
Test failover for your DB instance.
Amazon RDS Best Practices

Instructor Demo (Part 1)
Build a database cluster

certification
Availability Zone A
Web Server 1
10.0.0.0/16
security group
Availability Zone B
Internet
Gateway

certification
Build a Database Cluster
Availability Zone A
10.0.0.0/16
security group
Availability Zone B
Internet
Gateway
RDS DB SecondaryRDS DB Master
Web Server 1
Create a security
group for the RDS
instances
security group security group

certification
security group security group
Build a Database Cluster
Availability Zone A
10.0.0.0/16
security group
Availability Zone B
Internet
Gateway
Web Server 1
RDS DB SecondaryRDS DB Master
Deploy Amazon RDS
in a multi-AZ
configuration

certification
Allows you to store any amount of data with no limits.
Provides fast, predictable performance using SSDs.
Allows you to easily provision and change the request
capacity needed for each table.
Is a fully managed, NoSQL database service.
Amazon DynamoDB
Amazon
DynamoDB

certification
DynamoDB Data Model
Table:
Music
Items
Attributes (name-value pairs)
Artist Song
Title
Album
Title
Year Genre

certification
Primary Keys
Partition Key
Sort Key
Table: Music
Partition Key: Artist
Sort Key: Song Title
Table:
Music
Artist Song
Title
Album
Title
Year Genre

certification
Query:
Query a table using the partition key and an optional sort key filter.
If the table has a secondary index, query using its key.
It is the most efficient way to retrieve items from a table or
secondary index.
Scan:
You can scan a table or secondary index.
Scan reads every item – slower than querying.
Supported Operations

certification
You specify how much provisioned throughput
capacity you need for reads and writes with optional
auto-scaling.
Alternatively, use on-demand capacity mode
Amazon DynamoDB allocates the necessary machine
resources to meet your needs.
Provisioned Throughput

certification
Architecture
Elastic Load
Balancing Amazon EC2
application
instances
Clients
Amazon
DynamoDB
Business logic

certification
Amazon RDS and Amazon DynamoDB
Factors Relational (Amazon RDS) NoSQL (Amazon DynamoDB)
Application Type
Existing database apps
Business process–centric apps
New web-scale applications
Large number of small writes and reads
Application
Characteristics
Relational data models,
transactions
Complex queries, joins, and
updates
Simple data models, transactions
Range queries, simple updates
Scaling
Application or DBA–architected
(clustering, partitions, sharding)
Seamless, on-demand scaling based on
application requirements
QoS
Performance–depends on data
model, indexing, query, and
storage optimization
Reliability and availability
Durability
Performance–Automatically optimized by
the system
Reliability and availability
Durability

certification
If You Need Consider Using
A relational database
service with minimal
administration
Amazon RDS
Choice of Amazon Aurora, MySQL, MariaDB, Microsoft SQL Server, Oracle, or
PostgreSQL database engines
Scale compute and storage
Multi-AZ availability
A fast, highly scalable
NoSQL database service
Amazon DynamoDB
Extremely fast performance
Seamless scalability and reliability
Low cost
A database you can
manage on your own
Your choice of AMIs on Amazon EC2
and EBS that provide scaling for compute and
storage, complete control over instances, and more.
Database Considerations

Instructor Demo (Part 2)
Interact with the database using an
application

certification
Build a Database Cluster and Connect to It
Availability Zone A
10.0.0.0/16
security group
Availability Zone B
Internet
Gateway
RDS DB Secondary
security group
RDS DB Master
security group
Web Server 1
Navigate to the Web
Server and configure
the ODBC connection

certification
Build a Database Cluster and Connect to It
Availability Zone A
10.0.0.0/16
security group
Availability Zone B
Internet
Gateway
RDS DB Secondary
security group
RDS DB Master
security group
Web Server 1

Module 5
AWS Elasticity and Management Tools

certification
Latency
Utilization
CloudWatch
Elastic Load
Balancing
Auto Scaling group
Execute AS Policy
Trio of Services
EC2 Auto Scaling

certification
Distributes traffic across multiple EC2 instances, in
multiple Availability Zones
Supports health checks to detect unhealthy Amazon
EC2 instances
Supports the routing and load balancing of HTTP,
HTTPS, SSL, and TCP traffic to Amazon EC2 instances
Elastic Load Balancing
Elastic Load
Balancing

certification
Elastic Load Balancing types
Application Load Balancer
(ALB)
• Flexible application management
• Advanced load balancing of HTTP
and HTTPS traffic
• Operates at the request level
(layer 7)
Network Load Balancer
(NLB)
• Extreme performance and static IP
for your application
• Load balancing of TCP traffic
• Operates at the connection level
(Layer 4)
Classic Load Balancer
(CLB)
PREVIOUS GENERATION
for HTTP, HTTPS, and TCP
• Existing application that was built
within the EC2-Classic network
• Operates at both the request level
and connection level
HTTP
HTTPS
TCP

certification
Register instances as
targets in a target group,
and route traffic to a
target group.
Application Load Balancer
Target Group /mobile
load balancer
Listener ListenerRule Rule Rule
Target Group Target Group /api
Target Target Target Target Target Target Target
Health
Check
Health
Check
Health
Check

certification
Register instances as
targets in a target group,
and route traffic to a
target group based on
port.
Network Load Balancer
load balancer
Listener :80
Target Group
Target Target
Health
Check
Listener :443
Target Group
Target Target
Health
Check

certification
A monitoring service for AWS cloud resources and the
applications you run on AWS
Visibility into resource utilization, operational
performance, and overall demand patterns
Custom application-specific metrics of your own
Accessible via AWS Management Console, APIs, SDK,
or CLI
Amazon CloudWatch
Amazon
CloudWatch

certification
Collects metrics from other AWS resources
View graphics and statistics
Set and Trigger Alarms
Collect Logs
Amazon CloudWatch Facts

certification
CloudWatch Metrics Examples

certification
Amazon CloudWatch Architecture
AWS resources
that support
CloudWatch
Amazon
CloudWatch
Amazon
CloudWatch
Alarm
Auto Scaling
Available
Statistics
Statistics
Consumer
AWS Management
Console
CloudWatch Metrics
CPUUtilization
StatusCheckFailed
Custom
Application-
Specific Metrics
PageViewCount

certification
Scale your Amazon EC2 capacity automatically
Well-suited for applications that experience variability
in usage
Available at no additional charge
EC2 Auto Scaling
Auto
Scaling

certification
EC2 Auto Scaling Benefits
Better Cost
Management
Better
Availability
Better Fault
Tolerance

certification
EC2 Auto Scaling Components
Auto Scaling GroupLaunch Configuration Scaling Plan

certification
A launch configuration is a template that an Auto Scaling group uses to
launch EC2 instances.
When you create a launch configuration, you can specify:
AMI ID
Instance type
User data
Block device mapping
Security groups
Key pair
EC2 Auto Scaling Launch Configurations

certification
Contain a collection of EC2 instances that share similar
characteristics.
Instances in an Auto Scaling group are treated as a logical
grouping for the purpose of instance scaling and
management.
EC2 Auto Scaling Groups
Auto Scaling group
Minimum size
Desired capacity
Maximum size
Scale out as needed

certification
Auto Scaling
Minimum
Health Check
monitors
running
instances within
an Auto Scaling
group.
If an unhealthy
instance is
found, it can be
replaced.
Manual Scaling
Specify a new
minimum for
your Auto
Scaling group.
Manually invoke
Auto Scaling
policies.
Scheduled
Scaling
Scaling
functions are
performed as a
function of time
and date.
On Demand
Scaling
Create a policy
to scale your
resources.
Define when to
scale using
CloudWatch
Alarms.
Predictive
Scaling
Automatically
forecast load
Proactively
schedule
capacity
EC2 Auto Scaling

certification
EC2 Auto Scaling Basic Lifecycle
instances
Auto Scaling group
Scale Out
Amazon CloudWatch
Scheduled Event
Scale In
Amazon CloudWatch
Scheduled Event
Launch Instance
Attach to Group
Detach from
Group
Terminate
Instance X

certification
Monitors your applications and adjusts capacity
Build scaling plans for resources including:
Amazon EC2 instances and Spot Fleets
Amazon ECS tasks
Amazon DynamoDB tables and indexes
Amazon Aurora Replicas
Amazon EC2 Auto Scaling is part of AWS Auto Scaling
AWS Auto Scaling

Instructor Demo
Scale and Load Balance the
Architecture

certification
Availability Zone A
10.0.0.0/16
security group
Availability Zone B
Internet
Gateway
RDS DB Secondary
security group
RDS DB Master
security group
Web Server 1

certification
Scale and Load Balance the Architecture
Availability Zone A
10.0.0.0/16
security group
Availability Zone B
Internet
Gateway
RDS DB
Secondary
security group
RDS DB
Master
security group
Application
Load Balancer
Web Instance Web Instance
security group
Web Server 1
Create an AMI
image from an
existing instance

certification
Availability Zone A
10.0.0.0/16
security group
Availability Zone B
Internet
Gateway
RDS DB
Secondary
security group
RDS DB
Master
security group
Application
Load Balancer
security group
Web Server 1
Deploy an Application
Load Balancer

certification
Availability Zone A
10.0.0.0/16
security group
Availability Zone B
Internet
Gateway
RDS DB
Secondary
security group
RDS DB
Master
security group
Application
Load Balancer
security group
Web Server 1Configure a Launch
Configuration and Auto
Scaling Group

certification
Availability Zone A
10.0.0.0/16
security group
Availability Zone B
Internet
Gateway
RDS DB
Secondary
security group
RDS DB
Master
security group
Application
Load Balancer
security group
Web Server 1
Test and
monitor your
Auto Scaling
Group
Application
Load Balancer

certification
Availability Zone A
10.0.0.0/16
security group
Availability Zone B
Internet
Gateway
RDS DB
Secondary
security group
RDS DB
Master
security group
Application
Load Balancer
security group
Web Server 1Application
Load Balancer

certification
Best practice and recommendation engine.
Provides AWS customers with performance and
security recommendations in four categories:
Cost optimization
Security
Fault tolerance
Performance improvement.
AWS Trusted
Advisor
AWS Trusted Advisor

certification
AWS Trusted Advisor?
A service providing guidance to help you reduce cost,
increase performance, and improve security

certification
Trusted Advisor: Core vs. Full
Core Checks and Recommendations
(included)
• Seven core checks around
security and performance
• Service Limits
Full Trusted Advisor Benefits
(With Business or Enterprise support)
• Full set of checks
• Notifications
• Programmatic Access via API

certification
Cost Optimization
Amazon EC2 Reserved Instance Optimization
Low-utilization Amazon EC2 Instances
Idle load balancers
Underutilized Amazon EBS volumes
Amazon RDS idle DB instances
Amazon EC2 Reserved Instance Lease Expiration

certification
Security
Security groups – Unrestricted Access
AWS IAM use
Amazon S3 bucket permissions
MFA on Root Account
AWS IAM password policy
Amazon RDS security group access risk

certification
Fault Tolerance
Amazon EBS Snapshots
Load balancer optimization
Auto Scaling Group Resources
Amazon RDS Multi-AZ
Amazon RDS Backups
ELB connection draining

certification
Performance Improvement
High-utilization Amazon EC2 instances
Service limits
Large number of rules in EC2 security group
Overutilized Amazon EBS Magnetic volumes
Amazon EC2 to EBS throughput optimization

certification
Support Comparison
Basic Developer Business Enterprise
Customer Service and
Communities
24x7 access to
customer service, documentation,
whitepapers, and
support forums
24x7 access to
whitepapers, and
support forums
24x7 access to
whitepapers, and
support forums
24x7 access to
whitepapers, and
support forums
Best
Practices
Access to 7 core
Trusted Advisor checks
Access to 7 core
Access to full set of
Access to full set of
Technical
Support
Business hours access
to Cloud Support Associates
via email
24x7 access
to Cloud Support Engineers
via email, chat & phone
24x7 access
to Sr. Cloud Support Engineers
via email, chat & phone
Case Severity/
Response Times
Production system impaired:
< 4 hours
Production system down:
< 1 hour
Production system impaired:
< 4 hours
Production system down:
< 1 hour
Business-critical system down:
< 15 minutes
Pricing Included Starts at $29 per month Starts at $100 per month Starts at $15k per month

certification
Expand Your Cloud Skills with AWS
aws.amazon.com/certificationaws.training aws.amazon.com/training
Digital Training
Free, self-paced
online courses
built by AWS
experts
Classroom Training
Classes taught by
accredited AWS
instructors
AWS Certification
Exams to validate
expertise with an
industry-recognized
credential

certification
AWS ILT Training Courses
204
AWS Technical Essentials
1 day
Architecting on AWS
3 days
Developing on AWS
3 days
Systems Operations on AWS
3 days
Big Data on AWS
3 days
Advanced Architecting on AWS
3 days
DevOps Engineering on AWS
3 days
Security Operations on AWS
3 days
Migrating to AWS
2 days
Data Warehousing on AWS
3 days
https://aws.training

certification
AWS Certification
205

certification
A Scalable Architecture
Availability Zone A
10.0.0.0/16
Availability Zone B
Internet
Gateway
RDS DB
Secondary
security group
RDS DB
Master
security group
Application
Load Balancer
security group

Thank you!
AWSOME DAY
Heiwad Osman

AWSome Day Bethesda - February 2019

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a AWSome Day Bethesda - February 2019

Similar a AWSome Day Bethesda - February 2019 (20)

Más de Amazon Web Services

Más de Amazon Web Services (20)

AWSome Day Bethesda - February 2019