AWS Cloud Practitioner (ACP) CLS-C01 Cheat Sheet

9/30/2022

The Amazon AWS Cloud Practitioner (ACP) certification requires learning the basics of the AWS service suite (over 200 services!), fundamental AWS pricing, and cloud architecture best practices such as high-availability architectures, hybrid on-prem/cloud, and disaster recovery. Here are my study notes that may serve as a "cheat sheet" for others preparing for this exam.
Useful AWS Cloud Practitioner (ACP) Study Material:
  • AWS Cloud Practitioner Preparatory Notes
  • The 6 Pillars of the AWS Well-Architected Framework
  • AWS Solutions Architect Associate (SAA-C03) Cheat Sheet

EC2: Elastic Compute Cloud, a highly configurable server (CPU, memory, network, OS)
  • EC2 is an Infrastructure-as-a-Service (IaaS) solution
  • An EC2 instance is ephemeral and deleted when stopped
  • a golden image is a snapshot of a resource's configured state
  • can host a static website, but not a dynamic website, because it can't allow server-side scripting
  • on an EC2 instance you are mainly charged for compute uptime and the amount of data provisioned

Instance Purchasing Options
  • On-Demand Instances - the default option, for short-term ad-hoc requirements where the job can't be interrupted
  • On-Demand Capacity Reservations - the only way to reserve capacity for blocks of time such as 9am-5pm daily
  • Spot Instances - highest discount potential (50-90%) but no commitment from AWS; can be terminated with 2 minutes' notice. Suitable for grid and high-performance computing.
  • Reserved Instances - for long-term workloads, 1 or 3 year commitment in exchange for a 40-60% discount
  • Dedicated Instances - run on hardware dedicated to 1 customer (more $$)
  • Dedicated Host - fully dedicated and physically isolated server. Lets you use your server-bound software licenses (e.g. IBM, Oracle), addresses compliance and regulatory requirements, and can potentially reduce cost (note: billing is per hour, not per instance)
  • Bare metal EC2 instance - for when the workload needs access to the hardware feature set (e.g. Intel hardware)

REGIONS AND AVAILABILITY ZONES
  • AWS Regions are large and widely dispersed into separate geographic locations.
  • Availability Zones (AZs) are distinct locations within a Region that are engineered to be isolated from failures in other Availability Zones.
    • each AZ is a data centre or group of data centres
    • each AZ is isolated, but AZs in a Region are connected via low-latency links
    • each AZ is fed from a different power grid and has redundant power

HORIZONTAL SCALING, HIGH AVAILABILITY, FAULT TOLERANCE, DISASTER RECOVERY
  • Horizontal scaling: if you have a big workload, you can use multiple AWS instances. This is preferred to vertical scaling where you would have to stop an instance, add CPU/RAM/etc to it, then restart it. Horizontal scaling is also called "scaling out".
  • A high availability cluster can be achieved by using multiple EC2 instances that act as a single server to provide continuous uptime. These instances will have access to the same shared storage for data, so if one is unavailable, the other instances pick up the load. This structure is said to be fault tolerant because it allows for instances to be unavailable at times (e.g. in the case of a data centre power failure) and still continue running.
  • Availability Zones (AZs) within a Region are the key to achieving high availability and fault tolerance, by synchronously replicating data and automating failover. In the event of a failure, Elastic IP addresses can be re-mapped between EC2 instances across AZs.
  • EC2 Auto-Scaling Group (ASG) can launch and remove EC2 instances automatically. It can be configured with different policies:
    • predictive scaling uses daily and weekly trends to scale
    • scheduled scaling allows you to set up your own schedule for predictable loads
    • step scaling launches resources in response to demand
    • target tracking scaling tries to keep resource utilization at a constant value (like cruise control!)
  • Elastic Load Balancers (ELBs) can distribute requests to different EC2 instances in different AZs.
  • An ASG and ELB are often used together to horizontally scale instances according to policy, and ensure network traffic is distributed to the group of instances.  
  • Regions are important for disaster recovery.
    • Distributing EC2 instances across multiple AZs in a Region ensures high availability, but what if a disaster affects the entire Region? Some systems need disaster recovery measures across multiple Regions.
    • Create a replica of your application in another Region. That way, if one Region has a disaster, you can fail over to another Region in another geography. However, do not split your active application across Regions or you will introduce latency and possibly data sovereignty issues.

TOOLS FOR SETTING UP AND MANAGING THE ARCHITECTURE
  • AWS CloudFormation - use templates to deploy architecture following a pattern
  • AWS QuickStarts - packaged CloudFormation templates and guides to quickly deploy best-practice architectures created by AWS and partners
  • Amazon Machine Images (AMIs) - pre-configured EC2 snapshot that is ready to be launched
  • AWS Directory Service - managed Microsoft Active Directory. Single sign-on only works from a computer that is joined to Directory Service
  • To achieve loose coupling, use messaging services such as Amazon SQS (simple queue service), Amazon SNS (simple notification service), or Amazon MQ (Apache ActiveMQ message broker)

HYBRID CLOUD
  • Virtual Private Cloud (VPC) 
    • exists within 1 region and spans all the AZs within that region
    • configure subnets within an AZ
    • configure endpoints
    • configure security groups (instance-level firewalls that protect EC2 instances)
    • VPC peering connection = connection between 2 VPCs
  • Internet Gateway vs. NAT Gateway
    • Internet Gateway = lets instances in your public subnet communicate with the internet
    • NAT Gateway = connect instances in a private subnet to the Internet
  • VPC Router performs routing within a VPC (not Route 53)
  • AWS Outposts: managed service to extend Virtual Private Cloud to on-prem
  • AWS Direct Connect: private connection (not over the internet) from on-prem to a VPC. Ensures consistent, dedicated performance and reduces latency since it is a direct connection.
  • AWS Transit Gateway: whereas Direct Connect and VPN each connect to a single VPC, Transit Gateway is a hub that connects multiple VPCs, on-prem data centres, and remote offices through a single gateway

Amazon Route 53: DNS global service.
  • More than just DNS! It provides: domain registration, traffic flow, health checking, and failover
  • Health checking: monitor the health and performance of your web applications, web servers, and other resources
  • Does not do what VPC Router or Direct Connect do.

VPN 
  • AWS VPN: point-to-point connection between on-prem, remote offices, client devices, and the AWS global network 
  • AWS Managed VPN: IPsec VPN, fast to set up, but uses the public internet so latency is worse
    • VPN connection is made between VPN gateway on the VPC side and Customer gateway to the on-prem side
  • AWS VPN CloudHub: secure connection over the internet
  • AWS VPC Endpoint: private connectivity to AWS services from within a VPC (without using an Internet Gateway, NAT device, or firewall proxies)
  • AWS Client VPN: end-users connect to AWS using a VPN client

CONTAINERS
  • Amazon ECS (Elastic Container Service): "Docker as a Service", runs Docker containers as tasks on AWS
  • Amazon ECR (Elastic Container Registry) is a Docker container registry for developers to store, manage and deploy Docker container images
  • Amazon EKS (Elastic Kubernetes Service): helps teams build Kubernetes clusters on AWS without having to install Kubernetes on EC2 instances manually 
  • Amazon Fargate is a serverless compute engine for ECS and EKS that can be used to run Docker containers 

COMPUTE SERVICES
  • AWS Batch - lets scientists and others run hundreds of thousands of computing jobs in batch
  • AWS Lambda - serverless way to run code. Only pay for compute time.
  • Elastic Beanstalk - PaaS service for deploying and scaling web applications (e.g. Java, .NET). Upload a zip or Git repo of code and it deploys and manages the web app for you.
  • In general, try to use serverless compute instead of EC2 instances so that you don't have to plan for capacity. Includes: Lambda, ELB, CloudFront, SQS, Kinesis Firehose, SES, CloudSearch.

DATABASE SERVICES
  • Database on EC2: if you need full control over the database, or a specific 3rd-party database product not supported by any of AWS' managed services
  • Amazon RDS - managed relational DB that you choose (e.g. MySQL, Postgres, Oracle, MS SQL, Aurora).
    • Amazon does DB admin work: provisioning hardware, setup, patching and backups
    • auto-backup is on by default: a full daily snapshot to S3, plus logs captured throughout the day. Point-in-time recovery (PITR) granularity can be as fine as 5 minutes; the logs are used to roll back to the chosen point.
    • can enable a Multi-AZ mode that replicates the DB to a standby instance in another AZ, which takes over automatically on failover
    • use the "Snapshots" feature to create globally redundant DBs
    • RDS scales up by moving to a larger instance / more storage, after which you reboot the DB.
      • read operations can be partially scaled out by using read replicas
  • Amazon DynamoDB: NoSQL, schemaless
    • items (not objects) by key/value
    • scales dynamically without any downtime ("push-button scaling"), as opposed to RDS and EBS, which require a reboot
    • for in-memory performance, for high I/O needs 
    • can do guaranteed reads/second
    • you can manually enable point-in-time recovery (PITR). Amazon then takes regular backups based on what you configured, and can restore to those backups​
    • DynamoDB Accelerator (DAX) is an in-memory cache that delivers 10x performance improvement
  • Amazon Redshift:
    • data warehouse for large volumes of aggregated data
    • analytics DB (as opposed to RDS, which is a transactional DB) queried using SQL
    • columnar (it reads by columns instead of rows)
  • Amazon ElastiCache: fast temporary storage for small amounts of data
    • in-memory DB
  • Amazon DocumentDB: NoSQL document database that is MongoDB-compatible
  • Amazon Aurora: relational DB that is MySQL- and PostgreSQL-compatible
    • fully managed and automatically scales
    • combines speed and availability of commercial DB with simplicity and cost of open source
    • up to 5x the throughput of MySQL DB
  • Note some AWS DB services can be reserved for up to 75% discount - RDS, DynamoDB, ElastiCache, Redshift

S3: Simple Storage Service
  • buckets hold objects, each stored as a key/value pair
  • unlimited data
  • standard storage is 99.99% availability
  • lowest-cost durable storage option for DB snapshots for immediate retrieval (as opposed to Glacier)
  • serverless
  • accessed via RESTful API over http(s)
  • Use cases: backup and storage, application hosting, media hosting, software delivery, hosting a static website 
  • S3 comes in different storage classes
    • S3 Standard Storage class -> pay per GB/mo and data transfer out
    • Standard-IA, One Zone-IA -> also have minimum capacity charge and a data retrieval fee 
    • Amazon S3 Glacier: low cost storage: good for backups and archives. You have to wait to get your data back (3-5 hours for Standard, 1-5min for Expedited), and there’s a cost of retrieval. 
  • S3 utilities include
    • S3 Transfer Acceleration: fast transfer of files over long distances to S3 bucket
    • S3 Cross Region Replication (CRR)
    • S3 Static Websites: host static website
    • S3 Copy: create a copy of objects up to 5GB in a single atomic operation
    • Multipart Upload: speed up uploads to S3
    • S3 Lifecycle: configure groups of objects to move to a different storage class (e.g. move to Glacier after XX days), or delete groups of objects altogether after a certain time

OTHER STORAGE SERVICES
  • EBS: Elastic Block Store:
    • stores blocks
    • often described as "virtual hard drive in the cloud"
    • can attach to 1 EC2 instance
    • you are charged for the amount of data provisioned, not the actual amount stored
    • snapshots are stored in S3
  • EFS: Elastic File System: file storage that is mountable on multiple EC2 instances. Stores files.
  • ElastiCache: DB caching
  • AWS Storage Gateway: enables on-prem applications to use cloud storage ("hybrid" storage model)
    • Use cases: moving tape backup to the cloud, reducing on-prem storage with cloud-backed file shares, low-latency access from on-prem apps to cloud data, disaster recovery
    • 3 storage interfaces supported: file (retrieve files as objects in S3), volume (block-based), tape (virtual media and tape drives)
    • Uses local caching
  • AWS Snowball: physically migrate many TBs of data. 
  • AWS Snowball Edge: bigger snowball (100 TB) 
  • AWS Snowmobile: shipping container, 100 PB. 
  • AWS Database Migration Service (DMS) to migrate databases
  • AWS Server Migration Service (SMS) to migrate VMs / on-prem workloads to AWS

CLOUDFRONT: content delivery network (CDN)
  • If you have a lot of data that needs to reach different parts of the world as fast as possible, CloudFront finds the shortest path to users: it takes static content and distributes it to multiple edge locations
  • global, low latency, high transfer speeds

COMPLIANCE PROGRAM
  • Verifies that hosted workloads are automatically compliant with the controls of supported compliance frameworks
  • AWS is responsible for common compliance framework documentation

STORAGE GATEWAY
  • Enable hybrid cloud storage, on-prem apps use cloud storage through standard file storage protocols

AWS DATA MANAGEMENT UTILITIES
  • Amazon Athena: query S3 buckets using SQL queries and analyze the data
  • Amazon S3 Select: get subset of data from an object via SQL
  • AWS Glue: ETL
  • Amazon Elastic MapReduce (EMR): big data web service that businesses, researchers and analysts use to process vast amounts of data. Runs on EC2 and S3 using hosted Hadoop and open source tools like Apache Spark.
  • Amazon Neptune: managed graph database
  • AWS Data Pipeline: move data between resources (web service)

AWS PRODUCTS FOR SECURITY
  • AWS CloudTrail: audit trail of account activity
  • Amazon Inspector: automated security and compliance assessment of applications deployed to AWS
  • AWS Artifact: provides access to security and compliance reports (e.g. SOC reports, PCI reports, NDAs)
  • Amazon GuardDuty: threat detection
  • Amazon Macie: discover and protect sensitive data using ML and pattern matching (like Titus Illuminate, which I worked on when I was the VP Product at Titus!)
  • Amazon Detective: process terabytes of event data records, similar to a SIEM but not quite
  • AWS Policy Generator: create policies that control access to AWS products and resources 
  • AWS Secrets Manager: rotate, manage and retrieve DB credentials, API keys and other secrets
  • AWS Key Management Service (KMS): create and manage encryption keys
  • AWS Certificate Manager: create SSL/TLS certificates for use with HTTPS connections
  • AWS Shield: managed DDoS protection
    • AWS DDoS Response Team available 24/7 for Business and Enterprise support plans
  • Firewalls
    • Security Groups: firewalls for an EC2 instance, controlling inbound and outbound traffic
    • Network ACLs: firewalls applied at the subnet level
    • AWS WAF: web application firewall; helps prevent web app attacks but not DDoS
    • AWS Firewall Manager: centrally manage WAF, Shield, and Security Groups

IDENTITY AND ACCESS MANAGEMENT (AWS IAM)
  • IAM Principles
    • lock away root access keys
    • create individual IAM users
    • use groups to assign permissions to users
    • assign least privilege
    • get started using AWS managed policies
    • use customer managed policies, not inline policies
    • use access levels to review IAM permissions
    • strong password policy
    • MFA
    • use roles: 1) for users who need specific permissions, 2) for applications that run on EC2
    • don't share access keys
    • rotate credentials regularly
    • use policy conditions 
    • monitor activity in your account
  • IAM is not used for creating accounts. You use other services like AWS Organizations to create accounts.
  • By default new users have no access to services except the console. You must grant them permissions.
  • Auth methods include
    • console passwords
    • access keys (access key ID + secret access key) --> for programmatic API calls
      • don't confuse access keys with key pairs! Key pairs are to login to EC2 instances.
    • server certificates
  • IAM policies:
    • the Principal is the user, service or account that is granted access
    • the Resource is what the Principal is granted access to (the target of the Action)
    • the Action is what the Principal is allowed to do on the Resource
  • An IAM role is a predefined identity. You attach an IAM policy to the role to associate it with specific permissions.
    • A user can take on a role temporarily. When this happens, the user gets temporary security credentials for the role session.  
    • An AWS service can take on a role temporarily as well
  • Amazon Cognito: used as Identity Provider (IdP) e.g. like Okta. Sign-in with Facebook, Google, etc. via SAML 2.0. Provide logins on web and mobile.
  • Amazon Security Token Service (STS): request temporary limited credentials for IAM or federated users
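The Principal / Resource / Action model and the IAM principles above (least privilege, policy conditions, MFA) can be checked mechanically. The following is an added example, not code from the original post or from AWS: a small policy auditor run over two constructed policy documents (111122223333 is a placeholder account ID; aws:MultiFactorAuthPresent is a real IAM condition key, while the SENSITIVE_PREFIXES list is an assumption of this example).

```python
"""Audit an IAM policy document against least privilege, policy conditions and MFA.
Added example, not code from the original post or from AWS. The policies below
are constructed samples; 111122223333 is a placeholder account ID.
"""
import json

# Assumption of this example: action namespaces treated as sensitive enough
# that an Allow without an MFA condition gets flagged.
SENSITIVE_PREFIXES = ("iam:", "sts:", "kms:", "organizations:")


def _as_list(value):
    """IAM accepts a single string or a list for Action, Resource, etc."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _requires_mfa(statement):
    """True if the statement carries a Condition requiring MFA."""
    condition = statement.get("Condition", {})
    for operator in ("Bool", "BoolIfExists"):
        flag = condition.get(operator, {}).get("aws:MultiFactorAuthPresent")
        if str(flag).lower() == "true":
            return True
    return False


def _is_public_principal(principal):
    """Resource-based policies: Principal "*" or {"AWS": "*"} means anyone."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def audit_policy(policy):
    """Return (statement_index, finding) pairs for each Allow statement."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((idx, "wildcard action"))
        if "*" in resources:
            findings.append((idx, "wildcard resource"))
        if _is_public_principal(stmt.get("Principal")):
            findings.append((idx, "public principal"))
        sensitive = any(a == "*" or a.startswith(SENSITIVE_PREFIXES) for a in actions)
        if sensitive and not _requires_mfa(stmt):
            findings.append((idx, "sensitive action without MFA condition"))
    return findings


def audit_json(policy_json):
    """Convenience wrapper: audit a policy given as a JSON document string."""
    return audit_policy(json.loads(policy_json))


# Constructed sample: an "admin" policy that violates least privilege.
WEAK_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
}"""

# Constructed sample: least-privilege S3 read on one bucket, plus a
# self-service IAM action that is only allowed when MFA is present.
TIGHT_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Effect": "Allow",
     "Action": "iam:ChangePassword",
     "Resource": "arn:aws:iam::111122223333:user/${aws:username}",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}
  ]
}"""

if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("tight", TIGHT_POLICY)):
        print(name, audit_json(doc) or "no findings")
```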

AWS PRODUCTS FOR SOFTWARE DEVELOPERS
  • AWS CodeBuild: compile and test. This is the Continuous Integration (CI) part of CI/CD. 
  • AWS CodeDeploy: deploy
  • AWS CodeCommit: hosted Git repositories
  • AWS CodePipeline: This is the Continuous Delivery (CD) part of CI/CD.
  • AWS Cloud Development Kit (CDK): different from the SDK, this is Infrastructure as Code
  • Amazon CodeGuru: code review
  • AWS OpsWorks: automated config, deploy and manage your servers (managed instances of Chef or Puppet, which are automation platforms that allow you to use code to automate the config of your servers)
  • AWS Mobile Hub: for building, testing and monitoring mobile apps
  • Amazon API Gateway: API to access AWS services. Amazon CloudFront is the public endpoint to API Gateway to ensure reduced latency and DDoS protection
  • AWS X-Ray: debug production distributed applications, e.g. debug microservices
  • Amazon SWF (Simple Workflow Service): workflow orchestration. Coordinate tasks across distributed app components and background jobs - media processing, web app back-ends, business process workflows, analytics pipelines 
  • AWS Step Functions: visual workflow tool for orchestration - coordinate AWS services into serverless workflows so that you can build and update applications quickly
  • AWS CodeStar: quickly develop, build and deploy applications on AWS

AWS DASHBOARD AND ADVISORY UTILITIES
  • AWS Service Health Dashboard: general status of AWS services overall (not specific to your personal resources). Includes known issues across Regions.  
  • AWS Personal Health Dashboard: personalized view into the performance & availability of AWS services underlying your resources. Alerts and remediation guidance on events that may impact you personally.
  • AWS Trusted Advisor: optimize your resources across 5 major areas:
    1. Cost Optimization
    2. Performance
    3. Security (e.g. checks Security Groups for 0.0.0.0/0 rules that allow unrestricted access to specific ports and colors the ones that present a risk as yellow or red)
    4. Fault Tolerance
    5. Service Limits
  • AWS Organizations: create and manage accounts and leverage consolidated billing
    • all accounts in the org are treated as 1 account, so they can share Reserved Instances 
    • can be used to automate AWS account creation via the Organizations API
    • service control policies (SCPs) provide a way to centrally manage AWS account permissions in the organization
  • AWS Systems Manager: unified UI that shows operational data from EC2 instances and multiple AWS services. Can use to take action and automate tasks.
  • Amazon CloudWatch: performance monitoring. Includes monitoring your estimated charges.
    • generates log files. Basic monitoring is every 5min, detailed monitoring every 1min
  • AWS Management Console: launch resources
    • EC2 section: EBS volumes, ELB
    • VPC section: subnet and endpoints
    • Route53 section: for DNS
  • EC2 Dashboard
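The Trusted Advisor security check described above (Security Group rules with a 0.0.0.0/0 source, coloured yellow or red by risk) can be reproduced over your own data. The block below is an added example, not AWS or Trusted Advisor code: the groups are constructed in the shape of EC2 DescribeSecurityGroups "IpPermissions" entries so it runs offline, and the port-to-colour lists are a simplified assumption of this example rather than Trusted Advisor's exact rule set.

```python
"""Flag security group rules open to the whole internet (0.0.0.0/0 or ::/0).
Added example, not AWS or Trusted Advisor code. Input mirrors the shape of
EC2 DescribeSecurityGroups "IpPermissions" entries but is constructed here.
"""
import ipaddress

# Assumption of this example: database/admin ports that should never be
# world-reachable (red) and ports normally meant to be public (not reported).
RED_PORTS = {20, 21, 1433, 1434, 3306, 3389, 4333, 5432, 5500}
GREEN_PORTS = {25, 80, 443, 465}


def _is_anywhere(cidr):
    """True for a /0 source such as 0.0.0.0/0 or ::/0."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def _open_sources(permission):
    """IPv4 and IPv6 source ranges of one permission that mean 'anywhere'."""
    ranges = [r.get("CidrIp") for r in permission.get("IpRanges", [])]
    ranges += [r.get("CidrIpv6") for r in permission.get("Ipv6Ranges", [])]
    return [c for c in ranges if c and _is_anywhere(c)]


def _severity(permission):
    """Worst-case colour for the ports a permission exposes, or None if fine."""
    protocol = permission.get("IpProtocol")
    if protocol == "-1":
        return "red"  # all protocols and ports, so the red ports are included
    if protocol not in ("tcp", "udp"):
        return None  # ICMP etc.: not a port exposure, out of scope here
    ports = range(permission["FromPort"], permission["ToPort"] + 1)
    if not RED_PORTS.isdisjoint(ports):
        return "red"
    if GREEN_PORTS.issuperset(ports):
        return None  # only public-facing ports: expected to be open
    return "yellow"


def check_security_groups(groups):
    """Return one finding per world-open rule that is red or yellow."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            sources = _open_sources(perm)
            if not sources:
                continue  # restricted to specific CIDRs or security groups
            severity = _severity(perm)
            if severity is None:
                continue
            is_all = perm["IpProtocol"] == "-1"
            findings.append({
                "group": group["GroupId"],
                "protocol": perm["IpProtocol"],
                "ports": "all" if is_all else f"{perm['FromPort']}-{perm['ToPort']}",
                "sources": sources,
                "severity": severity,
            })
    return findings


def worst_severity(findings):
    """Overall colour for a set of findings; 'green' when there are none."""
    order = {"red": 2, "yellow": 1}
    return max((f["severity"] for f in findings), key=order.get, default="green")


# Constructed sample groups (not real account data).
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]

if __name__ == "__main__":
    for f in check_security_groups(SAMPLE_GROUPS):
        print(f"{f['severity']:6} {f['group']} {f['protocol']} {f['ports']} from {', '.join(f['sources'])}")
```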

AWS COST ADVISORY TOOLS
  • AWS Pricing Calculator aka Simple Monthly Calculator: estimate monthly bill for a set of resources
  • AWS TCO Calculator: enter the number of on-prem servers, their CPU and RAM, and whether they have a DB
  • AWS Budgets: set custom budgets to track your cost and usage against specific use cases. Alerts when you exceed or are about to exceed a threshold.
  • AWS Cost Explorer: forecast and manage costs. Manage AWS costs and usage over time. Use cost allocation tags to divide resources into groups and estimate costs for each
  • AWS Cost Management Tools: break down AWS costs by day, service and account. Can send notifications if a threshold is exceeded; that notification can be consumed by other applications, which can be configured to act on it (e.g. terminate resources).
  • Note that other tools help advise on cost
    • Amazon CloudWatch, for performance management, includes monitoring estimated charges
    • AWS Trusted Advisor helps you optimize your resources, including costs

MACHINE LEARNING PRODUCTS
  • AWS Glue: ETL
  • Amazon Rekognition: image and video analysis for your applications
  • Amazon Comprehend: NLP 
  • Amazon SageMaker: build, train and deploy ML models

MORE AWS PRODUCTS
  • Amazon Connect: call centre
  • Amazon SES: Simple E-mail Service for sending marketing e-mails (like a Marketo or ConstantContact)
  • Amazon QuickSight: BI
  • Amazon Elasticsearch Service: "operational analytics" that you visualize
  • Amazon Neptune: interactive graphs of DBs
  • AWS Config: tracks resource inventory, config history and config change notifications for the purpose of security and compliance. Assess, audit and evaluate the configurations of AWS resources.
  • Amazon AppStream: streaming service
  • Amazon Kinesis: collect and process streaming data
  • Amazon Elastic Transcoder: convert video and audio files into versions that play on phones, tablets and PCs
  • CloudSearch: search engine for your site
  • AWS CLI: command-line interface. Requires an IAM access key ID and secret access key.
  • Amazon Lightsail: easy alternative to setting up a VPC. Product set includes virtual servers (instances), MySQL DBs, HA storage and load balancing
  • Amazon MSK
  • AWS IoT Core: connected devices interact securely with cloud applications
  • AWS App Mesh: application networking for microservices applications
  • Amazon Lex: builds conversational interfaces into an application using voice and text
  • AWS Import/Export: send HDDs with data to AWS and they import the data into S3

TYPES OF AWS SUPPORT
  • Support Plans
    • Basic: 24x7 customer service, documentation, and forums. No email support, no support cases.
    • Developer: get Cloud Support Associates, open unlimited support cases
    • Business, Enterprise: get email, 24x7 phone, and chat with Cloud Support Engineers 
  • AWS Concierge: billing and account experts. For Enterprise. 
  • AWS Professional Services
  • AWS Partner Network (APN) 
  • AWS Technical Account Manager (TAM): for Enterprise
  • AWS Trust & Safety team: to report abuse of AWS
  • AWS DDoS Response Team: 24/7 support for DDoS attacks for Business and Enterprise

BENEFITS OF AWS
  • Reduce costs by right-sizing workload
  • Agility and elasticity (auto-scaling, elastic load balancing, S3 and lambda)
  • Increase speed and agility (speed because you can experiment in just minutes)
  • Moving from upfront capital expense (capex) to variable operational expense (opex).
  • Lower variable costs and lower upfront costs
  • Asset management is easier because AWS performs infrastructure discovery scans on behalf of the customer. Assets are centrally managed by AWS
  • Reduce project management costs of the data centres and infrastructure

BENEFITS OF AWS FOR STARTUPS
  • optimize your spend 
  • keep your development costs low by making sure you revisit your architecture often, to adjust to your startup growth.
  • manage your cost further by leveraging options such as S3 and CloudFront for caching and offloading, to reduce the cost of EC2 compute, as well as Elastic Load Balancing, which prepares you for massive scale, high reliability and uninterrupted growth.
  • another way to keep costs down is to use IAM to manage governance of your cost drivers effectively and by the right teams.

SHARED RESPONSIBILITY MODEL
  • AWS: security OF the cloud, Customer: security IN the cloud
  • Shared: Patch and Config
  • Users fully inherit user and access management controls from AWS

SERVICES OFFERED BY AWS
  • encryption
  • automated pen testing
  • patching DB software for you

6 CLOUD ARCHITECTURE PRINCIPLES
There are 6 design principles for operational excellence in the cloud:
  1. Perform operations as code
  2. Annotate documentation
  3. Make frequent, small, reversible changes
  4. Refine operations procedures frequently
  5. Anticipate failure
  6. Learn from all operational failures

6 PILLARS OF THE WELL-ARCHITECTED AWS FRAMEWORK

1. Operational Excellence
  • Perform operations as code
  • Make frequent, small, reversible changes
  • Refine operations procedures frequently
  • Anticipate failure
  • Learn from all operational failures

2. Security
  • Implement a strong identity foundation
  • Enable traceability
  • Apply security at all layers
  • Automate security best practices
  • Protect data in transit and at rest
  • Keep people away from data
  • Prepare for security events

3. Reliability
  • Automatically recover from failure
  • Test recovery procedures
  • Scale horizontally to increase aggregate workload availability
  • Stop guessing capacity
  • Manage change in automation

4. Performance Efficiency
  • Democratize advanced technologies
  • Go global in minutes
  • Use serverless architectures
  • Experiment more often
  • Consider mechanical sympathy

5. Cost Optimization
  • Implement cloud financial management
  • Adopt a consumption model
  • Measure overall efficiency
  • Stop spending money on undifferentiated heavy lifting
  • Analyze and attribute expenditure

6. Sustainability
  • Understand your impact
  • Establish sustainability goals
  • Maximize utilization
  • Anticipate and adopt new, more efficient hardware and software offerings
  • Use managed services
  • Reduce the downstream impact of your cloud workloads