loading...

A guide to AWS Cloud Practitioner Exam

mraza007 profile image Muhammad ・16 min read

AWS Cloud Practioner

This certification is mostly used by people to get the understanding of the AWS services.

Where you can take this exam ?

You can take this exam on Pearson VUE online.

  • This cost $100
  • 90 mins
  • 65 Questions
  • 70% passing score
  • Valid for 3 years.

Exam Guide

This is what exam mostly comprises of

  • Cloud Concepts 28%.
  • Security 24%
  • Technology 36%
  • Billing & Pricing 12%

We have total of 65 questions and most of them are mutiple choice or multiple response questions.

What is Cloud Computing

Its the practice of using a network of remote servers hosted on the internet to store,manage and process data rather using a local server or personal computer.

Benefits of the cloud computing

  • No upfront costs such as paying for server. You can Pay On Demand.
  • Economies of sale you can simply save alot of money since there are so many people using the cloud.
  • You can scale up or scale down based on your need.
  • With few clicks of a button your service is deployed.
  • No more maintenance costs.
  • Go global in few minutes since there are global regions where cloud servers are hosted.

Types of Cloud Computing

  • SaaS --> Software as a Service. Basically a complete product that is ran and managed by the service provider.(Examples: Salesforce,Gmail,GoogleDocs)
  • PaaS --> Platform as a Service. Focusing on deploying applications without worrying about managing the infrastructure. (Examples: Heroku,Netlify and etc)
  • IaaS --> Infrastructure as a Service. The building blocks of the IT. Providing computers access and storage needs and etc. (Examples: AWS,GCP and Azure).

Cloud Computing Models

  • Cloud (Fully hosted on Cloud such as startups)
  • Hybrid (On-Premise and Public Cloud such as Banks)
  • On-Premise (On Private Cloud where sensitive data is being stored).

AWS Global Infrastructure

  • There over a million active customers using aws.
  • there are total 69 Availability Zones 22 Geographic Regions around the world.
  • Regions --> physical location with multiple availabilty zones.
  • Availability Zones(AZ) --> one or more discrete data locations.(owned by aws)
  • Edge Locations --> data center owned by trusted partner of aws

Regions AWS

  • A geographically distinct location with multiple data centers.
  • Each region has two AZs.
  • US-EAST(North Virginia) is the largest AWS region and services almost always become available first in this region.
  • Not all services are available in the all regions.
  • US-EAST-1 is where you see your billing information.

AZs(Availability Zones)

  • Each Region has two AZs.
  • An AZ is a data center ran and owned by AWS.
  • less than 10ms latency between AZs

Edge Locations (Get Data Fast or Upload Data Fast)

  • A data center owned by trusted partner of AWS and has direct connection to the aws network.
  • These location serve requests for CloudFront and Route53. Requests going to either of these services will be routed to the nearest edge location automatically.
  • S3 Transfer accelaration and API Gateway endpoint also use the AWS Edge Network.
  • This allows for low latency no matter where ever you are located.

Gov Cloud

An AWS service that allows customers to host sensitive Controlled
Unclassified Information or other types of workloads

  • Only operated by US Citizens or on the US Soil.
  • Should follow several compliance guidelines.
  • GovCloud

EC2 Instances

  • In order to create a EC2 instance head over to AWS Console.
  • Choose EC2 and follow along. Make sure you select Amazon Linux 2 AMI and select the type as t2.micro since that is offered with free tier.
  • Now follow along and make sure to set IAM role.
  • lastly make sure you have billing alerts turned on.
  • You can either use ssh or sessions manager to get into ec2 instance.
  • You can also get to sessions-manager by going to systems manager.
  • sessions-manager opens a simple bash shell that can help you access your ec2 instance.

AMI (Amazon Machine Image)

  • You can create an image by going into ec2 management console and clicking on actions and selecting image.
  • Basically this creates a copy that allows you launch multiple servers.

AutoScaling

  • This allows you ensure that multiple instances and multiple servers are running.
  • This also allows you meet the demand of web traffic.
  • In order to configure this its located in ec2 management console.

Elastic Load Balancer (ELBs)

  • This allows reroute the traffic. especially when doing updates to the application.

S3 Buckets

  • Its usually global and the buckets are usually region specific.
  • its a block storage used to store the files.

CloudFront (CDN)

  • CloudFront is basically Cotent Delivery Network.
  • It makes easier for companies to distribute there content.
  • Hook it up to S3 Bucket and deliver your content around the world.

RDS (Relational Database Service)

  • It's used to setup a relational database (Examples: SQL,PSQL).
  • Amazon aurora would be default when setting up this service
  • It has auto scaling.

AWS Lambda

  • Serverless framework.
  • Allows you to run simple functions you can think of it as cronjobs.

EC2 Pricing Models

E2 has four different pricing models

On Demand

  • Low Cost and Flexible.
  • only charges per hr
  • short term
  • good for first time apps or prototypes.
  • No upfront payment.

Reserved Instances

  • Good for committed applications.
  • Standard savings 75% (Cannot change the RI attributes.)
  • Best for long term
  • You can schedule to reserve the instances.
  • there's a commitment like 1 to 3 year with AWS.
  • RI's can be shared between multiple accounts.
  • You can even sell your unused instances.

Spot instances

  • You can think of it has a hotel who offers discounts to fill there spots.
  • Just like hotel aws uses similar approach to maximize the usage of there idle servers.
  • There are conditions such as,
    • Instances can be terminated anytime.
    • If you instance gets terminated you dont get charged for partial hour of usuage.
    • If you terminate an instance you will be charged for any hour that it ran.
  • Good for applications feasible for very low usage.
  • It provides you 90% savings.

Dedicated

  • Its the most expensive EC2 instance.
  • Its built for tenant customers. Its more useful for large enterprises.
  • Its offered both in demand and reserved.

Billing and Pricing

AWS Free Services

  • IAM (Identity Access Management) --> used for creating user roles.
  • Auto Scaling
  • CloudFormation
  • Elastic Bean
  • Opswork
  • Amplify
  • AppSync
  • CodeStar
  • AWS Cost Explorer

NOTE: Services in bold are free but they can provision AWS Services to cost money.

AWS Support Plan

  • $0/month - Basic (Support Only by Email).
  • $20/month - Developer (Tech Support Via Email reply within 24hrs)
    • No Third Party Support.
    • General Guidance only.
  • $100/month - Business (Tech Support Via Chat/Phone 24/7)
    • Does support third party.
    • Production system down less than 1hr response time (business downtime)
  • $15000/month - Enterprise (Tech Support Via Chat/Phone 24/7)
    • Personal Concierge.
    • TAM (Technical Account Manager)
    • Response time less than 15min. (business downtime)

AWS MarketPlace

  • A place where you will thousands of software listings from independant software vendors.
  • The product is free to use or can have a charge which becomes part of the
  • AWS bill.

AWS Trusted Advisor Check

  • This advises customers on security,saving money,performance , service limits and fault tolerance.
  • FREE has 7 trusted Advisor Checks
  • Enterprise and Business - All trusted advisor checks.

Consolidated Billing

  • One Master account for all member accounts.
  • Cost Explorer tool for visualizing the usage.
  • It also offers volume discounts (The more you use the cheaper it gets.)

AWS Cost Explorer

  • Allows you to visualize the usage of the multiple accounts.

AWS Budgets

  • First two budgets are free of charge.
  • Allows you setup alerts when you exceed your limits.
  • You can set three types of alerts Budget,Usage and instance reservation
  • Alerts supports EC2,RDS,RedShift and Elastic Cache.
  • You can manage budgets from AWS Budget Dashboard or Budgets API.
  • Get notified through email or ChatBot.

TCO Calculator

The Total Cost of Ownership calculator allows you show how much can save by shifting to aws.

  • A tool that allows you build reports for execs to show how much you can save.
  • Only for approximation purposes.

AWS Landing Zone

  • Meant for enterprises.
  • Automatically provisions and configure new accounts via Service Catalog template.
  • uses SSO.

AWS Resource Groups & Tagging

  • Tags are words or phrases that act as metadata for organizing AWS resources.
  • Resource Groups are collection of resources that share one or more tag.
  • Resource Group can display following details of about a group of resource based on.
    • Metrics
    • Alarms
    • Configuration Settings.

AWS QuickStart

Prebuilt templates offered by AWS or AWS partners that helps you deploy popular stacks on AWS. This allows to reduce the manual effort.

It's divided into three steps.

  • A reference architecture for deployment.
  • AWS CloudFormation templates that automate and configure the deployment.
  • A guide explaining the architecture and implementation in detail.

AWS Cost and Usage Report

This allows you to generate a detailed report of your AWS costs.
You'll get a spreadsheet highlighting the costs.

  • Reports are stored in S3.
  • You can use ATHENA to turn this into queryable database.
  • QuickSight for analyzing.

AWS Networking

  • Region -> The geographic location of the network.
  • VPC -> An isolated space of aws where you can launch aws resources.
  • AZ -> the data center of the aws resources.
  • Security Groups -> Acts as a firewall at the instance level.
  • Internet Gateway -> Enables access to the internet.
  • NACLs -> acts as a firewall at the subnet level.
  • Route Tables -> determine where network traffic from your subnets are directed.
  • Subnets -> A logical partition of an IP network into multiple,smaller network segments.

AWS Database Services

  • DynamoDB -> NoSQL key/value database. (Examples:Cassandra).This is really fast for read and write access.
  • DocumentDB -> NoSQL Document database that is compatible to MongoDB.
  • RDS -> Relational DataBase Service that supports multiple engines MySQL,Postgres,MariaDB. (Most Popular DB)
  • AuroraDB -> MySQL (5x fast) and PSQL (3x Fast) fully managed database. (Runs 6 copies of the Database when used and more expensive DB)
  • Aurora Serverless -> Only runs when needed.
  • Neptune -> Graph DataBase.
  • RedShift -> Columnar Database petabyte warehouse.
  • Elastic Cache -> Redis or Memecached database.

AWS Provisioning Services

  • Elastic BeanStalk -> Think of it as Heroku. Its a service used for deploying and scaling the web applications and services deployed with Java,python,c++ and etc (Perfect for deploying WebApps)
  • OpsWork -> Configuration management service that provides managed instances of CHEF and Puppet.(It has layers like tier 2 or tier 3)
  • CloudFormation -> IaaS , Infrastructure as Code JSON or YAML.
  • AWS QuickStart -> ready made templates that can launch and configure your aws compute, network, and other services.
  • AWS MarketPlaces A place where you can buy or sell software or services for AWS Cloud.

AWS Compute Services

  • EC2 -> Elastic Compute Cloud highly configurable server.
  • ECS -> Elastic Container Service Docker As Service highly scalable,high performance and good for microservices.
  • Fargate -> You don't chose the ec2 like you might chose in ECS. You define and AWS will run the service. (Like Lambda since you dont pay for EC2)
  • EKS -> Kuberenetes as services makes it easy to deploy ,manage and scale.
  • Lambda Serverless. Just upload code as function and AWS will run the code for you.
  • Elastic BeanStalk -> upload the code and it will do the rest for you. Good for developers who want to just upload there apps.
  • AWS Batch -> Its for Batch Processing where you can schedule Batch jobs.

AWS Storage Services

  • S3 -> A simple storage service - Object Store (Simply Upload Files).
  • S3 Glacier -> low cost for storage and good for archiving the data for long term backup.
  • Storage Gateway -> A hybrid solution from on premisis to cloud for storage.
  • EBS (Elastic Block Storage) -> A hard drive in cloud you attach to ec2 instance such as SSDs,HDDS.
  • EFS (Elastic File Storage) -> file storage moutable to multiple EC2 instances at the same time.
  • Snowball -> A way of moving data from on premise to aws.
    • Snowball Edge -> 100 TB (better version and additional features).
    • SnowMobile -> Allows to move petabytes of data (DataCenter on Wheels).

AWS Business Centric Services

  • Amazon Connect -> Cloud Based call center service you can setup in few minutes and later you can save the calls in s3 for furhter analysis.You can even route calls based on defined rules
  • WorkSpaces -> Secured managed virutal desktops.
  • WorkDocs -> aws version of sharepoint where you can collaborate and share documents.
  • Chime -> Think of it as skype where you can do business calls and meetings.
  • WorkMail -> Managed aws email service just like Microsoft Outlook Exchange uses IMAP Protocol
  • PinPoint -> For marketing campaigns for targetted sending emails and sms notifications.
  • SES (Simple Email Service) A cloud based email sending service used to send emails and notifications (Good for webapps that supports sending email notifications and has HTML format email option)
  • QuickSight. Think of it as QlikSense or Tableau as this allows you to visualize the data.

AWS Enterprise Integration

  • Direct Connect -> A dedicated Gigabit connection from on premise to aws.
  • VPN
    • Site to Site -> Connecting to on premise to aws.
    • Client Vpn -> Connecting a client to AWS network.
  • Storage Gateway A hybrid storate service that enables on premise applications to use AWS cloud storage.
    • Good for backup.
    • Archiving
    • Disaster Recovery.
    • migration
    • data processing.
  • AD (Active Directory) An AWS directory service for Microsoft Active Directory also known as AWS Managed Microsoft AD - Enables your workloads and AWS related resources to use managed AD in aws cloud.

AWS Logging Services

  • CloudTrail -> a logging service that logs all the api calls (SDK,CLIs) between AWS services.

    • Who created the service.
    • Who spun up the EC2 instance.
    • Who launched sagemaker notebook
    • Detects developer misconfigurations.
    • Detects Malicious Activity.
    • Automates responses.
  • CloudWatch A collection of multiple services. Its more like a storage solution for all the logs.

    • Stores all types of the logs.
    • CloudWatch Metrics -> timeseries data of logs.
    • CloudWatch Events -> trigger event based on a condition.(Taking the snapshot of the server)
    • CloudWatch Alarms -> trigger notifications based on metrics.
    • CloudWatch Dashboard -> create visualizations based on metrics.

Most Common AWS Initials

  • IAM:Identity Access Management.
  • S3: Simple Storage
  • SWF: Simple Workflow Service.
  • SNS: Simple Notification System.
  • SQS: Simple Queue Service.
  • SES: Simple Email Service.
  • SSM: Simple Systems Manager.
  • RDS: Relations DataBase Service.
  • VPC: Virtual Private Cloud.
  • VPN: Virtual Private Network.
  • CFN: Cloud Formation
  • WAF: Web Application Firewall.
  • MQ: Amazon ActiveMQ.
  • ASG: AutoScaling Groups.
  • TAM: Technical Account Manager.
  • ELB: Elastic Load Balancer.
  • ALB: Application Load Balancer.
  • NLB: Network Load Balancer.
  • EC2: Elastic Cloud Compute .
  • ECS: Elastic Container Service.
  • ECR: Elastic Container Repository.
  • EBS: Elastic Block Storage.
  • ELF: Elastic File Storage.
  • EMR: Elastic MapReduce.
  • EB: Elastic Beanstalk.
  • ES: Elastic Search.
  • EKS: Elastic Kubernetes Service.
  • MKS: Managed Kafka Service.
  • IoT: Internet of Things.
  • RI: Reserved Instances.

AWS Security

In the Shared Responsibility Model the customer is responsible for the security of the cloud such as securing the data and using the right configuration.
and anything the customer can't touch or get access is secured by aws. Such as Hardward,Operation of Managed Services and Global Infrastructure.

Things Customer should take care of

  • IAM
  • Customer Data
  • OS,Network and Firewall Configs.
  • Maintaining Encryption Protocols.

Things AWS takes care of

  • Software
  • Hardware
  • Services that aws provides.

AWS Compliance Programs

A set of internal policies and procedures of a company to comply with rules and regulations or to uphold reputation.

two most popular ones

  • HIPPA
  • PCI (Payment Card Data/You can readmore by googling it)

  • ReadMore Here

AWS Artifact

A no cost, self service portal for on demand access to AWS compliance reports.

AWS Inspector

AWS inspector is a tool that runs a security benchmarks against specific EC2 instances. The most popular one is run by CIS (Center for Internet Security) which has 699 benchmarks.It can even inspect the network to check if there are any ports are open and running.

AWS WAF (Web Application Firewall)

It allows you protect your web application against the most common exploits.
You can write your own rules that will allow the traffic based on the contents of HTTP requests. You can use ruleset from AWS trusted secuirty partner. It can be either attached to CloudFront or Application Load Balance (ALB).

Most Common Attacks Include

  • Injection
  • Broken Authentication
  • Sensitive Data Exposure
  • XML External Entities XXE
  • Broken Access Control
  • Security Misconfigurations
  • XSS Cross Site Scripting
  • Insecure Deserialization
  • Using Components with known Vulnerabilities
  • Insufficient logging and Monitoring

AWS Shield

A managed DDOS(Distributed Denial of Service) protection service that safeguards applications running on aws.

All AWS customers benefit from the automatic protections of AWS shield standard at no charge.

When you route your traffic through ROUTE53 or CloudFront you are using AWS Shield.

Protects you against Layer3,Layer4, and Layer7 attacks

  • 7 Application
  • 4 Transport
  • 3 Network

There's also a paid tier known as Shield Advance and that costs $3000/Year(upfront or Commitment).
It gives you extra protection with 24/7 support and its available on

  • Amazon Route 53
  • Amazon CloudFront
  • ELB
  • AWS Global Accelarator
  • Elastic IP(Amazon Elastic Compute Cloud and Netword and Load Balancer).

AWS Penetration Testing

An authorized service that allows you simulate a cyber attack on a computer system, performed to evaluate the security of the system.

Permitted Services

  • EC2 Instances,NAT Gateways, and ELB.
  • RDS
  • CloudFront
  • Aurora
  • API Gateways
  • AWS Lambda and Lambda@Edge function
  • LightSail resources.

Prohibited Services

  • DNS zone walking via Amazon Route 53 Hosted Zones.
  • DoS(Denial Of Service),DDoS,Simulated DoS,Simulated DDoS.
  • Port flooding
  • Protocol flooding
  • Request flooding

Amazon Guard Duty Service

IDS: Intrustion Detection System

IPS: Intrustion Protection System

A device or software that monnitors a network or systems for malicious activity or policy violations.

Guard Duty is a threat detection service that continuously monitors for the malicious,suspicious activity and unauthorized behavior. It uses machine learning ty8111o analyze following AWS logs.

  • CloudTrail Logs.
  • VPC Flow Logs
  • DNS logs.

It will alert you of the findings which you can automate an incident response via CloudWatch Events or 3rd Party Software.

KMS (Key Management System)

A managed service that makes it easy for you to create or control the encryption keys used to encrypt that data.

  • KMS is a multi-tenant HSM (Hardware Security Model).
  • Many AWS services are intergrated to use KMS to encrypt your data with simple checkbox.
  • KMS uses Envelope Encryption.

Envelope Encryption

When you encrypt your data, your data is protect but you have to protect your encryption key. When you encrypt your data key with master key as an additional layer of security. READMORE

Amazon Macie

Macie is fully managed service that continuously monitors S3 data access activity for anomalies and generates detailed alerts when it detects risk of unqthorized access or inadvertent data leaks.

It uses machine learning to analyze CloudTrail logs.

It provides you with following alerts.

  • Anonymized Access.
  • Config Compliance
  • Credential loss
  • Data Compliance
  • File Hosting
  • Identity Enumeration
  • Information Loss
  • Location Anomaly
  • Open Permisson
  • Privilege Escalation
  • Ransomware
  • Service Disruption
  • Suspiscious Activity

Security Groups VS NACLs(Network Access Control Lists)

Security Groups Network Access Control Lists (NACLs)
Acts as a firewall at the instance level. Acts as a firewall at the subnet level
Implicitly denies all traffic. You create Allow rules (For Example allow an `EC2` Instance to access `port 22`) You create `allow` and `deny` rules

AWS VPN(Virtual Private Network)

It allows you create a secure and private tunnel from your network or device to the aws global network.

AWS Site-to-Site VPN : Securely connect to on premises network or branch office site to VPC.
AWS Client VPN: Securely connect users to AWS or on premises networks.

Same Name But Different Services (Don't Get Confused)

  • CloudFormation: IaaS (Infrastructure as a Service) used to setup template scripting (YAML,JSON).
  • CloudTrail: logs all the api calls between aws-services (who to blame).
  • CloudFront: CDN(Content Delivery Network),It is used to distribute the content (Such as videos,static assets and etc).
  • CloudWatch: a collection of multiple services
  • CloudSearch: search engine for your site (Ecommerce).

AWS Connect Services

  • Direct Connect: A dedicated fiber optics connections from data center to AWS.
    Lets say an enterprise want a direct connection from there on premise datacenter to aws they might use this service to connect to AWS.
    If you want to add extra layer of security you might need a vpn connection.

  • Amazon Connect: Call Center Service.

  • Media Connect: A new version of Elastic Transcoder, Converts videos to different formats.

Lets say you have 1000 videos and you need to transcode them into different formats then this might be a useful service. You can even add watermarks and insert intro infront of every video.

Elastic Transcoder VS AWS Elemental MediaConvert

Elastic Transcoder `OldWay` AWS Elemental MediaConvert `NewWay`
Transcodes videos to
streaming formats
Transcodes videos to
streaming formats
Overlay images
Insert Video Clips
Extract captions data
Better and Robust UI

SNS vs SQS

They Both Connect Apps via Messages.

SNS

  • It uses PubSub model which is also known as publisher subscriber model.
  • It sends notifications to subscribers via protocols such as HTTP,Email SQS and SMS.
  • It is generally used for sending plaintext emails which is triggered via other aws services. The best example can be billing alerts.
  • Can retry sending in case of failure for HTTPS.
  • Its good for webhooks,internal emails and triggering lambda functions.

SQS (Examples RabbitMQ) - (think of it as message broker service)

Queue Up Messages, Guaranteed Delivery

  • It places messages into a queue and applications pull queue using AWS SDK.
  • It can retain a message for up to 14 days.
  • Can send them in sequential order or parallel.
  • Can ensure only one message is sent.
  • Can ensure messages are delivered at least once.
  • Really good for delayed tasks,queueing up emails.

You can readmore about this here

NLB vs ALB vs CLB

Application Network Classic
Layer 7 Requests Layer 4 IP protocol data
Layer 4 and Layer 7
HTTPS and HTTP traffic TCP and TLS traffic where extreme
performance is required (Example: Netflix)
Intended for applications
that were built within the

EC2 Classic network
**Routing Rules**,more usability

from one load balancer
Capable of handling millions of requests
per second while maintaining `ultra-low-latencies`
Doesn't use Target Groups
Can attach WAF(WebApp Firewall) Optimized for `sudden and volatile` traffic patterns
while using a single static IP address per AZ

Can Attach ACM (Amazon Certification Manager) SSL Manager


Anyways this all you need to know for your AWS Cloud Practitioner Exam and I hope you found these helpful.

I am always available through twitter
and email

Originally Posted here

Posted on by:

Discussion

markdown guide