Course Slides

The AWS Certified Cloud Practitioner Bootcamp aims to equip participants with knowledge about AWS economics, serverful and serverless resources, and preparation for the certification exam. The course is designed for individuals with minimal prerequisites and emphasizes the advantages of cloud computing, such as security, reliability, elasticity, and cost-effectiveness. It also covers AWS's Cloud Adoption Framework and the differences between serverful and serverless architectures.


AWS Certified

Cloud Practitioner
Bootcamp
January 2023
Learning Objectives

By the end of this course, you will understand:

● AWS economics and how to build in the cloud
● Key AWS serverful and serverless resources
● How to be prepared for the Cloud Practitioner certification exam
About Me - I’m Bill Boulden, Your Instructor

● Fractional CTO of between three and twelve tech startups at any given time
● Book With Tote, Dovey Dates, Quan Wellbeing, Favordrop, UseKitch, Hello Audio, Studious are some of my
accomplishments
● AWS Certified Developer and former AWS Certified Solutions Architect
● In my spare time I am the DJ and Producer known as “Downupright”
Ask me questions after the fact!

● https://linkedin.com/in/billboulden
● https://twitter.com/downupright

4
About You - What Qualifies You To Take This Course

● Almost no prerequisites
● This can be anybody’s first AWS course
● If you want to play along during the exercises you’ll need an AWS account
● This course assumes basic knowledge of networking essentials such as IP addresses and
domain names

5
Why AWS?

The Basics
What is AWS?

AWS is a collection of hundreds of individual products and services that work well together and are
hosted for you “in the cloud” on a secure and reliable network.

These services are accessible through an online user interface known as the console or
programmatically via API calls.

7
The Console

Easily search for and find individual services here.


8
What is “In The Cloud”?

All the computers (servers), networking equipment, storage media, facilities management, and trusted
personnel management happen somewhere else, without you having to concern yourself with many
details. You access everything over the internet either through the console or via API calls.

This is as opposed to “On Premises,” the historically conventional way of running server farms.

9
Historical “On Premises” Costs & Problems

● Facility Management
● Personnel Management
● “CapEx” costs

10
Advantages of the Cloud: Security

Security: The ability to defend against malicious traffic and protect customer resources and data.

● The Datacenter is itself secure
● Different clients’ resources and traffic are kept separated
● Many best practices come included
● Bring your own security to the individual resources you create (Shared Responsibility Model)

11
Advantages of the Cloud: Reliability & High
Availability

Reliability: The ability of resources to stay up and responding successfully on a highly available basis,
as measured in 9’s. (4 9’s is slang for 99.99%)

● 99.9% = guaranteed to be down no more than 43 minutes out of a month
● 99.99% = guaranteed to be down no more than 4 minutes out of a month

If these thresholds are breached you are compensated with credits.

12
Advantages of the Cloud: Elasticity

Elasticity: the ability to provide more or fewer resources based on size of workload. If the workload
doubles, the amount of resources allocated and that you pay for can also double. If the workload
shrinks to nothing, the amount of resources allocated and that you pay for can also shrink to
near-nothing.

Example:

We run 10 Lambda containers to answer API calls. Our service goes viral in a Tiktok and
suddenly 50 times the normal volume of calls come in rapidly. AWS can provision 500 additional
Lambda containers to smoothly handle these requests.

13
Advantages of the Cloud: Agility

Agility: the ability of an organization to try out new things rapidly, experiment, pivot, and respond to
changing business demands at low cost.

● Without AWS:

I wish there was a way to process images to determine their contents. Time to hire a Machine
Learning engineer, a data scientist, and spend months building a product.

● With AWS:

AWS offers the service Rekognition. Cool. I can experiment with it and have a proof of concept
running in a few hours.

14
Advantages of the Cloud: Pay-As-You-Go Pricing

Instead of spending money up front (“I will buy five Dell servers and mount them in a datacenter”) you
are billed by the amount you consume in real time (“I will provision five EC2s and pay a few cents an
hour for running them”).

15
Advantages of the Cloud: Scalability

Scalability: What works now at an initial scale will also work later at a greater scale with only minor
changes.

Example

When your developers are working on a new product that they’re hitting with a small 10 requests
per hour, things will work. When the product goes live and thousands of people are hitting the
same webpage, the same services still work, just with more resources provisioned and at
greater cost.

16
Advantages of the Cloud: Global Reach

AWS already spans the globe and has built out a network of edge servers in all major metro areas; put
that to work for you rather than reinventing it.

17
Advantages of the Cloud: Economy of Scale

AWS benefits from economy of scale by running massive amounts of computing with fixed overhead
costs, personnel costs, and facilities costs and can pass those savings on to you, making compute
resources in the cloud cheaper than their On Premises counterparts for anything but the largest
scales.

18
Advantages of the Cloud: Focus

Opportunity Cost: when you choose to focus energy, time, and resources on addressing a certain
issue, you are choosing not to spend that energy, time, and resources on something else that could be
more revenue-generating, referred to as the “opportunity cost”.

Example:

An engineer works at your company. A hard drive in one of the servers fails and needs to be replaced.
The engineer physically replaces the hard drive, runs a restore, then spends days configuring RAID so
this does not happen again.

Or:

We use Simple Storage Service (S3) to store files with 99.999999999% durability. The engineer uses
their day to code a new feature for the software that users love.
19
Questions?
AWS Cloud
Economics

CapEx, OpEx, and TCO


CapEx - Capitalizable Expenses

● Upfront costs that are paid at the outset, therefore needing capital.
● “We are going to start a server farm and it needs five hundred Dell servers all running licensed
Windows.”
● That’s six or seven figures before you write your first line of code.

22
OpEx - Operational Expenses

● Ongoing costs that are paid over time (usually monthly) like salaries, bills, and utilities to keep a
service operating.
● “Our 500-server Dell farm requires two on-staff systems engineers across three shifts, costs
$150,000 a month to power, and $80,000 in bandwidth costs for traffic.”

Or

“Our 500 c4.large servers cost $60,000 a month in AWS bill to run.”

23
TCO- Total Cost of Ownership

● The entire price paid for the whole effort, combining up-front CapEx with ongoing OpEx on a
recurring basis.
● “This server farm will cost us $1,000,000 initially and also $350,000 per month”
● “This selection of AWS EC2 instances (individual virtual servers) will cost us $60,000 per month
with no upfront costs”

24
TCO Includes:

● Equipment costs
● Software licensing fees (Windows and Oracle among others)
● Salaries (OpEx) & cost of job search finding those people (CapEx)
● Facility Fees (power, A/C, rent)
● Network fees (internet bandwidth)

25
AWS Transforms CapEx into OpEx,
and usually, less of it.
Right-Sized Infrastructure

Via elasticity, by only paying for the resources necessary at any given time, you eliminate waste.

In the 500-server Dell server farm example, there’s no ability to get your money back for all the times
only 100 of the servers are being used. There’s also no ability to summon 500 more servers if
necessary.

27
Benefits of Automation

Elasticity can be automated in ways it can’t with on-premises solutions.

28
Reduce Compliance Scope

Thanks to the Shared Responsibility Model and some help from AWS Artifact, when you are doing a
security audit, you can skip all the sections regarding your physical datacenter and access to it.

If you are using specialized services such as Relational Database Service (RDS) or DynamoDB, the
shared responsibility model covers even more, and you can skip straight to the parts about protecting
customer data.

29
Questions?
Design
Principles

Designing for Failure


Modularity
Decouple components rather than designing
Monoliths

Monolith:

● One massive Ruby on Rails server that acts as a database host, mail-sending server, web
application server, API call server, and image storage

Decoupled components:

● A farm of highly available small Ruby on Rails servers that act as application servers
● SES (Simple Email Service) for email sending
● RDS for a MySQL database
● S3 for image storage
● API Gateway that calls Lambdas for API hosting functionality

33
Use the right service for the job.
Calculating Failure Rates

The total reliability/availability of a service is the availability (the 9’s) of every service it relies upon
multiplied together.

● Lambda has availability of 99.95% as measured in five minute increments
● S3 Infrequent Access (IA) Storage class has availability of 99.9%

A Lambda that writes a file to an IA S3 bucket has a 99.0% availability.
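The product rule above, carried through with the slide’s own Lambda and S3 IA figures, as an added example that is not part of the slides: a helper that multiplies per-hop availabilities and converts the result into minutes of downtime per 30-day month (the same conversion behind the 43- and 4-minute figures earlier in the deck).

```python
# Added example (not from the slides): composite availability of a chain of
# dependencies using the product rule, and the conversion of an availability
# figure into minutes of downtime per month.

from typing import Dict, Iterable

# Assumed 30-day month, consistent with the 43-minute (99.9%) and
# 4-minute (99.99%) figures used earlier in the deck.
MINUTES_PER_MONTH = 30 * 24 * 60


def composite_availability(dependencies: Iterable[float]) -> float:
    """Multiply the availability (as a fraction, e.g. 0.9995) of every
    component a request must pass through. Any single component being down
    fails the whole request, so the product is the most the composed
    service can promise."""
    result = 1.0
    for a in dependencies:
        if not 0.0 <= a <= 1.0:
            raise ValueError(f"availability must be a fraction in [0, 1], got {a}")
        result *= a
    return result


def downtime_minutes_per_month(availability: float) -> float:
    """Unavailability is 1 - availability, scaled to a 30-day month."""
    return (1.0 - availability) * MINUTES_PER_MONTH


def nines(availability: float) -> str:
    """Render a fraction as the percentage 'nines' figure used on the slides."""
    pct = f"{availability * 100:.4f}".rstrip("0").rstrip(".")
    return pct + "%"


def report(chain: Dict[str, float]) -> Dict[str, object]:
    """Summarise a request path: per-hop availability, the product, and the
    monthly downtime budget that product implies."""
    total = composite_availability(chain.values())
    return {
        "hops": {name: nines(a) for name, a in chain.items()},
        "composite_fraction": total,
        "composite": nines(total),
        "downtime_minutes_per_month": round(downtime_minutes_per_month(total), 1),
    }


if __name__ == "__main__":
    # Figures from the slide: Lambda 99.95%, S3 Infrequent Access 99.9%.
    lambda_to_s3_ia = {"Lambda": 0.9995, "S3 Infrequent Access": 0.999}
    print(report(lambda_to_s3_ia))
    # The deck's single-service figures, for comparison.
    for a in (0.999, 0.9999):
        print(nines(a), "=", round(downtime_minutes_per_month(a), 1), "min/month")
```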

35
Design For Failure

● Because different AWS services are independent (atomic) units, parts of your application might go
down while the rest remain up.
● HTTP request -> API Gateway -> Lambda -> SQS Queue -> Lambda -> DynamoDB
● Design your system to be resilient so that the most satisfactory behavior is still followed even if
one of these components is currently down.

36
Think Parallel

● Could there be two EC2 servers in an Elastic Beanstalk pool rather than one?
● Could there be a failover replica of the database in another region?

37
Questions?
AWS Cloud
Adoption
Framework
(CAF)

A new “official” AWS ruleset for how to adopt the cloud
Basics of the Cloud Adoption Framework (CAF)

● New to the test in September 2023.
● Short version: “Here are some principles that you can use when you do adopt the cloud.”
● Everything I taught in the last several chapters still applies.
● You continually go through four phases across four domains across six perspectives.

40
Six Categories and Lifecycle of the CAF

41
Four Phases of the CAF

● Envision: in other words, plan/identify. Brainstorm the things the cloud can make better.
● Align: get your ducks in a row across different departments. 🦆🦆🦆🦆
● Launch: small pilot phase
● Scale: take the small pilot from the last phase and adopt it at scale

Then, lather, rinse, repeat!

42
Four “Transformation Domains”

● Technology
● Process
● Organization
● Product

43
Six “Perspectives”

● Business
● People
● Governance
● Platform
● Security
● Operations

44
Questions?
The
Difference
Between
Serverful &
Serverless
Serverful: There is an application running on a Server

● The most basic and essential AWS service is EC2, which is virtual servers. They are virtualized
machines that run in the cloud.
● They have operating systems.
● They have users and groups and permissions.
● They can do general purpose computing.
● They can be remotely accessed to do work on them.
● They can (and probably will) be attacked.
Serverless: There is a service being provided that is abstracted away from any particular server

● Serverless services, while of course at the end of the day they do run on servers, abstract
away the reality of operating systems, groups and users and permissions, and configuration
details to simply perform some service in response to requests.
● They are associated with scalability and elasticity.
● They tend to charge by the individual request.
● They are harder to attack and compromise.
● They have specialized purposes rather than general purpose computing.

48
Examples of Serverful Services

● EC2
● Elastic Beanstalk
● RDS
● Elasticache
● Lightsail
Examples of Serverless Services

● Lambda
● DynamoDB
● Aurora Serverless
● Simple Storage Service (S3)
● Simple Notification Service (SNS)
● Simple Queuing Service (SQS)
In general, prefer serverless
services to serverful ones.
Questions?
On-Demand,
Reserved,
Spot

Three ways to buy resources
On-Demand

● With On-Demand you pay for the amount of time that your server is running. (If the server is
stopped/off you do not pay.)
● It is expressed in a cost per hour. For example, as of the time of writing these slides, a c4.large
costs 3.8¢ per hour to run.
● Costs can be reduced by running the minimal elastic servers needed to meet demand at any
particular time, and by turning servers off when they are not needed (for instance, the
development environment at the end of the workday).

54
Reserved

● Pay a larger fee up front to commit to pre-buying an instance for a term of one or three years, at
a savings of roughly 40%.
● Costs cannot be reduced after the commitment.
● A wise strategy is to reserve the servers you know will always be on. For example, if you are
running an Elastic Beanstalk pool that can scale down to two servers but under periods of high
load is allowed to scale as high as 16, purchase two reserved instances since at least two
servers will always be running to serve the bare minimum of requests.
● They do not need to consistently be the same two servers.

55
Spot

● A live bidding auction that asks for your service to only run when the price of computing falls
below a certain threshold.
● E.g. I am not interested in paying 3.8¢ per hour for my c4.large to run. Instead I will bid at 3.6¢
per hour. I am willing to wait and possibly have my service not run if computing remains
expensive, but if AWS has extra capacity to spare at any given moment, they will auction it off to
those who bid highest, and those spot instances will run.

56
On-Demand Use Case

● “I am playing with a new server pool. I don’t know how big it needs to be yet.”
● “I am spinning up a new database from a snapshot so I can run some historical reports on it,
then I’ll be deleting it later.”
● “My Elastic Beanstalk server pool can oscillate from two to eight servers in size. It will rarely
need the full eight. I’ll buy some of those on-demand so I only pay when they’re necessary.”

57
Reserved Use Case

● “My Elastic Beanstalk pool can oscillate from two to eight servers depending on load. At a
minimum, though, there needs to be two servers running to redundantly serve traffic even if
demand is low. Since I will always have at least two servers running, I will reserve two
instances.”
● “The database server RDS is central to our application and is always on and there is no reason
for it to ever turn off or go away. I will reserve one database instance for one year.”

58
Spot Use Case

“I have a large neural network ML model to train. It is going to cost me approximately $160,000 in
computing costs to process the entire training data set. It is not important to me when it gets done but
even a slight savings on computing time will be significant. I will ask for servers that only run when the
price of compute falls below 2¢ per hour and if it takes months for me to get my turn so be it.”

59
Questions?
Organizations

Consolidated Billing
Organizations: Several Accounts Under One Roof

● Organizations bring several AWS accounts together under one entity.
● One AWS Organization is billed as one entity, but its budgeting and appropriation is per-account
within that organization.
Popular Ways to Use Organizations

By environment:

● Separate out the budget for production from the budget for running development environments

By department:

● Separate out the budget for Product to use resources as opposed to Marketing and Development
and Operations

By developer:

● Christie has a budget of $100 she can use in a sandbox to try out new services and agile-ly
experiment; so does Clayton. Neither can run up a bill of thousands on their own.

63
Questions?
Support

How to get help with your account and how you pay for it
Support Basics

● Available in five tiers
● Has a different SLA (response time) depending on severity of business impact
○ “I have a billing question.”
○ “THE WHOLE US-EAST-1 IS DOWN ARGLEBARGLE MY BUSINESS IS DOWN”
● Has “cases” that are resolved individually
● Three methods of interaction
○ Phone call
○ Email
○ Live Chat with a representative (my favorite)

66
Trusted Advisor

Automated service that identifies common mistakes or warning signals in your AWS account

67
Basic Support: The Default

● Support only covers Customer Service
● Access to basic Trusted Advisor
● Free
● In my experience they can’t help with very much aside from very basic billing.

68
Developer Support

● $29/mo or 3% of bill, whichever is greater
● 24-hr SLA for general guidance, 12-hour SLA for system impairment
● General Architectural Guidance
● I use this at most of my startups

69
Business Tier Support

● $100/month or 10% of bill (0-10K) + 7% of bill (10K-80K) + 5% of bill (80K-250K) + 3% of bill
(over 250K), whichever is greater
● Full suite of Trusted Advisor checks
● Architectural guidance: Unique to your use-cases
● General guidance: < 24 hours
● System impaired: < 12 hours
● Production system impaired: < 4 hours
● Production system down: < 1 hour

70
Enterprise On Ramp Tier Support

● $5,500/month or 10% of bill, whichever is greater
● Full suite of Trusted Advisor checks
● Architectural guidance: Consultative review
● Technical Account Managers provide proactive guidance
● General guidance: < 24 hours
● System impaired: < 12 hours
● Production system impaired: < 4 hours
● Production system down: < 1 hour
● Business-critical system down: < 30 minutes

71
Enterprise Tier Support

● $15,500/month or 10% of bill (0-150K) + 7% of bill (150-500K) + 5% of bill (500K-1M) +3% of bill
(over 1M), whichever is greater
● Full suite of Trusted Advisor checks
● Prioritized Trusted Advisor checks curated by your team
● Architectural guidance: Consultative review
● Technical Account Managers provide proactive guidance
● Business-critical system down: < 15 minutes

72
All tiers include:

● Some level of Trusted Advisor
● Customer-service-level help via the three communication mediums
● Personal Health Dashboard: it’s an instantiated status.aws.amazon.com that reports specifically
on outages that are relevant to the services you use
● Communities
● Documentation
● White Papers

73
Questions?
Budgets and
Tags
Understanding Budgets

● Budgets can’t actually stop you from spending money.
● They can warn you when you’re about to spend money.
● If you spend money in excess of your budget you’ll still be billed for it.

76
Budget Use Case

“For the last few months, my AWS bill has been around $2,500. It has been as low as $2,300 and as
high as $2,600. If it was to go over three grand, though, something has gone wrong. I will institute a
budget for $3,000 and be warned if my bill surpasses this amount.”

77
Sample Budget from my AWS account

78
Savings Plans

● An alternative to Reserved Instances that does not care about region or type of instance.
● More flexible than Reserved Instances, newer.

79
Helpful Templates for Common Use-Cases

80
Tags

● Tags, like Organizations, help you separate out different costs and spends. You can set a budget
for a specific tag (“Alert me if things tagged Christie or Staging-Area are forecasted to exceed
$500”).
● Any resource in AWS can be tagged. Individual servers, individual DynamoDB tables, individual
Lambdas.

81
Tags Continued

82
QuickSight for Budgeting

Is a BI (business intelligence) tool but can also be used to report on Budgets and Costs.

83
The “Concierge” team unlocked at Enterprise Tier…

Specializes in assisting with lowering your bill and working on budgets and costs to keep your monthly
spend as low as possible.

84
AWS Pricing Calculator Demo
Questions?
Cost Explorer

Live Walkthrough
Questions?
The Shared
Responsibility
Model
Formal Definition
Security and Compliance is a shared
responsibility between AWS and the customer.
This shared model can help relieve the
customer’s operational burden as AWS
operates, manages and controls the
components from the host operating system and
virtualization layer down to the physical security
of the facilities in which the service operates.
The customer assumes responsibility and
management of the guest operating system
(including updates and security patches), other
associated application software as well as the
configuration of the AWS provided security
group firewall.
AWS’s Responsibility

● Facility Management
● Personnel Management
● Physical Security of the Datacenter
● Separating compute assets and network
traffic so that even on shared hardware, no
customers’ data ever crosses lines
● Accurately enforcing those rules which you
do specify
Your Responsibility

● Accurately specifying the rules you wish to be enforced
● Patching the operating systems and
software of servers you run
● Protecting and safeguarding customer
data
Example

● A bad packet arrives on port 5432 and crashes your server.
● If you left that port open, that’s on you.
● If you specified that you wanted all network traffic blocked on that port and it somehow made it in
anyway (never happens in practice) that would theoretically be on AWS.

93
Example Part II: S3 Bucket
Permissions
As you move from generalized computing to specialized services, the SRM (Shared Responsibility
Model) changes

● When you are using general purpose computing (EC2s, which run their own operating systems)
you have to keep their OS and software patched and updated; you have to administer users and
groups; and you have to manage security groups.
● When you move one level more specialized to a service like RDS (databases-as-a-service),
AWS takes over some of this and reduces your exposure.

95
Questions?
AWS Artifact

Compliance &
Documentation
Amazon’s documentation about its half of the SRM lives in AWS Artifact

● Swift
● Sarbanes Oxley
● PCI
● ISO
● Tax Forms
● Country-Specific Matters
● Policies & Procedures, Security Audits

98
Note about HIPAA

● HIPAA compliance is on a service by service basis.
● If you need a Business Associate Agreement (BAA) those can be found in Artifact.

99
AWS Artifact Walkthrough
Questions?
Encryption

At-rest and in-transit


At-Rest Encryption

● Means the data is stored in an encrypted state when it is being left alone on a hard disk or in
storage of some kind.
● EBS (Elastic Block Store): enabled via a checkbox
● RDS (Relational Database Service): enabled via a checkbox
● DynamoDB (NoSQL Document Database): enabled via a checkbox

103
In-Transit Encryption

● Data is automatically encrypted as it leaves any AWS facility
● Data is automatically encrypted when it travels between Availability Zones
● Data sent between certain types of EC2s can be encrypted in transit as it travels through the
network within a single availability zone
● Many services such as Lambda and DynamoDB already operate over HTTPS endpoints, so they
are encrypted in transit too.

104
Questions?
Observability

Understand what is
going on in your
account
Cloudwatch

● All logs generated by the operation of individual AWS services are aggregated here
● Logs generated on specific servers need to be collected via Cloudwatch Logs Agent
● Metrics
● Alarms

107
Alarms can be in three states

● OK: the metric is below the threshold
● ALARM: the metric is above the threshold
● INSUFFICIENT_DATA: the metric is not being reported (for instance, an AVG metric when there
are no events)
Live CloudWatch Demo
CloudTrail vs. Cloudwatch

● CloudTrail logs all configuration changes to AWS resources along with the IAM information of
who took the operation.
● CloudTrail needs to be enabled, unlike CloudWatch, which collects logs by default
● CloudWatch would log what happens ON your server; CloudTrail would log what happens TO
your server.

110
Live CloudTrail Demo
AWS Config

● AWS Config stores historical data about server configurations and can go back in time to see
what a server looked like on a given day.
● It can also track compliance across servers.

112
Questions?
Root Account
vs. IAM
Root Account: When you log in with email & pw

115
IAM: When you log in with account id, user name &
pw

116
Legitimate reasons to log in as root

● Change core account settings like account info
● Delegate the IAM permission to view Billing information
● Changing your root password
● To enable MFA on the root account
● Initially, to create a different IAM user you can use going forward
● Ask for access to restricted regions (GovCloud)
● Close your account

117
Never use Root Account otherwise.
Should Root Account have MFA enabled?

119
I was wondering if I would ever not enable MFA on my root account-

120
Questions?
Understanding
IAM

Users, groups, policies, and roles
IAM Users

● Can log in
● Can have console passwords
● Can have programmatic API access keys
● Can have policies attached directly
● Can belong to groups
● Can assume roles

123
IAM Policies

Say that an entity is ALLOWed or DENYed to perform a given operation on a given resource.

124
IAM Groups

● Can have policies attached directly
● Conflicting policies, DENY takes precedence

125
IAM Roles

● SUPERSEDE user and group policies
● You become acting “as” the role for as long as it’s assumed
● Preferred in complex setups and for Organizations
● Can be directly attached to servers and services
○ “This EC2 has the right to upload images to S3”
○ “This CodePipeline has the right to deploy CloudFormations”
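The evaluation rule from the IAM Policies and IAM Groups slides (an explicit DENY beats any ALLOW; no matching statement means an implicit deny), shown as an added example that is not part of the slides or of AWS. It pools every statement attached to a principal, whether directly, via a group or via an assumed role, and evaluates one request against them; the bucket names are constructed, and real IAM additionally considers SCPs, permission boundaries, resource policies and conditions, which are left out here.

```python
# Added example (not from the slides or AWS): a deliberately simplified IAM
# evaluator. Explicit Deny wins over Allow; with no matching statement the
# request is implicitly denied. Conditions, NotAction/NotResource, SCPs and
# resource-based policies are intentionally omitted.

from fnmatch import fnmatchcase
from typing import Dict, List


def _matches(pattern: str, value: str) -> bool:
    """IAM actions and resources accept '*' wildcards; fnmatchcase gives
    case-sensitive glob matching without hand-written regexes."""
    return fnmatchcase(value, pattern)


def _as_list(v) -> List[str]:
    return [v] if isinstance(v, str) else list(v)


def _statement_applies(statement: Dict, action: str, resource: str) -> bool:
    actions = _as_list(statement.get("Action", []))
    resources = _as_list(statement.get("Resource", []))
    return any(_matches(a, action) for a in actions) and any(
        _matches(r, resource) for r in resources
    )


def evaluate(policies: List[Dict], action: str, resource: str) -> str:
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request,
    considering every statement of every policy attached to the principal."""
    allowed = False
    for policy in policies:
        for statement in policy.get("Statement", []):
            if not _statement_applies(statement, action, resource):
                continue
            if statement["Effect"] == "Deny":
                return "explicit_deny"   # DENY takes precedence: stop here
            if statement["Effect"] == "Allow":
                allowed = True           # keep scanning; a later Deny still wins
    return "allow" if allowed else "implicit_deny"


# Constructed sample policies with hypothetical bucket names.
# A group policy: developers may do anything to objects in the images bucket.
DEVELOPER_GROUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-app-images/*"}
    ],
}
# A guardrail attached to the same user: nobody deletes from that bucket.
GUARDRAIL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": "s3:DeleteObject",
         "Resource": "arn:aws:s3:::example-app-images/*"}
    ],
}
ATTACHED = [DEVELOPER_GROUP_POLICY, GUARDRAIL_POLICY]

if __name__ == "__main__":
    for action, res in [
        ("s3:PutObject", "arn:aws:s3:::example-app-images/cat.png"),
        ("s3:DeleteObject", "arn:aws:s3:::example-app-images/cat.png"),
        ("s3:PutObject", "arn:aws:s3:::payroll-exports/q1.csv"),
    ]:
        print(f"{action:16} {res:45} -> {evaluate(ATTACHED, action, res)}")
```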

126
IAM Live Walkthrough
Questions?
Overall Q&A on the day
Ask me questions after the fact!

● https://linkedin.com/in/billboulden
● https://twitter.com/downupright

130
Global,
Regions, AZs,
Edge
AWS services exist at one of four tiers

A service is either:

● Global
● Regionally Based
● Availability Zone Based
● Edge Based
Global

A global service is one that is effective worldwide, because it would not make sense for the
“computing” to happen in a specific place.

133
Examples of Global Services

● Route 53: the entire point of DNS is to be worldwide
● Cloudfront: it distributes content to edge locations across the globe
● IAM: saying a user does or doesn’t have these rights or can log into the console or is a member
of groups is not a region-specific thing

134
Region

● A region is a set of datacenters in one area of the globe comprised of several individual
availability zones.
● Most abstract and serverless services are regional.
● Sample regions include us-east-1 (Virginia), us-east-2 (Ohio), ap-southeast-2 (Sydney),
eu-west-2 (London).
● There are two special regions you need to be granted special allowance to: China (which
requires its own account and cannot coexist with a non-China account) and US GovCloud.

135
Examples of Regional Services

● S3
● Lambda
● Kinesis
● DynamoDB
● SNS
● SQS

136
Availability Zones

● One or more redundantly connected individual datacenters where things actually run. The
specific locations are not disclosed.
● Most services that are serverful (think: devices that have IP addresses) are instantiated on the
availability-zone level.
● As an example, us-east-2 (Ohio) has three availability zones:
○ us-east-2a
○ us-east-2b
○ us-east-2c

137
Examples of Availability Zone-Based Services

● EC2s
● RDSs
● Elastic Beanstalk
● Elasticache

138
Edge Locations

● AWS maintains a global network of Edge Locations, which is caching infrastructure that holds
files “close” to where users live. Most major metro areas have an Edge Location.
● This prevents cross-global trips for fetching basic data.

139
Examples of Edge Location-Based Services

● Cloudfront (the caching half)


● Lambda @ Edge

140
Questions?
Ways of
Working

Different ways to use AWS
Console

143
The CLI (Command Line Interface)

● You will need an AWS Access Key and the AWS Secret Key that accompanies it
● Download the CLI
● Run “aws configure” once
● Run commands in the format “aws (servicename) (commandname) (details)”
● Example: “aws s3 cp localFile.txt s3://bucket/localFile.txt”

144
API Calls

● Make RESTful GETS, PUTS, POSTS, and DELETES to resources
● Sign calls with a special AWS Signature
Version 4 in the Authorization header
● Kind of a pain :(
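What “sign calls with AWS Signature Version 4” actually involves, as an added example that is not part of the slides or of any AWS SDK: the canonical request, the string to sign, the derived signing key, the Authorization header, and the constant-time check a receiving side performs. The access key, secret key and timestamp are the placeholder values AWS uses in its own SigV4 documentation example, not live credentials; the request itself is constructed.

```python
# Added example (not from the slides or any AWS SDK): AWS Signature Version 4
# for a GET request, built by hand, plus verification on the receiving side.
# All credentials, hosts and timestamps are placeholders.

import hashlib
import hmac
from typing import Dict, Tuple
from urllib.parse import quote


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, date: str, region: str, service: str) -> bytes:
    """Derive the day/region/service-scoped key. The long-term secret is used
    only at the root of this chain, so what is compared on the wire is never
    a direct HMAC under the secret itself."""
    k_date = hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date)
    k_region = hmac_sha256(k_date, region)
    k_service = hmac_sha256(k_region, service)
    return hmac_sha256(k_service, "aws4_request")


def canonical_request(method: str, path: str, query: Dict[str, str],
                      headers: Dict[str, str], payload: bytes) -> Tuple[str, str]:
    """Step 1: a fixed, byte-exact text form of the request. Any change to the
    method, path, query, signed headers or body changes this string and
    therefore the signature."""
    canon_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
        for k, v in sorted(query.items())
    )
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    canon_headers = "".join(f"{k}:{lower[k]}\n" for k in sorted(lower))
    signed_headers = ";".join(sorted(lower))
    text = "\n".join([
        method.upper(),
        quote(path, safe="/-_.~"),
        canon_query,
        canon_headers,
        signed_headers,
        sha256_hex(payload),
    ])
    return text, signed_headers


def sign(access_key: str, secret_key: str, region: str, service: str,
         method: str, path: str, query: Dict[str, str],
         headers: Dict[str, str], payload: bytes = b"") -> str:
    """Return the Authorization header value. 'headers' must already contain
    host and x-amz-date (format YYYYMMDDTHHMMSSZ)."""
    amz_date = headers["x-amz-date"]
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    canon, signed_headers = canonical_request(method, path, query, headers, payload)
    # Step 2: the string to sign binds algorithm, timestamp, scope and request hash.
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope, sha256_hex(canon.encode("utf-8"))]
    )
    # Step 3: HMAC the string to sign under the derived key.
    signature = hmac.new(signing_key(secret_key, date, region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
            f"SignedHeaders={signed_headers}, Signature={signature}")


def verify(expected_secret: str, region: str, service: str, method: str,
           path: str, query: Dict[str, str], headers: Dict[str, str],
           payload: bytes, presented_authorization: str) -> bool:
    """What a receiver does: recompute from its own copy of the secret and
    compare in constant time, so a tampered request or forged header fails."""
    access_key = presented_authorization.split("Credential=")[1].split("/")[0]
    recomputed = sign(access_key, expected_secret, region, service,
                      method, path, query, headers, payload)
    return hmac.compare_digest(recomputed, presented_authorization)


# Constructed request; the credentials and timestamp are the placeholder
# values from AWS's own SigV4 documentation example, not live secrets.
EXAMPLE = dict(
    access_key="AKIDEXAMPLE",
    secret_key="wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY",
    region="us-east-1", service="iam", method="GET", path="/",
    query={"Action": "ListUsers", "Version": "2010-05-08"},
    headers={"host": "iam.amazonaws.com", "x-amz-date": "20150830T123600Z"},
)

if __name__ == "__main__":
    print(sign(**EXAMPLE))
```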

145
Javascript SDK

146
Other SDKs (one for most languages)

● Python SDK referred to as Boto
● Ruby
● .NET
● Rust
● Go
● Java
● And many more!

147
CloudFormation

Infrastructure as code. Specify the resources you wish to be created in a template file and AWS will
spin them up.

Update the template file (called a Stack) and the resources will also update.

148
Questions?
Networking
Basics

VPCs, Subnets, and more
CIDR (Classless Inter Domain Routing)

● A way of writing IP addresses. The number N after the slash essentially says “the last N bits of
this IP address are wildcard.” Remember, one number = 8 bits.
● 10.10.0.0/16 -> the last 16 bits are wildcard -> basically means 10.10.0.0 thru 10.10.255.255.
● 192.168.0.0/8 -> the last 8 bits are wildcard -> basically means 192.168.0.0 thru 192.168.0.255

151
VPC (Virtual Private Cloud)

● Virtually reserves an IP range for your private usage.


● There are three IP umbrellas you’ll see over and over again:
○ Class A: 10.0.0.0 to 10.255.255.255
○ Class B: 172.16.0.0 to 172.31.255.255
○ Class C: 192.168.0.0 to 192.168.255.255
● Within a VPC, traffic is private.

152
Subnets

● Reserve a particular subset of a VPC’s CIDR for application to a particular availability zone.
● Sample setup:
○ The entire VPC is 10.0.0.0/24
○ But a subnet of it is 10.10.1.0/8 covering us-east-2a.
● Devices in us-east-2a will get IP addresses such as 10.10.1.6 and the like.
● The first four and final IP addresses in a subnet are reserved for routing purposes.

153
Network ACLs

● Each Subnet has an associated Network ACL. This is a set of rules about protocols and ports
that are allowed to traverse within that subnet.
● Network ACLs are made up of precedence-ordered ALLOW and DENY statements that say that
certain ports or protocols to given sources can traverse the network.
● 1 Allow HTTPS 10.10.1.6
● 2 Allow SSH 10.10.1.6
● 100 DENY all, all
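The CIDR, subnet and Network ACL slides above, worked through as an added example that is not part of the slides: pure integer math that turns a block like 10.10.1.0/24 into its first and last address and a membership test, lists the usable addresses once AWS’s first-four-and-last reservation is applied, and evaluates a precedence-ordered ACL like the one above (lowest rule number that matches wins, implicit deny otherwise). The rule numbers and source address are the slide’s; the ports 443/22 are what HTTPS/SSH imply. Real Network ACLs are stateless and evaluated per direction with protocol and port ranges, which this simplified version leaves out.

```python
# Added example (not from the slides): IPv4 CIDR arithmetic, AWS subnet
# address reservations, and first-match evaluation of a Network ACL.

from typing import List, NamedTuple, Optional, Tuple


def ip_to_int(ip: str) -> int:
    parts = [int(p) for p in ip.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"not an IPv4 address: {ip}")
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def cidr_range(cidr: str) -> Tuple[int, int]:
    """Prefix length P fixes the first P bits; the remaining 32-P bits vary,
    so the block runs from (address & mask) to (address | ~mask)."""
    ip, prefix_text = cidr.split("/")
    prefix = int(prefix_text)
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length in {cidr}")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    first = ip_to_int(ip) & mask
    last = first | (~mask & 0xFFFFFFFF)
    return first, last


def cidr_contains(cidr: str, ip: str) -> bool:
    first, last = cidr_range(cidr)
    return first <= ip_to_int(ip) <= last


def usable_addresses(subnet_cidr: str) -> List[str]:
    """AWS reserves the network address, the VPC router, the DNS resolver,
    one spare address, and the broadcast address: the first four and the
    last address of every subnet, as the Subnets slide states."""
    first, last = cidr_range(subnet_cidr)
    return [int_to_ip(n) for n in range(first + 4, last)]


class NaclRule(NamedTuple):
    number: int            # precedence: lower numbers are checked first
    effect: str            # "ALLOW" or "DENY"
    port: Optional[int]    # None means every port
    source: str            # CIDR; "0.0.0.0/0" means any source


def evaluate_nacl(rules: List[NaclRule], port: int, source_ip: str) -> str:
    """Rules are checked in ascending rule-number order and the first match
    decides. If nothing matches, the implicit final rule denies."""
    for rule in sorted(rules, key=lambda r: r.number):
        port_ok = rule.port is None or rule.port == port
        if port_ok and cidr_contains(rule.source, source_ip):
            return rule.effect
    return "DENY"


# The slide's three rules: HTTPS and SSH from one host, then deny everything.
SLIDE_NACL = [
    NaclRule(1, "ALLOW", 443, "10.10.1.6/32"),
    NaclRule(2, "ALLOW", 22, "10.10.1.6/32"),
    NaclRule(100, "DENY", None, "0.0.0.0/0"),
]

if __name__ == "__main__":
    lo, hi = cidr_range("10.10.0.0/16")
    print("10.10.0.0/16 spans", int_to_ip(lo), "to", int_to_ip(hi))
    usable = usable_addresses("10.10.1.0/24")
    print(len(usable), "usable addresses, first", usable[0], "last", usable[-1])
    for port, src in [(443, "10.10.1.6"), (22, "10.10.1.6"), (443, "10.10.1.7"), (80, "10.10.1.6")]:
        print(f"port {port:3} from {src}: {evaluate_nacl(SLIDE_NACL, port, src)}")
```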

154
Route Tables

● Each subnet has an associated Route Table. A Route Table says where traffic routes to.
● For instance:
○ Route all traffic matching 10.10.1.0/16 locally
○ Route all traffic matching 0.0.0.0/0 to the NAT Gateway

155
Internet Gateway

● A two-way configuration that allows traffic in from the public internet and out from the VPC.
● Use with a route table to create publicly accessible resources.

156
NAT Gateway

● A one-way virtual appliance that allows traffic from inside the VPC out to the public internet but
does not route traffic from the public internet back in.
● Is secretly an EC2 instance.

Elastic IP

A free-standing public IP address that can be associated with different devices without needing to
relinquish the IP address should the server change.

Security Groups

Abstract classifications of servers that can be used in conjunction with EC2s and RDSs to allow some
kinds of connections and deny others.
Live VPC Walkthrough
Questions?
EC2
Virtual Computing

● A virtual machine is a hardware (real) server pretending to be another server.
● One real server can host hundreds of virtual servers.
● They have Virtual CPUs for processing instructions and Virtual RAM for memory.
● Virtual servers can also change which machines are currently servicing them. They could be
running off of one piece of real hardware, then smoothly transfer to another, different real machine.
EC2

● Elastic Compute Cloud (EC2) is the most important AWS service. It creates virtual servers from
AMIs (Amazon Machine Images) and allocates them computing resources.
● You can do virtually anything with an EC2. By installing specific software on it, you can make it
into any kind of server.
● Remember that if AWS offers “Thing As A Service”, it is more correct to use that specific service
than to recreate the service by building from the ground up on an EC2.
AMI (Amazon Machine Image)

● The pre-installed operating system as well as pre-installed software packages that the server will
be “born with.”
● Amazon Linux
● Microsoft Windows (license fees included in server costs)
● Mac OS
● Other Linux distributions (Ubuntu, Red Hat, SUSE, more)
● Marketplace: vetted by Amazon
● Community: use at your own risk

Class - generation - size

● For example, r5.large or t2.nano
● The first letter is the class: the family of servers it belongs to
● The number is the generation: how recent it is; higher numbers are newer
● The third word is the size: how much of it you’re getting; each size tends to be double the
allocated resources of the previous size
Commonly Used Classes

● M (stands for Medium): an even distribution of resources
● R (stands for RAM): allocates larger amounts of RAM with less focus on CPUs
● C (stands for CPU): allocates more virtual processors with less focus on RAM
● G (stands for Graphics Card): machines will have access to a real NVIDIA or AMD graphics
processor
● I (stands for Input/output focused): allocates strong disk performance
● T (doesn’t stand for anything): saves up unused CPU cycles in a credit balance that can be
borrowed against when the server comes under heavier load; ideal for web servers
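An added example, not from the slides, that parses the class-generation-size naming scheme of the two preceding slides and turns the “each size is double the previous one” rule into a comparison. It goes slightly beyond the slide in that real family names can be more than one letter and can carry attribute letters after the generation digit (m6g, c5n), so the constructed regex allows both; the size ladder is the standard nano through xlarge sequence with Nxlarge meaning N times an xlarge.

```python
import re

# Constructed regex for the class-generation-size naming scheme, e.g. r5.large.
INSTANCE_TYPE = re.compile(
    r"^(?P<family>[a-z]+)(?P<generation>\d+)(?P<attributes>[a-z-]*)"
    r"\.(?P<size>\d*xlarge|nano|micro|small|medium|large)$"
)

# Ascending sizes; AWS roughly doubles vCPU and RAM at each step.
SIZE_LADDER = ["nano", "micro", "small", "medium", "large", "xlarge"]


def parse_instance_type(name: str) -> dict:
    """Split 'r5.large' into its family, generation, attribute letters and size."""
    m = INSTANCE_TYPE.match(name.lower())
    if not m:
        raise ValueError(f"not an EC2 instance type: {name!r}")
    return {
        "family": m["family"],
        "generation": int(m["generation"]),
        "attributes": m["attributes"],
        "size": m["size"],
    }


def size_units(size: str) -> int:
    """Relative capacity in 'nano' units: each rung of the ladder doubles the
    previous one, and an Nxlarge is N times an xlarge."""
    if size in SIZE_LADDER:
        return 2 ** SIZE_LADDER.index(size)
    m = re.fullmatch(r"(\d+)xlarge", size)
    if m:
        return int(m[1]) * 2 ** SIZE_LADDER.index("xlarge")
    raise ValueError(f"unknown size: {size!r}")


def compare_sizes(a: str, b: str) -> float:
    """How many times larger instance type a is than b (same family assumed)."""
    return size_units(parse_instance_type(a)["size"]) / size_units(parse_instance_type(b)["size"])


if __name__ == "__main__":
    for name in ["r5.large", "t2.nano", "m6g.2xlarge"]:
        print(name, "->", parse_instance_type(name))
    print("r5.2xlarge is", compare_sizes("r5.2xlarge", "r5.large"), "x an r5.large")
```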
Live EC2 Walkthrough
Questions?
Databases as a Service

RDS, ElastiCache, and more
RDS - Relational Database Service

● SQL, relational databases as a service
● In the Shared Responsibility Model, you no longer need to administer the servers (let AWS do it),
but you still need to protect customer data and choose encryption responsibly
● MariaDB, MySQL, PostgreSQL
● Microsoft SQL Server and Oracle (license fees included in cost of server)
● Instantiates redundantly across multiple availability zones
ElastiCache

● Redis or memcached as a service
● Key-value store
● Often scales extremely well despite not technically being serverless
DynamoDB

● Serverless document database-as-a-service
● Calls tables “Tables” and rows “Items”
● Rows are secretly JSON
● Do NOT just leap in without understanding indexing first
Redshift

● Data Warehouse
● Offers serverless option
● Use any SQL client to query
● Built-in Machine Learning

Special Purpose Databases

● Won’t be on the exam
● Neptune: Graph database
● Quantum Ledger Database (QLDB): Immutable, chronological ledger data store
● Amazon Managed Blockchain: Hyperledger Fabric or Ethereum
Live RDS Walkthrough
Questions?
EC2 Advanced Serving

Load Balancers, Auto Scaling, and Elastic Beanstalk
Auto Scaling

● Auto Scaling creates “pools” of interchangeable servers based off of a template.
● Configure one server to behave as expected, save it as an AMI, and then new ones can be spun
up.
● An Auto Scaling group has configuration parameters:
○ In each of several availability zones:
■ A minimum number of servers that can be running at any given time
■ A maximum number of servers that can be running at any given time
○ A “scaling policy” that tracks a metric (e.g. CPU usage over time) that determines when it is
time to make more servers or remove servers
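An added example, not part of the slides, that walks the scaling policy just described through a constructed series of CPU readings. The decision rule is a simplified target-tracking policy (scale the fleet in proportion to how far the metric is from its target, then clamp to the group’s minimum and maximum); it is not AWS’s exact algorithm, and the AZ names and readings are made up for the example.

```python
from __future__ import annotations

import math


def desired_capacity(current: int, metric: float, target: float,
                     minimum: int, maximum: int) -> int:
    """Simplified target-tracking decision (constructed, not AWS's exact algorithm):
    if the fleet averages `metric` (e.g. 70% CPU) and the policy wants `target`
    (e.g. 50%), scale the fleet proportionally, then clamp to the group's bounds."""
    if current <= 0:
        return minimum
    wanted = math.ceil(current * metric / target)
    return max(minimum, min(maximum, wanted))


def spread_across_azs(total: int, azs: list[str]) -> dict[str, int]:
    """Auto Scaling balances instances across the group's availability zones,
    so losing one AZ only costs you its share of the fleet."""
    base, extra = divmod(total, len(azs))
    return {az: base + (1 if i < extra else 0) for i, az in enumerate(azs)}


def simulate(start: int, readings: list[float], target: float,
             minimum: int, maximum: int) -> list[int]:
    """Capacity after each metric reading, as the scaling policy would walk it."""
    history, current = [], start
    for metric in readings:
        current = desired_capacity(current, metric, target, minimum, maximum)
        history.append(current)
    return history


if __name__ == "__main__":
    # Constructed scenario: 2 servers, CPU spikes, then the traffic quiets down.
    trajectory = simulate(2, [80, 80, 40, 20], target=50, minimum=2, maximum=10)
    print("capacity over time:", trajectory)
    print("final placement:", spread_across_azs(trajectory[-1], ["us-east-2a", "us-east-2b", "us-east-2c"]))
```

The clamp is what turns the pay-as-you-go story into a safety property: a runaway metric can never provision past the maximum you configured, and a quiet night can never scale you below the minimum that keeps each AZ covered.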
Benefits of Auto Scaling

● Resilience/Redundancy/Fault Tolerance
○ If one AZ suffers failures other AZs can cover
○ Each server is individually unremarkable so there is no single point of failure
● Pay-as-you-go pricing at its finest
○ More servers when load demands that you need them, fewer servers when things are
quiet

Load Balancer

● A Load Balancer is a configuration with one IP address that can farm out traffic that reaches it to
any number of individual instances. It’s how you make an Auto Scaling Group pool of 10 servers
all effectively function behind one facade, e.g. MyApp.com.
● When a request arrives at a Load Balancer, it selects one of the devices in the target group and
forwards the request to that server, receives a response, and forwards the response back to the
original requester.

Three Types of Load Balancer

● Classic: these are disfavored and only exist for legacy reasons. Do not use.
● Application: exists at layer 7 of the OSI model. Can inspect and route based on HTTPS traffic
and its properties such as headers and content.
● Network: exists at layer 4 of the OSI model. Cannot inspect or route based on HTTP properties
but can route low level traffic packets like UDP and other protocols.
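An added example (not the slides’ own material) of the two Load Balancer behaviours described above: the layer-7 listener rules an Application Load Balancer applies to pick a target group from the request’s path, and the round-robin over healthy targets that then chooses one instance behind the single facade. The target groups, addresses and rule are constructed sample values.

```python
from __future__ import annotations

from typing import Callable


class TargetGroup:
    """A pool of interchangeable instances (e.g. an Auto Scaling Group) behind one facade."""

    def __init__(self, name: str, targets: list[str]):
        self.name = name
        self.targets = list(targets)
        self.healthy = set(targets)
        self._cursor = 0

    def mark_unhealthy(self, target: str) -> None:
        """Health checks failed: stop sending this target traffic until it recovers."""
        self.healthy.discard(target)

    def mark_healthy(self, target: str) -> None:
        self.healthy.add(target)

    def next_target(self) -> str:
        """Round-robin over healthy targets only."""
        for _ in range(len(self.targets)):
            candidate = self.targets[self._cursor % len(self.targets)]
            self._cursor += 1
            if candidate in self.healthy:
                return candidate
        raise RuntimeError(f"target group {self.name}: no healthy targets")


def choose_target_group(rules: list[tuple[Callable[[dict], bool], TargetGroup]],
                        default: TargetGroup, request: dict) -> TargetGroup:
    """Layer-7 listener rules, as an Application Load Balancer applies them: the
    first rule whose condition matches the request's host/path/headers wins."""
    for condition, group in rules:
        if condition(request):
            return group
    return default


def dispatch(rules, default: TargetGroup, request: dict) -> tuple[str, str]:
    """Route one request: pick the target group, then a healthy target in it."""
    group = choose_target_group(rules, default, request)
    return group.name, group.next_target()


# Constructed sample: MyApp.com serves /api/ from one pool and everything else from another.
WEB = TargetGroup("web", ["10.10.1.10", "10.10.1.11", "10.10.1.12"])
API = TargetGroup("api", ["10.10.2.10", "10.10.2.11"])
RULES = [(lambda r: r["path"].startswith("/api/"), API)]
```

A Network Load Balancer would have no `choose_target_group` step at all, because at layer 4 it never sees the path; it goes straight from the listener port to `next_target`.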
Elastic Beanstalk

● Elastic Beanstalk bundles together EC2s, Auto Scaling Groups, and Load Balancers into one
service that makes web application serving easy.
● It doesn’t do anything you couldn’t do manually by configuring all these services yourself, but it
does so seamlessly and manages deploys of new versions of the app elegantly.
Live Elastic Beanstalk Walkthrough
Questions?
S3
S3 - Simple Storage Service

● Unlimited storage (usually of files) with 99.999999999% durability (the files are intact and their
contents match what was originally written).
● Supports multiple tiers of availability (called Storage Classes).
● The basic unit is called a Bucket and the things in Buckets (usually files) are called Objects that
have Keys (usually filenames).
● You PUT Objects into Buckets and then GET them later by their Key.

Standard Class

● As of the time of writing this presentation, about 2.4 cents per gigabyte per month
● 99.99% availability

Infrequent Access Class

● Half the price of Standard storage
● 99.9% availability
● Mildly slower

Glacier Class

● As of the time of making this presentation, about .4 cents per gigabyte per month
● Files are not on-demand accessible
● First you have to put in a request to retrieve the key you want from deep storage
● Then within four hours you will receive a notification that the files are ready to be accessed
● Ideal for “forever storage”, log files, legacy files
Lifecycles & Replication

● Lifecycles change an Object’s storage class N days into its life
● Replication automatically copies Objects from one bucket into another
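An added example, not from the slides, that models a lifecycle policy over the three storage classes above and prices the result with the per-gigabyte figures the slides quote (Infrequent Access taken as half of Standard). The objects, sizes, ages and the 30/90-day transition schedule are constructed; the point is to see which class each object lands in, what that costs per month, and which objects are no longer readable on demand.

```python
from __future__ import annotations

from dataclasses import dataclass

# Per-GB-month prices quoted on the slides, in cents (Infrequent Access = half of Standard).
PRICE_CENTS_PER_GB_MONTH = {"STANDARD": 2.4, "STANDARD_IA": 1.2, "GLACIER": 0.4}


@dataclass(frozen=True)
class Transition:
    after_days: int        # N days into the object's life ...
    storage_class: str     # ... move it to this class


@dataclass(frozen=True)
class S3Object:
    key: str
    size_gb: float
    age_days: int


def storage_class_at(age_days: int, transitions: list[Transition]) -> str:
    """Objects are born in STANDARD; each transition that has come due moves
    them on, so the latest due transition decides the current class."""
    current = "STANDARD"
    for t in sorted(transitions, key=lambda t: t.after_days):
        if age_days >= t.after_days:
            current = t.storage_class
    return current


def monthly_cost_cents(objects: list[S3Object], transitions: list[Transition]) -> float:
    """Storage cost for one month with every object in its current class."""
    return sum(o.size_gb * PRICE_CENTS_PER_GB_MONTH[storage_class_at(o.age_days, transitions)]
               for o in objects)


def on_demand_readable(obj: S3Object, transitions: list[Transition]) -> bool:
    """Glacier objects need a restore request first, so they are not immediately readable."""
    return not storage_class_at(obj.age_days, transitions).startswith("GLACIER")


# Constructed lifecycle: to Infrequent Access after 30 days, to Glacier after 90.
LOG_LIFECYCLE = [Transition(30, "STANDARD_IA"), Transition(90, "GLACIER")]

if __name__ == "__main__":
    logs = [S3Object("2023/01/app.log", 100, 0), S3Object("2022/11/app.log", 100, 45),
            S3Object("2022/06/app.log", 100, 200)]
    for o in logs:
        print(o.key, storage_class_at(o.age_days, LOG_LIFECYCLE), "readable now:",
              on_demand_readable(o, LOG_LIFECYCLE))
    print("monthly cents with lifecycle:", monthly_cost_cents(logs, LOG_LIFECYCLE),
          "without:", monthly_cost_cents(logs, []))
```

The retrieval-time caveat is the one to keep in mind when a lifecycle rule is applied to data an incident responder may need in a hurry: the cost falls, but the four-hour wait the Glacier slide describes now applies to those objects.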
Live S3 Walkthrough
Questions?
Other, related Storage Services
EBS (Elastic Block Store)

● Disk space-as-a-service
● Can be attached to EC2 Instances
● SSD or HDD based
● 99.999% Availability
● Can’t be easily scaled later (I had a 100 GB hard drive and now need 200 GB)
EFS (Elastic File System)

● Instead of just abstract disk space, it’s specifically file storage
● Attach to EC2s or Lambdas or ECS (containers)
● 99.99% availability, 11 9’s of durability
● Pay-as-you-go for storage space consumed
Snowball

● For one-time massive data uploads as part of a transformation from on-prem to cloud
● Order one to your datacenter and it arrives in 4-6 days
● Upload all your on-premises data onto the Snowball’s disks
● Holds petabytes of data
● Ship it back to AWS
● They transform its contents into an S3 bucket and give you access
Snowmobile

● An armored truck full of Snowballs
● Exabytes of data
● For truly massive one-time on-prem-to-cloud transformations
AWS Storage Gateway

● A bridge between an on-prem data center and cloud storage
● Still run your application locally but keep your files in the cloud
● Supports on-prem caching
● Encryption in transit: it’s like your on-prem network extends to the cloud
Questions?
Quick Hits

A miscellany of services you may have to identify
Lambda

● Code execution as a service.
● Upload code and it runs, and you’re billed by the amount of RAM and computation time it
consumed.
● Serverless and endlessly scalable.
ECS (Elastic Container Service)

Run secure and scalable containers, for container-based applications

EKS (Elastic Kubernetes Service)

Same as ECS but specifically uses the popular Kubernetes framework to orchestrate the containers

Fargate

Containers, completely serverless, no need to orchestrate

Athena

Analyze unstructured data that is stored in S3 with SQL

Kinesis

Pipelines that process streaming data. Also Kinesis Firehose, which is scalable and serverless. Good
way to load data into data warehouses.
SNS (Simple Notification Service)

● PUSH notification management as a service.
● You create Topics that any number of Publishers can publish Messages to, and any number of
Subscribers are immediately notified/triggered with the contents of the Message.
● Sample subscribers:
○ Email addresses
○ SMS numbers
○ Mobile push notifications
○ An HTTP endpoint
○ A Lambda
SQS (Simple Queue Service)

● PULL/POLLING based notifications as a service.
● You create a Queue and any number of Publishers publish Messages to that Queue, then those
messages sit there in single-file line while some sort of consumer or worker periodically asks for
the item at the front of the line.
● Supports Visibility Timeouts and Long Polling.
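An added example (a constructed model, not the SQS API or anything from the slides) of the queue semantics just described, including the Visibility Timeout: a received message is hidden for a while, and if the worker never deletes it, it comes back to the front of the line. That is why SQS consumers must be idempotent, and why a message that keeps failing is usually redriven to a dead-letter queue after a maximum number of receives, which the model also does.

```python
from __future__ import annotations


class VisibilityQueue:
    """Constructed model of an SQS queue's delivery semantics (not the SQS API)."""

    def __init__(self, visibility_timeout: int = 30, max_receives: int = 3):
        self.visibility_timeout = visibility_timeout   # seconds a received message stays hidden
        self.max_receives = max_receives               # after this many receives, redrive to the DLQ
        self._messages: list[dict] = []                # arrival order, like a single-file line
        self.dead_letter: list[str] = []
        self._next_id = 1

    def send(self, body: str, now: int) -> int:
        msg_id = self._next_id
        self._next_id += 1
        self._messages.append({"id": msg_id, "body": body, "visible_at": now, "receives": 0})
        return msg_id

    def receive(self, now: int):
        """Hand the consumer the front-most visible message and hide it for the
        visibility timeout. If the consumer never calls delete(), the message
        reappears: delivery is at-least-once, so consumers must be idempotent."""
        poisoned = [m for m in self._messages
                    if m["visible_at"] <= now and m["receives"] >= self.max_receives]
        for m in poisoned:                     # give up on messages that keep failing
            self._messages.remove(m)
            self.dead_letter.append(m["body"])
        for m in self._messages:
            if m["visible_at"] <= now:
                m["receives"] += 1
                m["visible_at"] = now + self.visibility_timeout
                return m["id"], m["body"]
        return None    # nothing visible: a long-polling consumer would wait here instead

    def delete(self, msg_id: int) -> None:
        """Acknowledge successful processing; only now is the message really gone."""
        self._messages = [m for m in self._messages if m["id"] != msg_id]

    def pending(self) -> int:
        return len(self._messages)


if __name__ == "__main__":
    q = VisibilityQueue(visibility_timeout=30, max_receives=2)
    q.send("resize image 1", now=0)
    print(q.receive(now=0))    # worker gets it ...
    print(q.receive(now=5))    # ... nobody else does while it is hidden
    print(q.receive(now=31))   # worker crashed without deleting: it is back
```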
Lightsail

● EC2s behind a much more specific, simplified interface.
● Just choose how big of a server you want and you’re done.
● Commonly used for WordPress servers.
WorkSpaces

Virtual desktops as a service. They’re VMs just like EC2s are, but the purpose is not to serve an
application but to be remoted into for performing work on.

Amazon Aurora

A special RDS that exposes the same interface as Postgres or MySQL but is optimized to run well on
Amazon’s infrastructure. Available in a serverless flavor.

CodeCommit

Hosted Git source code version control. Very much like a less-featureful GitHub.

CodeBuild

Watches a Git repository for commits and then runs an automated script (called buildspec.yml) on a
short-lived EC2 instance to compile, test, or otherwise build the code.

CodeDeploy

An agent that deploys the results of a CodeBuild to servers, containers, or Lambdas. Supports
advanced deploy scripts and manages rollbacks.

CodePipeline

Marries CodeCommit, CodeBuild, and CodeDeploy under one roof to create a complete CI/CD
pipeline (Continuous Integration / Continuous Deployment).

CodeStar

Marries CodeCommit, CodeDeploy, and CodePipeline together with Cloud9, an in-browser code
editor, to create a truly cloud-based application development platform.

Amazon Connect

Customer support as a service. Combine phone numbers or online chatbots with business logic.

API Gateway

An API “facade” that provides a unified RESTful interface that can use Lambdas, EC2s, or proxies to
serve the requests behind the scenes.

Route 53

Buy domain names and configure DNS records.

AWS Cognito

Consumer identity as a service. Manages usernames, passwords, and social logins so you don’t have
to. Like Auth0.

AWS WAF (Web Application Firewall)

A global firewall that can be imposed on CloudFront, Application Load Balancer, and API Gateway.
Questions?
Quick Hits,
Part II

Yes, there are many one-off services you need to be able to identify without understanding deeply
AWS Data Exchange

Two-sided marketplace for complete third-party data sets of health, retail, finance, government, and
more information.

AWS Glue

A pipeline that helps prepare many data sources for transformation and ingestion into a data lake.

OpenSearch Service

Essentially a managed ElasticSearch; compare to elastic.co.

Step Functions

A workflow system of Lambdas glued together. You can stitch little Lambdas together in distinct
sequences and steps to create workflows, like Zapier, Fiorano, Mule, etc.

Simple Email Service (SES)

Transactional email service, for sending individual emails at scale. Absolutely comparable to Sendgrid
or Mandrill. Don’t think of it as a substitute for MailChimp or ConstantContact, though: it’s not a
marketing tool.
Batch

● Kind of a bridge between S3 Storage and ECS/EKS/Fargate/EC2 Spot Instances
● You can upload massive amounts of records to S3 and then introduce an individual “job” that
uses one of the above compute services to “process” that record.
● Batch orchestrates the whole thing and makes sure every record gets its turn.
AWS Local Zones

“Local Zones” are a new “mini region.” They are like tiny regions that are very specifically in one
specific urban center. They don’t offer all services or all instance types in all locations, though!

Furthermore, they haven’t been launched in the burgeoning urban metropolis of Buffalo, NY yet, so
how serious can they really be? :)

AWS Outposts

An AWS Outpost is a server rack you order and install in your own datacenter, and it runs “AWS
services,” except locally.

Why? It’s a little odd, but maybe you want the interface or API that you are used to from AWS
services, but for the CPU and Storage to literally happen inside your own building.

In functioning they are indistinguishable from the cloud!
AWS Activate

Tens of thousands of dollars in credits for your startup if you launch it on AWS!

Can say firsthand: I use this at every single startup I launch. :)

AWS IQ

Two sided marketplace for seeking and providing AWS help. Pretty straightforward. I haven’t used it,
although maybe I should! 😎

Amazon AppStream

Install desktop software in the cloud, but end-users can interact with it in their browsers as though it
was browser-native SaaS software. Including appropriate encryption and VPN.

I ~think~ (?) this is similar to what some applications like Citrix do, but I haven’t used Citrix in a
decade.

AWS Amplify

● Sort of an all-in-one for launching lean new startup codebases.
● Stitches together some automagical React, some automagical Cognito, some automagical
DynamoDB, and some Lambdas and deployment scripts, all in an attempt to fulfill a promise:
that you could run a command “amplify this that deploy” and boom, you have a working app.
● Very much an answer to Firebase.

I have had EXTREMELY mixed results, across many attempts. Use at your own risk as far as I am
concerned.

AWS AppSync

A GraphQL server that directly competes with Apollo, but is at present far, far inferior to Apollo.

AWS Device Farm

Farms of thousands of distinct mobile devices, in real hardware, that you can rent screen time on,
to test your mobile apps on actual varied hardware.

Not simulated: these are actual IRL mobile phones in giant arrays that you are fractionally
reserving!

AWS Detective

Analyzes observability services and security logs to try to automatically triage and detect potential
security violations.

AWS Directory Service

This is straight up just Microsoft Active Directory, but as-a-service.

AWS Secrets Manager

Very robust, IAM-integrated encrypted secret storage. You won’t need to put API keys and other such
sensitive data in source code anymore!
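An added example, not from the slides, of what “no API keys in source code” looks like in application code: the secret is fetched at runtime through the Secrets Manager client and cached, so the only thing in the repository is the secret’s name. The `get_secret_value(SecretId=...)` call and its `SecretString`/`SecretBinary` response fields are the real boto3 shape; the `FakeSecretsClient`, the secret names and the credential values are constructed so the example runs offline. In production you would pass `boto3.client("secretsmanager")` instead, and the IAM policy attached to the instance or Lambda role decides which secrets it may read.

```python
from __future__ import annotations

import json
from typing import Any


class SecretStore:
    """Fetch secrets at runtime instead of embedding them in source code.

    `client` is anything with Secrets Manager's get_secret_value(SecretId=...)
    call; in production that is boto3.client("secretsmanager"), whose IAM
    permissions (secretsmanager:GetSecretValue) decide who can read what.
    """

    def __init__(self, client):
        self._client = client
        self._cache: dict[str, Any] = {}   # avoid an API call per request

    def get(self, secret_id: str) -> Any:
        if secret_id not in self._cache:
            response = self._client.get_secret_value(SecretId=secret_id)
            raw = response.get("SecretString")
            if raw is None:                                # binary secrets come back as bytes
                raw = response["SecretBinary"].decode("utf-8")
            try:
                self._cache[secret_id] = json.loads(raw)   # key/value secrets are JSON
            except json.JSONDecodeError:
                self._cache[secret_id] = raw               # plain-text secrets
        return self._cache[secret_id]

    def forget(self, secret_id: str) -> None:
        """Drop the cached copy after a rotation so the next get() fetches the new value."""
        self._cache.pop(secret_id, None)


class FakeSecretsClient:
    """Constructed offline stand-in for boto3's Secrets Manager client."""

    def __init__(self, secrets: dict[str, str]):
        self._secrets = dict(secrets)
        self.calls = 0

    def get_secret_value(self, SecretId: str) -> dict:
        self.calls += 1
        if SecretId not in self._secrets:
            raise LookupError(f"ResourceNotFoundException: {SecretId}")
        return {"Name": SecretId, "SecretString": self._secrets[SecretId]}


def database_dsn(store: SecretStore, secret_id: str) -> str:
    """Build a connection string from a JSON secret; the password never appears in code."""
    s = store.get(secret_id)
    return f"postgresql://{s['username']}:{s['password']}@{s['host']}:{s['port']}/{s['dbname']}"


if __name__ == "__main__":
    # Constructed sample secret; a real one would be created in the console or CLI.
    fake = FakeSecretsClient({"prod/app/db": json.dumps(
        {"username": "app", "password": "example-only", "host": "db.internal",
         "port": 5432, "dbname": "app"})})
    store = SecretStore(fake)
    print(database_dsn(store, "prod/app/db"))
    print("API calls made:", fake.calls)
```

The `forget` method matters for rotation: Secrets Manager can rotate a database password on a schedule, and a process that caches the old value forever will start failing to connect after the first rotation.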
Questions?
AI/ML Shallow Dive

Embrace our robot overlords 🤖
Questions?
Test Taking
Tips
● Exam Logistics (Pearson)
● Remember the definitions and answer the question appropriately
● Use the most specific AWS service for the job
● Serverless, scalable preferred
● Memorize the Support screen
● Answers mentioning MFA are often among the correct answers
Questions?
Sample Questions

The fun part

What is the name of an AWS service where Domain Names can be purchased?

1. AWS Elastic Block Store (EBS)
2. Lambda
3. Route 53
4. AWS Storage Gateway

Which of the following is a benefit of Agility?

1. Quickly try out new features and strategies
2. Your software runs faster
3. Your bill goes down
4. Software is less hackable

I need to connect an on-premises datacenter with S3 storage securely. What do I use?

1. Storage Gateway
2. Elastic Block Store
3. Elastic File System
4. An FTP Server

Which of the following is NOT your responsibility under the Shared Responsibility Model?

1. Protecting customer data
2. Securely storing the keys that are used to access servers
3. Physically securing the hardware
4. Defining access limitations of users under IAM

Which of the following is true about AWS Marketplace Amazon Machine Images (AMIs)?

1. They are vetted by AWS before being allowed into the Marketplace.
2. They are use-at-your-own-risk.
3. They are only available in us-east-1.
4. They need their own domain name to function.

What AWS service lets me run Kubernetes in the cloud?

1. ECS
2. EBS
3. EFS
4. EKS

What S3 storage class is not appropriate for files that need to be available on-demand and
immediately? (choose two)

1. Standard
2. Infrequent Access
3. Glacier
4. Glacier Deep Archive
Which of the following is not a benefit of Scalability?

1. The same things that work today at small scale will work tomorrow at a larger scale.
2. The software runs faster.
3. You only pay for the resources you consume at each point in time.
4. New resources can be provisioned as the need arises.

I need a Business Intelligence Dashboard that can report on my AWS usage. What service do I want?

1. AWS Athena
2. AWS Superbytes
3. AWS QuickSight
4. AWS Lambda

Which of the following is not a feature of Enterprise Level Support?

1. A guarantee that your software will never go down
2. A Technical Account Manager
3. 15-minute response times to issues
4. Guidance from dedicated architects

I just made an AWS account. What steps should I take immediately to make it secure? (Choose Two)

1. Enable MFA on the root account.
2. Change your password immediately after creating the account.
3. Create an IAM user to log in as in the future for day to day operations rather than continuing to
use the root account.
4. Deactivate the us-east-1 region as it is a security vulnerability.

What describes a system that continues to work even as an individual component of its functioning
fails?

1. Scalable
2. Agile
3. Durable
4. Fault Tolerant

What service can track how AWS systems were configured in the past?

1. CloudTrail
2. X-Ray
3. AWS Config
4. AWS EBS

What reason might you select EFS over EBS for storing files for a particular application?

1. As your storage needs grow, EFS grows, whereas EBSs are locked in to the same size.
2. EFS is notoriously faster.
3. EBS can’t be attached to EC2 instances while EFS can.
4. EBS’s are not covered under the Shared Responsibility Model.

What is the name for ongoing monthly expenses rather than fixed up-front capital expenses?

1. CapEx
2. OpEx
3. TCO (Total Cost of Ownership)
4. AWS Budgets
268
What service lets me deliver content around the
globe quickly using Edge Locations?

1. CloudWatch
2. EC2 Availability Zones
3. CloudFront
4. IAM Policies

269
Which of the following is true of the Shared
Responsibility Model?

1. When you use more specifically tailored services, AWS’s share of the SRM grows.
2. When you use more specifically tailored services, AWS’s share of the SRM shrinks.
3. When you use more specifically tailored services, AWS replaces the Shared Responsibilty
Model with the Business Responsibility Model.
4. All services are treated equally under the Shared Responsibility Model.

270
Which of the following is not true about VPC’s?

1. They are specific to a region.


2. They can specify a CIDR of IPs such as 10.10.0.0/16.
3. They are routinely penetration tested by AWS.
4. Traffic is kept separated between VPCs even as it might share the same pipes and hardware.

271
What service allows me to deny traffic on certain
ports and protocols within a VPC?

1. Network ACLs
2. Route 53
3. Subnets
4. AWS WAF (Web Application Firewall)

272
Which class of server is ideal for web serving
applications and why?

1. C’s, because they have more CPU.


2. T’s, because they save unused CPU cycles in a credit balance.
3. G’s, because they have onboard graphics cards to render the webpage faster.
4. M’s, because they are well-balanced.

273
What AWS service enables a single facade to farm
out traffic to many distinct EC2 instances?

1. Elastic Beanstalk
2. Elastic Load Balancer
3. Auto Scaling Groups
4. AWS RDS

274
What package can Python scripts use to
communicate with AWS services?

1. PyAws
2. aws-python-sdk
3. boto
4. The AWS Console

275
Which service allows me to run my infrastructure as
code rather than manually spinning everything up?

1. AWS SageMaker
2. AWS Workspaces
3. Network ACLs
4. AWS Cloudformation

276
Which of the following is true about an IAM user who
has a group policy DENYing the right to delete EC2s?

1. They can still delete EC2’s if they choose to use MFA.


2. If the individual user is given ALLOW access to delete EC2’s, they will still be denied.
3. CloudTrail will not allow them to Delete EC2’s.
4. If the user assumes a Role that has ALLOW access to delete EC2’s, they will still be denied.

277
Which of the following is not true of AWS root accounts? (Choose Two)

1. They should have MFA enabled.
2. They can switch to the China regions from the US regions.
3. They can delete the entire AWS account.
4. They cannot update credit card information.

I wake up and my EC2 is gone. What service will help me see who deleted it?

1. AWS CloudWatch
2. AWS Cloudfront
3. AWS CloudTrail
4. AWS CloudFormation

Which of the following is not true about AWS regions?

1. They are made of multiple availability zones.
2. They can have VPCs in that region.
3. They can have subnets.
4. They are all available to all accounts at all times.

In what scenario is AWS Artifact appropriate?

1. You are developing an application in total secrecy.
2. You are updating legacy code to modernize it and need to import it into AWS.
3. You are trying to stop malicious traffic from an overseas block of IP addresses.
4. You are undergoing an audit for HIPAA compliance.

Which of the following is not a reason to use Route 53?

1. I would like to buy a new domain name for mysite.com.
2. I would like to defend my new mysite.com from malicious traffic.
3. I would like to create A and CNAME records to serve mysite.com.
4. I would like to create TXT and MX records to receive mail at mysite.com.

Which of the following is not a state a Cloudwatch alarm can be in?

1. OK
2. ERROR
3. ALARM
4. INSUFFICIENT DATA

How does one encrypt a DynamoDB table at AWS?

1. Check the box that says Encryption.
2. Run the Blowfish algorithm against it.
3. Run the HMAC-256 algorithm against it.
4. Store it inside another EC2.
Overall Q&A on the day
Ask me questions after the fact!

● https://linkedin.com/in/billboulden
● https://twitter.com/downupright
