STUDENT MANUAL

AWS™ Fundamentals

Part Number: 093025
Course Edition: 1.0

Acknowledgements

PROJECT TEAM
Author: Chrys Thorsen
Media Designer: Brian Sullivan
Content Editor: Michelle Farney

Notices

DISCLAIMER
While Logical Operations, Inc. takes care to ensure the accuracy and quality of these materials, we cannot guarantee their
accuracy, and all materials are provided without any warranty whatsoever, including, but not limited to, the implied warranties of
merchantability or fitness for a particular purpose. The name used in the data files for this course is that of a fictitious company. Any
resemblance to current or future companies is purely coincidental. We do not believe we have used anyone's name in creating this
course, but if we have, please notify us and we will change the name in the next revision of the course. Logical Operations is an
independent provider of integrated training solutions for individuals, businesses, educational institutions, and government agencies.
The use of screenshots, photographs of another entity's products, or another entity's product name or service in this book is for
editorial purposes only. No such use should be construed to imply sponsorship or endorsement of the book by nor any affiliation of
such entity with Logical Operations. This courseware may contain links to sites on the Internet that are owned and operated by third
parties (the "External Sites"). Logical Operations is not responsible for the availability of, or the content located on or through, any
External Site. Please contact Logical Operations if you have any concerns regarding such links or External Sites.
TRADEMARK NOTICES
Logical Operations and the Logical Operations logo are trademarks of Logical Operations, Inc. and its affiliates.
Amazon Web Services™ and AWS™ are trademarks of Amazon.com, Inc. in the U.S. and other countries. The other Amazon
products and services discussed or described may be trademarks or registered trademarks of Amazon.com, Inc. All other product
and service names used may be common law or registered trademarks of their respective proprietors.
Copyright © 2016 Logical Operations, Inc. All rights reserved. Screenshots used for illustrative purposes are the property of the
software proprietor. This publication, or any part thereof, may not be reproduced or transmitted in any form or by any means,
electronic or mechanical, including photocopying, recording, storage in an information retrieval system, or otherwise, without
express written permission of Logical Operations, 3535 Winton Place, Rochester, NY 14623, 1-800-456-4677 in the United States
and Canada, 1-585-350-7000 in all other countries. Logical Operations’ World Wide Web site is located at
www.logicaloperations.com.
This book conveys no rights in the software or other products about which it was written; all use or licensing of such software or
other products is the responsibility of the user according to terms and conditions of the owner. Do not make illegal copies of books
or software. If you believe that this book, related materials, or any other Logical Operations materials are being reproduced or
transmitted without permission, please call 1-800-456-4677 in the United States and Canada, 1-585-350-7000 in all other countries.
Lesson 1: Getting Started with AWS ........ 1
Topic A: AWS ........ 2
Topic B: Leverage AWS in Your Business Strategy ........ 14
Topic C: Work with the AWS Management Console ........ 19
Lesson 2: Implementing AWS Storage and Database Services ........ 31
Topic A: Configure AWS Storage ........ 32
Topic B: Deploy Amazon Database Services ........ 43
Lesson 3: Implementing Compute and Network Services ........ 57
Topic A: Implement Elastic Cloud Compute Services ........ 58
Topic B: Implement Virtual Networks ........ 71
Lesson 4: Using AWS Management Tools ........ 77
Topic A: Automate AWS Resource Provisioning ........ 78
Topic B: Manage AWS Resources ........ 83
Lesson 5: Securing an AWS Deployment ........ 93
Topic A: Enforce AWS Security ........ 94
Topic B: Optimize AWS Security ........ 100
Solutions ........ 115
Glossary ........ 119
Index ........ 123
About This Course

Welcome to the AWS™ Fundamentals course! Congratulations on choosing the finest
materials available on the market today for expert-facilitated learning in any presentation
modality.

Course Description
Target Student
The AWS™ Fundamentals course is designed for technology enthusiasts who are working in
IT (as an administrator, software developer, or manager), or any other interested individual
who would like to learn about the core cloud services provided by AWS. This includes:
• Information Technology practitioners and leaders who are new to AWS and who will be
supporting or implementing AWS in their organizations.
• Business and technology leaders responsible for articulating the technical and business
benefits of using AWS.
• Administrators and developers who are evaluating the use of AWS services.
Course Prerequisites
You should have the following prerequisite skills before taking this class:
• Be able to navigate Windows.
• Be able to use a web browser.
• Experience logging on to, navigating, and searching a website.
• Basic end-user skills with personal productivity software such as Microsoft® Office or
Google Apps™.
• Familiarity with networking concepts such as server, database, storage, IP subnet, load
balancing, authentication, authorization.
• Some experience as an IT practitioner, manager, or leader may be helpful.
Course Objectives
By the end of this course, you will be able to:
• Reach customers with AWS.
• Implement AWS storage and database services.
• Optimize compute and network services.
• Use AWS management tools.
• Secure an AWS deployment.
The CHOICE Home Screen
Logon and access information for your CHOICE environment will be provided with your class
experience. The CHOICE platform is your entry point to the CHOICE learning experience, of
which this course manual is only one part.
On the CHOICE Home screen, you can access the CHOICE Course screens for your specific
courses. Visit the CHOICE Course screen both during and after class to make use of the world of
support and instructional resources that make up the CHOICE experience.
Each CHOICE Course screen will give you access to the following resources:
• Classroom: A link to your training provider's classroom environment.
• eBook: An interactive electronic version of the printed book for your course.
• Files: Any course files available to download.
• Checklists: Step-by-step procedures and general guidelines you can use as a reference during
and after class.
• Spotlights: Brief animated videos that enhance and extend the classroom learning experience.
• Assessment: A course assessment for your self-assessment of the course content.
• Social media resources that enable you to collaborate with others in the learning community
using professional communications sites such as LinkedIn or microblogging tools such as
Twitter.
Depending on the nature of your course and the components chosen by your learning provider, the
CHOICE Course screen may also include access to elements such as:
• LogicalLABS, a virtual technical environment for your course.
• Various partner resources related to the courseware.
• Related certifications or credentials.
• A link to your training provider's website.
• Notices from the CHOICE administrator.
• Newsletters and other communications from your learning provider.
• Mentoring services.
Visit your CHOICE Home screen often to connect, communicate, and extend your learning
experience!
How to Use This Book
As You Learn
This book is divided into lessons and topics, covering a subject or a set of related subjects. In most
cases, lessons are arranged in order of increasing proficiency.
The results-oriented topics include relevant and supporting information you need to master the
content. Each topic has various types of activities designed to enable you to solidify your
understanding of the informational material presented in the course. Information is provided for
reference and reflection to facilitate understanding and practice.
Data files for various activities as well as other supporting files for the course are available by
download from the CHOICE Course screen. In addition to sample data for the course exercises, the
course files may contain media components to enhance your learning and additional reference
materials for use both during and after the course.
Checklists of procedures and guidelines can be used during class and as after-class references when
you're back on the job and need to refresh your understanding.
At the back of the book, you will find a glossary of the definitions of the terms and concepts used
throughout the course. You will also find an index to assist in locating information within the
instructional components of the book.
As You Review
Any method of instruction is only as effective as the time and effort you, the student, are willing to
invest in it. In addition, some of the information that you learn in class may not be important to you
immediately, but it may become important later. For this reason, we encourage you to spend some
time reviewing the content of the course after your time in the classroom.
As a Reference
The organization and layout of this book make it an easy-to-use resource for future reference.
Taking advantage of the glossary, index, and table of contents, you can use this book as a first
source of definitions, background information, and summaries.

Course Icons
Watch throughout the material for the following visual cues.
• Note: A Note provides additional information, guidance, or hints about a topic or task.
• Caution: A Caution note makes you aware of places where you need to be particularly careful
with your actions, settings, or decisions so that you can be sure to get the desired results of an
activity or task.
• Spotlight: Spotlight notes show you where an associated Spotlight is particularly relevant to
the content. Access Spotlights from your CHOICE Course screen.
• Checklist: Checklists provide job aids you can use after class as a reference to perform skills
back on the job. Access checklists from your CHOICE Course screen.
• Social: Social notes remind you to check your CHOICE Course screen for opportunities to
interact with the CHOICE community using social media.
Lesson 1: Getting Started with AWS
Lesson Time: 1 hour, 45 minutes

Lesson Objectives
In this lesson, you will:
• Describe the AWS global infrastructure.
• Leverage AWS benefits in your business strategy.
• Work with the AWS Management Console.

Lesson Introduction
AWS™ provides a rich and vast array of cloud services. So much so that it's easy to become
bewildered when first starting out. For this reason, it is important to first understand what
AWS is, how its services are organized, and how it can help your organization achieve its
goals.
TOPIC A
AWS
In order to get started with AWS, you must first have a larger understanding of what cloud services
are, the various service types that exist, and how AWS fits into the world of cloud computing.

Web Service Hosting Types
In the early 1990s, if a company wanted a website, it had to purchase its own server and set it
up on its own network. It needed to provide all of its own expertise in developing the
website and managing the network and server infrastructure that the website ran on.
By the mid-1990s, third-party companies started offering to host websites on their servers, relieving
customers of the need to purchase and manage their own equipment. Hosting was shared, meaning
that multiple customer websites ran on the same physical server. These services were managed: the
provider did all the work, while the customer did not need much technical expertise. Customers uploaded
their web content onto the provider's server without worrying about configuring or managing the
hardware.
As the need for more reliability and scalability grew, additional types of web hosting emerged to
address these needs. These hosting types included dedicated, Virtual Private Server (VPS), and grid.
You could also choose to have the provider do all the work (managed services) or be in
complete control (dedicated, colocated).
By 2009, cloud services were starting to replace traditional hosting as customer needs evolved and
became more sophisticated. Traditional web hosting still exists and is still an excellent choice for a
small organization with modest requirements and limited resources. With the cost savings associated
with virtual platforms today, most traditional hosting is now virtual. All cloud hosting is virtual.
The following table compares the different types of hosting solutions.
On premises
The customer owns, installs, and manages its own equipment.
Technical knowledge required by customer: Very high
Pros and cons:
• Customer has complete control over the service and site
• The most expensive
• Requires the most expertise
• Sometimes still chosen for high security environments

Shared Hosting
Multiple customers have their websites on a single server, sharing its CPU, RAM, disk space, and
network bandwidth.
Technical knowledge required by customer: Very low
Pros and cons:
• Good entry level option
• Easy to use and set up
• Inexpensive
• Provider does all the work
• Customer has little flexibility and no control
• Meant for only smaller websites
• Single server is a single point of failure
• Heavy traffic or a denial-of-service attack on one website could take down all websites
• Classic example of a managed service

Dedicated Hosting
Customer leases the server from the provider on a monthly or yearly basis. Equipment is typically
located at the provider's site. Most commonly used for web services.
Technical knowledge required by customer: Very high
Pros and cons:
• Customer does not have to purchase equipment
• Typically unmanaged
• Customer has to pay for the server whether it's fully utilized or not
• Customer is completely responsible for setting up, configuring, and managing the site
• Equipment is chosen by the provider, usually with no service level agreement (SLA)
• A sudden spike in traffic could crash the server

Colocation
Customer places their own equipment into a provider's data center.
Technical knowledge required by customer: Very high
Pros and cons:
• Unrestricted in nature
• Customer places anything they want in the data center
• Customer saves on floor space, power, and physical security
• Gives businesses the ability to plan for growth, and deploy mirroring, load balancing, and other
options that may not be available from a dedicated hosting solution
• Colocation provider does not provide any service or support

Virtual Private Server (VPS) Hosting
Provider isolates the customer website into its own virtual machine. Also known as dedicated
virtualization or private cloud.
Technical knowledge required by customer: Depends on the service provided
Pros and cons:
• Customer can choose from a variety of options
• You can stand up the server quickly with a few mouse clicks
• Website gets more resources than a shared environment
• Price is variable
• Less efficient than cloud computing
• Resources are dedicated to a virtual machine, whether they are used or not

Grid Hosting
Several physical computers are combined into one computing grid. Different computers execute
different tasks.
Technical knowledge required by customer: Depends on the service provided
Pros and cons:
• Allows the webmaster some level of resource scaling
• Scaling does not go beyond the physical capabilities of the servers involved

Cloud Computing
Takes virtualization to a whole new level. Virtualizes all services across many (even thousands) of
physical computers.
Technical knowledge required by customer: Very high
Pros and cons:
• Robust, reliable
• Scales very well very quickly (depending on the provider, the scaling can be global)
• Has excellent performance and uptime
• Unless there are regional bandwidth or cost restrictions, can be used for nearly any computing
solution
• Minimizes operational expenses
• Customers only pay for what they use
• Because of the high level of virtualization, is the most cost effective for the performance delivered
• Has a higher technical and managerial learning curve
• Providers today, including AWS and Google Cloud Services™, offer a dizzying array of services
and features that may initially overwhelm the customer

Web Service Hosting Types (instructor note)
Some students may not be familiar with hosting types other than traditional web hosting. As you go
over the differences in the table in this section, ask students if they have ever used any of these
hosting types, and to share their experience to help compare and contrast the different styles of
offerings. Point out to students that many of today's hosting providers have combined solutions into
a single package to be more competitive. For example, you might have VPS hosting that offers
scalability and load balancing, or direct hosting that is also managed.

IaaS and Cloud Computing
Cloud computing is a way of delivering IT resources on-demand, usually across the Internet.
Customers pay to use someone else's servers to accomplish computing tasks. The servers are
networked together in the provider's data center. The customer then makes a remote connection to
those servers, usually via a web browser across the Internet. Cloud computing is very popular
because a customer does not have to invest huge amounts of money in equipment, infrastructure,
and expertise to get world-class computing capabilities. Instead, the customer pays only for what is
used, when it is used, and no more.
Infrastructure-as-a-Service (IaaS) is one of three primary cloud computing services, along with
Software-as-a-Service (SaaS) and Platform-as-a-Service (PaaS). In IaaS, the provider offers servers,
storage, hardware, networking, and other infrastructure components that a customer (usually a
company) would otherwise have to purchase and install on their own premises. The customer in turn
builds their website (or other service) on top of the IaaS service. The website then offers services to
be delivered to the end user. The end user could be employees or members within the customer's
organization, or the general public that the customer is trying to sell goods or services to.
To make the IaaS model viable, the services are virtualized, meaning they are actually applications
that run on the provider's physical hardware. Before virtualization, it was commonplace to find that
servers in a server room were very under-utilized. With virtualization, many customers share the
same hardware, thus making better use of the equipment. Customers are then only charged for the
amount of resources (CPU time, memory, disk space, bandwidth, etc.) that they actually use. The
provider maximizes their hardware investment by accommodating as many customers as their
servers can handle. The customer pays dramatically less for professionally managed computing
power than if they installed and managed the equipment themselves.

IaaS and Cloud Computing (instructor note)
Remind students that IaaS only provides the infrastructure. It will be up to the AWS customer to
design, develop, and deploy their websites, applications, databases, and other services on that
infrastructure. Most large companies employ teams of software developers to customize their
online services for
Note: While using a browser across the Internet is the most common way to manage your AWS
services, some companies also opt to pay for a virtual private network (VPN) connection
between their own premises and the AWS cloud.
AWS
Amazon Web Services is a collection of cloud-based services designed to give customers an instant,
pay-as-you-go infrastructure for developing their own web-based services. Some common uses for
AWS include:
• Host a website (static or dynamic).
• Store data (public or private).
• Provide Internet-based services to customers and employees.
• Provide online training or other meeting forums.
• Conduct scientific research.
• Collect and analyze business data.
Amazon had already built a very strong, resilient global infrastructure to deliver its own online retail
services. They knew from their own experience that building a traditional reliable, scalable data
center is extremely expensive, not only in price but also time and expertise. Since Amazon already
had a very reliable infrastructure of its own, they decided to replicate their own model and sell it to
the general public. As Jeff Bezos, founder of Amazon, once said in an interview: "...we wanted
[Amazon's] data-center guys to give the apps guys a set of dependable tools, a reliable infrastructure
that they could build products on top of. Then we realized, Whoa, everybody who wants to build
web-scale applications is going to need this. We figured with a little bit of extra work we could make
it available to everybody. We’re going to make it anyway—let’s sell it."
(https://www.quora.com/How-and-why-did-Amazon-get-into-the-cloud-computing-business)

AWS (instructor note)
Explain to students that web-scale does not refer to a specific technology, but rather an approach to
creating and delivering an infrastructure that can serve the diverse requirements of organizations of
any size and purpose.
The AWS Utility Pricing Model
The AWS Utility Pricing Model takes the concept of pay-as-you-go and applies it to software
licensing. The customer does not have to pay software licensing fees up front. Instead, licensing is
only paid for based on use, with no need to pay once you stop using the service. Currently Red
Hat®, Novell, IBM®, and a few other software companies permit this model on AWS. You can also
pay as you go if you select a pre-built Amazon Machine Image (AMI) with Windows Server® and
(optionally) Microsoft® SQL Server® pre-installed. Other Microsoft products, Adobe®, Oracle®,
and Sybase still require traditional licensing if you use their products in the AWS cloud.
Note: For more information on licensing, see https://aws.amazon.com/windows/resources/licensing/.

The AWS Utility Pricing Model (instructor note)
Inform students that more and more software vendors are adopting the pay-go pricing model when
their products are used in AWS. Currently, Microsoft® offers pay-go for some of its products, such
as Windows® and SQL Server®, but not all.
Elastic Capacity in Cloud Computing
Elastic capacity in cloud computing is a design architecture that allows the amount of resources
allocated to your cloud service to be quickly and easily scaled up or down. It is the basic principle
behind all AWS services. The scaling can be configured to happen automatically, or if manually
configured, in a matter of minutes. It means that if your website suddenly becomes very popular, it
can seamlessly handle the spike in demand. Once the traffic returns to more normal levels, the
amount of allocated resources is also trimmed to provide only what's needed. The benefit is that
your organization can handle any sudden increase in online traffic, paying for the extra only as it is
needed. When it is no longer needed, you no longer use it and you no longer pay for it.
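The scale-out and scale-in behaviour described above, as an added example that is not part of the original manual and not AWS's own code: a Python simulation of a simplified target-tracking scaling loop. Every parameter (1000 requests per minute per instance, a 60% utilization target, a two-instance floor, a 20-instance ceiling, a five-minute scale-in cooldown) and the traffic trace are constructed assumptions; the function names are hypothetical. It shows capacity following demand, the cooldown keeping a brief dip from shrinking the fleet at once, the ceiling capping spend, and the instance-minutes billed coming in well under what provisioning for the peak would cost.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ScalingPolicy:
    """Parameters of a simplified target-tracking policy (constructed values)."""
    rpm_per_instance: int = 1000   # requests/minute one instance serves at 100 % load
    target_utilization: int = 60   # keep instances about this busy, as a percentage
    min_capacity: int = 2          # never fewer than two instances
    max_capacity: int = 20         # hard ceiling on spend
    scale_in_cooldown: int = 5     # minutes after any change before shrinking again


def desired_capacity(load_rpm: int, policy: ScalingPolicy) -> int:
    """Instances needed so that average utilisation stays at or below target."""
    rpm_at_target = policy.rpm_per_instance * policy.target_utilization // 100
    needed = -(-load_rpm // rpm_at_target)          # integer ceiling division
    return max(policy.min_capacity, min(policy.max_capacity, needed))


def simulate(load_samples, policy: ScalingPolicy):
    """Run the scaling loop over per-minute load samples.

    Returns (instances running each minute, billed instance-minutes).
    Scale-out is immediate; scale-in waits for the cooldown to expire,
    which is what stops a short dip from thrashing capacity.
    """
    instances = policy.min_capacity
    cooldown_left = 0
    history, billed = [], 0
    for load in load_samples:
        if cooldown_left:
            cooldown_left -= 1
        want = desired_capacity(load, policy)
        if want > instances:
            instances, cooldown_left = want, policy.scale_in_cooldown
        elif want < instances and cooldown_left == 0:
            instances, cooldown_left = want, policy.scale_in_cooldown
        history.append(instances)
        billed += instances
    return history, billed


def fixed_capacity_cost(load_samples, policy: ScalingPolicy) -> int:
    """Instance-minutes if you provisioned for the peak up front instead."""
    peak = max(desired_capacity(load, policy) for load in load_samples)
    return peak * len(load_samples)


# Constructed traffic trace (requests/minute): a quiet site, a sudden spike
# that exceeds the ceiling, then a return to quiet.
TRAFFIC_RPM = [1000, 1200, 1100, 3000, 6500, 9000, 13000, 8000, 5000, 2000,
               1500, 1100, 1000, 1000, 1000, 1000, 1000, 1000, 1000, 1000]

if __name__ == "__main__":
    policy = ScalingPolicy()
    history, billed = simulate(TRAFFIC_RPM, policy)
    print("instances per minute:", history)
    print("elastic instance-minutes:", billed)
    print("peak-provisioned instance-minutes:", fixed_capacity_cost(TRAFFIC_RPM, policy))
```

With the constructed trace the elastic fleet bills 155 instance-minutes against 400 for a fleet sized to the peak, and the cooldown holds the fleet at 20 for five minutes after the spike before it drops back to the two-instance floor.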
The AWS Global Infrastructure
The AWS Global Infrastructure is one of distributed, redundant data centers scattered throughout the
world. The infrastructure is based on the concept of an Availability Zone (AZ), which is a subdivision
of a geographical region. There are currently thirty-five Availability Zones divided among thirteen
regions. For fault tolerance, each region has at least two AZs, which are designed so that a failure in
one AZ does not affect the others. AWS is planning to deploy 9 more Availability Zones and five
more regions in 2016.
In addition, there are 55 edge locations distributed across most of the major cities around the world.
These edge locations serve your website's actual content to end users. They are geographically close
to the people they serve. This is particularly important if your website includes video content, or has
features that are time sensitive. When a user connects to your web service they use a URL, also
known as an endpoint, that points to a server that is geographically closest to them. Having the
content physically close to the end user reduces latency and improves the end user experience.
When setting up your AWS services, you choose which regions and Availability Zones you would
like your data to be hosted in. AWS AZs are connected to each other via fast, private fiber optic
networks. They continuously replicate with each other, providing automatic redundancy, fault
tolerance, and load balancing. In addition to replicating between AZs in the same region, you can
also replicate between regions. Choosing AZs near your end users not only provides for a faster and
better experience for your customers, but it also allows you to comply with regional legal and data
residency requirements.

Figure 1-1: AWS Global Infrastructure.

Note: For a visual map of regions, AZs, endpoints, and other AWS service locations, see
https://www.google.com/maps/d/u/0/viewer?mid=1m6v8XPxwp0Dx4THiakRKFkZwIGE&hl=en_US.
Note: For more information on regions, AZs, and endpoints, see the article "Amazon Elastic
Compute Cloud" at http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html.

The AWS Global Infrastructure (instructor note)
Inform students that they will need to know their region, region code, and Availability Zone as they
perform the activities. Advise them to always select the same region and Availability Zone in the
activities throughout this course.
Regions and AZs
AWS frequently updates regions and AZs. The following table lists both current and planned AWS
Regions and Availability Zones.

Region | Region Code | Availability Zones
US East (N. Virginia) | us-east-1 | us-east-1a, us-east-1c, us-east-1d, us-east-1e
US West (Oregon) | us-west-2 | us-west-2a, us-west-2b, us-west-2c
US West (N. California) | us-west-1 | us-west-1a, us-west-1b, us-west-1c
EU (Ireland) | eu-west-1 | eu-west-1a, eu-west-1b, eu-west-1c
EU (Frankfurt) | eu-central-1 | eu-central-1a, eu-central-1b
Asia Pacific (Singapore) | ap-southeast-1 | ap-southeast-1a, ap-southeast-1b
Asia Pacific (Tokyo) | ap-northeast-1 | ap-northeast-1a, ap-northeast-1b, ap-northeast-1c
Asia Pacific (Sydney) | ap-southeast-2 | ap-southeast-2a, ap-southeast-2b, ap-southeast-2c
Asia Pacific (Seoul) | ap-northeast-2 | ap-northeast-2a, ap-northeast-2b, ap-northeast-2c
Asia Pacific (Mumbai) | ap-south-1 | ap-south-1a, ap-south-1b
South America (São Paulo) | sa-east-1 | sa-east-1a, sa-east-1b, sa-east-1c
AWS GovCloud (US) | us-gov-west-1 | us-gov-west-1a, us-gov-west-1b
China (Beijing) | - | -
Montreal (coming soon) | - | unknown
Ohio (coming soon) | - | unknown
Ningxia (coming soon) | - | unknown
UK (coming soon) | - | unknown
India (coming soon) | - | unknown
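As an added example, not from the manual and not AWS code, the following Python uses a subset of the table above as sample data to spread instances across the Availability Zones of one region and to check how much capacity survives the loss of a single AZ, which is the fault-tolerance property the infrastructure section describes. The region map, the "planned-region-1" placeholder for a region with no AZs listed, and the helper names are assumptions; AZ letters are mapped per account in practice, so the map is illustrative only.

```python
from collections import Counter

# Region-to-AZ map taken from the manual's table above (a 2016 snapshot).
# AZ letters are mapped differently in each AWS account, so this is sample
# data for the example, not something to hard-code in production.
AVAILABILITY_ZONES = {
    "us-east-1": ["us-east-1a", "us-east-1c", "us-east-1d", "us-east-1e"],
    "us-west-2": ["us-west-2a", "us-west-2b", "us-west-2c"],
    "eu-central-1": ["eu-central-1a", "eu-central-1b"],
    "ap-south-1": ["ap-south-1a", "ap-south-1b"],
    "planned-region-1": [],   # placeholder: a "coming soon" region with no AZs listed
}


def region_of(az: str) -> str:
    """An AZ name is its region code followed by a single letter."""
    if len(az) < 3 or not az[-1].isalpha() or not az[-2].isdigit():
        raise ValueError(f"not an Availability Zone name: {az!r}")
    return az[:-1]


def supports_multi_az(region: str, zones=AVAILABILITY_ZONES) -> bool:
    """True when the region lists at least two AZs to spread a deployment over."""
    return len(zones.get(region, [])) >= 2


def place_instances(region: str, count: int, zones=AVAILABILITY_ZONES) -> list:
    """Assign `count` instances round-robin across the region's AZs."""
    if not supports_multi_az(region, zones):
        raise ValueError(f"{region}: at least two Availability Zones are needed")
    azs = zones[region]
    return [azs[i % len(azs)] for i in range(count)]


def capacity_after_worst_az_loss(placement: list) -> float:
    """Fraction of instances still serving if the most-loaded AZ goes down."""
    if not placement:
        raise ValueError("empty placement")
    busiest = max(Counter(placement).values())
    return (len(placement) - busiest) / len(placement)


def check_placement(placement: list, minimum_azs: int = 2) -> dict:
    """Summarise a deployment plan: region, AZ spread, and survivability."""
    regions = {region_of(az) for az in placement}
    if len(regions) != 1:
        raise ValueError(f"placement spans several regions: {sorted(regions)}")
    azs_used = len(set(placement))
    return {
        "region": regions.pop(),
        "azs_used": azs_used,
        "fault_tolerant": azs_used >= minimum_azs,
        "capacity_after_az_loss": capacity_after_worst_az_loss(placement),
    }


if __name__ == "__main__":
    spread = place_instances("us-west-2", 5)
    print(spread, check_placement(spread))
    # A plan that keeps every instance in one AZ fails the check outright.
    print(check_placement(["us-east-1a"] * 3))
```

Five instances over the three Oregon AZs keep 60% of capacity through the loss of any one AZ; three instances all in us-east-1a keep none, which is the single point of failure the shared-hosting row of the earlier table warns about, reproduced in the cloud.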
AWS Core Infrastructure Services
Amazon's Core Infrastructure Services are organized into four major categories:
• Compute
• Storage & Content Delivery
• Database
• Networking
Each category has its own set of services, as shown in the following table.

Service Name | Description
COMPUTE |
Amazon EC2™ | Virtual servers in the Cloud
Amazon EC2 Container Registry | Containers to store and retrieve Docker images for automating application deployments
Amazon EC2 Container Service | Docker container management
AWS Elastic Beanstalk | One-click web app deployment
AWS Lambda | Event-driven code execution
Auto Scaling | Automatic elasticity
Elastic Load Balancing | High scale load balancing
STORAGE & CONTENT DELIVERY |
Amazon S3 | Scalable object storage in the Cloud
Amazon EBS | EC2 block storage volumes
AWS Import/Export Snowball | Large scale data transport
AWS Storage Gateway | Hybrid storage integration
Amazon CloudFront™ | Global content delivery network
DATABASE |
Amazon RDS | Managed relational database service
AWS Database Migration Service | Database migration with minimal downtime
Amazon DynamoDB™ | Managed NoSQL database
Amazon ElastiCache™ | In-memory caching service
Amazon Redshift™ | Cost-effective and simple data warehousing
NETWORKING |
Amazon VPC™ | Isolated virtual private clouds
AWS Direct Connect | Dedicated network connection to AWS
Elastic Load Balancing | High scale load balancing
Amazon Route 53™ | Scalable Domain Name System

AWS Core Infrastructure Services (instructor note)
Explain to students that the Core services comprise less than half of all AWS offerings. Additionally,
not all of these technologies will be covered in this course. Many are out-of-scope for a foundations
course.
Note: You will learn about many of these services throughout this course.
Note: A Docker image is a new way of bundling a Linux® application together with all of its
dependencies into a single container. Docker images are much lighter weight and more portable
than virtual machines, allowing more applications to run on the same server hardware.
AWS Security Features
AWS provides a number of security features to help keep your network operational and your data
safe. The following table summarizes the security features available in the AWS cloud.

Security Feature: Description
Virtual Private Clouds (VPCs): Isolate your virtual networks and servers from the rest of the cloud.
Traffic Filtering: Filter unwanted client connections and malicious web traffic.
Infrastructure Security: Apply firewall rules, data in transit encryption, and private dedicated
connectivity.
Distributed Denial-of-Service (DDoS) Mitigation: Deploy redundant content delivery and DNS lookups.
Encryption: Encrypt both data at rest (stored) and data in transit (transmitted) with public key
cryptography.
Inventory and Configuration Management: Determine asset vulnerability, use change management
tools to adhere to your organization's standards.
Logging and Monitoring: Obtain deep visibility into API calls, log aggregation, compliance reporting,
alert thresholds and notifications.
Identity and Access Control: Implement directory services, multi-factor authentication, individual
account permissions and authorization.
Penetration Testing Policies: Use policies to distinguish legitimate customer vulnerability testing
from unwanted malicious hacking.
Security Assessment Tools: Make security recommendations and analyze application security.

Inform students that they will study AWS security in greater detail in Lesson 5.
Lesson 1: Getting Started with AWS | Topic A
10 | AWS™ Fundamentals
Shared Security Model
AWS insists on a shared security model, in which AWS is responsible for the security of its
infrastructure services, while the customer is responsible for the security of anything they build on
top of that infrastructure. The following diagram shows this division of responsibility.
Figure 1-2: AWS Shared Security Model.
Guidelines for Selecting AWS Infrastructure Components
Note: All of the Guidelines for this lesson are available as checklists from the Checklist tile on
the CHOICE Course screen.
Here are some guidelines you can use for selecting AWS infrastructure components:
• Whenever possible, choose products that use the AWS Utility Pricing Model to reduce up-front
licensing costs.
• Design your application to take advantage of AWS elastic capacity.
• Identify where your end users will be geographically, and select Availability Zones, regions, and
endpoints closest to them to provide the best performance and end user experience.
• Also consider legal and business requirements when choosing AZs, regions, and endpoints.
• Whenever designing or deploying AWS services, take advantage of that service's embedded
security features.
• Keep in mind that, as an AWS customer, you are responsible for the security of everything you
build in the AWS cloud. AWS is only responsible for the security of its infrastructure.
ACTIVITY 1-1
Introducing That's Cheezy Cheese Emporium

Data File
C:\093025Data\Getting Started with AWS\Introducing That's Cheezy Cheese Emporium.docx

Scenario
That's Cheezy Cheese Emporium sells gourmet cheeses and other specialty food items. The
company is interested in AWS cloud services. You have been brought on board to assist the
company in exploring their AWS options.

1. Read the scenario in C:\093025Data\Getting Started with AWS\Introducing That's Cheezy Cheese
Emporium.docx.
As a consultant for That's Cheezy Cheese Emporium, what challenges do you foresee in helping That's
Cheezy understand the world of AWS cloud services?
A: Answers will vary. AWS will likely introduce new concepts to the company and its management.
You may need to help the company understand terminology and concepts before they can make
any informed decisions. You might also face opposition by those who see no value in changing
their operational model.
2. How do you think the AWS Global Infrastructure can assist a company like That's Cheezy Cheese
Emporium?
A: Answers will vary. Since AWS has a global infrastructure, it is well positioned to provide service to
a company that is trying to expand into a global market. In addition, its global network of
Availability Zones will make it easier for That's Cheezy to build in redundancy and fault tolerance.

That's Cheezy Business and Technical Goals
This case study introduces That's Cheezy Cheese Emporium, a fictitious business that is moving
towards AWS cloud services. It outlines the immediate business needs that the company wants AWS
to address, as well as sets the scope for activities throughout this course. Allow the students a few
minutes to absorb the scenario, and then lead the group in answering the questions. Ask the class if
they think using cloud services must always involve hosting a website. This question will be
answered in the next topic, "Leverage AWS in Your Business Strategy."
ACTIVITY 1-2
Selecting Appropriate Infrastructure Options

Scenario
Not all of the managing directors at That's Cheezy Cheese Emporium are on board with the idea of
using cloud services. They are wondering why the current website hosting provider can't supply the
necessary facilities that the sales, marketing, and IT teams need. Some are also asking if That's
Cheezy should host its own servers, or even colocate them to a data center. The CEO has asked you
to help the group understand the pros and cons of using different hosting solutions, including cloud
services.

Note: In this activity, you will consider That's Cheezy's scenario and discuss possible hosting
options for the company. If you have any real-world experience with the various solutions, you
are encouraged to share your experience with the rest of the group.

1. Consider That's Cheezy's business scenario in light of what you have just learned, and answer the
following questions.
With regard to That's Cheezy's need to support growth trends and new marketing initiatives, which
online solution or solutions would be a good fit for their new requirements?
A: Answers will vary. The company's current website hosting provider hosts websites but does not
offer the other services that the company desires. Any solution chosen must be one that scales.
Cloud computing, grid computing, and colocation all support scalability to some level or another.
However, the desire to extend into a global market requires a service provider that can scale
globally. In this case, cloud computing is the best choice.
2. How can AWS help That's Cheezy achieve its business objectives?
A: Answers will vary. First of all, it provides all of the services that the company desires. Its regions
and Availability Zones make it easy to scale and provide service to any part of the globe. It is also
convenient and economical to use.
3. If That's Cheezy chooses AWS cloud computing, what are some of the biggest challenges they will
face?
A: Answers will vary. AWS provides only the infrastructure. That's Cheezy's IT department will have
to know how to build its online services on top of that infrastructure. It will need to be able to
choose the right services for its needs, build those applications, and secure the servers,
networking components, applications, and data.

Lead the group in an open discussion to consider possible hosting solutions for That's Cheezy. If any
of the students have real-world experience with the various options, encourage them to share it with
the group.
TOPIC B
Leverage AWS in Your Business Strategy
Now that you have seen the AWS global infrastructure, it is time to explore how AWS can benefit
your organization.

AWS Cloud Benefits
The real benefit of using the AWS cloud is that you can stand up a high-performing global
infrastructure in a matter of minutes with little to no startup money. You can also have that
infrastructure respond quickly and dynamically to increased or decreased capacity needs. All of the
complexity, up-front cost, and required expertise has been taken care of for you. You pay for what
you use and no more. AWS claims that your total cost of ownership will be less than 30% (and in
some cases below 10%) of what you would otherwise spend to set up your own equipment. The
speed and convenience means your own project will have reduced time to market.
AWS lists the following benefits for using their cloud services:
• High reliability
• Quick scalability
• Excellent performance
• Cost effectiveness
• Pervasive security
• Convenience
• Flexibility
• Ease-of-use
Although one might think that the AWS IaaS is only useful for large companies, small organizations
can also really benefit from the convenience, redundancy, and security best practices built into the
AWS cloud. Your cloud-based applications do not have to be only for the general public. They can
also be for internal use. The only issue that might interfere with choosing a cloud platform for
internal operations is that to use it, one has to have good, consistent Internet connectivity with
sufficient bandwidth. While that is not an issue in most cases, there are still places in the world
where bandwidth costs are too prohibitive to move a company's internal operations to the cloud.

AWS Platform Uses
AWS has a very diverse range of customers, from start-ups to global enterprises, government
departments to scientific research firms, retailers to schools. AWS need not be limited to e-commerce
applications. Remember that it is an infrastructure that can house and deliver practically
any software or application. Its high-power, highly resilient, quickly scalable capabilities make it
suitable for any number of uses. You could use the AWS platform for nearly any purpose that
requires scalable, distributed, high-power computing. Possibilities include:
• An election campaign committee collecting, tracking, and analyzing voter registration, polling,
and donation data.
• A global company deploying an internal application to its business units around the world.
• A scientific research firm using massive computing power to perform large-scale simulations or
data analysis.
• An e-commerce website that must be able to respond immediately to sudden increased traffic.
• A news or entertainment organization delivering video and other multimedia content to end
users.
• A utilities company tracking substation and device status, customer power usage, outages, and
trends.
• A software company providing high-speed downloads to its customers.
• A university providing online classes.
• A large non-profit coordinating thousands of volunteers and outreach programs.
• A municipality or local government department offering many of its traditional walk-in services
online.

Assure students that, while the sheer scope of AWS services can seem overwhelming at first, they
have evolved to provide for the needs of practically any type of organization. A quick look at the
AWS customer case studies will give an idea of how others have used AWS.
Lesson 1: Getting Started with AWS | Topic B
15 | AWS™ Fundamentals
Note: AWS has published case studies of hundreds of its customers. You can scan these case
studies to get a sense of the diversity of purpose that others have used AWS for. For more
information see https://aws.amazon.com/solutions/case-studies/.

AWS Strategy and Business Goals Alignment
Amazon has the following key recommendations for aligning your AWS IT strategy with business
goals:
• Make your AWS IT strategy a part of the overall business strategy, and not a separate strategy by
itself.
• Have a plan to identify both cost and value when making needed changes.
• As you move to the cloud, consider the impact to all aspects of the business and IT.
• Make adjustments as you go and stay flexible.

AWS CAF
The AWS Cloud Adoption Framework (CAF) is a tool you can use to help align your AWS IT
strategy with your business strategy. It contains guidance that helps all aspects of your business
adapt its existing practices, as well as introduce any new practices necessary to move to a cloud-based
environment. CAF guidance is organized into seven areas of focus, called perspectives. The
following table summarizes each perspective and its role in moving your organization to the cloud.

Perspective Name: Description
Business Perspective: Align technical delivery to business strategic goals. Identify and measure
business impact.
Platform Perspective: Make optimal use of technology for implementation.
People Perspective: Identify and acquire technical skills needed to adopt AWS cloud.
Process Perspective: Manage programs and projects to deliver outcome on time and in budget.
Manage risk.
Operations Perspective: Optimize management of the AWS environment.
Security Perspective: Determine and implement risk management, governance, and any required
security mechanisms to achieve compliance.
Maturity Perspective: Define desired state of the overall system including all processes, and create
roadmaps for achieving that state.

Inform students that the CAF will be especially interesting to managers and those who must
consider AWS from a business perspective.
Note: For more information on the CAF, see the whitepaper "An Overview of the Cloud
Adoption Framework" at https://d0.awsstatic.com/whitepapers/aws_cloud_adoption_framework.pdf.
AWS Marketplace
AWS Marketplace™ is a place to shop for thousands of third-party products and services as you
build your cloud-based presence. It is for organizations that do not have the desire or in-house
expertise to create what they need for their site. There are thousands of products and service
offerings available. The marketplace changes frequently as new offerings become available.
Figure 1-3: The AWS Marketplace.
Note: For more information, visit the site at https://aws.amazon.com/marketplace.
Inform students that AWS Marketplace is a great place to go if your organization does not have the
expertise to build its own apps and services. This is especially useful for small to medium sized
organizations.

Free Tier Eligible
Many, but not all, AWS services permit you to test drive them for little or no money. There are,
however, limits to how long you can use something for free. Usually, when you exceed your
maximum free usage allotment, charges start to automatically accrue. If you are exploring AWS
services for the sake of learning, make sure that when you select and launch any service that it is
marked Free Tier Eligible. Be sure to delete anything you launch once you are through practicing
with it.
When you are through exploring and practicing, consider deleting your AWS account.
For more information on Free Tier Usage, see
http://docs.amazonwebservices.com/gettingstarted/latest/awsgsg-freetier/TestDriveFreeTier.html.
Warn students that it is very easy to accidentally incur credit card charges in AWS, even when just
exploring the features. Encourage them to take the time (after class is over) to really study the
guidelines for using Free Tier Eligible services.

Guidelines for Leveraging AWS in Your Business Strategy
Here are some guidelines you can follow when leveraging AWS in your business strategy:
• Keep in mind that even small organizations can benefit from the features, convenience, and
security provided by the AWS cloud.
• Peruse the case studies on the AWS website to get a better idea of how different organizations
have used AWS for their diverse needs.
• As a manager, use the Cloud Adoption Framework (CAF) to help prepare your organization to
move its IT infrastructure to the cloud.
• Take advantage of third party solutions and services available at the AWS Marketplace.
ACTIVITY 1-3
Leveraging AWS in Your Business Strategy

Scenario
As That's Cheezy Cheese Emporium considers moving to AWS, the managing directors would like
to see how other organizations have benefited from moving to the cloud. They have asked you to
walk them through some case studies, highlighting the challenges those businesses faced, and how
those challenges were resolved.
In this activity, you will divide into small teams. Each team will choose a different case study from
the AWS website. Spend about 10 minutes as a team examining the case study, looking for both
challenges and solutions that the business encountered when moving to the AWS cloud. Be
prepared to report your key findings to the rest of the class. You will then spend a few minutes
presenting your findings.

1. Your instructor will divide you into small teams.
2. As a team, go to the AWS Case Studies web page at https://aws.amazon.com/solutions/case-studies/all/
and select a case study. Choose a case study that is different from the other teams' choices. Announce
your choice to the rest of the class.
3. Examine the case study and discuss your findings. Look for the challenges the business needed to
overcome, and how AWS solved those challenges. Prepare to share your key findings with the class.
Spend about 10 minutes on this step.
4. When invited by the instructor, present your findings to the rest of the class.
5. What can That's Cheezy Cheese Emporium do if it does not have the managerial or technical expertise
necessary to take advantage of AWS?
A: Answers will vary. Management can follow the guidelines laid out in the AWS CAF. The IT
department can engage third-party services and products available at the AWS Marketplace. IT
can also learn how to use the various services by first deploying the Free Tier Eligible versions.

After the teams present their findings, lead the class in answering the question in Step 5.
Findings might include: ability to deploy new services or programs that they previously could not;
ability to reach a broader market; reduced cost; improved uptime/reliability; easier management;
ability to consolidate servers or services; ability to use analytics or Big Data for the first time;
ability to more easily track and manage remote devices; ability to more easily monitor and manage
staff workflows.
TOPIC C
Work with the AWS Management Console
Now that you understand the various AWS service offerings and how they can benefit your
organization, it is time to start using the AWS Management Console.

The AWS Management Console User Interface
The AWS Management Console user interface is a web page with links to tools. It has over fifty
tools organized into thirteen categories, depending on what you want to build. In addition, there are
links to create resource groups and tags, as well as additional resource links. It also has a Service Health
section that allows you to see at-a-glance if your services are operating normally.
After creating your AWS account, you can log into the Management Console using your Amazon
login credentials. In addition to using a browser, you can also download the AWS Console mobile
app from the Amazon Appstore, Google Play™, or iTunes®.
Remind students that the purpose of AWS is to provide building blocks for organizations and
developers to build their own online services.
Figure 1-4: Amazon Web Services Management Console.

AWS Management Console Tools
The following table summarizes the categories and tools you can find in the AWS Management
Console.
Note: You will use a number of these tools throughout this course.
Category: Compute
Tools: EC2, EC2 Container Service, Elastic Beanstalk, Lambda
Description: Create and manage virtual servers and web apps

Category: Storage and Content Delivery
Tools: S3, CloudFront, Elastic File System, Glacier, Snowball, Storage Gateway
Description: Manage storage and deliver multimedia content to end users

Category: Database
Tools: RDS, DynamoDB, ElastiCache, Redshift, DMS
Description: Create, manage, and optimize databases

Category: Networking
Tools: VPC, Direct Connect, Route 53
Description: Create and optimize virtual networks, as well as connections to AWS

Category: Developer Tools
Tools: CodeCommit, CodeDeploy, CodePipeline
Description: Store code and automate code deployment

Category: Management Tools
Tools: CloudWatch, CloudFormation, CloudTrail, Config, OpsWorks, Service Catalog, Trusted Advisor
Description: Monitor and manage resources, track activity, optimize performance and security

Category: Security & Identity
Tools: Identity and Access Management, Directory Services, Inspector, WAF, Certificate Manager
Description: Create and manage user accounts, authentication and authorization, analyze application
security, and filter malicious web traffic

Category: Analytics
Tools: EMR, Data Pipeline, Elasticsearch Service, Kinesis, Machine Learning
Description: Manage workflows, Big Data, streaming data, and build smart applications

Category: Internet of Things
Tools: AWS IoT
Description: Connect everyday devices to the cloud

Category: Game Development
Tools: GameLift
Description: Create multiplayer games

Category: Mobile Services
Tools: Mobile Hub, Cognito, Device Farm, Mobile Analytics, SNS
Description: Develop mobile apps including authentication, collect and analyze mobile usage data

Category: Application Services
Tools: API Gateway, AppStream, CloudSearch, Elastic Transcoder, SES, SQS, SWF
Description: Create and deploy APIs, manage application streaming, search, media transcoding, email,
message queueing, and workflows

Category: Enterprise Applications
Tools: WorkSpaces, WorkDocs, WorkMail
Description: Desktops in the cloud, enterprise storage and sharing, email and calendaring

Remind students that AWS regularly updates their offerings, and to expect the console to change
periodically to reflect new tools and services.
Lesson 1: Getting Started with AWS | Topic C
20 | AWS™ Fundamentals

AWS New Console Preview
AWS regularly updates its products and services to improve your experience. This includes updating
the Management Console from time to time as well. At the time of writing this course, AWS started
previewing a new layout for the Management Console. All of the same tools are available, only they
are organized a little differently with shortcuts and quick starts to make it easier to get started.
When you first sign up for AWS, this new preview is your default view. You can switch back to
classic view by selecting the You can switch back to the previous version anytime. link at the
bottom of the page. Once you have switched to the previous view, you cannot switch back to the
new view without creating a new account.
At the time of writing this course, the new preview version of the AWS Management Console
requires a $1.00 credit card pre-authorization for each new service you wish to try out. The existing
(previous or classic) console view has no such requirements. Explain to students that, in order to
avoid excessive charges, delays, or other logistical issues, this course will use the
Figure 1-5: AWS new console preview.
AWS Command Line
If you do not wish to use the graphical AWS Management Console to administer your cloud, you
can alternatively use the command line interface. This is particularly useful for those who wish to
include commands in scripts or code. You can use the tool manually by opening a Windows
command line, and then entering the command aws <subcommand>. For example: aws configure
allows the command line to use an access key, set the default region, and choose the output format.
You can download the AWS command line tool at https://aws.amazon.com/cli/.
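To make concrete what aws configure records, here is an added example; it is not part of the course material and not code from the AWS CLI. The command stores the access key pair in a credentials file and the default region and output format in a config file, both INI-style files in the .aws folder of the user's home directory (%UserProfile%\.aws on Windows, ~/.aws elsewhere). The file contents below are constructed with placeholder key values, and the function names are this example's own; it parses the two files, redacts the secret so a summary can be shown safely, and flags profiles a practitioner would want to look at before scripting against them.

```python
"""Read the files written by `aws configure` and summarize each profile.

Added example, not part of the AWS Fundamentals course or the AWS CLI.
File contents are constructed; key values are placeholders, not real keys.
"""
import configparser

# Constructed stand-in for ~/.aws/credentials. Each profile is a plain
# [name] section holding the access key pair.
CREDENTIALS_TEXT = """
[default]
aws_access_key_id = AKIAEXAMPLEKEY000001
aws_secret_access_key = EXAMPLE-SECRET-DO-NOT-USE

[lab]
aws_access_key_id = AKIAEXAMPLEKEY000002
aws_secret_access_key = EXAMPLE-SECRET-DO-NOT-USE-2
"""

# Constructed stand-in for ~/.aws/config. The default profile is [default];
# every other profile is written as [profile NAME] in this file.
CONFIG_TEXT = """
[default]
region = us-east-1
output = json

[profile lab]
output = table
"""


def redact(secret):
    """Keep only the last four characters so a summary never leaks the key."""
    return "*" * max(len(secret) - 4, 0) + secret[-4:]


def load_profiles(credentials_text, config_text):
    """Join the credentials and config files into one dict per profile."""
    creds = configparser.ConfigParser()
    creds.read_string(credentials_text)
    conf = configparser.ConfigParser()
    conf.read_string(config_text)

    profiles = {}
    for name in creds.sections():
        # Section naming differs between the two files (see CONFIG_TEXT).
        conf_section = name if name == "default" else f"profile {name}"
        profiles[name] = {
            "access_key_id": creds.get(name, "aws_access_key_id", fallback=""),
            "secret": redact(creds.get(name, "aws_secret_access_key", fallback="")),
            "region": conf.get(conf_section, "region", fallback=None),
            "output": conf.get(conf_section, "output", fallback=None),
        }
    return profiles


def check_profile(profile):
    """Return the points worth flagging for one profile (empty list if none)."""
    issues = []
    if not profile["region"]:
        # Without a default region, every scripted command needs --region.
        issues.append("no default region: every command will need --region")
    if not profile["output"]:
        issues.append("no default output format (aws defaults to json)")
    if profile["access_key_id"].startswith("AKIA"):
        # AKIA... ids are long-term IAM access keys; ASIA... ids are temporary.
        issues.append("long-term access key; prefer temporary credentials where possible")
    return issues


if __name__ == "__main__":
    for name, profile in load_profiles(CREDENTIALS_TEXT, CONFIG_TEXT).items():
        print(name, profile)
        for issue in check_profile(profile):
            print("  -", issue)
```

Running the block prints each profile with its secret redacted; the lab profile is flagged because it has no region, and both profiles are flagged because they hold long-term keys. To run it against your own files, read the two paths named above instead of the constructed strings.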
Keys
AWS uses public/private key pairs for authentication and encryption. These keys are assigned to
user accounts, applications, roles, servers, and other entities that need to be authenticated. They are
also used to encrypt data and data communications. You can obtain your own keys from a third-party
certification authority, or you can use AWS tools to request and create keys.
Inform students that they will create a key pair in a later activity.

Tags
A tag is an optional label that you can assign to your AWS resources to better manage them. It
contains metadata, which describes the resource. A resource is anything you create and use in AWS. It
can be a virtual machine, a storage volume, an IP address, a database, a policy or rule, etc.
You can create tags using the AWS Management Console, as well as the command line. They help
you categorize your resources. These categories can be anything that makes sense to you such as
purpose, owner, project, cost center, department, environment, etc. Tags are useful when you have a
lot of similar resources, but you want to find only the ones that are for, say, a particular project or
developer team. Once you find the resource(s) you want by searching for its tag(s), you can then edit
or administer it as desired.
A tag is a case-sensitive string of characters that has two parts: key and value. Examples of tags
include:
• Owner = DBAdmin
• Project = EastCoastPilot
• Team = DevTeam1
• Stack = Production
Note: A stack is a group of resources such as virtual machines that are managed as a single unit.
Remind students that metadata is data about the data. It describes and gives context to the data it is
attached to. For example, metadata associated with a picture could include who created it and when,
size of the picture, color depth, resolution, and the like.
You must create tags that have meaning to your environment, and assign them to resources you
create. They will not be assigned automatically. Not all resources support tagging. There are also
restrictions to using tags including:
• You can have up to 10 tags per resource.
• Tag keys and values are case sensitive.
• The aws: prefix is reserved for AWS system use and should not be used in tag keys or values.
Note: For more information on using tags, see the article "What is a Tag?" at
http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/allocation-what.html.
The Tag Editor
The Tag Editor allows you to find resources, and then assign one or more tags to those resources.
You can assign multiple tags to multiple resources in multiple regions at the same time. You can also
choose tags you've already created, change the value of the key, or create new tags on the fly.
Ask students how they might categorize their AWS resources. By department? Project? Owner?
Figure 1-6: Tag Editor.
Resource Groups
Resource groups exist for administrative convenience. A resource group is a collection of resources
that you can manage together. You create the group, and then you can create a custom console to
consolidate and organize information about that group into a single view. Your group can even
include different types of resources, including ones from different regions.
When creating a resource group, you assign the same tag (or portion of a tag) to all of the resources
you want to group together. Your various users can each have their own resource groups that are
only visible to them, or they can share with others.
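The tag restrictions listed under Tags and the tag-based grouping described here fit together in a few lines of code. The following is an added example, not part of the course material or of any AWS tool: it checks a constructed inventory against the three restrictions the text names (at most 10 tags per resource, case-sensitive keys and values, no aws: prefix), then finds the resources that share a tag the way the Tag Editor and a resource group do. The Resource class, the inventory, the resource IDs and the function names are all this example's own assumptions; the IDs are placeholders, not real AWS identifiers.

```python
"""Validate tag sets and build a tag-based resource group.

Added example, not part of the AWS Fundamentals course or any AWS tool.
The inventory below is constructed; resource IDs are placeholders.
"""
from dataclasses import dataclass, field

MAX_TAGS_PER_RESOURCE = 10   # limit as stated in the course text
RESERVED_PREFIX = "aws:"     # reserved for AWS system use


@dataclass
class Resource:
    """A minimal stand-in for any taggable AWS resource."""
    resource_id: str
    resource_type: str
    region: str
    tags: dict = field(default_factory=dict)


def tag_problems(tags):
    """Return the restrictions a tag set violates (empty list means none).

    Keys and values are compared as given, so "Stack" and "stack" count
    as two different keys. The aws: prefix is checked case-insensitively
    as a conservative choice for this example.
    """
    problems = []
    if len(tags) > MAX_TAGS_PER_RESOURCE:
        problems.append(f"{len(tags)} tags exceeds the limit of {MAX_TAGS_PER_RESOURCE}")
    for key, value in tags.items():
        if key.lower().startswith(RESERVED_PREFIX):
            problems.append(f"key {key!r} uses the reserved {RESERVED_PREFIX} prefix")
        if str(value).lower().startswith(RESERVED_PREFIX):
            problems.append(f"value {value!r} of key {key!r} uses the reserved {RESERVED_PREFIX} prefix")
    return problems


def audit(resources):
    """Map each resource ID to its tag problems; clean resources are omitted."""
    report = {}
    for r in resources:
        problems = tag_problems(r.tags)
        if problems:
            report[r.resource_id] = problems
    return report


def find_by_tag(resources, key, value=None):
    """Resources carrying tag `key` (and `value`, if given), matched case-sensitively."""
    return [r for r in resources
            if key in r.tags and (value is None or r.tags[key] == value)]


def build_resource_group(resources, key, value):
    """A resource group is the set of resources sharing one tag.

    As the text describes, it may span resource types and regions.
    Returned as sorted IDs so the result is stable.
    """
    return sorted(r.resource_id for r in find_by_tag(resources, key, value))


# Constructed inventory. The last entry shows two easy mistakes: a
# lowercase "project" key (a different key from "Project") and a key
# with the reserved prefix.
INVENTORY = [
    Resource("i-0example1", "ec2:instance", "us-east-1",
             {"Owner": "DBAdmin", "Project": "EastCoastPilot",
              "Team": "DevTeam1", "Stack": "Production"}),
    Resource("vol-0example2", "ec2:volume", "us-east-1",
             {"Project": "EastCoastPilot", "Stack": "Production"}),
    Resource("db-0example3", "rds:db", "us-west-2",
             {"Project": "EastCoastPilot", "Stack": "Staging"}),
    Resource("sg-0example4", "ec2:security-group", "us-east-1",
             {"project": "EastCoastPilot", "aws:owner": "DBAdmin"}),
]


if __name__ == "__main__":
    print("EastCoastPilot group:", build_resource_group(INVENTORY, "Project", "EastCoastPilot"))
    print("Production only:", build_resource_group(INVENTORY, "Stack", "Production"))
    for resource_id, problems in audit(INVENTORY).items():
        print(resource_id, "->", "; ".join(problems))
```

The lookup deliberately returns three resources for Project = EastCoastPilot, not four: the security group was tagged with a lowercase key, which AWS treats as a different tag, and the audit is what surfaces that mistake along with the reserved-prefix key.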
Figure 1-7: Resource Group Editor.
Note: To learn more, check out the Spotlight on AWS Resource Groups presentation from the
Spotlight tile on the CHOICE Course screen.
Access the Checklist tile on your CHOICE Course screen for reference information and
job aids on How to Use AWS Management Tools.
You may want to show the Spotlight on AWS Resource Groups presentation available on the
Spotlight tile on the CHOICE Course screen. You might choose to include it in your instructional
plans, or you can remind students about the tile and the supplemental information it contains.
ACTIVITY 1-4
Creating an AWS Account

Before You Begin
You have Internet access, a mobile phone, and a credit/debit card with at least $1.00 available on it.

Scenario
Now that the managing directors at That's Cheezy Cheese Emporium are on board with the idea of
moving to the cloud, the CIO wants to get started. You have been asked to help set up an AWS
account for the company to use.

Note: Activities may vary slightly if the software vendor has issued digital updates. Your
instructor will notify you of any changes.

1. Create an AWS account.
a) Open a browser and navigate to https://aws.amazon.com/console/.
b) Select Create an AWS Account.
c) On the Sign In or Create an AWS Account page, enter your email address, select I am a new user,
and then select Sign in using our secure server.
d) On the Login Credentials page, enter your details and select Create account.
e) On the Amazon Web Services Sign Up page, fill out the page, enter the Security Check text, select
the AWS Customer Agreement check box, and select Create Account and Continue.
f) On the Payment Information page, enter your credit card details and select Securely Submit.
g) On the Identity Verification page, enter a phone number and select Call Me Now. Make note of the
4-digit PIN number that appears in the browser.
h) When Amazon calls your phone, answer, and when prompted, enter the 4-digit PIN number
displayed in your browser.
i) When identity verification is complete, hang up your phone and in the browser select Continue to
Select Your Support Plan.
j) On the Support Plan page, ensure that Basic is selected and then select Continue.
k) On the Welcome to Amazon Web Services page, select Complete Sign Up.
l) On the Sign In or Create an AWS Account page, log in using your new Amazon account.
2. Configure the Management Console.
Note: Using the previous version of the Management Console will prevent AWS
from placing a $1 pre-authorization on your credit card for every service you use
during the course.
a) On the console home page, scroll to the bottom and select the switch back to the previous version
link.
b) On the Switching back to the previous experience page, select Remove this account from the
preview.
c) Verify that you can see the (previous) AWS Management Console home page.
d) Leave the console open.

Remind students that they will switch to the "previous" version of the console to avoid excessive
pre-authorization charges and delays. Notify students of any changes to activities based on digital
software updates issued by the software vendor.
ACTIVITY 1-5
Working with the AWS Management Console
ut
e
Before You Begin
You have already signed into the AWS classic Management Console.
is
1. Identify tools in the console.
D
a) Examine the tools in the Management Console. Verify that they are grouped by general function
such as Compute, Storage and Content Delivery, Database, Networking, and so on.
or
2. Which tools do you think you might use when building That's Cheezy's cloud-based infrastructure?
A: Answers will vary, though many will choose Compute, Storage and Content Delivery, and
Database.
at
e
3. Set your region to US East (N. Virginia).
a) In the upper-right corner, locate your account name.
b) To the right of your account name, select the region drop-down list, and set the region to US-East
(N. Virginia).
D
o
N
ot
D
up
lic
Working with the AWS
Management Console
Each step has some
questions for the group
to answer. Lead the
class in answering these
questions.
Inform students that it is
important that they use
the same region
throughout this course,
and that US East has all
AWS features available
to it, whereas some
other regions do not.
tr
ib
Scenario
The technical team at That's Cheezy Cheese Emporium is eager to get started on the new AWS
project. Management has asked you to help the IT department become familiar with the AWS
console. You will show them how the tools are organized, help them determine their region and
Availability Zone, how to track costs, and how to access additional resources.
c) On a sheet of paper or in a text file, record your region as US East (N. Virginia), and your region
code as us-east-1.
Note: You will use this information in a later activity.
4. Record your Account Id, and view the Dashboard.
a) Select the drop-down arrow next to your name. Examine the menu choices in the drop-down box.
b) Select My Account.
Your account information opens in a new web page.
c) In the center pane, under Account Settings, find your Account Id. Record it in the same place you
recorded your region and region code in the previous step for future reference.
d) On the left-hand side, select Dashboard. Examine the charts and reporting features that are
available.
e) In the upper-left corner, select the orange cube to quickly return to the console home page.
5. How will the Dashboard help you track your AWS costs?
A: Answers will vary. You can use the Spend Summary and Month-to-Date Spend by Service charts
to track the cost of various AWS services you are using. You can also set alerts to automatically
email you when a cost threshold has been reached.
6. Examine additional resources.
a) In the right pane, under Additional Resources and Service Health, explore the various resource links
including Getting Started, AWS Console Mobile App, AWS Marketplace, and Service Health
Dashboard.
b) Return to the console home page.
7. Which of the additional resources do you think will be useful in your daily operations?
A: Answers will vary. In the beginning, admins might find Getting Started and AWS Marketplace to be
very useful. If they want to access the console via a mobile device, they might use the AWS
Console Mobile App. For daily operations, some may want to use the Service Health Dashboard.
8. What is the current Service Health status?
A: Answers may vary, but most likely it will show all services operating normally.
Summary
In this lesson, you learned about AWS cloud services and the AWS global infrastructure. You
learned different ways AWS can benefit organizations, and the resources available to learn more
about AWS. You learned about the AWS security model, and how to minimize cost. You also
learned about AWS management tools including the AWS Management Console, the command line,
keys, tags, and resource groups.
In what way do you think AWS can benefit your organization?
A: Answers will vary. Some may wish to move internal IT operations to the cloud. Others may wish to
improve the performance of their website, database, storage, or other services. Still others may wish
to implement services or technologies that they currently do not have the infrastructure or resources
to deploy on premises.
Which AWS management tool do you think you will use the most?
A: Answers will vary. System administrators will probably start out using the AWS Management Console.
Over time, they will start to use the command line more and more. Application developers will
probably use coding language to deploy and manage AWS services.
Encourage students to use the social networking tools provided on the CHOICE Course screen to
follow up with their peers after the course is completed for further discussion and resources to
support continued learning.
Note: Check your CHOICE Course screen for opportunities to interact with your classmates,
peers, and the larger CHOICE online community about the topics covered in this course or
other topics you are interested in. From the Course screen you can also access available
resources for a more continuous learning experience.
2
Implementing AWS Storage and Database Services

Lesson Time: 1 hour, 30 minutes

Lesson Objectives
In this lesson, you will:
• Configure AWS storage options.
• Deploy different AWS database types.

Lesson Introduction
The most basic, practical usage of AWS™ is to store data. For this reason, it is important to
understand the various data storage services that AWS has to offer.
TOPIC A
Configure AWS Storage
Now that you understand how the AWS Management Console is organized, it is time to create your
first AWS deployment.
AWS Storage Options
AWS has a number of storage options for its cloud services. They each have their own advantages
and can be used independently or in combination. They are:
• Amazon Elastic Block Store (Amazon EBS)
• Amazon Simple Storage Service (Amazon S3)
• Amazon Elastic File System (EFS)
• Amazon EC2™ Instance Store
• Amazon Glacier™ Storage
• Amazon CloudFront™ Content Delivery Network
Amazon Simple Storage Service (S3) is general-purpose, Internet-based storage. It was designed to make
it easier for developers to use web-scale computing. Amazon S3 uses the concept of a bucket and an
object for managing data. A bucket is an allocated amount of storage. An object is any file you wish to
store in the bucket. The object is a key-value combination that contains the object name (key) and
the data (value). It also contains access control information, version ID, and other metadata
(information about the data). You can retrieve the object by using an HTTP URL address.
For example, the object /photos/mystuff.jpg stored in a bucket named mybucket has the addressable
URL http://mybucket.s3.amazonaws.com/photos/mystuff.jpg.
When you create a bucket, keep the following in mind:
• Bucket objects can only be folders or files.
• You cannot edit an object once it is placed in a bucket. You can only replace it with an updated
object of the same name.
• Choose a region that is geographically close to those who will use it such as EU (Ireland) or US
West (N. California).
• You must give your bucket a globally unique name. If you choose a name that is already in use,
AWS will notify you.
• As a best practice, use all lowercase letters when naming your bucket.
• A good bucket naming strategy is to include your domain name and region in the name. For
example, mycompany-com-us-east.
• You can have up to 100 buckets for every AWS account.
• Each file you upload to a bucket cannot exceed 5 GB in size.
• In order to minimize latency in the different geographical regions your website might service,
you can have buckets in multiple regions.
• The bucket, as well as the objects it contains, stays in the region you specify.
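As an added example (not code from the manual), the following Python turns the bucket-and-key model above into the object's addressable URL and checks a proposed bucket name before you try to create it. The manual's rules (lowercase, domain plus region) are extended with the published S3 naming rules (3 to 63 characters; letters, digits, dots and hyphens only; starts and ends with a letter or digit; not shaped like an IPv4 address), and the sample names are constructed.

```python
"""Added example, not from the course manual: build the virtual-hosted URL for an
S3 object and check a proposed bucket name against the naming rules. The rules
beyond the manual's list are the published S3 bucket naming rules; all sample
names are constructed for the example."""
import re
from urllib.parse import quote

NAME_PATTERN = re.compile(r"^[a-z0-9][a-z0-9.-]*[a-z0-9]$")
IPV4_PATTERN = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def bucket_name_problems(name: str) -> list:
    """Return the rules a proposed bucket name breaks; an empty list means it is
    acceptable. Global uniqueness cannot be checked locally: only the create
    call (AWS notifying you, as the text says) reveals a name already in use."""
    problems = []
    if name != name.lower():
        problems.append("contains uppercase letters; use all lowercase")
    if not 3 <= len(name) <= 63:
        problems.append("must be 3 to 63 characters long")
    if not NAME_PATTERN.match(name.lower()):
        problems.append("only letters, digits, dots and hyphens, starting and "
                        "ending with a letter or digit")
    if ".." in name:
        problems.append("consecutive dots are not allowed")
    if IPV4_PATTERN.match(name):
        problems.append("must not look like an IP address")
    if "." in name:
        # A dot in the name breaks virtual-hosted style HTTPS access: the
        # wildcard certificate for *.s3.amazonaws.com does not cover a host
        # name with extra dots in it. Hyphens avoid the problem.
        problems.append("dots prevent virtual-hosted style HTTPS access; prefer hyphens")
    return problems


def suggested_bucket_name(domain: str, region_code: str) -> str:
    """The manual's naming strategy: domain plus region, all lowercase, with
    the dots of the domain turned into hyphens (mycompany-com-us-east)."""
    return f"{domain.lower().replace('.', '-')}-{region_code.lower()}"


def object_url(bucket: str, key: str) -> str:
    """Virtual-hosted style URL in the form the text shows, over HTTPS, with
    each path segment of the key percent-encoded so that spaces and reserved
    characters in object names survive in the address."""
    segments = [quote(part, safe="") for part in key.lstrip("/").split("/")]
    return f"https://{bucket}.s3.amazonaws.com/" + "/".join(segments)


if __name__ == "__main__":
    # Constructed sample names: the first two follow the manual's advice.
    for candidate in ("thats-cheezy-moo-dharma-us-east-1",
                      suggested_bucket_name("MyCompany.com", "us-east"),
                      "ThatsCheezy", "192.168.0.1", "thats.cheezy"):
        print(candidate, "->", bucket_name_problems(candidate) or "ok")
    print(object_url("mybucket", "/photos/mystuff.jpg"))
```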
Inform students that Dropbox, Netflix, and Amazon itself all use S3 to store content.

Amazon EBS
Inform students that they will learn more about Amazon virtual machines, also known as EC2
instances, later in the course.
Amazon Elastic Block Store (EBS) is a cloud-based service that provides blocks of storage for cloud-based
virtual machines. It is essentially a hard drive that you can custom design and use in the cloud.
When you create an EBS volume, it is initially not associated with any specific virtual machine, but
can be attached or detached as desired. It is optimized for data that must be quickly accessible and
persistently available.
EBS volumes behave like raw, unformatted block devices. You can create a file system on them,
encrypt them, and take point-in-time snapshots that can be used to create new EBS volumes. You
can copy EBS volumes across regions and AZs. You can also restore snapshots to EBS volumes for
disaster recovery or to quickly provide data to an application. You can use Amazon CloudWatch to
monitor the performance of your EBS volumes.
EBS is the recommended primary storage choice for file systems, databases, and any applications
that need fine-grained access to raw, unformatted, block-level storage. It's good for databases that
depend on random reads and writes. It's also good for applications that are throughput-intensive,
performing reads and writes that are long and continuous.
Depending on the limits of your AWS account, you can attach multiple EBS volumes to a single
virtual machine. Although each virtual machine can have multiple attached volumes, each volume
can only be attached to one virtual machine at a time. There are four types of EBS volumes you can
create.
Volume                     Type   Description
EBS General Purpose SSD    gp2    Broad use including boot volumes, small- and medium-sized databases, and development and test environments.
Provisioned IOPS SSD       io1    For provisioning a specific level of I/O performance.
Throughput Optimized HDD   st1    Low-cost magnetic storage focused on throughput rather than IOPS.
Cold HDD                   sc1    Inexpensive magnetic block storage for infrequent data access.
As you create EBS volumes, keep in mind the following:
• A volume can be from 1 GB to 1 TB in size.
• As with physical drives, you can organize the disks into any of the standard RAID configurations
to improve throughput and fault tolerance.
• If you need to store files larger than 1 TB (such as a database) you can create multiple EBS
volumes and stripe (split) the file across them.
• An EBS volume must be in the same AZ as the virtual machine that uses it.
• You can create a snapshot (point in time backup) of an EBS volume, and use that snapshot to
create another, fully populated, EBS volume in the same or different AZ or region.
Note: Amazon uses the word instance to refer to its virtual machines.
Amazon EFS
Amazon Elastic File System (EFS) is a managed file system for your virtual machines. It is meant for
file hosting and collaborating, and was developed primarily for enterprise or developer
environments. It is essentially Network Attached Storage (NAS).
The key difference between EFS and EBS is that you can mount EFS onto several virtual machines
at the same time. This is very useful if you have an application that runs on multiple virtual
machines, and needs access to a common file system.
When mounting EFS to a virtual machine, you create a mount target in your Virtual Private Cloud
(VPC). The mount target has an IP address that you connect to using Network File System (NFS)
v4. The amount of storage grows and shrinks automatically on a need basis up to petabytes in size.
Performance also auto-scales as the volume size increases. You can use Amazon EFS to store both
your data and metadata across multiple Availability Zones in a region. It has parallel access that
provides high amounts of data throughput for your application. Amazon EFS uses POSIX-style
permissions for access control.

Explain to students that a "managed" service is one in which AWS has already set up the service for
your immediate use. You do not need to set up a server or configure any infrastructure to use the
service. You can start to use it without worrying about managing or configuring the
Note: You will learn more about Virtual Private Clouds (VPCs) later in the course.
When using EFS, keep in mind the following:
• Currently, EFS only supports connections from Unix®/Linux® virtual machines. You cannot
connect a Windows® virtual machine to it.
• You can mount an Amazon EFS file system on virtual machines in only one VPC at a time.
• Both the file system and VPC must be in the same AWS region.
Note: POSIX is a set of standards to make application programming interfaces (APIs) uniform
in Linux and UNIX systems. This makes applications portable across a wide range of Unix/
Linux operating systems.
Amazon S3, EBS, and EFS are different types of storage with different strengths and use cases. You
can use them in combination if desired. The following table summarizes the differences between S3,
EBS, and EFS.
Comparison of S3, EBS, and EFS

Amazon S3: A web-oriented general purpose data store.
Amazon EBS: A device you can mount onto a virtual machine. Behaves like a raw, unformatted
external hard drive.
Amazon EFS: A managed, shareable file service that behaves like a Network Attached Storage (NAS)
volume. It is highly scalable in both size and performance.

Amazon S3: Stores files as uneditable objects. If you update the file, you will have to replace the
existing stored object with the new version.
Amazon EBS: Stores editable files the way a normal hard drive does.
Amazon EFS: Stores shareable, editable files that multiple operating systems can access.

Amazon S3: Good for immediately getting started.
Amazon EBS: Good for applications that need a conventional file system such as Linux ext3 and
Windows NTFS, or just raw, block-level storage.
Amazon EFS: Good for providing shared storage across multiple virtual machines.

Amazon S3: Files are accessed via a browser from anywhere on the Internet.
Amazon EBS: Files are accessed through the virtual machine operating system's file system.
Amazon EFS: Files can be accessed through an IP-based mount point on a virtual machine.

Amazon S3: Effectively no size limits.
Amazon EBS: Maximum volume size is 1 terabyte (TB).
Amazon EFS: Can scale to petabytes.

Amazon S3: Used by Amazon to run its own global network of websites, including storing virtual
machine images and snapshots.
Amazon EBS: Designed to be the disk for your virtual machine.
Amazon EFS: Designed for enterprise and development environments.

Amazon S3: Higher latency with eventual consistency.
Amazon EBS: Low latency with write-back caching for very low write latency.
Amazon EFS: High throughput with read-after-write consistency and low-latency file operations.

Amazon S3: Snapshots can be shared among virtual machines.
Amazon EBS: An EBS volume can only be accessed by one virtual machine at a time, and must be in
the same AZ.
Amazon EFS: EFS can be mounted by multiple virtual machines in the same VPC. Virtual machines in
different subnets must have their own mount point.

The following image shows how AWS EC2 instances (virtual machines) can use the different types
of storage.
Figure 2-1: Using different storage types.
Note: Remember that an AWS virtual machine is known as an "EC2 instance."
Amazon Glacier
Inform students that while you can use the GUI to create a storage vault, there is currently no GUI
tool for uploading or downloading files.
Another type of storage is Amazon Glacier. Amazon Glacier is a very low cost, cloud-based, long-term
storage solution. It is designed to offer a secure and durable alternative to storing your archive
data on premises, or physically sending it to a storage facility. It is meant for infrequently used or
cold data such as archives and backup copies that might go for years before being accessed again.
Amazon protects your data by storing it redundantly across multiple devices in multiple sites. You
can store as much or as little data as you wish, and can even choose the geographical region in
which to store the data in order to comply with any business or regulatory criteria.
Once you've created a Glacier vault, you can use the aws command line tool to upload and
download archives.
When creating a Glacier vault keep in mind the following:
• You must use the command line or an API in code to upload or download files.
• Files can be as large as 40 TB.
• For manageability, consider uploading multiple related files together in an archive file such
as .zip, .tgz, .rar, .7z, etc.
• If you send a multi-part file (such as a zip file that has been split into multiple evenly-sized
pieces), you will need to calculate a Secure Hash Algorithm (SHA) 256 hash for each piece, and
then combine the hashes into a single tree hash for Glacier to use during the upload.
• Data transmission is encrypted by SSL.
• The Glacier Vault inventory is updated only once per day, so uploads might not appear in the
GUI for 24 hours or more.
• Data retrieval can take 5 hours.
Note: For more information on using Amazon Glacier, see
https://docs.aws.amazon.com/amazonglacier/latest/dev/working-with-archives.html.
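The tree hash that the multi-part bullet above describes, as an added example that is not code from the manual or from AWS's own tools: each 1 MiB chunk of the archive is hashed with SHA-256, then adjacent hashes are concatenated and re-hashed level by level until one root hash remains. The archive bytes are constructed in memory; the 1 MiB chunk size is the one Glacier's tree-hash specification uses.

```python
"""Added example, not from the course manual or from AWS's tooling: the SHA-256
tree hash Glacier expects for an archive or an upload part. The sample archive
below is constructed in memory; for a real file, read it in 1 MiB pieces and
feed the same functions."""
import hashlib

MIB = 1024 * 1024  # Glacier's tree hash is defined over 1 MiB chunks


def chunk_hashes(data: bytes) -> list:
    """Leaf level: SHA-256 digest of each 1 MiB chunk; the last one may be shorter."""
    if not data:  # an empty archive hashes as a single empty chunk
        return [hashlib.sha256(b"").digest()]
    return [hashlib.sha256(data[i:i + MIB]).digest()
            for i in range(0, len(data), MIB)]


def tree_hash(leaves: list) -> bytes:
    """Combine digests pairwise up the tree. An odd hash left at the end of a
    level is carried up unchanged, so the root depends on both the content and
    the order of the chunks."""
    level = list(leaves)
    while len(level) > 1:
        nxt = [hashlib.sha256(level[i] + level[i + 1]).digest()
               for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])
        level = nxt
    return level[0]


def glacier_tree_hash_hex(data: bytes) -> str:
    """Hex value for the x-amz-sha256-tree-hash header of a whole archive, or of
    one part in a multipart upload."""
    return tree_hash(chunk_hashes(data)).hex()


def multipart_tree_hash_hex(parts: list) -> str:
    """Hash for completing a multipart upload: the leaf hashes of every part, in
    upload order, combined into one tree. Every part except the last must be a
    whole number of 1 MiB chunks for this to equal the single-archive hash
    (Glacier itself requires power-of-two MiB part sizes)."""
    leaves = []
    for part in parts:
        leaves.extend(chunk_hashes(part))
    return tree_hash(leaves).hex()


if __name__ == "__main__":
    # Constructed 3 MiB + 14 byte archive with three distinct full chunks.
    archive = b"A" * MIB + b"B" * MIB + b"C" * MIB + b"trailing bytes"
    print(glacier_tree_hash_hex(archive))
    # Same bytes sent as two parts of 2 MiB and 1 MiB + 14 bytes.
    print(multipart_tree_hash_hex([archive[:2 * MIB], archive[2 * MIB:]]))
```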
Amazon CloudFront CDN
Amazon CloudFront is a global content delivery network (CDN) that brings your website content as
close as possible to the customers who will need it. The Amazon CloudFront Global Edge Network
currently has 55 locations across six continents. Most of the major cities around the world have an
edge location. Their physical closeness to end users helps reduce latency when a user accesses
content from your website.
Note: As with many AWS services, you can test the CDN for free using the Free Usage Tier.
In order to use CloudFront, you must store your files on an origin server. This can be:
• Your own server
• An Amazon S3 bucket
• An Amazon EC2 instance
• An Elastic Load Balancer
You then create a distribution to tell CloudFront which origin server to retrieve the data from.
CloudFront then retrieves and caches copies of the files for distribution.
Explain to students that while CloudFront is not a standard storage system like S3, EBS, or EFS, it
stores cached copies of your website, bringing the content geographically closer to end users for
improved performance.
Note: You will learn about Elastic Load Balancers later in the course.
Access the Checklist tile on your CHOICE Course screen for reference information and
job aids on How to Configure AWS Storage.
Guidelines for Selecting AWS Storage
Note: All of the Guidelines for this lesson are available as checklists from the Checklist tile on
the CHOICE Course screen.
Here are some guidelines you can follow for selecting an AWS Storage solution:
• Choose S3 when you need a highly scalable object store.
  • S3 storage is regionally scoped.
  • S3 uses URLs to make objects available from anywhere on the Internet.
• Choose EBS when your virtual machines need to have more traditional volumes attached to
them.
  • EBS volumes are highly persistent, and can be attached to, and detached from, running
virtual machines.
  • An EBS volume must be in the same Availability Zone as the virtual machine that uses it.
• Choose Glacier when you need inexpensive, highly durable, long-term archive storage.
  • Glacier ensures that critical data is never lost.
  • It is very low cost, but at the expense of slow performance.
  • You must use a command line or code to upload/download archive files.
• Choose CDN when you need high performance, low latency delivery of files, especially
multimedia, close to your end users.
  • CDN copies content from a source into edge servers of your choosing.
ACTIVITY 2-1
Choosing an AWS Storage Solution
Scenario
Department managers at That's Cheezy Cheese Emporium have heard about the different storage
solutions AWS offers. They would like to know more, as they see a benefit in moving their
ever-increasing storage needs to the cloud. Some departments want to deploy AWS storage
immediately. Others will add it to next year's budget. They have asked your help in assessing their
needs and in recommending an appropriate AWS solution.

Lead the group in considering the scenarios and answering the questions.

1. The IT team at That's Cheezy Cheese Emporium would like to deploy an application that stores its data
on the network. The application is actually comprised of several parts that work together. Each part runs
on a different server, though all of the parts store and share data in a common location. The data is
constantly updated by the application. For performance reasons, the team would like the servers to be
in the same subnet.
Which storage solution would best serve the IT department's needs?
A: Because several servers need to share data in a common network location, EFS would be the
best choice. EBS, like a physical hard drive, is mounted to only one server so it's not a good
choice. S3 does not allow objects in a bucket to be edited, but rather replaced by a new version.
For that reason, S3 is also not a good choice. Glacier is not meant for constant data access, so it
is not the right choice either.
2. The graphics team creates promotional pictures and videos for the company. Some of the video clips
they work with are 20 GB in size. Rendering them all into a single video is time consuming, involving
large amounts of disk throughput. Additionally, they cannot use their workstations during the time that
the video is being rendered. Sometimes this takes hours. What they want to do is to be able to edit
individual clips on their workstations, and then quickly move the data to another computer where the
clips can be rendered into a single video. They would also like the rendering machine to have the
highest possible disk throughput to shorten video post production time.
Which storage solution would be the best fit for the graphics team?
A: The graphics team has two needs, and EBS can serve both. Each graphic artist should have an
editing computer with at least one additional EBS volume attached. As they edit, they can save
the clips to this volume. The EBS volume can then be detached from the artist's workstation and
reattached to a computer dedicated to rendering video. The rendering machine can have
additional EBS volumes configured in a RAID 0 disk striping array for maximum throughput. EFS
is not a good choice because of the latency added by network access between the workstation
and storage. Additionally, you cannot stripe EFS shares. S3 also cannot be striped, and has
network latency. It is also not meant for continuous editing of the same files. Glacier is meant for
cold storage only, so could not possibly be used for this purpose.
3. The sales team needs a web-based location where they can download the latest product literature and
price sheets from. Because team members travel all over the world to visit customers, they need to be
able to access the documents from anywhere. There are not that many documents, so they don't need
a complex hierarchy for organizing the files. They just want something simple, with fast response time,
that they can access wherever they are. In the past, they used an FTP site to host these files. This
caused a lot of problems for team members as some hotels and airport hotspots block the FTP protocol.
Which storage solution would be best for the sales team?
A: Because they need files to be available from anywhere in the world, an S3 bucket is a good
choice. It's easy to set up, requiring little effort. Although S3 does not allow objects to be directly
edited, this should not be a problem. When new product literature and price sheets are available,
4. The legal department just reminded management that accounting records need to be stored for at least
7 years. Although the files are unlikely to be used, they should nonetheless always be available in case
the company gets audited. Because of the long term storage requirements, they need a solution they
can depend on for years to come.
Which storage solution would satisfy the company's legal requirements?
A: Glacier is by far the best choice in this scenario. It is meant for long term, safe storage of data at a
very low cost.
ACTIVITY 2-2
Creating an S3 Bucket
Data File
C:\093025Data\Implementing AWS Storage and Database Services\cheese.jpg

Scenario
Now that the sales team has settled on using an S3 bucket to store product literature and price
sheets, they are ready to deploy. They have asked you to set up the bucket and test it with a file.

Before You Begin
You will need to know your region code (recorded in step 2 of the activity "Working with the AWS
Management Console").

Remind students that they recorded their region and region code in step 2 of the activity
"Working with the AWS Management Console." Remind students to be consistent in selecting the
same region and Availability Zone throughout the course.

1. Create an S3 bucket.
a) On the console home page, under Storage & Content Delivery, select S3.
b) Select the Create Bucket button.
c) In the Create a Bucket - Select a Bucket Name and region dialog box, in the Bucket Name text box,
enter thats-cheezy-<your-name>-<your region>, for example thats-cheezy-moo-dharma-us-east-1.
d) From the region drop-down menu, select your region (note: if you are in us-east-1, select US
Standard as your region).
Note: Make sure you select the same region in every activity throughout this
course.
e) Select Create.
It may take a moment for your bucket to appear.
2. Populate the bucket with content.
a) In the left pane, under All Buckets, select the bucket you just created.
b) Select the Upload button.
c) In the Upload - Select Files and Folders pop-up dialog box, select the Add Files button.
d) In the Open dialog box, browse to and select C:\093025Data\Implementing AWS Storage and
Database Services\cheese.jpg.
e) Select Open.
f) Select the Start Upload button.
It may take a moment for your file to upload.
g) In the left pane, verify that cheese.jpg appears in the bucket.
3. Set permissions on the bucket.
a) Select cheese.jpg.
b) In the upper-right, select the Properties button.
c) In the Object: cheese.jpg pane, examine the information about the uploaded file.
d) Expand the Permissions section.
e) In the first Grantee drop-down box, verify that you see your account.
f) Select Add More Permissions.
g) From the second Grantee drop-down box, select Everyone.
h) Check the Open/Download check box.
i) Select Save.
4. Test the bucket.
a) In the Object: cheese.jpg section, next to Link, select the link.
A new browser page should open to your uploaded picture.
b) Verify that you can see the image in your browser.
c) Verify that you can download the image to your computer.
d) Close the tab showing the cheese.jpg file, then select All Buckets to return to the S3 Management
Console.
5. Create a logs-<your-name>-<your-region> bucket.
a) Create another bucket called logs-<your-name>-<your-region>, for example
logs-moo-dharma-us-east-1.
Remind students to refer to Steps 1 & 3 if necessary.
b) Verify that you can see both of your buckets in the console. You do not need to change permissions
or upload a file to the logs bucket.
c) Return to the console home page.
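Step 3 of this activity grants the Everyone group Open/Download on cheese.jpg, which is what makes the link in step 4 work for anyone on the Internet. As an added example (not code from the manual), the Python below audits an ACL document in the shape boto3's get_object_acl and get_bucket_acl return and flags grants to Everyone (the AllUsers group) or to any authenticated AWS account; the ACL documents are constructed to mirror cheese.jpg after step 3 and a private object, the owner ID is a placeholder, and no AWS call is made.

```python
"""Added example, not from the course manual: audit an S3 ACL document (the shape
boto3's get_object_acl / get_bucket_acl return) for grants that reach beyond
your own account. The ACLs below are constructed; the owner ID is a placeholder."""

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# ACL permission names mapped to the check boxes of the (older) S3 console used
# in this activity: Open/Download grants READ, View Permissions grants READ_ACP,
# Edit Permissions grants WRITE_ACP; on a bucket, Upload/Delete grants WRITE.
CONSOLE_LABEL = {
    "READ": "Open/Download",
    "READ_ACP": "View Permissions",
    "WRITE": "Upload/Delete",
    "WRITE_ACP": "Edit Permissions",
    "FULL_CONTROL": "do everything",
}

OWNER = {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"}  # placeholder

# cheese.jpg after step 3: the owner's own grant plus Everyone -> Open/Download.
CHEESE_ACL = {
    "Owner": OWNER,
    "Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}

# The logs bucket from step 5, left at its default: owner only.
PRIVATE_ACL = {"Owner": OWNER,
               "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}


def public_grants(acl: dict) -> list:
    """Return (who, permission) for each grant to Everyone or to any AWS account."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical users and e-mail grantees are named principals
        uri = grantee.get("URI")
        if uri == ALL_USERS:
            who = "Everyone"
        elif uri == AUTHENTICATED_USERS:
            who = "Any AWS account"  # any AWS login at all, not just yours
        else:
            continue  # e.g. the S3 log delivery group, which is not a public grant
        findings.append((who, grant["Permission"]))
    return findings


def is_world_readable(acl: dict) -> bool:
    """True when anyone on the Internet can fetch the object or list the bucket."""
    return any(who == "Everyone" and perm in ("READ", "FULL_CONTROL")
               for who, perm in public_grants(acl))


def report(acl: dict, name: str) -> list:
    """One human-readable line per public grant, in the console's wording."""
    return [f"{name}: {who} can {CONSOLE_LABEL.get(perm, perm)} ({perm})"
            for who, perm in public_grants(acl)]


if __name__ == "__main__":
    for name, acl in (("cheese.jpg", CHEESE_ACL), ("logs bucket", PRIVATE_ACL)):
        print(name, "world-readable:", is_world_readable(acl))
        for line in report(acl, name):
            print("  ", line)
```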
ACTIVITY 2-3
Creating EBS Storage
Scenario
The graphics department at That's Cheezy Cheese Emporium is anxious to get started with their
new EBS solution. With the help of the IT department, they will soon be migrating all of their
editing operations to the cloud. The IT team wants to make sure they understand how to create EBS
volumes, which they will attach to the new graphics workstations. The IT manager has asked you to
lead the team in creating the first EBS volume.
1. Create an EBS Volume.
Note: You will attach this EBS volume to a Windows virtual machine in a later
activity.
a) On the console home page, under Compute, select EC2.
b) On the EC2 Dashboard, on the left pane, under ELASTIC BLOCK STORE, select Volumes.
c) Select the Create Volume button.
d) In the Create Volume pop-up dialog box, from the Availability Zone drop-down box, select an
Availability Zone of your choice. Record your EBS Availability Zone.
e) Accept the remaining default settings and then select Create.
It may take a moment for your volume to be ready. You might need to select the Refresh button if it
is not displayed after a few moments.
2. Name the volume.
a) In the volume list, verify that you now have a new volume with a State of available.
If you have more than one volume, look at the date and time in the Created column to identify the
newest volume.
b) In the Name column of your new volume, hover your cursor over the text area so that a pencil icon
appears.
c) Select the pencil icon.
d) In the pop-up dialog box, type EBS for Windows and press Enter.
e) Verify that your new EBS volume appears.
f) Return to the console home page.
TOPIC B
Deploy Amazon Database Services
Having deployed your first AWS storage services, it is now time to deploy managed database
services.
Note: To learn more, check out the Spotlight on AWS Managed Services presentation from
the Spotlight tile on the CHOICE Course screen.
Amazon Managed Database Services
Amazon provides managed services for every major database type. These services are:
• Amazon RDS—traditional relational database system
• Amazon DynamoDB™—NoSQL database
• Amazon Redshift™—data warehouse

Inform students that they will learn about the individual database services in this topic. Remind
students that "managed" means the user does not have to set up a server or install the database
application. They simply choose which database application they want and AWS does all the
provisioning and management for them. You may want to show the Spotlight on AWS Managed
Services presentation available on the Spotlight tile on the CHOICE Course screen. You might
choose to include it in your instructional plans, or you can remind students about the tile and the
supplemental information it contains.

Amazon RDS
Remind students that a relational database system is one in which data integrity and accuracy have
the highest priority. Tables have common columns called keys that ensure data remains consistent
(agrees) across all tables throughout the database.
Amazon Relational Database Services (RDS) is a traditional relational database system that is fully
managed. It provides fast, predictable performance, is easy to set up, and scales quickly. You can
choose from database systems you already know including MySQL™, MariaDB®, PostgreSQL,
Oracle®, Microsoft® SQL Server®, and Amazon Aurora DB engine (a new system that is MySQL
compatible). As with other AWS services, you only pay for what you use.
The basic building block of RDS is the database instance—an isolated environment that can contain
one or more user-created databases. Once your databases are created, you can access them using
your favorite database management tools such as MySQL Workbench, EMS SQL Manager for
Oracle, or Microsoft SQL Server Management Studio.
You can use Amazon RDS whenever you need a relational database including:
• Online banking and other financial transactions.
• Tracking related entities such as customers, products, and orders.
• Complex queries, analysis, and reporting.
• Any scenario where the data must be consistent with high integrity.
Amazon RDS can be very high performing. Depending upon the hardware configurations you
choose, you can have the following performance features:
• 500,000 reads/sec
• 100,000 writes/sec
• 99.99% uptime
• 6-way replicated storage, across 3 availability zones
• On-demand scalability to 64 TB with 15 read replicas
Because RDS is fully managed, you do not need to deploy and manage the server that the database
runs on. Backups are also automatic, but you can also choose to manually create point-in-time
snapshots that are stored in S3.
Amazon DynamoDB
Amazon DynamoDB is a NoSQL database that is fully managed. NoSQL is a schema-less, non-relational
database system that scales horizontally across many geographically-dispersed clusters of
computers. DynamoDB tables are simple, with data stored as key-value pairs.
Inform students that NoSQL is typically used for Big Data.
Lesson 2: Implementing AWS Storage and Database Services | Topic B
44 | AWS™ Fundamentals
Because a NoSQL database does not use Structured Query Language (SQL) to add, edit, and query
data, an application is needed to search the tables and present the data to the user. Usually, the
application accesses the data using an object-oriented application programming interface (API). As
an administrator, you can use a tool such as RazorSQL's DynamoDB Database Query Tool to
manage your database.
The following image shows the structure of a NoSQL-based online forum. The database has three
tables. The first table, Our_Cheezy_Forum, has a simple primary key. The other two tables have
composite primary keys. In addition, the Reply table has an index named PostedBy-Message-Index
that has its own composite primary key.
Note: Although the tables have primary keys, these are used for indexing, and not referential
integrity. There is no foreign key that ties one table to another table's primary key.
Figure 2-2: NoSQL online forum database structure.
NoSQL was designed to address scalability and performance issues that are inherent in traditional
relational databases. It favors high performance and regional high availability over immediate
consistency between all database nodes. Data consistency between nodes is eventual, though
Amazon advertises that the latency is low, usually within one second. NoSQL is used by companies
such as Facebook, Google™, and Amazon itself.
To enable high availability and data durability, DynamoDB stores three geographically distributed
replicas of each table in a ring topology.
Data is automatically replicated between nodes and Availability Zones. You can have millions of
IOPS provided by SSD storage. You can get started with DynamoDB at no cost, and pay for only
what you consume. Use cases for DynamoDB include:
• Internet of Things (IoT) for tracking and obtaining real-time data from millions of devices.
• Gaming including game details, usage history, logs, and session information.
• Real-time bidding.
• Ad serving.
• User profile management, ID lookups, and session tracking.
• Real-time fraud detection.
• Law enforcement real-time tracking of citizen movement and usage of credit cards, loyalty cards,
and travel reservations.
• Hierarchical archived data that must also be online such as forums and discussions.
• Caching.
• Social media posts and timelines.
RDS vs. DynamoDB
Most environments still need RDS, the relational database system. However, if you intend to expand
your services into Big Data, you will want to consider using DynamoDB, which is based on NoSQL.
As the amount of data increases, the performance of traditional RDS drops to the point where it can
no longer function effectively. DynamoDB, on the other hand, scales horizontally with the same
performance level regardless of the amount of data.
Use the following table to determine which database type is better for your situation.
RDS | DynamoDB
Traditional relational database model | NoSQL database model
Strong schema, complex table relationships, transactions and table joins | Schema-less, easy reads and writes, simple data model
Data is manipulated through SQL queries | Data is manipulated through object-oriented programming APIs
Difficult scaling | Easy scaling
Consistency over scale or availability | Performance and availability at any scale, with eventual consistency
Excellent choice for transaction-based data that must be highly consistent and accurate, or where tables must be tightly related | Excellent choice where flexibility, low latency, and always-available reading and writing are required in real time
Amazon Redshift
Inform students that Redshift is a proprietary competitor to the popular open source Apache Hive™ data warehouse. Remind students that a data warehouse stores a large amount of data from many sources, and is used for analysis as opposed to processing transactions.
Amazon Redshift is a relational data warehouse. It is meant to be simpler, cheaper, and higher-performing than traditional data warehouses. It can scale massively with many sites in parallel,
containing up to petabytes of data. It uses column-based storage, dramatically reducing the
unnecessary I/O associated with row storage. This is because with column storage, you only retrieve
the columns you want, rather than entire rows which you then have to filter for the columns you
need. It is fully managed, can be provisioned in minutes, and uses HDD and SSD storage. You pay
per hour, or per terabyte per year.
Once you install Amazon Redshift, you can use a tool such as SQL Workbench/J or Aginity
Workbench to manage your database.
Use cases for Amazon Redshift include:
• Extending or migrating away from your existing data warehouse
• Adding analytic functionality to applications
• Software-as-a-Service (SaaS) organizations
Redshift architecture is two-tier, with a Leader node that stores metadata, coordinates query
execution, and optimizes the query plan. Below the Leader node, connected by very high-speed
links, are Compute Nodes that provide local columnar storage, and parallel/distributed execution of
all queries. The storage can be Amazon S3, DynamoDB, or Amazon EMR (a web service for
quickly processing vast amounts of data).
Note: Amazon EMR is Elastic Map Reduce—a service for data processing and analysis.
Studying EMR is beyond the scope of this class.
Figure 2-3: Amazon Redshift.
Access the Checklist tile on your CHOICE Course screen for reference information and
job aids on How to Deploy an Amazon Database.
Guidelines for Selecting an Amazon Database
Here are some guidelines you can follow when selecting an Amazon database.
• Keep in mind that all AWS databases are fully managed, meaning you will not have to set up the
server or install the database application. You simply choose the database you want and AWS
sets it up for you.
• Choose RDS when:
  • You need a traditional relational database system.
  • You need a strong schema, complex table relationships, transactions and/or table joins.
  • You need a database based on the Structured Query Language (SQL).
  • You need data integrity and consistency more than performance or scalability.
• Choose DynamoDB when:
  • You need a NoSQL schema-less database.
  • You expect to store large amounts of data, including archived historical data.
  • You need a database that is always available for reads or writes, even at the expense of data
  consistency.
  • You need a database that is regionally dispersed for low latency.
  • You need a database that favors performance over data integrity.
• Choose Redshift when:
  • You need a relational data warehouse.
  • You need to store different types of data coming from different sources.
  • You need to add analytics to your application.
ACTIVITY 2-4
Selecting an AWS Database Service
Scenario
The managers at That's Cheezy Cheese Emporium are pleased with the AWS storage solutions you
implemented for them. Now they are asking what database options exist. The sales and marketing
teams need to continue implementing the company's new cloud initiatives. In addition, upper
management wants to see what impact these initiatives have on revenue. You have been asked to
assess the needs and recommend solutions.
1. The marketing team needs to create an online forum to capture customer feedback about its various
products. They would like That's Cheezy's website to include a place for customer reviews of the
various products they purchase. They want customers to be able to see what others are posting, as well
as to add their own comments. Because the team intends to deploy regional websites in different
languages around the world, it is not important for customer comments in one country to immediately
appear on websites in other countries. The marketing team has no idea how many comments might be
collected, but they expect the amount of data to become quite large over time. Eventually, they want to
use the feedback to track trends in customer preference.
Which database solution would be best suited for capturing and displaying customer reviews and
discussion threads?
A: DynamoDB would be the best choice in this case. Because the data can have loose consistency
(need not be immediately replicated to other websites) and may end up being quite large, a
NoSQL database is a good choice.
2. The sales team needs to be able to register new corporate customers, take orders, check product
availability, and check the status of an order. They need a database type that ensures that customer
accounts cannot be deleted while the customer still owes money, that accounts and orders are not
accidentally duplicated, and that they can perform complex queries and run reports. They need to be
able to do this online from anywhere in the world.
Which database type would best satisfy what the sales team wants?
A: RDS is the only realistic choice here. Because there must be tight consistency between customers
and their orders, a relational database will be required. Once RDS is set up, the database team
can create a customer database with tables for customers, orders, and products. They can also
create relationships between the tables to ensure data integrity and consistency.
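How a relational schema enforces the rules in this answer, as an added example that is not part of the course material: SQLite stands in for an RDS engine so that the code runs stand-alone, and the table names, columns, trigger and sample rows are constructed for illustration. The UNIQUE constraint stops duplicate accounts, the foreign keys stop orders for non-existent customers or products, the trigger refuses to delete a customer with unpaid orders, and the report query is the kind of join-based reporting the sales team asked for.

```python
import sqlite3
from typing import List, Tuple

# Added example, not from the course: a relational schema that encodes the
# sales team's integrity rules. SQLite is used so it runs without a server;
# every name and value below is constructed for illustration.

SCHEMA = """
CREATE TABLE customers (
    customer_id INTEGER PRIMARY KEY,
    name        TEXT NOT NULL UNIQUE            -- no duplicate accounts
);
CREATE TABLE products (
    sku   TEXT PRIMARY KEY,
    price REAL NOT NULL CHECK (price >= 0)
);
CREATE TABLE orders (
    order_id    INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL REFERENCES customers(customer_id),
    sku         TEXT    NOT NULL REFERENCES products(sku),
    quantity    INTEGER NOT NULL CHECK (quantity > 0),
    paid        INTEGER NOT NULL DEFAULT 0 CHECK (paid IN (0, 1))
);
-- A customer who still owes money cannot be deleted.
CREATE TRIGGER customers_keep_debtors
BEFORE DELETE ON customers
WHEN EXISTS (SELECT 1 FROM orders
             WHERE customer_id = OLD.customer_id AND paid = 0)
BEGIN
    SELECT RAISE(ABORT, 'customer still owes money');
END;
"""

SAMPLE_CUSTOMERS = [(1, "Alice"), (2, "Bob"), (3, "Carol")]
SAMPLE_PRODUCTS = [("GRUYERE-1KG", 24.0), ("FONTINA-1KG", 18.5)]
SAMPLE_ORDERS = [            # (order_id, customer_id, sku, quantity, paid)
    (1, 1, "GRUYERE-1KG", 2, 0),   # Alice still owes 2 x 24.0
    (2, 1, "FONTINA-1KG", 1, 1),
    (3, 2, "FONTINA-1KG", 4, 1),   # Bob is paid up; Carol has no orders
]


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")     # SQLite leaves this off by default
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_CUSTOMERS)
    conn.executemany("INSERT INTO products VALUES (?, ?)", SAMPLE_PRODUCTS)
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?, ?)", SAMPLE_ORDERS)
    conn.commit()
    return conn


def try_delete_customer(conn: sqlite3.Connection, customer_id: int) -> str:
    """Return 'deleted', or the reason the database refused."""
    try:
        conn.execute("DELETE FROM customers WHERE customer_id = ?", (customer_id,))
        conn.commit()
        return "deleted"
    except sqlite3.IntegrityError as exc:
        conn.rollback()
        return str(exc)


def insert_customer(conn: sqlite3.Connection, name: str) -> bool:
    """False when the UNIQUE constraint rejects a duplicate account."""
    try:
        conn.execute("INSERT INTO customers (name) VALUES (?)", (name,))
        conn.commit()
        return True
    except sqlite3.IntegrityError:
        conn.rollback()
        return False


def outstanding_balance_report(conn: sqlite3.Connection) -> List[Tuple[str, float]]:
    """Unpaid amount per customer, computed by joining the three tables."""
    rows = conn.execute("""
        SELECT c.name,
               COALESCE(SUM(CASE WHEN o.paid = 0 THEN o.quantity * p.price END), 0.0)
        FROM customers c
        LEFT JOIN orders   o ON o.customer_id = c.customer_id
        LEFT JOIN products p ON p.sku = o.sku
        GROUP BY c.customer_id
        ORDER BY c.name
    """).fetchall()
    return [(name, float(balance)) for name, balance in rows]


if __name__ == "__main__":
    db = open_db()
    print(outstanding_balance_report(db))   # [('Alice', 48.0), ('Bob', 0.0), ('Carol', 0.0)]
    print(try_delete_customer(db, 1))       # customer still owes money
    print(try_delete_customer(db, 3))       # deleted
    print(insert_customer(db, "Alice"))     # False
```

Bob cannot be deleted either, but for a different reason: his paid orders still reference his row, so the foreign key itself blocks the delete. Whether a paid-up customer should be deletable (and whether the orders should cascade or be archived first) is a business rule the schema forces you to decide explicitly, which is exactly the consistency guarantee the answer refers to.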
3. Management wants to be able to analyze sales and marketing data captured from the many That's
Cheezy websites. There will be websites all over the world, each serving that particular region and
customer base. All of the data eventually needs to be copied to a single location where it can be queried
in different ways. Management wants to use this data to forecast sales and develop longer term
strategies.
What database type would best suit management's needs?
A: Redshift would be the choice in this scenario. Because the data will be coming from diverse
sources, it should be copied to a data warehouse. The data can then be queried and analyzed to
spot trends.
ACTIVITY 2-5
Creating a DynamoDB NoSQL Discussion Forum
Scenario
The marketing department at That's Cheezy Cheese Emporium is looking forward to using their new online forum. They are getting ready for a massive new product launch, and want to be able to interact with consumers during the launch and capture customer feedback. They are on board with the idea of deploying a DynamoDB NoSQL forum, and have asked you to set it up. The database will have the following structure.
1. Create the Forum table.
a) On the console home page, under Databases, select the DynamoDB link.
b) On the Amazon DynamoDB page, select the Create Table button.
c) In the Table Name field, enter Our_Cheezy_Forum
d) In the Primary key* section, in the Partition Key field, enter ForumName
Remind students that NoSQL does not use relationships between tables. Tables are simple, storing data as key-value pairs.
Remind students to be mindful of the spelling, and to not add spaces to the names. Otherwise, an error will occur when they try to create their tables.
e) Ensure that the data type is set to String. Leave all other settings at default.
f) Select the Create button.
g) In the left pane, verify that you see Our_Cheezy_Forum.
2. Create the Thread table.
a) Use the procedure in Step 1 to create another table with these parameters: Table name = Thread,
Partition Key = ForumName, Partition Key data type = String. Check the Add sort key check box and
in the Sort key text field enter Subject. Ensure that the Sort key data type = String.
b) Leave all other settings at default, and select the Create button.
3. Create the Reply table.
a) Use the procedure in Step 2 to start creating another table with these parameters: Table name =
Reply, Partition Key = Id, Partition Key data type = String. Check the Add sort key check box and in
the Sort key text field, enter ReplyDateTime. Ensure that the Sort key data type = String.
b) In the Table settings section, uncheck the Use default settings check box.
c) In the Secondary indexes section, select +Add index.
d) In the Add index pop-up dialog box, in the Primary key* section, in the Partition key text field, enter
PostedBy and ensure that the data type is set to String.
e) Check the Add sort key check box, and in the text field that appears, enter Message and ensure that
the data type is set to String.
f) Accept the remaining defaults.
g) Select Add index.
h) On the Create DynamoDB table page, leave all other settings at default and select the Create
button.
4. Examine your tables.
a) On the DynamoDB page, in the left pane, select Tables.
b) Verify that your three tables appear and are active.
c) Select the table Our_Cheezy_Forum.
d) In the properties, select each tab to examine the information and configuration options.
5. Add an item to the Our_Cheezy_Forum table.
Note: Ordinarily, you would use an application to present the forum to a user. For
the purposes of this activity, you will manually enter items directly into the tables.
a) Make sure that the table Our_Cheezy_Forum is selected.
b) Select the Items tab.
c) Select the Create item button.
d) In the Create item dialog box, in the ForumName String text field, enter My Favorite Cheese
e) Select the Save button.
f) Verify that you now see My Favorite Cheese under ForumName.
You might have to drag the column heading to the right to see the entire forum name.
6. Create a discussion thread.
a) Select the Thread table.
b) If necessary, select the Items tab.
c) Select the Create item button.
d) In the ForumName String text field, enter My Favorite Cheese
e) In the Subject String field, enter a comment of your choice. For example: Gruyere or Fontina?
Which one is better for fondue?
f) Select the Save button.
g) Verify that you can see your discussion thread.
Again, adjust the columns as needed to see the text.
7. Post a reply.
a) Select the Reply table.
b) In the Items tab, select the Create item button.
c) In the Id String text field, enter 01
d) In the ReplyDateTime String text field enter 2016:08:04:14:32:07
Note: You may substitute the current date and time in the format
YYYY:MM:DD:HH:MM:SS.
e) In the PostedBy String text field, enter your name.
f) In the Message String text field, enter a reply of your choice. For example Gruyere for sure!
g) Select the Save button.
h) Verify that you see your reply.
Again, adjust columns if necessary to see the full text.
i) Return to the console home page.
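An in-memory model of the three tables built in this activity (the same structure Figure 2-2 describes in the DynamoDB section), added here as an example that is not part of the course material and is not DynamoDB's own API. The Table class, the use of the Reply Id as a thread identifier, and the sample items are assumptions made for illustration. It shows what the composite keys and the PostedBy-Message-Index give you, and what they do not: nothing stops a Thread item whose ForumName has no matching Forum item, because there is no foreign key.

```python
from typing import Dict, List, Optional, Tuple

# Added example, not from the course: a minimal DynamoDB-like table model for
# the Our_Cheezy_Forum / Thread / Reply structure. Sample items are constructed.

Key = Tuple[str, Optional[str]]   # (partition key value, sort key value or None)


class Table:
    """Items are addressed by partition key plus optional sort key."""

    def __init__(self, name: str, partition_key: str, sort_key: Optional[str] = None):
        self.name = name
        self.partition_key = partition_key
        self.sort_key = sort_key
        self.items: Dict[Key, dict] = {}
        self.indexes: Dict[str, Tuple[str, str]] = {}   # index name -> (pk, sk)

    def add_index(self, name: str, partition_key: str, sort_key: str) -> None:
        """A secondary index lets you query on attributes other than the table key."""
        self.indexes[name] = (partition_key, sort_key)

    def put_item(self, item: dict) -> None:
        """Only this table's own key attributes are validated. There is no
        referential check against any other table (no foreign keys)."""
        for attr in filter(None, (self.partition_key, self.sort_key)):
            if not isinstance(item.get(attr), str):
                raise ValueError(f"{self.name}: key attribute {attr} missing or not a String")
        key = (item[self.partition_key], item[self.sort_key] if self.sort_key else None)
        self.items[key] = dict(item)    # same key overwrites: a put, not an insert

    def query(self, partition_value: str, index: Optional[str] = None) -> List[dict]:
        """Items whose partition key (of the table or of an index) equals the
        value, ordered by the corresponding sort key."""
        pk, sk = self.indexes[index] if index else (self.partition_key, self.sort_key)
        hits = [i for i in self.items.values() if i.get(pk) == partition_value]
        return sorted(hits, key=lambda i: i.get(sk, "")) if sk else hits


def build_forum() -> Tuple[Table, Table, Table]:
    forum = Table("Our_Cheezy_Forum", "ForumName")
    thread = Table("Thread", "ForumName", "Subject")
    reply = Table("Reply", "Id", "ReplyDateTime")
    reply.add_index("PostedBy-Message-Index", "PostedBy", "Message")

    forum.put_item({"ForumName": "My Favorite Cheese"})
    thread.put_item({"ForumName": "My Favorite Cheese",
                     "Subject": "Gruyere or Fontina? Which one is better for fondue?"})
    # Assumption for this example: Id identifies the thread a reply belongs to.
    reply.put_item({"Id": "01", "ReplyDateTime": "2016:08:04:14:32:07",
                    "PostedBy": "Maria", "Message": "Gruyere for sure!"})
    reply.put_item({"Id": "01", "ReplyDateTime": "2016:08:04:15:01:10",
                    "PostedBy": "Dev", "Message": "Fontina melts more smoothly."})
    reply.put_item({"Id": "01", "ReplyDateTime": "2016:08:05:09:12:44",
                    "PostedBy": "Maria", "Message": "Both, then. Half and half."})
    return forum, thread, reply


def replies_in_thread(reply: Table, thread_id: str) -> List[str]:
    """Table key query: all replies for one Id, in ReplyDateTime order."""
    return [i["Message"] for i in reply.query(thread_id)]


def messages_by(reply: Table, user: str) -> List[str]:
    """Index query: everything one user posted, in Message order."""
    return [i["Message"] for i in reply.query(user, index="PostedBy-Message-Index")]


def orphan_thread_is_accepted(forum: Table, thread: Table) -> bool:
    """Demonstrates the note under Figure 2-2: no referential integrity."""
    thread.put_item({"ForumName": "Nonexistent Forum", "Subject": "Nobody will see this"})
    return (("Nonexistent Forum", None) not in forum.items
            and ("Nonexistent Forum", "Nobody will see this") in thread.items)


if __name__ == "__main__":
    f, t, r = build_forum()
    print(replies_in_thread(r, "01"))
    print(messages_by(r, "Maria"))
    print(orphan_thread_is_accepted(f, t))   # True
```

In a real deployment the application, not the database, is responsible for checking that a forum exists before writing a thread into it; that is the trade-off the RDS vs. DynamoDB comparison refers to when it lists consistency and integrity on the RDS side.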
Summary
In this lesson, you learned about the different kinds of AWS storage and when it is appropriate to
choose one over the other. You also learned about AWS managed database services, and how to
work with each database type.
Which storage type do you think you will use in your environment?
A: Answers will vary. If you want a simple website for uploading and downloading files on the Internet,
you will probably deploy S3. If you wish to have additional drives for your virtual machine, you will
choose EBS. Those wanting a NAS-style network storage device for their Linux virtual machines will
choose EFS. Anyone who wants inexpensive long-term storage will probably choose Glacier. And
those who want to bring web-based content physically closer to end users will probably deploy a
CloudFront distribution.
Which database type do you think will be useful in your environment?
Encourage students to use the social networking tools provided on the CHOICE Course screen to follow up with their peers after the course is completed for further discussion and resources to support continued learning.
A: Answers will vary. The real decision will come down to if you need a traditional database, a NoSQL
database, or a data warehouse. If you need a traditional relational database, you will find RDS to be
the most useful. If you want a NoSQL database with its flexibility and performance, you'll probably
choose DynamoDB. Or, if you want to store multiple data types in a single location and/or perform
analytics on your data, you will probably find Redshift to be useful.
Note: Check your CHOICE Course screen for opportunities to interact with your classmates,
peers, and the larger CHOICE online community about the topics covered in this course or
other topics you are interested in. From the Course screen you can also access available
resources for a more continuous learning experience.
Lesson 3: Implementing Compute and Network Services
Lesson Time: 1 hour, 15 minutes
Lesson Objectives
In this lesson, you will:
• Implement AWS Compute Services.
• Implement a virtual network.
Lesson Introduction
AWS™ services are, of course, not limited to storing and accessing data. One of the most
powerful features of AWS is its computational abilities. In order to move your compute
services to the cloud, you need to understand how those services are implemented and
networked together.
TOPIC A
Implement Elastic Cloud Compute Services
Now that you have deployed fully managed services, it is time to deploy AWS services that are
largely unmanaged.
Amazon EC2
Inform students that EC2 is Amazon's virtual machine technology. Unlike the database services, it is not fully managed. Once you provision an EC2 instance (virtual machine), you are responsible for configuring, managing, and securing it.
Amazon Elastic Cloud Compute (EC2™) is a service that allows you to scale your computing capacity
in the AWS cloud. Designed to make web-scale cloud computing easier for developers, it provides
as many or as few virtual machines as you need, including configurations for CPU, memory, storage,
networking, and security. It can automatically respond to spikes in user demand, so that you don't
have to worry about forecasting traffic.
EC2 Instance
Inform students that from this point on, virtual machines will be referred to as EC2 instances. The term virtual machine was used earlier in the course to avoid confusion. The EC2 instance is the basis for AWS scalability.
An EC2 instance is a single copy of a virtual machine that is running in the AWS cloud. It is a server
operating system, usually configured to provide some kind of service or application. An instance is
launched based on a virtual machine image. The image can be a basic operating system, or it may
come with an application pre-installed on it.
You can have as many instances of the same image running as you please. Being able to launch
multiple simultaneous copies of your website or application allows you to scale your service as
demand increases. Because instances are virtual, they launch immediately with no preplanning on
your part.
EC2 Instance Types
Point out to students that the T2 instance type is used in Free Tier Eligible services.
An EC2 instance type is a combination of CPU, memory, storage, and network capabilities allocated
to your instances. When you launch your EC2 instance, you select the instance type. Different
instance types have been designed for different load levels and use cases. The following table
summarizes the various instance types.
Category | Instance Type | Description | Use Case
GENERAL PURPOSE | T2 | Baseline performance with burst capabilities. 1 - 2 CPUs, 0.5 - 8 GB RAM | Good for workloads such as web servers, developer environments and databases that don't consistently need full CPU, but occasionally need to burst. t2.micro is typically used for Free Tier Eligible instances.
GENERAL PURPOSE | M4 | Latest generation of General Purpose Instances. 2 - 40 CPUs, 8 - 160 GB RAM | Good for applications that need a balance of compute, memory, and network resources.
GENERAL PURPOSE | M3 | General purpose Instance. 1 - 8 CPUs, 4 - 80 GB RAM | Good for small to mid-sized databases such as SAP, Microsoft® SharePoint®, cluster computing, and other enterprise applications.
COMPUTE OPTIMIZED | C4 | High performing Intel Xeon E5-2666 v3 (Haswell) processors, optimized for EC2 computation. 2 - 36 CPUs, 3.75 - 60 GB RAM, EBS-only storage | Good for high performance front-end fleets, web servers, batch processing, distributed analytics, high performance science and engineering applications, ad serving, massively multiplayer online (MMO) gaming, and video-encoding.
COMPUTE OPTIMIZED | C3 | Slightly scaled down version of C4 using 2 - 32 Intel Xeon E5-2680 CPUs, 3.75 - 60 GB RAM, and SSD storage | Good for high performance front-end fleets, web servers, batch processing, distributed analytics, high performance science and engineering applications, ad serving, massively multiplayer online (MMO) gaming, and video-encoding.
MEMORY OPTIMIZED | X1 | Large-scale, enterprise-class, in-memory applications, with 128 CPUs and 1952 GB RAM | In-memory databases such as SAP HANA®, big data processing engines such as Apache Spark™ or Presto, and high performance computing (HPC) applications.
MEMORY OPTIMIZED | R3 | Memory-intensive applications with 2 - 32 CPUs, 15.25 - 244 GB RAM | High performance databases, distributed memory caches, in-memory analytics, and genome assembly and analysis.
GPU | G2 | Intended for graphics and general purpose GPU compute applications. 1 - 4 GPUs, 8 - 32 CPUs, 15 - 60 GB RAM | 3D application streaming, video encoding, machine learning, and other GPU workloads.
STORAGE OPTIMIZED | I2 | Very fast SSD-backed instance storage optimized for very high random I/O performance, with 1x800 GB - 8x800 GB SSD storage | NoSQL databases such as Cassandra® and MongoDB®, Hadoop®, scale out transactional databases, data warehousing, and cluster file systems.
STORAGE OPTIMIZED | D2 | Dense storage with up to 48 TB HDD-based local storage with high disk throughput. 2x2000 GB - 24x2000 GB HDD storage | See I2 (the table gives one use-case cell for both storage optimized types).
Note: To learn more, check out the Spotlight on Determining What Type of Storage Your
EC2 Instance Can Use presentation from the Spotlight tile on the CHOICE Course screen.
You may want to show the Spotlight on Determining What Type of Storage Your EC2 Instance Can Use presentation available on the Spotlight tile on the CHOICE Course screen. You might choose to include it in your instructional plans, or you can remind students about the tile and the supplemental
Note: For more information on Instance Types, see the article "Amazon EC2 Instance Types"
at http://aws.amazon.com/ec2/instance-types/.
AMI
Inform students that pre-created AMIs exist for the most common deployment scenarios.
An Amazon Machine Image (AMI) is a virtual machine image file that sits in storage until you need it.
It provides a pre-configured template for your instance. When you launch an EC2 instance, you
must choose an AMI. You can either use a pre-created AMI, or create and register your own. Pre-created AMIs often come pre-installed with an application such as WordPress, SQL or Microsoft®
Active Directory®. A single AMI can be used to launch as many instances as desired.
AMIs have the following features:
• A template for the root volume of the instance, including operating system, application server,
and applications.
• Permissions that control which AWS accounts are used to launch instances.
• A block device mapping that specifies which volumes to attach to the instance.
Note: Do not confuse an AMI with an instance type. An AMI is a pre-created virtual machine
used to launch an EC2 instance. When you launch an instance, you choose the instance type,
which determines the level of virtual hardware assigned to that instance.
AMIs can be copied to the same or different regions. Once you have launched the instance, you can
de-register its AMI. In addition to creating your own AMI, you can search for and use existing AMIs
provided by AWS or the online community. Some commercial third parties charge for their AMIs.
Note: There are currently over 3000 commercial (paid) AMIs and over 66,000 community (free)
AMIs to choose from.
EC2 Security Groups
Point out to students that group in this context refers to a group of traffic rules, not a group of users.
A security group is a type of virtual firewall that controls traffic to or from one or more of your EC2
Instances. Each launched instance has one or more security groups associated with it. You add rules
to the security group to determine what traffic is allowed.
Like a firewall, security groups have the following default settings:
• Allow no inbound traffic
• Allow all outbound traffic
You can then create additional rules to define permitted or prohibited protocols, ports, and IP
address ranges. When you create a rule, it affects all EC2 instances associated with that security
group.
Note: For more information on Security Groups, see the article "Amazon EC2 Security Groups
for Windows Instances" at http://docs.aws.amazon.com/AWSEC2/latest/
WindowsGuide/using-network-security.html#ec2-classic-security-groups.
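A model of the behaviour described above, added here as an example that is not from the course and not AWS code: the Rule and SecurityGroup classes, the group names and the addresses (documentation ranges) are constructed for illustration. Security group rules are allow rules, so the two defaults in the text are modelled as an empty inbound list (nothing gets in) and a single outbound rule that matches everything. The audit function shows the check an administrator most often needs over a set of groups: an administrative port left open to every address.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List

# Added example, not from the course or AWS: how a security group evaluates a
# packet, plus a small audit over its rules. All values are constructed.


@dataclass(frozen=True)
class Rule:
    protocol: str    # "tcp", "udp", "icmp", or "-1" meaning all protocols
    from_port: int   # -1 means all ports (used together with protocol "-1")
    to_port: int
    cidr: str        # source range (inbound) or destination range (outbound)

    def matches(self, protocol: str, port: int, addr: str) -> bool:
        if self.protocol != "-1" and self.protocol != protocol:
            return False
        if self.from_port != -1 and not (self.from_port <= port <= self.to_port):
            return False
        return ip_address(addr) in ip_network(self.cidr, strict=False)


@dataclass
class SecurityGroup:
    name: str
    inbound: List[Rule] = field(default_factory=list)       # default: allow nothing in
    outbound: List[Rule] = field(                           # default: allow everything out
        default_factory=lambda: [Rule("-1", -1, -1, "0.0.0.0/0")])

    def allows(self, direction: str, protocol: str, port: int, remote: str) -> bool:
        """True if any rule in that direction matches; no matching rule means deny."""
        rules = self.inbound if direction == "inbound" else self.outbound
        return any(r.matches(protocol, port, remote) for r in rules)


ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
ANYWHERE = ("0.0.0.0/0", "::/0")


def audit_open_admin_ports(group: SecurityGroup) -> List[str]:
    """Findings for inbound rules that expose SSH or RDP to every address."""
    findings = []
    for r in group.inbound:
        if r.cidr not in ANYWHERE or r.protocol not in ("tcp", "-1"):
            continue
        for port, label in ADMIN_PORTS.items():
            if r.from_port == -1 or r.from_port <= port <= r.to_port:
                findings.append(f"{group.name}: {label} ({port}/tcp) open to {r.cidr}")
    return findings


def web_server_group() -> SecurityGroup:
    """Constructed example: HTTPS from anywhere, SSH only from an admin range.
    203.0.113.0/24 is a documentation range, not a real network."""
    sg = SecurityGroup("web-servers")
    sg.inbound.append(Rule("tcp", 443, 443, "0.0.0.0/0"))
    sg.inbound.append(Rule("tcp", 22, 22, "203.0.113.0/24"))
    return sg


if __name__ == "__main__":
    fresh = SecurityGroup("fresh")   # the defaults described in the text
    print(fresh.allows("inbound", "tcp", 443, "198.51.100.7"))    # False
    print(fresh.allows("outbound", "tcp", 443, "198.51.100.7"))   # True
    web = web_server_group()
    print(web.allows("inbound", "tcp", 22, "198.51.100.7"))       # False
    print(audit_open_admin_ports(
        SecurityGroup("oops", inbound=[Rule("tcp", 22, 22, "0.0.0.0/0")])))
```

Because every instance attached to a group shares its rules, one overly broad rule exposes the whole fleet; running a check like audit_open_admin_ports over all groups before they are attached is cheaper than finding the exposure afterwards in the logs.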
EC2 Storage
Because storage types and EC2 instances were introduced separately, their relationship is now highlighted here.
Your EC2 instance can, with varying levels of effort, use any of the storage types previously
discussed. The following table summarizes how an instance can use these storage types.
Storage Type | EC2 Use
EBS | Can be used by the instance as a local hard disk that contains the operating system or data. Can be formatted with a file system supported by the instance operating system. Meant to be the primary storage device for most EC2 instances.
EFS | Can be used by the instance as a NAS. You can connect a Linux®/Unix® instance to EFS using the NFSv4 protocol.
CDN | The instance can be the origin server for CDN copies.
S3 | Used by a user to store AMIs and volume snapshots. Can be directly accessed by a running instance using third party tools.
Glacier™ | Used by a user to store long term data. Can be directly accessed by a running instance using third party tools.
Note: It is beyond the scope of this class to discuss the use of third party tools for EC2
instances. However, a Google™ search will easily provide additional information on tool choices
and their use.
EC2 Instance Store
An EC2 instance store is yet another type of storage your EC2 instance can use. When AWS first
introduced EC2, all AMIs were backed by an Amazon EC2 instance store. This meant that the root
drive was actually an instance store volume, created from a template stored in Amazon S3. When
AWS introduced EBS, many instances became EBS-backed instead of instance store-backed.
Depending on your instance type, the root drive can be an instance store or EBS. Again, depending
on the type, you can also add more EBS or instance store volumes to the instance. Instance store
volumes have to be added at time of launch. EBS volumes can be added at any time.
If you add an additional instance store volume to your instance, it should be treated as a scratch disk
or temp drive. It has very low latency, but is not meant for permanent storage of any kind. This
makes it perfect for anything that is only needed for a short period of time such as temp files,
buffers, caches, or data replicated across load balanced websites. An instance store is actually located
on physical disks attached to the host computer. The volumes on an instance store appear as block
devices with names such as ephemeral 0, ephemeral 1, etc., up to ephemeral 23. Although an
instance store is for a particular instance, the disk subsystem it is on is shared by all instances on that
host.
Explain to students that instances should really use EBS volumes. An instance store today is the equivalent of a temp disk.
Figure 3-1: EC2 instance store.
When you launch an EC2 instance, you can specify any instance store volumes. You cannot add an
instance store after the instance has been launched. The data persists if the instance reboots, but is
deleted when the instance stops or is terminated. It also cannot be detached and moved to a
different instance. Because an instance store is meant to be a scratch disk, you should not use it for
valuable, long-term data.
When you terminate an EC2 instance, you effectively delete it. After a short while, a terminated
instance will disappear from the list of instances. And all data in the related instance stores will be
deleted as well.
Note: Not all instance types support instance stores. The T type instances, including the Free
Tier Eligible t2.micro, do not support instance stores. They are strictly EBS. You will not be able
to choose an instance store volume when launching a t2.micro instance.
EC2 Implementation
Point out to students that the full power of AWS is used when your application's code automatically launches or terminates EC2 instances on a need basis.
You can implement Amazon EC2 using the following methods:
• Manually using the AWS Management Console
• Manually or automatically (scripted) using the AWS Command Line Tool
• Automatically using the AWS SDK (Solution Developer Kit)
Additional EC2 instances can be automatically launched from your application code in order to scale
your service up or down as needed. An EC2 instance does not cost anything to get started. Once
you create your account, you can launch the EC2 Dashboard to select the desired AMI and instance
type for your virtual machine. Your EC2 instances, along with any snapshots, are stored in Amazon
S3 by default.
Note: It is beyond the scope of this course to discuss how to use code to scale your EC2
instances. For more information, see https://docs.aws.amazon.com/codedeploy/latest/
userguide/auto-scaling-integ.html.
EC2/EBS Integration
As you create an EC2 instance, you can create and attach EBS volumes at the same time. If you
have an existing EC2 instance, you can create an EBS volume, attach it to the instance, and mount
the volume inside the instance's operating system. This is the equivalent of adding a physical hard
drive to your computer, then using the operating system to initialize and mount the disk.
EBS volumes can be used for regular storage or even a boot partition for your instance. If you need
to restart an instance that boots from an EBS volume, you can do so while preserving the instance's
state. This provides for very fast startup time.
EBS volumes must belong to the same Availability Zone as the instance. They replicate
automatically to provide 99.999% availability for your EC2 instance. A single instance can have one
or multiple volumes attached to it. In this way, you can stripe your data across the volumes (as in a
RAID array) to increase disk I/O and throughput performance. If the instance fails or is detached
from the volume, the volume can be assigned to any other instance in the same Availability Zone.
Inform students that 99.999% ("five nines") availability means that the volume is unavailable for only about 5 minutes per year.
EC2/EFS Integration
Because EFS acts as Network Attached Storage (NAS) for one or more instances, it helps your data
be more independent and resilient. A single application or service running on multiple instances can
use the same EFS file share. A single EFS file system can manage thousands of web pages for one
website. You don't have to provision anything ahead of time. It will grow or shrink automatically in
response to increased or decreased need. EFS also provides a standard I/O API and file system
access semantics such as file locking and strong data consistency. This makes its integration with a
Linux/Unix EC2 more seamless.
Once you launch your EC2 instance, you can create a separate EFS file system and mount it to your
instance. You can then use it for diverse uses such as Big Data, analytics, home directories, media
content processing, or any application that requires rapid scaling for dynamic data sets.
ELB
Elastic Load Balancer (ELB) is a virtual version of load balancing. It allows you to distribute client
traffic to multiple EC2 instances in multiple Availability Zones that are running the same service. As
with traditional load balancing, incoming client requests are automatically distributed among the
instances to improve reliability and performance. Should one instance stop working or be flooded
with too much traffic (say, in the case of a denial-of-service attack) ELB will stop routing requests to
it.
Inform students that HTTP/2 is a new version of HTTP. It can multiplex (intersperse) multiple requests onto a single connection for improved efficiency.
Figure 3-2: ELB routing client requests to healthy EC2 instances.
ELB has two types of load balancers, as summarized in this table.
Type: Classic
Description: Internet-facing. Works at either the transport/session layer (TCP/SSL) or the application layer (HTTP/HTTPS).
Type: Application
Description: Internal-facing. Works at the application layer, load balancing HTTP, HTTPS, and HTTP/2 requests between nodes. If your application has different services, it can route the client request to different ports on different EC2 instances, based on the content of the client's request.
The ELB can be Internet-facing, such as for web front ends, or internal (not Internet-facing). ELB
features include:
• SSL termination for websites that accept HTTPS connections.
• Centralized management of SSL certificates.
• Encryption to back-end (non-Internet-facing) instances.
• Different ciphers and encryption protocols.
• Sticky sessions (traffic from the same client will always be routed to the same instance).
• IPv6 support.
• Layer 4 (transport protocol) or Layer 7 (application protocol) load balancing.
• Operational monitoring by Amazon CloudWatch.
• Logging of all requests as well as API calls using AWS CloudTrail.
Access the Checklist tile on your CHOICE Course screen for reference information and
job aids on How to Implement Elastic Cloud Compute Services.
ACTIVITY 3-1
Implementing Elastic Cloud Compute Services
Before You Begin
You have created an EBS volume, and you know the Availability Zone that the EBS volume was
created in.
Scenario
Now that the online Cheezy Forum is up and running, the marketing team would like to create an
online blog site where they can make announcements and generate customer excitement for new
products. At the same time, the graphics department is ready to test its multimedia editing
application in the cloud. You have decided to launch two EC2 instances: a Linux AMI preconfigured with WordPress for the marketing team, and a Windows server with the EBS volume
you previously created for the graphics team.
1. Choose a Free Tier Eligible WordPress instance.
a) In the console home page, under Compute, select EC2.
Alternatively, if you have a shortcut to the EC2 Management Console, you may use it.
b) On the EC2 home page, under Create Instance, select the Launch Instance button.
c) On the Step 1: Choose an Amazon Machine Image (AMI) page, in the left pane, select AWS
Marketplace.
d) In the Search text box, type wordpress and press Enter.
Note: HVM stands for Hardware Virtual Machine.
e) In the results, find the first available WordPress powered by BitNami AMI and select its Select
button.
f) Examine the various pricing options, then scroll to the bottom of the page and select Continue.
g) On the Choose an Instance Type page, under the Type column, find and select t2.micro Free tier
eligible.
2. Configure the instance in the wizard.
a) In the lower-right corner, select the Next: Configure Instance Details button.
b) On the Step 3: Configure Instance Details page, examine the available options. Accept the defaults
and then select the Next: Add Storage button.
c) On the Step 4: Add Storage page, under Volume Type, verify that the image has a Root volume,
then select the Add New Volume button. Verify that the new volume will be an EBS volume.
d) Select the Next: Tag Instance button.
e) On the Step 5: Tag Instance page, in the text field under Key, delete any existing text and enter
Department
f) In the Value text field, enter Marketing
g) Select the Next: Configure Security Group button.
Note: In a production environment, you would change 0.0.0.0/0 to known
public IP addresses to help protect your site from hacking.
h) On the Step 6: Configure Security Group page, examine the configuration options, leave the
defaults, and select the Review and Launch button.
i) On the Step 7: Review Instance Launch page, review the summary, including the security warning,
and select the Launch button.
3. Assign a key pair and launch the instance.
Note: In a production environment, you would ordinarily create a key pair so you
can retrieve the root password to log into your instance. In this activity, you will
not log into your WordPress instance, so you can proceed without creating a key
pair. If you ever desire to log into an instance that you did not create a key pair
for, you must find out from the team that created the AMI what the default
password is.
a) In the Select an existing key pair or create a new key pair pop-up dialog box, in the first drop-down
box, select Proceed without a key pair.
b) Check the I acknowledge that I will not be able to connect to this instance unless I already know the
password built into this AMI check box.
c) Select the Launch Instances button.
It may take a few minutes for your EC2 instance to enter a Running state.
d) Review the information on the Launch Status page, and in the lower-right corner, select the View
Instances button.
e) Verify that you see your new instance. It may show an Instance State of running, but the Status
Checks will probably display Initializing.
4. Perform post-launch tasks.
a) In the Name column, hover your cursor over the empty text field until a pencil icon appears, then
select the pencil icon.
b) In the pop-up text field, type Cheezy Blog and then press Enter.
c) Verify that the instance now has a name.
d) In the properties pane below, on the Description tab, examine the various properties. Verify that the
AMI ID includes the words bitnami-wordpress.
You can always verify which instance you are working on by checking the AMI ID.
Note: Your WordPress instance will take a few minutes to become ready. In the meantime, you will create a Windows instance. You will return to the WordPress instance after this next step.
5. Launch a Free Tier Eligible Windows Server 2012 R2 instance.
a) Again, select the Launch Instance button.
b) On the Step 1: Choose an Amazon Machine Image (AMI) page, on the left pane, select Community
AMIs.
c) Under Operating system, scroll down and select Windows.
d) Locate the first Windows_Server-2012-R2 AMI and select it.
It should be at the top of the list.
e) On the Step 2: Choose an Instance Type page, ensure that t2.micro Free tier eligible is selected and
select the Next: Configure Instance Details button.
f) On the Step 3: Configure Instance Details page, from the Subnet drop-down box, select the subnet
in the same Availability Zone as your EBS for Windows volume (for example, us-east-1b), then
select the Review and Launch button.
It is very important that your EBS volume and Windows instance are in the same Availability Zone.
g) On the Step 7: Review Instance Launch page, review the settings and then select the Launch
button.
6. Assign a key and launch.
Note: You will log into this Windows instance in a later activity, so you will need a
key pair to retrieve the administrator password.
a) In the Select an existing key pair or create a new key pair pop-up dialog box, from the first drop-down box, select Create a new key pair.
b) In the Key pair name text field, enter My Windows Server Key and then select the Download Key
Pair button.
Note: Depending on your browser, the key might be automatically downloaded
to your Downloads folder.
c) Save the key to your Downloads folder.
7. Perform post-launch tasks.
a) Select the Launch Instances button.
b) On the Launch Status page, select the View Instances button.
c) Verify that you see two instances. After a moment, they should both be in a running state, though
the Windows instance will probably show its Status Checks as Initializing. Record the Instance ID of
the Windows Server for later use.
Alternatively, you can copy the Instance ID from the Description tab.
d) Locate the Windows instance. In the empty Name text field, enter Windows Server 2012 R2 and
then press Enter.
Instruct the students to wait until the Instance State shows running before proceeding to the next step. The Status Checks may still show Initializing.
e) Verify that the Windows instance is now named Windows Server 2012 R2.
8. Attach the EBS for Windows volume to the Windows instance.
a) In the left pane, under ELASTIC BLOCK STORE, select Volumes.
b) Locate and select your EBS for Windows volume.
c) Select Actions→Attach Volume.
d) In the Attach Volume pop-up dialog box, in the Instance text field, enter or paste the Windows
Instance ID. AWS should recognize the Instance ID and display <instance id>(running). Select the
displayed choice.
e) Verify that the Device text field is automatically populated and then select the Attach button. Record
the Device name.
f) On the Volumes page, in the EBS for Windows record, scroll to the right, and under Attachment
Information verify that the device name appears and is attached.
g) Navigate to the Instances page, and select the Windows instance.
h) On the Description tab, in the Block devices section, verify that the EBS for Windows device name
appears.
9. Test your Cheezy Blog site.
a) On the Instances page, verify that the Cheezy Blog instance is running, and select it. Deselect the
Windows instance.
b) On the Description tab, locate and copy the Public DNS name.
c) Paste the public DNS name into a new browser tab and press Enter. Verify that the blog home page
appears with a "Hello World!" greeting.
Because you have not yet customized the blog website, the home page will still refer to WordPress.
Note: In a production environment, you would now want to customize your
blog. For more information, see: https://en.support.wordpress.com/customize/.
d) Close the blog browser tab and return to the console home page.
TOPIC B
Implement Virtual Networks
Now that you understand how to deploy your own unmanaged compute services, it is time to learn
how to organize those compute services into a virtual private cloud.
Amazon VPC
Amazon Virtual Private Cloud (VPC) allows you to provision a logically isolated segment of the AWS
cloud for your own use. It is an entire virtual network that gives you complete control. When you
create an EC2 instance, you put it into a VPC. If you do not specify which VPC, the instance will go
into the default. EC2 instances obtain their IP addresses from their VPC.
In your VPC, you can specify any of the following:
• IP address ranges
• Public and private facing IP addresses and subnets
• Route tables
• Network gateways
• Security groups and network access control lists
• A hardware-based Virtual Private Network (VPN) connection between your organization's data
center and your AWS VPC
If you create a VPN between your VPC and physical data center, it allows you to extend your data
center into the cloud without investing in additional floor space, server hardware, power
management, or environmental control capabilities.
You can choose to leave your VPC as an isolated private network with no connectivity to the
outside world or you can connect it in the following ways:
• Direct connection to the Internet using public subnets
• Using Network Address Translation (NAT) to keep internal IP addresses private
• Using an encrypted IPsec hardware VPN to connect to your data center
• Privately to other VPCs
• Direct connection to Amazon S3 without the need for an Internet gateway or NAT, allowing
you to control which buckets, requests, users, or groups are allowed through a VPC Endpoint to
S3
• Any combination of the above
Point out to students that a VPC is a complete virtual network with its own subnets and connectivity. You put your EC2 instances into your VPC, but there are many services you can create that do not go into a VPC. These include S3 buckets, Glacier vaults, the databases (Dynamo, RDS, Redshift), and others.
Elastic IP Address
An Elastic IP address is a static public IP address associated with your account. You can map (assign)
the address to any instance or software in your account. An instance or service that does not use an
Elastic IP address may have its public IP address change from time to time. This forces DNS entries
for your service to be updated periodically. An Elastic IP address has two main benefits:
• Should the instance fail, you can quickly re-map (reassign) your Elastic IP address to another
instance with little or no noticeable downtime.
• Your server or service will always have the same IP address assigned to your service, providing a
stable and unchanging DNS entry for that service.
Note: Elastic IP addresses are free only if in use. If they are reserved for later use, you must pay
for them.
Amazon ElastiCache
Inform students that ElastiCache is not free. If they wish to test it, they should be aware that it will incur cost, even if they do not use it.
Memcached is pronounced "mem-cash-dee".
Amazon ElastiCache™ is a web service that improves web app performance. It works by caching data
in memory, rather than retrieving it from disk. This is very useful when the same data needs to be
repeatedly read and delivered to your clients. In this way, ElastiCache is a good companion for
online databases.
ElastiCache uses two high performance open source caching applications:
• Memcached
• Redis
When you set up ElastiCache, you create an ElastiCache cluster. You choose either Memcached or
Redis to form the basis of your ElastiCache. Many applications natively support one of these, so you
might be able to immediately use your caching with little or no additional configuration.
Use cases for ElastiCache include:
• Storing ephemeral (cached) key-value data.
• Database applications that require very low latency.
• High-performance application patterns such as leaderboards for gaming users, session
management, event counters, and in-memory lists.
The ElastiCache architecture is simple. EC2 app instances can use the cache for quick temporary
storage of key-value data, while also using an RDS database for more permanent storage.
Figure 3-3: ElastiCache architecture.
Note: Amazon ElastiCache can quickly run up a bill, even if you do not use it.
Access the Checklist tile on your CHOICE Course screen for reference information and
job aids on How to Implement Virtual Networks.
ACTIVITY 3-2
Implementing Virtual Networks
Scenario
The IT manager at That's Cheezy Cheese Emporium has been reading about some of AWS'
network virtualization services. He can foresee a time when more and more of That's Cheezy's
network infrastructure is migrated to the cloud. The team understands general networking principles
such as segmentation and IP addressing, but they are not sure how such things are implemented in a
virtual environment. The manager has asked you to prepare the team for future network migrations
by making sure they first understand some fundamentals of Virtual Private Clouds.
1. Examine your existing VPCs.
a) On the console home page, under Networking, select VPC.
Alternatively, you can use the breadcrumb trail to navigate to Services→VPC.
b) In the Resources section, examine the summary of VPC resources you are using in your region.
c) Select the VPC link.
d) Examine the VPC you have running. Record the VPC ID and VPC CIDR IP address block.
e) Verify that this is the Default VPC.
2. Identify and record the VPC ID, public IP address, and private IP address for your instances.
a) On the left pane, select VPC Dashboard.
b) In the Resources section, select the Running Instances link.
c) On the Instances page, scroll to the right and for both the Cheezy Blog and Windows instances,
record the Public IP, VPC ID, and Private IP Addr.
Alternatively, your console might display all three items in the Description tab.
Inform students that, since Elastic IP addresses and Amazon ElastiCache are not free, there will be no hands-on activity for these services.
Lead the class in answering the questions at the end of Step 2.
The term CIDR refers to the block of IP addresses being used by the VPC. It is pronounced "cider".
Remind students that when they created their instances, they did not specify any particular VPC, which automatically put the instances in the default VPC.
For the question in Step 5, do not spend too much time explaining IP subnetting. Remind students that all instances get an IP address based on the VPC CIDR address. The /16 means that all instance IP addresses will start with the same two numbers as their VPC (such as 172.30, or 172.31). This means they are all in the same private network and will thus be able to communicate with each
3. Do both the WordPress instance and Windows instance belong to the same VPC? If so, which one and
why?
A: Unless a mistake was made when creating the instances, the answer should be yes. They will
both be in the default VPC because when you created the instances, you did not specify which
VPC to put them in.
4. How will being in a VPC help improve security for the two instances?
A: Answers will vary, but since the VPC is isolated from the rest of the world, you can control exactly
what kind of traffic is permitted to and from your servers.
5. Compare the VPC CIDR IP address with the Private IP addresses for the instances. Are they in the
same subnet? If so, what does this imply regarding connectivity between the instances?
A: Unless a mistake was made when creating the instances, they should belong to the same VPC
and thus the same subnet. Belonging to the same subnet means that even though the VPC is
isolated from the rest of the world, the instances can communicate with each other.
6. Return to the console home page.
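The Step 5 comparison can also be made programmatically. The following Python is an added example (not part of the course material); the VPC CIDR, the two /20 subnets with their Availability Zones, and the instance addresses are constructed sample values in the form the console displays, not real resources.

```python
"""Answer the Step 5 question from recorded values: are the instances inside the
VPC's CIDR block, and do they share a subnet? (added example, constructed values)"""
import ipaddress

# Constructed sample values in the form the console shows; not real resources.
VPC_CIDR = "172.31.0.0/16"
SUBNETS = {                      # subnet CIDR -> Availability Zone (constructed)
    "172.31.0.0/20": "us-east-1a",
    "172.31.16.0/20": "us-east-1b",
}
INSTANCES = {                    # instance name -> Private IP Addr recorded in Step 2
    "Cheezy Blog": "172.31.20.15",
    "Windows Server 2012 R2": "172.31.21.200",
}


def subnet_of(ip: str, subnets=SUBNETS):
    """Return the subnet CIDR containing ip, or None if no subnet matches."""
    addr = ipaddress.ip_address(ip)
    for cidr in subnets:
        if addr in ipaddress.ip_network(cidr, strict=False):
            return cidr
    return None


def same_prefix(ip_a: str, ip_b: str, prefixlen: int) -> bool:
    """True if both addresses agree in their first prefixlen bits. For /16 this is
    the "same first two numbers" check from the instructor notes."""
    net = ipaddress.ip_network(f"{ip_a}/{prefixlen}", strict=False)
    return ipaddress.ip_address(ip_b) in net


def compare(instances=INSTANCES, vpc_cidr=VPC_CIDR, subnets=SUBNETS) -> dict:
    """Decide whether every instance is in the VPC and whether they share one subnet."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=False)
    placement = {}
    for name, ip in instances.items():
        addr = ipaddress.ip_address(ip)
        placement[name] = {
            "in_vpc": addr in vpc,
            # An address outside the VPC (for example a public IP) has no subnet here.
            "subnet": subnet_of(ip, subnets) if addr in vpc else None,
        }
    subnets_used = {p["subnet"] for p in placement.values()}
    one_subnet = len(subnets_used) == 1 and None not in subnets_used
    return {
        "placement": placement,
        "all_in_vpc": all(p["in_vpc"] for p in placement.values()),
        "same_subnet": one_subnet,
        "az": subnets.get(next(iter(subnets_used))) if one_subnet else None,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```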
Summary
In this lesson, you learned about EC2 instances, and how they integrate with the various types of
storage. You also learned about Virtual Private Clouds, how they use public and private IP
addresses, and how they relate to your EC2 instances. In addition, you learned about Elastic IP
addresses and Amazon ElastiCache.
In your environment, do you think you will create additional VPCs for resources, or use the default VPC for
all resources?
A: Answers will vary. Those who wish to isolate different resources from the rest of the network will
probably create separate VPCs. If your focus of study is EC2 instances, and you are less concerned
with the networking aspect of your cloud, you might just use the default VPC.
Do you foresee the need to use Elastic IP addresses in your environment? Why or why not?
A: Answers will vary. If you want a fixed public IP address that does not change, you will definitely want
to use an Elastic IP address. If you are fine with your IP address changing from time to time, you
might not bother with an Elastic IP address.
Encourage students to use the social networking tools provided on the CHOICE Course screen to follow up with their peers after the course is completed for further discussion and resources to support continued learning.
Note: Check your CHOICE Course screen for opportunities to interact with your classmates,
peers, and the larger CHOICE online community about the topics covered in this course or
other topics you are interested in. From the Course screen you can also access available
resources for a more continuous learning experience.
Lesson 4: Using AWS Management Tools
Lesson Time: 1 hour
Lesson Objectives
In this lesson, you will:
• Learn how to provision AWS resources.
• Manage AWS resources.
Lesson Introduction
As you continue to build your AWS™ services, you'll want to deploy and manage them in a
systematic manner. Being able to save time by automating deployments, as well as keeping
an eye on performance and cost, will continue to become more and more critical.
TOPIC A
Automate AWS Resource Provisioning
Now that you have manually deployed compute resources, it is time to learn how to automate those
deployments.
AWS Resource Provisioning
Inform students that JavaScript Object Notation (JSON) is a lightweight data-interchange format. It is easy for machines to create and interpret, and is easy for humans to read and write.
Resource provisioning is the act of specifying and deploying whatever features you want in your virtual
machine, virtual network, or service. For example, when provisioning an EC2 instance, some of the
resources you can specify include:
• Instance Family
• Instance Type
• vCPUs
• Memory (GB)
• Instance Storage (GB)
• EBS-Optimized (if available)
• Network Performance
• Security Groups
• Tags
• Encryption key pair
• IP routes
• IP subnets
• Volumes
With AWS, you can either manually provision your resources in the Management Console or
automate the provisioning process. With the IT industry moving towards orchestration, white box
hardware, and Infrastructure as Code, AWS provides tools to allow you to provision infrastructure
resources very quickly. Virtualization makes this all possible. You can integrate setting up and
configuring your infrastructure into application code.
Because the AWS cloud is a virtual system, the idea is to move away from manually configuring your
part of the cloud to full automation. Reusable templates allow you to:
• Deploy as many servers with identical configurations as you like.
• Easily create variations of your servers.
• Use code to automatically deploy servers.
AWS templates are simple JavaScript Object Notation (JSON) formatted text files. They can be
managed using your normal source control mechanisms, and be stored publicly or privately. They
are even small enough to be emailed between employees.
Resource provisioning allows you to set up and manage anything, from a single EC2 instance to a
multi-tier, multi-region application. You can use templates to model your infrastructure architecture
covering everything from subnets to services.
AWS CloudFormation
AWS CloudFormation is a tool that helps you to automate AWS deployments. It has two parts:
• Templates—text files that define what resources are needed to run your application.
• Stacks—running instances built from templates and administered as a single unit.
Templates are JSON-formatted text files that can be used repeatedly in any region for development,
test, and production purposes. They can be used manually, or automatically in code or scripts.
You can create templates from scratch using AWS tool kits such as CloudFormation Designer and
CloudFormer, Microsoft® Visual Studio®, and Eclipse. You can also take a running instance and
create a template from it.
The AWS CloudFormation Designer Console is a visual tool used to create stacks and templates. It
allows you to drag and drop what you want on a palette and configure the values. The template is
then saved in an S3 bucket.
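As an added example (not code from the course or from AWS), the following Python builds a JSON template in the shape used by the Windows sample later in Activity 4-1 (a SourceCidrForRDP parameter, a security group, a t2.micro instance) and audits its ingress rules for the 0.0.0.0/0 exposure the security-group note in Activity 3-1 warns about. The ImageId, the 203.0.113.0/24 range, and the Department tag are placeholders or constructed values.

```python
"""Build a minimal CloudFormation template and audit its security-group
ingress for Internet-wide exposure of remote-admin ports (added example)."""
import ipaddress
import json

# RDP and SSH: the ports that should not be open to 0.0.0.0/0.
# Assumption: extend this set for your own environment.
REMOTE_ADMIN_PORTS = {22, 3389}


def build_template(source_cidr_for_rdp: str, key_name: str = "My Windows Server Key") -> dict:
    """Template in the shape of the activity: a SourceCidrForRDP parameter, one
    security group and one t2.micro instance. The ImageId is a placeholder."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Parameters": {
            "SourceCidrForRDP": {"Type": "String", "Default": source_cidr_for_rdp},
            "KeyName": {"Type": "AWS::EC2::KeyPair::KeyName", "Default": key_name},
        },
        "Resources": {
            "InstanceSecurityGroup": {
                "Type": "AWS::EC2::SecurityGroup",
                "Properties": {
                    "GroupDescription": "RDP from one trusted address range",
                    "SecurityGroupIngress": [
                        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
                         "CidrIp": {"Ref": "SourceCidrForRDP"}}
                    ],
                },
            },
            "WindowsInstance": {
                "Type": "AWS::EC2::Instance",
                "Properties": {
                    "InstanceType": "t2.micro",
                    "ImageId": "ami-PLACEHOLDER",        # placeholder, not a real AMI id
                    "KeyName": {"Ref": "KeyName"},
                    "SecurityGroups": [{"Ref": "InstanceSecurityGroup"}],
                    "Tags": [{"Key": "Department", "Value": "Graphics"}],  # constructed
                },
            },
        },
    }


def render(template: dict) -> str:
    """Serialize the template to the JSON text CloudFormation reads."""
    return json.dumps(template, indent=2)


def _resolve(value, params):
    """Resolve {"Ref": "Param"} to the parameter's Default; pass literals through."""
    if isinstance(value, dict) and "Ref" in value:
        return params.get(value["Ref"], {}).get("Default")
    return value


def _port_range(rule):
    """Ports covered by an ingress rule; protocol -1 or port -1 means all ports."""
    if str(rule.get("IpProtocol")) == "-1":
        return 0, 65535
    lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
    return (0, 65535) if -1 in (lo, hi) else (lo, hi)


def find_open_admin_ports(template: dict) -> list:
    """Findings for ingress rules that reach REMOTE_ADMIN_PORTS from 0.0.0.0/0 or ::/0."""
    params = template.get("Parameters", {})
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            cidr = _resolve(rule.get("CidrIp", rule.get("CidrIpv6")), params)
            if not cidr:
                continue  # unresolved Ref or a source security group: nothing to check
            if ipaddress.ip_network(cidr, strict=False).prefixlen != 0:
                continue  # restricted to a known range, as the production note advises
            lo, hi = _port_range(rule)
            ports = sorted(p for p in REMOTE_ADMIN_PORTS if lo <= p <= hi)
            if ports:
                findings.append({"resource": name, "cidr": cidr, "ports": ports})
    return findings


if __name__ == "__main__":
    print(find_open_admin_ports(build_template("0.0.0.0/0")))     # flagged
    print(find_open_admin_ports(build_template("203.0.113.0/24")))  # clean
```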
Figure 4-1: AWS CloudFormation Designer Console.
AWS CloudFormer
AWS CloudFormer is a prototype application that allows you to create a template based on resources
already running in your account. CloudFormer is itself a CloudFormation stack and is currently in
beta version. You select it from the various sample templates when you run the Create Stack
wizard.
Figure 4-2: CloudFormer.
Note: Before you use CloudFormer, make sure you have a pre-existing encryption key pair.
You'll need to specify this in the wizard. You either use a third party tool, or you can use the
AWS EC2™ console to create the key pair.
Access the Checklist tile on your CHOICE Course screen for reference information and
job aids on How to Automate AWS Resource Provisioning.
ACTIVITY 4-1
Automating AWS Resource Provisioning
Scenario
The IT team at That's Cheezy Cheese Emporium wants to be able to automate the future
deployment of production servers. They need to know how to create and launch a stack of
Windows servers from a CloudFormation template. Management has asked that you help the team
prepare by leading them through creating and launching a stack.
1. Select a template.
a) From the console home page, under Management Tools, launch CloudFormation.
b) Select the Create Stack button.
c) On the Select Template page, in the Choose a template section, ensure that Select a sample
template radio button is selected, and then select the drop-down list arrow.
d) Under Windows Samples, select Windows features and roles, and then select the Next button.
2. Modify the template and launch the stack.
a) On the Create Stack page, in the Specify Details section, in the Stack name text box, enter My-
Windows-Server-Stack
b) In the Parameters section, leave the Features text field default of None.
c) From the InstanceType drop-down box, select t2.micro.
d) From the KeyName drop-down box, select My Windows Server Key.
e) In the Roles text field, delete None and enter Web-Server
f) In the SourceCidrForRDP text field, enter 0.0.0.0/0
g) Select the Next button.
h) On the Options page, select the Next button.
i) On the Review page, review your settings and then select the Create button.
j) Verify that My-Windows-Server-Stack appears. If necessary, select the stack to see its creation
details. You can refresh the page to see status updates.
It can take up to 15 minutes for your stack to be created. Your instructor may have the class move
on to the next topic, and optionally return later to examine the new running instance.
3. (Optional) Verify the stack.
a) In the CloudFormation console, verify that you see My-Windows-Server-Stack, and select the stack.
b) On the Stack Detail: My-Windows-Server-Stack page, expand the Resources section.
c) Verify that, among other resources, an EC2 security group and an EC2 instance are part of the
stack.
d) If necessary, expand the Events section, and review the timeline involved in creating the stack.
e) Expand the Template section, and review the code in the template that was used when creating the
stack.
f) Expand the Parameters section and verify that the parameters are the same as what you specified
when creating the stack.
g) Expand the remaining sections and verify that they are empty.
4. (Optional) Verify the new running instance.
a) Navigate to EC2→Instances, and verify that you have a new instance running.
You should have a total of three instances now.
It can take up to 15 minutes for the stack to be created. Consider moving on to the next topic and optionally returning afterwards.
If students ask, inform them that the WaitCondition resources are used to coordinate the stack creation process with external configuration actions. They are also used to track status during configuration.
b) Name the new instance My Windows Server Stack
c) Scroll to the right and verify that the new instance uses the My-Windows-Server-StackInstanceSecurityGroup resource.
d) Return to the console home page.
TOPIC B
Manage AWS Resources
Now that you know how to deploy resources both manually and automatically, it is time to learn
how to manage those resources.
AWS Resource Metrics and Alarms
Central to effectively managing any system is the ability to get good performance metrics from that
system. Metrics give you an insight into how that system is performing. Amazon EC2 instances,
Amazon EBS volumes, Amazon RDS database instances, and Elastic Load Balancing all provide
their own sets of free metrics. As an example, EC2 has 50 built-in metrics that can be used to
monitor:
• CPU
• Disk
• Network
• Status
You can also create and add your own metrics. You can view metrics for a single instance or group
and view metrics by category. By default, metric data is kept for two weeks, providing up-to-the-minute data, as well as historical information.
Figure 4-3: Per-Instance Metrics.
You can also set alarms on the metrics. When a metric exceeds your set threshold, the alarm can
trigger an email or be recorded in a database. Additionally, you can configure a response action
including auto-scaling to handle the increased load.
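The following Python is an added illustration (not code from the course or from CloudWatch itself) of the threshold evaluation described above, run over constructed CPUUtilization samples. The statistic names and the M-out-of-N evaluation window follow CloudWatch's terminology; the handling of missing data is simplified.

```python
"""Simplified model of how a CloudWatch metric alarm evaluates a threshold:
raw samples are aggregated into period datapoints, and the alarm state depends
on how many of the last N evaluation periods breach the threshold (added example)."""
from statistics import mean

# Constructed CPUUtilization samples as (seconds, percent), oldest first.
SAMPLES = [(0, 10), (120, 20), (300, 85), (420, 95),
           (600, 92), (720, 88), (900, 80), (1020, 84)]

STATISTICS = {"Average": mean, "Maximum": max, "Minimum": min, "Sum": sum}


def aggregate(samples, period=300, statistic="Average"):
    """Bucket samples into fixed periods and reduce each bucket with the statistic.
    Returns one datapoint per period, oldest first (periods with no samples are skipped)."""
    buckets = {}
    for ts, value in samples:
        buckets.setdefault(ts // period * period, []).append(value)
    reduce_fn = STATISTICS[statistic]
    return [reduce_fn(buckets[start]) for start in sorted(buckets)]


def _breaches(value, threshold, comparison):
    return {
        "GreaterThanThreshold": value > threshold,
        "GreaterThanOrEqualToThreshold": value >= threshold,
        "LessThanThreshold": value < threshold,
        "LessThanOrEqualToThreshold": value <= threshold,
    }[comparison]


def evaluate_alarm(datapoints, threshold, evaluation_periods,
                   datapoints_to_alarm=None, comparison="GreaterThanThreshold"):
    """Return 'ALARM', 'OK' or 'INSUFFICIENT_DATA' for the most recent window.
    datapoints_to_alarm (M) of the last evaluation_periods (N) datapoints must
    breach; by default M == N, so every period in the window must breach."""
    m = datapoints_to_alarm or evaluation_periods
    if len(datapoints) < evaluation_periods:
        # Simplification: real alarms also apply a configurable missing-data policy.
        return "INSUFFICIENT_DATA"
    window = datapoints[-evaluation_periods:]
    breaching = sum(_breaches(v, threshold, comparison) for v in window)
    return "ALARM" if breaching >= m else "OK"


if __name__ == "__main__":
    points = aggregate(SAMPLES)
    print(points, evaluate_alarm(points, threshold=80, evaluation_periods=3))
```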
Figure 4-4: Configuring an alarm.
To monitor your data, you can use Amazon CloudWatch, the list-metrics command, or the
ListMetrics API with third party tools to view your available metrics.
Amazon CloudWatch
Amazon CloudWatch is your built-in, comprehensive, performance monitoring and response tool. It
lets you load all metrics (AWS provided as well as your own) into your account. From there you can
search, graph, and set alarms on your various cloud resources using the AWS Management Console.
Figure 4-5: Creating a CloudWatch alarm.
When you open the console, you will see that metrics are grouped by category. The categories are
first organized by namespace (service) such as Billing, EC2, ELB, DynamoDB™, etc. Metrics from
each namespace are kept isolated from each other so they cannot be accidentally aggregated into the
same statistics. You can then drill down further, looking at individual instances and metrics.
Note: Only AWS services that you are using will send metrics to Amazon CloudWatch.
AWS Cost Monitoring
As you learn to work with the various AWS services, you should take care to monitor cost. Not all
services are Free Tier Eligible, and the ones that are have limits imposed on how long you can use
them for free. You should regularly check your account's Billing & Cost Management
Dashboard to verify that costs are as expected.
Inform students that it is easy to accidentally incur cost while experimenting with AWS services. They should carefully read the documentation to understand which services are not Free Tier Eligible, and the limits of services that are Free Tier Eligible. Students should regularly check their account to make sure that billing has not gotten out of control.
Figure 4-6: Billing & Cost Management Dashboard.
You may want to show the Spotlight on AWS Billing and Cost Management presentation available on the Spotlight tile on the CHOICE Course screen. You might choose to include it in your instructional plans, or you can remind students about the tile and the supplemental information it contains. Remind students that the How Tos in this course contain sections for both creating and deleting resources.
Note: To learn more, check out the Spotlight on AWS Billing and Cost Management
presentation from the Spotlight tile on the CHOICE Course screen.
Note: For more information on AWS billing and cost management, see https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/free-tier-limits.html.
AWS Resource Deletion
If you find that you have AWS resources that are unnecessarily incurring cost, you can delete them.
Use the same console tool that you used to create the resource. In most cases, you can select the
resource and then from the Actions button, find an option to delete or terminate the resource.
Access the Checklist tile on your CHOICE Course screen for reference information and
job aids on How to Manage AWS Resources.
ACTIVITY 4-2
Managing AWS Resources
Before You Begin
Your region is set to the same one you have been using throughout the course.
Scenario
The IT department at That's Cheezy Cheese Emporium would like to monitor server performance
in the AWS cloud. They are particularly concerned about excessive CPU utilization on the blog site.
In addition, management would like to monitor AWS billing. The CFO was warned by a friend that
AWS costs are variable based on usage, and to monitor how costs scale as demand and usage
increase. Management has asked you to create a dashboard that tracks CPU utilization on the blog
site, and to set an alert if performance and cost thresholds are exceeded.
1. Enable billing alerts.
a) In the management console, next to your account name, select the drop-down arrow.
b) Select My Account.
c) In your account page, on the left pane, select Preferences.
d) On the Preferences page, check the Receive Billing Alerts check box.
e) Select Save preferences.
Lead the group in answering the questions at the end of Steps 1c and 1e.
2. Browse metrics types.
a) On the Management Console, under Management Tools, select CloudWatch.
b) Select the Browse Metrics button.
c) Verify that the metrics are organized by major resource type, as well as by billing.
3. What is the relationship between the categories of metrics that you see and the resources you have
deployed?
A: You will only see metrics for services you have deployed. Services that are not in use will not send
metrics to CloudWatch.
4. Continue browsing metric types.
a) Select Billing Metrics.
b) If necessary, expand the Billing > By Service section to view the possible services you can be
charged for.
5. Now that you have created different AWS resources in this course, which billing metrics do you think
you might also wish to monitor?
A: Answers will vary. Many will say that they wish to monitor billing for every type of resource they
have created so far. Others may wish to focus on specific resources such as EC2 or DynamoDB.
6. Examine the CPU utilization of the Cheezy Blog instance.
a) On the left pane, under Metrics, select EC2.
b) Scroll down and locate the row that contains both Cheezy Blog and CPUUtilization. Check the row's
check box. Verify that a graph appears below showing the last 12 hours of activity.
Your results may look different.
c) Select the Add to Dashboard button.
d) In the Add to dashboard pop-up dialog box, in the Add to: text field, enter Server Performance Stats
and select the Add to dashboard button.
e) Examine your dashboard, and select the Save dashboard button.
f) Browse some of your other instance metrics, and add them to your dashboard as desired.
7. Create an alarm on CPU utilization.
a) In the CloudWatch console, on the left pane, select Alarms.
b) Select the Create Alarm button.
c) From the Create Alarm pop-up dialog box, select the EC2 Metrics link.
d) Locate and select the record that contains both Cheezy Blog and CPUUtilization, then select Next.
e) In the Create Alarm pop-up dialog box, in the Name text field, enter Cheezy Blog CPU
f) In the Description text field, enter CPU utilization has reached 75%
g) In the Whenever section, set is >= to 75
h) Under Actions, in the Notification section, select the New list link.
i) In the Send notification to text field, enter Cheezy-Alert-Watchers
j) In the Email list text field, enter your email address.
k) Select the Create Alarm button.
l) In the Confirm new email addresses pop-up dialog box, select the I will do it later button.
m) Confirm that the Cheezy Blog CPU alarm appears in the alarm list.
8. Create a billing alarm.
a) Return to the CloudWatch console, and under Alarms, select Billing.
b) On the Billing Alarms page, select the Create Alarm button.
c) In the When my total AWS charges for the month exceed text field, enter 1.00
d) From the send a notification to: drop-down box, select Cheezy-Alert-Watchers. Verify that your email
address appears directly below.
e) Select Create Alarm.
f) If desired, check your email for a confirmation email from AWS Notifications, and select Confirm
subscription.
g) In the CloudWatch Alarms console, confirm that your alarm appears in the alarm list.
Your alarm Config Status will display Pending confirmation until you confirm the alarm subscription
in your email.
h) In the upper-right corner, next to your account name, select the drop-down list.
i) Select Billing & Cost Management.
j) Examine your current costs.
Note: Hopefully at this point, your costs will be $0.00. If you incurred any
costs, identify any resources that are causing the cost and delete or terminate
them. You will see how in the final activity of the course.
k) Return to the console home page.
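The two alarms you just built in the console, expressed as boto3 put_metric_alarm parameters, together with a small local model of how CloudWatch turns recent datapoints into an alarm state. This is an added example, not course material; the instance ID and SNS topic ARN are constructed placeholders.

```python
"""Added example, not part of the course material: the two alarms from this
activity expressed as boto3 put_metric_alarm parameters, plus a small local
model of how CloudWatch turns recent datapoints into an alarm state.
The instance ID and SNS topic ARN below are constructed placeholders."""
from typing import Callable, Dict, List

INSTANCE_ID = "i-0123456789abcdef0"                                     # placeholder
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:Cheezy-Alert-Watchers"  # placeholder


def cpu_alarm_params(instance_id: str, topic_arn: str, threshold: float = 75.0) -> Dict:
    """Keyword arguments for cloudwatch.put_metric_alarm(**params), matching step 7."""
    return {
        "AlarmName": "Cheezy Blog CPU",
        "AlarmDescription": "CPU utilization has reached 75%",
        "Namespace": "AWS/EC2",
        "MetricName": "CPUUtilization",
        "Dimensions": [{"Name": "InstanceId", "Value": instance_id}],
        "Statistic": "Average",
        "Period": 300,                  # one datapoint per 5 minutes (basic monitoring)
        "EvaluationPeriods": 1,
        "Threshold": threshold,
        "ComparisonOperator": "GreaterThanOrEqualToThreshold",  # the console's "is >= 75"
        "AlarmActions": [topic_arn],    # notify the Cheezy-Alert-Watchers SNS topic
    }


def billing_alarm_params(topic_arn: str, dollars: float = 1.00) -> Dict:
    """Keyword arguments for the billing alarm of step 8. Billing metrics exist
    only in us-east-1 and only after Receive Billing Alerts is enabled (step 1)."""
    return {
        "AlarmName": "Monthly charges over 1 USD",
        "Namespace": "AWS/Billing",
        "MetricName": "EstimatedCharges",
        "Dimensions": [{"Name": "Currency", "Value": "USD"}],
        "Statistic": "Maximum",
        "Period": 21600,                # charges are published roughly every 6 hours
        "EvaluationPeriods": 1,
        "Threshold": dollars,
        "ComparisonOperator": "GreaterThanThreshold",
        "AlarmActions": [topic_arn],
    }


def create_alarms(cloudwatch_client) -> None:
    """Submit both alarms through an existing boto3 client, e.g.
    boto3.client("cloudwatch", region_name="us-east-1")."""
    cloudwatch_client.put_metric_alarm(**cpu_alarm_params(INSTANCE_ID, TOPIC_ARN))
    cloudwatch_client.put_metric_alarm(**billing_alarm_params(TOPIC_ARN))


_BREACH: Dict[str, Callable[[float, float], bool]] = {
    "GreaterThanOrEqualToThreshold": lambda v, t: v >= t,
    "GreaterThanThreshold": lambda v, t: v > t,
    "LessThanOrEqualToThreshold": lambda v, t: v <= t,
    "LessThanThreshold": lambda v, t: v < t,
}


def alarm_state(params: Dict, datapoints: List[float]) -> str:
    """Simplified CloudWatch state rule (DatapointsToAlarm == EvaluationPeriods,
    no missing-data handling): ALARM when every one of the last
    EvaluationPeriods datapoints breaches the threshold, INSUFFICIENT_DATA when
    there are not yet that many datapoints, otherwise OK."""
    needed = params["EvaluationPeriods"]
    if len(datapoints) < needed:
        return "INSUFFICIENT_DATA"
    breach = _BREACH[params["ComparisonOperator"]]
    recent = datapoints[-needed:]
    if all(breach(v, params["Threshold"]) for v in recent):
        return "ALARM"
    return "OK"


if __name__ == "__main__":
    cpu = cpu_alarm_params(INSTANCE_ID, TOPIC_ARN)
    print(alarm_state(cpu, [35.0, 82.5]))          # one breaching datapoint -> ALARM
    three = dict(cpu, EvaluationPeriods=3)          # require 3 consecutive breaches
    print(alarm_state(three, [82.5, 80.0, 60.0]))  # last datapoint recovered -> OK
```

Raising EvaluationPeriods, as the second call shows, is the usual way to stop a single CPU spike from paging the Cheezy-Alert-Watchers list.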
Summary
In this lesson, you learned how to automate resource provisioning with AWS CloudFormation and
CloudFormer, how to monitor resource performance and billing costs, and how to safely delete
resources.
Do you think that you will automate AWS resource provisioning in your environment? If so, which tools do
you expect to use?
A: Answers will vary. Many will use CloudFormation templates to launch instance stacks. Some may wish
to use the CloudFormation Designer tool to create their own templates. Developers will probably want
to use templates in their code to automate stack creation.
What tools do you expect to use to monitor AWS billing costs in your environment?
A: Answers will vary. Most will want to check the Billing & Cost Management Dashboard in their account.
Many will also wish to create billing alerts to automatically notify them when cost thresholds have
been met.
Note: Check your CHOICE Course screen for opportunities to interact with your classmates,
peers, and the larger CHOICE online community about the topics covered in this course or
other topics you are interested in. From the Course screen you can also access available
resources for a more continuous learning experience.
Lesson 5: Securing an AWS Deployment
Lesson Time: 1 hour
Lesson Objectives
In this lesson, you will:
• Secure an AWS deployment.
• Optimize AWS security.
Lesson Introduction
Of course, any IT infrastructure must be kept secure, and cloud services are no exception. In
order to keep your AWS™ services running smoothly, it's critical that you learn how to limit
access and ensure that vulnerabilities are minimized.
TOPIC A
Enforce AWS Security
Now that you know how to deploy and manage AWS resources, it is time to learn how to secure
those resources.
AWS IAM
Remind students that before IAM, if you wanted people such as developers or administrators to work with your resources, you had to share your Amazon account user name and password. This meant they had full control over your cloud. There were no controls and no accountability.
AWS Identity and Access Management (IAM) allows you to control who can access what is in your
cloud. With IAM, you can create the following:
• User—this allows someone under your control to log in to your cloud and work with your
resources.
• Group—this is a group of IAM users.
• Role—this allows an application to have limited access to a resource; it is similar to a group, but
is for applications, not users.
• Policy—this is the set of permissions you assign to a user, group, or role.
Typically, people who need IAM user accounts will be internal company users such as developers,
system administrators, and managers. IAM users can use the AWS Management Console with
whatever restrictions you place on them by policy.
IAM is not meant to authenticate users from the general public. If you need to have the general
public be authenticated to access a resource, create an application that the general public will use to
access the resource. Assign an IAM role to that application. Then to authenticate the users, use a
third-party authentication service such as Facebook, Google™, or Amazon Login. After the user
successfully authenticates, the application will access the resource on behalf of the user.
As with resources such as instances, databases, and storage volumes, IAM users, groups, and roles
are under your account's control. When you create an IAM user, that person must use a special URL
to sign into the Management Console. The endpoint for IAM users to sign in will look something
like this: https://AWS-account-ID-or-alias.signin.aws.amazon.com/console.
AWS Directory Service
Inform students that they can create and use a single directory for a free one month trial. Alternatively, they can create multiple directories, using them for
AWS Directory Service allows you to create and use a cloud-based Microsoft® Windows Server® 2012
R2 Active Directory Domain Services (AD DS) service to manage up to 50,000 user accounts.
Typically, these users are employees who normally log on to access internal resources inside your
company. You use cloud-based AD DS when you prefer to move your directory service domain
controllers to the cloud, rather than have them on premises.
Using the directory service allows you to do all the things you would normally do in Active
Directory: create and manage user accounts and groups, provide single sign-on to access resources,
deploy Microsoft Group Policies to users, etc. This is very useful if your AWS applications are
dependent on directory services to authenticate and authorize users. Once you create your directory
service, you use a standard LDAP-compliant tool such as Active Directory Users and Computers to
log into and use the directory service.
In addition to being purely cloud-based, you can also extend your on-premises Active Directory
installation into the cloud by using the AD Connector to connect it to AWS Directory Service. This
means you would have some domain controllers on premises, and some in the cloud. The most
common use case would be to allow corporate users to use their existing credentials to access AWS
resources, or to authenticate from anywhere in the world. You could also use it as a backup to your
on-premises AD DS.
If you don't want to use Microsoft AD DS, you can opt to instead use the smaller Simple AD
service, which is a Linux® Samba-based LDAP directory service. It is compatible with Microsoft
AD DS, and suitable for up to 5000 users. To create a directory, you will be required to create a
Virtual Private Cloud (VPC) extended over two subnets and two Availability Zones. This will give
you a redundant and isolated directory that only your instances can reach.
ACM
With AWS Certificate Manager (ACM), you can easily create, deploy, manage, and renew X.509
SSL/TLS certificates for AWS Elastic Load Balancers and CloudFront distributions. The certificate
proves the server's identity to the client, and works with the client application to create an encrypted
connection. When creating the certificate, you will need to provide a domain name that you
legitimately own. Certificates created by ACM are free and easy to use. Although you can use third-party certificates if you wish, you do not need to.
Amazon API Gateway
Amazon API Gateway is a service that allows developers to securely connect mobile or web apps to
AWS EC2, AWS Lambda, and other web services, whether they are hosted by Amazon or not. The
API gateway provides the infrastructure necessary to create, deploy, test, and manage RESTful APIs
using HTTP request methods such as GET, PUT, POST, DELETE, etc. This allows your app to
access the website's back end functionality in a secure and scalable manner. While creating your API,
you choose the authentication/authorization mechanism, the HTTP method, the location of the
resource, and where and how the API will be deployed. You can use either a graphical or command-line tool to create and deploy your API.
Remind students that certificates are absolutely required to create a secure website, as HTTPS connections use them to digitally sign and encrypt communications.
Explain to students that the Amazon API Gateway has an easy-to-use graphical interface that may be interesting to many system administrators. With the current industry movement towards DevOps (integrated development and operations teams), admins who are interested in the development side of AWS will find it easy to create their own APIs using the Amazon API Gateway tools.
Figure 5-1: Amazon API Gateway Console.
RESTful API
A RESTful API is an application programming interface that is in compliance with REST. REST
stands for Representational State Transfer. It is an architecture that breaks down web-based
transactions into smaller modules, giving developers a lot of flexibility. REST typically uses standard
HTTP requests to retrieve data from a website or to update that website.
AWS API Authentication
Ask the class if anyone is a system administrator who must also work closely with the developer team. If so, the API tools may be of interest to them.
When an application wants to interact with another application or access a resource, it makes an
API call to that application or resource. This is a structured request for service, formatted in a way
that the receiving application or resource understands. The application must authenticate itself to
prove that it has the authorization to make such calls. AWS does not permit any application to
access a resource unless it is first authenticated.
Although many developers embed a user name and password into their applications, from a security
perspective, this is a bad practice. Rather than allowing an application to use your Amazon account
name and password, you should do the following:
• Create an IAM role that an application can use to access resources (preferred).
• (Alternatively) Create an access key and secret key pair for the application to use.
You then assign the IAM role to your application so that it can access the desired resource. Or, you
include the key in your code so the application can use the key when accessing the resource.
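A check for the practice warned against above, added here as an example and not taken from the course: it scans source text for embedded AWS access keys before code is committed. The two sample files are constructed, and the key values in the bad one are the placeholder credentials AWS uses in its own documentation.

```python
"""Added example, not part of the course material: a pre-commit style check
that flags AWS access keys embedded in source code, the practice the text
above warns against. The two sample files are constructed; the key values in
the bad one are the placeholder credentials AWS uses in its documentation."""
import re
from typing import Dict, List, Tuple

# Long-lived user access key IDs are 20 characters starting with AKIA;
# temporary STS key IDs start with ASIA. Secret keys are 40 base64-like chars.
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
SECRET_ASSIGN = re.compile(
    r"(?i)(?:aws_?secret_?access_?key|secret_?key)\s*[:=]\s*['\"]([A-Za-z0-9/+=]{40})['\"]")

Finding = Tuple[int, str, str]   # (line number, kind, redacted value)


def find_embedded_keys(source: str) -> List[Finding]:
    """Scan one file's text and report each hard-coded credential, redacted."""
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in ACCESS_KEY_ID.finditer(line):
            key_id = m.group(0)
            findings.append((lineno, "access_key_id", key_id[:4] + "..." + key_id[-4:]))
        for m in SECRET_ASSIGN.finditer(line):
            findings.append((lineno, "secret_access_key", "****" + m.group(1)[-4:]))
    return findings


# Constructed bad example: a user's long-lived keys pasted into the application.
BAD_SOURCE = '''\
import boto3

client = boto3.client(
    "ec2",
    aws_access_key_id="AKIAIOSFODNN7EXAMPLE",
    aws_secret_access_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
)
'''

# Constructed preferred form: no credentials in code. On an EC2 instance the
# SDK obtains temporary credentials from the instance's IAM role by itself.
GOOD_SOURCE = '''\
import boto3

client = boto3.client("ec2")
'''


def scan_files(files: Dict[str, str]) -> Dict[str, List[Finding]]:
    """Return {filename: findings} for only those files that contain embedded keys."""
    report = {name: find_embedded_keys(text) for name, text in files.items()}
    return {name: found for name, found in report.items() if found}


if __name__ == "__main__":
    for name, found in scan_files({"bad.py": BAD_SOURCE, "good.py": GOOD_SOURCE}).items():
        for lineno, kind, value in found:
            print(f"{name}:{lineno}: {kind} {value}")
```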
Note: Learning the steps to authenticate APIs is beyond the scope of this course. For more
information, see https://aws.amazon.com/blogs/aws/iam-roles-for-ec2-instances-simplified-secure-access-to-aws-service-apis-from-ec2/.
IAM Policy Simulator
Inform students that the simulator does not actually set or change policy, so you can use it to safely test requests that might otherwise make unwanted changes to your live deployment.
The IAM policy simulator allows you to test policies that are currently attached to IAM users, groups,
and roles. It also allows you to test what-if scenarios, determining the impact of applying other
policies without actually doing so. Any test you run will return an allowed or denied result. You can
use the simulator in the following ways:
• Test current policies attached to a user, group, or role.
• Test policies not yet attached to a user, group, or role.
• Test policies attached to AWS resources.
• Test how a policy impacts a service or request to a resource.
• Simulate real-world scenarios by applying conditions such as a particular IP address or key in the
simulation.
• Identify specific statements in the policy that are resulting in allowing or denying access.
Access the Checklist tile on your CHOICE Course screen for reference information and
job aids on How to Secure an AWS Deployment.
ACTIVITY 5-1
Securing an AWS Deployment
Before You Begin
Ensure that your account is set to use the same region you have been using throughout the course.
Scenario
The IT manager at That's Cheezy Cheese Emporium would like to assign the task of monitoring
AWS resources to a team member. He does not want to give that person their own AWS account.
Instead, he wants to create a user under the existing account and grant read-only permissions to that
user. He has asked you to create an IAM user under the AWS account, and to verify that the user has
read-only permissions.
1. Create an IAM user.
a) On the Management Console home page, under Security & Identity, select Identity & Access
Management.
b) On the Welcome to Identity and Access Management page, under IAM Resources, select Users.
c) Select the Create New Users button.
d) Under Enter User Names, in the first text field, enter any name you like. Ensure that Generate an
access key for each user is selected and select the Create button.
e) On the next page, select the Show User Security Credentials link. Examine the user's Access Key
ID and Secret Access Key, then select the Download Credentials button.
f) Save the credentials.csv file to C:\downloads.
Note: Some browsers may not let you choose the download location.
g) Browse to the file and open it. Verify that it contains the same information you saw under Show User
Security Credentials.
h) Close credentials.csv.
i) On the Create User web page, select Close.
2. Grant the new user EC2 read only permissions.
a) In the Users list, select the name of your new user.
b) On the user's summary page, select the Permissions tab, then select the Attach Policy button.
c) On the Attach Policy page, examine the many policy choices. Scroll down and select the
AmazonEC2ReadOnlyAccess check box, then select the Attach Policy button.
The Permissions tab now shows the policy the user has.
d) Select the Security Credentials tab.
e) In the Sign-In Credentials section, select Manage Password.
f) Select the Assign a Custom Password radio button.
g) In the Password text field, enter Pass1234 and in the Confirm Password text field, enter the
password again.
h) Select the Apply button.
i) Select the Access Advisor tab and examine the permissions the user has.
3. Test the new IAM user.
a) On the left pane, select Dashboard.
b) Verify that there is an IAM users sign-in link, and copy the link into a new browser window and open
the page.
c) When prompted to sign in, provide the user name of the IAM user you created, with the password of
Pass1234, and select Sign In.
d) Verify that you see the Management Console, and that the IAM user name appears in the top-right
corner, followed by @<your account ID>. Verify also that the IAM user inherits your region.
e) While logged in as your IAM user, in the Compute section, select EC2.
f) Under Resources, select Running Instances.
g) Locate the Cheezy Blog instance, and attempt to change its name to a name of your choice.
h) Verify that after a moment, an Error Applying Tag pop-up dialog box appears informing you that you
are not authorized to perform the operation. Close the error dialog box.
i) Attempt to rename the Windows Server 2012 R2 instance. Verify that this operation also fails.
j) Close the error dialog box.
4. Verify that you can edit the instance using your AWS account.
a) In the upper-right corner of the console, select the drop-down arrow next to the IAM user name, and
then select Sign Out.
b) Select Sign In to the Console.
c) On the IAM login dialog box, select the Sign-in using root account credentials link.
d) Sign in to the console using your normal AWS account credentials.
e) Return to the EC2 Instances page.
f) Under Resources, select Running Instances.
g) Attempt to rename the Cheezy Blog and Windows Server 2012 R2 instances.
h) Verify that the operation is successful.
i) Rename your instances back to their original names of Cheezy Blog and Windows Server 2012 R2.
5. Use the AWS policy simulator to verify your IAM user's permissions.
a) Open a browser tab to https://policysim.aws.amazon.com/ and log in.
b) In the left pane, in the Users, Groups and Roles section, select the IAM user you created earlier.
c) In the Policies section, under IAM Policies, select the AmazonEC2ReadOnlyAccess policy.
d) In the right pane, under Policy Simulator, in the Select service drop-down box, scroll down and
select EC2.
You may have to use your mouse scroll wheel to scroll down and find EC2.
e) Select the Select All button. Verify that a large list appears under Action Settings and Results.
f) Select the Run Simulation button.
g) When the simulation is finished, examine the various permissions. Verify that permissions beginning
with Describe (read-only) are allowed, while the others are denied.
h) Close the policy simulator.
i) Return to the console home page.
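What the policy simulator reported in step 5 can be reproduced offline with a minimal model of IAM's decision logic. This is an added example, not course code; the policy below is a simplified, constructed copy of AmazonEC2ReadOnlyAccess, and the second policy is a constructed explicit Deny to show that it overrides any Allow.

```python
"""Added example, not part of the course material: a minimal model of IAM's
policy decision logic, run against a simplified, constructed copy of the
AmazonEC2ReadOnlyAccess managed policy. It reproduces what the policy
simulator reports in step 5: ec2:Describe* is allowed, every other EC2
action is implicitly denied, and an explicit Deny overrides any Allow."""
import fnmatch
from typing import Dict, List, Union

# Simplified version of the AWS-managed AmazonEC2ReadOnlyAccess policy,
# constructed for illustration; review the live policy in the IAM console.
EC2_READ_ONLY: Dict = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Allow", "Action": "elasticloadbalancing:Describe*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["cloudwatch:ListMetrics",
                                       "cloudwatch:GetMetricStatistics",
                                       "cloudwatch:Describe*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "autoscaling:Describe*", "Resource": "*"},
    ],
}

# Constructed second policy: an explicit Deny that would stop the user from
# even listing instances if it were also attached.
DENY_DESCRIBE: Dict = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "ec2:DescribeInstances", "Resource": "*"}],
}


def _as_list(value: Union[str, List[str]]) -> List[str]:
    return [value] if isinstance(value, str) else list(value)


def _matches(pattern: str, value: str) -> bool:
    # IAM matching of actions and ARNs is case-insensitive and supports * and ?.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def evaluate(policies: List[Dict], action: str, resource: str = "*") -> str:
    """Decision order used by IAM (simplified: Action/Resource only, no
    NotAction, Condition, or Principal): any matching Deny wins, then any
    matching Allow permits, and with no match the request is implicitly denied."""
    decision = "implicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            hits_action = any(_matches(p, action) for p in _as_list(stmt["Action"]))
            hits_resource = any(_matches(p, resource) for p in _as_list(stmt["Resource"]))
            if not (hits_action and hits_resource):
                continue
            if stmt["Effect"] == "Deny":
                return "explicitDeny"       # an explicit Deny cannot be overridden
            decision = "allowed"
    return decision


def simulate(policies: List[Dict], actions: List[str]) -> Dict[str, str]:
    """Like the simulator's results pane: one decision per requested action."""
    return {action: evaluate(policies, action) for action in actions}


if __name__ == "__main__":
    # Renaming an instance in the console is ec2:CreateTags, which is why
    # step 3h produced the "not authorized" error for the read-only user.
    for action, result in simulate([EC2_READ_ONLY],
                                   ["ec2:DescribeInstances", "ec2:CreateTags",
                                    "ec2:TerminateInstances"]).items():
        print(f"{action:<25} {result}")
```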
TOPIC B
Optimize AWS Security
Now that you can provide basic security for your AWS deployments, you will finally learn how to
optimize your AWS security.
AWS Security Isolation Models
AWS services use an isolation model to protect customer data and systems. The following table
summarizes the different isolation mechanisms you can use in AWS.
Isolation Mechanism: Description
Virtual Private Cloud (VPC): Keeps different customers' (and their tenants') networks separate at different tiers in the architecture.
Direct Connect VLANs: Allows a customer to use the same VPN to access both public and private resources separately and securely.
Private Compute: Creates different stages of isolation. You can have a user name and password, a software-defined network, or dedicated instances providing isolation at the hardware level.
Private Storage: Only bucket and object owners have access to the Amazon S3 resources they create.
AWS Multi-Tier Security Groups
Inform students that a multi-tier security group is not a special type of security group. It is simply the ability to assign security groups at any of three levels in your VPC.
AWS uses security groups to provide security not only from the Internet to your website, but also
from one level to the next in your service architecture. This allows you to create multi-tier security
that is equivalent to what is found in a traditional three-tier architecture.
AWS security groups are essentially firewall rules. They can be applied to inbound and outbound
traffic, and define:
• The permitted protocol (TCP or UDP).
• The permitted source IP address range OR security group.
• The permitted destination port range.
Security groups can be applied at three levels:
• Website
• Application
• Database
When specifying the source IP address range, you can alternatively specify another security group as
the source (known as an origin). In addition to allowing external traffic from the Internet, your
network, or vendor support, this allows you to control traffic between layers, such as from your
website to your application, or from your application to your database. The following image shows
this relationship.
Figure 5-2: Multi-tier security groups.
You can use the Management Console or code to create your security groups.
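A small model of the multi-tier layout in Figure 5-2, added here as an example rather than taken from the course: each tier's group admits traffic only from the group of the tier in front of it, which is what "source = another security group" buys you. Group IDs and addresses are constructed placeholders.

```python
"""Added example, not part of the course material: a small model of the
multi-tier security group layout in Figure 5-2. Each tier's group admits
traffic only from the group of the tier in front of it, so "source = another
security group" is what lets the application tier reach the database while
the website tier and the Internet cannot. Group IDs and addresses are
constructed placeholders."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set


@dataclass
class Rule:
    """One inbound rule: protocol, port range, and exactly one kind of source."""
    protocol: str                      # "tcp" or "udp"
    from_port: int
    to_port: int
    cidr: Optional[str] = None         # source IP range ...
    source_sg: Optional[str] = None    # ... or the ID of a source security group

    def permits(self, protocol: str, port: int, src_ip: str, src_groups: Set[str]) -> bool:
        if protocol != self.protocol or not (self.from_port <= port <= self.to_port):
            return False
        if self.cidr is not None:
            return ip_address(src_ip) in ip_network(self.cidr)
        # Group-sourced rules match on the sender's group membership, not its IP.
        return self.source_sg in src_groups


@dataclass
class SecurityGroup:
    group_id: str
    inbound: List[Rule] = field(default_factory=list)


def inbound_allowed(dest_groups: List[SecurityGroup], protocol: str, port: int,
                    src_ip: str, src_groups: Set[str]) -> bool:
    """Security groups are allow-lists (and stateful, which this model omits):
    traffic is admitted if any rule on any group attached to the destination
    matches; otherwise it is dropped."""
    return any(rule.permits(protocol, port, src_ip, src_groups)
               for sg in dest_groups for rule in sg.inbound)


# Constructed three-tier layout (placeholder IDs; real ones look like sg-0abc...).
WEB_SG = SecurityGroup("sg-web", [Rule("tcp", 80, 80, cidr="0.0.0.0/0"),
                                  Rule("tcp", 443, 443, cidr="0.0.0.0/0")])
APP_SG = SecurityGroup("sg-app", [Rule("tcp", 8080, 8080, source_sg="sg-web")])
DB_SG = SecurityGroup("sg-db", [Rule("tcp", 3306, 3306, source_sg="sg-app")])


def check_paths() -> Dict[str, bool]:
    """Evaluate the flows the figure implies. Addresses are constructed."""
    internet = "203.0.113.10"          # documentation (TEST-NET-3) address
    web_host, app_host = "10.0.1.10", "10.0.2.10"
    return {
        "internet->web:443": inbound_allowed([WEB_SG], "tcp", 443, internet, set()),
        "internet->web:22": inbound_allowed([WEB_SG], "tcp", 22, internet, set()),
        "internet->db:3306": inbound_allowed([DB_SG], "tcp", 3306, internet, set()),
        "web->app:8080": inbound_allowed([APP_SG], "tcp", 8080, web_host, {"sg-web"}),
        "web->db:3306": inbound_allowed([DB_SG], "tcp", 3306, web_host, {"sg-web"}),
        "app->db:3306": inbound_allowed([DB_SG], "tcp", 3306, app_host, {"sg-app"}),
    }


if __name__ == "__main__":
    for path, ok in check_paths().items():
        print(f"{path:<20} {'allowed' if ok else 'dropped'}")
```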
Amazon Inspector
Amazon Inspector is a tool that will automatically assess security and compliance of your deployed
applications. It searches resources that run on EC2 for vulnerabilities or deviations from best
practice. It then reports its findings prioritized by severity. The inspector has a default database of
hundreds of rules that are used to detect vulnerabilities. These rules are updated regularly by the
AWS security research team.
The Inspector works with AWS agents. These are pieces of software that you install in your EC2
instances that communicate with the Inspector. The Inspector regularly polls its agents, and then
analyzes the data. You can automate the process via an API, which allows you to build security
testing into your development process.
Inspector requires an IAM role to work. You must also identify and tag assessment targets, which
are resources you want to scan. Before you launch your assessment, you will also have to choose or
create an assessment template that defines the configuration for your analysis.
Figure 5-3: Amazon Inspector.
AWS WAF
Explain to students that cross-site scripting is the most common form of website attack. SQL injection is an exploit where you can use a web front end to run illegal SQL commands on a back end database.
AWS WAF is a web application firewall that protects your web apps from common exploits. You
can block malicious requests such as cross-site scripting and SQL injection. You can also filter
traffic based on IP source address or strings in web requests. Additionally, you can tune your rules
and monitor traffic to your web app. New rules are quickly deployed. AWS WAF also has an API
that allows you to create, deploy, and manage rules automatically. As with other AWS services, you
only pay for WAF as you use it.
Figure 5-4: AWS WAF.
AWS Trusted Advisor
Inform students that Trusted Advisor only provides limited functionality unless you pay for a Business Level or Enterprise Level support plan.
AWS Trusted Advisor helps you optimize your AWS environment. It regularly inspects your cloud
setup and makes recommendations in four categories:
• Cost optimization
• Performance
• Security
• Fault tolerance
Any customer can use Trusted Advisor's core reporting capabilities including:
• Firewall rules that allow unrestricted access to specific ports
• Whether or not multi-factor authentication is required for the root (administrator) account
• Utilization of IAM accounts
• Whether or not any service has exceeded 80% utilization
Figure 5-5: AWS Trusted Advisor.
Note: To learn more, check out the Spotlight on AWS Trusted Advisor presentation from the
Spotlight tile on the CHOICE Course screen.
Note: If you pay for a subscription, you can also get notifications and programmatically access
results.
Access the Checklist tile on your CHOICE Course screen for reference information and
job aids on How to Optimize AWS Security.
You may want to show the Spotlight on AWS Trusted Advisor presentation available on the Spotlight tile on the CHOICE Course screen. You might choose to include it in your instructional plans, or you can remind students about the tile and the supplemental information it contains.
ACTIVITY 5-2
Optimizing AWS Security
Before You Begin
You have a Windows Server 2012 R2 instance.
Scenario
The IT department at That's Cheezy Cheese Emporium wants to make sure that any Windows
servers running in the AWS cloud are as secure as possible. They have asked you to run a
vulnerability assessment against the new Windows Server 2012 R2 instance. You have decided to
use Amazon Inspector to run the vulnerability assessment.
1. Open Inspector.
a) If necessary, log in to your AWS account.
b) On the breadcrumb trail, select Services→Security & Identity→Inspector.
c) On the Amazon Inspector page, select Get Started.
d) On the Get started with Amazon Inspector page, in the Amazon Inspector prerequisites section,
under Create a role, select the Choose or create role button.
e) On the next page, select the Allow button.
If a tab opens prompting you to log in, close the tab to return to the Get started with Amazon
Inspector page.
f) Verify that an Amazon Inspector role named inspector has been created, and then select the Next
button.
g) On the Define an assessment target page, configure your target as seen in the following image.
h) Select the Next button.
i) On the Define an assessment template page, configure settings as seen in the following image.
j) Select the Next button.
k) On the Review page, read the reminder that an assessment requires the AWS agent and select
Create.
2. (Optional) Log into your target Windows Server 2012 R2 EC2 instance.
a) In EC2 Instances, select your Windows Server 2012 R2 instance.
b) Select Actions→Get Windows Password.
c) In the Retrieve Default Windows Administrator Password pop-up dialog box, verify that Key Name is
My Windows Server Key.
d) Next to the Key Pair Path, select the Browse button.
e) Browse for MyWindowsServerKey.pem and select the Open button.
f) Verify that the RSA PRIVATE KEY appears in the text field, and then select Decrypt Password.
g) Record the User name and Password, then select the Close button.
Alternatively, you can just copy the password to your clipboard.
h) With your Windows instance still selected, select Actions→Connect.
i) In the Connect To Your Instance pop-up dialog box, select Download Remote Desktop File. Make a
note of the name of the RDP connection file, and record the location where the file is saved. If your
browser permits, you may save it in a location of your choosing.
j) Close the Connect to Your Instance dialog box.
k) When your RDP connection file is done downloading, locate and open it.
l) In the Remote Desktop Connection dialog box, select Connect.
m) In the Windows Security dialog box, under Administrator, enter the password you decrypted (if you
copied the password to your clipboard, you can just paste it) and then select OK.
n) When prompted about the certificate, select Yes.
The desktop of your Windows 2012 R2 server appears.
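What the Decrypt Password button in step 2f is doing, as an added example written for this manual (it is not part of the original course or of AWS's own tooling): EC2 returns the Administrator password encrypted to the public key of the key pair chosen at launch (RSA PKCS#1 v1.5, base64-encoded), and the private key in the .pem file is the only thing that can recover it, which is why MyWindowsServerKey.pem deserves the same protection as the password itself. The key pair, the password and the EncryptPasswordData stand-in for the service side are constructed here so the example runs offline with only the Go standard library.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
)

// DecryptPasswordData does what the console's Decrypt Password button does: the
// blob EC2 returns is the Administrator password encrypted to the launch key
// pair's public key (RSA PKCS#1 v1.5) and base64-encoded; only the .pem recovers it.
func DecryptPasswordData(privateKeyPEM []byte, passwordData string) (string, error) {
	block, _ := pem.Decode(privateKeyPEM)
	if block == nil || block.Type != "RSA PRIVATE KEY" { // the manual's own check
		return "", errors.New("expected a PEM block of type RSA PRIVATE KEY")
	}
	key, err := x509.ParsePKCS1PrivateKey(block.Bytes)
	if err != nil {
		return "", fmt.Errorf("parse private key: %w", err)
	}
	ciphertext, err := base64.StdEncoding.DecodeString(passwordData)
	if err != nil {
		return "", fmt.Errorf("decode password data: %w", err)
	}
	plaintext, err := rsa.DecryptPKCS1v15(rand.Reader, key, ciphertext)
	if err != nil {
		return "", fmt.Errorf("decrypt password data: %w", err)
	}
	return string(plaintext), nil
}

// NewLaunchKeyPEM stands in for MyWindowsServerKey.pem: a freshly generated
// 2048-bit RSA key in the PEM form EC2 gives you when a key pair is created.
func NewLaunchKeyPEM() ([]byte, *rsa.PublicKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	pemBytes := pem.EncodeToMemory(&pem.Block{
		Type:  "RSA PRIVATE KEY",
		Bytes: x509.MarshalPKCS1PrivateKey(key),
	})
	return pemBytes, &key.PublicKey, nil
}

// EncryptPasswordData plays the EC2 service's part for this example: encrypt the
// generated password to the key pair's public key and base64-encode the result.
func EncryptPasswordData(pub *rsa.PublicKey, password string) (string, error) {
	ciphertext, err := rsa.EncryptPKCS1v15(rand.Reader, pub, []byte(password))
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ciphertext), nil
}

// RoundTrip runs the whole flow with constructed key pairs: recover the password
// with the matching .pem, then confirm an unrelated key pair cannot.
func RoundTrip(password string) (recovered string, wrongKeyRejected bool, err error) {
	pemBytes, pub, err := NewLaunchKeyPEM()
	if err != nil {
		return "", false, err
	}
	otherPEM, _, err := NewLaunchKeyPEM()
	if err != nil {
		return "", false, err
	}
	blob, err := EncryptPasswordData(pub, password)
	if err != nil {
		return "", false, err
	}
	recovered, err = DecryptPasswordData(pemBytes, blob)
	if err != nil {
		return "", false, err
	}
	_, otherErr := DecryptPasswordData(otherPEM, blob)
	return recovered, otherErr != nil, nil
}

func main() {
	recovered, rejected, err := RoundTrip("Xy7!constructed-example") // constructed password
	if err != nil {
		panic(err)
	}
	fmt.Println("recovered:", recovered, "unrelated key rejected:", rejected)
}
```

Losing the .pem means losing the only way to read the instance's initial Administrator password, and anyone who copies it can read that password from the same API response.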
3. (Optional) Install the AWS agent.
a) On the Windows Server 2012 R2 desktop, in the lower-left corner, select the Start page launcher.
b) On the Start page, select the Internet Explorer tile.
c) Open the browser to https://d1wk0tztpsntt1.cloudfront.net/windows/installer/latest/AWSAgentInstall.exe. If prompted to add the website to Trusted sites, select Add.
Alternatively, you can do a browser search for Working with AWS Agents. In the search results,
select the Working with AWS Agents - Amazon Inspector link. On the Working with AWS Agents
page, under Topics, select the link Working with AWS agents on Windows-based operating systems
to copy and paste the URL for downloading the agent.
d) Download and install the executable. If prompted by any security alerts, select Yes. If prompted to
add the site to Trusted sites, do so.
e) Save and Run the downloaded executable. Accept the license agreement and select Install. When
the AWS agent is finished installing, close the agent setup dialog box.
f) Close your Remote Desktop Connection. If prompted, select OK.
4. (Optional) Run the Amazon Inspector vulnerability assessment against your target instance.
a) Return to the Amazon Inspector console. If necessary, in the left pane, select Assessment
templates.
b) In the Amazon Inspector - Assessment Templates section, select My-assessment-template, and
then select the Run button.
c) Verify that the Last run column shows Collecting data.
It will take about 15 minutes for the assessment to complete. You may finish the activity at this point,
or optionally return in 15 minutes to check your findings.
Note: You may need to refresh the page to see that the analysis is completed.
5. (Optional) Check your findings.
a) On the left pane, if necessary, select Findings, and examine any findings and recommendations.
Since your AMI was already preconfigured, you are not likely to have any findings. Your findings will
probably look similar to the following image.
b) Return to the console home page.
ACTIVITY 5-3
(Optional) Deleting Your AWS Resources and Account
Scenario
In this activity, you will delete the AWS resources you created in this course, as well as delete your
AWS account.
Remind students that any resources they have created, particularly EC2 instances, will continue to accrue charges, even if they are not used.
Note: If you wish to continue using any of the resources you created, including your AWS
account, you can skip any of the following steps. Deleting resources will ensure that they will not
incur additional charges. Deleting your account will delete all of your resources at the same time.
If you plan to use your account for production purposes, or to take the AWS™: Systems
Operations course, you can delete your resources but keep your account.
1. Check your AWS account for charges.
a) From the drop-down box next to your account name, select My Account.
b) In the left pane, select the Dashboard link.
c) Examine any costs you may have accrued.
Any charges will appear on your next month's credit card bill.
2. Delete your S3 bucket.
a) On the Management Console, under Storage and Content Delivery, select S3.
b) Move your mouse over the bucket until the row becomes highlighted. Select in the highlighted area
to the right of the bucket link, but do not select the bucket link itself.
c) Select Actions→Delete Bucket.
d) In the Delete pop-up dialog box, in the Bucket name text field, enter the name of the bucket (it will
be displayed in the pop-up dialog box) and select the Delete button.
e) Verify that the bucket has disappeared from the All Buckets list.
f) Repeat this step for any other S3 buckets you created.
3. Delete your EC2 instances.
Note: You need to delete the instances before you can delete any volumes.
a) Navigate to the EC2 console page.
b) In the left pane, under INSTANCES, select Instances.
c) Select all of your instances.
d) Select Actions→Instance State→Terminate.
e) Select Yes, Terminate.
f) After a few moments, verify that all instances have entered the terminated state. You may need to
refresh the page to update the Instance State column.
Eventually, all terminated instances will disappear.
4. Delete your EBS volumes.
a) In the left pane, under ELASTIC BLOCK STORE, select Volumes.
b) Select all of your EBS volumes.
c) Select Actions→Delete Volumes.
d) Select Yes, Delete.
e) Verify that all EBS volumes have disappeared from the console. You may need to refresh the page
to verify the deletion.
5. Delete your DynamoDB database.
a) Navigate to the DynamoDB console page.
b) In the left pane, select Tables.
c) Select the Our_Cheezy_Forum radio button.
d) Select Actions→Delete table.
e) Select Delete.
f) Use the same steps to delete the Thread and Reply tables.
g) Verify that all tables have disappeared from the DynamoDB console.
Inform students that if they wish to use their AWS account in production or in the AWS™: Systems Operations course, they should keep their default VPC. If they delete the default VPC, they will have to contact AWS Services to create a new one. If they do not intend to keep their AWS account, the default VPC will be deleted when they delete their account in the last step.
6. Delete any non-default VPCs.
a) Navigate to the VPC console.
b) Select the VPC link.
c) In the list of VPCs, determine whether you have more than one VPC.
Note: Only continue if you have more than one VPC. If you have only one VPC, skip to Step 7.
d) In the list of VPCs, identify the VPC that shows Default VPC as No.
e) Select your non-default VPC.
f) Select Actions→Delete VPC.
g) Select Yes, Delete.
h) If necessary, delete any additional non-default VPCs you might have.
i) Verify that you have only a default VPC remaining.
7. Delete your CloudFormation stack.
a) Navigate to the CloudFormation Management Console.
b) Select your stack.
c) Select Actions→Delete Stack.
d) Select Yes, Delete.
e) Verify that your stack Status has changed to DELETE_IN_PROGRESS.
After a moment, your stack will disappear.
8. Delete your IAM user.
Note: IAM users do not incur any charge. If you intend to use your IAM user in
production, you can skip to Step 9.
a) Navigate to the Identity & Access Management console.
b) Under IAM Resources, select the Users link.
c) Check the check box for your IAM user.
d) Select User Actions→Delete User.
e) Select Yes, Delete.
f) Verify that you have no IAM users.
9. Delete your Inspector assessment template.
a) Navigate to the Inspector Management Console.
b) On the left pane, select Assessment templates.
c) Select your template.
d) Select Delete.
e) Select Yes.
f) Verify that you have no assessment templates.
10. Delete your account.
Note: Skip this step if you intend to use your AWS account in the future.
a) From the drop-down box next to your account, select My Account.
b) Scroll to the bottom of the page.
c) Under Close Account, check the check box and then select the Close Account button.
d) In the Close Account pop-up dialog box, select the Close Account button.
e) Under your account name, select Sign out.
f) Select the Sign in to the Console button.
g) Attempt to sign in using your account. Verify that you receive an error message stating that the AWS
account is not accessible.
Closing your AWS account will delete any remaining resources, and prevent any further AWS
charges from occurring on your credit card. It will not impact the account you use to make online
purchases on Amazon.com.
11. Close all browsers.
Summary
In this lesson, you learned how to secure your AWS deployment using IAM users and policies,
directory services, and certificates. You learned how to use an API Gateway, and how to
authenticate APIs. You also learned how to optimize and verify AWS security using isolation
models, multi-tier security groups, Inspector, WAF, and Trusted Advisor.
Do you foresee creating IAM users in your environment? Why or why not?
A: Answers will vary. If you have no need to delegate administrative or developer access with different
permissions levels, you might not bother creating IAM users. On the other hand, if you wish to
delegate control to colleagues, and do not wish to give them full access to the account, you will want
to create IAM users.
Which AWS security optimizing tool do you think you will use in your environment?
A: Answers will vary. Since Inspector and Trusted Advisor are both free to use, most people will probably
use those tools. If you have websites that you wish to protect from malicious requests, you may want
to use AWS WAF.
Encourage students to use the social networking tools provided on the CHOICE Course screen to follow up with their peers after the course is completed for further discussion and resources to support continued learning.
Note: Check your CHOICE Course screen for opportunities to interact with your classmates,
peers, and the larger CHOICE online community about the topics covered in this course or
other topics you are interested in. From the Course screen you can also access available
resources for a more continuous learning experience.
Course Follow-Up
Congratulations! You have completed the AWS™ Fundamentals course. You have successfully
learned the basics of choosing and deploying AWS cloud services.
What's Next?
AWS™: Systems Operations is the next course in this series. In it, you will deepen your knowledge of
implementing, supporting, and maintaining Amazon Web Services in your organization.
You are encouraged to explore Amazon Web Services further by actively participating in any of the
social media forums set up by your instructor or training administrator through the Social Media
tile on the CHOICE Course screen.
Solutions
ACTIVITY 1-1: Introducing That's Cheezy Cheese Emporium
1. As a consultant for That's Cheezy Cheese Emporium, what challenges do you foresee in
helping That's Cheezy understand the world of AWS cloud services?
A: Answers will vary. AWS will likely introduce new concepts to the company and its
management. You may need to help the company understand terminology and concepts
before they can make any informed decisions. You might also face opposition by those who
see no value in changing their operational model.
2. How do you think the AWS Global Infrastructure can assist a company like That's Cheezy
Cheese Emporium?
A: Answers will vary. Since AWS has a global infrastructure, it is well positioned to provide
service to a company that is trying to expand into a global market. In addition, its global
network of Availability Zones will make it easier for That's Cheezy to build in redundancy and
fault tolerance.
ACTIVITY 1-2: Selecting Appropriate Infrastructure Options
1. With regard to That's Cheezy's need to support growth trends and new marketing initiatives,
which online solution or solutions would be a good fit for their new requirements?
A: Answers will vary. The company's current website hosting provider hosts websites but does
not offer the other services that the company desires. Any solution chosen must be one that
scales. Cloud computing, grid computing, and colocation all support scalability to some level or
another. However, the desire to extend into a global market requires a service provider that can
scale globally. In this case, cloud computing is the best choice.
2. How can AWS help That's Cheezy achieve its business objectives?
A: Answers will vary. First of all, it provides all of the services that the company desires. Its
regions and Availability Zones make it easy to scale and provide service to any part of the
globe. It is also convenient and economical to use.
3. If That's Cheezy chooses AWS cloud computing, what are some of the biggest
challenges they will face?
A: Answers will vary. AWS provides only the infrastructure. That's Cheezy's IT
department will have to know how to build its online services on top of that infrastructure.
It will need to be able to choose the right services for its needs, build those applications,
and secure the servers, networking components, applications, and data.
ACTIVITY 1-3: Leveraging AWS in Your Business Strategy
5. What can That's Cheezy Cheese Emporium do if it does not have the managerial or
technical expertise necessary to take advantage of AWS?
A: Answers will vary. Management can follow the guidelines laid out in the AWS CAF.
The IT department can engage third-party services and products available at the AWS
Marketplace. IT can also learn how to use the various services by first deploying the Free
Tier Eligible versions.
ACTIVITY 1-5: Working with the AWS Management Console
2. Which tools do you think you might use when building That's Cheezy's cloud-based
infrastructure?
A: Answers will vary, though many will choose Compute, Storage and Content Delivery,
and Database.
5. How will the Dashboard help you track your AWS costs?
A: Answers will vary. You can use the Spend Summary and Month-to-Date Spend by
Service charts to track the cost of various AWS services you are using. You can also set
alerts to automatically email you when a cost threshold has been reached.
7. Which of the additional resources do you think will be useful in your daily operations?
A: Answers will vary. In the beginning, admins might find Getting Started and AWS
Marketplace to be very useful. If they want to access the console via a mobile device,
they might use the AWS Console Mobile App. For daily operations, some may want to
use the Service Health Dashboard.
8. What is the current Service Health status?
A: Answers may vary, but most likely it will show all services operating normally.
ACTIVITY 2-1: Choosing an AWS Storage Solution
1. Which storage solution would best serve the IT department's needs?
A: Because several servers need to share data in a common network location, EFS would
be the best choice. EBS, like a physical hard drive, is mounted to only one server so it's
not a good choice. S3 does not allow objects in a bucket to be edited, but rather replaced
by a new version. For that reason, S3 is also not a good choice. Glacier is not meant for
constant data access, so it is not the right choice either.
2. Which storage solution would be the best fit for the graphics team?
A: The graphics team has two needs, and EBS can serve both. Each graphic artist should have an
editing computer with at least one additional EBS volume attached. As they edit, they can save the clips
to this volume. The EBS volume can then be detached from the artist's workstation and reattached to a
computer dedicated to rendering video. The rendering machine can have additional EBS volumes
configured in a RAID 0 disk striping array for maximum throughput. EFS is not a good choice because
of the latency added by network access between the workstation and storage. Additionally, you cannot
stripe EFS shares. S3 also cannot be striped, and has network latency. It is also not meant for
continuous editing of the same files. Glacier is meant for cold storage only, so could not possibly be
used for this purpose.
3. Which storage solution would be best for the sales team?
A: Because they need files to be available from anywhere in the world, an S3 bucket is a good choice.
It's easy to set up, requiring little effort. Although S3 does not allow objects to be directly edited, this
should not be a problem. When new product literature and price sheets are available, they can just be
uploaded to the S3 bucket, replacing the old versions.
4. Which storage solution would satisfy the company's legal requirements?
A: Glacier is by far the best choice in this scenario. It is meant for long term, safe storage of data at a
very low cost.
ACTIVITY 2-4: Selecting an AWS Database Service
1. Which database solution would be best suited for capturing and displaying customer reviews and
discussion threads?
A: DynamoDB would be the best choice in this case. Because the data can have loose consistency
(need not be immediately replicated to other websites) and may end up being quite large, a NoSQL
database is a good choice.
2. Which database type would best satisfy what the sales team wants?
A: RDS is the only realistic choice here. Because there must be tight consistency between customers
and their orders, a relational database will be required. Once RDS is set up, the database team can
create a customer database with tables for customers, orders, and products. They can also create
relationships between the tables to ensure data integrity and consistency.
3. What database type would best suit management's needs?
A: Redshift would be the choice in this scenario. Because the data will be coming from diverse sources,
it should be copied to a data warehouse. The data can then be queried and analyzed to spot trends.
ACTIVITY 3-2: Implementing Virtual Networks
3. Do both the WordPress instance and Windows instance belong to the same VPC? If so, which one and
why?
A: Unless a mistake was made when creating the instances, the answer should be yes. They will both
be in the default VPC because when you created the instances, you did not specify which VPC to put
them in.
4. How will being in a VPC help improve security for the two instances?
A: Answers will vary, but since the VPC is isolated from the rest of the world, you can control exactly
what kind of traffic is permitted to and from your servers.
5. Compare the VPC CIDR IP address with the Private IP addresses for the instances. Are
they in the same subnet? If so, what does this imply regarding connectivity between the
instances?
A: Unless a mistake was made when creating the instances, they should belong to the
same VPC and thus the same subnet. Belonging to the same subnet means that even
though the VPC is isolated from the rest of the world, the instances can communicate
with each other.
ACTIVITY 4-2: Managing AWS Resources
3. What is the relationship between the categories of metrics that you see and the resources
you have deployed?
A: You will only see metrics for services you have deployed. Services that are not in use
will not send metrics to CloudWatch.
5. Now that you have created different AWS resources in this course, which billing metrics
do you think you might also wish to monitor?
A: Answers will vary. Many will say that they wish to monitor billing for every type of
resource they have created so far. Others may wish to focus on specific resources such
as EC2 or DynamoDB.
Glossary
ACM
(AWS Certificate Manager) A tool that helps you easily provision, deploy, and manage X.509 public key certificates.
Amazon API Gateway
A fully managed service that makes it easy to create, publish, secure, and manage Application Programming Interfaces.
Amazon CloudFront
A global content delivery network (CDN) that improves performance and availability of your website by providing servers that are geographically close to end users.
Amazon CloudWatch
A web service that enables you to monitor and manage various metrics, and configure alarms based on those metrics.
Amazon DynamoDB
A fully managed NoSQL database service.
Amazon EBS
(Amazon Elastic Block Store) A block storage system for EC2 instances that mimics an external hard drive.
Amazon EC2
(Amazon Elastic Cloud Compute) A web service that enables you to launch and manage instances of Linux/UNIX and Windows servers in Amazon's cloud-based data centers.
Amazon EFS
(Amazon Elastic File System) A NAS-like file storage service for EC2 instances.
Amazon ElastiCache
A distributed in-memory data store in the cloud.
Amazon Glacier
A low-cost, secure and durable storage system for data archiving and long-term backup.
Amazon Inspector
An automated security assessment service used to determine the security and compliance of applications and operating systems.
Amazon RDS
(Amazon Relational Database Services) A web service that provides a fully managed traditional relational database system.
Amazon Redshift
A fully managed, petabyte-scale relational data warehouse.
Amazon S3
(Amazon Simple Storage Service) Internet storage used to store and retrieve any amount of data from anywhere on the web at any time.
Amazon VPC
(Amazon Virtual Private Cloud) A web service for provisioning a logically isolated part of the AWS cloud containing resources you define.
AMI
(Amazon Machine Image) An encrypted virtual machine image that contains the operating system and applications used by your service.
API call
A specific operation that a client application can invoke at runtime to perform a task.
AWS agents
Software installed on a target EC2 instance that allows Amazon Inspector to perform a vulnerability assessment on the instance.
AWS CloudFormation
A tool for creating or modifying resource templates.
AWS CloudFormer
A template creation tool that creates an AWS CloudFormation template using your account's existing AWS resources.
AWS Directory Service
An AWS deployment of a Microsoft Active Directory or compatible directory service.
AWS IAM
(AWS Identity and Access Management) A tool for securely controlling access to your AWS resources.
AWS Trusted Advisor
A web service that inspects your AWS environment and makes recommendations for improving security, availability, performance, and cost savings.
AWS WAF
A firewall used to help protect your web applications from common exploits and malicious code.
AZ
(Availability Zone) A distinct subdivision of an AWS region.
bucket
A logical unit of storage for Amazon Simple Storage Service (S3).
cloud computing
The use of a provider's Internet-based network and computers, as opposed to using locally deployed hardware.
EC2 instance
A single copy of an Amazon Machine Image (AMI) running as a virtual server in the AWS cloud.
EC2 instance store
A low-latency virtual disk that is useful for temporary storage for EC2 instances.
edge locations
AWS clustered web content servers that are geographically close to the end user.
Elastic IP address
A static public IP address that is dedicated to your account.
ELB
(Elastic Load Balancer) A web-based service that improves an application's availability by distributing incoming traffic between two or more EC2 instances.
endpoint
A URL that is the entry point for your web service, geographically close to the end user.
IaaS
(Infrastructure-as-a-Service) A type of cloud computing that provides automated compute resources such as virtual machines, storage, and networking.
IAM policy simulator
A tool used to test and troubleshoot the effects of IAM and resource-based policies before you commit them to use.
Infrastructure as Code
The process of using machine-readable definition files to automate the configuration and management of computing infrastructure devices and services.
JSON
(JavaScript Object Notation) A text-based, lightweight data interchange format based on a subset of the JavaScript programming language.
metadata
A set of data that provides information about other data.
mount target
An EFS network connection point.
object
Any file that is stored in an S3 bucket.
orchestration
The coordination of multiple services into a single aggregate service.
perspectives
High-level areas of focus that enable managers to create actionable plans for their AWS environment.
region
An AWS geographical boundary, generally involving part of a continent.
resource
Any AWS entity or service that you can deploy and work with.
resource groups
A combination of AWS resources located across the entire account that can be viewed and managed from the same screen.
resource provisioning
A mechanism for quickly making cloud services available to the customer.
security group
A virtual firewall that controls traffic for one or more EC2 instances.
stack
A collection of AWS resources that are launched from the same template and are administered as a single unit.
tags
Information organized into a key-value pair that can be used to locate, organize, and manage AWS resources.
tree hash
A checksum of the original file that is split and uploaded in pieces to Amazon Glacier.
VPC
(Virtual Private Cloud) A logically isolated virtual network.
white box
The use of generic network hardware such as switches and routers that get their forwarding and control-plane instructions from software running on a centralized device.
Index
A
ACM 95
Amazon API Gateway 95
Amazon CloudFront 36
Amazon CloudWatch 84
Amazon DynamoDB
  overview 43
  use cases 45
  vs. RDS 45
Amazon EBS
  comparisons 34
  integration with EC2 63
  overview 32
Amazon EC2
  defined 58
  EC2 instance 58
  implementation 62
  integration with EBS 63
  integration with EFS 63
  security groups 60
  storage 60, 61
Amazon EFS
  integration with EC2 63
  overview 33, 34
Amazon Elastic Block Store, See Amazon EBS
Amazon Elastic Cloud Compute, See Amazon EC2
Amazon Elastic File System, See Amazon EFS
Amazon Glacier 35
Amazon Inspector 101
Amazon Machine Image, See AMI
Amazon RDS
  overview 43
  vs. DynamoDB 45
Amazon Redshift 46
Amazon Relational Database Services, See Amazon RDS
Amazon S3
  bucket and object 32
  comparisons 34
Amazon Simple Storage Service, See Amazon S3
Amazon Virtual Private Cloud, See Amazon VPC
Amazon VPC 71
Amazon Web Services, See AWS
AMI 60
Apache ElastiCache 72
API authentication 96
API call 96
authentication and encryption keys 21
AWS
  overview 5
AWS agents 101
AWS Certificate Manager, See ACM
AWS Cloud Adoption Framework, See CAF
AWS CloudFormation 78
AWS CloudFormer 79
AWS command line tools 21
AWS Core Infrastructure Services
  major categories 8
AWS Directory Service 94
AWS Global Infrastructure
  Availability Zones 6, 7
  edge locations 6
  endpoints 6
  regions 6, 7
AWS IAM
  overview 94
  policy simulator 96
AWS Identity and Access Management, See AWS IAM
AWS Management Console
  new console preview 20
  tools 19
  user interface 19
AWS Marketplace 16
AWS Trusted Advisor 102
AWS Utility Pricing Model 6
AWS WAF 102
B
bucket 32
business strategy
  aligning with business goals 15
  AWS platform uses and case studies 14
  cloud benefits 14
C
CAF
  perspectives 15
cloud computing
  and elastic capacity 6
  defined 4
cloud services
  benefits 14
cost monitoring 85
E
EC2 instance
  AMIs 60
  and ELB 63
  and VPC 71
  defined 58
  integration with EBS 63
  integration with EFS 63
  security groups 60
  storage 60, 61
  types 58
EC2 instance store 61
edge locations 6
Elastic IP address 71
Elastic Load Balancer, See ELB
ELB
  and EC2 instances 63
  types and features 64
endpoints 6
F
Free Tier Eligible services 16
I
IaaS 4
IAM policy simulator 96
Infrastructure-as-a-Service, See IaaS
Infrastructure as Code 78
J
JavaScript Object Notation, See JSON
JSON 78
M
managed database services
  RDS vs. DynamoDB 45
  types 43
managing resources
  Amazon CloudWatch 84
  cost monitoring 85
  deleting 86
  metrics and alarms 83
mount target 33
N
NoSQL databases 43, 44
O
object 32
orchestration 78
R
resource groups
  creating 19
  overview 22
resources
  defined 21
  deletion 86
  metrics and alarms 83
resources provisioning 78
RESTful API 95
S
security
  Amazon Inspector 101
  AWS Trusted Advisor 102
  AWS WAF 102
  features 9
  isolation models 100
  shared security model 10
security groups
  for EC2 instances 60
  multi-tier 100
storage
  and EC2 instances 60, 61
  options 32
T
tags
  creating 19
  metadata 21
  resources 21
  stack 21
Tag Editor 22
tree hash 35
V
Virtual Private Cloud, See VPC
VPC 33
W
web service
  hosting types 2
white box hardware 78