A
access control lists (ACLs), 50
access policies, Amazon S3, 47–49
account management, 300
ACM. See AWS Certificate Manager (ACM)
Advanced Encryption Standard (AES), 46
agility, on AWS, 2
alarms, 259
alias records, 267
all-in-cloud deployment model, 5–6
Amazon API Gateway
API types supported by, 251
benefits of, 251–253
overview, 250–251
Amazon Athena, 21–22
Amazon Aurora, 20, 327–328, 387
creating an Amazon Aurora database (lab), 348–351
Amazon CloudFront, 14, 16, 19, 387
and Amazon Route 53, 267
behaviors, 263
and bucket policies, 50
distribution, 263
edge locations, 263
error handling, 266
geo restriction, 266
Gzip compression, 265
headers, 264
origin, 263
overview, 262
path pattern matching, 264
protocol policy, 265
query strings/cookies, 264
regional edge caches, 263
signed URLs/signed cookies, 264–265
time to live (TTL), 265
using with Amazon S3, 37
Amazon CloudWatch, 26, 291, 372
and Amazon EBS–backed volumes, 67
and AWS Web Application Firewall (WAF), 273
capturing real-time changes, 291
metrics collection and tracking, 291
setting alarms, 292–293
viewing graphs and statistics, 293
Amazon CloudWatch Events, 17, 291
Amazon Dash Button, 29
Amazon DocumentDB, 21, 346–348
Amazon DynamoDB, 20, 234, 377, 387, 389
and Amazon ElastiCache, 343–344
benefits of, 337–338
consistency models, 341
creating an Amazon DynamoDB table (lab), 356–358
data types, 339
encryption and security, 342
global tables, 341
items, 339
overview, 337
primary keys, 339–340
range attributes, 339
secondary indexes, 340
terminology, 338–340
Amazon DynamoDB Accelerator, 342
Amazon DynamoDB Logstash plug-in, 342
Amazon DynamoDB Streams API, 341–342
Amazon EC2
and Auto Scaling, 213, 217–223
benefits of, 140–141
creating an EBS instance and attaching it to an EC2 instance (lab), 166–170
creating an EFS instance and mounting across two EC2 instances in different AZs (lab), 170–173
on-demand instance, 146
fleet management, 212
hosting relational databases, 313–315
IAM roles for, 203–207
instance store, 67
instance types and features, 141–145
no up-front reserved instance, 147
operating systems supported by, 141
overview, 139
partial up-front reserved instance, 147
pricing, 146–148
reserved instance, 147
security, 188
spot instance, 147–148
up-front reserved instance, 147
using, 146
using (lab), 161–166
See also Amazon Machine Images (AMIs)
Amazon EC2 Auto Scaling. See Auto Scaling
Amazon EC2 Container Service (ECS). See Amazon Elastic Container Service (ECS)
Amazon EC2 Ephemeral Storage, 387
Amazon Elastic Block Store (EBS), 18–19, 387
Cold HDD (sc1), 69
EBS-backed volumes, 67
features of, 66–67
General-Purpose SSD (gp2), 68, 145
HDD-backed volumes, 69
Multi-Attach, 66
overview, 65–66
Provisioned IOPS SSD (io1), 68–69, 145
SSD-backed volumes, 67–69
Throughput-Optimized HDD (st1), 69
types of block storage, 67–69
volumes, 67–69
Amazon Elastic Compute Cloud (EC2). See Amazon EC2
Amazon Elastic Container Service (ECS), 12–13, 158–159
Amazon Elastic File System (Amazon EFS), 19, 35
overview, 69–71
performance mode, 72
using with Amazon S3, 71–72
Amazon Elastic Kubernetes Service (Amazon EKS), 13, 15
Amazon Elastic MapReduce (EMR), 287–288, 390
Amazon Elastic Transcoder, 24
Amazon ElastiCache, 20, 342–344
Amazon Elasticsearch Service (Amazon ES), 22, 368, 377
Amazon EMR, 22
Amazon Inspector, 16, 194, 372
Amazon Keyspaces, 21
Amazon Kinesis
overview, 253
real-time application scenarios, 253–254
real-time stream processing, 260
stream processing vs. batch processing, 254
Amazon Kinesis Data Analytics, 257–259
Amazon Kinesis Data Firehose, 255–257
Amazon Kinesis Data Streams, 254–255
Amazon Kinesis Video Streams, 259
Amazon Lex, 28
Amazon Lightsail, 13
Amazon Machine Images (AMIs), 146
Hardware Virtual Machine (HVM) AMIs, 153–154
and instances, 149–152
obtaining an AMI, 152–153
Paravirtual (PV) AMIs, 154
shared AMIs, 153
Amazon Mobile Analytics, 30
Amazon MSK, 23
Amazon Polly, 28
Amazon QLDB, 21
Amazon QuickSight, 23
Amazon Redshift
architecture, 329–332
backup and restore, 334
benefits of, 329
creating an Amazon Redshift cluster (lab), 353–356
data distribution in, 336–337
data loading in, 335–336
encryption, 333–334
enhanced VPC routing, 333
networking for, 333
overview, 328–329
security, 334
sizing clusters, 332–334
Amazon Redshift Managed Storage (RMS), 332
Amazon Rekognition, 28
Amazon Relational Database Service (RDS), 20, 387
Amazon VPC and, 320–324
backups, 324
data encryption on, 321–324
enhanced monitoring, 325
event notification, 326
high availability (HA) architectures on, 315–317
hosting in Amazon EC2 vs. Amazon RDS, 314–315
hosting scenarios, 312–315
monitoring, 325–326
overview, 311–312
Performance Insights, 326
restores, 324
scaling on, 318–320
standard monitoring, 325
taking a snapshot of a database (lab), 352–353
Amazon resource names (ARNs), 47–48
Amazon Route 53, 14, 16, 266–268
Amazon S3
access control, 47–50
access control lists (ACLs), 50
access policies, 47–49
adding a hex hash prefix to a key name, 45–46
advantages of, 36–37
for application hosting, 38
for backup, 37
basic concepts, 38–41
bucket policies, 49–50
content distribution, 38
costs, 52
cross-region replication (CRR), 55–60
data consistency model, 41–43
data lakes, 38
for disaster recovery, 38
encryption in, 46–47
expiration action, 54
HTTP verbs, 40
infrastructure, 41
Intelligent-Tiering, 52
object lifecycle management, 54–55
objects, 39
One Zone Infrequent Access (S3 One Zone-IA), 42, 51
performance considerations, 43–44
private repositories, 38
real-time stream processing, 260
regions, 39–40
replication, 55–60
resource-based policies, 50
REST APIs, 40
reversing the key name string, 45
same-region replication (SRR), 55–60
SDKs, 40
security best practices, 50
Server Side Encryption (SSE), 46–47
Standard, 51
Standard Infrequent Access (IA), 51
for static web hosting, 38
static web hosting, 61–62
storage classes, 50–53
for tape replacement, 37
transition action, 54
versioning of objects, 54
See also Amazon S3 Glacier; Amazon S3 Glacier Deep Archive
Amazon S3 Glacier, 52
accessing, 64
archives, 63
inventory, 64
jobs, 64
overview, 62–63
retrieving files from, 65
uploading files to, 64–65
vault inventory, 64
Vault Lock, 64
vaults, 63
Amazon S3 Glacier Deep Archive, 52
Amazon SageMaker, 28
Amazon Simple Email Service (SES), 27
Amazon Simple Notification Service (SNS), 27, 64, 278–279
and Auto Scaling, 219
Amazon Simple Queue Service (SQS), 27, 274–277
Amazon Simple Workflow Service (SWF), 24, 280–282
Amazon Step Functions, 280–282
Amazon Virtual Private Cloud (VPC), 14, 255
and Amazon RDS, 320–324
connecting to a VPC, 117–119
creating a VPC with public and private subnets (lab), 123–127
default VPC, 119
DHCP option sets, 116–117
and DNS, 115–116
elastic IP (EIP) addresses, 104–105
Elastic Network Interface (ENI), 103
endpoints, 112–114
and Enhanced Networking, 104
exploring options in a VPC (lab), 127–134
flow logs, 17, 119, 296–297, 372
Internet gateway (IG), 99–100
network access control lists (NACLs), 107–109
and Network Address Translation (NAT), 100–102
peering, 110–111
route tables, 98–99
security groups, 105–107
subnets, 95–97
and Transit Gateway, 114–115
using the VPC Wizard (lab), 120–123
Amazon Web Services. See AWS
Amazon.com, 6
analytics services, 21–23
analyzing expenditures, 382
Apache Kafka, 23
Apache MXNet, 28
Apache Spark, 22
Apache TinkerPop Gremlin graph traversal language, 21
API Gateway. See Amazon API Gateway
API keys, 252
APIs, 40
Application Discovery Service. See AWS Application Discovery Service
application hosting, 38
application load balancer (ALB), 269
application management, 190
application services, 23–24
architecture
cloud optimized, 384
cloud-native, 384
loosely coupling, 390–391
parallel architectures, 389–390
See also AWS Well-Architected Framework (WAF)
archiving
compliance, 63
media assets, 63
artificial intelligence services, 28
Athena. See Amazon Athena
Aurora. See Amazon Aurora
authentication, 177–178
and account management, 190
authorization, 178–179
Auto Scaling
benefits of, 212–215
changing capacity, 221–222
cooldown period, 220
creating a scaling plan, 215–217
default scaling plan, 218
dynamic scaling, 212
groups, 218–219
launch configuration, 217–218, 223
manual scaling, 218
overview, 211–212
scaling as per demand, 219
scaling as per schedule, 219
scaling strategy, 216–217
setting up (lab), 235–239
simple scaling, 219–220
simple scaling with steps, 220–222
target-tracking scaling policies, 222
termination policy, 223
using multiple AZs, 232–235
availability, vs. outage, 379
availability zones (AZs)
and Amazon VPC, 95–97
high availability (HA) architectures on Amazon RDS, 315–317
using multiple AZs with Auto Scaling and ELB, 232–235
AWS, 2
advantages of running cloud computing on, 2–4
analytics services, 21–23
application services, 23–24
artificial intelligence services, 28
best practices, 384–391
compute services, 11–14
database services, 19–21
developer tools, 24–25
global infrastructure, 7–9
history of, 6
Internet of Things (IoT) services, 28–29
management tools, 25–26
messaging services, 27
migration services, 27–28
mobile services, 29–30
networking services, 14–15
products and services overview, 11
security and compliance, 9–11, 15–18
storage and content delivery services, 18–19
See also specific products and services
AWS App Mesh, 15
AWS Application Discovery Service, 27
AWS Batch, 13–14
AWS Certificate Manager (ACM), 16, 195
AWS CloudFormation, 25, 215, 288–290
AWS CloudTrail, 26, 179–180, 186, 294–295, 372
AWS CloudTrail Events, 17
AWS CodeBuild, 25
AWS CodeCommit, 24
AWS CodeDeploy, 25
AWS CodePipeline, 25
AWS command-line interface (CLI), 40–41
AWS Compliance Program, 186–187
AWS Config rule, 372
AWS Data Pipeline, 22
AWS Database Migration Service, 27
AWS Device Farm, 30
AWS Direct Connect, 15, 19, 118
AWS Directory Service, 16
and DHCP option sets, 116–117
AWS Elastic Beanstalk, 13, 282–284
AWS Elastic Load Balancing (ELB). See Elastic Load Balancing (ELB)
AWS Firewall Manager, 16
AWS Global Accelerator, 15
AWS Glue, 22
AWS Greengrass, 29
AWS hardware VPN, 118
AWS Identity and Access Management (IAM), 15, 177, 371
auditing, 179–180
authentication, 177–178
authorization, 178–179
best practices, 184–186
creating IAM users, groups, and roles (lab), 196–201
hierarchy of privileges, 184
managing accounts in AWS, 369
managing IAM user permissions and credentials (lab), 201–202
roles, 50, 183–184, 185, 196–201, 203–207
security credentials, 180–181, 184, 185
AWS Import/Export, 19
AWS IoT Button, 29
AWS IoT Platform, 29
AWS Key Management Service (KMS), 18, 196, 255, 321–324, 371
AWS Lake Formation, 23
AWS Lambda, 12
and Amazon EBS–backed volumes, 67
extract, transform, and load (ETL) processing, 260–261
IoT back ends, 261
languages supported, 249
overview, 245–246
real-time stream processing, 260
resource limits of, 249
serverless, 246–247
understanding, 247–250
usage pattern, 250
using, 248
AWS Management Console, 256
AWS Marketplace, 153
AWS Mobile Hub, 29
AWS OpsWorks Stacks, 285
AWS Organizations, 300
AWS Policy Generator, 49
AWS PrivateLink, 112
AWS Security Token Service, 369
AWS Server Migration Service (SMS), 28
AWS Service Catalog, 25
AWS Simple Storage Service (S3). See Amazon S3
AWS Single Sign-On (SSO), 17
AWS Snowball Edge, 74
AWS Snowmobile, 74
AWS Step Functions, 24
AWS Storage Gateway (SGW), 19, 73
AWS Trusted Advisor, 297–299
AWS Web Application Firewall (WAF), 16, 195, 268–273
AWS Well-Architected Framework (WAF)
automating for security, 371
best practices for security, 371–374
design principles for cost optimization, 381–384
design principles for operational excellence, 366–368
design principles for performance, 374–377
design principles for reliability, 378–381
design principles for security, 368–374
implementing security at all layers, 370
maintaining a strong identity foundation, 369
overview, 365–366
planning for security events, 371
securing the data, 370–371
traceability, 369
B
backup, 37
Amazon Redshift, 334
Amazon Relational Database Service (RDS), 324
long-term, 63
best practices, 384
in AWS, 384–391
for reliability, 378–381
for security, 371–374
Black Friday, 3
block storage, 35
bucket policies, Amazon S3, 49–50
buffers, 275
C
caching services. See Amazon ElastiCache
caching static assets, 262
capacity, guessing about, 2–3
capital expenses, vs. variable/flexible expenses, 3
Cassandra Query Language (CQL), 21
change management, 380–381
Chef Automate, 26
and AWS OpsWorks, 284–285
CIDR blocks
and Internet gateway (IG), 99–100
cloud computing
advantages of running on AWS, 2–4
defined, 1–2
deployment models, 5–6
three models of, 4–5
See also Amazon EC2
CloudFormation. See AWS CloudFormation
CloudFront. See Amazon CloudFront
cloud-native architecture, 384
cloud-optimized architecture, 384
CloudTrail. See AWS CloudTrail
CloudWatch. See Amazon CloudWatch
CodeBuild, 25
CodeCommit, 24
CodeDeploy, 25
CodePipeline, 25
Cognito. See Amazon Cognito
Cold HDD (sc1), 69
command-line interface (CLI), 40–41, 179
compliance. See AWS Compliance Program
compute nodes, 329–331
See also Amazon Redshift
compute services, 11–14, 375–376
Config. See AWS Config
configuration management, 189
See also AWS OpsWorks
constraints, 391
consumption model, 381–382
containers, 159
See also Amazon Elastic Container Service (ECS)
content delivery network (CDN) services, 19
See also Amazon CloudFront
content distribution, 38
content encryption keys (CEKs), 46
cost control, 213
being aware of expenditures, 383
finding cost-effective resources, 382
optimizing over time, 383–384
cost optimization, 381–384
CPU credits, 142
cross-region replication (CRR), 55–60
cross-regional read replicas, 319, 320
D
data centers, 382
avoiding spending money on, 4
highly available, 189
hot, 7
physical security of, 188
Data Definition Language (DDL), 310–311
data distribution, in Amazon Redshift, 336–337
data ingestion, 255
data loading, in Amazon Redshift, 335–336
Data Manipulation Language (DML), 310–311
Data Pipeline. See AWS Data Pipeline
data protection, 373–374
data warehouses, 328–329
See also Amazon Redshift
database management systems (DBMSs), 309
Database Migration Service. See AWS Database Migration Service
database services, 19–21
databases. See relational databases
DAX. See Amazon DynamoDB Accelerator
dead-letter queues, 277
demand
matching supply with, 382–383
matching with demand, 382–383
deployment
blue-green deployments, 380
canary deployment, 381
feature toggle, 381
global deployment, 4
three models of, 5–6
See also AWS Elastic Beanstalk
detective controls, 371–372
developer tools, 24–25
Device Farm. See AWS Device Farm
DHCP, option sets, 116–117
digital preservation, 63
disaster recovery, 38
disk management, 189
distributed denial-of-service (DDoS) attacks, 16, 262
AWS Shield, 273–274
mitigation, 268
DNS
and Amazon VPC, 115–116
logs, 17
DNS hostnames, 115–116
document database services. See DocumentDB
Domain Name System. See DNS
dynamic content, accelerating, 262
Dynamic Host Configuration Protocol. See DHCP
dynamic scaling, 212
DynamoDB. See Amazon DynamoDB
E
EBS. See Amazon Elastic Block Store (EBS)
EBS-backed volumes, 145
EC2. See Amazon EC2
economies of scale, 3
ECS. See Amazon Elastic Container Service (ECS)
See also points of presence (POPs)
efficiency, measuring, 382
egress-only Internet gateways, 102–103
Elastic Beanstalk. See AWS Elastic Beanstalk
See also Amazon Elastic Block Store (EBS)
Elastic Container Service (ECS), 12–13, 158–159
Elastic File System (Amazon EFS), 19, 35
overview, 69–71
performance mode, 72
using with Amazon S3, 71–72
elastic IP (EIP) addresses, 104–105
Elastic Kubernetes Service (Amazon EKS), 13, 15
Elastic Load Balancer. See Elastic Load Balancing (ELB)
Elastic Load Balancing (ELB), 12, 14, 15, 16, 389
advantages of, 224–225
application load balancer (ALB), 226, 227, 228–229, 234
and Auto Scaling, 212
classic load balancer, 226, 227–228, 235
cross-zone load balancing, 234
external load balancer, 226–227
health checks, 231–232
how ELB works, 225
internal load balancer, 226
listeners, 230
network load balancer (NLB), 225–226, 234
overview, 223–224
path-based rules, 230–231
rules, 230–231
target groups and targets, 230
types of load balancers, 225–227
using multiple AZs, 232–235
using to distribute load, 390
Elastic MapReduce (EMR), 287–288, 390
Elastic Network Adapter (ENA), 104
Elastic Network Interface (ENI), 103, 112
Elastic Transcoder, 24
Elasticsearch (Amazon ES), 22, 368, 377
ELB. See Elastic Load Balancing (ELB)
EMR. See Amazon Elastic MapReduce (EMR)
encryption
Advanced Encryption Standard (AES), 46
Amazon DynamoDB, 342
on Amazon RDS, 321–324
Amazon Redshift, 333–334
in Amazon S3, 46–47
content encryption keys (CEKs), 46
at rest and in transit, 373–374
Enhanced Networking, 104
ETL
processing, 260–261
extract, transform, and load (ETL). See ETL
F
failover routing, 268
failure, 367
designing for, 384–387
failure management, 381
fault isolation zones, 380
federated users, 178
FIFO queues, 276
file gateways, 73
file storage, 35
file-based loading, 335
firewalls, 190
See also AWS Web Application Firewall (WAF)
fleet management, 212
flexible expenses, vs. capital expenses, 3
G
Gartner’s Magic Quadrant, 6
gateway endpoints, 112
General-Purpose SSD (gp2), 68, 145
geo DNS routing, 268
GET requests, 54
Git repositories, 24
Glue. See AWS Glue
GovCloud region, 7
graph database services. See Amazon Neptune
Greengrass. See AWS Greengrass
groups
creating IAM users, groups, and roles (lab), 196–201
Gzip compression, 265
H
Hadoop frameworks, 22
hardware security module (HSM), 18
Hardware Virtual Machine (HVM) AMIs, 153–154
health checks, 212, 231–232, 267
hex hash prefix, 45–46
high availability (HA) architectures, on Amazon RDS, 315–317
host-based routing, 226
HTTP, 40
HTTP verbs, 40
hybrid deployment model, 6
Hypertext Transfer Protocol. See HTTP
I
IaaS. See Infrastructure as a Service (IaaS)
IAM. See AWS Identity and Access Management (IAM)
incident response, 374
Infrastructure as a Service (IaaS), 4, 189
infrastructure management. See AWS CloudFormation
infrastructure protection, 373
innovation, benefiting from pace of, 4
instance root volume, 150–152
instance store-backed AMIs, 150, 151
instance types, Amazon EC2, 141–145
instances, 12
accelerated computing, 143
and Amazon EC2, 140
and Amazon Machine Images (AMIs), 149–152
changing the instance type, 318–319
compute optimized, 143
connecting to, 156–158
creating an EBS instance and attaching it to an EC2 instance (lab), 166–170
creating an EFS instance and mounting across two EC2 instances in different AZs (lab), 170–173
on-demand instances, 146
general purpose, 142
launching web server instances, 162–165
lifecycle of, 154–155
memory optimized, 143
network features, 144–145
processor features, 144
reserved instances, 147
spot instances, 147–148
storage features, 145
storage optimized, 143
Intel 82599 Virtual Function (VF) interface, 104
interface endpoints, 112
Internet gateway (IG), 99–100
Internet of Things (IoT) services, 28–29
IoT back ends, 261
intra-region read replicas, 319
IoT. See Internet of Things (IoT) services
IoT Button. See AWS IoT Button
IoT Platform. See AWS IoT Platform
IP addresses, 156–157
J
Java Database Connectivity (JDBC), 329
JavaScript Object Notation (JSON), 47, 178
K
Kafka. See Amazon MSK
Keyspaces, 21
Kibana, 377
Kinesis
overview, 253
real-time application scenarios, 253–254
real-time stream processing, 260
stream processing vs. batch processing, 254
Kinesis Data Analytics, 257–259
Kinesis Data Firehose, 255–257
Kinesis Data Streams, 254–255
Kinesis Producer Library (KPL), 255
Kinesis Video Streams, 259
KMS. See AWS Key Management Service (KMS)
L
Lake Formation. See AWS Lake Formation; data lakes
latency-based routing, 268
launch configuration, 217–218, 223
leader nodes, 329–331
See also Amazon Redshift
least privilege access, 50
Lex, 28
Linux, Enhanced Networking, 104
listeners, 230
load balancing, 213
See also Elastic Load Balancing (ELB)
local zones, overview, 7, 8
long polling, 277
long-term backup, 63
M
magnetic hard drives, 145
magnetic tape replacement, 62
malicious requests, 268
managed services, 382
leveraging, 380
management tools, 25–26
MariaDB, 20
Memcached, 343
message consumers, 275
message producers, 275
message queues, 274–277
messaging services, 27
See also Amazon Simple Queue Service (SQS)
methods, 40
migration services, 27–28
Mobile Analytics, 30
Mobile Hub, 29
mobile services, 29–30
MongoDB, 21
MSK, 23
multifactor authentication (MFA), 50
MySQL, 20
N
National Institute of Standards and Technology, 1
Netflix, 254
network access control lists (NACLs), 107–109
Network Address Translation (NAT), 100–102
network configuration, 190
network security, 105–109, 188–189
networking services, 14–15, 376
NIST, 1
nonrelational (NoSQL) database services, 19
NoSQL database services, 19, 20, 376, 377
notifications, 259
O
object storage, 35
objects, 39
online analytical processing (OLAP), 328
online transaction processing (OLTP), 93, 328
on-premise deployment model, 6
on-premise storage integration with AWS, 72–74
Open Database Connectivity (ODBC), 329
operating systems, responsibility for, 189
OpsWorks Stacks, 285
Oracle, 20
P
PaaS. See Platform as a Service (PaaS)
Paravirtual (PV) AMIs, 154
path-based rules, 230–231
peering, 110–111
performance, 374–377
permissions, 178–179
managing IAM user permissions and credentials (lab), 201–202
Personal Health Dashboard, 368
Platform as a Service (PaaS), 4, 191
points of presence (POPs), 7
overview, 8
Polly, 28
PostgreSQL, 20
predictive scaling, 213
Presto, 22
primary network interfaces (eth0), 103
private cloud deployment model, 6
private repositories, 38
property graph model, 344
Provisioned IOPS SSD (io1), 68–69, 145
pub-sub messaging, 278
Puppet Enterprise, and AWS OpsWorks, 284–285
PUT requests, 42–43
Q
QuickSight, 23
R
RA3, 332
RDS. See Amazon Relational Database Service (RDS)
read replicas, 319–320
real-time dashboards, 259
real-time file processing, 260
real-time stream processing, 260
recovery point objectives (RPOs), 334
Redis, 343
Redshift
architecture, 329–332
backup and restore, 334
benefits of, 329
creating an Amazon Redshift cluster (lab), 353–356
data distribution in, 336–337
data loading in, 335–336
encryption, 333–334
enhanced VPC routing, 333
networking for, 333
overview, 328–329
security, 334
sizing clusters, 332–334
Redshift Managed Storage (RMS), 332
redundant components, 380
regional edge cache locations, 8
regions, 39–40
overview, 7, 8, 9
Rekognition, 28
relational database management systems (RDBMSs), 309
Relational Database Service (RDS), 20, 387
Amazon VPC and, 320–324
backups, 324
data encryption on, 321–324
enhanced monitoring, 325
event notification, 326
high availability (HA) architectures on, 315–317
hosting in Amazon EC2 vs. Amazon RDS, 314–315
hosting scenarios, 312–315
monitoring, 325–326
overview, 311–312
Performance Insights, 326
restores, 324
scaling on, 318–320
standard monitoring, 325
taking a snapshot of a database (lab), 352–353
relational database services, 19
relational databases, 376–377
creating an Amazon Aurora database (lab), 348–351
hosting in Amazon EC2 vs. Amazon RDS, 314–315
hosting in your data center on-premises, 312
hosting on Amazon EC2 servers, 312–313
hosting using Amazon RDS, 313–314
overview, 309–311
primary keys, 310
standby databases, 316–317
See also Amazon Relational Database Service (RDS)
reliability, 378–381
Resource Access Manager, 192–193
Resource Description Framework (RDF) model, 344
Resource Description Framework (RDF) SPARQL query language, 21, 344
resource monitoring in AWS, 290
Amazon CloudWatch, 291–293
Amazon VPC Flow Logs, 296–297
AWS CloudTrail, 294–295
AWS Config, 295–296
AWS Organizations, 300
AWS Trusted Advisor, 297–299
resource-based policies, 50
REST APIs, 40
roles
creating IAM users, groups, and roles (lab), 196–201
IAM roles for Amazon EC2, 203–207
route tables, 98–99
rules, 230–231
S
S3
access control, 47–50
access control lists (ACLs), 50
access policies, 47–49
adding a hex hash prefix to a key name, 45–46
advantages of, 36–37
for application hosting, 38
for backup, 37
basic concepts, 38–41
bucket policies, 49–50
content distribution, 38
costs, 52
cross-region replication (CRR), 55–60
data consistency model, 41–43
data lakes, 38
for disaster recovery, 38
encryption in, 46–47
expiration action, 54
HTTP verbs, 40
infrastructure, 41
Intelligent-Tiering, 52
object lifecycle management, 54–55
objects, 39
One Zone Infrequent Access (S3 One Zone-IA), 42, 51
performance considerations, 43–44
private repositories, 38
real-time stream processing, 260
regions, 39–40
replication, 55–60
resource-based policies, 50
REST APIs, 40
reversing the key name string, 45
same-region replication (SRR), 55–60
SDKs, 40
security best practices, 50
Server Side Encryption (SSE), 46–47
Standard, 51
Standard Infrequent Access (IA), 51
for static web hosting, 38
static web hosting, 61–62
storage classes, 50–53
for tape replacement, 37
transition action, 54
versioning of objects, 54
See also Amazon S3 Glacier; Amazon S3 Glacier Deep Archive
SaaS. See Software as a Service (SaaS)
SageMaker, 28
same-region replication (SRR), 55–60
scalability
Amazon EC2, 140
scaling on Amazon RDS, 318–320
SDKs, 40
Secure Sockets Layer (SSL) certificates, 195
AWS Certificate Manager (ACM), 16
security
Amazon DynamoDB, 342
and Amazon EC2, 140
in Amazon Redshift, 334
AWS Well-Architected Framework (WAF), 368–374
best practices for Amazon S3, 50
building security in every layer, 387
certifications, 10–11
improving with Amazon CloudFront, 262
network security, 105–109
Resource Access Manager, 192–193
shared responsibility model, 187–192
shared security, 9–10
security and compliance services, 15–18
Security Assertion Markup Language (SAML), 178
security credentials, 180, 185
managing IAM user permissions and credentials (lab), 201–202
security groups, 105–107, 158–159
Server Migration Service (SMS), 28
Server Name Indication (SNI), 371
Server Side Encryption (SSE), 46–47
See also Amazon S3; encryption
server-side encryption (SSE), 277
Service Catalog. See AWS Service Catalog
service configuration, 190
Service Health Dashboard, 368
service level agreements (SLAs), 3
shared responsibility model, 187–192
shared security, 9–10
Simple Email Service (SES), 27
Simple Notification Service (SNS), 19, 27, 64, 278–279
Simple Object Access Protocol. See SOAP
Simple Queue Service (SQS), 27
Simple Storage Service. See Amazon S3
Simple Workflow Service, 24, 280–282
single-root I/O virtualization (SR-IOV), 104
Snowball. See AWS Snowball
Snowballs. See AWS Snowball; AWS Snowball Edge
SNS. See Amazon Simple Notification Service (SNS)
SOAP, 40
Software as a Service (SaaS), 4, 5, 192
software distribution, 262
software VPNs, 118
solid state drives (SSDs), 332
source queues, 277
SQL Server, 20
SSE-C, 46–47
SSE-KMS, 47
SSE-S3, 46
SSL/TLS certificates, 195
SSO, 17
standard queues, 276
static web hosting, 38
in Amazon S3, 61–62
Step Functions, 280–282
storage
in AWS, 376
block storage, 35
classes, 50–53
device decommissioning, 189
file storage, 35
gateways, 73
healthcare/life sciences/scientific data, 62
leveraging multiple storage options, 387–388
object storage, 35
on-premise storage integration with AWS, 72–74
storage and content delivery services, 18–19
subnets, 95–97
Swagger, 252
T
tape gateways, 73
tape replacement, 37
target groups, 230
target tracking, 213
scaling policies, 222
targets, 230
TensorFlow, 28
Throughput-Optimized HDD (st1), 69
time to live (TTL), 265
time-series analytics, 258
tokenization, 373
traceability, 369
Traffic Flow, 267
Transit Gateway, 114–115
Transparent Database Encryption (TDE), 321, 370
U
user identity and data synchronization service, 286
users
creating IAM users, groups, and roles (lab), 196–201
creating using IAM, 181–182
root users, 184
V
variable expenses, vs. capital expenses, 3
video streaming, 262
virtual private clouds. See Amazon Virtual Private Cloud (VPC)
virtual private gateways, 117, 118
virtual servers. See instances
virtualization
Hardware Virtual Machine (HVM) AMIs, 153–154
Paravirtual (PV) AMIs, 154
visibility timeouts, 276
Vogels, Werner, 385
volume gateways, 73
VPC. See Amazon Virtual Private Cloud (VPC)
VPC flow logs, 17, 119, 296–297, 372
VPC Wizard
creating a VPC with public and private subnets (lab), 123–127
exploring options in a VPC (lab), 127–134
using (lab), 120–123
See also Amazon Virtual Private Cloud (VPC)
VPN CloudHub, 118
VPN-only subnets, 95
vulnerability protection, 268
W
WAF. See AWS Web Application Firewall (WAF); AWS Well-Architected Framework (WAF)
web server
browsing, 165–166
launching web server instances, 162–165
weighted round robin, 267
write once read many (WORM) model, 56
Z
Zillow, 253
zone apex support, 267