# AWS Cloud Computing

## NIST Cloud Computing Definition

- Definition
    - Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. 
- Cloud Model
    - 5 essential characteristics
        - On-demand self-service
        - Broad network access
        - Resource pooling
        - Rapid elasticity
        - Measured service
    - 3 service models
        - SaaS
        - PaaS
        - IaaS
        - On-Premise
        - IT Stack
            - Application
            - Data
            - Runtime
            - Middleware
            - OS
            - Virtualization
            - Compute
            - Storage
            - Networking
            - Facility
    - 4 deployment models
        - Private Cloud
            - Single Tenant Implementation
        - Community Cloud
        - Hybrid Cloud
        - Public Cloud
            - Multi-Tenant Implementation
            - Ownership: Service Provider
            - Access: Via Internet

## AWS Overview

### AWS Cloud Initiatives

- Advantages of Cloud Computing
    - Capex shifts to Opex
    - Benefits from massive economies of scale
    - Stop guessing capacity/Provisioning on-demand
    - Increase speed of deployment and business agility
    - Stop spending on running and maintaining data centers
    - Go globally in minutes

### Online Resources

- [AWS Cloud Architecture Center](https://aws.amazon.com/architecture/)
- [AWS Whitepapers](https://aws.amazon.com/whitepapers/)
- [AWS Documentation](https://docs.aws.amazon.com/)

### AWS Services Overview

- [check aws website](https://aws.amazon.com/)

### AWS Solutions Overview

- [check aws website](https://aws.amazon.com/)

### AWS Certification Path

![AWS Certification Path](AWS-CertificationView.png)

- [Blog](https://jayendrapatil.com/)

# AWS Cloud Adoption Framework

## Migration Strategy

- Process
    - Discovery
    - Assess
    - Design
    - Migrate
    - Validate

## Migration Management

- Application Migration
    - Process
        - Discovery
        - Identify
        - Measure
        - Explore
    - Practice
        - Security
        - Topology
        - Dependency
        - Availability
        - Performance
- Database Migration
    - Process
        - Discovery
        - Identify
        - Explore
        - Migrate
        - Verification
    - Practice
        - Homogeneous vs Heterogeneous
        - Schema Migrate
        - Data Transfer
- Host Migration
    - Data Migration

## Migration Services and Tools

- Migration Hub
    - Discovery
        - Discovery Connector
        - Discovery Agent
    - Assess
    - Migrate        
- Application Discovery Service
- Database Migration Service
- Server Migration Service
- Data Migration Service
    - AWS Transfer for SFTP
    - Snowball
    - DataSync

# AWS Cloud Architecture Framework

- General Principle
    - Stop guessing your capacity needs
    - Test systems at production scale
    - Automate to make architectural experimentation easier
    - Allow for evolutionary architectures
    - Drive architectures using data
    - Improve through game days

## 5 Pillars of AWS Well-Architected

### Operational Excellence 

- Overview
    - The ability to run and monitor systems to deliver business value and to continually improve supporting processes and procedures.
- Design Principle
    - Perform operations as code
    - Annotate documentation
    - Make frequent, small, reversible changes
    - Refine operations procedures frequently
    - Anticipate failure
    - Learn from all operational failures
- Best Practice
    - Prepare
    - Operate
    - Evolve

### Security

- Overview
    - The ability to protect information, systems, and assets while delivering business value through risk assessments and mitigation strategies.
- Design Principle
    - Implement a strong identity foundation
    - Enable traceability
    - Apply security at all layers
    - Automate security best practices
    - Protect data in transit and at rest
    - Keep people away from data
    - Prepare for security events
- Best Practice
    - Identity and Access Management
    - Detective Controls
    - Infrastructure Protection
    - Data Protection
    - Security Incident Response

### Reliability

- Overview
    - The ability of a system to recover from infrastructure or service disruptions, dynamically acquire computing resources to meet demand, and mitigate disruptions such as misconfigurations or transient network issues.
- Design Principle
    - Test recovery procedures
    - Automatically recover from failure
    - Scale horizontally to increase aggregate system availability
    - Stop guessing capacity
    - Manage change in automation
- Best Practice
    - Foundations
    - Change Management
    - Failure Management

### Performance Efficiency

- Overview
    - The ability to use computing resources efficiently to meet system requirements, and to maintain that efficiency as demand changes and technologies evolve.
- Design Principle
    - Democratize advanced technologies
    - Go global in minutes
    - Use serverless architectures
    - Experiment more often
    - Mechanical sympathy
- Best Practice
    - Selection
    - Review
    - Monitoring
    - Tradeoffs

### Cost Optimization 

- Overview
    - The ability to run systems to deliver business value at the lowest price point.
- Design Principle
    - Adopt a consumption model
    - Measure overall efficiency
    - Stop spending money on data center operations
    - Analyze and attribute expenditure
    - Use managed and application level services to reduce cost of ownership
- Best Practice
    - Expenditure Awareness
    - Cost-Effective Resources
    - Matching supply and demand
    - Optimizing Over Time

## Core Infra Services

### Global Infrastructure

- AWS Global Infrastructures
    - Regions
        - One-to-many relationship with AZs
    - Availability Zones
        - Each AZ is an isolated data center
    - Local Zones
    - POP: Points of Presence (Edge Locations)
    - Network
    - [view online](https://www.infrastructure.aws/)

### Compute

- Compute: EC2
    - Overview
        - AMI: Amazon Machine Image
            - Region Bounded
        - Security Group
        - Placement Group
            - Networking Affiliation
            - Low latency, high throughput networking
            - Only supported by instances with enhanced networking
            - Bound by AZ
        - ASG: Auto Scaling Group
            - Launch Config
            - Dynamic/Predictive Scaling
            - Scale Up/Down
            - Cross AZs/Bound by VPC
        - ELB: Elastic Load Balancer
            - Categorization
                - Classic LB
                - Application LB
                    - Listener Rule
                    - Target Group
                - Network LB (L4)
        - Store
            - Instance store provides temporary block-level storage for the instance; data is lost when the instance is terminated
            - EBS 
    - Types
        - Resources View
            - General Purpose
            - Memory Optimized
            - Compute Optimized
            - Storage Optimized
            - Accelerated Computing
        - Billing View
            - On-Demand
            - Reserved
            - Spot
            - Dedicated
---
- Compute: ECS Amazon Elastic Container Service
    - Overview
        - Launch Type
            - Fargate type: fully managed containers/cluster
            - EC2 type: self-provisioned containers/cluster
    - Use Cases
        - Microservices
        - Batch Processing
        - Application Migration
        - Machine Learning
    - Components
        - Container
            - Container agent
        - Task      
            - Task Definition
                - Family
                - networkMode
                    - none
                    - bridge
                    - host
                    - awsvpc
            - Task Scheduler    
        - Service
        - Cluster
    - Workflow

- Compute: ECR Amazon Elastic Container Registry
    - Overview
        - Fully managed Docker container registry
        
- Compute: EKS Amazon Elastic Kubernetes Service
    - Overview
        - Deploy, manage, and scale containerized applications using Kubernetes
---
- Compute: Lambda
    - Overview
        - Serverless Computing
        
- AWS Serverless Application Repository
    - Overview
        - Deploy applications for web and mobile back-ends, event and data processing, logging, monitoring, IoT
    - SAM: AWS Serverless Application Model
        - Application Package Template

- Compute: Amazon Elastic Beanstalk
    - Overview
        - Deploying and scaling web applications and services 
        - DevOps Stack: Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker 
        - Web Servers: Apache, Nginx, Passenger, and Internet Information Services (IIS).
        - Application Deployment and Management Service
        - Application Provisioning System
        - Environment Tier
            - Web Server Tier
            - Worker Tier
    - Deployment Mode
        - All at once
        - Rolling (per batch)
        - Immutable (two environments, temporarily)
        - Blue-Green (two environments)
---
- Compute: Batch Computing
    - Overview
        - Run hundreds of thousands of batch computing jobs
        - Dynamically provisions the optimal quantity and type of compute resources
        - Plans, schedules, and executes your batch computing workloads across the full range of AWS compute services and features
---

- Compute: AWS Outposts
    - Overview
        - Bring native AWS services, infrastructure, and operating models to virtually any data center, co-location space, or on-premises facility.
    - Hybrid Cloud Solutions
        - VMware Cloud on AWS Outposts
            - Available in limited regions
        - AWS native variant of AWS Outposts

### Network

#### VPC

- Overview
    - Region boundary
    - Span multiple AZs
        - Subnet Bounded by AZ
    - VPC Peering
- Components
    - IGW
        - One IGW per VPC
    - NAT Gateway: connects private subnets to the internet
        - Placed in a public subnet
        - Private subnet route table directs internet-bound traffic to the NAT Gateway
    - NAT Instance: connects private subnets to the internet
        - Placed in a public subnet
        - Private subnet route table directs internet-bound traffic to the NAT Instance
    - VPN
        - VPG: Virtual Private Gateway
    - Transit Gateway
    - Implied Router/Route Tables
        - All VPC traffic goes through the implied router
        - Default Route Table
            - Created automatically with the VPC
            - Automatically associated with each subnet by default
            - Allows traffic between all subnets in the VPC
        - Custom Route Tables
            - Can be associated with multiple subnets
    - Network ACL
        - Virtual stateless firewall
        - Applied at the subnet level
        - Allow/Deny rules evaluated separately for ingress and egress
    - Subnet
        - Private Subnet
            - Implicit route table (local route within the VPC only)
        - Public Subnet
            - Explicit route table entry to the IGW
    - Security Group
        - Virtual stateful firewall: return traffic for allowed inbound connections is automatically allowed out
        - Applied at the instance (ENI) level, 1 to 5 per instance
        - Max 50 rules per SG
        - Implicit deny, explicit allow
    - IP Addresses
        - Public IPs
        - Private IPs
            - A: 10.0.0.0/8
            - B: 172.16.0.0/12
            - C: 192.168.0.0/16
        - Elastic IPs
            - Region bounded
    - EC2: ENI Elastic Network Interface
        - Security Group bound to ENI
    - Endpoints
        - VPC Endpoint Services (AWS PrivateLink)
        
- VPC Connection
    - To Internet
        - Via IGW + Route Table
    - To On-premises
        - Via VPG + VPN (two tunnels available)
        - Via AWS Direct Connect
        - Via AWS Transit Gateway
            - Connectivity Hub
    - To VPCs
        - Via VPC Peering (PCX)
            - Subnet-to-subnet traffic via route tables
            - No overlapping IP CIDR blocks
            - Inter-Region peering doesn't support IPv6
            - An instance in VPC A cannot use the IGW of peered VPC B
- Types
    - VPC with single Public Subnet
    - VPC with Public and Private Subnet via NAT
    - VPC with Public and Private Subnet via VPN
    - VPC with Private Subnet via VPN
    
- Traffic Monitor
    - Flow Log
        - [Flow Log Record](https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html#flow-log-records)
            - `version`
            - `account-id`
            - `interface-id`
            - `srcaddr`
            - `dstaddr`
            - `srcport`
            - `dstport`
            - `protocol`
            - `packets`
            - `bytes`
            - `start`
            - `end`
            - `action`
            - `log-status`
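As an added example (not from the original notes), a parser for the default flow log record format listed above, plus a small defender-side check that flags sources whose rejected TCP connections spread across several destination ports. The sample records, account ID, ENI ID and addresses are constructed placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Field order of the default (version 2) flow log record, as listed above.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")


@dataclass
class FlowRecord:
    version: int
    account_id: str
    interface_id: str
    srcaddr: Optional[str]   # '-' in the record becomes None (NODATA/SKIPDATA)
    dstaddr: Optional[str]
    srcport: Optional[int]
    dstport: Optional[int]
    protocol: Optional[int]  # IANA number: 1 = ICMP, 6 = TCP, 17 = UDP
    packets: int
    bytes: int
    start: datetime
    end: datetime
    action: Optional[str]    # ACCEPT or REJECT; None when no traffic was logged
    log_status: str          # OK, NODATA or SKIPDATA


def _opt(value: str) -> Optional[str]:
    """Flow logs write '-' for fields that do not apply to the record."""
    return None if value == "-" else value


def _opt_int(value: str) -> Optional[int]:
    text = _opt(value)
    return None if text is None else int(text)


def parse_record(line: str) -> FlowRecord:
    """Parse one space-separated default-format record."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    raw = dict(zip(FIELDS, parts))
    return FlowRecord(
        version=int(raw["version"]),
        account_id=raw["account_id"],
        interface_id=raw["interface_id"],
        srcaddr=_opt(raw["srcaddr"]),
        dstaddr=_opt(raw["dstaddr"]),
        srcport=_opt_int(raw["srcport"]),
        dstport=_opt_int(raw["dstport"]),
        protocol=_opt_int(raw["protocol"]),
        packets=_opt_int(raw["packets"]) or 0,
        bytes=_opt_int(raw["bytes"]) or 0,
        start=datetime.fromtimestamp(int(raw["start"]), tz=timezone.utc),
        end=datetime.fromtimestamp(int(raw["end"]), tz=timezone.utc),
        action=_opt(raw["action"]),
        log_status=raw["log_status"],
    )


def parse_log(text: str) -> List[FlowRecord]:
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def rejected_tcp_ports_by_source(records: List[FlowRecord]) -> Dict[str, Set[int]]:
    """Map each source address to the TCP destination ports that the security
    group or network ACL rejected for it. Records whose log_status is not OK
    carry no traffic fields and are skipped."""
    result: Dict[str, Set[int]] = defaultdict(set)
    for rec in records:
        if rec.log_status != "OK" or rec.action != "REJECT" or rec.protocol != 6:
            continue
        result[rec.srcaddr].add(rec.dstport)
    return dict(result)


def probing_sources(records: List[FlowRecord], min_ports: int = 3) -> List[str]:
    """Sources whose rejected TCP attempts hit at least `min_ports` distinct
    destination ports: a cheap indicator that deserves a closer look."""
    by_src = rejected_tcp_ports_by_source(records)
    return sorted(src for src, ports in by_src.items() if len(ports) >= min_ports)


# Constructed sample records: placeholder account ID, ENI ID and documentation IPs.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.25 49152 22 6 3 180 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.25 49153 23 6 3 180 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.25 49154 3389 6 3 180 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.25 51000 443 6 20 4500 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000059 - NODATA
"""

if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for src in probing_sources(records):
        print(src, sorted(rejected_tcp_ports_by_source(records)[src]))
```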


#### Direct Connect, CloudFront, Route 53, ...

- Networking: AWS Direct Connect
    - Overview
        - Connects the enterprise network to the AWS network over dedicated 1G/10G fiber
        - Enterprise Edge Router
        - AWS Direct Connect Router
---
- Networking: AWS CloudFront
    - Overview
        - CDN solution for web/streaming services
    - Features
    - Topologies
        - Edge Locations
        - Multiple Edge Locations
        - Regional Cache Locations
---
- Networking: Amazon Route 53
    - Overview    
        - DNS hosting service
    - Features
        - DNS Resolver
        - Domain Registration
        - Geo and Private DNS
        - DNS Failover
        - Health Check
        - Traffic Flow
        - Latency based routing
        - ELB Integration

---
- Networking: Global Accelerator
    - Overview    
---
- Networking: AWS Transit Gateway
    - Overview   
        - Access hub for VPC connectivity
        
---

- Networking: API Gateway
    - Overview
        - API Management
        - Serverless Architecture
---

- Networking: App Mesh
    - Overview
        - Microservices Management
        
---
- Networking: Cloud Map
    - Overview    

### Storage

- Storage: EBS Elastic Block Store
    - Overview
        - Root Device Volume
        - Data Volume
        - AZ Bounded
    - Features
        - Data Availability and Durability
        - Data Encryption
        - Data Backup
        - Data Snapshot
        - Data Lifecycle Manager
    - Types
        - GP2: General Purpose SSD
        - IO1: Provisioned IOPS SSD
        - HDD-old: Magnetic Volume HDD
        - HDD-st1: Throughput Optimized HDD
        - HDD-sc1: Cold HDD
---
- Storage: EFS Elastic File System
    - Overview
        - Provides shared file storage for instances
        - NFSv4
        - Cross Region Replica
    - Mount Target
        - Required to access EFS from a VPC
        - VPN EFS Endpoint
        - AZ Bounded, not Subnet Bounded
        - Can be created once a subnet exists in that AZ
    - Security
        - Network ACL controls the Mount Target
        - SG controls the Mount Target
        - IAM controls user permissions
    - Features
        - Elastic
        - Flexible
            - on-premise mount
            - cross region mount
    - Store Types
        - General Purpose
        - Max I/O
---
- Storage: S3
    - Overview
        - Universal Namespace
        - Object Storage
        - Key-Value Storage
        - Cross Region Replication
            - versioning enabled
    - Security
        - ACLs: grant access to AWS accounts, per object
            - Object/Bucket Level Control
        - Bucket Policy
            - Bucket Level Control
            - Private by Default
        - IAM User/Group/Role Policy
        - Conflict Resolution
            - Least Privilege Principle
                - Explicit Deny takes precedence over Allow
    - Performance
        - Partition files of 100MB or more for upload
        - Files larger than 5GB must be partitioned
        - Prefix/Folder 3k-5k objects
    - Features
        - Data Availability and Durability
            - 4x9s Availability
            - 11x9s Durability
        - Data Consistency Model
            - Read-after-write consistency for new PUTs
            - Eventual Consistency for Overwrite PUT/DELETES
        - Tiered Storage
        - Encryption
        - Versioning
        - Data Lifecycle Management
    - Bucket
        - Lifecycle Management
            - Lifecycle Rule
                - Transition Action
                    - S3 Standard to S3 Standard-IA to S3 Glacier
                - Expiration Action
        - Versioning
            - Unversioned
            - versioning enabled
            - versioning suspended      
        - Transfer Acceleration
    - Object
        - Files
            - Key: Filename
            - Value: File Content
            - Version ID
            - Metadata
            - Subresources
        - S3 Store Classes
            - S3 Standard
            - S3 Intelligent-Tiering
            - S3 Standard-IA: Infrequent Access
            - S3 One Zone-IA
            - S3 Glacier
            - S3 Glacier Deep Archive
---
- Storage: Storage Gateway
    - Overview
        - Connecting an on-premises software appliance with S3
    - Types
        - File Gateway
        - Volume Gateway
            - Stored Mode
            - Cached Mode
        - Tape Gateway
    - Deployment Mode
        - On-premises
            - VM + Storage Gateway software
            - Hardware Appliance
        - Cloud
            - VM in VMware Cloud on AWS
            - AMI in AWS
---
- Storage: Amazon FSx for Lustre
    - Overview
        - HPC Storage
---
- Storage: Amazon FSx for Windows File
    - Overview
        - HPC Storage
---
- Storage: Snowmobile
    - Import/export EB-scale data
---
- Storage: Snowball
    - import/export PB level data
---
- Storage: Snowball Edge
    - import/export 100TB level data


### Database

- Databases: Amazon RDS
    - Overview
        - Multi-AZ Deployment
            - Synchronous Active-Standby Mode
        - Scalability
            - Scale-up
            - Scale-out
        - Backup
            - Auto backup to S3
        - Snapshot
        - Replica
            - Read-Replicas
    - Limits
        - RDS is not autoscaling and cannot be used behind an ELB.
        - Bound by AZ: No Multi-AZ Deploy
        - Bound by Region: Multi-AZ Deploy
    - DBMS
        - Multi-AZ
            - Master
            - Secondary
        - Read-Replica
            - Cannot utilize ELB
            - Using Route53/HAProxy
            - Using Aurora Cluster
    - Settings/Attributes
        - DB Instance Class
        - DB Instance Identifier
        - Master Username
        - Master Password
    - Benefits
        - Lower Administrative Burden
        - High Performance
        - High Scalability
        - High Availability and Durability
        - High Security
        - Manageability
        - Cost-Effectiveness
    - Categorization
        - Instance View
            - Standard
            - Memory Optimized
            - Burstable Performance
        - DB View
            - Aurora
            - MySQL
            - PostgreSQL
            - MariaDB
            - Oracle
            - SQL Server
    - RDS: Amazon Aurora
        - Features
            - MySQL/PostgreSQL Compatible RDS Service
            - Faster
            - Fully Managed RDS for Provision/Setup/Patching/Backups
            - Grow on-demand, Up to 64G
            - Up to 15 Read Replicas
            - HA and Durability
---

- Databases: Amazon DynamoDB
    - Overview
        - Fully managed, multiregion, multimaster database with built-in security, backup and restore, and in-memory caching for internet-scale applications
        - NoSQL key-value and document DB
        - Global Tables
        - Supports cross region replication
    - Features
        - Schemaless DB
        - Strong Consistency on Read
        - Atomic Counter and Conditional Update
        - DynamoDB Stream
        - DynamoDB Trigger
        - DAX: DynamoDB Accelerator: in-memory cache for DynamoDB
    - DBMS
        - Schema
            - Tables: collection of item data
            - Items: collection of Attributes
            - Attributes: key-value pair
            - Primary Key: Unique
                - Partition(Hash)
                - Partition+Sort(Range)
            - Secondary Indexes
                - Alternative Key
                    - Improve query speed
                - Types
                    - Local Secondary Indexes
                    - Global Secondary Indexes
        - Operate
            - Query
            - Scan
            - UpdateItem
                - Atomic counters
                - Conditional Update
        - Performance
            - WCU
                - 4KB
            - RCU
                - 1KB

- Databases: Amazon DocumentDB
    - Overview
        - MongoDB Compatible Document DB Service
        
- Databases: Amazon Neptune
    - Overview
        - Graph DB Service
    - DBMS
        - Structure
            - Node
            - Edge
            - Property
        
- Databases: Amazon ElastiCache
    - Overview
        - In-memory distributed caching service
        - Accelerating RDS Query
    - Engine Types
        - Redis
        - Memcached
            - can be used as K-V data store too
            
- Databases: Amazon QLDB Quantum Ledger Database
    - Overview
        - Ledger DB Service
        - Transparent, immutable, and cryptographically verifiable transaction log owned by a central trusted authority
        
- Databases: Amazon TimeStream
    - Overview
        - Time series database
    - Use Case
        - IoT and operational applications; makes it easy to store and analyze trillions of events per day

---
- Amazon Redshift
    - Overview
        - PB-Level Data Warehouse Service     
---

- Databases: AWS DMS Database Migration Service
    - Overview
    - Migration Scenarios
        - One-time Migration
        - Replication of On-going changes
        - Heterogeneous Migration using AWS SCT Schema Conversion Tool

## Application Integration

### Workflow

- Amazon SWF: Simple Workflow Service
    - Overview
        - Build, run, and scale background jobs that have parallel or sequential steps
        - State tracker 
        - Task coordinator
---
- Amazon Step Functions Service
    - Overview
        - Coordinate multiple AWS services into serverless workflows so you can build and update apps quickly
    - Use Cases
        - Data Processing
        - Automate tasks
        - Application Orchestration
        - Modernize monolith architecture
---

### Messaging

- Amazon SNS: Simple Notification Service
    - Overview
        - Fully managed pub/sub messaging service that enables you to decouple microservices, distributed systems, and serverless applications.
        - Many-to-many relationship
        - Push-based
    - Topology
        - Topic in SNS
            - Access Policy
        - Publishers
        - Subscribers
---
- Amazon MQ: Message Queue Service
    - Overview
        - Managed Message Broker Service for Apache ActiveMQ
        - Message brokers allow different software systems–often using different programming languages, and on different platforms–to communicate and exchange information
---
- Amazon SQS: Simple Queue Service
    - Overview
        - Fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.
        - Decouple Application
        - Message size: 1-256KB
    - Types
        - Standard Queue
            - maximum throughput
            - best-effort ordering
            - at-least-once delivery
        - FIFO Queue
            - guarantee that messages are processed exactly once
            - in the exact order that they are sent
---

### Service Bus

## Analytics

- Amazon Redshift
    - Overveiw
        - PB-Level Data Warehouse Service
---
- AWS Lake Formation
    - Overview
        - Data Lake Service
---
- Amazon MSK Managed Streaming for Apache Kafka
    - Overview
        - Fully managed, highly available, and secure Apache Kafka service
        - Process streaming data
---
- Amazon Athena
    - Overview
        - Interactive Query Service to analyze S3 Data using SQL
        - Serverless
        - No ETL needed
        - integrated with AWS Glue Data Catalog
        - Built on Presto
---
- Amazon Kinesis
    - Overview
        - Collect, process, and analyze real-time, streaming data
        - Ingest real-time data such as video, audio, application logs, website clickstreams, and IoT telemetry data for machine learning, analytics, and other applications.
        - Realtime Metric and Reporting
        - Realtime Analytic
    - Kinesis Components
        - Kinesis Data Firehose
            - Capture, transform, and load streaming data into Amazon S3, Amazon Redshift, Amazon Elasticsearch Service, and Splunk.
            - Near real-time analytics with existing business intelligence tools and dashboards
        - Kinesis Data Streams
            - Massively scalable and durable realtime data streaming service
        - Kinesis Video Streams
            - Securely stream video from connected devices to AWS for analytics, machine learning (ML), playback, and other processing.
        - Kinesis Data Analytics
            - Analyze streaming data in real-time
---
- Amazon CloudSearch
    - Overview
        - Search solution for web or apps
---
- Amazon Elasticsearch Service
    - Overview
        - Deploy, secure, operate, and scale Elasticsearch to search, analyze, and visualize data in real time
---
- AWS Glue
    - Overview
        - ETL Service
    - Glue Components
        - Glue Crawler
        - Glue Data Catalog
--- 
- Amazon QuickSight
    - Overview
        - BI Service
---
- Amazon EMR Elastic MapReduce
    - Overview
        - Managed Hadoop framework
        - Run Apache Spark, HBase, Presto, and Flink in Amazon EMR
        - Interact with data in other AWS data stores such as Amazon S3 and Amazon DynamoDB
---
- AWS Data Pipeline 
    - Overview
        - Process and move data between different AWS compute and storage services
---

## Machine Learning

## DevOps

- AWS Cloud9
    - Cloud IDE

- AWS CodeCommit
    - Secure Git-based repositories

- AWS CodeBuild
    - Build service that compiles source code, runs tests, and produces software packages

- AWS CodeDeploy
    - Automates code deployments to EC2

- AWS CodePipeline
    - Continuous delivery service
    - Automate release pipelines for fast and reliable application and infrastructure updates
    - Automates the build, test, and deploy phases

- AWS CodeStar
    - Creating, managing, and working with software development projects on AWS

- AWS X-Ray
    - Analyze and debug distributed applications in production or under development

## IoT

## Billing and Cost Management

- AWS Cost Explorer
- AWS Budgets
- AWS Cost & Usage Report
- Reserved Instance (RI) Reporting
- Tools
    - Simple Monthly Calculator
    - AWS TCO Calculator

## Security, Identity,  and Compliance

### Identity and Access Management

- AWS IAM
    - Overview
        - Manage, control and govern the authentication, authorization and access control mechanisms of identities to AWS resources within your AWS account.
        - Who/What/Which under Condition model
            - Who: User, Group, Role
            - What: Allow/Deny CRUD Actions
            - Which: AWS Resources
            - Condition: under which circumstances
        - Workflow Model
            - Principal: User/Role/Group
            - Authentication
            - Request/Effect
            - Authorization
            - Action (Console)/Operation (CLI/API)
            - Resources
        - Global service, free of charge
        - Fine-grained Access Control
        - Shared Access to your Account
        - Eventually Consistent
        - IAM Tool Sets
            - Console
            - APIs
            - CLI
            - SDKs
            
    - IAM Identity Management
        - Root User
        - IAM Users
            - Represents the identity of a person or application accessing your account
            - Consists of Name/Credentials
                - Name
                    - Username
                    - ARN
                    - Unique ID
                - Credentials
                    - Console Password
                    - Access Keys
                - Permission
                    - Inherited from groups
                    - Copy from existing User
                    - Attach existing Policies
        - IAM Groups
            - Collection of Users with shared permission
        - IAM Roles
            - A set of permissions that can be assumed by users or AWS resources
            - No long-term credentials; AWS STS (Security Token Service) provides dynamic temporary credentials
            - Use Cases
                - Grant a user in another AWS account access to your AWS resources
                - Grant an EC2 instance access to other AWS resources
                - Grant a user temporary, least-privilege access to critical resources; the user identity can come from identity federation sources
            - Role Types
                - Service Role
                - Linked Role
                - Role for Cross-Account Access
                - Role for Identity Provider Access
            - Attach Permissions Policy
            - Trusted Entity
                - AWS Services
                - Another AWS Account
                - OpenID Identity
                - SAML 2.0 Federation Identity
        - Identity Federation
            - Allows access to and management of AWS resources without an IAM user account
            - Enables SSO, with STS underneath
            - Identity Sources
                - Amazon Cognito
                - AWS Directory Service 
                - IdP
                    - OpenID Connect: web identity federation
                    - SAML2.0: SP/IdP/Client
                        - MS ADFS/MS AD
     
            
    - IAM Access Control Policy Management
        - Policy: defines account's permission on resources
        - Types: Principal View
            - Identity-Based Policies
                - IAM Policy
            - Resource-Based Policies
                - Resource-based policies are inline policies. 
                - There are no managed resource-based policies
                - Allowed Resources: S3, Glacier, SNS, SQS, KMS
        - Types: OwnerView
            - Managed Policy: AWS
            - Managed Policy: Customer
            - Inline Policy: Embedded into a specific User/Group/Role
        - ARN
            - `arn:aws:iam::ACCOUNT:RESOURCE`
        - Policy Permission Conflict Resolution
            - Explicit Deny overrides Allow
        - Policy Document Components(JSON)
            - Version 
            - Statement
            - Sid (Optional) : Statement ID
            - Effect: Allow/Deny
            - Principal: 
                - (Required in only some circumstances) – If you create a resource-based policy, you must indicate the account, user, role, or federated user to which you would like to allow or deny access. If you are creating an IAM permissions policy to attach to a user or role, you cannot include this element. The principal is implied as that user or role.
            - Action: API Calls
            - Resource: 
                - ARN: `arn:partition:service:region:accountID:resource`
                - (Required in only some circumstances) – If you create an IAM permissions policy, you must specify a list of resources to which the actions apply. If you create a resource-based policy, this element is optional. If you do not include this element, then the resource to which the action applies is the resource to which the policy is attached.
            - Condition (Optional)
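Added example, not from the original notes and not the AWS evaluation engine: a simplified evaluator for identity-based policy documents built from the components listed above (Version, Statement, Sid, Effect, Action, Resource, Condition) that applies the conflict-resolution rule stated here and in the S3 section: an explicit Deny wins over any Allow, and anything not allowed is implicitly denied. The policy, bucket name, CIDR and request context values are constructed; Principal is not evaluated because only identity-based policies are modelled, and only the condition operators the sample policy uses are implemented.

```python
import fnmatch
import ipaddress
import json
from typing import Any, Dict, List, Optional

Json = Dict[str, Any]


def _as_list(value: Any) -> List[Any]:
    """Policy elements may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _glob_match(patterns: Any, value: str, fold_case: bool) -> bool:
    """'*' and '?' in Action/Resource behave like shell globs. Action names are
    case-insensitive; resource ARNs are matched as written."""
    if fold_case:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition: Json, ctx: Dict[str, str]) -> bool:
    """All operator/key pairs must hold (logical AND). Only StringEquals, Bool
    and IpAddress, plus their ...IfExists forms, are implemented here."""
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[: -len("IfExists")] if if_exists else operator
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                # An absent context key (e.g. aws:MultiFactorAuthPresent is not set
                # for long-term access keys) fails the test unless ...IfExists is used.
                if if_exists:
                    continue
                return False
            if base == "StringEquals":
                ok = actual in _as_list(expected)
            elif base == "Bool":
                ok = actual.lower() == str(_as_list(expected)[0]).lower()
            elif base == "IpAddress":
                ok = any(ipaddress.ip_address(actual) in ipaddress.ip_network(cidr)
                         for cidr in _as_list(expected))
            else:
                raise NotImplementedError(f"condition operator {operator} not supported")
            if not ok:
                return False
    return True


def evaluate(policies: List[Json], action: str, resource: str,
             context: Optional[Dict[str, str]] = None) -> str:
    """Decide one request against every attached identity-based policy.
    Returns EXPLICIT_DENY, ALLOW or IMPLICIT_DENY: a matching Deny always wins,
    otherwise some statement must Allow, otherwise the request is denied."""
    ctx = context or {}
    allowed = False
    for doc in policies:
        for stmt in _as_list(doc["Statement"]):
            if "NotAction" in stmt or "NotResource" in stmt:
                raise NotImplementedError("Not* elements are outside this example")
            if not _glob_match(stmt["Action"], action, fold_case=True):
                continue
            if not _glob_match(stmt["Resource"], resource, fold_case=False):
                continue
            if "Condition" in stmt and not _condition_holds(stmt["Condition"], ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "EXPLICIT_DENY"   # stop: nothing can override an explicit Deny
            allowed = True
    return "ALLOW" if allowed else "IMPLICIT_DENY"


# Constructed identity-based policy document (bucket name and CIDR are placeholders).
SAMPLE_POLICY: Json = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadExampleBucket", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Sid": "UploadFromOfficeOnly", "Effect": "Allow",
     "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-bucket/uploads/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "198.51.100.0/24"}}},
    {"Sid": "DenyFinanceWithoutMfa", "Effect": "Deny",
     "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-bucket/finance/*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}
  ]
}""")

if __name__ == "__main__":
    finance = "arn:aws:s3:::example-bucket/finance/q1.csv"
    print(evaluate([SAMPLE_POLICY], "s3:GetObject", finance))
    print(evaluate([SAMPLE_POLICY], "s3:GetObject", finance, {"aws:MultiFactorAuthPresent": "true"}))
```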
            
    - IAM Features
        - Shared access to AWS account
            - cross account access
                - Test/Dev account
                - UAT/Prod account
                - Partner account
        - Granular permissions
        - STS: Security Token Service
        - MFA: Multi-Factor Authentication
        - Password Policies Management
        - Integration with AWS resources
        - 4A:
            - Authentication
                - User/Password
                - Access Key: ID/Secret
                - Access Key/Temp Session Token
            - Authorization
            - Auditing
            - Accounting
                
    - Best Practices
        - Lock Root User access keys
        - Create Individual IAM Users
        - Use Group to assign permission
        - Use AWS defined policies
        - Grant Least-privilege
        - Review IAM permission
        - Strong password policy
        - MFA for privilege users
        - Use Role for EC2 applications
        - Use Role to delegate permission
        - Do not share access keys
        - Rotate credentials
        - Remove unnecessary credentials
        - Use policy conditions
        - Monitor Activities

---
- AWS Single Sign-On
    - Overview
        - cloud service that makes it easy to manage SSO access to multiple AWS accounts and business applications in AWS Organizations

---
- AWS Directory Service
    - Overview
    - Directories
        - MS Active Directory
        - AD Connector
        - Simple AD
        - Amazon Cognito
        - Amazon Cloud Directory
        
        
- AWS Resource Access Manager
    - Overview
        - Share AWS resources with other AWS accounts.

---

- Amazon Cognito
    - Overview
        - manage user pool and identity pool
        - User pools are user directories that provide sign-up and sign-in options for your app users. 
        - Identity pools provide AWS credentials to grant your users access to other AWS services
    

### Network Security

- AWS Shield
    - Overview
        - protect from DDoS
    - Types
        - AWS Shield Standard
        - AWS Shield Advanced
            - UDP Reflection, SYN Flood, DNS Query Flood, HTTP Flood
    - Practice
        - Reduce Attack Surface
        - Plan for Scale
        - Identify normal/abnormal traffic patterns
        - Deploy WAF to protect Application
---


### Host Security

### Data Security

- AWS Secrets Manager
    - Overview
        - Easily rotate, manage, and retrieve secrets throughout their lifecycle
        
- Amazon KMS Key Management Service
    - Overview
        - Centralized Key Management
        - Control Encryptions for AWS Services

- Amazon CloudHSM Hardware Security Module
    - Overview
        - cloud-based hardware security modules (HSMs) for generating and using your own encryption keys in the AWS Cloud
    - Use Case
        - Offload SSL processing from Web Server
        - Protect Private Keys for Issuing CA
        - Enable TDE(Transparent Data Encryption) for Oracle DB
        
---
- AWS Certificate Manager: ACM
    - Overview
        - easy to provision, manage, deploy, and renew SSL/TLS certificates on the AWS platform
        
---
- Amazon Macie
    - Overview
        - data visibility security service that helps classify and protect your sensitive and business-critical content.
    - Workflow
        - Discover
        - Classify
        - Protect

### Application Security

- AWS Firewall Manager
    - Overview
    
- AWS Web Application Firewall: AWS WAF
    - Overview
        - Web application firewall service that lets you monitor web requests that are forwarded to an Amazon API Gateway API, an Amazon CloudFront distribution, or an Application Load Balancer
    - Deploy Placement
        - CloudFront
        - Application LB
        - EC2
        - API Gateway
---

### Security Management

- AWS Inspector
    - Overview
        - Security Assessment Service
        - Built for DevSecOps
    - Workflow
        - Install on Instances
        - Run assessment for targets
        - Analyze assessment result
        - Remediate security issues
---
- AWS Security Hub
    - Overview
        - Consolidated view of your security status in AWS. 
        - Automate security checks, manage security findings, and identify the highest priority security issues across your AWS environment.
        
---
- Amazon Detective
    - Overview
        - Analyze and visualize security data to rapidly get to the root cause of potential security issues

- Amazon GuardDuty
    - Overview
        - Threat Detection Service
        - continuous security monitoring service that analyzes and processes the following data sources: VPC Flow Logs, AWS CloudTrail event logs, and DNS logs.
    - Workflow
        - Enable GuardDuty by Account
        - Continuously Collecting Data
        - Continuously Analyzing
        - Intelligently Detecting Threats
        - Take Action

## Management and Governance

### Provisioning

- Amazon CloudFormation
    - Overview
        - Infra as Code Service
        - Template based provisioning and automation
    - Components
        - Template
            - Describe AWS Resources in JSON/YAML
            - [Format](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-formats.html)
        - Stack
        - StackSet
        - CloudFormer
        - CloudFormation Designer
    - Use Case
        - Dev/Test Environment Quick Launch
        - Replicate Configuration between Environments

---
- AWS Service Catalog
    - Overview
        - Take control of your company's cloud resources
        - Enable self-service for your cloud users with products you define and govern
    - Components
        - OU: Organization Unit
        - SCP: Service Control Policy
---
- Amazon Organizations
    - Overview
        - Consolidate Multiple AWS Accounts for Central Management
        - Consolidated Billing
        - Integrate with IAM

### Monitoring and Logging

- Amazon CloudWatch
    - Overview
        - Monitoring and Management of AWS Resources
    - Workflow
        - Collect
            - Metrics/Logs
        - Monitor
        - Act
        - Analyze
    - Components
        - Metrics
        - Alarms
        - Events
            - Rules
            - Targets
        - Logs
            - Log Stream
            - Log Stream Group
        - Dashboards
---
- Amazon CloudTrail
    - Overview
        - governance, compliance, operational and risk auditing for AWS account
    - Workflow
        - Capture
        - Store
        - Act
        - Review

### Operation

---
- Amazon Systems Manager
    - Overview
    - Workflow
        - Group Resources
        - Visualize Data
        - Take Action
    - Components
        - Tool Sets
            - Run CMD
            - State Manager
            - Inventory
            - Maintenance Window
            - Patch Manager
            - Automation
---
- Amazon Personal Health Dashboard
    - Overview
        - Show events/issues/changes

---
- Amazon Trusted Advisor
    - Overview
    - Advisor Domains
        - Cost Optimization
        - Performance
        - Security
        - Fault Tolerance
        - Service Limits
---

### Configuration

- Amazon Config
    - Overview
        - AWS resources inventory of AWS account
        - Change management
        
- AWS OpsWorks
    - Overview
        - Configuration Management Platform
        - More Control of Infrastructure over Elastic Beanstalk
    - OpsWorks Stacks
        - Components
            - Stack
            - Layer
                - Recipe
            - Apps
            - Instances
    - OpsWorks for Chef Automation   
    - OpsWorks for Puppet Enterprise
        

### Support

- Amazon Support Plan
    - Overview
    - Types
        - Basic Support Plan
        - Developer Plan
        - Business Plan
        - Enterprise Plan
---

### Regulation, Compliance

- Compliance Program
    - [AWS Cloud Compliance Program](https://aws.amazon.com/compliance/programs/)
        - [AWS Artifact Reports](https://aws.amazon.com/artifact/)
    - Compliant
    - Compliance-Enabling
    
- AWS Artifact
    - AWS Compliance Reports Repository
---

# AWS Cloud Security Framework

## Shared Responsibility Model

<img style="-webkit-user-select: none;margin: auto;cursor: zoom-in;" src="AWS-Secuirty-SharedResponsibilityModel.png" width="750" height="600">

- AWS Vulnerability and Penetration Testing

## Security Stack

- Physical and Environmental Security
- Network Security
- Host Security
- Data Security
- Application Security
- User and Identity Security
- Business Continuity Management

## Security Strategy, Governance, Management

- Security Strategy
    - Prevent
    - Detect
    - Respond
    - Remediate

## Security Regulation, Compliance

- Compliance
    - [AWS Cloud Compliance Program](https://aws.amazon.com/compliance/programs/)
        - [AWS Artifact Reports](https://aws.amazon.com/artifact/)

# AWS Cloud DevOps Framework

## Cloud Resources Access

- AWS Management Console
    - Username/Password
    - MFA
- [AWS CLI](https://aws.amazon.com/cli/)
    - IAM Credential
        - Access key ID/Secret access key
        - SSH Public key/Private key
    - `aws SERVICE ACTION CONFIG`
- [SDKs and Toolkits](https://aws.amazon.com/getting-started/tools-sdks/)
    - IAM Temporary Credential
    
- [AWS Cloud Development Kit(AWS CDK)](https://aws.amazon.com/cdk/)
    - Powered by AWS CloudFormation
    - Model application infrastructure using TypeScript, Python, Java, and .NET.

## Infrastructure as Code

- AWS Services Sets
    - AWS CloudFormation
        - Designer
        - Template
        - CloudFormer

## CI/CD

- AWS Service Sets
    - CodeCommit
    - CodePipeline
    - Elastic Beanstalk
    - OpsWorks
    - ECS/ECR/EKS
- Best Practice
    - CI/CD with CodePipeline
        - Source Code
            - Github
        - Build
            - CodeBuild
        - Deploy
            - CodeDeploy
        - Product
            - Elastic Beanstalk
    - Blue-Green Deployment
        - Elastic Beanstalk Application

## Ops

- AWS Service Sets
    - s

# AWS Best Practices

## Networking

- Network Resources Relationship View
    - <img style="-webkit-user-select: none;margin: auto;cursor: zoom-in;" src="AWS-BestPractice-NetResRelaView.png" width="600" height="500">
    

    
- Network Design 01: ENI, SG, Subnet, Route, IGW, VPG, NAT, PCX, Transit VPC
    - <img style="-webkit-user-select: none;margin: auto;cursor: zoom-in;" src="AWS-BestPractice-NetDesign01.png" width="900" height="700">

# END