# AWS Cloud Computing

## NIST Cloud Computing Definition

- Definition
    - Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. 
- Cloud Model
    - 5 essential characteristics
        - On-demand self-service
        - Broad network access
        - Resource pooling
        - Rapid elasticity
        - Measured service
    - 3 service models
        - SaaS
        - PaaS
        - IaaS
        - On-Premise
        - IT Stack
            - Application
            - Data
            - Runtime
            - Middleware
            - OS
            - Virtualization
            - Compute
            - Storage
            - Networking
            - Facility
    - 4 deployment models
      - Private Cloud
          - Single Tenant Implementation
      - Community Cloud
      - Hybrid Cloud
      - Public Cloud 
          - Multi-Tenant Implementation
          - Ownership: Service Provider
          - Access: Via Internet

## AWS Overview

### AWS Cloud Initiatives

- Advantages of Cloud Computing
    - Capex shifts to Opex
    - Benefits from massive economies of scale
    - Stop guessing capacity/Provisioning on-demand
    - Increase speed of deployment and business agility
    - Stop spending on running and maintaining data centers
    - Go globally in minutes

### Online Resources

- [AWS Cloud Architecture Center](https://aws.amazon.com/architecture/)
- [AWS Whitepapers](https://aws.amazon.com/whitepapers/)
- [AWS Documentation](https://docs.aws.amazon.com/)

### AWS Services Overview

- [check aws website](https://aws.amazon.com/)

### AWS Solutions Overview

- [check aws website](https://aws.amazon.com/)

### AWS Certification Path

<img style="-webkit-user-select: none;margin: auto;cursor: zoom-in;" src="AWS-CertificationView.png" width="750" height="600">

- [Blog](https://jayendrapatil.com/)

# AWS Cloud Adoption Framework

## Envisioning

## Perspectives

### Business Perspectives

- Business Perspective

- People Perspective

- Governance Perspective

### Technical Perspectives

- Platform Perspective

- Security Perspective

- Operation Perspective

## Action Plan

# AWS Cloud Migration Framework

- Process
    - Discovery
    - Assess
    - Design
    - Migrate
    - Validate
    - Operate
    - Optimize
- Method
    - Re-host
    - Re-Platform
    - Re-Factor
    - Re-Architect
    - Re-Invent
    - Retain
    - Retire

## Migration Management

- Application Migration
    - Process
        - Discovery
        - Identify
        - Measure
        - Explore
    - Practice
        - Security
        - Topology
        - Dependency
        - Availability
        - Performance

- Database Migration
    - Process
        - Discovery
        - Identify
        - Explore
        - Migrate
        - Verification
    - Practice
        - Homogeneous vs Heterogeneous
        - Schema Migrate
        - Data Transfer
- Host Migration
    - Data Migration

## Migration Services and Tools

- Migration Hub
    - Discovery
        - Discovery Connector
        - Discovery Agent
    - Assess
    - Migrate        
- Application Discovery Service
- Database Migration Service
- Server Migration Service
- Data Migration Service
    - AWS Transfer for SFTP
    - Snowball
    - DataSync

# AWS Cloud Architecture Framework

- General Principle
    - Stop guessing your capacity needs
    - Test systems at production scale
    - Automate to make architectural experimentation easier
    - Allow for evolutionary architectures
    - Drive architectures using data
    - Improve through game days

## 5 Pillars of AWS Well-Architected

### General Principles

- Stop guessing capacity
- Automate everything
- Test at scale
- Adapt and Evolve
- Be Data-Driven
- Practice

### Security

- Overview
    - The ability to protect information, systems, and assets while delivering business value through risk assessments and mitigation strategies.
- Design Principle
    - Implement a strong identity foundation
    - Enable traceability
    - Apply security at all layers
    - Automate security best practices
    - Protect data in transit and at rest
    - Keep people away from data
    - Prepare for security events
- Best Practice
    - Identity and Access Management
    - Detective Controls
    - Infrastructure Protection
    - Data Protection
    - Security Incident Response

### Cost Optimization 

- Overview
    - The ability to run systems to deliver business value at the lowest price point.
- Design Principle
    - Adopt a consumption model
    - Measure overall efficiency
    - Stop spending money on data center operations
    - Analyze and attribute expenditure
    - Use managed and application level services to reduce cost of ownership
- Best Practice
    - Expenditure Awareness
    - Cost-Effective Resources
    - Matching supply and demand
    - Optimizing Over Time

### Operational Excellence 

- Overview
    - The ability to run and monitor systems to deliver business value and to continually improve supporting processes and procedures.
- Design Principle
    - Perform operations as code
    - Annotate documentation
    - Make frequent, small, reversible changes
    - Refine operations procedures frequently
    - Anticipate failure
    - Learn from all operational failures
- Best Practice
    - Prepare
    - Operate
    - Evolve

### Reliability

- Overview
    - The ability of a system to recover from infrastructure or service disruptions, dynamically acquire computing resources to meet demand, and mitigate disruptions such as misconfigurations or transient network issues.
- Design Principle
    - Test recovery procedures
    - Automatically recover from failure
    - Scale horizontally to increase aggregate system availability
    - Stop guessing capacity
    - Manage change in automation
- Best Practice
    - Foundations
    - Change Management
    - Failure Management

### Performance Efficiency

- Overview
    - The ability to use computing resources efficiently to meet system requirements, and to maintain that efficiency as demand changes and technologies evolve.
- Design Principle
    - Democratize advanced technologies
    - Go global in minutes
    - Use serverless architectures
    - Experiment more often
    - Mechanical sympathy
- Best Practice
    - Selection
    - Review
    - Monitoring
    - Tradeoffs

## Core Infra Services

### Global Infrastructure

- AWS Global Infrastructures
    - Regions
        - One-2-Many relationship with AZs
    - Availability Zones
        - AZ is isolated DC
    - Local Zones
    - POP: Points of Presence(Edge Locations)
    - Network
    - [view online](https://www.infrastructure.aws/)

### Compute

#### EC2

- Overview
- Use Case
- Technology
    - Instance Categories
        - Tenancy View
            - default: Shared Instance
            - dedicated: Dedicated Instance
            - host: Dedicated Host Instance
        - Resources View
            - General Purpose: t, m
                - Scale-out workloads such as web servers, 
                - containerized microservices, 
                - caching fleets 
                - distributed data stores, as well as development environments
            - Memory Optimized: r, x
                - DB workload
                - HPC
                - EDA
                - SAP HANA
                - In-Memory DB Engine
                - Analytic DB Engine
            - Compute Optimized: c
                - High performance web servers, 
                - scientific modelling, 
                - batch processing, 
                - distributed analytics, 
                - high-performance computing (HPC), 
                - machine/deep learning inference, 
                - ad serving, 
                - highly scalable multiplayer gaming, and video encoding.
            - Storage Optimized: d, i
                - MPP data warehouse
                - MapReduce/Hadoop
                - Log data processing
                - OLTP-like
            - Accelerated Computing: f, p, g
        - Billing View
            - On-Demand Instances
            - Reserved Instances
                - Scheduled Reserved Instances
            - Spot Instances
            - Dedicated Hosts
    - Instance Lifecycle
        - AMI: Amazon Machine Image
            - Region Bounded
        - Action: 
            - launch
            - reboot
            - stop
            - start
            - terminate
        - Status
            - pending
            - running
            - rebooting
            - stopping
            - stopped
            - shutting-down
            - terminated
    - Security Group
    - Placement Group
        - Networking Affiliation
        - low latency, High throughput networking
        - only supported by network enhanced instances
        - Bound by AZ
    - ASG: Auto Scaling Group
        - Launch Config
        - Scaling Policy
            - Dynamic/Predictive Scaling
            - Scale Up/Down            
            - SNS Notification
        - Cross AZs/Bound by VPC
        - ASG Lifecycle
            - <img style="-webkit-user-select: none;margin: auto;cursor: zoom-in;" src="AWS-ASG-Lifecycle.png" width="600" height="600">
        - ASG Lifecycle Hook
            - customize actions before instance running
            - Pending:Wait -> Launching Hook Action -> Pending:Proceed
            - Terminating:Wait -> Terminating Hook Action -> Terminating:Proceed
        - Manual Scaling
            - Attach EC2 Instance
            - Detach EC2 Instance
            - Change Capacity using CLI
            - Change Capacity using Console
        - Scheduled Scaling
            - Schedule Action
        - Dynamic Scaling
            - Scaling Policy
                - Simple Scaling
                - Step Scaling
                - Target Tracking Scaling
                    - Metric Types
                        - CPU
                        - Network IN
                        - Network OUT
                        - ALB Requests count
            
    - ELB: Elastic Load Balancer
        - HA by Design
        - Cross-Zone LB or Zone-Bound LB
        - Features
            - Targets Health Check
            - SSL offload
            - Client IP forward
                - <img style="-webkit-user-select: none;margin: auto;cursor: zoom-in;" src="AWS-ELB-ClientIP.png" width="400" height="300">
        - Categorization
            - traffic view
                - internal LB
                - Internet-facing LB
            - Function View
                - Classic LB
                - Application LB
                    - Routing 
                        - Host-Based
                        - Content-Based
                        - Path-Based
                    - Listener Rule
                        - Condition
                            - Host Header
                            - Path Header
                        - Http Header
                        - Http Request Method
                        - Query String
                        - Source IP
                        - Path Condition
                    - Target Group
                        - HTTP 503: no registered target
                        - Instance
                            - Protocol: HTTP, HTTPS
                            - Ports: 1-65535
                        - IP
                        - Lambda Function
                        - Health Check
                    - Session Stickiness
                        - cookie used
                        - expired setting
                    - Cross-Zone LB
                - Network LB(L4)
                    - Protocols
                        - TCP, UDP, TLS, TCP_UDP
         - Deploy/Config
             - Select VPC
             - Select Subnets
             - Select ACM Certificate
             - Select SG
             - Config Routing
                 - Target Group
                 - Health Checks
            
    - Store
        - Instance store
            - data is lost when
                - instance stops
                - instance terminates
                - underlying physical disk fails
        - EBS 
- Architecture
    - Security
    - Reliability
    - Performance
    - Operation
    - Cost
- Deploy/Config/Operate
    - Prerequisite
    - Workflow
- Optimize
    - Best Practice
    



#### ECS, ECR, EKS

- Compute: ECS Amazon Elastic Container Service
    - Overview
        - Launch Type
            - Fargate Type: Fully Managed Container/Cluster
            - EC2 Type: Self-Provisioning Container/Cluster
    - Use Cases
        - Microservices
        - Batch Processing
        - Application Migration
        - Machine Learning
    - Components
        - Container
            - Container Definition
                - Image
                - Ports
                - Registry
                - Environment Variable
            - Container Agent
        - Task      
            - Task Definition
                - Family
                - networkMode
                    - none
                    - bridge
                    - host
                    - awsvpc
            - Task Scheduler    
        - Service
        - Cluster
    - Workflow

- Compute: ECR Amazon Elastic Container Registry
    - Overview
        - Fully-managed Docker container registry
    - Components
        - Registry
        - Repository
        - Repository Policy
        - Authorization Token
        - Image
        
- Compute: EKS Amazon Elastic Kubernetes Service
    - Overview
        - Deploy, manage, and scale containerized applications using Kubernetes
---

#### Lambda

- Compute: Lambda
    - Overview
        - Serverless Computing
    - Use Case
        - Patterns
            - Event Driven Design
            - Speed, Simple, Singular
            - Concurrent
            - Share Nothing
            - Use a state machine or coordinator (AWS SWF)
            - Design for Failure/Duplicate
    - Components
        - Layer
            - IAM
            - Compute
            - Process Logic
            - Messaging/Streaming
            - Data
        - Function
        - Application
    - Architecture
        - Data Plane
        - Control Plane
            - Event Driven
                - Pull pattern: Kinesis/DynamoDB/SQS
                - Invoked Sync
                - Invoked Async
- AWS Serverless Application Repository
    - Overview
        - Deploy applications for web and mobile back-ends, event and data processing, logging, monitoring, IoT
    - SAM: AWS Serverless Application Model (SAM)
        - Application Package Template

#### Serverless

- Compute: Amazon Elastic Beanstalk
    - Overview
        - Deploying and scaling web applications and services 
        - DevOps Stack: Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker 
        - Web Servers: Apache, Nginx, Passenger, and Internet Information Services (IIS).
        - Application Deployment and Management Service
        - Application Provisioning System
        - Environment Tier
            - Web Server Tier
            - Worker Tier
    - Deployment Mode
        - All at once
        - Rolling per batch basis
        - Rolling with additional batch
        - Immutable(two environment temporarily)
        - Blue/Green with two environment(Route53 weighted routing)
---
- Compute: Batch Computing
    - Overview
        - Run hundreds of thousands of batch computing jobs
        - Dynamically provisions the optimal quantity and type of compute resources
        - Plans, schedules, and executes your batch computing workloads across the full range of AWS compute services and features
---

- Compute: AWS Outposts
    - Overview
        - Bring native AWS services, infrastructure, and operating models to virtually any data center, co-location space, or on-premises facility.
    - Hybrid Cloud Solutions
        - VMware Cloud on AWS Outposts
            - Available in Limited Regions
        - AWS native variant of AWS Outposts

### Network

#### VPC

- Overview
    - Logically isolated virtual network
    - Region boundary
    - Span multiple AZs
        - Subnet Bounded by AZ
    - VPC Peering
- Use Case
    - Types
        - VPC with single Public Subnet
        - VPC with Public and Private Subnet via NAT
        - VPC with Public and Private Subnet via VPN
        - VPC with Private Subnet via VPN
        
---

- Technology
    - Components
        - IGW
            - One IGW per VPC
            - HA, Scale-out, Managed
        - NAT
            - NAT Gateway: connect private subnet to internet
                - Placed at VPC Edge, link to subnet route table
                - private subnet route table direct traffic to NAT Gateway
            - NAT Instance: connect private subnet to internet
                - Place in Public Subnet
                - private subnet route table direct traffic to NAT Instance
        - VPN Gateway
            - Connectors
                - AWS Side: VPC Virtual Private Gateway
                - Customer Side: Customer Gateway
            - Scenarios
                - Site-to-Site VPN
                - AWS Client VPN: OpenVPN-based Client
                - AWS VPN CloudHub
                - Third party software VPN appliance
                - VPN over Direct Connect
        - Transit Gateway
        - Implied Router/Route Tables
            - All VPC traffics go through Implied Router
            - Default Main Route Table
                - Default Route Table creates with VPC creation
                - Default Route Table automatically attached to default subnet
                - Default Route Table allows traffic in VPC for all subnets
            - Custom Route Tables
                - Can Attached to multiple subnets
            - local route rule cannot be modified
        - Network ACL
            - Virtual Stateless Firewall
            - Apply on Subnet level
            - Allow/Deny ingress/egress in bi-direction
                - Default Network ACL Allow all
                - Newly created Network ACL denies all
        - Subnet
            - implicitly attached to default main route table
            - can also explicitly attach default main route table
            - can replace main route table with custom route table
            - can not delete route table
            - Private Subnet
                - Implicit Route Table to VPC
            - Public Subnet
                - Explicit Route Table to IGW
        - Security Group
            - Virtual stateful firewall: return traffic for a connection allowed inbound is automatically allowed out.
            - Ingress: Allow rules only; all ingress is denied by default
            - Egress: Allow rules only; all egress is allowed by default
            - Apply on instance level, 1 to 5 per instance
            - Max 50 rules per SG
            - Deny implicit, Allow explicit
        - IP Addresses
            - Public IPs
                - from AWS Public IP Pool
            - Private IPs
                - A: 10.0.0.0/8
                - B: 172.16.0.0/12
                - C: 192.168.0.0/16
            - Elastic IPs
                - Region bounded, associated with your account
        - ENI Elastic Network Interface
            - IPs
                - 1 primary private IPv4 address
                - 0+ secondary private IPv4 address
                - 1 EIP per private IPv4 address
                - 1 Public IP auto-assigned to eth0
                - 0+ IPv6 address
                - 1+ SG
                - 1 MAC
                - Source/Destination Check Flag: Enabled by default
        - EC2 Instance NIC
            - Security Groups associated with NI
            - Primary NI can not be detached
        - Endpoints
            - VPC Endpoint Services (AWS PrivateLink)
    - VPC Connection
        - To Internet
            - Via IGW + Route Table
        - to On-premise
            - Via VPG + VPN, dual channels available
            - Via AWS Direct Connect
            - Via AWS Transit Gateway
                - Spoke-Hub Mode
        - to VPCs
            - Via VPC Peering(PCX)
                - subnet-to-subnet traffic via route tables
                - no overlapping IP CIDR Blocks
                - Inter-Region peering doesn't support IPv6
                - An Instance in A VPC cannot use peering B VPC's IGW
            - Via AWS Transit Gateway
                - Spoke-Hub Mode    
    - Internet Traffic Flow Process
        - Public VPC
            - Container: VPC
                - IGW
                - Container: Subnet
                    - Route Table: to IGW
                    - NACL
                    - Container: Instance
                        - SGs
                        - NIs   
        - Private VPC with NAT Gateway
             - Container: VPC
                 - NAT Gateway
                 - Container: Private Subnet
                     - Route Table: to NAT GW
                     - NACL
                     - Container: Instance
                         - SGs
                         - NIs              
        - Private and Public VPC with NAT Instance
             - Container: VPC    
                 - IGW
                 - Container: Pub Subnet
                     - Route Table: to IGW
                     - NACL
                     - Container: NAT Instance with EIP
                         - SGs
                         - ENIs 
                             - EIP
                         - Disable Source/Destination Check
                 - Container: Private Subnet
                     - Route Table: to NAT Instance ID
                     - NACL
                     - Container: Instance
                         - SGs
                         - NIs 
- Architecture
    - Security
        - VPN
        - NAT
        - NACL
        - SG
        - Flow Logs + CloudWatch
    - Reliability
    - Performance
    - Operation
        - Traffic Monitor
            - Flow Log 
                - Can be created at VPCs, Subnets, NIs
                - Bound to monitored VPC, not span to peering VPC
                - several minutes delay to CloudWatch logs
                - omitted traffic
                    - instance to AWS DNS server
                    - Windows license service traffic
                    - Metadata service traffic: 169.254.169.254
                    - DHCP traffic
                    - Traffic to the 5 reserved IPs of the default VPC router
                - Flow Log Record
                    - <version> 
                    - <account-id>
                    - <interface-id> 
                    - <srcaddr> 
                    - <dstaddr> 
                    - <srcport> 
                    - <dstport> 
                    - <protocol> 
                    - <packets> 
                    - <bytes> 
                    - <start> 
                    - <end> 
                    - <action> 
                    - <log-status>
    - Cost
- Deploy/Config/Operate
    - Prerequisite
    - Workflow
- Optimize
    - Best Practice
        - <img style="-webkit-user-select: none;margin: auto;cursor: zoom-in;" src="AWS-VPC-Topology01.png" width="600" height="600">
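The Flow Log Record fields listed above, parsed and turned into a simple detection. This is an added example, not code from the original notes or from AWS: the records in `SAMPLE_LOG` are constructed, and the account id, interface id and addresses are placeholders.

```python
"""Parse VPC Flow Log records (default format) and summarise REJECTed traffic
per source address. Added example; constructed sample data.

Remember what the notes say is never logged: instance-to-VPC-DNS traffic,
metadata service traffic (169.254.169.254) and DHCP, so their absence in a
flow log is expected, not evidence that nothing happened.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Field order of the default flow log record, as listed in the notes.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes",
              "start", "end"}

# Constructed sample: one source rejected on several ports (a sweep against a
# security group / NACL), one normal HTTPS client, and two records with no
# flow data (NODATA / SKIPDATA), where every flow field is '-'.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 51234 22 6 4 240 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 51235 23 6 4 240 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 51236 3389 6 4 240 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 51237 445 6 4 240 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 40000 443 6 20 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - SKIPDATA
"""


@dataclass
class FlowRecord:
    version: int
    account_id: str
    interface_id: str
    srcaddr: Optional[str]
    dstaddr: Optional[str]
    srcport: Optional[int]
    dstport: Optional[int]
    protocol: Optional[int]      # IANA protocol number, 6 = TCP
    packets: Optional[int]
    bytes: Optional[int]
    start: int                   # epoch seconds of the capture window
    end: int
    action: Optional[str]        # ACCEPT or REJECT
    log_status: str              # OK, NODATA or SKIPDATA


def parse_record(line: str) -> FlowRecord:
    """Parse one space-separated record; '-' marks a field with no value."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    values = {}
    for name, raw in zip(FIELDS, parts):
        if raw == "-":
            values[name] = None
        elif name in INT_FIELDS:
            values[name] = int(raw)
        else:
            values[name] = raw
    return FlowRecord(**values)


def parse_flow_log(text: str) -> List[FlowRecord]:
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def rejected_ports_by_source(records: List[FlowRecord]) -> Dict[str, Set[int]]:
    """Distinct destination ports on which each source was REJECTed.
    Records without flow data (log_status != OK) carry no addresses and are skipped."""
    ports: Dict[str, Set[int]] = defaultdict(set)
    for r in records:
        if r.log_status == "OK" and r.action == "REJECT":
            ports[r.srcaddr].add(r.dstport)
    return dict(ports)


def probing_sources(records: List[FlowRecord], min_ports: int = 3) -> List[str]:
    """Sources rejected on at least `min_ports` distinct ports in the window:
    a cheap port-sweep indicator worth a CloudWatch metric filter and alarm.
    The threshold is an assumption for this example, not an AWS default."""
    return sorted(src for src, ports in rejected_ports_by_source(records).items()
                  if len(ports) >= min_ports)


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    by_src = rejected_ports_by_source(recs)
    for src in probing_sources(recs):
        print(f"{src}: rejected on ports {sorted(by_src[src])}")
```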
    



#### Route53

- Overview
    - DNS hosting service
    - Domain Name Registration
    - Internet Traffic Routing
- Use Case
- Features
    - Domain Registration
    - DNS Resolver
    - Traffic Flow/ Routing Policy
    - AWS Cloud Services Integration
    - Health Check
        - HTTP/HTTPS
        - TCP
- Technology
    - DNS Record Types
        - A: IPv4 Address
        - AAAA: IPv6 Address
        - CNAME: Canonical Name
        - Alias
        - SOA
        - NS: Name Server
        - TXT
        - MX: Mail Exchanger
        - PTR: reverse of A record
        - SRV:
            - `PRIORITY WEIGHT PORT TARGET_NAME`
            - `10 5 8080 target.example.com`
    - Hosted Zone: records set
        - Public Hosted Zone
        - Private Hosted Zone
            - VPC: enableDnsHostnames, 
            - VPC: enableDnsSupport
    - Routing Policy
        - Simple routing policy 
            - Use for a single resource that performs a given function for your domain, for example, a web server that serves content for the example.com website.
        - Failover routing policy 
            - Use when you want to configure active-passive failover.
        - Geolocation routing policy 
            - Use when you want to route traffic based on the location of your users.
        - Geoproximity routing policy 
            - Use when you want to route traffic based on the location of your resources and, optionally, shift traffic from resources in one location to resources in another.
        - Latency routing policy 
            - Use when you have resources in multiple locations and you want to route traffic to the resource that provides the best latency.
        - Multivalue answer routing policy
            - Use when you want Route 53 to respond to DNS queries with up to eight healthy records selected at random.
        - Weighted routing policy
            - Use to route traffic to multiple resources in proportions that you specify.
    - Traffic Flow/Policy
        - a flow combination of routing policies
        - a traffic policy for public hosted zones
- Architecture
    - Security
        - DNSSEC Setting
    - Reliability
        - Routing Policies
        - FailOver Design
    - Performance
        - Routing Policies
    - Operation
    - Cost
- Deploy/Config/Operate
    - Prerequisite
    - Workflow
- Optimize
    - Best Practice

#### DC, CloudFront, Route53...

- Networking:AWS DX Direct Connect
    - Overview
        - Connect Enterprise Network to AWS Network via Dedicated 1G/10G fiber
        - Enterprise Edge Router
        - AWS Direct Connect Router
    - BGP Path Selection
        - AS_Path Prepending
        - AS Weight Attribute
        - Local_Pref
        - MED Attribute: Multi-Exit Discriminator
    - BGP Community
        - Internet
        - No-Advertise
        - No-Export
        - Local-AS
        - 7224:9100 local region
        - 7224:9200 local continent
        - 7224:9300 all public region
    - Route Priority
        - Local routes to VPC
        - Most Specific Prefix matching
        - Static routes
        - BGP routes
        - Routes learned via static VPN
        - BGP Routes from VPN

---
- Networking:AWS CloudFront
    - Overview    
        - CDN solution for Web/Streaming services
    - Features
        - CORS: Cross Origin Resource Sharing
    - Topologies
        - Edge Locations
        - Multi Edge Locations
        - Regional Cache Location
---
- Networking:Global Accelerator
    - Overview    
---
- Networking:AWS Transit Gateway
    - Overview   
        - Access hub for VPC connectivity
        
---

- Networking:API Gateway
    - Overview    
        - API Management
        - Serverless Architecture
---

- Networking:App Mesh
    - Overview    
        - Microservices Management
        
---
- Networking:Cloud Map
    - Overview    

### Storage

#### S3/Glacier

- Overview
    - Object Storage
    - Key-Value Storage
    
- Use Case
    - Static Web Hosting
    - Content Storage and Distribution
    - Backup and Archiving Store
    - Big Data Analytics with AWS Athena
    - Cloud-Native App Integration
    
- Technology
    - Data Lifecycle Management
        - Tiered Storage
            - S3 Standard
            - S3 Intelligent-Tiering
            - S3 Standard-IA: Infrequent Access
            - S3 One Zone-IA
            - S3 RRS: Reduced Redundancy Storage
            - S3 Glacier
            - S3 Glacier Deep Archive
        - Actions
            - Transition Action
            - Expiration Action
    - Versioning
        - Delete Marker
            - a null object acts as placeholder
            - deleting the Delete Marker undeletes the object
    - Bucket
        - Universal Namespace
            - 3-63 chars
            - name: `/(label)(\.(label))*/`
            - label: `/[a-z0-9]([a-z0-9-]*[a-z0-9])?/`
            - cannot be ipv4 format
            - SSL will not match buckets with name contains "."
        - Lifecycle Management
            - Lifecycle Rule
                - Transition Action
                    - S3 Standard to S3 Standard-IA to S3 Glacier
                - Expiration Action
        - Versioning
            - unversioning
            - versioning enabled
            - versioning suspended      
        - Transfer Acceleration
    - Object
        - Components
            - Key: Filename
            - Value: File Content
            - Version ID
            - Metadata
                - key-value pair
                - System metadata
                - User metadata
            - Subresources
                - acl, torrent, etc.
- Architecture
    - Security
        - Permission
            - ACLs for AWS Account by Object
                - Object/Bucket Level Control
            - Bucket Policy
                - Bucket Level Control
                - Private by Default
                - Only Bucket Owner can apply policy
            - IAM User/Group/Role Policy
            - Access Control Conflict Resolution
                - Least Privilege Principle
                    - Deny prior to Allow    
        - Encryption
    - Reliability
        - Data Availability and Durability
            - 4x9s Availability
            - 11x9s Durability    
        - Data Consistency Model
            - Read-after-Write Consistency for new PUTs
                - `PUT 200 -> GET 200`
                - `GET 404 -> PUT 200 -> GET 404`
            - Eventual Consistency for Overwrite PUT/DELETES
                - `PUT 200 -> PUT 200 -> GET 200(may be old version)`
                - `DELETE 200 -> GET 200`
        - Cross Region Replication
            - Automatic, asynchronous, cross-bucket object copy
            - Can cross AWS accounts
            - Must enable versioning
    - Performance
        - Partition 100MB file for Multipart Upload
        - Partition 5GB big file
        - Prefix/Folder 3k-5k objects
        - S3 Transfer Acceleration for Upload
        - Cloudfront for S3 for distribution
        - SSE-KMS may cap uploading performance
    - Operation
        - Bucket Policy Template
            - Version 
            - Statement: `[ ... ] `
            - Sid (Optional) : Statement ID
            - Effect: Allow/Deny
            - Principal: account, user, role, federated user, or assumed
            - Action: API Calls
            - Resource: ARN: arn:partition:service:region:accountID:resource
            - Condition (Optional)
        - Limits
            - 100 buckets per account
    
    - Cost
    
- Deploy/Config/Operate
    - Prerequisite
    - Workflow
- Optimize
    - Best Practice
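The Bucket Policy Template fields and the "Deny prior to Allow" rule from the Permission passage above, worked through in code. This is an added example, not code from the original notes or from AWS: the policy is constructed, the bucket name and account id are placeholders, and only the Bool `aws:SecureTransport` condition is modelled, which is a simplification of IAM's condition language.

```python
"""Evaluate an S3 bucket policy with the precedence the notes give: access is
denied unless a statement allows it, and an explicit Deny beats any Allow.
Added example; constructed policy with placeholder ARNs."""
import copy
from fnmatch import fnmatchcase
from typing import Any, Dict, List, Optional

BUCKET_ARN = "arn:aws:s3:::example-bucket"   # placeholder bucket

# Constructed policy: an over-broad Allow (anyone may read every object) next
# to a hardening Deny (no access at all over plain HTTP).
POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": BUCKET_ARN + "/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _principal_entries(stmt: Dict[str, Any]) -> List[str]:
    """AWS principal entries of a statement: '*' alone, or the AWS key of a map."""
    principal = stmt.get("Principal", [])
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS", []))
    return []


def is_wildcard_principal(stmt: Dict[str, Any]) -> bool:
    return "*" in _principal_entries(stmt)


def _matches_pattern(patterns: Any, value: str) -> bool:
    # Action and Resource accept * and ? wildcards; compared case-insensitively here.
    return any(fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _condition_holds(stmt: Dict[str, Any], ctx: Dict[str, Any]) -> bool:
    cond = stmt.get("Condition")
    if not cond:
        return True
    if set(cond) != {"Bool"} or set(cond["Bool"]) != {"aws:SecureTransport"}:
        raise NotImplementedError("only Bool aws:SecureTransport is modelled")
    wanted = str(cond["Bool"]["aws:SecureTransport"]).lower()
    actual = str(ctx.get("aws:SecureTransport", True)).lower()
    return wanted == actual


def evaluate(policy: Dict[str, Any], principal: str, action: str,
             resource: str, ctx: Optional[Dict[str, Any]] = None) -> str:
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request.
    `principal` is an IAM ARN, or 'anonymous' for an unauthenticated caller."""
    ctx = ctx or {}
    decision = "ImplicitDeny"                     # default: nothing matched
    for stmt in policy["Statement"]:
        entries = _principal_entries(stmt)
        if not ("*" in entries or principal in entries):
            continue
        if not (_matches_pattern(stmt["Action"], action)
                and _matches_pattern(stmt["Resource"], resource)
                and _condition_holds(stmt, ctx)):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"                 # Deny wins over any Allow
        decision = "Allow"
    return decision


def public_allow_sids(policy: Dict[str, Any]) -> List[str]:
    """Sids of Allow statements usable by any caller on the internet:
    wildcard principal and no Condition narrowing the grant."""
    return [s.get("Sid", "<no Sid>") for s in policy["Statement"]
            if s["Effect"] == "Allow" and is_wildcard_principal(s)
            and not s.get("Condition")]


def restrict_public_allows(policy: Dict[str, Any], principal_arn: str) -> Dict[str, Any]:
    """Copy of the policy with every public Allow re-scoped to one principal.
    Deny statements keep their wildcard: a Deny that applies to everyone is
    exactly what the TLS-only rule needs."""
    hardened = copy.deepcopy(policy)
    for stmt in hardened["Statement"]:
        if stmt["Effect"] == "Allow" and is_wildcard_principal(stmt):
            stmt["Principal"] = {"AWS": principal_arn}
    return hardened
```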



#### EBS, EFS, Snowball...

- Storage: EBS Elastic Block Store
    - Overview
        - Root Device Volume
        - Data Volume
        - AZ Bounded
    - Features
        - Data Availability and Durability
        - Data Encryption
        - Data Backup
        - Data Snapshot
        - Data Lifecycle Manager
    - Types
        - GP2: General Purpose SSD
        - IO1: Provision IOPS SSD
        - HDD-old: Magnetic Volume HDD
        - HDD-st1: Throughput Optimized HDD
        - HDD-sc1: cold HDD
---
- Storage: EFS Elastic File System
    - Overview
        - provide file service for instances
        - NFSv4
        - Cross Region Replica
    - Mount Target
        - Required to access EFS from a VPC
        - VPN EFS Endpoint
        - AZ Bounded, not Subnet Bounded
        - Creatable when subnet available in that AZ
    - Security
        - Network ACL controls Mount Target
        - SG controls Mount Target
        - IAM user controls permission
    - Features
        - Elastic
        - Flexible
            - on-premise mount
            - cross region mount
    - Store Types
        - General Purpose
        - Max I/O

---
- Storage: Storage Gateway
    - Overview
        - Connecting an on-premises software appliance with S3
    - Types
        - File Gateway
        - Volume Gateway
            - Stored Mode
            - Cached Mode
        - Tape Gateway
    - Deployment Mode
        - On-premises
            - VM + Storage Gateway Software
            - Hardware Appliance
        - Cloud
            - VM in VMware Cloud on AWS
            - AMI in AWS
---
- Storage: Amazon FSx for Lustre
    - Overview
        - HPC Storage
---
- Storage: Amazon FSx for Windows File Server
    - Overview
        - HPC Storage
---
- Storage: Snowmobile
    - import/export EB level data
---
- Storage: Snowball
    - import/export PB level data
---
- Storage: Snowball Edge
    - import/export 100TB level data


### Database

#### RDS

- Overview
    - Benefits
        - High Performance
        - High Scalability
        - High Availability and Durability
        - High Security
        - Manageability
            - Lower Administrative Burden
        - Cost-Effectiveness
            
- Features
    - High Availability: Multi-AZ Deployment
        - Synchronous Active-Standby Mode
        - Master/Secondary
    - Scalability
        - Scale-up
        - Scale-out
    - High Performance
        - Provisioned IOPS EBS
        - Read-Replica
            - Cannot be placed behind an ELB
            - Distribute reads with Route 53 or HAProxy
            - Using Aurora Cluster
    - Security
        - Data Security
            - Snapshot
            - Backup
                - Auto backup to S3
            - Encryption
        - Access Security
            - AWS security services
    - Manageability
    - Cost Effectiveness
    - Limits
        - RDS is not autoscaling and cannot be used behind an ELB.
        - Bound to an AZ without Multi-AZ deployment
        - Bound to a Region with Multi-AZ deployment

- RDS Technologies
    - Categorization
        - Instance View
            - Standard
            - Memory Optimized
            - Burstable Performance
        - DB View
            - Aurora
            - MySQL
            - PostgreSQL
            - MariaDB
            - Oracle
            - SQL Server
            
- Deploy/Configuration
    - Region Selection
    - DB Engine Selection
    - Environment Selection: Dev/Test/Prod
    - Engine Version Selection
    - Instance Class Selection
    - Multi-AZ Deployment Selection
    - Storage Class Selection
    - Network/Security Setting
        - Subnet Group Setting
    - DB Settings/Attributes
        - DB Instance Identifier
        - Master Username
        - Master Password
        - Parameter Group: Engine Config
        - Option Group
    - Backup Setting
    - Monitoring Setting
    - Maintenance Setting

- Operation
    - Monitoring
        - CloudWatch
            - HW Metrics: CPU/Mem/Storage/IO/Network
            - DB Metrics: Query Throughput/Performance/Connections/Utilization
    - Scale
    - Performance
    - Security
        - Audit
            - CloudTrail
    - Backup and Recovery
        - Storage Volume Snapshot
        - Automated Backups
            - Limited to InnoDB Engine
            - 0-35 Days Retention
            - RPO: 30min
        - Manual Backup

- RDS: Amazon Aurora
    - Features
        - MySQL/PostgreSQL Compatible RDS Service
        - Faster
        - Fully Managed RDS for Provision/Setup/Patching/Backups
        - Grow on-demand, Up to 64G
        - Up to 15 Read Replicas
        - HA and Durability
- DBMS
    - Database
        - Schema/DB
            - Table
                - Row/Record
                - Column/Attribute
            - View
            - Stored Procedure
            - Function
    - DB Engine
        

#### DynamoDB

- Overview
    - Fully managed, multi-region, multi-master database with built-in security, backup and restore, and in-memory caching for internet-scale applications
    - NoSQL key-value and document DB
    - Global Tables
    - Supports cross region replication
- Features
    - Schemaless DB
    - Auto Scaling
    - Provisioned Throughput
        - RCU: Read Capacity Unit
            - 1 RCU: 4KB
        - WCU: Write Capacity Unit
            - 1 WCU: 1KB
        - Partition
            - 3000 RCU; 1000 WCU; 10GB
    - Consistency Mode
        - Strong Consistency Read
            - 1 RCU per unit, 4KB
        - Default: Eventual Consistency Read
            - 2 RCU per unit, 4KB
        - Transaction Read
            - 2 RCU per unit, 4KB
        - Eventual Consistency Write
            - 1 WCU per unit, 1KB
        - Transaction Write
            - 2 WCU per unit, 1KB
    - Atomic Counter and Conditional Update
    - DynamoDB Stream
    - DynamoDB Trigger
    - DAX: DynamoDB Accelerator: in-memory cache for DynamoDB
    - Limits
        - 400KB Item Size
        - 10 Indexes per table
- DBMS
    - Structure
        - Tables: collection of item data
            - Items: collection of Attributes
                - Attributes: key-value pair
            - Primary Key: Unique, Mandatory
                - Simple Primary Key
                    - 1 Attribute
                    - as Partition Key(Hash)
                - Composite Primary Key
                    - 2 Attributes
                    - as Partition Key(Hash)+Sort Key(Range)
            - Secondary Indexes
                - Global Secondary Index
                    - Partition Key(Hash)+Sort Key(Range) are different from Primary Key
                - Local Secondary Index
                    - Partition Key(Hash) is the same as Primary Key
                    - Sort Key(Range) is different from Primary Key
            - Alternative Key
                - improve query speed
            - Streams: all changes in Table
                - CRUD is event
                - Stream record
                    - Event data
                    - Event Metadata
        - Data Types
            - Scalar
                - String: "hello"
                - Number: 123
                - Boolean: True/False
                - Binary: "dfjsjfj3sejld"
            - Set: no order
                - String Set: ["hello", "world"]
                - Number Set: [1, 2]
                - Binary Set: 
            - Document: order preserved
                - List: list_items: [2, 3, "string"]
                - Map: Map(JSON)
    - Operate
        - Query
        - Scan
        - UpdateItem
            - Atomic counters
            - Conditional Update
    - Performance
        - Partition
            - WCU: 1000
                - 1KB
            - RCU: 3000
                - 4KB
            - Size: 10GB
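Capacity-unit and partition arithmetic from the Provisioned Throughput, Consistency Mode and Performance items above, as an added worked example written for these notes (not AWS code). It covers strongly consistent and transactional reads, standard and transactional writes, and the per-partition limits; the workload numbers in it are constructed.

```python
"""Capacity-unit arithmetic for DynamoDB provisioned throughput.

Added example, not AWS code. It encodes the units listed above: a read
capacity unit covers 4 KB per strongly consistent read, a write capacity
unit covers 1 KB, transactional operations cost twice as much, and a
single partition serves at most 3000 RCU, 1000 WCU and 10 GB of data.
"""
import math

READ_UNIT_BYTES = 4 * 1024
WRITE_UNIT_BYTES = 1024
PARTITION_MAX_RCU = 3000
PARTITION_MAX_WCU = 1000
PARTITION_MAX_GB = 10

READ_MULTIPLIER = {"strong": 1, "transactional": 2}
WRITE_MULTIPLIER = {"standard": 1, "transactional": 2}


def _units(item_bytes, unit_bytes):
    # Sizes round up to the next unit boundary; even a tiny item costs one unit.
    if item_bytes < 0:
        raise ValueError("item size must be non-negative")
    return max(1, math.ceil(item_bytes / unit_bytes))


def read_capacity_units(item_bytes, mode="strong"):
    """RCU consumed by reading one item of `item_bytes` in the given mode."""
    return _units(item_bytes, READ_UNIT_BYTES) * READ_MULTIPLIER[mode]


def write_capacity_units(item_bytes, mode="standard"):
    """WCU consumed by writing one item of `item_bytes` in the given mode."""
    return _units(item_bytes, WRITE_UNIT_BYTES) * WRITE_MULTIPLIER[mode]


def provision_for(reads_per_s, read_bytes, writes_per_s, write_bytes,
                  read_mode="strong", write_mode="standard"):
    """Table-level RCU/WCU to provision for a steady workload."""
    return {
        "rcu": reads_per_s * read_capacity_units(read_bytes, read_mode),
        "wcu": writes_per_s * write_capacity_units(write_bytes, write_mode),
    }


def partitions_needed(rcu, wcu, table_gb):
    """Partitions DynamoDB must allocate so that no per-partition limit is exceeded."""
    return max(1, math.ceil(rcu / PARTITION_MAX_RCU),
               math.ceil(wcu / PARTITION_MAX_WCU),
               math.ceil(table_gb / PARTITION_MAX_GB))


def per_partition_throughput(rcu, wcu, table_gb):
    """Provisioned throughput is split evenly across partitions, so a large table
    (or one hot partition key) can be throttled well below the table total."""
    n = partitions_needed(rcu, wcu, table_gb)
    return {"partitions": n, "rcu_per_partition": rcu / n, "wcu_per_partition": wcu / n}


if __name__ == "__main__":
    # Constructed workload: 500 reads/s of 6 KB items, 200 writes/s of 1.5 KB items, 25 GB table.
    plan = provision_for(reads_per_s=500, read_bytes=6_000, writes_per_s=200, write_bytes=1_500)
    print(plan, per_partition_throughput(plan["rcu"], plan["wcu"], table_gb=25))
```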

#### NoSQL

- NoSQL
    - Overview
    - Category
        - Document DB
        - Graph DB
        - Key-Value DB
        - Columnar DB
        - Ledger DB
    - Advantages
        - Schemaless
        - Scale-out Architecture
        - Easy Replication
        - Can manage huge amounts of data
---

- Databases: Amazon DocumentDB
    - Overview
        - MongoDB Compatible Document DB Service
        
- Databases: Amazon Neptune
    - Overview
        - Graph DB Service
    - DBMS
        - Structure
            - Node
            - Edge
            - Property
        
- Databases: Amazon ElastiCache
    - Overview
        - In-Memory Distributed Caching Service
        - Accelerates RDS queries
    - Engine Types
        - Redis
        - Memcached
            - can be used as K-V data store too
            
- Databases: Amazon QLDB Quantum Ledger Database
    - Overview
        - Ledger DB Service
        - Transparent, immutable, and cryptographically verifiable transaction log owned by a central trusted authority
        
- Databases: Amazon Timestream
    - Overview
        - Time series database
    - Use Case
        - IoT and operational applications; stores and analyzes trillions of events per day

---
- Amazon Redshift
    - Overview
        - PB-Level Data Warehouse Service     
---

- Databases: AWS DMS Database Migration Service
    - Overview
    - Migration Scenarios
        - One-time Migration
        - Replication of On-going changes
        - Heterogeneous Migration using AWS SCT Schema Conversion Tool

## Application Integration

### Workflow

- Amazon SWF: Simple Workflow Service
    - Overview
        - Build, run, and scale background jobs that have parallel or sequential steps
        - State tracker 
        - Task coordinator
---
- Amazon Step Functions Service
    - Overview
        - Coordinate multiple AWS services into serverless workflows so you can build and update apps quickly
    - Use Cases
        - Data Processing
        - Automate tasks
        - Application Orchestration
        - Modernize monolithic architectures
---

### Messaging

- Amazon SNS: Simple Notification Service
    - Overview
        - Fully managed pub/sub messaging service that enables you to decouple microservices, distributed systems, and serverless applications.
        - M-2-M relationship
        - Push-based
    - Use Cases
        - Application/System Alarms
        - Push Email/Text Message
        - Mobile Push Notification
    - Topology
        - Topic in SNS
            - Access Policy
        - Publishers
        - Subscribers
---
- Amazon MQ: Message Queue Service
    - Overview
        - Managed Message Broker Service for Apache ActiveMQ
        - Message brokers allow different software systems–often using different programming languages, and on different platforms–to communicate and exchange information
---
- Amazon SQS: Simple Queue Service
    - Overview
        - Fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.
        - Decouple Application
        - Message size: 1-256KB
    - Types
        - Standard Queue
            - maximum throughput
            - best-effort ordering
            - at-least-once delivery
        - FIFO Queue
            - guarantee that messages are processed exactly once
            - in the exact order that they are sent
---

### Event Bus

### API Mgmt

##  Analytics

- Amazon Redshift
    - Overview
        - PB-Level Data Warehouse Service
---
- AWS Lake Formation
    - Overview
        - Data Lake Service
---
- Amazon MSK Managed Streaming for Apache Kafka
    - Overview
        - Fully managed, highly available, and secure Apache Kafka service
        - Process streaming data
---
- Amazon Athena
    - Overview
        - Interactive Query Service to analyze S3 Data using SQL
        - Serverless
        - No ETL needed
        - integrated with AWS Glue Data Catalog
        - Built on Presto
---
- Amazon Kinesis
    - Overview
        - Collect, process, and analyze real-time, streaming data
        - Ingest real-time data such as video, audio, application logs, website clickstreams, and IoT telemetry data for machine learning, analytics, and other applications.
        - Real-time metrics and reporting
        - Real-time analytics
    - Kinesis Components
        - Kinesis Data Firehose
            - Capture, transform, and load streaming data into Amazon S3, Amazon Redshift, Amazon Elasticsearch Service, and Splunk.
            - Near real-time analytics with existing business intelligence tools and dashboards
            - Source
                - Kinesis Stream
                - Kinesis SDK KPL
                - Kinesis Agent
                - CloudWatch Logs/Events
                - IoT Rules Actions
            - Transform
                - AWS Lambda
            - Target
                - AWS S3
                - RedShift
                - ElasticSearch
                - Splunk
        - Kinesis Data Streams
            - Massively scalable and durable real-time data streaming service
        - Kinesis Video Streams
            - Securely stream video from connected devices to AWS for analytics, machine learning (ML), playback, and other processing.
        - Kinesis Data Analytics
            - Analyze streaming data in real time
---
- Amazon CloudSearch
    - Overview
        - Search solution for web or apps
---
- Amazon Elasticsearch
    - Overview
        - Deploy, secure, operate, and scale Elasticsearch to search, analyze, and visualize data in real time
---
- Amazon Glue 
    - Overview
        - ETL Services
    - Glue Components
        - Glue Crawler
        - Glue Data Catalog
--- 
- Amazon QuickSight
    - Overview
        - BI Service
---
- Amazon EMR Elastic MapReduce
    - Overview
        - Managed Hadoop framework
        - Run Apache Spark, HBase, Presto, and Flink in Amazon EMR
        - Interact with data in other AWS data stores such as Amazon S3 and Amazon DynamoDB
---
- AWS Data Pipeline 
    - Overview
        - Process and move data between different AWS compute and storage services
---

## Machine Learning

## DevOps

### CloudFormation

- Overview
    - Infra as Code Service
    - Template based provisioning and automation
- Components
    - Template
        - Describe AWS Resources in JSON/YAML
        - [Format](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-formats.html)
        - Elements
            - Version
            - Description
            - Metadata
            - Parameters
            - Mappings
            - Conditions
            - Transform
            - Resources
            - Outputs
            - Functions
    - Stack
        - Running instance of a template: the provisioned set of resources
    - StackSet
    - CloudFormer
    - CloudFormation Designer
- Script Syntax
    - Update Policy
        - 
    - Nested Stack
        - DependsOn
    - Helper Scripts
        - WaitCondition
            - Handle
        - WaitConditionHandle
        - CreationPolicy
        - ConfigSets
        - cfn-signal
        - cfn-hup
        - cfn-get-metadata
        - cfn-init
            - config
                - packages
                - groups
                - users
                - sources
                - files
                - commands
                - services        
    - Metadata
        - Components
            - Authentication 
            - Interface
                - ParameterGroups
                - ParameterLabels
            - Init
                - configSets
                    - Install
                        - packages
                        - files
                        - services
                    - Configure
                        - commands
        - Usage
    - Outputs
        - Components
            - Logical ID
            - Description
            - Value to return
            - Export
                - Name
                    - Unique
                    - Bound in Region
                - Value to export
        - Usage
            - Cannot delete a stack while its exports are imported by another stack
            - Cannot change or remove an exported output value while another stack references it
    - Conditions
        - Components
            - Logical ID
            - Condition Functions
                - `Fn::And`
                - `Fn::Equals`
                - `Fn::If`
                - `Fn::Not`
                - `Fn::Or`
        - Usage
            - `!If [condition_name, value_if_true, value_if_false]`
            - `!Not [condition]`
            - `!Or [condition, ...]`
            - `!Equals [value_1, value_2]`
            - `!And [condition, ...]`
    - Mappings
        - Components
            - Logical ID
            - Top Level Key
            - Second Level Key
            - Return Value
        - Functions
            - `!FindInMap [MapID, !Ref TopLevelKey, SecondLevelKey]` 
    - Parameters
        - Components
            - Description
                - ConstraintDescription
            - Logical ID
            - Type
                - String, Number, List
                - AWS Specific
                - SSM Parameter Types
            - Constraints
                - AllowedPattern
                - AllowedValues
                - Default
                - MaxLength/MinLength
                - MaxValue/MinValue
                - NoEcho             
            - Value
                - at runtime
                - default value
        - Usage
            - Resource and Output section
            - Scope within the template
        - Pseudo Parameters
            - `AWS::Region`
            - `AWS::AccountId`
            - `AWS::StackName`
            - `AWS::NotificationARNs`
            - `AWS::NoValue`
    - Resources
        - Components
            - Logical ID
            - Type
            - Properties
            - DependsOn
    - Functions
        - Intrinsic Functions
            - `Ref`
                - `!Ref LogicalID`
            - `Fn::Base64`
                - `!Base64 valueToEncode`
            - `Fn::FindInMap`
                - `!FindInMap [ MapName, TopLevelKey, SecondLevelKey ]`
            - `Fn::GetAtt`
                - `!GetAtt logicalNameOfResource.attributeName`
            - `Fn::GetAZs`
                - `!GetAZs region`
            - `Fn::ImportValue`
                - `!ImportValue LogicalID`
            - `Fn::Join`
                - `!Join [ ":", [ a, b, c ] ]`
            - `Fn::Select`
                - `!Select [ "1", [ "apples", "grapes", "oranges", "mangoes" ] ]`
            - `Fn::Split`
                - `!Split [ "|" , "a|b|c" ]`
            - `Fn::Sub`
                - `!Sub "${AWS::StackName}-InstanceAz"`
            - `Fn::Transform`
                - `!Transform { "Name" : macro name, "Parameters" : {key : value, ... } }`
- Use Cases
    - Quick launch of Dev/Test environments
    - Replicate configuration between environments
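An added resolver for the Conditions, Mappings, Parameters and intrinsic functions listed above, showing how `!If`, `!Equals`, `!FindInMap`, `!Join`, `!Select`, `!Split` and `!Sub` actually produce values. It is example code written for these notes, not AWS tooling, and it assumes the constructed template fragment and pseudo-parameter values defined inside it.

```python
"""Resolve the CloudFormation condition and intrinsic functions listed
above against a template's Parameters, Mappings, Conditions and pseudo
parameters. Added example, not AWS tooling: it evaluates the long JSON
form that the YAML short forms parse to (!Select [...] is
{"Fn::Select": [...]}). Template fragment and pseudo values are constructed;
functions needing a deployed stack are recognised but not resolved."""
import base64
import re

PSEUDO_PARAMETERS = {"AWS::Region": "eu-west-1", "AWS::AccountId": "111122223333",
                     "AWS::StackName": "demo-stack", "AWS::NoValue": None}
TEMPLATE = {
    "Parameters": {"EnvType": {"Type": "String", "Default": "prod",
                               "AllowedValues": ["dev", "prod"]}},
    "Mappings": {"RegionMap": {"eu-west-1": {"AMI": "ami-EXAMPLE1"},
                               "us-east-1": {"AMI": "ami-EXAMPLE2"}}},
    "Conditions": {"IsProd": {"Fn::Equals": [{"Ref": "EnvType"}, "prod"]},
                   "IsNotProd": {"Fn::Not": [{"Condition": "IsProd"}]}},
}
NEEDS_DEPLOYED_STACK = {"Fn::GetAtt", "Fn::GetAZs", "Fn::ImportValue", "Fn::Transform"}
INTRINSICS = NEEDS_DEPLOYED_STACK | {
    "Ref", "Condition", "Fn::If", "Fn::Equals", "Fn::Not", "Fn::And", "Fn::Or",
    "Fn::Join", "Fn::Select", "Fn::Split", "Fn::Sub", "Fn::FindInMap", "Fn::Base64"}


class Resolver:
    def __init__(self, template, parameters=None):
        self.template = template
        self.params = {}
        # Runtime values override Default; AllowedValues is enforced as a constraint.
        for name, spec in template.get("Parameters", {}).items():
            value = (parameters or {}).get(name, spec.get("Default"))
            if "AllowedValues" in spec and value not in spec["AllowedValues"]:
                raise ValueError(f"parameter {name}={value!r} violates AllowedValues")
            self.params[name] = value

    def ref(self, name):
        if name in PSEUDO_PARAMETERS:
            return PSEUDO_PARAMETERS[name]
        if name in self.params:
            return self.params[name]
        raise KeyError(f"unresolved Ref {name!r}: resource IDs need a deployed stack")

    def condition(self, name):
        return bool(self.resolve(self.template["Conditions"][name]))

    def _sub(self, text, variables):
        def repl(match):
            key = match.group(1)
            if key.startswith("!"):  # ${!Literal} is an escape for a literal ${Literal}
                return "${" + key[1:] + "}"
            return str(variables[key] if key in variables else self.ref(key))
        return re.sub(r"\$\{([^}]+)\}", repl, text)

    def resolve(self, node):
        if isinstance(node, list):
            return [self.resolve(n) for n in node]
        if not isinstance(node, dict):
            return node
        if len(node) != 1 or next(iter(node)) not in INTRINSICS:
            return {k: self.resolve(v) for k, v in node.items()}
        (fn, arg), = node.items()
        if fn == "Ref":
            return self.ref(arg)
        if fn == "Condition":
            return self.condition(arg)
        if fn == "Fn::If":  # only the selected branch is evaluated
            name, if_true, if_false = arg
            return self.resolve(if_true if self.condition(name) else if_false)
        if fn in NEEDS_DEPLOYED_STACK:
            raise NotImplementedError(f"{fn} requires a deployed stack")
        arg = self.resolve(arg)
        if fn == "Fn::Equals":
            return arg[0] == arg[1]
        if fn == "Fn::Not":
            return not arg[0]
        if fn == "Fn::And":
            return all(arg)
        if fn == "Fn::Or":
            return any(arg)
        if fn == "Fn::Join":
            return arg[0].join(str(x) for x in arg[1])
        if fn == "Fn::Select":
            return arg[1][int(arg[0])]
        if fn == "Fn::Split":
            return arg[1].split(arg[0])
        if fn == "Fn::FindInMap":
            map_name, top_key, second_key = arg
            return self.template["Mappings"][map_name][top_key][second_key]
        if fn == "Fn::Base64":
            return base64.b64encode(str(arg).encode()).decode()
        text, variables = (arg, {}) if isinstance(arg, str) else arg  # Fn::Sub
        return self._sub(text, variables)
```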

### Code*

- AWS Cloud9
    - Cloud IDE

- AWS CodeCommit
    - Secure Git-based repositories

- AWS CodeBuild
    - Build service that compiles source code, runs tests, and produces software packages

- AWS CodeDeploy
    - Automates code deployments to EC2

- AWS CodePipeline
    - Continuous delivery service
    - Automate release pipelines for fast and reliable application and infrastructure updates
    - Automates the build, test, and deploy phases

- AWS CodeStar
    - Creating, managing, and working with software development projects on AWS

- AWS X-Ray
    - Analyze and debug distributed applications in production or under development

## IoT

## Billing and Cost Management

- AWS Cost Explorer
- AWS Budgets
- AWS Cost & Usage Report
- Reserved Instance (RI) Reporting
- Tools
    - Simple Monthly Calculator
    - AWS TCO Calculator

## Security, Identity, and Compliance

### IAM

- AWS IAM
    - Overview
        - Manage, control and govern authentication, authorization and access control mechanisms of identities to AWS resources within your AWS account.
        - Who What Which on Condition Model
            - Who: User, Group, Role
            - What: Allow/Deny CRUD Actions
            - Which: AWS Resources
            - Condition: 
        - Workflow Model
            - Principal: User/Role/Group
            - Authentication
            - Request/Effect
            - Authorization
            - Action (Console)/Operation (CLI/API)
            - Resources
        - Global service, free of charge
        - Fine-grained Access Control
        - Shared Access to your Account
        - Eventually Consistent
        - IAM Tool Sets
            - Console
            - APIs
            - CLI
            - SDKs
            
    - IAM Identity Management
        - Root User
        - IAM Users
            - Represents the identity of a person or application accessing your account
            - Consists of Name/Credentials
                - Name
                    - Username
                    - ARN
                    - Unique ID
                - Credentials
                    - Console Password
                    - Access Keys
                - Permission
                    - Inherited from Groups
                    - Copy from existing User
                    - Attach existing Policies
        - IAM Groups
            - Collection of Users with shared permission
        - IAM Roles
            - Defined permissions that can be assumed by users or resources
            - No long-term credentials; AWS STS (Security Token Service) issues dynamic temporary credentials
            - Use Cases
                - Grant a user in another AWS account access to your AWS resources
                - Grant an EC2 instance access to other AWS resources
                - Grant a user temporary, least-privilege access to critical resources; the identity can come from Identity Federation sources
            - Role Trusted Entities
                - AWS Service Role
                - Role for Web Identity: OpenID
                - Role for Cross-Account Access
                - Role for Identity Provider Access: SAML
            - Attach Permissions Policy
            - Trusted Entity
                - AWS Services
                - Another AWS Account
                - OpenID Identity
                - SAML 2.0 Federation Identity
        - Identity Federation
            - Allows access to and management of AWS resources without an IAM user account
            - Enables SSO; built on STS underneath
            - Identity Sources
                - Amazon Cognito
                - AWS Directory Service 
                - IdP
                    - OpenID: WebID integration
                    - SAML2.0: SP/IdP/Client
                        - MS ADFS/MS AD 
            
    - IAM Access Control Policy Management
        - Policy: document that defines permissions on resources
        - Types: PrincipalView
            - Identity-Based Policies
                - IAM Policy
            - Resource-Based Policies
                - Resource-based policies are inline policies. 
                - There are no managed resource-based policies
                - Allowed Resources: S3, Glacier, SNS, SQS, KMS
        - Types: OwnerView
            - Managed Policy: AWS
            - Managed Policy: Customer
            - Inline Policy: Embedded into a specific User/Group/Role
        - ARN
            - `arn:aws:iam::ACCOUNT:RESOURCE`
        - Policy Conflict Resolution
            - Deny overrides Allow
        - Policy Document Components(JSON)
            - Version 
            - Statement
            - Sid (Optional) : Statement ID
            - Effect: Allow/Deny
            - Principal: 
                - (Required in only some circumstances) – If you create a resource-based policy, you must indicate the account, user, role, or federated user to which you would like to allow or deny access. If you are creating an IAM permissions policy to attach to a user or role, you cannot include this element. The principal is implied as that user or role.
                - Group can not be used as a Principal
            - Action: API Calls
            - Resource: 
                - ARN: arn:partition:service:region:accountID:resource
                - (Required in only some circumstances) – If you create an IAM permissions policy, you must specify a list of resources to which the actions apply. If you create a resource-based policy, this element is optional. If you do not include this element, then the resource to which the action applies is the resource to which the policy is attached.
            - Condition (Optional)
            
    - IAM Features
        - Shared access to AWS account
            - cross account access
                - Test/Dev account
                - UAT/Prod account
                - Partner account
        - Granular permissions
        - STS: Security Token Service
        - MFA: Multi-Factor Authentication
        - Password Policies Management
        - Integration with AWS resources
        - 4A: 
            - Authentication
                - User/Password
                - Access Key: ID/Secret
                - Access Key/Temp Session Token
            - Authorization
            - Auditing
            - Accounting
                
    - Best Practices
        - Lock Root User access keys
        - Create Individual IAM Users
        - Use Group to assign permission
        - Use AWS defined policies
        - Grant Least-privilege
        - Review IAM permission
        - Strong password policy
        - MFA for privileged users
        - Use Role for EC2 applications
        - Use Role to delegate permission
        - Do not share access keys
        - Rotate credentials
        - Remove unnecessary credentials
        - Use policy conditions
        - Monitor Activities
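The policy evaluation described in the Access Control Policy Management items above (Effect, Principal, Action, Resource, Condition; explicit Deny overrides Allow; implicit deny otherwise), as an added runnable model. This is example code written for these notes, not AWS's evaluator; it also covers the S3 bucket policy template from the storage section, and every ARN, account ID and bucket name in it is constructed.

```python
"""Evaluate S3 bucket policies and IAM identity policies the way the notes
above describe: match Principal, Action, Resource and Condition, let an
explicit Deny override any Allow, and deny by default.

Added example, not AWS code: only the '*' wildcard and the Bool condition
operator are modelled. Account IDs, ARNs and bucket names are constructed.
"""
import fnmatch
import json

# Constructed resource-based policy: read access for one role, plus a blanket
# Deny for any request that does not arrive over TLS.
BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowAppRoleRead",
     "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-reader"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Sid": "DenyInsecureTransport",
     "Effect": "Deny",
     "Principal": "*",
     "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}""")

# Constructed identity-based policy: no Principal element, because the
# principal is implied to be whoever the policy is attached to.
IDENTITY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:Get*", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/secret/*"}
  ]
}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcard matching: '*' spans any characters, including ':' and '/'.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(principal, caller_arn):
    if principal == "*":
        return True
    return _matches(principal.get("AWS", []), caller_arn or "")


def _condition_matches(condition, context):
    for operator, pairs in condition.items():
        if operator != "Bool":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in pairs.items():
            # A missing context key never satisfies Bool (no ...IfExists variant here).
            if key not in context or str(context[key]).lower() != str(expected).lower():
                return False
    return True


def evaluate(policy, action, resource, caller_arn=None, context=None):
    """Return 'Allow' or 'Deny' for one request against one policy document.

    Precedence: explicit Deny > explicit Allow > implicit Deny.
    For identity-based policies (no Principal) leave caller_arn as None.
    """
    context = context or {}
    decision = "Deny"  # nothing matched yet: implicit deny
    for stmt in policy["Statement"]:
        if "Principal" in stmt and not _principal_matches(stmt["Principal"], caller_arn):
            continue
        if not _matches(stmt["Action"], action) or not _matches(stmt["Resource"], resource):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny wins regardless of any Allow
        decision = "Allow"
    return decision
```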

---
- AWS Single Sign-On
    - Overview
        - Cloud service that makes it easy to manage SSO access to multiple AWS accounts and business applications in an AWS Organization

---
- AWS Directory Service
    - Overview
    - Directories
        - MS Active Directory
        - AD Connector
        - Simple AD
        - Amazon Cognito
        - Amazon Cloud Directory
        
        
- AWS Resource Access Manager
    - Overview
        - Share AWS resources with other AWS accounts.

---

- Amazon Cognito
    - Overview
        - Manages user pools and identity pools
        - User pools are user directories that provide sign-up and sign-in options for your app users. 
        - Identity pools provide AWS credentials to grant your users access to other AWS services
    

### Network Security

### Host Security

### Data Security

- AWS Secrets Manager
    - Overview
        - Easily rotate, manage, and retrieve secrets throughout their lifecycle
        
- Amazon KMS Key Management Service
    - Overview
        - Centralized Key Management
        - Control Encryptions for AWS Services

- Amazon CloudHSM Hardware Security Module
    - Overview
        - cloud-based hardware security modules (HSMs) for generating and using your own encryption keys in the AWS Cloud
    - Use Cases
        - Offload SSL processing from Web Server
        - Protect Private Keys for Issuing CA
        - Enable TDE(Transparent Data Encryption) for Oracle DB
        
---
- AWS Certificate Manager: ACM
    - Overview
        - easy to provision, manage, deploy, and renew SSL/TLS certificates on the AWS platform
        
---
- Amazon Macie
    - Overview
        - data visibility security service that helps classify and protect your sensitive and business-critical content.
    - Workflow
        - Discover
        - Classify
        - Protect

### Application Security

#### AWS Firewall Manager

- Overview
    - Manage WAF rules centrally
- Technology
    - Components
        - WAF Rules
        - Rule Groups
        - Firewall Manager Policy
            - 1 policy only contains 2 rule groups
                - 1 customer rule group
                - 1 AWS Marketplace rule group
            - Policy is associated with AWS resources (CloudFront/ALB)
- Deploy/Config/Operate
    - Prerequisite
        - AWS FirewallManagerAdmin account
        - Account under AWS Organization
        - AWS Config enabled

#### AWS Shield

- Overview
    - Protect from DDoS
    - Practice Guide
        - Reduce Attack Surface
        - Plan for Scale
        - Identify normal/abnormal traffic patterns
        - Deploy WAF to protect Application
- Technology
    - DDoS Types
        - SYN Flood
        - DNS Query Flood
        - HTTP Flood
            - Cache-busting
- Architecture
    - Types
        - AWS Shield Standard
        - AWS Shield Advanced
            - UDP Reflection, SYN Flood, DNS Query Flood, HTTP Flood


#### AWS WAF

- Overview
    - Web application firewall service that lets you monitor web requests that are forwarded to an Amazon API Gateway API, an Amazon CloudFront distribution, or an Application Load Balancer
    - Protect Web Site, Web Application from web attack patterns
    - Filter HTTP/HTTPS traffic, distinguish legitimate and harmful requests
- Use Case
    - Web Service deployed via CloudFront/Application LB
- Technology
    - Components/Structure
        - WAF Condition
            - Cross-site scripting
            - GEO match
            - IP addresses match
            - Size constraints
            - SQL injection attacks
            - Request string and RegEx Match
        - Rule
            - Combines Conditions with logical operations
            - Regular Rule
            - Rate-based Rule
        - Web ACLs      
            - Collection of Rules
            - Allow/Deny/Count
            - Rule's Order Matters
- Architecture
    - Cost
        - Requests number
        - ACL number
        - Rule number in each ACL
- Deploy/Config/Operate
    - Deploy Placement
        - CloudFront(Global, no region bound)
        - Application LB
        - EC2
        - API Gateway
    - Limitation
        - 10k requests per account for ALB
        - 100 conditions per rule / 10 RegEx patterns
        - 100 Rules and 50 ACLs per account
        - 5 rate-based rules per account
            

### Security Management

- AWS Inspector
    - Overview
        - Security Assessment Service
        - Built for DevSecOps
    - Workflow
        - Install on Instances
        - Run assessment for targets
        - Analyze assessment result
        - Remediate security issues
    - Security Assessment Domains
        - CVE: Common Vulnerabilities and Exposures
        - CIS Benchmark on OS Security
        - Security Best Practices
        - Runtime Behaviour Analysis
---
- AWS Security Hub
    - Overview
        - Consolidated view of your security status in AWS. 
        - Automate security checks, manage security findings, and identify the highest priority security issues across your AWS environment.
        
---
- Amazon Detective
    - Overview
        - Analyze and visualize security data to rapidly get to the root cause of potential security issues

- Amazon GuardDuty
    - Overview
        - Threat Detection Service
        - continuous security monitoring service that analyzes and processes the following data sources: VPC Flow Logs, AWS CloudTrail event logs, and DNS logs.
    - Workflow
        - Enable GuardDuty by Account
        - Continuously Collecting Data
        - Continuously Analyzing
        - Intelligently Detecting Threats
        - Take Action

##  Management and Governance

### Provisioning

- AWS Service Catalog
    - Overview
        - Take control of your company's cloud resources
        - Enable self-service for your cloud users with products you define and govern
    - Components
        - OU: Organization Unit
        - SCP: Service Control Policy
---
- Amazon Organizations
    - Overview
        - Consolidates multiple AWS accounts for central management
        - Consolidated Billing
        - Integrate with IAM

### Monitoring and Logging

- Amazon CloudWatch
    - Overview
        - Monitoring and management of AWS resources
    - Workflow
        - Collect
            - Metrics/Logs
        - Monitor
        - Act
        - Analyze
    - Components
        - Namespace
            - Metrics
                - Datapoints
                - Timestamp
                - Dimensions
            - Statistics
                - Units
                - Periods
            - Percentiles
        - Alarms
        - Events
            - Rules
            - Targets
        - Logs
            - Log Stream
            - Log Group
        - Dashboards
---
- Amazon CloudTrail
    - Overview
        - governance, compliance, operational and risk auditing for AWS account
    - Workflow
        - Capture
        - Store
        - Act
        - Review

### Operation

---
- Amazon Systems Manager
    - Overview
        
    - Workflow
        - Install SSM Agent
        - Config SSM Role for Instances
        - Group Resources
        - Visualize Data
        - Take Action
    - Components
        - Resource Group
        - Insights
            - Dashboard
            - Inventory
            - Compliance
        - Parameter Store
        - Actions
            - Instance Automation
            - Run Command
            - Session Manager
            - Maintenance Window
            - Patch Manager
            - State Manager
---
- AWS Personal Health Dashboard
    - Overview
        - Show events/issues/changes
---
- Amazon Inspector
    - Overview
    - Components
        - Agent
        - Assessment
            - Network Assessment
                - Agent is optional
            - Host Assessment
    - Workflow
        - Install agents
        - Run Assessment
        - Analyze
---
- AWS Trusted Advisor
    - Overview
    - Advisor Domains
        - Cost Optimization
        - Performance
        - Security
        - Fault Tolerance
        - Service Limits
---

### Configuration

- AWS Config
    - Overview
        - AWS Resources Inventory of AWS account
        - Resource Change Management
        - Store Change Histories
        - Snapshots of Configuration
        - Notification of Changes
        - Integrate with CloudTrail
        - Use Rule for Compliance check
        - Security Analysis   
    - Components
        - AWS Resources
        - CI (Configuration Item, JSON)
            - Metadata
            - Attributes
            - Relationship
            - Configuration
            - Related Events
        - Config Streams
            - Emitted when a new CI is created
            - SNS topic
        - Config Histories
            - History of CI
        - Config Snapshots
        - Config Recorder
        - Config Rule
            - Security Checks
        - Resource Relationships
        - S3 Bucket
        - SNS Topic
        - AWS Config IAM Role
    - Workflow
- AWS OpsWorks
    - Overview
        - Configuration Management Platform
        - More control over infrastructure than Elastic Beanstalk
    - OpsWorks Stacks
        - Components
            - Stack
            - Layer
                - Recipe
            - Apps
            - Instances
    - OpsWorks Workflow
        - Setup
        - Config
        - Deploy
        - Undeploy
        - Shutdown
    - OpsWorks for Chef Automate
        

### Support

- AWS Support Plans
    - Overview
    - Types
        - Basic Support Plan
        - Developer Plan
        - Business Plan
        - Enterprise Plan
---

### Regulation, Compliance

- Compliance Program
    - [AWS Cloud Compliance Program](https://aws.amazon.com/compliance/programs/)
        - [AWS Artifact Reports](https://aws.amazon.com/artifact/)
    - Compliant
    - Compliance-Enabling
    
- AWS Artifact
    - AWS Compliance Reports Repository
---

# AWS Cloud Security Framework

## Shared Responsibility Model

<img style="-webkit-user-select: none;margin: auto;cursor: zoom-in;" src="AWS-Secuirty-SharedResponsibilityModel.png" width="6000" height="600">

- CIA Triad of Security
    - Confidentiality
    - Integrity
    - Availability
- Supporting Security Properties
    - Auditing and Accountability
    - Non-Repudiation

## Security Stack

- Physical and Environmental Security
- Network Security
    - VPC NACLs
    - Security Groups
    - AWS WAF
    - AWS Shield
    - IDS/IPS
    - Penetration Testing
- Host Security
    - Instance Key Pairs
    - Hypervisor Isolation
        - XEN
            - PV vs HVM
        - KVM
- Data Security
    - AWS Secrets Manager
    - AWS Systems Manager: Parameter Store
    - AWS KMS
    - ACM: AWS Certificate Manager
    - AWS CloudHSM
- Application Security
    - Amazon Macie
    - AWS WAF
    - AWS Shield
    - AWS CloudFront
    - AWS EC2 ELB
    - AWS EC2 ASG
- User and Identity Security
    - AWS IAM
        - User/Group/Role
        - Role
            - Providing Access to an IAM User in Another AWS Account That You Own
            - Providing Access to AWS Accounts Owned by Third Parties
            - Providing Access to an AWS Service
            - Providing Access to Externally Authenticated Users (Identity Federation)
                - Federating Users of a Mobile or Web-based App with Amazon Cognito
                    - The identity provider's ID token is exchanged for a Cognito token.
                    - The Cognito token is exchanged for temporary STS credentials.
                - Federating Users with Public Identity Service Providers or OpenID Connect
                    - AssumeRoleWithWebIdentity
                - Federating users with SAML 2.0
                    - AssumeRoleWithSAML
                - Federating users by creating a custom identity broker application
                    - AssumeRole/GetFederationToken 
        - Policies and Permissions
            - A policy is an object in AWS that, when associated with an identity or resource, defines their permissions.
            - Permissions in the policies determine whether the request is allowed or denied.
        - Policy Types
            - identity-based policies
                - Attach managed and inline policies to IAM identities 
            - resource-based policies
                - Attach inline policies to resources. 
            - permissions boundaries
                - defines the maximum permissions that the identity-based policies can grant to an entity
            - Organizations SCPs
                - define the maximum permissions for account members of an organization or organizational unit
            - ACLs 
                - control which principals in other accounts can access the resource to which the ACL is attached
            - session policies
                - limit the permissions that the role or user's identity-based policies grant to the session
        - Policy Evaluation
            - explicit deny 
            - Identity-based policies
            - Resource-based policies
            - IAM permissions boundaries
            - AWS Organizations service control policies (SCPs)
            - Session policies 
            - implicit deny (by default)
- Business Continuity Management

- Security Management (PBRM)
    - Plan        
    - Build
    - Run
        - AWS Organization
        - AWS Config
    - Monitor
        - AWS CloudTrail
        - AWS CloudWatch
            - Logs/Alarms/Events/Metrics
        
- Security Governance(EDM)
    - Evaluate
        - AWS Inspector
    - Direct
        - AWS Artifact
        - AWS Trusted Advisor
            - Cost Optimization/Performance/Security/Fault Tolerance/Service Limits
    - Monitor
        - Amazon GuardDuty
        - AWS Personal Health Dashboard
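The IAM Policy Evaluation list above, worked as an added Python example (not AWS code): a simplified evaluator over IAM-JSON-shaped policy dicts that applies an explicit deny first, requires a grant from an identity-based or resource-based policy, and treats permissions boundary, SCP and session policy as filters that can only narrow. It ignores Condition, Principal and NotAction, and the sample policies, bucket name and account id are constructed.

```python
"""Simplified IAM policy evaluation following the Policy Evaluation list above.

Added example, not AWS code. Policies are dicts in IAM JSON shape; only
Effect, Action and Resource are matched (no Condition, Principal or
NotAction). Boundary, SCP and session policy are modelled as pure filters
on a grant, which simplifies the real same-account rules.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match_action(pattern, action):
    # IAM action names match case-insensitively and support '*' wildcards
    return fnmatchcase(action.lower(), pattern.lower())


def _match_resource(pattern, resource):
    # ARNs match case-sensitively; '*' and '?' are wildcards
    return fnmatchcase(resource, pattern)


def policy_decision(policy, action, resource):
    """Return 'Deny', 'Allow' or None (no statement matched) for one policy."""
    if policy is None:
        return None
    result = None
    for stmt in _as_list(policy["Statement"]):
        if not any(_match_action(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_match_resource(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"               # an explicit deny ends evaluation
        result = "Allow"
    return result


def evaluate(action, resource, identity=None, resource_policy=None,
             boundary=None, scp=None, session=None):
    """Evaluate one request against every policy type listed on the page.

    1. An explicit Deny in any policy wins.
    2. An Allow must come from an identity-based or resource-based policy.
    3. Permissions boundary, SCP and session policy only narrow: each one
       that is present must also Allow.
    4. Otherwise the request is implicitly denied.
    """
    grants = [identity, resource_policy]
    filters = [boundary, scp, session]
    grant_decisions = [policy_decision(p, action, resource) for p in grants]
    filter_decisions = [policy_decision(p, action, resource) for p in filters]
    if "Deny" in grant_decisions + filter_decisions:
        return "Deny (explicit)"
    if "Allow" not in grant_decisions:
        return "Deny (implicit)"
    for policy, decision in zip(filters, filter_decisions):
        if policy is not None and decision != "Allow":
            return "Deny (implicit)"
    return "Allow"


# Constructed sample policies (bucket name and account id are placeholders).
IDENTITY_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::app-bucket/*"},
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
]}
# The boundary caps the user at read-only S3 even though the identity policy says s3:*
PERMISSIONS_BOUNDARY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"},
]}
SCP_ALLOW_ALL = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
OBJECT_ARN = "arn:aws:s3:::app-bucket/report.csv"
INSTANCE_ARN = "arn:aws:ec2:us-west-2:111122223333:instance/i-0example"


def demo():
    """Return the decisions for a few representative requests."""
    common = dict(identity=IDENTITY_POLICY, boundary=PERMISSIONS_BOUNDARY, scp=SCP_ALLOW_ALL)
    return {
        "get": evaluate("s3:GetObject", OBJECT_ARN, **common),        # Allow
        "put": evaluate("s3:PutObject", OBJECT_ARN, **common),        # boundary blocks it
        "delete": evaluate("s3:DeleteObject", OBJECT_ARN, **common),  # explicit deny
        "ec2": evaluate("ec2:StartInstances", INSTANCE_ARN, identity=IDENTITY_POLICY,
                        scp=SCP_ALLOW_ALL),                            # nothing grants it
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```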

## Security Strategy, Governance, Management

- Security Control
    - Control Types
        - Administrative
        - Physical
        - Technical
    - Categories
        - Preventive
        - Detective
        - Deterrent
        - Corrective
        - Recovery
        - Compensating
- DDoS Mitigation
    - Reduce Attack Surface Area
    - Plan for Scale
    - Know what is normal and abnormal traffic
    - Deploy Firewalls for Sophisticated Application attacks
- Risk Management
    - Accept
    - Reduce
    - Reject
    - Transfer

## Security Regulation, Compliance

- Compliance
    - [AWS Cloud Compliance Program](https://aws.amazon.com/compliance/programs/)
        - [AWS Artifact Reports](https://aws.amazon.com/artifact/)

# AWS Cloud DevOps Framework

## Cloud Resources Access

### AWS Console

- AWS Management Console
    - Username/Password
    - MFA

### AWS CLI

- [AWS CLI](https://aws.amazon.com/cli/)
    - Install
        - `pip install --upgrade awscli`
    - IAM Role for EC2 Service attached to EC2 Instance
    - IAM Credential
        - Access key ID/Secret access key
        - SSH Public key/Private key
    - `aws SERVICE ACTION CONFIG`
        - `aws configure`
        - `aws configure get aws_access_key_id --profile USERNAME`
    - Multiple Profile
        - `aws configure --profile USERNAME`
        - `aws s3 ls --profile USERNAME`
        - `aws configure set region REGION --profile USERNAME`
    - Pattern
        - `aws <service> <operation> <--options>`
        - `aws <service> <operation> help`
        - `--query 'JMESPath-Query-String'`
        - `--filters Name=name,Values=value` (EC2 describe-* commands)

- IAM
    - `aws iam create-user --user-name USER`
    - `aws iam delete-user --user-name USER`
    - `aws iam create-access-key --user-name USER`
    - `aws iam delete-access-key --user-name USER --access-key-id ID`
    - `aws iam list-policies --output table | grep EC2Full`
    - `aws iam attach-user-policy --policy-arn ARN --user-name USER`
    - `aws iam detach-user-policy --user-name USER --policy-arn ARN`
    - `aws iam create-role --role-name ROLE --assume-role-policy-document file://ROLE_POLICY.json`
    - `aws iam attach-role-policy --policy-arn ARN --role-name ROLE`
    - `aws iam create-instance-profile --instance-profile-name PROFILE`
    - `aws iam add-role-to-instance-profile --instance-profile-name PROFILE --role-name ROLE`
---

- S3
    - `aws s3 ls`
    - `aws s3 ls s3://BUCKET`
    - `aws s3 cp SOURCE s3://BUCKET/`
    - `aws s3 cp s3://BUCKET/OBJECT DESTINATION`
    - `aws s3 sync SOURCE s3://BUCKET`
    - `aws s3 mb s3://BUCKET_NAME`
    - `aws s3 presign s3://BUCKET/OBJECT --expires-in 600`
    - SSE-x encryption
        - `aws s3 cp SOURCE s3://BUCKET/ --sse`
        - `aws s3 cp SOURCE s3://BUCKET/ --sse aws:kms`
        - `aws s3 cp SOURCE s3://BUCKET/ --sse aws:kms --sse-kms-key-id KEYID`
        - `openssl enc -aes-256-cbc -k secret -P` (derives a 256-bit key; SSE-C requires a 256-bit AES key)
        - `aws s3 cp SOURCE s3://BUCKET/ --sse-c --sse-c-key C_KEY`
        
---

- EC2
    - EC2 Service Role in IAM
    - `aws ec2 describe-instances`
    - `aws ec2 create-key-pair --key-name MyKeyPair --query 'KeyMaterial' --output text > MyKeyPair.pem`
    - `aws ec2 run-instances --image-id ami-8c1be5f6 --instance-type t2.micro --key-name MyKeyPair`
    - `aws ec2 run-instances --image-id ami-8c1be5f6 --instance-type t2.micro --key-name MyKeyPair --security-group-ids sg-beb3eacc --subnet-id subnet-ed36c3c2 --user-data file://userdata.txt`
    - `aws ec2 terminate-instances --instance-ids i-0b20d7680fa0e6ba0 i-00251da28fa34ffd1`
    - `image_id=$(aws ec2 create-image --instance-id $instance_id --name "imgName" --description "an image from instance" --query ImageId --output text)`
    - `aws ec2 create-tags --resources RESOURCE_ID --tags Key=Name,Value=CLI-VPC`
---

- VPC
    - `aws ec2 describe-vpcs`
    - `aws ec2 create-vpc --cidr-block 10.0.0.0/16`
    - `aws ec2 create-subnet --vpc-id VPCID --cidr-block 10.0.1.0/24`
    - `aws ec2 create-internet-gateway`
    - `aws ec2 attach-internet-gateway --internet-gateway-id IGWID --vpc-id VPCID`
    - `aws ec2 allocate-address --domain vpc`
    - `aws ec2 create-nat-gateway --subnet-id PUBSUB_ID --allocation-id EIP_ID`
    - `aws ec2 create-route-table --vpc-id VPC_ID`
    - `aws ec2 create-route --route-table-id RTB_ID --destination-cidr-block 0.0.0.0/0 --gateway-id IGW_ID`
    - `aws ec2 create-route --route-table-id RTB_ID --destination-cidr-block 0.0.0.0/0 --gateway-id NATGW_ID`
    - `aws ec2 associate-route-table --route-table-id RTB_ID --subnet-id SUB_ID`
    - `aws ec2 create-security-group --group-name SG_NAME --description "sg01" --vpc-id VPC_ID`
    - `aws ec2 authorize-security-group-ingress --group-id SG_ID --protocol tcp --port 22 --cidr 0.0.0.0/0`
    - `aws ec2 authorize-security-group-ingress --group-id SG_ID --protocol tcp --port 80 --cidr 0.0.0.0/0`
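
As an added Python example (not from the page or AWS), a check that flags security groups whose ingress rules expose a port to the whole internet, as the two `authorize-security-group-ingress` commands above do for ports 22 and 80. The input is constructed in the JSON shape `aws ec2 describe-security-groups --output json` returns, with placeholder group IDs.

```python
"""Flag security groups that expose a port to the whole internet.

Added example, not AWS code. Input is JSON in the shape returned by
`aws ec2 describe-security-groups`; the sample below is constructed and
its group IDs are placeholders.
"""
import json

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed sample: sg01 mirrors the two authorize-security-group-ingress
# commands above (22 and 80 open to 0.0.0.0/0).
SAMPLE_DESCRIBE_OUTPUT = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-000000000000aaaaa", "GroupName": "sg01", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-000000000000bbbbb", "GroupName": "ssh-from-vpc", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-000000000000ccccc", "GroupName": "all-traffic-v6", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]})


def rule_exposes_port(perm, port, proto="tcp"):
    """True if one IpPermission lets 0.0.0.0/0 or ::/0 reach port/proto."""
    cidrs = {r.get("CidrIp") for r in perm.get("IpRanges", [])}
    cidrs |= {r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])}
    if not cidrs & WORLD_CIDRS:
        return False
    if perm.get("IpProtocol") == "-1":      # all protocols and all ports
        return True
    if perm.get("IpProtocol") != proto:
        return False
    # FromPort/ToPort bound the rule; missing values are treated as the full range
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def find_world_open(describe_json, port=22, proto="tcp"):
    """Return [(GroupId, GroupName)] for every group exposing port/proto to the world."""
    groups = json.loads(describe_json).get("SecurityGroups", [])
    return [(sg["GroupId"], sg["GroupName"]) for sg in groups
            if any(rule_exposes_port(p, port, proto) for p in sg.get("IpPermissions", []))]


if __name__ == "__main__":
    for gid, name in find_world_open(SAMPLE_DESCRIBE_OUTPUT, 22):
        print(f"{gid} ({name}): port 22 open to the world")
```

Against a real account, save `aws ec2 describe-security-groups --output json` to a file and pass its contents to `find_world_open`.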
---

- Lambda
    - `aws iam create-role --role-name lambdarole --assume-role-policy-document file://lambdaTrustPolicy.json`
    - `aws iam attach-role-policy --role-name lambdarole --policy-arn arn:aws:iam::aws:policy/AmazonEC2FullAccess`
    - `aws lambda create-function --function-name FUNC_NAME --runtime python3.6 --role ROLE_ARN --handler stopEC2.lambda_handler --zip-file fileb://lambda.zip`
    - `aws lambda invoke --invocation-type Event --function-name FUNC_NAME out.json`
    - `aws lambda invoke --invocation-type RequestResponse --function-name FUNC_NAME --payload '{"key1":"value1"}' out.json`

---

- Cloudformation
    - `aws cloudformation describe-stacks`
    - `aws cloudformation create-stack --stack-name STACK --template-body file://TEMPLATE.json`
    - `aws cloudformation update-stack --stack-name STACK --template-body file://TEMPLATE.json --parameters ParameterKey=KeyPairName,ParameterValue=SampleKeyPair`
    - `aws cloudformation delete-stack --stack-name STACK`
---
        
- KMS
    - `aws kms list-keys`
    - `aws kms create-key --description "key4s3"`
    - `aws kms create-alias --alias-name alias/example-alias --target-key-id 1234abcd-12ab-34cd-56ef-1234567890ab`
    - `aws kms list-aliases`

### SDK/CDK

- [SDKs and Toolkits](https://aws.amazon.com/getting-started/tools-sdks/)
    - IAM Temporary Credential

- [AWS Cloud Development Kit(AWS CDK)](https://aws.amazon.com/cdk/)
    - Powered by AWS CloudFormation
    - Model application infrastructure using TypeScript, Python, Java, and .NET.
    - `npm install -g aws-cdk`
    - `pip install --upgrade aws-cdk.core`
    - `cdk init --language python`
    - `source .env/bin/activate`
    - `pip install -r requirements.txt`

- AWS Python SDK: Boto3
    - `pip install boto3`

## Infrastructure as Code

### AWS Tool Sets

- AWS Services Sets
    - AWS CloudFormation
        - Designer
        - Template
        - CloudFormer

## Terraform IaC

### Project and CLI

- Project
    - `shared_vars/shared_vars.tf`
    - `module1/`
    - `module2/`
    - `main.tf`
    - `provider.tf`
        ```hcl
        provider "aws" {
            # Prefer environment variables or the shared credentials file over hardcoded keys
            access_key = ""
            secret_key = ""
            region     = "us-west-2"
        }
        ```
---

- Module
    - reusable code block
    - local module: a subfolder in the project folder containing the module's `.tf` files
    
    
- Workspace
    - Switchable Dev/Stage/Prod environment management
---

- Terraform CMDs
    - `terraform init`
    - `terraform workspace`
        - `new test/stage/prod`
        - `list`
        - `select prod`
    - `terraform plan`
    - `terraform apply`       
    - `terraform destroy`


### Configuration Language

- Token/Identifier
    - `/[a-zA-Z_][a-zA-Z0-9_-]*/`
    
- Types
    - boolean: `true, false`
    - string: 
        - double quoted string: `"str"`
        - heredoc string: `<<EOF ... EOF`
    - number: `32`
    - list: `list(<TYPE>)`
    - set: `set(<TYPE>)`
    - map: `map(<TYPE>)`
    - object: `object({ <ATTR> = <TYPE>, ... })`
    - tuple: `tuple([<TYPE>, ...])`
    - Keywords
        - `provider`
        - `resource`
            - ref:
                - `${TYPE.NAME.ATTR}`
        - `variable`
            - ref: 
                - `${var.VAR}`
                - `${var.VAR.ATTR}`
                - `${var.listVAR[INDEX]}`
                - `${var.mapVAR["KEY"]}`
        - `output`
            - output information
        - `module`
            - declare module:
                - `module "MOD_NAME" { source = "./MOD_FOLDER" ...}`
            - ref module resources:
                - `${module.MODNAME.RES}`
        - `locals`
            - declare local variable
                - `locals { env = "${terraform.workspace}" }`
- Expression
    - variable declare/reference
    - resource reference
        - `${NAME.KEY.KEY...}`
    - input pattern
        - variable statement without default value
        - output variable
        - `variable "input_variable" {}`
    - local variable reference
        - `${local.VAR}`
    - lookup mapping
        - `id = "${lookup(local.ids_env, local.env)}"`
    - Shared variable pattern: a module exposes shared values, and consumers read them through `lookup()` on a mapping

- Resources
    ```hcl
    resource "aws_instance" "web" {
      ami           = "ami-a1b2c3d4"
      instance_type = "t2.micro"
    }
    ```
- Provider
    ```hcl
    provider "aws" {
        # Prefer environment variables or the shared credentials file over hardcoded keys
        access_key = ""
        secret_key = ""
        region     = "us-west-2"
    }
    ```

- Input Variables
    - root module get value from CLI
    - child module get value from module block passing
    ```hcl
    variable "image_id" {
      type = string
    }    
    ```
    
- Output Variables
    - root module get value from CLI
    - child module get value from module block passing
    ```hcl
    variable "image_id" {
      type = string
    }    
    variable "availability_zone_names" {
      type    = list(string)
      default = ["us-west-1a"]
    }
    variable "docker_ports" {
      type = list(object({
        internal = number
        external = number
        protocol = string
      }))
      default = [
        {
          internal = 8300
          external = 8300
          protocol = "tcp"
        }
      ]
    }
    ```
    
- Configuration

- Argument
    - `identifier = expression`
- Expression
- Block
    ```
    <BLOCK TYPE> "<BLOCK LABEL>" "<BLOCK LABEL>" {
        Block body
        <IDENTIFIER> = <EXPRESSION> # Argument
    }
    ```

- Statement
- Flow Control

- Variables
    ```hcl
    //variable: string - single line
    variable "helloworld" {
      default = "Hello World"
    }
    
    output "variable_string_singleline" {
      value = "${var.helloworld}"
    }

    //variable: string - multiple line
    variable "multiline_helloworld" {
      default = <<EOF
    Hello World Line 1
    Hello World Line 2  
    EOF
    }
    
    output "variable_string_multiline" {
      value = "${var.multiline_helloworld}"
    }
    
    //variable: map
    variable "hellomap" {
      default = {
          "key1" = "value1"
          "key2" = "value2"
      }
    }
    
    output "varible_map" {
      value = "${var.hellomap}"
    }

    output "varible_map_key1" {
      value = "${var.hellomap["key1"]}"
    }

    //variable: list
    variable "hellolist" {
      default = ["item1", 2, "item3"]
    }

    output "varible_list" {
      value = "${var.hellolist}"
    }
    
    output "varible_list_1" {
      value = "${var.hellolist[1]}"
    }

    //variable: boolean
    variable "helloboolean" {
      default = true
    }
    
    output "varible_boolean" {
      value = "${var.helloboolean}"
    }
    ```

## CI/CD

### AWS DevOps Service Sets

- Cloud9
- CodeStar
- X-Ray
- Source: CodeCommit
- Build: CodeBuild
    - Overview
    - Components
        - Source
            - Buildspec file
                ```yaml
                version: 0.2
                
                run-as: Linux-user-name

                env:
                  variables:
                    key: "value"
                    key: "value"
                  parameter-store:
                    key: "value"
                    key: "value"
                  exported-variables:
                    - variable
                    - variable
                  secrets-manager:
                    key: secret-id:json-key:version-stage:version-id
                  git-credential-helper: yes

                proxy:
                    upload-artifacts: yes
                    logs: yes

                phases:
                  install:
                    run-as: Linux-user-name
                    runtime-versions:
                      runtime: version
                      runtime: version
                    commands:
                      - command
                      - command
                    finally:
                      - command
                      - command
                  pre_build:
                    run-as: Linux-user-name
                    commands:
                      - command
                      - command
                    finally:
                      - command
                      - command
                  build:
                    run-as: Linux-user-name
                    commands:
                      - command
                      - command
                    finally:
                      - command
                      - command
                  post_build:
                    run-as: Linux-user-name
                    commands:
                      - command
                      - command
                    finally:
                      - command
                      - command
                reports:
                  report-name-or-arn:
                    files:
                      - location
                      - location
                    base-directory: location
                    discard-paths: yes
                    file-format: JunitXml | CucumberJson | VisualStudioTrx | TestNGXml
                artifacts:
                  files:
                    - location
                    - location
                  name: artifact-name
                  discard-paths: yes
                  base-directory: location
                  secondary-artifacts:
                    artifactIdentifier:
                      files:
                        - location
                        - location
                      name: secondary-artifact-name
                      discard-paths: yes
                      base-directory: location
                    artifactIdentifier:
                      files:
                        - location
                        - location
                      discard-paths: yes
                      base-directory: location
                cache:
                  paths:
                    - path
                    - path
                ```
        - Phases:
            - Install
            - PreBuild
            - Build
            - PostBuild
        - Environment
        - Artifact
- Deploy: CodeDeploy
    - Overview
    - Terms
    - Components
        - Application
            - AppSpec file
                ```yaml
                version: version-number
                os: operating-system-name
                files:
                  - source: source-files-location
                    destination: destination-files-location
                permissions:
                  - object: object-specification
                    pattern: pattern-specification
                    except: exception-specification
                    owner: owner-account-name
                    group: group-name
                    mode: mode-specification
                    acls:
                      - acls-specification
                    context:
                      user: user-specification
                      type: type-specification
                      range: range-specification
                    type:
                      - object-type
                hooks:
                  deployment-lifecycle-event-name:
                    - location: script-location
                      timeout: timeout-in-seconds
                      runas: user-name
                ```
        - Hooks
            - Start
            
            - BeforeBlockTraffic
            - BlockTraffic
            - AfterBlockTraffic

            - ApplicationStop
            - DownloadBundle
            - BeforeInstall
            - Install
            - AfterInstall
            - ApplicationStart
            - ValidateService
            
            - BeforeAllowTraffic
            - AllowTraffic
            - AfterAllowTraffic
        - Compute Platform
            - Instance
            - On-Premise
            - Lambda
            - Service Role
        - Deployment Configuration
            - EC2
                - In-Place
                    - all at once
                    - Half at a time
                    - One at a time
                - Blue/Green
            - Lambda
                - all at once
                - linear
                - canary
        - Deployment Group
        - Revision
    - Workflow
        - Create Application
        - Deployment Group
        - Deployment Configuration
        - Deploy/Rollback
- Pipeline: CodePipeline
    - Overview
    - Components
        - Stage
        - Action
            - Source
            - Build
            - Test
            - Deploy
            - Approval
            - Invoke
        - Transition

- Elastic Beanstalk
- OpsWorks
- ECS/ECR/EKS

### Best Practice

- Set Up the Credential Helper
    - `git config --global credential.helper '!aws codecommit credential-helper $@'`
    - `git config --global credential.UseHttpPath true`


## Microservice

- Benefits
    - Agility
    - Innovation
    - Quality
    - Scalability
    - Availability
- Cloud Native Components
    - Serverless
        - Lambda
        - Fargate
        - API Gateway
        - Step Functions
        - SQS
        - SNS
        - S3
        - DynamoDB
        - Aurora Serverless
    - DevOps
        - CloudFormation
        - CodePipeline
        - Cloud9
        - CodeCommit
        - CodeBuild
        - CodeDeploy
        - CloudTrail
        - CloudWatch
        - X-Ray
    - Security

# AWS Best Practices-Pillars

## Principles

- Enable Scalability
- Avoid SPOF
- Utilize Disposable Components
- Leverage Automation
- Leverage Caching
- Loose Coupling
- Choose the right data architecture
- Optimize for Cost
- Security in All Layers

## Operation Excellence

## Security

## Performance Efficiency

- Capacity Plan

## Reliability

- Resiliency            
    - Resiliency of Internet Connectivity
        - IGW is inherently resilient and highly available
    - Resiliency of VPN
    - Resiliency of DX
    - Resiliency of Application
    - Resiliency of DB

## Cost Optimization

## ITILv3 ITSM

### Cloud Governance

- Governance Goal
    - Assure that the use of IT generates business value
    - Oversee and ensure IT staff's performance
    - Mitigate the risks associated with the use of IT
- Cloud IT Challenges
    - Dynamic Billing
    - Remote Access
    - Dynamic Provisioning of Resources
- Governance Process
    - Policy
    - Compliance
    - Enforcement
- AWS Governance
    - Resource States
        - AWS Config
        - Resource Tagging
        - CloudWatch Metrics
        - CloudWatch Alarms
        - AWS Trusted Advisor
        - Billing Console
    - Transition Actions
        - AWS CloudTrail
        - AWS CloudWatch Event
        - AWS Config Rules
        - AWS Service Catalog
        - AWS IAM Policy Actions
    - Actors States
        - IAM User/Group/Role
        - AWS Config Rules: IAM
        - AWS Directory Service
        - IAM Reports
    
   

# AWS Best Practices-Domain

## Networking

- Topology
    - Region
        - AZs
    - VPC: Logical Isolation
        - Subnets: 
            - Tier Isolation
            - Logical Mapping to AZ

- Network Resources Relationship View
    - <img style="-webkit-user-select: none;margin: auto;cursor: zoom-in;" src="AWS-BestPractice-NetResRelaView.png" width="600" height="500">
    

- Connectivity
    - Network-to-Amazon VPC Connectivity
        - AWS Managed VPN
        - AWS Direct Connect
        - AWS Direct Connect Plus VPN
        - AWS VPN CloudHub
        - Software VPN
        - Transit VPC
    - Amazon VPC-to-Amazon VPC Connectivity
        - VPC Peering
        - Software VPN
        - Software-to-AWS Managed VPN
        - AWS Managed VPN
        - AWS Direct Connect
        - AWS PrivateLink
            - interface endpoints
    - Internal User-to-Amazon VPC Connectivity Options
        - Software Remote-Access VPN

    
- Network Design 01: ENI, SG, Subnet, Route, IGW, VPG, NAT, PCX, Transit VPC
    - <img style="-webkit-user-select: none;margin: auto;cursor: zoom-in;" src="AWS-BestPractice-NetDesign01.png" width="900" height="700">

## Reference Architecture

### Wordpress

<img style="-webkit-user-select: none;margin: auto;cursor: zoom-in;" src="AWS-Architecture-WordPress.png" width="800" height="800">

### Gaming

<img style="-webkit-user-select: none;margin: auto;cursor: zoom-in;" src="AWS-Architecture-Gaming.png" width="800" height="800">

# END

- AWS Solution
    - Overview
    - Use Case
    - Technology
    - Architecture
        - Security
        - Reliability
        - Performance
        - Operation
        - Cost
    - Deploy/Config/Operate
        - Prerequisite
        - Workflow
    - Optimize
        - Best Practice