AWS Complete Notes by veera sir

What is EC2?

EC2 stands for Elastic Compute Cloud. It is the virtual machine in the Cloud Environment. EC2 provides scalable capacity — instances can scale up and down automatically based on traffic. You do not need to invest in hardware. You can launch as many servers as you want with complete control over security, networking, and storage.

Instance Types

Instance types provide a range of CPU, memory, storage, and networking for various use cases.

EBS Volume Types

• General Purpose SSD (gp2/gp3) — boot volumes, dev/test, low-latency apps
• Provisioned IOPS SSD (io1/io2) — databases needing 16,000+ IOPS
• Throughput Optimized HDD (st1) — big data, data warehouses, streaming
• Cold HDD (sc1) — infrequently accessed, lowest cost
• Magnetic — legacy workloads

AMI — Amazon Machine Image

An AMI decides the OS, installs dependencies, libraries, and data of your EC2 instances. Multiple instances with the same configuration can be launched using a single AMI.

Security Groups

• Acts as a virtual firewall for EC2 instances.
• Decides the type of port and traffic to allow.
• Security groups operate at the instance level; Network ACLs operate at the subnet level.
• Security Groups can only allow traffic — they cannot deny it explicitly.
• Security Groups are stateful — return traffic is automatically allowed.
• By default, all outbound traffic is allowed; inbound rules must be explicitly defined.

Key Pair

A key pair consists of a public key (attached to EC2 instance) and a private key (held by you). Access is only granted if both keys match. Keep the private key in a secure place.

Pricing Models

What is Elastic Beanstalk?

Beanstalk is a compute service for deploying and scaling applications in many popular languages. Developers focus on writing code — AWS handles infrastructure. It provides a dashboard to monitor applications and flexibility to choose AWS resources and pricing options.

Environment Types

Supported Platforms

.Net (Linux/Windows), Docker, GlassFish, Go, Java, Node.js, Python, Ruby, Tomcat

Deployment Models

What is AWS Lambda?

Lambda is a serverless compute service that runs code without provisioning servers. It only runs when needed, scales automatically, and follows a pay-per-use model — no charge when code is not running.

Lambda Functions

• A function is a block of code in Lambda — upload as zip or from S3.
• Lambda automatically monitors functions and reports metrics via CloudWatch.

Lambda Layers

• A layer is a container/archive with additional code (libraries, dependencies, custom runtimes).
• Up to 5 layers per function. Layers are immutable — new version on publish.
• Layers are private by default but can be shared or made public.

Supported Event Sources

DynamoDB, SQS, SNS, CloudWatch Events, API Gateway, AWS IoT, Kinesis, CloudWatch Logs

Supported Languages

Node.js, Go, Java, Python, Ruby, .NET

Lambda@Edge

Feature of CloudFront that runs code closer to users, improving performance and reducing latency. No infrastructure management needed globally — runs in response to CDN events.

What is AWS Fargate?

Fargate is a serverless compute service for containers used by Amazon ECS and Amazon EKS. It eliminates the need to provision, configure, or scale EC2 instances for containers. Each Fargate task does not share its kernel, memory, CPU, or ENI with other tasks.

Storage Support

• Amazon EFS volumes — for persistent storage
• Ephemeral storage — for non-persistent storage

Benefits

• Focus on building applications, not managing servers
• Automatically scales compute matching container resource requirements
• Built-in integration with CloudWatch Container Insights

What is Amazon EKS?

EKS enables users to manage Kubernetes applications in the AWS cloud or on-premises. Any standard Kubernetes application can be migrated to EKS without altering code.

EKS Cluster Components

AWS Service Integrations

• Images — Amazon ECR
• Load distribution — AWS ELB
• Authentication — AWS IAM
• Isolation — Amazon VPC

Creation Tools

• eksctl — CLI utility for creating/managing EKS clusters
• AWS Management Console + AWS CLI

What is Amazon ECS?

ECS is a regional container orchestration service (like Docker) that allows executing, stopping, and managing containers on a cluster. Containers are defined in task definitions (JSON format) which specify container images to run.

Key Concepts

• Task Definition — JSON config specifying container images, CPU, memory, ports
• Task — running instance of a task definition
• Service — runs and maintains a desired number of tasks simultaneously
• Cluster — logical grouping of tasks/services running on EC2 or Fargate
• Container Agent — runs on each EC2 instance; sends resource data to ECS

Application Load Balancer Features

• Enables containers to use dynamic host port mapping
• Allows multiple tasks from the same service per container instance
• Supports path-based routing and priority rules
• Multiple services can use the same listener port on a single ALB

Integrations

IAM, EC2 Auto Scaling, ELB, ECR, CloudFormation, App Mesh, SageMaker, AWS Batch, Amazon Lex

Use Cases

• Microservices — decoupled independent services
• Batch Jobs — short-lived Docker containers processed as ECS tasks

What is ECR?

ECR is a managed service to store, manage, share, and deploy container images and artifacts. Integrated with ECS, EKS, Lambda, and Fargate for easy deployments.

Key Features

• Stores both user-created containers and AWS Marketplace container software
• IAM enables resource-level control per repository
• Supports public and private repositories
• Amazon ECR Public Gallery — portal for all public repositories
• Images stored in Amazon S3 — 11 nines durability (99.999999999%)
• Cross-region and cross-account replication
• HTTPS encryption in transit; AES-256 at rest (SSE-S3 or customer KMS keys)
• Lifecycle policies to manage image lifecycle

Basics

• Object-based storage; files stored in Buckets
• Files can be 0 to 5 TB; bucket names must be globally unique
• Successful upload returns HTTP 200
• Strong consistency for PUTs, overwrites, deletes, and list operations
• All objects are private by default

Storage Classes

Key Properties

• Versioning — multiple versions of objects in the same bucket
• Static Website Hosting — no server-side technology needed
• Encryption — SSE-S3, SSE-KMS, or client-side
• Object Lock — block version deletion for a defined period (enable only at bucket creation)
• Transfer Acceleration — uses CloudFront edge locations for fast global uploads
• Replication — replicate data between buckets in same or different regions
• Lifecycle Policies — auto-transition objects to cheaper storage classes

Permissions

• ACL — grant read/write to another AWS account
• Bucket Policy — JSON-based advanced permissions
• CORS — allow cross-origin access to S3 resources

What is AWS Backup?

AWS Backup automates and governs data backup across the AWS cloud and on-premises. It provides a backup console, APIs, and CLI to manage backups across instances and databases.

Key Features

• Policy-based, tag-based, and resource-based backup
• Scheduled backup plans across accounts and regions
• Incremental backup — only backs up changes after first full backup
• Backup retention plans with automatic expiry
• Dashboard to monitor backup and restore activities
• Separate encryption keys per resource
• Lifecycle policies to auto-move EFS backups to cold storage
• Cross-account backup and restore within AWS Organizations
• Cross-region backups for disaster recovery
• Integration with CloudWatch, CloudTrail, and SNS for monitoring and notifications

What is EBS?

EBS is a persistent block-level storage (volume) service for Amazon EC2. EBS is AZ-specific and automatically replicated within its AZ for high availability and durability.

EBS Volume Types

Key Points

• Locked to a single Availability Zone — to move across AZs, take a snapshot first
• Default volume type: General Purpose SSD (gp2)
• Can detach from one EC2 instance and attach to another quickly
• RAID 0 (increase performance) or RAID 1 (fault tolerance)
• Unencrypted volumes can be encrypted using an encrypted snapshot
• Snapshot of an encrypted volume is encrypted by default

What is EFS?

Amazon EFS provides a scalable, fully managed elastic NFS-based distributed file system. It is persistent, scales to petabytes, and is designed to share with thousands of EC2 instances in parallel. It is a regional service, automatically replicated across multiple AZs.

Storage Classes

Access Modes

• Performance Modes: General Purpose (low latency) or Max I/O (high throughput)
• Throughput Modes: Bursting (grows with file system) or Provisioned (fixed capacity)

Key Features

• POSIX-compliant NFS (NFSv4), SSD-based, consistent low latencies
• Access across AZs, regions, VPCs, and on-premises via Direct Connect or VPN
• EFS Lifecycle Management for auto-moving files to IA storage
• Integrated with AWS DataSync, CloudWatch, CloudTrail
• Encryption at transit (TLS) and rest (KMS)
• EFS is more expensive than EBS
• Performance mode cannot be changed after creation
• Not suitable for boot volumes or highly transactional SQL/NoSQL databases

Use Cases

Mission-critical apps, microservices, container storage, web serving, media/entertainment, database backups, analytics, machine learning

What is S3 Glacier?

S3 Glacier is a web service with vaults for long-term data archiving and backup. It is the cheapest S3 storage class with 11 nines durability. Supports unlimited data — photos, videos, documents, data lakes, compliance data.

Data Retrieval Options

Key Features

• Vaults can be created, deleted, locked, listed, tagged, and configured
• Amazon SNS notifications when jobs complete
• S3 Glacier Select — query specific archive bytes using SQL (SELECT/FROM/WHERE) on uncompressed CSV data
• Only SSE-KMS and SSE-S3 encryption supported
• Does not provide real-time data retrieval

What is Aurora?

Aurora is AWS's fully managed RDS service compatible with MySQL and PostgreSQL only. AWS claims 5× throughput over MySQL and 3× over PostgreSQL.

High Availability

• Only supported in regions with minimum 3 AZs
• 99.99% availability — 2 copies in each AZ × 3 AZs = 6 copies total
• Up to 15 read replicas (vs 5 in standard RDS)
• Scales up to 128 TB per DB instance
• Read replicas have ≤100ms lag from primary

Aurora Features

• Aurora Global Database — spans multiple regions, low-latency global access, usable as cross-region DR
• Aurora Multi-Master — MySQL only; write operations scaled across multiple AZs, no single point of failure
• Aurora Serverless — scales in/out based on load; specify min (2 GB RAM) and max (488 GB RAM); for intermittent/unpredictable workloads; available for MySQL and PostgreSQL
• Fault Tolerance + Self-Healing — can handle loss of 2 copies without impacting writes, 3 copies without impacting reads; disks continuously scanned and repaired

What is DocumentDB?

DocumentDB is a fully managed document database service compatible with MongoDB. Ideal for storing, querying, and indexing JSON data.

Key Features

• Compatible with MongoDB 3.6 and 4.0
• Migrate MongoDB using AWS DMS (Database Migration Service)
• Storage auto-scales in 10 GB increments up to 64 TB
• Up to 15 read replicas with single-digit ms latency
• Instances reside in VPCs with security group access control
• Role-based access control (RBAC)
• Minimum 6 copies across 3 AZs for fault tolerance
• Self-healing — data blocks and disks continuously scanned and repaired
• Snapshots user-initiated; stored in S3 until explicitly deleted

What is DynamoDB?

DynamoDB is a Key-value and Document DB — serverless, no servers to manage. Delivers single-digit millisecond latency. Handles 20 million requests/second and 10 trillion requests/day.

Keys

• Primary Key — uniquely identifies each item (e.g., Student_ID)
• Partition Key — primary key with one attribute
• Partition Key + Sort Key — composite primary key for items without a unique attribute

Secondary Indexes

• Global Secondary Index (GSI) — different partition and sort keys from the table
• Local Secondary Index (LSI) — same partition key but different sort key

DynamoDB Accelerator (DAX)

• Fully managed in-memory cache for DynamoDB
• Up to 10× performance improvement; ms → microseconds
• For read-intensive workloads (not strongly consistent reads)
• Horizontal scaling (add up to 10 read replicas); Vertical scaling (change node type)

Consistency Models

• Eventually Consistent Reads — may return stale data after recent write
• Strongly Consistent Reads — returns most up-to-date data

Throughput Capacity

DynamoDB Transactions

ACID properties within a single account across tables. Each transaction can store up to 4 MB of data and 25 unique items. Use cases: financial transactions, gaming, high-volume order processing.

DynamoDB Streams

Captures item-level changes in near real-time. Stream data stored up to 24 hours. Commonly consumed by AWS Lambda or Kinesis Client Library (KCL).

What is ElastiCache?

ElastiCache is a fully managed in-memory data store. It significantly improves latency and throughput for read-heavy workloads. Works with both Redis and Memcached engines.

Best Practices

• Web sessions behind load balancer → use Redis
• Caching RDS query results → use Memcached in front of RDS
• Gaming dashboards → Memcached for fast fetching

Supported Engines

MySQL, PostgreSQL, MariaDB, Oracle, MS SQL Server, Amazon Aurora

Multi-AZ vs Read Replicas

Backups

• Default retention: 7 days (console); 1 day (CLI/API)
• Maximum automatic backup retention: 35 days
• Setting retention to 0 disables automatic backup
• Maximum 100 manual snapshots per region

DB Instance Classes

• Standard (m-series) — balanced compute, memory, network
• Burstable Performance (t-series) — baseline CPU with burst capability
• Memory Optimized (r, x, z series) — for large in-memory datasets

What is Redshift?

Redshift is a fast, fully managed, petabyte-scale data warehouse service. Highly scalable — under $1,000 per TB per year, which is less than a tenth of most competing solutions.

Cluster Configuration

• Single Node — 160 GB
• Multi-Node — Leader Node (manages connections/queries) + up to 128 Compute Nodes (store data, execute queries)

Key Features

• Columnar storage + multiple compression techniques — less space than traditional RDBMS
• No indexes or materialized views needed
• MPP (Massively Parallel Processing) — auto-distributes data and query load across nodes
• Default backup retention: 1 day; max 35 days
• Always maintains at least 3 copies: original + compute node replica + S3 backup
• Asynchronous snapshot replication to S3 in another region for DR
• Only available in 1 AZ — but can store snapshots to new AZs on outage

Core Concepts

• Root User — first account created with complete AWS access; protect with MFA
• IAM User — person or service that interacts with AWS individually
• IAM Group — collection of IAM users; assign permissions to the group
• IAM Role — like a user with policies; no credentials attached; can be assumed temporarily
• Principal — entity making a request for action on an AWS resource

IAM Policies

• JSON documents that define permissions — what actions are allowed/denied on which resources
• Resource-Based Policies — attached to a resource (e.g., S3 bucket)
• Identity-Based Policies — attached to users, groups, or roles
• AWS Managed Policies — created and managed by AWS
• Customer Managed Policies — created by you; more precise control
• Inline Policies — directly embedded in a user/group/role; 1:1 relationship

Security Best Practices

• Grant least privilege access rights
• Enable Multi-Factor Authentication (MFA)
• Monitor with CloudTrail
• Use policy conditions for extra security
• Create a strong password policy
• Remove unnecessary credentials

What is Amazon Cognito?

Cognito provides authentication, authorization, and user management for web and mobile apps. Enables sign-in through social providers (Google, Facebook, Amazon) and enterprise providers (Active Directory via SAML).

Standards Supported

OAuth 2.0, OpenID Connect, SAML 2.0. User verification via SMS or TOTP (e.g., Google Authenticator).

What is Secrets Manager?

Replaces hardcoded credentials in code with an API call. Provides rotation, management, and retrieval of database passwords, OAuth tokens, and API keys. Ensures in-transit encryption between AWS and the retrieving system.

Access Methods

AWS Management Console, AWS CLI, AWS Tools for Windows PowerShell, AWS SDKs, Secrets Manager HTTPS Query API

Native Rotation Support

MySQL, PostgreSQL, Oracle, MariaDB, MS SQL Server on Amazon RDS; Amazon DocumentDB; Amazon Redshift; Amazon Aurora

Key Features

• Rotate secrets safely without code deployment
• IAM policies to control developer access per environment
• Secrets encrypted with AWS KMS keys
• Integrates with CloudTrail and CloudWatch for auditing

What is Security Hub?

Provides an extensive view of security in AWS and helps protect against security industry standards. Aggregates findings from GuardDuty, Inspector, Macie, IAM Access Analyzer, Firewall Manager, and AWS Partner solutions.

Compliance Checks

Continuous automated checks using CIS AWS Foundations Benchmark (43 checks) and PCI DSS. Recommends remediation steps for any issues found.

Enable / Disable

Via AWS Management Console, AWS CLI, or Terraform. Must be enabled per region. Master account costs include all member account costs.

What is AWS KMS?

Secured service to create and control encryption keys. Integrated with EBS, S3, and other AWS services for data-at-rest encryption. KMS is a global service but keys are regional — keys cannot leave their region.

CMK Types

• Symmetric CMK — 256-bit key for encryption and decryption
• Asymmetric CMK — RSA key pair (encrypt/decrypt or sign/verify) or ECC key pair (sign/verify)
• Customer Managed CMK — created, owned, managed by you; full control
• AWS Managed CMK — created by AWS on your behalf; cannot be used in cryptographic operations directly

Envelope Encryption

Encrypts plaintext with a data key, then encrypts the data key under another key. Benefits: protects data keys, supports multiple master keys, combines strengths of algorithms.

Features

• Automatic key rotation once per year
• CloudTrail logs every KMS request
• Stores multiple encrypted copies of keys for high availability

What is ACM?

ACM allows provisioning, managing, renewing, and deploying public and private SSL/TLS X.509 certificates. Certificates can be issued directly by ACM or imported from third parties.

SSL Certificate Types

• EV SSL — Extended Validation (most expensive)
• OV SSL — Organization Validated
• DV SSL — Domain Validated (minimal encryption)
• Wildcard SSL — base domain + all subdomains
• Multi-Domain SSL (MDC) — up to hundreds of domains
• Unified Communications Certificate (UCC) — multiple domain names

Supported Services

Elastic Load Balancing, Amazon CloudFront, AWS Elastic Beanstalk, Amazon API Gateway, AWS Nitro Enclaves, AWS CloudFormation

What is Auto Scaling?

Auto Scaling monitors applications and automatically adjusts capacity for steady, predictable performance with no manual intervention. Creates scaling plans for EC2 Instances, ECS tasks, DynamoDB, and Aurora Read Replicas.

Launch Configuration vs. Launch Template

• AWS recommends Launch Templates for the latest EC2 features (e.g., Dedicated Hosts)
• Use Launch Templates to mix on-demand and spot instances

Lifecycle Hooks

Pause EC2 instances in a wait state during scale-out or scale-in until a custom action completes. Wait state remains active until the timeout period ends.

Monitoring

• Health Check — removes unhealthy instances from target group
• CloudWatch Events — submit events for launch or terminate actions
• CloudWatch Metrics — shows application performance statistics
• Notification Service — sends email alerts on scale events

What is CloudFormation?

CloudFormation collects AWS and third-party resources and manages their lifecycle as a stack. Templates allow reusable, repeatable infrastructure deployment without managing resources individually.

Core Concepts

• Templates — JSON or YAML files defining AWS resources
• Stack — single unit of resources managed together
• Change Sets — preview how changes to a resource impact running resources
• StackSets — provision/update/delete stacks across multiple accounts and regions
• Nested Stacks — stacks created within another stack; parent stack references child via !Ref

Update Methods

• Direct Update — quickly deploy updates immediately
• Change Sets — JSON preview of changes before applying

Example Template (EC2)

EC2Instance:
  Type: AWS::EC2::Instance
  Properties:
    ImageId: 1234xyz
    KeyName: aws-keypair
    InstanceType: t2.micro
    SecurityGroups:
      - !Ref EC2SecurityGroup
    BlockDeviceMappings:
      - DeviceName: /dev/sda1
        Ebs:
          VolumeSize: 50

What is CloudTrail?

CloudTrail is a global service for operational and risk auditing of AWS accounts. Records actions taken by users, roles, or services via the Console, CLI, SDKs, and APIs.

Event Types

• Management Events — control plane operations (e.g., EC2 CreateSubnet)
• Data Events — S3 GetObject, DeleteObject, PutObject; Lambda function invocations
• CloudTrail Insights Events — unusual API activity (e.g., S3 deleteBucket)

Key Features

• View 90 days of events in CloudTrail console; download as CSV or JSON
• Aggregate trail logs from multiple accounts to a single S3 bucket
• CloudTrail Insights identifies unusual API call patterns
• Integrates with S3 (log storage), SNS (notifications), CloudWatch (monitoring), IAM (security)

What is CloudWatch?

CloudWatch monitors and manages AWS services by providing data and actionable insights. Collects monitoring data in the form of logs, metrics, and events from AWS resources, applications, and on-premises servers.

Key Capabilities

• Custom dashboards to display additional metrics
• CloudWatch Alarms — monitor metrics and send notifications or trigger actions at threshold breaches
• Cross-account visibility across dashboards and alarms (useful with AWS Organizations)
• Container Insights — metrics and logs from ECS, EKS, Kubernetes
• Lambda Insights — system-level metrics for serverless Lambda functions

CloudWatch Agent

• Installed on EC2 instances for system-level metrics and custom metrics
• Supports StatsD (Linux and Windows) and collectd (Linux only) protocols
• Default namespace: CWAgent (configurable)

Integrations

Amazon SNS (notifications), EC2 Auto Scaling, AWS CloudTrail, AWS IAM

What is AWS Config?

Continuously monitors and evaluates configurations of AWS resources. Creates a snapshot of configurations and generates notifications whenever a resource is created, modified, or deleted.

Config Rules

• Managed Rules — predefined by AWS
• Custom Rules — Lambda-backed custom compliance checks
• Up to 150 AWS Config rules per region

Aggregation

Config aggregates configuration and compliance data from multiple accounts and regions, single account and multiple regions, or an entire AWS Organization.

What is AWS Organizations?

A global service to consolidate and manage multiple AWS accounts. The main account is the management account (cannot be changed). Other accounts are member accounts belonging to a single organization.

Key Features

• Security boundaries with multiple member accounts
• Organizes accounts into Organizational Units (OUs)
• Service Control Policies (SCPs) — governance boundaries for OUs ensuring security compliance
• Cost allocation tags for tracking AWS costs
• Consolidated billing — combines usage for volume discounts

Integrations

CloudTrail (audit), AWS Backup, AWS Control Tower, Amazon GuardDuty, AWS Resource Access Manager (RAM)

Migrating a Member Account

1. Remove member account from old Organization
2. Send invitation from new Organization
3. Accept invitation from the member account

What is Systems Manager?

Helps users manage EC2 and on-premises systems at scale. Detects insights about infrastructure state, detects problems, and enables patch automation for compliance. Supports both Windows and Linux.

Key Capabilities

• Integrated with CloudWatch metrics/dashboards and AWS Config
• Discover and audit installed software
• Group 100+ resource types into applications, business units, environments
• View OS patch levels, installed software, and compliance state
• Distribute multiple software versions safely across instances
• Patch instances on schedule for compliance
• Reduce errors by applying configurable parameters via Parameter Store

How It Works

Install the SSM Agent on the system. Ensure EC2 instances have a proper IAM role allowing SSM actions. If SSM cannot control an instance, check the SSM Agent and IAM role.

What is CodeBuild?

Fully managed continuous integration service — builds and tests code, produces artifacts. Developers don't need to manage build servers or wait in build queues. Runs continuously, avoiding wait time for concurrent jobs.

Key Features

• Easy setup — use your own environment or a preconfigured one
• Works with Jenkins, Git, and other existing tools
• Auto-scales for concurrent builds
• Automated builds — code changes trigger automatic builds and tests
• Pay only for build time used (idle time not billed)

What is CodeCommit?

A version control service hosted by AWS — privately store and manage assets (documents, source code, binaries). AWS manages scaling and version control infrastructure entirely.

Features

• Encrypted code (high security)
• Collaborative work via IAM users with different security groups
• Easy scalability and third-party tool integration

Pricing

What is CodeDeploy?

Automates application deployments to EC2 instances, on-premises instances, Lambda functions, or ECS services. Deploys: Code, Serverless Functions, Web & Config files, Executables, Scripts, Multimedia.

How It Works

1. Finalize the application revision to deploy
2. Set the deployment configuration (AppSpec YAML file with source/destination)
3. Deploy the revision to the deployment group (cloud location)

Features

• Rapid release of new features
• Maximizes application availability during deployment (avoids downtime)
• Easy launch and tracking of deployment status

What is DMS?

Cloud service to migrate relational databases from on-premises, EC2, or RDS to AWS securely — with minimal downtime (application keeps running during migration). Supports both homogeneous and heterogeneous migrations.

Supported Sources & Targets

• Sources: Oracle, MS SQL Server, PostgreSQL, Db2 LUW, SAP, MySQL, MariaDB, MongoDB, Amazon Aurora
• Targets: Oracle, MS SQL, PostgreSQL, SAP ASE, MySQL, Amazon Redshift, Amazon S3, Amazon DynamoDB

Heterogeneous Migration

Use AWS Schema Conversion Tool (AWS SCT) alongside DMS to convert the schema before migrating the data.

What is API Gateway?

Creates, publishes, maintains, monitors, and secures APIs at any scale. Forms the app-facing part of the AWS serverless infrastructure with Lambda. Combines with EC2, Lambda, or any web application back-end.

API Types

• RESTful APIs — HTTP-based, stateless, standard HTTP methods (GET, POST, PUT, PATCH, DELETE)
• WebSocket APIs — stateful, full-duplex communication; routes messages based on content

Endpoint Types

• Edge-Optimized — reduced latency globally via CloudFront
• Regional — reduced latency for same-region requests; configurable CDN + WAF
• Private — REST APIs securely exposed only within VPC

Security Options

Resource-based policies, IAM Permissions, Lambda Authorizer (Custom Authorizers), Cognito User Pools

Integrations

CloudTrail (logging), CloudWatch Metrics (monitoring), AWS WAF (protection), AWS X-Ray (performance tracing)

What is CloudFront?

CloudFront is a Content Delivery Network (CDN) that securely delivers data worldwide with low latency and high transfer speeds. Uses edge locations (small data centers) to cache data close to users.

Access Controls

• Signed URLs — restrict access to individual files
• Signed Cookies — access to multiple restricted files; don't change current URLs
• Geo Restriction — restrict by geographic location
• Origin Access Identity (OAI) — special CloudFront user to secure S3 content; prevents direct S3 URL access

Security

• Field-level encryption with HTTPS
• AWS Shield Standard — DDoS protection
• Shield Standard + WAF + Route53 — for more complex attacks

What is Transit Gateway?

A network hub to interconnect multiple VPCs and attach all hybrid connectivity. Solves the complexity of maintaining multiple VPC peering connections. Very useful for large enterprises.

Key Capabilities

• More than one per region but cannot be peered within a single region
• Connected with AWS Direct Connect gateway from a different AWS account
• Supports multi-user gateway connections for redundancy
• Transit Gateway VPN Attachment — IPsec VPN between remote network and Transit Gateway
• Transit Gateway Network Manager — manage and monitor networking resources and remote branch connections
• Supports Amazon VPCs with IPv6 CIDRs

What is Direct Connect?

Establishes a dedicated network connection from on-premises to AWS VPCs in the same region. Bypasses Internet service providers, removing internet-sourced network traffic for business-critical data.

Virtual Interfaces (VIFs)

• Private VIF — connect to an Amazon VPC using private IP addresses
• Public VIF — connect to AWS services in any AWS region using public IP addresses

VPC Connection Methods

AWS Managed VPN, AWS Direct Connect, Direct Connect + VPN, AWS VPN CloudHub, Transit VPC, VPC Peering, AWS PrivateLink, VPC Endpoints

Direct Connect Gateway

Globally available service to connect multiple VPCs across regions or accounts. Integrates with Transit Gateway (hub for multiple VPCs to on-premises) or Virtual Private Gateway (VPC edge routing).

What is ELB?

Distributes incoming traffic to multiple targets (Instances, Containers, Lambda Functions, IP Addresses). Spans single or multiple AZs. Provides high availability, scaling, and security.

Types of Load Balancers

Key Concepts

• Listener — checks for connection requests using specified protocol and port
• Target Group — destination for ELB; types: Instance, IP, Lambda Functions
• Health Check — continuously checks target health; unhealthy targets receive no traffic

Use Cases

• Web application distributed across multiple EC2 instances
• Hybrid cloud — load balance across AWS and on-premises using same target group
• AWS migration — ELB supports both traditional and cloud-native app load balancing

What is Route 53?

Route 53 is a managed DNS (Domain Name System) service — a collection of rules and records helping clients reach servers by domain name.

Hosted Zones

• Public Hosted Zone — determines how traffic is routed on the internet
• Private Hosted Zone — determines how traffic is routed within a VPC

CNAME vs. Alias

Routing Policies

• Simple — single resource; no health checks
• Weighted — weighted resources; supports health checks
• Failover — primary/secondary; routes to secondary if primary is down
• Geo-location — routes to closest geographic location
• Geo-proximity — routes based on resource location within geographic area
• Latency-based — routes to destination with lowest latency
• Multi-value answer — distributes across multiple IP addresses; up to 8 IPs to reduce downtime

What is VPC?

Amazon VPC allows users to create a virtual dedicated network for resources. Provides complete control over the virtual networking environment.

Security Groups vs. Network ACLs

VPC Components

• Subnets — Public (internet access via IGW) or Private (no direct internet)
• Route Tables — one subnet → one route table; one route table → multiple subnets
• NAT Instance — EC2 in public subnet; allows private subnet to reach internet (IPv4)
• NAT Gateway — AWS-managed; uses elastic IP; charged per hour + data processing; not for IPv6
• DHCP Options Set — auto-created with VPC; contains domain name, DNS server info
• PrivateLink — access services privately without internet using private IPs
• VPC Endpoints — Interface (ENI with private IP), Gateway Load Balancer, or Gateway (Route Table target)
• Egress-Only IGW — outbound-only for IPv6 traffic
• VPC Peering — connect two VPCs; same region, different region, or different account

VPN

• Site-to-Site VPN — encrypted tunnels between your network and AWS VPCs or Transit Gateways
• Client VPN — connects users to AWS or on-premises resources using a VPN client

What is EventBridge?

A serverless event bus service for SaaS and AWS services. Integrates 90+ AWS source services with 17+ target services with real-time event routing. Formerly called Amazon CloudWatch Events.

Key Concepts

• Event Buses — receive events; one default event bus per account (AWS services); create custom buses
• Events — JSON objects indicating environment changes; create rules to auto-act on changes
• Schema Registry — container for schemas; schemas available for all AWS services; auto-infer from events
• Rules — match incoming events and route to targets; one rule → multiple targets processed in parallel
• Targets — process events in JSON format; must be in same region as rule

What is SNS?

SNS is a web service for sending notifications from the cloud. Delivers notifications via mobile push, SMS, email, SQS, or HTTP. Allows grouping multiple recipients using topics.

Topic Types

Features

• Instantaneous, push-based delivery
• Simple API; easy integration with AWS services
• Flexible delivery over multiple protocols
• Pay-as-you-go; fully managed with auto-scalability

What is SQS?

Serverless service to decouple components and applications. Scales to 1–10,000 messages per second. Default retention: 4 days (max: 14 days). Messages auto-deleted after consumption. Fixed size: 256 KB.

Queue Types

Special Queue Features

• Delay Queue — postpone message delivery by 0–15 minutes
• Dead-Letter Queue (DLQ) — captures messages that could not be consumed successfully
• Visibility Timeout — prevents other consumers from receiving a message while it's being processed; default 30s, max 12 hours

What are Step Functions?

Step Functions offload application orchestration to a fully managed AWS service. Developers modularize code into "Steps" — AWS handles partial failures, retries, and error handling.

Workflow Types

Key Features

• Fixed or dynamic sequence workflows
• Inbuilt Retry and error handling
• Native Lambda, SNS, ECS, Fargate, DynamoDB, SQS, SageMaker, EMR integrations
• GUI for workflow audit, input/output visualization, and failure detection
• 25,000 execution history entry limit (use Lambda pattern for long-running executions)

What is Cost Explorer?

A UI tool to analyze costs and usage with graphs, cost reports, and RI reports. Accessed from the Billing and Cost Management console. Provides up to 12 months of historical data and 12-month forecasts.

Default Reports

• Cost and Usage Reports — AWS Marketplace, daily costs, monthly by linked account, monthly by service, monthly EC2 running hours
• RI Utilization Reports — how much saved or overspent using Reserved Instances
• RI Coverage Reports — how many hours covered by Reserved Instances

Key Capabilities

• Custom time period at monthly or daily interval
• Savings Plans — up to 72% savings on AWS compute usage
• Programmatic access via Cost Explorer API
• Export to CSV, bookmark, or save as report

What is AWS Budgets?

Enables setting custom budgets to track cost and usage. Alerts via email or SNS when metrics reach thresholds. Filter budgets by Service, Linked Account, Tags, AZ, API Operation, and Purchase Option.

Budget Types

• Cost budgets
• Usage budgets
• RI utilization budgets
• RI coverage budgets
• Savings Plans utilization budgets
• Savings Plans coverage budgets

Best Practices

• Set up to 5 alerts per budget
• Key alerts: when costs exceed budgeted amount, exceed 80% of budget, and when forecasted costs exceed budget
• Create separate IAM users/roles per user when using Budgets API
• Budget actions are not effective for Auto Scaling groups