AWS Certified Solutions Architect - Associate - SAA-C02

Resources

AWS Accounts

Basics of AWS Accounts

  • An AWS account is a container for AWS identities and resources
  • root account - superuser of the specified account
    • production account root cannot access developer account root
  • Full access to everything on the specific AWS account
  • IAM - used to create different identities, groups, and roles inside the account
    • they start with no access to the AWS account
  • Use separate accounts for separate things (dev, prod, test) or for different teams or products

Creating AWS Accounts

  • General account = management account
  • Best practice is to create IAM identities
  • ![[Pasted image 20210627125331.png]]
  • Can use the gmail + trick to create email addresses for multiple accounts
    • ![[Pasted image 20210627125429.png]]

MFA

  • Factors
    • Knowledge - something you know - password
    • Possession - something you have - MFA token/app
    • Inherent - something that you are - biometrics
    • Location - physical or network location

IAM

  • AWS account and root user can be thought of as the same thing
  • In most real world use cases you will grant users access to the AWS account with IAM roles
  • IAM is a globally resilient service, data will be available across all regions at all times
  • What does IAM let you create?
    • Users
      • identities that represent humans or applications that need access to the account
    • Groups
      • collections of related users e.g. dev team, finance, HR
    • Roles
      • can be used by AWS services or to grant external access to your account
      • if you want all EC2 instances to access S3, you can create a role that grants access to S3 and allow EC2 instances to use that role
      • can be used to grant external users access to an S3 bucket
    • IAM Policy Document
      • objects that can be used to allow or deny access to AWS services when they're attached to users, groups, or roles
  • IAM has 3 main jobs
    • identity provider - manages identities: create, modify
    • authenticates identities
      • anything that attempts to connect to something is known as a security principal
    • authorizes access to resources
  • IAM is included in AWS at no cost
  • Global service, globally resilient
  • Only controls what IAM users do
  • No direct control over external accounts or users
  • Allows for the use of identity federation and MFA
  • after the AWS account is set up, best practice is to create an IAM user and not use the root account

IAM Access Keys

  • Long term credentials in AWS
  • Used with IAM users
  • Used to auth programmatically
  • Uses access key ID and secret access key to auth
  • If secret access key needs to be reset, you have to reset access key id as well
  • IAM users are the only identities that use access keys, IAM roles do not

Cloud Computing Fundamentals

What is Cloud Computing?

  • ![[Pasted image 20210630183105.png]]
  • NIST definition
    • On demand self service - can provision capabilities as needed without requiring human interaction
    • Broad network access - capabilities are available over the network and accessed through standard mechanisms
    • Resource pooling - location independence, no control or knowledge over the exact location of resources - resources are pooled to serve multiple customers using a multi-tenant model
    • Rapid elasticity - capabilities can be elastically provisioned and released to scale rapidly outward and inward with demand - to the consumer, the capabilities available for provisioning often appear to be unlimited
    • Measured service - resource usage can be monitored, controlled, reported, and billed
  • Exam Tip
    • Think about how each AWS service you encounter fits into these definitions

What is Multi and Hybrid Cloud; Private vs. Public Cloud

  • Public cloud - Cloud environment available to the public
    • AWS, Azure, Google
  • Multi-cloud - utilizing multiple cloud environments for high availability
  • Private Cloud - Cloud services hosted on prem
    • AWS - AWS Outposts
    • Azure - Azure Stack
    • Google - Anthos
  • Hybrid Cloud - On prem cloud solution used with hosted solution
    • AWS Outpost + AWS
    • Has to be using the on prem version of the cloud, not VMWare + Azure
  • Summary
    • Public cloud - using 1 public cloud
    • Private cloud - using on prem cloud solution
    • Multi-cloud - using more than one public cloud solution
    • Hybrid cloud - public and private clouds
    • Hybrid cloud is NOT public cloud + legacy on prem

Cloud Service Models

  • X as a Service
  • Terms and Concepts
    • Infrastructure stack ![[Pasted image 20210701142825.png]]
    • Some parts you manage, some parts others manage
    • Unit of consumption
      • what you pay for on a cloud service
  • Infrastructure as a Service - IaaS
    • ![[Pasted image 20210701145215.png]]
    • Vendor handles everything up to the OS
    • EC2 is Amazon's IaaS
  • Platform as a Service - PaaS
    • ![[Pasted image 20210701145326.png]]
    • provider manages everything up to the runtime environment, e.g. if you need a Python environment to run an app, you get everything up to and including that runtime
  • Software as a Service - SaaS
    • ![[Pasted image 20210701145502.png]]
    • Someone else hosts an application that you use
    • gmail, netflix, etc

Tech Fundamentals

YAML101

  • human readable serialization language
  • Amazon CloudFormation uses YAML for config
  • unordered collection of key:value pairs
  • supports numbers, floating point, bools, and null
  • YAML also supports lists
    • ordered set of values
    • adrianscats: ["roffle", "truffles", "penny", "winkie"]
      adrianscats:
        - "roffle"
        - "truffles"
        - 'penny'
        - winkie

  • indentation is how YAML is structured
  • dictionaries can be used to have multiple key value pairs for one item
    Resources:
      s3bucket:
        Type: "AWS::S3::Bucket"
        Properties:
          BucketName: "ac1337catpics"
    

JSON101 - JavaScript Object Notation

  • JSON is used for CloudFormation as well as other things such as policy documents
  • object - unordered set of key:value pairs enclosed by {}
    • {"roffle": "cat", "sparky": "dog"}
  • array - ordered collection of values separated by commas and enclosed with []
    • ["cat", "cat", "chicken", "cat"]
  • values can be string, object, number, array, bool, null
  • sample JSON document
    {
        "cats": ["roffle", "truffles", "penny", "winkie"],
        "colors": ["mixed", "mixed", "grey", "white"],
        "numofeyes": ["2", "2", "2", "1"]
    }
    
  • JSON document is just a JSON object
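As an added illustration of the JSON policy documents mentioned here and under IAM (example code, not from the notes or the course), a small Python evaluator that applies the basic IAM decision logic to a constructed policy: an explicit Deny beats an Allow, and anything no statement matches is implicitly denied. Condition, NotAction and principal elements are not modelled.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample policy (not from the notes): read access to one bucket,
# plus an explicit deny on every s3:Delete* action regardless of resource.
POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::ac1337catpics", "arn:aws:s3:::ac1337catpics/*"]},
    {"Effect": "Deny", "Action": "s3:Delete*", "Resource": "*"}
  ]
}
"""

def _as_list(value):
    # Statement, Action and Resource may each be a single item or a list.
    return [value] if isinstance(value, (str, dict)) else list(value)

def _matches(patterns, value):
    # IAM wildcards (* and ?) behave like shell globs; ARNs contain no [ ] so
    # fnmatchcase's bracket syntax cannot interfere.
    return any(fnmatchcase(value, p) for p in _as_list(patterns))

def evaluate(policy, action, resource):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"          # default until some statement matches
    for stmt in _as_list(policy["Statement"]):
        if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"              # explicit deny wins no matter the statement order
        decision = "Allow"             # keep scanning: a later Deny still overrides
    return decision

policy = json.loads(POLICY_JSON)

if __name__ == "__main__":
    for act, res in [("s3:GetObject", "arn:aws:s3:::ac1337catpics/roffle.jpg"),
                     ("s3:DeleteObject", "arn:aws:s3:::ac1337catpics/roffle.jpg"),
                     ("s3:PutObject", "arn:aws:s3:::ac1337catpics/penny.jpg")]:
        print(f"{act:16} -> {evaluate(policy, act, res)}")
```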

AWS Fundamentals

AWS Public vs. Private Services

  • These terms relate to networking only
  • A public service is something that can be connected to from anywhere with an internet connection
  • Just because you can connect to a public service, doesn't mean you have the permissions to access it
  • AWS private zone has no direct connectivity to internet or AWS public zone
  • By default, no connections are allowed between private and public zone
  • You can divide the private zone up into individual private networks with VPC
  • You can configure rules so that services can connect outward, but cannot be reached from the internet
  • If you don't make a private service public by default the only things that can connect are things that are inside the same private network, or things with specific rules to connect to the private network
  • Essentially 3 networking zones - Public internet, AWS Public, AWS Private
  • ![[Pasted image 20210702102807.png]]

AWS Global Infrastructure

  • Regions, Edge Locations, Availability Zones
  • Regions - full deployment of AWS infrastructure
  • Edge Locations - primarily CDN to keep resources close to customers
  • A company might run infrastructure from multiple Regions, and content hosted at multiple Edge Locations spread about the Regions
  • Some services are region based, while some are global
  • Regions have 3 main benefits
    • Each region is separate geographically - Isolated fault domain
    • Geopolitical Separation - Different governance
    • Location control - maintain infrastructure close to your end users
  • Referred to by the region code, or region name
    • us-east-1
    • US East (N. Virginia)
  • Inside every region there are multiple Availability Zones (AZs)
  • AZs are made up of isolated infrastructure inside a region
  • You can distribute infrastructure across multiple AZs
  • How to define AWS resilience
    • Globally resilient - data replicated across multiple regions across AWS - IAM, Route53
    • Region resilient - operate in a single region with one set of data in a region - data replicated across multiple AZs in a region
    • AZ resilient - run from a single AZ - if the AZ fails, the services fail

AWS Default Virtual Private Cloud (VPC)

  • Creates private networks inside of AWS that other private services connect to
  • Used to connect on prem to AWS
  • Used to connect to other cloud providers
  • VPC - Virtual network inside of AWS
  • A VPC is within 1 account and 1 region
    • Regionally resilient
  • Private and isolated unless decided otherwise
    • VPC is isolated from other VPCs and networks
  • Custom VPCs - require you to configure everything, 100% private by default
  • Default VPC
    • ![[Pasted image 20210702111823.png]]
    • Default VPC is created by AWS, 1 per region by default
    • VPC cannot communicate outside unless allowed
    • VPC CIDR - IP address range that's inside the VPC
    • Default VPC always has the CIDR of 172.31.0.0/16
    • VPC is deployed into a region and subnets are spread across AZs
    • Facts
      • One per region - can be removed and recreated
      • Default VPC CIDR is always 172.31.0.0/16
      • a /20 subnet is created in each AZ
      • Come configured with Internet Gateway (IGW), Security Group (SG), and NACL (Network Access Control List)
      • Subnets auto-assign public IPv4 addresses to instances launched in them
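To make the default VPC facts concrete, an added Python example (not from the notes or the course) that carves the fixed 172.31.0.0/16 into the /20 blocks AWS allocates one per AZ, and locates which block a private IP falls in. It assumes one fact not stated in the notes: AWS reserves five addresses in every subnet (the first four and the last), so the usable count is smaller than the block size.

```python
import ipaddress

DEFAULT_VPC_CIDR = ipaddress.ip_network("172.31.0.0/16")  # every default VPC uses this range
SUBNET_PREFIX = 20                                         # one /20 per AZ in the default VPC
AWS_RESERVED_PER_SUBNET = 5  # assumption from AWS docs: first 4 + last address are reserved

def default_subnets(vpc=DEFAULT_VPC_CIDR, prefix=SUBNET_PREFIX):
    """All /20 blocks the default VPC's /16 can hold, in address order.
    A region with N AZs uses N of these; the rest stay unallocated."""
    return list(vpc.subnets(new_prefix=prefix))

def usable_hosts(subnet):
    """Instance IPs actually assignable in one subnet after AWS's reserved addresses."""
    return subnet.num_addresses - AWS_RESERVED_PER_SUBNET

def subnet_for(ip, vpc=DEFAULT_VPC_CIDR, prefix=SUBNET_PREFIX):
    """The default-VPC subnet a private IP lands in, or None if it is outside the VPC."""
    addr = ipaddress.ip_address(ip)
    if addr not in vpc:
        return None
    return next(s for s in default_subnets(vpc, prefix) if addr in s)

if __name__ == "__main__":
    subnets = default_subnets()
    print(f"{len(subnets)} x /{SUBNET_PREFIX} blocks, {usable_hosts(subnets[0])} usable IPs each")
    for s in subnets[:3]:  # e.g. a three-AZ region takes three of the blocks
        print(f"  {s}  addresses {s[0]} - {s[-1]}")
    print("172.31.21.7 is in", subnet_for("172.31.21.7"))
```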

Elastic Compute Cloud - EC2

  • EC2 is IaaS
  • Unit of consumption is the instance (OS)
  • Private AWS service by default - runs in the private AWS zone
  • Uses VPC networking
  • AZ resilient - Instance fails if AZ fails
  • Different instance sizes and capabilities
  • Manage the OS and upwards on the stack
  • On-demand billing, by the second or by the hour
    • charge to run the instance
    • charge for the storage
    • any software charges
  • Local on-host storage, or Elastic Block Store (EBS)
  • Instances can be in different states
    • Running
    • Stopped
    • Terminated - non reversible
    • ![[Pasted image 20210702113048.png]]
  • Amazon Machine Image (AMI)
    • Image of a machine in amazon
    • Can be used to create an EC2 instance, or created from an EC2 instance
      • AMI contains:
        • Permissions
          • Public - everyone allowed
          • Owner - Implicit allow
          • Explicit - specific AWS accounts allowed
        • Boot volume
          • /root
          • C:\
        • Block device mapping
          • links volumes and tells OS what is boot, storage, etc
  • Connecting to EC2
    • Windows - RDP 3389
    • Linux - SSH 22

Simple Storage Service - S3

  • Global storage platform - regional based/resilient