AWS Cloud Practitioner cheat sheet

I have focused more on S3, IAM, EC2, and analytics because they’re super important on AWS. For everything else, I have kept it short and simple.

IAM (Identity and Access Management)

Overview:

IAM stands for Identity and Access Management. It is a web service that helps securely control access to AWS resources. IAM allows you to manage users, groups, roles, and permissions, ensuring that only authorized and authenticated users can access your AWS environment.

Key Concepts:

• Users: An IAM user is an identity with permission policies that determine what the identity can and cannot do in AWS. A user can represent a person or service.
• Groups: A way to specify permissions for a collection of users, which can make managing permissions easier. Users can be in multiple groups.
• Roles: IAM roles allow you to delegate access with defined permissions to trusted entities without having to share your AWS security credentials. Roles can be assumed by users, AWS services, or external users authenticated by external identity providers.
• Policies: Documents that define permissions and can be attached to IAM identities or resources. Policies determine what actions are allowed or denied.
• Root Account: The account created when you first sign up for AWS. It has complete access to all AWS services and resources in the account. Use of the root account should be minimized.

Best Practices:

• Least Privilege Principle: Grant only the permissions required to perform a task. Start with a minimum set of permissions and grant additional permissions as necessary.
• Use Groups for Users: Assign users to groups and apply policies to groups rather than directly to users.
• Enable MFA: For an added layer of security, enable Multi-Factor Authentication (MFA) on your root account and IAM users.
• Audit with IAM Credentials Report: Use the IAM credentials report to audit the status of all your IAM users and their access keys.
• Rotate Credentials Regularly: Regularly rotate IAM access keys and passwords, and remove unnecessary credentials.

Security Tools:

• IAM Access Analyzer: Helps identify the resources in your organization and accounts that are shared with an external entity. It analyzes policies to provide findings for unintended access.
• IAM Access Advisor: Shows the service permissions granted to a user and when those services were last accessed. You can use this information to revise your policies.

Access Management:

• Access Keys: Used for programmatic access (CLI, SDK) to AWS services.
• Inline vs. Managed Policies: Inline policies are directly attached to a single IAM user, group, or role. Managed policies are standalone policies that can be attached to multiple IAM users, groups, and roles

EC2 (Elastic Compute Cloud)

Overview:

Amazon EC2 (Elastic Compute Cloud) provides scalable computing capacity in the Amazon Web Services (AWS) cloud. It allows users to run virtual servers, configure security and networking, and manage storage. EC2 enables scalable deployment of applications by providing a web service through which users can boot an Amazon Machine Image (AMI) to configure a virtual machine, known as an instance.

Key Concepts:

• Instance: A virtual server for running applications. The EC2 service offers various instance types optimized for different use cases.
• Amazon Machine Images (AMI): Pre-configured templates to launch new instances, containing the operating system and additional software.
• Instance Types: Various configurations of CPU, memory, storage, and networking capacity for your instances. Example categories include General Purpose, Compute Optimized, Memory Optimized, and Storage Optimized.
• EBS (Elastic Block Store): Offers persistent storage volumes for use with EC2 instances. EBS volumes are network-attached and remain independent of the life of an instance.
• Security Groups: Act as virtual firewalls that control the traffic allowed to and from instances.
• Key Pairs: Used for secure SSH access to your instances. AWS stores the public key, and the user keeps the private key.

Best Practices:

• Choose the Right Instance Type: Select based on the application requirements (CPU, memory, storage).
• Utilize Elastic IP Addresses: For a static IPv4 address associated with your AWS account, use Elastic IP addresses.
• Monitor Instances with CloudWatch: Monitor the performance and health of your EC2 instances.
• Implement Elastic Load Balancing (ELB): Distribute incoming traffic across multiple targets, such as EC2 instances, to increase the scalability and reliability of your application.
• Auto Scaling: Ensure you have the correct number of Amazon EC2 instances available to handle the load for your application.

Features:

• Elasticity: Quickly scale capacity, both up and down, as your computing requirements change.
• Control: You have complete control of your instances; you have root access and the ability to interact with them as any machine.
• Flexible Cloud Hosting Services: Choose among multiple instance types, operating systems, and software packages. AWS allows you to select the configuration of memory, CPU, instance storage, and the boot partition size that is optimal for your choice of operating system and application.

EC2 Purchasing Options:

• On-Demand Instances: Pay for the compute capacity by per hour or per second depending on the instances you run.
• Reserved Instances: Provides you with a significant discount (up to 75%) compared to On-Demand instance pricing.
• Spot Instances: Enables you to bid for unused EC2 capacity at a significant discount.
• Dedicated Hosts: Physical servers with EC2 instance capacity fully dedicated to your use.
• Savings Plans: Offer a lower price compared to On-Demand pricing in exchange for a committed usage for a 1 or 3 year period.

S3 (Simple Storage Service)

Overview:

Amazon S3 (Simple Storage Service) is an object storage service offering industry-leading scalability, data availability, security, and performance. It allows you to store and protect any amount of data for a range of use cases, such as websites, mobile applications, backup and restore, archive, enterprise applications, IoT devices, and big data analytics.

Key Concepts:

• Buckets: Containers for storing objects. Each bucket is unique globally and defined at the region level.
• Objects: Fundamental entities stored in S3 which consist of data and metadata. An object is uniquely identified within a bucket by a key (name) and a version ID.
• Keys: The unique identifier for an object within a bucket.
• Region: The geographical area where your bucket is created. Always choose a region closest to your customers to minimize latency and costs.

Features:

• Durability and Availability: S3 provides 99.999999999% (11 9’s) durability and 99.99% availability over a given year.
• Security: Offers robust security features like bucket policies and Access Control Lists (ACLs) to manage access to data. Supports encryption in transit (SSL/TLS) and at rest (server-side encryption with Amazon S3-managed, KMS keys, or customer-provided keys).
• Scalability: You can store an unlimited amount of data with pay-as-you-go pricing.
• Performance: Optimized for fast and flexible access to data with the ability to scale your applications.
• Data Management: Provides features for organizing data and configuring finely-tuned access controls. Lifecycle policies for automatic migration of objects to cheaper storage classes or scheduled deletion.

Storage Classes:

• S3 Standard: For frequently accessed data with high durability, availability, and performance.
• S3 Intelligent-Tiering: Optimizes costs by automatically moving data to the most cost-effective access tier without performance impact.
• S3 Standard-IA (Infrequent Access): For data that is accessed less frequently but requires rapid access when needed.
• S3 One Zone-IA: For data that is accessed less frequently but does not require the multiple Availability Zone data resilience.
• S3 Glacier & S3 Glacier Deep Archive: For archiving data with various retrieval times ranging from minutes to hours.

Best Practices:

• Bucket Naming: Use DNS-compliant names that are unique globally.
• Data Security: Enable bucket versioning to protect against unintended deletes or overwrites. Use MFA Delete capability for additional security. Always encrypt your data.
• Cost Optimization: Utilize S3 Lifecycle policies to automate moving objects between storage classes.
• Performance Optimization: Use CloudFront for distributing content globally to improve read performance. Implement S3 Transfer Acceleration for faster file transfers over long distances between your client and an S3 bucket.
• Monitoring and Logging: Enable access logging to track requests for access to your bucket. Monitor storage and request metrics using Amazon CloudWatch.

Databases and Analytics Services

Databases:

Amazon RDS (Relational Database Service)

• Managed relational database service for MySQL, PostgreSQL, Oracle, SQL Server, and MariaDB.
• Automated backups, patching, and scaling.
• Multi-AZ deployments for high availability.

Amazon DynamoDB

• Fully managed NoSQL database service.
• Single-digit millisecond performance at any scale.
• Built-in security, backup and restore, and in-memory caching.

Amazon Redshift

• Fully managed, petabyte-scale data warehouse service.
• Columnar storage and massively parallel processing (MPP) to deliver fast query performance.
• Seamless integration with data lakes and BI tools.

Amazon ElastiCache

• In-memory caching service to improve the performance of web applications.
• Supports Redis and Memcached.
• High throughput and low latency.

Amazon Neptune

• Fully managed graph database service.
• Supports property graph and RDF models.
• Highly available across multiple Availability Zones.

Amazon Aurora

• MySQL and PostgreSQL-compatible relational database with up to 5X performance improvement.
• Scales automatically and supports up to 15 read replicas.
• Automated backups and snapshots.

Analytics:

Amazon Athena

• Interactive query service to analyze data in Amazon S3 using standard SQL.
• Serverless, no infrastructure to manage.
• Pay per query / per TB of data scanned.

Amazon EMR (Elastic MapReduce)

• Managed Hadoop framework to process vast amounts of data across resizable clusters of Amazon EC2 instances.
• Supports Apache Spark, HBase, Presto, and Flink.
• Integration with Amazon S3 and DynamoDB.

Amazon Kinesis

• Platform for streaming data on AWS.
• Capture, process, and analyze real-time, streaming data.
• Supports Kinesis Data Streams, Data Firehose, Data Analytics, and Video Streams.

Amazon QuickSight

• Fast, cloud-powered business intelligence service for data visualization.
• Serverless and embeddable.
• Supports ML Insights for advanced analytics.

AWS Glue

• Fully managed extract, transform, and load (ETL) service.
• Prepares and transforms data for analytics.
• Integrates with Amazon S3, RDS, DynamoDB, and Redshift.

Deployment Services

• AWS CloudFormation: Infrastructure automation with templates.
• AWS Elastic Beanstalk: Easy application deployment and management.
• AWS CodeDeploy: Automated software deployment.
• AWS Systems Manager: Infrastructure management and automation.
• AWS OpsWorks: Chef and Puppet automation.

Developer Services

• AWS CodeCommit: Managed source control service.
• AWS CodeBuild: Compiles source code, and runs tests.
• AWS CodePipeline: Continuous integration and delivery.
• AWS CodeArtifact: Artifact management.
• AWS CodeStar: Unified UI for development activities.
• AWS Cloud9: Cloud-based IDE.
• Docker on AWS: Container development and deployment.
• Amazon ECS: Container management service.
• AWS Fargate: Serverless container engine.
• Amazon EKS: Kubernetes service.
• AWS Batch: Managed batch processing.
• Amazon Lightsail: Simple web application deployment.

Global Infrastructure

• Amazon VPC: Isolated cloud resources.
• Amazon CloudFront: Content delivery network.
• Amazon Route 53: DNS and domain name registration.
• AWS Direct Connect: Dedicated network connection.
• AWS Global Accelerator: Performance optimization.
• AWS Wavelength: Minimizes latency for mobile applications.
• AWS Local Zones: Low-latency zones.

Integration Services

• Amazon SQS: Message queuing service.
• Amazon SNS: Pub/sub, notifications.
• Amazon Kinesis: Real-time data streaming.
• Amazon MQ: Managed message broker.

Cloud Monitoring

• Amazon CloudWatch: Monitoring and observability.
• AWS X-Ray: Application analysis and debugging.
• AWS CloudTrail: User activity and API usage tracking.
• Amazon Inspector: Security assessment.

VPC Services

• Subnets: Network segmentation.
• Internet Gateway: VPC internet access.
• NAT Gateway: Private subnet internet access.
• Security Groups: Instance-level security.
• VPC Peering: VPC interconnection.
• Endpoint: Service connectivity without internet.
• Private Link: Private AWS service access.
• VPC Flow Logs: Network traffic logs.
• Site-to-Site VPN: Secure connection to AWS.
• Direct Connect: Dedicated network to AWS.
• Transit Gateway: Network scaling and connectivity.

Security and Compliance

• AWS IAM: Access control.
• Amazon Cognito: User identity.
• AWS KMS: Key management.
• AWS Shield: DDoS protection.
• AWS WAF: Web application firewall.
• AWS Inspector: Security assessment.
• AWS Audit Manager: Compliance checks.
• AWS Certificate Manager: SSL/TLS certificates.
• AWS Macie: Data privacy and security.
• AWS Security Hub: Security insights.
• Amazon Detective: Security investigation.
• AWS Config: Configuration compliance.
• AWS IAM Access Analyzer: Access analysis.
• AWS GuardDuty: Threat detection.

Machine Learning

• Amazon SageMaker: ML model building and training.
• AWS DeepLens: Deep learning-enabled camera.
• Amazon Rekognition: Image and video analysis.
• Amazon Comprehend: Natural Language Processing.
• AWS DeepRacer: Reinforcement learning models.
• Amazon Transcribe: Speech recognition.
• Amazon Polly: Text-to-speech.
• Amazon Lex: Conversational interfaces.
• Amazon Forecast: Time-series forecasting.
• Amazon Personalize: Real-time personalization.
• AWS DeepComposer: Generative AI for music.

Billing and Cost Management

• AWS Cost Explorer: Cost visualization and management.
• AWS Budgets: Budgeting and alerts.
• AWS Price List API: Programmatic access to AWS pricing.
• AWS Cost and Usage Report: Detailed cost reports.
• AWS Savings Plans: Flexible pricing models.
• AWS Reserved Instances: Discounted instances.

Additional Services

• Amazon WorkSpaces: Desktop-as-a-Service.
• Amazon AppStream 2.0: Application streaming.
• Amazon Elastic Transcoder: Media transcoding.
• AWS Amplify: Full stack app development.
• AWS AppSync: Data synchronization.
• AWS Device Farm: App testing.
• AWS DataSync: Data transfer.

Best Practices for AWS Services

Security and Compliance

• Implement the Principle of Least Privilege: Use IAM to grant minimal necessary permissions.
• Enable MFA: Strengthen security by enabling Multi-Factor Authentication for AWS accounts and IAM users.
• Encrypt Data: Utilize AWS KMS for managing encryption keys and ensure encryption of data at rest and in transit.
• Regularly Audit and Review Permissions: Use AWS IAM Access Analyzer and AWS Config to continuously monitor and audit permissions and configurations.
• Use AWS WAF and Shield: Protect your applications from common web exploits and DDoS attacks.

Cost Optimization

• Monitor and Analyze Costs: Leverage AWS Cost Explorer and AWS Budgets to monitor, analyze, and manage AWS spending.
• Optimize Resource Utilization: Utilize AWS Trusted Advisor and AWS Compute Optimizer for recommendations on resource optimization.
• Leverage Reserved Instances and Savings Plans: Reduce costs for predictable usage by purchasing Reserved Instances or committing to Savings Plans.
• Implement Tagging Strategy: Organize resources with tags to allocate costs and optimize resources effectively.

Deployment and Development Efficiency

• Automate Deployments: Utilize AWS CloudFormation, AWS CodeDeploy, and AWS Elastic Beanstalk for automated and consistent deployments.
• Use Infrastructure as Code: Manage infrastructure through code with AWS CloudFormation for repeatable and scalable deployments.
• Adopt Continuous Integration/Continuous Deployment (CI/CD): Implement AWS CodePipeline to automate testing and deployment processes.
• Isolate Environments Using VPC: Use Amazon VPC to isolate development, testing, and production environments.

Performance and Scalability

• Design for Scalability: Employ services like Amazon EC2 Auto Scaling and AWS Fargate to automatically adjust capacity to maintain performance.
• Use Content Delivery Network: Utilize Amazon CloudFront to distribute content globally and reduce latency.
• Optimize Data Streaming: Use Amazon Kinesis for real-time data processing at scale.

Reliability and High Availability

• Design for Failure: Architect applications across multiple Availability Zones using services like Amazon RDS Multi-AZ deployments for high availability.
• Back-Up Data Regularly: Implement backup strategies using Amazon S3 and AWS Backup to protect data.
• Use Amazon Route 53 for DNS and Health Checks: Enhance application availability and monitor health using Route 53’s DNS management and health checking features.

Monitoring, Logging, and Debugging

• Monitor Applications and Infrastructure: Use Amazon CloudWatch for comprehensive monitoring of your applications and AWS resources.
• Enable Logging: Activate AWS CloudTrail and VPC Flow Logs for auditing and monitoring network traffic.
• Debug and Trace Application Issues: Leverage AWS X-Ray for analyzing and debugging production and distributed applications.