Home >

AWS Essentials 2018

Posted on October 14, 2018 by Ernesto Garbarino


# install
pip install awscli

# authenticate
# create user on console to get Access Key Id/Secret
aws configure

Identity and Access Management (IAM)

Simple Storage Service (S3)

# list buckets
aws s3 ls

# list a bucket's files
aws s3 ls bucket1

# copy one bucket to another
aws s3 cp --recursive s3://bucket1 s3://bucket2

# copy static website under ./site to s3 and make public
aws s3 cp --recursive --acl public-read _site/ s3://garba-static

# dealing with InvalidRequest errors (specify EC2 region)
aws s3 cp s3://sao_paulo_bucket/cowboy.jpg /tmp/ --region eu-west-1

S3 Lifecycle Rules

Cloud Front

Storage Gateway



The snowball software works similarly to the AWS cli tool. Software must be copied into “buckets” that will then end up in the proper cloud bucket when Amazon gets the appliance back:

./snowball cp hello.txt s3://my_bucket

S3 Transfer Acceleration


Security Groups

Recipe for running Apache on an existing EC2 instance

# after downloading key, remove access to group and others
chmod 400 myEC2.pem

# ssh into EC2 instance
ssh ec2-user@ -i myEC2.pem

# update packages on Linux AMI instance
sudo yum update -y

# install apache
sudo yum install httpd -y

# create page
echo "Hello World" > /var/www/html/index.html

# start httpd
sudo service httpd start

# always start at reboot
sudo chckconfig httpd on


# Get EC2 Instances (including terminated ones)
$ aws ec2 describe-instances

# Get instance Ids
$ aws ec2 describe-instances | grep InstanceId

# aws ec2 terminate-instances --instance-ids 
aws ec2 terminate-instances --instance-ids i-0090856f1626a0928

Get Metadata (!)


Placement Groups

EBS (Elastic Block Storage)


RAID stands for Redundant Array of Independent Disks


EBS vs Instance Store


Load Balancing

Cloud Watch



$ aws configure
$ cd ~/aws
$ ls -la

Elastic File System (EFS)


General Points



Route 53 & DNS

The name originates because the DNS port is 53 An apex record if one at the root of a DNS zone. They are also known as naked domains There is a limit of 50 domains that can be raised by contacting AWS support

Top Level Domains

* Domains such as .com, .edu, .gov
* Controlled by the Internet Assigned Numbers Authority (IANA)
* Database at http://www.iana.org/domains/root/db

Domain Registrars

* They can assign domain names under one or more top-level domains
* They are registered with InternNIC, a service of ICANN
* Each domain name is registered in the WhoIS database

Start Of Authority Record (SOA)

* The server that supplied the data for the zone
* The zone's administrator
* The current version of the data file
* The default number of seconds for the time-to-live (TTL) file on resource records

Name Server Records

Name Server Records (NS) are used by Top Level Domain servers to point to the authoritative DNS that holds the DNS records.

Example of a NS record pointing to Amazon set up at a Registrar (e.g. GoDaddy)

mydomain.com. 86400 IN NS ns.awsdns.com

Common Record Types

ELBs and IP Addresses

Routing Policies



Amazon managed-service for in-memory caching:

Amazon RDS

An OLTP offering:

mysql -u ernie -p -h mydb.cugrv9uf52uw.eu-west-2.rds.amazonaws.com -D my_database

For provisioned IOPS SSD Storage the following ranges apply:

Databases IOPS Storage
MariaDB, MySQ, PostreSQL 1k-40k 100GiB-16TiB
SQL Server Web/Express 1k-32k 100GiB-16TiB
SQL Server Standard/EE 1k-32k 20GiB-16TiB
Oracle 1k-40k 100GiB-32TiB

IOPS is fishy. More info at https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Storage.html#USER_PIOPS

Automated Backups


Multi-AZ Replication

Red Replica


Consistency Model


An OLAP offering.


Microsoft SQL Server

Amazon Virtual Private Cloud (VPC)

Amazon VPC is a capability that allows to provision a logically isolated section and network so that resources can be secured and grouped into trust areas.

ELBs and VPCs

Subnet Ranges

CIDR Prefix First IP Last IP Total
(10/8) 16,777,216
(182.16/12) 1,048,576
(192.168/16) 65,536


Creating a new VPC

Creating a new VPC results in the automatic creation of:

Unavailable IPs

For example, in a subnet with CIDR block, the following five IP addresses are reserved:

NAT Instances

NAT Instances are AMI virtual machines that work as a NAT router.

NAT Gateway

A NAT gateway is a cloud native managed service rather than a user-managed EC2 instance

Network ACL (NACL)

VPC Flow Logs

It allows capturing information about IP traffic going to and from network interfaces in a VPC using Amazon CloudWatch.

They can be created at three levels:

  1. VPC
  2. Subnet
  3. Network Interface Level



Two types

Internet Gateway

Online 1 Internet Gateway can be attached to a VPC

Application Services

(Simple Queue Service) SQS

Simple Workflow Service (SWF)

Queue Types

Amazon SNS

Elastic Transcoder

API Gateway


Kinesis Streams

Kinesis Firehose

Kinesis Analytics

Simple E-Mail Service (SES)

Best Practices

Cloud Benefits

Design for Failure



  1. Proactive cyclic scaling: (daily, weekly, etc)
  2. Proactive business event-based scaling (e.g. Christmas, product launch, etc.)
  3. Auto-scaling based on demand: based on metrics and triggers


Well Architected Framework (WAF)

File pillars:

  1. Security
  2. Reliability
  3. Performance Efficiency
  4. Cost Optimisation
  5. Operational Excellence

General Design Principles


Design Principles

AWS Shared Responsibility Model

Security Best Practices

The key areas data protection, privilege management, infrastructure protection, and detective controls.

Data protection

Privilege management

Infrastructure protection

Detective controls


Design Principles

Best Practices

Key areas are foundations, change management, and failure management.


Change Management

Failure Management

Performance Efficiency

Design Principles

Best Practices

The four key areas are compute, storage, database, and space-time trade-off.



Space-Time Trade-off

Cost Optimisation

Design Principles

Best Practices

The four key areas are: matched supply and demand, cost-effective resources, expenditure awareness, and optimizing over time.

Matched Supply and Demand

Cost-effective Resources

Expenditure Awareness

Optimizing Over Time

Operational Excellence

Design Principles

Best Practices

The key areas are preparation, operation, and response.




AWS Organizations

An account management service that enables to consolidate multiple AWS accounts into an organisation that can be created and centrally managed.

Cross Account Access

Consolidated Billing


Resource Groups

AWS Systems Manager

VPC Peering

Direct Connect

Direct Connect vs VPN

Security Token Service (STS)

It grants users limited and temporary access to AWS resources.

Users come from three sources:

  1. Regular Enterprise Federation
    • It typically uses Active Directory (AD)
    • It uses the Security Assertion Markup Language (SAML)
    • It relies on AD credentials
      • User does not need to be an IAM user
    • It allows single sign-on to the AWS console without IAM credentials
  2. Federation with Mobile Apps
    • OpenID providers
    • Examples:
      • Facebook
      • Google
  3. Cross Account Access
    • It lets users from one AWS account to access resources in another

Key terms

More facts


Elastic Container Service (ECS)

Task Definitions

ECS Service

ECS Clusters

Scheduler types:



Amazon EC2 Container Registry (ECR)


Security credentials when creating a new user: (!) * Private Key * Authorized Key

How to add new administrators to the AWS console:

Support Levels

AWS Trusted Advisor

Security Checks (!)

Elastic Map Reduce

It allows root access (!)


Error nodes in Amazon RDS responses Minimum and maximum size capacity for various RDS databases. E.g. Microsoft SQL Server Express which is 10GB You can conduct your own vulnerability scans within your own VPC without alerting AWS first? -> Answer is NO.

Reserved Instances

OPsWorks -> Chef / Puppet

AWS Support Levels and SLAs at -> https://aws.amazon.com/premiumsupport/compare-plans/ specially response times by case severity

AWS uses the Xen hypervisor AWS is PCI DSS 1.0 certified AWS number of regions: 14