Index
A
access control
access control lists (ACLs), 51
creating, 28
accessing. See also IAM (Identity and Access Management)
AWS, 23
APIs (application programmable interfaces), 33–34
CLI (command-line interface), 29–32
SDKs (software development kits), 32–33
Pearson Cert Practice Test Engine, 286–287
accounts (AWS), creating, 23–24
ACID compliance, 121
ACLs (access control lists), 51
Active Directory, 56
activity tasks, 165
actors, 165
Agile, 182
DevOps and CI/CD versus, 184
Amazon API Gateway, 19
Amazon Cloud Hardware Security Model (CloudHSM), 17
Amazon CloudFront, 14, 70, 138–144
Amazon CloudSearch, 18
Amazon CloudTrail, 20, 277–279
security, 277
Amazon CloudWatch, 20, 261–277
collecting logs and metrics, 269–271
enhanced monitoring scripts, 275–277
storing logs and metrics, 271–273
Amazon DocumentDB, 129
authentication and access control, 136–137
global tables, 134
items, 131
on-demand mode, 152
secondary indexes, 133
Amazon DynamoDB Accelerator (DAX), 18, 138
Amazon Elastic Block Storage (EBS), 16, 88–89
Amazon Elastic Cloud Computing (EC2), 15, 76–83
monitoring memory usage, 275–277
Amazon Elastic Container Registry, 84
Amazon Elastic Container Service (ECS), 15, 76, 83–87
Amazon Elastic File System (EFS), 16
Amazon Elastic Kubernetes Service (EKS), 15, 84
Amazon Elastic Load Balancing (ELB), 14, 70, 90–91
Amazon Elastic Map Reduce (EMR), 18
Amazon Elastic Transcoder, 19
Amazon ElastiCache, 18, 129, 138
Amazon Glacier, 16
Amazon Identity and Access Management (IAM). See IAM (Identity and Access Management)
Amazon Inspector, 17
Amazon Key Management Service (KMS), 17
Amazon Kinesis, 18
Amazon Neptune, 129
Amazon Quantum Ledger, 129
Amazon RedShift, 18
Amazon Relational Database Service (RDS), 18, 123–124
supported database types, 124–127
Amazon Route 53, 14, 70, 93–95
Amazon Simple Notification Service (SNS), 171–175
subscriptions, 172
Amazon Simple Queue Service (SQS), 166–171
dead letter queues, 171
Amazon Simple Storage Service (S3), 16, 112–120
data life cycling, 118
as serverless service, 152
storage tiers, 118
transferring static files, 249–254
with multipart uploads, 250–254
versioning, 117
Amazon Simple Workflow (SWF), 19, 164–165
Amazon TimeStream, 129
Amazon Virtual Private Cloud (VPC), 14, 70, 71–76
creating VPCs, 72
private network connections, 75–76
Amazon Web Application Firewall (WAF), 17, 71
Amazon Web Services. See AWS (Amazon Web Services)
Amazon WorkDocs, 17
Amazon WorkMail, 17
Amazon WorkSpaces, 17
Amazon Redshift, 129
Amazon Redshift Spectrum, 129
AMI instances, 80
analytics tools, 18
API Gateway, 19
APIs (application programmable interfaces), 33–34
application services, 19
applications. See also software development
approaches, 229
AWS Database Migration Service (DMS), 234–249
AWS Server Migration Service (SMS), 234
transferring static files, 249–256
VM Import/Export service, 231–234
monitoring
with Amazon CloudTrail, 277–279
with Amazon CloudWatch, 261–277
with AWS Config, 279
artifact building with AWS CodeBuild, 198–206
assigning permissions, 27–28, 40–41
asynchronous communication, 67
atomicity, 121
attributes in Amazon DynamoDB, 132–133
authentication in Amazon DynamoDB, 136–137. See also IAM (Identity and Access Management)
authorization. See access control; IAM (Identity and Access Management)
automating
serverless processing flows, 161–165
Amazon Simple Workflow (SWF), 164–165
availability zones, 21–22. See also high availability
AWS (Amazon Web Services)
accessing, 23
APIs (application programmable interfaces), 33–34
CLI (command-line interface), 29–32
SDKs (software development kits), 32–33
Foundation services, 14
compute services, 15
end-user applications, 17
security and identity services, 16–17
storage services, 16
datacenters, 21
regions, 22
Management services, 20
approaches, 229
AWS Database Migration Service (DMS), 234–249
AWS Server Migration Service (SMS), 234
transferring static files, 249–256
VM Import/Export service, 231–234
Platform services, 17
analytics tools, 18
application services, 19
databases, 18
developer tools, 19
aws autoscaling create-auto-scaling-group command, 211
aws autoscaling update-auto-scaling-group command, 213, 215
AWS CloudFormation, 20, 96, 101–106
aws cloudformation delete-stack command, 105
aws cloudformation deploy command, 104, 217
aws cloudformation describe-stacks command, 104–105
aws cloudfront create-distribution command, 143, 144
aws cloudwatch put-metric-data command, 272
AWS CodeBuild, 19, 186, 198–206
aws codebuild batch-get-builds command, 206
aws codebuild create-project command, 201
aws codebuild list-builds-for-project command, 206
aws codebuild start-build command, 204
AWS CodeCommit, 19, 186, 196–198
aws codecommit create-repository command, 196
AWS CodeDeploy, 19, 96, 186, 206–214
aws codepipeline get-pipeline-state command, 218
aws codepipeline list-pipelines command, 217
AWS Cognito, 19
aws command, 30
AWS Database Migration Service (DMS), 234–249
AWS DataSync, 254
aws deploy create-application command, 211
aws deploy get-deployment command, 212
AWS Device Farm, 19
aws dynamodb create-table command, 135
aws dynamodb get-item command, 136
aws dynamodb put-item command, 135–136
aws ec2 allocate-address command, 74
aws ec2 associate-route-table command, 73
aws ec2 attach-internet-gateway command, 73
aws ec2 create-internet-gateway command, 73
aws ec2 create-key-pair command, 104
aws ec2 create-nat-gateway command, 74
aws ec2 create-route command, 73
aws ec2 create-route-table command, 73
aws ec2 create-subnet command, 73–74
aws ec2 create-vpc command, 72
aws ec2 describe-import-image-tasks command, 234
aws ec2 import-image command, 233
aws ecs create-cluster command, 85
aws ecs register-task-definition command, 86–87
supported platforms, 98
aws iam add-role-to-instance-profile command, 210
aws iam add-user-to-group command, 196
aws iam attach-group-policy command, 196
aws iam attach-role-policy command, 208, 235–236
aws iam create-group command, 196
aws iam create-instance-profile command, 210
aws iam create-role command, 200, 208–209, 215, 231, 235–236
aws iam put-role-policy command, 210, 233
AWS Internet of Things (IoT) Services, 20
AWS Lambda, 15, 76–77, 153–161
permissions and roles, 157–160
aws lambda get-function command, 159
aws logs create-log-group command, 274
aws logs create-log-stream command, 274
aws logs put-log-events command, 274–275
AWS Pinpoint, 19
aws s3 command, 117
aws s3 website command, 116
aws s3api abort-multipart-upload command, 251
aws s3api command, 117
aws s3api complete-multipart-upload command, 254
aws s3api create-bucket command, 114, 198
aws s3api create-multipart-upload command, 251
AWS SageMaker, 20
AWS Schema Conversion Tool (SCT), 235
AWS Server Migration Service (SMS), 234
AWS Serverless Application Model (SAM), 152
AWS Shield, 71
aws sns create-topic command, 172–173
aws sns publish command, 174
aws sns subscribe command, 173–174
aws sqs create-queue command, 167
aws sqs delete-message command, 170
aws sqs get-queue-attributes command, 169
aws sqs get-queue-url command, 167–168
aws sqs receive-message command, 169–170
aws sqs send-message command, 169
AWS Storage Gateway, 16, 254–255
AWS Systems Manager, 97
AWS Virtual Private Gateway, 14
AWS-managed policies, 51
B
basic availability, 122
broad network access, 6
buckets, 113
access control, 119
creating, 114
uploading to, 114
building artifacts with AWS CodeBuild, 198–206
building pipelines (CI/CD), 214–224
automating CI/CD process, 214–220
integrating into code, 220–224
built-in encryption, 57
C
cache hit, 68
Amazon DynamoDB Accelerator (DAX), 138
Amazon ElastiCache, 138
Memcached, 138
Redis, 138
capacity planning in Amazon DynamoDB, 133–134
CI/CD (continuous integration/continuous delivery and deployment), 184–185
continuous delivery, 185
continuous deployment, 185
continuous integration, 184–185
tools
list of, 186
CIDR (Classless Inter-Domain Routing) notation, 71–72
CLI (command-line interface), 29
in AWS Elastic Beanstalk, 99–101
installing, 29
policies (IAM), creating, 52
template generation, 32
client-side encryption, 58
cloud computing
containers, 11
deployment types, 6
shared responsibility model, 12–13
stateful versus stateless design, 69–70
virtualization, 11
CloudFormation, 20, 96, 101–106
CloudHSM (Cloud Hardware Security Model), 17
CloudHSM integrated encryption, 58
CloudSearch, 18
security, 277
collecting logs and metrics, 269–271
enhanced monitoring scripts, 275–277
storing logs and metrics, 271–273
clustering, 89
code
deploying with AWS CodeDeploy, 206–214
storing in AWS CodeCommit, 196–198
writing
CodeDeploy, 19, 96, 186, 206–214
Cognito, 19
command-line interface. See CLI (command-line interface)
community cloud, 6
compute services, 15
Amazon Elastic Cloud Computing (EC2), 77–83
Amazon Elastic Container Service (ECS), 83–87
overview of requirements, 65–70
configuring CLI (command-line interface), 29–30
consistency, 121
containers, 11, 83–84. See also Amazon Elastic Container Service (ECS)
content delivery in Amazon S3, 113–114
CR (continuous reaction), 185–186
customer-managed policies, 51
customizing Pearson Cert Practice Test Engine, 287–288
D
data life cycling in Amazon S3, 118
data storage
dynamic assets, 112
in-memory assets, 112
nonrelational, 129
persistent data
Amazon Elastic Block Storage (EBS), 88–89
relational
deploying in AWS, 123
supported database types, 124–127
static assets, 112
types of disks, 68
Database Migration Service (DMS), 234–249
databases, 18
ACID compliance, 121
encryption, 58
nonrelational, 129
relational
deploying in AWS, 123
supported database types, 124–127
datacenters, 21
DataSync, 254
DAX (DynamoDB Accelerator), 18, 138
dead letter queues, 171
decider tasks, 165
dedicated instances, 79
deploying code with AWS CodeDeploy, 206–214
developer tools, 19
Device Farm, 19
DevOps
Agile and CI/CD versus, 184
software development life cycle in, 182–183
tools
list of, 186
dimensions, 270
disks, 68
DMS (Database Migration Service), 234–249
DNS (Domain Name Service). See Amazon Route 53
document type (Amazon DynamoDB), 132
DocumentDB, 129
durability, 121
dynamic assets, 112
authentication and access control, 136–137
global tables, 134
items, 131
on-demand mode, 152
secondary indexes, 133
DynamoDB Accelerator (DAX), 18, 138
E
eb create command, 100
eb init command, 99
eb terminate command, 101
EBS (Elastic Block Storage), 16, 88–89
EC2 (Elastic Cloud Computing), 15, 76, 77–83
monitoring memory usage, 275–277
EC2 instances, 80
ECS (Elastic Container Service), 15, 76, 83–87
EFS (Elastic File System), 16
EKS (Elastic Kubernetes Service), 15, 84
supported platforms, 98
Elastic Block Storage (EBS), 16, 88–89
Elastic Container Registry, 84
Elastic Transcoder, 19
ELB (Elastic Load Balancing), 14, 70, 90–91
EMR (Elastic Map Reduce), 18
encryption, 57
end-user applications, 17
enhanced monitoring scripts, 275–277
error responses, 280
eventual consistency, 123
exam preparation
chapter reviews, 289
information about exam, 282–284
Pearson Cert Practice Test Engine, 286–289
Premium Edition, 289
updating, 288
skill requirements for exam, 283
suggested study plan, 289
examples, 283
adding entry as nested key/value pairs, 122
adding last active attribute to data, 122
appspec.yml file written in YAML, 203
AWS CLI input required to attach policies to CodePipeline role, 215
aws dynamodb get-item command response, 136
aws ec2 create-vpc command output, 72
AWS Step Functions machine that checks first value of name1 key, 163–164
bucket policy for CloudFront origin access identity, 143
buildspec.yml file written in YAML, 203
CLI input to create autoscaling launch configuration, 211
CLI input to create CodeDeploy deployment, 212
CLI input to create CodeDeploy deployment group, 212
CLI script to add Lambda permission to S3 bucket, 160
CloudFormation template, 103–104
CloudFormation template to deliver complete pipeline deployment, 216–217
CloudFront distribution configuration file in JSON, 143–144
CloudTrail log content, 278–279
CodeBuild IAM role policy, 199–200
CodeBuild project command output, 201–202
CodeBuild specification for project, 201
CodeDeploy appspec.yml file, 207
complete-multipart-upload command output, 254
container task definition, 86–87
create-multipart-upload command output, 251
create-repository command output, 197
.NET code that runs task definition, 87
event handler for Lambda function, 154
get-deployment CLI command output, 212–213
get-pipeline command output, 218–220
git push command output, 198
IAM policy
allowing access to S3 and logs required by Lambda, 158
allowing CodeDeploy to assume role, 208
allowing CodePipeline to assume role, 214–215
allowing DMS service to assume role, 235
allowing read access to items in S3 bucket, 116
allowing read access to S3, 209
in EC2 instance role, 209
locking down permissions to DynamoDB table, 137
that allows VM import service to assume vmimport role, 231
for vmimport role, 232
to write and retrieve metrics and logs to/from CloudWatch, 276
import-image command response, 233
Java DescribeDBInstanceResult class, 124
JavaScript to build RDS database, 123–124
JSON-formatted data with key/value pairs, 121
Lambda function invocation permission IAM document, 159
Lambda security policy required to run Python script, 83
log input file for CloudWatch, 273–274
metric input file for CloudWatch, 272
node.js script that creates EC2 instance, 80
parallel input for multipart upload operation, 253
Python script
to build complete pipeline through AWS boto3 SDK, 221–224
to create EC2 instance, 82
to create RDS instance, 128
receive-message command response formatted in JSON, 175
receive-message command response with receipt handle, 170
S3 policy with source IP condition, 119
s3 sync command output, 249
show database command output after successful migration, 249
show database command output for RDS database, 241
show databases command output, 237
SQL script to create sample database, 237
start-build command output, 204–205
test data for Lambda function, 155
user data bash script that deploys CodeDeploy agent, 210
VM import definition specifying S3 bucket and key for import process, 233
execution roles in AWS Lambda, 158
F
LDAP and Active Directory, 56
OpenID, 55
SAML 2.0, 56
when to use, 56
federation roles (IAM), 49
Flash Card mode, 288
Foundation services, 14
compute services, 15
end-user applications, 17
security and identity services, 16–17
storage services, 16
G
Git, AWS CodeCommit with, 196–198
Glacier, 16
global architecture of AWS, 20–21
datacenters, 21
regions, 22
global tables in Amazon DynamoDB, 134
adding users, 46
GSI (global secondary index), 133
H
high availability, 89
Amazon Elastic Load Balancing (ELB), 90–91
history
of software development
Agile, 182
CR (continuous reaction), 185–186
horizontal scaling, 127
hosting websites in Amazon S3, 116–117
HTTP methods, Amazon CloudFront support, 139–140
hybrid cloud, 6
I
IaaS (Infrastructure as a Service), 9–10, 12
IAM (Identity and Access Management), 16
LDAP and Active Directory, 56
OpenID, 55
SAML 2.0, 56
when to use, 56
adding users, 46
overview, 39
creating, 52
types of, 51
federation, 49
service, 48
user-based, 48
access keys, 28
adding to groups, 46
MFA (multifactor authentication), 43–44
iam add-user-to-group command, 46
iam create-group command, 46–47
iam create-policy command, 52
iam create-role command, 49–50
iam create-user command, 44–45
Identity and Access Management. See IAM (Identity and Access Management)
LDAP and Active Directory, 56
OpenID, 55
SAML 2.0, 56
identity-based policies, 51, 159
Infrastructure as a Service (IaaS), 9–10, 12
inline policies, 51
in-memory assets, 112
Inspector, 17
installing CLI (command-line interface), 29
instances
Internet connections for VPCs, 72–75
IoT (Internet of Things) Services, 20
IPsec VPNs, 59
IPv4 (Internet Protocol version 4), 65–66
IPv6 (Internet Protocol version 6), 65–66
isolation, 121
items in Amazon DynamoDB, 131
K
Kinesis, 18
KMS (Key Management Service), 17
KMS integrated encryption, 57
L
permissions and roles, 157–160
LANs (local area networks), 65
latencies, 68
LDAP, federation, 56
life cycling in Amazon S3, 118
logs
structure in Amazon CloudTrail, 277–279
LSI (local secondary index), 133
M
Amazon CloudWatch section, 262–269
Management services, 20
MariaDB, 125
measured service, 7
Memcached, 138
memory usage, monitoring, 275–277
messaging services, 165
Amazon Simple Notification Service (SNS), 171–175
subscriptions, 172
Amazon Simple Queue Service (SQS), 166–171
dead letter queues, 171
metrics
definition of, 270
MFA (multifactor authentication), 43–44
Microsoft SQL, 127
approaches, 229
AWS Database Migration Service (DMS), 234–249
AWS Server Migration Service (SMS), 234
transferring static files, 249–256
VM Import/Export service, 231–234
monitoring
with Amazon CloudTrail, 277–279
security, 277
with Amazon CloudWatch, 261–277
collecting logs and metrics, 269–271
enhanced monitoring scripts, 275–277
storing logs and metrics, 271–273
with AWS Config, 279
multifactor authentication (MFA), 43–44
MySQL, 125
N
NAT (Network Address Translation), 66
Neptune, 129
Amazon Virtual Private Cloud (VPC), 71–76
creating VPCs, 72
private network connections, 75–76
LANs versus WANs, 65
nonrelational databases, 129
authentication and access control, 136–137
global tables, 134
items, 131
secondary indexes, 133
Amazon DynamoDB Accelerator (DAX), 138
Amazon ElastiCache, 138
Memcached, 138
Redis, 138
NoSQL, 120–123. See also nonrelational databases
O
on-demand instances, 79
on-demand self-service, 6
OpenID, 55
Oracle, 127
P
PaaS (Platform as a Service), 9–10, 12–13
Pearson Cert Practice Test Engine, 286–289
Premium Edition, 289
updating, 288
percentiles, 271
permissions
types of, 41
permissions boundaries, 51
persistent data storage
Amazon Elastic Block Storage (EBS), 88–89
Pinpoint, 19
pipelines (CI/CD), building, 214–224
automating CI/CD process, 214–220
integrating into code, 220–224
Platform as a Service (PaaS), 9–10, 12–13
Platform services, 17
analytics tools, 18
application services, 19
databases, 18
developer tools, 19
creating, 52
identity-based, 159
types of, 51
PostgreSQL, 125
Practice Exam mode, 288
practice exam software. See Pearson Cert Practice Test Engine
Premium Edition of Pearson Cert Practice Test Engine, 289
preparing for exam. See exam preparation
private cloud, 6
private network connections for VPCs, 75–76
public cloud, 6
Q
Quantum Ledger, 129
queueing. See Amazon Simple Queue Service (SQS)
R
rapid elasticity, 6
RDS (Relational Database Service), 18, 123–124
supported database types, 124–127
read offloading, 127
Redis, 138
RedShift, 18
regions, 22
relational databases
deploying in AWS, 123
supported database types, 124–127
resource pooling, 6
resource-based policies, 51, 159–160
RIs (reserved instances), 79
role assumption, 47
federation, 49
service, 48
user-based, 48
users versus, 39
RRS (S3 Reduced Redundancy Storage) storage class, 118
S
S3 (Simple Storage Service), 16, 112–120
data life cycling, 118
as serverless service, 152
storage tiers, 118
transferring static files, 249–254
with multipart uploads, 250–254
versioning, 117
S3 Glacier Deep Archive storage class, 118
S3 Glacier storage class, 118
S3 Infrequent Access storage class, 118
S3 One Zone-Infrequent Access storage class, 118
S3 Reduced Redundancy Storage (RRS) storage class, 118
S3 Server-Side Encryption (SSE-S3), 119
S3 SSE-C, 120
S3 SSE-KMS, 119
S3 Standard storage class, 118
SaaS (Software as a Service), 9–10
SageMaker, 20
SAM (Serverless Application Model), 152
SAML 2.0, 56
scalability, 89. See also high availability
scalar type (Amazon DynamoDB), 132
SCPs (service control policies), 51
scripts in Amazon CloudWatch, 275–277
SCT (Schema Conversion Tool), 235
SDKs (software development kits), 32–33
secondary indexes in Amazon DynamoDB, 133
security
in Amazon CloudTrail, 277
security and identity services, 16–17
Server Migration Service (SMS), 234
Serverless Application Model (SAM), 152
automating processing flows, 161–165
Amazon Simple Workflow (SWF), 164–165
permissions and roles, 157–160
AWS Serverless Application Model (SAM), 152
service control policies (SCPs), 51
service roles (IAM), 48
session policies, 51
set type (Amazon DynamoDB), 132–133
shared responsibility model, 12–13
Shield, 71
Simple Queue Service (SQS), 166–171
dead letter queues, 171
Simple Storage Service (S3). See S3 (Simple Storage Service)
Simple Workflow (SWF), 19, 164–165
skeleton files, generating, 32
skill requirements for exam, 283
SMS (Server Migration Service), 234
SNS (Simple Notification Service), 171–175
subscriptions, 172
soft state, 123
Software as a Service (SaaS), 9–10
software development
history of
Agile, 182
CR (continuous reaction), 185–186
tools
list of, 186
software development kits (SDKs), 32–33
spot instances, 79
SQL, 120
SQS (Simple Queue Service), 166–171
dead letter queues, 171
SSE-S3 (S3 Server-Side Encryption), 119
stateful design versus stateless design, 69–70
static assets, 112
data life cycling, 118
storage tiers, 118
versioning, 117
statistics, 271
storage services, 16
storage tiers in Amazon S3, 118
storing
code in AWS CodeCommit, 196–198
data. See data storage
logs and metrics in Amazon CloudWatch, 271–273
Study mode, 288
subscriptions (Amazon SNS), 172
SWF (Simple Workflow), 19, 164–165
synchronous communication, 67
Systems Manager, 97
T
tables in Amazon DynamoDB, 130–131
templates
in AWS CloudFormation, 102–104
generating, 32
threads, 67
TimeStream, 129
time-to-live (TTL), 140
TLS encryption, 58
transferring static files, 249–254
AWS DataSync, 254
AWS Snowmobile, 256
with multipart uploads, 250–254
troubleshooting applications, 279–280
TTL (time-to-live), 140
U
updating Pearson Cert Practice Test Engine, 288
uploading
to buckets, 114
user-based roles (IAM), 48
access keys, 28
adding to groups, 46
MFA (multifactor authentication), 43–44
roles versus, 39
V
versioning in Amazon S3, 117
vertical scaling, 127
Virtual Private Gateway, 14
virtualization, 11
VM Import/Export service, 231–234
VPC (Virtual Private Cloud), 14, 70–76
creating VPCs, 72
private network connections, 75–76
W
WAF (Web Application Firewall), 17, 71
WANs (wide area networks), 65
Web Services. See AWS (Amazon Web Services)
websites, hosting in Amazon S3, 116–117
WorkDocs, 17
WorkMail, 17
WorkSpaces, 17
writing code