0% found this document useful (0 votes)

130 views839 pages

AWS Certified Solutions Architect Professional Slides v33

This document is a training resource for the AWS Certified Solutions Architect Professional course by Stéphane Maarek, intended for personal use and exam preparation. It outlines the course structure, key topics, and expectations, emphasizing the importance of prior AWS experience and the complexity of the exam. Additionally, it provides insights into IAM policies, roles, and security best practices within AWS.

Uploaded by

cenachefiio

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

130 views839 pages

AWS Certified Solutions Architect Professional Slides v33

Uploaded by

cenachefiio

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 839

NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.

com
AWS Certified Solutions Architect Professional
By Stéphane Maarek
https://links.data

https://links.dat
cumulus.com/aw
s-certified-sa-

https://links.da
pro-coupon

acumulus.com/
tacumulus.com
aws-certified-
/aws-certified-
sa-pro-pt-
sa-pro-coupon coupon
https://links.datacumulus.com/aw
COURSE
https://links.datacumulus.com/aws
EXTRA PRACTICE EXAMS
s-certified-sa-pro-coupon
-certified-sa-pro-pt-coupon
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Disclaimer: These slides are copyrighted and
strictly for personal use only
• This document is reserved for people enrolled into the
Ultimate AWS Certified Solutions Architect Professional course

• Please do not share this document, it is intended for personal use and exam
preparation only, thank you.

• If you’ve obtained these slides for free on a website that is not the course’s
website, please reach out to [email protected]. Thanks!

• Best of luck for the exam and happy learning!

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Table of Contents
• Identity & Federation
• Security
• Compute & Load Balancing
• Storage
• Caching
• Databases
• Service Communication
• Data Engineering
• Monitoring
• Deployment & Instance Management

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Table of Contents
• Cost Control
• Migrations
• Amazon VPC
• Machine Learning
• Other Services
• Exam Preparation
• Congratulations

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Certified Solutions
Architect Professional Course
SAP-C02

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Setting the right expectations for this course
• This course is all slides based
• I’m assuming you have experience using AWS
• No hands-on will come with the course. You should know the basics
• It’s fast paced. Your time is valuable. Feel free to slow me down to 0.75x
• If you just passed the AWS Certified Solutions Architect Associate cert
• I recommend you go through AWS Certified Developer, SysOps & DevOps
• I know you are eager to get the SAP certification, but take your time
• The AWS knowledge needed for the SA Pro exam
• Is extremely similar to the knowledge for SAA
• The questions are more complex, and knowing details is very important
• It’s possible that multiple answers are correct, but one is the most appropriate

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
The AWS Certified Solutions Architect
Professional Exam
• Is HARD
• Tests real AWS experience
• Will test you on some very subtle service features

• I have included quizzes for every single section BUT…

• The quizzes are not “scenario based” / ”exam-like”
• They only help you extract some important notions out of what you’re learning
• This is my optimal way of teaching you about specific topics
• Please trust my teaching process

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Practice Exams
• This course does not come with practice exams
• Practice Exams come separately
• I really want to focus this course on the knowledge needed

• Warning:
• This course is on the NEW CERTIFICATION (SAP-C02)
• You may see outdated content in other practice exams, other courses, etc…
• This course is not incomplete, it’s more targeted towards the knowledge you
actually need to know to pass the exam

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
IAM – What should you know by now
• Users: long term credentials
• Groups
• Roles: short-term credentials, uses STS
• EC2 Instance Roles: uses the EC2 metadata service. One role at a time per instance
• Service Roles: API Gateway, CodeDeploy, etc…
• Cross Account roles
• Policies
• AWS Managed
• Customer Managed
• Inline Policies
• Resource Based Policies (S3 bucket, SQS queue, etc…)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
IAM Policies Deep Dive
• Anatomy of a policy: JSON doc with Effect,
Action, Resource, Conditions, Policy Variables
• Explicit DENY has precedence over ALLOW
• Best practice: use least privilege for
maximum security
• Access Advisor: See permissions granted and
when last accessed
• Access Analyzer: Analyze resources that are
shared with external entity
• Navigate Examples at:
https://docs.aws.amazon.com/IAM/latest/User
Guide/access_policies_examples.html

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
IAM AWS Managed Policies
AdministratorAccess
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}

{ …{
"Version": "2012-10-17", "Effect": "Allow",
"Statement": [ "Action": [
{ "iam:CreateServiceLinkedRole",
"Effect": "Allow", "iam:DeleteServiceLinkedRole",
"NotAction": [ "iam:ListRoles",
"iam:*", "organizations:DescribeOrganization”,
"organizations:*", "account:ListRegions"
"account:*" ],
], "Resource": "*"
"Resource": "*" }
},… ]
}

Note how ”NotAction” is used instead of Deny

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
IAM Policies Conditions
"Condition" : { "{condition-operator}" : { "{condition-key}" : "{condition-value}" }}

Operators:
• String (StringEquals, StringNotEquals, StringLike…)
• "Condition": {"StringEquals": {"aws:PrincipalTag/job-category": "iamuser-admin"}}
• "Condition": {"StringLike": {"s3:prefix": [ "", "home/", "home/${aws:username}/" ]}}
• Numeric (NumericEquals, NumericNotEquals, NumericLessThan…)
• Date (DateEquals, DateNotEquals, DateLessThan…)
• Boolean (Bool):
• “Condition": {"Bool": {"aws:SecureTransport": "true"}}
• "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
• (Not)IpAddress:
• "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}
• ArnEquals, ArnLike
• Null: "Condition":{"Null":{"aws:TokenIssueTime":"true"}}

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
IAM Policies Variables and Tags
Example: ${aws:username}
• "Resource": ["arn:aws:s3:::mybucket/${aws:username}/*"]

AWS Specific:
• aws:CurrentTime, aws:TokenIssueTime, aws:principaltype, aws:SecureTransport,
aws:SourceIp, aws:userid, ec2:SourceInstanceARN

Service Specific:
• s3:prefix, s3:max-keys, s3:x-amz-acl, sns:Endpoint, sns:Protocol…

Tag Based:
• iam:ResourceTag/key-name, aws:PrincipalTag/key-name…

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
IAM Roles vs Resource Based Policies
• Attach a policy to a resource (example: S3 bucket policy) versus
attaching of a using a role as a proxy

User Role
Account A Account B

Amazon S3
Account B

User S3 Bucket
Account A Policy

Amazon S3
Account B

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
IAM Roles vs Resource Based Policies
• When you assume a role (user, application or service), you give up your
original permissions and take the permissions assigned to the role

• When using a resource-based policy, the principal doesn’t have to give up any
permissions

• Example: User in account A needs to scan a DynamoDB table in Account A

and dump it in an S3 bucket in Account B.

• Supported by: Amazon S3 buckets, SNS topics, SQS queues, Lambda

functions, ECR, Backup, EFS, Glacier, AWS Artifact, Secrets Manager, ACM,
KMS, CloudWatch Logs, API Gateway, EventBridge etc…

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
IAM Permission Boundaries
• IAM Permission Boundaries are supported for users and roles (not groups)
• Advanced feature to use a managed policy to set the maximum permissions
an IAM entity can get.

Example: + = No Permissions

IAM Permission Boundary IAM Permissions

Through IAM Policy
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
IAM Permission Boundaries
• Can be used in combinations of Use cases
AWS Organizations SCP
• Delegate responsibilities to non
administrators within their permission
boundaries, for example create new IAM
users

• Allow developers to self-assign policies

and manage their own permissions, while
making sure they can’t “escalate” their
privileges (= make themselves admin)

• Useful to restrict one specific user

(instead of a whole account using
Organizations & SCP)
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
IAM Access Analyzer
• Find out which resources are shared Zone of trust
externally
• S3 Buckets
• IAM Roles
Role User Account
• KMS Keys
• Lambda Functions and Layers
• SQS queues
• Secrets Manager Secrets
• Define Zone of Trust = AWS Account or
AWS Organization
S3 Bucket
• Access outside zone of trusts => findings VPC External
Endpoints Client

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
IAM Access Analyzer Kinesis Data
Streams S3 Bucket

• IAM Access Analyzer Policy Validation

• Validates your policy against IAM policy grammar and
best practices API Calls

• General warnings, security warnings, errors,

suggestions API Calls Logged
• Provides actionable recommendations
CloudTrail Lambda
• IAM Access Analyzer Policy Generation Function
• Generates IAM policy based on access activity review
logs
• CloudTrail logs is reviewed to generate the policy
with the fine-grained permissions and the
generate
appropriate Actions and Services
• Reviews CloudTrail logs for up to 90 days
IAM Access IAM Policy
Analyzer
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Using STS to Assume a Role
• Define an IAM Role within your AssumeRole API
account or cross-account
• Define which principals can access
AWS STS
this IAM Role
user
• Use AWS STS (Security Token temporary
security
Service) to retrieve credentials and credential
impersonate the IAM Role you permissions
have access to (AssumeRole API)
• Temporary credentials can be valid
between 15 minutes to 12 hour
Role (same or
other account) IAM

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Assuming a Role with STS
• Provide access for an IAM user in one AWS account that you own to access
resources in another account that you own
• Provide access to IAM users in AWS accounts owned by third parties
• Provide access for services offered by AWS to AWS resources
• Provide access for externally authenticated users (identity federation)

• Ability to revoke active sessions and credentials for a role

(by adding a policy using a time statement – AWSRevokeOlderSessions)

When you assume a role (user, application or service), you give up your
original permissions and take the permissions assigned to the role

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Providing Access to an IAM User in Your or
Another AWS Account That You Own
• You can grant your IAM users permission to switch to roles within your AWS
account or to roles defined in other AWS accounts that you own.

Terminate EC2 Instance

User Role
Account A Account A*

• Benefits:
• You must explicitly grant your users permission to assume the role.
• Your users must actively switch to the role using the AWS Management Console or
assume the role using the AWS CLI or AWS API
• You can add multi-factor authentication (MFA) protection to the role so that only
users who sign in with an MFA device can assume the role
• Least privilege + auditing using CloudTrail

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Cross account access with STS
Development Account
Production Account

1. Admin creates role that grants

Development account read/write
access to productionapp bucket 3. Users requests Group: Testers
Access to role

4. STS returns
Group: Developers
Role: UpdateApp Role credentials

2. Admin grants members of the

group Developers permission to
5. User can access assume the UpdateApp Role
S3 bucket: productionapp the S3 bucket by using
the role credentials

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Providing Access to AWS Accounts Owned by
Third Parties
• Zone of trust = accounts, organizations that you own
• Outside Zone of Trust = 3rd parties
• Use IAM Access Analyzer to find out which resources are exposed
• For granting access to a 3rd party:
• The 3rd party AWS account ID
• An External ID (secret between you and the 3rd party)
• To uniquely associate with the role between you and 3rd party
• Must be provided when defining the trust and when assuming the role
• Must be chosen by the 3rd party
• Define permissions in the IAM policy

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Session Tags in STS
• Tags that you pass when you assume an IAM Role or federate user in STS
• aws:PrincipalTag Condition
• Compares the tags attached to the principal making the request with the tag you
specified in the policy
• Example: allow a principal to pass session tags only if the principal making the request has
the specified tags
sts:AssumeRole
with Session Tag Department=HR

User temporary security

credentials

S3 Bucket
(hr-docs)
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
STS Important APIs
• AssumeRole: access a role within your account or cross-account
• AssumeRoleWithSAML: return credentials for users logged with SAML
• AssumeRoleWithWebIdentity: return creds for users logged with an
IdP
• Example providers include Amazon Cognito, Login with Amazon, Facebook,
Google, or any OpenID Connect-compatible identity provider
• AWS recommends using Cognito instead
• GetSessionToken: for MFA, from a user or AWS account root user
• GetFederationToken: obtain temporary creds for a federated user,
usually a proxy app that will give the creds to a distributed app inside a
corporate network

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Identity Federation in AWS
• Give users outside of AWS permissions to access login
AWS resources in your account
credentials
• You don’t need to create IAM Users (user
management is outside AWS) User
Identity
• Use cases: Provider
• A corporate has its own identity system (e.g., Active
Directory)
• Web/Mobile application that needs access to AWS trust
resources access
relationship
• Identity Federation can have many flavors:
• SAML 2.0
• Custom Identity Broker
• Web Identity Federation With(out) Amazon Cognito
• Single Sign-On (SSO)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
SAML 2.0 Federation
• Security Assertion Markup Language 2.0 (SAML 2.0)
• Open standard used by many identity providers (e.g., ADFS)
• Supports integration with Microsoft Active Directory Federations Services (ADFS)
• Or any SAML 2.0–compatible IdPs with AWS
• Access to AWS Console, AWS CLI, or AWS API using temporary credentials
• No need to create IAM Users for each of your employees
• Need to setup a trust between AWS IAM and SAML 2.0 Identity Provider (both ways)

• Under-the-hood: Uses the STS API AssumeRoleWithSAML

• SAML 2.0 Federation is the “old way”, Amazon Single Sign-On (AWS SSO) Federation is
the new managed and simpler way
• https://aws.amazon.com/blogs/security/enabling-federation-to-aws-using-windows-active-directory-
adfs-and-saml-2-0/

Corporate (Identity Provider) AWS Cloud

1. App makes Auth. Request 4. AssumeRoleWithSAML API

Portal/Identity Security Token
3. SAML Assertion 5. Temporary Security
Provider (IdP) Service (STS)
Credentials
User

2. Authenticate

6. Access AWS APIs

LDAP-based S3 Bucket
Identity Store

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
SAML 2.0 Federation – AWS Console Access
Corporate (Identity Provider) AWS Cloud
IAM Role
1. User Logs into Portal 4. Post to AWS Sign-in
Portal/Identity AWS Sign-in Endpointfor SAML
3. SAML Assertion 6. Sign-in URL for
Provider (IdP) (https://signin.aws.amazon.com/saml)
AWS Console
User 5. Request Temporary
Security Credentials

2. Authenticate Security Token

Service (STS)

LDAP-based
Identity Store 7. Redirect

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
SAML 2.0 Federation –
Active Directory FS (ADFS)
Corporate (Identity Provider) AWS Cloud
IAM Role
1. User Logs into Portal 4. Post to AWS Sign-in
AWS Sign-in Endpointfor SAML
3. SAML Assertion 6. Sign-in URL for (https://signin.aws.amazon.com/saml)
AWS Console
User 5. Request Temporary
Security Credentials

2. Authenticate Security Token

Service (STS)

7. Redirect

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Custom Identity Broker Application
• Use only if Identity Provider is NOT compatible with SAML 2.0
• The Identity Broker Authenticates users & requests temporary credentials from AWS
• The Identity Broker must determine the appropriate IAM Role
• Uses the STS API AssumeRole or GetFederationToken
AWS Cloud
Corporate (Identity Provider)
3. Request Temporary Security Credentials Security Token
Service (STS)
1. User browse to a URL
Custom 5. Access AW
4. Token or URL S APIs AWS Services
Identity Broker
User 5. R …
edi
2. Authenticate rec
t

LDAP-based
Identity Store

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Web Identity Federation – Without Cognito
AWS Cloud
Client 3. AssumeRoleWithWebIdentity API

• Not recommended by 4. Temporary Security Credentials

Security Token
Service (STS)
AWS – use Cognito
instead
5. A
cce
1. Login 2. Web Identity ss AW
Token S re
sou
rce
s
3rd Party Identity Provider AWS Services

OpenID Connect
or Compatible IdP

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Web Identity Federation – With Cognito
• Preferred over for Web
Identity Federation Client AWS Cloud
• Create IAM Roles using 3. ID Token
Cognito with the least 4. Cognito Token Amazon
privilege needed
• Build trust between the Cognito
5. C
OIDC IdP and AWS 6. Te ogn
mpo ito T
ra ry S oken
ecur
1. Login 2. ID Token it y C
rede Security Token
ntia
• Cognito benefits: 7.
Ac
ce
ls
Service (STS)
• Supports anonymous users ss
AW
• Supports MFA 3rd Party Identity Provider Sr
es
ou
• Data Synchronization rce
s AWS Services

…
• Cognito replaces a Token OpenID Connect
Vending Machine (TVM) or Compatible IdP

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Web Identity Federation – IAM Policy
• After being authenticated with
Web Identity Federation, you
can identify the user with an
IAM policy variable

• Examples:
• cognito-
identity.amazonaws.com:sub
• www.amazon.com:user_id
• graph.facebook.com:id
• accounts.google.com:sub

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
What is Microsoft Active Directory (AD)?
• Found on any Windows Server
with AD Domain Services Domain Controller
• Database of objects: User
John
Accounts, Computers, Printers, Password
File Shares, Security Groups
• Centralized security
management, create account,
assign permissions
• Objects are organized in trees
• A group of trees is a forest

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
What is ADFS (AD Federation Services)?
• ADFS provides Single Sign-On across applications
• SAML across 3rd party: AWS Console, Dropbox, Office365, etc…
Corporate (Identity Provider) AWS Cloud

1. User browse to a URL 4. POST to AWS Sign-in

AWS Sign-in Endpoint for SAML
3. SAML Token 5. Sign-in URL for AWS (https://signin.aws.amazon.com/saml)
Management Console
User
2. Authenticate
6. Redirect

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Directory Services
• AWS Managed Microsoft AD auth trust auth
• Create your own AD in AWS, manage users
locally, supports MFA
• Establish “trust” connections with your on-
premises AD On-prem AD AWS Managed AD

• AD Connector proxy auth

• Directory Gateway (proxy) to redirect to on-
premises AD, supports MFA
• Users are managed on the on-premises AD
On-prem AD AD Connector
• Simple AD
• AD-compatible managed directory on AWS
• Cannot be joined with on-premises AD

Simple AD
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Directory Services
AWS Managed Microsoft AD
• Managed Service: Microsoft AD in your AWS VPC
• EC2 Windows Instances: VPC

• EC2 Windows instances can join the domain and run

traditional AD applications (sharepoint, etc) Availability Zone
• Seamlessly Domain Join Amazon EC2 Instances from
Multiple Accounts & VPCs
• Integrations:
• RDS for SQL Server, AWS Workspaces, Quicksight… Apps Domain Controllers
• AWS SSO to provide access to 3rd party applications
• Standalone repository in AWS or joined to on-
premises AD Availability Zone

• Multi AZ deployment of AD in 2 AZ, # of DC

(Domain Controllers) can be increased for scaling
• Automated backups Apps AD DC AD DC
• Automated Multi-Region replication of your
directory
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Microsoft Managed AD - Integrations

SAML

RDS for Amazon Amazon Amazon Amazon AWS

WorkSpaces Quicksight Connect WorkDocs Single-Sign On Through AWS SSO
SQL Server

AD two-way
Forest trust
Traditional AD Applications

AWS Managed
Extend On Premise AD Microsoft AD DC

.NET Apps SharePoint SQL Server

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Connect to on-premises AD
• Ability to connect your on- VPC

premises Active Directory to Site-to-Site VPN

AWS Managed Microsoft AD Or Direct Connect
• Must establish a Direct Connect on-premises AWS Managed
(DX) or VPN connection Microsoft AD Microsoft AD DC
• Can setup three kinds of forest trust
trust:
• One-way trust: trust
AWS => on-premises
• One-way trust: est ing d om a in Seamless
on-premises => AWS q u om
For re .mycorp.c domain join
D
• Two-way forest trust: awsA
AWS ó on-premises
• Forest trust is different than EC2
synchronization Traditional AD app

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Solution Architecture:
Active Directory Replication
• You may want to create a replica of your AD on EC2 in the cloud to
minimize latency of in case DX or VPN goes down
• Establish trust between the AWS Managed Microsoft AD and EC2
VPC
on-premises Microsoft AD on EC2 AWS Managed
Microsoft AD Self Managed Replica Microsoft AD DC
trust
replication
trust

Domain: Domain: Domain:

onpremAD.example.com onpremAD.example.com awsAD.example.com

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Directory Services
AD Connector
Corporate Office
• AD Connector is a directory
gateway to redirect directory User
requests to your on-premises
Microsoft Active Directory
VPN or
• No caching capability Direct Connect
1. User Credentials
(over SSL)

Authentication
• Manage users solely on-premises,

3. LDAP
AWS Cloud
no possibility of setting up a trust
Region
• VPN or Direct Connect 4. STS (AssumeRole)
Custom
Sign-in Page
• Doesn’t work with SQL Server, 5. Temp. Credentials
2
doesn’t do seamless joining, can’t AWS IAM Availability Zone Availability Zone

share directory
AD Connector AD Connector

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Directory Services
Simple AD
• Simple AD is an inexpensive Active Directory–compatible service with
the common directory features.
• Supports joining EC2 instances, manage users and groups
• Does not support MFA, RDS SQL server, AWS SSO
• Small: 500 users, large: 5000 users
• Powered by Samba 4, compatible with Microsoft AD
• lower cost, low scale, basic AD compatible, or LDAP compatibility
• No trust relationship

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Organizations
Root Organizational Unit (OU)

Management Account

OU (Dev) OU (Prod)

OU (HR) OU (Finance)
Member Accounts

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Organizations -
OrganizationAccountAccessRole
• IAM role which grants full administrator
permissions in the Member account to the AWS Organizations
Management account
• Used to perform admin tasks in the Member Management Account
accounts (e.g., creating IAM users)
• Could be assumed by IAM users in the create AssumeRole API
Management account
• Automatically added to all new Member Member Account
accounts created with AWS Organizations
• Must be created manually if you invite an IAM Role

existing Member account OrganizationAccountAccessRole

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Multi Account Strategies
• Create accounts per department, per cost center, per dev / test /
prod, based on regulatory restrictions (using SCP), for better
resource isolation (ex: VPC), to have separate per-account service
limits, isolated account for logging,

• Multi Account vs. One Account Multi VPC

• Use tagging standards for billing purposes
• Enable CloudTrail on all accounts, send logs to central S3 account
• Send CloudWatch Logs to central logging account
• Strategy to create an account for security

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Organizational Units (OU) - Examples
Business Unit Environmental Lifecycle Project-Based

Sales Prod Project 1

Account 1 Account 1 Account 1
Project 1
Sales OU Prod OU
Sales Prod OU Project 1
Account 2 Account 2 Account 2

Retail Dev Project 2

Management
Account 1 Management
Account 1 Management Project 2 Account 1
Account
Retail OU Account
Dev OU Account OU
Retail Dev Project 2
Account 2 Account 2 Account 2

Finance Test Project 3

Finance Account 1 Account 1 Project 3 Account 1
Test OU
OU OU
Finance Test Project 3
Account 2 Account 2 Account 2

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Organization - Feature Modes
• Consolidated billing features:
• Consolidated Billing across all accounts - single payment method
• Pricing benefits from aggregated usage (volume discount for EC2, S3…)

• All Features (Default):

• Includes consolidated billing features, SCP
• Invited accounts must approve enabling all features
• Ability to apply an SCP to prevent member accounts from leaving the org
• Can’t switch back to Consolidated Billing Features only

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Organizations – Reserved Instances
• For billing purposes, the consolidated billing feature of AWS Organizations
treats all the accounts in the organization as one account.
• This means that all accounts in the organization can receive the hourly cost
benefit of Reserved Instances that are purchased by any other account.
• The payer account (Management account) of an organization can turn off
Reserved Instance (RI) discount and Savings Plans discount sharing for any
accounts in that organization, including the payer account
• This means that RIs and Savings Plans discounts aren't shared between any
accounts that have sharing turned off.
• To share an RI or Savings Plans discount with an account, both accounts must
have sharing turned on

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Organizations – Moving Accounts
1. Remove the member account from the AWS Organization
2. Send an invite to the member account from the AWS Organization
3. Accept the invite to the new Organization from the member account

2. Invite
AWS Organization AWS Organization
(Old) (New)

1. Remove 3. Accept
Member Account Member Account

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Service Control Policies (SCP)
• Define allowlist or blocklist IAM actions
• Applied at the OU or Account level
• Does not apply to the Management Account
• SCP is applied to all the Users and Roles in the account, including Root user
• The SCP does not affect Service-linked roles
• Service-linked roles enable other AWS services to integrate with AWS Organizations
and can't be restricted by SCPs.
• SCP must have an explicit Allow from the root a each OU in the direct path
to the target account (does not allow anything by default)
• Use cases:
• Restrict access to certain services (for example: can’t use EMR)
• Enforce PCI compliance by explicitly disabling services

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
SCP Hierarchy
FullAWSAccess OU (Root) • Management Account
• Can do anything (no SCP apply)

Deny Athena Management Account • Account A

• Can do anything
FullAWSAccess • EXCEPT S3 (explicit Deny from
Sandbox OU)
FullAWSAccess + Deny S3 OU (Sandbox) OU (Workloads) • EXCEPT EC2 (explicit Deny)
Allow EC2 • Account B & C
OU (Test) • Can do anything
FullAWSAccess + Deny EC2 Account A • EXCEPT S3 (explicit Deny from
Sandbox OU)
Account D
• Account D
Account B • Can access EC2
OU (Prod)
FullAWSAccess • Prod OU & Account E & F
Account C Account E • Can do anything

Account F

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
SCP Examples
Blocklist and Allowlist strategies

More examples: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_example-scps.html

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Restricting Tags with IAM Policies
• You can restrict specific Tags on AWS
resources
• Using the aws:TagKeys Condition Key
• Validate the Tag Keys attached to a resource
against the Tag Keys in the IAM Policy
• Example: allow IAM users to create EBS Match All Keys
Volumes only if it has the “Env” and
“CostCenter” Tags
• Use either ForAllValues (must have all
keys) or ForAnyValue (must have any of
these keys at a minimum)

Match Any Keys

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Using SCP to Deny a Region
aws:RequestedRegion

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Using SCP to Restrict Creating Resources
without appropriate Tags
• Prevent IAM Users/Roles in the
affected Member accounts from
creating resources if they don’t
have a specific Tags

• Example: restrict launching an

EC2 instance if it doesn’t have
the “Project” and “CostCenter”
Tags

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Organizations – Tag Policies
• Helps you standardize tags across resources in an
AWS Organization
• Ensure consistent tags, audit tagged resources,
maintain proper resources categorization, …
• You define Tag keys and their allowed values
• Helps with AWS Cost Allocation Tags and
Attribute-based Access Control
• Prevent any non-compliant tagging operations on
specified services and resources
• Generate a report that lists all tagged/non-
compliant resources
• Use Amazon EventBridge to monitor non-
compliant tags

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Organizations – AI Services Opt-out Policies
• Certain AWS AI services may use your content for
continuous improvement of Amazon AI/ML services
• Example: Amazon Lex, Amazon Comprehend,
Amazon Polly, …
All Services
• You can opt-out of having your content stored or
used by AWS AI services
• Create an Opt-out Policy that enforces this setting
across all Member accounts and AWS Regions
• You can opt-out all AI services or selected services
• Can be attached to Organization Root, specific OU,
or individual Member account

ONLY Rekognition & Lex

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Organizations – Backup Policies
• AWS Backup enables you to create
Backup Plans that define how to backup
your AWS resources

• JSON documents that define Backup

Plans across an AWS Organization
• Gives you granular control over backing
up your resources (e.g., backup frequency,
time window, backup region, …)
• Can be attached to Organization Root,
specific OU, or individual Member
account
• Immutable Backup Plans appear in
Member accounts (view ONLY)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS IAM Identity Center
(successor to AWS Single Sign-On)
• One login (single sign-on) for all your
• AWS accounts in AWS Organizations
• Business cloud applications (e.g., Salesforce, Box, Microsoft 365, …)
• SAML2.0-enabled applications
• EC2 Windows Instances

• Identity providers
• Built-in identity store in IAM Identity Center
• 3rd party: Active Directory (AD), OneLogin, Okta…

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS IAM Identity Center – Login Flow
AWS IAM Identity Center

AWS IAM Identity Center

AWS
SSO Windows
login Organization
EC2

Permission Sets Business Cloud Apps

Browser Interface

Store / retrieve
User identities

Active Directory
IAM Identity Center Custom SAML2.0-enabled Apps
Users & groups
Built-in Identity Store
(On-premises, cloud)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
IAM Identity Center
AWS Organization
IAM Identity Center
Management Account (in Management account)

Group (Developers)

OU (Development) OU (Production)
Bob Alice
Dev Account A Prod Account A
assign assign
Dev Account B Prod Account B
Permission Set
ReadOnlyAccess

Permission Set
FullAccess

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS IAM Identity Center
Fine-grained Permissions and Assignments
• Multi-Account Permissions
• Manage access across AWS accounts in your AWS Organization
AWS Organization
• Permission Sets – a collection of one or more IAM Policies
assigned to users and groups to define AWS access
Dev Prod
Account Account
• Application Assignments
• SSO access to many SAML 2.0 business applications (Salesforce, RDS Aurora RDS Aurora
Box, Microsoft 365, …)
• Provide required URLs, certificates, and metadata IAM Role IAM Role

• Attribute-Based Access Control (ABAC) assume

• Fine-grained permissions based on users’ attributes stored in Permission Sets
IAM Identity Center Identity Store (DB Admins)
• Example: cost center, title, locale, …
Permission Sets
• Use case: Define permissions once, then modify AWS access by (DB Admins)
changing the attributes Database IAM Identity Center
Admins

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Control Tower
• Easy way to set up and govern a secure and compliant multi-account
AWS environment based on best practices
• Benefits:
• Automate the set up of your environment in a few clicks
• Automate ongoing policy management using guardrails
• Detect policy violations and remediate them
• Monitor compliance through an interactive dashboard
• AWS Control Tower runs on top of AWS Organizations:
• It automatically sets up AWS Organizations to organize accounts and implement
SCPs (Service Control Policies)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Control Tower – Account Factory
• Automates account provisioning and Corporate Datacenter

deployments
• Enables you to create pre-approved
baselines and configuration options
for AWS accounts in your VPN or
2-way Trust
Direct Connect
organization (e.g., VPC default
configuration, subnets, region, …) AWS Cloud
• Uses AWS Service Catalog to Control Tower – Landing Zone
provision new AWS accounts (created through Account Factory)

authenticate
…
Member Accounts AWS Managed
IAM Identity Center
Microsoft AD
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Control Tower – Detect and Remediate
Policy Violations
• Guardrail
• Provides ongoing governance for your Control Tower environment (AWS Accounts)
• Preventive – using SCPs (e.g., Disallow Creation of Access Keys for the Root User)
• Detective – using AWS Config (e.g., Detect Whether MFA for the Root User is
Enabled)
• Example: identify non-compliant resources (e.g., untagged resources)

AWS Control Tower

Guardrail trigger notify
(Detective) (NON_COMPLIANT)
AWS Config
SNS Admin
monitor un-tagged
resources invoke

Member remediate
Accounts (add tags)
Lambda
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Control Tower – Guardrails Levels
• Mandatory
• Automatically enabled and enforced by AWS Control Tower
• Example: Disallow public Read access to the Log Archive account

• Strongly Recommended
• Based on AWS best practices (optional)
• Example: Enable encryption for EBS volumes attached to EC2 instances

• Elective
• Commonly used by enterprises (optional)
• Example: Disallow delete actions without MFA in S3 buckets

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Resource Access Manager (RAM)
• Share AWS resources that you own with other AWS accounts
• Share with any account or within your Organization
• Avoid resource duplication!
• VPC Subnets
• Allow to have all the resources launched in the same subnets
• Must be from the same AWS Organizations.
• Cannot share security groups and default VPC
• Participants can manage their own resources in there
• Participants can't view, modify, delete resources that belong to other participants or the owner
• AWS Transit Gateway
• Route 53 (Resolver Rules, DNS Firewall Rule Groups)
• License Manager Configurations

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Resource Access Manager (RAM)
• Aurora DB Clusters
• ACM Private Cer tificate Authority
• CodeBuild Project
• EC2 (Dedicated Hosts, Capacity Reservation)
• AWS Glue (Catalog, Database, Table)
• AWS Network Firewall Policies
• AWS Resource Groups
• Systems Manager Incident Manager (Contacts, Response Plans)
• AWS Outposts (Outpost, Site)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Resource Access Manager – VPC example
• Each account…
AWS Cloud – VPC Owner
• is responsible for its own resources
VPC • cannot view, modify or delete
other resources in other accounts
Private subnet
• Network is shared so…
• Anything deployed in the VPC can
talk to other resources in the VPC
• Applications are accessed easily
Account 1 Account 2 s across accounts, using private IP!
• Security groups from other
ALB EC2 accounts can be referenced for
EC2 maximum security
• Use cases
• Applications within the same trust
boundaries
• Applications with a high degree of
interconnectivity
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Resource Access Manager
Managed Prefix List Account A

• A set of one or more CIDR blocks Prefix List - A

• Makes it easier to configure and maintain CIDR 1 – 10.0.0.0/16

Security Groups and Route Tables CIDR 2 – 192.168.0.0/24

CIDR 3 – 192.134.1.62/32
• Customer-Managed Prefix List
• Set of CIDRs that you define and manage by you
share
• Can be shared with other AWS accounts or AWS
Organization Account B
• Modify to update many security groups at once
• AWS-Managed Prefix List Security Group
Inbound Rules
• Set of CIDRs for AWS services
Protocol Port Source
• You can’t create, modify, share, or delete them SSH 22 Prefix List - A

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Resource Access Manager
Route 53 Outbound Resolver
• Helps you scale forwarding rules to your DNS in case you have
multiple accounts and VPC

AWS Account - A AWS Account - B

Route 53 Resolver 1. share

Forwarding Rules
2. accept VPC
Domain Name Target IP
Resolver
example.com 172.16.0.10
Outbound Endpoint
acme.example.com 172.16.0.10 3. associate

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Summary of Identity & Federation
• Users and Accounts all in AWS
• AWS Organizations
• AWS Control Tower to setup secure & complaint multi-account AWS environment (best practices)
• Federation with SAML
• Federation without SAML with a custom IdP (GetFederationToken)
• AWS Single Sign-On to connect to multiple AWS Accounts (Organization) and SAML apps
• Web Identity Federation (not recommended)
• Cognito for most web and mobile applications (has anonymous mode, MFA)
• AWS Directory Service:
• Managed Microsoft AD – standalone or setup trust AD with on-premises, has MFA, seamless join, RDS
integration
• AD Connector – proxy requests to on-premises
• Simple AD – standalone & cheap AD-compatible with no MFA, no advanced capabilities
• AWS RAM to share resources (example VPC subnets)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS CloudTrail
• Provides governance, compliance and audit for your AWS Account
• CloudTrail is enabled by default!
• Get an history of events / API calls made within your AWS Account by:
• Console
• SDK
• CLI
• AWS Services
• Can put logs from CloudTrail into CloudWatch Logs or S3
• A trail can be applied to All Regions (default) or a single Region.
• If a resource is deleted in AWS, investigate CloudTrail first!

SDK

CloudWatch Logs
CloudTrail Console
CLI

Console
Inspect & Audit S3 Bucket

IAM Users &

IAM Roles

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CloudTrail Events
• Management Events:
• Operations that are performed on resources in your AWS account
• Examples:
• Configuring security (IAM AttachRolePolicy)
• Configuring rules for routing data (Amazon EC2 CreateSubnet)
• Setting up logging (AWS CloudTrail CreateTrail)
• By default, trails are configured to log management events.
• Can separate Read Events (that don’t modify resources) from Write Events (that may modify resources)

• Data Events:
• By default, data events are not logged (because high volume operations)
• Amazon S3 object-level activity (ex: GetObject, DeleteObject, PutObject): can separate Read and Write Events
• AWS Lambda function execution activity (the Invoke API)

• CloudTrail Insights Events:

• See next slide J

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CloudTrail Insights
• Enable CloudTrail Insights to detect unusual activity in your account:
• inaccurate resource provisioning
• hitting service limits
• Bursts of AWS IAM actions
• Gaps in periodic maintenance activity
• CloudTrail Insights analyzes normal management events to create a baseline
• And then continuously analyzes write events to detect unusual patterns
• Anomalies appear in the CloudTrail console
• Event is sent to Amazon S3
• An EventBridge event is generated (for automation needs)
CloudTrail Console

Continous analysis generate

Management Events Insights Events S3 Bucket

CloudTrail Insights
EventBridge event

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CloudTrail Events Retention
• Events are stored for 90 days in CloudTrail
• To keep events beyond this period, log them to S3 and use Athena

Management Events CloudTrail

Athena
log analyze
Data Events

90 days S3 Bucket
Insights Events Long-term retention
retention

User

DeleteTable API Call 💥

Log API call event alert

DynamoDB CloudTrail Amazon SNS

(any API call) EventBridge

API Call logs event

AssumeRole
IAM CloudTrail EventBridge SNS
User
IAM Role

API Call logs event

AuthorizeSecurityGroupIngress
EC2 CloudTrail EventBridge SNS
edit SG
User Security Group
Inbound Rules

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CloudTrail – Solution Architecture:
Delivery to S3
Every
5 minutes Lifecycle Policy
Glacier
SSE-S3 (default)
or SSE-KMS S3
CloudTrail
Delivery
S3 Enhancements:
S3 Events
notifications • Enable Versioning
• MFA Delete Protection
SQS, SNS, Lambda
• S3 Lifecycle Policy (S3 IA, Glacier…)
• S3 Object Lock
SNS SQS
• SSE-S3 or SSE-KMS encryption
• Feature to perform CloudTrail Log File Integrity
validation
(SHA-256 for hashing and signing)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CloudTrail - Solution Architecture:
Multi Account, Multi Region Logging
Account A

Security Account

CloudTrail cloudtrail-bucket/account-A
cloudtrail-bucket/account-B
cloudtrail-bucket/account-C…
Account B
S3
+ S3 Bucket Policy

Observations:
CloudTrail • The S3 bucket policy is necessary for cross-account delivery
• If Account A wants to access its CloudTrail files:
• Option 1: create a cross-account role and assume the role
• Option 2: edit the bucket policy

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CloudTrail - Solution Architecture:
Alert for API calls
stream

CloudTrail CW Logs Metric Filters CW Alarm SNS

• Log filter metrics can be used to detect a high level of API happening
• Ex: Count occurrences of EC2 TerminateInstances API
• Ex: Count of API calls per user
• Ex: Detect high level of Denied API calls

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CloudTrail – Solution Architecture:
Organizational Trail
AWS Organizations
(o-exampleorgid)

Management Account
(111111111111)
my-organization-bucket/Logs/o-exampleorgid/111111111111
my-organization-bucket/Logs/o-exampleorgid/222222222222
The Organizational my-organization-bucket/Logs/o-exampleorgid/333333333333
Trail is created in the my-organization-bucket/Logs/o-exampleorgid/444444444444
my-organization-bucket/Logs/o-exampleorgid/555555555555
management CloudTrail Trail S3 Bucket
account. (MyOrganizationTrail) (my-organization-bucket)

OU (Prod) OU (Dev)

Member Account Member Account Member Account Member Account

(222222222222) (333333333333) (444444444444) (555555555555)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CloudTrail: How to react to events the fastest?
Overall, CloudTrail may take up to 15 minutes to deliver events

• EventBridge:
• Can be triggered for any API call in CloudTrail
• The fastest, most reactive way
• CloudTrail Delivery in CloudWatch Logs:
• Events are streamed
• Can perform a metric filter to analyze occurrences and detect anomalies
• CloudTrail Delivery in S3:
• Events are delivered every 5 minutes
• Possibility of analyzing logs integrity, deliver cross account, long-term storage

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS KMS (Key Management Service)
• Anytime you hear “encryption” for an AWS service, it’s most likely KMS
• Easy way to control access to your data, AWS manages keys for us
• Fully integrated with IAM for authorization
• Seamlessly integrated into:
• Amazon EBS: encrypt volumes
• Amazon S3: Server-side encryption of objects
• Amazon Redshift: encryption of data
• Amazon RDS: encryption of data
• Amazon SSM: Parameter store
• Etc…
• But you can also use the CLI / SDK

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
KMS – KMS Key Types
• Symmetric (AES-256 keys)
• First offering of KMS, single encryption key that is used to Encrypt and Decrypt
• AWS services that are integrated with KMS use Symmetric KMS keys
• Necessary for envelope encryption
• You never get access to the KMS key unencrypted (must call KMS API to use)
• Asymmetric (RSA & ECC key pairs)
• Public (Encrypt) and Private Key (Decrypt) pair
• Used for Encrypt/Decrypt, or Sign/Verify operations
• The public key is downloadable, but you can’t access the Private Key unencrypted
• Use case: encryption outside of AWS by users who can’t call the KMS API

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Types of KMS Keys
• Customer Managed Keys
• Create, manage and use, can enable or disable
• Possibility of rotation policy (new key generated every year, old key preserved)
• Can add a Key Policy (resource policy) & audit in CloudTrail
• Leverage for envelope encryption

• AWS Managed Keys

• Used by AWS service (aws/s3, aws/ebs, aws/redshift)
• Managed by AWS (automatically rotated every 1 year)
• View Key Policy & audit in CloudTrail

• AWS Owned Keys

• Created and managed by AWS, use by some AWS services to protect your resources
• Used in multiple AWS accounts, but they are not in your AWS account
• You can’t view, use, track, or audit

KMS Key Customer Managed Key AWS Managed Key AWS Owned Key

Can view metadata?

Can manage?
Used only for my AWS account?

Automatic Rotation 90 – 2560 days (365 default) Required (every 1 year) Varies

On-demand Rotation

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
KMS Key Material Origin
• Identifies the source of the key material in the KMS key
• Can’t be changed after creation

• KMS (AWS_KMS) – default

• AWS KMS creates and manages the key material in its own key store

• External (EXTERNAL)
• You import the key material into the KMS key
• You’re responsible for securing and managing this key material outside of AWS

• Custom Key Store (AWS_CLOUDHSM)

• AWS KMS creates the key material in a custom key store (CloudHSM Cluster)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
KMS Key Source – Custom Key Store
(CloudHSM) AWS KMS
• Integrate KMS with CloudHSM cluster as a
Custom Key Store
• Key materials are stored in a CloudHSM View & manage keys
Custom Key
cluster that you own and manage User Store Connector

• The cryptographic operations are performed

in the HSMs VPC

• Use cases: AZ - A AZ - B

• You need direct control over the HSMs CloudHSM Cluster

• KMS keys needs to be stored in a dedicated
HSMs HSM HSM

At least 2 active HSMs

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
KMS Key Source - External
• Import your own key material into KMS key, Bring Your Own Key (BYOK)
• You’re responsible for key material’s security, availability, and durability outside of AWS
• Supports both Symmetric and Asymmetric KMS keys
• Can’t be used with Custom Key Store (CloudHSM)
• Manually rotate your KMS key (Automatic & On-demand Key Rotation are NOT supported)

1. Create KMS key

3. Encrypt Key Material (EXTERNAL)

2. Download
Key Material (Public Key & Import Token)
+ User Key Material AWS KMS
4. Import
Public Key (Encrypted Key Material & Import Token)
KMS key
=

multi-Region Replica key

arn:aws:kms:us-west-2:111122223333:
key/mrk-1234abcd12ab34cd56ef1234567890ab

us-east-1 eu-west-1
sync
multi-Region Primary key multi-Region Replica key
arn:aws:kms:us-east-1:111122223333: arn:aws:kms:eu-west-1:111122223333:
key/mrk-1234abcd12ab34cd56ef1234567890ab key/mrk-1234abcd12ab34cd56ef1234567890ab

ap-southeast-2

multi-Region Replica key

arn:aws:kms:ap-southeast-2:111122223333:
key/mrk-1234abcd12ab34cd56ef1234567890ab

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
KMS Multi-Region Keys
• A set of identical KMS keys in different AWS Regions that can be used
interchangeably (~ same KMS key in multiple Regions)
• Encrypt in one Region and decrypt in other Regions (No need to re-encrypt
or making cross-Region API calls)
• Multi-Region keys have the same key ID, key material, automatic rotation, …
• KMS Multi-Region are NOT global (Primary + Replicas)
• Each Multi-Region key is managed independently
• Only one primary key at a time, can promote replicas into their own primary
• Use cases: Disaster Recovery, Global Data Management (e.g., DynamoDB
Global Tables), Active-Active Applications that span multiple Regions,
Distributed Signing applications, …

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
SSM Parameter Store
• Secure storage for configuration and secrets
• Optional Seamless Encryption using KMS Applications

• Serverless, scalable, durable, easy SDK

Plaintext Encrypted
• Version tracking of configurations / secrets configuration configuration
• Security through IAM
• Notifications with Amazon EventBridge Check IAM
SSM Parameter
Store
permissions
• Integration with CloudFormation
Decryption
Service

AWS KMS

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
SSM Parameter Store Hierarchy
• /my-department/
• my-app/ GetParameters or
• dev/ GetParametersByPath API
• db-url Dev Lambda
• db-password Function
• prod/
• db-url
Prod Lambda
• db-password
Function
• other-app/
• /other-department/
• /aws/reference/secretsmanager/secret_ID_in_Secrets_Manager
• /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2 (public)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Standard and advanced parameter tiers
Standard Advanced
Total number of parameters 10,000 100,000
allowed
(per AWS account and
Region)
Maximum size of a 4 KB 8 KB
parameter value
Parameter policies available No Yes
Cost No additional charge Charges apply
Storage Pricing Free $0.05 per advanced parameter per
month

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Parameters Policies (for advanced parameters)
• Allow to assign a TTL to a parameter (expiration date) to force
updating or deleting sensitive data such as passwords
• Can assign multiple policies at a time

Expiration (to delete a parameter) ExpirationNotification (EventBridge) NoChangeNotification (EventBridge)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Secrets Manager
• Meant for storing secrets (e.g., passwords, API keys, …) Secrets Manager
• Capability to force rotation of secrets every X days Secret
• Automate generation of secrets on rotation (uses Lambda) (Database Password)

• Natively supports Amazon RDS (all supported DB engines), pull at boot

Redshift, DocumentDB
• Support other databases and services (custom Lambda ECS
function) ECS Task
Inject secret as
• Control access to secrets using Resource-based Policy environment variable

• Integration with other AWS services to natively pull

access
secrets from Secrets Manager: CloudFormation,
CodeBuild, ECS, EMR, Fargate, EKS, Parameter Store…

RDS
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Secrets Manager – with CloudFormation

secret is generated

reference secret in
RDS DB instance

link the secret to

RDS DB instance

Security Account Dev Account

share using KMS Policy

AWS KMS “Action”: “kms:Decrypt”
KMS Key “kms:ViaService”: “secretsmanager.{region}.amazonaws.com”

Secrets Share using Resource-based Policy

Manager “Action”: “secretsmanager:GetSecretValue”
Secret User

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
SSM Parameter Store vs Secrets Manager
• Secrets Manager ($$$):
• Automatic rotation of secrets with AWS Lambda
• Lambda function is provided for RDS, Redshift, DocumentDB
• KMS encryption is mandatory
• Can integration with CloudFormation
• SSM Parameter Store ($):
• Simple API
• No secret rotation (can enable rotation using Lambda triggered by EventBridge)
• KMS encryption is optional
• Can integration with CloudFormation
• Can pull a Secrets Manager secret using the SSM Parameter Store API

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
SSM Parameter Store vs. Secrets Manager
Rotation
AWS Secrets Manager SSM Parameter Store
every 30 days
every 30 days

invoke invoke

AWS Secrets Manager Lambda Function Amazon EventBridge Lambda Function

(can be provided)
change
change password
value
change
password

Amazon RDS Amazon RDS SSM Parameter Store

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
RDS - Security
• KMS encryption at rest for underlying EBS volumes / snapshots
• Transparent Data Encryption (TDE) for Oracle and SQL Server
• SSL encryption to RDS is possible for all DB (in-flight)
• IAM authentication for MySQL, PostgreSQL and MariaDB
• Authorization still happens within RDS (not in IAM)
• Can copy an un-encrypted RDS snapshot into an encrypted one
• CloudTrail cannot be used to track queries made within RDS

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
SSL/TLS - Basics
• SSL refers to Secure Sockets Layer, used to encrypt connections
• TLS refers to Transport Layer Security, which is a newer version
• Nowadays, TLS cer tificates are mainly used, but people still refer as
SSL

• Public SSL certificates are issued by Certificate Authorities (CA)

• Comodo, Symantec, GoDaddy, GlobalSign, Digicert, Letsencrypt, etc…

• SSL certificates have an expiration date (you set) and must be renewed

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
SSL Encryption – How it works
• Asymmetric
Encryption is
1. Client sends hello, cipher suits & random expensive (SSL)
• Symmetric
2. Server Response with server random & encryption is
Client SSL certificate (Public Key) cheaper
Server
3. Client verifies • Asymmetric
SSL certificate handshake is used to
4. Master key (symmetric) generated and sent exchange a per-
encrypted using the Public Key 5. Server verifies client random
Client SSL cert symmetric key
(optional)
• Possibility of client
6. Master key sending an SSL
7. Secure Symmetric Communication in Place certificate as well
is decrypted
using Private Key
(two-way certificate)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
SSL – Server Name Indication (SNI)
• SNI solves the problem of loading multiple Target group for

SSL cer tificates onto one web server (to www.mycorp.com

serve multiple websites)

• It’s a “newer” protocol, and requires the client
to indicate the hostname of the target server
in the initial SSL handshake Target group for
Domain1.example.com
• The server will then find the correct I would like
www.mycorp.com
certificate, or return the default one
Client ALB
Note: SSL Cert:
• Only works for ALB & NLB (newer Use the correct Domain1.example.com

generation), CloudFront SSL cert

SSL Cert:
• Does not work for CLB (older gen) www.mycorp.com

….

User Pirate Server Good Server

(can intercept packets)

HTTPS HTTPS

User Pirate Server Good Server

If infected, the user may trust the Send fake SSL cert to User
“pirate SSL certificate” Decrypts and
re-encrypts packets

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
SSL – Man in the Middle Attack
How to prevent
1. Don’t use public-facing HTTP, use HTTPS (meaning, use SSL/TLS
certificates)
2. Use a DNS that has DNSSEC
• To send a client to a pirate server, a DNS response needs to be “forged” by a
server which intercepts them
• It is possible to protect your domain name by configuring DNSSEC
• Amazon Route 53 suppor ts DNSSEC for domain registration.
• Route 53 suppor ts DNSSEC for DNS service as of December 2020 (using
KMS)
• You could also run a custom DNS server on Amazon EC2 for example (Bind is
the most popular, dnsmasq, KnotDNS, PowerDNS).

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Certificate Manager (ACM)
• To host public SSL certificates in AWS, you can:
• Buy your own and upload them using the CLI
• Have ACM provision and renew public SSL
certificates for you (free of cost) Public www
HTTPS Request
SSL
• ACM loads SSL certificates on the following termination
integrations: Provision and
• Load Balancers (including the ones created by EB) Maintain Cert
• CloudFront distributions
• APIs on API Gateways
ACM
Private AWS
• SSL certificates is overall a pain to manually HTTP Request
manage, so ACM is great to leverage in your
AWS infrastructure!

Less CPU cost in EC2

Thanks to SSL termination for the ELB
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
ACM – Good to know
• Possibility of creating public certificates
• Must verify public DNS
• Must be issued by a trusted public certificate authority (CA)
• Possibility of creating private certificates
• For your internal applications
• You create your own private CA
• Your applications must trust your private CA
• Certificate renewal:
• Automatically done if generated provisioned by ACM
• Any manually uploaded certificates must be renewed manually and re-uploaded
• ACM is a regional service
• To use with a global application (multiple ALB for example), you need to issue an SSL certificate
in each region where you application is deployed.
• You cannot copy certs across regions

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CloudHSM
• KMS => AWS manages the software for encryption
• CloudHSM => AWS provisions encryption hardware
• Dedicated Hardware (HSM = Hardware Security Module)
• You manage your own encryption keys entirely (not AWS)
• HSM device is tamper resistant, FIPS 140-2 Level 3 compliance
• Supports both symmetric and asymmetric encryption (SSL/TLS keys)
• No free tier available
• Must use the CloudHSM Client Software
• Redshift supports CloudHSM for database encryption and key management
• Good option to use with SSE-C encryption

SSL Connection
User manages the Keys

AWS CloudHSM
CloudHSM Client

IAM permissions: CloudHSM Software:

• CRUD an HSM Cluster • Manage the Keys
• Manage the Users
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CloudHSM – High Availability
• CloudHSM clusters are spread across Multi AZ (HA)
• Great for availability and durability
Availability Zone 1

CloudHSM 1

Availability Zone 2
CloudHSM Client
CloudHSM 2

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CloudHSM vs. KMS
Feature AWS KMS AWS CloudHSM
Tenancy Multi-Tenant Single-Tenant
Standard FIPS 140-2 Level 3 FIPS 140-2 Level 3
Master Keys • AWS Owned Keys Customer Managed CMK
• AWS Managed Keys
• Customer Managed KMS Keys
Key Types • Symmetric • Symmetric
• Asymmetric • Asymmetric
• Digital Signing • Digital Signing & Hashing
Key Accessibility Accessible in multiple AWS regions • Deployed and managed in a VPC
KMS Key Replication • Can be shared across VPCs (VPC Peering)
Cryptographic None • SSL/TLS Acceleration
Acceleration • Oracle TDE Acceleration
Access & AWS IAM You create users and manage their permissions
Authentication

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CloudHSM vs. KMS
Feature AWS KMS AWS CloudHSM
High Availability AWS Managed Service Add multiple HSMs over different AZs
Audit Capability • CloudTrail • CloudTrail
• CloudWatch • CloudWatch
• MFA support
Free Tier Yes No

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Solution Architecture:
SSL on ALB
Auto Scaling group

HTTP

HTTPS

ALB with SSL cert

from ACM

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Solution Architecture:
SSL on web server EC2 instances
Auto Scaling group Retrieve SSL private key
at EC2 boot time
(user data)
HTTPS Install certs on EC2

TCP HTTPS

HTTPS Performing SSL encryption / SSM Parameter Store

NLB decryption can use CPU resources

IAM permissions

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Solution Architecture:
CloudHSM – SSL Offloading Auto
Scaling
• You can offload SSL to group
SSL
CloudHSM (SSL offloading
Acceleration) HTTPS

• Supported by NGINX,
Apache Web servers and TCP HTTPS
IIS for Windows Server
HTTPS
• Extra security: the SSL NLB CloudHSM
private key never leaves the
HSM device
• Must setup a cryptographic
user (CU) on the
CloudHSM device CloudHSM
(multi-AZ)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
S3 Encryption for Objects
• SSE-S3: encrypts S3 objects using keys handled & managed by AWS
• SSE-KMS: leverage KMS to manage encryption keys
• Key usage appears in CloudTrail
• objects made public can never be read
• On s3:PutObject, make the permission kms:GenerateDataKey is allowed
• SSE-C: when you want to manage your own encryption keys
• Client-Side Encryption

• Glacier : all data is AES-256 encrypted, key under AWS control

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Encryption in transit (SSL / TLS)
• Amazon S3 exposes:
• HTTP endpoint: non encrypted
• HTTPS endpoint: encryption in flight

• You’re free to use the endpoint you want, but HTTPS is recommended
• HTTPS is mandatory for SSE-C

• To enforce HTTPS, use a Bucket Policy with aws:SecureTransport

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Events in S3 Buckets
• S3 Access Logs:
• Detailed records for the requests that are made to a bucket
• Might take hours to deliver
• Might be incomplete (best effort)
• S3 Events Notifications:
• Receive notifications when certain events happen in your bucket
• E.g.: new objects created, object removal, restore objects, replication events
• Destinations: SNS, SQS queue, Lambda
• Typically delivered in seconds but can take minutes, notification for every object if versioning is
enabled, else risk of one notification for two same object write done simultaneously
• Trusted Advisor :
• Check the bucket permission (is the bucket public?)
• Amazon EventBridge:
• Need to enable CloudTrail object level logging on S3 first
• Target can be Lambda, SQS, SNS, etc…

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
S3 Security
• User based
• IAM policies - which API calls should be allowed for a specific user from IAM
console

• Resource Based
• Bucket Policies - bucket wide rules from the S3 console - allows cross account
• Object Access Control List (ACL) – finer grain
• Bucket Access Control List (ACL) – less common

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
S3 Bucket Policies
• Use S3 bucket for policy to:
• Grant public access to the bucket
• Force objects to be encrypted at upload
• Grant access to another account (Cross Account)
• Optional Conditions on:
• SourceIp: Public IP or Elastic IP | VpcSourceIp: Private IP (through VPC Endpoint)
• Source VPC or Source VPC Endpoint – only works with VPC Endpoints
• CloudFront Origin Identity
• MFA
• Examples here: https://docs.aws.amazon.com/AmazonS3/latest/dev/example-
bucket-policies.html

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
S3 pre-signed URLs
• Can generate pre-signed URLs using SDK or CLI
• For downloads (easy, can use the CLI)
• For uploads (harder, must use the SDK)
• Valid for a default of 3600 seconds, can change timeout with --expires-in
[TIME_BY_SECONDS] argument
• Users given a pre-signed URL inherit the permissions of the person who
generated the URL for GET / PUT

• Examples :
• Allow only logged-in users to download a premium video on your S3 bucket
• Allow an ever changing list of users to download files by generating URLs dynamically
• Allow temporarily a user to upload a file to a precise location in our bucket

Public www
S3 Bucket
Bucket policy by AWS:SourceIP (public IP)
Internet
Public Instance
Gateway

private S3 Bucket
Bucket policy by
AWS:SourceVpce
VPC Endpoint (one or few endpoints)
Private Instance
Gateway
OR

AWS:SourceVpc
(encompass all possible VPC endpoints)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
S3 Object Lock & Glacier Vault Lock
• S3 Object Lock
• Adopt a WORM (Write Once Read
Many) model Object
• Block an object version deletion for a
specified amount of time

• Glacier Vault Lock

• Adopt a WORM (Write Once Read
Many) model Vault Lock Policy
• Lock the policy for future edits (can no Object can’t be deleted
longer be changed)
• Helpful for compliance and data retention

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
S3 – Access Points
Policy
Grant R/W to
Users /finance prefix Finance S3 Bucket
(Finance) Access Point Simple Bucket
Policy
Grant R/W to
Policy
Users /finance/…
/sales prefix Sales
(Sales) Access Point
Policy /sales/…
Grant R to
Users entire bucket Analytics
(Analytics) Access Point

• Access Points simplify security management for S3 Buckets

• Each Access Point has:
• its own DNS name (Internet Origin or VPC Origin)
• an access point policy (similar to bucket policy) – manage security at scale

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
S3 – Access Points – VPC Origin
• We can define the access VPC
Access Point
S3 Bucket
point to be accessible EC2 Instance VPC Endpoint VPC Origin

only from within the VPC

• You must create a VPC
Endpoint to access the Endpoint Access Point Bucket
Policy Policy Policy

Access Point (Gateway

or Interface Endpoint)
• The VPC Endpoint Policy
must allow access to the
target bucket and Access
Point

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
S3 – Multi-Region Access Points
• Provide a global endpoint that span
S3 buckets in multiple AWS regions
• Dynamically route requests to the
nearest S3 bucket (lowest latency)
S3 Multi-Region
• Bi-directional S3 bucket replication Access Point
rules are created to keep data in
sync across regions
• Failover Controls – allows you to
shift requests across S3 buckets in
different AWS regions within
minutes (Active-Active or Active-
Passive)
Bi-directional replication

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
S3 – Multi-Region Access Points
us-east-1
Bi-directional
S3 Bucket Cross-Region
Replication

request routed to
AWS region with Bi-directional
the lowest latency Cross-Region eu-west-1
Replication
request S3 object
S3 Bucket

Application S3 Multi-Region
Access Point
ap-southeast-1

Bi-directional
S3 Bucket Cross-Region
Replication

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Multi-Region Access Points – Failover Controls

Regional traffic us-east-1

Active/Passive Failover Controls disruption
Selected Active
S3 Bucket

Bi-directional
request S3 object Cross-Region
Replication
Failover
initiated
Application S3 Multi-Region eu-west-1
Access Point
Selected Passive
S3 Bucket

Works with active/active or active/passive setups

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
S3 Object Lambda
AWS Cloud
• Use AWS Lambda Functions to
change the object before it is
retrieved by the caller application Original
Object
S3 Bucket

• Only one S3 bucket is needed, on E-Commerce

top of which we create S3 Access Application
Point and S3 Object Lambda Access Supporting
S3 Access Point
Points. S3 Object Lambda
Access Point
Redacting
Lambda Function
• Use Cases: Redacted
• Redacting personally identifiable Object
information for analytics or non- Analytics
production environments. Application S3 Object Lambda Enriching
• Converting across data formats, such Access Point Lambda Function
as converting XML to JSON. Enriched
• Resizing and watermarking images on Object
the fly using caller-specific details, such Marketing
as the user who requested the object. Application Customer Loyalty
Database

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
What’s a DDOS* Attack?
*Distributed Denial-of-Service
normal users

Not accessible
Not responsive

attacker

application
server

masters
bots
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Type of Attacks on your infrastructure
• Distributed Denial of Service (DDoS):
• When your service is unavailable because it’s receiving too many requests
• SYN Flood (Layer 4): send too many TCP connection requests
• UDP Reflection (Layer 4): get other servers to send many big UDP requests
• DNS flood attack: overwhelm the DNS so legitimate users can’t find the site
• Slow Loris attack: a lot of HTTP connections are opened and maintained

• Application level attacks:

• more complex, more specific (HTTP level)
• Cache bursting strategies: overload the backend database by invalidating cache

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
DDoS Protection on AWS
• AWS Shield Standard: protects against DDoS attack for your website and
applications, for all customers at no additional costs
• AWS Shield Advanced: 24/7 premium DDoS protection
• AWS WAF: Filter specific requests based on rules
• CloudFront and Route 53:
• Availability protection using global edge network
• Combined with AWS Shield, provides DDoS attack mitigation at the edge
• Be ready to scale – leverage AWS Auto Scaling
• Separate static resources (S3 / CloudFront) from dynamic ones (EC2 / ALB)
• Read the whitepaper for details:
https://d1.awsstatic.com/whitepapers/Security/DDoS_White_Paper.pdf

https://aws.amazon.com/answers/networking/aws-ddos-attack-mitigation/

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Shield
• AWS Shield Standard:
• Free service that is activated for every AWS customer
• Provides protection from attacks such as SYN/UDP Floods, Reflection attacks
and other layer 3/layer 4 attacks
• AWS Shield Advanced:
• Optional DDoS mitigation service ($3,000 per month per organization)
• Protect against more sophisticated attack on Amazon EC2, Elastic Load
Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, Route 53
• 24/7 access to AWS DDoS response team (DRP)
• Protect against higher fees during usage spikes due to DDoS

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS WAF – Web Application Firewall
• Protects your web applications from common web exploits (Layer 7)
• Deploy on Application Load Balancer (localized rules)
• Deploy on API Gateway (rules running at the regional or edge level)
• Deploy on CloudFront (rules globally on edge locations)
• Used to front other solutions: CLB, EC2 instances, custom origins, S3 websites
• Deploy on AppSync (protect your GraphQL APIs)
• WAF is not for DDoS protection
• Define Web ACL (Web Access Control List):
• Rules can include IP addresses, HTTP headers, HTTP body, or URI strings
• Protects from common attack - SQL injection and Cross-Site Scripting (XSS)
• Size constraints, Geo match
• Rate-based rules (to count occurrences of events)
• Rule Actions: Count | Allow | Block | CAPTCHA
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS WAF – Managed Rules
• Library of over 190 managed rules
• Ready-to-use rules that are managed by AWS and AWS Marketplace Sellers

• Baseline Rule Groups – general protection from common threats

• AWSManagedRulesCommonRuleSet, AWSManagedRulesAdminProtectionRuleSet, …
• Use-case Specific Rule Groups – protection for many AWS WAF use cases
• AWSManagedRulesSQLiRuleSet, AWSManagedRulesWindowsRuleSet,
AWSManagedRulesPHPRuleSet, AWSManagedRulesWordPressRuleSet, …
• IP Reputation Rule Groups – block requests based on source (e.g., malicious
IPs)
• AWSManagedRulesAmazonIpReputationList, AWSManagedRulesAnonymousIpList
• Bot Control Managed Rule Group – block and manage requests from bots
• AWSManagedRulesBotControlRuleSet

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
WAF - Web ACL – Logging
• You can send your logs to an:
• Amazon CloudWatch Logs log group – 5 MB per second
• Amazon Simple Storage Service (Amazon S3) bucket – 5 minutes interval
• Amazon Kinesis Data Firehose – limited by Firehose quotas
Kinesis Firehose
Destinations
CloudWatch Logs
Amazon S3

Amazon
AWS WAF Kinesis Data Firehose Redshift

Amazon
OpenSearch
S3 Bucket …
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Solution Architecture – Enahnce CloudFront Origin
Security with AWS WAF & AWS Secrets Manager
directly access the ALB

Auto Scaling group

Custom HTTP Header

(X-Origin-Verify: xxxxxxxxx)

Users Application EC2 Instances

AWS WAF Amazon AWS WAF
Load Balancer
CloudFront

WACL Filtering Rule

auto-rotate

invoke
update Custom HTTP Header
with the new value
Lambda
Function AWS Secrets Manager

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Firewall Manager
• Manage rules in all accounts of an AWS Organization

• Security policy: common set of security rules

• WAF rules (Application Load Balancer, API Gateways, CloudFront)
• AWS Shield Advanced (ALB, CLB, NLB, Elastic IP, CloudFront)
• Security Groups for EC2, Application Load Balancer and ENI resources in VPC
• AWS Network Firewall (VPC Level)
• Amazon Route 53 Resolver DNS Firewall
• Policies are created at the region level

• Rules are applied to new resources as they are created (good for
compliance) across all and future accounts in your Organization

AWS WAF AWS Firewall Manager AWS Shield

• WAF, Shield and Firewall Manager are used together for comprehensive protection
• Define your Web ACL rules in WAF
• For granular protection of your resources, WAF alone is the correct choice
• If you want to use AWS WAF across accounts, accelerate WAF configuration, automate the
protection of new resources, use Firewall Manager with AWS WAF
• Shield Advanced adds additional features on top of AWS WAF, such as dedicated support
from the Shield Response Team (SRT) and advanced reporting.
• If you’re prone to frequent DDoS attacks, consider purchasing Shield Advanced

VPC

Security group

NACL
Client EC2 Instance
Public IP
+ Optional Firewall
Software in EC2

VPC

ALB Security group EC2 Security group

NACL
Client
EC2 Instance
Application Load Balancer Private IP
Connection Termination

VPC

NLB Security group EC2 Security group

NACL
Client
Network Load Balancer EC2 Instance
Private IP

VPC

ALB Security group EC2 Security group

NACL
ALB
Client
EC2 Instance
Private IP

WAF
IP address filtering

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Blocking an IP address – ALB, CloudFront WAF

VPC

ALB Security group EC2 Security group

CloudFront Public IPs

Client Public ALB

CloudFront EC2 Instance
Geo Restriction Private IP

NACL
NACL not helpful

WAF
IP address filtering

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon Inspector
SSM Agent
• Automated Security Assessments Lambda
Function

• For EC2 instances

• Leveraging the AWS System Manager (SSM) agent
• Analyze against unintended network accessibility
• Analyze the running OS against known vulnerabilities
Amazon
• For Container Images push to Amazon ECR Inspector
• Assessment of Container Images as they are pushed
Amazon ECR
• For Lambda Functions Container Image
• Identifies software vulnerabilities in function code and package
dependencies
• Assessment of functions as they are deployed assessment run state
& findings

• Reporting & integration with AWS Security Hub

• Send findings to Amazon Event Bridge
Security Hub EventBridge
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
What does Amazon Inspector evaluate?
• Remember : only for EC2 instances, Container Images & Lambda
functions

• Continuous scanning of the infrastructure, only when needed

• Package vulnerabilities (EC2, ECR & Lambda) – database of CVE

• Network reachability (EC2)

• A risk score is associated with all vulnerabilities for prioritization

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Config
• Helps with auditing and recording compliance of your AWS resources
• Helps record configurations and changes over time
• AWS Config Rules does not prevent actions from happening (no deny)
• Questions that can be solved by AWS Config:
• Is there unrestricted SSH access to my security groups?
• Do my buckets have any public access?
• How has my ALB configuration changed over time?
• You can receive alerts (SNS notifications) for any changes
• AWS Config is a per-region service
• Can be aggregated across regions and accounts

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Config Resource
• View compliance of a resource over time

• View configuration of a resource over time

• View CloudTrail API calls if enabled

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Config Rules
• Can use AWS managed config rules (over 75)
• Can make custom config rules (must be defined in AWS Lambda)
• Evaluate if each EBS disk is of type gp2
• Evaluate if each EC2 instance is t2.micro
• Rules can be evaluated / triggered:
• For each config change
• And / or: at regular time intervals
• Trigger Amazon EventBridge if the rule is non-compliant (chain with Lambda)
• Rules can have auto remediations through SSM Automations
• If a resource is not compliant, you can trigger an auto remediation
• Ex: remediate security group rules, stop instances with non-approved tags

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Managed Logs
• Load Balancer Access Logs (ALB, NLB, CLB) => to S3
• Access logs for your Load Balancers
• CloudTrail Logs => to S3 and CloudWatch Logs
• Logs for API calls made within your account
• VPC Flow Logs => to S3, CloudWatch Logs, Kinesis Data Firehose
• Information about IP traffic going to and from network interfaces in your VPC
• Route 53 Access Logs => to CloudWatch Logs
• Log information about the queries that Route 53 receives
• S3 Access Logs => to S3
• Server access logging provides detailed records for the requests that are made to a bucket
• CloudFront Access Logs => to S3
• Detailed information about every user request that CloudFront receives
• AWS Config => to S3

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon GuardDuty
• Intelligent Threat discovery to protect your AWS Account
• Uses Machine Learning algorithms, anomaly detection, 3rd party data
• One click to enable (30 days trial), no need to install software
• Input data includes:
• CloudTrail Events Logs – unusual API calls, unauthorized deployments
• CloudTrail Management Events – create VPC subnet, create trail, …
• CloudTrail S3 Data Events – get object, list objects, delete object, …
• VPC Flow Logs – unusual internal traffic, unusual IP address
• DNS Logs – compromised EC2 instances sending encoded data within DNS queries
• Optional Feature – EKS Audit Logs, RDS & Aurora, EBS, Lambda, S3 Data Events…
• Can setup EventBridge rules to be notified in case of findings
• EventBridge rules can target AWS Lambda or SNS
• Can protect against CryptoCurrency attacks (has a dedicated “finding” for
it)
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon GuardDuty
VPC Flow Logs

CloudTrail Logs

DNS Logs (AWS DNS) SNS

GuardDuty
Optional Features

S3 Logs EBS Volumes

EventBridge
Lambda
Lambda Network RDS & Aurora
Activity Login Activity

EKS Audit Logs &

Runtime Monitoring

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
GuardDuty – Delegated Administrator
• AWS Organization member accounts can be AWS Organization
designated to be a GuardDuty Delegated
Administrator Management
Account

• Have full permissions to enable and manage GuardDuty

Delegated
Member
GuardDuty for all accounts in the Administrator
Account A

Organization manage

• Can be done only using the Organization Member Member Member

Management Account Account B Account C Account D

GuardDuty GuardDuty GuardDuty

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
IAM Conditions
aws:SourceIp aws:RequestedRegion
restrict the client IP from restrict the region the
which the API calls are being made API calls are made to

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
IAM Conditions
ec2:ResourceTag aws:MultiFactorAuthPresent
restrict based on tags to force MFA

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
IAM for S3
• s3:ListBucket permission applies to
arn:aws:s3:::test
• => bucket level permission

• s3:GetObject, s3:PutObject,
s3:DeleteObject applies to
arn:awn:s3:::test/*
• => object level permission

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Resource Policies & aws:PrincipalOrgID
• aws:PrincipalOrgID can be used in any resource policies to restrict
access to accounts that are member of an AWS Organization

AWS Organization
(o-yyyyyyyyyy)

…
Member Accounts
S3 Bucket
(2022-financial-data)

User outside Organization

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
EC2 Instance Connect (SendSSHPublicKey API)
Inbound Rules
Type Protocol Port Source
Allows AWS IP Range SSH TCP 22 18.206.107.24/29

Security Group
push one-time
SSH public key
EC2 Instance (valid for 60 secs)
Connect API SendSSHPublicKey API
EC2 Instance
EC2 Console,
EC2 Instance Connect CLI
{
"ip_prefix": "18.206.107.24/29",
"region": "us-east-1",
"service": "EC2_INSTANCE_CONNECT",
User "network_border_group": "us-east-1"
}
(IPv4: 1.2.3.4) https://ip-ranges.amazonaws.com/ip-ranges.json

Note: All connections are logged in CloudTrail

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Security Hub
• Central security tool to manage security across several AWS accounts and automate
security checks
• Integrated dashboards showing current security and compliance status to quickly take
actions
• Automatically aggregates alerts in predefined or personal findings formats from various
AWS services & AWS partner tools:
• Config
• GuardDuty
• Inspector
• Macie
• IAM Access Analyzer
• AWS Systems Manager
• AWS Firewall Manager
• AWS Health
• AWS Partner Network Solutions
• Must first enable the AWS Config Service

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Security Hub
Security Hub Multi
account EventBridge event
e
e rat
ge n

Macie GuardDuty Inspector Config

Automated checks Security Hub
Findings

Firewall IAM Access Systems Manager Health inv

est
Manager Analyzer iga
te

Collect potential issues & findings Amazon Detective

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon Detective
• GuardDuty, Macie, and Security Hub are used to identify potential
security issues, or findings
• Sometimes security findings require deeper analysis to isolate the root
cause and take action – it’s a complex process
• Amazon Detective analyzes, investigates, and quickly identifies the
root cause of security issues or suspicious activities (using ML and
graphs)
• Automatically collects and processes events from VPC Flow Logs,
CloudTrail, GuardDuty and create a unified view
• Produces visualizations with details and context to get to the root cause

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Solution Architecture on AWS
Compute Layer Caching / Session Layer
DNS Layer ElastiCache, DAX,
Route 53 EC2, ASG, Lambda
ECS, Fargate, Batch, EMR DynamoDB, RDS
Database Layer
RDS, Aurora, DynamoDB
ElasticSearch, S3, Redshift

Decoupling Orchestration Layer

Web Layer SQS, SNS, Kinesis
CLB, ALB, NLB Amazon MQ, Step Functions
API Gateway, Elastic IP
Storage Layer
EBS, EFS, Instance Store

Static Assets Layer (storage)

CDN Layer S3, Glacier
CloudFront

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
EC2 Instance Types – Main ones
• R: applications that needs a lot of RAM – in-memory caches
• C: applications that needs good CPU – compute / databases
• M: applications that are balanced (think “medium”) – general / web app
• I: applications that need good local I/O (instance storage) – databases
• G: applications that need a GPU – video rendering / machine learning

• T2 / T3: burstable instances (up to a capacity)

• T2 / T3 - unlimited: unlimited burst

• Real-world tip: use https://www.ec2instances.info

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
EC2 - Placement Groups
• Control the EC2 Instance placement strategy using placement groups
• Group Strategies:
• Cluster—clusters instances into a low-latency group in a single Availability Zone
• Spread—spreads instances across underlying hardware (max 7 instances per group per
AZ) – critical applications
• Partition—spreads instances across many different partitions (which rely on different sets
of racks) within an AZ. Scales to 100s of EC2 instances per group (Hadoop, Cassandra,
Kafka)
• You can move an instance into or out of a placement group
• Your first need to stop it
• You then need to use the CLI (modify-instance-placement)
• You can then star t your instance

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Placement Groups
Cluster
EC2 EC2 EC2 Placement group
Same Rack Cluster
Same AZ Low latency
10 Gbps network
EC2 EC2 EC2

• Pros: Great network (10 Gbps bandwidth between instances with Enhanced
Networking enabled - recommended)
• Cons: If the rack fails, all instances fails at the same time
• Use case:
• Big Data job that needs to complete fast
• Application that needs extremely low latency and high network throughput

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Placement Groups
Spread
Us-east-1a Us-east-1b Us-east-1c • Pros:
• Can span across Availability
Zones (AZ)
• Reduced risk is simultaneous
EC2 EC2 EC2 failure
• EC2 Instances are on different
physical hardware
Hardware 1 Hardware 3 Hardware 5
• Cons:
• Limited to 7 instances per AZ
per placement group
• Use case:
EC2 EC2 EC2 • Application that needs to
maximize high availability
• Critical Applications where
Hardware 2 Hardware 4 Hardware 6 each instance must be isolated
from failure from each other

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Placements Groups
Partition
us-east-1a • Up to 7 partitions per AZ
• Up to 100s of EC2 instances
EC2 EC2 EC2 • The instances in a partition do
not share racks with the instances
in the other partitions
EC2 EC2 EC2
• A partition failure can affect many
EC2 but won’t affect other
EC2 EC2 EC2
partitions
• EC2 instances get access to the
partition information as metadata
EC2 EC2 EC2
• Use cases: HDFS, HBase,
Partition 1 Partition 2 Partition 3 Cassandra, Kafka

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
EC2 Instance Launch Types
• On Demand Instances: short workload, predictable pricing, reliable
• Spot Instances: short workloads, for cheap, can lose instances (not reliable)
• Reserved: (MINIMUM 1 year)
• Reserved Instances: long workloads
• Conver tible Reserved Instances: long workloads with flexible instances
• Highest to lowest discount: All Upfront payment, Partial Upfront payment, no Upfront
• Dedicated Instances: no other customers will share your hardware
• Dedicated Hosts: book an entire physical server, control instance placement
• Great for software licenses that operate at the core, or CPU socket level
• Can define host affinity so that instance reboots are kept on the same host

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
EC2 Graviton
• AWS Graviton Processors deliver the best price performance
• Supports many Linux OS, Amazon Linux 2, RedHat, SUSE, Ubuntu
• Not available for Windows instances

• Graviton2 – 40% better price performance over comparable 5th

generation x86-based instances
• Graviton3 – Up to 3x better performance compared to Graviton2
• Use cases: app servers, microservices, HPC, CPU-based ML, video
encoding, gaming, in-memory caches, …

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
EC2 included metrics
• CPU: CPU Utilization + Credit Usage / Balance
• Network: Network In / Out
• Status Check:
• Instance status = check the EC2 VM
• System status = check the underlying hardware
• Disk: Read / Write for Ops / Bytes (only for instance store)

• RAM is NOT included in the AWS EC2 metrics

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
EC2 Instance Recovery
• Status Check:
• Instance status = check the EC2 VM
• System status = check the underlying hardware

monitor alert

EC2 Instance CloudWatch Alarm SNS Topic

StatusCheckFailed_System

EC2 Instance Recovery

• Recovery: Same Private, Public, Elastic IP, metadata, placement group

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
High Performance Computing (HPC)
• The cloud is the perfect place to perform HPC
• You can create a very high number of resources in no time
• You can speed up time to results by adding more resources
• You can pay only for the systems you have used

• Perform genomics, computational chemistry, financial risk modeling,

weather prediction, machine learning, deep learning, autonomous driving

• Which services help perform HPC?

• AWS Direct Connect:

• Move GB/s of data to the cloud, over a private secure network

• Snowball
• Move PB of data to the cloud

• AWS DataSync
• Move large amount of data between on-premise and S3, EFS, FSx for Windows

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Compute and Networking
• EC2 Instances:
• CPU optimized, GPU optimized
• Spot Instances / Spot Fleets for cost savings + Auto Scaling

• EC2 Placement Groups: Cluster for good network performance

EC2 EC2 EC2 Placement group

Same Rack Cluster
Same AZ Low latency
10Gbps network
EC2 EC2 EC2

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Compute and Networking
• EC2 Enhanced Networking (SR-IOV)
• Higher bandwidth, higher PPS (packet per second), lower latency
• Option 1: Elastic Network Adapter (ENA) up to 100 Gbps
• Option 2: Intel 82599 VF up to 10 Gbps – LEGACY

• Elastic Fabric Adapter (EFA)

• Improved ENA for HPC, only works for Linux
• Great for inter-node communications, tightly coupled workloads
• Leverages Message Passing Interface (MPI) standard
• Bypasses the underlying Linux OS to provide low-latency, reliable transport

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Storage
• Instance-attached storage:
• EBS: scale up to 256,000 IOPS with io2 Block Express
• Instance Store: scale to millions of IOPS, linked to EC2 instance, low latency

• Network storage:
• Amazon S3: large blob, not a file system
• Amazon EFS: scale IOPS based on total size, or use provisioned IOPS
• Amazon FSx for Lustre:
• HPC optimized distributed file system, millions of IOPS
• Backed by S3

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Automation and Orchestration
• AWS Batch
• AWS Batch supports multi-node parallel jobs, which enables you to run single
jobs that span multiple EC2 instances.
• Easily schedule jobs and launch EC2 instances accordingly

• AWS ParallelCluster
• Open source cluster management tool to deploy HPC on AWS
• Configure with text files
• Automate creation of VPC, Subnet, cluster type and instance types

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Auto Scaling Groups – Dynamic Scaling Policies
• Target Tracking Scaling
• Most simple and easy to set-up
• Example: I want the average ASG CPU to stay at around 40%
• Simple / Step Scaling
• When a CloudWatch alarm is triggered (example CPU > 70%), then add 2 units
• When a CloudWatch alarm is triggered (example CPU < 30%), then remove 1
• Scheduled Actions
• Anticipate a scaling based on known usage patterns
• Example: increase the min capacity to 10 at 5 pm on Fridays

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Auto Scaling Groups – Predictive Scaling
• Predictive scaling: continuously forecast load and schedule scaling ahead

• CPUUtilization: Average CPU

utilization across your instances
• RequestCountPerTarget: to make sure
the number of requests per EC2 Application
Load Balancer
instances is stable
RequestCountPerTarget
• Average Network In / Out (if you’re Target Value: 3
application is network bound)
• Any custom metric (that you push
using CloudWatch)
Auto Scaling group

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Auto Scaling – Good to know
• Spot Fleet suppor t (mix on Spot and On-Demand instances)

• Lifecycle Hooks:
• Perform actions before an instance is in service, or before it is terminated
• Examples: cleanup, log extraction, special health checks

• To upgrade an AMI, must update the launch configuration / template

• Then terminate instances manually (CloudFormation can help)
• Or use EC2 Instance Refresh for Auto Scaling

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Auto Scaling – Instance Refresh
User
• Goal: update launch template
and then re-creating all EC2 New Launch Template StartInstanceRefresh
(Updated AMI) Min. Healthy Percentage: 60 %
instances
• For this we can use the native
feature of Instance Refresh Auto Scaling Group

• Setting of minimum healthy New Launch

Template
percentage
• Specify warm-up time (how long
until the instance is ready to use)
Old Launch
Template

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Auto Scaling – Scaling Processes
• Launch: Add a new EC2 to the group, increasing the capacity
• Terminate: Removes an EC2 instance from the group, decreasing its capacity.
• HealthCheck: Checks the health of the instances
• ReplaceUnhealthy: Terminate unhealthy instances and re-create them
• AZRebalance: Balancer the number of EC2 instances across AZ
• AlarmNotification: Accept notification from CloudWatch
• ScheduledActions: Performs scheduled actions that you create.
• AddToLoadBalancer : Adds instances to the load balancer or target group
• InstanceRefresh: Perform an instance refresh

• We can suspend these processes!

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Auto Scaling – Health Checks
• Health checks available: GOOD HEALTH CHECK BAD HEALTH CHECK
• EC2 Status Checks
• ELB Health Checks (HTTP)
• Custom Health Checks – send ASG ASG
instance’s health to an ASG using AWS (Target Group) (Target Group)
CLI or AWS SDK (set-instance-
/health-server /number-customers
health)
• ASG will launch a new instance after
terminating an unhealthy one
EC2 Instance EC2 Instance
• Make sure the health check is simple
and checks the correct thing DB call

© Stephane Maarek
RDS DB Instance
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Auto Scaling – Updating an application
Client

ALB

Auto Scaling Group

EC2 Instances
Launch Template

ALB ALB

Target group 1 Target group 2

Same target group Split traffic between TG
Auto Scaling Group Auto Scaling Group 1 Auto Scaling Group 2

EC2 Instances EC2 Instances EC2 Instances EC2 Instances

Launch Template v1 Launch Template v2 Launch Template v1 Launch Template v2

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Auto Scaling – Solution Architecture
Client Test Client
DNS Query

Route 53 Separate
CNAME Client based LB manual testing
Weighted record Load testing
ALB 1 ALB 2

Auto Scaling Group 1 Auto Scaling Group 2

EC2 Instances EC2 Instances

Launch Template v1 Launch Template v2

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
EC2 Spot Instances
• Can get a discount of up to 90% compared to On-Demand
• Define max spot price and get the instance while current spot price <
max
• The hourly spot price varies based on offer and capacity
• If the current spot price > your max price you can choose to stop or terminate your
instance with a 2 minutes grace period.

• Used for batch jobs, data analysis, or workloads that are resilient to
failures.
• Not great for critical jobs or databases

User-defined max price

https://console.aws.amazon.com/ec2sp/v1/spot/home?region=us-east-1#
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Spot Fleets
• Spot Fleets = set of Spot Instances + (optional) On-Demand Instances
• The Spot Fleet will try to meet the target capacity with price constraints
• Define possible launch pools: instance type (m5.large), OS, Availability Zone
• Can have multiple launch pools, so that the fleet can choose
• Spot Fleet stops launching instances when reaching capacity or max cost
• Strategies to allocate Spot Instances:
• lowestPrice: from the pool with the lowest price (cost optimization, short workload)
• diversified: distributed across all pools (great for availability, long workloads)
• capacityOptimized: pool with the optimal capacity for the number of instances
• priceCapacityOptimized (recommended): pools with highest capacity available, then select
the pool with the lowest price (best choice for most workloads)
• Spot Fleets allow us to automatically request Spot Instances with the lowest price
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
What is Docker?
• Docker is a software development platform to deploy apps
• Apps are packaged in containers that can be run on any OS
• Apps run the same, regardless of where they’re run
• Any machine (no compatibility issues, predictable behavior)
• Less work
• Easier to maintain and deploy
• Works with any language, any OS, any technology
• Control how much memory / CPU is allocated to your container
• Scale containers up and down very quickly (seconds)
• More efficient than Virtual machines

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Docker Containers Management on AWS
• To manage containers, we need a container management platform

• Amazon Elastic Container Service (Amazon ECS) Amazon ECS

• Amazon’s own container platform

• Amazon Elastic Kubernetes Service (Amazon EKS)

Amazon EKS
• Amazon’s managed Kubernetes (open source)

• AWS Fargate
• Amazon’s own Serverless container platform AWS Fargate
• Works with ECS and with EKS

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon ECS – Use cases
• Run Microservices
• Run multiple Docker containers on the same machine
• Easy Service Discovery features to enhance communication
• Direct integration with Application Load Balancer and Network Load Balancer
• Auto Scaling capability

• Run Batch Processing / Scheduled Tasks

• Schedule ECS tasks to run on On-demand / Reserved / Spot instances

• Migrate Applications to the Cloud

• Dockerize legacy applications running on-premises
• Move Docker containers to run on Amazon ECS

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon ECS – Concepts
• ECS Cluster – logical grouping of EC2 instances
• ECS Service – defines how many tasks should run and how they should
be run
• Task Definitions – metadata in JSON form to tell ECS how to run a
Docker container (image name, CPU, RAM, …)
• ECS Task – an instance of a Task Definition, a running Docker container(s)
• ECS IAM Roles
• EC2 Instance Profile – used by the EC2 instance (e.g., make API calls to ECS, send
logs, …)
• ECS Task IAM Role – allow each task to have a specific role (e.g., make API calls to
S3, DynamoDB, …)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon ECS - Concepts ECS
CloudWatch
Logs S3 Bucket

Auto Scaling Group

EC2 Instance Profile

instantiate EC2 Instance EC2 Instance EC2 Instance

Task IAM Role
Task Definition Service - A

Service - B

ECS Tasks ECS Tasks ECS Tasks

ECS Cluster

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon ECS – ALB Integration
• We get Dynamic Port Mapping Dynamic EC2 Instance

• Allows you to run multiple Port Mapping

36789 ECS Task
instances of the same application
on the same EC2 instance 39586 ECS Task
• The ALB finds the right port on
your EC2 Instances 80/443

• Use cases: Users

EC2 Instance

• Increased resiliency even if running Application

39748 ECS Task
on one EC2 instance Load Balancer
• Maximize utilization of CPU / cores ECS Task
39856
• Ability to perform rolling upgrades
without impacting app uptime
ECS Cluster

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Fargate
• Launch Docker containers on AWS
• You do not provision the infrastructure New Docker
(no EC2 instances to manage) Container

• It’s all serverless!

• You create task definitions
AWS Fargate
• AWS runs containers for you based on
the CPU / RAM you need
• To scale, just increase the number of
tasks. Simple! No more EC2 instances J

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon ECS – Security & Networking
• You can inject secrets and configurations as Environment Variables into
running Docker containers
• Integration with SSM Parameter Store and Secrets Manager

• ECS Tasks Networking

• none – no network connectivity, no port mappings
• bridge – uses Docker’s virtual container-based network
• host – bypass Docker’s network, uses the underlying host network interface
• awsvpc
• Every tasks launched on the instance gets its own ENI and a private IP address
• Simplified networking, enhanced security, Security Groups, monitoring, VPC Flow Logs
• Default mode for Fargate tasks

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon ECS – Service Auto Scaling
• Automatically increase/decrease the desired number of tasks
• Amazon ECS leverages AWS Application Auto Scaling
• CPU and RAM is tracked in CloudWatch at the ECS Service level

• Target Tracking – scale based on target value for a specific CloudWatch metric
• Step Scaling – scale based on a specified CloudWatch Alarm
• Scheduled Scaling – scale based on a specified date/time (predictable changes)

• ECS Service Auto Scaling (task level) ≠ EC2 Auto Scaling (EC2 instance level)
• Fargate Auto Scaling is much easier to setup (because Serverless)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon ECS – Spot Instances
• ECS Classic (EC2 Launch Type)
• Can have the underlying EC2 instances as Spot Instances (managed by an ASG)
• Instances may go into draining mode to remove running tasks
• Good for cost savings, but will impact reliability

• AWS Fargate
• Specify minimum of tasks for on-demand baseline workload
• Add tasks running on FARGATE_SPOT for cost-savings (can be reclaimed by AWS)
• Regardless of On-demand or Spot, Fargate scales well based on load

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon ECR - Elastic Container Registry
• Store and manage Docker images on AWS ECR Repository

• Private and Public repository (Amazon ECR Docker Docker

Image A Image B
Public Gallery https://gallery.ecr.aws)
• Fully integrated with ECS
• Access is controlled through IAM pull
IAM Role
pull

(permission errors => check policy)

EC2 Instance
• Supports image vulnerability scanning,
versioning, image tags, image lifecycle, …

ECS Cluster
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon ECR – Cross Region Replication
• ECR private registry supports both cross-Region and cross-account
replication
us-west-1 (Destination)

us-east-1 (Source)

ECR
register/push replicate

eu-west-1 (Destination)
CodeBuild ECR
(build images)

ECR

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon ECR – Image Scanning
Basic Scanning
• Manual Scan or Scan on Push
• Basic Scanning – Common push trigger

CVE Image
ECR Scan EventBridge
• Enhanced Scanning –
Leverages Amazon Inspector
(OS & Programming Enhanced Scanning
Language vulnerabilities)
push trigger
• Scan results can be retrieved
from within the AWS Image
ECR Inspector EventBridge
console

Scan
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon EKS Overview
• Amazon EKS = Amazon Elastic Kubernetes Service
• It is a way to launch managed Kubernetes clusters on AWS
• Kubernetes is an open-source system for automatic deployment, scaling and
management of containerized (usually Docker) application
• It’s an alternative to ECS, similar goal but different API
• EKS supports EC2 if you want to deploy worker nodes or Fargate to deploy
serverless containers
• Use case: if your company is already using Kubernetes on-premises or in
another cloud, and wants to migrate to AWS using Kubernetes
• Kubernetes is cloud-agnostic (can be used in any cloud – Azure, GCP…)
• For multiple regions, deploy one EKS cluster per region
• Collect logs and metrics using CloudWatch Container Insights

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon EKS - Diagram
AWS Cloud
Availability Zone 1 Availability Zone 2 Availability Zone 3

VPC
Public subnet 1 Public subnet 2 Public subnet 3
EKS
Public
Service LB NGW NGW
ELB NGW ELB ELB

Private subnet 1 Private subnet 2 Private subnet 3 EKS

Private
Service LB
ELB
EKS node EKS node EKS node
Auto Scaling Group

EKS Pods EKS Pods EKS Pods

EKS Worker Nodes

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon EKS – Node Types
• Managed Node Groups
• Creates and manages Nodes (EC2 instances) for you
• Nodes are part of an ASG managed by EKS
• Supports On-Demand or Spot Instances

• Self-Managed Nodes
• Nodes created by you and registered to the EKS cluster and managed by an ASG
• You can use prebuilt AMI - Amazon EKS Optimized AMI
• Supports On-Demand or Spot Instances

• AWS Fargate
• No maintenance required; no nodes managed

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon EKS – Data Volumes
• Need to specify StorageClass manifest on your EKS cluster
• Leverages a Container Storage Interface (CSI) compliant driver

• Support for…
• Amazon EBS
• Amazon EFS (works with Fargate)
• Amazon FSx for Lustre
• Amazon FSx for NetApp ONTAP

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS App Runner
• Fully managed service that makes it easy to deploy web
Container Source
applications and APIs at scale Image (Docker) Code
• No infrastructure experience required
• Start with your source code or container image
Configure Settings
• Automatically builds and deploy the web app vCPU, RAM,
Auto Scaling,
• Automatic scaling, highly available, load balancer, encryption Health Check

• VPC access support

• Connect to database, cache, and message queue services
Create & Deploy

• Use cases: web apps, APIs, microservices, rapid production

deployments
Access using URL

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Solution Architecture
App Runner Multi-Region Architecture
Record Name Type Routing Value
api.example.com A Latency App Runner Endpoint - 1
api.example.com A Latency App Runner Endpoint - 2
Route 53
us-east-1 us-west-2
Cross-Region Replication

App Runner ECR Registry ECR Registry App Runner

Service Service

Image Image
Global Table Replication

DynamoDB DynamoDB

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon ECS Anywhere
• Easily run containers on Customer-managed
infrastructure (on-premises, VMs, …) AWS Cloud

• Allows customers to deploy native Amazon ECS

tasks in any environment
• Fully-managed Amazon ECS Control Plane
ECS Cluster SSM
• ECS Container Agent and SSM Agent needs to be
installed
• “EXTERNAL” Launch Type
register register
• Must have a stable connection to the AWS Region
• Use cases:
Corporate Data Center
• Meet compliance, regulatory, and latency requirements
• Run apps outside AWS Regions and closer to their Server Contents
other services
• On-premises ML, video processing, data processing, …

ECS Agent SSM Agent Containers

• Create and operate Kubernetes clusters created

outside AWS
• Leverage the Amazon EKS Distro (AWS’ bundled
release of Kubernetes) EKS Cluster
• Reduce support costs and avoid maintaing
redundant 3rd party tools
Connect using
• Install using the EKS Anywhere Installer EKS Connector
• Optionally use the EKS Connector to connect the
EKS Anywhere clusters to AWS
• Fully Connected & Partially Disconnected: you can
connect to Amazon EKS Anywhere clusters to AWS,
and leverage the EKS console
• Fully Disconnected: must install the EKS Distro and
leverage open-source tools to manage your clusters Amazon EKS

API Gateway Kinesis DynamoDB AWS S3 – AWS IoT

Simple Storage Service Internet of Things

Amazon EventBridge CloudWatch Logs AWS SNS AWS Cognito Amazon

SQS

u sh
p
New thumbnail in S3
trigger

pu
Image name

sh
New image in S3 AWS Lambda Function Image size
Creates a Thumbnail Creation date
etc…

Metadata in DynamoDB

Trigger
Every 1 hour

Amazon EventBridge AWS Lambda Function

Perform a task

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Lambda Language Support (runtimes)
• Node.js (JavaScript)
• Python
• Java
• C# (.NET Core) / Powershell
• Ruby
• Custom Runtime API (community supported, example Rust or Golang)

• Lambda Container Image

• The container image must implement the Lambda Runtime API
• ECS / Fargate is preferred for running arbitrary Docker images

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Lambda – Limits to know
• RAM – 128 MB to 10,240 MB (10 GB)
• CPU – is linked to RAM (cannot be set manually)
• 2 vCPUs are allocated at 1,769 MB of RAM
• 6 vCPUs are allocated at 10,240 MB of RAM
• Timeout – up to 15 minutes
• /tmp Storage – 10,240 MB
• Deployment Package – 50 MB (zipped) , 250 MB (unzipped) including layers
• Concurrent Executions – 1000 (soft limit that can be increased)
• Container Image Size – 10 GB
• Invocation Payload (request/response) – 6 MB (sync), 256 KB (async)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Lambda Concurrency and Throttling
• Concurrency limit: up to 1000 concurrent executions

• Can set a “reserved concurrency” at the function level (=limit)

• Each invocation over the concurrency limit will trigger a “Throttle”
• Can request a quota increase in AWS Service Quotas

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Lambda Concurrency Issue
• If you don’t reserve (=limit) concurrency, the following can happen:

1000 concurrent
executions
Many users Application Load Balancer

THROTTLE!

Few users
API Gateway

THROTTLE!
SDK / CLI

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Lambda & CodeDeploy
• CodeDeploy can help you automate
traffic shift for Lambda aliases Make X vary over time until X = 100%
• Feature is integrated within the SAM
framework PROD Alias

• Linear : grow traffic every N minutes until 100 – X%

100% V1
• Linear10PercentEvery3Minutes
• Linear10PercentEvery10Minutes
• Canary: try X percent then 100%
• Canary10Percent5Minutes X%
CodeDeploy
• Canary10Percent30Minutes V2
• AllAtOnce: immediate
• Can create Pre & Post Traffic hooks to
check the health of the Lambda function

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Lambda Logging, Monitoring and Tracing
• CloudWatch:
• AWS Lambda execution logs are stored in AWS CloudWatch Logs
• AWS Lambda metrics are displayed in AWS CloudWatch Metrics (successful
invocations, error rates, latency, timeouts, etc…)
• Make sure your AWS Lambda function has an execution role with an IAM
policy that authorizes writes to CloudWatch Logs
• X-Ray:
• It’s possible to trace Lambda with X-Ray
• Enable in Lambda configuration (runs the X-Ray daemon for you)
• Use AWS SDK in Code
• Ensure Lambda Function has correct IAM Execution Role

Default Lambda Deployment Lambda in VPC

AWS Cloud AWS Cloud

Public subnet DynamoDB

Public
www NAT IGW
works DynamoDB
Endpoint
VPC & Private Subnet VPC & Private Subnet
Not working
working

Assign security group Private RDS

Private RDS

Note: Lambda - CloudWatch Logs works even

without endpoint or NAT Gateway
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Lambda – Fixed Public IP for external comms
AWS Cloud
API
Random
Public IP

Lambda Function Internet

AWS Cloud

VPC

Private Subnet Public Subnet

ENI Fixed Elastic IP

Lambda Function NATGW IGW Internet

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Lambda – Synchronous Invocations
• Synchronous: CLI, SDK, API Gateway
• Results is returned right away
• Error handling must happen client side (retries, exponential backoff, etc…)
invoke
SDK Do something
Response

invoke proxy
Client Do something
Response Response

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Lambda – Asynchronous Invocation
• S3, SNS, Amazon EventBridge… retries

• Lambda attempts to retry on New file event

async invocation
errors (3 tries total)
• Make sure the processing is
idempotent (in case of retries)
DLQ for
failed processing

• Can define a DLQ (dead-letter

queue) – SNS or SQS – for SQS
failed processing

Starts immediately trigger invoke

Parallel executions
Amazon S3 Amazon SNS Lambda

Batched execution trigger send message consume

Delay
Amazon S3 Amazon SNS Amazon SQS Lambda

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Types of load balancer on AWS
• AWS has 4 kinds of managed Load Balancers
• Classic Load Balancer (v1 - old generation) – 2009 – CLB
• HTTP, HTTPS, TCP, SSL (secure TCP)
• Application Load Balancer (v2 - new generation) – 2016 – ALB
• HTTP, HTTPS, WebSocket
• Network Load Balancer (v2 - new generation) – 2017 – NLB
• TCP, TLS (secure TCP), UDP
• Gateway Load Balancer – 2020 – GWLB
• Operates at layer 3 (Network layer) – IP Protocol

• Overall, it is recommended to use the newer generation load balancers as they

provide more features
• Some load balancers can be setup as internal (private) or external (public) ELBs

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Classic Load Balancers (v1)
• Health Checks can be HTTP (L7) or
TCP (L4) based including with SSL

• Supports only one SSL certificate

• The SSL certificate can have many SAN listener internal
(Subject Alternate Name), but the SSL
certificate must be changed anytime a SAN
is added / edited / removed
• Better to use ALB with SNI (Server Name
Indication) if possible Client CLB EC2
• Can use multiple CLB if you want distinct
SSL certificates

• TCP => TCP passes all the traffic to

the EC2 instance
• Only way to use 2-way SSL authentication

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Application Load Balancer (v2)
• Application load balancers is Layer 7 (HTTP)

• Load balancing to multiple HTTP applications across machines

(target groups)
• Load balancing to multiple applications on the same machine
(ex: containers) – great fit with ECS, has dynamic port mapping
• Support for HTTP/2 and WebSocket
• Support redirects (from HTTP to HTTPS for example)
• Routing Rules for path, headers, query string

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Application Load Balancer (v2)
HTTP Based Traffic

Target Group

Health Check
application
for Users
Route /user HTTP
WWW

External
Application
Load Balancer
(v2)

Target Group

Health Check
application
for Search
Route /search HTTP
WWW

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Application Load Balancer (v2)
Target Groups
• EC2 instances (can be managed by an Auto Scaling Group) – HTTP
• ECS tasks (managed by ECS itself) – HTTP
• Lambda functions – HTTP request is translated into a JSON event
• IP Addresses – must be private IPs

• ALB can route to multiple target groups

• Health checks are at the target group level

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Network Load Balancer (v2)
• Network load balancers (Layer 4) allow to:
• Forward TCP & UDP traffic to your instances
• Handle millions of request per seconds
• Less latency ~100 ms (vs 400 ms for ALB)

• NLB has one static IP per AZ, and suppor ts assigning Elastic IP
(helpful for whitelisting specific IP)

• NLB are used for extreme performance, TCP or UDP traffic

• Not included in the AWS free tier

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Network Load Balancer – Target Groups
• EC2 instances
• IP Addresses – must be private IPs
• Application Load Balancer
Network Network Network
Load Balancer Load Balancer Load Balancer

i-1234567890abcdef0 i-1234567890abcdef0 192.168.1.118 10.0.4.21

Target Group Target Group Target Group

(EC2 Instances) (IP Addresses) (Application Load Balancer)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Network Load Balancer – Zonal DNS Name
• Resolving Regional NLB DNS name returns us-east-1
the IP addresses for all NLB nodes in all my-nlb-1234567890abcdef.elb.us-east-1.amazon.aws.com

enabled AZs us-east-1a.my-nlb-1234567890abcdef.elb.us-east-1.amazon.aws.com

• my-nlb-1234567890abcdef.elb.us-east-1.amazon.aws.com NLB

• Zonal DNS Name

• NLB has DNS names for each of its nodes IP: 172.31.7.90
IP: 172.31.7.90 IP: 172.31.27.8 IP: 172.31.44.7
• Use to determine the IP address of each node
us-east-1a us-east-1b us-east-1c
• us-east-1a.my-nlb-1234567890abcdef.elb.us-east-
1.amazon.aws.com
• Used to minimize latency and data transfer costs
• You need to implement app specific logic

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Gateway Load Balancer
Route
• Deploy, scale, and manage a fleet of 3rd party Table
network virtual appliances in AWS
• Example: Firewalls, Intrusion Detection and Users Application
Prevention Systems, Deep Packet Inspection (source) (destination)
Systems, payload manipulation, …
traffic traffic

Gateway Gateway
Load Balancer Load Balancer

i-1234567890abcdef0 i-1234567890abcdef0 192.168.1.118 10.0.4.21

Target Group Target Group

(EC2 Instances) (IP Addresses)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Cross-Zone Load Balancing
With Cross Zone Load Balancing: Without Cross Zone Load Balancing:
each load balancer instance distributes evenly Requests are distributed in the instances of the
across all registered instances in all AZ node of the Elastic Load Balancer

50 50 50 50

10 10 10 10 6.25 6.25 6.25 6.25

10 10 25 25

10 10 10 10 6.25 6.25 6.25 6.25

Availability Zone 1 Availability Zone 2 Availability Zone 1 Availability Zone 2

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Cross-Zone Load Balancing
• Classic Load Balancer
• Disabled by default
• No charges for inter AZ data if enabled

• Application Load Balancer

• Always on (can’t be disabled)
• No charges for inter AZ data

• Network Load Balancer

• Disabled by default
• You pay charges ($) for inter AZ data if enabled

• Gateway Load Balancer

• Disabled by default
• You pay charges ($) for inter AZ data if enabled

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Sticky Sessions (Session Affinity)
• It is possible to implement stickiness so that the
same client is always redirected to the same Client 1 Client 2 Client 3
instance behind a load balancer
• This works for Classic Load Balancers &
Application Load Balancers
• The “cookie” used for stickiness has an
expiration date you control
• Use case: make sure the user doesn’t lose his
session data
• Enabling stickiness may bring imbalance to the
load over the backend EC2 instances
EC2 Instance EC2 Instance

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Request Routing Algorithms – Least
Outstanding Requests
• The next instance to receive the request is the instance that has the lowest number
of pending/unfinished requests
• Works with Application Load Balancer and Classic Load Balancer (HTTP/HTTPS)

EC2 Instance
ALB

EC2 Instance

CLB
(HTTP/HTTPS Listener)
EC2 Instance

Registered Instances
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Request Routing Algorithms – Round Robin
• Equally choose the targets from the target group
• Works with Application Load Balancer and Classic Load Balancer
(TCP)

EC2 Instance
ALB

--- OR ---
EC2 Instance

CLB (TCP Listener) EC2 Instance

Target Group (ALB) /
Registered Instances (CLB)
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Request Routing Algorithms – Flow Hash
• Selects a target based on the protocol, source/destination IP address,
source/destination port, and TCP sequence number
• Each TCP/UDP connection is routed to a single target for the life of the connection
• Works with Network Load Balancer

Protocol
Source & destination IP EC2 Instance
Source & destination Port Hash
TCP sequence no. Flow Hash 8743b…
Algorithm
EC2 Instance

Network Load Balancer

EC2 Instance

Target Group
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
API Gateway – Overview
REST API PROXY REQUESTS CRUD

Amazon API AWS Amazon

client Gateway Lambda DynamoDB

• Helps expose Lambda, HTTP & AWS Services as an API

• API versioning, authorization, traffic management (API keys, throttles),
huge scale, serverless, req/resp transformations, OpenAPI spec, CORS

• Limits to know:
• 29 seconds timeout
• 10 MB max payload size

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
API Gateway – Deployment Stages
• API changes are deployed to “Stages” (as many as you want)
• Use the naming you like for stages (dev, test, prod)
• Stages can be rolled back as a history of deployments is kept
PROD Alias
Prod Stage 95%
V1

5%
TEST Alias
Test Stage
V2
100%

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
API Gateway – Integrations
• HTTP
• Expose HTTP endpoints in the backend
• Example: internal HTTP API on premise, Application Load Balancer…
• Why? Add rate limiting, caching, user authentications, API keys, etc…
• Lambda Function
• Invoke Lambda function
• Easy way to expose REST API backed by AWS Lambda
• AWS Service
• Expose any AWS API through the API Gateway?
• Example: start an AWS Step Function workflow, post a message to SQS
• Why? Add authentication, deploy publicly, rate control…

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Solution Architecture Discussion:
API Gateway in front of S3
• You will be impacted by the 10 MB payload size limit
Client I want to upload a file proxy
Application

• Better architecture:
I want to upload a file invoke
Client
Application
Forward URL Return URL

Generate pre-signed URL

Upload to S3 using the pre-signed URL

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
API Gateway - Endpoint Types
• Edge-Optimized (default): For global clients
• Requests are routed through the CloudFront Edge locations (improves latency)
• The API Gateway still lives in only one region
• Regional:
• For clients within the same region
• Could manually combine with CloudFront (more control over the caching
strategies and the distribution)
• Private:
• Can only be accessed from your VPC using an interface VPC endpoint (ENI)
• Use a resource policy to define access

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Caching API responses
Client
• Caching reduces the number of calls made to the
backend
• Default TTL (time to live) is 300 seconds
(min: 0s, max: 3600s)
• Caches are defined per stage Check
• Possible to override cache settings per method API cache
Gateway
• Clients can invalidate the cache with header: Gateway
cache
Cache-Control: max-age=0 (with proper IAM
authorization)
• Able to flush the entire cache (invalidate it) If cache miss
immediately
• Cache encryption option backend
• Cache capacity between 0.5GB to 237GB

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
API Gateway - Errors
• 4xx means Client errors
• 400: Bad Request
• 403: Access Denied, WAF filtered
• 429: Quota exceeded, Throttle

• 5xx means Server errors

• 502: Bad Gateway Exception, usually for an incompatible output returned from a
Lambda proxy integration backend and occasionally for out-of-order invocations due to
heavy loads.
• 503: Service Unavailable Exception
• 504: Integration Failure – ex Endpoint Request Timed-out Exception
API Gateway requests time out after 29 second maximum

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
API Gateway – Security
• Load SSL certificates and use Route53 to define a CNAME
• Resource Policy (~S3 Bucket Policy):
• control who can access the API
• Users from AWS accounts, IP or CIDR blocks, VPC or VPC Endpoints
• IAM Execution Roles for API Gateway at the API level
• To invoke a Lambda Function, an AWS service…
• CORS (Cross-origin resource sharing):
• Browser based security
• Control which domains can call your API

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
API Gateway – Authentication
• IAM based access (AWS_IAM)
• Good for providing access within your Client
infrastructure
• Pass IAM credentials in headers through Sig V4 Authentication
+ get token
• Lambda Authorizer (formerly Custom
Authorizer) Pass token
• Use Lambda to verify a custom OAuth / SAML /
3rd party authentication
API Gateway
• Cognito User Pools
• Client authenticates with Cognito Cognito User Pools Pass identity
• Client passes the token to API Gateway
• API Gateway knows out-of-the-box how to verify
to token
Backend

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
API Gateway – Logging, Monitoring, Tracing
• CloudWatch Logs:
• Enable CloudWatch logging at the Stage level (with Log Level – ERROR, INFO)
• Can log full requests / responses data
• Can send API Gateway Access Logs (customizable)
• Can send logs directly into Kinesis Data Firehose (as an alternative to CW logs)
• CloudWatch Metrics:
• Metrics are by stage, possibility to enable detailed metrics
• IntegrationLatency, Latency, CacheHitCount, CacheMissCount
• X-Ray:
• Enable tracing to get extra information about requests in API Gateway
• X-Ray API Gateway + AWS Lambda gives you the full picture

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
API Gateway – Usage Plans & API Keys
• If you want to make an API available as an offering ($) to your customers
• Usage Plan:
• who can access one or more deployed API stages and methods
• how much and how fast they can access them
• uses API keys to identify API clients and meter access
• configure throttling limits and quota limits that are enforced on individual client
• API Keys:
• alphanumeric string values to distribute to your customers
• Ex: WBjHxNtoAb4WPKBC7cGm64CBibIb24b4jt8jJHo9
• Can use with usage plans to control access
• Throttling limits are applied to the API keys
• Quotas limits is the overall number of maximum requests
• 429 Too Many Requests:
• Account level throttling across all APIs in a region
• Clients must implement retry mechanisms
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
API Gateway – WebSocket API – Overview
CHAT APPLICATION Client 1
• What’s WebSocket?
• Two-way interactive communication Persistent connection
between a user’s browser and a server
• Server can push information to the client WebSocket API
• This enables stateful application use cases API Gateway
• WebSocket APIs are often used in real-
time applications such as chat
applications, collaboration platforms,
multiplayer games, and financial trading
platforms.
Lambda function Lambda function Lambda function
• Works with AWS Services (Lambda, (onConnect) (sendMessage) (onDisconnect)
DynamoDB) or HTTP endpoints

Amazon DynamoDB
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Server to Client Messaging
@connections used for replies to clients
WebSocket URL
wss://abcdef.execute-api.us-west-1.amazonaws.com/dev

send message
invoke
connectionId connectionId
Clients Lambda function
Amazon API Gateway Amazon DynamoDB
WebSocket API (sendMessage)

Connection URL HTTP POST (IAM Sig v4)

callback
Connection URL
wss://abcdef.execute-api.us-west-1.amazonaws.com/dev/@connections/connectionId

• Can only be accessed from your VPC by using Resource Private

an VPC Interface Endpoint Policy API Gateway

• Each VPC Interface Endpoint can be used to

access multiple Private APIs
VPC

• API Gateway Resource Policy Private Subnet - B

• Allow or deny access to API from selected VPCs

Endpoint
and VPC Endpoints, including across AWS accounts Policy
Interface Endpoint

• aws:SourceVpc and aws:SourceVpce

EC2 Instance

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS AppSync - Overview
• AppSync is a managed service that uses GraphQL
• GraphQL makes it easy for applications to get exactly the data they
need.
• This includes combining data from one or more sources
• NoSQL data stores, Relational databases, HTTP APIs…
• Integrates with DynamoDB, Aurora, Elasticsearch & others
• Custom sources with AWS Lambda
• Retrieve data in real-time with WebSocket or MQTT on WebSocket
• For mobile apps: local data access & data synchronization
• It all starts with uploading one GraphQL schema

Mobile apps AppSync GraphQL Schema Aurora

Resolvers
Real-time
dashboards ElasticSearch
Service
Offline Sync

Lambda Anything

CloudWatch HTTP Public

Metrics & Logs HTTP APIs

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AppSync – Cognito Integration Client
authenticate

• Perform authorization on Cognito users JWT

based on the groups they belong to token

• In the GraphQL schema, you can specify authorize

the security for Cognito groups

AppSync Cognito

Resolver

IAM Permission

DynamoDB
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Route 53 – Record Types
• A – maps a hostname to IPv4
• AAAA – maps a hostname to IPv6
• CNAME – maps a hostname to another hostname
• The target is a domain name which must have an A or AAAA record
• Can’t create a CNAME record for the top node of a DNS namespace (Zone
Apex)
• Example: you can’t create for example.com, but you can create for
www.example.com
• NS – Name Servers for the Hosted Zone
• Control how traffic is routed for a domain

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Route 53 – Diagram for A record
example.com?
Amazon
Route 53
54.22.33.44
Client

AWS Cloud

Public IP
54.22.33.44

EC2 Instance

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Route 53 – CNAME vs. Alias
• AWS Resources (Load Balancer, CloudFront...) expose an AWS hostname:
• lb1-1234.us-east-2.elb.amazonaws.com and you want myapp.mydomain.com

• CNAME:
• Points a hostname to any other hostname. (app.mydomain.com => blabla.anything.com)
• ONLY FOR NON ROOT DOMAIN (aka. something.mydomain.com)
• Alias:
• Points a hostname to an AWS Resource (app.mydomain.com => blabla.amazonaws.com)
• Works for ROOT DOMAIN and NON ROOT DOMAIN (aka mydomain.com)
• Free of charge
• Native health check

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Route 53 – Alias Records Targets
• Elastic Load Balancers
• CloudFront Distributions Elastic Amazon Amazon
• API Gateway Load Balancer CloudFront API Gateway

• Elastic Beanstalk environments

• S3 Websites
• VPC Interface Endpoints Elastic Beanstalk S3 Websites VPC Interface
Endpoints
• Global Accelerator accelerator
• Route 53 record in the same hosted zone
Global Accelerator Route 53 Record
(same Hosted Zone)
• You cannot set an ALIAS record for an EC2 DNS name

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Route 53 – Records TTL (Time To Live)
• High TTL – e.g., 24 hr
• Less traffic on Route 53 equest
D NS R le.com
?
p
• Possibly outdated records myapp
.exa m

• Low TTL – e.g., 60 sec. A 1 2 .3 4.56.7

TL)
8 Amazon
• More traffic on Route 53 ($$) (with T Route 53
TTL
• Records are outdated for less HT T
P Re
time Client ques
t
Will cache the result for HT T
• Easy to change records The TTL of the record
P Re
spon
se

• Except for Alias records,

TTL is mandatory for each
DNS record Web Server

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Routing Policies – Simple
Single Value
• Typically, route traffic to a single foo.example.com
resource A 11.22.33.44

• Can’t be associated with Health Client

Amazon
Checks Route 53

• Can specify multiple values in the Multiple Value

same record foo.example.com

• If multiple values are returned, a

random one is chosen by the client Client
A 11.22.33.44
A 55.66.77.88
A 99.11.22.33
Amazon
chooses
a random value Route 53

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Routing Policies – Weighted
• Control the % of the requests that go to
each specific resource
% Weight: 70
70
• Can be associated with Health Checks
• Use cases: load balancing between regions,
testing new application versions…
20%

Amazon Weight: 20
Route 53
10
%

Weight: 10
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Routing Policies – Latency-based
• Redirect to the resource that
has the least latency close to us
• Super helpful when latency for
users is a priority
• Latency is based on traffic
between users and AWS
Regions
ALB
• Germany users may be (us-east-1)
directed to the US (if that’s the
lowest latency) ALB
(ap-southeast-1)
• Can be associated with Health
Checks (has a failover
capability)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Routing Policies – Failover (Active-Passive)

EC2 Instance
Health Check (Primary)
(mandatory)
DNS Requests
Failover
Client
Amazon
Route 53

EC2 Instance
(Secondary – Disaster Recovery)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Routing Policies – Geolocation
A 11.22.33.44
• Different from Latency-based!
• This routing is based on user location
• Specify location by Continent, Country
or by US State (if there’s overlapping,
most precise location selected) Default
A 99.11.22.33
• Should create a “Default” record (in
case there’s no match on location)
• Use cases: website localization, restrict
content distribution, load balancing, …
• Can be associated with Health Checks
A 55.66.77.88

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Routing Policies – Geoproximity
• Route traffic to your resources based on the geographic location of users and
resources
• Ability to shift more traffic to resources based on the defined bias
• To change the size of the geographic region, specify bias values:
• To expand (1 to 99) – more traffic to the resource
• To shrink (-1 to -99) – less traffic to the resource

• Resources can be:

• AWS resources (specify AWS region)
• Non-AWS resources (specify Latitude and Longitude)
• You must use Route 53 Traffic Flow to use this feature

us-west-1 us-east-1
Bias: 0 Bias: 0

us-west-1 us-east-1
Bias: 0 Bias: 50

Higher bias in us-east-1

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Route 53 – Traffic flow
• Simplify the process of creating and
maintaining records in large and
complex configurations
• Visual editor to manage complex
routing decision trees
• Configurations can be saved as
Traffic Flow Policy
• Can be applied to different Route 53
Hosted Zones (different domain
names)
• Supports versioning

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Routing Policies – Multi-Value
• Use when routing traffic to multiple resources
• Route 53 return multiple values/resources
• Can be associated with Health Checks (return only values for healthy resources)
• Up to 8 healthy records are returned for each Multi-Value query
• Multi-Value is not a substitute for having an ELB

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Routing Policies – IP-based Routing
User B User A
• Routing is based on clients’ IP addresses (200.5.4.100) (203.0.113.56)

• You provide a list of CIDRs for your clients

and the corresponding endpoints/locations Route 53
(user-IP-to-endpoint mappings) CIDR Collection
• Use cases: Optimize performance, reduce Locations CIDR blocks
location-1 203.0.113.0/24
network costs… location-2 200.5.4.0/24

• Example: route end users from a particular Records

ISP to a specific endpoint Record Name

example.com
Value
1.2.3.4
IP-based
location-1
example.com 5.6.7.8 location-2

EC2 Instance EC2 Instance

(5.6.7.8) (1.2.3.4)
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Route 53 – Hosted Zones
• A container for records that define how to route traffic to a domain and
its subdomains

• Public Hosted Zones – contains records that specify how to route

traffic on the Internet (public domain names)
application1.mypublicdomain.com
• Private Hosted Zones – contain records that specify how you route
traffic within one or more VPCs (private domain names)
application1.company.internal

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Route 53 – Public vs. Private Hosted Zones
Public Hosted Zone Private Hosted Zone

example.com?

VPC
54.22.33.44
Client Private Hosted Zone
Public Hosted Zone

db.example.internal?
al?
ern

10.0.0.35
.int

.10
pl e
DB Instance

0
am

.0.
VPC

10
i.ex
(db.example.internal)

ap
(Private IP)

S3 Bucket Amazon EC2 Instance Application EC2 Instance EC2 Instance

CloudFront (Public IP) Load Balancer (webapp.example.internal) (api.example.internal)
(Private IP) (Private IP)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Route 53 – Good to Know
• For internal private DNS (Private Hosted Zone), you must enable the VPC
settings enableDnsHostnames and enableDnsSupport

• DNS Security Extensions (DNSSEC)

• A protocol for securing DNS traffic, verifies DNS data integrity and origin
• Protects against Man in the Middle (MITM) attacks
• Route 53 supports both DNSSEC for Domain Registeration and DNSSEC Signing
• Works only with Public Hosted Zones

• Route 53 with 3rd Registrar

• You can buy the domain out of AWS and use Route 53 as the DNS provider
• Update the NS records on the 3rd party Registrar

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Route 53 – Health Checks
Amazon Route 53
DNS Record
• HTTP Health Checks are only for public (latency, geoproximity, …)
resources
• Health Check => Automated DNS Failover: Health Check Health Check
1. Health checks that monitor an endpoint
(application, server, other AWS resource)
2. Health checks that monitor other health us-east-1 eu-west-1
checks (Calculated Health Checks)
3. Health checks that monitor CloudWatch
Alarms (full control !!) – e.g., throttles of ALB ALB
DynamoDB, alarms on RDS, custom metrics,
… (helpful for private resources)
Auto Scaling group Auto Scaling group

• Health Checks are integrated with CW

metrics EC2 Instance EC2 Instance

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Route 53 – Calculated Health Checks
Amazon Route 53
• Combine the results of multiple Health
Checks into a single Health Check
Health Check
• You can use OR, AND, or NOT (Parent)

• Can monitor up to 256 Child Health Checks

• Specify how many of the health checks need
to pass to make the parent pass
Health Check Health Check Health Check
• Usage: perform maintenance to your website (Child) (Child) (Child)

without causing all health checks to fail

monitor monitor monitor

EC2 Instance EC2 Instance EC2 Instance

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Health Checks – Monitor an Endpoint
Health Checker Health Checker Health Checker
(us-east-1) (us-west-1) (sa-east-1)

• About 15 global health checkers will check

HT /hea
the endpoint health

to
TP lth
20

req
0c

ue
• Health Checks pass only when the

st
e
endpoint responds with the 2xx and 3xx eu-west-1
Must allow incoming
status codes requests from Route 53
Health Checkers IP
• Health Checks can be setup to pass / fail ALB
address range

based on the text in the first 5120 bytes

of the response Auto Scaling group

EC2 Instance

https://ip-ranges.amazonaws.com/ip-ranges.json
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Health Checks – Private Hosted Zones
• Route 53 health checkers are outside the
VPC
VPC
• They can’t access private endpoints Private subnet

(private VPC or on-premises resource)

Health Checker
(us-east-1)

• You can create a CloudWatch Metric monitor

and associate a CloudWatch Alarm, then

create a Health Check that checks the monitor

alarm itself CloudWatch

Alarm

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Health Checks Solution Architecture
RDS multi-region failover
Option 1:
HTTP call
RDS Main /health-db route
us-east-1 Health check
Option 2:
CW Alarm
Async replication
CW Alarm linked to Health Check

RDS Read Replica Promote Read Replicas trigger CW Event linked to CW Alarm
us-west-2 (Or SNS topic)

Update DNS

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Route 53 – Hybrid DNS
• By default, Route 53 Resolver
automatically answers DNS queries for: Public Name Server
• Local domain names for EC2 instances
• Records in Private Hosted Zones
• Records in public Name Servers Region

• Hybrid DNS – resolving DNS queries VPC

between VPC (Route 53 Resolver) and Private Hosted Zone
your networks (other DNS Resolvers)
• Networks can be: Route 53
• VPC itself / Peered VPC Resolver EC2 Instance
(ec2-192-0-2-44.compute-1.amazonaws.com)
• On-premises Network (connected through
Direct Connect or AWS VPN)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Route 53 – Resolver Endpoints
• Inbound Endpoint
• DNS Resolvers on your network can forward DNS queries to Route 53 Resolver
• Allows your DNS Resolvers to resolve domain names for AWS resources (e.g., EC2
instances) and records in Route 53 Private Hosted Zones

• Outbound Endpoint
• Route 53 Resolver conditionally forwards DNS queries to your DNS Resolvers
• Use Resolver Rules to forward DNS queries to your DNS Resolvers

• Associated with one or more VPCs in the same AWS Region

• Create in two AZs for high availability
• Each Endpoint supports 10,000 queries per second per IP address

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Route 53 – Resolver Inbound Endpoints
us-east-1 On-Premises Data Center
Private Hosted Zone
(aws.private) Domain Name Forward To
VPC
aws.private 10.0.0.10
10.0.1.10
Private Subnet 1

kup S Quer y ?
loo DN private
ENI . aws.
EC2 Instance app
(IP: 10.0.0.10) DNS Resolvers
(app.aws.private) (onpremise.private)

Private Subnet 2 DNS Query

Route 53 Resolver app.aws.private?
Inbound Endpoint
Resolver VPN or DX connection
(IP: x.x.x.2) ENI
(IP: 10.0.1.10)
Server
(web.onpremise.private)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Route 53 – Resolver Outbound Endpoints
us-east-1
Private Hosted Zone On-Premises Data Center
(aws.private)
VPC
Forwarding Rules
Private Subnet 1 IP: 172.16.0.10
Domain Name Target IP
ry ? onprem.private 172.16.0.10 y
S Que rivate N S Quer vate?
DN em.p D i
r ENI p rem.pr
b. onp EC2 Instance (IP: 10.0.0.20) web.
on
DNS Resolvers
we
(app.aws.private) (onprem.private)

Private Subnet 2
Route 53 Resolver
Outbound Endpoint
Resolver VPN or DX connection
(IP: x.x.x.2) ENI or
(IP: 10.0.1.20) NAT Gateway
Server
(web.onprem.private)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Route 53 – Resolver Rules Resolver
Outbound Endpoint
• Control which DNS queries are forwarded to DNS Resolvers on
your network
• Conditional Forwarding Rules (Forwarding Rules) Forwarding Rules
• Forward DNS queries for a specified domain and all its subdomains to
target IP addresses Domain Name Target IP
• System Rules example.com 172.16.0.10
• Selectively overriding the behavior defined in Forwarding Rules (e.g., don’t acme.example.com 172.16.0.10
forward DNS queries for a subdomain acme.example.com)
• Auto-defined System Rules overrides System Rules
• Defines how DNS queries for selected domains are resolved (e.g., AWS
internal domain names, Privated Hosted Zones) Domain Name

• If multiple rules matched, Route 53 Resolver chooses the most acme.example.com

specific match
• Resolver Rules can be shared across accounts using AWS RAM Auto-defined System Rules
• Manage them centrally in one account Domain Name
• Send DNS queries from multiple VPC to the target IP defined in the rule compute.amazonaws.com
ec2.internal

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Global Accelerator
• Leverage the AWS internal
network to route to your
application
• 2 Anycast IP are created for your America Edge location Europe
application
• The Anycast IP send traffic directly
to Edge Locations Private AWS
Public ALB
• The Edge locations send the traffic
Australia India
to your application

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Global Accelerator
• Works with Elastic IP, EC2 instances, ALB, NLB, public or private
• Supports Client IP Address Preservation except EIPs endpoints
• Consistent Performance
• Intelligent routing to lowest latency and fast regional failover
• No issue with client cache (because the IP doesn’t change)
• Internal AWS network
• Health Checks
• Global Accelerator performs a health check of your applications
• Helps make your application global (failover less than 1 minute for unhealthy)
• Great for disaster recovery (thanks to the health checks)
• Security
• only 2 external IP need to be whitelisted
• DDoS protection thanks to AWS Shield

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Global Accelerator vs CloudFront
• They both use the AWS global network and its edge locations around the world
• Both services integrate with AWS Shield for DDoS protection.

• CloudFront
• Improves performance for both cacheable content (such as images and videos)
• Dynamic content (such as API acceleration and dynamic site delivery)
• Content is served at the edge

• Global Accelerator
• Improves performance for a wide range of applications over TCP or UDP
• Proxying packets at the edge to applications running in one or more AWS Regions.
• Good fit for non-HTTP use cases, such as gaming (UDP), IoT (MQTT), or Voice over IP
• Good for HTTP use cases that require static IP addresses
• Good for HTTP use cases that required deterministic, fast regional failover

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Solution Architecture Comparisons
• EC2 on its own with Elastic IP
• EC2 with Route53
• ALB + ASG
• ALB + ECS on EC2
• ALB + ECS on Fargate
• ALB + Lambda
• API Gateway + Lambda
• API Gateway + AWS Service
• API Gateway + HTTP backend (ex: ALB)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
EC2 with Elastic IP
Elastic IP Address
• Quick failover
Access instance using • The client should not
Public IP (Elastic IP
see the change
happen
User
• Helpful if the client
Public EC2 needs to resolve by
static Public IP
address
• Does not scale
Move Elastic IP • Cheap
In case of DR

Standby Instance

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Stateless web app - scaling horizontally
DNS Query
A Record Public EC2 instance,
TTL 1 hour No Elastic IP

DNS Query • “DNS-based load

A Record balancing”
TTL 1 hour • Ability to use multiple
instances
• Route53 TTL implies
client may get outdated
information
• Clients must have logic to
deal with hostname
resolution failures
• Adding an instance may
not receive full traffic
right away due to DNS
TTL

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
ALB + ASG
DNS Query
• Scales well, classic architecture
Auto Scaling group
Alias Record • New instances are in service right away.
Availability zone 1
TTL 1 hour • Users are not sent to instances that are
out-of-service
• Time to scale is slow (EC2 instance
Availability zone 1 to 3 startup + bootstrap) – AMI can help
• ALB is elastic but can’t handle sudden,
huge peak of demand (pre-warm)
Availability zone 2
• Could lose a few requests if instances
are overloaded
• CloudWatch used for scaling
ALB + • Cross-Zone balancing for even traffic
Health Checks distribution
+ Multi AZ Availability zone 3

• Target utilization should be between

40% and 70%

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
ALB + ECS on EC2 (backed by ASG)
DNS Query Auto Scaling group + ECS • Same properties as ALB +
Alias Record
TTL 1 hour Availability zone 1 ASG
• Application is run on
Availability zone 1 to 3 Docker
• ASG + ECS allows to have
Availability zone 2
dynamic por t mappings
• Tough to orchestrate ECS
ALB + service auto-scaling + ASG
Health Checks
+ Multi AZ Availability zone 3
auto-scaling

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
ALB + ECS on Fargate
DNS Query Fargate + Service Auto Scaling • Application is run on
Alias Record
TTL 1 hour Availability zone 1 Docker
• Service Auto Scaling is easy
• Time to be in-service is
quick (no need to launch an
Availability zone 2
EC2 instance in advance)
• Still limited by the ALB in
case of sudden peaks
Availability zone 3 • “serverless” application tier
• “managed” load balancer

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
ALB + Lambda
DNS Query • Limited to Lambda’s runtimes
Alias Record • Seamless scaling thanks to
TTL 1 hour Lambda
• Simple way to expose
Lambda functions as HTTP/S
without all the features from
API Gateway
• Can combine with WAF
(Web Application Firewall)
ALB • Good for hybrid
microservices
• Example: use ECS for some
requests, use Lambda for
others

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
API Gateway + Lambda
• Pay per request, seamless scaling,
fully serverless
• Soft limits: 10000/s API Gateway,
1000 concurrent Lambda
• API Gateway features:
Amazon API AWS authentication, rate limiting,
client
Gateway Lambda caching, etc…
• Lambda Cold Start time may
increase latency for some
requests
• Fully integrated with X-Ray

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
API Gateway + AWS Service (as a proxy)
OK
• Lower latency, cheaper
PUT
• Not using Lambda concurrent
capacity, no custom code
AWS
Amazon API SQS
client
Gateway
Lambda
• Expose AWS APIs securely
BETTER through API Gateway
• SQS, SNS, Step Functions…
• Remember API Gateway has a
client Amazon API SQS payload limit of 10 MB (can be
Gateway
a problem for S3 proxy)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
API Gateway + HTTP backend (ex: ALB)
• Use API Gateway features on
top of custom HTTP backend
(authentication, rate control,
API keys, caching…)

client Amazon API

Gateway HTTP Server
(ex: ALB, on-prem)
• Can connect to…
• on-premises service
• Application Load Balancer
• 3rd party HTTP service

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Outposts
• Hybrid Cloud: businesses that keep an on-
premises infrastructure alongside a cloud
infrastructure
• Therefore, two ways of dealing with IT systems: AWS Corporate
• One for the AWS cloud (using the AWS console, Cloud data center
CLI, and AWS APIs)
• One for their on-premises infrastructure On-prem
servers
• AWS Outposts are “server racks” that offers the
same AWS infrastructure, services, APIs & tools
to build your own applications on-premises just as Extension of Outposts
in the cloud AWS services Racks

• AWS will setup and manage “Outposts Racks”

within your on-premises infrastructure and you
can start leveraging AWS services on-premises
• You are responsible for the Outposts Rack
physical security

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Outposts
• Benefits:
• Low-latency access to on-premises systems
• Local data processing
• Data residency
• Easier migration from on-premises to the cloud
• Fully managed service
• Some services that work on Outposts:

Amazon EC2 Amazon EBS Amazon S3 Amazon EKS Amazon ECS Amazon RDS Amazon EMR

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
S3 on AWS Outposts
• Use S3 APIs to store and retrieve data locally on AWS Outposts
• Keeping data close to on-premises applications
• Reduce data transfers to AWS Regions
• S3 Storage Class named S3 Outposts
• Default encryption using SSE-S3 VPC

EC2 Instance

S3 on Outposts S3 Access Point

sync sync

S3 on Outposts DataSync Amazon S3

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS WaveLength
• WaveLength Zones are infrastructure deployments
embedded within the telecommunications providers’ Region
datacenters at the edge of the 5G networks
• Brings AWS services to the edge of the 5G networks Availability Zone 1 Availability Zone 2

• Example: EC2, EBS, VPC…

• Ultra-low latency applications through 5G networks
• Traffic doesn’t leave the Communication Service
Provider’s (CSP) network
• High-bandwidth and secure connection to the parent WaveLength Zone
AWS Region
• No additional charges or service agreements
• Use cases: Smart Cities, ML-assisted diagnostics,
Connected Vehicles, Interactive Live Video Streams, AR/VR, Carrier
Gateway
Real-time Gaming, …
Telecom carrier
5G network
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Local Zones
• Places AWS compute, storage, database, Region us-east-1
and other selected AWS services closer
to end users to run latency-sensitive Availability Zone 1 Availability Zone 2

applications VPC
Private Subnet Private Subnet
• Extend your VPC to more locations –
“Extension of an AWS Region”
• Compatible with EC2, RDS, ECS, EBS,
ElastiCache, Direct Connect …
• Example: Local Zone (Boston)
• AWS Region: N. Virginia (us-east-1) Private Subnet
• AWS Local Zones: Boston, Chicago, Dallas,
Houston, Miami, …

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
EBS
• Network drive you attach to
ONE instance only US-EAST-1A
• Linked to a specific availability
zone (transfer: snapshot =>
restore)
• Volumes can be resized

• Make sure you choose an

instance type that is EBS
optimized to enjoy maximum EBS EBS EBS
throughput (10 GB) (100 GB) (50 GB)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
EBS Volume Types
• EBS Volumes come in 6 types
• gp2 / gp3 (SSD): General purpose SSD volume that balances price and performance for
a wide variety of workloads
• io1 / io2 Block Express: Highest-performance SSD volume for mission-critical low-
latency or high-throughput workloads
• st1 (HDD): Low cost HDD volume designed for frequently accessed, throughput-
intensive workloads
• sc1 (HDD): Lowest cost HDD volume designed for less frequently accessed workloads

• EBS Volumes are characterized in Size | Throughput | IOPS (I/O Ops Per Sec)
• When in doubt always consult the AWS documentation – it’s good!
• Only gp2/gp3 and io1/io2 can be used as boot volumes

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
EBS Snapshots
• Incremental – only backup changed blocks
• EBS backups use IO, and you shouldn’t run them while your application is
handling a lot of traffic
• Snapshots will be stored in S3 (but you won’t directly see them)
• Not necessary to detach volume to do snapshot, but recommended
• Can copy snapshots across region (for DR)
• Can make Image (AMI) from Snapshot
• EBS volumes restored by snapshots need to be pre-warmed (use the Fast
Snapshot Restore FSR feature or fio/dd command to read the entire volume)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon Data Lifecycle Manager
Tags
• Automate the creation, retention, and deletion Key Value
of EBS snapshots and EBS-backed AMIs Environment Prod

Tags
• Schedule backups, cross-account snapshot EC2 Instance
Key Value
copies, delete outdated backups, … Environment Prod

• Uses resource tags to identify the resources

(EC2 instances, EBS volumes) EBS Volume EBS Volumes
• Can’t be used to manage snapshots/AMIs
created outside DLM
Amazon Data
• Can’t be used to manage instance-store backed Lifecycle Manager
AMIs

© Stephane Maarek
Snapshots AMI
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon Data Lifecycle Manager vs. AWS Backup

• Use Data Lifecycle Manager

• when you want to automate the creation, retention, and deletion of
EBS Snapshots

• Use AWS Backup

• to manage and monitor backups across the AWS services you use,
including EBS volumes, from a single place

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
EBS Encryption – Account level setting
• New Amazon EBS
volumes aren’t
encrypted by default
• There’s an account-level
setting to encrypt
automatically new EBS
volumes and Snapshots
• This setting needs to be
enabled on a per-region
basis

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
EBS Multi-Attach – io1/io2 family
• Attach the same EBS volume to multiple
EC2 instances in the same AZ Availability Zone 1
• Each instance has full read & write
permissions to the volume
• Use case:
• Achieve higher application availability in
clustered Linux applications (ex: Teradata)
• Applications must manage concurrent write
operations
• Must use a file system that’s cluster-aware
(not XFS, EXT4, etc…) io2 volume with Multi-Attach

• Physical disk attached to the

physical server where your EC2
is
• Very High IOPS (because physical)
• Disks up to 7.5 TiB (can change
over time), stripped to reach 60
TiB (can change over time…)
• Block Storage (just like EBS)
• Cannot be increased in size
• Risk of data loss if hardware fails

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Instance Store vs EBS
• Instance store is physically attached to the machine (ephemeral storage)
• EBS is a network drive (persistent)
• Pros:
• Better I/O performance (EBS gp2 has a max IOPS of 16000, io1 of 64000, io2
Block Express of 256000)
• Good for buffer / cache / scratch data / temporary content
• Data survives reboots
• Cons:
• On stop or termination, the instance store is lost
• You can’t resize the instance store
• Backups must be operated by the user

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
EFS – Elastic File System
• Managed NFS (network file system) that can be mounted on many EC2
• EFS works with EC2 instances in multi-AZ, & on–premises (DX & VPN)
• Highly available, scalable, expensive (3x gp2), pay per GB used
us-east-1a us-east-1b us-east-1c

EC2 Instances EC2 Instances EC2 Instances

Security Group

EFS FileSystem

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
EFS – Elastic File System
• Use cases: content management, web serving, data sharing, WordPress
• Compatible with Linux based AMI (not Windows), POSIX-compliant
• Uses NFSv4.1 protocol
• Uses security group to control access to EFS
• Encryption at rest using KMS

• POSIX file system (~Linux) that has a standard file API

• File system scales automatically, pay-per-use, no capacity planning!

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
EFS – Performance & Storage Classes
• EFS Scale
• 1000s of concurrent NFS clients, 10 GB+ /s throughput
• Grow to Petabyte-scale network file system, automatically
• Performance Mode (set at EFS creation time)
• General Purpose (default) – latency-sensitive use cases (web server, CMS, etc…)
• Max I/O – higher latency, throughput, highly parallel (big data, media processing)
• Throughput Mode
• Bursting – 1 TB = 50MiB/s + burst of up to 100MiB/s
• Provisioned – set your throughput regardless of storage size, ex: 1 GiB/s for 1 TB storage
• Elastic – automatically scales throughput up or down based on your workloads
• Up to 3GiB/s for reads and 1GiB/s for writes
• Used for unpredictable workloads

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
EFS – Storage Classes
• Storage Tiers (lifecycle management feature –
move file after N days)
• Standard: for frequently accessed files
• Infrequent access (EFS-IA): cost to retrieve files, lower
price to store.
• Archive: rarely accessed data (few times each year), 50%
cheaper no access
for 60 days
• Implement lifecycle policies to move files between storage
tiers EFS Standard

• Availability and durability move Lifecycle Policy

• Standard: Multi-AZ, great for prod
• One Zone: One AZ, great for dev, backup enabled by
default, compatible with IA (EFS One Zone-IA)

• Over 90% in cost savings EFS IA

Amazon EFS File System

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
EFS - On-premises & VPC Peering
AWS Cloud
Redundancy in DX / DX
or DX / VPN
VPC VPC

NFS Mount Target by IPv4

(not DNS) Amazon EFS
ENI
Direct Connect
OR / AND ENI
VPC
Site-to-Site VPN ENI peering EC2
On-premises Server

Redundancy in mount target

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
EFS – Access Points Developers
Analytics
Users/Groups Users/Groups

• Easily manage applications access to NFS

environments / = /data / = /config
Permissions
• Enforce a POSIX user and group to use
when accessing the file system Access Point 2
UID: 1002
Access Point 1
UID: 1001

• Restrict access to a directory within the GID: 1002

Path: /data
GID: 1001
Path: /config

file system and optionally specify a

different root directory /
• Can restrict access from NFS clients using
IAM policies
/data /secret /config

EFS File System

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
EFS – File System Policies
• Resource-based policy to control access to EFS File Systems (same as S3
bucket policy)
• By default, it grants full access to all clients

Grant Read & Write Access to A specific IAM User

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
EFS – Cross-Region Replication
• Replicate objects in an EFS file system to us-east-1 (Source)

another AWS Region

• Setup for new or existing EFS file systems
EFS File System
• Provides RPO and RTO of minutes
• Doesn’t affect the provisioned throughput of the replication
EFS file system
• Use cases: meet your compliance and business eu-west-2 (Destination)
continuity goals

EFS File System

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
S3 – Overview
• Object storage, serverless, unlimited storage, pay-as-you-go
• Good to store static content (image, video files)
• Access objects by key, no indexing facility
• Not a filesystem, cannot be mounted natively on EC2

• Anti patterns:
• Lots of small files
• POSIX file system (use EFS instead), file locks
• Search features, queries, rapidly changing data
• Website with dynamic content

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
S3 Storage Classes Comparison
Intelligent- Glacier Instant Glacier Flexible Glacier Deep
Standard Standard-IA One Zone-IA
Tiering Retrieval Retrieval Archive

Durability 99.999999999% == (11 9’s)

Availability 99.99% 99.9% 99.9% 99.5% 99.9% 99.99% 99.99%

Availability
>= 3 >= 3 >= 3 1 >= 3 >= 3 >= 3
Zones

Min. Storage
None None 30 Days 30 Days 90 Days 90 Days 180 Days
Duration Charge

Min. Billable
None None 128 KB 128 KB 128 KB 40 KB 40 KB
Object Size

Retrieval Fee None None Per GB retrieved Per GB retrieved Per GB retrieved Per GB retrieved Per GB retrieved

• You can transition objects between tiers (or delete) using S3 Lifecycle Policies
https://aws.amazon.com/s3/storage-classes/
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
S3 – Replication (Versioning enabled)
• Cross Region Replication (CRR) us-east-1 (Source)

• Same Region Replication (SRR)

S3 Bucket
• Combine with Lifecycle Rules
S3 replication

• Helpful to reduce latency, disaster recovery, security S3 Replication (with S3 RTC)

us-west-2 (Destination)
• S3 Replication Time Control (S3 RTC)
• Replicates most objects that you upload to Amazon S3 in S3 Bucket
seconds, and 99.99% of those objects within 15 minutes
Lifecycle Rule to Transition
• Helpful for compliance, DR, etc..

S3 Glacier
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
S3 Event Notifications
• S3:ObjectCreated, S3:ObjectRemoved,
S3:ObjectRestore, S3:Replication…
SNS
• Object name filtering possible (*.jpg)
• Use case: generate thumbnails of images
uploaded to S3 events
• Can create as many “S3 events” as desired
Amazon S3 SQS

• S3 event notifications typically deliver events

in seconds but can sometimes take a minute
or longer
Lambda Function

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
S3 Event Notifications
with Amazon EventBridge
events All events rules Over 18
AWS services
as destinations
Amazon S3 Amazon
bucket EventBridge

• Advanced filtering options with JSON rules (metadata, object size,

name...)
• Multiple Destinations – ex Step Functions, Kinesis Streams / Firehose…
• EventBridge Capabilities – Archive, Replay Events, Reliable delivery

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
S3 – Baseline Performance
• Amazon S3 automatically scales to high request rates, latency 100-200 ms
• Your application can achieve at least 3,500 PUT/COPY/POST/DELETE or
5,500 GET/HEAD requests per second per prefix in a bucket.
• There are no limits to the number of prefixes in a bucket.
• Example (object path => prefix):
• bucket/folder1/sub1/file => /folder1/sub1/
• bucket/folder1/sub2/file => /folder1/sub2/
• bucket/1/file => /1/
• bucket/2/file => /2/
• If you spread reads across all four prefixes evenly, you can achieve 22,000
requests per second for GET and HEAD

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
S3 Performance
• Multi-Par t upload: • S3 Transfer Acceleration
• recommended for files > 100MB, • Increase transfer speed by transferring
must use for files > 5GB file to an AWS edge location which will
• Can help parallelize uploads (speed forward the data to the S3 bucket in the
up transfers) target region
• Compatible with multi-part upload
Divide Parallel uploads
In parts
Fast Fast
(public www) (private AWS)
File in USA Edge Location S3 Bucket
Amazon S3 USA Australia
BIG file

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
S3 Performance – S3 Byte-Range Fetches
• Parallelize GETs by requesting specific
byte ranges
• Better resilience in case of failures
Can be used to retrieve only partial
Can be used to speed up downloads data (for example the head of a file)

File in S3 File in S3

Byte-range request for header

(first XX bytes)
Part 1 Part 2 … Part N header

Requests in parallel

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
S3 Multi-Part Upload – Remove Incomplete Parts
S3 Bucket
Parallel Uploads

BIG file ds
…
loa
t-up
ar
… -mu
l t i p
S3 Lifecycle Policy
li st
api
s s3 Incomplete
aw Multi-Part Upload
Use AWS CLI to Use Lifecycle Policy to
List Incomplete abort & delete Incomplete
User
Multi-part Uploads Multi-part Uploads after X days

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
S3 Analytics – Storage Class Analysis
• May be seen as “Storage Class Analysis” at the exam
S3 Bucket
• Help you decide when to transition objects to the
right storage class
• Recommendations for Standard and Standard IA
• Does NOT work for One-Zone IA or Glacier
• Report is updated daily Storage Class
Analysis
• 24 to 48 hours to start seeing data analysis
• Visualize data in Amazon QuickSight .csv report

• Good first step to put together Lifecycle Rules (or Date StorageClass ObjectAge
improve them)! 8/22/2022 STANDARD 000-014
8/25/2022 STANDARD 030-044
9/6/2022 STANDARD 120-149

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
S3 – Storage Lens
• Understand, analyze, and optimize storage across entire AWS Organization
• Discover anomalies, identify cost efficiencies, and apply data protection best
practices across entire AWS Organization (30 days usage & activity metrics)
• Aggregate data for Organization, specific accounts, regions, buckets, or prefixes
• Default dashboard or create your own dashboards
• Can be configured to export metrics daily to an S3 bucket (CSV, Parquet)
Organization
Summary Insights
Accounts
Data Protection
S3 Storage Lens Regions
Cost Efficiency
Buckets

Configure Aggregate Analyze Optimize

(Dashboard)
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Storage Lens – Default Dashboard
• Visualize summarized insights and trends for both free and advanced metrics
• Default dashboard shows Multi-Region and Multi-Account data
• Preconfigured by Amazon S3
• Can’t be deleted, but can be disabled

https://aws.amazon.com/blogs/aws/s3-storage-lens/

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Storage Lens – Metrics
• Summary Metrics
• General insights about your S3 storage
• StorageBytes, ObjectCount…
• Use cases: identify the fastest-growing (or not used) buckets and prefixes

• Cost-Optimization Metrics
• Provide insights to manage and optimize your storage costs
• NonCurrentVersionStorageBytes, IncompleteMultipartUploadStorageBytes…
• Use cases: identify buckets with incomplete multipart uploaded older than 7
days, Identify which objects could be transitioned to lower-cost storage class

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Storage Lens – Metrics
• Data-Protection Metrics
• Provide insights for data protection features
• VersioningEnabledBucketCount, MFADeleteEnabledBucketCount, SSEKMSEnabledBucketCount,
CrossRegionReplicationRuleCount…
• Use cases: identify buckets that aren’t following data-protection best practices

• Access-management Metrics
• Provide insights for S3 Object Ownership
• ObjectOwnershipBucketOwnerEnforcedBucketCount…
• Use cases: identify which Object Ownership settings your buckets use

• Event Metrics
• Provide insights for S3 Event Notifications
• EventNotificationEnabledBucketCount (identify which buckets have S3 Event Notifications
configured)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Storage Lens – Metrics
• Performance Metrics
• Provide insights for S3 Transfer Acceleration
• TransferAccelerationEnabledBucketCount (identify which buckets have S3 Transfer
Acceleration enabled)

• Activity Metrics
• Provide insights about how your storage is requested
• AllRequests, GetRequests, PutRequests, ListRequests, BytesDownloaded…

• Detailed Status Code Metrics

• Provide insights for HTTP status codes
• 200OKStatusCount, 403ForbiddenErrorCount, 404NotFoundErrorCount…

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Storage Lens – Free vs. Paid
• Free Metrics
• Automatically available for all customers
• Contains around 28 usage metrics
• Data is available for queries for 14 days

• Advanced Metrics and Recommendations

• Additional paid metrics and features
• Advanced Metrics – Activity, Advanced Cost
Optimization, Advanced Data Protection, Status
Code
• CloudWatch Publishing – Access metrics in
CloudWatch without additional charges
• Prefix Aggregation – Collect metrics at the
prefix level
• Data is available for queries for 15 months

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
S3 Solution Architecture ASG
Exposing Static Objects

EC2 Instance Store

CloudFront ALB EFS

CloudFront S3
CloudFront EC2 EBS

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
S3 Solution Architecture
Indexing objects in DynamoDB

writes

Amazon S3 Lambda Function DynamoDB Table

API for object metadata

- Search by date
- Total storage used by a customer
- List of all objects with certain attributes
- Find all objects uploaded within a date range

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Solution Architecture on AWS
Dynamic vs Static Content Caching / Session Layer
DAX & DynamoDB
DNS Layer
Route 53 Dynamic Content (REST, HTTP server):
ALB + EC2
API Gateway + Lambda

Database Layer
Dynamic DynamoDB

CDN Layer upload

CloudFront index
Static content
Static events Lambda
Function

Pre-signed URL Static Assets Layer

S3
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon FSx – Overview
• Launch 3rd par ty high-performance file systems on AWS
• Fully managed service

FSx for Lustre FSx for

NetApp ONTAP

FSx for Windows FSx for

File Server OpenZFS

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon FSx for Windows (File Server)
• FSx for Windows is a fully managed Windows file system share drive
• Supports SMB protocol & Windows NTFS
• Microsoft Active Directory integration, ACLs, user quotas
• Can be mounted on Linux EC2 instances
• Supports Microsoft's Distributed File System (DFS) Namespaces (group files across multiple FS)

• Scale up to 10s of GB/s, millions of IOPS, 100s PB of data

• Storage Options:
• SSD – latency sensitive workloads (databases, media processing, data analytics, …)
• HDD – broad spectrum of workloads (home directory, CMS, …)
• Can be accessed from your on-premises infrastructure (VPN or Direct Connect)
• Can be configured to be Multi-AZ (high availability)
• Data is backed-up daily to S3

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon FSx for Lustre
• Lustre is a type of parallel distributed file system, for large-scale computing
• The name Lustre is derived from “Linux” and “cluster

• Machine Learning, High Performance Computing (HPC)

• Video Processing, Financial Modeling, Electronic Design Automation
• Scales up to 100s GB/s, millions of IOPS, sub-ms latencies
• Storage Options:
• SSD – low-latency, IOPS intensive workloads, small & random file operations
• HDD – throughput-intensive workloads, large & sequential file operations
• Seamless integration with S3
• Can “read S3” as a file system (through FSx)
• Can write the output of the computations back to S3 (through FSx)
• Can be used from on-premises servers (VPN or Direct Connect)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
FSx Lustre - File System Deployment Options
Region
• Scratch File System Availability Zone 1 Availability Zone 2
ENI
• Temporary storage Compute Compute
instances instances
• Data is not replicated (doesn’t persist if file
server fails)
• High burst (6x faster, 200MBps per TiB) FSx For Lustre S3 bucket
• Usage: short-term processing, optimize (Scratch file system) (optional data repository)
costs
Region
• Persistent File System Availability Zone 1 Availability Zone 2
• Long-term storage Compute
ENI
Compute
• Data is replicated within same AZ instances instances

• Replace failed files within minutes

• Usage: long-term processing, sensitive data FSx For Lustre S3 bucket
(Persistent file system) (optional data repository)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon FSx for NetApp ONTAP
• Managed NetApp ONTAP on AWS
• File System compatible with NFS, SMB, iSCSI
protocol Amazon FSx for
NetApp ONTAP FS
• Move workloads running on ONTAP or NAS to AWS
• Works with:
• Linux NFS, SMB, iSCSI
• Windows
• MacOS
• VMware Cloud on AWS
• Amazon Workspaces & AppStream 2.0
• Amazon EC2, ECS and EKS
• Storage shrinks or grows automatically EC2 ECS EKS
• Snapshots, replication, low-cost, compression and data
de-duplication
• Point-in-time instantaneous cloning (helpful for
testing new workloads) VMware Cloud Amazon Amazon On-premises
on AWS AppStream 2.0 WorkSpaces Server

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon FSx for OpenZFS
• Managed OpenZFS file system on AWS
• File System compatible with NFS (v3, v4, v4.1, v4.2) Amazon FSx
• Move workloads running on ZFS to AWS for OpenZFS
• Works with:
• Linux
• Windows NFS (v3, v4, v4.1, v4.2)
• MacOS
• VMware Cloud on AWS
• Amazon Workspaces & AppStream 2.0
• Amazon EC2, ECS and EKS
• Up to 1,000,000 IOPS with < 0.5ms latency EC2 ECS EKS

• Snapshots, compression and low-cost

• Point-in-time instantaneous cloning (helpful for
testing new workloads) Amazon On-premises
VMware Cloud Amazon
on AWS AppStream 2.0 WorkSpaces Server

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
FSx – Solution Architecture
Migration from Single AZ to Multi AZ

FSx for Windows AWS DataSync FSx for Windows

File Server File Server
(Single AZ) (Multi-AZ)

backup restore

FSx for Windows Backup FSx for Windows

File Server File Server
(Single AZ) (Multi-AZ)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
FSx – Solution Architecture
Decrease FSx Volume Size
• If you take a backup, you can only restore to a same size
• You can only increase the amount of storage capacity for a file system;
you cannot decrease storage capacity.
• Instead, create a new FSx (smaller), use DataSync to sync data and then
migrate your app over

FSx for Window AWS DataSync FSx for Window

File Server File Server
(2TB) (1TB)

Application
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
FSx for Lustre – Data Lazy Loading
• Any data processing job on Lustre with S3 as
an input data source can be started without
Lustre doing a full download of the dataset
first
• Data is lazy loaded: only the data that is
actually processed is loaded, meaning you can Amazon FSx
decrease your costs and latency for Lustre

• Data is also loaded only once, therefore you Data stored in S3 bucket
reduce your requests on Amazon S3 is loaded to Amazon FSx
for Processing

S3 Bucket

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS DataSync
• Move large amount of data to and from
• On-premises / other cloud to AWS (NFS, SMB, HDFS, S3 API…) – needs agent
• AWS to AWS (different storage services) – no agent needed
• Can synchronize to:
• Amazon S3 (any storage classes – including Glacier)
• Amazon EFS
• Amazon FSx (Windows, Lustre, NetApp, OpenZFS...)
• Replication tasks can be scheduled hourly, daily, weekly
• File permissions and metadata are preserved (NFS POSIX, SMB…)
• One agent task can use 10 Gbps, can setup a bandwidth limit

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS DataSync
NFS / SMB to AWS (S3, EFS, FSx…)
Region
On-Premises
AWS Storage Resources

NFS or SMB TLS S3 Standard S3 Intelligent- S3 Standard-IA

Tiering

NFS or SMB AWS DataSync AWS S3 One S3 Glacier S3 Glacier

Server Agent Zone-IA Deep Archive
DataSync

AWS Snowcone
(agent pre-installed) AWS EFS Amazon FSx

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS DataSync
Transfer between AWS storage services

Amazon S3 Amazon S3

Amazon EFS Amazon EFS

AWS DataSync
copy data and metadata
between AWS Storage Services

Amazon FSx Amazon FSx

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS DataSync
Private VIF through Direct Connect

AWS Cloud
Public VIF
Corporate
Data Center VPC
Private VIF

DataSync Agent Direct Connect PrivateLink Interface AWS

VPC Endpoint DataSync

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Data Exchange
• Find, subscribe to, and use third-party data in the cloud
• Reuters, who curate data from over 2.2 million unique news stories per year in
multiple languages
• Change Healthcare, who process and anonymize more than 14 billion healthcare
transactions and $1 trillion in claims annually
• Dun & Bradstreet, who maintain a database of more than 330 million global
business records;
• Foursquare, whose location data is derived from 220 million unique consumers
and includes more than 60 million global commercial venues.
• Once subscribed to a data product, you can use the AWS Data
Exchange API to load data directly into Amazon S3 and then analyze it
with a wide variety of AWS analytics and machine learning services

Amazon S3
Amazon SageMaker
AWS Data Exchange

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Data Exchange – Other Products
• AWS Data Exchange for Redshift
• Find and subscribe to third-party data in AWS Data Exchange that you can
query in an Amazon Redshift data warehouse in minutes
• Easily license your data in Amazon Redshift through AWS Data Exchange

• AWS Data Exchange for APIs

• Find and subscribe to third-party APIs with a consistent access using AWS SDKs
• Consistent AWS-native authentication and governance

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Transfer Family
• A fully-managed service for file transfers into and out of Amazon S3 or
Amazon EFS using the FTP protocol
• Supported Protocols
• AWS Transfer for FTP (File Transfer Protocol (FTP))
• AWS Transfer for FTPS (File Transfer Protocol over SSL (FTPS))
• AWS Transfer for SFTP (Secure File Transfer Protocol (SFTP))
• Managed infrastructure, Scalable, Reliable, Highly Available (multi-AZ)
• Pay per provisioned endpoint per hour + data transfers in GB
• Store and manage users’ credentials within the service
• Integrate with existing authentication systems (Microsoft Active Directory,
LDAP, Okta, Amazon Cognito, custom)
• Usage: sharing files, public datasets, CRM, ERP, …

MS Active Directory authenticate

LDAP
… AWS Transfer for SFTP

Amazon S3

AWS Transfer for FTPS IAM Role

Users Route 53
(FTP client) (optional) AWS Transfer for FTP
(only within VPC)

Amazon EFS
AWS Transfer Family

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Transfer Family – Endpoint Types
Public Endpoint VPC Endpoint with Internal Access VPC Endpoint with Internet-facing Access
Internet

Internet VPC
EC2 Instance VPC EC2 Instance

EIP
AWS Cloud

VPN or
Direct Connect VPN or
Direct Connect
Corporate Data Center
• IPs managed by AWS (subject Corporate Data Center
to change, use DNS names)
• Can’t setup allow lists by
source IP addresses
• Static private IPs
• Static private IPs
• Setup allow lists (SGs & NACLs)
• Static public IPs (EIPs)
• Setup Security Groups
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Price of Storage (GB Month)
S3 (GB/Month) EBS (GB/Month) EFS (GB/Month)
Class Price Class Price Class Price
Standard $0.023 io1 $0.125 + $0.065/iops Standard $0.30
Standard IA $0.0125 io2 $0.125 + $0.065/iops One-Zone $0.16
One-Zone IA $0.01 gp2 $0.10 Standard IA $0.025
Intelligent Tiering $0.023 gp3 $0.08 One-Zone IA $0.0133
Glacier Instant Retrieval $0.004 st1 $0.045
Glacier Flexible Retrieval $0.0036 sc1 $0.015
Glacier Deep Arcvhive $0.00099

EFS Standard IA
EBS io2, io1 EBS gp2, gp3 S3 Standard EFS One-Zone IA

expensive cheap
EFS Standard, EBS st1 EBS sc1 S3 Standard IA, etc…
EFS One-Zone

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon CloudFront
• Content Delivery Network (CDN)
• Improves read performance, content is
cached at the edge
• 225+ Point of Presence globally (215+
Edge Locations & 13 Regional Edge
Caches)
• Protect against Network and Application
layer attacks (e.g., DDoS attacks)
• Integration with AWS Shield, AWS WAF, S3 Bucket
and Route 53
• Can expose external HTTPS and can talk Source: https://aws.amazon.com/cloudfront/features/
to internal HTTPS backends
• Supports WebSocket protocol

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CloudFront – Origins
• S3 Bucket
• For distributing files
• Enhanced security with CloudFront Origin Access Control (OAC)
• OAC is replacing Origin Access Identity (OAI)
• CloudFront can be used as an ingress (to upload files to S3)
• S3 Bucket configured as a website
• First, enable Static Website hosting on the bucket
• MediaStore Container & MediaPackage Endpoint
• To deliver Video On Demand (VOD) or live streaming video using AWS Media Services
• Custom Origin (HTTP)
• EC2 instance
• Elastic Load Balancer (CLB or ALB)
• API Gateway (for more control… otherwise use API Gateway Edge)
• Any HTTP backend you want

Public www
Private AWS
Private AWS
Edge Edge
Los Angeles Mumbai

Private AWS Private AWS

Origin (S3 bucket)

Public www OAC
Edge Edge
São Paulo Melbourne

Origin Access Control

+ S3 bucket policy

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CloudFront vs S3 Cross Region Replication
• CloudFront:
• Global Edge network
• Files are cached for a TTL (maybe a day)
• Great for static content that must be available everywhere

• S3 Cross Region Replication:

• Must be setup for each region you want replication to happen
• Files are updated in near real-time
• Read only
• Great for dynamic content that needs to be available at low-latency in few
regions

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CloudFront – EC2 or ALB as an origin
Security group

Allow Public IP of Edge Locations

Edge Location EC2 Instance

Must be Public

Security group Security group

Allow Public IP of Allow Security Group
Edge Locations of Load Balancer

Edge Location Application Load Balancer EC2 Instances

Public IPs Must be Public Can be Private

http://d7uri8nf7uskq.cloudfront.net/tools/list-cloudfront-ips
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CloudFront – Restrict Access to Application
Load Balancers and Custom Origins
• Prevent direct access to your ALB or Custom Origins (only access through CloudFront)
• First, configure CloudFront to add a Custom HTTP Header to requests it sends to the ALB
• Second, configure the ALB to only forward requests that contain that Custom HTTP
Header
• Keep the custom header name and value secret!
Origins
GET /index.html HTTP/1.1
GET /index.html HTTP/1.1 Host: mywebsite.com
X-Custom-Header: djdfhsb12121
Host: mywebsite.com X-Custom-Header: djdfhsb12121
… … forward

.1
Users P/1 Application
T T
l H om EC2 Instances
tm Load Balancer
ex.h site.c
ind eb -- OR --
Edge Location E T / myw
G st:
Ho
… You can also restrict access to
CloudFront Public IP addresses ONLY
https://d7uri8nf7uskq.cloudfront.net/
Custom Origin tools/list-cloudfront-ips

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CloudFront – Origin Groups
• To increase high-availability and do failover
• Origin Group: one primary and one secondary origin
• If the primary origin fails, the second one is used
• Origins can be cross AWS Regions
Amazon Origin Group Amazon Origin Group
CloudFront Send request CloudFront Send request

Responds with error status code Responds with error status code

Origin A (us-east-1) Origin A

Replication
(Primary Origin) (Primary Origin)
Client Client
Try same request Try same request

Responds with OK status code Responds with OK status code

Origin B (eu-west-1) Origin B

Cross-Region High Availability S3 + CloudFront – Region-level High Availability

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CloudFront Geo Restriction
• You can restrict who can access your distribution
• Allow list: Allow your users to access your content only if they're in one of the
countries on a list of approved countries.
• Block list: Prevent your users from accessing your content if they're in one of
the countries on a blacklist of banned countries.

• The “country” is determined using a 3rd party Geo-IP database

• Use case: Copyright Laws to control access to content

• Note: the geo header CloudFront-Viewer-Country is in Lambda@Edge

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CloudFront – Pricing
• CloudFront Edge locations are all around the world
• The cost of data out per edge location varies

lower higher

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CloudFront – Price Classes
• You can reduce the number of edge locations for cost reduction
• Three price classes:
1. Price Class All: all regions – best performance
2. Price Class 200: most regions, but excludes the most expensive regions
3. Price Class 100: only the least expensive regions

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CloudFront - Price Class
Prices Class 100
Prices Class 200
Prices Class All

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CloudFront Signed URL Diagram
• Signed URL with expiration
to control access to content 4. Signed URL Edge Location

in CloudFront Edge Location

Client
Amazon CloudFront

• The Signed URL are

generated by an API call into 1. Authentication +
Authorization
3. Signed URL

CloudFront as a trusted OAC

signer
2. Generate Signed URL
(AWS SDK)

Amazon S3
Application Server

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CloudFront Signed URL vs
S3 Pre-Signed URL
• CloudFront Signed URL: • S3 Pre-Signed URL:
• Allow access to a path, no matter • Issue a request as the person who
the origin pre-signed the URL
• Account wide key-pair, only the root • Uses the IAM key of the signing
can manage it IAM principal
• Can filter by IP, path, date, expiration • Limited lifetime
• Can leverage caching features

Pre-Signed URL
Signed URL Origin
Client
Client
Edge location

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CloudFront – Custom Error Pages
• Return an object to the viewer (e.g., .html) when your origin returns an
HTTP 4xx or 5xx status code to CloudFront
• Use Error Caching Minimum TTL to specify how long CloudFront
caches the custom error pages
request forward

403-forbidden.html
4xx or 5xx error response

Client store in cache

Origin
Cache
(cache origin error responses)
Edge Location
403-fo
rbidde S3 Bucket
n.html
(custom error pages)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CloudFront – Customization At The Edge
• Many modern applications execute some form of the logic at the edge
• Edge Function:
• A code that you write and attach to CloudFront distributions
• Runs close to your users to minimize latency
• Doesn’t have any cache, only to change requests/responses
• CloudFront provides two types: CloudFront Functions & Lambda@Edge
• Use cases:
• Manipulate HTTP requests and responses
• Implement request filtering before reaching your application
• User authentication and authorization
• Generate HTTP responses at the edge
• A/B Testing
• Bot mitigation at the edge
• You don’t have to manage any servers, deployed globally

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CloudFront Functions & Lambda@Edge
Edge Location

CloudFront Functions
Client A

Regional Edge Cache

Edge Location

CloudFront Functions Lambda@Edge Functions

Client B
Origin

Edge Location

CloudFront Functions
Client C

• Lightweight functions written in JavaScript

• For high-scale, latency-sensitive CDN customizations Viewer Viewer
• Sub-ms startup times, millions of requests/second Request Response

• RuN at Edge Locations

• Process-based isolation
• Used to change Viewer requests and responses:
• Viewer Request: after CloudFront receives a request from a CloudFront
viewer
• Viewer Response: before CloudFront forwards the response to Origin Origin
the viewer Request Response
• Native feature of CloudFront (manage code entirely within
CloudFront)

Origin
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CloudFront – Lambda@Edge Client

• Lambda functions written in NodeJS or Python

• Scales to 1000s of requests/second Viewer Viewer
• Runs at the nearest Regional Edge Cache Request Response

• VM-based isolation
• Used to change CloudFront requests and responses:
• Viewer Request – after CloudFront receives a request from a viewer
• Origin Request – before CloudFront forwards the request to the origin CloudFront
• Origin Response – after CloudFront receives the response from the
origin Origin Origin
• Viewer Response – before CloudFront forwards the response to the Request Response
viewer
• Author your functions in one AWS Region (us-east-1), then
CloudFront replicates to its locations
Origin
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CloudFront Functions with Lambda@Edge
CloudFront Functions and Lambda@Edge can be used together

Edge Location Regional Edge Cache

CloudFront Lambda@Edge
Functions Functions

Viewer Request Origin Request

Viewer Response Origin Response

Client Edge Location Regional Edge
Cache
Origin
Cache

NOTE: You can’t combine CloudFront Functions and Lambda@Edge

in viewer events (viewer request & viewer response)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Using Lambda@Edge Only
Use when you need some of the capabilities of Lambda@Edge that aren’t available
with CloudFront Functions (e.g., longer execution time, network access, …)

Edge Location Regional Edge Cache

Lambda@Edge Lambda@Edge
Functions Functions

Viewer Request Origin Request

Viewer Response Origin Response

Client Regional Edge Origin
Cache

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CloudFront Functions vs. Lambda@Edge
CloudFront Functions Lambda@Edge
Runtime Support JavaScript Node.js, Python
Execution Location Edge Locations Regional Edge Caches
CloudFront Triggers - Viewer Request/Response - Viewer Request/Response
- Origin Request/Response
Isolation Process-based VM-based
Max. Execution Time < 1 ms - 5 seconds (viewers triggers)
- 30 seconds (origin triggers)
Max. Memory 2 MB - 128 MB (viewer triggers)
- 10 GB (origin triggers)
Total Package Size 10 KB - 1 MB (viewer triggers)
- 50 MB (origin t
Network Access, File System Access No Yes
Access to the Request Body No Yes
Pricing Free tier available, 1/6th price of @Edge No free tier, charged per request & duration

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CloudFront Functions vs. Lambda@Edge –
Use Cases
CloudFront Functions Lambda@Edge
• Cache key normalization • Longer execution time (several ms)
• Transform request attributes (headers,
cookies, query strings, URL) to create an • Adjustable CPU or memory
optimal Cache Key
• Your code depends on a 3rd
• Header manipulation
• Insert/modify/delete HTTP headers in the
libraries (e.g., AWS SDK to access
request or response other AWS services)
• URL rewrites or redirects • Network access to use external
• Request authentication & authorization services for processing
• Create and validate user-generated
tokens (e.g., JWT) to allow/deny requests • File system access or access to the
body of HTTP requests

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CloudFront Functions vs. Lambda@Edge –
Authentication and Authorization
CloudFront Functions Lambda@Edge

Amazon Amazon
CloudFront CloudFront
request forward request forward

Client Client
Origin Origin

Edge Location Regional

Edge Cache
intercept
check authentication Cognito
intercept
And authorization Or 3rd Party OICD
check authenticaiton
(e.g., validate JWT tokens) and authorization
CloudFront Function

Lambda@Edge Function
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Lambda@Edge: Loading content based on
User-Agent
GET /images/cat-1920-1080.jpg GET /images/cat-1920-1080.jpg
Host: pics.mywebsite.com Amazon Host: pics.mywebsite.com
User-Agent: Mac OS Chrome/96.0.4664.110 User-Agent: Mac OS Chrome/96.0.4664.110
…
CloudFront …

GET /images/cat-1920-1080.jpg
Host: pics.mywebsite.com GET /images/cat-640-320.jpg
User-Agent: iPhone OS Safari/604.1 Host: pics.mywebsite.com
S3 Bucket
… User-Agent: iPhone OS Safari/604.1 (Origin)
Regional …
Edge Cache

Inspect User-Agent HTTP Header Redirect based on Device Type

Lambda@Edge Function
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Lambda@Edge – Global Application
Amazon
CloudFront
dynamic API requests
Client

HTML website Regional Cached Responses

Edge Cache

S3 Bucket query data

(Static Website Hosting)
Lambda@Edge Function
DynamoDB

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Lambda@Edge – Route to Different Origin
us-east-1

S3 Bucket
CloudFront (Origin 1)
Edge Location (Website Hosting Enabled)

1. index.html
S3 Cross-Region
2. If cached, return object 4. Modify Origin
Replication
Users 3. Trigger Origin Request eu-west-2
(Europe) Lambda@Edge function

S3 Bucket
(Origin 2)
(Website Hosting Enabled)

5. Return Object

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon ElastiCache Overview
• The same way RDS is to get managed Relational Databases…
• ElastiCache is to get managed Redis or Memcached
• Caches are in-memory databases with really high performance, low
latency
• Helps reduce load off of databases for read intensive workloads
• Helps make your application stateless
• AWS takes care of OS maintenance / patching, optimizations, setup,
configuration, monitoring, failure recovery and backups
• Using ElastiCache involves heavy application code changes

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
ElastiCache
Solution Architecture - DB Cache
• Applications queries Amazon
ElastiCache, if not ElastiCache
available, get from RDS Cache hit
and store in ElastiCache.
• Helps relieve load in RDS
Cache miss
• Cache must have an application
Read from DB
invalidation strategy to
make sure only the most
current data is used in Write to cache Amazon
there. RDS

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
ElastiCache
Solution Architecture – User Session Store
• User logs into any of the Write session
application application
• The application writes Amazon
the session data into ElastiCache
ElastiCache Retrieve session

User
• The user hits another application
instance of our
application
• The instance retrieves the
data and the user is application
already logged in

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
ElastiCache – Redis vs Memcached
REDIS MEMCACHED
• Multi AZ with Auto-Failover • Multi-node for partitioning of
• Read Replicas to scale reads data (sharding)
and have high availability • Non persistent
• Persistent, Data Durability: • Backup and restore (Serverless)
Append Only File (AOF), • Multi-threaded architecture
backup and restore features

Replication
+
sharding

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Handling Extreme Rates
Compute Layer Redis – < 200 nodes (replica+sharding)
Route 53 ASG, ECS – slow, bootstrap Memcached – 20 nodes (sharding)
(global) Fargate – faster DAX – 10 nodes (primary + replicas)
Lambda – 1000 concurrent Database Layer
RDS, Aurora, ElasticSearch - provisioned
DynamoDB - auto scaling, on-demand
SQS, SNS – unlimited
SQS FIFO – 3000 RPS (with batching)
CloudFront ALB Kinesis – 1 MB/s in, 2 MB/s out per shard
Client
100000 RPS API Gateway – 10000 RPS
EBS – 16k IOPS (gp2), 64k IOPS (io1)
Instance Store – ~M IOPS
EFS – General, Max IO

Cache S3 – 3500 PUT, 5550 GET per prefix /s

CloudFront (edge) KMS limits if encrypted

Caching, TTL, Network, Computation, Cost, Latency

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
DynamoDB – in short
• NoSQL database, fully managed, massive scale (1,000,000 rps)
• Similar to Apache Cassandra (can migrate to DynamoDB)
• No disk space to provision, max object size is 400 KB
• Capacity: provisioned (WCU, RCU, & Auto Scaling) or on-demand
• Supports CRUD (Create Read Update Delete)
• Read: eventually or strong consistency
• Supports transactions across multiple tables (ACID support)
• Backups available, point in time recovery
• Table classes: Standard and Infrequent Access (IA)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
DynamoDB - Basics
• DynamoDB is made of tables
• Each table has a Primary Key (must be decided at creation time)
• Each table can have an infinite number of items (= rows)
• Each item has attributes (can be added over time – can be null)
• Maximum size of a item is 400KB
• Data types supported are:
• Scalar Types: String, Number, Binary, Boolean, Null
• Document Types: List, Map
• Set Types: String Set, Number Set, Binary Set

• Option 1: Par tition Key only (HASH)

user_id First Name Age
• Partition key must be unique for each
item 12broiu45 John 46
dfi7503df Katie 31
• Partition key must be “diverse” so that
the data is distributed Partition key
attributes
(unique)
• Example: user_id for a users table

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
DynamoDB – Primary Keys
• Option 2: Par tition Key + Sor t Key
• The combination must be unique
• Data is grouped by partition key user_id game_id Result
• Sort key == range key 12broiu45 1234 win
• Example: users-games table 12broiu45 3456 lose
• user_id for the partition key Partition key Sort Key attributes
• game_id for the sort key
Partition key

• Example good sor t key: timestamp

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
DynamoDB – Indexes
• Object = partition key + optional sort key + attributes
• LSI – Local Secondary Index
• Keep the same primary key
• Select an alternative sort key
• Must be defined at table creation time
• GSI – Global Secondary Index
• Change the partition key and optional sort sort
• Can be defined after the table is created

• You can only query by PK + sort key on the main table & indexes (≠ RDS)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
DynamoDB – Important Features
• TTL: automatically expire row after a • Global Tables: (cross region
specified epoch date replication)
• Active Active replication, many
• DynamoDB Streams: regions
• react to changes to DynamoDB tables in • Must enable DynamoDB
real time Streams
• Can be read by AWS Lambda, EC2… • Useful for low latency, DR
• 24 hours retention of data purposes

Amazon
OpenSearch replication
CRUD Streams CRUD CRUD

Table Kinesis
Lambda Table Table
us-east-1 ap-southeast-2
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon Kinesis Data Streams for DynamoDB
• You can use Kinesis Data Streams to capture item-level changes in DynamoDB
• Custom and longer data retention period (> 24 hours in DynamoDB Streams)
Kinesis Data
Firehose
Store …
Amazon S3 Redshift OpenSearch

item-level changes

DynamoDB Kinesis Data Real-time computations

Table Streams (filter, aggregate, transform, …)
Kinesis Data Kinesis Data Lambda
Streams Firehose
Kinesis Data
Analytics

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
DynamoDB Solution Architecture
Indexing objects in DynamoDB

writes

Amazon S3 Lambda Function DynamoDB Table

API for object metadata

- Search by date
- Total storage used by a customer
- List of all objects with certain attributes
- Find all objects uploaded within a date range

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
DynamoDB - DAX
• DAX = DynamoDB Accelerator
• Seamless cache for DynamoDB, no application re- applications

write
• Writes go through DAX to DynamoDB
• Micro second latency for cached reads & queries
• Solves the Hot Key problem (too many reads) DAX
• 5 minutes TTL for cache by default
• Up to 10 nodes in the cluster
• Multi AZ (3 nodes minimum recommended for
production)
• Secure (Encryption at rest with KMS, VPC, IAM,
CloudTrail…)
Amazon table table table
DynamoDB

Store Aggregation Result ElastiCache

Client
DynamoDB

DAX
Individual objects cache
Query / Scan cache

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon OpenSearch (ex ElasticSearch)
• New name is Amazon OpenSearch
• ElasticSearch => OpenSearch
• Kibana => OpenSearch Dashboards

• Managed version of OpenSearch (open-source project, fork of ElasticSearch)

• Two modes: Managed cluster or Serverless cluster
• Use cases:
• Log Analytics
• Real Time application monitoring
• Security Analytics
• Full Text Search
• Clickstream Analytics
• Indexing

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
OpenSearch + OS Dashboards + Logstash
• OpenSearch (ex ElasticSearch): provide search and indexing capability

• OpenSearch Dashboards (ex Kibana):

• Provide real-time dashboards on top of the data that sits in OpenSearch
• Alternative to CloudWatch dashboards (more advanced capabilities)

• Logstash:
• Log ingestion mechanism, use the “Logstash Agent”
• Alternative to CloudWatch Logs (you decide on retention and granularity)

DynamoDB Table DynamoDB Stream Lambda Function Amazon OpenSearch

API to search items

API to retrieve items

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
OpenSearch patterns
CloudWatch Logs
Real time

CloudWatch Logs Subscription Filter Lambda Function Amazon OpenSearch

(managed by AWS)

Near Real Time

CloudWatch Logs Subscription Filter Kinesis Data Firehose Amazon OpenSearch

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
RDS
• Engines: PostgreSQL, MySQL, MariaDB, IBM DB2, Oracle, SQL Server
• Managed DB: provisioning, backups, patching, monitoring
• Launched within a VPC, usually in private subnet, control network
access using security groups (important when using Lambda)
• Storage by EBS, can increase volume size with auto-scaling
• Backups: automated with point-in-time recovery. Backups expire
• Snapshots: manual, can make copies of snapshots cross region
• RDS Events: get notified via SNS for events (operations, outages…)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
RDS – Multi AZ & Read Replicas
• Multi-AZ: Standby instance for • Read Replicas: Increase read
throughput. Eventual consistency.
failover in case of outage Can be cross-region
Application
Application
writes reads
writes reads
reads
One DNS name – automatic failover

SYNC ASYNC
replication replication
Standby instance Master Instance
RDS Read Replica RDS Instance
AZ – B AZ – A

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
RDS – Distributing Reads across Replicas
Read Replica 1

25%
+ health check
25% Read Replica 2
requests
25%

Application Amazon 25% Read Replica 3

Route 53
Weighted Record Set

Value Weight
Read Replica 4
Read Replica 1 Endpoint 25%
Read Replica 2 Endpoint 25%
Read Replica 3 Endpoint 25%
Read Replica 4 Endpoint 25%

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
RDS – Security (reminder)
• KMS encryption at rest for underlying EBS volumes / snapshots
• Transparent Data Encryption (TDE) for Oracle and SQL Server
• SSL encryption to RDS is possible for all DB (in-flight)
• IAM authentication for MySQL, PostgreSQL and MariaDB
• Authorization still happens within RDS (not in IAM)
• Can copy an un-encrypted RDS snapshot into an encrypted one
• CloudTrail cannot be used to track queries made within RDS

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
RDS - IAM Authentication
EC2 Security group
• IAM database authentication works with
MariaDB, MySQL and PostgreSQL IAM Role RDS Service
API Call
• You don’t need a password, just an Get Auth Token
authentication token obtained through EC2
IAM & RDS API calls
• Auth token has a lifetime of 15 minutes
SSL encryption
Pass Auth Token
• Benefits:
• Network in/out must be encrypted using SSL RDS Security group
• IAM to centrally manage users instead of DB
• Can leverage IAM Roles and EC2 Instance
profiles for easy integration

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
About RDS for Oracle – Exam Tips
Backups • Real Application Clusters (RAC)
• RDS for Oracle does NOT support RAC
• Use RDS Backups for backups & restore
to Amazon RDS for Oracle • RAC is working on Oracle on EC2
Instances because you have full control
• Use Oracle RMAN (Recovery Manager)
for backups & restore to-non RDS • RDS for Oracle supports Transparent
(RDS not suppor ted) Data Encryption (TDE) to encrypt
data before it’s written to storage
backup restore • DMS works on Oracle RDS
RDS DB Instance RDS Backup RDS DB Instance
on-premises AWS Cloud

backup upload restore replicate/migrate

RDS DB Instance Oracle RMAN S3 Bucket Oracle DB Oracle DB AWS DMS RDS DB Instance
Backup (external) (source) (target)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
About RDS for MySQL
• You can use the native mysqldump to migrate a MySQL RDS DB to non-RDS
• The external MySQL database can run either on-premises in your data center, or
on an Amazon EC2 instance

DB Admin
1. Export using mysqldump 2. Import using mysqldump

AWS Cloud on-premises Data Center

3. Start Replication

RDS MySQL DB MySQL DB Instance

4. Stop Replication
Instance (Source) after completion (Target)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
RDS Proxy for AWS Lambda
Lambda functions
• When using Lambda functions with RDS, it …
opens and maintains a database connection
• This can result in a “TooManyConnections” IAM
Authentication
exception
• With RDS Proxy, you no longer need code VPC
that handles cleaning up idle connections
and managing connection pools Public subnet
• Supports IAM authentication or DB RDS Proxy
authentication, auto-scaling
• The Lambda function must have connectivity
to the Proxy (public proxy => public Private subnet
Lambda, private proxy => Lambda in VPC)
Aurora
DB Cluster

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
RDS Solution Architecture
Cross Region Failover
Option 1:
HTTP call
RDS Main /health-db route
us-east-1 Health check
Option 2:
CW Alarm
Async replication
CW Alarm linked to Health Check

RDS Read Replica Promote Read Replicas trigger CW Event linked to CW Alarm
us-west-2 (Or SNS topic)

Update DNS

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Aurora
• DB Engines: PostgreSQL-compatible & MySQL-compatible
• Storage: automatically grows up to 128 TB, 6 copies of data, multi-AZ
• Read Replicas: up to 15 RR, reader endpoint to access them all
• Cross Region RR: entire database is copied (not select tables)
• Load / Offload data directly from / to S3: efficient use of resources
• Backup, Snapshots & Restore: same as RDS

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Aurora High Availability and Read Scaling
• 6 copies of your data across 3 AZ: AZ 1 AZ 2 AZ 3
• 4 copies out of 6 needed for writes
• 3 copies out of 6 need for reads
• Self healing with peer-to-peer replication
W R
• Storage is striped across 100s of volumes R R R R

• Automated failover for master in less Shared storage Volume

Replication + Self Healing + Auto Expanding
than 30 seconds
• Master + up to 15 Aurora Read
Replicas serve reads
• Support for Cross Region Replication

client

Writer Endpoint Reader Endpoint

Pointing to the master Connection Load Balancing

Auto Scaling

W R R R R R

Shared storage Volume – Auto Expanding

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Aurora Endpoints
• Endpoint = Host Address + Por t

• Cluster Endpoint (Writer Endpoint)

• Connects to the current primary DB instance in the Aurora cluster
• Used for all write operations in the DB cluster (inserts, updates, deletes, and queries)
• Reader Endpoint
• Provides load-balancing for read only connections to all Aurora Replicas in the Aurora cluster
• Used only for read operations (queries)
• Custom Endpoint
• Represents a set on DB instances that you choose in the Aurora cluster
• Used when you want to connect to different subsets of DB instances with different capacities and
configurations (e.g., different DB parameter group)
• Instance Endpoint
• Connects to a specific DB instance in the Aurora cluster
• Used when you want to diagnosis and fine tune a specific DB instance

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Aurora – Custom Endpoints
• Define a subset of Aurora Instances as a Custom Endpoint
• Example: Run analytical queries on specific replicas
• The Reader Endpoint is generally not used after defining Custom Endpoints

Analytical Queries
Queries
Client

Writer Endpoint Reader Endpoint Custom Endpoint

db.r3.large db.r3.large db.r5.2xlarge db.r5.2xlarge

W
R R R R
Shared Storage Volume
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Aurora Logs
Amazon Aurora
• You can monitor the following types
of Aurora MySQL log files:
• Error log …
Log Files
• Slow query log
• General log
• The audit log publish download

• These log files are either downloaded or

published to CloudWatch Logs
User
CloudWatch Logs

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Troubleshooting RDS & Aurora Performance
• Performance Insights: find issues by waits, SQL statements, hosts and users

SQL Statements Users

• CloudWatch Metrics: CPU, Memory, Swap Usage
• Enhanced Monitoring Metrics: at host level, process view, per-second metric
• Slow Query logs

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Aurora Serverless
• Automated database Client
instantiation and auto-
scaling based on actual
usage
Proxy Fleet
• Good for infrequent, (managed by Aurora)
intermittent or
unpredictable workloads
• No capacity planning
needed
• Pay per second, can be
more cost-effective
Shared storage Volume

• Access Aurora Serverless DB with a simple

API endpoint (no JDBC connection needed)
• Secure HTTPS endpoint to run SQL HTTP API Calls
(without DB credentials)
statements
• No persistent DB connections management

transparent
• Users must be granted permissions to Data allow / deny

API and Secrets Manager (where credentials Secrets

are checked) Manager

Aurora
Serverless

Users
Application Lambda RDS Proxy Aurora
Load Balancer Function Primary Instance
(Read & Write)

• Ability to create an additional read-only endpoint that connects to

Aurora Read Replicas only
RDS Proxy
Aurora Primary Instance
Read-only endpoint
(Read & Write)
Lambda read only endpoint
Aurora Read
Functions
Replica 1

Aurora Read
Replica 2
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Global Aurora us-east-1 - PRIMARY region

• Aurora Cross Region Read Replicas

• Useful for disaster recovery
• Simple to put in place
Applications
• Aurora Global Database (recommended) Read / Write
• 1 Primary Region (read / write) replication
• Up to 5 secondary (read-only) regions, replication lag is
less than 1 second eu-west-1 - SECONDARY region

• Up to 16 Read Replicas per secondary region

• Helps for decreasing latency
• Promoting another region (for disaster recovery) has an
RTO of < 1 minute
Applications
• Ability to manage the RPO in Aurora for PostgreSQL Read Only

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Aurora Global – Write Forwarding
• Enables Secondary DB Clusters to
forward SQL statements that eu-central-1
perform write operations to the write
Secondary
Primary DB Cluster Users DB Cluster
(Read only)
• Data is always changed first on the
Primary DB Cluster, then replicated

replication
forward write
to the Secondary DB Clusters
• Primary DB Cluster always has an us-east-2

up-to-date copy of all data Primary

DB Cluster
• Reduces the number of endpoints to
manage

snapshot restore

RDS DB Instance DB Snapshot Aurora DB Instance

New replica promote

RDS DB Instance Aurora Read Replica Aurora DB Instance

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Step Functions
• Build serverless visual workflow to orchestrate your Lambda functions
• Represent flow as a JSON state machine
• Features: sequence, parallel, conditions, timeouts, error handling…
• Maximum execution time of 1 year
• Possibility to implement human approval feature

• If you chain Lambda functions using Step Functions, be mindful of the

added latency to pass the calls.

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Step Function Integrations
• Optimized Integrations
• Can invoke a Lambda function Lambda Batch ECS
• Run an AWS Batch job
• Run an ECS task and wait for it to complete Step Functions
• Insert an item from DynamoDB
• Publish message to SNS, SQS DynamoDB
• Launch an EMR, Glue, or SageMaker jobs
• Launch another Step Function workflow…
• AWS SDK Integrations
SNS SQS
• Access 200+ AWS services from your State
Machine
• Works like standard AWS SDK API call

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Step Functions Workflow Triggers
• You can invoke a Step Function
Workflow (State Machine) using:
AWS Management AWS SDK AWS CLI AWS Lambda
• AWS Management Console Console
• AWS SDK (Star tExecution API call)
• AWS CLI (star t-execution)
• AWS Lambda (Star tExecution API API Gateway EventBridge CodePipeline Step Functions

call)
• API Gateway trigger
• EventBridge
• CodePipeline
• Step Functions
Step Functions
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Step Functions – Sample Projects
• https://console.aws.amazon.com/states/home?region=us-east-
1#/sampleProjects

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Step Functions – Tasks
• Lambda Tasks:
• Invoke a Lambda function
• Activity Tasks:
• Activity worker (HTTP), EC2 Instances, mobile device, on premise DC
• They poll the Step functions service
• Service Tasks:
• Connect to a supported AWS service
• Lambda function, ECS Task, Fargate, DynamoDB, Batch job, SNS topic, SQS queue
• Wait Task:
• To wait for a duration or until a timestamp

• Note: Step Functions does not integrate natively with AWS Mechanical Turk

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Step Functions – Standard vs. Express
Standard Workflows Express Workflows

Maximum duration 1 year. 5 minutes.

Supported execution start rate Over 2,000 per second Over 100,000 per second
Supported state transition rate Over 4,000 per second per account Nearly unlimited
Pricing Priced per state transition. A state transition is Priced by the number of executions you run,
counted each time a step in your execution is their duration, and memory consumption
completed (more expensive) (cheaper)
Execution history Executions can be listed and described with Step Executions can be inspected in CloudWatch
Functions APIs, and visually debugged through Logs by enabling logging on your state
the console. They can also be inspected in machine.
CloudWatch Logs by enabling logging on your
state machine.
Execution semantics Exactly-once workflow execution. At-least-once workflow execution.

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Step Functions – Express Workflow –
Synchronous vs. Asynchronous
• Synchronous Express Workflows
• Wait until the Workflow completes, then return the result
• Examples: orchestrate microservices, handle errors, retries, parallel tasks, …
request start Workflow

result result wait

Users API Gateway Synchronous

Express Workflow
• Asynchronous Express Workflows
• Doesn’t for the Workflow to complete
• Examples: Workflows that don’t require immediate response, messaging, …
request start Workflow

start confirmed start confirmed

Users API Gateway Asynchronous
Express Workflow
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Step Functions – Error Handling
• You can enable error handling, retries, and add alerting to Step Function
State Machine
• Example: set up EventBridge to alert via email if a State Machine
execution fails
1. invoke 2. invoke

3. E
xec
User State Machine u t i on Lambda Function
Fail
u re E
5. S ven
e nd t
Em
ail

4. Trigger (Execution Failure Event)

SNS EventBridge
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Step Functions – Solution Architecture
REST API Call
Service proxy
API Gateway
Lambda
Trigger

EventBridge Step Functions

Trigger DynamoDB

SQS
AWS SDK / CLI

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon SQS
• Serverless, managed queue, integrated with IAM
• Can handle extreme scale, no provisioning required
• Used to decouple services
• Message size of max 256 KB (use a pointer to S3 for large messages)
• Can be read from EC2 (optional ASG), Lambda
• SQS could be used as a write buffer for DynamoDB
• SQS FIFO:
• receive messages in order they were sent
• 300 messages/s without batching, 3000 /s with batching

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon SQS – Dead Letter Queue (DLQ)
Dead Letter
• If a consumer fails to process a message within the Queue
SQS Queue
Visibility Timeout…
the message goes back to the queue!
• We can set a threshold of how many times a message can
go back to the queue
• After the MaximumReceives threshold is exceeded, the
message goes into a Dead Letter Queue (DLQ)
• Useful for debugging!
• DLQ of a FIFO queue must also be a FIFO queue
Consumer
• DLQ of a Standard queue must also be a Standard
queue
Failure
• Make sure to process the messages in the DLQ before loop
they expire:
• Good to set a retention of 14 days in the DLQ

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
SQS DLQ – Redrive to Source
• Feature to help consume Source Dead Letter
messages in the DLQ to SQS Queue Queue
understand what is wrong with Redrive task

them
• When our code is fixed, we can
redrive the messages from the ✅
Manual inspection
DLQ back into the source And debugging
queue (or any other queue) in
batches without writing custom Consumer
code

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
SQS – Solution Architecture
Idempotency
• Messages can be processed twice by consumer (in case of failures, timeouts, etc)
• To hedge against that problem, implement idempotency at the consumer level
• Means the same action done twice by the consumer won’t duplicate the effect

SQS DynamoDB
Poll batch of messages
Long Polling EC2
Consumer

Insert into DynamoDB (not idempotent)

Vs Upsert into DynamoDB (idempotent)
Delete message

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Lambda – Event Source Mapping
SQS & SQS FIFO
• Event Source Mapping will SQS
poll SQS (Long Polling)
• Specify batch size (1-10
messages) POLL RETURN BATCH
• Recommended: Set the
queue visibility timeout to
6x the timeout of your Lambda
Lambda function Event Source Mapping
• To use a DLQ
• set-up on the SQS queue,
not Lambda (DLQ for INVOKE WITH EVENT BATCH
Lambda is only for async
invocations)
• Or use a Lambda destination Lambda Function
for failures

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
SQS - Solution Architecture
Request / Response queue (async)
SQS Request Queue

• Decoupling
• Fault-Tolerance
• Load Balancing
Client Work Processor

SQS Response Queue

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon MQ
• SQS, SNS are “cloud-native” services: proprietary protocols from AWS
• Traditional applications running from on-premises may use open protocols
such as: MQTT, AMQP, STOMP, Openwire, WSS
• When migrating to the cloud, instead of re-engineering the application to
use SQS and SNS, we can use Amazon MQ
• Amazon MQ is a managed message broker service for

• Amazon MQ doesn’t “scale” as much as SQS / SNS

• Amazon MQ runs on servers, can run in Multi-AZ with failover
• Amazon MQ has both queue feature (~SQS) and topic features (~SNS)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon MQ – Re-platform
• IBM MQ, TIBCO EMS, Rabbit MQ, and Apache ActiveMQ can be
migrated to Amazon MQ

https://aws.amazon.com/blogs/compute/migrating-from-ibm-mq-to-amazon-mq-using-a-phased-approach/
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon SNS
• What if you want to send one message to many receivers?
Direct Email Pub / Sub
Email
integration notification notification

Fraud Fraud
Service Service
Buying Buying
Service Service
Shipping Shipping
Service SNS Topic Service

SQS Queue SQS Queue

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon SNS
• The “event producer” only sends message to one SNS topic
• As many “event receivers” (subscriptions) as we want to listen to the SNS topic notifications
• Each subscriber to the topic will get all the messages (note: new feature to filter messages)
• Up to 12,500,000 subscriptions per topic
• 100,000 topics limit
Subscribers

publish SQS Lambda Kinesis Data

Firehose

SNS
HTTP(S) SMS & Emails
Endpoints Mobile Notifications

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
SNS integrates with a lot of AWS services
• Many AWS services can send data directly to SNS for notifications

…
CloudWatch Alarms AWS Budgets Lambda

… publish
Auto Scaling Group S3 Bucket DynamoDB
(Notifications) (Events)
SNS
…
CloudFormation AWS DMS RDS Events
(State Changes) (New Replic)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon SNS – How to publish
• Topic Publish (using the SDK)
• Create a topic
• Create a subscription (or many)
• Publish to the topic

• Direct Publish (for mobile apps SDK)

• Create a platform application
• Create a platform endpoint
• Publish to the platform endpoint
• Works with Google GCM, Apple APNS, Amazon ADM…

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon SNS – Security
• Encryption:
• In-flight encryption using HTTPS API
• At-rest encryption using KMS keys
• Client-side encryption if the client wants to perform encryption/decryption itself

• Access Controls: IAM policies to regulate access to the SNS API

• SNS Access Policies (similar to S3 bucket policies)

• Useful for cross-account access to SNS topics
• Useful for allowing other services ( S3…) to write to an SNS topic

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
SNS + SQS: Fan Out
SQS Queue
Fraud
Service
Buying
Service
Shipping
SNS Topic Service

SQS Queue

• Push once in SNS, receive in all SQS queues that are subscribers
• Fully decoupled, no data loss
• SQS allows for: data persistence, delayed processing and retries of work
• Ability to add more SQS subscribers over time
• Make sure your SQS queue access policy allows for SNS to write
• Cross-Region Delivery: works with SQS Queues in other regions
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Application: S3 Events to multiple queues
• For the same combination of: event type (e.g. object create) and prefix
(e.g. images/) you can only have one S3 Event rule
• If you want to send the same S3 event to many SQS queues, use fan-out
SQS Queues

Fan-out

S3 Object events
created…
SNS Topic
Amazon S3
Lambda Function

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Application: SNS to Amazon S3 through
Kinesis Data Firehose
• SNS can send to Kinesis and therefore we can have the following
solutions architecture:

Buying Amazon S3
Service
SNS Topic Kinesis Data
Firehose
Any supported KDF
Destination

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon SNS – FIFO Topic
• FIFO = First In First Out (ordering of messages in the topic)

Send messages Receive messages Subscribers

Producer
SQS FIFO
4 3 2 1 4 3 2 1

• Similar features as SQS FIFO:

• Ordering by Message Group ID (all messages in the same group are ordered)
• Deduplication using a Deduplication ID or Content Based Deduplication
• Can have SQS Standard and FIFO queues as subscribers
• Limited throughput (same throughput as SQS FIFO)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
SNS FIFO + SQS FIFO: Fan Out
• In case you need fan out + ordering + deduplication

SQS FIFO Queue

Fraud
Service
Buying
Service
Shipping
SNS FIFO Topic Service

SQS FIFO Queue

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
SNS – Message Filtering
• JSON policy used to filter messages sent to SNS topic’s subscriptions
• If a subscription doesn’t have a filter policy, it receives every message
Filter Policy SQS Queue
State: Placed
(Placed orders)
SQS Queue
(Cancelled orders)
Filter Policy
Buying New transaction State: Cancelled Email Subscription
Service (Cancelled orders)
Order: 1036
Product: Pencil SNS Topic Filter Policy
Qty: 4 State: Declined
SQS Queue
State: Placed
(Declined orders)

SQS Queue
(All)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
SNS – Message Delivery Retries
• When a message is delivered to an SNS
subscriber, in case of server-side errors, a
delivery policy is applied
Delivery Immediate retry Pre-backoff Post-backoff
Endpoint type Backoff phase Total attempts
protocols (no delay) phase phase phase

AWS managed Amazon Kinesis 3 times, without 2 times, 1 second 10 times, with 100,000 times, 100,015 times,
endpoints Data Firehose delay apart exponential 20 seconds over 23 days
AWS Lambda backoff, from 1 apart
second to 20
Amazon SQS seconds
Customer SMTP 0 times, without 2 times, 10 10 times, with 38 times, 600 50 attempts, over
managed delay seconds apart exponential seconds (10 6 hours
endpoints backoff, from 10 minutes) apart
seconds to 600
seconds (10
minutes)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
SNS – Custom Delivery Policies
• Only HTTP/S supports custom policies

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
SNS – Dead Letter Queues
• After exhausting the delivery policy, messages that haven’t been delivered are
discarded unless you set a DLQ (Dead Letter Queue)
• DLQ are Amazon SQS queues or Amazon SQS FIFO queues (for SNS FIFO)
• Dead Letter Queues are attached to a subscription (rather than a topic)

Email Subscription

SQS DLQ
SNS Topic
message
HTTP Subscription

SQS DLQ

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon Kinesis Data Streams
• Collect and store streaming data in real-time
Real-time data
Consumers

Application
Amazon Kinesis
Click Streams
Producers Data Streams
Lambda
Applications
IoT devices Amazon
Kinesis Agent Data Firehose

Managed
Metrics & Logs Service for
Apache Flink

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Kinesis Data Streams
• Retention between up to 365 days
• Ability to reprocess (replay) data by consumers
• Data can’t be deleted from Kinesis (until it expires)
• Data up to 1MB (typical use case is lot of “small” real-time data)
• Data ordering guarantee for data with the same “Partition ID”
• At-rest KMS encryption, in-flight HTTPS encryption
• Kinesis Producer Library (KPL) to write an optimized producer application
• Kinesis Client Library (KCL) to write an optimized consumer application

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Kinesis Data Streams – Capacity Modes
• Provisioned mode:
• Choose number of shards
• Each shard gets 1MB/s in (or 1000 records per second)
• Each shard gets 2MB/s out
• Scale manually to increase or decrease the number of shards
• You pay per shard provisioned per hour

• On-demand mode:
• No need to provision or manage the capacity
• Default capacity provisioned (4 MB/s in or 4000 records per second)
• Scales automatically based on observed throughput peak during the last 30 days
• Pay per stream per hour & data in/out per GB

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Kinesis Data Firehose 3rd-party Partner Destinations

Lambda
function Datadog
Applications
Kinesis Data
Data Streams transformation AWS Destinations
Amazon S3
Client Record
Up to 1 MB
Amazon Redshift
Amazon Batch writes (COPY through S3)
SDK CloudWatch
(Logs & Events) Kinesis
Data Firehose Amazon OpenSearch

Kinesis Agent All or Failed data

Custom Destinations
AWS IoT
Producers S3 backup bucket HTTP Endpoint

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Kinesis Data Firehose
• Fully Managed Service, no administration
• Near Real Time (Buffer based on time and size, optionally can be disabled)
• Load data into Redshift / Amazon S3 / OpenSearch / Splunk
• Automatic scaling
• Supports many data formats
• Data Conversions from JSON to Parquet / ORC (only for S3)
• Data Transformation through AWS Lambda (ex: CSV => JSON)
• Supports compression when target is Amazon S3 (GZIP, ZIP, and SNAPPY)
• Only GZIP is the data is further loaded into Redshift
• Pay for the amount of data going through Firehose
• Spark / KCL do not read from KDF

Data Transformation
Several “blueprint” templates available

Delivery
stream output COPY
Source

Amazon S3 Amazon Redshift

Output Bucket

Source Records
Transformation failures
Delivery Failures

Amazon S3
Other bucket

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Firehose Buffer Sizing
• Firehose accumulates records in a buffer
• The buffer is flushed based on time and size rules

• Buffer Size (ex: 32MB): if that buffer size is reached, it’s flushed
• Buffer Time (ex: 2 minutes): if that time is reached, it’s flushed
• Firehose can automatically increase the buffer size to increase throughput

• High throughput => Buffer Size will be hit

• Low throughput => Buffer Time will be hit

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Kinesis Data Streams vs Firehose
• Streams
• Going to write custom code (producer / consumer)
• Real time (~200 ms latency for classic, ~70 ms latency for enhanced fan-out)
• Must manage scaling (shard splitting / merging)
• Data Storage for 1 to 365 days, replay capability, multi consumers
• Use with Lambda to insert data in real-time to OpenSearch (for example)

• Firehose
• Fully managed, send to S3, Splunk, Redshift, OpenSearch
• Serverless data transformations with Lambda
• Near real time
• Automated Scaling
• No data storage

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon Managed Service for Apache Flink
• Previously named: Kinesis Data Analytics for Apache Flink
• Flink (Java, Scala or SQL) is a framework for processing data streams
Kinesis Data
Streams

Amazon MSK
(Apache Kafka) Amazon Managed Service
for Apache Flink
• Run any Apache Flink application on a managed cluster on AWS
• Provisioned compute resources, parallel computation, automatic scaling
• Application backups (implemented as checkpoints and snapshots)
• Use any Apache Flink programming features to transform data
• Important: Flink does not read from Amazon Data Firehose

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Full Data Engineering Pipeline
Real-Time Layer
AWS Lambda

producers

Amazon Kinesis Amazon Kinesis Amazon Kinesis Amazon EC2

Data Streams Data Analytics Data Streams

Amazon S3 Amazon Redshift

producers

Amazon Kinesis Amazon S3 Amazon Kinesis

Data Firehose Data Firehose
Amazon Elasticsearch
Service

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Streaming Architectures
3000 messages of 1 KB per second
Kinesis
• 3 shards: 3MB/s in
Kinesis AWS Lambda • 3 * $0.015/hr = $32.4/mth
Data Streams • Must use KDF for output to S3
DynamoDB
Streams
DynamoDB + Streams
DynamoDB AWS Lambda • 3000 WCU = 3 MB/s
• = $1,450.90 / month
• Storage in DynamoDB
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Comparison Charts
Kinesis Data SQS SQS FIFO SNS DynamoDB S3
Streams
Data Immutable Immutable Immutable Immutable Mutable Mutable

Retention 1-365 days, 1-14 days 1-14 days No retention Infinite or can Infinite, can
export to S3 implement setup lifecycle
using KDF TTL policies
Ordering Per shard No ordering Per group-id No ordering No ordering No ordering

Scalability Provision Soft limit 300 msg/s Soft limit WCU & RCU Infinite
Or 3000 if batch 3500 PUT 5500
shards On-demand GET / prefix
Readers EC2, Lambda, EC2, Lambda EC2, Lambda HTTP, DynamoDB SDK, S3
KDF, KDA, KCL Lambda, Streams Events
(checkpoint) Email, SQS…
Latency KDS (200 ms) Low (10- Low (10- Low (10- Low (10- Low (10-
KDF (1 min) 100ms) 100ms) 100ms) 100ms) 100ms)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon Managed Streaming for Apache
Kafka (Amazon MSK)
• Alternative to Amazon Kinesis
• Fully managed Apache Kafka on AWS
• Allow you to create, update, delete clusters
• MSK creates & manages Kafka brokers nodes & Zookeeper nodes for you
• Deploy the MSK cluster in your VPC, multi-AZ (up to 3 for HA)
• Automatic recovery from common Apache Kafka failures
• Data is stored on EBS volumes for as long as you want
• MSK Serverless
• Run Apache Kafka on MSK without managing the capacity
• MSK automatically provisions resources and scales compute & storage

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Apache Kafka at a high level
EMR
MSK Cluster

Kinesis
S3

on ti
Broker 2

lica
rep
IoT SageMaker
Producers Write to topic Poll from topic Consumers
(your code) (your code)
Broker 1

rep
RDS Kinesis

lica
onti
Etc…
RDS
Broker 3
Etc…

Kinesis Data Streams Amazon MSK

• 1 MB message size limit • 1MB default, configure for higher (ex: 10MB)
• Data Streams with Shards • Kafka Topics with Partitions
• Shard Splitting & Merging • Can only add partitions to a topic
• TLS In-flight encryption • PLAINTEXT or TLS In-flight Encryption
• KMS at-rest encryption • KMS at-rest encryption

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon MSK Consumers
Kinesis Data Analytics
for Apache Flink

AWS Glue
Streaming ETL Jobs
Powered by Apache Spark Streaming

Lambda
Amazon MSK

Applications Running on

Amazon EC2 ECS EKS

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Batch
• Run batch jobs as Docker images
• Two options:
1. Run on AWS Fargate (fully serverless offering)
2. Dynamic provisioning of the instances (EC2 & Spot Instances) – in VPC
• Optimal quantity and type based on volume and requirements
• No need to manage clusters, fully serverless
• You just pay for the underlying resources used
• Example: batch process of images, running thousands of concurrent jobs
• Schedule Batch Jobs using Amazon EventBridge
• Orchestrate Batch Jobs using AWS Step Functions

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Batch – Solution Architecture
metadata
Event Notifications
AWS Batch
AP
Ic
all Amazon
AWS Lambda Amazon ECS DynamoDB

upload retrieve file (API call) EC2 Instance

processed file
User Spot Instance (Spot Fleet)
Amazon S3
AWS Fargate Amazon S3

er
gg
tri
event

Amazon EventBridge
pull Docker images
Amazon ECR

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Batch vs. Lambda
• Lambda:
• Time limit
• Limited runtimes (built in runtimes, or Docker images built for Lambda)
• Limited temporary disk space
• Serverless

• Batch:
• No time limit
• Any runtime as long as it’s packaged as a Docker image
• Rely on EBS / instance store for disk space
• Relies on EC2 (can be managed by AWS) or AWS Fargate

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Batch – Compute Environments
• Managed Compute Environment:
• AWS Batch managed the capacity and instance types within the environment
• You can choose EC2 On-Demand or Spot Instances
• You can choose Fargate On-Demand or Fargate Spot Instances
• You can set a maximum price for Spot Instances
• Launched within your own VPC
• If you launch within your own private subnet, make sure it has access to the ECS service
• Either using a NAT gateway / instance or using VPC Endpoints for ECS

• Unmanaged Compute Environment

• You control and manage EC2 instance configuration, provisioning and scaling

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Batch – Managed Compute Environment
AWS Batch (set min & max vCPU)

Spot Instances

Add jobs Distribute jobs m5.large c5.xlarge r5.2xlarge

…
SDK AWS Batch Job Queue

Automatically created to respond

To increase / decrease in jobs

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Batch – Multi Node Mode
AWS Batch
• Multi Node: large scale, good for HPC
(high performance computing) Submit Job
Launch and manage
• Leverages multiple EC2 / ECS instances at
the same time
• Good for tightly coupled workloads Same Rack
EC2
EC2
EC2
Same AZ main
• Represents a single job, and specified how
many nodes to create for the job Placement
• 1 main node, and many child node. Group:
EC2 EC2 EC2
Cluster
• Does not work with Spot Instances
• Works better if your EC2 launch mode is a
placement group ”cluster”

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon EMR
• EMR stands for “Elastic MapReduce”
• EMR helps creating Hadoop clusters (Big Data) to analyze and process
vast amount of data
• The clusters can be made of hundreds of EC2 instances
• Also supports Apache Spark, HBase, Presto, Flink…
• EMR takes care of all the provisioning and configuration of EC2
• Auto-scaling with CloudWatch
• Use cases: data processing, machine learning, web indexing, big data…

DynamoDB
Read from DynamoDB
EC2 EC2

EMRFS S3 (EMRFS)
(native integration) Permanent Storage
EBS Volume EBS Volume Server-side encryption
(HDFS) (HDFS)
Temporary Storage
VPC – Single AZ

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon EMR – Node types & purchasing
• Master Node: Manage the cluster, coordinate, manage health – long running
• Core Node: Run tasks and store data – long running
• Task Node (optional): Just to run tasks – usually Spot
• Purchasing options:
• On-demand: reliable, predictable, won’t be terminated
• Reserved (min 1 year): cost savings (EMR will automatically use if available)
• Spot Instances: cheaper, can be terminated, less reliable

• Can have long-running cluster, or transient (temporary) cluster

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon EMR – Instance Configuration
• Uniform instance groups: • Instance fleet: select target
select a single instance type capacity, mix instance types and
purchasing options (no Auto
and purchasing option for each Scaling)
node (has auto scaling)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Running Jobs on AWS
Strategy 1: Provision EC2 instance Strategy 3: Reactive Workflow Strategy 5: use Fargate
(long running - CRON jobs) EventBridge
S3 Events
API Gateway
EC2 SQS, SNS
Etc… EventBridge Fargate

Strategy 2: Amazon EventBridge + Lambda Strategy 4: use AWS Batch Strategy 6: Use EMR
(cron) (step execution or cluster)
cron schedule

EventBridge EventBridge Batch EMR

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Glue
• Managed extract, transform, and load (ETL) service
• Useful to prepare and transform data for analytics
• Fully serverless service
Glue ETL
S3 Bucket

Extract Load
Amazon RDS Transform Redshift
Data Warehouse

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Glue Data Catalog
• Glue Data Catalog: catalog of datasets

Glue Jobs (ETL)

Amazon S3 Amazon Athena

Data discovery
Writes Metadata

Amazon RDS AWS Glue

Data Catalog Amazon
AWS Glue
Database Database Redshift
Data Crawler
Spectrum
Amazon DynamoDB

JDBC Tables Tables

(Metadata) (Metadata)
Amazon EMR
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Redshift Overview
• Redshift is based on PostgreSQL, but it’s not used for OLTP
• It’s OLAP – online analytical processing (analytics and data
warehousing)
• 10x better performance than other data warehouses, scale to PBs of data
• Columnar storage of data (instead of row based)
• Massively Parallel Query Execution (MPP)
• Two modes: Provisioned cluster or Serverless cluster
• Has a SQL interface for performing the queries
• BI tools such as AWS Quicksight or Tableau integrate with it

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Redshift Continued…
• Data is loaded from S3, Kinesis Firehose, DynamoDB, DMS…
• Based on node type: up to 100+ nodes, up to 16 TB of space per node
• Can provision multiple nodes, with Multi-AZ only for some clusters
• Leader node: for query planning, results aggregation
• Compute node: for performing the queries, send results to leader
• Backup & Restore, Security VPC / IAM / KMS, Monitoring
• Redshift Enhanced VPC Routing: COPY / UNLOAD goes through VPC
• Redshift is provisioned, so it’s wor th it when you have a sustained usage
(use Athena if the queries are sporadic instead)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Redshift – Snapshots & DR
• Snapshots are point-in-time backups of a cluster, stored internally in S3
• Snapshots are incremental (only what has changed is saved)
• You can restore a snapshot into a new cluster
• Automated: every 8 hours, every 5 GB, or on a schedule. Set
retention
• Manual: snapshot is retained until you delete it

• You can configure Amazon Redshift to automatically copy snapshots

(automated or manual) of a cluster to another AWS Region

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Cross-Region Snapshot Copy for an KMS-
Encrypted Redshift
Source Destination
us-east-1 eu-west-2

Redshift Redshift
copy to
Redshift Snapshot eu-west-2 Redshift Snapshot
(encrypted) (encrypted)

KMS Key - A KMS Key - B

snapshot copy grant

Enables Redshift to perform encryption operations in the destination Region

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Redshift Spectrum Query
SELECT COUNT (*), …
FROM S3.EXT_TABLE
GROUP BY …

JDBC/ODBC

• Query data that is already in Amazon Redshift Cluster

S3 without loading it
Leader Node
• Must have a Redshift cluster
available to star t the query
Compute Nodes
• The query is then submitted
to thousands of Redshift
Spectrum nodes Redshift Spectrum
1 2 …. N

Amazon S3

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Redshift Workload Management (WLM)
• Enables you to flexibly manage queries’
priorities within workloads Admin User
• Example: prevent short, fast-running queries
from getting stuck behind long-running system
short-running
queries
queries queries
Long-running
• Define multiple query queues (Superuser query
queue, User-defined queues)
Amazon Redshift
• Route queries to the appropriate queues at
runtime
• Automatic WLM – queues and resources
managed by Redshift
• Manual WLM – queues and resources
managed by you Superuser Short-running Long-running
Queue Queue Queue
WLM
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Redshift Concurrency Scaling
Users
• Enables you to provide consistently fast
performance with virtually unlimited
concurrent users and queries
• Redshift automatically adds additional
cluster capacity (Concurrency-Scaling
Cluster) to process an increase in
requests Amazon Redshift

• Ability to decide which queries sent to

Redshift Cluster Concurrency-Scaling
the concurrency-Scaling Cluster using Cluster
WLM
Nodes Nodes
• Charged per second …

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
DocumentDB
• Aurora is an “AWS-implementation” of PostgreSQL / MySQL …
• DocumentDB is the same for MongoDB (which is a NoSQL database)
• MongoDB is used to store, query, and index JSON data

• Similar “deployment concepts” as Aurora

• Fully Managed, highly available with replication across 3 AZ
• DocumentDB storage automatically grows in increments of 10GB

• Automatically scales to workloads with millions of requests per seconds

Instance Instance Instance

• Pay for what you use, no upfront costs (replica) (replica) (primary)

• On-demand Instances (per second

2. Database I/O
with minimum of 10 minutes)
3. Database Storage
• Database I/O – amount of I/O used
when read and write (per million I/Os) Database Storage

• Database Storage (per GB/month)

4. Backup Storage
• Backup Storage (per GB/month)

Amazon S3

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon Timestream
• Fully managed, fast, scalable, serverless time series database
• Automatically scales up/down to adjust capacity
• Store and analyze trillions of events per day
• 1000s times faster & 1/10th the cost of relational databases
• Scheduled queries, multi-measure records, SQL compatibility
• Data storage tiering: recent data kept in memory and
historical data kept in a cost-optimized storage
• Built-in time series analytics functions (helps you identify
patterns in your data in near real-time)
• Encryption in transit and at rest

• Use cases: IoT apps, operational applications, real-time

analytics, …

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon Timestream – Architecture
AWS IoT Amazon
QuickSight
Lambda
Kinesis Data
Streams Amazon
SageMaker
Prometheus

Amazon
Timestream
Kinesis Data
Streams
Any JDBC connection

Amazon MSK Kinesis Data Analytics

For Apache Flink

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon Athena
• Serverless query service to analyze data stored in Amazon S3
• Uses standard SQL language to query the files (built on Presto)
load data
• Supports CSV, JSON, ORC, Avro, and Parquet
• Pricing: $5.00 per TB of data scanned
S3 Bucket
• Commonly used with Amazon Quicksight for
reporting/dashboards Query & Analyze

Amazon
• Use cases: Business intelligence / analytics / reporting, analyze & Athena
query VPC Flow Logs, ELB Logs, CloudTrail trails, etc...
• Exam Tip: analyze data in S3 using serverless SQL, use Athena Reporting & Dashboards

Amazon
QuickSight
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon Athena – Performance Improvement
• Use columnar data for cost-savings (less scan)
• Apache Parquet or ORC is recommended
• Huge performance improvement
• Use Glue to convert your data to Parquet or ORC
• Compress data for smaller retrievals (bzip2, gzip, lz4, snappy, zlip, zstd…)
• Partition datasets in S3 for easy querying on virtual columns
• s3://yourBucket/pathToTable
/<PARTITION_COLUMN_NAME>=<VALUE>
/<PARTITION_COLUMN_NAME>=<VALUE>
/<PARTITION_COLUMN_NAME>=<VALUE>
/etc…
• Example: s3://athena-examples/flight/parquet/year=1991/month=1/day=1/
• Use larger files (> 128 MB) to minimize overhead

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon Athena – Federated Query
Amazon
• Allows you to run SQL queries across Athena
data stored in relational, non-relational, S3 Bucket

object, and custom data sources (AWS

Lambda
or on-premises) (Data Source
ElastiCache Connector)
• Uses Data Source Connectors that run
on AWS Lambda to run Federated
Queries (e.g., CloudWatch Logs, DocumentDB
HBase in EMR
DynamoDB, RDS, …)
• Store the results back in Amazon S3
DynamoDB Database
(On-Premises)

Redshift
© Stephane Maarek Aurora SQL Server MySQL
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon QuickSight
• Serverless machine learning-powered business intelligence service to create
interactive dashboards
• Fast, automatically scalable, embeddable, with per-session pricing
• Use cases:
• Business analytics
• Building visualizations
• Perform ad-hoc analysis
• Get business insights using data
• Integrated with RDS, Aurora,
Athena, Redshift, S3…
• In-memory computation using SPICE
engine if data is imported into QuickSight
• Enterprise edition: Possibility to setup
Column-Level security (CLS)
https://aws.amazon.com/quicksight/

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
QuickSight Integrations
Data Sources (AWS Services)

QuickSight On-Premises
Databases (JDBC)
RDS Aurora Redshift

Data Sources (Imports)

Athena S3 OpenSearch

Data Sources (SaaS)

Timestream ELF & CLF

(Log Format)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
QuickSight – Dashboard & Analysis
• Define Users (standard versions) and Groups (enterprise version)
• These users & groups only exist within QuickSight, not IAM !!
• A dashboard…
• is a read-only snapshot of an analysis that you can share
• preserves the configuration of the analysis (filtering, parameters, controls, sort)

• You can share the analysis or the dashboard with Users or Groups
• To share a dashboard, you must first publish it
• Users who see the dashboard can also see the underlying data

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Full Data Engineering Pipeline
Analytics layer
Hadoop / Spark / Hive…

Amazon EMR

Data Warehousing

Redshift /
Redshift Spectrum

Visualization

Amazon QuickSight
Amazon Athena
Serverless

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Big Data Ingestion Pipeline
IoT Devices Pull data

Real-time Ingestion Reporting

Every 1 minute Bucket Bucket
trigger

Amazon Kinesis Data Amazon Kinesis Data Amazon Simple Storage Amazon Simple Queue AWS Lambda Amazon Athena Amazon Simple Storage
Streams Firehose Service (S3) Service Service (S3)
(optional)

AWS Lambda
Amazon QuickSight Amazon Redshift
(not serverless)
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Comparison of warehousing technologies
• EMR
• Need to use Big Data tools such as Apache Hive, Spark
• One long-running cluster, many jobs, with auto-scaling, or one cluster per job?
• Purchasing options – Spot, On Demand, Reserved Instances
• Can access data in DynamoDB and / or S3
• Scratch data on EBS disks (HDFS) and long term storage in S3 (EMRFS)
• Athena
• Simple queries and aggregations, data must live in S3
• Serverless, simple SQL queries, out-of-the-box queries for many services (cost & billing..)
• Audit queries through CloudTrail
• Redshift
• Advanced SQL queries, must provision servers
• Can leverage Redshift Spectrum for serverless queries on S3

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CloudWatch
• CloudWatch Metrics
• Provided by many AWS services
• EC2 standard: 5 minutes, detailed monitoring: 1 minute
• EC2 RAM is not a built-in metric
• Can create custom metrics: standard resolution 1 minute, high resolution 1 sec
• CloudWatch Alarms
• Can trigger actions: EC2 action (reboot, stop, terminate, recover), Auto Scaling, SNS
• Alarm events can be intercepted by Amazon EventBridge
• CloudWatch Dashboards
• Display metrics and alarms
• Can show metrics of multiple regions

Kinesis
CloudWatch Alarm Amazon EventBridge

Step Functions

EC2 Action Auto Scaling SNS SQS Lambda

Stop, Terminate
Reboot, Recover

Lambda
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CloudWatch Synthetics Canary Users

• Configurable script that monitor your APIs, URLs, us-east-1

Websites, …
• Reproduce what your customers do
programmatically to find issues before customers
are impacted Route 53
• Checks the availability and latency of your
endpoints and can store load time data and update monitor
screenshots of the UI DNS record
• Integration with CloudWatch Alarms invoke trigger
• Scripts written in Node.js or Python
• Programmatic access to a headless Google Chrome Lambda CloudWatch CloudWatch
browser Function Alarm Synthetics Canary

• Can run once or on a regular schedule

us-west-2

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CloudWatch Synthetics Canary Blueprints
• Hear tbeat Monitor – load URL, store screenshot and an HTTP archive file
• API Canary – test basic read and write functions of REST APIs
• Broken Link Checker – check all links inside the URL that you are testing
• Visual Monitoring – compare a screenshot taken during a canary run with a
baseline screenshot
• Canary Recorder – used with CloudWatch Synthetics Recorder (record your
actions on a website and automatically generates a script for that)
• GUI Workflow Builder – verifies that actions can be taken on your webpage (e.g.,
test a webpage with a login form)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS CloudWatch Logs - Sources
• SDK, CloudWatch Logs Agent, CloudWatch Unified Agent
• Elastic Beanstalk: collection of logs from application
• ECS: collection from containers
• AWS Lambda: collection from function logs
• VPC Flow Logs: VPC specific logs
• API Gateway
• CloudTrail based on filter
• CloudWatch log agents: for example on EC2 machines
• Route53: Log DNS queries

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CloudWatch Logs
• Log groups: arbitrary name, usually representing an application
• Log stream: instances within application / log files / containers
• Can define log expiration policies (never expire, 30 days, etc..)
• Optional KMS encryption
• CloudWatch Logs can send logs to:
• Amazon S3 (exports)
• Kinesis Data Streams
• Kinesis Data Firehose
• AWS Lambda
• ElasticSearch

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CloudWatch Logs Metric Filter & Insights
• CloudWatch Logs can use filter expressions
• For example, find a specific IP inside of a log
• Or count occurrences of “ERROR” in your logs
• Metric filters can be used to trigger alarms

• CloudWatch Logs Insights can be used to query logs and add queries to
CloudWatch Dashboards

• S3 buckets must be encrypted with

AES-256 (SSE-S3) or SSE-KMS
• Log data can take up to 12 hours to
become available for export
CloudWatch Logs Amazon S3
• The API call is CreateExpor tTask

• Not near-real time or real-time… use

Logs Subscriptions instead

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CloudWatch Logs Subscriptions
Lambda Function Real time
(managed by AWS)

Amazon ES

Near
Real Time

CloudWatch Logs Subscription Filter Kinesis Data Firehose Amazon S3

KDF, KDA, EC2, Lambda…

Lambda Function
(custom) Kinesis Data Streams

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CloudWatch Logs Aggregation
Multi-Account & Multi Region
ACCOUNT A
REGION 1

CloudWatch Logs Subscription Filter

ACCOUNT B Near
REGION 2 Real Time

CloudWatch Logs Subscription Filter Kinesis Data Streams Kinesis Data Firehose Amazon S3

ACCOUNT B
REGION 3

CloudWatch Logs Subscription Filter

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CloudWatch Agent – Integration with SSM
• Install CW Agent using SSM Run Command
SSM Document: AWS-ConfigureAWSPackage SSM
Agent EC2 Instance
Name: AmazonCloudWatchAgent
Run Command

• Install CW Agent using SSM State Manager

SSM Document: AWS-ConfigureAWSPackage SSM
Agent EC2 Instance
Name: AmazonCloudWatchAgent
State Manager
• Configure CW Agent by storing config. in SSM Parameter Store
download CW Agent config. CW
Agent
EC2 Instance

Parameter Store

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon EventBridge
(formerly CloudWatch Events)
• Schedule: Cron jobs (scheduled scripts)
Schedule Every hour Trigger script on Lambda function

• Event Pattern: Event rules to react to a service doing something

IAM Root User Sign in Event SNS Topic with Email Notification

• Trigger Lambda functions, send SQS/SNS messages…

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon EventBridge Rules
Example Destinations
Example Source

Compute
JSON
{
"version": "0", Lambda AWS Batch ECS Task
EC2 Instance CodeBuild "id": "6a7e8feb-b491",

Integration
"detail-type": "EC2 Instance
(ex: Start Instance) (ex: failed build) State-change Notification",
Filter events ….
(optional) }
SQS SNS Kinesis Data
Streams

Maintenance Orchestration
S3 Event Trusted Advisor
(ex: upload object) (ex: new Finding) Amazon
EventBridge
Step CodePipeline CodeBuild
Functions
CloudTrail Schedule or Cron
(any API call) (ex: every 4 hours)

SSM EC2 Actions

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon EventBridge
AWS Services AWS SaaS Custom
Default Partners
Partner Apps Custom
Event Bus Event Bus Event Bus

• Event buses can be accessed by other AWS accounts using Resource-based Policies

• You can archive events (all/filter) sent to an event bus (indefinitely or set period)
• Ability to replay archived events

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon EventBridge – Schema Registry
• EventBridge can analyze the events in
your bus and infer the schema

• The Schema Registry allows you to

generate code for your application, that
will know in advance how data is
structured in the event bus

• Schema can be versioned

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon EventBridge – Resource-based Policy
• Manage permissions for a specific Event Bus
• Example: allow/deny events from another AWS account or AWS region
• Use case: aggregate all events from your AWS Organization in a single AWS
account or AWS region

AWS Account AWS Account

(123456789012) (111122223333)

PutEvents

EventBridge Bus Lambda function

(central-event-bus)
Allow events from another AWS account

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS X-Ray
Visual analysis of our applications

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
X-Ray
• Tracing requests across your microservices (distributed systems)
• Integrations with:
• EC2 – install the X-Ray agent
• ECS – install the X-Ray agent or Docker container
• Lambda
• Beanstalk - agent is automatically installed
• API Gateway – helpful to debug errors (such as 504)

• The X-Ray agent or services need IAM permissions to X-Ray

• Global service
• Show how AWS outages directly impact you
• Show the impact on your resources
• List issues and actions you can do to remediate them
• Will show maintenance events from AWS
• Programmatically accessible through the AWS Health API
• Aggregations across multiple accounts of an AWS Organization
• https://phd.aws.amazon.com/

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Health Event Notifications AWS Personal
Health Dashboard
• Use EventBridge (CloudWatch Events) to trigger
react to changes for AWS Health events in
your AWS account
• Example: receive email notifications when CloudWatch EventBridge
Events
EC2 instances in your AWS account are
scheduled for updates invoke

• Can’t be used to return public events from

the Service Health Dashboard
Lambda SNS SQS Kinesis
• Use cases: send notifications, capture event Data
information, take corrective action, … Streams

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Elastic Beanstalk Overview
• Elastic Beanstalk is a developer centric view of deploying an application
on AWS

• It uses all the component’s we’ve seen before:

EC2, Auto Scaling Group, Elastic Load Balancers, RDS, etc…
• But it’s all in one view that’s easy to make sense of!
• We still have full control over the configuration of each component

• Beanstalk is free but you pay for the underlying instances

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Elastic Beanstalk
• Support for many platforms: • Multicontainer Docker
• Go • Preconfigured Docker
• Java SE
• Java with Tomcat
• .NET on Windows Server with IIS
• Node.js
• PHP
• Python
• Ruby • Beanstalk is great to “Replatform”
• Packer Builder your application from on-premises to
• Single Container Docker the cloud

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Elastic Beanstalk
• Managed service
• Instance configuration / OS is handled by Beanstalk
• Deployment strategy is configurable but performed by Elastic Beanstalk

• Just the application code is the responsibility of the developer

• Three architecture models:

• Single Instance deployment: good for dev
• LB + ASG: great for production or pre-production web applications
• ASG only: great for non-web apps in production (workers, etc..)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Beanstalk Environments
Single Instance High Availability with Load Balancer Worker Tier
Great for dev Great for prod
PUT

SQS Queue
Availability Zone 1 Availability Zone 1 ALB Availability Zone 2
Elastic IP
Auto Scaling Group

EC2 Instance EC2 Instance EC2 Instance

Worker Tier = SQS + EC2

RDS Master RDS Master RDS Standby Auto Scaling Group

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Web Server vs Worker Environment
• If your application performs tasks that are long to complete, offload these tasks to a dedicated
worker environment
• Decoupling your application into two tiers is common
• Example: processing a video, generating a zip file, etc
• You can define periodic tasks in a file cron.yaml

Web Tier = ELB + EC2 Worker Tier = SQS + EC2

requests PUT

ALB
Auto Scaling Group SQS Queue Auto Scaling Group

Environment “blue”
v1
• Not a “direct feature” of Elastic Beanstalk
• Zero downtime and release facility v1
• Create a new “stage” environment and

90
deploy v2 there v1

%
• The new environment (green) can be Web traffic

validated independently and roll back if

Environment “green”
issues v2

%
Amazon Route 53
• Route 53 can be setup using weighted

10
policies to redirect a little bit of traffic to v2
the stage environment
• Using Beanstalk, “swap URLs” (DNS v2
swap) when done with the environment
test
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS CodeDeploy
• We want to deploy our application
automatically to many EC2 instances
• These instances are not managed by v1 v2
Elastic Beanstalk
• There are several ways to handle
deployments using open source v1 v2
tools (Ansible, Terraform, Chef,
Puppet, etc…)
v1 v2
• We can use the managed Service
AWS CodeDeploy
• CodeDeploy can deploy to: v1 v2
EC2, ASG, ECS & Lambda

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CodeDeploy to EC2
• Define how to deploy the
application using
appspec.yml + deployment
v1 v2 v2 v2
strategy

Half
• Will do in-place update to v1 v2 v2 v2
your fleet of EC2 instances

Other Half
• Can use hooks to verify v1 v1 v1 v2

the deployment after each

v1 v1 v1 v2
deployment phase

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CodeDeploy to ASG
ALB
• In place updates:
• Updates current existing EC2
instances Blue/Green deployment

• Instances newly created by an Auto Scaling Group

ASG will also get automated

deployments
• Blue / green deployment:
EC2 Instances EC2 Instances
• A new auto-scaling group is Launch Template v1 Launch Template v2
created (settings are copied)
• Choose how long to keep the
old instances
• Must be using an ELB

CodeDeploy
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CodeDeploy to AWS Lambda
Lambda Alias
CloudWatch
• Traffic Shifting feature Alarm v1
Trigger
• Pre and Post traffic hooks deployment
features to validate deployment (CICD)
Traffic shifting with alias
(before the traffic shift starts
and after it ends) CodeDeploy
v2
• Easy & automated rollback Run tests
using CloudWatch Alarms
• SAM framework natively uses Lambda Function
Pre-Traffic Hook
CodeDeploy
Run tests
Lambda Function
Post-Traffic Hook
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CodeDeploy to ECS
ALB
• Support for Blue/Green deployments
for Amazon ECS and AWS Fargate Blue/Green deployment
Traffic Shifting
• Setup is done within the ECS service
ECS Service
definition
• A new task set is created, and traffic
is re-routed to the new task test. ECS Tasks ECS Tasks
Definition 1 Definition 2
• Then if everything is stable for X
minutes, the old task set is
terminated (so you have time to
notice issues) CodeDeploy
• Supports Canary deployments
(Canary10Percent5Minutes)
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS CloudFormation
• Infrastructure as code (IaC) in AWS
• Portability of stacks across multiple accounts and regions

• Backbone of the Elastic Beanstalk service

• Backbone of the Service Catalog service
• Backbone of the SAM (Serverless Application Model) framework

• Must-know service as a developer / sysops / devops

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Retaining Data on Deletes
• You can put a DeletionPolicy on any resource to control what happens when
the CloudFormation template is deleted
• DeletionPolicy=Retain:
• Specify on resources to preserve / backup in case of CloudFormation deletes
• To keep a resource, specify Retain (works for any resource / nested stack)
• DeletionPolicy=Snapshot:
• EBS Volume, ElastiCache Cluster, ElastiCache ReplicationGroup
• RDS DBInstance, RDS DBCluster, Redshift Cluster
• DeletePolicy=Delete (default behavior):
• Note: for AWS::RDS::DBCluster resources, the default policy is Snapshot
• Note: to delete an S3 bucket, you need to first empty the bucket of its content

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CloudFormation Custom Resources (Lambda)
• You can define a Custom Resource in
CloudFormation
CloudFormation to address any of these Custom Resource
use cases:
Create, update, delete
• An AWS resource is not yet supported
(new service for example)
• An on-premises resource AWS Lambda Function

• Emptying an S3 bucket before being

deleted API calls
• Fetch an AMI id
• Anything you want…! Whatever you want

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CloudFormation – StackSets
• Create, update, or delete stacks across CloudFormation StackSet
multiple accounts and regions with a Admin Account
single operation
• Administrator account to create
StackSets
• Trusted accounts to create, update,
delete stack instances from StackSets
• When you update a stack
set, all associated stack instances are
updated throughout all accounts and
regions
Account A Account A Account B
• Enable Automatic Deployment feature us-east-1 ap-south-1 eu-west-2
to automatically deploy to accounts in
AWS Organization or OUs

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CloudFormation Drift Overview
• CloudFormation allows you to create
infrastructure SSHSecurityGroup
Type Protocol/Port Source

• But it doesn’t protect you against manual SSH TCP/22 10.0.0.115/32

configuration changes Stack

so gh
on rou
• How do we know if our resources have drifted?

le
2 C th
EC dify
o
m
Type Protocol/Port Source

SSH TCP/22 0.0.0.0/0

• We can use CloudFormation Drift!
• Detect drift on an entire stack or on individual Compare

resources within a stack

Template Drifted!
CloudFormation Drift

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CloudFormation – Integration with Secrets
Manager
secret is generated

reference secret in
RDS DB instance

link the secret to

RDS DB instance

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CloudFormation - Resource Import Template
(with resources to import)

• Import existing resources into existing/new stacks

• You don’t need to delete and re-create the
resources as part of a CloudFormation stack
• During import operation, you’ll need import resources

• A template that describes the entire stack (original stack

resources & target resources to import)
• A Unique identifier for each target resource (ex. S3 bucket
BucketName for S3 buckets) (MyBucket) CloudFormation
• Each resource to import must have a
DeletionPolicy attribute (any value) & Identifier
Stack
• Can’t import the same resource into multiple stacks
manage through CloudFormation
S3 bucket
(MyBucket)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Service Catalog
• Users that are new to AWS have too many options, and may create
stacks that are not compliant / in line with the rest of the organization

• Some users just want a quick self-service por tal to launch a set of
authorized products pre-defined by admins

• Includes: virtual machines, databases, storage options, etc…

• Enter AWS Service Catalog!

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Service Catalog diagram
Product Portfolio Control
ADMIN TASKS

CloudFormation Collection of Products IAM Permissions to

Templates Access Portfolios
USER TASKS

Product List Provisioned Products

launch

Authorized by IAM Ready to use

Properly Configured
Properly Tagged
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Service Catalog
• Create and manage catalogs of IT services that are approved on AWS
• The “products” are CloudFormation templates
• Ex: Virtual machine images, Servers, Software, Databases, Regions, IP address ranges
• CloudFormation helps ensure consistency, and standardization by Admins
• They are assigned to Portfolios (teams)
• Teams are presented a self-service portal where they can launch the products
• All the deployed products are centrally managed deployed services
• Helps with governance, compliance, and consistency
• Can give user access to launching products without requiring deep AWS knowledge
• Integrations with “self-service portals” such as ServiceNow

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS SAM - Serverless Application Model
• SAM = Serverless Application Model
• Framework for developing and deploying serverless applications
• All the configuration is YAML code. Examples:
• Lambda Functions (AWS::Serverless::Function)
• DynamoDB tables (AWS::Serverless::SimpleTable)
• API Gateway (AWS::Serverless::API)
• StepFunction - State Machine (AWS::Serverless::StateMachine)
• SAM can help you to run Lambda, API Gateway, DynamoDB locally
• SAM can use CodeDeploy to deploy Lambda functions (traffic shifting)
• Leverages CloudFormation in the backend

CodePipeline

Traffic shifting with alias

CodeCommit CodeBuild CloudFormation CodeDeploy v2

Build, test, package + SAM

API Gateway

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Cloud Development Kit (CDK)
• Define your cloud infrastructure using a familiar language:
• JavaScript/TypeScript, Python, Java, and .NET
• The code is “compiled” into a CloudFormation template (JSON/YAML)
• You can therefore deploy infrastructure and application runtime code together
• Great for Lambda functions
• Great for Docker containers in ECS / EKS

CDK Application

CDK CLI CloudFormation CloudFormation

Programming Template
Languages

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Systems Manager Overview
• Helps you manage your EC2 and on-premises systems at scale
• Get operational insights about the state of your infrastructure
• Easily detect problems
• Patching automation for enhanced compliance
• Works for both Windows and Linux OS
• Integrated with CloudWatch metrics / dashboards
• Integrated with AWS Config
• Free service

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
How Systems Manager works
• We need to install the SSM
agent onto the systems we Systems Manager
control
• Installed by default on Amazon
Linux AMI & some Ubuntu
AMI
• If an instance can’t be
controlled with Systems
Manager, it’s probably an issue
with the SSM agent! SSM Agent SSM Agent SSM Agent
• Make sure the EC2 instances
have a proper IAM role to
allow Systems Manager actions EC2 Instance EC2 Instance On Premise VM

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Systems Manager
Run Command
• Execute a document (= script) or
just run a command Systems Manager

• Run command across multiple

instances (using resource groups) RunCommand
• Rate Control / Error Control
• Integrated with IAM & CloudTrail
SSM Agent
• No need for SSH
Command is run

• Results in the console EC2 Instance

No SSH access needed

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Systems Manager – Send Command
before an ASG Instance is Terminated
SSM Automation EventBridge
• Perform any action before the ASG trigger
terminates an EC2 instance
• Create a ASG Lifecycle Hook that puts Event
the instance in Terminating:Wait state SendCommand
Terminating:Wait

• Monitor the Terminating:Wait state using

EventBridge
• Trigger a SSM Automation Document to Auto Scaling Group
perform the actions on the instance (with Lifecycle Hook configured)

before termination terminate

EC2 Instances
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Systems Manager Patch Managers – Steps
1. Define a patch baseline to use (or multiple if you
have multiple environments)
2. Define patch groups: define based on tags, example
different environments (dev, test, prod) – use tag
Patch Group
3. Define Maintenance Windows (schedule, duration,
registered targets/patch groups and registered tasks)
4. Add the AWS-RunPatchBaseline Run Command
as part of the registered tasks of the Maintenance
Window (works cross platform Linux & Windows)
5. Define Rate Control (concurrency & error
threshold) for the task
6. Monitor Patch Compliance using SSM Inventory

https://aws.amazon.com/blogs/mt/patching-your-windows-ec2-instances-using-aws-systems-manager-patch-manager/

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Systems Manager Session Manager
• Allows you to start a secure shell on your EC2 CloudWatch
and on-premises servers Logs Amazon S3
• Access through AWS Console, AWS CLI, or
Session Manager SDK
• Does not need SSH access, bastion hosts, or
SSH keys session log data IAM Instance
Profile
• Supports Linux, macOS, and Windows
• Log connections to your instances and Session
executed commands Manager
• Session log data can be sent to S3 or AWS Console,
EC2 Instance
CloudWatch Logs AWS CLI,
(SSM Agent)
• CloudTrail can intercept Star tSession events or Session Manager SDK IAM
Permissions

User
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Systems Manager OpsCenter
• Resolve Operational Issues (OpsItems) related to AWS resources
• OpsItems – issues, events and alerts
• Aggregates information to resolve issues on each OpsItems such as:
• AWS Config changes and relationships
• CloudTrail Logs
• CloudWatch Alarms
• CloudFormation Stack information
• Provides Automation Runbooks that you can use to resolve issues
• EventBridge or CloudWatch Alarms can create OpsItems

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Cloud Map
Without Cloud Map
• A fully managed resource discovery
service Frontend service Backend service
• Creates a map of the backend code change
services/resources that your is required Version 1
applications depend on
Version 2
• You register your application
components, their locations, attributes,
and health status with AWS Cloud Map With Cloud Map
• Integrated health checking (stop Frontend service Backend service
sending traffic to unhealthy endpoints)
Version 1
• Your applications can query AWS 2. Dynamic lookup
Cloud Map using AWS SDK, API, or to find the location
of v2
3. Connect to v2
Version 2
DNS
1. Update endpoint
AWS Cloud Map from v1 to v2

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Cost Allocation Tags
• With Tags we can track resources that relate to each other
• With Cost Allocation Tags we can enable detailed costing reports
• Just like Tags, but they show up as columns in Reports
• AWS Generated Cost Allocation Tags
• Automatically applied to the resource you create
• Starts with Prefix aws: (e.g. aws: createdBy)
• They’re not applied to resources created before the activation
• User tags
• Defined by the user
• Starts with Prefix user :
• Cost Allocation Tags just appear in the Billing Console
• Takes up to 24 hours for the tags to show up in the report

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Tag Editor
• Allows you to manage tags of multiple resources at once
• You can add/update/delete tags
• Search tagged/untagged resources in all AWS Regions

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Trusted Advisor
• No need to install anything – high level AWS account assessment
• Analyze your AWS accounts and provides recommendation:
• Cost Optimization
• Performance
• Security
• Fault Tolerance
• Service Limits
• Operational Excellence
• Core Checks and recommendations – all customers
• Can enable weekly email notification from the console
• Full Trusted Advisor – Available for Business & Enterprise support plans
• Ability to set CloudWatch alarms when reaching limits
• Programmatic Access using AWS Suppor t API

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Support Plans
Basic Support Developer Business Enterprise
Recommended if you Recommended if you have business
included for all AWS Recommended if you have
are experimenting or and/or mission critical workloads in
customers and free production workloads in AWS.
testing in AWS. AWS.
AWS Trusted Full set of checks Full set of checks
Advisor Best 7 Core checks 7 Core checks + Programmatic Access using + Programmatic Access using AWS
Practice Checks AWS Support API Support API
Business hours email 24x7 phone, email, and chat
24x7 access to 24x7 phone, email, and chat access
access to Cloud access to Cloud Support
customer service, to Cloud Support Engineers
Enhanced Support Associates Engineers
documentation,
Technical Support
whitepapers, and Unlimited cases / unlimited
Unlimited cases / 1 Unlimited cases / unlimited
support forums. contacts (IAM supported)
primary contact contacts (IAM supported)

General guidance: < 24 hours General guidance: < 24 hours

General guidance:
System impaired: < 12 hours System impaired: < 12 hours
< 24 business hours**
Case Severity / Production system impaired: Production system impaired: < 4 hours
Response Times System impaired:
< 4 hours Production system down: < 1 hour
Production system down: Business-critical system down:
< 12 business hours**
< 1 hour < 15 minutes

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Trusted Advisor – Good to know
Primary Account
SQS Queue
• Can check if an S3 bucket is made (DLQ)

public
• But cannot check for S3 objects that SQS Queue Lambda Function DynamoDB

are public inside of your bucket! (Limit Summarizer) Table

• Use Amazon EventBridge / S3 Events Lambda Function Trusted Advisor EventBridge SNS Topic
instead / AWS Config Rules (TA Refresher) Checks Rule
Optional

• Service Limits Service Quotas Lambda Function

(vCPU Checker)
Lambda Function
(Slack Notifier)
• Limits can only be monitored in
Trusted Advisor (cannot be changed) EventBridge
Bus
• Cases must be created manually in Parameter Store

AWS Suppor t Centre to increase Secondary Account

limits
• OR use the AWS Service Quotas
service Lambda Function
(TA Refresher)
Trusted Advisor
Checks
EventBridge
Rule

Service Quotas Lambda Function

(vCPU Checker)
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Service Quotas
• Notify you when you’re close to a service quota value threshold
• Create CloudWatch Alarms on the Service Quotas console
• Example: Lambda concurrent executions
• Helps you know if you need to request a quota increase or shutdown resources before limit is reached

AWS Lambda Quota

monitor

AWS Service trigger

Quotas
CW Alarm

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
EC2 Instance Launch Types
• On Demand Instances: short workload, predictable pricing, reliable
• Spot Instances: short workloads, for cheap, can lose instances (not reliable)
• Reserved: (MINIMUM 1 year)
• Reserved Instances: long workloads
• Conver tible Reserved Instances: long workloads with flexible instances
• Dedicated Instances: no other customers will share your hardware
• Dedicated Hosts: book an entire physical server, control instance
placement
• Great for software licenses that operate at the core, or socket level
• Can define host affinity so that instance reboots are kept on the same host

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Savings Plan
• New pricing model to get a discount based on long-term usage
• Commit to a certain type of usage: ex $10 per hour for 1 to 3 years
• Any usage beyond the savings plan is billed at the on-demand price

• EC2 Instance Savings plan (up to 72% - same discount as Standard RIs)
• Select instance family (e.g. M5, C5…), and locked to a specific region
• Flexible across size (m5.large to m5.4xlarge), OS (Windows to Linux), tenancy
(dedicated or default)
• Compute Savings plan (up to 66% - same discount as Convertible RIs)
• Ability to move between instance family (move from C5 to M5), region (Ireland to US),
compute type (EC2, Fargate, Lambda), OS & tenancy
• SageMaker Savings plan (up to 64% off)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
S3 Storage Classes
• Amazon S3 Standard - General Purpose
• Amazon S3 Standard-Infrequent Access (IA)
• Amazon S3 One Zone-Infrequent Access
• Amazon S3 Glacier Instant Retrieval
• Amazon S3 Glacier Flexible Retrieval
• Amazon S3 Glacier Deep Archive
• Amazon S3 Intelligent Tiering

• Can move between classes manually or using S3 Lifecycle configurations

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
S3 – Other Cost Savings
• S3 Lifecycle Rules: transition objects between tiers
• Compress objects to save space
• S3 Requester Pays:
• In general, bucket owners pay for all Amazon S3 storage and data transfer costs
associated with their bucket
• With Requester Pays buckets, the requester instead of the bucket owner pays
the cost of the request and the data download from the bucket
• The bucket owner always pays the cost of storing data
• Helpful when you want to share large datasets with other accounts
• If an IAM role is assumed, the owner account of that role pays for the
request

• Can move between classes manually or using S3 Lifecycle configurations

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
S3 Durability and Availability
• Durability:
• High durability (99.999999999%, 11 9’s) of objects across multiple AZ
• If you store 10,000,000 objects with Amazon S3, you can on average expect to
incur a loss of a single object once every 10,000 years
• Same for all storage classes

• Availability:
• Measures how readily available a service is
• Varies depending on storage class
• Example: S3 standard has 99.99% availability = not available 53 minutes a year

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
S3 Standard – General Purpose
• 99.99% Availability
• Used for frequently accessed data
• Low latency and high throughput
• Sustain 2 concurrent facility failures

• Use Cases: Big Data analytics, mobile & gaming applications, content
distribution…

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
S3 Storage Classes – Infrequent Access
• For data that is less frequently accessed, but requires rapid access when needed
• Lower cost than S3 Standard

• Amazon S3 Standard-Infrequent Access (S3 Standard-IA)

• 99.9% Availability
• Use cases: Disaster Recovery, backups

• Amazon S3 One Zone-Infrequent Access (S3 One Zone-IA)

• High durability (99.999999999%) in a single AZ; data lost when AZ is destroyed
• 99.5% Availability
• Use Cases: Storing secondary backup copies of on-premise data, or data you can recreate

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon S3 Glacier Storage Classes
• Low-cost object storage meant for archiving / backup
• Pricing: price for storage + object retrieval cost

• Amazon S3 Glacier Instant Retrieval

• Millisecond retrieval, great for data accessed once a quarter
• Minimum storage duration of 90 days
• Amazon S3 Glacier Flexible Retrieval (formerly Amazon S3 Glacier):
• Expedited (1 to 5 minutes), Standard (3 to 5 hours), Bulk (5 to 12 hours) – free
• Minimum storage duration of 90 days
• Amazon S3 Glacier Deep Archive – for long term storage:
• Standard (12 hours), Bulk (48 hours)
• Minimum storage duration of 180 days

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
S3 Intelligent-Tiering
• Small monthly monitoring and auto-tiering fee
• Moves objects automatically between Access Tiers based on usage
• There are no retrieval charges in S3 Intelligent-Tiering

• Frequent Access tier (automatic): default tier

• Infrequent Access tier (automatic): objects not accessed for 30 days
• Archive Instant Access tier (automatic): objects not accessed for 90 days
• Archive Access tier (optional): configurable from 90 days to 700+ days
• Deep Archive Access tier (optional): config. from 180 days to 700+ days

Durability 99.999999999% == (11 9’s)

Availability 99.99% 99.9% 99.9% 99.5% 99.9% 99.99% 99.99%

Availability SLA 99.9% 99% 99% 99% 99% 99.9% 99.9%

Availability
>= 3 >= 3 >= 3 1 >= 3 >= 3 >= 3
Zones

Min. Storage
None None 30 Days 30 Days 90 Days 90 Days 180 Days
Duration Charge

Min. Billable
None None 128 KB 128 KB 128 KB 40 KB 40 KB
Object Size

Retrieval Fee None None Per GB retrieved Per GB retrieved Per GB retrieved Per GB retrieved Per GB retrieved

https://aws.amazon.com/s3/storage-classes/
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
S3 Storage Classes – Price Comparison
Example: us-east-1
Glacier Instant Glacier Flexible Glacier Deep
Standard Intelligent-Tiering Standard-IA One Zone-IA
Retrieval Retrieval Archive
Storage Cost
$0.023 $0.0025 - $0.023 $0.0125 $0.01 $0.004 $0.0036 $0.00099
(per GB per month)
GET: $0.0004
GET: $0.0004
POST: $0.03
POST: $0.05
Retrieval Cost GET: $0.0004 GET: $0.0004 GET: $0.001 GET: $0.001 GET: $0.01
(per 1000 request) POST: $0.005 POST: $0.005 POST: $0.01 POST: $0.01 POST: $0.02 Expedited: $10
Standard: $0.10
Standard: $0.05
Bulk: $0.025
Bulk: free

Expedited (1 – 5 mins)
Standard (12 hours)
Retrieval Time Instantaneous Standard (3 – 5 hours)
Bulk (48 hours)
Bulk (5 – 12 hours)

Monitoring Cost
$0.0025
(pet 1000 objects)

https://aws.amazon.com/s3/pricing/

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Budgets
• Create budget and send alarms when costs exceeds the budget
• 4 types of budgets: Usage, Cost, Reservation, Savings Plans
• For Reserved Instances (RI)
• Track utilization
• Supports EC2, ElastiCache, RDS, Redshift
• Up to 5 SNS notifications per budget
• Can filter by: Service, Linked Account, Tag, Purchase Option, Instance
Type, Region, Availability Zone, API Operation, etc…
• Same options as AWS Cost Explorer!
• 2 budgets are free, then $0.02/day/budget

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Budget Actions
Root OU
• Run actions on your behalf when a budget
exceeds a certain cost or usage threshold Management Account
• Supports 3 action types:
Budget threshold breach
• Applying an IAM Policy to a user, group, or IAM triggers Budget Action to apply
role a restrictive SCP on the OU

• Applying Service Control Policy (SCP) to an AWS Budgets SCP

OU pl y
ap
• Stop EC2 or RDS Instances
• Actions can be executed automatically or Dev OU

require a workflow approval process

• Reduces unintentional overspending in your Member Accounts
account

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Centralized Budget Management
Management Account Current OU

Member Account
1. Budget set by Management
AWS Budgets account for Member account
Amazon SNS using account filter
2. Budget threshold breach
sends a notification
Amazon SNS

3. Trigger Lambda function Restrictive OU

4b. Send an Email 4a. Move account to Member Account

about this move restrictive OU

SCP
Lambda Function

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Decentralized Budget Management
AWS Organization

Management Account CloudFormation

StackSet to deploy Budget

OU configuration to Member accounts

Member Account
Warning Notification Critical Notification

OU
SNS SNS

EC2 Instance Member Accounts

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Cost Explorer
• Visualize, understand, and manage your AWS costs and usage over time
• Create custom reports that analyze cost and usage data.
• Analyze your data at a high level: total costs and usage across all accounts
• Or Monthly, hourly, resource level granularity
• Choose an optimal Savings Plan (to lower prices on your bill)
• Forecast usage up to 12 months based on previous usage

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Compute Optimizer
• Reduce costs and improve performance by
recommending optimal AWS resources for your
workloads
• Helps you choose optimal configurations and right-
size your workloads (over/under provisioned)
• Uses Machine Learning to analyze your resources’
configurations and their utilization CloudWatch
metrics
• Supported resources
• EC2 instances
• EC2 Auto Scaling Groups
• EBS volumes
• Lambda functions
• Lower your costs by up to 25%
• Recommendations can be exported to S3

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Compute Optimizer – CloudWatch Agent
EC2 Instances with
CloudWatch Agent Installed

• Needed to analyze Memory Utilization Send Metrics

(e.g., RAM)

• Not needed for CPU, NetworkIn/Out, CloudWatch

DiskReadOps, DiskWriteOps, …
analyze

Compute
Optimizer

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Reserved Instances
• Reserved Instances in an AWS Organization
• all accounts share the Reserved Instances and Savings Plan
• The payer account (Management account) of an organization can turn off
Reserved Instance (RI) discount and Savings Plans discount sharing for any
accounts in that organization, including the payer account

• Renewal of Reserved Instances

• You can queue (schedule and reserve ahead of time) your reserved instances
• To renew a RI, just queue an RI purchase whenever the previous one expires

https://aws.amazon.com/blogs/enterprise-strategy/new-possibilities-seven-strategies-to-accelerate-your-application-migration-to-aws/

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Cloud Migration Strategies: The 7Rs
• Retire
• Turn off things you don’t need (maybe as a result of Re-architecting)
• Helps with reducing the surface areas for attacks (more security)
• Save cost, maybe up to 10% to 20%
• Focus your attention on resources that must be maintained

• Retain
• Do nothing for now (it’s still a decision to make in a Cloud Migration)
• Security, data compliance, performance, unresolved dependencies
• No business value to migrate, mainframe or mid-range and non-x86 Unix apps

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Cloud Migration Strategies: The 7Rs
• Relocate
• Move apps from on-premises to its Cloud version
• Move EC2 instances to a different VPC, AWS account or AWS Region
• Example: transfer servers from VMware Software-defined Data Center (SSDC) to
VMware Cloud on AWS

• Rehost “lift and shift”

• Simple migrations by re-hosting on AWS (applications, databases, data…)
• Migrate machines (physical, virtual, another Cloud) to AWS Cloud
• No cloud optimizations being done, applications is migrated as is
• Could save as much as 30% on cost
• Example: Migrate using AWS Application Migration Service

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Cloud Migration Strategies: The 7Rs
• Replatform “lift and reshape”
• Example: migrate your database to RDS
• Example: migrate your application to Elastic Beanstalk
• Not changing the core architecture, but leverage some Cloud optimizations
• Save time and money by moving to a fully managed service or Serverless

• Repurchase “drop and shop”

• Moving to a different product while moving to the Cloud
• Often you move to a SaaS platform
• Expensive in the short term, but quick to deploy
• Example: CRM to Salesforce.com, HR to Workday, CMS to Drupal

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Cloud Migration Strategies: The 7Rs
• Refactor / Re-architect
• Reimagining how the application is architected using Cloud Native features
• Driven by the need of the business to add features and improve scalability,
performance, security, and agility
• Move from a monolithic application to micro-services
• Example: move an application to Serverless architectures, use AWS S3

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Storage Gateway
• Bridge between on-premises data and cloud data
• Use cases:
• disaster recovery
• backup & restore
• tiered storage Storage Gateway
• on-premises cache & low-latency files access
• Types of Storage Gateway:
• S3 File Gateway
• FSx File Gateway
• Volume Gateway
• Tape Gateway

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon S3 File Gateway
• Configured S3 buckets are accessible using the NFS and SMB protocol
• Most recently used data is cached in the file gateway
• Supports S3 Standard, S3 Standard IA, S3 One Zone A, S3 Intelligent Tiering
• Transition to S3 Glacier using a Lifecycle Policy
• Bucket access using IAM roles for each File Gateway
• SMB Protocol has integration with Active Directory (AD) for user authentication

Corporate AWS Cloud .

Data Center
S3 Standard Lifecycle
HTTPS policy
S3 Standard-IA
S3 One Zone-IA
NFS or SMB S3 Intelligent-Tiering
Application S3 File S3 Glacier
Server Gateway

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon FSx File Gateway
• Native access to Amazon FSx for Windows File Server
• Local cache for frequently accessed data
• Windows native compatibility (SMB, NTFS, Active Directory...)
• Useful for group file shares and home directories

Corporate AWS Cloud

Data Center

SMB Clients
Amazon FSx
File Gateway Amazon FSx File systems
for Windows File Server

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Volume Gateway
• Block storage using iSCSI protocol backed by S3
• Backed by EBS snapshots which can help restore on-premises volumes!
• Cached volumes: low latency access to most recent data
• Stored volumes: entire dataset is on premise, scheduled backups to S3
Corporate AWS Cloud
Data Center

Region

iSCSI HTTPS
Application Volume Gateway S3 Bucket Amazon EBS
Server Snapshots

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Tape Gateway
• Some companies have backup processes using physical tapes (!)
• With Tape Gateway, companies use the same processes but, in the cloud
• Virtual Tape Library (VTL) backed by Amazon S3 and Glacier
• Back up data using existing tape-based processes (and iSCSI interface)
• Works with leading backup software vendors
Corporate AWS Cloud
Data Center
Region
Media
iSCSI Changer HTTPS

Tape Virtual Tapes Archived Tapes

Backup Tape
stored in stored in
Server Drive Gateway Amazon S3 Amazon Glacier

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Storage Gateway – Hardware appliance
• Using Storage Gateway means you need
on-premises virtualization
• Otherwise, you can use a Storage
Gateway Hardware Appliance
• You can buy it on amazon.com

• Works with File Gateway, Volume Gateway,

Tape Gateway
• Has the required CPU, memory, network,
SSD cache resources
• Helpful for daily NFS backups in small data
centers

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Storage Gateway
On-Premises AWS Cloud
NFS/SMB

User/group file shares File Gateway Amazon S3 Any S3 Storage Class

local cache excluding Glacier & Including Glacier
Glacier Deep Archive

iSCSI Encryption in Transit

Internet or Direct Connect
Application Server Volume Gateway Amazon S3 AWS EBS
local cache Storage Gateway
Eject from backup application
iSCSI VTL

Amazon S3 Tape Archive

Backup Application Tape Gateway Tape Library Glacier &
local cache Glacier Deep Archive

Gateway Deployment Options

Automated Backups
VM(VMware, Hyper-V, KVM) or Hardware Appliance Amazon S3
Amazon FSx
For Windows File Server

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
File Gateway: Extensions
Corporate
data center
Lambda
nts
NFS / SMB Eve
Amazon S3 S3

File Gateway Appliance

Athena
VPC

NFS / SMB CRR

Redshift Spectrum
File Gateway Appliance

Amazon S3 EMR

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
File Architectures: Other possibilities
• Amazon S3 Object Versioning
• Ability to store multiple object versions as they are modified
• Helpful to restore a file to a previous version
• Could restore an entire file system to a previous version
• Must use the “RefreshCache” API on the Gateway to be notified of restore

• Amazon S3 Object Lock

• Enables to have the File Gateway for Write Once Read Many (WORM) data
• If there are file modifications or renames in the file share clients, the file gateway
creates a new version of the object without affecting priori versions, and the
original locked version will remain unchanged

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Snowball
• Highly-secure, portable devices to collect and process data at the
edge, and migrate data into and out of AWS
• Helps migrate up to Petabytes of data

Device Compute Memory Storage (SSD)

Snowball Edge Storage Optimized 104 vCPUs 416 GB 210 TB

Snowball Edge Compute Optimized 104 vCPUs 416 GB 28 TB

Snowball Edge

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Data Migrations with Snowball
Challenges:
Time to Transfer • Limited connectivity
100 Mbps 1Gbps 10Gbps • Limited bandwidth
10 TB 12 days 30 hours 3 hours • High network cost
100 TB 124 days 12 days 30 hours • Shared bandwidth (can’t
1 PB 3 years 124 days 12 days maximize the line)
• Connection stability

AWS Snowball: offline devices to perform data migrations

If it takes more than a week to transfer over the network, use Snowball devices!

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Diagrams
• Direct upload to S3:
www: 10Gbit/s

client Amazon S3
bucket
• With Snowball:
ship

AWS AWS import/ Amazon S3

client
Snowball Snowball export bucket

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
What is Edge Computing?
• Process data while it’s being created on an edge location
• A truck on the road, a ship on the sea, a mining station underground...

• These locations may have limited internet and no access to computing power
• We setup a Snowball Edge device to do edge computing
• Snowball Edge Compute Optimized (dedicated for that use case) & Storage Optimized
• Run EC2 Instances or Lambda functions at the edge
• Use cases: preprocess data, machine learning, transcoding media

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Snow Family – Improving Transfer Performance
• Most impactful to least:
• Perform multiple write operations at one time - from multiple terminals
• Transfer small files in batches – zip up small files until at least 1MB
• Don't perform other operations on files during transfer
• Reduce local network use
• Eliminate unnecessary hops – directly connect to the computer

• The data transfer rate using the file interface is typically between 25
MB/s and 40 MB/s. If you need to transfer data faster than this, use the
Amazon S3 Adapter for Snowball, which has a data transfer rate
typically between 250 MB/s and 400 MB/s

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
DMS – Database Migration Service
• Quickly and securely migrate databases to
AWS, resilient, self healing Source DB
• The source database remains available
during the migration
• Supports:
EC2 instance
• Homogeneous migrations: ex Oracle to Running DMS
Oracle
• Heterogeneous migrations: ex Microsoft SQL
Server to Aurora
• Continuous Data Replication using CDC Target DB
• You must create an EC2 instance to
perform the replication tasks

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
DMS Sources and Targets
SOURCES: TARGETS:
• On-premises and EC2 instances • On-premises and EC2 instances
databases: Oracle, MS SQL Server,
databases: Oracle, MS SQL Server, MySQL, MariaDB, PostgreSQL, SAP
MySQL, MariaDB, PostgreSQL, • Amazon RDS including Aurora
MongoDB, SAP, DB2
• Amazon Redshift
• Azure: Azure SQL Database • Amazon DynamoDB
• Amazon RDS: all including • Amazon S3
Aurora • OpenSearch Service
• Amazon S3 • Kinesis Data Streams
• DocumentDB • DocumentDB

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Schema Conversion Tool (SCT)
• Convert your Database’s Schema from one engine to another
• Example OLTP: (SQL Server or Oracle) to MySQL, PostgreSQL, Aurora
• Example OLAP: (Teradata or Oracle) to Amazon Redshift

Source DB DMS + SCT Target DB (different engine)

• You do not need to use SCT if you are migrating the same DB engine
• Ex: on-premises PostgreSQL => RDS PostgreSQL
• The DB engine is still PostgreSQL (RDS is the platform)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
DMS – Good things to know
• Works over VPC Peering, VPN (site to site, software), Direct Connect
• Supports Full Load, Full Load + CDC, or CDC only
• Oracle:
• Source: Supports TDE for the source using “BinaryReader”
• Target: Supports BLOBs in tables that have a primary key, and TDE
• OpenSearch:
• Source: does not exist
• Target: possible to migrate from a relational database using DMS
• Therefore, DMS cannot be used to replicate OpenSearch data

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Snowball + Database Migration Service (DMS)
• Larger data migrations can include many terabytes of information.
• Can be limited due to network bandwidth or size of data
• AWS DMS can use Snowball Edge & Amazon S3 to speed up migration
• Following stages:
1. You use the AWS Schema Conversion Tool (AWS SCT) to extract the data
locally and move it to an Edge device.
2. You ship the Edge device or devices back to AWS.
3. After AWS receives your shipment, the Edge device automatically loads its
data into an Amazon S3 bucket.
4. AWS DMS takes the files and migrates the data to the target data store. If you
are using change data capture (CDC), those updates are written to the
Amazon S3 bucket and then applied to the target data store.

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Cloud Adoption Readiness Tool (CART)
• Helps organizations develop efficient and effective plans for cloud adoption and migrations
• Transforms your idea of moving to the cloud into a detailed plan that follows AWS best
practices
• Answer a set of questions across six perspectives (business, people, process, platform,
operations, security)
• Generates a custom report on your level of migration readiness

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Disaster Recovery Overview
• Any event that has a negative impact on a company’s business continuity
or finances is a disaster
• Disaster recovery (DR) is about preparing for and recovering from a
disaster
• What kind of disaster recovery?
• on-premises => on-premises: traditional DR, and very expensive
• on-premises => AWS Cloud: hybrid recovery
• AWS Cloud Region A => AWS Cloud Region B
• Need to define two terms:
• RPO: Recovery Point Objective
• RTO: Recovery Time Objective

RPO Disaster RTO

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Disaster Recovery Strategies
• Backup and Restore
• Pilot Light
• Warm Standby
• Hot Site / Multi Site Approach

Faster RTO

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Backup and Restore (High RPO)
Corporate data AWS Cloud AWS Cloud
center

Amazon EC2

lifecycle
AWS Storage Gateway Amazon S3

AWS Snowball Glacier

AMI
AWS Cloud

EBS Scheduled regular

snapshots
Redshift
Amazon RDS
Snapshot
RDS

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Disaster Recovery – Pilot Light
• A small version of the app is always running in the cloud
• Useful for the critical core (pilot light)
• Very similar to Backup and Restore
• Faster than Backup and Restore as critical systems are already up

Corporate data AWS Cloud

center Route 53

EC2 (not running)

Data Replication

RDS (running)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Warm Standby
• Full system is up and running, but at minimum size
• Upon disaster, we can scale to production load
Corporate data AWS Cloud
center

Reverse
Route 53
proxy
ELB

App
Server
EC2 Auto Scaling failover
(minimum)
Master Data Replication
DB
RDS Slave (running)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Multi Site / Hot Site Approach
• Very low RTO (minutes or seconds) – very expensive
• Full Production Scale is running AWS and On Premise
Corporate data AWS Cloud
active active
center

Reverse
Route 53
proxy
ELB

App
Server
EC2 Auto Scaling failover
(production)
Master Data Replication
DB
RDS Slave (running)

AWS Cloud AWS Cloud

active active

Route 53

ELB ELB

EC2 Auto Scaling EC2 Auto Scaling failover

(production) (production)
Data Replication

Aurora Global (master) Aurora Global (slave)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Disaster Recovery Tips
• Backup
• EBS Snapshots, RDS automated backups / Snapshots, etc…
• Regular pushes to S3 / S3 IA / Glacier, Lifecycle Policy, Cross Region Replication
• From on-premises: Snowball or Storage Gateway
• High Availability
• Use Route53 to migrate DNS over from Region to Region
• RDS Multi-AZ, ElastiCache Multi-AZ, EFS, S3
• Site to Site VPN as a recovery from Direct Connect
• Replication
• RDS Replication (Cross Region), AWS Aurora + Global Database
• Database replication from on-premises to RDS
• Storage Gateway
• Automation
• CloudFormation / Elastic Beanstalk to re-create a whole new environment
• Recover / Reboot EC2 instances with CloudWatch if alarms fail
• AWS Lambda functions for customized automations
• Chaos
• Netflis has a “simian-army” randomly terminating EC2

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Fault Injection Simulator (FIS)
• A fully managed service for running fault injection experiments on AWS workloads
• Based on Chaos Engineering – stressing an application by creating disruptive events
(e.g., sudden increase in CPU or memory), observing how the system responds, and
implementing improvements
• Helps you uncover hidden bugs and performance bottlenecks
• Supports the following AWS services: EC2, ECS, EKS, RDS…
• Use pre-built templates that generate the desired disruptions
Resources Monitoring

create start

EC2 ECS CloudWatch

AWS Fault Injection Experiment Stop View
Simluator Template Experiment Results
(stop if complete or (identify performance,
EKS RDS EventBridge an alarm is triggered) observability,
or resiliency issues)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Application Discovery Service
• Plan migration projects by gathering information about on-premises data centers
• Server utilization data and dependency mapping are important for migrations
• Agentless Discovery (AWS Agentless Discovery Connector)
• Open Virtual Appliance (OVA) package that can be deployed to a VMware host
• VM inventory, configuration, and performance history such as CPU, memory, and disk usage
• OS agnostic
• Agent-based Discovery (AWS Application Discovery Agent)
• System configuration, system performance, running processes, and details of the network
connections between systems
• Supports Microsoft Server, Amazon Linux, Ubuntu, RedHat, CentOS, SUSE…
• Resulting data can be exported as CSV or viewed within AWS Migration Hub
• Data can be explorer using pre-defined queries in Amazon Athena

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Application Discovery Service –
Migration Hub Data Exploration
• Allows you to use Amazon Athena to analyze data
On-Premises Data Center
collected from on-premises servers during discovery
Servers with
• Data is automatically stored in S3 bucket at regular Agent installed
intervals
• Use Pre-defined or custom queries in Amazon Athena
to analyze data data discovered
& data sources
• Example: type of processes running on each server
Amazon S3
• Ability to upload additional data sources such as
Configuration Management Database (CMDB) exports
• Integrate Athena with QuickSight to visualize data

Athena

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Application Migration Service (MGN)
• The “AWS evolution” of CloudEndure Migration, replacing AWS Server Migration Service (SMS)

• Lift-and-shift (rehost) solution which simplify migrating applications to AWS

• Converts your physical, virtual, and cloud-based servers to run natively on AWS
• Supports wide range of platforms, Operating Systems, and databases
• Minimal downtime, reduced costs

Corporate Data Center / Any cloud AWS Cloud

Application Migration Service
OS
Staging Production
continuous replication
Apps
cutover
DB AWS Replication
Agent
Disks Low-cost EC2 instances Target EC2 instances
& EBS volumes & EBS volumes

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Elastic Disaster Recovery (DRS)
• Used to be named “CloudEndure Disaster Recovery”

• Quickly and easily recover your physical, virtual, and cloud-based servers into AWS
• Example: protect your most critical databases (including Oracle, MySQL, and SQL Server),
enterprise apps (SAP), protect your data from ransomware attacks, …
• Continuous block-level replication for your servers
Corporate Data Center / Any cloud AWS Cloud
Elastic Disaster Recovery
OS
Staging Production
Apps continuous replication
(seconds)
failover
DB AWS Replication (minutes)
Agent
Disks Low-cost EC2 instances Target EC2 instances
& EBS volumes & EBS volumes
failback

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
On-premises strategy with AWS
• Ability to download Amazon Linux 2 AMI as a VM (.iso format)
• VMWare, KVM, VirtualBox (Oracle VM), Microsoft Hyper-V
• AWS Application Discovery Service AWS Application
• Gather information about your on-premises servers to plan a migration
Discovery Service
• Server utilization and dependency mappings
• Track with AWS Migration Hub
• AWS Application Migration Service (MGN) AWS Application
• Replacing AWS Server Migration Services & CloudEndure Migration Migration Service
• Incremental replication of on-premises live servers to AWS
• Migrates the entire VM into AWS
• AWS Elastic Disaster Recovery (DRS) AWS Elastic
• Replacing CloudEndure Disaster Recovery Disaster Recovery
• Recover on-premises workloads onto AWS
• AWS Database Migration Service (DMS)
• replicate on-premises => AWS , AWS => AWS, AWS => on-premises
AWS Database
• Works with various database technologies (Oracle, MySQL, DynamoDB, etc..) Migration Service

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Migration Evaluator
• Helps you build a data-driven business case for migration to AWS
• Provides a clear baseline of what your organization is running today
• Install Agentless Collector to conduct broad-based discovery
• Take a snapshot of on-premises foot-print, server dependepncies, …
• Analyze current state, define target state, then develop migration plan

Install Collector Gather Data

Download and configure the Connect to hypervisors and server
on-premises Agentless Collector to gather inventory, resource utilization

Quick Insights Business Case

Import Data AWS Migration Review Quick Insights report Gain expert guidance to build
Upload existing data from 3rd party for customized cost insights a business case for migration to AWS
tools or Application Discovery Service
Evaluator

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Backup
• Fully managed service
• Centrally manage and automate backups across AWS services
• No need to create custom scripts and manual processes
• Supported services:
• Amazon EC2 / Amazon EBS
• Amazon S3
• Amazon RDS (all DBs engines) / Amazon Aurora / Amazon DynamoDB
• Amazon DocumentDB / Amazon Neptune
• Amazon EFS / Amazon FSx (Lustre & Windows File Server)
• AWS Storage Gateway (Volume Gateway)
• Supports cross-region backups
• Supports cross-account backups

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Backup
• Supports PITR for supported services
• On-Demand and Scheduled backups
• Tag-based backup policies
• You create backup policies known as Backup Plans
• Backup frequency (every 12 hours, daily, weekly, monthly, cron expression)
• Backup window
• Transition to Cold Storage (Never, Days, Weeks, Months, Years)
• Retention Period (Always, Days, Weeks, Months, Years)

EC2 EBS S3

Create Backup Plan RDS DynamoDB DocumentDB Automatically

(frequency, retention
backed up to
policy)
AWS Backup Amazon S3
EFS Aurora Neptune

FSx Storage
Gateway

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Backup Vault Lock
• Enforce a WORM (Write Once Read Many)
state for all the backups that you store in
your AWS Backup Vault backup

• Additional layer of defense to protect your

backups against:
• Inadvertent or malicious delete operations
• Updates that shorten or alter retention periods
Backup Vault Lock Policy
Backups can’t be deleted
• Even the root user cannot delete backups
when enabled

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
VPC Basics
• CIDR: Block of IP address
• Example: 192.168.0.0/26: 192.168.0.0 – 192.168.0.63 (64 IP)
• Used for security groups, route tables, VPC, subnets, etc…
• Private IP
• 10.0.0.0 – 10.255.255.255 (10.0.0.0/8) <= in big networks
• 172.16.0.0 – 172.31.255.255 (172.31.0.0/12)
• 192.168.0.0 – 192.168.255.255 (192.168.0.0/16) <= example: home networks
• Public IP
• All the rest

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
VPC Basics
• VPC
• A VPC must have a defined list of CIDR blocks, that cannot be changed
• Each CIDR within VPC: min size is /28, max size is /16 (65536 IP addresses)
• VPC is private, so only Private IP CIDR ranges are allowed
• Subnets
• Within a VPC, defined as a CIDR that is a subset of the VPC CIDR
• All instances within subnets get a private IP
• First 4 IP and last one in every subnet is reserved by AWS
• Route Tables
• Used to control where the network traffic is directed to
• Can be associated with specific subnets
• The “most specific” routing rule is always followed (192.168.0.1/24 beats 0.0.0.0/0)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
VPC Basics
• Internet Gateway (IGW)
• Helps our VPC connect to the internet, HA, scales horizontally
• Acts as a NAT for instances that have a public IPv4 or public IPv6
• Public Subnets
• Has a route table that sends 0.0.0.0/0 to an IGW
• Instances must have a public IPv4 to talk to the internet
• Private Subnets
• Access internet with a NAT Instance or NAT Gateway setup in a public subnet
• Must edit routes so that 0.0.0.0/0 routes traffic to the NAT

Private subnet

• EC2 instance you deploy in a public subnet Private EC2

192.168.0.34
• Edit the route in your private subnet to
route 0.0.0.0/0 to your NAT instance
Public subnet
• Not resilient to failure, limited bandwidth
based on instance type, cheap NAT Instance

• Must manage failover yourself Elastic IP

54.25.43.122
• Must disable Source/Destination Check
(EC2 setting) Public internet

3rd party service

Must whitelist
The Elastic IP
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
VPC Basics – NAT Gateway Internet

www
• Managed NAT solution, Region
bandwidth scales Internet
Gateway
automatically VPC

• Resilient to failure within a

single AZ Public Subnet
Router
Public Subnet

• Must deploy multiple NAT Elastic IP Elastic IP

Gateways in multiple AZ NAT Gateway NAT Gateway

for HA Private Subnet Private Subnet

• Has an Elastic IP, external
services see the IP of the
NAT Gateway as the EC2 Instance EC2 Instance

source AZ - A AZ - B

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
VPC Basics
• Network ACL (NACL)
• Stateless firewall defined at the subnet level, applies to all instances within
• Support for allow and deny rules
• Stateless = return traffic must be explicitly allowed by rules
• Helpful to quickly and cheaply block specific IP addresses

• Security Groups
• Applied at the instance level, only support for allow rules, no deny rules
• Stateful = return traffic is automatically allowed, regardless of rules
• Can reference other security groups in the same region (peered VPC, cross-account)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
VPC Basics
• VPC Flows Logs
• Log internet traffic going through your VPC
• Can be defined at the VPC level, Subnet level, or ENI-level
• Helpful to capture “denied internet traffic”
• Can be sent to CloudWatch Logs and Amazon S3

• Bastion Hosts
• SSH into private EC2 instances through a public EC2 instance (bastion host)
• You must manage these instances yourself (failover, recovery)
• SSM Session Manager is a more secure way to remote control without SSH

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
VPC Basics
• IPv6 in shor t
• All IPv6 addresses are public, total 3.4×1038 addresses (vs 4.3 billion IPv4)
• Example CIDR: 2600:1f18:80c:a900::/56
• Addresses are “random” and can’t be scanned online (because too many)
• VPC suppor t for IPv6
• Create an IPv6 CIDR for VPC & use an IGW (supports IPv6)
• Public subnet:
• Create an instance with IPv6 support
• Create a route table entry to ::/0 (IPv6 “all”) to the IGW
• Private subnet (instances cannot be reached by IPv6 but can reach IPv6):
• Create an Egress-Only Internet Gateway in the VPC
• Add a route table entry for the private subnet from ::/0 to the Egress-Only IGW

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
VPC Peering
• Connect two VPC, privately using AWS’
network VPC peering
Aß àB
VPC A VPC B
• Make them behave as if they were in the
same network
• Must not have overlapping CIDR
• VPC Peering connection is not transitive
(must be established for each VPC that
need to communicate with one another) VPC C
• You can do VPC peering with another VPC peering VPC peering
AWS account Aß àC Bß à C

• You must update route tables in each

VPC’s subnets to ensure instances can
communicate

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
VPC Peering – Good to know
• VPC peering can work inter-region, cross-account
• You can reference a security group of a peered VPC (works cross account)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
VPC Peering – Longest Prefix Match
• VPC uses the longest prefix match to select the most specific route

• Here the longest prefix for 10.0.0.77 is 10.0.0.77/32 (route table VPC A)
• (other way of saying it is “most specific route”)
https://docs.aws.amazon.com/vpc/latest/peering/peering-configurations-partial-access.html#one-to-two-vpcs-lpm

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
VPC Peering – Invalid Configurations
Overlapping CIDR for IPv4 No Transitive VPC Peering

No Edge to Edge Routing

VPN, Direct Connect, IGW, NAT, Gateway VPC Endpoint (S3 & DynamoDB)
https://docs.aws.amazon.com/vpc/latest/peering/invalid-peering-configurations.html
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
VPC Peering – Invalid Configuration
No edge to edge routing
• This is an invalid configuration
• VPC Peering does not suppor t edge to edge routing for NAT devices
Central VPC
VPC VPC
Public subnet
Private subnet Private subnet

X NAT Gateway X

Internet Gateway

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Transit Gateway
• For having transitive peering between thousands of VPC and
on-premises, hub-and-spoke (star) connection
• Regional resource, can work cross-region
• Share cross-account using Resource Access Manager (RAM)
• You can peer Transit Gateways across regions
• Route Tables: limit which VPC can talk with other VPC
• Works with Direct Connect Gateway, VPN connections
• Supports IP Multicast (not supported by any other AWS
service)
• Instances in a VPC can access a NAT Gateway, NLB,
PrivateLink, and EFS in others VPCs attached to the AWS
Transit Gateway.

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Transit Gateway – Central NAT Gateway
• The NAT Gateway is
shared in the Egress-
VPC
• The private App VPC
can access internet
through the TGW
• In this example: the
App VPCs cannot
communicate with
each other based on
the TGW route table

https://aws.amazon.com/blogs/networking-and-content-delivery/creating-a-single-internet-
exit-point-from-multiple-vpcs-using-aws-transit-gateway/
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Transit Gateway – Sharing through RAM
• You can use AWS RAM to share a Transit Gateway for VPC attachments
across accounts or across AWS Organization

AWS Account - A AWS Account - B

Transit 1. share
Gateway
2. accept

Transit
3. use Gateway
VPC-A VPC-B

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Transit Gateway – Use Different Route Tables
to Prevent VPC from Communicating
Prod Account Pre-Prod Account Staging Account Dev Account

VPC-A VPC-B VPC-C VPC-D

(10.1.0.0/16) (10.2.0.0/16) (10.3.0.0/16) (10.4.0.0/16)
TGW Attachment-A TGW Attachment-B TGW Attachment-C TGW Attachment-D

Network Service Account

Prod Route Table Staging Route Table
CIDR Next Hop CIDR Next Hop
10.1.0.0/16 TGW Attachment-A 10.3.0.0/16 TGW Attachment-C
VPC-E
(10.5.0.0/16) Transit 10.2.0.0/16 TGW Attachment-B 10.4.0.0/16 TGW Attachment-D
Gateway

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Transit Gateway to Direct Connect Gateway
AWS Cloud

us-east-1 Transit
Gateway
VPC-A
Corporate
VPC-B Data Center

TGW
us-west-2 Peering
Direct Connect Direct Connect
VPC-C Gateway Location
VPC-D
Transit
Gateway

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Transit Gateway – Inter & Intra Region Peering
Inter-Region
Region A Region B Peering Mesh Region C

Hub TGW Hub TGW Hub TGW

Intra-Region Intra-Region Intra-Region

Peering Mesh Peering Mesh Peering Mesh

Your Your/3rd Your Your/3rd Your Your/3rd

TGW Party TGW TGW Party TGW TGW Party TGW

• Billed hourly for each peering attachment, no data processing charges

• If data goes cross-region through the attachment, standard charges
• Specify the Transit Gateway ID

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
VPC Endpoints
• Endpoints allow you to connect to AWS VPC
Services using a private network instead of the Private subnet
public www network
• They scale horizontally and are redundant
VPC Endpoint
• No more IGW, NAT, etc… to access AWS Interface (ENI)
Services
• VPC Endpoint Gateway (S3 & DynamoDB) VPC Endpoint
• VPC Endpoint Interface (all except DynamoDB) Gateway

• In case of issues:
• Check DNS Setting Resolution in your VPC
• Check Route Tables
S3 DynamoDB CloudWatch

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
VPC Endpoint Gateway
• Only works for S3 and DynamoDB, must create one gateway per VPC
• Must update route tables entries
• Gateway is defined at the VPC level

EC2
VPC Endpoint S3
Gateway
• DNS resolution must be enabled in the VPC
• The same public hostname for S3 can be used
• Gateway endpoint cannot be extended out of a VPC (VPN, DX, TGW, peering)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
VPC Endpoints Interface
• Provision an ENI that will have a private endpoint interface hostname
• Leverage Security Groups for security
• Private DNS (setting when you create the endpoint)
• The public hostname of a service will resolve to the private Endpoint Interface hostname
• VPC Setting: “Enable DNS hostnames” and “Enable DNS Support” must be 'true’
• Example for Athena:
• vpce-0b7d2995e9dfe5418-mwrths3x.athena.us-east-1.vpce.amazonaws.com
• vpce-0b7d2995e9dfe5418-mwrths3x-us-east-1a.athena.us-east-1.vpce.amazonaws.com
• vpce-0b7d2995e9dfe5418-mwrths3x-us-east-1b.athena.us-east-1.vpce.amazonaws.com
• athena.us-east-1.amazonaws.com (private DNS name)
• Interface can be accessed from Direct Connect and Site-to-Site VPN

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
VPC Endpoint Policies
• Endpoint Policies are JSON documents to control access to services
• Does not override or replace IAM user policies or service-specific
policies (such as S3 bucket policies)
• Note: the IAM user
can still use other SQS
API from outside the
VPC Endpoint
• You could add an SQS
queue policy to deny
any action not done
through the VPC
endpoint
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
VPC Endpoint Policy & S3 bucket policy
• VPC Endpoint Policy to restrict access to bucket “my_secure_bucket”

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
VPC Endpoint Policy & S3 bucket policy
• VPC Endpoint Policy to allow access to Amazon Linux 2 repositories

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
VPC Endpoint Policy & S3 bucket policy
• S3 bucket policy may have
• Condition: "aws:sourceVpce": "vpce-1a2b3c4d" to Deny any traffic that doesn't
come from a specific VPC endpoint (more secure)
• Condition: "aws:sourceVpc": "vpc-111bbb22" for a specific VPC
• The aws:sourceVpc condition only works for VPC Endpoints, in case
you have multiple endpoints and want to manage access to your S3
buckets for all your endpoints
• The S3 bucket policies can restrict access only from a specific public IP
address or an elastic IP address. You can’t restrict based on private IP
• Therefore aws:SourceIp condition doesn’t apply for VPC endpoints

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Example S3 bucket policies
• S3 bucket policy to restrict to one • S3 bucket policy to restrict to an
specific VPC Endpoint entire VPC (multiple VPC Endpoints)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
VPC Endpoint Policies for S3
Troubleshooting
Check IAM permissions

VPC
Private subnet
Security group

Check SG Route table VPC Endpoint

Amazon S3
Outbound Rules Must have route to S3 Gateway
Using gateway VPC Endpoint Verify
Check VPC Endpoint Policy S3 bucket policy
Check VPC DNS settings
DNS resolution must be enabled

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS PrivateLink (VPC Endpoint Services)
• Most secure & scalable way to expose a service to 1000s of VPC (own or other accounts)
• Does not require VPC peering, internet gateway, NAT, route tables…
• Requires a network load balancer (Service VPC) and ENI (Customer VPC)
• If the NLB is in multiple AZ, and the ENI in multiple AZ, the solution is fault tolerant!

Service VPC Customer VPC

AWS Private Link

AWS
private
Application Network Elastic Network Consumer
service Load Balancer Interface (ENI) Application

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
PrivateLink for Amazon S3 with Direct Connect

AWS Cloud
Public VIF
Corporate
Data Center VPC
Private VIF

Direct Connect PrivateLink Interface Amazon S3

VPC Endpoint

us-east-1 eu-west-1

VPC VPC

EC2 Instances
VPC Peering Interface
VPC Endpoint Amazon S3

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Site to Site VPN (AWS Managed VPN)
• on-premises: Corporate
• Setup a software or hardware VPN appliance data center
to your on-premises network.
• The on-premises VPN should be accessible VPN appliance
using a public IP Public IP
• AWS-side:
Customer Gateway
• Setup a Virtual Private Gateway (VGW) and
attach to your VPC
• Setup a Customer Gateway to point the on- Site-to-Site VPN Site-to-Site VPN
premises VPN appliance Public Tunnel 2 (IPSec)
Tunnel 1 (IPSec) internet
• Two VPN connections (tunnels) are
created for redundancy, encrypted using VPC Virtual Private
IPSec Gateway
• Can optionally accelerate it using Global (VGW)
Accelerator (for worldwide networks) Private subnet

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Route Propagation in Site-to-Site VPN
VPC
Corporate
Route Table CGW Site-to-Site VPN VGW Private subnet
data center Route Table

10.3.0.0/20 Custom ASN Custom ASN 10.0.0.1/24

• Static Routing:
• Create static route in corporate data center for 10.0.0.1/24 through the CGW
• Create static route in AWS for 10.3.0.0/20 through the VGW
• Dynamic Routing (BGP):
• Uses BGP (Border Gateway Protocol) to share routes automatically (eBGP for internet)
• We don’t need to update the routing tables, it will be done for us dynamically
• Just need to specify the ASN (Autonomous System Number) of the CGW and VGW

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Site to Site VPN and Internet Access
• NOT OKAY (blocked by NAT Gateway restrictions)
VPC Public subnet
Corporate
CGW VGW
data center
google.com
(or direct connect)
NAT Gateway IGW

• OKAY (self managed NAT Instance – more control)

VPC Public subnet
Corporate
CGW VGW
data center
google.com
(or direct connect)
NAT Instance IGW

• OKAY (alternative to NAT Instances / Gateway)

VPC
Corporate
CGW VGW Private subnet
data center

Google.com

on-premises NAT (or direct connect)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS VPN CloudHub
• Can connect up to 10 Customer Gateway
for each Virtual Private Gateway (VGW)
• Low cost hub-and-spoke model for
primary or secondary network
connectivity between locations
• Provide secure communication between
sites, if you have multiple VPN connections
• It’s a VPN connection so it goes over the
public internet
• Can be a failover connection between
your on-premises locations

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
VPN to multiple VPC
Corporate
data center
• For VPN-based
customers, AWS
recommends creating a
separate VPN Customer Gateway
connection for each
customer VPC.
• Direct Connect is
recommended because
it has a Direct Connect
VGW VGW VGW
Gateway
VPC VPC VPC

• Create a VPN connection between on-

premises and shared service VPC
• Replicate services, applications, VPC Peering
databases between on-premises and
the Shared Services VPC or deploy
proxies in the shared service VPC
Replicated Application
• Do VPC peering between the VPC and Services Proxies
the shared service VPC Shared Services VPC
• VPCs can directly access the Shared
Service VPC services and do not need VGW
VPN connections to on-premises Site-to-Site VPN

CGW

Corporate data center

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Client VPN
• Connect from your computer using OpenVPN to your private network
in AWS and on-premises
Computer with AWS Client VPN (OpenVPN)

e IP Uses
at priva
s priv te IP
Use
VPC
Corporate
CGW Site-to-Site VPN VGW Private subnet
data center

10.3.0.0/20 Custom ASN Custom ASN 10.0.0.1/24

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Client VPN – Peered VPC
• Client VPN is compatible with VPC peering

VPC – A
(172.31.0.0/16)
Private Subnet
Clients (172.31.0.0/20)

Client VPN ENI

(172.31.4.104)

Client VPN Endpoint

VPC Peering

VPC – B
(10.2.0.0/16)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Client VPN – Access to On-Premises
• Access On-Premises resources through AWS with Client VPN
VPC – A
(172.31.0.0/16)
Private Subnet
Clients (172.31.0.0/20)

Client VPN ENI

(172.31.4.104)

Client VPN Endpoint

S2S VPN

Corporate
Data Center

Users Internet

Internet AWS Client VPN

AWS Client VPN

VPC (10.1.0.0/16)

VPC (10.1.0.0/16) Private Subnet – AZ A Private Subnet – AZ B

Public Subnet – AZ A Public Subnet – AZ B ENI ENI

ENI ENI
Public Subnet – AZ A Public Subnet – AZ B

NATGW NATGW
Internet
Gateway Internet
Gateway
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Client VPN – Transit Gateway
VPC – B (10.2.0.0/16)
VPC – A (10.1.0.0/16)

Private Subnet – AZ A

ENI
VPC – C (10.3.0.0/16)
Transit
Internet Private Subnet – AZ B Gateway
Users
AWS Client VPN
ENI

VPC – D (10.4.0.0/16)

VPC Peering

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Client VPN – Transit Gateway
VPC – B (10.2.0.0/16) VPC – C (10.3.0.0/16)

VPC – A (10.1.0.0/16)

Private Subnet – AZ A

Corporate
ENI Data Center

Internet Private Subnet – AZ B Direct

Users Transit Connect Customer
AWS Client VPN
ENI Gateway Gateway

VPN Connection

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Direct Connect
• Provides a dedicated private connection from a remote network to
your VPC
• Dedicated connection must be setup between your DC and AWS
Direct Connect locations
• More expensive than running a VPN solution
• Private access to AWS services through VIF
• Bypass ISP, reduce network cost, increase bandwidth and stability
• Not redundant by default (must setup a failover DX or VPN)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Direct Connect – Virtual Interfaces (VIF)
• Public VIF – connect to Public AWS Endpoints (S3 buckets, EC2 service,
anything AWS …)
• Private VIF – connect to resources in your VPC (EC2 instances, ALB, …)
• Transit Vir tual Interface – connect to resources in a VPC using a Transit
Gateway

• VPC Interface Endpoints can be accessed through Private VIF

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Direct Connect Diagram
Region
(us-east-1)
VPC Corporate
data center
Private Subnet
VLAN 1
VLAN 2
Virtual Private Gateway AWS Direct Customer or Customer
Connect Endpoint partner router router/firewall
EC2 Instances
Customer or
AWS Cage partner cage

AWS Direct Connect Location Customer Network

Amazon Glacier Amazon S3

Private virtual interface
Public virtual interface

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Direct Connect – Connection Types
• Dedicated Connections: 1Gbps, 10 Gbps, 100 Gbps capacity
• Physical ethernet port dedicated to a customer
• Request made to AWS first, then completed by AWS Direct Connect Partners

• Hosted Connections: 50Mbps, 500 Mbps, to 10 Gbps

• Connection requests are made via AWS Direct Connect Partners
• Capacity can be added or removed on demand
• 1, 2, 5, 10 Gbps available at select AWS Direct Connect Partners

• Lead times are often longer than 1 month to establish a new connection

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Direct Connect – Encryption
Region
• Data in transit is not encrypted but is (us-east-1)
private VPC

Availability Zone Corporate

(us-east-1a)
• AWS Direct Connect + VPN provides Private Subnet 1
Data Center

an IPsec-encrypted private connection

Client

EC2 Instances
• VPN over Direct Connect connection
Uses Public VIF Availability Zone
(us-east-1b) Virtual AWS Direct
VPN
Customer
Connection
Private Connect Endpoint Gateway
Private Subnet 2 Gateway

AWS Direct
• Good for an extra level of security, but Connect
Location
slightly more complex to put in place EC2 Instances

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Direct Connect – Link Aggregation Groups
(LAG)
Region
(us-east-1)
• Get increased speed and failover by
summing up existing DX connections VPC
into a logical one Availability Zone

• Can aggregate up to 4 connections (us-east-1a)

LAG 1
Corporate
Data Center
(active-active mode) Private Subnet 1 Conn
ectio
n1

• Can add connections over time to Connection 2

the LAG EC2 Instances

AWS Direct
Connect
Customer
Gateway
• All connections in the LAG: Availability Zone
Location - A

• Must be dedicated connections (us-east-1b) Virtual

• Must have the same bandwidth Private Subnet 2

Private
Gateway LAG 2
Corporate
Data Center
• Must terminate at the same AWS Direct Conn
ectio
n1
Connect Endpoint
Connection 2
• Can set a minimum number of EC2 Instances AWS Direct Customer
connections for the LAG to function Connect
Location - B
Gateway

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Direct Connect Gateway
• If you want to setup a Direct Connect to one or more VPC in many different
regions (same/cross account), you must use a Direct Connect Gateway
Region Region
(us-east-1) (us-west-1)

VPC VPC

Customer network
10.0.0.0/16 172.16.0.0/16
Private virtual
Private virtual
interface
interface

Private virtual AWS Direct

interface Connect
Direct Connect Gateway connection

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Direct Connect Gateway + Transit Gateway
Direct Connect
Gateway

VPC VPC
Transit
Gateway

VPN
Connection

VPC VPC
Customer
Gateway

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Site-to-Site Active-Active Connection
Active-Active VPN Connection

AWS Region Corporate Data Center 1

(10.0.0.0/16)

VPC
(172.16.0.0/16)
Customer
Gateway
VPN Connection

Virtual Private Corporate Data Center 2

Gateway (10.1.0.0/16)

VPN Connection

Customer
Gateway

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Direct Connect – High Availability
Multiple connections at multiple AWS Direct Connect locations

Corporate
Data Center
Region

AWS Direct
Connect Location 1

Corporate
Data Center

AWS Direct
Connect Location 2

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Direct Connect – High Availability
Backup VPN Connection

AWS Region Corporate Data Center 1

(10.0.0.0/16)

VPC VPN Connection

(172.16.0.0/16)
Customer
Gateway

Virtual Private
Gateway Corporate Data Center 2
(10.1.0.0/16)

Customer
AWS Direct
Connect Location 1 Gateway

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Direct Connect Gateway – SiteLink
• Allows you to send data from on Direct Connect location to another
• Bypassing AWS Regions
• Use cases: create private network connections between on-premises
data centers by connecting them to Direct Connect locations
• Data is sent over the fastest path between Direct Connect locations
AWS Cloud Direct Connect Location - A Corporate Data Center - A

Traffic Allowed DX Logical Device Customer Router

Direct Connect
Gateway Direct Connect Location - B Corporate Data Center - B

Traffic Allowed DX Logical Device Customer Router

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
VPC Flow Logs
• Capture information about IP traffic going into your interfaces:
• VPC Flow Logs
• Subnet Flow Logs
• Elastic Network Interface (ENI) Flow Logs
• Helps to monitor & troubleshoot connectivity issues
• Flow logs data can go to S3, CloudWatch Logs, and Kinesis Data Firehose
• Captures network information from AWS managed interfaces too: ELB,
RDS, ElastiCache, Redshift, WorkSpaces, NATGW, Transit Gateway…

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
VPC Flow Logs Syntax
version interface-id dstaddr dstport packets start action

account-id srcaddr srcport protocol bytes end log-status

• srcaddr & dstaddr – help identify problematic IP

• srcpor t & dstpor t – help identity problematic ports
• Action – success or failure of the request due to Security Group / NACL
• Can be used for analytics on usage patterns, or malicious behavior
• Query VPC flow logs using Athena on S3 or CloudWatch Logs Insights
• Flow Logs examples: https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-
records-examples.html

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
VPC Flow Logs – Troubleshoot SG & NACL issues
Look at the “ACTION” field

Incoming Requests Outgoing Requests

• Inbound REJECT => NACL or SG • Outbound REJECT => NACL or SG
• Inbound ACCEPT, Outbound REJECT => • Outbound ACCEPT, Inbound REJECT =>
NACL NACL

Subnet Subnet
NACL Inbound SG Inbound NACL Outbound SG Outbound Security Group
Security Group
Rules Rules Rules Rules

NACL
NACL

NACL Outbound NACL Inbound Inbound Allowed

Outbound Allowed
Rules (Stateless) EC2 Instance Rules (Stateless) (Stateful) EC2 Instance
(Stateful)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
VPC Flow Logs – Architectures
Top-10 IP addresses

VPC Flow Logs CloudWatch Logs CloudWatch

Contributor Insights

Metric Filter Alert

SSH, RDP…

VPC Flow Logs CloudWatch Logs CW Alarm Amazon SNS

Amazon Amazon
VPC Flow Logs S3 Bucket
Athena QuickSight

• My Virtual Private Cloud (VPC) flow logs show Action = ACCEPT for www

inbound traffic coming from public IP addresses. However, my

understanding of network address translation (NAT) gateways was Internet
that they don't accept traffic from the internet. Is my NAT gateway VPC
Gateway

accepting inbound traffic from the internet?

• Inbound traffic is permitted by Security Group or NACLs
• Traffis isn’t permitted by the NAT Gateway, it’s dropped Public Subnet
• To confirm run the following query in CloudWatch Log Group
filter (dstAddr like 'xxx.xxx' and srcAddr like 'public IP’) Elastic IP
| stats sum(bytes) as bytesTransferred by srcAddr, dstAddr NAT Gateway
| limit 10
• Make ‘xxx.xxx’ the first two octets of your VPC CIDR Private Subnet

• Replace Public IP with the IP you see in logs

• You will see traffic on the Private IP of the NAT Gateway but EC2 Instance
nowhere else: traffic was unsolicited and then dropped AZ - A

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Network Protection on AWS
• To protect network on AWS, we’ve seen
• Network Access Control Lists (NACLs)
• Amazon VPC security groups
• AWS WAF (protect against malicious requests)
• AWS Shield & AWS Shield Advanced
• AWS Firewall Manager (to manage them across accounts)

• But what if we want to protect in a sophisticated way our entire VPC?

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Network Firewall
internet
• Protect your entire Amazon VPC
AWS Network Firewall
• From Layer 3 to Layer 7 protection
• Any direction, you can inspect
• VPC to VPC traffic VPC
Direct Connect
• Outbound to internet
• Inbound from internet Private subnet
• To / from Direct Connect & Site-to-Site VPN
Corporate DC
• Internally, the AWS Network Firewall uses VPN connection
the AWS Gateway Load Balancer
• Rules can be centrally managed cross-
account by AWS Firewall Manager to apply
to many VPCs
Peered VPC

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Network Firewall – Fine Grained Controls
• Supports 1000s of rules
• IP & port - example: 10,000s of IPs filtering
• Protocol – example: block the SMB protocol for outbound communications
• Stateful domain list rule groups: only allow outbound traffic to *.mycorp.com or third-party
software repo
• General pattern matching using regex
• Traffic filtering: Allow, drop, or aler t for the traffic that matches the rules
• Active flow inspection to protect against network threats with intrusion-
prevention capabilities (like Gateway Load Balancer, but all managed by AWS)

• Send logs of rule matches to Amazon S3, CloudWatch Logs, Kinesis Data Firehose

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Network Firewall - Architecture
Egress VPC
(192.168.0.0/24)

• Nor th-South VPC

egress to Internet VPC 1
Internet Gateway Internet
(10.0.1.0/24) NAT Gateway

Instances
• Nor th-South VPC Inspection VPC
to VPN or Direct (192.168.1.0/26)

Connect
VPC 2
(10.0.2.0/24)
AWS Transit Gateway AWS Network Firewall
• East-West VPC to Instances
VPC

VPN Connection AWS Direct Connect

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon Rekognition
• Find objects, people, text, scenes in images and videos using ML
• Facial analysis and facial search to do user verification, people counting
• Create a database of “familiar faces” or compare against celebrities
• Use cases:
• Labeling
• Content Moderation
• Text Detection
• Face Detection and Analysis (gender, age range, emotions…)
• Face Search and Verification
• Celebrity Recognition
• Pathing (ex: for sports game analysis)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon Rekognition – Content Moderation
• Detect content that is inappropriate, unwanted, Image
or offensive (image and videos)
• Used in social media, broadcast media,
advertising, and e-commerce situations to create Amazon
a safer user experience Rekognition
• Set a Minimum Confidence Threshold for
items that will be flagged
• Flag sensitive content for manual review in Confidence Level
Amazon Augmented AI (A2I) and Threshold

• Help comply with regulations

Optional Manual
review in A2I
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon Transcribe
• Automatically conver t speech to text
• Uses a deep learning process called automatic speech recognition (ASR) to
convert speech to text quickly and accurately
• Automatically remove Personally Identifiable Information (PII) using Redaction
• Suppor ts Automatic Language Identification for multi-lingual audio
• Use cases:
• transcribe customer service calls
• automate closed captioning and subtitling
• generate metadata for media assets to create a fully searchable archive

”Hello my name is Stéphane.

I hope you’re enjoying the course!

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon Polly
• Turn text into lifelike speech using deep learning
• Allowing you to create applications that talk

Hi! My name is Stéphane

and this is a demo of Amazon Polly

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon Polly – Lexicon & SSML
• Customize the pronunciation of words with Pronunciation lexicons
• Stylized words: St3ph4ne => “Stephane”
• Acronyms: AWS => “Amazon Web Services”
• Upload the lexicons and use them in the SynthesizeSpeech operation

• Generate speech from plain text or from documents marked up with Speech
Synthesis Markup Language (SSML) – enables more customization
• emphasizing specific words or phrases
• using phonetic pronunciation
• including breathing sounds, whispering
• using the Newscaster speaking style

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon Translate
• Natural and accurate language translation
• Amazon Translate allows you to localize content - such as websites and
applications - for international users, and to easily translate large
volumes of text efficiently.

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon Lex & Connect
• Amazon Lex: (same technology that powers Alexa)
• Automatic Speech Recognition (ASR) to convert speech to text
• Natural Language Understanding to recognize the intent of text, callers
• Helps build chatbots, call center bots
• Amazon Connect:
• Receive calls, create contact flows, cloud-based vir tual contact center
• Can integrate with other CRM systems or AWS
• No upfront payments, 80% cheaper than traditional contact center solutions

Phone Call call stream invoke schedule

Schedule an
Appointment
Connect Lex Lambda CRM
Intent recognized
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon Comprehend
• For Natural Language Processing – NLP
• Fully managed and serverless service
• Uses machine learning to find insights and relationships in text
• Language of the text
• Extracts key phrases, places, people, brands, or events
• Understands how positive or negative the text is
• Analyzes text using tokenization and parts of speech
• Automatically organizes a collection of text files by topic
• Sample use cases:
• analyze customer interactions (emails) to find what leads to a positive or negative experience
• Create and groups articles by topics that Comprehend will uncover

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon Comprehend Medical
• Amazon Comprehend Medical detects and returns useful information in
unstructured clinical text:
• Physician’s notes
• Discharge summaries
• Test results
• Case notes
• Uses NLP to detect Protected Health Information (PHI) – DetectPHI API
• Store your documents in Amazon S3, analyze real-time data with Kinesis
Data Firehose, or use Amazon Transcribe to transcribe patient narratives
into text that can be analyzed by Amazon Comprehend Medical.

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon SageMaker
• Fully managed service for developers / data scientists to build ML models
• Typically, difficult to do all the processes in one place + provision servers
• Machine learning process (simplified): predicting your exam score
label 670 build Train and Tune
890
934
ML model
Historical Data: score
# years of experience in IT
Apply model
# years of experience with AWS
Time spent on the course
… PASS WITH 906
New data Prediction

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon Forecast
• Fully managed service that uses ML to deliver highly accurate forecasts
• Example: predict the future sales of a raincoat
• 50% more accurate than looking at the data itself
• Reduce forecasting time from months to hours
• Use cases: Product Demand Planning, Financial Planning, Resource Planning, …

Historical Time-series Data:

Product features
Prices upload produce
Discounts
Website traffic
Store locations Forecasting Model Future sales
… Amazon S3 Amazon Forecast of raincoat:
$500,000

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon Kendra
• Fully managed document search service powered by Machine Learning
• Extract answers from within a document (text, pdf, HTML, PowerPoint, MS Word, FAQs…)
• Natural language search capabilities
• Learn from user interactions/feedback to promote preferred results (Incremental Learning)
• Ability to manually fine-tune search results (importance of data, freshness, custom, …)
Data Sources

Where is the IT support desk?

indexing
Amazon S3 Amazon RDS Google Drive MS SharePoint 1st floor
Knowledge Index
3rdparty, (powered by ML)
User
APNs,
MS OneDrive Custom Amazon Kendra

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon Personalize
• Fully managed ML-service to build apps with real-time personalized recommendations
• Example: personalized product recommendations/re-ranking, customized direct marketing
• Example: User bought gardening tools, provide recommendations on the next one to buy
• Same technology used by Amazon.com
• Integrates into existing websites, applications, SMS, email marketing systems, …
• Implement in days, not months (you don’t need to build, train, and deploy ML solutions)
• Use cases: retail stores, media and entertainment…

Websites & Apps

read data from S3
Amazon S3
Customized personalized API Mobile Apps

real-time data integration

Amazon Personalize API
SMS
Amazon Personalize

Emails
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon Textract
• Automatically extracts text, handwriting, and data from any scanned
documents using AI and ML
{
“Document ID”: “123456789-005”,
analyze result “Name”: “”,
“SEX”: “F”,
“DOB”: “23.05.1997”,
…
}
Amazon Textract

• Extract data from forms and tables

• Read and process any type of document (PDFs, images, …)
• Use cases:
• Financial Services (e.g., invoices, financial reports)
• Healthcare (e.g., medical records, insurance claims)
• Public Sector (e.g., tax forms, ID documents, passports)
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Machine Learning - Summary
• Rekognition: face detection, labeling, celebrity recognition
• Transcribe: audio to text (ex: subtitles)
• Polly: text to audio
• Translate: translations
• Lex: build conversational bots – chatbots
• Connect: cloud contact center
• Comprehend: natural language processing
• SageMaker: machine learning for every developer and data scientist
• Forecast: build highly accurate forecasts
• Kendra: ML-powered search engine
• Personalize: real-time personalized recommendations
• Textract: detect text and data in documents

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CodeCommit – Important – Deprecation
• On July 25th 2024, AWS abruptly discontinued CodeCommit
• New customers cannot use the service
• AWS recommends to migrate to an external Git solution

3rd party
• For this course:
• CodeCommit might still appear at the exam (for now)
• Every time I mention CodeCommit, assume there’s a GitHub integration

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Continuous Integration
• Developers push the code to a code
repository often (GitHub / CodeCommit /
Bitbucket / etc…)
• A testing / build server checks the code as
soon as it’s pushed (CodeBuild / Jenkins CI Tell developer
Push code
/ etc…) results of build
often
• The developer gets feedback about the
tests and checks that have passed / failed
Code
• Find bugs early, fix bugs Build Server
Repository
Get code
• Deliver faster as the code is tested build & test
• Deploy often
• Happier developers, as they’re unblocked

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Continuous Delivery
Push code
• Ensure that the software can be released often
reliably whenever needed. Code
• Ensures deployments happen often and Repository
Get code
are quick build & test
• Shift away from “one release every 3 Build Server
months” to ”5 releases a day” Deploy every
• That usually means automated deployment Deployment passing build
• CodeDeploy Server
• Jenkins CD
• Spinnaker Application Application Application
• Etc… Server v1 Server v1 Server v1

Application Application Application

Server v2 Server v2 Server v2
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Technology Stack for CICD
Code Build Test Deploy Provision

AWS AWS CodeBuild

AWS Elastic Beanstalk
CodeCommit (no time limit)

GitHub User Managed EC2

Jenkins CI
Or 3rd party AWS CodeDeploy Instances Fleet
Or 3rd party CI servers (CloudFormation)
code repository

Orchestrate: AWS CodePipeline

Elastic Beanstalk

DEV BRANCH

Pull Request & Merge CodeBuild CodeDeploy DEV Environment

CodeCommit
“PROD” CodePipeline

Elastic Beanstalk

PROD BRANCH

CodeBuild CodeDeploy PROD Environment

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CodeCommit Trigger for AWS Lambda
Developer
• Every push to CodeCommit can
trigger a Lambda function
push

• The Lambda function can scan for AWS CodeCommit

leaked AWS credentials on every
lock repository
code push, and disable them invoke

automatically to remedy the issue

API call to AWS Lambda
disable Access Keys (scan credentials)

IAM
trigger

Administrator
notify
AWS SNS

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Good to know – CICD
• You can use a manual approval stage in CodePipeline
• Running unit tests CodeCommit + CodeBuild + Code Pipeline
CodePipeline
CodeCommit CodeBuild
(Source) (Run Tests)

• Build and Store Docker Images: CodeBuild + ECR

CodeBuild Amazon ECR
(Build Image) Docker image (Store Image)

• Automated CloudFormation deployment: CodePipeline

Regular checks HTTP Webhooks

CodePipeline CodePipeline

VERSION 2

CodeStar Source Connection CodePipeline

(GitHub App)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon CodeGuru
• An ML-powered service for automated code reviews and application
performance recommendations
• Provides two functionalities
• CodeGuru Reviewer : automated code reviews for static code analysis (development)
• CodeGuru Profiler : visibility/recommendations about application performance during
runtime (production)

CodeGuru Reviewer CodeGuru Profiler

Detect and optimize Identify performance
Built-in code reviews the expensive lines and cost improvements
with actionable of code pre-prod in production
recommendations

Coding Build & Test Deploy Measure

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon CodeGuru Reviewer
• Identify critical issues, security
vulnerabilities, and hard-to-find bugs
• Example: common coding best practices,
resource leaks, security detection, input
validation
• Uses Machine Learning and automated
reasoning
• Hard-learned lessons across millions of
code reviews on 1000s of open-source
and Amazon repositories
• Supports Java and Python
• Integrates with GitHub, Bitbucket, and
AWS CodeCommit

https://aws.amazon.com/codeguru/features/
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon CodeGuru Profiler
• Helps understand the runtime behavior of your
application
• Example: identify if your application is consuming
excessive CPU capacity on a logging routine
• Features:
• Identify and remove code inefficiencies
• Improve application performance (e.g., reduce CPU
utilization)
• Decrease compute costs
• Provides heap summary (identify which objects using
up memory)
• Anomaly Detection
• Support applications running on AWS or on-
premise
• Minimal overhead on application

https://aws.amazon.com/codeguru/features/
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Alexa for Business, Lex & Connect
• Alexa for Business:
• Use Alexa to help employees be more productive in meeting rooms and their desk
• Measure and increase the utilization of meeting rooms in their workplace
• Amazon Lex: (same technology that powers Alexa)
• Automatic Speech Recognition (ASR) to convert speech to text
• Natural Language Understanding to recognize the intent of text, callers
• Helps build chatbots, call center bots
• Amazon Connect:
• Receive calls, create contact flows, cloud-based virtual contact center
• Can integrate with other CRM systems or AWS

Phone Call call stream invoke schedule

Schedule an
Appointment
Connect Lex Lambda CRM
Intent recognized
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Kinesis Video Streams
• One video stream per streaming device (producers)
• Security cameras, body worn camera, smartphone
• Can use a Kinesis Video Streams Producer library
• Underlying data is stored in S3 (but we don’t have access to it)
• Cannot output the stream data to S3 (must build custom solution)
• Consumers:
• Consumed by EC2 instances for real time analysis, or in batch
• Can leverage the Kinesis Video Stream Parser Library
• Integration with AWS Rekognition for facial detection

Kinesis Data Stream

Kinesis Video Stream Rekognition
Video
Producers,
DeepLens Metadata stream
Kinesis Data Firehose

Internal Rekognition
EC2
Face Collection
Kinesis Data Analytics

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon WorkSpaces
• Managed, Secure Cloud Desktop
• Great to eliminate management of on-premises VDI (Vir tual Desktop Infrastructure)
• Pricing is either on-demand (pay per hour) or monthly subscription
• Secure, Encrypted, Network Isolation
• Integrated with Microsoft Active Directory

secure Corporate
data center

User Virtual Desktop

Linux / Windows
AWS Cloud

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon WorkSpaces
• WorkSpaces Application Manager (WAM)
• Deploy and Manage applications as virtualized application containers
• Provision at scale, and keep the applications updated using WAM
• Windows Updates
• By default, Amazon Workspaces are configured to install software updates
• Amazon WorkSpaces with Windows will have Windows Update turned on
• You have full control over the Windows Update frequency
• Maintenance Windows
• Updates are installed during maintenance windows (you define them)
• Always On WorkSpaces: default is from 00h00 to 04h00 on Sunday morning
• AutoStop WorkSpaces: automatically starts once a month to install updates
• Manual maintenance: you define your windows and perform maintenance

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon WorkSpaces - Cross Region Redirection
us-west-1 (Primary Region)

Route 53 desktop.example.com
TXT Record
Failover type n alias Amazon WorkDocs
n e c tio (persistence for
C on WorkSpaces AWS Managed
Directory Microsoft AD user data)
Alarm

C on us-east-2 (Failover Region)

n ec
tion
alia
s

WorkSpaces AD Connector*
Directory
*must use AD Connector, can’t use multi-region AWS Managed Microsoft AD

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon WorkSpaces
IP Access Control Groups Corporate data center

• Similar to security groups for

Amazon WorkSpaces User
Public IP from CIDR owned
• List of IP addresses / CIDR by Data Center
address ranges that users are
authorized to connect from
• If users access WorkSpaces IP Access Control Group
through VPN or NAT, the IP
Access Control Group must
authorize the public IP of these
WorkSpaces
Directory

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon AppStream 2.0
• Desktop Application Streaming Service
• Deliver to any computer, without acquiring, provisioning infrastructure
• The application is delivered from within a web browser

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon AppStream 2.0 vs WorkSpaces
• Workspaces
• Fully managed VDI and desktop available
• The users connect to the VDI and open native or WAM applications
• Workspaces are on-demand or always on

• AppStream 2.0
• Stream a desktop application to web browsers (no need to connect to a VDI)
• Works with any device (that has a web browser)
• Allow to configure an instance type per application type (CPU, RAM, GPU)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Device Farm
• Application testing service for
your mobile and web applications
• Test across real browsers and
real mobiles devices
• Fully automated using framework
• Improve the quality of web and
mobile apps
• Generates videos and logs to
document the issues encountered
• Can remotely log-in to devices
for debugging

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Macie
• Amazon Macie is a fully managed data security and data privacy service
that uses machine learning and pattern matching to discover and
protect your sensitive data in AWS.
• Macie helps identify and alert you to sensitive data, such as personally
identifiable information (PII)

analyze notify integrations

S3 Buckets Macie Amazon

Discover Sensitive Data (PII) EventBridge

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon Simple Email Service (Amazon SES)
• Fully managed service to send emails securely, globally and at scale
• Allows inbound/outbound emails Users
• Reputation dashboard, performance insights, anti-spam feedback
• Provides statistics such as email deliveries, bounces, feedback loop bulk emails
results, email open
• Supports DomainKeys Identified Mail (DKIM) and Sender Policy
Framework (SPF)
• Flexible IP deployment: shared, dedicated, and customer-owned IPs
Amazon SES
• Send emails using your application using AWS Console, APIs, or SMTP
APIs
or SMTP
• Use cases: transactional, marketing and bulk email communications

Application
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon SES – Configuration Sets Users

bulk emails
• Configuration sets help you customize Amazon SNS
and analyze your email send events
Amazon SES
• Event destinations: With Config Set

• Kinesis Data Firehose: receives metrics

(numbers of sends, deliveries, opens, clicks,
bounces, and complaints) for each email Kinesis
Data Firehose
• SNS: for immediate feedback on bounce
and complaint information Amazon S3
• IP pool management: use IP pools to
send particular types of emails
Kinesis
Data Analytics
Athena
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Amazon Pinpoint
• Scalable 2-way (outbound/inbound) marketing
communications service
• Supports email, SMS, push, voice, and in-app messaging
Amazon
• Ability to segment and personalize messages with the SMS Pinpoint
right content to customers Customers
• Possibility to receive replies
• Scales to billions of messages per day stream events
(e.g., TEXT_SUCCESS,
• Use cases: run campaigns by sending marketing, bulk, TEXT_DELIVERED, …)
transactional SMS messages
• Versus Amazon SNS or Amazon SES
• In SNS & SES you managed each message's audience,
content, and delivery schedule
• In Amazon Pinpoint, you create message templates,
delivery schedules, highly-targeted segments, and full
campaigns
SNS Kinesis Data CloudWatch
Firehose Logs
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
EC2 Image Builder
• Used to automate the creation of Virtual Machines or container images
• => Automate the creation, maintain, validate and test EC2 AMIs
• Can be run on a schedule (weekly, whenever packages are updated, etc…)
• Free service (only pay for the underlying resources)
• Can publish AMI to multiple regions and multiple accounts
Build Components applied Test suite is run
(customize software on instance) (is the AMI working, secure?)

create create AMI is distributed

- can be multiple regions
- can be multiple accounts
EC2 Image Builder Builder EC2 Instance New AMI Test EC2 Instance

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
EC2 Image Builder – CICD Architecture
Stage 1: Build Code Stage 2: Build AMI Stage 3: Rollout

AWS CodePipeline

AWS CodeCommit AWS CodeBuild AWS CloudFormation AWS CloudFormation

Rolling update

EC2 Image Builder Auto Scaling

AMI Instances
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS IoT Core
• IoT stands for “Internet of Things” – the
network of internet-connected devices
that are able to collect and transfer data
• AWS IoT Core allows you to easily
connect IoT devices to the AWS Cloud
Publish & subscribe
• Serverless, secure & scalable to billions of messages
devices and trillions of messages
AWS IoT Core
• Integrates with a lot of AWS services
(Lambda, S3, SageMaker, etc.)
• Build IoT applications that gather, process,
analyze, and act on data

Kinesis DynamoDB SQS MSK

IoT Rules Actions etc…

IoT Topic SNS S3 AWS Lambda

IoT Rules

Lambda function
Amazon S3

Redshift

IoT Core Amazon Kinesis

rules actions Data Firehose OpenSearch

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Analysis from the Practice Sample questions
• Exam Page: https://aws.amazon.com/certification/certified-solutions-
architect-professional/

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Question 1
• An enterprise has a large number of AWS accounts owned by separate
business groups. One of the accounts was recently compromised. The
attacker launched a large number of instances, resulting in a high bill for
that account.
• The security breach was addressed, but management has asked a
solutions architect to develop a solution to prevent excessive spending
in all accounts. Each business group wants to retain full control over
its AWS account.
• Which solution should the solutions architect recommend to meet
these requirements?

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Question 1 – Architecture Diagram
AWS Cloud AWS Cloud AWS Cloud

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Option A
• Use AWS Organizations to add each AWS account to the master account.
Create a service control policy (SCP) that uses the `ec2:instanceType` condition
key to prevent the launch of high-cost instance types in each account.
SCP AWS ORGANIZATION SCP SCP
AWS Cloud AWS Cloud AWS Cloud

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Option B
• Attach a new customer-managed IAM policy to an IAM group in each
account that uses the ec2:instanceType condition key to prevent the launch
of high-cost instance types. Place all of the existing IAM users in each
group.
AWS Cloud AWS Cloud AWS Cloud
Users in a Group Policy

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CORRECT ANSWER
Option C
• Enable billing alerts on each AWS account. Create Amazon CloudWatch
alarms that send an Amazon SNS notification to the account
administrator whenever their account exceeds the spending budget.
AWS Cloud AWS Cloud AWS Cloud

Billing Alarm SNS Notification

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Option D
• Enable AWS Cost Explorer in each account. Regularly review the Cost
Explorer reports for each account to ensure spending does not
exceed the planned budget
AWS Cloud AWS Cloud AWS Cloud

Cost Explorer

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Question 2
• A company has multiple AWS accounts. The company has integrated its
on-premises Active Directory (AD) with AWS SSO to grant AD users
least privilege abilities to manage infrastructure across all the
accounts.
• A solutions architect must integrate a third-party monitoring solution
that requires read-only access across all AWS accounts. The
monitoring solutions will run in its own AWS account.
• How can the monitoring solution be given the required permissions?

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Question 2 - Architecture
AWS Cloud AWS Cloud

AWS Cloud

3rd party monitoring

AWS SSO
On Premises AD

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Option A
• Create a user in an AWS SSO directory and assign a read-only permissions set. Assign
all AWS accounts to be monitored to the new user. Provide the third-party
monitoring solution with the user name and password.
AWS Cloud AWS Cloud

AWS Cloud

3rd party monitoring

AWS SSO
On Premises AD
New User

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Note on option A
• Currently, the sample question PDF says:

• “A is incorrect because credentials supplied by AWS SSO are temporary, so the

application would lose permissions and have to re-login”

• That is wrong.

• Users created in AWS SSO have a password that doesn’t change and must respect
the password policy defined.

• Here Option A is wrong because you can’t have both users defined in AWS SSO
and in Active Directory. SSO only allows for one Identity source (SSO, AD or IdP).

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Option B
• Create an AWS IAM role in the organization's master account. Allow the
AWS account of the third-party monitoring solution to assume the role.
AWS Cloud AWS Cloud

AWS Cloud

Role 3rd party monitoring

AWS SSO
On Premises AD
AWS Master Account

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Option C
• Invite the AWS account of the third-party monitoring solution to join
the organization. Enable all features
AWS Cloud AWS Cloud

AWS Cloud

3rd party monitoring

AWS SSO
On Premises AD
AWS Master Account
AWS Organization
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CORRECT ANSWER
Option D
• Create an AWS CloudFormation template that defines a new AWS IAM role for
the third-party monitoring solution with the account of the third party listed in the
trust policy. Create the IAM role across all linked AWS accounts by using a stack set.
CloudFormation
StackSet To deploy
in all accounts

AWS Cloud AWS Cloud

Assume role thanks to trust

Stack Role

AWS Cloud

3rd party monitoring

AWS SSO
On Premises AD

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Question 3
• A team is building an HTML form hosted in a public Amazon S3
bucket. The form uses JavaScript to post data to an Amazon API
Gateway endpoint. The endpoint is integrated with AWS Lambda
functions. The team has tested each method in the API Gateway console
and received valid responses.
• Which combination of steps must be completed for the form to
successfully post to the API Gateway and receive a valid response?
(Select TWO.)

POST API Gateway Lambda

[restapi-id].execute-api.amazonaws.com

GET

Public S3 Bucket
Client

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CORRECT ANSWERS D,E
Options
• A) Configure the S3 bucket to
allow cross-origin resource
sharing (CORS).
• B) Host the form on Amazon
EC2 rather than Amazon S3. API Gateway Lambda
[restapi-id].execute-api.amazonaws.com
• C) Request a limit increase for
API Gateway.
• D) Enable cross-origin resource
sharing (CORS) in API Gateway.
Public S3 Bucket
• E) Configure the S3 bucket for Client
web hosting.

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Question 3 – Final Architecture
CORS is a Browser based security
CORS to allow calls with Origin [bucketname].s3.website-[region].amazonaws.com
Using the header Access-Control-Allow-Origin

POST API Gateway Lambda

[restapi-id].execute-api.amazonaws.com

GET

Web Browser Public S3 Bucket

[bucketname].s3.website-[region].amazonaws.com
Visits [bucketname].s3.website-[region].amazonaws.com
Makes API calls to [restapi-id].execute-api.amazonaws.com
With Origin: [bucketname].s3.website-[region].amazonaws.com

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Question 4
• A retail company runs a serverless mobile app built on Amazon API
Gateway, AWS Lambda, Amazon Cognito, and Amazon DynamoDB.
During heavy holiday traffic spikes, the company receives complaints of
intermittent system failures. Developers find that the API Gateway
endpoint is returning 502 Bad Gateway errors to seemingly valid
requests.
• Which method should address this issue?

Authentication
+ get token

502 errors in case of spikes

API Gateway

Cognito User Pools

Lambda

DynamoDB

• 5xx means Server errors

• 502: Bad Gateway Exception, usually for an incompatible output returned from a
Lambda proxy integration backend and occasionally for out-of-order invocations
due to heavy loads.
• 503: Service Unavailable Exception
• 504: Integration Failure – ex Endpoint Request Timed-out Exception
API Gateway requests time out after 29 second maximum

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CORRECT ANSWER
Option A
Client
• Increase the Authentication
concurrency limit for + get token
Lambda functions and
configure notification 502 errors in case of spikes
alerts to be sent by
Amazon CloudWatch API Gateway

when the Cognito User Pools

ConcurrentExecution CW Alarm
s metric approaches Concurrent
Lambda
the limit. Executions Metric

DynamoDB

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Option B Option B would work if we were receiving 429 errors
429: Quota exceeded, Throttle
Client
• Configure notification Authentication
alerts for the limit of + get token
transactions per
second on the API CW Alarm SNS
Gateway endpoint TPS Metric
and create a Lambda
function that will Cognito User Pools API Gateway
increase this limit, as
needed. Lambda
Lambda

AWS Service Quotas API

DynamoDB

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Option C Option C would be valid if we had performance issues
At Cognito User Pools, but that’s not the question
Client
• Shard users to Authentication
Amazon Cognito user + get token
pools in multiple
regions to reduce user 502 errors in case of spikes

authentication latency.
API Gateway

Cognito User Pools

Multiple Regions
Multiple Pools
Lambda

DynamoDB

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Option D
Client
• Use DynamoDB Authentication
strongly consistent + get token
reads to ensure the
latest data is always 502 errors in case of spikes

returned to the client

API Gateway
application.
Cognito User Pools

Lambda

Strongly Consistent Reads

DynamoDB

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Question 5
• A company is launching a new web service on an Amazon ECS cluster.
Company policy requires that the security group on the cluster
instances block all inbound traffic but HTTPS (port 443). The cluster
consists of Amazon 100 EC2 instances. Security engineers are
responsible for managing and updating the cluster instances. The security
engineering team is small, so any management efforts must be
minimized.
• How can the service be designed to meet these operational
requirements?

Security group

443

Client

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Option A
• Change the SSH port ECS Cluster
to 2222 on the cluster
instances with a user Security group

data script. Log in to

each instance using 443
SSH over port 2222
Client

2222

SSH Client

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Option B
• Change the SSH port to ECS Cluster
2222 on the cluster instances
with a user data script. Use Security group
AWS Trusted Advisor to
remotely manage the cluster
instances over port 2222 443

Client

2222

Trusted Advisor

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CORRECT ANSWER
Option C
• Launch the cluster ECS Cluster
instances with no
SSH key pairs. Use Security group
the Amazon EC2
Systems Manager
Run Command to 443
remotely manage SSM Agent
Client
the cluster instances

Run
Command

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Option D
• Launch the cluster ECS Cluster
instances with no SSH key
pairs. Use AWS Trusted Security group
Advisor to remotely
manage the cluster
instances. 443

Client

Trusted Advisor

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Question 6
• A company has two AWS accounts: one for production workloads and
one for development workloads. Creating and managing these
workloads are a development team and an operations team. The
company needs a security strategy that meets the following
requirements:
• Developers need to create and delete development application infrastructure.
• Operators need to create and delete both development and production
application infrastructure.
• Developers should have no access to production infrastructure.
• All users should have a single set of AWS credentials.
• What strategy meets these requirements?

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Option A
• In the development account:
• Create a development IAM group with the ability to create and delete
application infrastructure.
• Create an IAM user for each operator and developer and assign them to the
development group.
• In the production account:
• Create an operations IAM group with the ability to create and delete application
infrastructure.
• Create an IAM user for each operator and assign them to the operations group.

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Option B
• In the development account:
• Create a development IAM group with the ability to
create and delete application infrastructure.
• Create an IAM user for each developer and assign
them to the development group.
• Create an IAM user for each operator and assign
them to the development group and the operations
group in the production account.
• In the production account:
• Create an operations IAM group with the ability to
create and delete application infrastructure.

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Option C
• In the development account:
• Create a shared IAM role with the ability to create and delete application
infrastructure in the production account.
• Create a development IAM group with the ability to create and delete
application infrastructure.
• Create an operations IAM group with the ability to assume the shared role.
• Create an IAM user for each developer and assign them to the development
group.
• Create an IAM user for each operator and assign them to the development
group and the operations group.

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CORRECT ANSWER
Option D
• In the development account:
• Create a development IAM group with the ability to create and delete application
infrastructure.
• Create an operations IAM group with the ability to assume the shared role in the
production account.
• Create an IAM user for each developer and assign them to the development group.
• Create an IAM user for each operator and assign them to the development group and
the operations group.
• In the production account:
• Create a shared IAM role with the ability to create and delete application infrastructure.
• Add the development account to the trust policy for the shared role.

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Question 7
• A solutions architect needs to reduce costs for a big data application. The application
environment consists of hundreds of devices that send events to Amazon Kinesis
Data Streams. The device ID is used as the partition key, so each device gets a
separate shard. Each device sends between 50 KB and 450 KB of data per second.
The shards are polled by an AWS Lambda function that processes the data and
stores the result on Amazon S3.
• Every hour, an AWS Lambda function runs an Amazon Athena query against the
result data that identifies any outliers and places them in an Amazon SQS queue. An
Amazon EC2 Auto Scaling group of two EC2 instances monitors the queue and
runs a short (approximately 30-second) process to address the outliers. The devices
submit an average of 10 outlying values every hour.
• Which combination of changes to the application would MOST reduce costs?
(Select TWO.)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Question 7 – Architecture
Auto Scaling group

Poll

30s processing SQS

10 msgs / hour
Kinesis
Lambda
50-450KB /s
Shard 1

Shard 2 Athena

Shard 50 Lambda S3

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Options (choose 2)
A) Change the Auto Scaling group launch configuration to use smaller
instance types in the same instance family.
B) Replace the Auto Scaling group with an AWS Lambda function
triggered by messages arriving in the Amazon SQS queue.
C) Reconfigure the devices and data stream to set a ratio of 10 devices
to 1 data stream shard.
D) Reconfigure the devices and data stream to set a ratio of 2 devices to
1 data stream shard.
E) Change the desired capacity of the Auto Scaling group to a single EC2
instance.

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CORRECT ANSWER B
Option Group 1
Auto Scaling group
A) Change the Auto Scaling group Poll
launch configuration to use smaller small
SQS
instance types in the same instance > 30s processing 10 msgs / hour
family. small
B) Replace the Auto Scaling group
with an AWS Lambda function
triggered by messages arriving in SQS
the Amazon SQS queue. 10 msgs / hour
E) Change the desired capacity of
the Auto Scaling group to a single Auto Scaling group

EC2 instance. SQS

30s processing 10 msgs / hour

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CORRECT ANSWER D
Option Group 2
C) Reconfigure the devices
50-450KB /s x 10 = 500KB-4500KB / s
and data stream to set a
ratio of 10 devices to 1 Shard N
data stream shard.

50-450KB /s x 2 = 100KB-900KB / s
D) Reconfigure the devices
and data stream to set a Shard N
ratio of 2 devices to 1 data
stream shard.
Each shard has a limit of 1MB/s = 1000KB/s
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Question 8
• A company operates an ecommerce application on Amazon EC2 instances
behind an ELB Application Load Balancer. The instances run in an Amazon
EC2 Auto Scaling group across multiple Availability Zones. After an order is
successfully processed, the application immediately posts order data to an
external third-party affiliate tracking system that pays sales commissions for
order referrals. During a highly successful marketing promotion, the number
of EC2 instances increased from 2 to 20. The application continued to work
correctly, but the increased request rate overwhelmed the third-party affiliate
and resulted in failed requests.

• Which combination of architectural changes could ensure that the entire

process functions correctly under load? (Select TWO.)

ALB

Auto Scaling group

External API

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CORRECT ANSWER B
Option Group 1
• A) Move the code that calls the
affiliate to a new AWS Lambda
function. Modify the application
to invoke the Lambda function External API
asynchronously.
• B) Move the code that calls the
affiliate to a new AWS Lambda
function. Modify the application
to place the order data in an
Amazon SQS queue. Trigger SQS External API
the Lambda function from the
queue.

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CORRECT ANSWER D
Option Group 2
• C) Increase the timeout of
the new AWS Lambda
function.
• D) Adjust the concurrency
limit of the new AWS
Lambda function.
SQS External API
• E) Increase the memory of
the new AWS Lambda
function.

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Question 9
• A company has built an online ticketing web application on AWS. The
application is hosted on AWS App Runner and uses images that are stored in
an Amazon Elastic Container Registry (Amazon ECR) repository. The
application stores data in an Amazon Aurora MySQL DB cluster. The
company has set up a domain name in Amazon Route 53.

• The company needs to deploy the application across two AWS Regions in an
active-active configuration.

• Which combination of steps will meet these requirements with the LEAST
change to the architecture? (Select THREE.)

Route 53

us-east-1

App Runner ECR Registry

Service

Image

Aurora MySQL

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CORRECT ANSWER A
Option Group 1
• A) Set up Cross-Region Replication to the second Region for the ECR images
us-east-1 us-west-2
Cross-Region Replication

App Runner ECR Registry ECR Registry App Runner

Service Service

• B) Create a VPC endpoint from the ECR repository in the second Region
us-east-1 us-west-2
VPC Endpoint

App Runner ECR Registry VPC Endpoint App Runner

Service

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CORRECT ANSWER D
Option Group 2
• C) Edit the App Runner configuration by adding a second deployment target to the
second Region.
us-east-1 us-west-2

App Runner Container Container

Multi-Region Deploy
Service

• D) Deploy App Runner to the second Region. Set up Route 53 latency-based

routing.
us-east-1 us-west-2

Route 53

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CORRECT ANSWER F
Option Group 3
• E) Change the database by using Amazon DynamoDB global tables in the two
desired Regions.

us-east-1 us-west-2

Active/active replication
DynamoDB DynamoDB

• F) Use an Aurora global database with write forwarding enabled in the second
Region.
us-east-1 us-west-2

Replication
Aurora Aurora

Write forwarding

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Final Architecture
Record Name Type Routing Value
api.example.com A Latency App Runner Endpoint - 1
api.example.com A Latency App Runner Endpoint - 2
Route 53
us-east-1 us-west-2
Cross-Region Replication

App Runner ECR Registry ECR Registry App Runner

Service Service

Aurora Image Image Aurora

Replication

Write forwarding

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Question 10
• A company has deployed a multi-tier web application in the AWS Cloud. The
application consists of the following tiers:
• A Windows-based web tier that is hosted on Amazon EC2 instances with Elastic IP addresses
• A Linux-based application tier that is hosted on EC2 instances that run behind an Application
Load Balancer (ALB) that uses path-based routing
• A MySQL database that runs on a Linux EC2 instance

• All the EC2 instances are using Intel-based x86 CPUs. A solutions architect needs to
modernize the infrastructure to achieve better performance. The solution must
minimize the operational overhead of the application.

• Which combination of actions should the solutions architect take to meet these
requirements? (Select TWO.)

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Question 10 - Architecture
Web Tier Application Tier Database Tier

MySQL

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CORRECT ANSWER C
Option Group 1
• A) Run the MySQL database on multiple EC2 instances.
MySQL MySQL

• C) Migrate the MySQL database to Amazon Aurora Serverless.

Aurora Serverless

• D) Migrate all EC2 instance types to Graviton2.

• Not available for Windows Instances

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
CORRECT ANSWER B
Option Group 2
• B) Place the web tier • E) Replace the ALB for the application
instances behind an ALB. tier instances with a company-
managed load balancer.

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Your AWS Certification journey
Foundational Professional
Knowledge-based certification for Role-based certifications that validate advanced skills
foundational understanding of AWS Cloud. and knowledge required to design secure, optimized,
No prior experience needed. and modernized applications and to automate processes on AWS.
2 years of prior AWS Cloud experience recommended.

Associate Specialty
Role-based certifications that showcase your knowledge Dive deeper and position yourself as a trusted advisor to your
and skills on AWS and build your credibility as an AWS Cloud professional. stakeholders and/or customers in these strategic areas.
Prior cloud and/or strong on-premises IT experience recommended. Refer to the exam guides on the exam pages for recommended experience.

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Certification Paths – Architecture
Architecture
Solutions Architect
Design, develop, and manage
cloud infrastructure and assets,
work with DevOps to migrate
applications to the cloud
optional for IT/ recommended for IT/cloud Dive Deep
cloud professionals professionals to leverage AI

Architecture
Application Architect
Design significant aspects of
application architecture including
user interface, middleware, and
infrastructure, and ensure
enterprise-wide scalable, reliable,
optional for IT/ recommended for IT/cloud Dive Deep
and manageable systems cloud professionals professionals to leverage AI

https://d1.awsstatic.com/training-and-
certification/docs/AWS_certification_paths.pdf
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Certification Paths – Operations
Operations
Systems Administrator
Install, upgrade, and maintain
computer components and
software, and integrate
automation processes
optional for IT/ Dive Deep
cloud professionals

Operations
Cloud Engineer
Implement and operate an
organization’s networked computing
infrastructure and Implement
security systems to maintain
data safety
optional for IT/
cloud professionals
Dive Deep

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Certification Paths – DevOps
DevOps
Test Engineer
Embed testing and quality
best practices for software
development from design to release,
throughout the product life cycle
optional for IT/
cloud professionals
DevOps
Cloud DevOps Engineer
Design, deployment, and operations
of large-scale global hybrid
cloud computing environment,
advocating for end-to-end
automated CI/CD DevOps pipelines optional for IT/ Optional recommended for IT/cloud Dive Deep
cloud professionals professionals working on

DevOps AI/ML projects

DevSecOps Engineer
Accelerate enterprise cloud adoption
while enabling rapid and stable delivery
of capabilities using CI/CD principles,
methodologies, and technologies
optional for IT/ recommended for IT/cloud
cloud professionals professionals working on
© Stephane Maarek AI/ML projects
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Certification Paths – Security
Security
Cloud Security Engineer
Design computer security architecture
and develop detailed cyber security designs.
Develop, execute, and track performance
of security measures to protect information
optional for IT/ recommended for IT/cloud
cloud professionals professionals to secure
Dive Deep
AI/ML systems

Security
Cloud Security Architect
Design and implement enterprise cloud
solutions applying governance to identify,
communicate, and minimize business and
technical risks

optional for IT/ recommended for IT/cloud Dive Deep

cloud professionals professionals to secure
AI/ML systems

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Certification Paths – Development &
Networking
Development
Software Development Engineer
Develop, construct, and maintain
software across platforms and devices

optional for IT/ recommended for IT/cloud

cloud professionals professionals to leverage AI

Networking
Network Engineer
Design and implement computer
and information networks, such as
local area networks (LAN),
wide area networks (WAN),
optional for IT/ Dive Deep
intranets, extranets, etc. cloud professionals

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Certification Paths – Data Analytics &
AI/ML
Data Analytics
Cloud Data Engineer
Automate collection and processing
of structured/semi-structured data
and monitor data pipeline performance
optional for IT/ recommended for IT/cloud Dive Deep
cloud professionals professionals working on
AI/ML projects

AI/ML
Machine Learning Engineer
Research, build, and design artificial
intelligence (AI) systems to automate
predictive models, and design machine
learning systems, models, and schemes

optional for IT/ optional for AI/ML Dive Deep

cloud professionals professionals

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
AWS Certification Paths – AI/ML
AI/ML
Prompt Engineer
Design, test, and refine text
prompts to optimize the
performance of AI language models
optional for IT/ Dive Deep
cloud professionals
AI/ML
Machine Learning Ops Engineer
Build and maintain AI and ML platforms
and infrastructure. Design, implement,
and operationally support AI/ML model
activity and deployment infrastructure
optional for IT/ optional for AI/ML
cloud professionals professionals

AI/ML
Data Scientist
Develop and maintain AI/ML models
to solve business problems. Train and
fine tune models and evaluate
their performance
optional for IT/ optional for AI/ML
cloud professionals professionals
© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Congratulations

© Stephane Maarek
NOT FOR DISTRIBUTION © Stephane Maarek www.datacumulus.com
Next steps
• Congratulations, you have covered all the domains!
• Make sure you revisit the lectures as much as possible

• The AWS Certified SA Pro exam is hard, and tests experience…

• Make sure you master every single concept outlined in this course

• For Hands On experience, have a look at the AWS Solutions Architect

Associate, Developer Associate, SysOps Adminsitrator Associate,
DevOps Professional courses

Jon Bonso - AWS Certified Solutions Architect Associate SAA-C03-Tutorials Dojo (2022)
67% (9)
Jon Bonso - AWS Certified Solutions Architect Associate SAA-C03-Tutorials Dojo (2022)
288 pages
PassLeader - aws.SAA C03.Dumps.196.Q&as
100% (1)
PassLeader - aws.SAA C03.Dumps.196.Q&as
94 pages
AWS Certified Solutions Architect - Associate SAA-C03 Exam-22June2023
100% (2)
AWS Certified Solutions Architect - Associate SAA-C03 Exam-22June2023
272 pages
Tutorials Dojo Study Guide and Cheat Sheets AWS Certified Cloud Practitioner 2021 10 01 xrhf1w
100% (13)
Tutorials Dojo Study Guide and Cheat Sheets AWS Certified Cloud Practitioner 2021 10 01 xrhf1w
196 pages
Aws Certified Solutions Architect Associate Saa C03 DUMPS
50% (4)
Aws Certified Solutions Architect Associate Saa C03 DUMPS
402 pages
Associate SAA-C03-ENG-01
No ratings yet
Associate SAA-C03-ENG-01
39 pages
AWS Certified Solutions Architect Study Guide: Associate SAA-C02 Exam
From Everand
AWS Certified Solutions Architect Study Guide: Associate SAA-C02 Exam
David Clinton
No ratings yet
AWS Certified Solutions Architect - Associate SAA-C03 Exam Questions and Answers
No ratings yet
AWS Certified Solutions Architect - Associate SAA-C03 Exam Questions and Answers
43 pages
Aws Solution Architect Associate Guide
100% (2)
Aws Solution Architect Associate Guide
43 pages
AWS Solutions Architect Associate (SAA-C03) Cheat Sheet
No ratings yet
AWS Solutions Architect Associate (SAA-C03) Cheat Sheet
14 pages
AWS Certified Solutions Architect - Associate SAA-C03 Exam Exam QAs Page 1 - ExamTopics-LATEST
100% (2)
AWS Certified Solutions Architect - Associate SAA-C03 Exam Exam QAs Page 1 - ExamTopics-LATEST
204 pages
AWS Stephane Maarek Practice Test1 From Udemy June
No ratings yet
AWS Stephane Maarek Practice Test1 From Udemy June
151 pages
AWS Certified Solutions Architect Associate (Jon Bonso and Adrian Formaran)
80% (5)
AWS Certified Solutions Architect Associate (Jon Bonso and Adrian Formaran)
236 pages
AWS CSAA Practice-Questions DCT V08-Ambu0d
100% (11)
AWS CSAA Practice-Questions DCT V08-Ambu0d
411 pages
AWS Certified Solutions Architect - Associate SAA-C03 Exam
No ratings yet
AWS Certified Solutions Architect - Associate SAA-C03 Exam
249 pages
PassLeader - aws.SAA C03.Dumps.644.Q As
No ratings yet
PassLeader - aws.SAA C03.Dumps.644.Q As
309 pages
AWS Certified Cloud Practitioner Exam
100% (1)
AWS Certified Cloud Practitioner Exam
332 pages
ExamTopicsSAA C03 2 6
No ratings yet
ExamTopicsSAA C03 2 6
427 pages
AWS Lab Workbook v1.0
93% (14)
AWS Lab Workbook v1.0
127 pages
SAA C03 Edu Re Igq50n
No ratings yet
SAA C03 Edu Re Igq50n
651 pages
AWS Certified Cloud Practitioner Exam (CLF-C02)
100% (1)
AWS Certified Cloud Practitioner Exam (CLF-C02)
13 pages
AWS Certified Cloud Practitioner - Practice Paper 1: AWS Certified Cloud Practitioner, #1
From Everand
AWS Certified Cloud Practitioner - Practice Paper 1: AWS Certified Cloud Practitioner, #1
Tech Interviews
4.5/5 (2)
Sanford N. AWS Certified Solutions Architect Associate (SAA-C02) 2021
100% (1)
Sanford N. AWS Certified Solutions Architect Associate (SAA-C02) 2021
378 pages
Latest Amazon AWS-Certified-Cloud-Practitioner Dumps Questions
50% (4)
Latest Amazon AWS-Certified-Cloud-Practitioner Dumps Questions
8 pages
AWS Certified Solutions Architect - Associate SAA-C03 - New
100% (4)
AWS Certified Solutions Architect - Associate SAA-C03 - New
245 pages
AWS Certified Solutions Architect Associate (SAA-C03) Exam Notes - Coding N Concepts2
100% (1)
AWS Certified Solutions Architect Associate (SAA-C03) Exam Notes - Coding N Concepts2
58 pages
Aws Dumps
100% (1)
Aws Dumps
168 pages
AWS Certified Solution Architect Associate Study Guide V1.0 Abdul Jaseem VP Release 30 Aug 2020
100% (6)
AWS Certified Solution Architect Associate Study Guide V1.0 Abdul Jaseem VP Release 30 Aug 2020
235 pages
AWS Certified Cloud Practitioner - Practice Paper 4: AWS Certified Cloud Practitioner, #4
From Everand
AWS Certified Cloud Practitioner - Practice Paper 4: AWS Certified Cloud Practitioner, #4
Tech Interviews
No ratings yet
AWS Solution Architect Certification Exam Practice Paper 2019
From Everand
AWS Solution Architect Certification Exam Practice Paper 2019
Tech Interviews
3.5/5 (3)
Amazon AWS Certified Solutions Architect Associate PDF
100% (2)
Amazon AWS Certified Solutions Architect Associate PDF
369 pages
AWS Course - All Slides
80% (10)
AWS Course - All Slides
879 pages
AWS Certified Solutions Architect Associate Exam Practice Questions
100% (1)
AWS Certified Solutions Architect Associate Exam Practice Questions
515 pages
AWS SysOp Associate Crash Course
100% (3)
AWS SysOp Associate Crash Course
326 pages
AWS Certified Solutions Architect - Associate Dumps Prepaway
86% (7)
AWS Certified Solutions Architect - Associate Dumps Prepaway
100 pages
Volvo - D5 Engine Training PDF
100% (4)
Volvo - D5 Engine Training PDF
62 pages
Datasheet Radar Level
No ratings yet
Datasheet Radar Level
98 pages
Working Model of Manual Hand Stacker (Forklift)
100% (2)
Working Model of Manual Hand Stacker (Forklift)
43 pages
AWS Certified Solutions Architect Professional Slides v2.0
100% (2)
AWS Certified Solutions Architect Professional Slides v2.0
724 pages
AWS Solutions Architect Certification Case Based Practice Questions Latest Edition 2023
From Everand
AWS Solutions Architect Certification Case Based Practice Questions Latest Edition 2023
Exam OG
No ratings yet
AWS Certified Cloud Practitioner - Practice Paper 3: AWS Certified Cloud Practitioner, #3
From Everand
AWS Certified Cloud Practitioner - Practice Paper 3: AWS Certified Cloud Practitioner, #3
Tech Interviews
5/5 (1)
AWS Certified Cloud Practitioner - Practice Paper 2: AWS Certified Cloud Practitioner, #2
From Everand
AWS Certified Cloud Practitioner - Practice Paper 2: AWS Certified Cloud Practitioner, #2
Tech Interviews
5/5 (2)
Microsoft AZURE® AZ-104 Administrator Practice Tests
From Everand
Microsoft AZURE® AZ-104 Administrator Practice Tests
iCertify Training
No ratings yet
第一部、Aws Saa c03 623题英文新
No ratings yet
第一部、Aws Saa c03 623题英文新
986 pages
Aws Solution Architect Preparation Guide
100% (3)
Aws Solution Architect Preparation Guide
201 pages
AWS Certified Solutions Architect Associate Dump Questions
100% (1)
AWS Certified Solutions Architect Associate Dump Questions
304 pages
Architecting On AWS 5.0 1
80% (5)
Architecting On AWS 5.0 1
780 pages
Dokumen - Pub Aws Aws Certified Cloud Practitioner 2020 CLF c01 390 Top Notch Questions The Latest CLF c01 Certification Blueprint 9798671358834
100% (2)
Dokumen - Pub Aws Aws Certified Cloud Practitioner 2020 CLF c01 390 Top Notch Questions The Latest CLF c01 Certification Blueprint 9798671358834
373 pages
2022 AWS Solutions Architect Associate Exam Prep Manuscript
100% (1)
2022 AWS Solutions Architect Associate Exam Prep Manuscript
326 pages
AWS Solution Architect
75% (4)
AWS Solution Architect
115 pages
Aws Premium Dumps
100% (2)
Aws Premium Dumps
245 pages
AWS Solution Architect Associate Practice 1 Converted The
No ratings yet
AWS Solution Architect Associate Practice 1 Converted The
171 pages
TEST3 - AWS Certified Solutions Architect Associate Practice Exams
No ratings yet
TEST3 - AWS Certified Solutions Architect Associate Practice Exams
124 pages
AWS Certified DevOps Engineer Professional... Tests 2021
100% (3)
AWS Certified DevOps Engineer Professional... Tests 2021
210 pages
Amazon: Questions & Answers
No ratings yet
Amazon: Questions & Answers
279 pages
AWS Solution Architect Associate - Update1
100% (1)
AWS Solution Architect Associate - Update1
133 pages
AWS-CLF-C02-V 13.5.24withans
100% (1)
AWS-CLF-C02-V 13.5.24withans
168 pages
AWS Latest Dumps
No ratings yet
AWS Latest Dumps
33 pages
Aws Dumps and Study Material
100% (1)
Aws Dumps and Study Material
518 pages
AWS Solution Architect Certification
67% (12)
AWS Solution Architect Certification
6 pages
AWS Certified Solutions Architect Associate SAA-C03 - Exam Changes (EN)
No ratings yet
AWS Certified Solutions Architect Associate SAA-C03 - Exam Changes (EN)
21 pages
Icertify Training - The Ultimate AWS® Certified Cloud Practitioner Training Manual - The Complete Guide To Get You AWS Cloud Practitioner Certified On Your First Attempt (2021)
100% (2)
Icertify Training - The Ultimate AWS® Certified Cloud Practitioner Training Manual - The Complete Guide To Get You AWS Cloud Practitioner Certified On Your First Attempt (2021)
703 pages
Aws Certified Solutions Architect Associate Training
50% (2)
Aws Certified Solutions Architect Associate Training
21 pages
A Dictionary of The Sacred Language of All Scriptures and Myths G. A. Gaskell PDF Download
100% (1)
A Dictionary of The Sacred Language of All Scriptures and Myths G. A. Gaskell PDF Download
59 pages
Cambridge IELTS 18 - Listening Test 3
No ratings yet
Cambridge IELTS 18 - Listening Test 3
7 pages
S-258 Test Report
No ratings yet
S-258 Test Report
1 page
ONTAP 9 16 1 Commands
No ratings yet
ONTAP 9 16 1 Commands
4,286 pages
Materi 4 - Analisis Big Data
No ratings yet
Materi 4 - Analisis Big Data
30 pages
Mobile Tv12
No ratings yet
Mobile Tv12
28 pages
NetWorker Software Distribution Functionality (NSRPUSH)
No ratings yet
NetWorker Software Distribution Functionality (NSRPUSH)
7 pages
Slab 2
No ratings yet
Slab 2
21 pages
Seerat Un Nabi S.A.W Aur Hamari Zindagi by Mufti Taqi Usmani
No ratings yet
Seerat Un Nabi S.A.W Aur Hamari Zindagi by Mufti Taqi Usmani
2 pages
Car Dashboard
No ratings yet
Car Dashboard
17 pages
10 Travelling Allowance Rules-Final PDF
No ratings yet
10 Travelling Allowance Rules-Final PDF
48 pages
Geothermal Powerplants g9
No ratings yet
Geothermal Powerplants g9
10 pages
Student Feedback Form
No ratings yet
Student Feedback Form
3 pages
Proline Promag 10D: Brief Operating Instructions
No ratings yet
Proline Promag 10D: Brief Operating Instructions
28 pages
Computer Science 2009 Solved For CBSE C++
89% (9)
Computer Science 2009 Solved For CBSE C++
23 pages
Palawan Electric Cooperative
No ratings yet
Palawan Electric Cooperative
4 pages
Page 0671
No ratings yet
Page 0671
1 page
Carl Linnaeus Taxonomy
No ratings yet
Carl Linnaeus Taxonomy
6 pages
Curriculum Night Handbook 23 - 24 Vos
No ratings yet
Curriculum Night Handbook 23 - 24 Vos
6 pages
2014 Mazda 3 Remote Start
No ratings yet
2014 Mazda 3 Remote Start
23 pages
Studyguideexam2 1
No ratings yet
Studyguideexam2 1
4 pages
03 20182017 Statistical Abstract
No ratings yet
03 20182017 Statistical Abstract
341 pages
Westward Basic
100% (2)
Westward Basic
357 pages
MLC Case Report Aman
No ratings yet
MLC Case Report Aman
4 pages
Kamala Devi Harris-Horoscope
No ratings yet
Kamala Devi Harris-Horoscope
47 pages
Bending Stress Analysis of Rear Axle of Maruti 800 Car IJERTV1IS6246 PDF
No ratings yet
Bending Stress Analysis of Rear Axle of Maruti 800 Car IJERTV1IS6246 PDF
4 pages
Unit 3 Speciality Products - 1
No ratings yet
Unit 3 Speciality Products - 1
12 pages