Distinguish yourself by becoming a certified AWS Cloud Practitioner. In the newly revised second edition of AWS Certified Cloud Practitioner Study Guide: Foundational (CLF-C02) Exam, a team of veteran IT professionals and educators delivers an up-to-date and easy-to-follow introduction to Amazon's industry-leading cloud technology and the introductory certification exam that demonstrates your understanding of it. Used by thousands of companies across the globe, Amazon Web Services (AWS) is an integral part of business IT operations at firms in virtually every industry and sector. In this book, you'll prepare to pass the recently updated AWS Certification Exam and prove your knowledge of critical AWS cloud technologies and capabilities. You'll find complete and thorough coverage of every topic included on the exam, from infrastructure to architecture and cybersecurity. You'll also discover comprehensive discussions of the AWS Cloud value proposition, as well as billing, account management, and pricing models.
After reading and completing the practice questions provided by this book, you'll be able to:
* Distinguish yourself as an AWS expert by obtaining a highly sought-after certification in a popular cloud platform
* Hone your skills and gain new insights on AWS Cloud you can use in your own profession, whether you work in a technical, managerial, sales, purchasing, or financial role
* Fully prepare for and succeed on the new exam using expert content based on real-world knowledge, key exam essentials, and chapter review questions
* Includes 1 year of access to the Sybex online interactive learning environment and test bank, including hundreds of practice questions, a key term glossary, and electronic flashcards, all supported by Wiley's support agents who are available 24x7 via email or live chat to assist with access and login questions
The AWS Certified Cloud Practitioner Study Guide is an essential resource for any IT professional who works directly with Amazon Web Services, as well as students in IT fields and non-technical professionals who work with and alongside technical experts.
Page count: 500
Year of publication: 2023
Cover
Table of Contents
AWS Certification Books from Sybex
Title Page
Copyright
Acknowledgments
About the Authors
Table of Exercises
Introduction
What Does This Book Cover?
Interactive Online Learning Environment and Test Bank
Exam Objectives
Objective Map
Assessment Test
Answers to Assessment Test
Chapter 1: The Cloud
What Is Cloud Computing?
Server Virtualization: The Basics
Cloud Platform Models
Scalability and Elasticity
Summary
Exam Essentials
Review Questions
Chapter 2: Understanding Your AWS Account
The Free Tier
Product Pricing
Service Limits
Billing and Cost Management
Summary
Exam Essentials
Review Questions
Chapter 3: Getting Support on AWS
Support Plans
Documentation and Online Help
Trusted Advisor
Summary
Exam Essentials
Review Questions
Chapter 4: Understanding the AWS Environment
AWS Global Infrastructure: AWS Regions
AWS Global Infrastructure: Availability Zones
AWS Global Infrastructure: Edge Locations
AWS Global Infrastructure: Extending the Cloud
The AWS Shared Responsibility Model
Summary
Exam Essentials
Review Questions
Chapter 5: Securing Your AWS Resources
AWS Identity and Access Management
Encryption
Regulatory Compliance (AWS Artifact)
Other AWS Security and Compliance Tools
Summary
Exam Essentials
Review Questions
Chapter 6: Working with Your AWS Resources
The AWS Management Console
The AWS Command-Line Interface
Software Development Kits
CloudWatch
CloudTrail
Cost Explorer
AWS Config
AWS Control Tower
AWS License Manager
Summary
Exam Essentials
Review Questions
Chapter 7: The Core Compute Services
Deploying Amazon Elastic Compute Cloud Servers
Simplified Deployments Through Managed Services
Deploying Container and Serverless Workloads
Summary
Exam Essentials
Review Questions
Chapter 8: The Core Storage Services
Simple Storage Service
S3 Glacier
AWS Storage Gateway
AWS Snow Family
Other Storage-Related Services
Summary
Exam Essentials
Review Questions
Chapter 9: The Core Database Services
Database Models
Amazon Relational Database Service
DynamoDB
Amazon Redshift
Analytics
Summary
Exam Essentials
Review Questions
Chapter 10: The Core Networking Services
Virtual Private Cloud
Route 53
CloudFront
Summary
Exam Essentials
Review Questions
Chapter 11: Automating Your AWS Workloads
Automation
CloudFormation
AWS Developer Tools
EC2 Auto Scaling
Configuration Management
Summary
Exam Essentials
Review Questions
Chapter 12: Common Use-Case Scenarios
The Well-Architected Framework
A Highly Available Web Application Using Auto Scaling and Elastic Load Balancing
Static Website Hosting Using S3
Machine Learning
Summary
Exam Essentials
Review Questions
Appendix A: Answers to Review Questions
Chapter 1: The Cloud
Chapter 2: Understanding Your AWS Account
Chapter 3: Getting Support on AWS
Chapter 4: Understanding the AWS Environment
Chapter 5: Securing Your AWS Resources
Chapter 6: Working with Your AWS Resources
Chapter 7: The Core Compute Services
Chapter 8: The Core Storage Services
Chapter 9: The Core Database Services
Chapter 10: The Core Networking Services
Chapter 11: Automating Your AWS Workloads
Chapter 12: Common Use-Case Scenarios
Appendix B: Additional Services
Activate for Startups
Amazon EventBridge
AppStream 2.0
Athena
AWS Amplify
AWS AppSync
AWS Batch
AWS CloudShell
AWS Device Farm
AWS Step Functions
Backup
Cognito
Connect
Database Migration Service
Elastic File System
Elastic MapReduce
Glue
Inspector
IoT Core
IoT Greengrass
IQ
Kinesis
Macie
Managed Services (AMS)
Neptune
Simple Queue Service
WorkDocs
WorkSpaces
X-Ray
Index
End User License Agreement
Chapter 3
TABLE 3.1 Monthly pricing for Amazon paid support plans (all prices in U.S. ...
TABLE 3.2 Some key benefits of the AWS support plans
TABLE 3.3 The five Trusted Advisor alert categories
Chapter 4
TABLE 4.1 The current list of AWS regions and their codes
TABLE 4.2 Available private IPv4 address ranges
Chapter 7
TABLE 7.1 EC2 instance type families (as of this writing)
Chapter 8
TABLE 8.1 S3 storage classes
TABLE 8.2 Comparison of Snowball and Snowball Edge
Chapter 9
TABLE 9.1 The Customers table
TABLE 9.2 A sample DynamoDB table
TABLE 9.3 Comparison of relational and nonrelational databases
Chapter 10
TABLE 10.1 Resource records for the benpiper.com domain
Chapter 1
FIGURE 1.1 VMs accessing storage and compute resources from their host serve...
FIGURE 1.2 The breakdown of responsibility across multiple infrastructure ty...
Chapter 2
FIGURE 2.1 The account drop-down menu that includes a link to your Billing D...
FIGURE 2.2 The Free Tier usage tracking table displaying an account's busies...
Chapter 3
FIGURE 3.1 The “healthy” icons indicating that these services are not config...
Chapter 4
FIGURE 4.1 The AWS Management Console feature indicating the region that's c...
FIGURE 4.2 A representation of AWS infrastructure divided among multiple reg...
FIGURE 4.3 A general comparison between local and managed deployments
FIGURE 4.4 A representation of the AWS Shared Responsibility Model
Chapter 5
FIGURE 5.1 The IAM Account Settings page where you can set an account-wide p...
Chapter 6
FIGURE 6.1 Logging in as a root user
FIGURE 6.2 Entering the account alias to log in as an IAM user
FIGURE 6.3 Logging in as an IAM user
FIGURE 6.4 Browsing available service consoles
FIGURE 6.5 Pinning a shortcut to the navigation bar
FIGURE 6.6 Selecting a region
FIGURE 6.7 Some global services don't require selecting a region.
FIGURE 6.8 The account name menu when you're logged in as an IAM user
FIGURE 6.9 The Resource Groups menu
FIGURE 6.10 Tag Editor query results
FIGURE 6.11 The AWS Console Mobile Application dashboard
FIGURE 6.12 Viewing a CloudWatch alarm from the AWS Console Mobile Applicati...
FIGURE 6.13 Viewing an EC2 instance from the AWS Console Mobile Application...
FIGURE 6.14 Adding an identity to the AWS Console Mobile Application
FIGURE 6.15 S3 bucket policy configuration, as shown in the AWS Console Mobi...
FIGURE 6.16 Using CloudWatch to graph the CPU Utilization metric for an EC2 ...
FIGURE 6.17 A CloudWatch dashboard
FIGURE 6.18 Cost and usage report showing monthly costs
FIGURE 6.19 Cost and usage report showing monthly costs grouped by service
FIGURE 6.20 RI Utilization report
FIGURE 6.21 RI Coverage report
Chapter 7
FIGURE 7.1 A few EC2 AMI listings displaying features and options
Chapter 10
FIGURE 10.1 A VPC with two subnets in different availability zones
Chapter 12
FIGURE 12.1 A highly available web application using Auto Scaling and elasti...
FIGURE 12.2 Modifying the default security group
FIGURE 12.3 Application load balancer basic configuration
FIGURE 12.4 Application load balancer availability zones configuration
FIGURE 12.5 Application load balancer details
FIGURE 12.6 Auto Scaling group basic configuration
FIGURE 12.7 The Apache Linux AMI test page
AWS Certified SysOps Administrator Study Guide: Associate (SOA-C01) Exam, 2nd Edition — ISBN 978-1-119-56155-2, February 2020
Edition with accompanying online labs — ISBN 978-1-119-75669-9, July 2020
AWS Certified SysOps Administrator Practice Tests: Associate (SOA-C01) Exam — ISBN 978-1-119-62272-7, May 2020
SOA-C01 Study Guide and Practice Tests also available as a set — ISBN 978-1-119-66410-9, June 2020
AWS Certified Solutions Architect Study Guide with 900 Practice Test Questions: Associate (SAA-C03) Exam, 4th Edition — ISBN 978-1-119-98262-3, October 2022
Edition with accompanying online labs — ISBN 978-1-394-18557-3, December 2022
AWS Certified Developer Official Study Guide: Associate (DVA-C01) Exam — ISBN 978-1-119-50819-9, August 2019
AWS Certified Cloud Practitioner Study Guide: Foundational (CLF-C02) Exam, Second Edition — ISBN 978-1-394-23563-6, December 2023
AWS Certified Advanced Networking Study Guide: Specialty (ANS-C01) Exam, 2nd Edition — ISBN 978-1-394-17185-9, December 2023
AWS Certified Data Analytics Study Guide: Specialty (DAS-C01) Exam — ISBN 978-1-119-64947-2, December 2020
Edition with accompanying online labs — ISBN 978-1-119-81945-5, April 2021
AWS Certified Security Study Guide: Specialty (SCS-C01) Exam — ISBN 978-1-119-65881-8, December 2020
AWS Certified Machine Learning Study Guide: Specialty (MLS-C01) Exam — ISBN 978-1-119-82100-7, November 2021
AWS Certified Database Study Guide: Specialty (DBS-C01) Exam — ISBN 978-1-119-77895-0, April 2023
Second Edition
Ben Piper
David Clinton
Copyright © 2024 by John Wiley & Sons. All rights reserved.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada and the United Kingdom.
ISBNs: 9781394235636 (paperback), 9781394235643 (ePub), 9781394235650 (ePDF)
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at www.wiley.com/go/permission.
Trademarks: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries and may not be used without written permission. AWS is a registered trademark of Amazon Technologies, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.
Limit of Liability/Disclaimer of Warranty: While the publisher and authors have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read.
For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our web site at www.wiley.com.
Library of Congress Control Number: 2023947983
Cover image: ©Jeremy Woodhouse/Getty Images, Inc.
Cover design: Wiley
We would like to thank the following people who helped us create this AWS® Certified Cloud Practitioner Study Guide: Foundational CLF-C02 Exam, Second Edition.
First, a special thanks to our friends at Wiley. Kenyon Brown, senior acquisitions editor, got the ball rolling on this project and put all the pieces together. Our project editor, Gus Miklos, kept us on track and moving in the right direction. Thanks to production specialist Magesh Elangovan and copyeditor Liz Welch. We're also very grateful to our sharp-eyed technical editor, John Mueller, and Ashirvad Moses—we may not know exactly what a “managing editor” is, but we do know that this one made a big difference.
Lastly—once again—the authors would like to thank each other!
David Clinton is a Linux server and cloud admin who has worked with IT infrastructure in both academic and enterprise environments. He has authored many technology books—including AWS Certified Solutions Architect Study Guide: Associate SAA-C03 Exam, Fourth Edition (Sybex, 2022)—and created 20 video courses teaching Amazon Web Services and Linux administration, server virtualization, and IT security for Pluralsight.
In a previous life, David spent 20 years as a high school teacher. He currently lives in Toronto, Canada, with his wife and family and can be reached through his website: https://bootstrap-it.com.
Ben Piper is a cloud and networking consultant who has authored multiple books including the AWS Certified Solutions Architect Study Guide: Associate SAA-C03 Exam, Fourth Edition (Sybex, 2022). He has created more than 20 training courses covering Amazon Web Services, Cisco routing and switching, Citrix, Puppet configuration management, and Windows Server Administration. You can contact Ben by visiting his website: https://benpiper.com.
Exercise 1.1 Create an AWS Account
Exercise 2.1 Calculate Monthly Costs for an EC2 Instance
Exercise 2.2 Build a Deployment Cost Estimate Using the AWS Pricing Calculator
Exercise 2.3 Create a Cost Budget to Track Spending
Exercise 3.1 Find Out How to Copy Files from One S3 Bucket to Another
Exercise 3.2 Confirm That Your Account Security Settings Are Compliant with Best Practices
Exercise 4.1 Select a Subnet and AZ for an EC2 Instance
Exercise 4.2 Take a Quick Look at the Way CloudFront Distributions Are Configured
Exercise 5.1 Create a Password Policy for Your IAM Users
Exercise 5.2 Create an IAM User and Assign Limited Permissions
Exercise 5.3 Assign Multiple Users to an IAM Group
Exercise 6.1 Install the AWS Command-Line Interface
Exercise 7.1 Select an EC2 AMI
Exercise 7.2 Launch an Apache Web Server on an EC2 Instance
Exercise 8.1 Create an S3 Bucket
Exercise 9.1 Create a DynamoDB Table
Exercise 11.1 Explore the CloudFormation Designer
Exercise 12.1 Create an Inbound Security Group Rule
Exercise 12.2 Create an Application Load Balancer
Exercise 12.3 Create a Launch Template
Exercise 12.4 Create an Auto Scaling Group
Exercise 12.5 Create a Static Website Hosted Using S3
Studying for any certification always involves deciding how much of your studying should be practical hands-on experience and how much should be simply memorizing facts and figures. Between the two of us, we've taken more than 20 different IT certification exams, so we know how important it is to use your study time wisely. We've designed this book to help you discover your strengths and weaknesses on the AWS platform so that you can focus your efforts properly. Whether you've been working with AWS for a long time or you're relatively new to it, we encourage you to carefully read this book from cover to cover.
Passing the AWS Certified Cloud Practitioner exam won't require you to know how to provision and launch complex, multitier cloud deployments. But you will need to be broadly familiar with the workings of a wide range of AWS services. Everything you'll have to know should be available in this book, but you may sometimes find yourself curious about finer details. Feel free to take advantage of Amazon's official documentation, which is generally available in HTML, PDF, and Kindle formats.
Even though the AWS Certified Cloud Practitioner Study Guide: CLF-C02 Exam skews a bit more to the theoretical side than other AWS certifications, there's still a great deal of value in working through each chapter's hands-on exercises. The exercises here aren't meant to turn you into a solutions architect who knows how things work but to help you understand why they're so important.
Bear in mind that some of the exercises and figures rely on the AWS Management Console, which is in constant flux. As such, screenshots and step-by-step details of exercises may change. If what you see in the Management Console doesn't match the way it's described in this book, use it as an opportunity to dig into the AWS online documentation or experiment on your own.
Each chapter includes review questions to thoroughly test your understanding of the services you've seen. We've designed the questions to help you realistically gauge your understanding and readiness for the exam. Although the difficulty level will vary between questions, you can be sure there's no “fluff.” Once you complete a chapter's review questions, refer to Appendix A for the correct answers and detailed explanations.
The book also comes with a self-assessment exam at the beginning with 25 questions, two practice exams with a total of 100 questions, and flashcards to help you learn and retain key facts needed to prepare for the exam.
Changes to AWS services happen frequently, so you can expect that some information in this book might fall behind over time. To help you keep up, we've created a place where we'll announce relevant updates and where you can also let us know of issues you encounter. Check in regularly to this resource at https://awsccp.github.io.
This book covers topics you need to know to prepare for the Amazon Web Services (AWS) Certified Cloud Practitioner exam:
Chapter 1: The Cloud
This chapter describes the core features of a cloud environment that distinguish it from traditional data center operations. It discusses how cloud platforms provide greater availability, scalability, and elasticity and what role technologies such as virtualization and automated, metered billing play.
Chapter 2: Understanding Your AWS Account
In this chapter, you'll learn about AWS billing structures, planning and monitoring your deployment costs, and how you can use the Free Tier for a full year to try nearly any AWS service in real-world operations for little or no cost.
Chapter 3: Getting Support on AWS
This chapter is focused on where to find support with a problem that needs solving or when you're trying to choose between complex options. You'll learn about what's available under the free Basic Support plan as opposed to the Developer, Business, and Enterprise levels.
Chapter 4: Understanding the AWS Environment
In this chapter, we discuss how to enhance security and availability, and how Amazon organizes its resources in geographic regions and availability zones. You'll also learn about Amazon's global network of edge locations built to provide superior network performance for your applications.
Chapter 5: Securing Your AWS Resources
The focus of this chapter is security. You'll learn how you control access to your AWS-based resources through identities, authentication, and roles. You'll also learn about data encryption and how AWS can simplify your regulatory compliance.
Chapter 6: Working with Your AWS Resources
How will your team access AWS resources so they can effectively manage them? This chapter will introduce you to the AWS Management Console, the AWS Command-Line Interface, software development kits, and various infrastructure monitoring tools.
Chapter 7: The Core Compute Services
Providing an alternative to traditional physical compute services is a cornerstone of cloud computing. This chapter discusses Amazon's Elastic Compute Cloud (EC2), Lightsail, and Elastic Beanstalk services. We also take a quick look at various serverless workload models.
Chapter 8: The Core Storage Services
This chapter explores Amazon's object storage services including Simple Storage Service (S3) and Glacier for inexpensive and highly accessible storage, and Storage Gateway and Snowball for integration with your local resources.
Chapter 9: The Core Database Services
Here you will learn about how data is managed at scale on AWS, exploring the SQL-compatible Relational Database Service (RDS), the NoSQL DynamoDB platform, and Redshift for data warehousing.
Chapter 10: The Core Networking Services
AWS lets you control network access to your resources through virtual private clouds (VPCs), virtual private networks (VPNs), DNS routing through the Route 53 service, and network caching via CloudFront. This chapter focuses on all of them.
Chapter 11: Automating Your AWS Workloads
This chapter covers the AWS services designed to permit automated deployments and close DevOps integration connecting your development processes with your Amazon-based application environments.
Chapter 12: Common Use-Case Scenarios
This chapter illustrates some real-world, cloud-optimized deployment architectures to give you an idea of the kinds of application environments you can build on AWS.
Appendix A: Answers to Review Questions
This appendix provides the answers and brief explanations for the questions at the end of each chapter.
Appendix B: Additional Services
To make sure you're at least familiar with the full scope of AWS infrastructure, this appendix provides brief introductions to many of the services not mentioned directly in the chapters of this book.
The authors have worked hard to create some really great tools to help you with your certification process. The interactive online learning environment that accompanies this AWS Certified Cloud Practitioner Study Guide includes a test bank with study tools to help you prepare for the certification exam—and increase your chances of passing it the first time! The test bank includes the following:
Sample Tests
All the questions in this book are included online, including the assessment test at the end of this introduction and the review questions printed after each chapter. In addition, there are two practice exams with 50 questions each. Use these questions to assess how you're likely to perform on the real exam. The online test bank runs on multiple devices.
Flashcards
The online test banks include 100 flashcards specifically written to hit you hard, so don't get discouraged if you don't ace your way through them at first. They're there to ensure that you're really ready for the exam. And no worries—armed with the review questions, practice exams, and flashcards, you'll be more than prepared when exam day comes. Questions are provided in digital flashcard format (a question followed by a single correct answer). You can use the flashcards to reinforce your learning and provide last-minute test prep before the exam.
We plan to update any errors or changes to the AWS platform that aren't currently reflected in these questions as we discover them here: https://awsccp.github.io.
Should you notice any problems before we do, please be in touch.
Glossary
A glossary of key terms from this book is available as a fully searchable PDF.
Go to www.wiley.com/go/sybextestprep to register and gain access to this interactive online learning environment and test bank with study tools.
Like all exams, the AWS Certified Cloud Practitioner exam certification from AWS is updated periodically and may eventually be retired or replaced. At some point after AWS is no longer offering this exam, the old editions of our books and online tools will be retired. If you have purchased this book after the exam was retired, or are attempting to register in the Sybex online learning environment after the exam was retired, please know that we make no guarantees that this exam’s online Sybex tools will be available once the exam is no longer available.
According to the AWS Certified Cloud Practitioner Exam Guide, the AWS Certified Cloud Practitioner (CLF-C02) examination is “intended for individuals who have the knowledge and skills necessary to effectively demonstrate an overall understanding of the AWS Cloud, independent of specific technical roles addressed by other AWS certifications” (for example, solution architects or SysOps administrators).
To be successful, you'll be expected to be able to describe the following:
The AWS Cloud and its basic global infrastructure
AWS Cloud architectural principles
The AWS Cloud value proposition
Key AWS services along with their common use cases (for example, highly available web applications or data analysis)
The basic security and compliance practices relating to the AWS platform and the shared security model
AWS billing, account management, and pricing models
Documentation and technical assistance resources
Basic characteristics for deploying and operating in the AWS Cloud
AWS recommends that “candidates have at least six months of experience with the AWS Cloud in any role, including technical, managerial, sales, purchasing, or financial.” They should also possess general knowledge of information technology and application servers and their uses in the AWS Cloud.
The exam covers four domains, with each domain broken down into objectives. The following table lists each domain and its weighting in the exam, along with the chapters in the book where that domain's objectives are covered.
Domain | Percentage of Exam | Chapters
Domain 1: Design Secure Architectures | 30.00% | 2, 3, 4, 6, 7, 12
1.1: Design secure access to AWS resources.
1.2: Design secure workloads and applications.
1.3: Determine appropriate data security controls.
Domain 2: Design Resilient Architecture | 26.00% | 2, 4, 5, 8, 9, 10, 11
2.1: Design scalable and loosely coupled architectures.
2.2: Design highly available and/or fault-tolerant architectures.
Domain 3: Design High-Performing Architectures | 24.00% | 2, 3, 4, 5, 8, 9, 11
3.1: Determine high-performing and/or scalable storage solutions.
3.2: Design high-performing and elastic compute solutions.
3.3: Determine high-performing database solutions.
3.4: Determine high-performing and/or scalable network
3.5: Determine high-performing data ingestion and transformation solutions.
Domain 4: Design Cost-Optimized Architectures | 20.00% | 2, 3, 4, 5, 8, 9, 13
4.1: Design cost-optimized storage solutions.
4.2: Design cost-optimized compute solutions.
4.3: Design cost-optimized database solutions.
4.4: Design cost-optimized network architectures.
If you believe you have found a mistake in this book, please bring it to our attention. At John Wiley & Sons, we understand how important it is to provide our customers with accurate content, but even with our best efforts an error may occur.
In order to submit your possible errata, please email it to our Customer Service Team at [email protected] with the subject line “Possible Book Errata Submission.”
1. Which of the following describes the cloud design principle of scalability?
A. The ability to automatically increase available compute resources to meet growing user demand
B. The ability to route incoming client requests between multiple application servers
C. The ability to segment physical resources into multiple virtual partitions
D. The ability to reduce production costs by spreading capital expenses across many accounts
2. Which of the following best describes the cloud service model known as infrastructure as a service (IaaS)?
A. End-user access to software applications delivered over the Internet
B. Access to a simplified interface through which customers can directly deploy their application code without having to worry about managing the underlying infrastructure
C. Customer rental of the use of measured units of a provider's physical compute, storage, and networking resources
D. Abstracted interfaces built to manage clusters of containerized workloads
3. How does AWS ensure that no single customer consumes an unsustainable proportion of available resources?
A. AWS allows customers to consume as much as they're willing to pay for, regardless of general availability.
B. AWS imposes default limits on the use of its service resources but allows customers to request higher limits.
C. AWS imposes hard default limits on the use of its service resources.
D. AWS imposes default limits on the use of its services by Basic account holders; Premium account holders face no limits.
4. The AWS Free Tier is designed to give new account holders the opportunity to get to know how their services work without necessarily costing any money. How does it work?
A. You get service credits that can be used to provision and launch a few typical workloads.
B. You get full free access to a few core AWS services for one month.
C. You get low-cost access to many core AWS services for three months.
D. You get free lightweight access to many core AWS services for a full 12 months.
5. AWS customers receive “production system down” support within one hour when they subscribe to which support plan(s)?
A. Enterprise.
B. Business and Enterprise.
C. Developer and Basic.
D. All plans get this level of support.
6. AWS customers get full access to the AWS Trusted Advisor best practice checks when they subscribe to which support plan(s)?
A. All plans get this level of support.
B. Basic and Business.
C. Business and Enterprise.
D. Developer, Business, and Enterprise.
7. The AWS Shared Responsibility Model illustrates how AWS itself (as opposed to its customers) is responsible for which aspects of the cloud environment?
A. The redundancy and integrity of customer-added data
B. The underlying integrity and security of AWS physical resources
C. Data and configurations added by customers
D. The operating systems run on EC2 instances
8. Which of these is a designation for one or more AWS data centers within a single geographic area?
A. Availability zone
B. Region
C. Network subnet
D. Geo-unit
9. How, using security best practices, should your organization's team members access your AWS account resources?
A. Only a single team member should be given any account access.
B. Through a jointly shared single account user who's been given full account-wide permissions.
C. Through the use of specially created users, groups, and roles, each given the fewest permissions necessary.
D. Ideally, resource access should occur only through the use of access keys.
10. Which of the following describes a methodology that protects your organization's data when it's on-site locally, in transit to AWS, and stored on AWS?
A. Client-side encryption
B. Server-side encryption
C. Cryptographic transformation
D. Encryption at rest
11. What authentication method will you use to access your AWS resources remotely through the AWS Command-Line Interface (CLI)?
A. Strong password
B. Multifactor authentication
C. SSH key pairs
D. Access keys
12. Which of these is the primary benefit from using resource tags with your AWS assets?
A. Tags enable the use of remote administration operations via the AWS CLI.
B. Tags make it easier to identify and administrate running resources in a busy AWS account.
C. Tags enhance data security throughout your account.
Some AWS services won't work without the use of resource tags.
What defines the base operating system and software stack that will be available for a new Elastic Compute Cloud (EC2) instance when it launches?
The Virtual Private Cloud (VPC) into which you choose to launch your instance.
The instance type you select.
The Amazon Machine Image (AMI) you select.
You don't need to define the base OS—you can install that once the instance launches.
Which of the following AWS compute services offers an administration experience that most closely resembles the way you would run physical servers in your own local data center?
Simple Storage Service (S3)
Elastic Container Service (ECS)
Elastic Compute Cloud (EC2)
Lambda
Which of the following AWS object storage services offers the lowest ongoing charges, but at the cost of some convenience?
S3 Glacier
Storage Gateway
Simple Storage Service (S3)
Elastic Block Store (EBS)
Which of the following AWS storage services can make the most practical sense for petabyte-sized archives that currently exist in your local data center?
Saving to a Glacier Vault
Saving to a Simple Storage Service (S3) bucket
Saving to an Elastic Block Store (EBS) volume
Saving to an AWS Snowball device
Which of the following will provide the most reliable and scalable relational database experience on AWS?
Relational Database Service (RDS)
Running a database on an EC2 instance
DynamoDB
Redshift
What's the best and simplest way to increase reliability of an RDS database instance?
Increase the available IOPS.
Choose the Aurora database engine when you configure your instance.
Enable Multi-AZ.
Duplicate the database in a second AWS region.
How does AWS describe an isolated networking environment into which you can launch compute resources while closely controlling network access?
Security group
Virtual private cloud (VPC)
Availability zone
Internet gateway
What service does AWS use to provide a content delivery network (CDN) for its customers?
VPC peering
Internet gateway
Route 53
CloudFront
What is Amazon's Git-compliant version control service for integrating your source code with AWS resources?
CodeCommit
CodeBuild
CodeDeploy
Cloud9
Which AWS service allows you to build a script-like template representing complex resource stacks that can be used to launch precisely defined environments involving the full range of AWS resources?
LightSail
EC2
CodeDeploy
CloudFormation
What is Amazon Athena?
A service that permits queries against data stored in Amazon S3
A service that permits processing and analyzing of real-time video and data streams
A NoSQL database engine
A Greece-based Amazon Direct Connect service partner
What is Amazon Kinesis?
A service that permits queries against data stored in Amazon S3
A service that permits processing and analyzing of real-time video and data streams
A no-SQL database engine
A Greece-based Amazon Direct Connect service partner
What is Amazon Cognito?
A service that can manage authentication and authorization for your public-facing applications
A service that automates the administration of authentication secrets used by your AWS resources
A service that permits processing and analyzing of real-time video and data streams
A relational database engine
1. A. A scalable deployment will automatically “scale up” its capacity to meet growing user demand without the need for manual interference. For more information, see Chapter 1.
2. C. IaaS is a model that gives customers access to virtualized units of a provider's physical resources. IaaS customers manage their infrastructure much the way they would local, physical servers. For more information, see Chapter 1.
3. B. AWS applies usage limits on most features of its services. However, in many cases, you can apply for a limit to be lifted. For more information, see Chapter 2.
4. D. The Free Tier offers you free lightweight access to many core AWS services for a full 12 months. For more information, see Chapter 2.
5. B. “Production system down” support within one hour is available only to subscribers to the Business or Enterprise support plans. For more information, see Chapter 3.
6. D. All support plans come with full access to Trusted Advisor except for the (free) Basic plan. For more information, see Chapter 3.
7. B. According to the Shared Responsibility Model, AWS is responsible for the underlying integrity and security of AWS physical resources, but not the integrity of the data and configurations added by customers. For more information, see Chapter 4.
8. A. An availability zone is one or more physical data centers located within a single AWS region. For more information, see Chapter 4.
9. C. Team members should each be given identities (as users, groups, and/or roles) configured with exactly the permissions necessary to do their jobs and no more. For more information, see Chapter 5.
10. A. End-to-end encryption that protects data at every step of its life cycle is called client-side encryption. For more information, see Chapter 5.
11. D. AWS CLI requests are authenticated through access keys. For more information, see Chapter 6.
12. B. Resource tags—especially when applied with consistent naming patterns—can make it easier to visualize and administrate resources on busy accounts. For more information, see Chapter 6.
13. C. The AMI you select while configuring your new instance defines the base OS. For more information, see Chapter 7.
14. C. You can administer EC2 instances using techniques that are similar to the way you'd work with physical servers. For more information, see Chapter 7.
15. A. Amazon Glacier can reliably store large amounts of data for a very low price but requires CLI or SDK administration access, and retrieving your data can take hours. For more information, see Chapter 8.
16. D. You can transfer large data stores to the AWS cloud (to S3 buckets) by having Amazon send you a Snowball device to which you copy your data and which you then ship back to Amazon. For more information, see Chapter 8.
17. A. RDS offers a managed and highly scalable database environment for most popular relational database engines (including MySQL, MariaDB, and Oracle). For more information, see Chapter 9.
18. C. Multi-AZ will automatically replicate your database in a second availability zone for greater reliability. It will, of course, also double your costs. For more information, see Chapter 9.
19. B. A VPC is an isolated networking environment into which you can launch compute resources while closely controlling network access. For more information, see Chapter 10.
20. D. CloudFront is a content delivery network (CDN) that distributes content through its global network of edge locations. For more information, see Chapter 10.
21. A. CodeCommit is a Git-compliant version control service for integrating your source code with AWS resources. For more information, see Chapter 11.
22. D. CloudFormation templates can represent complex resource stacks that can be used to launch precisely defined environments involving the full range of AWS resources. For more information, see Chapter 11.
23. A. Amazon Athena is a managed service that permits queries against S3-stored data. For more information, see Chapter 13.
24. B. Amazon Kinesis allows processing and analyzing of real-time video and data streams. For more information, see Chapter 13.
25. A. Amazon Cognito can manage authentication and authorization for your public-facing applications. For more information, see Chapter 13.
THE AWS CERTIFIED CLOUD PRACTITIONER EXAM OBJECTIVES COVERED IN THIS CHAPTER MAY INCLUDE, BUT ARE NOT LIMITED TO, THE FOLLOWING:
Domain 1: Cloud Concepts
1.1: Define the benefits of the AWS Cloud
1.2: Identify design principles of the AWS Cloud
1.3: Understand the benefits of and strategies for migration to the AWS Cloud
If you want to make smart choices about how your organization is going to use the Amazon Web Services (AWS) cloud platform, you first need to properly understand it. To get there, you must figure out just what the cloud is, what technologies it's built on, what kinds of cost savings and operational advantages it can bring you, and how cloud-based applications work differently than their traditional cousins.
This chapter will introduce you to the basics. The rest of the book will fully flesh out the details.
Using a public cloud is about using other people's servers to run your digital workloads.
In a sense, there's no significant difference between running a software application on servers hosted in your own office versus locating it within Amazon's infrastructure. In both cases, you need to make sure you've got sufficient compute, memory, network, and storage resources. In both cases, fast deployments and avoiding overprovisioning are key goals.
But particularly when it comes to the largest cloud providers, there are important differences. You see, the sheer size of a platform like AWS (and right now there's no platform on Earth that's bigger) means it can offer you service, cost, and reliability performance that you could probably never hope to re-create on your own.
Let's see how some of this works.
There's an awful lot a successful company like AWS can get done with a few hundred thousand networked servers and hundreds of the best trained engineers in the business:
Design multiple layers of redundancy so that whenever one component fails, its workload is automatically and instantly moved to a healthy replacement. This is often known as “failover.”
Connect resources in geographically remote locations so that the failure of one complete region could trigger a predefined relocation of resources. This relocation can be supported by a similarly automated rerouting of network requests.
Provide customers with access to as much compute power as they could possibly need and deliver that power on-demand.
Because of the scale and efficiency of the platform, AWS can do all that at a price that's often far below what it would cost you to run comparable workloads locally.
IT security is a constantly moving target. As difficult as it's been to manage last year's threats, you know there's a whole new batch coming right behind them. As a business, you're already responsible for protecting the workstations and networking hardware running in your office along with securing your organization's data and code your developers put into your apps. The integrity of your underlying server infrastructure is just one more potential area of vulnerability for you to worry about.
No matter how good your IT security team is, they're probably not better informed, equipped, and trained than their counterparts at a major cloud provider. Because AWS is so good at what it does—and because it takes responsibility for the security of its platform's underlying networking and compute infrastructure—this is one area where outsourcing will usually make sense.
This won't relieve you of all worries. As you'll see in Chapter 4, “Understanding the AWS Environment,” the terms of the AWS Shared Responsibility Model mean that, in many cases, the security and integrity of the resources you run on the cloud are still your problem. But the cloud itself is managed by AWS.
One of the defining characteristics of any public cloud computing platform is the way it automatically allocates resources to meet client requests. Practically, this means that you can, for instance, log in to the AWS browser console and define and launch a virtual server (called an instance in the AWS world), and moments later your new instance will be ready for you. There's no need to wait for manual intervention by AWS employees.
The flexibility of the self-serve system permits usage patterns that would have been impossible using traditional compute paradigms. Let's say you need to quickly test a possible application configuration you're working on. In the old days, even if the test lasted only an hour, you would still need to find free capacity on a physical server in the server room. Once the test ended, you'd still be paying the maintenance and ownership costs of that server capacity even if it was idle.
In the cloud, by contrast, you fire up an instance, run it for the length of time your test requires, and then shut it down. You'll be billed for only that testing time, which, in some cases, could cost you a fraction of a penny.
Since there's no human processing involved in cloud compute billing, it's as easy for a provider to charge a few pennies as it is thousands of dollars. This metered payment makes it possible to consider entirely new ways of testing and delivering your applications, and it often means your cost-cycle expenses will be considerably lower than they would be if you were using physical servers running on-premises.
Comparing the costs of cloud deployments against on-premises deployments requires that you fully account for both capital expenses (CapEx) and operating expenses (OpEx). On-premises infrastructure tends to be very CapEx-heavy since you need to purchase loads of expensive hardware up front. Cloud operations, on the other hand, involve virtually no CapEx costs at all. Instead, your costs are ongoing, consisting mostly of per-hour resource “rental” fees. You'll learn more about AWS billing in Chapter 2, “Understanding Your AWS Account.”
The secret sauce that lets cloud providers give their customers on-demand compute resources in such a wide range of configurations is virtualization. When you request a virtual machine (VM) with a particular processor speed, memory capacity, and storage size, AWS doesn't send some poor engineer running through the halls of its data center looking for an available machine with exactly that profile. Rather, as you can see illustrated in Figure 1.1, AWS carves the necessary resources from larger existing devices.
FIGURE 1.1 VMs accessing storage and compute resources from their host server
A 5 TB storage drive could, for instance, be divided into dozens of smaller virtual volumes, each associated with a different virtual server (or instance). And the resources of a single physical server could be invisibly shared between multiple instances. The operating systems installed on each of those instances could run, blissfully unaware that they're actually only masters over a small subset of a much larger server environment.
The virtualization model offers two compelling benefits:
Speed: Defining, purchasing, provisioning, testing, and launching a new physical server can take months. Even a simple reboot can keep you waiting for a couple of minutes. The time lag between requesting a new cloud-based VM and logging in and getting to work can be seconds, but never more than a few minutes. Restarting a VM can sometimes happen faster than you can type your login details.
Efficiency: It's rare to find a nonvirtualized physical server that utilizes anywhere near 100 percent of its capacity. More likely, either it will spend its time running mostly empty or it will be badly overused while you wait for more capacity to come online. Multiple virtual machines, on the other hand, can be tightly packed onto a physical server running a hypervisor (a common technology for hosting VMs). When space opens up on one server, you can quickly fill it with another virtual workload. When a server reaches capacity, overflow workloads can be moved to another machine. And the more workloads you're managing, the more flexible everything gets.
Amazon's formidable scale and logistical abilities mean that it's often able to leverage the benefits of virtualization to provide both superior performance and pricing.
Cloud services come in more than one flavor. Choosing the one that's right for your project will depend on your specific needs and how much fine control you'll need over the underlying gears and levers.
Infrastructure as a service (IaaS) products generally simulate the look and feel you'd get from managing physical resources. IaaS products give you direct access to a provider's compute, storage, and networking assets. Because it's you that's in there playing around at the hardware level, you—rather than the IaaS provider—are responsible for the consequences of any bad configurations. The trade-off is that you get to closely configure every layer of your operating stack.
You'll learn much more about these examples later in the book, but AWS IaaS products include Elastic Compute Cloud (EC2) for virtual machine instances, Elastic Block Store (EBS) for storage volumes, and Elastic Load Balancing.
Unlike IaaS, platform as a service (PaaS) products simplify the process of building an application by hiding the complexity of the infrastructure that runs it. You're given an interface through which you define the behavior and environment you want for your application. This will often include the code that will run your application.
AWS PaaS products include Elastic Beanstalk and Elastic Container Service (ECS).
Software as a service (SaaS) products offer services meant to be accessed by end users. An easily recognizable illustration is Google's Gmail service, which allows users to manage their email by logging in to a browser interface or through an email client (like Microsoft Outlook) that's running locally.
While some may disagree with the designation, AWS SaaS products arguably include Simple Email Service and Amazon WorkSpaces.
Figure 1.2 compares the scope of responsibility you have on IaaS, PaaS, and SaaS platforms with the way it works for on-premises deployments.
FIGURE 1.2 The breakdown of responsibility across multiple infrastructure types
Besides doing an excellent job emulating traditional server behavior, cloud providers can also enable entirely new ways to administer applications and data. Perhaps the most obvious example is serverless computing.
Now don't be fooled by the name. You can't run a compute function without a computer environment (a “server”) somewhere that will host it. What “serverless” does allow is for individual developers to run their code for seconds or minutes at a time on someone else's cloud servers.
The serverless model—as provided by services like AWS Lambda—makes it possible to design code that reacts to external events. When, for instance, a video file is uploaded to a repository (like an AWS S3 bucket or even an on-premises FTP site), it can trigger a Lambda function that will convert the file to a new video format. There's no need to maintain and pay for an actual instance running 24/7; you pay just for the moments your code is actually running. And there's no administration overhead to worry about.
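The upload-triggers-a-function flow described above, as an added Python example that is not from the book: it decodes an S3 "object created" notification and decides which uploads should be converted. The extension list, the `converted/` output prefix, the size cap, and the sample event are assumptions constructed for illustration.

```python
import posixpath
from urllib.parse import unquote_plus

# Hypothetical settings for this sketch (not from the book).
VIDEO_EXTENSIONS = {".mov", ".avi", ".mkv"}
TARGET_EXTENSION = ".mp4"
OUTPUT_PREFIX = "converted/"      # where converted files would be written
MAX_BYTES = 5 * 1024 ** 3         # refuse unexpectedly large uploads


def plan_conversions(event):
    """Return (jobs, skipped) for the S3 records carried in a Lambda event."""
    jobs, skipped = [], []
    for record in event.get("Records", []):
        is_upload = (record.get("eventSource") == "aws:s3"
                     and record.get("eventName", "").startswith("ObjectCreated:"))
        if not is_upload:
            skipped.append(("not-an-upload", None))
            continue
        bucket = record["s3"]["bucket"]["name"]
        obj = record["s3"]["object"]
        # S3 URL-encodes object keys in notifications ("+" stands for a space).
        key = unquote_plus(obj["key"])
        stem, ext = posixpath.splitext(key)
        if key.startswith(OUTPUT_PREFIX):
            # Output written back to the triggering bucket would otherwise
            # re-invoke the function in an endless (and billable) loop.
            skipped.append(("already-converted", key))
        elif ext.lower() not in VIDEO_EXTENSIONS:
            skipped.append(("unsupported-type", key))
        elif obj.get("size", 0) > MAX_BYTES:
            skipped.append(("too-large", key))
        else:
            jobs.append({"bucket": bucket, "source": key,
                         "target": OUTPUT_PREFIX + stem + TARGET_EXTENSION})
    return jobs, skipped


def lambda_handler(event, context):
    """Entry point Lambda calls with the event; context is unused here."""
    jobs, skipped = plan_conversions(event)
    # Each job would be handed to a transcoding step at this point.
    return {"converted": [job["target"] for job in jobs], "skipped": skipped}


def _record(event_name, key, size):
    """Build one constructed S3 notification record for the sample event."""
    return {"eventSource": "aws:s3", "eventName": event_name,
            "s3": {"bucket": {"name": "example-media-bucket"},
                   "object": {"key": key, "size": size}}}


# Constructed sample event, shaped like an S3 notification delivered to Lambda.
SAMPLE_EVENT = {"Records": [
    _record("ObjectCreated:Put", "uploads/holiday+clip.MOV", 1048576),
    _record("ObjectCreated:Put", "converted/uploads/old.mov", 2048),
    _record("ObjectCreated:Put", "uploads/notes.txt", 120),
    _record("ObjectRemoved:Delete", "uploads/gone.mov", 0),
]}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT, None))
```

The function runs only when an event arrives, which is what the pay-per-invocation model bills for; filtering out the function's own output prefix keeps that bill from growing through self-triggered invocations.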
The world's largest public cloud providers can accomplish a great deal by combining the wonders of server virtualization with the power that comes from owning vast data centers filled with racks upon racks of hardware resources. Elasticity and scalability are the two key principles through which a lot of this happens, and understanding exactly what they mean can help you optimize your design choices, so you'll get the most bang for your cloud buck.
Note that there are no precise and authoritative definitions for scalability and elasticity in the context of cloud computing—and any definitions you do see are bound to involve at least some overlap. Nevertheless, building some kind of picture in your mind of how these two principles work can be valuable.
A scalable service will automatically grow in capacity to seamlessly meet any changes in demand. A well-designed cloud-based operation will constantly monitor the health of its application stack and respond whenever preset performance metrics might soon go unmet. The response might include automatically launching new server instances to add extra compute power to your existing cluster. But it will probably also involve prepopulating those instances with the application data and configuration settings they'll need to actually serve your application to your clients.
A large cloud provider like AWS will, for all practical purposes, have endless available capacity, so the only practical limit to the maximum size of your application is your organization's budget (and default service limits imposed by AWS that you'll learn about in Chapter 2).
Just how big is AWS? Well, if it can handle the capacity stresses required to keep millions of Netflix customers happy—and if you've ever watched a movie on the AWS-hosted Netflix, then you know it can—then AWS will surely be able to keep up with whatever trouble your applications send its way.
You can stretch an elastic band far beyond its resting state. But part of what makes it truly elastic is the fact that, when you let go of it, it immediately returns to its original size. The reason the word elastic is used in the names of so many AWS services (Elastic Compute Cloud, Elastic Load Balancing, Elastic Beanstalk, and so on) is because those services are built to be easily and automatically resized.
Generally, you set the maximum and minimum performance levels you want for your application, and the AWS service(s) you're using will automatically add or remove resources to meet changing usage demands. By way of illustration, a scalable e-commerce website could be configured to function using just a single server during low-demand periods, but any number of additional servers could be automatically brought online as demand spikes. When demand drops back down, unused servers will be shut down automatically.
Assuming you don't already have one, now is the time to create your own AWS account. Working through the rest of this book will be pretty much impossible without an active account. You will have to provide a credit card, but you won't be charged anything unless you launch an actual resource. Work through Exercise 1.1 to make this happen.
Go to https://aws.amazon.com and click the Create An AWS Account button. If, instead, you see a Sign In button, you might have previously logged in to an existing account using this browser. If you'd still like to create a new account, click Sign In and then create a new, different account.
Enter the email address you want to associate with the account as the root user, a name for your AWS account, and a new AWS account name you'd like to use. Select Verify Email Address. You'll need to retrieve the verification code that AWS will send to your email account. You'll then need to create a (strong) password.
Select an account type (either Professional or Personal—the only difference is the Company Name field) and the other requested information. Then agree to the AWS terms and select Create Account And Continue.
Enter a payment method and, if the payment address is different from the address you used in the previous step, enter a new address and select Secure Submit.
On the Verify Your Identity page, enter the contact method AWS can use to send you a verification code. Enter the PIN that you'll receive and continue.
One last step: On the Support Plan page, select an AWS support plan. If you're not sure which plan you want, just go with the Basic plan for now. It's free, and you can always upgrade later. You'll learn more about AWS support in Chapter 3, “Getting Support on AWS.”
Once you're fully activated, you'll receive another email, this one confirming that your account is ready for you. The activation email should arrive quickly, but it can take up to 24 hours.
The size and quality of a major cloud provider like AWS means that its customers can often benefit from higher-quality security, availability, and reliability than they could provide locally.
While AWS customers are still responsible for the applications they run in the cloud, they don't need to worry about the underlying physical infrastructure that's managed by AWS.
Much of the attraction of cloud computing is the ability to pay for only the services you use, and only as you use them. This allows the provisioning of sophisticated applications with virtually no capital expenses (CapEx). You will, of course, need to assess and manage the operating expenses (OpEx).
Server virtualization makes it possible to more densely pack software operations on physical hardware, potentially driving down the costs and improving the time-to-deployment of compute workloads. An even more “virtualized” kind of virtualization is serverless computing, where customers are aware only of their code and the network events that trigger it.
Cloud-optimized workloads are designed to take advantage of the scalability and elasticity of cloud platforms.
Understand how a large and geographically dispersed infrastructure improves service quality.
The sheer scale and geographic redundancy of the physical compute and networking resources owned by AWS mean that the company is able to guarantee a level of reliability and availability that would be hard to reproduce in any other environment.
Understand how metered, pay-per-use pricing makes for flexible compute options.
Access to cloud infrastructure—sometimes for pennies per hour—makes it possible to experiment, sandbox, and regularly reassess and update application stacks.
Understand that cloud services come in a wide range of forms.
IaaS gives you near-full control over virtualized hardware resources, closely emulating the way you would administer actual physical servers. PaaS products abstract the underlying infrastructure, providing a simplified interface for you to add your application code. SaaS products provide services over a public network directly to end users.
Understand how serverless computing can be both cheap and efficient.
Serverless services like AWS Lambda allow you to access AWS compute power for up to 15 minutes for a single function. This lets you operate code in response to real-time event triggers.
Understand how scalability allows applications to grow to meet need.
A cloud-optimized application allows for automated provisioning of server instances that are designed from scratch to perform a needed compute function within an appropriate network environment.
Understand how elasticity matches compute power to both rising and falling demand.