考证：AWS CLF-C02

前言

一些我整理的资料:
官网: https://aws.amazon.com/certification/certified-cloud-practitioner/
参考笔记: https://cong-onion.cn/archives/acp-prepare-note
白皮书: https://d0.awsstatic.com/whitepapers/aws-overview.pdf
网课：https://www.udemy.com/course/aws-certified-cloud-practitioner-new/ (个人比较推荐，课比较新，Whizlabs 的课有些内容并不是基于新的 AWS)
网课: https://www.whizlabs.com/aws-certified-cloud-practitioner/ (不推荐)
题库: Whizlabs 购买的课有 4 套题 (Whizlabs 的题还行)
题库: https://www.udemy.com/course/practice-exams-aws-certified-cloud-practitioner/ (推荐)
题库: https://www.examtopics.com/exams/amazon/aws-certified-cloud-practitioner-clf-c02/view/ (这个是免费的)
准备时间: 1 月 1 号准备，1 月 8 号考过 (有一定 AWS 的基础)

知识点

重点: Pay-as-you-go，on-demand delivery

There are three fundamental drivers of cost with AWS: compute, storage, and outbound data transfer. In most cases, there is no charge for inbound data transfer or data transfer between other AWS services within the same region.

Types of Cloud Computing

重点: 3 types of cloud computing

IaaS: 比如 EC2
PaaS: 比如 Elastic Beanstalk
SaaS: 比如 Rekognition

Six Advantages of Cloud Computing

AWS Global Infrastructure

AWS Region

A region is a cluster of data centers
一个 Region 至少有三个 AZ

AWS Availability Zones

Each availiablity zone (AZ) is one or more discrete data centers in the same location
AZ 组合起来就是 Region
All traffic between Availability Zones (AZ) is encrypted

AWS Points of Presence (Edge Locations)

Content is delivered to end users with low latency

AWS Shared Responsibility Model

AWS 负责什么，Customer 负责什么
AWS is responsible for Security “of” the Cloud

1. Identity and Access Management

IAM Users & Group

Global service
Root account: don’t share with others
Root user access credentials are the email address and password used to create the AWS account
Users: people within organization
Groups: a group of people

IAM Permissions

least privilege principle

IAM Policies

Inline Policy 是 Attach 给个人的 Policy

IAM Password Policy & MFA

MFA 是 Root Account 的 Best Practice

AWS Access Keys & CLI & SDK

有 3 种方法 Access AWS: AWS Management Console，AWS CLI，AWS SDK

IAM Roles

Assign permissions to AWS services with IAM Roles

IAM Guildlines & Best Parctices

Shared Responsibility Model for IAM

Summary

2. Elastic Compute Cloud

AWS EC2

60 seconds - There is a one-minute minimum charge for Linux based EC2 instances
Convertible reserved instance (RI): Purchase convertible reserved instance (RI) if you need additional flexibility, such as the ability to use different instance families, operating systems, or tenancies over the reserved instance (RI) term.

User Data:

EC2 Instance 第一次跑的时候会 Run，用来做 Task (比如安装 Apache)

EC2 Instance Types

General Purpose: Balance between Compute，Memory，Networking
Compute Optimized: Great for compute-intensive tasks
Memory Optimized: Fast performance for workloads that process large data sets
Storage Optimized: Great for storage-intensive tasks

Security Groups

Security Group 就是 EC2 的防火墙
Security Group 可以 Attach 给多个 Instances

EC2 Instances Purchasing Options

On-Demand Instances: Pay for what you use
Reserved: 长期使用 (1-3 年)
Saving Plans: 有固定的 Billing，超过的进入 On-Demand
Spot Instances: 最便宜，但是可能 Lose Instance
Dedicated Hosts: 完全 Control 一个 Server
Capacity Reservations: 短期内保证有 Instance 可以使用，即使不使用

Shared Responsibility Model for EC2

Summary

3. EC2 Instance Storage

AWS EBS

Attach EBS to EC2 instance like a USB drive
EBS Volume tied to AZ
Persist data even after termination
Block-level storage
Charge for EBS Volumes: Provisioned IOPS，Volume type

EBS Snapshots (备份)

Make a backup (snapshot) of EBS volume
Recycle Bin 可以防止 Accidental Delete
Amazon Elastic Block Store (Amazon EBS) Snapshots are stored incrementally, which means you are billed only for the changed blocks stored

EC2 Instance Store

物理硬盘
Block-level storage
Fast I/O performance
Good for cache

Shared Responsibility Model for EC2 Storage

AWS EFS

可以 Mount 到多个 EC2 Instance
Provides a simple, scalable, fully managed elastic NFS file system for use with AWS Cloud services and on-premises resources.
EBS volume can be attached to a single instance in the same Availability Zone (AZ) whereas EFS file system can be mounted on instances across multiple Availability Zones (AZ)
EC2 instances can access files on an Amazon Elastic File System (Amazon EFS) file system across many Availability Zones (AZ), Regions and VPCs

EFS Infrequent Access (EFS-IA)

Storing files in an accessible location to satisfy audit requirements
You will pay a fee each time you read from or write data stored on the Amazon Elastic File System (Amazon EFS) - Infrequent Access storage class

AWS AMI

Amazon Machine Image
可以更好的 Configure 和 Launch EC2 Instance (比如不需要重装 Apache)
Region specific

EC2 Image Builder

Automatically build，test and distribute AMIs

AWS FSx

第三方文件管理系统
FSx for Windows
FSx for Lustre

Summary

4. ELB & ASG

Scalability & High Availability

Vertical Scale: increase the size of the instance
Horizontal Scale: increase the number of instances (elastic)
High Availability: running application in at least 2 AZ (disaster recovery)

AWS ELB

Spread load across multiple downstream instances

Application Load Balancer (HTTP/HTTPS)
Network Load Balancer (Allow TCP/UDP)
Gateway Load Balancer (Security)
Classic Load Balancer (retired in 2023)

AWS ASG

可以作为 Template 来生成 EC2 Instance (Launch Template)
可以和 ELB 一起用，来 Scale Up or Down 基于服务器压力
可以自动 Replace Unhealth Instance (Meet desired Instances)

Scaling Strategies

Manual Scaling
Dynamic Scaling
Predictive Scaling (Use ML)

Summary

5. Simple Storage Service

AWS S3

Buckets have a globally unique name
Buckets are defined at the region level
All Amazon S3 buckets have encryption configured by default, and objects are automatically encrypted by using server-side encryption with Amazon S3 managed keys (SSE-S3).
Amazon Simple Storage Service (Amazon S3) is a key value based object storage service
Amazon Simple Storage Service (Amazon S3) stores data in a flat non-hierarchical structure

Bucket Policies

User Access to S3: Use IAM permission
EC2 Instance Access: Use IAM Roles
Cross-Account Access: Use Bucket Policy

S3 Website (Static Website Hosting)

S3 Versioning

S3 Replication (CRR & SRR)

S3 Storage Classes

Standard
Infrequent Access (IA)
Glacier
Intelligent Tiering

S3 Encryption

Shared Responsibility Model for S3

AWS Snow Family

Snowcone，Snowball (TB & Petabyte-scale)，Snowmobile (Exabytes-scale)
Transfer data to AWS physically

Edge Computing

在任何地方处理数据

AWS OpsHub

Manage Snow Family Device

AWS Storage Gateway

处理 Hybrid Storage on Cloud
Automatically enabled data encryption

Summary

6. Database & Analytics

AWS RDS

负责 Relational Database
Amazon RDS RIs: Like Amazon EC2 RIs

AWS Aurora

AWS 开发的数据库

RDS Deployments Options

Read Replicas: Scale
Multi-AZ: Failover
Multi-Region: Disaster recovery
You can use both read replicas and multi-AZ deployment for disaster recovery

AWS Elastic Cache

In-memory database (类似 Redis)

AWS DynamoDB

NoSQL Database
DynamoDB Reserved Capacity
Support High Availability by default

DynamoDB Accelerator (DAX)

DynamoDB Global Tables

Low latency in multiple-regions

AWS Redshift

Analytics and data warehousing

Redshift Serverless

AWS EMR

Help creating Hadoop clusters (Big Data) to analyze vast amount of data

AWS Athena

Perform analytics against S3 objects

AWS QuickSight

生成 Visualization Dashboard (处理 BI)

AWS DocumentDB

For MongoDB，NoSQL

AWS Neptune

Graph database
NoSQL

AWS Timestream

Time series database

AWS QLDB

Immutable，for financial transcations

AWS Managed Blockchain

Decentralized

AWS Glue

AWS Glue is a fully managed extract, transform, and load (ETL) service that makes it easy for customers to prepare and load their data for analytics.

AWS DMS

Database Migration Service

Summary

7. Other Compute Services

AWS ECS

Launch Docker containers on AWS

AWS Fargate

Launch Docker containers on AWS (Serverless)

AWS ECR

Docker Registry on AWS

AWS Lambda

Could be Event-Driven
Could use EventBridge trigger Lambda every hour (CRON)
You pay for the compute time you consume for AWS Lambda
Serverless

AWS API Gateway

Expose Lambda as HTTP API

AWS Batch

A job with a start and an end

AWS Lightsail

For people with little cloud experience

Summary

8. Deployment & Manage Infrastructure

AWS CloudFormation

Infrastructure as code (不需要手动 Config EC2 之类的)
作为 Template 来生成各种 Services

AWS CDK

AWS Elastic Beanstalk

PaaS (只负责写 Application，其他都由 EB 来处理)
Free of cost

AWS CodeDeploy

Deploy application automatically

AWS CodeCommit

类似 Github

AWS CodeBuild

Automatically build and test

AWS CodePipeline

CICD
AWS CodePipeline uses Amazon CloudWatch Events to detect changes in CodeCommit repositories used as a source for a pipeline

AWS CodeArtifact

Manage packages (dependencies)

AWS CodeStar

Each AWS CodeStar project includes development tools, including AWS CodePipeline, AWS CodeCommit, AWS CodeBuild, and AWS CodeDeploy, that can be used on their own and with existing AWS applications
You can use AWS CodeStar and AWS Cloud9 to develop, build, and deploy a serverless web application

AWS Cloud9

Cloud IDE

AWS SSM

Manage a fleet of EC2 Instances

Summary

9. AWS Global Infrastructure

Why make a global application?

Decreased Latency
Disaster Recovery (DR)

Global Applications in AWS

AWS Route53

DNS (Domain Name System)

Routing Policies

Simple Routing Policy (No health check)
Weighted Routing Policy (Distribute traffic)
Latency Routing Policy (Minimize Latency)
Failover Routing Policy (Disaster recovery，active-passive)

AWS CloudFront

Global service
CDN
Cached in edged location
Integrated with WAF (Network Firewall) and Shield (DDoS)

AWS Global Accelerator

AWS Internal Network (No cache)
AWS Global Accelerator is a good fit for non-HTTP use cases
AWS Global Accelerator provides static IP addresses that act as a fixed entry point to your applications

AWS Outposts

Server Rack (物理层面)

AWS WaveLength

AWS Local Zones

AWS Local Zones allow you to use select AWS services, like compute and storage services, closer to more end-users, providing them very low latency access to the applications running locally.

Global Applications Architecture

Summary

10.Cloud Integration

SQS，SNS，Kinesis

AWS SQS

Decouple application
Message deleted after Customer read
Guarantee message will be processed
Queue Model

AWS Kinesis

Real-time big data streaming

AWS SNS

Send one message to many receivers
Pub/Sub Model

AWS MQ

管理第三方软件

Summary

11. Cloud Monitoring

AWS CloudWatch

Application performance
Resource utilization

CloudWatch Metric

Billing metric data is stored in the US East (N. Virginia) Region and represents worldwide charges.

CloudWatch Alarms

CloudWatch Logs

Use CloudWatch Logs for both the EC2 instance and the on-premises servers

AWS EventBridge

定制 Event 来触发某些功能 (Lambda，SNS)

AWS CloudTrail

Governance，compliance and audit for AWS account
AWS CloudTrail Insights helps AWS users identify and respond to unusual activity associated with write API calls by continuously analyzing CloudTrail management events.
By default, AWS CloudTrail logs all management events and does not include data events or Insights events.

AWS X-Ray

You can use AWS X-Ray to analyze and debug serverless and distributed applications such as those built using a microservices architecture.

AWS CodeGuru

ML for code review

AWS Health Dashboard

Summary

12. VPC & Networking

AWS VPC

IP Address in AWS

VPC & Subnets

VPC: Virtual Private Network
Subnets: Partition network inside VPC

Internet Gateway & NAT Gateways

IGW: Public
NAT: Private

Security Groups & Network Access Control List (NACL)

NACL: Firewall for Allow and Deny rules
Security Group: Firewall for Allow rules
A security group is stateful, that is, it automatically allows the return traffic
Security Group acts as a firewall at the instance level whereas Network Access Control List (Network ACL) acts as a firewall at the subnet level

VPC Flow Logs

Capture log information

VPC Peering

Connect two VPC

VPC Endpoints

Access services privately

AWS PrivateLink

第三方 VPC 连接到 AWS VPC

Site to Site VPN & Direct Connect

AWS Direct Connect is a cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS.
Components of AWS Site to Site VPN: Virtual private gateway (VGW)，Customer gateway
A customer gateway device is a physical or software appliance on your side of a Site-to-Site VPN connection. You or your network administrator must configure the device to work with the Site-to-Site VPN connection.

AWS ClientVPN

AWS Transit Gateway

AWS Transit Gateway connects Amazon Virtual Private Clouds (Amazon VPC) and on-premises networks through a central hub.

AWS VPN

AWS Virtual Private Network (VPN) solutions establish secure connections between on-premises networks, remote offices, client devices, and the AWS global network.

Summary

13. Security & Compliance

AWS WAF & Shield

AWS Shield

防止 DDoS 攻击
Shield Advance 用在 Route53 和 AWS Global Accelerator 上

AWS WAF

Define Web ACL (Access Control List)
Can be deployed on Amazon CloudFront, Application Load Balancer, Amazon API Gateway, AWS AppSync

AWS Network Firewall

AWS Firewall Manager

AWS KMS & CloudHSM

KMS: Manage Encryption keys

Use AWS managed master keys that are automatically created in your account for each service

CloudHSM: Encryption Hardware (物理层面)

AWS ACM

Manage certificates

AWS Secrets Manager

AWS Artifact

AWS GuardDuty

AWS Inspector

Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS.
Only for EC2, Container Image & Lambda

AWS Config

AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources.
Think resource-specific history, audit, and compliance; think Config.

AWS Macie

Find sensitive data

AWS Security Hub

AWS Detective

Analyze AWS CloudTrail logs, Amazon VPC Flow Logs, and Amazon GuardDuty findings

IAM Access Analyzer

Summary

14. Machine Learning

AWS Rekognition

Find text or image using ML
Regional in scope

AWS Transcribe

Convert speech to text

Amazon Elastic Transcoder

Amazon Elastic Transcoder lets you convert media files that you have stored in Amazon Simple Storage Service (Amazon S3) into media files in the formats required by consumer playback devices.

AWS Polly

Convert text to speech

AWS Translate

Translate language

AWS Lex & Connect

Lex: Conversational bots
Connect: Cloud contact center

AWS Comprehend

AWS SageMaker

Build ML

AWS Forecast

Forecast things using ML

AWS Kendra

Document search service

AWS Personalize

Personal Recommendation

AWS Textract

Extract text

Summary

15. Account Management，Billing & Support

AWS Organization

Manage multiple AWS accounts
Consolidated Billing

AWS Control Tower

Running on top of AWS Organization
AWS Control Tower is an AWS native service providing a pre-defined set of blueprints and guardrails to help customers implement a landing zone for new AWS accounts

AWS Service Catalog

Pricing Models in AWS

AWS Compute Optimizer

Reduce cost and improve performance

Cost Allocation Tags

For each resource, each tag key must be unique, and each tag key can have only one value
You must activate both AWS generated tags and user-defined tags separately before they can appear in Cost Explorer or on a cost allocation report

AWS Budgets

Create alarm when exceed budget
Budget Types: Cost budget，Usage budget，Reservation budget
AWS Budgets gives you the ability to set custom budgets that alert you when your costs or usage exceed (or are forecasted to exceed) your budgeted amount.

AWS Pricing Calculator

Cost and Usage Reports

AWS Cost & Usage Report (AWS CUR) contains the most comprehensive set of cost and usage data available.

Cost Explorer

AWS Cost Explorer has an easy-to-use interface that lets you visualize, understand, and manage your AWS costs and usage over time.
Can be used to forecast your AWS account usage and costs

AWS Trusted Advisor

AWS Trusted Advisor is an online tool that provides you real-time guidance to help you provision your resources following AWS best practices on cost optimization
Identify unattached or underutilized EBS volumes

AWS Service Quotas

Service Quotas enables you to view and manage your quotas for AWS services from a central location.

AWS Support Plans Pricing

Free，Developer，Business，Enterprise On-Ramp，Enterprise

Summary

16. Adavanced Identity

AWS STS

Security Token Service

AWS Cognito

处理用户登录 (Google，Facebook)

AWS IAM Identity Center

One login for multiple accounts

Summary

17. Other AWS Services

AWS WorkSpace

Global cloud-based products

AWS AppStream

Deliver application within web

AWS IoT

物联网

AWS AppSync

GraphQL

AWS Amplify

Deploy fullstack web or mobile app

AWS Application Composer

AWS Device Farm

Test web app in different devices

AWS Backup

Disaster Recovery Strategies

最便宜: Back and Restore

AWS DRS

AWS DataSync

Incremental

AWS Application Discovery Service

AWS Application Migration Service

AWS Migration Hub

AWS Migration Evaluator

AWS Migration Evaluator (Formerly TSO Logic) is a complimentary service to create data-driven business cases for AWS Cloud planning and migration.

AWS FIS

AWS Step Functions

Serverless

AWS Ground Station

Satellite

AWS Pinpoint

AWS Systems Manager

AWS Systems Manager allows you to centralize operational data from multiple AWS services and automate tasks across your AWS resources.
Get operational insights of its resources to quickly identify any issues that might impact applications using those resources

AWS Systems Manager Session Manager (SSM)

AWS SSM Session Manager is a fully-managed service that provides you with an interactive browser-based shell and CLI experience.
Runs on a fleet of Amazon EC2 instances

AWS SSO

AWS SSO is an AWS service that enables you to makes it easy to centrally manage access to multiple AWS accounts and business applications and provide users with single sign-on access to all their assigned accounts and applications from one place.

AWS Quick Starts references

Quick Starts are built by AWS solutions architects and partners to help you deploy popular technologies on AWS, based on AWS best practices for security and high availability.

APN Consulting Partner

APN Consulting Partners are professional services firms that help customers of all types and sizes design, architect, build, migrate, and manage their workloads and applications on AWS, accelerating their migration to AWS cloud.

Penetration Testing

AWS customers can carry out security assessments or penetration tests against their AWS infrastructure without prior approval for few common AWS services.

AWS Personal Health Dashboard

AWS Personal Health Dashboard provides alerts and remediation guidance when AWS is experiencing events that may impact you.

AWS Service Health Dashboard

AWS Service Health Dashboard publishes most up-to-the-minute information on the status and availability of all AWS services in tabular form for all Regions that AWS is present in.

AWS Marketplace

Sell Software as a Service (SaaS) solutions to AWS customers
AWS customer can buy software that has been bundled into customized AMIs by the AWS Marketplace sellers

AWS Service Catalog

AWS Service Catalog allows organizations to create and manage catalogs of IT services that are approved for use on AWS.

AWS Well-Architected Tool

The AWS Well-Architected Tool helps you review the state of your workloads and compares them to the latest AWS architectural best practices.

AWS Resource Groups

You can use AWS Resource Groups to organize your AWS resources. Resource groups make it easier to manage and automate tasks on large numbers of resources at a time.

AWS Cloud Foundations

Cloud Foundations provides a guided path to help customers deploy, configure, and secure their new workloads while ensuring they are ready for on-going operations in the cloud.

Credentials Report

You can generate and download a credentials report that lists all users in your account and the status of their various credentials, including passwords, access keys, and MFA devices.

CloudEndure Disaster Recovery

CloudEndure Disaster Recovery enables you to use AWS Cloud as a disaster recovery Region for an on-premises workload and its environment.