Posts

Docker Introduction (Before ECS) What is Docker? Docker = software development platform to deploy applications. Traditional way: install apps directly on Linux → works but not portable. Docker way: package app into containers. Docker Containers Run the same way everywhere (no compatibility issues). Works with any programming language, OS, technology. Easier to maintain, deploy, and scale. Scaling containers = seconds. Powerful and widely used for modern app deployment. ...

Deployments & Managing Infrastructure at Scale CloudFormation Overview What it is: AWS service for Infrastructure as Code (IaC). Declarative way of describing AWS resources (you state what you want, not how to create it). Supports almost all AWS resources. Example use case: Define: Security Group, 2 EC2 instances using that SG, an S3 bucket, a Load Balancer. CloudFormation will automatically create all resources in the correct order with the exact configuration. Benefits of CloudFormation Infrastructure as Code No manual creation of resources. Changes reviewed via code review (improves control and governance). Cost Advantages Resources in a stack are automatically tagged for easier cost tracking. Can estimate costs before deployment. Enables cost-saving automation, e.g., delete stacks at 5 PM, recreate at 8 AM. Productivity Easily destroy and recreate infrastructure. Generates diagrams of resources and their relationships. Declarative programming: CloudFormation figures out dependencies (e.g., DynamoDB before EC2). Reusability Use existing templates from AWS docs or community. Almost everything in AWS is supported. If not, use Custom Resources. Visualization Infrastructure Composer can visualize stacks. Example: WordPress stack diagram shows ALB Listener, DB, Security Groups, Launch Config, etc. Helps understand relations between components. ...

AWS Global Infrastructure Why Build a Global Application? Reduced Latency Latency = Time for a network packet to reach a server. Deploying in multiple AWS Regions or Edge Locations reduces lag by placing servers closer to users. Example: Users in India get faster response if an Asia region hosts the app instead of only US. Disaster Recovery (DR) Do not rely on a single Region. In case of disasters (earthquake, storm, power failure, politics), failover to another Region ensures high availability. Security & Attack Resistance ...

AWS Cloud Integrations Purpose of Cloud Integration Multiple applications often need to communicate with each other. AWS provides different integration patterns to enable communication between distributed systems. Communication Patterns A. Synchronous Communication Definition: Applications directly communicate in real-time. Example: A Buying Service directly calls a Shipping Service to start shipment after a purchase. Characteristics: Real-time and direct connection. Immediate response required. If one service is down or overloaded, the other is affected. Disadvantages: Not resilient to failures or traffic spikes. Services are tightly coupled. B. Asynchronous (Event-Based) Communication Definition: Applications communicate indirectly through an intermediate system (like a queue). Example: The Buying Service places an order message in a queue, and the Shipping Service processes it later. Characteristics: Services are decoupled (operate independently). Enables scalability and fault tolerance. Allows buffering during high traffic (prevents overload). ...

Cloud Monitoring Cloud Monitoring helps understand and visualize the performance and health of AWS resources. The main AWS service for monitoring is Amazon CloudWatch. CloudWatch Metrics Definition Metrics: Variables that represent the performance of AWS resources over time. Examples: CPUUtilization (for EC2) NetworkIn and NetworkOut Billing (total AWS spending) Key Points Metrics are timestamped data points collected periodically. You can visualize metrics in CloudWatch Dashboards. Billing Metric: Available only in us-east-1 region. Represents total AWS spending for the entire account. Resets monthly. Common Metrics by Service Service Common Metrics Notes EC2 CPUUtilization, StatusCheck, NetworkIn/Out RAM metrics are not available EBS DiskReadOps, DiskWriteOps Measures disk I/O S3 BucketSizeBytes, NumberOfObjects, AllRequests Tracks storage and request activity Billing EstimatedCharges Account-wide billing data (us-east-1) Service Limits API usage Helps monitor resource limits Custom Metrics User-defined Push your own metrics if needed Metric Frequency Standard Monitoring: every 5 minutes (default, free). Detailed Monitoring: every 1 minute (paid). CloudWatch Alarms Alarms trigger actions based on metric thresholds. Example: When CPU utilization > 90%, send an alert. Alarm Actions Auto Scaling Actions – increase/decrease EC2 instance count automatically. EC2 Actions – stop, terminate, reboot, or recover instances. SNS Notifications – send alerts via email, SMS, or other channels. Billing Alarms Set alarms on the Billing metric to get notified when estimated charges exceed a certain amount (e.g., $10 or $20). Alarm States State Meaning OK Metric within normal range INSUFFICIENT_DATA Not enough data points ALARM Threshold breached (bad condition) Evaluation Options You can configure: Statistic type (average, min, max, percentage) Evaluation period (e.g., 5 minutes, 1 hour) Summary CloudWatch Metrics track performance data. CloudWatch Alarms automate responses or notifications when thresholds are crossed. Billing Metrics and Alarms help control costs. Custom Metrics allow monitoring of user-defined data. Amazon CloudWatch Logs Purpose CloudWatch Logs is used to collect, monitor, store, and analyze log files from various AWS services and on-premises systems. Enables real-time monitoring and troubleshooting of applications and infrastructure. What Are Log Files? Logs are records of events and activities generated by applications or systems. Used for debugging, troubleshooting, and performance analysis. Example: logs that record user actions, errors, cleanup tasks, or background processes. Log Sources CloudWatch Logs can collect logs from: ...

VPC & Networking (Overview) What is a VPC? VPC (Virtual Private Cloud) is a private, isolated section of the AWS cloud where you can launch and manage your AWS resources (like EC2, RDS, etc.). It provides control over networking, including IP addressing, subnets, routing, and security. Think of it as your own virtual data center in AWS. Why VPC Matters VPC concepts are essential for networking-related AWS services. In-depth knowledge is required for advanced certifications such as: AWS Certified Solutions Architect – Associate AWS Certified SysOps Administrator – Associate For CCP, understanding high-level concepts and their purpose is sufficient. Key Components to Know (for CCP) Component Purpose / Function VPC The virtual private network environment in AWS. Subnets Divide a VPC into smaller networks; can be public (internet-accessible) or private. Internet Gateway (IGW) Allows communication between resources in a public subnet and the internet. NAT Gateway Enables outbound internet access for private subnets without exposing them publicly. Security Groups Act as stateful firewalls controlling inbound and outbound traffic at the instance level. Network ACLs (NACLs) Stateless firewalls controlling traffic at the subnet level. VPC Flow Logs Capture network traffic information for monitoring and troubleshooting. VPC Peering Connects two VPCs privately using AWS’s internal network. VPC Endpoints Enable private connectivity to AWS services (like S3, DynamoDB) without using the internet. Site-to-Site VPN Connects an on-premises network to a VPC over the internet securely. Direct Connect Establishes a dedicated physical connection between on-premises and AWS for low latency. Transit Gateway Central hub to connect multiple VPCs and on-premises networks efficiently. CCP Exam Relevance The VPC topic accounts for less than 1–2 questions on the exam. Focus on definitions, purposes, and relationships between components. Hands-on familiarity with the default VPC (created automatically by AWS) is helpful. Key Takeaways Understand what each component does and why it’s used. No need to configure or design a VPC for the CCP level. Exam tests conceptual clarity, not technical implementation. IP Addresses in AWS IPv4 Overview IPv4 (Internet Protocol version 4) provides around 4.3 billion unique addresses. Common format: 192.0.2.1 (four octets). Used for most existing networks and devices. Public IPv4 Public IPs are reachable over the internet. Assigned automatically when creating EC2 instances (if enabled). Behavior: Released when instance is stopped. A new public IP is assigned when instance is started again. Pricing: AWS charges $0.005/hour per public IPv4 address (including Elastic IPs). Free Tier: 750 hours of public IPv4 usage per month. Private IPv4 Used for internal communication within private networks (e.g., inside a VPC). Example range: 192.168.0.0/16. Not accessible from the internet. Remains the same for an EC2 instance’s entire lifetime, even after stop/start. Elastic IP (EIP) A static public IPv4 address that remains the same even if an instance is stopped and restarted. Useful for consistent IP mapping (e.g., DNS records). Charged if allocated but not associated with a running instance. IPv6 Overview IPv6 (Internet Protocol version 6) is the newer protocol with 3.4 × 10³⁸ addresses (virtually unlimited). Example format: 2600:1f18:abcd:1234::1. All IPv6 addresses are public (no private range). Free to use in AWS (no hourly charge). IPv4 vs IPv6 (Quick Comparison) Feature IPv4 IPv6 Address Space 4.3 billion 3.4 × 10³⁸ Format 4 decimal octets (e.g., 192.168.0.1) Hexadecimal blocks (e.g., 2600:1f18::1) Private Range Yes No Internet Reachability Optional Always Public AWS Cost $0.005/hour Free Example Usage Legacy systems, internal networking New apps, scalable internet exposure Exam Tip Know the difference between public, private, and elastic IPs. Remember: IPv6 = free + public-only + huge address space. For CCP, focus on behavior and cost, not configuration details. VPC (Virtual Private Cloud) Overview Definition VPC (Virtual Private Cloud) is a private, isolated network in AWS used to deploy cloud resources like EC2 instances, databases, etc. Each VPC is region-specific. If you use multiple AWS Regions, you have separate VPCs in each region. VPC Structure A VPC contains subnets, which are partitions of the VPC network. Each subnet is associated with one Availability Zone (AZ). CIDR Range (Classless Inter-Domain Routing) defines the IP address range of a VPC. Example: 10.0.0.0/16. ...

AWS Security & Compliance Shared Responsibility Model Definition: The framework that defines which security tasks are handled by AWS and which are managed by the customer. Key Idea: AWS is responsible for security of the cloud. Customer is responsible for security in the cloud. AWS Responsibility (Security of the Cloud) AWS manages and secures: Infrastructure: Hardware, software, networking, facilities. Managed Services: Full responsibility for services like S3, DynamoDB, RDS. Global Infrastructure: Regions, Availability Zones (AZs), and Edge Locations. Compute, Storage, Database, and Networking layers of their services. Service Software: Ensuring AWS services are updated, secure, and operational. Example: For RDS, AWS handles: ...

Machine Learning Overview Machine Learning (ML) is not deeply tested in the CCP exam. You only need to understand main AWS ML services and their high-level use cases. Amazon Rekognition Definition: A machine learning-based image and video analysis service that can automatically detect and recognize objects, people, text, scenes, and activities. Core Features / Capabilities: Object and Scene Detection: Identifies items in images or videos (e.g., person, dog, mountain bike). Facial Analysis: Detects faces and analyzes attributes like gender, age range, and emotion. Face Search and Verification: Compares faces for user verification or security applications. Celebrity Recognition: Identifies well-known people in images or videos. Text Detection: Extracts text from images (useful for reading signs, runner numbers, etc.). Content Moderation: Flags inappropriate or unsafe content. Pathing / Movement Tracking: Tracks object or person movements (e.g., in sports or surveillance). Use Cases: ...

Global Service used to manage multiple AWS accounts centrally. The main account is called the Master Account, and other linked accounts are Child Accounts. Key Benefits Consolidated Billing All accounts share a single payment method managed by the master account. You receive one combined bill for all linked accounts. Pricing Benefits Aggregated usage provides volume discounts for services like EC2 and S3 across all accounts. Reserved Instances (RIs) are shared among accounts for maximum savings. Automation API support to automate AWS account creation (useful for sandbox or departmental accounts). Service Control Policies (SCPs) Used to restrict account privileges. Common exam topic. Multi-Account Strategy Why Use Multiple Accounts Easier management and security isolation. Organize by: Department (Sales, Finance, HR) Environment (Dev, Test, Prod) Project (Project-1, Project-2, etc.) Regulatory requirements (compliance-based isolation) Benefits Separate service limits per account. Improved resource isolation (different VPCs per account). Dedicated logging accounts for central log management. Best Practices Apply tagging standards across accounts for billing. Enable CloudTrail and CloudWatch Logs in all accounts. Send logs to a central S3 or logging account for visibility and compliance. Organizational Units (OUs) Used to group related accounts within an organization. Structure Example: Root OU (contains Master Account) Dev OU, Prod OU, etc. Nested OUs possible (e.g., Prod → Finance OU, HR OU). Allows hierarchical policy management using SCPs. Service Control Policies (SCPs) Manage permissions centrally across accounts. Whitelist or blacklist IAM actions at OU or account level. Do not apply to the Master Account. Behavior Affect users and roles (including root users) within child accounts. Do not affect service-linked roles (used internally by AWS services). SCPs must have explicit “Allow” statements; otherwise, actions are denied by default. Use Cases Restrict access to specific AWS services (e.g., deny EMR in production). Enforce compliance (e.g., disable non-PCI-compliant services). Examples Blacklist example: 1 2 3 4 5 { "Effect": "Deny", "Action": "dynamodb:*", "Resource": "*" } Denies all DynamoDB actions. Whitelist example: 1 2 3 4 5 { "Effect": "Allow", "Action": ["ec2:*", "cloudwatch:*"], "Resource": "*" } Allows only EC2 and CloudWatch actions; all others denied. Key Exam Points AWS Organizations = Global Service for multi-account management. Master account pays bills via Consolidated Billing. Aggregated usage and shared RIs reduce costs. SCPs manage account-level permissions, not IAM roles directly. SCPs don’t apply to the master account or service-linked roles. Use CloudTrail and centralized logging for auditing all accounts. AWS Organizations – Consolidated Billing Purpose Consolidated Billing in AWS Organizations allows centralized payment management and shared cost benefits across multiple AWS accounts under one organization. ...

AWS STS (Security Token Service) Overview AWS STS is a core AWS service used to create temporary, limited-privilege credentials for accessing AWS resources. These credentials are short-term and consist of: Access Key ID Secret Access Key Session Token (time-limited) Purpose Provides temporary security credentials instead of long-term IAM user credentials. Commonly used when: Access must be limited in time or scope. Cross-account access is required. Federated users (from external identity systems) need AWS access. Applications or EC2 instances assume roles to access AWS services securely. How It Works A user or service assumes a role using an STS API call (for example, AssumeRole). STS returns temporary credentials (access key, secret key, session token). These credentials are used to access AWS resources as defined by the role’s permissions. Credentials expire automatically after a specified duration. Key Use Cases Identity Federation Users managed in an external system (e.g., corporate directory, SSO provider) can obtain STS tokens to access AWS resources. Allows integration with systems like Active Directory, Google Workspace, or SAML providers. Cross-Account Role Access Allows an IAM user in one AWS account to assume a role in another account. Facilitates secure sharing of resources between AWS accounts. EC2 Instance Roles EC2 instances can assume IAM roles automatically. AWS refreshes credentials in the background using STS to maintain temporary access tokens. ...