AWS AI Practitioner - Introduction to AWS & Cloud Computing | JavaInUse

Traditional IT - Overview

How Websites Work:

Every website interaction involves a client (your browser) sending a request across a network to a server, which processes it and returns a response. Both sides are identified by unique IP addresses -- think of them like postal addresses that ensure data reaches the right destination.

Request-Response Flow (ASCII Diagram):

+----------+    HTTP Request     +----------+
|  CLIENT  | ------------------> |  SERVER  |
| (Browser)|                     |(Web Host)|
|          | <------------------ |          |
+----------+   HTTP Response     +----------+
     |                                 |
     v                                 v
  IP: 192.168.1.1              IP: 54.239.28.85

What a Server Contains:

  • CPU - the processing brain; executes instructions and calculations
  • RAM - fast, volatile memory for active data; lost when power is off
  • Storage (HDD/SSD) - persistent, long-term data storage for files and databases
  • Networking components - NICs, routers, switches, DNS that handle data flow
  • Motherboard - the main circuit board connecting all components
  • Power Supply Unit (PSU) - provides electrical power to all components

Networking Fundamentals:

  • Network - interconnected devices that can communicate
  • Router - directs packets between different networks (like a post office sorting hub)
  • Switch - delivers packets to the correct device within the same local network
  • DNS - translates human-readable domain names (google.com) into IP addresses
  • Packet - small unit of data transmitted over a network
  • Firewall - security device that monitors and controls incoming/outgoing network traffic
  • Load Balancer - distributes incoming traffic across multiple servers

Network Topology (ASCII Diagram):

                    +-------------+
                    |   INTERNET  |
                    +------+------+
                           |
                    +------v------+
                    |   ROUTER    | <-- Connects different networks
                    +------+------+
                           |
                    +------v------+
                    |   SWITCH    | <-- Connects local devices
                    +------+------+
                           |
         +-----------------+-----------------+
         |                 |                 |
    +----v----+      +-----v-----+    +------v------+
    | Server 1|      |  Server 2 |    |   Server 3  |
    +---------+      +-----------+    +-------------+

The Problem with Traditional On-Premises IT:

Organizations historically bought and housed their own servers -- first at home or in a garage, then in dedicated data centers. This model creates significant operational burden:

  • High fixed costs: rent, electricity, cooling, hardware purchase
  • Slow provisioning: ordering and installing new servers takes weeks or months
  • Poor scalability: can't rapidly handle unexpected traffic spikes (Black Friday scenario)
  • Requires 24/7 in-house IT staff for monitoring and maintenance
  • Single point of failure: a fire, flood, or power outage can bring everything down
  • Stranded capacity: servers sit idle during low-traffic periods but must still be paid for
  • Hardware depreciation: equipment becomes obsolete and needs replacement every 3-5 years
  • Security burden: organization must handle all physical and cyber security themselves
  • Disaster recovery complexity: setting up a secondary data center is extremely expensive

Traditional IT vs Cloud (Cost Comparison):

Traditional On-Prem:                         Cloud:
+---------------------+        +---------------------+
| Buy Servers ($$$)   |        | No upfront cost     |
| Buy Networking      |        | Pay per hour/second |
| Rent Data Center    |        | Scale instantly     |
| Hire IT Staff 24/7  |   vs   | AWS manages hardware|
| Pay even when idle  |        | Pay only when used  |
| 3-5 year commitment |        | No commitment       |
+---------------------+        +---------------------+
     CAPEX Model                    OPEX Model

Why This Matters for the Exam:

Understanding traditional IT pain points helps you articulate WHY cloud computing is valuable -- a common exam question angle. AWS frequently tests on matching cloud benefits to specific traditional IT problems.

Key Terms

  • IP Address - A unique numerical label assigned to each device on a network, used to identify and locate it for communication. IPv4 uses 32-bit addresses (e.g., 192.168.1.1); IPv6 uses 128-bit addresses.
  • DNS (Domain Name System) - The internet's phonebook -- translates domain names like aws.amazon.com into IP addresses machines can route to.
  • Latency - The time delay between sending a request and receiving a response. Lower latency = faster response. Measured in milliseconds (ms).
  • On-Premises (On-Prem) - Infrastructure that a company owns, houses, and manages in its own physical location rather than using a cloud provider.
  • CAPEX (Capital Expenditure) - Upfront investment in physical assets like servers and data center equipment. High risk, slow to scale, and creates depreciation.
  • Throughput - The amount of data that can be transferred in a given time period. Usually measured in Mbps or Gbps. High throughput = more data transferred.
  • Bandwidth - The maximum rate of data transfer across a network path. Higher bandwidth capacity enables higher throughput.
  • Data Center - A physical facility housing computing equipment including servers, storage, and networking. Traditional IT requires companies to build or rent these.
  • Provisioning - The process of acquiring and setting up IT infrastructure. Traditional provisioning takes weeks; cloud provisioning takes minutes.

Exam Tips:
  • On-premises = YOU own the hardware and pay whether you use it or not.
  • Exam may ask you to identify which traditional IT pain point a cloud feature solves (e.g., elasticity solves capacity guessing).
  • Remember: Router = connects DIFFERENT networks. Switch = connects devices on the SAME network.
  • Traditional IT requires CAPEX (buy upfront); Cloud uses OPEX (pay as you go). Know this distinction cold.
  • Hardware refresh cycles (typically 3-5 years) are a hidden cost of on-premises that cloud eliminates.
  • The exam often presents scenarios where companies struggle with 'capacity planning' -- this is the problem cloud elasticity solves.
  • DNS is sometimes called the 'phonebook of the internet' -- expect questions testing this analogy.
  • Provisioning time: On-prem = weeks/months, Cloud = minutes/seconds. This 'speed and agility' benefit is frequently tested.

Practice Questions

Q1. A company is worried that a natural disaster could destroy their on-premises data center and halt business operations. Which cloud benefit directly addresses this concern?

  A. Pay-as-you-go pricing
  B. High availability and fault tolerance across multiple geographic locations
  C. Managed database services
  D. Serverless computing

Answer: B

Cloud providers distribute infrastructure across multiple Availability Zones and Regions, so a single disaster cannot take down the entire system -- unlike a single on-premises data center.

Q2. What is the primary role of a router in a network?

  A. Store data temporarily for fast retrieval
  B. Connect devices within the same local network
  C. Forward data packets between different networks
  D. Translate domain names into IP addresses

Answer: C

A router directs traffic between networks (e.g., your home network to the internet). A switch handles traffic within a local network. DNS handles name resolution.

Q3. A startup wants to launch a new application but cannot afford to purchase servers upfront. Which traditional IT limitation does this represent?

  A. Slow provisioning times
  B. High capital expenditure requirements
  C. Limited geographic reach
  D. Complex backup procedures

Answer: B

Traditional IT requires significant upfront capital expenditure (CAPEX) to purchase hardware. Cloud computing eliminates this barrier by converting costs to operational expenditure (OPEX) with no upfront investment.

Q4. An e-commerce company experiences 10x traffic during holiday sales but only 1x traffic during normal periods. Their on-premises servers are sized for peak load. What is the PRIMARY problem with this approach?

  A. The servers will crash during peak traffic
  B. They pay for unused capacity 90% of the time (stranded capacity)
  C. Holiday traffic cannot be predicted
  D. On-premises servers cannot handle 10x traffic

Answer: B

This describes 'stranded capacity' -- the company must purchase servers to handle peak load, but those servers sit idle during normal traffic periods. They still pay for rent, power, cooling, and maintenance even when servers are unused. Cloud elasticity solves this by scaling resources with demand.

Q5. Which component of a server is responsible for storing data persistently, even when the server is powered off?

  A. CPU
  B. RAM
  C. HDD/SSD Storage
  D. Network Interface Card

Answer: C

Storage devices (HDD/SSD) provide persistent, non-volatile storage that retains data even when power is off. RAM is volatile and loses data when powered off. CPU processes instructions but doesn't store data. NICs handle network communication.

What is Cloud Computing?

Definition:

Cloud computing is the on-demand provisioning of IT resources -- compute, storage, databases, networking, AI, and more -- over the internet, billed based on actual consumption rather than upfront ownership.

The Core Shift:

Instead of owning infrastructure, you rent capacity from a provider. You get what you need, when you need it, and stop paying the moment you stop using it.

Cloud Computing Visual Model:

    +-------------------------------------------------+
    |            THE CLOUD (Internet)                 |
    |  +---------+  +---------+  +---------+         |
    |  | Compute |  | Storage |  |Database |         |
    |  | (EC2)   |  |  (S3)   |  | (RDS)   |         |
    |  +---------+  +---------+  +---------+         |
    |  +---------+  +---------+  +---------+         |
    |  |  AI/ML  |  | Network |  |Analytics|         |
    |  |(Bedrock)|  |  (VPC)  |  |(Athena) |         |
    |  +---------+  +---------+  +---------+         |
    +---------------------+---------------------------+
                          | Internet
          +---------------+---------------+
          v               v               v
     +---------+     +---------+     +---------+
     | User 1  |     | User 2  |     | User 3  |
     | (Laptop)|     | (Phone) |     | (Server)|
     +---------+     +---------+     +---------+

    Access from ANYWHERE using standard internet protocols

5 Essential Characteristics (NIST Definition -- exam-relevant):

  • On-Demand Self-Service - spin up servers or storage in minutes through a console or API, no human from AWS required
  • Broad Network Access - accessible from anywhere via internet using standard tools (browser, CLI, mobile app)
  • Resource Pooling - AWS serves many customers from shared physical infrastructure using multi-tenancy; your data stays isolated and secure
  • Rapid Elasticity - scale up during Black Friday traffic surge, scale down at 2am when demand drops; pay only for what you use
  • Measured Service - like a utility bill; usage is tracked and you pay precisely for consumption

NIST Characteristics Visual:

+-----------------------------------------------------+
|          5 NIST CLOUD CHARACTERISTICS               |
+-----------------------------------------------------+
|  1. ON-DEMAND        | Self-service, instant access |
|     SELF-SERVICE     | No waiting, no tickets       |
+----------------------+------------------------------+
|  2. BROAD NETWORK    | Any device, anywhere         |
|     ACCESS           | Browser, CLI, mobile, SDK    |
+----------------------+------------------------------+
|  3. RESOURCE         | Multi-tenant, shared infra   |
|     POOLING          | Isolated & secure per user   |
+----------------------+------------------------------+
|  4. RAPID            | Auto-scale up and down       |
|     ELASTICITY       | Match resources to demand    |
+----------------------+------------------------------+
|  5. MEASURED         | Pay per use, like utilities  |
|     SERVICE          | Precise billing, no waste    |
+----------------------+------------------------------+

6 Advantages of Cloud Computing (Memorize These -- Exam Staple):

  • Trade CAPEX for OPEX - no upfront server purchases; pay operational expenses only when consuming resources
  • Benefit from Economies of Scale - AWS buys hardware at massive volume, passing savings to customers over time
  • Eliminate Capacity Guessing - auto-scaling matches resource allocation to real demand automatically
  • Increase Speed and Agility - new environments can be created in seconds vs. weeks with physical hardware
  • Stop Spending on Running Data Centers - let AWS handle facilities management so your team focuses on business value
  • Go Global in Minutes - deploy to any of AWS's global regions with a few clicks, reducing latency for international users

6 Advantages Memory Diagram:

+--------------------------------------------------------+
|        6 ADVANTAGES OF CLOUD COMPUTING                 |
+--------------------------------------------------------+
|                                                        |
|  1. CAPEX -> OPEX         | No upfront cost            |
|                           | Pay only for usage         |
|  2. ECONOMIES OF SCALE    | AWS bulk pricing = savings |
|                           | Lower cost per unit        |
|  3. NO CAPACITY GUESS     | Auto-scaling handles spikes|
|                           | Never over/under provision |
|  4. SPEED & AGILITY       | Deploy in minutes          |
|                           | Iterate quickly            |
|  5. NO DATA CENTERS       | Focus on business          |
|                           | AWS handles facilities     |
|  6. GO GLOBAL FAST        | Deploy worldwide instantly |
|                           | Reduce global latency      |
|                                                        |
+--------------------------------------------------------+

Cloud Pricing Philosophy:

  • You pay for what you consume, not what you reserve physically
  • This eliminates stranded capacity -- idle servers that still cost money in traditional IT
  • Enables small startups to access enterprise-grade infrastructure with zero upfront cost
  • Three primary pricing dimensions: Compute (time), Storage (capacity), Data Transfer (egress)
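As an added illustration of the stranded-capacity and rapid-elasticity points above (this code is not from the original page), the following Python model compares a peak-sized on-premises fleet with an elastic fleet over a constructed 10-day demand curve built on the page's 10x-spike scenario; the demand levels, per-server capacity and autoscaler policy are assumptions, not AWS figures.

```python
"""Fixed peak-sized capacity vs. elastic capacity over a demand curve.

Added example, not part of the original page. It models the page's
scenario of 10x holiday traffic against a 1x baseline: an on-premises
fleet is sized for the peak and paid for every hour, while an elastic
fleet follows demand and is billed per server-hour. All numbers below
(demand levels, per-server capacity, autoscaler policy) are constructed
for illustration, not AWS pricing or measured data.
"""
import math

REQUESTS_PER_SERVER = 500  # assumed sustainable load of one server (req/s)
TARGET_UTILISATION = 0.70  # assumed autoscaler headroom target


def build_demand(baseline: int, spike: int, spike_start: int,
                 spike_hours: int, total_hours: int) -> list[int]:
    """Hourly demand (req/s): flat baseline with one spike window."""
    profile = [baseline] * total_hours
    for hour in range(spike_start, spike_start + spike_hours):
        profile[hour] = spike
    return profile


# Constructed 10-day window: 1x baseline, one 24-hour 10x flash sale.
DEMAND = build_demand(baseline=1_000, spike=10_000,
                      spike_start=100, spike_hours=24, total_hours=240)


def servers_needed(rps: int) -> int:
    """Servers required to keep utilisation at or below the target."""
    return max(1, math.ceil(rps / (REQUESTS_PER_SERVER * TARGET_UTILISATION)))


def fixed_fleet_hours(demand: list[int]) -> int:
    """On-prem model: provision for the peak, pay for every hour."""
    return servers_needed(max(demand)) * len(demand)


def elastic_fleet_hours(demand: list[int], scale_in_delay: int = 2) -> int:
    """Elastic model: scale out as soon as demand exceeds capacity, scale in
    only after `scale_in_delay` consecutive hours of lower need (a simple,
    constructed policy that avoids flapping). Returns billed server-hours."""
    running = servers_needed(demand[0])
    hours_below = 0
    billed = 0
    for rps in demand:
        need = servers_needed(rps)
        if need > running:
            running = need            # scale out immediately
            hours_below = 0
        elif need < running:
            hours_below += 1
            if hours_below >= scale_in_delay:
                running = need        # scale in after sustained low demand
                hours_below = 0
        else:
            hours_below = 0
        billed += running
    return billed


def stranded_capacity(demand: list[int]) -> dict[str, float]:
    """Quantify the idle ('stranded') capacity of a peak-sized fixed fleet."""
    peak = servers_needed(max(demand))
    used = sum(servers_needed(rps) for rps in demand)
    fixed = fixed_fleet_hours(demand)
    idle_hours = sum(1 for rps in demand if servers_needed(rps) < peak)
    return {
        "peak_servers": peak,
        "fixed_server_hours": fixed,
        "idle_time_fraction": idle_hours / len(demand),   # hours not at peak
        "wasted_server_hour_fraction": 1 - used / fixed,  # paid but unused
    }


if __name__ == "__main__":
    summary = stranded_capacity(DEMAND)
    elastic = elastic_fleet_hours(DEMAND)
    print(f"peak-sized fleet: {summary['peak_servers']} servers, "
          f"{summary['fixed_server_hours']} server-hours")
    print(f"idle {summary['idle_time_fraction']:.0%} of the time; "
          f"{summary['wasted_server_hour_fraction']:.0%} of server-hours wasted")
    print(f"elastic fleet: {elastic} server-hours "
          f"({elastic / summary['fixed_server_hours']:.0%} of fixed)")
```

With these constructed inputs the fixed fleet sits below peak 90% of the time, matching the figure used in the practice question above, while the elastic fleet bills roughly a fifth of the server-hours.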

Cloud vs. Traditional IT -- The Key Differences:

+-------------------+--------------------+--------------------+
|   DIMENSION       |  TRADITIONAL IT    |   CLOUD COMPUTING  |
+-------------------+--------------------+--------------------+
| Cost Model        | CAPEX (Buy upfront)| OPEX (Pay per use) |
| Provisioning Time | Weeks to months    | Minutes to seconds |
| Scaling           | Manual, slow       | Automatic, instant |
| Maintenance       | You manage all     | AWS manages infra  |
| Global Reach      | Build data centers | Click to deploy    |
| Risk              | High (hardware)    | Low (shared infra) |
| Idle Cost         | Pay for idle       | No idle cost       |
+-------------------+--------------------+--------------------+

Key Terms

  • OPEX (Operational Expenditure) - Ongoing costs for running services, like a monthly cloud bill. Preferred over CAPEX because it's flexible and tied to usage.
  • Elasticity - The ability to automatically increase or decrease resource capacity in response to demand changes. Different from scalability -- elasticity is automatic and dynamic.
  • Scalability - The ability of a system to handle increased load. Can be vertical (bigger machine) or horizontal (more machines). Unlike elasticity, scaling may be manual.
  • Multi-Tenancy - Multiple customers sharing the same underlying physical infrastructure, with logical isolation ensuring security and privacy.
  • TCO (Total Cost of Ownership) - The full cost of owning and operating infrastructure over time. Cloud typically reduces TCO by eliminating hardware, maintenance, and staffing overhead.
  • Economies of Scale - As AWS serves more customers, its per-unit costs decrease, and it passes savings on as lower prices.
  • Vertical Scaling (Scale Up) - Adding more power (CPU, RAM) to an existing machine. Has physical limits and may require downtime.
  • Horizontal Scaling (Scale Out) - Adding more machines to distribute load. No theoretical limit and typically zero downtime. Cloud-native approach.
  • NIST - National Institute of Standards and Technology -- the US agency that published the official definition and 5 characteristics of cloud computing.
  • Pay-As-You-Go - Cloud pricing model where you pay only for resources consumed, similar to a utility bill. Core principle of cloud economics.

Exam Tips:
  • The 6 advantages of cloud are frequently tested -- know them cold, especially 'Trade CAPEX for OPEX' and 'Stop guessing capacity'.
  • Elasticity = automatically scaling WITH demand. Scalability = ABILITY to scale. Both are tested but mean slightly different things.
  • On-Demand Self-Service means YOU provision resources -- no AWS support ticket needed.
  • 'Go Global in Minutes' = deploy to multiple AWS Regions worldwide quickly for low-latency global reach.
  • If asked 'what allows a startup to compete with enterprises?' -- answer is usually 'economies of scale' or 'no upfront cost.'
  • Resource Pooling uses MULTI-TENANCY -- many customers share physical hardware but data is logically isolated.
  • Measured Service = usage tracking and billing. Cloud charges precisely for what you use, like an electricity meter.
  • Horizontal scaling (scale OUT) is the cloud-native approach. Vertical scaling (scale UP) has physical limits.

Practice Questions

Q1. Which cloud characteristic ensures that a retail company's website can handle a sudden 10x spike in traffic during a flash sale, and then automatically reduce capacity afterward?

  A. Broad Network Access
  B. Measured Service
  C. Rapid Elasticity
  D. Resource Pooling

Answer: C

Rapid Elasticity allows resources to scale out to handle the spike and scale back in automatically, so the company only pays for extra capacity while it's needed.

Q2. A startup wants to launch a global application without purchasing any physical servers. Which advantage of cloud computing makes this possible at minimal upfront cost?

  A. Economies of Scale
  B. Trade CAPEX for OPEX
  C. Stop spending on data centers
  D. Stop guessing capacity

Answer: B

Trading CAPEX for OPEX means the startup pays only for what they consume (OPEX) rather than buying servers upfront (CAPEX), removing the barrier of large initial investment.

Q3. Which of the following is NOT one of the 5 essential characteristics of cloud computing?

  A. On-Demand Self-Service
  B. Dedicated Hardware per Customer
  C. Measured Service
  D. Rapid Elasticity

Answer: B

Cloud computing uses shared, multi-tenant infrastructure -- not dedicated hardware per customer (unless you specifically use Dedicated Hosts, which is a premium option). The 5 NIST characteristics do not include dedicated hardware.

Q4. A company needs their application to be accessible from laptops, mobile devices, and IoT sensors across the world. Which NIST cloud characteristic enables this?

  A. On-Demand Self-Service
  B. Broad Network Access
  C. Resource Pooling
  D. Measured Service

Answer: B

Broad Network Access means cloud services are accessible over the network using standard protocols. Users can connect from any device (laptop, phone, tablet, IoT) from anywhere with internet access.

Q5. An organization's IT team currently spends 60% of their time managing data center facilities, including power, cooling, and physical security. Which cloud advantage addresses this?

  A. Trade CAPEX for OPEX
  B. Benefit from economies of scale
  C. Stop spending money running and maintaining data centers
  D. Increase speed and agility

Answer: C

'Stop spending money running and maintaining data centers' means AWS handles all facility management -- power, cooling, physical security, hardware maintenance -- so your IT team can focus on business-value activities instead.

Q6. What is the difference between elasticity and scalability in cloud computing?

  A. They are exactly the same concept
  B. Elasticity is automatic and dynamic; scalability is the ability to scale (may be manual)
  C. Scalability is automatic; elasticity is manual
  D. Elasticity refers to storage; scalability refers to compute

Answer: B

Scalability is the capability to handle increased load (can be achieved manually or automatically). Elasticity specifically refers to the automatic, dynamic scaling that responds to changing demand in real-time. Elasticity is a specific type of scalability that is automated.

The Different Types of Cloud Computing

Three Cloud Deployment Models:

1. Private Cloud

  • Infrastructure dedicated to a single organization, managed internally or by a third party
  • Greater control, customization, and security for sensitive regulated workloads
  • Higher cost than public cloud -- no sharing benefits
  • Use case: government agencies, financial institutions with strict compliance requirements
  • Example providers and platforms: Rackspace, VMware, OpenStack
  • Still uses cloud technologies (virtualization, self-service, elasticity) -- just not shared

2. Public Cloud

  • Infrastructure owned and operated by a cloud provider, shared across many customers
  • No capital investment required; fully managed hardware and facilities
  • Pay-as-you-go; access from anywhere
  • Major providers: AWS, Microsoft Azure, Google Cloud Platform (GCP)
  • Most cost-effective due to economies of scale

3. Hybrid Cloud

  • A deliberate combination of private (on-prem) and public cloud resources
  • Sensitive or regulated data stays on-premises; burst workloads or less-sensitive systems go to public cloud
  • Requires networking connectivity between environments (e.g., AWS Direct Connect or VPN)
  • Use case: a bank keeps customer financial records on-prem but runs analytics in AWS
  • Key AWS services: AWS Outposts (run AWS on-prem), Direct Connect, VPN, Storage Gateway

Deployment Models Visual:

+---------------------------------------------------------------+
|                  CLOUD DEPLOYMENT MODELS                      |
+-----------------+-----------------+---------------------------+
|  PRIVATE CLOUD  |  PUBLIC CLOUD   |     HYBRID CLOUD          |
+-----------------+-----------------+---------------------------+
| +-------------+ | +-------------+ | +-------+    +-------+   |
| |  Dedicated  | | |   Shared    | | |On-Prem|<-->| AWS   |   |
| |  to ONE     | | |   Multi-    | | |Private|    |Public |   |
| | Organization| | |   Tenant    | | +-------+    +-------+   |
| +-------------+ | +-------------+ |    Connected via VPN/     |
|                 |                 |    Direct Connect         |
| You own/lease   | AWS owns all    |                           |
| Examples:       | Examples:       | Examples:                 |
| * VMware        | * AWS           | * AWS Outposts            |
| * Rackspace     | * Azure         | * Storage Gateway         |
| * OpenStack     | * GCP           | * Direct Connect          |
+-----------------+-----------------+---------------------------+

Three Cloud Service Models -- The Responsibility Pyramid:

IaaS vs PaaS vs SaaS Responsibility Diagram:

+--------------------------------------------------------------------+
|         WHAT YOU MANAGE vs WHAT AWS MANAGES                        |
+--------------------------------------------------------------------+
|                                                                    |
|   ON-PREM         IaaS           PaaS           SaaS               |
|   (Traditional)   (EC2)      (Beanstalk)     (WorkMail)            |
|                                                                    |
|  +----------+   +----------+   +----------+   +----------+        |
|  |   DATA   |   |   DATA   |   |   DATA   |   |   DATA   | <- YOU |
|  +----------+   +----------+   +----------+   +----------+        |
|  |   APP    |   |   APP    |   |   APP    |   |##########| <- AWS |
|  +----------+   +----------+   +----------+   +----------+        |
|  | RUNTIME  |   | RUNTIME  |   |##########|   |##########|        |
|  +----------+   +----------+   +----------+   +----------+        |
|  |    OS    |   |    OS    |   |##########|   |##########|        |
|  +----------+   +----------+   +----------+   +----------+        |
|  |  VIRT.   |   |##########|   |##########|   |##########|        |
|  +----------+   +----------+   +----------+   +----------+        |
|  | SERVERS  |   |##########|   |##########|   |##########|        |
|  +----------+   +----------+   +----------+   +----------+        |
|  | STORAGE  |   |##########|   |##########|   |##########|        |
|  +----------+   +----------+   +----------+   +----------+        |
|  | NETWORK  |   |##########|   |##########|   |##########|        |
|  +----------+   +----------+   +----------+   +----------+        |
|                                                                    |
|  YOU manage      ### AWS manages                                   |
|  EVERYTHING      ### shaded layers                                 |
|                                                                    |
|  MORE Control <----------------------------------> LESS Control    |
|  MORE Work                                          LESS Work      |
+--------------------------------------------------------------------+

+-------+-----------------------------+------------------------+-----------------------------------------+----------------------------------------------+
| Model | Full Name                   | You Manage             | AWS Manages                             | AWS Examples                                 |
+-------+-----------------------------+------------------------+-----------------------------------------+----------------------------------------------+
| IaaS  | Infrastructure as a Service | OS, Runtime, App, Data | Hardware, Networking, Virtualization    | EC2, S3, VPC                                 |
| PaaS  | Platform as a Service       | Application code, Data | OS, Runtime, Middleware, Infrastructure | Elastic Beanstalk, RDS, Lambda               |
| SaaS  | Software as a Service       | Just use the app       | Everything                              | Rekognition, WorkMail, Chime, Amazon Connect |
+-------+-----------------------------+------------------------+-----------------------------------------+----------------------------------------------+

Memory Aid for Service Models:

  • IaaS = you get the land and tools, you build the house (MOST control, MOST work)
  • PaaS = you get a house shell, you decorate inside (balanced control/work)
  • SaaS = you move into a fully furnished hotel room (LEAST control, LEAST work)

Pizza as a Service Analogy:

+-----------------------------------------------------------------+
|                PIZZA AS A SERVICE ANALOGY                        |
+---------------+---------------+-------------+-------------------+
|  ON-PREMISES  |     IaaS      |    PaaS     |      SaaS         |
| (Make at Home)| (Take & Bake) | (Delivery)  | (Dine Out)        |
+---------------+---------------+-------------+-------------------+
| Make dough    | Dough provided| Pizza made  | Show up, eat      |
| Add sauce     | Add toppings  | You reheat  | They serve you    |
| Add toppings  | Bake it       | and serve   |                   |
| Bake it       |               |             |                   |
| Serve it      |               |             |                   |
+---------------+---------------+-------------+-------------------+
| YOU DO ALL    | YOU: Toppings | YOU: Plate  | YOU: Eat          |
|               |     + Bake    |     + Serve |                   |
+---------------+---------------+-------------+-------------------+

AWS Pricing: Three Pillars (Pay-as-you-go):

  • Compute - charged per second or per hour of processing time (e.g., EC2, Lambda)
  • Storage - charged per GB stored per month (e.g., S3, EBS)
  • Data Transfer - data INTO AWS is free; data OUT of AWS to the internet incurs charges

Pricing Direction Visual:

     +----------------------------+
     |          AWS CLOUD         |
     |                            |
  -->| Data IN  = FREE            |
     |                            |
     | Data OUT = $$$$ (Egress)   |<--
     |                            |
     +----------------------------+
     
     INGRESS = FREE   |   EGRESS = PAID

Why Data Transfer Pricing Matters:

Architecting to minimize data leaving AWS (e.g., keeping compute and storage in the same region) directly reduces costs. This is why AWS encourages processing data where it's stored rather than downloading it.

Key Terms

  • IaaS - Infrastructure as a Service -- you manage the OS and above; the cloud provider manages hardware, networking, and virtualization. Most control, most responsibility. Example: EC2.
  • PaaS - Platform as a Service -- you manage only your application and data; the provider manages everything else including the runtime and OS. Example: Elastic Beanstalk, RDS.
  • SaaS - Software as a Service -- a fully managed application delivered over the internet; the user just logs in and uses it. Least control, least responsibility. Example: Gmail, Salesforce, Amazon WorkMail.
  • Hybrid Cloud - An architecture combining on-premises infrastructure with public cloud resources, connected and orchestrated together.
  • Data Egress - Data leaving the cloud to the internet. AWS charges for egress but not for ingress (data coming in).
  • Data Ingress - Data entering the cloud from the internet. AWS does NOT charge for ingress -- uploading data to AWS is free.
  • AWS Outposts - AWS hardware and services deployed in your own data center. Enables a true hybrid cloud with consistent AWS APIs on-premises.
  • Direct Connect - A dedicated private network connection from your premises to AWS. Bypasses the public internet for consistent performance and added security.
  • Multi-Cloud - Using multiple cloud providers (e.g., AWS + Azure) for different workloads. Not the same as hybrid cloud.
  • FaaS (Function as a Service) - A subset of PaaS where you deploy individual functions that run in response to events. AWS Lambda is the primary example. Also called 'serverless compute.'

Exam Tips:
  • IaaS gives you the MOST control but the MOST responsibility. SaaS gives you the LEAST control but the LEAST responsibility.
  • EC2 is IaaS. Elastic Beanstalk is PaaS. Gmail is SaaS. Know an example of each.
  • Hybrid cloud = on-prem + public cloud working TOGETHER. Not just having both separately.
  • Data INTO AWS = FREE. Data OUT of AWS = CHARGED. This is a common trick question.
  • Private cloud is NOT the same as on-premises. Private cloud uses cloud technologies but is dedicated to one org.
  • Lambda is often classified as PaaS or FaaS (Function as a Service). You manage only the code.
  • AWS Outposts enables hybrid cloud by putting AWS hardware in YOUR data center.
  • Multi-cloud (using multiple providers) is different from hybrid cloud (on-prem + one cloud).
  • RDS is PaaS -- AWS manages the database engine, OS, patching. You manage data and access.

Practice Questions

Q1. A developer wants to deploy a web application without managing the underlying operating system, patching, or server configuration. Which cloud service model best fits this need?

  A. IaaS
  B. PaaS
  C. SaaS
  D. Private Cloud

Answer: B

PaaS abstracts away the OS and runtime management. The developer only needs to focus on their application code and data. AWS Elastic Beanstalk is a prime example.

Q2. A financial institution must keep customer account data on-premises due to regulatory requirements, but wants to run their analytics workloads on AWS. Which deployment model describes this architecture?

  A. Public Cloud
  B. Private Cloud
  C. Hybrid Cloud
  D. Multi-Cloud

Answer: C

Hybrid cloud combines on-premises (private) and public cloud resources. Sensitive data stays on-prem for compliance, while flexible workloads run in the public cloud.

Q3. Which of the following AWS pricing rules is correct regarding data transfer?

  A. Data in and out of AWS are both charged
  B. Data into AWS is charged; data out is free
  C. Data into AWS is free; data out to the internet is charged
  D. All data transfer within AWS is free

Answer: C

AWS does not charge for inbound data transfer. Outbound data transfer to the internet incurs costs. Data transfer between AWS services within the same region is also typically free or very low cost.

Q4. A company uses Amazon EC2 to host their application. Under the IaaS model, which of the following is the company responsible for?

  • Managing the physical servers
  • Managing the hypervisor
  • Patching the guest operating system
  • Providing electricity to the data center

Answer: C

EC2 is IaaS -- the customer manages the OS and everything above (runtime, application, data). AWS manages the physical infrastructure, virtualization layer (hypervisor), and data center facilities.

Q5. Which service model requires the LEAST operational overhead from the customer?

  • IaaS
  • PaaS
  • SaaS
  • On-Premises

Answer: C

SaaS (Software as a Service) is fully managed -- the customer simply uses the application. Examples: email services, CRM systems. The provider handles ALL infrastructure, runtime, and application maintenance.

Q6. A company wants to extend their AWS environment into their own data center with the same AWS APIs, tools, and services. Which AWS service enables this?

  • AWS Direct Connect
  • AWS VPN
  • AWS Outposts
  • Amazon CloudFront

Answer: C

AWS Outposts brings AWS infrastructure, services, and APIs to your on-premises data center. This creates a true hybrid architecture with consistent APIs across both environments. Direct Connect and VPN provide network connectivity but don't run AWS services on-prem.

AWS Cloud Overview

What is AWS?

Amazon Web Services is the world's largest and most widely adopted cloud platform, offering over 200 fully featured services from data centers globally. Launched in 2006, AWS pioneered the modern cloud industry and remains the market leader.

AWS Market Position:

  • Launched 2006 (first major cloud provider)
  • Market share: ~32% (largest)
  • Over 200 services across compute, storage, database, AI/ML, IoT, and more
  • Trusted by enterprises, startups, and government agencies worldwide

AWS Global Infrastructure -- Three Key Concepts:

AWS Global Infrastructure Hierarchy:

+-----------------------------------------------------------------+
|                    AWS GLOBAL INFRASTRUCTURE                    |
+-----------------------------------------------------------------+
                              |
         +--------------------+--------------------+
         v                    v                    v
+-----------------+  +-----------------+  +-----------------+
|   REGION 1      |  |   REGION 2      |  |   REGION 3      |
|  (us-east-1)    |  |  (eu-west-1)    |  |  (ap-south-1)   |
|   N. Virginia   |  |    Ireland      |  |     Mumbai      |
+--------+--------+  +-----------------+  +-----------------+
         |
    +----+----+------------+
    v         v            v
+-------+ +-------+   +-------+
|  AZ 1 | |  AZ 2 |   |  AZ 3 |   <-- Availability Zones
| (1a)  | | (1b)  |   | (1c)  |       (2-6 per Region)
+---+---+ +---+---+   +---+---+
    |         |           |
    v         v           v
  +---+     +---+       +---+
  |DC |     |DC |       |DC |      <-- Data Centers
  |DC |     |DC |       |DC |          (Multiple per AZ)
  +---+     +---+       +---+

+-----------------------------------------------------------------+
|                       EDGE LOCATIONS                            |
|              (400+ worldwide, for CloudFront CDN)               |
|  +---+ +---+ +---+ +---+ +---+ +---+ +---+ +---+ +---+ +---+  |
|  | E | | E | | E | | E | | E | | E | | E | | E | | E | | E |  |
|  +---+ +---+ +---+ +---+ +---+ +---+ +---+ +---+ +---+ +---+  |
|              More Edge Locations than Regions!                  |
+-----------------------------------------------------------------+

1. Regions

  • A Region is a physically separate geographic area containing multiple data centers
  • Currently 30+ Regions worldwide (and growing)
  • Each Region is completely independent -- a failure in one does not affect others
  • Services and data deployed in a Region stay in that Region unless you explicitly move them
  • Examples: us-east-1 (N. Virginia), eu-west-1 (Ireland), ap-southeast-1 (Singapore)
  • Naming convention: continent-direction-number (e.g., us-west-2 = US West, 2nd region)

How to Choose a Region (4 Factors -- Memorize!):

+----------------------------------------------------------------+
|            4 FACTORS FOR CHOOSING AN AWS REGION                |
+----------------------------------------------------------------+
|                                                                |
|  1. LATENCY (Proximity)                                        |
|     * Choose region closest to your users                      |
|     * Lower latency = faster response times                    |
|                                                                |
|  2. COMPLIANCE (Data Residency)                                |
|     * Some laws require data to stay in specific countries     |
|     * GDPR, HIPAA, government regulations                      |
|                                                                |
|  3. SERVICE AVAILABILITY                                       |
|     * Not all services exist in all regions                    |
|     * New services launch in us-east-1 first                   |
|                                                                |
|  4. PRICING                                                    |
|     * Prices vary slightly between regions                     |
|     * us-east-1 is often cheapest                              |
|                                                                |
+----------------------------------------------------------------+

2. Availability Zones (AZs)

  • Each Region contains 2-6 AZs (usually 3)
  • Each AZ is one or more discrete data centers with independent power, cooling, and networking
  • AZs within a Region are connected via high-speed, low-latency private fiber links (<2ms latency)
  • Deploying across multiple AZs = high availability and fault tolerance
  • If one AZ goes down, your application keeps running from the others
  • AZs are physically separate but close enough for synchronous replication

3. Edge Locations (Points of Presence)

  • 400+ Edge Locations worldwide -- far more than Regions
  • Used by Amazon CloudFront (CDN) to cache and deliver content closer to end users
  • Reduces latency for global users by serving content from a nearby edge node
  • Also used by Route 53 (DNS), AWS Shield, and AWS WAF
  • Regional Edge Caches provide an additional caching layer between edge locations and origin

Global vs. Regional Services:

+-----------------------------------------------------------------+
|              GLOBAL vs REGIONAL SERVICES                        |
+------------------------+----------------------------------------+
|    GLOBAL SERVICES     |       REGIONAL SERVICES                |
|  (No region selection) |   (Must select a region)               |
+------------------------+----------------------------------------+
| * IAM                  | * EC2                                  |
| * Route 53 (DNS)       | * S3 (buckets are regional)            |
| * CloudFront (CDN)     | * RDS                                  |
| * WAF (can be global)  | * Lambda                               |
| * AWS Organizations    | * VPC                                  |
| * Billing Dashboard    | * DynamoDB                             |
|                        | * SageMaker                            |
+------------------------+----------------------------------------+
         Shows 'Global'             Shows region name
        in console header           in console header

AWS Service Categories (Key Ones for Exam):

  • Compute: EC2, Lambda, ECS, EKS, Elastic Beanstalk, Fargate, Lightsail
  • Storage: S3, EBS, EFS, FSx, Glacier, Storage Gateway
  • Database: RDS, DynamoDB, ElastiCache, Aurora, Redshift, Neptune, DocumentDB
  • Networking: VPC, Route 53, CloudFront, Direct Connect, API Gateway, Transit Gateway
  • Security: IAM, KMS, Shield, WAF, GuardDuty, Inspector, Macie, Secrets Manager
  • AI/ML: SageMaker, Rekognition, Comprehend, Bedrock, Polly, Transcribe, Lex, Textract

AI/ML Services Hierarchy:

+-----------------------------------------------------------------+
|               AWS AI/ML SERVICES STACK                          |
+-----------------------------------------------------------------+
|                                                                 |
|  +---------------------------------------------------------+   |
|  |  AI SERVICES (No ML expertise needed - just API calls)  |   |
|  |  Rekognition | Comprehend | Polly | Lex | Textract      |   |
|  |  Transcribe | Translate | Personalize | Forecast        |   |
|  +---------------------------------------------------------+   |
|                          ^                                      |
|  +---------------------------------------------------------+   |
|  |  ML SERVICES (Build/train custom models)                |   |
|  |  Amazon SageMaker | SageMaker Studio                    |   |
|  |  Built-in algorithms | Custom training                  |   |
|  +---------------------------------------------------------+   |
|                          ^                                      |
|  +---------------------------------------------------------+   |
|  |  ML FRAMEWORKS (Deep learning on EC2)                   |   |
|  |  TensorFlow | PyTorch | MXNet | Deep Learning AMIs      |   |
|  +---------------------------------------------------------+   |
|                          ^                                      |
|  +---------------------------------------------------------+   |
|  |  GENERATIVE AI (Foundation Models)                      |   |
|  |  Amazon Bedrock | Amazon Q | PartyRock                  |   |
|  |  Claude | Titan | Llama | Stable Diffusion              |   |
|  +---------------------------------------------------------+   |
|                                                                 |
|  HIGHER = Easier to use, less customization                    |
|  LOWER  = More control, more expertise required                |
+-----------------------------------------------------------------+

Key Terms

  • Region - A geographically distinct area hosting multiple Availability Zones. Data in a Region stays in that Region unless explicitly moved. Currently 30+ worldwide.
  • Availability Zone (AZ) - One or more physically separate data centers within a Region, each with independent power and networking. Deploying across AZs enables high availability. 2-6 AZs per Region.
  • Edge Location - A site used by CloudFront and other services to cache content closer to end users, reducing latency. There are 400+ edge locations -- far more than Regions.
  • High Availability - System design that minimizes downtime by distributing resources across multiple AZs or Regions so that no single failure causes a full outage.
  • Fault Tolerance - The ability of a system to continue operating correctly even when one or more components fail.
  • CloudFront - AWS's Content Delivery Network (CDN). Uses edge locations to serve content from the location closest to the user.
  • Points of Presence (PoP) - The network of edge locations and Regional Edge Caches used by CloudFront, Route 53, and other global services.
  • Data Residency - Legal requirements specifying where data must be physically stored. A key factor when choosing AWS Regions.
  • Low Latency Links - High-speed, private fiber connections between AZs in the same Region. Typically <2ms latency, enabling synchronous replication.
  • Regional Edge Cache - A larger cache layer between edge locations and the origin server. Provides better cache hit ratios for less frequently accessed content.

Exam Tips:
  • Regions > Availability Zones > Data Centers. Know this hierarchy.
  • AZs = isolated failure domains. Spreading across AZs = high availability.
  • Edge Locations are NOT the same as AZs or Regions. They serve cached content via CloudFront.
  • There are more Edge Locations than Regions -- often tested as a trick question.
  • IAM and Route 53 are GLOBAL services. EC2 and S3 buckets are REGIONAL.
  • Four factors for choosing a Region: Latency, Compliance, Service Availability, Pricing.
  • AZs within a Region have <2ms latency between them -- low enough for synchronous replication.
  • Not all services are available in all regions -- new services typically launch in us-east-1 first.
  • S3 bucket names are globally unique, but the buckets themselves are REGIONAL.

Practice Questions

Q1. A company needs to ensure their application remains available even if an entire AWS data center experiences a power failure. What should they do?

  • Deploy across multiple AWS Regions
  • Deploy across multiple Availability Zones within one Region
  • Use a single large EC2 instance
  • Enable CloudFront caching

Answer: B

Each AZ has independent power, cooling, and networking. Deploying across multiple AZs in the same Region ensures your app stays up if one AZ fails -- this is standard high availability architecture.

Q2. Which of the following AWS services is considered a GLOBAL service (not tied to a specific region)?

  • Amazon EC2
  • Amazon S3
  • AWS IAM
  • Amazon RDS

Answer: C

IAM (Identity and Access Management) is a global service -- users, roles, and policies created in IAM are available across all regions. EC2, S3 (buckets), and RDS are all regional.

Q3. What is the PRIMARY purpose of AWS Edge Locations?

  • Run EC2 instances closer to users
  • Store database backups for disaster recovery
  • Cache and deliver content to end users with low latency via CloudFront
  • Host AWS management consoles in each country

Answer: C

Edge Locations are part of AWS's Points of Presence network, primarily used by CloudFront to cache content (images, videos, web pages) near end users to reduce latency.

Q4. A European company must ensure customer data never leaves Germany due to data sovereignty laws. Which factor is MOST important when selecting an AWS Region?

  • Latency to users
  • Service availability
  • Compliance and data residency requirements
  • Pricing differences

Answer: C

Data residency and compliance requirements are the most critical factor when laws mandate where data must be stored. The company should use the eu-central-1 (Frankfurt) region to keep data in Germany.

Q5. How many Availability Zones does a typical AWS Region contain?

  • 1
  • 2-6 (usually 3)
  • Exactly 10
  • Over 100

Answer: B

Most AWS Regions have 3 Availability Zones, though some have 2 and larger regions like us-east-1 have 6. Each AZ contains one or more data centers.

Q6. A streaming media company wants to deliver video content to users worldwide with minimal loading time. Which AWS feature should they use?

  • Deploy EC2 instances in every Region
  • Use Amazon CloudFront with Edge Locations
  • Use Amazon S3 Cross-Region Replication
  • Use AWS Direct Connect

Answer: B

CloudFront is AWS's CDN that caches content at 400+ Edge Locations worldwide. This ensures video content is served from the location closest to each user, minimizing latency without deploying infrastructure in every region.

Creating an AWS Account

Account Creation Steps:

  • Visit aws.amazon.com -> Create an AWS Account
  • Enter a valid email address and create a root account password
  • Provide contact details (name, address, phone number)
  • Enter a valid credit/debit card -- AWS requires this even for free tier (charged only if you exceed limits)
  • Complete phone identity verification
  • Select a Support Plan -- choose Basic (free) for learning purposes

Account Setup Flow:

+-----------------------------------------------------------------+
|                  AWS ACCOUNT CREATION FLOW                      |
+-----------------------------------------------------------------+
                              |
     +------------------------+------------------------+
     v                        v                        v
+----------+           +----------+           +----------+
| 1. Email |---------->|2. Payment|---------->|3. Verify |
| +Password|           |   Info   |           |  Phone   |
+----------+           +----------+           +----------+
                              |
     +------------------------+------------------------+
     v                        v                        v
+----------+           +----------+           +----------+
|4. Support|---------->|5. Account|---------->|6. Secure |
|   Plan   |           | Activated|           | the Root |
+----------+           +----------+           +----------+
                                                    |
                                                    v
                                            Enable MFA!

The Root Account -- Handle With Extreme Care:

The root account is created with your email at sign-up. It has UNLIMITED access to everything in your AWS account with no restrictions.

  • Never use the root account for everyday tasks
  • Enable MFA (Multi-Factor Authentication) on the root account immediately after creation
  • Store root credentials securely and use them only for account-level tasks
  • Root tasks include: closing the account, changing billing info, changing support plan, restoring IAM permissions

Root Account Security Visual:

+-----------------------------------------------------------------+
|                    ROOT ACCOUNT RULES                           |
+-----------------------------------------------------------------+
|                                                                 |
|   [check] DO                     [x] DON'T                      |
|   --------------------           --------------------           |
|   * Enable MFA immediately       * Use for daily work           |
|   * Store creds securely         * Share credentials            |
|   * Create IAM admin user        * Create access keys           |
|   * Use only for root tasks      * Ignore the warnings          |
|                                                                 |
|   ROOT-ONLY TASKS:                                              |
|   * Close the account            * Change support plan          |
|   * Modify account settings      * View certain reports         |
|   * Restore IAM permissions      * Enable MFA for root          |
|                                                                 |
+-----------------------------------------------------------------+

AWS Free Tier -- Three Types:

+---------------+----------------------+------------------------------------------+
|     TYPE      |       DURATION       |                 EXAMPLE                  |
+---------------+----------------------+------------------------------------------+
| 12-Month Free | First 12 months only | 750 hrs/month EC2 t2.micro, 5 GB S3      |
| Always Free   | Never expires        | 1M Lambda requests/month, 25 GB DynamoDB |
| Free Trials   | Short-term trial     | 90-day free trial of Amazon Inspector    |
+---------------+----------------------+------------------------------------------+

Free Tier Details:

+-----------------------------------------------------------------+
|                    AWS FREE TIER TYPES                          |
+-----------------------------------------------------------------+
|                                                                 |
|  12-MONTH FREE                   ALWAYS FREE                    |
|  (Expires after 1 year)          (Never expires)                |
|  --------------------            ----------------                |
|  * 750 hrs EC2 t2.micro          * 1M Lambda requests           |
|  * 5 GB S3 standard              * 25 GB DynamoDB               |
|  * 750 hrs RDS db.t2.micro       * 1M SNS requests              |
|  * 30 GB EBS storage             * 10 custom CloudWatch metrics |
|                                  * 25 GB SageMaker Studio Lab   |
|                                                                 |
|  FREE TRIALS                                                    |
|  (Short-term)                                                   |
|  ----------------                                               |
|  * 90-day Inspector trial                                       |
|  * 30-day GuardDuty trial                                       |
|  * 60-day Lightsail trial                                       |
|                                                                 |
+-----------------------------------------------------------------+

Post-Creation Security Best Practices:

  • Enable MFA on root account -- use an authenticator app (Google Authenticator, Authy, Microsoft Authenticator)
  • Create an IAM Admin user for daily use -- never log in as root routinely
  • Set up a billing alarm in CloudWatch to alert you before charges accumulate
  • Enable AWS Cost Explorer to monitor spending trends
  • Review IAM Password Policy to enforce strong passwords for all users
  • Enable AWS CloudTrail to log all API activity for auditing
  • Consider enabling AWS Organizations for multi-account management

Security Setup Checklist:

+-----------------------------------------------------------------+
|         POST-CREATION SECURITY CHECKLIST                        |
+-----------------------------------------------------------------+
|                                                                 |
|  [ ] 1. Enable MFA on root account (FIRST PRIORITY!)            |
|  [ ] 2. Create IAM admin user with MFA                          |
|  [ ] 3. Set up billing alarm (CloudWatch)                       |
|  [ ] 4. Enable Cost Explorer                                    |
|  [ ] 5. Configure IAM password policy                           |
|  [ ] 6. Enable CloudTrail logging                               |
|  [ ] 7. Review and remove unused credentials                    |
|  [ ] 8. Set up AWS Budgets for cost control                     |
|                                                                 |
+-----------------------------------------------------------------+
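The checklist above as an offline audit script (an added example, not part of the original notes): each check consumes the saved output of one AWS CLI call and reports which items are still open. The response field names (SummaryMap keys, credential-report columns, trailList, MetricAlarms) are those of the real IAM, CloudTrail and CloudWatch APIs; the sample data, the 90-day "unused" threshold and the audit function itself are constructed assumptions.

```python
"""Offline audit of the post-creation checklist against saved AWS CLI output.

Added example, not part of the original notes. Each check consumes the parsed
response of one CLI call (aws iam get-account-summary, aws iam
get-credential-report, aws cloudtrail describe-trails, aws cloudwatch
describe-alarms --region us-east-1), so it runs without credentials or
network access. All sample data below is constructed.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

STALE_DAYS = 90  # assumption: a credential unused this long counts as unused


def check_root(summary_map: dict) -> list:
    """Item 1 plus the 'no root access keys' rule.
    summary_map is the 'SummaryMap' object of get-account-summary."""
    findings = []
    if summary_map.get("AccountMFAEnabled") != 1:
        findings.append("root: MFA not enabled")
    if summary_map.get("AccountAccessKeysPresent", 0) != 0:
        findings.append("root: access keys present, delete them")
    return findings


def check_cloudtrail(trail_list: list) -> list:
    """Item 6: at least one multi-region trail ('trailList' of describe-trails)."""
    if any(t.get("IsMultiRegionTrail") for t in trail_list):
        return []
    return ["no multi-region CloudTrail trail"]


def check_billing_alarm(metric_alarms: list) -> list:
    """Item 3: an enabled alarm on AWS/Billing EstimatedCharges ('MetricAlarms'
    of describe-alarms; billing metrics are only published in us-east-1)."""
    for alarm in metric_alarms:
        if (alarm.get("Namespace") == "AWS/Billing"
                and alarm.get("MetricName") == "EstimatedCharges"
                and alarm.get("ActionsEnabled")):
            return []
    return ["no enabled billing alarm on AWS/Billing EstimatedCharges"]


def _older_than(stamp: str, now: datetime, days: int) -> bool:
    """True if an ISO-8601 report timestamp is older than `days`. The report's
    placeholders (N/A, no_information, not_supported) mean 'never used'."""
    try:
        when = datetime.fromisoformat(stamp)
    except ValueError:
        return True
    return now - when > timedelta(days=days)


def check_credentials(report_csv: str, now: datetime) -> list:
    """Items 2 and 7: every console user has MFA; no password or access key
    has gone unused for STALE_DAYS. report_csv is the decoded 'Content'
    of get-credential-report."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if row["password_enabled"] == "true":
            if row["mfa_active"] != "true":
                findings.append(f"{user}: console password without MFA")
            if _older_than(row["password_last_used"], now, STALE_DAYS):
                findings.append(f"{user}: password unused for {STALE_DAYS}+ days")
        for key in ("access_key_1", "access_key_2"):
            if row[f"{key}_active"] != "true":
                continue
            if _older_than(row[f"{key}_last_used_date"], now, STALE_DAYS):
                findings.append(f"{user}: {key} unused for {STALE_DAYS}+ days")
    return findings


def audit(summary_map, trail_list, metric_alarms, report_csv, now) -> list:
    """Run every check and return the combined list of open findings."""
    return (check_root(summary_map) + check_cloudtrail(trail_list)
            + check_billing_alarm(metric_alarms)
            + check_credentials(report_csv, now))


# Constructed sample data for a freshly created, not yet hardened account.
SAMPLE_SUMMARY = {"AccountMFAEnabled": 0, "AccountAccessKeysPresent": 1}
SAMPLE_TRAILS = [{"Name": "local-only", "IsMultiRegionTrail": False}]
SAMPLE_ALARMS = [{"AlarmName": "cpu-high", "Namespace": "AWS/EC2",
                  "MetricName": "CPUUtilization", "ActionsEnabled": True}]
# Only the credential-report columns the checks read (a real report has 22).
SAMPLE_REPORT = """\
user,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,not_supported,2024-01-10T09:30:00+00:00,false,false,N/A,false,N/A
admin,true,2024-06-01T08:00:00+00:00,true,false,N/A,false,N/A
ci-bot,false,no_information,false,true,2024-02-01T00:00:00+00:00,false,N/A
intern,true,no_information,false,false,N/A,false,N/A
"""
NOW = datetime(2024, 7, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for finding in audit(SAMPLE_SUMMARY, SAMPLE_TRAILS, SAMPLE_ALARMS, SAMPLE_REPORT, NOW):
        print("FAIL:", finding)
```

On a real account, feed it the `--output json` of the listed commands and the base64-decoded `Content` field of `get-credential-report`; an empty result means every listed checklist item is closed.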

Account Activation:

New accounts may take up to 24 hours to fully activate, particularly for phone verification. Email confirmation is immediate.

Support Plans Overview:

+------------------------------------------------------------------+
|                    AWS SUPPORT PLANS                             |
+--------------+--------------+---------------+-------------------+
|    BASIC     |  DEVELOPER   |   BUSINESS    |    ENTERPRISE     |
|    (Free)    |   ($29/mo)   | ($100/mo min) |  ($15,000/mo min) |
+--------------+--------------+---------------+-------------------+
| Docs, forums | Email support| 24/7 phone    | TAM assigned      |
| Trusted Adv  | 12-24hr resp | 1hr urgent    | 15min critical    |
| (7 checks)   | 1 contact    | Unlimited     | Concierge team    |
|              |              | contacts      | All TA checks     |
+--------------+--------------+---------------+-------------------+

Key Terms

  • Root Account - The original AWS account created with your email address. Has unrestricted access to all AWS services and account settings. Should be protected with MFA and used sparingly.
  • MFA (Multi-Factor Authentication) - An extra layer of login security requiring a second factor (like a code from an authenticator app) in addition to a password. Can be virtual (app) or hardware (key fob).
  • IAM (Identity and Access Management) - AWS service for creating and managing users, groups, and roles with specific permissions. Use IAM users instead of root for day-to-day access.
  • AWS Free Tier - A set of AWS service allowances available at no charge, including 12-month free offers, always-free services, and short-term trials.
  • Billing Alarm - A CloudWatch alarm that notifies you when your estimated AWS charges exceed a threshold you set -- critical for avoiding surprise bills.
  • CloudTrail - AWS service that logs all API calls made in your account for security auditing, compliance, and troubleshooting. Records who did what, when, and from where.
  • AWS Organizations - Service for centrally managing multiple AWS accounts. Enables consolidated billing, service control policies, and organizational units.
  • Trusted Advisor - AWS service that provides real-time recommendations for cost optimization, security, fault tolerance, performance, and service limits.
  • AWS Budgets - Service for setting custom budgets and receiving alerts when costs or usage exceed thresholds. More flexible than basic billing alarms.
  • Technical Account Manager (TAM) - A dedicated AWS expert assigned to Enterprise Support customers who provides proactive guidance and advocacy.

Exam Tips:
  • Root account = god mode. Never use it daily. Always secure with MFA.
  • Creating an IAM Admin user = first thing to do after enabling root MFA.
  • Free Tier has THREE types: 12-month, Always Free, and Short-Term Trials. Know the difference.
  • Billing alarms are set up in CloudWatch (not the Billing console directly) -- though you can also use AWS Budgets.
  • The exam may ask what action to take FIRST after creating an account: Enable MFA on root.
  • Lambda 1M requests/month is ALWAYS FREE -- it never expires. EC2 t2.micro hours expire after 12 months.
  • Business and Enterprise support include 24/7 phone support. Basic and Developer do NOT.
  • Only Enterprise support includes a TAM (Technical Account Manager).
  • CloudTrail records API activity -- essential for auditing and compliance.

Practice Questions

Q1. A cloud administrator just created a new AWS account. What should be done FIRST to secure the account?

  • Create an S3 bucket for log storage
  • Enable MFA on the root account
  • Deploy an EC2 instance in the default VPC
  • Purchase a Reserved Instance for cost savings

Answer: B

The root account has unrestricted access. Enabling MFA immediately after account creation is the single most important first security step, preventing unauthorized access even if the password is compromised.

Q2. Which of the following is an 'Always Free' AWS Free Tier offering that does not expire after 12 months?

  • 750 hours/month of EC2 t2.micro
  • 5 GB of Amazon S3 storage
  • 1 million AWS Lambda requests per month
  • 30 GB of Amazon EBS storage

Answer: C

AWS Lambda's 1 million requests per month (and 400,000 GB-seconds of compute) is Always Free -- it never expires. EC2 t2.micro hours, 5 GB of S3, and 30 GB of EBS are 12-month Free Tier offers.

Q3. Which AWS Support plan provides a dedicated Technical Account Manager (TAM)?

  • Basic
  • Developer
  • Business
  • Enterprise

Answer: D

Only the Enterprise Support plan includes a Technical Account Manager (TAM). TAMs provide proactive guidance, architectural reviews, and act as your advocate within AWS. Business support offers 24/7 phone support but no TAM.

Q4. After creating an IAM admin user, what should the administrator do with the root account credentials?

  • Delete them permanently
  • Store them securely and use only for specific root-level tasks
  • Share them with all team administrators
  • Use them for deploying EC2 instances

Answer: B

Root credentials should be stored securely (e.g., in a password manager or safe) and used only for tasks that require root access -- such as closing the account, changing support plans, or restoring IAM permissions. They should never be deleted, shared, or used for daily operations.

Q5. A user wants to be alerted when their AWS spending approaches $100. Which service should they configure?

  • AWS Cost Explorer
  • Amazon CloudWatch Billing Alarm
  • AWS Trusted Advisor
  • IAM Access Analyzer

Answer: B

CloudWatch Billing Alarms allow you to set spending thresholds and receive notifications (via SNS) when estimated charges exceed your defined limit. AWS Budgets is also an option with more features, but CloudWatch billing alarms are the classic approach.

Tour of the Console & Services in AWS

AWS Management Console:

A browser-based graphical interface for managing all AWS services. It is the primary entry point for beginners before graduating to the CLI or SDK.

URL: console.aws.amazon.com

Console Layout (ASCII Diagram):

+-------------------------------------------------------------------------+
|  AWS    [Services v]    [Search] Search...        v Region   [*] Account |
+-------------------------------------------------------------------------+
|                                                                         |
|  [Star] Favorites: EC2 | S3 | Lambda | CloudWatch | IAM                 |
|                                                                         |
+---------------------------------------------------+---------------------+
|                                                   |                     |
|   RECENTLY VISITED                                |  AWS HEALTH         |
|   -----------------                               |  ------------       |
|   * Amazon EC2                                    |  All systems        |
|   * Amazon S3                                     |  operational [check]|
|   * AWS Lambda                                    |                     |
|                                                   |                     |
|   BUILD A SOLUTION                                |  COST & USAGE       |
|   -----------------                               |  -------------      |
|   * Launch a VM                                   |  $XX.XX MTD         |
|   * Store files                                   |                     |
|   * Create a database                             |                     |
|                                                   |                     |
+---------------------------------------------------+---------------------+

Console Layout -- Key Areas:

  • Top Navigation Bar - search bar, services menu, region selector, account menu, notifications
  • Region Selector (top right) - sets which AWS region you're working in; CRITICAL to get right
  • Search Bar - fastest way to find a service; also returns features, documentation, blog posts
  • Services Menu (top left) - browse all 200+ services by name or by category
  • Recently Visited - quick access to services you've used recently
  • Home Dashboard - shows health status, cost and usage summary, and tutorials
  • Favorites Bar - pin frequently used services for one-click access

Finding Services -- Three Ways:

  • Search bar: type the service name (fastest method)
  • Services menu: browse by category (Compute, Storage, Database, etc.)
  • Favorites bar: pin frequently used services to the top nav bar

Region Selector (ASCII Diagram):

+-----------------------------------------------------------------+
|                    REGION SELECTOR                              |
+-----------------------------------------------------------------+
|                                                                 |
|   +-----------------------------------------+                   |
|   | Current Region: US East (N. Virginia) v | <-- CHECK THIS!   |
|   +-----------------------------------------+                   |
|                                                                 |
|   COMMON MISTAKE:                                               |
|   "Where did my EC2 instance go?!"                              |
|   Answer: You're looking in the wrong region.                   |
|                                                                 |
|   REGIONAL SERVICES:          GLOBAL SERVICES:                  |
|   -----------------           ----------------                  |
|   * EC2 instances             * IAM                             |
|   * S3 buckets                * Route 53                        |
|   * RDS databases             * CloudFront                      |
|   * Lambda functions          * AWS Organizations               |
|   * VPCs                      * Billing                         |
|                                                                 |
|   Shows: "US East (N. Virginia)"   Shows: "Global"              |
|                                                                 |
+-----------------------------------------------------------------+

Region Selector -- Why It Matters:

  • Most AWS services are regional -- resources created in one region do NOT appear in another
  • Always confirm your region before creating resources
  • Switching regions mid-session is a common source of confusion ('Where did my EC2 instance go?')
  • Recommended: choose the region nearest to you for lowest latency during practice

Global vs. Regional Service Behavior in Console:

  • Global services (IAM, Route 53, CloudFront) display 'Global' in the region selector -- no region choice needed
  • Regional services (EC2, S3 console, RDS) display your current region -- different resources per region

Three Ways to Access AWS:

+-----------------------------------------------------------------+
|               THREE WAYS TO ACCESS AWS                          |
+-------------------+-------------------+-------------------------+
|      CONSOLE      |       CLI         |         SDK             |
|  (Web Browser)    |  (Command Line)   |   (Application Code)    |
+-------------------+-------------------+-------------------------+
|                   |                   |                         |
|  +-----------+    |  $ aws s3 ls      |  import boto3           |
|  |    GUI    |    |  $ aws ec2 run..  |  s3 = boto3.client('s3')|
|  | Point and |    |                   |  s3.list_buckets()      |
|  |   Click   |    |  Terminal/Shell   |                         |
|  +-----------+    |                   |  Python, Java, JS,      |
|                   |                   |  .NET, Go, Ruby...      |
|                   |                   |                         |
|  Best for:        |  Best for:        |  Best for:              |
|  * Learning       |  * Automation     |  * Applications         |
|  * Exploration    |  * Scripts        |  * Integration          |
|  * Ad-hoc tasks   |  * DevOps         |  * Custom tools         |
|                   |                   |                         |
+-------------------+-------------------+-------------------------+
                        |
                        v
            ALL USE THE SAME AWS APIs
           (Equal capability, different UX)

AWS CLI and SDK -- Beyond the Console:

  • AWS CLI - command-line tool to interact with AWS services via terminal; great for automation
  • Install on Windows, Mac, Linux
  • Requires access keys (create in IAM)
  • Example: aws s3 ls lists all your S3 buckets
  • AWS SDKs - libraries for Python (boto3), Java, JavaScript, .NET, Go, Ruby, PHP, C++
  • Embed AWS calls directly in application code
  • Example: boto3.client('s3').list_buckets() in Python
  • Both use the same underlying AWS APIs as the console -- equal power, different interfaces
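Because the CLI and SDKs authenticate with access keys, the usual way such keys leak is a settings file or script that gets committed. As an added example (not code from the original page or from AWS), here is a small pre-commit style scanner that flags access-key material in source text. It runs offline with no AWS calls; the sample settings module and the key values in it are constructed placeholders, not real credentials.

```python
"""
Added example: flag AWS access-key material in files before they are committed.

Checks are pattern-based and run offline:
  * Access Key IDs: 20 upper-case alphanumerics starting with "AKIA" (long-term IAM
    user keys) or "ASIA" (temporary STS keys); both prefixes are documented by AWS.
  * Secret Access Keys: a 40-character base64-like value assigned to a variable or
    config key whose name contains "secret". A bare 40-char string is too noisy on
    its own, so the name context is required.
"""
import re
from dataclasses import dataclass

ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Matches e.g. aws_secret_access_key = "...", AWS_SECRET_ACCESS_KEY: ..., secretKey="..."
SECRET_KEY_RE = re.compile(
    r"(?i)[a-z_-]*secret[a-z_-]*\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})(?!['\"]?[A-Za-z0-9/+=])"
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str      # "access_key_id" or "secret_access_key"
    snippet: str   # redacted form, safe to print in CI logs


def redact(value: str) -> str:
    """Keep just enough of the value to locate it, never the whole secret."""
    return value[:4] + "..." + value[-4:]


def scan_text(text: str) -> list:
    """Return one Finding per key-like value, with line numbers starting at 1."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append(Finding(line_no, "access_key_id", redact(m.group(0))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append(Finding(line_no, "secret_access_key", redact(m.group(1))))
    return findings


def scan_file(path: str) -> list:
    """Scan a file on disk (what a pre-commit hook would call for each staged file)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read())


# Constructed sample: what a careless commit of a settings module might look like.
# The key values are placeholders shaped like real keys, not actual credentials.
SAMPLE = """\
import boto3

# TODO remove before commit
AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE01"
AWS_SECRET_ACCESS_KEY = "abcdefghijklmnopqrstuvwxyz0123456789ABCD"
BUCKET = "my-app-data"

s3 = boto3.client("s3")   # correct: let the SDK resolve credentials itself
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no}: {f.kind} {f.snippet}")
    # A real hook would exit non-zero whenever scan_text returns any finding.
```

The redacted snippet is what gets printed in CI output, so the check itself never echoes a full key into build logs. The last line of the sample shows the pattern the scanner is steering you toward: call `boto3.client("s3")` with no explicit keys and let the SDK pick up credentials from the environment or an IAM role.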

AWS CloudShell:

  • Browser-based shell environment pre-configured with AWS CLI
  • No installation required -- access from the console
  • 1 GB persistent storage per region
  • Great for quick CLI operations without local setup

AWS Documentation and Support:

  • docs.aws.amazon.com - official service documentation
  • AWS Regional Services List - check which services are available in which region
  • AWS Health Dashboard - check for service disruptions affecting your account
  • AWS Knowledge Center - frequently asked questions and solutions
  • re:Post - AWS community forum for questions and answers

Key Terms

  • AWS Management Console - The web-based GUI for accessing and configuring AWS services. Beginner-friendly but less efficient than the CLI for repetitive tasks.
  • AWS CLI (Command Line Interface) - A tool that lets you control AWS services through terminal commands. Useful for scripting and automation. Requires access keys for authentication.
  • AWS SDK - Software Development Kits for various programming languages that allow developers to call AWS APIs programmatically from application code.
  • AWS Region Selector - The dropdown in the top-right of the console that sets which geographic region your resources are created and viewed in.
  • AWS Health Dashboard - A console page showing the current status and any disruptions of AWS services globally and for your specific account.
  • AWS CloudShell - A browser-based terminal environment with the AWS CLI pre-installed. Accessible from the console with no setup required.
  • Access Keys - Credentials (Access Key ID + Secret Access Key) used to authenticate programmatic access via the CLI and SDKs. Never share them or commit them to code repositories.
  • AWS API - Application Programming Interface -- the underlying programmatic interface that all access methods (Console, CLI, SDK) use to interact with AWS services.
  • Resource Tags - Key-value pairs you attach to AWS resources for organization, cost allocation, and automation. Example: Environment=Production.

Exam Tips:

  • The console is regional by default -- always check your region before creating resources.
  • IAM console shows 'Global' -- changes made there apply everywhere.
  • The AWS CLI and SDKs use the SAME APIs as the console -- they are equivalent in capability.
  • Know that not all services exist in all regions -- use the AWS Regional Services page to verify.
  • For the exam, understand the DIFFERENCE between console, CLI, and SDK as access methods.
  • CloudShell provides a pre-configured CLI environment in your browser -- no installation needed.
  • Access Keys are for programmatic access (CLI/SDK). Never share them or put them in code.
  • The search bar is the FASTEST way to navigate to any AWS service.
  • S3 bucket names are globally unique, but when you view buckets in the console, you see ALL your buckets regardless of region.

Practice Questions

Q1. A developer creates an EC2 instance in the eu-west-1 (Ireland) region but cannot find it when they look in the us-east-1 (N. Virginia) console. What is the most likely cause?

  • The instance was automatically terminated after 1 hour
  • EC2 instances are global and should appear in all regions
  • The developer is looking in the wrong region; EC2 is a regional service
  • The instance requires IAM permission to be visible

Answer: C

EC2 is a regional service. Resources created in eu-west-1 only appear when you have eu-west-1 selected in the region selector. Switching to us-east-1 will show a different (empty) set of resources.

Q2. Which of the following is the FASTEST way to navigate to a specific AWS service in the Management Console?

  • Browse the Services menu alphabetically
  • Use the search bar and type the service name
  • Check the Recently Visited section
  • Go to the AWS documentation site

Answer: B

The search bar instantly filters services, features, and documentation as you type. It is the fastest navigation method in the console, especially with 200+ services available.

Q3. A DevOps engineer wants to automate the creation of EC2 instances using scripts. Which AWS access method is MOST appropriate?

  • AWS Management Console
  • AWS CLI
  • AWS Support
  • AWS Trusted Advisor

Answer: B

The AWS CLI is designed for scripting and automation. You can write shell scripts that call AWS CLI commands to create, modify, or delete resources programmatically. The console is better for manual, ad-hoc tasks.

Q4. An application developer needs to integrate AWS S3 operations into their Python application. Which tool should they use?

  • AWS Management Console
  • AWS CLI
  • AWS SDK (boto3)
  • AWS CloudShell

Answer: C

AWS SDKs (boto3 for Python) allow developers to call AWS APIs directly from application code. This enables tight integration of AWS services into applications, unlike the console or CLI which are for human interaction.

Q5. A user wants to run AWS CLI commands without installing anything on their local machine. Which AWS service provides this capability?

  • AWS Lambda
  • Amazon EC2
  • AWS CloudShell
  • AWS CodeBuild

Answer: C

AWS CloudShell is a browser-based shell environment accessible from the AWS Console. It comes pre-configured with AWS CLI and common tools, requiring no local installation. It persists 1 GB of storage per region.

Shared Responsibility Model & AWS Acceptable Use Policy

What is the Shared Responsibility Model?

A foundational AWS security framework that clearly divides who is accountable for what in a cloud environment. AWS secures the platform; you secure what you build on it.

The Core Principle:

  • AWS = Security OF the Cloud (the physical and virtual infrastructure)
  • Customer = Security IN the Cloud (what you deploy and configure)

Shared Responsibility Model Diagram:

+-----------------------------------------------------------------+
|            AWS SHARED RESPONSIBILITY MODEL                      |
+-----------------------------------------------------------------+
|                                                                 |
|  +-----------------------------------------------------------+  |
|  |            CUSTOMER RESPONSIBILITY                        |  |
|  |          "Security IN the Cloud"                          |  |
|  |                                                           |  |
|  |  +-----------------------------------------------------+  |  |
|  |  | Customer Data                                       |  |  |
|  |  +-----------------------------------------------------+  |  |
|  |  | Platform, Applications, Identity & Access (IAM)     |  |  |
|  |  +-----------------------------------------------------+  |  |
|  |  | Operating System, Network & Firewall Configuration  |  |  |
|  |  +-----------------------------------------------------+  |  |
|  |  | Client-Side Encryption | Server-Side Encryption     |  |  |
|  |  | Network Traffic Protection                          |  |  |
|  |  +-----------------------------------------------------+  |  |
|  +-----------------------------------------------------------+  |
|                          |                                      |
|                          v                                      |
|  +-----------------------------------------------------------+  |
|  |              AWS RESPONSIBILITY                           |  |
|  |           "Security OF the Cloud"                         |  |
|  |                                                           |  |
|  |  +-----------------------------------------------------+  |  |
|  |  | Software: Compute, Storage, Database, Networking    |  |  |
|  |  +-----------------------------------------------------+  |  |
|  |  | Hardware/AWS Global Infrastructure                  |  |  |
|  |  | Regions, Availability Zones, Edge Locations         |  |  |
|  |  +-----------------------------------------------------+  |  |
|  |  | Physical Security: Guards, Biometrics, Cameras      |  |  |
|  |  +-----------------------------------------------------+  |  |
|  +-----------------------------------------------------------+  |
|                                                                 |
+-----------------------------------------------------------------+

AWS Responsibilities (Security OF the Cloud):

  • Physical security of all global data centers (guards, biometrics, surveillance, 24/7 monitoring)
  • Hardware lifecycle management (servers, networking equipment, storage devices)
  • Global network infrastructure and its protection (fiber, networking, DDoS mitigation)
  • Hypervisor and virtualization layer security
  • Managed service software (e.g., the database engine in RDS, the runtime in Lambda)
  • Compliance certifications for the underlying infrastructure (SOC, ISO, PCI DSS at the hardware level)
  • Decommissioning of hardware (secure disk wiping/destruction)

Customer Responsibilities (Security IN the Cloud):

  • Data classification, encryption of data at rest and in transit
  • IAM -- who has access to what (users, roles, permissions, MFA)
  • Operating system patching and updates (for EC2/IaaS -- you own the OS)
  • Application-level security and code vulnerabilities
  • Network and firewall configuration (Security Groups, NACLs, VPC settings)
  • Client-side encryption and authentication
  • Logging and monitoring setup (CloudTrail, CloudWatch Logs)

Responsibility by Service Type:

+-----------------------------------------------------------------+
|        RESPONSIBILITY SHIFTS BY SERVICE MODEL                   |
+-----------------------------------------------------------------+
|                                                                 |
|     IaaS (EC2)         PaaS (RDS/Lambda)         SaaS           |
|   +---------------+    +---------------+    +---------------+   |
|   | Customer Data |    | Customer Data |    | Customer Data |   |
|   |---------------|    |---------------|    |---------------|   |
|   | Application   |    | Application   |    |###Application#|   |
|   |---------------|    |---------------|    |---------------|   |
|   | OS Patching   |    |##OS Patching##|    |##OS Patching##|   |
|   |---------------|    |---------------|    |---------------|   |
|   | Runtime Config|    |###Runtime#####|    |###Runtime#####|   |
|   |---------------|    |---------------|    |---------------|   |
|   |###Hardware####|    |###Hardware####|    |###Hardware####|   |
|   |---------------|    |---------------|    |---------------|   |
|   |#Data Centers##|    |#Data Centers##|    |#Data Centers##|   |
|   +---------------+    +---------------+    +---------------+   |
|                                                                 |
|   ### = AWS manages     Blank = Customer manages                |
|                                                                 |
|   MORE MANAGED SERVICE ----------------------> LESS CUSTOMER    |
|                                                RESPONSIBILITY   |
+-----------------------------------------------------------------+

How Responsibility Shifts by Service Model:

+-----------------------------+------------+------------------------------+--------------------+
| Layer                       | IaaS (EC2) | PaaS (Elastic Beanstalk/RDS) | SaaS (Rekognition) |
+-----------------------------+------------+------------------------------+--------------------+
| Physical infrastructure     | AWS        | AWS                          | AWS                |
| Hypervisor / Virtualization | AWS        | AWS                          | AWS                |
| Operating System            | Customer   | AWS                          | AWS                |
| Runtime / Middleware        | Customer   | AWS                          | AWS                |
| Application Code            | Customer   | Customer                     | AWS                |
| Data                        | Customer   | Customer                     | Customer           |
+-----------------------------+------------+------------------------------+--------------------+

Key Insight: The more managed the service, the more AWS takes responsibility. With SaaS, AWS manages almost everything except your data.

Common Exam Scenarios:

+-----------------------------------------------------------------+
|              WHO IS RESPONSIBLE? (EXAM SCENARIOS)               |
+-----------------------------------------------------------------+
|                                                                 |
|  SCENARIO                              | RESPONSIBLE            |
|  ------------------------------------  | ------------           |
|  Patching EC2 instance OS              | CUSTOMER               |
|  Patching RDS database engine          | AWS                    |
|  Physical security of data center      | AWS                    |
|  Configuring Security Groups           | CUSTOMER               |
|  Enabling S3 encryption                | CUSTOMER               |
|  Providing encryption option in S3     | AWS                    |
|  Managing the hypervisor               | AWS                    |
|  Setting up IAM users and permissions  | CUSTOMER               |
|  Protecting networking infrastructure  | AWS                    |
|  Application-level firewall rules      | CUSTOMER               |
|  Hardware decommissioning/wiping       | AWS                    |
|  Compliance of physical infrastructure | AWS                    |
|  Compliance of customer workloads      | CUSTOMER               |
|                                                                 |
+-----------------------------------------------------------------+
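Two rows in the scenario table, "Configuring Security Groups" and "Enabling S3 encryption", are the ones most often mis-set in practice, because AWS supplies the control but leaves it to you to set it. As an added example (not code from the original page or from AWS), the functions below audit both from the customer side. The input dictionaries are constructed to mirror the shape of the `describe-security-groups` and `get-bucket-encryption` responses, so the same functions could be fed real output from `aws ... --output json` or boto3; the group IDs, bucket names, account ID and KMS key ARN are placeholders, and no AWS calls are made.

```python
"""
Added example: customer-side checks for two "Security IN the Cloud" items.

  * audit_security_group: flags inbound rules that open SSH/RDP, or all traffic,
    to the whole internet (0.0.0.0/0 or ::/0).
  * audit_bucket_encryption: flags buckets with no default encryption rule, and
    optionally those still on SSE-S3 (AES256) when policy requires a KMS key.

Dict shapes follow the describe-security-groups / get-bucket-encryption API
output; all values here are constructed sample data.
"""

ANYWHERE = {"0.0.0.0/0", "::/0"}          # "open to the internet" CIDRs
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}    # ports that should never be world-open


def rule_ports(perm):
    """Return (from, to) for a rule, or None when IpProtocol -1 means all traffic."""
    if perm.get("IpProtocol") == "-1":
        return None
    return perm.get("FromPort"), perm.get("ToPort")


def audit_security_group(sg):
    """Return a list of issue strings for one security group (empty if clean)."""
    issues = []
    for perm in sg.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        open_cidrs = [c for c in cidrs if c in ANYWHERE]
        if not open_cidrs:
            continue                       # restricted source: fine
        ports = rule_ports(perm)
        if ports is None:
            issues.append(f"{sg['GroupId']}: ALL traffic open to {open_cidrs}")
            continue
        lo, hi = ports
        for port, name in ADMIN_PORTS.items():
            if lo <= port <= hi:
                issues.append(f"{sg['GroupId']}: {name} (tcp/{port}) open to {open_cidrs}")
    return issues


def audit_bucket_encryption(bucket, config, require_kms=False):
    """Return issues for one bucket. `config` is the get-bucket-encryption
    response, or None when the call reports no configuration at all."""
    if not config:
        return [f"{bucket}: no default encryption configuration"]
    rules = config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    defaults = [r.get("ApplyServerSideEncryptionByDefault") for r in rules]
    defaults = [d for d in defaults if d]
    if not defaults:
        return [f"{bucket}: rules present but no default algorithm"]
    issues = []
    for d in defaults:
        algo = d.get("SSEAlgorithm")
        if algo not in ("AES256", "aws:kms", "aws:kms:dsse"):
            issues.append(f"{bucket}: unexpected SSEAlgorithm {algo!r}")
        elif require_kms and algo == "AES256":
            issues.append(f"{bucket}: SSE-S3 (AES256) in use but a KMS key is required")
    return issues


def audit_account(sgs, buckets, require_kms=False):
    """Run both checks over an inventory and return every issue found."""
    issues = []
    for sg in sgs:
        issues += audit_security_group(sg)
    for name, cfg in buckets.items():
        issues += audit_bucket_encryption(name, cfg, require_kms)
    return issues


# Constructed sample inventory (placeholder IDs; 203.0.113.0/24 is a documentation range).
SAMPLE_SGS = [
    {"GroupId": "sg-0example1", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},      # HTTPS: expected
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}, # SSH from office only
    ]},
    {"GroupId": "sg-0example2", "GroupName": "bastion-bad", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
]
SAMPLE_BUCKETS = {
    "logs-bucket": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    "pii-bucket": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}}]}},
    "legacy-bucket": None,
}

if __name__ == "__main__":
    for issue in audit_account(SAMPLE_SGS, SAMPLE_BUCKETS, require_kms=True):
        print(issue)
```

Run against the sample, the web group passes (HTTPS open to the world is intended, SSH is limited to one range), the bastion group is flagged twice, and with `require_kms=True` the logs bucket is reported for relying on SSE-S3 while the PII bucket, which already uses a KMS key, is clean. None of these findings is anything AWS will fix for you; that is the point of the "customer" rows in the table above.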

AWS Acceptable Use Policy (AUP):

All AWS users agree to the AUP by creating an account. Prohibited activities include:

  • Illegal content, services, or activities
  • Security attacks (port scanning, DDoS, unauthorized access attempts)
  • Network abuse (spam, phishing, email harvesting)
  • Distributing malware or harmful code
  • Mining cryptocurrency in violation of AWS terms
  • Penetration testing without prior approval (approval required for certain tests)

Violation Consequences:

  • Warning or account suspension
  • Termination of services
  • Legal action in severe cases

Penetration Testing Policy:

  • AWS permits certain penetration testing without prior approval (for services you own)
  • Permitted: EC2, RDS, CloudFront, API Gateway, Lambda, Lightsail, Elastic Beanstalk
  • Prohibited without approval: DNS zone walking, DDoS simulation, port/protocol flooding
  • Always check the latest AWS Customer Support Policy for Penetration Testing

Key Terms

  • Shared Responsibility Model - AWS's framework dividing security duties: AWS secures the cloud infrastructure; customers secure their data and configurations within it.
  • Security OF the Cloud - AWS's portion of responsibility -- physical facilities, hardware, global network, hypervisor, and managed service software layers.
  • Security IN the Cloud - The customer's portion -- data, identity management, OS configuration, application security, network settings, and encryption.
  • Security Group - A virtual firewall at the instance level in AWS that controls inbound and outbound traffic. It is the customer's responsibility to configure.
  • Encryption at Rest - Encrypting data while it is stored (e.g., in S3 or EBS). The customer chooses whether to enable this -- it is their responsibility.
  • Acceptable Use Policy (AUP) - AWS's terms governing legal and ethical use of its services. Users agree to this on account creation. Violations can result in account suspension.
  • NACL (Network Access Control List) - A firewall at the subnet level in a VPC. Stateless rules that control traffic in and out of subnets. Customer's responsibility to configure.
  • Encryption in Transit - Encrypting data while it moves across networks (e.g., HTTPS, TLS). Customer's responsibility to implement using AWS-provided tools.
  • Compliance - AWS provides compliance certifications for its infrastructure (SOC, ISO, PCI). Customers are responsible for their own workload compliance on top of AWS.
  • Penetration Testing - Security testing of your AWS resources. Permitted for certain services without approval, but DDoS simulation and some other tests require prior authorization.

Exam Tips:

  • TRICK QUESTION ALERT: Patching the OS on an EC2 instance = CUSTOMER responsibility. Patching the physical host = AWS responsibility.
  • Encryption is ALWAYS the customer's responsibility to ENABLE, even if AWS provides the tools (like KMS).
  • With managed services (RDS, Lambda, DynamoDB), AWS takes MORE responsibility -- including the OS.
  • Data is ALWAYS the customer's responsibility, regardless of service model.
  • The exam loves edge cases: who patches the guest OS? (Customer for EC2, AWS for RDS).
  • Remember: AWS is responsible FOR the cloud; YOU are responsible IN the cloud.
  • Security Groups = CUSTOMER configures. Physical network security = AWS.
  • AWS provides the TOOLS for security (KMS, IAM, Security Groups). Customer must USE them correctly.
  • Penetration testing is allowed on YOUR resources for certain services without prior approval.

Practice Questions

Q1. A company runs a web application on Amazon EC2. According to the AWS Shared Responsibility Model, which of the following is the CUSTOMER'S responsibility?

  • Patching the physical host server hardware
  • Securing the data center facility with physical guards
  • Applying security patches to the EC2 instance's operating system
  • Managing the underlying hypervisor software

Answer: C

EC2 is IaaS -- the customer owns and manages the operating system and above. AWS manages everything below the OS (hardware, hypervisor, data center). Patching the guest OS is the customer's job.

Q2. A company uses Amazon RDS (Relational Database Service) for their database. Who is responsible for patching the database engine?

  • The customer, because databases contain sensitive data
  • AWS, because RDS is a managed service
  • Both AWS and the customer share this equally
  • A third-party security vendor

Answer: B

RDS is a managed service (PaaS). AWS manages the database engine, OS patching, backups, and hardware. The customer is responsible for data, access control (who can connect), and database-level configurations.

Q3. Under the Shared Responsibility Model, which of the following is ALWAYS the customer's responsibility regardless of which AWS service is used?

  • Operating system patching
  • Physical security of data centers
  • Customer data and access management
  • Hypervisor maintenance

Answer: C

Regardless of whether you use EC2 (IaaS), RDS (PaaS), or Rekognition (SaaS), your DATA and who has access to it (IAM) is always your responsibility. AWS never takes responsibility for customer data.

Q4. Which of the following activities violates the AWS Acceptable Use Policy?

  • Hosting a public e-commerce website on EC2
  • Running unauthorized penetration tests that simulate DDoS attacks
  • Using AWS Lambda to process financial transactions
  • Storing encrypted customer data in Amazon S3

Answer: B

DDoS simulation and certain aggressive security tests require prior written approval from AWS. Unauthorized penetration testing that could impact AWS infrastructure or other customers is prohibited under the AUP.

Q5. A security auditor asks who is responsible for the physical destruction of decommissioned storage devices in AWS data centers. What is the correct answer?

  • The customer
  • AWS
  • A third-party vendor
  • The responsibility is shared equally

Answer: B

Physical hardware management, including secure decommissioning and destruction of storage devices, is entirely AWS's responsibility. Customers never handle physical hardware in AWS data centers.

Q6. A company wants to ensure their data stored in Amazon S3 is encrypted. According to the Shared Responsibility Model, who is responsible for enabling this encryption?

  • AWS automatically encrypts all data
  • The customer must enable encryption (server-side or client-side)
  • AWS enables it by default with no customer action needed
  • A third-party security service is required

Answer: B

While AWS provides encryption capabilities (SSE-S3, SSE-KMS, SSE-C, client-side encryption), it is the CUSTOMER'S responsibility to enable and configure encryption for their data. Note: S3 now encrypts new objects by default with SSE-S3, but understanding the responsibility model is key.

Q7. Which layer of the technology stack is AWS responsible for in ALL deployment models (IaaS, PaaS, and SaaS)?

  • Application code
  • Customer data
  • Physical infrastructure and data centers
  • Operating system configuration

Answer: C

Regardless of service model, AWS is ALWAYS responsible for the physical infrastructure: data centers, power, cooling, physical security, networking hardware, and the global network. This never shifts to the customer.
