Exam Revision

R3zk0n · October 2, 2025

Contents

    Exam Tips

    AWS Fundamentals

    • Introduction
      • Region - physical location in the world with two or more AZs
      • AZ - discrete data centers
      • Edge locations - endpoint for caching content (CDN)
    • Shared Management Model
      • If you can do it yourself in the AWS Management Console, it is your responsibility - security groups, IAM users, patching the EC2 OS and databases running on EC2 instances are all on the customer side
      • Encryption is a shared responsibility

    AWS IAM

    • Secure Root Account
      • MFA
      • Admin group for administrators, and assign permissions to this group
      • Create user accounts for your administrators
      • Add users to admin group
    • Assign Permissions using IAM Policy Documents
      • Effect, Action, Resource
      • Uses JSON format
    • Other Exam Tips
      • IAM is global and is not tied to any region
      • Root Account should be secure and not used day to day
      • New users do not have permissions when first created
      • Access Key ID and Secret Access Key are created for API and command-line use; they are shown only once and should be saved securely
      • IAM federation - use existing user accounts (e.g. Active Directory) with AWS via federation and the SAML standard

    AWS S3

    • Introduction
      • Object-based storage
      • Files up to 5TB - unlimited storage
      • Files are stored in buckets - universal namespace
    • Within an S3 Object - Key, Value (Data), Version ID and Metadata
    • Securing S3 buckets - private by default; to make a bucket public you must explicitly allow access at both the bucket and the object level
      • Object ACLs - can make individual objects public using ACLs
      • Bucket policies - can make entire bucket public
    • Host Static Websites - static content only, can scale automatically with demand
    • Versioning - all versions are stored in S3 and can serve as a backup; once enabled it cannot be disabled (only suspended); lifecycle rules can move older versions to different storage tiers; supports MFA (MFA Delete)
    • Storage Class
      • S3 standard
      • S3 standard IA
      • S3 one zone IA
      • S3 glacier
      • S3 glacier deep archive
      • S3 intelligent tiering
      • New: S3 glacier instant retrieval vs S3 glacier flexible retrieval
    • Lifecycle Management - automates moving objects between storage tiers, can be used with versioning
    • S3 object lock (WORM - write once, read many), governance (special permissions can overwrite or delete) and compliance (cannot be overwritten or deleted) mode
    • S3 glacier vault lock - similar to object lock but for glacier
    • Encryption - in transit via SSL/TLS and HTTPS, at rest via server-side encryption (SSE)
      • SSE-S3 (AES-256), keys managed by AWS
      • SSE-KMS, keys held in the external KMS service
        • KMS request quotas apply - 5500, 10000 or 30000 requests per second depending on region; these cannot be increased at the moment
      • SSE-C, customer-provided keys
      • Can enforce client-side encryption, and can force the x-amz-server-side-encryption request header via a bucket policy
    • Optimising performance
      • Each prefix allows 5500 GET/HEAD and 3500 PUT/COPY/POST/DELETE requests per second, so the more prefixes (folders) you spread objects across, the better the performance
      • Multipart upload to increase performance
      • Recommended for files over 100MB and required for files over 5GB
      • S3 byte-range fetches to download parts of an object from S3 in parallel
    • Replication
      • Replicate objects from one bucket to another (cross-region replication)
      • Delete markers are not replicated by default, but delete marker replication can be turned on
      • Existing objects are not replicated automatically

    AWS EC2

    • Pricing options
      • On-demand
      • Spot - unused capacity with most discount
      • Reserved Instances - 1 to 3 years
      • Dedicated - compliance requirement
    • AWS CLI - apply least privilege, use IAM groups and assign users to them (IAM policies are attached to groups)
      • Secret Access Key (shown only when generated; if lost, generate a new key and run aws configure again)
    • Roles - preferred option, avoid hard-coding credentials; policies can be updated and EC2 roles attached or detached without terminating the instance
    • Security Group - changes are immediate, any number of EC2 instances can share a security group, and an instance can have multiple security groups attached; default: DENY ALL inbound, ALLOW ALL outbound
    • Bootstrap scripts - script run as root when the instance first boots
    • User Data vs Metadata - User Data (Bootstrap Scripts), Metadata (data about EC2 instances)
    • Networking
      • ENI - basic networking at low cost, e.g. separate production and management networks
      • Enhanced Networking - reliable, high throughput
      • EFA - high performance computing (HPC), ML etc., supports OS-level bypass
    • Placement group (logical grouping of instances)
      • Cluster - low network latency, cannot span multiple AZ
      • Spread - critical instances
      • Partition - HDFS, HBase, Cassandra (multiple instances)
    • Only certain types of instances can be launched in a placement group, cannot merge, but can move existing instance into a placement group
    • Dedicated Hosts - physical server, special licensing requirements
    • Spot Instances (up to 90% cost savings) - for workloads that don't need persistent storage, just compute power; can use spot block to prevent termination; spot fleet is a collection of spot instances and on-demand instances
    • vCenter can be deployed on AWS cloud which acts as an extension of the private VMWare cloud into the AWS public cloud - cloud migration etc.
    • AWS Outposts - extending AWS to data center, bring AWS to you - AWS outposts racks (large) or AWS outposts servers (small)

    AWS EBS

    • SSDs - gp2 (general purpose), gp3 (high performance applications, 3000 IOPS min), io1 (provision IOPS, OLTP high performance), io2 (OLTP and latency sensitive applications)
    • HDDs - st1 (big data, data warehouses, cannot be a boot volume), sc1 (cold HDD, used for less frequently accessed data)
    • EBS volumes and snapshots - volumes for EBS and snapshots for S3
      • First snapshot takes time to create; snapshots can be shared between accounts and regions but need to be copied; EBS volumes can be resized
    • AMIs - Instance Store volumes are ephemeral and cannot be stopped (can lose data), all deleted on termination. EBS-based instances can be stopped and will not lose data
    • Encrypted volumes - data at rest and in flight are protected, all snapshots and volumes are encrypted
      • EBS hibernation - preserves RAM on EBS so that it is faster to reload the operating system (cannot hibernate for longer than 60 days)
    • EFS - supports NFSv4
      • Data stored across multi-AZ
      • Highly scalable shared storage - use EFS
      • Linux
    • FSx for Windows - centralized storage for Windows
    • FSx for Lustre - high performance distributed storage, for HPC - high performance computing, can store data directly on S3

    • Storage options
      • S3 - serverless object storage
      • Glacier - archive
      • EFS - network file system for linux
      • FSx for Lustre - HPC - high performance computing
      • FSx for Windows - windows central storage
      • EBS volumes - persistent storage for EC2
      • Instance Store - ephemeral storage for EC2
    • AWS Backup - consolidated backup of AWS services, such as EC2, EBS, EFS, AWS Storage Gateway etc.
    • Can be used with AWS Organisations to back up different services across different accounts, more centralized control

    Databases

    • RDS
      • SQL Server, Oracle, MySQL, PostgreSQL, MariaDB and Amazon Aurora
      • OLTP (transactions) workloads such as small transactions, not suitable for OLAP (analytics), that is better using redshift for large amounts of data
      • Read Replicas - read-only performance, can be cross-AZ, same AZ or cross-region, scaling read performance, requires automatic backups, multiple RR are supported (up to 5 RR)
      • Multi-AZ - exact copy of production database, used only for disaster recovery, automatic failover
    • Amazon Aurora
      • 2 copies in each AZ with minimum of 3 AZ - redundant
      • Aurora replicas, MySQL replicas, PostgreSQL replicas
      • Automated backups
      • Aurora Serverless - infrequent or unpredictable workloads (serverless)
    • DynamoDB
      • SSD storage, 3 distinct data centers
      • Eventually consistent reads (copies of data are usually consistent within a second), strongly consistent reads (return a result that reflects all successful writes), transactional
      • DynamoDB transactions - multiple "all or nothing" operations, e.g. financial transactions; ACID - atomicity, consistency, isolation and durability across one or more tables within a single AWS account or region
      • DynamoDB on-demand backup and restore - full backup, consistency
      • DynamoDB point-in-time recovery - any point recovery in the past 35 days (must be turned on)
      • DynamoDB streams - time-ordered sequence of item-level modifications (up to 24 hours), stream of data, broken into shards, can combine with lambda for stored procedures
      • Managed multi-master, multi-region replication - based on dynamoDB streams, globally distributed applications, multi-region redundancy for disaster recovery <- global tables (how to add redundancy to DynamoDB), must enable streams
    • MongoDB (DocumentDB)
      • Database Migration Service to move MongoDB to DocumentDB
    • Cassandra (AWS Keyspaces)
      • Migrating large data set
    • Neptune
      • Graph Databases only
    • QLDB (Quantum Ledger Database)
      • Must be immutable
    • Timestream
      • Time series data, such as readings from temperature sensors

    VPC Networking

    • VPC is a logical data center in AWS
    • Contains internet gateways or virtual private gateways, route tables, network access control lists, subnets and security groups
    • NAT gateways
      • 5 Gbps -> 45 Gbps
      • Not associated with security groups, automatically assigned a public IP
      • NAT gateways need to be configured in each availability zone to ensure high availability
    • Security Groups
      • Stateful
      • If a request is sent from the instance, the response traffic is allowed regardless of inbound rules
      • Responses to inbound traffic are allowed to flow out, regardless of outbound rules
    • NACLs
      • Default NACL allows all inbound and outbound
      • Custom NACL by default denies all until rules are added
      • Subnet association - each subnet needs a network ACL, otherwise they get the default ACL
      • Block IP addresses using network ACLs not security groups
      • One NACL -> many subnets; one subnet -> one NACL
      • Evaluation of rules start with the LOWEST numbered rule (the lowest numbered rule is the most important)
      • NACL is stateless (responses to inbound traffic are subject to rules from outbound traffic)
    • Direct Connect (VPC to Data Center)
      • Connect to data center to AWS
      • Stable and reliable connection with high throughput
    • VPC Endpoints (VPC to AWS Services)
      • Connect to AWS services without leaving the Amazon internal network
      • Interface endpoints + gateway endpoints -> gateway endpoints support S3 and DynamoDB
    • VPC Peering (VPC -> VPC)
      • Allows connection between VPCs using private IP addresses
      • Act as if they were on the same private network
      • Peer VPCs with AWS accounts as well as other VPCs in the same account
      • No transitive peering -> star formation, 1 central VPC peered to multiple other VPCs
      • Can be between regions
    • AWS PrivateLink (VPC -> many VPCs)
      • Peering VPCs to many customer VPCs
      • No need for VPC peering
      • Requires network load balancer and ENI on customer VPC
    • AWS Transit Gateway (One to many VPCs)
      • Use route tables to limit how VPCs talk to one another
      • Works with Direct Connect
      • Supports IP multicast
      • Simplify networking
    • VPN Hub (Network to other network via AWS)
      • Allow customers to connect to each other by using AWS
    • AWS Wavelength
      • 5G and mobile networks
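The security group and NACL behaviour in the VPC notes above (stateful vs stateless, evaluation from the lowest rule number, blocking addresses with a NACL rather than a security group) as an added Python simulation; this is example code, not from the original notes or from AWS. Addresses, rule numbers and port ranges are constructed, and the 1024-65535 ephemeral range is an assumption about the client side of the connection.

```python
"""Stateless network ACL versus stateful security group, as compared in the
VPC notes. The ACL checks every packet against the rules of its own direction,
walking from the lowest rule number up, with an implicit final deny; the
security group records admitted connections and lets their replies through
regardless of the rules for the other direction. Added example, not AWS code."""
import ipaddress
from dataclasses import dataclass

EPHEMERAL = (1024, 65535)   # assumed port range a client uses for its side


@dataclass(frozen=True)
class Rule:
    """One filter rule. For inbound rules, cidr is the packet's source; for
    outbound rules it is the destination. ports is the inclusive destination
    port range. number only matters for a network ACL."""
    protocol: str               # "tcp", "udp" or "all"
    ports: tuple
    cidr: str
    allow: bool = True
    number: int = 0


def _rule_matches(rule, remote_ip, protocol, dst_port):
    return (rule.protocol in ("all", protocol)
            and rule.ports[0] <= dst_port <= rule.ports[1]
            and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(rule.cidr))


class NetworkAcl:
    def __init__(self, inbound, outbound):
        # Lowest number is evaluated first, so keep each table sorted.
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    @staticmethod
    def _first_match(rules, remote_ip, protocol, dst_port):
        for rule in rules:
            if _rule_matches(rule, remote_ip, protocol, dst_port):
                return rule.allow        # first match decides
        return False                     # the implicit final '*' rule denies

    def request_in(self, client_ip, client_port, protocol, server_port):
        return self._first_match(self.inbound, client_ip, protocol, server_port)

    def response_out(self, client_ip, client_port, protocol, server_port):
        # Stateless: the reply is just another packet, leaving towards the
        # client's ephemeral port, so it needs its own outbound rule.
        return self._first_match(self.outbound, client_ip, protocol, client_port)


class SecurityGroup:
    def __init__(self, inbound, outbound=()):
        self.inbound = list(inbound)        # allow rules only, no deny rules
        self.outbound = list(outbound)      # governs connections the instance starts
        self._flows = set()                 # connection-tracking table

    def request_in(self, client_ip, client_port, protocol, server_port):
        admitted = any(_rule_matches(r, client_ip, protocol, server_port)
                       for r in self.inbound)
        if admitted:
            self._flows.add((client_ip, client_port, protocol, server_port))
        return admitted

    def response_out(self, client_ip, client_port, protocol, server_port):
        # Stateful: a reply to a tracked flow passes without any outbound rule.
        return (client_ip, client_port, protocol, server_port) in self._flows


def https_exchange(filt, client_ip="203.0.113.10", client_port=51000):
    """Push one inbound HTTPS request and its reply through a filter."""
    request = filt.request_in(client_ip, client_port, "tcp", 443)
    response = request and filt.response_out(client_ip, client_port, "tcp", 443)
    return {"request": bool(request), "response": bool(response)}


# Constructed web-subnet filters; all addresses are documentation ranges.
ANY = "0.0.0.0/0"
NACL_NO_EPHEMERAL = NetworkAcl(
    inbound=[Rule("tcp", (443, 443), ANY, number=100)],
    outbound=[Rule("tcp", (443, 443), ANY, number=100)])   # replies cannot leave
NACL_FIXED = NetworkAcl(
    inbound=[Rule("tcp", (443, 443), ANY, number=100)],
    outbound=[Rule("tcp", (443, 443), ANY, number=100),
              Rule("tcp", EPHEMERAL, ANY, number=110)])
# Blocking a network with a NACL: the deny needs a LOWER number than the allow.
NACL_BLOCKLIST = NetworkAcl(
    inbound=[Rule("tcp", (443, 443), "203.0.113.0/24", allow=False, number=90),
             Rule("tcp", (443, 443), ANY, number=100)],
    outbound=[Rule("tcp", EPHEMERAL, ANY, number=100)])
NACL_BLOCK_TOO_LATE = NetworkAcl(
    inbound=[Rule("tcp", (443, 443), ANY, number=100),
             Rule("tcp", (443, 443), "203.0.113.0/24", allow=False, number=200)],
    outbound=[Rule("tcp", EPHEMERAL, ANY, number=100)])
SG_WEB = SecurityGroup(inbound=[Rule("tcp", (443, 443), ANY)])   # no outbound rules

if __name__ == "__main__":
    for name, f in [("nacl without ephemeral rule", NACL_NO_EPHEMERAL),
                    ("nacl fixed", NACL_FIXED), ("nacl blocklist", NACL_BLOCKLIST),
                    ("nacl deny numbered too high", NACL_BLOCK_TOO_LATE),
                    ("security group", SG_WEB)]:
        print(name, https_exchange(f))
```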

    Route 53

    • Difference between alias and CNAME -> alias is AWS-only; prefer alias over CNAME
    • SOA record - start of authority, CNAME, NS and A records
    • Routing policies - simple, weighted, latency-based, failover, geolocation, geoproximity (traffic flow only), multivalue answer routing
    • Can buy domain names directly from AWS
    • Health checks can be set on record sets; unhealthy records are removed from responses until they are healthy again; can use SNS to send alerts
    • Routing policies
      • Simple - pick one route randomly
      • Weighted - pick one based off weighting randomly
      • Latency - pick one that has the lowest latency
      • Failover - pick the active one and failover to the passive one
      • Geolocation - pick the one with the particular location
      • Geoproximity - pick one using AWS based on geographic location, but can add a bias
      • Multivalue Answer - pick one based on preference but with failover

    ELB

    • Application Load Balancers (Layer 7)
      • Listeners check for connection requests
      • Rules determine how LB routes traffic
      • Target groups routes to registered targets
      • Only supports HTTP/HTTPS (HTTPS requires an SSL/TLS certificate to decrypt requests before sending them to the application)
    • Network Load Balancers (Layer 4)
      • Need extreme performance or where not supported by ALB
    • Classic Load Balancers
      • 504 gateway timeout - application is not responding - troubleshoot the web or database server
      • X-Forwarded-For header to find IP addresses
    • Sticky Sessions
      • Sticks users to the same EC2 instance; disable to prevent this
      • Can be enabled for ALB, but only to the target group level, can have a single instance in target group
    • Deregistration delay
      • Enable deregistration delay, keeps connections open if EC2 instance becomes unhealthy
      • Disable deregistration delay allows closing of connections to instances

    Monitoring

    • What is the best tool to monitor with? Is that metric available by default? Where can I find these logs? Do I need to adjust my alarm threshold?
    • Cloudwatch is the main tool for anything alarm related. Then other services can be used.
    • AWS standards should be watched by AWS config - not AWS cloudwatch
    • Standard metrics are usually 5 minutes, but detailed monitoring is 1 minute
    • CloudWatch Logs is the place for logs, many services can integrate with this service.
    • SQL-style queries over logs - CloudWatch Logs Insights
    • Real time - Kinesis (big data logging service and not CloudWatch)

    • Grafana is best for visualization of container metrics
    • Monitoring container metrics at scale requires Prometheus
    • Kubernetes/EKS clusters requires Grafana and Prometheus (AWS managed)

    High Availability and Scaling

    • Is it highly available? What is appropriate - horizontal or vertical? Is it cost effective? Would switching the databases fix the problem?
    • Auto scaling for EC2 - exclusively for EC2
      • Avoid long provision times by putting everything in an AMI - this is better than using user data or other solutions
      • Auto scaling groups should be over multiple AZ
      • Steady state groups allows for automatic recovery, usually for legacy resources
      • ELBs are essential to send health checks and distribute traffic, unhealthy instances need to be explicitly terminated by auto scaling group
    • Scaling Databases
      • RDS - horizontal scaling is most preferred, use read replicas for read heavy workloads
      • DynamoDB - predictable R/W use autoscaling method, unpredictable R/W use on-demand option

    Decoupling Workflows

    • Synchronous or asynchronous workload? What type of decoupling makes sense? Does the order of messages matter? What type of application load will we see?
    • Amazon SQS
      • Can duplicate messages - if it happens consistently, check for a misconfigured timeout or a failed delete API call
      • Queues are not bi-directional - will require another queue
      • Know the defaults
      • Nothing lasts forever - last 14 days (configurable)
      • SQS FIFO - if ordering matters
    • Amazon SNS
      • Proactive notifications (email, text or other type of push-based notification)
      • CloudWatch + SNS -> perfect pair
      • API Gateway - acts as a secure frontdoor for external communications
    • AWS Batch
      • Long running batch workloads (over 15 minutes, as Lambda runs for 15 minutes max)
      • Queued workloads or batch workloads that require queues
      • This is an on-demand alternative to AWS lambda
    • Amazon MQ
      • Managed messaging broker service living in AWS cloud
      • Supports RabbitMQ or ActiveMQ
      • Specific messaging protocols - JMS, AMQP, MQTT etc.
    • Step Functions
      • Serverless orchestration service - workflow decision requirements like different states such as condition checks, failure catches or wait periods (up to 1 year)
    • Amazon AppFlow
      • Third party SaaS data ingestion from external SaaS applications
      • Bi-directional - data being used from third party SaaS living in AWS for long duration

    Big Data

    • ETL -> Extract, Transform, Load
    • What kind of database works? How much data do you have? Is serverless a requirement? How do we optimise cost?
    • Redshift - relational database (but not a replacement for RDS), single AZ deployments, not highly available by default
      • Amazon Redshift is a fully managed data warehousing service. It’s optimized for analyzing large datasets using SQL queries
    • EMR - made out of EC2 instances
      • EMR (Elastic MapReduce): EMR is a cloud-native big data platform provided by AWS. It allows you to process and analyze large amounts of data using popular frameworks such as Apache Hadoop, Spark, and Presto. EMR simplifies the setup, configuration, and scaling of these frameworks.
    • Kinesis - only service with a real time response
      • Amazon Kinesis is a platform for real-time streaming and analytics.
    • SQS and Kinesis can both act as queues - SQS is simpler, Kinesis is faster and can store data for a year
    • Serverless SQL - Athena
    • AWS Glue - serverless ETL which create a schema for data
      • AWS Glue is a managed extract, transform, and load (ETL) service that helps you prepare and load data for analytics.
    • Quicksight - create a dashboard for visualizing data but not analyze
      • Amazon QuickSight is a business intelligence (BI) tool that lets you create interactive visualizations, reports, and dashboards.
    • OpenSearch - analyzing log files and various documents
      • Formerly known as Amazon Elasticsearch Service, OpenSearch is a managed service that provides a scalable and distributed search and analytics engine.
    • Amazon OpenSearch (and ElasticSearch) - analyze log files
    • Data Pipeline - ETL service within AWS, automated workflows for movement and transformation of data, integrates with storage services and compute services
      • AWS Data Pipeline is a web service for orchestrating and automating the movement and transformation of data between different AWS services and on-premises data sources.
    • Amazon MSK (Managed Streaming Kafka) - for running Apache Kafka streaming application - it handles control plane operations and you manage data plane operations. Push broker logs to CloudWatch etc.
      • Amazon MSK is a fully managed service that makes it easy to build and run applications using Apache Kafka, which is a popular platform for building real-time streaming data pipelines and applications.

    Redshift: Data warehouse for analyzing large datasets. Good for SQL queries on big data. Not highly available by default. EMR (Elastic MapReduce): Cloud platform for big data processing. Uses frameworks like Hadoop and Spark. Simplifies setup and scaling. Kinesis: Real-time streaming and analytics. Provides immediate responses. SQS and Kinesis (Queues): SQS is simpler. Kinesis is fast and stores data up to a year. Athena: Serverless SQL for querying data. AWS Glue: Serverless ETL for data preparation. Creates data schemas. QuickSight: Creates dashboards for visualizing data. OpenSearch: Analyzes log files and documents. Data Pipeline: ETL service for data movement and transformation. Amazon MSK (Managed Streaming Kafka): Manages Apache Kafka for streaming data.

    Serverless Architecture

    • Lambda requires attaching roles
      • Lambda triggers - S3 events, Kinesis, EventBridge
      • Functions should be short and at most 10 GB of RAM and 15 minutes of runtime
      • Can trigger EventBridge
    • Open Source = Kubernetes, EKS or EKS anywhere
    • Fargate requires ECS or EKS
    • Containers are flexible which is preferred over EC2 instances
    • AWS-managed image registry (ECR)
    • Aurora Serverless - on-demand, auto scaling database, perfect for variable traffic or workloads, removes capacity planning
    • AWS X-Ray - gain application insights using requests and responses at different points in an application flow
      • Traces and downstream response times
      • Can be used with AWS Lambda or Amazon API Gateway insights
    • AWS AppSync - managed GraphQL interface

    • ECS: Good for those who want a managed container orchestration service without Kubernetes, and offers both EC2 and Fargate launch options.
    • EKS: Ideal for those who prefer to use Kubernetes for container orchestration and need a managed Kubernetes control plane. It supports both self-managed EC2 worker nodes and Fargate.
    • Fargate: Suited for those who want to run containers without managing the underlying infrastructure. It can be used with both ECS and EKS for a serverless container experience.

    Security

    • DDoS - makes a service unavailable to end users; layer 4 attacks such as SYN floods and NTP amplification vs layer 7 GET/POST floods
    • CloudTrail - after-the-fact incident investigation, real time intrusion detection, compliance -> the CCTV for our account
    • AWS Shield - protects layer 3 and layer 4 only (protection against DDoS attacks); Shield Advanced adds a dedicated response team
    • AWS WAF - allow requests, block requests or count request - operates at layer 7
    • AWS Firewall Manager - multiple AWS accounts secured centrally
    • GuardDuty - uses AI to learn normal behaviour and alert malicious behaviour, database of malicious domains
    • Macie - uses AI to analyze data in S3 to find PII, PHI and financial data, good for compliance, can use step functions for remediation
    • Inspector - vulnerability scanner on EC2 and VPC (host or network assessments)
    • KMS and CloudHSM - KMS is a managed service to create and control encryption keys; you create CMKs and control their lifecycle
      • Generate CMK - HSM by AWS generates key, import own key material, have cloudHSM generate
      • Use key policy, use IAM policies in combination, use grants in combination with key policy
      • KMS (shared tenancy, automatic key rotation), cloudHSM (dedicated physical hardware with full control, no automatic key rotation)
    • Secrets Manager - store application secrets; when rotation is enabled, secrets are rotated immediately
      • Parameter Store vs Secrets Manager
      • Presigned URLs - for S3 buckets
      • Advanced IAM policies - an explicit allow overrides the implicit deny, an explicit deny overrides everything else; AWS managed vs customer managed policies
    • AWS Certificate Manager - SSL certificates
    • AWS Audit Manager - continuous or automating audits
    • AWS Artifact - audits and the need for compliance reports
    • Cognito - user pools sign up and sign in options, identity pools to access other AWS services
      • Device -> User Pool to get token -> exchange with identity pool for credentials -> communicate with AWS services
    • Amazon Detective - analyse the root cause of the event, not to be confused with Inspector which does vulnerability scanning
    • AWS Network Firewall - IPS/IDS, hardware firewall, filter traffic before reaching internet gateway
    • AWS Security Hub - pane of glass for all security issues
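Serving both the IAM section's policy-document notes (Effect, Action, Resource in JSON) and the "Advanced IAM policies" evaluation order above, here is an added Python simulator; it is example code, not from the original notes or from AWS. It applies explicit deny > explicit allow > implicit deny with Action/Resource wildcards and a few condition operators, and exercises the bucket policy from the S3 section that forces the x-amz-server-side-encryption header. Bucket name, ARNs and policy contents are constructed.

```python
"""Simulator of the IAM policy evaluation order these notes describe: an
explicit Deny in any applicable statement wins, otherwise an explicit Allow
wins, otherwise the request falls to the implicit deny. Supports '*' and '?'
wildcards in Action and Resource plus the Null, StringEquals and
StringNotEquals condition operators. Added example, not AWS code; Principal
and Version are carried but not evaluated."""
import fnmatch


def _as_list(value):
    """IAM lets most elements be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case=False):
    """IAM wildcard match: '*' is any run of characters, '?' a single one.
    Action names compare case-insensitively, resource ARNs case-sensitively."""
    if fold_case:
        value = value.lower()
    return any(fnmatch.fnmatchcase(value, p.lower() if fold_case else p)
               for p in _as_list(patterns))


def _condition_holds(condition, ctx):
    """Every operator block, and every key inside it, must hold. Simplified
    model: a key missing from the request context satisfies only Null, which
    is why the SSE bucket policy below needs two Deny statements."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "Null":
                want_absent = str(_as_list(expected)[0]).lower() == "true"
                if (actual is None) != want_absent:
                    return False
            elif operator == "StringEquals":
                if actual is None or actual not in _as_list(expected):
                    return False
            elif operator == "StringNotEquals":
                if actual is None or actual in _as_list(expected):
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled")
    return True


def evaluate(policies, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request across all supplied policies."""
    ctx = context or {}
    explicitly_allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _matches(stmt["Action"], action, fold_case=True):
                continue
            if not _matches(stmt["Resource"], resource):
                continue
            if not _condition_holds(stmt.get("Condition", {}), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"            # explicit deny ends evaluation at once
            explicitly_allowed = True    # keep going: a later Deny still wins
    return "Allow" if explicitly_allowed else "Deny"   # implicit deny


# Constructed sample policies; bucket name and ARNs are placeholders.
BUCKET = "arn:aws:s3:::example-bucket"
S3_ADMIN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
NO_BUCKET_DELETE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}
READ_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": [BUCKET, BUCKET + "/*"]}]}
# Bucket policy from the S3 notes: refuse uploads that do not request SSE-S3.
REQUIRE_SSE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyUploadsWithoutHeader", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": BUCKET + "/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    {"Sid": "DenyWrongAlgorithm", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": BUCKET + "/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}}]}


def upload_decision(identity_policies, header_value):
    """Decision for PutObject on the bucket, given the SSE header sent (or None)."""
    ctx = {} if header_value is None else {"s3:x-amz-server-side-encryption": header_value}
    return evaluate(identity_policies + [REQUIRE_SSE], "s3:PutObject",
                    BUCKET + "/report.csv", ctx)


if __name__ == "__main__":
    print(evaluate([READ_ONLY], "s3:PutObject", BUCKET + "/x"))               # implicit deny
    print(evaluate([S3_ADMIN, NO_BUCKET_DELETE], "s3:DeleteBucket", BUCKET))  # explicit deny
    for header in (None, "aws:kms", "AES256"):
        print(header, upload_decision([S3_ADMIN], header))
```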

    Caching

    • CloudFront is the only option to add HTTPS to a static website being hosted in an S3 bucket
    • Global Accelerator - 2 static IP addresses to mitigate IP caching by clients
    • "in-memory database"
      • Redis, more features compared to memcached (just a cache)
      • DynamoDB + DAX
      • Only Redis can do backups

    Governance

    • Service Control Policies (SCPs) - determine whether an API call can go through; they restrict even root accounts of member accounts
    • Centralized logs using CloudTrail to log everything to a single account
    • Isolate workloads into separate accounts to add more layers of security and controls (dev, prod, staging)
    • AWS Config
      • Use config to check for compliance
      • Automatically remediate problems by combining with lambda
      • Know what changed in the account
    • User Management via AWS SSO (Identity Centre) or Cognito for external users
      • Directory Service - used for Active Directory
      • Lift and Shift - use managed Microsoft AD
      • AD on premise - AD Connector
    • Cross-account role access - better than creating new IAM credentials
    • Cost management - tags, Cost Explorer and AWS Budgets
      • Proactive alerts via SNS
      • Automate the response to shut down
      • Detail reports via AWS Cost and Usage Reports vs Cost Explorer (more in depth)
    • AWS Compute Optimiser - optimise compute based on actual needs
    • Trusted Advisor - auditing tool but does not solve problems (need business and enterprise for more checks) - automate using EventBridge + Lambda
    • AWS Control Tower - implement compliance and account governance, can use preventative via SCPs and AWS Config
    • AWS License Manager - prevents license abuse
    • AWS Service Catalog - allows end users to provision pre-approved products and services
    • AWS Proton - automates provisioning of the entire application stack for container-based or serverless applications
    • AWS Well-Architected Tool
    • AWS Health - dashboard to provide notifications of both public and account-specific events within AWS (such as EC2 maintenance reboots)

    Migration

    • Snowball choices - terabytes of data
    • Snowcone and Snowmobile (tiny and big)
    • Storage Gateway - Hybrid, File Gateway (for AWS storage), Storage Gateway is a VM on premises
    • DataSync -> One-time migration of file shares to AWS
    • EFS and FSx to receive data
    • Transfer Family -> Allows legacy file transfer protocols
    • Migration Hub - organisational tool that allow the organization of migration steps
      • Database Migration Service - go to tool for movement of data between different RDS databases
      • Server Migration Service - migrate from data center to AWS
      • Application Discovery Service - migrate entire application to AWS cloud (OVA file via Agentless discovery, or agent to collect information of VMs for both linux and windows)
      • Application Migration Service (AWS MGN) - lift and shift infrastructure, by replicating source servers into AWS for non-disruptive cutover, impressive RTO and RPO

    Front-end Web and Mobile

    • AWS Amplify - simplified front-end web and mobile development (full stack applications hosted on AWS), allows coding but not infrastructure, uses server-side rendering (next.js)
    • AWS Pinpoint - engage with customers at large or small scale; for marketing teams and business users; create segments for targeted messages and audiences; uses ML to predict engagement
    • Device Farm - Android, iOS or web apps on mobile devices

    Machine Learning

    • Comprehend - speech to text, sentiment analysis
    • Kendra - ML to build intelligent search service using unstructured text
    • Textract - Scan to text
    • Amazon Forecast - predict time-series data
    • Fraud Detector - ML model for fraud detection
    • Transcribe - ML convert video or audio to text
    • Lex - conversational chatbots
    • Rekognition - content moderation via AI/ML
    • SageMaker - Notebook, training and inference
      • Tensorflow, Pytorch etc -> SageMaker Neo
      • Elastic inference - CPU vs GPU
    • Translate - language translation

    Media

    • Elastic Transcoder - video to other devices
    • Amazon Kinesis Video Streams

    =========================

    Practice Exam Notes

    • AWS Data Pipeline: implement data-driven workflows to automatically move data between the listed resources within AWS. It executes and provides methods of tracking data ETL processes.
    • DynamoDB: NoSQL database that allows constant updates to schemas without any downtime or performance issues.
    • Amazon EventBridge is a cloud-based event bus service by Amazon Web Services (AWS) that allows different applications or services to communicate with each other by sending and receiving events in a simple and scalable manner.
    • EC2 - T4g instances are a part of the "T" family and are cost-effective, general-purpose instances, M6g instances belong to the "M" family and are high memory instances, R6g instances fall under the "R" family and are optimized for memory and high-performance computing and C7g instances are part of the "C" family, which is focused on high compute workloads.
    • CloudFront signed cookies and CloudFront signed URLs are both mechanisms for controlling access to private content served through Amazon CloudFront, but they serve slightly different use cases and offer different levels of control.
      • Signed cookies are typically used for scenarios where you want to provide access to multiple restricted resources on your website or application after the user has been authenticated. For example, you might want to protect access to multiple files for a logged-in user.
      • Signed URLs are typically used when you want to provide temporary, time-limited access to a specific resource. This is common for scenarios where you want to grant access to a single file or resource, such as a download link in an email.
    • A CloudFront Origin Access Identity (OAI) is a special CloudFront user identity that you can associate with your Amazon S3 bucket or other AWS origin to restrict access to your private content through CloudFront
    • Customers can buy VMware Cloud on AWS directly through AWS and AWS Partner Network (APN) Partners in the AWS Solution Provider Program. This allows customers the flexibility to purchase VMware Cloud on AWS either through AWS or VMware, or the AWS Solution Provider or VMware VPN Solution Provider of their choice.
    • AWS Control Tower is an AWS service designed to simplify and automate the process of setting up and governing a secure, compliant, and multi-account AWS environment. It’s particularly valuable for organizations looking to establish and manage multiple AWS accounts while ensuring best practices in terms of security and compliance.
      • AWS Control Tower provides the capability to deploy specific AWS accounts within your multi-account AWS environment for specific purposes, including the Log Archive account and the Audit account.
    • AWS Config is a service provided by Amazon Web Services (AWS) that helps you assess, audit, and monitor the configuration of your AWS resources over time.
    • AWS Security Hub is a Cloud Security Posture Management service that performs security best practice checks, aggregates alerts, and enables automated remediation.
    • AWS Trusted Advisor provides recommendations that help you follow AWS best practices. Trusted Advisor evaluates your account by using checks that identify ways to optimize your AWS infrastructure, improve security and performance, reduce costs, and monitor service quotas. It is not a Cloud Security Posture Management service.
