4. IAM

5. EC2

An EC2 User Data script can bootstrap the instance. By default it runs only once, on the first boot, and it runs as root, so anything it contains (including credentials) should be treated as sensitive.

Example: m5.xlarge: m is the instance class (family), 5 is the generation, xlarge is the size.

  • c class: compute optimized
  • R, X, High Memory, z1d: memory optimized, for in-memory databases, caches, real-time big data
  • I, D, H1: storage optimized (databases, caches, etc.)
  • and many more: see ec2instances.info

Security Groups

  • a security group is a virtual firewall: it regulates ports, IP ranges, and inbound and outbound traffic

  • 0.0.0.0/0 means all IPv4 addresses (::/0 is the IPv6 equivalent); avoid it on administrative ports

  • can be attached to multiple instances

  • locked to the region (and to one VPC)

  • lives outside the instance: traffic it blocks never reaches the instance

  • good to maintain a separate security group for SSH access

  • a connection timeout usually means a security group (or a NACL or route) is blocking the traffic

  • connection refused means the traffic reached the instance and nothing is listening on that port, i.e. an instance/application issue

  • by default all inbound is closed, all outbound is open

  • a security group can reference another security group as a source, which is a good way to let a group of instances talk to each other without hard-coding IP addresses

  • 22 is SSH

  • 21 is FTP

  • 80 is HTTP unsecured websites

  • 443 is HTTPS secured websites

  • 3389 is RDP (for Windows)
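The two rules worth auditing first are the ones the list above warns about: 0.0.0.0/0 (or ::/0) on port 22 or 3389. The following is an added example, not part of the original notes: it walks a structure shaped like the output of `aws ec2 describe-security-groups` and reports every administrative port reachable from the whole internet, including the cases a naive check misses (a port range that happens to cover 22, and the all-traffic rule `IpProtocol: "-1"`, which has no FromPort/ToPort). The group IDs and rules are constructed for the example.

```python
"""Audit security-group rules for administrative ports exposed to the world.

Added example, not part of the original notes. The input mirrors the shape of
`aws ec2 describe-security-groups` output; the groups and IDs are constructed.
"""
import ipaddress

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
WORLD = {"0.0.0.0/0", "::/0"}

# Constructed sample: one locked-down group, one that leaks SSH/RDP to everyone.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0aaa111", "GroupName": "web",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0bbb222"}]},   # SSH only from the bastion SG
        ],
    },
    {
        "GroupId": "sg-0ccc333", "GroupName": "legacy",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 30,   # a range that covers 22
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
            {"IpProtocol": "-1",                                   # all protocols, all ports
             "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
        ],
    },
]


def rule_covers_port(perm, port):
    """True if an inbound permission covers TCP `port`. IpProtocol "-1" means
    every protocol and every port, and then FromPort/ToPort are absent."""
    if perm["IpProtocol"] == "-1":
        return True
    if perm["IpProtocol"] != "tcp":
        return False
    return perm["FromPort"] <= port <= perm["ToPort"]


def cidr_is_world(cidr):
    """Treat 0.0.0.0/0, ::/0 and any prefix shorter than /8 as 'the world'."""
    if cidr in WORLD:
        return True
    return ipaddress.ip_network(cidr, strict=False).prefixlen < 8


def find_world_open(groups, ports=ADMIN_PORTS):
    """Return (group id, port, service, cidr) for every admin port open to the world."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for port, service in ports.items():
                if not rule_covers_port(perm, port):
                    continue
                for cidr in cidrs:
                    if cidr_is_world(cidr):
                        findings.append((group["GroupId"], port, service, cidr))
    return findings


if __name__ == "__main__":
    for gid, port, svc, cidr in find_world_open(SAMPLE_GROUPS):
        print(f"{gid}: {svc} (tcp/{port}) open to {cidr}")
```

The `web` group produces no findings even though it has an SSH rule, because that rule references another security group (the bastion) instead of a CIDR; that is exactly the pattern the notes recommend for instance-to-instance traffic.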

If you lose the key pair's .pem file it cannot be recovered, so create a new key pair and derive its public key from the new .pem:

ssh-keygen -y -f Test.pem > Test.pub
cat Test.pub

then connect to the instance through a browser-based session (EC2 Instance Connect or Session Manager) and append the public key to the authorized_keys file:

nano ~/.ssh/authorized_keys

with that you can connect to the instance from the local machine:

chmod 400 Test.pem  # the private key must not be readable by others, or ssh refuses to use it
ssh -i Test.pem ubuntu@<public IP>  # ubuntu for Ubuntu AMIs; Amazon Linux AMIs use `ec2-user`

Always attach an IAM role (instance profile) to the instance to give it access to other AWS services, rather than storing access keys on the instance.

  • On-Demand, Reserved, Spot, Savings Plans, and Dedicated Hosts/Instances are the pricing models for EC2 instances.

6. Instance Storage

EBS (Elastic Block Storage)

They are network drives you can attach to your instances while they run. They persist independently of the instance (the root volume is deleted on termination by default; additional volumes are kept). They are bound to a specific availability zone and are automatically replicated within it. A volume can be attached to only one instance at a time.

To move a volume to a different AZ, or simply to back it up, take a snapshot. A new EBS volume can then be created from the snapshot, even in a different AZ (snapshots can also be copied to another Region). Snapshots can be archived to save cost, but restoring an archived snapshot takes 24-72 hours.

AMI (Amazon Machine Image)

An AMI speeds up launching new instances: it is equivalent to running a set of user data and then storing the state of the machine. AMIs are Region-bound (copy them to use elsewhere), and anything baked into the image, including credentials, ships with every instance launched from it.

EC2 Image Builder

This is a service that builds and tests AMIs. One first creates Components (e.g. install and hardening steps), then bundles them into a recipe that produces AMIs. These AMIs can be tested automatically and rebuilds scheduled, e.g. to pick up patches.

EC2 Instance Store

It is temporary block storage for EC2 instances, lost when the instance is stopped or terminated (or the underlying hardware fails). It is physically attached to the host machine, so it is much faster than EBS, but it is available only on certain instance types (for example g4dn, i3, m5d, etc., not on small t types).

EFS Elastic File System

This is a managed NFS (Network File System) that can be mounted on many EC2 instances at once, across the AZs of a Region (and on-prem over VPN or Direct Connect). It is highly available and scalable, used for content management, web serving, data sharing, etc. It costs roughly 2-3x more per GB than EBS. A file system is Regional: mount targets in several AZs let instances in any AZ of the VPC use it at the same time. EFS Infrequent Access (EFS-IA) is a cheaper storage class for rarely read files, populated by a lifecycle policy; reads from it carry a per-access charge.

Amazon FSx: 1) FSx for Lustre (Linux + Cluster = Lustre) and 2) FSx for Windows File Server

FSx for Lustre is a high-performance file system for workloads such as machine learning, high-performance computing, video processing, financial modeling, etc. It is fully managed and integrates with S3: objects in a bucket can be presented as files and results written back, with very low latency. FSx for Windows File Server is a managed SMB file share with Active Directory integration.

7. Load Balancers

There is the Application Load Balancer (HTTP/HTTPS, layer 7), the Network Load Balancer (high performance, millions of requests per second, TCP/UDP/TLS, layer 4), and the Gateway Load Balancer (works on IP packets, GENEVE protocol on port 6081, layer 3; typically used to insert third-party security appliances such as firewalls and IDS/IPS into the traffic path).

We run 2 instances, join them in a target group, then create an Application Load Balancer (ALB) and point it at the group. The load balancer is managed for us. The instances' security group should allow traffic only from the ALB's security group, not from 0.0.0.0/0, so clients cannot bypass the balancer.

Autoscaling group (ASG)

An ASG embodies elasticity, across multiple AZs. There is a minimum, desired, and maximum number of instances. We need a launch template (instance type, security group, EBS, the usual). The ASG then always tries to keep the desired number of instances running, replacing ones that crash. Scaling options: manual, dynamic (simple/step scaling, target tracking), scheduled, and predictive.

8. S3

S3 has 11 nines (99.999999999%) durability and, for the Standard class, 99.99% availability.

Replication requires versioning enabled on both the source and the destination bucket. It is enabled in the bucket's Management -> Replication tab. There is same-region replication (SRR) and cross-region replication (CRR). It is asynchronous and can be used for disaster recovery, backups, compliance, etc.

What's free with S3: 1) data transfer into S3, 2) S3 out to EC2 instances in the same region, 3) S3 out to CloudFront.

There are several storage classes, from "S3 Express One Zone" via "Standard" to "Glacier". We can set the class when uploading an object or later in the Management tab. We can also set up lifecycle rules to transition objects between classes (say Standard to Intelligent-Tiering after 30 days, then to Glacier after 60 days, etc.) or to expire them.

All storage is billed (per GB-month), plus requests and data transfer out.

The Snow Family are physical devices used to move large amounts of data into (or out of) AWS offline, when the network would be too slow; data on the device is encrypted. Snowcone and Snowball are the most common devices. SSD (solid-state drive) is faster than HDD (hard disk drive).

9. Databases

RDS is a managed relational database (MySQL, PostgreSQL, MariaDB, Oracle, SQL Server). It can take snapshots for backup or cloning, has a Multi-AZ standby option for failover, and read replicas for scaling reads. Instances can be reserved.

Aurora is AWS's MySQL- and PostgreSQL-compatible database; it has a serverless option and is faster than the same engines on RDS.

ElastiCache is a managed in-memory data store (Redis or Memcached), used for caching, session stores, etc. It can sit in front of any database; the application has to implement the caching logic.

Redshift is a data warehouse (OLAP, columnar) used for business intelligence, etc. It is based on PostgreSQL.

DynamoDB is a NoSQL database, serverless, with single-digit millisecond latency. It stores key-value and document data (graph workloads belong in Neptune).

DynamoDB Accelerator (DAX) is an in-memory caching layer built only for DynamoDB (ElastiCache is the general-purpose cache). It gives up to 10x faster reads (microseconds) compared to DynamoDB alone.

DynamoDB Global Tables is a multi-region, fully managed, multi-master table (active-active replication: users can write in any of the regions).

10. ECS, Lambda, Batch, Lightsail

ECS and Fargate run containers on AWS. ECS is the orchestrator; its launch type is either EC2 (you manage the instances, more control) or Fargate (serverless, AWS runs the compute). Both use Task Definitions, Services and Clusters; with Fargate there are no EC2 instances to manage or patch.

Lightsail is a miniature AWS, with fixed prices and trimmed-down flexibility.

AWS Batch runs batch computing jobs, provisioning the compute for them.

11. Deployment

  • CloudFormation is Infra as Code,

  • Beanstalk (PaaS)

    • Role needs AWSElasticBeanstalkWebTier, AWSElasticBeanstalkMulticontainerDocker, AWSElasticBeanstalkWorkerTier
    • Beanstalk uses CloudFormation
  • CodeDeploy (Hybrid) deploys code to EC2 or on-premises

  • AWS Systems Manager (SSM) (hybrid) automates tasks across AWS and on-premises resources: patching, automation, running commands, etc. An instance needs an IAM instance profile that lets it talk to SSM (e.g. the AmazonSSMManagedInstanceCore policy) and the SSM Agent installed (preinstalled on Amazon Linux and Ubuntu AMIs; install it yourself on on-premises machines). With that, Session Manager opens a shell on the instance with no inbound SSH port and no key pair to manage, and sessions can be logged. Managed instances are listed under Systems Manager -> Fleet Manager.

  • AWS Systems Manager Parameter Store stores configuration data and secrets (SecureString parameters are encrypted with KMS), such as passwords and database connection strings. Instances read them through their IAM role, so nothing is hard-coded in the AMI or user data.

  • AWS Secrets Manager also stores secrets and, unlike Parameter Store, rotates them automatically (e.g. RDS credentials).

  • CodeCommit is a Git service

  • CodeBuild is a build service

  • CodeDeploy is a deployment service

  • CodePipeline is an orchestration service

  • CodeStar ties these together into a CI/CD project

  • Cloud9 is an IDE in the cloud

  • AWS CDK defines infrastructure in a programming language such as Python, which is then synthesized into CloudFormation templates

12. Global services

Route 53 - managed DNS

  • hostname to IPv4 is an A record
  • hostname to IPv6 is an AAAA record
  • hostname to hostname is a CNAME (not allowed at the zone apex)
  • hostname to an AWS resource (ALB, CloudFront, S3 website, ...) is an Alias (free queries, and works at the zone apex)

Routing policies:

  • Simple: one record with one or more IP addresses, no health checks
  • Weighted: distribute traffic across records by weight
  • Latency: route each user to the region with the lowest latency for them
  • Failover: primary/secondary with health checks, for disaster recovery

We can buy a domain, create EC2 web servers in several regions, and create Route 53 A records pointing to them with a latency routing policy. A user anywhere in the world is then sent to the server with the lowest latency for them.

AWS CloudFront

AWS CloudFront is a CDN that caches content at edge locations around the world. The origin can be an S3 bucket, an HTTP backend (ALB, EC2), or any HTTP server. Origin Access Control (OAC) keeps an S3 origin private so it is readable only through the distribution. CloudFront is the tool for caching static content near users; S3 cross-region replication is for dynamic content that must be served with low latency from a specific region.

We first create a CloudFront distribution, point it at the S3 bucket, then set the cache behavior, TTL, etc. For security we enable Origin Access Control (OAC): block public access on the bucket and attach a bucket policy that allows s3:GetObject only to the cloudfront.amazonaws.com service principal when the request comes from our distribution, so objects are reachable only through CloudFront.
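The bucket policy that step needs, and the check that the public-read policy it replaces would fail, as an added example that is not part of the original notes. The policy shape (CloudFront service principal plus an `AWS:SourceArn` condition naming the distribution) is the documented OAC pattern; the bucket name, account ID and distribution ID are placeholders. The `public_statements` check is deliberately narrow: it flags only Allow statements with an anonymous principal and no Condition at all, so a `Principal: "*"` statement narrowed by a condition still deserves a manual look.

```python
"""Build the S3 bucket policy for CloudFront Origin Access Control and lint a
policy for statements any anonymous caller can use.

Added example, not part of the original notes; bucket name, account ID and
distribution ID are placeholders.
"""
import json


def oac_bucket_policy(bucket, distribution_arn):
    """Grant s3:GetObject to the CloudFront service principal, but only when the
    request originates from the given distribution (AWS:SourceArn condition)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontServicePrincipalReadOnly",
            "Effect": "Allow",
            "Principal": {"Service": "cloudfront.amazonaws.com"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringEquals": {"AWS:SourceArn": distribution_arn}},
        }],
    }


def _principal_is_anyone(principal):
    """'*' or {"AWS": "*"} means any caller, including anonymous ones."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"])


def public_statements(policy):
    """Return the Sids of Allow statements with an anonymous principal and no
    Condition narrowing them down, i.e. statements that make the bucket public."""
    found = []
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        if _principal_is_anyone(statement.get("Principal")) and not statement.get("Condition"):
            found.append(statement.get("Sid", "<no sid>"))
    return found


# Constructed 'before' policy: the classic public-read bucket that OAC replaces.
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-site/*"}],
}

if __name__ == "__main__":
    hardened = oac_bucket_policy(
        "example-site", "arn:aws:cloudfront::123456789012:distribution/EDFDVBD6EXAMPLE")
    print(json.dumps(hardened, indent=2))
    print("public statements before:", public_statements(PUBLIC_READ_POLICY))
    print("public statements after :", public_statements(hardened))
```

Pair the policy with S3 Block Public Access on the bucket: the policy alone stops public reads, Block Public Access stops someone from re-adding them later.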

The Web Application Firewall (WAF) is a layer 7 (HTTP) security service; AWS Shield is DDoS protection (Standard is free and always on, Advanced is paid).

AWS Shield Advanced provides enhanced protections for your applications running on protected Amazon EC2, Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, and Route 53 resources against more sophisticated and larger attacks.

S3 Transfer Acceleration: a bucket lives in one region. To upload quickly to a bucket that is far away, enable Transfer Acceleration (a feature under the bucket's Properties): data goes to the nearest edge location and then over the AWS backbone to the bucket. AWS offers a speed comparison tool that measures accelerated vs. normal upload/download to one specific bucket. So if you need fast transfers to a bucket from around the world, use it.

AWS Global Accelerator leverages the internal AWS network (which is fast) to optimize the route to the application through edge locations (unlike CloudFront it does not cache anything). When enabled, 2 Anycast IP addresses are assigned to the application, and traffic is routed to the optimal endpoint. To set it up we create 1) an accelerator, 2) a listener, 3) an endpoint group, 4) endpoints. Traffic dials control what percentage of traffic goes to each endpoint group.

AWS Outposts is like having AWS racks on-premises (AWS hardware in your data center, managed by AWS).

AWS Wavelength, is like having basic AWS racks in the 5G towers (with EC2 instances, EBS, etc.) for ultra-low latency applications.

AWS Local Zones extend VPC into more zones outside default AZs. For example if we define a subnet in Boston, we can then create EC2 instance in that zone. This allows ultra-low latency applications.

Final notes on global services:

  • Single-region, single-AZ is easy to set up, but not fault tolerant.
  • Single-region, multi-AZ is fault tolerant, but not disaster tolerant.
  • Multi-region active-passive: writes go only to the active region. Disaster tolerant, but more expensive and complex.
  • Multi-region active-active: writes go to both regions. Disaster tolerant and lowest latency, but the most expensive and complex (write conflicts must be handled).

13. Cloud Integration

Let’s decouple services, so that they can be scaled independently. We can use SQS, SNS, Kinesis, and Amazon MQ for this.

SQS (Simple Queue Service)

Producer/consumer model; consumers pull messages. Standard queues have practically unlimited throughput; FIFO queues are limited (300 messages/s, 3,000 with batching). Message retention is 4 days by default, configurable from 1 minute to 14 days. Standard (at-least-once delivery, best-effort ordering) or FIFO (exactly-once processing, strict ordering).

Amazon Kinesis

Kinesis = real-time big data: ingest streams (Kinesis Data Streams), analyze them with SQL (Kinesis Data Analytics), and load them into S3 or Redshift (Kinesis Data Firehose). A side offering is real-time video (Kinesis Video Streams).

SNS (Simple Notification Service)

Push-based notifications to mobile devices, email, HTTP endpoints, SQS, Lambda, etc. It is a pub/sub model: one message published to a topic goes to all its subscribers. Mailinator.com is a handy tool to test email notifications, but its inboxes are public, so never send anything sensitive there.

Amazon MQ

SQS and SNS are cloud native; Amazon MQ is a managed message broker for ActiveMQ and RabbitMQ, useful for legacy applications that already speak those protocols. Amazon MQ doesn't scale as far as SQS.

14. Monitoring

CloudWatch has:

  • metrics: high-level visualization of resource metrics
  • alarms: can be created directly on EC2 instances too. Billing alarms work only in the us-east-1 region, where billing metrics live.
  • logs: collects logs line by line; needs the CloudWatch agent on instances (works hybrid). Very useful.
  • events: EventBridge reacts to any event or runs on a schedule. It can for example send emails or run Lambdas. It also accepts third-party events via an event bus. It is quite powerful, and serverless.
  • X-Ray (a separate service) gives a visual analysis of distributed applications: it traces requests as they travel through the application, to debug and to identify bottlenecks.

CloudTrail is for governance, compliance and auditing: every high-level AWS API action (who, what, when, from where) is recorded. Event history covers 90 days by default; a trail delivers to S3 and optionally to CloudWatch Logs. Turn on log file validation and protect the trail's bucket, because an attacker with admin access will try to stop or delete the trail.
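The detections a practitioner wires up first on those logs are root usage, console logins without MFA, and attempts to turn logging off. The following is an added example, not part of the original notes: it runs such triage over CloudTrail records. The records are constructed to mirror the CloudTrail record format (`userIdentity`, `eventSource`, `eventName`, `additionalEventData.MFAUsed`, `errorCode`); the account ID and IP addresses are placeholders.

```python
"""Triage CloudTrail records for root activity, console logins without MFA,
and attempts to tamper with logging.

Added example, not part of the original notes. The records are constructed in
the CloudTrail record format; account ID and IPs are placeholders.
"""
import json

# Management-API calls that weaken or disable the audit trail.
TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

SAMPLE_RECORDS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2024-05-01T11:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.4",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventTime": "2024-05-01T11:30:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DeleteTrail", "sourceIPAddress": "198.51.100.4", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
]


def sample_lines():
    """The constructed records as JSON lines, the way a log shipper would deliver them."""
    return [json.dumps(record) for record in SAMPLE_RECORDS]


def triage(record):
    """Return a list of (severity, reason) findings for one record."""
    findings = []
    identity = record.get("userIdentity", {})
    name = record.get("eventName", "")
    denied = "errorCode" in record          # the call failed, e.g. AccessDenied
    if identity.get("type") == "Root":
        findings.append(("high", "root user activity: " + name))
    if name == "ConsoleLogin" and record.get("additionalEventData", {}).get("MFAUsed") == "No":
        findings.append(("high", "console login without MFA"))
    if name in TAMPER_EVENTS:
        # A denied attempt is still worth knowing about: someone tried.
        severity = "medium" if denied else "critical"
        findings.append((severity, f"logging tamper attempt: {name}" + (" (denied)" if denied else "")))
    return findings


def triage_log(lines):
    """Take CloudTrail records as JSON lines; return (eventTime, actor, severity, reason)."""
    out = []
    for line in lines:
        record = json.loads(line)
        actor = record.get("userIdentity", {}).get("arn", "?")
        for severity, reason in triage(record):
            out.append((record["eventTime"], actor, severity, reason))
    return out


if __name__ == "__main__":
    for row in triage_log(sample_lines()):
        print(*row)
```

In production this logic would sit behind an EventBridge rule or a CloudWatch Logs metric filter on the trail's log group; the point here is which fields carry the signal.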

CodeGuru is not available in all regions (e.g. not in N. California). CodeGuru Reviewer is ML-powered code review; CodeGuru Profiler profiles running code.

The AWS Health Dashboard shows the health of AWS services; its account view (formerly the Personal Health Dashboard) shows events affecting your own account.

Trusted Advisor checks cost optimization, performance, security, fault tolerance, and service limits. A core set of checks is free for every account; the full set needs a Business or Enterprise support plan.

15. VPC and Networking

A VPC is a virtual private cloud, specific to a region. It has subnets (public = has a route to an internet gateway, private = does not), each assigned to one availability zone. Route tables define access to the internet and between subnets.

Each VPC has CIDR range - a range of IP addresses allowed in the VPC. It can be IPv4 or IPv6.

Internet Gateway is horizontally scaled, redundant, VPC component that allows access to the internet from the VPC. It is attached to the VPC. As soon as we have IGW and a route to it, that makes subnet public. VPC can have only 1 IGW.

A NAT Gateway (AWS managed) or NAT Instance (self-managed) lets a private subnet initiate connections to the internet (e.g. for updates) without accepting inbound connections from it.

cidr.xyz is a good tool to visualize CIDR ranges. VPC CIDRs should come from the private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).

A NACL (Network Access Control List) is a firewall at the subnet level that controls traffic to and from the subnet. It has numbered allow and deny rules, evaluated lowest number first, first match wins. It is stateless: return traffic must be explicitly allowed (including the ephemeral port range the clients use).

Security Groups can have only allow rules. They are at the EC2 instance (ENI) level. They are stateful: the return traffic of an allowed connection is allowed automatically.
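The stateful/stateless difference is easiest to see with the same HTTPS request evaluated by both. The following is an added example, not part of the original notes: a small simulator of the two rule models. The security group has only inbound allow rules and no outbound rules at all, yet the reply still flows; the NACL allows inbound 443 but only outbound 443, so the reply to the client's ephemeral port is dropped until an outbound ephemeral-port rule is added. The rule sets and addresses (documentation ranges, a 10.0.1.0/24 subnet) are constructed for illustration.

```python
"""Stateful security group vs stateless network ACL, simulated.

Added example, not part of the original notes; rule sets and addresses are
constructed for illustration.
"""
import ipaddress


def in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def in_ports(port, lo, hi):
    return lo <= port <= hi


# --- Security group: allow rules only, stateful ---------------------------------
# Each rule: (direction, protocol, from_port, to_port, cidr)
SG_RULES = [
    ("in", "tcp", 443, 443, "0.0.0.0/0"),   # HTTPS from anywhere
    ("in", "tcp", 22, 22, "10.0.0.0/16"),   # SSH only from inside the VPC
    # deliberately no outbound rules: replies to allowed connections still flow
]


def sg_permits_request(rules, proto, dst_port, src_ip):
    """Inbound request: allowed iff some inbound allow rule matches."""
    return any(d == "in" and p == proto and in_ports(dst_port, lo, hi) and in_cidr(src_ip, cidr)
               for d, p, lo, hi, cidr in rules)


def sg_permits_reply(rules, proto, dst_port, src_ip):
    """Stateful: the reply to a permitted request is tracked and allowed
    automatically; outbound rules are never consulted for it."""
    return sg_permits_request(rules, proto, dst_port, src_ip)


# --- Network ACL: numbered allow/deny rules, first match wins, stateless ---------
# Each rule: (number, direction, protocol, from_port, to_port, cidr, action)
NACL_RULES = [
    (90, "in", "tcp", 22, 22, "198.51.100.0/24", "deny"),    # explicit deny for one noisy /24
    (100, "in", "tcp", 443, 443, "0.0.0.0/0", "allow"),
    (110, "in", "tcp", 22, 22, "0.0.0.0/0", "allow"),
    (100, "out", "tcp", 443, 443, "0.0.0.0/0", "allow"),     # only outbound 443: replies will be dropped
]
EPHEMERAL = (1024, 65535)   # source-port range clients pick from; replies go back there


def nacl_decision(rules, direction, proto, port, remote_ip):
    """Evaluate rules in ascending number order; the first match decides.
    With no match the implicit final rule ('*') denies."""
    for _num, d, p, lo, hi, cidr, action in sorted(rules):
        if d == direction and p == proto and in_ports(port, lo, hi) and in_cidr(remote_ip, cidr):
            return action == "allow"
    return False


def nacl_permits_exchange(rules, proto, dst_port, client_ip, client_port):
    """Stateless: the request is checked inbound and the reply is checked
    outbound on its own (instance -> client_ip:client_port)."""
    request_ok = nacl_decision(rules, "in", proto, dst_port, client_ip)
    reply_ok = nacl_decision(rules, "out", proto, client_port, client_ip)
    return request_ok, reply_ok


def fixed_nacl(rules):
    """Add the outbound ephemeral-port allow that a stateless ACL needs."""
    return rules + [(120, "out", "tcp", EPHEMERAL[0], EPHEMERAL[1], "0.0.0.0/0", "allow")]


if __name__ == "__main__":
    client, client_port = "203.0.113.5", 50000
    print("SG  request:", sg_permits_request(SG_RULES, "tcp", 443, client),
          "reply:", sg_permits_reply(SG_RULES, "tcp", 443, client))
    print("ACL request/reply:", nacl_permits_exchange(NACL_RULES, "tcp", 443, client, client_port))
    print("ACL after fix    :", nacl_permits_exchange(fixed_nacl(NACL_RULES), "tcp", 443, client, client_port))
```

Rule 90 also shows the one thing a NACL can do that a security group cannot: an explicit deny for a specific source, evaluated before the broader allow at 110.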

VPC Flow Logs capture metadata (addresses, ports, protocol, ACCEPT/REJECT) of the IP traffic going to and from network interfaces in the VPC, delivered to CloudWatch Logs or S3. They help diagnose network issues, understand traffic patterns, and spot scanning or unexpected egress.
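What "spotting scanning" looks like on those records, as an added example that is not part of the original notes. The lines are constructed in the default flow-log format (`version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status`) using documentation IP ranges; the functions report accepted admin-port connections from public addresses and sources that rack up REJECTs across ports.

```python
"""Scan VPC Flow Log lines (default format) for accepted admin-port connections
from outside the VPC and for sources that generate many REJECTs.

Added example, not part of the original notes; the log lines are constructed.
"""
import ipaddress
from collections import Counter

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
ADMIN_PORTS = {22, 3389}
PRIVATE = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.10 51200 443 6 20 4000 1714550400 1714550460 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.10 51201 22 6 8 1200 1714550400 1714550460 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 40000 22 6 1 60 1714550400 1714550460 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 40001 23 6 1 60 1714550400 1714550460 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 40002 3389 6 1 60 1714550400 1714550460 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.2.5 10.0.1.10 38000 22 6 12 2000 1714550400 1714550460 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1714550400 1714550460 - NODATA
"""


def parse(lines):
    """Yield one dict per usable record; NODATA/SKIPDATA lines carry no addresses."""
    for line in lines:
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        record = dict(zip(FIELDS, parts))
        if record["log_status"] != "OK":
            continue
        yield record


def is_private(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE)


def external_admin_accepts(lines):
    """(srcaddr, dstaddr, dstport) for accepted TCP flows to admin ports from public IPs."""
    return [(r["srcaddr"], r["dstaddr"], int(r["dstport"])) for r in parse(lines)
            if r["action"] == "ACCEPT" and r["protocol"] == "6"      # 6 = TCP
            and int(r["dstport"]) in ADMIN_PORTS and not is_private(r["srcaddr"])]


def reject_counts(lines, threshold=3):
    """Sources with at least `threshold` rejected flows (port-scan-like behaviour)."""
    counts = Counter(r["srcaddr"] for r in parse(lines) if r["action"] == "REJECT")
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("external admin accepts:", external_admin_accepts(lines))
    print("scanners:", reject_counts(lines))
```

The REJECT lines are the NACL or security group doing its job; the ACCEPT on port 22 from a public address is the one that should trigger a look at the security group that allowed it.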

VPC peering - allows to connect 2 VPCs. It’s not transitive (i.e. if A is peered with B and B is peered with C, A is not peered with C). It’s not possible to have overlapping CIDR ranges.

VPC Endpoints connect to AWS services privately, without going through the internet. Gateway endpoints serve S3 and DynamoDB (a route table entry); Interface endpoints (an ENI with a private IP, powered by PrivateLink) serve most other services.

PrivateLink connects to services hosted by other AWS accounts privately, without VPC peering, IGW, NAT, or route table changes. It requires 1) a Network Load Balancer on the provider side, and 2) an Elastic Network Interface (ENI) on the consumer side; all traffic stays on the AWS network.

AWS Site-to-Site VPN connects an on-premises data center to AWS over an encrypted IPsec tunnel between a customer gateway (on-prem) and a virtual private gateway (AWS). The tunnel runs over the public internet.

Direct Connect (DX) is a dedicated physical connection between the on-premises data center and AWS. It is more expensive, takes over a month to establish, and is not encrypted by itself (combine it with a VPN for encryption).

AWS Client VPN connects individual computers (OpenVPN clients) to your private network in AWS over the public internet, so they can reach EC2 instances on their private IPs as if they were inside the VPC.

To connect thousands of VPCs, use Transit Gateway. It’s a hub and spoke model. It’s a regional service. It can connect VPCs, VPNs, Direct Connects, etc. It’s a fully managed service.

16. Security

AWS Shield protects against DDoS attacks.

AWS WAF (Web Application Firewall) protects web applications (on ALB, CloudFront, API Gateway) against SQL injection, cross-site scripting, etc., and supports rate limiting and geo blocking.

AWS Network Firewall is a managed stateful firewall with intrusion prevention at the VPC level, covering layers 3-7.

AWS Firewall Manager is a security management service that allows to centrally configure and manage firewall rules across accounts and applications.

Penetration testing is allowed without prior approval on a list of services (EC2, RDS, CloudFront, Aurora, API Gateway, Lambda, Lightsail, Elastic Beanstalk), but DoS/DDoS simulations, port or protocol flooding, and DNS zone walking are prohibited; for anything else ask AWS first.

Data at rest and in transit can both be encrypted. AWS KMS creates and manages encryption keys; key material never leaves KMS unencrypted, every use is logged in CloudTrail, and it is integrated with most AWS services.

CloudHSM is a dedicated, single-tenant hardware security module: AWS manages the hardware, you manage the keys.

In KMS one sees these keys:

  • AWS managed keys (named aws/s3, aws/ebs, etc.): created and rotated by the service
  • Customer managed keys: you control the key policy, rotation and deletion

AWS Certificate Manager (ACM) provisions, manages, renews, and deploys SSL/TLS certificates (public ones are free). For example a certificate can be attached to an Application Load Balancer so all client traffic is encrypted (in-flight encryption). It can also be used with CloudFront, API Gateway, etc.

AWS Secrets Manager is a service that allows to store, retrieve, and rotate secrets. It can be used to store database credentials, API keys, etc. It can be integrated with RDS, Redshift, DocumentDB, etc. You can get the secret value from the CLI or most languages.

AWS Artifact - for compliance. Global Service. It’s a portal that provides on-demand access to AWS compliance reports.

GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior, e.g. unusual API calls or unauthorized deployments. It analyzes CloudTrail, VPC Flow Logs and DNS logs without agents, with optional extra protections (paid).

Amazon Inspector scans for vulnerabilities (CVEs, Common Vulnerabilities and Exposures) and network exposure:

  • on EC2 instances (via the Systems Manager agent)
  • in container images in ECR (on push)
  • in Lambda functions (on deployment)

Findings go to Security Hub and/or EventBridge.

AWS Config tracks resource configuration history and evaluates compliance against rules (e.g. flag a security group open to 0.0.0.0/0); it can trigger remediation.

Amazon Macie Uses ML to detect Personal Identifiable Information (PII) and sensitive data in AWS. Notifies via EventBridge.

AWS Security Hub - aggregates findings into one place.

Amazon Detective - analyzes, investigates, and identifies the root cause of security issues or suspicious activities.

AWS Abuse is to report abuse.

Only the root user can: close the account, register as a seller in the AWS Marketplace, change the AWS Support plan. Protect it with MFA, give it no access keys, and use it only for those tasks.

IAM Access Analyzer analyzes resource policies (S3 buckets, roles, KMS keys, etc.) to find resources shared with an external entity or the public.

17. Machine Learning

  • Rekognition is for classification, detection, recognition, etc. of images and videos.
  • Transcribe is speech to text. It can redact PII, works in multiple languages, and can create metadata for a searchable archive, e.g. of podcasts.
  • Polly - text to speech.
  • Lex - chatbots (speech and text understanding); it integrates with Connect and can trigger Lambda functions.
  • Comprehend - NLP, sentiment analysis, key phrase extraction, language detection, etc.
  • SageMaker - ML service, can train, tune, deploy models.
  • Translate - language translation.
  • Forecast - time series forecasting.
  • Kendra - document search service.
  • Personalize - recommendation service.
  • Textract - OCR: extracts text, forms, tables, etc. from scanned documents and images.

18. Account management

AWS Organizations - allows to manage multiple AWS accounts. It allows to create groups of accounts, apply policies, etc.

OU (Organizational Unit) is a group of accounts.

SCP (Service Control Policy) is a policy applied to an OU or account. It controls which services, actions, and regions can be used. It looks like an IAM policy but acts as a guardrail across accounts: it only sets the maximum permissions and never grants any (an IAM policy is still needed), and it does not apply to the management account.
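How an SCP combines with IAM is easier to see in code than in prose. The following is an added example, not part of the original notes: a simplified evaluator that applies the documented rules (an explicit Deny anywhere wins; the action must be allowed by the SCPs at every level of the OU path, and then by the IAM policy) to actions and the `aws:RequestedRegion` condition key only. The OU path and policies are constructed. Note that a real region-restriction SCP exempts global services such as IAM, STS and Organizations via `NotAction`; this simplified version does not.

```python
"""Simplified SCP + IAM evaluation: an SCP can only take permissions away.

Added example, not part of the original notes. Supports Action wildcards and
StringEquals / StringNotEquals on the aws:RequestedRegion key; the OU path and
policies are constructed.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(statement, action):
    return any(fnmatchcase(action, pattern) for pattern in _as_list(statement.get("Action", [])))


def _condition_holds(condition, ctx):
    """Supports StringEquals / StringNotEquals with single or list values."""
    for operator, pairs in (condition or {}).items():
        for key, wanted in pairs.items():
            equal = ctx.get(key) in _as_list(wanted)
            if operator == "StringEquals" and not equal:
                return False
            if operator == "StringNotEquals" and equal:
                return False
    return True


def policy_decision(policy, action, ctx):
    """'Deny', 'Allow' or None (no statement matched) for one policy."""
    decision = None
    for statement in policy["Statement"]:
        if not _action_matches(statement, action) or not _condition_holds(statement.get("Condition"), ctx):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"           # explicit deny wins immediately
        decision = "Allow"
    return decision


def is_allowed(scp_levels, iam_policy, action, region):
    """scp_levels: the SCPs attached at each level from the org root down to
    the account. Every level must contain an Allow, and no level may Deny;
    only then does the IAM policy get a say."""
    ctx = {"aws:RequestedRegion": region}
    for level in scp_levels:
        decisions = [policy_decision(policy, action, ctx) for policy in level]
        if "Deny" in decisions or "Allow" not in decisions:
            return False
    return policy_decision(iam_policy, action, ctx) == "Allow"


# Constructed policies ------------------------------------------------------------
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*"}]}      # the default SCP
DENY_OUTSIDE_EU = {"Statement": [{
    "Effect": "Deny", "Action": "*",
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1", "eu-central-1"]}},
}]}
ADMIN_IAM = {"Statement": [{"Effect": "Allow", "Action": "*"}]}
READONLY_IAM = {"Statement": [{"Effect": "Allow", "Action": ["ec2:Describe*", "s3:Get*"]}]}

# root -> OU (with the region guardrail) -> account
ORG_PATH = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, DENY_OUTSIDE_EU], [FULL_AWS_ACCESS]]

if __name__ == "__main__":
    print(is_allowed(ORG_PATH, ADMIN_IAM, "ec2:RunInstances", "eu-west-1"))     # allowed
    print(is_allowed(ORG_PATH, ADMIN_IAM, "ec2:RunInstances", "us-east-1"))     # SCP denies the region
    print(is_allowed(ORG_PATH, READONLY_IAM, "ec2:RunInstances", "eu-west-1"))  # IAM never granted it
```

The last assertion in the test below shows the classic mistake: detaching FullAWSAccess from an OU while leaving only a Deny policy there blocks everything in that OU, because no level may be without an Allow.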

One can use consolidated billing to increase savings (volume discounts and shared reserved capacity).

Bob receives the cost benefit from Susan's zonal Reserved Instances (RI) only if he launches his instances in the same Availability Zone (AZ) where Susan purchased them; regional RIs apply anywhere in the Region.

AWS Control Tower is a service that allows to set up and govern a new, secure, multi-account AWS environment. It’s a managed service that automates the set up of a new environment.

AWS Resource Access Manager (RAM) is a service that allows to share AWS resources with other AWS accounts. It can be used to share subnets, transit gateways, etc.

AWS Service Catalog is a service that allows to create and manage catalogs of IT services that are approved for use on AWS. It can be used to create a portfolio of products, manage access, etc.

Pricing models: some services are free themselves and only the underlying resources are billed (CloudFormation, Elastic Beanstalk, Auto Scaling), some have a free tier, some a free trial.

AWS Pricing Calculator: calculator.aws

AWS Compute Optimizer uses ML to recommend optimal AWS resources.

AWS Trusted Advisor checks the environment and makes recommendations. Core checks are free; the full set needs a Business or Enterprise support plan.

AWS Budgets - can set alarms for estimated costs.

For each resource, each tag key must be unique, and each tag key can have only one value

You must activate both AWS generated tags and user-defined tags separately before they can appear in Cost Explorer or on a cost allocation report

AWS Firewall Manager is a security management service that lets you centrally configure and manage firewall rules across your accounts and applications in an AWS Organization.

AWS Shield Advanced (about $3K a month, 1-year commitment) adds 24/7 access to the DDoS response team, cost protection against scaling charges during an attack, etc.

A Web Access Control List (Web ACL), associated with AWS WAF, holds the rules: IP sets, HTTP header/body filtering, SQL injection and XSS signatures, geo match, rate-based rules. Web ACLs are applied to individual AWS resources such as a specific CloudFront distribution or load balancer. Operates at layer 7.

A Network ACL is associated with a subnet, and each subnet can be associated with only one network ACL at a time. It operates at layers 3 and 4.

19. Advanced Identity

AWS STS (Security Token Service) issues temporary credentials, e.g. when assuming a role; they expire, unlike long-lived access keys.

Amazon Cognito manages user pools (authentication: sign-up/sign-in, with social logins such as Google and Facebook or SAML) and identity pools (authorization: temporary AWS credentials for app users). Used by web and mobile apps.

AWS Directory Service is a 1) managed Microsoft AD in the cloud, 2) AD Connector 3) Simple AD. It can be used to connect to on-premises AD, etc.

AWS IAM Identity Center (successor to AWS SSO): single sign-on to multiple accounts and applications.

20. AWS Architecture best practices

  1. Operational Excellence
  • Infra as code
  • Annotate, document
  • Make frequent, small, reversible changes
  • Refine operations procedures
  • Anticipate failure
  • Learn from all operational failures
  2. Security
  • Implement a strong identity foundation
  • Enable traceability
  • Apply security at all layers
  • Automate security best practices
  • Protect data in transit and at rest
  • Keep people away from data
  • Prepare for security events
  3. Reliability
  • Test recovery procedures
  • Automatically recover from failure
  • Scale horizontally to increase aggregate system availability
  • Stop guessing capacity
  • Manage change in automation
  • Understand dependencies
  4. Performance Efficiency
  • Democratize advanced technologies
  • Go global in minutes
  • Use serverless architectures
  • Experiment more often
  • Mechanical sympathy
  • Use data to make decisions
  5. Cost Optimization
  • Adopt a consumption model
  • Measure overall efficiency
  • Stop spending money on data center operations
  • Analyze and attribute expenditure
  • Use managed services to reduce cost of ownership
  • Trade capital expense for variable expense
  • Use the right pricing model for the workload

FAQ

Cognito is for authentication.

AWS CodeDeploy to deploy patches to many instances, Lambdas, ECS, as well as on premises.

AWS Inspector is for security assessment, not infrastructure (AWS Config is for infrastructure).

QuickStart References is a service that allows to deploy reference architectures on AWS. Good stuff.

APN Consulting Partners provide consulting services; APN Technology Partners are companies that provide software solutions hosted on AWS.

AWS SSO is now AWS Identity Center.

AWS Health center has both Personal and Service Dashboard.

AWS Local Zones are type of infra closer to end users.

AWS Systems Manager is operations hub for your AWS applications and resources. Can be used for patching, running many scripts at once on instances, etc.

DynamoDB is NoSQL database, global tables are multi-region, multi-master. DB Accelerator is caching layer in front of DynamoDB.

CloudTrail logs API/admin actions; CloudWatch holds compute logs (EC2, Lambda, etc.).

AWS Cost Explorer can do forecast.

Reservation is supported for:

  • Amazon EC2 Reserved Instances (RI)
  • Amazon DynamoDB Reserved Capacity
  • Amazon ElastiCache Reserved Nodes
  • Amazon RDS RIs
  • Amazon Redshift Reserved Nodes

AWS Business Support provides architectural guidance contextual to your specific use-cases


AWS CAF groups its capabilities in six perspectives: Business, People, Governance, Platform, Security, and Operations.

Compute Optimizer helps you choose optimal configurations for three types of AWS resources: Amazon EC2 instances, Amazon EBS volumes, and AWS Lambda functions, based on your utilization data.


The KMS keys that you create are customer managed keys.

EBS volume can be attached to a single instance in the same Availability Zone (AZ) whereas EFS file system can be mounted on instances across multiple Availability Zones (AZ)

The AWS Professional Services organization is a global team of experts that can help you realize your desired business outcomes when using the AWS Cloud.

Each AWS Region consists of a minimum of three Availability Zones (AZ)

Each Availability Zone (AZ) consists of one or more discrete data centers

The AWS account must be able to operate as a standalone account. Only then it can be removed from AWS organizations

The performance of AWS managed Amazon Relational Database Service (Amazon RDS) instance is better than a customer-managed database instance


https://aws.amazon.com/premiumsupport/plans/

AWS CloudTrail Logs are encrypted by default.

AWS Compute Optimizer delivers recommendations for: EC2 instances, EC2 Auto Scaling groups, Amazon EBS volumes, and AWS Lambda functions

Amazon GuardDuty analyzes billions of events across your AWS accounts from AWS CloudTrail (AWS user and API activity in your accounts), Amazon VPC Flow Logs (network traffic data), and DNS Logs (name query patterns) to detect threat, malicious activity, and unauthorized behavior on your AWS account.

AWS Service Catalog lets you centrally manage your cloud resources to achieve governance at scale of your infrastructure as code (IaC) templates, written in CloudFormation or Terraform configurations.

Watch out for questions on AWS Cost Explorer vs AWS Budgets. AWS Budgets can alert you when your costs exceed your budgeted amount. Cost Explorer helps you visualize and manage your AWS costs and usage over time.

Amazon DynamoDB supports both key-value and document data models.

Cloud Foundations is a set of best practices for cloud computing. It is a framework for cloud adoption and transformation.

You will pay a fee each time you read from or write data stored on the Amazon Elastic File System (Amazon EFS) - Infrequent Access storage class

EC2 instances can access files on an Amazon Elastic File System (Amazon EFS) file system across many Availability Zones (AZ), Regions and VPCs.

AWS Budgets enable you to plan your service usage, service costs, and instance reservations.

AWS Migration Evaluator helps with migrations.

Amazon Elastic File System (Amazon EFS) has encryption by default.

Create separate AWS accounts for development and production environments to receive separate invoices

Reserved Instances are a commitment (1 or 3 years) to specific Amazon EC2 or Amazon RDS instances in exchange for a discount.