Mastering AWS 2
AWS Terminology
AWS IoT: AWS IoT is a managed cloud service that lets connected devices easily and
securely interact with cloud applications and other devices.
Certificate Manager: AWS Certificate Manager lets you easily provision, manage, and
deploy Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use
with AWS services.
CloudFront: Amazon CloudFront provides a way to distribute content to end users with
low latency and high data transfer speeds.
CloudSearch: AWS CloudSearch is a fully managed search service for websites and
apps.
CloudTrail: AWS CloudTrail provides increased visibility into user activity by recording
API calls made on your account.
Data Pipeline: AWS Data Pipeline is a lightweight orchestration service for periodic,
data-driven workflows.
DMS: AWS Database Migration Service (DMS) helps you migrate databases to the
cloud easily and securely while minimizing downtime.
DynamoDB: Amazon DynamoDB is a scalable NoSQL data store that manages distributed
replicas of your data for high availability.
EC2: Amazon Elastic Compute Cloud (EC2) provides resizable compute capacity in the
cloud.
EC2 Container Service: Amazon ECS allows you to easily run and manage Docker
containers across a cluster of Amazon EC2 instances.
Elastic Beanstalk: AWS Elastic Beanstalk is an application container for deploying and
managing applications.
Elastic File System: Amazon Elastic File System (Amazon EFS) is a file storage
service for Amazon Elastic Compute Cloud (Amazon EC2) instances.
Elastic Transcoder: Amazon Elastic Transcoder lets you convert your media files in
the cloud easily, at low cost, and at scale.
Elastic MapReduce (EMR): Amazon Elastic MapReduce lets you perform big data
tasks such as web indexing, data mining, and log file analysis.
Glacier: Amazon Glacier is a low-cost storage service that provides secure and durable
storage for data archiving and backup.
IAM: AWS Identity and Access Management (IAM) lets you securely control access to
AWS services and resources.
Inspector: Amazon Inspector enables you to analyze the behavior of the applications
you run in AWS and helps you to identify potential security issues.
Kinesis: Amazon Kinesis services make it easy to work with real-time streaming data in
the AWS cloud.
Lambda: AWS Lambda is a compute service that runs your code in response to events
and automatically manages the compute resources for you.
Machine Learning: Amazon Machine Learning is a service that enables you to easily
build smart applications.
RDS: Amazon Relational Database Service (RDS) makes it easy to set up, operate,
and scale familiar relational databases in the cloud.
Route 53: Amazon Route 53 is a scalable and highly available Domain Name System
(DNS) and Domain Name Registration service.
SES: Amazon Simple Email Service (SES) enables you to send and receive email.
SNS: Amazon Simple Notification Service (SNS) lets you publish messages to subscribers
or other applications.
SQS: Amazon Simple Queue Service (SQS) offers a reliable, highly scalable, hosted
queue for storing messages.
SWF: Amazon Simple Workflow (SWF) coordinates all of the processing steps within an
application.
S3: Amazon Simple Storage Service (S3) can be used to store and retrieve any amount
of data.
VPC: Amazon Virtual Private Cloud (VPC) lets you launch AWS resources in a private,
isolated cloud.
Answer: In an AWS DevOps Engineer interview, this is one of the most common AWS
interview questions for DevOps. To answer it, mention the popular DevOps
tools along with the type of each tool –
Private (RFC 1918) address ranges:
Class A   10.0.0.0    - 10.255.255.255    10.0.0.0/8
Class B   172.16.0.0  - 172.31.255.255    172.16.0.0/12
Class C   192.168.0.0 - 192.168.255.255   192.168.0.0/16
Example: Network ID 192.168.1.0, DNS 192.168.1.2
o Default output format [None]: json (the last prompt of aws configure)
Using the VPC ID from the previous step, create a subnet with a 10.0.1.0/24
CIDR block.
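As an added example (not part of the original notes), the following Python script performs the checks a practitioner makes before running the create-subnet command above: it validates the tutorial's 10.0.0.0/16 VPC and 10.0.1.0/24 subnet against the AWS CIDR constraints and lists the five addresses AWS reserves in every subnet, which is why the DNS server of a 192.168.1.0/24 subnet sits at 192.168.1.2. The constraint values (/16 to /28, five reserved addresses) come from the AWS VPC documentation; the function names are this example's own.

```python
import ipaddress

# Added example (not from the original page). Constraints assumed from the AWS
# VPC documentation: VPC and subnet CIDRs are /16 to /28, a subnet must lie
# inside its VPC, subnets must not overlap, and AWS reserves the first four and
# the last address of every subnet (network, VPC router, DNS, future use, broadcast).
MIN_PREFIX, MAX_PREFIX = 16, 28
RESERVED_PER_SUBNET = 5


def vpc_network(cidr: str) -> ipaddress.IPv4Network:
    """Validate a VPC CIDR block (strict=True rejects host bits such as 10.0.0.1/16)."""
    net = ipaddress.ip_network(cidr, strict=True)
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        raise ValueError(f"VPC CIDR {cidr} must be between /{MIN_PREFIX} and /{MAX_PREFIX}")
    return net


def reserved_addresses(subnet: ipaddress.IPv4Network) -> dict:
    """The five addresses AWS keeps for itself in each subnet."""
    return {
        "network":   str(subnet[0]),
        "router":    str(subnet[1]),   # VPC router
        "dns":       str(subnet[2]),   # Amazon-provided DNS
        "future":    str(subnet[3]),
        "broadcast": str(subnet[-1]),  # no broadcast in a VPC, but the address is reserved
    }


def plan_subnet(vpc: ipaddress.IPv4Network, subnet_cidr: str, existing: list) -> dict:
    """Validate a new subnet against its VPC and the subnets already carved from it,
    and return the address range instances can actually use."""
    sub = ipaddress.ip_network(subnet_cidr, strict=True)
    if not MIN_PREFIX <= sub.prefixlen <= MAX_PREFIX:
        raise ValueError(f"subnet {subnet_cidr} must be between /{MIN_PREFIX} and /{MAX_PREFIX}")
    if not sub.subnet_of(vpc):
        raise ValueError(f"subnet {subnet_cidr} is not inside VPC {vpc}")
    for other in existing:
        if sub.overlaps(other):
            raise ValueError(f"subnet {subnet_cidr} overlaps existing subnet {other}")
    return {
        "cidr": str(sub),
        "reserved": reserved_addresses(sub),
        "usable_hosts": sub.num_addresses - RESERVED_PER_SUBNET,
        "first_usable": str(sub[4]),
        "last_usable": str(sub[-2]),
    }


def carve(vpc_cidr: str, subnet_cidrs: list) -> list:
    """Plan several subnets in order, rejecting the first one that conflicts."""
    vpc = vpc_network(vpc_cidr)
    planned, nets = [], []
    for cidr in subnet_cidrs:
        planned.append(plan_subnet(vpc, cidr, nets))
        nets.append(ipaddress.ip_network(cidr))
    return planned


if __name__ == "__main__":
    for p in carve("10.0.0.0/16", ["10.0.0.0/24", "10.0.1.0/24"]):
        print(p["cidr"], "usable:", p["usable_hosts"], "DNS:", p["reserved"]["dns"])
```

Run it before creating subnets; the overlap and out-of-VPC checks reproduce the errors the create-subnet call would otherwise return, and the reserved-address list explains why a /24 yields 251 usable hosts rather than 254.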
Make Your Subnet Public
After you've created the VPC and subnets, you can make one of the subnets a public
subnet by attaching an Internet gateway to your VPC, creating a custom route table,
and configuring routing for the subnet to the Internet gateway.
1. Create an Internet gateway for your VPC. In the output that's returned, take note of
the Internet gateway ID.
2. Using the ID from the previous step, attach the Internet gateway to your VPC.
3. Create a custom route table for your VPC. In the output that's returned, take note of
the route table ID.
4. Create a route in the route table that points all traffic (0.0.0.0/0) to the Internet
gateway.
5. To confirm that your route has been created and is active, describe the route
table and view the results.
6. The route table is currently not associated with any subnet. You need to
associate it with a subnet in your VPC so that traffic from that subnet is routed to the
Internet gateway. First, use the describe-subnets command to get your subnet IDs.
You can use the --filter option to return the subnets for your new VPC only, and the
--query option to return only the subnet IDs and their CIDR blocks.
7. You can choose which subnet to associate with the custom route table, for example,
subnet-b46032ec. This subnet will be your public subnet.
8. You can optionally modify the public IP addressing behavior of your subnet so
that an instance launched into the subnet automatically receives a public IP address.
Otherwise, you should associate an Elastic IP address with your instance after
launch so that it's reachable from the Internet.
1. Create a key pair and use the --query option and the --output text option to pipe your
private key directly into a file with the .pem extension.
2. Create a security group in your VPC, and add a rule that allows SSH access from
anywhere.
aws ec2 create-security-group --group-name SSHAccess --description "Security group for SSH access" --vpc-id vpc-2f09a348
Note
If you use 0.0.0.0/0, you enable all IPv4 addresses to access your instance using
SSH. This is acceptable for this short exercise, but in production, authorize only a
specific IP address or range of addresses.
Launch an instance into your public subnet, using the security group and key pair you've
created. In the output, take note of the instance ID for your instance.
In this example, the AMI is an Amazon Linux AMI in the US East (N. Virginia) region. If
you're in a different region, you'll need the AMI ID for a suitable AMI in your region. For
more information, see Finding a Linux AMI in the Amazon EC2 User Guide for Linux
Instances
Your instance must be in the running state in order to connect to it. Describe your
instance and confirm its state, and take note of its public IP address.
When your instance is in the running state, you can connect to it using an SSH client on
a Linux or Mac OS X computer by using the following command:
Configure an Egress-Only Private Subnet
You can configure the second subnet in your VPC to be an IPv6 egress-only private
subnet. Instances that are launched in this subnet are able to access the Internet over
IPv6 (for example, to get software updates) through an egress-only Internet gateway,
but hosts on the Internet cannot reach your instances.
Create an egress-only Internet gateway for your VPC. In the output that's returned, take
note of the gateway ID.
Create a custom route table for your VPC. In the output that's returned, take note of the
route table ID.
From your private instance, test that you can reach the Internet over IPv6 by running
an IPv6 ping against a website that has ICMP enabled, for example:
ping6 ietf.org (or ping -6 ietf.org on systems whose ping is dual-stack)
Cleanup
After you've verified that you can connect to your instance, you can terminate it if you no
longer need it. To do this, use the terminate-instances command. To delete the other
resources you've created in this example, use the following commands in their listed
order:
4. Detach your Internet gateway from your VPC:
Amazon VPC is the networking layer for Amazon Elastic Compute Cloud (Amazon EC2)
and it allows you to build your own virtual network with AWS.
optional components:
IGWs
EIP addresses
Endpoints
Peering
NAT instance and NAT gateway
VPG, CGW, and VPN
You must first allocate an EIP for use within a VPC and then assign it to an
instance.
EIPs are specific to a region (that is, an EIP in one region cannot be
assigned to an instance within an Amazon VPC in a different region).
There is a one-to-one relationship between network interfaces and EIPs.
You can move EIPs from one instance to another, either in the same Amazon
VPC or a different Amazon VPC within the same region.
EIPs remain associated with your AWS account until you explicitly release them.
There are charges for EIPs allocated to your account, even when they are not
associated with a resource.
You must do the following to create a public subnet with Internet access:
Attach an IGW to your Amazon VPC.
Create a subnet route table rule to send all non-local traffic (0.0.0.0/0) to the
IGW.
Configure your network ACLs and security group rules to allow relevant traffic
to flow to and from your instance.
Assign a public IP address or an EIP to the instance so that it can send and
receive traffic from the Internet.
Endpoints
An Amazon VPC endpoint enables you to create a private connection between your
Amazon VPC and another AWS service without requiring access over the Internet or
through a NAT instance, VPN connection, or AWS Direct Connect.
Specify the policy. You can allow full access or create a custom policy. This
policy can be changed at any time.
Specify the route tables (gateway endpoints). A route will be added to each specified
route table, which will state the service as the destination and the endpoint as the target.
Security Groups
A security group is a virtual stateful firewall that controls inbound and outbound network
traffic to AWS resources and Amazon EC2 instances. All Amazon EC2 instances must
be launched into a security group. If a security group is not specified at launch, then the
instance will be launched into the default security group for the Amazon VPC. The
default security group allows communication between all resources within the
security group, allows all outbound traffic, and denies all other traffic.
You can create up to 500 security groups for each Amazon VPC (a default quota at the
time of writing; these limits are adjustable, so check the current VPC quotas for your account).
You can add up to 50 inbound and 50 outbound rules to each security group.
If you need to apply more than 100 rules to an instance, you can associate up to
five security groups with each network interface.
You can specify allow rules, but not deny rules. This is an important
difference between security groups and ACLs.
You can specify separate rules for inbound and outbound traffic.
By default, no inbound traffic is allowed until you add inbound rules to the
security group.
By default, new security groups have an outbound rule that allows all outbound
traffic.
You can remove that rule and add outbound rules that allow specific outbound
traffic only.
Security groups are stateful. This means that responses to allowed
inbound traffic are allowed to flow outbound regardless of outbound rules
and vice versa. This is an important difference between security groups and
network ACLs.
Instances associated with the same security group can’t talk to each other unless
you add rules allowing it (with the exception being the default security group).
You can change the security groups with which an instance is associated after
launch, and the changes will take effect immediately.
Network ACLs
A custom network ACL's initial configuration will deny all inbound and outbound traffic
until you create rules that allow otherwise. Network ACLs are stateless: return traffic
must be allowed explicitly by a rule in the opposite direction.
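The stateful/stateless distinction above is the one that bites in practice, so here is an added example (not from the original notes) that models both filters in Python and runs a constructed SSH session through them: a security group with no outbound rule for the reply still passes the SYN-ACK because it tracks the allowed inbound flow, while a custom network ACL that allows port 22 in but forgets the ephemeral-port return path drops the same reply. The rule and packet fields, the addresses and the class names are this example's own simplification of what the AWS documentation describes.

```python
import ipaddress
from dataclasses import dataclass

# Added example (not from the original page): a model of security group vs
# network ACL semantics. Addresses and rule sets below are constructed.


@dataclass(frozen=True)
class Rule:
    direction: str          # "in" or "out"
    protocol: str           # "tcp", "udp", "icmp" or "-1" for all protocols
    port_from: int
    port_to: int
    cidr: str               # remote address range the rule applies to
    action: str = "allow"   # security groups: allow only; network ACLs: allow or deny
    number: int = 0         # network ACL rule number (evaluation order)


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" = Internet -> instance, "out" = instance -> Internet
    protocol: str
    remote_ip: str
    local_port: int
    remote_port: int


def _matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    if rule.protocol != "-1" and rule.protocol != pkt.protocol:
        return False
    # Rules are written against the destination port of the packet.
    dst_port = pkt.local_port if pkt.direction == "in" else pkt.remote_port
    if not rule.port_from <= dst_port <= rule.port_to:
        return False
    return ipaddress.ip_address(pkt.remote_ip) in ipaddress.ip_network(rule.cidr)


class SecurityGroup:
    """Stateful and allow-only: a packet passes if an allow rule matches, or if it
    belongs to a connection that was already allowed in the other direction."""

    def __init__(self, rules):
        if any(r.action != "allow" for r in rules):
            raise ValueError("security groups cannot express deny rules")
        self.rules = list(rules)
        self._tracked = set()

    @staticmethod
    def _flow(pkt: Packet):
        return (pkt.protocol, pkt.remote_ip, pkt.remote_port, pkt.local_port)

    def evaluate(self, pkt: Packet) -> bool:
        if self._flow(pkt) in self._tracked:
            return True                       # reply to an allowed flow: no rule needed
        if any(_matches(r, pkt) for r in self.rules):
            self._tracked.add(self._flow(pkt))
            return True
        return False


class NetworkAcl:
    """Stateless and ordered: rules are evaluated by ascending number, the first
    match decides, and the implicit final rule (*) denies everything else."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def evaluate(self, pkt: Packet) -> bool:
        for r in self.rules:
            if _matches(r, pkt):
                return r.action == "allow"
        return False


def demo() -> dict:
    # Admin host 203.0.113.5 opens SSH from ephemeral port 50000; the SYN-ACK goes back there.
    sg = SecurityGroup([
        Rule("in", "tcp", 22, 22, "203.0.113.0/24"),
        Rule("out", "tcp", 443, 443, "0.0.0.0/0"),     # outbound limited to HTTPS updates
    ])
    nacl_missing_return = NetworkAcl([
        Rule("in", "tcp", 22, 22, "0.0.0.0/0", "allow", 100),
    ])
    nacl_ok = NetworkAcl([
        Rule("in", "tcp", 22, 22, "198.51.100.0/24", "deny", 50),    # lower number wins
        Rule("in", "tcp", 22, 22, "0.0.0.0/0", "allow", 100),
        Rule("out", "tcp", 1024, 65535, "0.0.0.0/0", "allow", 100),  # ephemeral return path
    ])
    syn = Packet("in", "tcp", "203.0.113.5", local_port=22, remote_port=50000)
    syn_ack = Packet("out", "tcp", "203.0.113.5", local_port=22, remote_port=50000)
    unsolicited = Packet("out", "tcp", "198.51.100.9", local_port=40000, remote_port=25)
    blocked_src = Packet("in", "tcp", "198.51.100.9", local_port=22, remote_port=51000)
    return {
        "sg_ssh_in": sg.evaluate(syn),                                # True: inbound rule
        "sg_reply_out": sg.evaluate(syn_ack),                         # True: stateful, no port-50000 rule needed
        "sg_unsolicited_out": sg.evaluate(unsolicited),               # False: not a reply, no rule
        "nacl_ssh_in": nacl_missing_return.evaluate(syn),             # True
        "nacl_reply_blocked": nacl_missing_return.evaluate(syn_ack),  # False: stateless
        "nacl_reply_ok": nacl_ok.evaluate(syn_ack),                   # True: ephemeral range allowed
        "nacl_deny_wins": nacl_ok.evaluate(blocked_src),              # False: rule 50 deny precedes rule 100 allow
    }
```

The model deliberately mirrors the two asymmetries the notes call out: SecurityGroup refuses to accept a deny rule at all, and NetworkAcl needs the outbound 1024-65535 allow before the SSH reply can leave the subnet.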
NAT Gateway
A NAT gateway is an Amazon managed resource that is designed to operate just like a
NAT instance, but it is simpler to manage and highly available within an Availability
Zone.
NAT Instance
A network address translation (NAT) instance is an Amazon Linux Amazon Machine
Image (AMI) that is designed to accept traffic from instances within a private subnet,
translate the source IP address to the public IP address of the NAT instance, and
forward the traffic to the IGW.
The Elastic Load Balancing service allows you to distribute traffic across a group of
Amazon EC2 instances in one or more Availability Zones, enabling you to achieve
high availability in your applications. Elastic Load Balancing supports routing and load
balancing of Hypertext Transfer Protocol (HTTP), Hypertext Transfer Protocol Secure
(HTTPS), Transmission Control Protocol (TCP), and Secure Sockets Layer (SSL) traffic
to Amazon EC2 instances. Elastic Load Balancing provides a stable, single Canonical
Name record (CNAME) entry point for Domain Name System (DNS) configuration and
supports both Internet-facing and internal application-facing load balancers. Elastic
Load Balancing supports health checks for Amazon EC2 instances to ensure traffic is
not routed to unhealthy or failing instances. Elastic Load Balancing can automatically
scale based on collected metrics.
Elastic Load Balancing is a highly available service itself and can be used to help
build highly available architectures. An AWS recommended best practice is
always to reference a load balancer by its DNS name, instead of by the IP address
of the load balancer, in order to provide a single, stable entry point. To ensure
that the load balancer is responsible for closing the connections to your back-end
instance, make sure that the keep-alive time you set on the instance is greater
than the idle timeout setting on your load balancer.
Amazon CloudWatch
Amazon CloudWatch is a monitoring service for AWS Cloud resources and the
applications running on AWS. It allows organizations to collect and track metrics,
collect and monitor log files, and set alarms.
Auto Scaling
A distinct advantage of deploying applications to the cloud is the ability to launch and
then release servers in response to variable workloads. Provisioning servers on
demand and then releasing them when they are no longer needed can provide
significant cost savings for workloads that are not steady state.
Steady state workloads that need a consistent number of Amazon EC2 instances
at all times can use Auto Scaling to monitor and keep that specific number of
Amazon EC2 instances running.
Manual scaling out can be very useful to increase resources for an infrequent event,
such as the release of a new game version that will be available for download and
require a user registration. For extremely large-scale events, even the Elastic Load
Balancing load balancers can be pre-warmed by working with your local solutions
architect or AWS Support.
Recurring events such as end-of-month, quarter, or year processing, or
scheduled and recurring automated load and performance testing, can be
anticipated and Auto Scaling can be ramped up appropriately at the time of the
scheduled event.
In large deployments of Amazon EC2 instances, Auto Scaling can be used to make
rolling out a patch to your instances easy. The launch configuration associated with the
Auto Scaling group may be modified to reference a new AMI and even a new Amazon
EC2 instance type if needed. Then you can deregister or terminate instances one at a time
or in small groups, and the new Amazon EC2 instances will reference the new patched
AMI.
Auto Scaling supports several scaling plans: 1) maintain current instance levels, 2)
manual scaling, 3) scheduled scaling, and 4) dynamic scaling in response to demand.
A launch configuration is the template that Auto Scaling uses to create new
instances, and it is composed of the configuration name, Amazon Machine Image
(AMI), Amazon EC2 instance type, security group, and instance key pair.
An Auto Scaling group is a collection of Amazon EC2 instances managed by the
Auto Scaling service.
These three services (Elastic Load Balancing, Amazon CloudWatch, and Auto
Scaling) can be used very effectively together to create a highly
available application with a resilient architecture on AWS.
A principal is an IAM entity that is allowed to interact with AWS resources. A principal
can be permanent or temporary, and it can represent a human or an application.
IAM is a powerful service that allows you to control how people and programs are
allowed to manipulate your AWS infrastructure. IAM uses traditional identity
concepts such as users, groups, and access control policies to control who can use
your AWS account, what services and resources they can use, and how they can use
them.
First, IAM is not an identity store/authorization system for your applications. The
permissions that you assign are permissions to manipulate AWS infrastructure,
not permissions within your application.
Second, IAM is not operating system identity management. Remember that under the
shared responsibility model, you are in control of your operating system console and
configuration. Whatever mechanism you currently use to control access to your server
infrastructure will continue to work on Amazon Elastic Compute Cloud (Amazon EC2)
instances, whether that is managing individual machine login accounts or a directory
service such as Active Directory or Lightweight Directory Access Protocol (LDAP). You
can run an Active Directory or LDAP server on Amazon EC2, or you can extend your
on-premises system into the cloud. AWS Directory Service will also work well to provide
Active Directory functionality in the cloud as a service, whether standalone or integrated
with your existing Active Directory.
The AWS Root User
When you first create an AWS account, you begin with only a single sign-in
principal that has complete access to all AWS Cloud services and resources in the
account.
A good first step is to use the root user to create a new IAM group called “IAM
Administrators” and assign the managed policy, “IAMFullAccess.” Then create a
new IAM user called “Administrator,” assign a password, and add it to the IAM
Administrators group. At this point, you can log off as the root user and perform all
further administration with the IAM user account.
IAM Users: users are an excellent way to enforce the principle of least privilege.
Roles/Temporary Security Tokens: roles are used to grant specific privileges to
specific actors for a set duration of time.
The lifetime of a temporary security token ranges from 15 minutes to 36 hours,
depending on how the token is obtained.
Roles and temporary security tokens enable a number of use cases:
1. Amazon EC2 Roles
2. Cross-Account Access
3. Federation
IAM can integrate with two different types of outside Identity Provider (IdP):
OpenID Connect and Security Assertion Markup Language 2.0 (SAML).
What actions a principal can and cannot perform is called authorization.
Using IAM roles for Amazon EC2 removes the need to store AWS credentials in a
configuration file.
Multi-Factor Authentication requires you to verify your identity with both something you
know and something you have.
Using predefined managed policies ensures that when new permissions are added
for new features, your users will still have the correct access.
Rotating Keys
The security risk of any credential increases with the age of the credential. To this end,
it is a security best practice to rotate access keys associated with your IAM users. IAM
facilitates this process by allowing two active access keys at a time. The process to
rotate keys can be conducted via the console, CLI, or SDKs:
Resolving Multiple Permissions
1. Initially, the request is denied by default.
2. All the appropriate policies are evaluated; if there is an explicit “deny” found in
any policy, the request is denied and evaluation stops.
3. If no explicit “deny” is found and an explicit “allow” is found in any policy, the request
is allowed.
4. If there are no explicit “allow” or “deny” permissions found, then the default “deny” is
maintained and the request is denied.
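To make the precedence concrete, here is an added example (not from the original notes) of those four steps as a small Python evaluator run over three constructed policies: an IAMFullAccess-style allow, a read policy for an S3 reports bucket, and a deny on its secret/ prefix. It handles Action and Resource with IAM wildcards and the Effect field; it ignores Condition, Principal, NotAction and NotResource, so it is a model of the precedence rules, not a substitute for the IAM policy simulator. The policy names and ARNs are made up for the example.

```python
import fnmatch

# Added example (not from the original page): simplified IAM policy evaluation.
# Policies and ARNs below are constructed.


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    # Action names are case-insensitive; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern: str, resource: str) -> bool:
    # ARNs are case-sensitive.
    return fnmatch.fnmatchcase(resource, pattern)


def evaluate(policies: list, action: str, resource: str) -> str:
    """Return "allow" or "deny" for one request across all applicable policies."""
    decision = "deny"                                   # 1. default deny
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not any(_action_matches(p, action) for p in _as_list(stmt.get("Action", []))):
                continue
            if not any(_resource_matches(p, resource) for p in _as_list(stmt.get("Resource", "*"))):
                continue
            if stmt["Effect"] == "Deny":
                return "deny"                           # 2. explicit deny wins; stop evaluating
            decision = "allow"                          # 3. explicit allow; keep looking for a deny
    return decision                                     # 4. nothing allowed it: default deny stands


IAM_FULL_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}
REPORTS_READER = {"Statement": [{"Effect": "Allow",
                                 "Action": ["s3:GetObject", "s3:ListBucket"],
                                 "Resource": ["arn:aws:s3:::reports", "arn:aws:s3:::reports/*"]}]}
SECRET_GUARD = {"Statement": [{"Effect": "Deny", "Action": "s3:*",
                               "Resource": "arn:aws:s3:::reports/secret/*"}]}
ADMIN_POLICIES = [IAM_FULL_ACCESS, REPORTS_READER, SECRET_GUARD]


if __name__ == "__main__":
    for act, res in [("s3:GetObject", "arn:aws:s3:::reports/q1.csv"),
                     ("s3:GetObject", "arn:aws:s3:::reports/secret/payroll.csv"),
                     ("ec2:TerminateInstances", "*"),
                     ("IAM:CreateUser", "*")]:
        print(f"{act:24} {res:45} -> {evaluate(ADMIN_POLICIES, act, res)}")
```

Note that the order of the policies in the list does not matter: SECRET_GUARD denies payroll.csv whether it is evaluated before or after REPORTS_READER, which is exactly why an explicit deny is the right tool for carving an exception out of a broad allow.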
Database systems and engines can be grouped into two broad categories:
Relational (SQL) databases: MariaDB (open source, built by the creators of MySQL),
PostgreSQL (open source), Microsoft SQL Server, Oracle
Non-relational (NoSQL) databases: HBase, MongoDB, Cassandra, CouchDB
Recap
Amazon RDS MySQL allows you to connect using standard MySQL tools such as
MySQL Workbench or SQL Workbench/J. Amazon RDS MySQL supports Multi-AZ
deployments for high availability and read replicas for horizontal scaling.
Amazon RDS PostgreSQL also supports Multi-AZ deployment for high availability and
read replicas for horizontal scaling.
Amazon RDS supports MariaDB version 10.0.17 (at the time of writing). Amazon RDS fully
supports the XtraDB storage engine for MariaDB DB Instances and, like Amazon RDS MySQL
and PostgreSQL, has support for Multi-AZ deployment and read replicas.
Amazon RDS Oracle supports three different editions of the popular database engine:
Standard Edition One, Standard Edition, and Enterprise Edition.
Amazon RDS Microsoft SQL Server also supports four different editions of SQL Server:
Express Edition, Web Edition, Standard Edition, and Enterprise Edition.
Edition     Encryption   Multiple Availability Zone
Express     KMS
Web         KMS
Standard    KMS          Yes
NOTE:
AWS Key Management Service (AWS KMS): AWS KMS is a managed service that
makes it easy for you to create and control the encryption keys used to encrypt your
data. AWS KMS lets you create keys that can never be exported from the service
and that can be used to encrypt and decrypt data based on policies you define.
Amazon Aurora
Amazon Aurora offers enterprise-grade commercial database technology. Amazon
Aurora is a fully managed service, is MySQL compatible out of the box, and provides
increased reliability and performance over standard MySQL deployments.
Aurora
DynamoDB
Elasticache
Redis
Memcached
Route 53
What is Route 53
AWSCSA-23.3: Routing Policies
Simple: This is the default. Most commonly used when you have a single resource that
performs a given function for your domain, e.g. one web server that serves content for
a website.
Weighted: Used for splitting traffic in proportions you specify, for example between
regions, or if you want to do some A/B testing on a new website.
Latency: This is based on the lowest network latency for your end user (routing to the
best region). You create a latency resource record set for each region.
Route 53 selects the latency resource record set for the region that will give the user
the best result and responds with that resource record set.
User -> DNS -> the EC2 instance with the better latency
Failover: When you want to create an active/passive set up. Route 53 monitors the
health of your primary site using a health check.
Remember!
Can create an Alias record at the zone apex of a Domain, but cannot
create a CNAME for it
1. Simple Routing
2. Weighted Routing
3. Latency Routing
4. Failover Routing
5. Geolocation Routing
Simple Routing
When you have a single resource that performs a specific function for your domain
Route 53 responds to DNS queries based only on the value in the resource
record set (for example, the IP address in an A record)
Default policy when you create a Record Set
Weighted Routing
When you have multiple resources that perform the same function (for
example, web servers that serve the same website) and you want to route
traffic to them in proportions that you specify (for example, 3/4 of the traffic to
the first site and 1/4 to the second one)
Use cases include load balancing and testing new versions of software (A/B
testing)
Latency Routing
When you have resources in multiple regions that perform the same
function and you want Route 53 to respond to DNS queries with the
resource that has the lowest latency for the user
Latency resource record sets are allowed for EC2 instances and ELBs.
Latency between hosts on the Internet can change over time as a result of
changes in network connectivity and routing.
Failover Routing
When you want an active/passive setup: Route 53 monitors the health of the
primary resource with a health check and answers with the secondary resource
only when the primary is unhealthy.
Geolocation Routing
When you want Route 53 to respond to DNS queries based on the location of
your users.
Use cases include:
o Restrict distribution of content to only the locations in which you
have distribution rights
o Localize your content and present some or all of your website in the
language of your users.
DNS is used to convert human-friendly domain names into an Internet Protocol
(IP) address.
DNS is like the phonebook. If someone wants to call you at your new house or
location, they might look you up by name in the phonebook.
DNS uses a hierarchical name structure, and different levels in the hierarchy are each
separated with a dot (.). Example: www.amazon.com or aws.amazon.com. In both cases
COM is the Top Level Domain (TLD)
.com
.edu
Etc
Strictly speaking, the amazon portion is the domain, but we can generally refer to the
combined form as the domain name.
For example, 111.222.111.222 could be a valid IPv4 IP address. With DNS, we
map a name to that address so that you do not have to remember a complicated
set of numbers for each place you want to visit on a network.
A zone file is a simple text file that contains the mappings between domain
names and IP addresses. This is how a DNS server finally identifies which IP
address should be contacted when a user requests a certain domain name.
Zone files reside in name servers and generally define the resources available
under a specific domain, or the place where one can go to get that information.
Domain Registrars
Names are registered with InterNIC - a service of ICANN. They enforce the uniqueness.
Route53 isn't free, but domain registrars include things like GoDaddy.com etc.
SOA Records
NS Records
Name server records, used by Top Level Domain servers to direct queries to the name
servers that hold the authoritative DNS records for the domain.
A Records
Address record, used to translate from a domain name to an IP address. A records are
always IPv4; the IPv6 equivalent is the AAAA record.
TTL
Length of time that a DNS record is cached on either the resolving server or on your PC.
This is important from an architectural point of view: a long TTL means a change to the
record takes that long to be seen everywhere.
CNAMES
Canonical Name (CName) can be used to resolve one domain name to another. eg. you
may have a mobile website m.example.com that is used for when users browse to your
domain on a mobile. You may also want mobile.example.com to point there as well.
Alias Records
Used to map resource record sets in your hosted zone to Elastic Load Balancers,
CloudFront Distribution, or S3 buckets that are configured as websites.
Alias records work like a CNAME record in that you can map one DNS name
(www.example.com) to another 'target' DNS name (aeijrioea.elb.amazonaws.com)
Key Difference: a CNAME can't be used for naked domain names (zone apex).
You can't have a CNAME for acloud.guru. It must be either an A record or an
Alias.
The naked domain name MUST always be an A record (or an Alias, which Route 53
answers as an A record), never a CNAME, e.g. dennis.com.
Summary
An ELB has no fixed IP address, only a DNS name, so www.example.com can be a
CNAME to it but the zone apex cannot; that is why you have the Alias record, which
Route 53 resolves to the ELB's current IPv4 addresses.
Queries to Alias records that point at AWS resources are not charged, whereas CNAME
queries are.
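As an added example (not from the original notes), the following Python lint parses a small constructed zone file and flags the two mistakes discussed above: a CNAME at the zone apex, and a CNAME that shares a name with other record types (which RFC 1034 forbids). "ALIAS" is not a real DNS record type; it stands in here for a Route 53 Alias, which is an assumption of this model, as are the zone contents and the parser's limited syntax (one record per line, $ORIGIN first).

```python
from collections import defaultdict
from dataclasses import dataclass

# Added example (not from the original page): minimal zone-file parser plus a
# lint for the apex-CNAME rule. The zone text is constructed; "ALIAS" is a
# stand-in for a Route 53 Alias record, not a real DNS type.


@dataclass(frozen=True)
class Record:
    name: str
    ttl: int
    rtype: str
    rdata: str


def parse_zone(text: str):
    """Parse 'name TTL IN TYPE rdata' lines; '@' and relative names use $ORIGIN."""
    origin, records = None, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].lower()
            continue
        name, ttl, _cls, rtype, *rdata = line.split()
        if origin is None:
            raise ValueError("$ORIGIN must precede the first record")
        if name == "@":
            fqdn = origin
        elif name.endswith("."):
            fqdn = name.lower()
        else:
            fqdn = f"{name}.{origin}".lower()
        records.append(Record(fqdn, int(ttl), rtype.upper(), " ".join(rdata)))
    return origin, records


def lint_zone(text: str) -> list:
    """Return problems: a CNAME at the apex, or a CNAME beside other record types."""
    origin, records = parse_zone(text)
    by_name = defaultdict(set)
    for r in records:
        by_name[r.name].add(r.rtype)
    problems = []
    for name, types in by_name.items():
        if "CNAME" not in types:
            continue
        if name == origin:
            problems.append(f"{name}: CNAME at the zone apex; use A/AAAA or a Route 53 Alias")
        elif len(types) > 1:
            others = ", ".join(sorted(types - {"CNAME"}))
            problems.append(f"{name}: CNAME cannot coexist with other records ({others})")
    return problems


ZONE = """\
$ORIGIN example.com.
@       300 IN SOA   ns1.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 300
@       300 IN NS    ns1.example.com.
@       300 IN CNAME aeijrioea.elb.amazonaws.com.   ; wrong: CNAME at the apex
www     300 IN CNAME aeijrioea.elb.amazonaws.com.
www     300 IN A     192.0.2.10                     ; wrong: A record beside a CNAME
m       300 IN CNAME mobile.example.com.            ; fine
mobile  300 IN A     192.0.2.20
api     300 IN ALIAS aeijrioea.elb.amazonaws.com.   ; Route 53 Alias stand-in
"""

if __name__ == "__main__":
    for problem in lint_zone(ZONE):
        print(problem)
```

Route 53 rejects both configurations at record-creation time; the value of a lint like this is catching them in a zone that is kept in version control before it is ever imported.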
Bootstrap Script
Simple Queue Service is a fully managed message queuing service.
Amazon SQS ensures delivery of each message at least once and supports
multiple readers and writers interacting with the same queue.
A standard queue does not guarantee First In, First Out (FIFO) delivery of messages.
For many distributed applications, each message can stand on its own and if all
messages are delivered, the order is not important.
Multiple producers and consumers can interact with SQS at the same time.
Message size max 256 KB of text data (for example, JSON, XML, unformatted
text)
But billed in 64 KB chunks -> a 256 KB message is billed as 4 requests
Nearly unlimited throughput
At-Least-Once Delivery
Design your application to be idempotent
If you need order maintained, add sequencing info to each message so you can
reorder them once they are received.
Can send/receive/delete a maximum of 10 messages in one (batch) request
Message Retention Period: 1 minute to 14 days (default 4 days)
Delay queues allow you to postpone the delivery of new messages in a queue for a
specific number of seconds.
To create a delay queue, use CreateQueue and set the DelaySeconds attribute
to any value between 0 and 900 (15 minutes)
The default value for DelaySeconds is 0.
A message is considered IN FLIGHT after a consumer has received it but before it is
deleted, that is, while its visibility timeout is running.
You can have up to 120,000 messages IN FLIGHT at any given time (standard queues).
Amazon SQS supports a maximum visibility timeout of 12 hours.
Your messages are identified via a globally unique ID that Amazon SQS returns.
Amazon SQS uses three identifiers: 1) queue URL, 2) message IDs, 3) receipt
handles.
Each message can have up to 10 message attributes.
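The at-least-once, visibility-timeout and reordering points above are easiest to see in motion, so here is an added example (not from the original notes): an in-memory model of an SQS standard queue in Python (send, receive with receipt handles, delete, a simulated clock) driven by a consumer that crashes before deleting a message, followed by an idempotent consumer that processes each message ID once and reorders by the sequence number carried in the body. The class and its limits follow the figures in the notes; the message bodies and the rule that only the latest receipt handle can delete are this example's own construction.

```python
import json
import uuid

# Added example (not from the original page): model of an SQS standard queue
# with at-least-once delivery, visibility timeout and receipt handles. Time is
# simulated so the redelivery is reproducible; message bodies are constructed.


class StandardQueue:
    MAX_BATCH = 10
    MAX_BODY_BYTES = 256 * 1024
    MAX_VISIBILITY = 12 * 3600
    MAX_DELAY = 900

    def __init__(self, visibility_timeout: int = 30, delay_seconds: int = 0):
        if not 0 <= delay_seconds <= self.MAX_DELAY:
            raise ValueError("DelaySeconds must be between 0 and 900")
        if not 0 <= visibility_timeout <= self.MAX_VISIBILITY:
            raise ValueError("visibility timeout must be between 0 and 43200 seconds")
        self.visibility_timeout = visibility_timeout
        self.delay_seconds = delay_seconds
        self._clock = 0              # simulated seconds
        self._messages = {}          # message_id -> {"body", "visible_at", "receipt"}

    def advance(self, seconds: int) -> None:
        self._clock += seconds

    def send(self, body: str) -> str:
        if len(body.encode()) > self.MAX_BODY_BYTES:
            raise ValueError("message exceeds 256 KB")
        message_id = str(uuid.uuid4())
        self._messages[message_id] = {"body": body,
                                      "visible_at": self._clock + self.delay_seconds,
                                      "receipt": None}
        return message_id

    def receive(self, max_messages: int = 1) -> list:
        """Return up to max_messages visible messages as (id, receipt_handle, body)
        and hide each one for the visibility timeout."""
        if not 1 <= max_messages <= self.MAX_BATCH:
            raise ValueError("at most 10 messages per request")
        batch = []
        for message_id, m in self._messages.items():
            if m["visible_at"] <= self._clock:
                m["receipt"] = str(uuid.uuid4())          # a fresh handle on every delivery
                m["visible_at"] = self._clock + self.visibility_timeout
                batch.append((message_id, m["receipt"], m["body"]))
                if len(batch) == max_messages:
                    break
        return batch

    def delete(self, receipt_handle: str) -> bool:
        for message_id, m in list(self._messages.items()):
            if m["receipt"] == receipt_handle:
                del self._messages[message_id]
                return True
        return False          # stale handle: in this model only the latest handle deletes

    def __len__(self) -> int:
        return len(self._messages)


def consume(queue: StandardQueue, seen: set, results: list) -> int:
    """Idempotent consumer: process each message ID once, always delete."""
    batch = queue.receive(StandardQueue.MAX_BATCH)
    for message_id, receipt, body in batch:
        if message_id not in seen:                # a redelivered message is skipped
            seen.add(message_id)
            results.append(json.loads(body))
        queue.delete(receipt)
    return len(batch)


def demo() -> dict:
    q = StandardQueue(visibility_timeout=30)
    for seq in (3, 1, 2):                         # producer sends out of order
        q.send(json.dumps({"seq": seq, "payload": f"event-{seq}"}))
    seen, results = set(), []
    deliveries = len(q.receive(1))                # consumer A receives one message, then crashes
    q.advance(31)                                 # its visibility timeout expires: visible again
    deliveries += consume(q, seen, results)       # consumer B gets all three, one a redelivery
    ordered = [r["seq"] for r in sorted(results, key=lambda r: r["seq"])]
    return {"deliveries": deliveries, "processed": len(results),
            "ordered_seqs": ordered, "remaining": len(q)}
```

Four deliveries for three messages is the at-least-once guarantee doing exactly what it promises; the consumer, not the queue, is responsible for making that harmless.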
Each topic has a unique name that identifies the Amazon SNS endpoint where
publishers post messages and subscribers register for notifications.
Send notifications to Apple, Google, Fire OS, and Windows devices, as well as to
Android devices in China with Baidu Cloud Push
Create Simple Notification Service (SNS) topics and subscribe clients
(subscribers) to them
Amazon SNS can support a wide variety of needs, including monitoring
applications, workflow systems, time-sensitive information updates, mobile
applications, and any other application that generates or consumes
notifications. For example, you can use Amazon SNS to relay events in
workflow systems among distributed computer applications, move data
between data stores, or update records in business systems.
A fanout scenario is when an Amazon SNS message is sent to a topic and then
replicated and pushed to multiple Amazon SQS queues, HTTP endpoints, or
email addresses. This allows for parallel asynchronous processing.
Can customize messages by protocol
Flexible message delivery over multiple transport protocols:
o HTTP
o HTTPS
o Email
o Email-JSON
o Simple Queue Service (SQS)
Push email and text messaging are two ways to transmit messages to individuals
or groups via email and/or SMS. For example, you can use Amazon SNS to push
targeted news headlines to subscribers by email or SMS.
Mobile push notifications enable you to send messages directly to mobile
applications.
o Simple Workflow is a managed web service for task coordination and state
tracking across distributed application components
o SWF works with applications in the cloud as well as on-premises.
o A workflow can also involve human action
o Simple Workflow Service (SWF) redundantly stores the tasks, reliably
dispatches them to the application components, tracks their progress, and
keeps their latest state
o A task will be performed at most once (tasks won't be duplicated).
o Actors can be workflow starters, deciders or activity workers. These actors
communicate with Amazon SWF through its API.
o The logic that coordinates the tasks in a workflow is called the DECIDER.
o An ACTIVITY worker is a single computer process (or thread) that performs
the activities in your workflow.
o Amazon SWF provides activity workers and deciders with work assignments,
given as one of three types of tasks: activity tasks, AWS Lambda tasks, and
decision tasks.
o Amazon SWF schedules a decision task when the workflow starts and
whenever the state of the workflow changes, such as when an activity task
completes.
o Task lists provide a flexible mechanism to route tasks to workers as your use
case necessitates.
Domain
Worker
Tasks
Decider task
Amazon Simple Workflow Service (SWF) vs Amazon Simple Queue Service (SQS)
o SQS offers best-effort ordering (standard queues)
o SWF will assign a task only once (no duplicates)
o SQS can introduce duplicates (at-least-once delivery)
o An SWF task can last up to 1 year
o SQS messages can be retained in the queue for a maximum of 14 days.
Exam Tips
CloudFormation
AWS CloudFormation is a service that helps you model and set up your AWS
resources so that you can spend less time managing those resources.
Infrastructure as code
CloudFormation is free
You pay for the resources created by CloudFormation
Stack: a collection of resources you want to be deployed together as a group
JSON and YAML compatible
You use AWS CloudFormation templates to define your AWS resources and their
properties. A template is a text file written in JSON or YAML.
When you use AWS CloudFormation, you can reuse your template to set up your
resources consistently and repeatedly. Just describe your resources once, and
then provision the same resources over and over in multiple regions.
When you use AWS CloudFormation, you manage related resources as a single
unit called a stack. You create, update, and delete a collection of resources by
creating, updating, and deleting stacks. All of the resources in a stack are defined
by the stack’s AWS CloudFormation template.
Often you will need to launch stacks from the same template, but with minor
variations, such as within a different Amazon VPC or using AMIs from a different
region. These variations can be addressed using parameters. You can use
parameters to customize aspects of your template at runtime, when the stack is
built. For example, you can pass the Amazon RDS database size, Amazon EC2
instance types, database, and web server port numbers to AWS CloudFormation
when you create a stack.
Because environments are dynamic in nature, you inevitably will need to update
your stack’s resources from time to time. There is no need to create a new stack
and delete the old one; you can simply modify the existing stack’s template. To
update a stack, create a change set by submitting a modified version of the
original stack template, different input parameter values, or both.
If you want to delete a stack but still retain some resources in that stack,
you can use a deletion policy to retain those resources. If a resource has
no deletion policy, AWS CloudFormation deletes the resource by default.
Use Case
Quickly Launch New Test Environments
Reliably Replicate Configuration Between Environments
Launch Applications in New AWS Regions
There are key components that comprise AWS Elastic Beanstalk and work
together to provide the necessary services to deploy and manage applications
easily in the cloud. An AWS Elastic Beanstalk application is the logical collection
of these AWS Elastic Beanstalk components, which includes environments,
versions, and environment configurations. In AWS Elastic Beanstalk, an
application is conceptually similar to a folder.
An environment is an application version that is deployed onto AWS resources.
Each environment runs only a single application version at a time; however, the
same version or different versions can run in as many environments at the same
time as needed. When an environment is created, AWS Elastic Beanstalk
provisions the resources needed to run the application version that is specified.
At the time of this writing, AWS Elastic Beanstalk provides platform support for
the programming languages Java, Node.js, PHP, Python, Ruby, and Go with
support for the web containers Tomcat, Passenger, Puma, and Docker.
AWS Trusted Advisor draws upon best practices learned from the aggregated
operational history of serving over a million AWS customers. AWS Trusted Advisor is
accessed in the AWS Management Console. Additionally, programmatic access to
AWS Trusted Advisor is available with the AWS Support API.
AWS Trusted Advisor provides best practices in four categories: cost
optimization, security, fault tolerance, and performance improvement
Security Groups - Specific Ports Unrestricted: checks security groups for rules
that allow unrestricted access (0.0.0.0/0) to specific ports.
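The same check run locally, as an added example that is not from these notes: a Go program that reads a constructed describe-security-groups JSON document and reports sensitive ports open to 0.0.0.0/0 or ::/0. The group IDs, the rules and the short SensitivePorts list are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample in the shape of `aws ec2 describe-security-groups` output,
// trimmed to the fields the check reads; group IDs and rules are made up.
const sampleSecurityGroups = `{"SecurityGroups": [
  {"GroupId": "sg-0123456789abcdef0", "GroupName": "WebServerSG", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
  {"GroupId": "sg-0fedcba9876543210", "GroupName": "DBServerSG", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0"}]},
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]}`

// permission mirrors one IpPermissions entry; FromPort and ToPort are absent
// (decoded as 0) when IpProtocol is "-1", which means all traffic.
type permission struct {
	IpProtocol string
	FromPort   int
	ToPort     int
	IpRanges   []struct{ CidrIp string }
	Ipv6Ranges []struct{ CidrIpv6 string }
}

// Finding records one sensitive port reachable from the whole internet.
type Finding struct {
	GroupID string
	Port    int
	Cidr    string
}

// SensitivePorts is this example's own short list (an assumption standing in
// for Trusted Advisor's list) of ports that should never be open to anywhere.
var SensitivePorts = []int{22, 23, 3306, 3389, 5432}

func isAnywhere(cidr string) bool { return cidr == "0.0.0.0/0" || cidr == "::/0" }

// UnrestrictedPorts parses describe-security-groups JSON and reports each
// (group, port, cidr) where a sensitive port is open to 0.0.0.0/0 or ::/0.
func UnrestrictedPorts(raw string) ([]Finding, error) {
	var out struct{ SecurityGroups []struct{ GroupId string; IpPermissions []permission } }
	if err := json.Unmarshal([]byte(raw), &out); err != nil {
		return nil, err
	}
	var findings []Finding
	for _, sg := range out.SecurityGroups {
		for _, p := range sg.IpPermissions {
			var open []string // the "anywhere" ranges this rule allows
			for _, r := range p.IpRanges {
				if isAnywhere(r.CidrIp) {
					open = append(open, r.CidrIp)
				}
			}
			for _, r := range p.Ipv6Ranges {
				if isAnywhere(r.CidrIpv6) {
					open = append(open, r.CidrIpv6)
				}
			}
			for _, port := range SensitivePorts {
				// "-1" covers all ports, so one such rule exposes every
				// sensitive port at once; otherwise check the port range.
				if p.IpProtocol != "-1" && (port < p.FromPort || port > p.ToPort) {
					continue
				}
				for _, c := range open {
					findings = append(findings, Finding{sg.GroupId, port, c})
				}
			}
		}
	}
	return findings, nil
}

func main() {
	findings, _ := UnrestrictedPorts(sampleSecurityGroups)
	for _, f := range findings {
		fmt.Printf("%s: port %d open to %s\n", f.GroupID, f.Port, f.Cidr)
	}
}
```

Port 80 open to the world is not reported (web traffic is expected there), while the DBServerSG "all traffic" rule alone produces one finding per sensitive port.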
AWS Config
AWS Config is a fully managed service that provides you with an AWS resource
inventory, configuration history, and configuration change notifications to enable
security and governance. With AWS Config, you can discover existing and deleted AWS
resources, determine your overall compliance against rules, and dive into configuration
details of a resource at any point in time.
AWS Config provides a detailed view of the configuration of AWS resources in
your AWS account. This includes how the resources are related and how they
were configured in the past so that you can see how the configurations and
relationships change over time.
Use Cases
o Discovery
o Change Management
o Continuous Audit and Compliance: AWS Config and AWS Config Rules are
designed to help you assess compliance with internal policies and regulatory
standards by providing visibility into the configuration of a resource at any
time and evaluating relevant configuration changes against rules that you can
define.
o Troubleshooting
o Security and Incident Analysis
AWS Config integrates with AWS CloudTrail, a service that records AWS API
calls for an account and delivers API usage log files to an Amazon S3 bucket. If
the configuration change of a resource was the result of an API call, AWS Config
also records the AWS CloudTrail event ID that corresponds to the API call that
changed the resource’s configuration. Organizations can then leverage the AWS
CloudTrail logs to obtain details of the API call that was made, including who
made the API call, at what time, and from which IP address, to use for
troubleshooting purposes.
Organizations can use the AWS Management Console, API, or AWS CLI to
obtain details of what a resource’s configuration looked like at any point in
the past. AWS Config will also automatically deliver a history file to the Amazon
S3 bucket you specify every six hours that contains all changes to your resource
configurations.
You should architect your AWS usage to take advantage of multiple regions and
Availability Zones. Distributing applications across multiple Availability Zones provides
the ability to remain resilient in the face of most failure modes, including natural
disasters or system failures.
It is not possible for a virtual instance running in promiscuous mode to receive or “sniff”
traffic that is intended for a different virtual instance.
Attacks such as Address Resolution Protocol (ARP) cache poisoning do not work within
Amazon EC2 and Amazon VPC.
Incident
When you move computer systems and data to the cloud, security responsibilities
become shared between you and your cloud service provider.
SUBNETS reside within ONE Availability Zone and cannot span zones.
ONE subnet belongs to exactly one Availability Zone.
https://us-east-2.console.aws.amazon.com/vpc/home?region=us-east-2#routetables:
Routing: Your VPC has an implied router (shown in the configuration diagram above). In
this scenario, the VPC wizard creates a custom route table that routes all traffic
destined for an address outside the VPC to the Internet gateway, and associates this
route table with the subnet. The following table shows the route table for the example in
the configuration diagram above. The first entry is the default entry for local IPv4
routing in the VPC; this entry enables the instances in this VPC to communicate
with each other. The second entry routes all other IPv4 subnet traffic to the
Internet gateway (for example, igw-1a2b3c4d).
Security: AWS provides two features that you can use to increase security in your VPC:
security groups and network ACLs.
Security groups control inbound and outbound traffic for your instances, and network
ACLs control inbound and outbound traffic for your subnets.
In most cases, security groups can meet your needs; however, you can also use
network ACLs if you want an additional layer of security for your VPC.
Your VPC comes with a default security group. An instance that's launched
into the VPC is automatically associated with the default security group if you
don't specify a different security group during launch.
For this scenario, we recommend that you create the following security groups instead
of using the default security group:
• WebServerSG: Specify this security group when you launch the web servers in the
public subnet.
• DBServerSG: Specify this security group when you launch the database servers in the
private subnet.
The instances assigned to a security group can be in different subnets. However, in this
scenario, each security group corresponds to the type of role an instance plays, and
each role requires the instance to be in a particular subnet.
Therefore, in this scenario, all instances assigned to a security group are in the same
subnet.
The following table describes the recommended rules for the WebServerSG security
group, which allow the web servers to receive Internet traffic, as well as SSH and
RDP traffic from your network.
Because the web server doesn't initiate any other outbound communication, the
default outbound rule is removed.
The web servers can also initiate read and write requests to the database servers
in the private subnet, and send traffic to the Internet; for example, to get software
updates.
The following table describes the recommended rules for the DBServerSG security
group, which allow read or write database requests from the web servers. The
database servers can also initiate traffic bound for the Internet (the route table
sends that traffic to the NAT gateway, which then forwards it to the Internet over
the Internet gateway).
(Optional) The default security group for a VPC has rules that automatically allow
assigned instances to communicate with each other. To allow that type of
communication for a custom security group, you must add the following rules:
The configuration for this scenario includes the following:
• A virtual private cloud (VPC) with a size /16 IPv4 CIDR (example: 10.0.0.0/16). This
provides 65,536 private IPv4 addresses.
• A public subnet with a size /24 IPv4 CIDR (example: 10.0.0.0/24). This provides
256 private IPv4 addresses. A public subnet is a subnet that's associated with a route
table that has a route to an Internet gateway.
• A VPN-only subnet with a size /24 IPv4 CIDR (example: 10.0.1.0/24). This provides
256 private IPv4 addresses.
• An Internet gateway. This connects the VPC to the Internet and to other AWS
products.
• A VPN connection between your VPC and your network. The VPN connection
consists of a virtual private gateway located on the Amazon side of the VPN
connection and a customer gateway located on your side of the VPN connection.
• Instances with private IPv4 addresses in the subnet range (examples: 10.0.0.5 and
10.0.1.5), which enables the instances to communicate with each other and other
instances in the VPC.
Instances in the VPN-only subnet are back-end servers that don't need to accept
incoming traffic from the Internet, but can send and receive traffic from your network.
• A custom route table associated with the public subnet. This route table contains an
entry that enables instances in the subnet to communicate with other instances in the
VPC, and an entry that enables instances in the subnet to communicate directly with the
Internet.
• The main route table associated with the VPN-only subnet. The route table contains
an entry that enables instances in the subnet to communicate with other instances in
the VPC, and an entry that enables instances in the subnet to communicate directly with
your network.
Routing
Your VPC has an implied router (shown in the configuration diagram for this
scenario). In this scenario, the VPC wizard updates the main route table used with the
VPN-only subnet, and creates a custom route table and associates it with the public
subnet.
The instances in the VPN-only subnet can't reach the Internet directly; any
Internet-bound traffic must first traverse the virtual private gateway to your
network, where the traffic is then subject to your firewall and corporate security
policies. If the instances send any AWS-bound traffic (for example, requests to the
Amazon S3 or Amazon EC2 APIs), the requests must go over the virtual private
gateway to your network and then egress to the Internet before reaching AWS.
Currently, we do not support IPv6 for VPN connect
Rules for the WebServerSG Security Group: The following table describes the inbound
and outbound rules for the WebServerSG security group. You'll add the inbound rules
yourself. The outbound rule is a default rule that allows all outbound communication to
anywhere; you do not need to add this rule yourself.
source security group to access instances in the security group. This does not add rules
from the source security group to this security group. Incoming traffic is allowed based
on the private IP addresses of the instances that are associated with the source security
group (and not the public IP or Elastic IP).
The kind of rules you add may depend on the purpose of the instance.
The following table describes example rules for a security group for web servers. The
web servers can receive HTTP and HTTPS traffic
from all IPv4 and IPv6 addresses, and send SQL or MySQL traffic to a database server.
AWS Security Essentials
Region
Availability Zones
Endpoints
IAM
Compliance
VPC Endpoint:
Allows for a private connection to AWS services without going through the
internet.
Traffic does not leave the VPC network.
VPC Endpoints are virtual devices that are scalable, redundant and highly
available.
Interface endpoint: an Elastic Network Interface (ENI) with a private address serves
as the endpoint
- Kinesis Streams
- Elastic Load Balancing
- EC2 API
- EC2 Systems Manager
- Service Catalog
Gateway:
- A target for a route table in your environment
Supported Services
- DynamoDB
- S3
LIMITATIONS
- Allows for large-scale granularity
- Users
- Password
- Access Keys
- Permissions
- Groups
- Roles
- HIPAA
- ISO Standards
- Various regulatory and security agencies around the world.
Does not mean that the application and data that you deploy in your AWS environment
are compliant.
The Shared Responsibility Model describes what Amazon Web Services is responsible
for and what YOU, the USER or CUSTOMER, are responsible for when it relates to
SECURITY.
AWS Infrastructure Services
Includes services like Amazon Virtual Private Cloud (VPC), Amazon Elastic Compute
Cloud (Amazon EC2), Amazon Elastic Block Store (Amazon EBS) and Auto Scaling
Password
Access Keys,
Permissions
Additional Concerns:
Data Encryption
Data Integrity
Services like Amazon Relational Database Service (Amazon RDS), Amazon Elastic
MapReduce (Amazon EMR), Amazon EC2 Container Service (Amazon ECS),
Data Encryption
Data Integrity
The AWS Trusted Advisor tool and what it can show you about your resources and
environments:
Cost Optimization
Performance
Security
Fault Tolerance
1. Security Groups
2. Identity and Access Management
3. Multi Factor Authentication on ROOT account
4. EBS
5. RDS public snapshots
6. Performance (services limits)
Cost Optimization
Performance
Security
Fault Tolerance
Notification
Weekly updates
Programmatic Access
Infrastructure Security
Using a private peered connection, which might not need additional security
VPC networking (subnets, security groups and network access control lists)
Network Segmentation
- Granular control over IP protocols
- Work together with security groups
- Ephemeral ports – client requests use a port that depends on the OS (1024-65535)
Host-based firewall
- OS-level firewalls
Three-tier application (web in the DMZ, apps in the middle and the DB in the last tier)
Inbound Rule Security Group Automatic Load Balancing
Security Group for App Servers
RDS DB
From DMZ traffic to App Server for network access control List
Rule #   Type             Protocol   Port Range    Source      Allow / Deny
100      SSH (22)         TCP        22            0.0.0.0/0   Allow
110      HTTP (80)        TCP        80            0.0.0.0/0   Allow
120      Custom TCP Rule  TCP        1024-65535    0.0.0.0/0   Allow
*        All Traffic      ALL        ALL           0.0.0.0/0   DENY
Network ACL rules for traffic from the DMZ to the App Server (INBOUND and OUTBOUND)
Inbound Rules
Rule #   Type             Protocol   Port Range    Source        Allow / Deny
100      SSH (22)         TCP        22            0.0.0.0/0     Allow
110      HTTP (80)        TCP        80            0.0.0.0/0     Allow
120      Custom TCP Rule  TCP        1024-65535    0.0.0.0/0     Allow
*        All Traffic      ALL        ALL           0.0.0.0/0     DENY

Outbound Rules
Rule #   Type             Protocol   Port Range    Destination   Allow / Deny
100      MySQL (3306)     TCP        3306
110      Custom TCP Rule  TCP        1024-65535    0.0.0.0/0     Allow
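The two tables replayed through a small network ACL evaluator, as an added example that is not part of the notes: it applies the numbered-rule, first-match, stateless semantics the tables rely on, and shows why the ephemeral-port entries are needed for reply traffic. The packet addresses are constructed, and the blank destination of the outbound MySQL rule is assumed to be 0.0.0.0/0.

```go
package main

import (
	"fmt"
	"net"
	"sort"
)

// DefaultRule stands in for the "*" catch-all entry, which AWS evaluates last.
const DefaultRule = 32767

// Rule is one numbered network ACL entry; Protocol "all" matches any port.
type Rule struct {
	Number   int
	Protocol string // "tcp", "udp", "icmp" or "all"
	FromPort int
	ToPort   int
	Cidr     string // source for inbound rules, destination for outbound rules
	Allow    bool
}

// Packet is what a network ACL looks at: Addr is the source address when
// evaluating inbound rules and the destination address for outbound rules.
type Packet struct {
	Protocol string
	Port     int
	Addr     string
}

// The tables from the notes. The outbound MySQL rule's destination is blank in
// the notes; 0.0.0.0/0 is assumed here.
var InboundRules = []Rule{
	{100, "tcp", 22, 22, "0.0.0.0/0", true},
	{110, "tcp", 80, 80, "0.0.0.0/0", true},
	{120, "tcp", 1024, 65535, "0.0.0.0/0", true},
	{DefaultRule, "all", 0, 0, "0.0.0.0/0", false},
}

var OutboundRules = []Rule{
	{100, "tcp", 3306, 3306, "0.0.0.0/0", true},
	{110, "tcp", 1024, 65535, "0.0.0.0/0", true},
	{DefaultRule, "all", 0, 0, "0.0.0.0/0", false},
}

// Evaluate applies network ACL semantics: rules are tried from the lowest
// number upward, the first match decides, and nothing is remembered between
// packets (ACLs are stateless). It returns the decision and the rule number.
func Evaluate(rules []Rule, pkt Packet) (allowed bool, matched int) {
	ordered := append([]Rule(nil), rules...)
	sort.Slice(ordered, func(i, j int) bool { return ordered[i].Number < ordered[j].Number })
	ip := net.ParseIP(pkt.Addr)
	for _, r := range ordered {
		_, block, err := net.ParseCIDR(r.Cidr)
		if err != nil || ip == nil || !block.Contains(ip) {
			continue
		}
		if r.Protocol != "all" &&
			(r.Protocol != pkt.Protocol || pkt.Port < r.FromPort || pkt.Port > r.ToPort) {
			continue
		}
		return r.Allow, r.Number
	}
	return false, 0 // no entry matched: treated as deny
}

func main() {
	checks := []struct {
		dir string
		set []Rule
		pkt Packet
	}{
		// a request to port 80 and its reply back to the client's ephemeral port
		{"inbound", InboundRules, Packet{"tcp", 80, "198.51.100.7"}},
		{"outbound", OutboundRules, Packet{"tcp", 51234, "198.51.100.7"}},
		// the app tier talking to MySQL, and an HTTPS fetch that no rule allows
		{"outbound", OutboundRules, Packet{"tcp", 3306, "10.0.1.5"}},
		{"outbound", OutboundRules, Packet{"tcp", 443, "192.0.2.10"}},
	}
	for _, c := range checks {
		ok, n := Evaluate(c.set, c.pkt)
		fmt.Printf("%-8s %s port %d -> allow=%v (rule %d)\n", c.dir, c.pkt.Addr, c.pkt.Port, ok, n)
	}
}
```

The last check shows the cost of a stateless ACL: the app server's own outbound HTTPS connection for software updates is denied by the "*" entry unless a rule for it is added.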
Access Advisor -
Encryption
Server-side Encryption
Data is encrypted as it is written to disk then decrypted as it is read from the disk
Often referred to as encryption “AT REST”
Client-side Encryption
Data is encrypted by the client before it is sent to the server, then decrypted
when the client receives data from the server.
Often referred to as encryption “IN TRANSIT”.
Symmetric Encryption
- Uses the same key to encrypt and decrypt
- Example: Advanced Encryption Standard (AES) with 128-, 192-, and 256-bit keys
Asymmetric Encryption
- Uses different keys to encrypt and decrypt: a public key and a private key
- The public key is available to any entity
- Examples: Secure Sockets Layer (SSL), Transport Layer Security (TLS), SSH.
KMS: managed service that allows you to create and control your encryption keys
- Advantages over HSM are:
- Can use IAM policies for KMS access
- AWS services integrate directly with KMS
Important Concepts
- KMS stores Customer Master Keys (CMK)
- The process follows symmetric encryption but has a major twist.
- In some HSMs, there can be any number of key encryption keys (KEK)
- Process known as enveloping (envelope encryption)
- KMS only envelops one layer and stores the “TOP” key, the CMK
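The one-layer envelope described above, as an added Go example that is not from the notes and does not call the real KMS API: a local KeyService standing in for KMS holds the CMK and never releases it, a fresh data key encrypts the data, and the CMK only ever wraps that data key. AES-256-GCM is assumed here for both layers.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyService stands in for KMS: it holds the customer master key (the "TOP"
// key) and never hands it out. A local illustration, not the real KMS API.
type KeyService struct{ cmk []byte }
func NewKeyService() (*KeyService, error) {
	cmk := make([]byte, 32) // AES-256 master key, generated here for the demo
	_, err := rand.Read(cmk)
	return &KeyService{cmk: cmk}, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM under key and prepends the random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; the GCM tag check makes tampering or a wrong key fail.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Envelope is what gets stored: the ciphertext plus the wrapped data key.
type Envelope struct{ WrappedKey, Ciphertext []byte }

// Encrypt is the one-layer envelope from the notes: generate a data key, wrap it
// under the CMK (what KMS's GenerateDataKey hands back), seal the data with the
// plaintext copy of the data key, then discard that copy.
func Encrypt(k *KeyService, plaintext []byte) (Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return Envelope{}, err
	}
	wrapped, err := seal(k.cmk, dataKey)
	if err != nil {
		return Envelope{}, err
	}
	ct, err := seal(dataKey, plaintext)
	for i := range dataKey {
		dataKey[i] = 0 // drop the plaintext data key as soon as it has been used
	}
	return Envelope{WrappedKey: wrapped, Ciphertext: ct}, err
}

// Decrypt unwraps the data key with the CMK, then opens the ciphertext with it.
func Decrypt(k *KeyService, e Envelope) ([]byte, error) {
	dataKey, err := open(k.cmk, e.WrappedKey)
	if err != nil {
		return nil, err
	}
	return open(dataKey, e.Ciphertext)
}

func main() {
	ks, _ := NewKeyService()
	env, _ := Encrypt(ks, []byte("customer record 42")) // constructed sample data
	pt, err := Decrypt(ks, env)
	fmt.Printf("%s %v\n", pt, err)
}
```

Losing or rotating the CMK is what decides whether the stored envelopes can ever be opened again, which is the point of the question below about where keys are stored.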
Data in the cloud should be perceived to have the same needs and properties as data in
the legacy environment.
How is data recovered when needed?
Where encryption keys are stored can affect the overall risk to the data in severe ways.
AWS CloudFormation is a service that helps you model and set up your Amazon Web
Services resources so that you can spend less time managing those resources and
more time focusing on your applications that run in AWS. You create a template that
describes all the AWS resources that you want (like Amazon EC2 instances or Amazon
RDS DB instances), and AWS CloudFormation takes care of provisioning and
configuring those resources for you. You don't need to individually create and configure
AWS resources and figure out what's dependent on what; AWS CloudFormation
handles all of that. The following scenarios demonstrate how AWS CloudFormation can
help.
When you use AWS CloudFormation, you work with templates and stacks. You
create templates to describe your AWS resources and their properties. Whenever you
create a stack, AWS CloudFormation provisions the resources that are described in
your template.
Topics
Templates
Stacks
Change Sets
Templates
An AWS CloudFormation template is a JSON or YAML formatted text file. You can save
these files with any extension, such as .json, .yaml, .template, or .txt. AWS
CloudFormation uses these templates as blueprints for building your AWS resources.
For example, in a template, you can describe an Amazon EC2 instance, such as the
instance type, the AMI ID, block device mappings, and its Amazon EC2 key pair name.
Whenever you create a stack, you also specify a template that AWS CloudFormation
uses to create whatever you described in the template.
For example, if you created a stack with the following template, AWS CloudFormation
provisions an instance with an ami-2f726546 AMI ID, t1.micro instance type, testkey key
pair name, and an Amazon EBS volume.
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
  MyEC2Instance:
    Type: "AWS::EC2::Instance"
    Properties:
      ImageId: "ami-2f726546"
      InstanceType: t1.micro
      KeyName: testkey
      BlockDeviceMappings:
        - DeviceName: /dev/sdm
          Ebs:
            VolumeType: io1
            Iops: 200
            DeleteOnTermination: false
            VolumeSize: 20
  MyEIP:
    Type: AWS::EC2::EIP
    Properties:
      InstanceId: !Ref MyEC2Instance
Description: >
  This template deploys a VPC, with a pair of public and private subnets spread
  route on the public subnets. It deploys a pair of NAT Gateways (one in each AZ),
  and default routes for them in the private subnets.

Parameters:
  EnvironmentName:
    Type: String

  VpcCIDR:
    Description: Please enter the IP range (CIDR notation) for this VP
    Type: String
    Default: 172.20.0.0/16

  PublicSubnet1CIDR:
    Description: Please enter the IP range (CIDR notation) for the public subnet in the first Availability Zone
    Type: String
    Default: 172.20.1.0/24

  PublicSubnet2CIDR:
    Description: Please enter the IP range (CIDR notation) for the public subnet in the second Availability Zone
    Type: String
    Default: 172.20.4.0/24

  PrivateSubnet1CIDR:
    Description: Please enter the IP range (CIDR notation) for the private subnet in the first Availability Zone
    Type: String
    Default: 172.20.2.0/24

  PrivateSubnet2CIDR:
    Description: Please enter the IP range (CIDR notation) for the private subnet in the second Availability Zone
    Type: String
    Default: 172.20.3.0/24

Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name

  InternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name

  InternetGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:

  PublicSubnet1:
    Type: AWS::EC2::Subnet
    Properties:
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name

  PublicSubnet2:
    Type: AWS::EC2::Subnet
    Properties:
      CidrBlock: !Ref PublicSubnet2CIDR
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name

  PrivateSubnet1:
    Type: AWS::EC2::Subnet
    Properties:
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name

  PrivateSubnet2:
    Type: AWS::EC2::Subnet
    Properties:
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name

  NatGateway1EIP:
    Type: AWS::EC2::EIP
    DependsOn: InternetGatewayAttachment
    Properties:
      Domain: vpc

  NatGateway2EIP:
    Type: AWS::EC2::EIP
    DependsOn: InternetGatewayAttachment
    Properties:
      Domain: vpc

  NatGateway1:
    Type: AWS::EC2::NatGateway
    Properties:

  NatGateway2:
    Type: AWS::EC2::NatGateway
    Properties:

  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      Tags:
        - Key: Name

  DefaultPublicRoute:
    Type: AWS::EC2::Route
    DependsOn: InternetGatewayAttachment
    Properties:
      DestinationCidrBlock: 0.0.0.0/0

  PublicSubnet1RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:

  PrivateRouteTable1:
    Type: AWS::EC2::RouteTable
    Properties:
      Tags:
        - Key: Name

  DefaultPrivateRoute1:
    Type: AWS::EC2::Route
    Properties:
      DestinationCidrBlock: 0.0.0.0/0

  PrivateSubnet1RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:

  PrivateRouteTable2:
    Type: AWS::EC2::RouteTable
    Properties:
      Tags:
        - Key: Name

  DefaultPrivateRoute2:
    Type: AWS::EC2::Route
    Properties:
      DestinationCidrBlock: 0.0.0.0/0

  PrivateSubnet2RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:

  NoIngressSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: "no-ingress-sg"

Outputs:
  VPC:
  PublicSubnets:
  PrivateSubnets:
  PublicSubnet1:
  PublicSubnet2:
  PrivateSubnet1:
  PrivateSubnet2:
  NoIngressSecurityGroup:
EC2Instance:
  Type: AWS::EC2::Instance
  Properties:
    InstanceType:
      Ref: InstanceType
    SecurityGroups:
      - Ref: InstanceSecurityGroup
    KeyName:
      Ref: KeyName
    ImageId:
      Fn::FindInMap:
        - AWSRegionArch2AMI
        - Ref: AWS::Region
        - Fn::FindInMap:
            - AWSInstanceType2Arch
            - Ref: InstanceType
            - Arch
Template Sections
Templates include several major sections. The Resources section is the only
required section. Some sections in a template can be in any order.
However, as you build your template, it might be helpful to use the
logical ordering of the following list, as values in one section might
refer to values from a previous section. The list gives a brief overview of each
section.
Format Version (optional)
The AWS CloudFormation template version that the template conforms to.
The template format version is not the same as the API or WSDL version. The
template format version can change independently of the API and WSDL
versions.
Description (optional)
A text string that describes the template. This section must always follow the
template format version section.
Metadata (optional)
Objects that provide additional information about the template.
Parameters (optional)
Mappings (optional)
A mapping of keys and associated values that you can use to specify conditional
parameter values, similar to a lookup table. You can match a key to a
corresponding value by using the Fn::FindInMap intrinsic function in the
Resources and Outputs section.
Conditions (optional)
Transform (optional)
You can also use AWS::Include transforms to work with template snippets that
are stored separately from the main AWS CloudFormation template. You can
store your snippet files in an Amazon S3 bucket and then reuse the functions
across multiple templates.
Resources (required)
Outputs (optional)
Describes the values that are returned whenever you view your stack's
properties. For example, you can declare an output for an S3 bucket name and
then call the aws cloudformation describe-stacks AWS CLI command to view the
name.
Outputs:
  set of outputs
Format Version
Parameters
Parameters:
  InstanceTypeParameter:
    Type: String
    Default: t2.micro
    AllowedValues:
      - t2.micro
      - m1.small
      - m1.large
    Description: Enter m1.small, or m1.large. Default is t2.micro.