CLF-C02

AWS Certified Cloud Practitioner

65 questions · 90 minutes · Pass at 700/1000 · $100 USD

  • 34+ Regions: geographic areas with multiple AZs
  • 108+ Availability Zones: isolated data centers within a region
  • 450+ Edge Locations: CloudFront CDN cache points
  • 200+ Services: compute, storage, AI, security, and more

Domain 1 of 4

Cloud Concepts

24% of exam

Benefits of the AWS Cloud

  • On-demand self-service — provision resources without human interaction
  • Broad network access — available over the network from any device
  • Resource pooling — multi-tenant model, resources shared across customers
  • Rapid elasticity — scale up or down automatically with demand
  • Measured service — pay only for what you use
  • Trade capital expense (CapEx) for operating expense (OpEx)
  • Stop guessing capacity — scale as needed
  • Benefit from massive economies of scale
  • Increase speed and agility
  • Go global in minutes

Cloud Deployment Models

  • Public Cloud — everything runs on AWS infrastructure (most exam questions)
  • Private Cloud — cloud-like platform in your own data center (e.g., VMware)
  • Hybrid Cloud — combination of on-premises + public cloud connected via Direct Connect or VPN
  • Multi-Cloud — using multiple cloud providers (AWS + Azure, AWS + GCP)

Cloud Service Models

  • IaaS (Infrastructure as a Service) — you manage OS and above; AWS manages hardware. Example: EC2
  • PaaS (Platform as a Service) — you manage only your application and data. Example: Elastic Beanstalk, RDS
  • SaaS (Software as a Service) — you just use the software. Example: Gmail, Salesforce, Rekognition
  • Serverless — no server management at all. Example: Lambda, DynamoDB

Domain 2 of 4

Security & Compliance

30% of exam

Shared Responsibility Model

  • AWS is responsible FOR the cloud — hardware, data centers, global network, managed service patches
  • Customer is responsible IN the cloud — OS patches, app security, IAM, data encryption, firewall rules
  • Managed services (RDS, Lambda) shift more responsibility to AWS
  • EC2 — customer manages OS, patches, application, and security groups

Identity & Access Management (IAM)

  • Root account — created when you open an AWS account; never use for daily tasks; protect with MFA
  • IAM User — a person or service with long-term credentials
  • IAM Group — collection of users sharing the same permissions
  • IAM Role — temporary credentials assumed by users, services, or applications
  • IAM Policy — JSON document defining Allow/Deny permissions for actions on resources
  • Principle of Least Privilege — grant only the permissions needed, nothing more
  • MFA (Multi-Factor Authentication) — strongly recommended on all accounts

Security Services

  • AWS Shield — DDoS protection. Standard (free, automatic); Advanced (paid, $3,000/month)
  • AWS WAF — Web Application Firewall; filter HTTP requests by IP, geo, headers, request body
  • Amazon GuardDuty — threat detection using ML; analyzes CloudTrail, VPC Flow Logs, DNS logs
  • Amazon Inspector — automated security assessment for EC2 instances and container images
  • AWS Macie — uses ML to discover and protect sensitive data (PII) in S3
  • AWS KMS (Key Management Service) — create and manage encryption keys
  • AWS Secrets Manager — store and rotate secrets (passwords, API keys, DB credentials)
  • AWS Artifact — on-demand access to AWS compliance reports and agreements
  • AWS CloudHSM — dedicated hardware security module for your own key management
  • Amazon Cognito — add user sign-up, sign-in, and access control to apps

Compliance

  • AWS is compliant with: SOC 1/2/3, PCI DSS, HIPAA, ISO 27001, FedRAMP
  • Compliance is a shared responsibility — AWS certifies the infrastructure; you must certify your application
  • AWS Artifact provides compliance documentation and agreements on demand

Domain 3 of 4

Cloud Technology & Services

34% of exam

Compute

  • EC2 — virtual machines; choose instance type (CPU, RAM, storage, network)
  • EC2 pricing: On-Demand (pay by hour/second), Reserved (1–3 yr, up to 72% off), Spot (up to 90% off, can be interrupted), Dedicated Hosts (physical server, compliance use)
  • Auto Scaling — automatically add or remove EC2 instances based on demand
  • Elastic Load Balancing (ELB) — distribute traffic across instances; ALB (HTTP/HTTPS), NLB (TCP), CLB (legacy)
  • AWS Lambda — serverless functions; run code without servers; trigger by events; pay per invocation
  • Amazon ECS — run Docker containers on EC2 or Fargate
  • AWS Fargate — serverless containers; no EC2 management; pay per task
  • Amazon EKS — managed Kubernetes
  • AWS Elastic Beanstalk — PaaS; upload code, Beanstalk handles deployment, scaling, load balancing
  • AWS Batch — run batch computing jobs at any scale
  • AWS Outposts — run AWS infrastructure in your own data center

Storage

  • S3 (Simple Storage Service) — object storage; unlimited scale; 11 9s durability; use for backups, static websites, data lakes
  • S3 storage classes: Standard (frequent), Infrequent Access, One Zone-IA, Glacier Instant Retrieval, Glacier Flexible Retrieval, Glacier Deep Archive, Intelligent-Tiering
  • EBS (Elastic Block Store) — block storage attached to a single EC2 instance; like a hard drive; data persists after instance stop
  • EFS (Elastic File System) — shared file system; multiple EC2 instances can mount simultaneously; scales automatically
  • Amazon FSx — fully managed file systems; FSx for Windows (SMB/Windows workloads), FSx for Lustre (HPC)
  • AWS Storage Gateway — hybrid storage; bridge between on-premises and AWS S3/EBS
  • AWS Snow Family — physical devices for large data migrations: Snowcone (8TB), Snowball (petabyte-scale), Snowmobile (100PB, a truck)

Databases

  • Amazon RDS — managed relational DB; supports MySQL, PostgreSQL, MariaDB, Oracle, SQL Server, Aurora
  • Amazon Aurora — AWS cloud-native relational DB; 5× faster than MySQL, 3× PostgreSQL; auto-scales; multi-region
  • Amazon DynamoDB — fully managed NoSQL key-value/document DB; single-digit millisecond latency; serverless; scales to any load
  • Amazon ElastiCache — in-memory caching; Redis or Memcached; sub-millisecond latency
  • Amazon Redshift — data warehouse; petabyte-scale; OLAP (analytics), not OLTP (transactions)
  • Amazon DocumentDB — managed MongoDB-compatible document DB
  • Amazon Neptune — managed graph database
  • Amazon Keyspaces — managed Apache Cassandra-compatible DB

Networking

  • VPC (Virtual Private Cloud) — your private network in AWS; you control IP ranges, subnets, routing, security
  • Public subnet — resources have internet access via Internet Gateway
  • Private subnet — no direct internet access; use NAT Gateway for outbound-only internet
  • Security Groups — virtual firewall at the instance level; stateful; allow rules only
  • Network ACLs (NACLs) — firewall at the subnet level; stateless; allow AND deny rules
  • Internet Gateway — allows VPC to communicate with the internet
  • NAT Gateway — allows private subnet instances to reach internet without being publicly accessible
  • VPC Peering — connect two VPCs privately
  • AWS Direct Connect — dedicated private network connection from your data center to AWS
  • VPN — encrypted connection over public internet; cheaper than Direct Connect
  • Amazon Route 53 — DNS service; domain registration, health checks, routing policies (Simple, Weighted, Latency, Failover, Geolocation)
  • Amazon CloudFront — CDN; cache content at Edge Locations worldwide; reduce latency
  • AWS Global Accelerator — improves global app availability using AWS backbone network

Management & Monitoring

  • AWS CloudWatch — monitoring and observability; metrics, logs, alarms, dashboards; set alarms on any AWS metric
  • AWS CloudTrail — audit log of all API calls made in your account; who did what, when, from where; enabled by default
  • AWS Config — records and evaluates configuration changes to AWS resources; compliance auditing
  • AWS Trusted Advisor — best practice recommendations across Cost, Performance, Security, Fault Tolerance, Service Limits
  • AWS Systems Manager — view and control your infrastructure; patch management, run commands, parameter store
  • AWS Personal Health Dashboard — alerts when AWS events may impact your resources
  • AWS Organizations — manage multiple AWS accounts; consolidated billing; Service Control Policies (SCPs)
  • AWS Control Tower — set up and govern a secure multi-account environment following best practices

Domain 4 of 4

Billing, Pricing & Support

12% of exam

AWS Pricing Fundamentals

  • Three pricing drivers: Compute (per hour/second), Storage (per GB), Data Transfer OUT (free in, charged out)
  • Free Tier: 12-month free (EC2 t2.micro, S3 5GB), always free (Lambda 1M requests, DynamoDB 25GB), trials
  • On-Demand — no commitment, highest price, predictable short-term
  • Reserved Instances — 1 or 3 year commitment; up to 72% savings; Standard (can't change), Convertible (can change)
  • Savings Plans — flexible commitment to $ amount per hour; applies to EC2, Lambda, Fargate
  • Spot Instances — bid on unused capacity; up to 90% off; can be interrupted with 2-minute notice
  • Dedicated Hosts — physical server for your exclusive use; compliance/licensing requirements

Cost Management Tools

  • AWS Pricing Calculator — estimate cost before you deploy
  • AWS Cost Explorer — visualize, understand, and manage your AWS spending over time
  • AWS Budgets — set budget thresholds and receive alerts when you approach or exceed them
  • AWS Cost and Usage Report (CUR) — most comprehensive cost data; export to S3
  • Consolidated Billing — combine billing for all AWS Organization accounts; volume discounts
  • AWS Compute Optimizer — ML recommendations to right-size EC2, Lambda, EBS

Support Plans

  • Basic — free; documentation, whitepapers, forums, AWS Personal Health Dashboard
  • Developer — $29/month (or 3% of usage); business hours email support; general guidance < 24 hrs, system impaired < 12 hrs
  • Business — $100/month (or 10% of usage); 24/7 phone/chat; production impaired < 4 hrs, production down < 1 hr
  • Enterprise On-Ramp — $5,500/month; pool of TAMs; critical down < 30 min
  • Enterprise — $15,000/month; dedicated TAM (Technical Account Manager); critical down < 15 min
  • TAM = Technical Account Manager — your dedicated AWS advisor

Exam Tips

  • Know the shared responsibility model cold — who manages what for EC2 vs RDS vs Lambda is a recurring question pattern.
  • Understand all four EC2 pricing models (On-Demand, Reserved, Spot, Dedicated) and when to use each. Cost optimization questions are common.
  • Know the difference between Region, Availability Zone, and Edge Location. They test this distinction frequently.
  • IAM basics: users, groups, roles, policies, and the principle of least privilege. Know the difference between a role and a user.
  • CloudWatch = monitoring metrics and logs. CloudTrail = API call audit log. Config = configuration change tracking. Know which is which.
  • Understand the four support plans (Basic, Developer, Business, Enterprise) and what you get at each tier — especially TAM access.