Review Sheet: Mastering Cloud Infrastructure and Security

📋 Course Outline

  1. Cloud concepts and global infrastructure
  2. Security and compliance shared responsibility
  3. Core AWS services for compute, storage and networking
  4. Billing models and cost optimization
  5. AI and ML services for GenAI use cases
  6. Operational monitoring, logging and governance

📖 1. Cloud concepts and global infrastructure

🔑 Key Concepts & Definitions

  • Elasticity : Elasticity is the ability to automatically scale resources up or down to match changing demand.
  • Scalability : Scalability is the capacity of a system to handle growth in users, workload, or data by adding resources.
  • High availability : High availability is designing systems to minimize downtime by using redundancy and failover.
  • Fault tolerance : Fault tolerance is the ability to keep operating despite failures of components or availability zones.
  • Disaster recovery : Disaster recovery is the set of practices and plans to restore service after major outages or disasters.

📝 Essential Points

  • Elasticity is often implemented with auto scaling so capacity changes without manual intervention.
  • Scalability can be vertical (bigger instances) or horizontal (more instances), and both affect architecture choices.
  • High availability typically uses multiple instances and/or multiple Availability Zones to reduce single points of failure.
  • Fault tolerance focuses on continued operation during component failures, not just recovery after downtime.
  • Disaster recovery targets restoring service after a severe event, usually with defined recovery objectives.
  • Global infrastructure enables lower latency and improved resilience by placing resources closer to users and using multiple regions.

💡 Memory Hook

Elasticity = elastic capacity; Availability = uptime; Fault tolerance = survive failures; DR = recover after disaster.

📖 2. Security and compliance shared responsibility

🔑 Key Concepts & Definitions

  • Shared responsibility model : The shared responsibility model splits security duties between AWS and the customer based on what AWS manages versus what you manage.
  • IAM : IAM is the AWS service for controlling who can access resources and what actions they can perform.
  • MFA : MFA is an authentication method that requires a second factor in addition to a password.
  • AWS Organizations : AWS Organizations is a service for centrally managing multiple AWS accounts under one organization.
  • Service Control Policies : Service Control Policies are Organizations policies that restrict what actions accounts in an organization can perform.

📝 Essential Points

  • AWS is responsible for security of the cloud (the underlying infrastructure), while you are responsible for security in the cloud (for example, identities, data access and the configuration of the resources you deploy).
  • IAM policies determine permissions, and least privilege reduces risk by granting only required actions.
  • MFA strengthens authentication for interactive access and helps prevent account compromise from stolen passwords.
  • Organizations enables centralized governance across accounts, which supports consistent security baselines.
  • SCPs limit permissions at the account level, even if individual IAM roles or users allow actions.
  • KMS is used to protect data with encryption keys, and encryption is a core control for confidentiality and compliance.

💡 Memory Hook

Shared responsibility: AWS secures the cloud; you secure what you put in it.

📖 3. Core AWS services for compute, storage and networking

🔑 Key Concepts & Definitions

  • Amazon EC2 : Amazon EC2 provides resizable compute capacity in the cloud using virtual servers.
  • AWS Lambda : AWS Lambda runs code in response to events without managing servers.
  • Amazon S3 : Amazon S3 is object storage designed for storing and retrieving data at scale.
  • Amazon VPC : Amazon VPC is a logically isolated section of the AWS cloud where you define networking settings.
  • Amazon CloudFront : Amazon CloudFront is a content delivery network that delivers data with low latency using edge locations.

📝 Essential Points

  • EC2 is suitable when you need full control over the operating system, runtime, and networking on a per-instance basis.
  • Lambda is event-driven and can reduce operational overhead by removing server management responsibilities.
  • S3 supports multiple storage classes for different access patterns and cost/performance tradeoffs.
  • EBS provides block storage for EC2 instances, while EFS provides shared file storage for multiple clients.
  • RDS and Aurora are managed relational database services, and DynamoDB is a managed NoSQL database service.
  • VPC lets you create subnets, route tables, and security controls so network traffic follows your design.

💡 Memory Hook

EC2 = servers you manage; Lambda = code you deploy; S3 = objects; VPC = your network.

📖 4. Billing models and cost optimization

🔑 Key Concepts & Definitions

  • Savings Plans : Savings Plans are flexible pricing commitments that reduce compute costs in exchange for a consistent usage level.
  • Reserved Instances : Reserved Instances are discounted pricing for committing to a specific instance type and term.
  • Spot Instances : Spot Instances let you bid for unused capacity at potentially lower prices with possible interruptions.
  • AWS Cost Explorer : AWS Cost Explorer analyzes billing data to visualize and understand cost trends and drivers.
  • AWS Budgets : AWS Budgets lets you set cost or usage thresholds and receive alerts when you exceed them.

📝 Essential Points

  • Savings Plans generally provide broader flexibility than Reserved Instances by applying to usage across compatible instance families or services.
  • Reserved Instances offer discounts for a defined term and instance attributes, which can improve predictability for steady workloads.
  • Spot Instances can be cost-effective for fault-tolerant workloads but may be interrupted when capacity is reclaimed.
  • Cost Explorer helps identify which services and usage patterns drive spend over time.
  • Budgets provide proactive controls by alerting you before costs exceed planned thresholds.
  • Trusted Advisor can surface optimization recommendations, while the Pricing Calculator supports estimating costs before deployment.

💡 Memory Hook

Savings Plans = flexible commitment; RIs = fixed instance commitment; Spot = cheap but interruptible.

📖 5. AI and ML services for GenAI use cases

🔑 Key Concepts & Definitions

  • Amazon Bedrock : Amazon Bedrock is a managed service that provides access to foundation models for building generative AI applications.
  • Amazon SageMaker : Amazon SageMaker is a managed platform for building, training, and deploying machine learning models.
  • Amazon Q : Amazon Q is an AI assistant service designed to help users and developers with productivity and application-related tasks.
  • Responsible AI : Responsible AI refers to practices that address safety, fairness, privacy, and governance when using AI systems.
  • Amazon Rekognition : Amazon Rekognition is a service for analyzing images and videos for visual features and content.

📝 Essential Points

  • Bedrock supports building GenAI applications by integrating foundation models through managed APIs.
  • SageMaker is commonly used when you need end-to-end ML workflows such as training and deploying models you control.
  • Amazon Q is positioned for AI assistance to improve productivity and support development or business workflows.
  • Responsible AI emphasizes governance and risk controls so outputs and data usage align with policy and safety expectations.
  • Vision and text services like Rekognition and Textract/Comprehend support extracting and understanding content for downstream applications.
  • GenAI use cases often require combining model access with data handling, security controls, and monitoring to meet business and compliance needs.

💡 Memory Hook

Bedrock = foundation models; SageMaker = your ML lifecycle; Responsible AI = safety + governance.

📖 6. Operational monitoring, logging and governance

🔑 Key Concepts & Definitions

  • Amazon CloudWatch : Amazon CloudWatch provides monitoring and observability for AWS resources and applications.
  • AWS CloudTrail : AWS CloudTrail records API activity to help audit and investigate actions taken in your AWS account.
  • AWS Security Hub : AWS Security Hub aggregates security findings from multiple AWS services into a centralized view.
  • Amazon GuardDuty : Amazon GuardDuty is a threat detection service that identifies suspicious activity using threat intelligence and behavioral signals.
  • Amazon Macie : Amazon Macie is a service that helps discover and protect sensitive data in AWS using automated analysis.

📝 Essential Points

  • CloudWatch metrics and alarms help you detect performance issues and trigger responses based on thresholds.
  • CloudWatch Logs supports collecting and analyzing application and system logs for troubleshooting.
  • CloudTrail provides an audit trail of API calls, which is essential for security investigations and compliance evidence.
  • GuardDuty detects threats such as unusual API calls or suspicious network activity and produces findings for review.
  • Security Hub centralizes findings so you can manage security posture across accounts and services.
  • Macie helps identify sensitive data in S3, supporting data governance and risk reduction.

💡 Memory Hook

CloudWatch = performance; CloudTrail = who did what; GuardDuty = threat detection; Macie = sensitive data discovery.

📊 Synthesis Tables

Elasticity vs scalability vs high availability

Goal              | Primary focus   | Typical outcome
------------------|-----------------|-----------------------------------
Elasticity        | Match demand    | Capacity changes with load
Scalability       | Handle growth   | More workload/users supported
High availability | Reduce downtime | Service continues during failures

⚠️ Common Pitfalls & Confusions

  1. Confusing elasticity with scalability: elasticity reacts to current demand, while scalability is about growth capacity.
  2. Assuming AWS is responsible for all security: the shared responsibility model splits duties between AWS and the customer.
  3. Mixing up CloudWatch and CloudTrail: CloudWatch is monitoring/metrics/logs, while CloudTrail is API audit history.
  4. Thinking Spot Instances guarantee availability: Spot can be interrupted, so designs must tolerate interruptions.
  5. Misunderstanding KMS: protecting data means managing the encryption keys that protect it, not just storing the data in S3.

✅ Exam Checklist

  1. Define elasticity, scalability, high availability, fault tolerance, and disaster recovery and match each to its purpose.
  2. Explain the shared responsibility model and identify what you typically secure (identities, access, data protection, configuration).
  3. Recognize core IAM concepts such as MFA, and Organizations governance concepts such as SCPs, and explain how each restricts access.
  4. Match AWS core services to their roles: EC2 vs Lambda, S3 vs EBS/EFS, and managed databases vs NoSQL.
  5. Apply networking fundamentals: what VPC provides and how it supports controlled connectivity and isolation.
  6. Choose appropriate billing tools and commitments: Savings Plans, Reserved Instances, Spot, Cost Explorer, and Budgets.
  7. Identify cost-optimization tradeoffs between predictable commitments and interruptible capacity.
  8. Select the right GenAI/ML service for a scenario: Bedrock for foundation models, SageMaker for ML lifecycle, and Amazon Q for AI assistance.
  9. Use observability and governance services correctly: CloudWatch for monitoring/logs and CloudTrail for audit trails.
  10. Connect security services to outcomes: GuardDuty for threats, Security Hub for aggregated findings, and Macie for sensitive data discovery.

Test your knowledge

Test your knowledge of Mastering Cloud Infrastructure and Security with 6 multiple-choice questions with detailed corrections.

1. Which term describes the ability to automatically increase or decrease resources to match changing demand?

2. In the shared responsibility model, which task is primarily managed by the customer?

Take the quiz →

Review with flashcards

Memorize the key concepts of Mastering Cloud Infrastructure and Security with 12 interactive flashcards.

Cloud infrastructure — purpose?

Global network of data centers and regions.

Shared responsibility model — role?

Divides security duties between AWS and customer.

Core AWS compute service?

Amazon EC2 provides resizable virtual servers.

See the flashcards →
