AWS COMMAND CHEAT SHEET, Slides in Electronic Technology

AWS COMMAND CHEAT SHEET. Amazon

Type: Slides

2025/2026

Uploaded on 05/02/2026

diana-franco-42

1 document


AWS Certified Solutions Architect –

Associate Master Cheat Sheet

Table of Contents

 1.1. Cloud Computing Fundamentals
 1.2. AWS-Fundamentals
 1.3. IAM-Accounts-AWS-Organizations
 1.4. Simple-Storage-Service-(S3)
 1.5. Virtual-Private-Cloud-VPC
 1.6. Elastic-Cloud-Compute-EC2
 1.7. Containers-and-ECS
 1.8. Advanced-EC2
 1.9. Route-53
 1.10. Relational-Database-Service-RDS
 1.11. Network-Storage-EFS
 1.12. HA-and-Scaling
 1.13. Serverless-and-App-Services
 1.14. CDN-and-Optimization
 1.15. Advanced-VPC
 1.16. Hybrid-and-Migration
 1.17. Security-Deployment-Operations
 1.18. NoSQL-and-DynamoDB

1.1. Cloud Computing Fundamentals

Cloud computing provides

  1. On-Demand Self-Service: Provision and terminate using a UI/CLI without human interaction.
  2. Broad Network Access: Access services over any networks on any devices using standard protocols and methods.
  3. Resource Pooling: Economies of scale, cheaper service.
  4. Rapid Elasticity: Scale up and down automatically in response to system load.
  5. Measured Service: Usage is measured. Pay only for what you consume.

1.1.1. Public vs Private vs Multi Cloud

- Public Cloud: using 1 public cloud such as AWS, Azure, Google Cloud.
- Private Cloud: using on-premises real cloud. Must meet the 5 requirements above.
- Multi-Cloud: using more than 1 public cloud in one deployment.
- Hybrid Cloud: using public and private clouds in one environment.
  - This is NOT using Public Cloud and legacy on-premises hardware.

1.1.2. Cloud Service Models

The Infrastructure Stack or Application Stack contains multiple components that make up the total service. There are parts that you manage as well as portions the vendor manages. The portions the vendor manages, and that you are charged for, are the unit of consumption.

  1. On-Premises: The individual manages all components from data to facilities. Provides the most flexibility, but also most IT intensive.
  2. Data Center Hosting: Place equipment in a building managed by a vendor. You pay for the facilities only.
  3. Infrastructure as a Service (IaaS): Vendor manages facilities and everything else related to servers up to the OS. You pay the vendor per second or minute for the OS used. Lose some flexibility, but big risk reductions.
  4. Platform as a Service (PaaS): Good for running an application only. The unit of consumption is the runtime environment. You manage the application and the data, but the vendor manages all else.
  5. Software as a Service (SaaS): You consume the software as a service. This can be Outlook or Netflix. There are almost no risks or additional costs, but very little control.

There are additional models such as Function as a Service, Container as a Service, and Database as a Service, which will be explained later.

1.2. AWS-Fundamentals

AWS Support Plans

- Basic (free)
- Developer (one user, general guidance)
- Business (multiple users, personal guidance)
- Enterprise (Technical Account Manager)

1.2.1. Public vs Private Services

- Geographical Separation
  - Useful for natural disasters
  - Provides an isolated fault domain
  - Regions are 100% isolated
- Geopolitical Separation
  - Different laws change how things are accessed
  - Stability from political events
- Location Control
  - Tune architecture for performance
  - Duplicate infrastructure at points closer to customers

1.2.3. Regions and AZs

Region Name: Asia Pacific (Sydney). Region Code: ap-southeast-2

AWS will provide between 2 and 6 AZs per region. AZs are isolated compute, storage, networking, power, and facilities. Components are allowed to distribute load and resilience by using multiple zones.

AZs are connected to each other with high speed redundant networks.

1.2.3.1. Service Resilience

  1. Globally Resilient: IAM or Route 53. No way for them to go down. Data is replicated throughout multiple regions.
  2. Region Resilient: Operate as separate services in each region. Generally replicate data to multiple AZs in that region.
  3. AZ Resilient: Run from a single AZ. It is possible for hardware to fail in an AZ and the service to keep running because of redundant equipment, but should not be relied on.

1.2.4. AWS Default VPC

VPC is a virtual network inside of AWS. A VPC is within 1 account and 1 region which makes it regionally resilient. A VPC is private and isolated until decided otherwise.

One default VPC per region. Can have many custom VPCs which are all private by default.

1.2.4.1. Default VPC Facts

VPC CIDR - defines start and end ranges of the VPC. IP CIDR of a default VPC is always: 172.31.0.0/

Configured to have one subnet in each AZ in the region by default.

Subnets are given one section of the IP ranges for the default service. They are configured to provide anything that is deployed inside those subnets with public IPv4 addresses.

In general do not use the Default VPC in a region because it is not flexible.

Default VPC is large because it uses the /16 range. A subnet is smaller, such as /20. The higher the / number is, the smaller the grouping.

Two /17's will fit into a /16, sixteen /20 subnets can fit into one /16.
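The subnet arithmetic above, worked through with the standard-library ipaddress module. This is an added example, not part of the cheat sheet: it carves the 172.31.0.0/16 default VPC range the sheet describes into per-AZ /20 subnets, and it also accounts for the five addresses AWS reserves in every subnet (network address, VPC router, DNS, one reserved for future use, broadcast), which the sheet does not mention.

```python
import ipaddress
from typing import List, Optional


def subnets_that_fit(parent_prefix: int, child_prefix: int) -> int:
    """How many /child_prefix blocks fit into one /parent_prefix block (IPv4).

    Every extra prefix bit halves the block, so the count is 2 ** (child - parent):
    two /17s or sixteen /20s in a /16, exactly as the sheet states.
    """
    if not (0 <= parent_prefix <= child_prefix <= 32):
        raise ValueError("child prefix must be >= parent prefix, both within 0..32")
    return 2 ** (child_prefix - parent_prefix)


def carve_subnets(vpc_cidr: str, new_prefix: int, count: Optional[int] = None) -> List[str]:
    """Split a VPC CIDR into consecutive /new_prefix subnets, the way a VPC is
    divided into one subnet per AZ. strict=True rejects a CIDR with host bits set."""
    net = ipaddress.ip_network(vpc_cidr, strict=True)
    subs = [str(s) for s in net.subnets(new_prefix=new_prefix)]
    return subs if count is None else subs[:count]


def usable_hosts(subnet_cidr: str) -> int:
    """Addresses you can actually assign in an AWS subnet: AWS reserves the first
    four addresses and the last one, so 5 are unusable in every subnet."""
    net = ipaddress.ip_network(subnet_cidr)
    return net.num_addresses - 5


if __name__ == "__main__":
    # Constructed input: the default VPC range split into three per-AZ /20 subnets.
    print(subnets_that_fit(16, 17), "x /17 per /16")   # 2
    print(subnets_that_fit(16, 20), "x /20 per /16")   # 16
    print(carve_subnets("172.31.0.0/16", 20, count=3))
    print(usable_hosts("172.31.0.0/20"), "usable hosts in a /20")  # 4091
```

The usable-host figure is the one that bites when sizing subnets for auto-scaling groups or Lambda-in-VPC: a /28 has 16 addresses but only 11 you can use.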

1.2.5. Elastic Compute Cloud (EC2)

Default compute service. Provides access to virtual machines called instances.

1.2.5.1. Infrastructure as a Service (IaaS)

The unit of consumption is an instance. An EC2 instance is configured to launch into a single VPC subnet. Private service by default, public access must be configured. The VPC needs to support public access. If you use a custom VPC then you must handle the networking on your own.

EC2 deploys into one AZ. If it fails, the instance fails.

Different sizes and capabilities. All use On-Demand Billing - Per second. Only pay for what you consume.

Local on-host storage or Elastic Block Storage

Pricing based on:

- CPU
- Memory
- Storage
- Networking

Extra cost for any commercial software the instance deploys with.

1.2.5.2. Running State

Charged for all four categories.

- Running on a physical host using CPU.
- Using memory even with no processing.
- OS and its data are stored on disk, which is allocated to you.
- Networking is always ready to transfer information.

1.2.5.3. Stopped State

Login to the instance using an SSH key pair. Private Key - Stored on local machine to initiate connection. Public Key - AWS places this key on the instance.

1.2.6. S3 (Default Storage Service)

Global Storage platform. Runs from all regions and is a public service. Can be accessed anywhere from the internet with an unlimited amount of users.

This should be the default storage platform

S3 is object storage, not file or block storage. You can't mount an S3 bucket.

1.2.6.1. Objects

Can be thought of as a file. Two main components:

- Object Key: File name in a bucket
- Value: Data or contents of the object
  - Zero bytes to 5 TB

Other components:

- Version ID
- Metadata
- Access Control
- Sub resources

1.2.6.2. Buckets

- Created in a specific AWS Region.
- Data has a primary home region. Will not leave this region unless told.
- Blast Radius = Region
- Unlimited number of Objects
- Name is globally unique
- All objects are stored within the bucket at the same level.

If the object's name starts with a slash, such as /old/Koala1.jpg, the UI will present this as a folder. In actuality this is not true: there are no folders.

1.2.7. CloudFormation Basics

CloudFormation templates can be used to create, update, modify, and delete infrastructure.

They can be written in YAML or JSON. An example is provided below.

```yaml
# This is not mandatory unless a description is added
AWSTemplateFormatVersion: "version date"

# Give details as to what this template does.
# If you use this section, it MUST immediately follow the AWSTemplateFormatVersion.
Description: A sample template

# Can control the command line UI. The bigger your template, the more likely
# this section is needed
Metadata: template metadata

# Prompt the user for more data. Name of something, size of instance,
# data validation
Parameters: set of parameters

# Another optional section. Allows lookup tables, not used often
Mappings: set of mappings

# Decision making in the template. Things will only occur if a condition is met.
# Step 1: create condition
# Step 2: use the condition to do something else in the template
Conditions: set of conditions

Transform: set of transforms

# The only mandatory field of this section
Resources: set of resources

# Once the template is finished it can return data or information.
# Could return the admin or setup address of a WordPress blog.
Outputs: set of outputs
```

1.2.8. Resources

An example which creates an EC2 instance

```yaml
Resources:
  Instance:                          ## Logical Resource
    Type: 'AWS::EC2::Instance'       ## This is what will be created
    Properties:                      ## Configure the resource in a particular way
      ImageId: !Ref LatestAmiId      ## each !Ref refers to an entry in the Parameters section
      InstanceType: !Ref InstanceType
      KeyName: !Ref KeyName
```

Once a template is created, AWS will make a stack. This is a living and active representation of a template. One template can create infinite amount of stacks.

A CloudWatch alarm has two main states, OK or ALARM. A notification can be sent to an SNS topic, or an action can be performed, based on the alarm state. A third state is INSUFFICIENT_DATA. Not a problem, just wait.

1.2.10. Shared Responsibility Model

AWS: Responsible for security OF the cloud

Customer: Responsible for security IN the cloud

1.2.11. High Availability (HA), Fault-Tolerance (FT) and Disaster Recovery (DR)

1.2.11.1. High Availability (HA)

- Aims to ensure an agreed level of operational performance, usually uptime, for a higher than normal period
- Instead of diagnosing the issue, if you have a process ready to replace it, it can be fixed quickly and probably in an automated way.
- Spare infrastructure ready to switch customers over to in the event of a disaster to minimize downtime
- User disruption is not ideal, but is allowed
  - The user might have a small disruption or might need to log back in.
- Maximizing a system's uptime
  - 99.9% (Three 9's) = 8.7 hours downtime per year.
  - 99.999% (Five 9's) = 5.26 minutes downtime per year.

1.2.11.2. Fault-Tolerance (FT)

- System can continue operating properly in the event of the failure of some (one or more faults within) of its components
- Fault tolerance is much more complicated than high availability and more expensive. Outages must be minimized and the system needs levels of redundancy.
- An airplane is an example of a system that needs Fault Tolerance. It has more engines than it needs so it can operate through failure.

Example: A patient is waiting for life-saving surgery and is under anesthetic. While being monitored, the life support system is dosing medicine. This type of system cannot merely be highly available; even a moment of interruption is deadly.

1.2.11.3. Disaster Recovery (DR)

- Set of policies, tools and procedures to enable the recovery or continuation of vital technology infrastructure and systems following a natural or human-induced disaster.
- DR can largely be automated to eliminate the time for recovery and errors.

This involves:

- Pre-planning
  - Ensure plans are in place for extra hardware
  - Do not store backups at the same site as the system
- DR Processes
  - Cloud machines ready when needed

This is designed to keep the crucial and non replaceable parts of the system in place.

Used when HA and FT don't work.

1.2.12. Domain Name System (DNS)

DNS is a discovery service. It translates human-readable names into machine addresses and vice versa. It is a huge database and has to be distributed.

Parts of the DNS system

- DNS Client: Piece of software running on the OS for a device you're using.
- Resolver: Software on your device or server which queries DNS on your behalf.
- Zone: A part of the DNS database.
  - This would be amazon.com
  - What the data is, its substance
- Zone file: physical database for a zone
  - How physically that data is stored
- Nameserver: where zone files are hosted

Steps:

Find the Nameserver which hosts a particular zone file. Query that Nameserver for a record that is in that zone file. It then passes the information back to the DNS client.

1.2.12.1. DNS Root

The starting point of DNS. DNS names are read right to left with multiple parts separated by periods.

www.netflix.com. The last period is assumed to be there in a browser when it's not present. The DNS Root is hosted on DNS Root Servers (13). These are hosted by 12 major companies.

- Route 53 will check with the top level domain to see if the name is available
- Route 53 creates a zone file for the domain to be registered
- Allocates nameservers for that zone
  - Generally four of these for one individual zone
  - This is a hosted zone
  - The zone file will be put on these four managed nameservers
- Route 53 will communicate with the .org registry and add the nameserver records into the zone file for that top level domain.
  - This is done with a nameserver record (NS).

1.2.13.2. Route53 Details

Zone files in AWS are hosted on four managed name servers.

- Can be public or private (linked to one or more VPCs)

1.2.14. DNS Record

- Nameserver (NS): Allows delegation to occur in the DNS.
- A and AAAA Records: Map the host to a v4 or v6 address respectively. Most of the time you will make both types of record, A and AAAA.
- CNAME Record Type: Allows DNS shortcuts to reduce admin overhead. CNAMEs cannot point directly to an IP address, only to another name.
- MX records: How emails are sent. They have two main parts:
  - Priority: Lower values for the priority field are higher priority.
  - Value
    - If it is just a host, it will not have a dot on the right. It is assumed to be part of the same zone as the host.
    - If you include a dot on the right, it is a fully qualified domain name.
- TXT Record: Allows you to add arbitrary text to a domain. One common usage is to prove domain ownership.

1.2.14.1. TTL - Time To Live

This is a numeric setting on DNS records, in seconds. It allows the admin to specify how long the answer can be cached at the resolver. If you need to update the records, it is smart to lower the TTL value first.

Getting the answer from an Authoritative Source is known as an Authoritative Answer.

If another client queries the same thing, they will get back a Non-Authoritative response.
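The TTL behaviour described above, as an added example that is not part of the cheat sheet. It is a constructed model of a zone's authoritative nameserver and one caching resolver (not Route 53 or any real resolver): the first query is answered authoritatively, later ones come from cache until the TTL expires, and the simulation shows how long clients keep getting the old address after a record change, with and without lowering the TTL beforehand. The hostname and the 192.0.2.x addresses are constructed documentation values.

```python
NAME = "www.example.com."   # constructed name, written with the trailing root dot
OLD_IP = "192.0.2.10"       # constructed addresses from the documentation range
NEW_IP = "192.0.2.20"


class Authoritative:
    """Stand-in for the nameserver hosting the zone file: name -> (value, ttl_seconds)."""
    def __init__(self):
        self.records = {}

    def set_record(self, name, value, ttl):
        self.records[name] = (value, ttl)

    def lookup(self, name):
        return self.records[name]


class Resolver:
    """Caching resolver: serves a cached answer until its TTL expires, then re-queries."""
    def __init__(self, authority):
        self.authority = authority
        self.cache = {}   # name -> (value, expires_at)

    def query(self, name, now):
        cached = self.cache.get(name)
        if cached is not None and now < cached[1]:
            return cached[0], "non-authoritative"   # answered from cache
        value, ttl = self.authority.lookup(name)
        self.cache[name] = (value, now + ttl)
        return value, "authoritative"               # answered by the zone's nameserver


def answer_kinds():
    """Two back-to-back queries: the first is authoritative, the second comes from cache."""
    auth = Authoritative()
    auth.set_record(NAME, OLD_IP, ttl=300)
    resolver = Resolver(auth)
    return [resolver.query(NAME, now=0)[1], resolver.query(NAME, now=10)[1]]


def first_time_new_ip_seen(lower_ttl_first, change_at=4000, poll_every=600, horizon=20000):
    """Simulate moving NAME from OLD_IP to NEW_IP at t=change_at (seconds since start).

    A client behind one caching resolver polls every poll_every seconds. The resolver
    cached the record at t=0 with the original 3600 s TTL. Returns the first time the
    client receives NEW_IP, or None if it never does within the horizon.
    """
    auth = Authoritative()
    resolver = Resolver(auth)
    auth.set_record(NAME, OLD_IP, ttl=3600)
    resolver.query(NAME, now=0)                      # cache OLD_IP until t=3600
    if lower_ttl_first:
        auth.set_record(NAME, OLD_IP, ttl=60)        # TTL lowered well ahead of the change
    changed = False
    for now in range(poll_every, horizon, poll_every):
        if now >= change_at and not changed:
            auth.set_record(NAME, NEW_IP, ttl=3600)  # the actual record update
            changed = True
        value, _ = resolver.query(NAME, now)
        if value == NEW_IP:
            return now
    return None


if __name__ == "__main__":
    print(answer_kinds())
    print("new IP seen without lowering TTL:", first_time_new_ip_seen(False))  # 7200
    print("new IP seen after lowering TTL:  ", first_time_new_ip_seen(True))   # 4200
```

Without the TTL change the resolver re-caches the old address for another full hour just before the migration, so clients see stale data for 3200 s after the change; with the TTL lowered in advance the stale window shrinks to 200 s, which is the whole point of lowering it first.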

1.3. IAM-Accounts-AWS-Organizations

1.3.1. IAM Identity Policies

Identity Policies are attached to AWS Identities which are IAM users, IAM groups, and IAM roles. These are a set of security statements that ALLOW or DENY access to AWS resources.

When an identity attempts to access AWS resources, that identity needs to prove who it is to AWS, a process known as Authentication. Once authenticated, that identity is known as an authenticated identity

1.3.1.1. Statement Components

- Statement ID (SID): Optional field that should help describe
  - The resource you're interacting with
  - The actions you're trying to perform
- Effect: is either allow or deny.
  - It is possible to be allowed and denied at the same time
- Action: formatted service:operation. There are three options:
  - specific individual action
  - wildcard as an action
  - list of multiple independent actions
- Resource: similar to action except for the format, e.g. arn:aws:s3:::catgifs

1.3.1.2. Priority Level

- Explicit Deny: Denies access to a particular resource and cannot be overruled.
- Explicit Allow: Allows access so long as there is not an explicit deny.
- Default Deny (Implicit): IAM identities start off with no resource access.

1.3.1.3. Inline Policies and Managed Policies

- Inline Policy: grants access and is assigned to each identity individually.
- Managed Policy (best practice): one policy is applied to all users at once.

1.3.2. IAM Users

Identity used for anything requiring long-term AWS access

- Humans
- Applications
- Service Accounts

If you can name a thing to use the AWS account, this is an IAM user.

IAM Groups are containers for users. You cannot log in to IAM groups; they have no credentials of their own. Used solely for management of IAM users.

Groups bring two benefits

  1. Effective administrative style management of users based on the team
  2. Groups can have Inline and Managed policies attached.

AWS merges all of the policies from all groups the user is in together.

- The 5000 IAM user limit applies to groups.
- There is no all-users IAM group.
  - You can create a group and add all users into that group, but it needs to be created and managed on your own.
- No Nesting: You cannot have groups within groups.
- 300 Group Limit per account. This can be fixed with a support ticket.

Resource Policy: A bucket can have a policy associated with that bucket. It does so by referencing the identity using an ARN (Amazon Resource Name). A policy on a resource can reference IAM users and IAM roles by the ARN. A bucket can give access to one or more users or one or more roles.

GROUPS ARE NOT A TRUE IDENTITY THEY CAN'T BE REFERENCED AS A PRINCIPAL IN A POLICY

An S3 Resource cannot grant access to a group, it is not an identity. Groups are used to allow permissions to be assigned to IAM users.

1.3.4. IAM Roles

A single thing that uses an identity is an IAM User.

IAM Roles are also identities, but they are used by large groups of individuals. If you have more than 5000 principals, it could be a candidate for an IAM Role.

IAM Roles are assumed: when you assume a role, you become that role.

This can be used short term by other identities.

IAM Users can have inline or managed policies which control which permissions the identity gets within AWS.

Policies grant (allow or deny) permissions based on their associations.

IAM Roles have two types of policies attached:

- Trust Policy: Specifies which identities are allowed to assume the role.
- Permissions Policy: Specifies what the role is allowed to do.

If an identity is allowed on the Trust Policy , it is given a set of Temporary Security Credentials. Similar to access keys except they are time limited to expire. The identity will need to renew them by reassuming the role.

Every time the Temporary Security Credentials are used, the access is checked against the Permissions Policy. If you change the policy, the permissions of the temp credentials also change.

Roles are real identities and can be referenced within resource policies.

Security Token Service (sts:AssumeRole) is what generates the temporary security credentials (TSC).

1.3.5. When to use IAM Roles

Lambda Execution Role. For a given Lambda function, you cannot determine the number of principals, which suggests a Role might be the ideal identity to use.

- Trust Policy: to trust the Lambda Service
- Permission Policy: to grant access to AWS services.

When this is run, it uses the sts:AssumeRole to generate keys to CloudWatch and S3.

It is better when possible to use an IAM Role versus attaching a policy.

1.3.5.1. Emergency or out of the usual situations

Break Glass Situation - There is a key for something the team does not normally have access to. When you break the glass, you must have a reason to do so. A role can have an Emergency Role which will allow further access if it's really needed.

1.3.5.2. Adding AWS into existing corp environment

You may have an existing identity provider you are trying to allow access to. This may offer SSO (Single Sign On) or have over 5000 identities. It is useful to reuse your existing identities for AWS. External accounts can't be used to access AWS directly. To solve this, you allow an IAM role in the AWS account to be assumed by one of the Active Directory identities. ID Federation allows an external service to assume a role.

1.3.5.3. Making an app with 1,000,000 users

Web Identity Federation uses IAM roles to allow broader access. These allow you to use an existing web identity such as google, facebook, or twitter to grant access to the app. We can trust these web identities and allow those identities to assume an IAM role to access web resources such as DynamoDB. No AWS Credentials are stored on the application. Can scale quickly and beyond.

- A specific Organizational Unit
- A specific member only.

The master account cannot be restricted by SCPs which means this should not be used because it is a security risk.

SCPs limit what the account, including root can do inside that account. They don't grant permissions themselves, just act as a barrier.

1.3.7.1. Allow List vs Deny List

Deny list is the default.

When you enable SCPs on your org, AWS applies FullAWSAccess. This means the SCPs have no effect because nothing is restricted. It has zero influence by itself.

```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*"
  }
}
```

SCPs by themselves don't grant permissions. When SCPs are enabled, there is an implicit deny.

You must then add any services you want to Deny, such as DenyS:

```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Deny",
    "Action": "s3:*",
    "Resource": "*"
  }
}
```

Deny List is a good default because it allows for the use of growing services offered by AWS. A lot less admin overhead.

Allow List allows you to be conscious of your costs.

- To begin, you must remove the FullAWSAccess list
- Then, specify which services need to be allowed access.
- Example AllowS3EC2 is below

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:*", "ec2:*"],
      "Resource": "*"
    }
  ]
}
```
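An added example, not part of the cheat sheet, that puts two of its passages into code: the priority rule for identity policies (explicit deny beats explicit allow, which beats the implicit default deny) and the way SCPs bound, but never grant, what an identity policy allows in a member account, under both the deny-list and the allow-list model. The three SCP documents are the FullAWSAccess, DenyS3 and AllowS3EC2 policies from the sheet; the identity policy, the catgifs ARNs and the 111122223333 account id are constructed. It simplifies real evaluation in one way, stated in the code: the SCPs are passed as one flat list instead of being evaluated at every OU level.

```python
import fnmatch

# SCP documents from the cheat sheet (FullAWSAccess is what AWS attaches on enabling SCPs).
FULL_AWS_ACCESS = {"Version": "2012-10-17",
                   "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}
DENY_S3 = {"Version": "2012-10-17",
           "Statement": {"Effect": "Deny", "Action": "s3:*", "Resource": "*"}}
ALLOW_S3_EC2 = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": ["s3:*", "ec2:*"], "Resource": "*"}]}

# Constructed identity policy for the demo, attached to some IAM user or role.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CatGifsFullAccess", "Effect": "Allow", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::catgifs", "arn:aws:s3:::catgifs/*"]},
        {"Sid": "Ec2ReadOnly", "Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Sid": "DdbRead", "Effect": "Allow", "Action": "dynamodb:GetItem", "Resource": "*"},
        {"Sid": "NeverDelete", "Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
    ],
}

# Deny-list org: FullAWSAccess stays attached and specific services are denied on top.
DENY_LIST_SCPS = [FULL_AWS_ACCESS, DENY_S3]
# Allow-list org: FullAWSAccess removed, only the listed services are allowed.
ALLOW_LIST_SCPS = [ALLOW_S3_EC2]


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _matches(pattern, value):
    # IAM wildcards: '*' matches any run of characters, '?' a single one; fnmatch does the same.
    return fnmatch.fnmatchcase(value, pattern)


def evaluate(policy_docs, action, resource):
    """Evaluate one action against one resource ARN over a set of policy documents.

    Returns 'explicit_deny', 'allow' or 'implicit_deny', applying the priority from the
    sheet: a matching Deny wins outright, a matching Allow wins only if no Deny matches,
    and with no matching statement at all the result is the default (implicit) deny.
    """
    decision = "implicit_deny"
    for doc in policy_docs:
        for stmt in _as_list(doc["Statement"]):
            action_hit = any(_matches(a, action) for a in _as_list(stmt["Action"]))
            resource_hit = any(_matches(r, resource) for r in _as_list(stmt["Resource"]))
            if not (action_hit and resource_hit):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit_deny"   # cannot be overruled, stop immediately
            decision = "allow"           # keep scanning: a later Deny still wins
    return decision


def is_allowed(identity_policies, action, resource, scps=None):
    """Effective decision inside a member account.

    The SCPs in force must allow the action (they never grant anything, they only
    bound) AND the identity policies must allow it. Simplification: `scps` is one
    flat list; real SCPs are evaluated at every OU level between root and account.
    """
    if scps is not None and evaluate(scps, action, resource) != "allow":
        return False
    return evaluate(identity_policies, action, resource) == "allow"


if __name__ == "__main__":
    obj = "arn:aws:s3:::catgifs/cat1.jpg"
    table = "arn:aws:dynamodb:us-east-1:111122223333:table/cats"   # constructed ARN
    print(evaluate([IDENTITY_POLICY], "s3:GetObject", obj))        # allow
    print(evaluate([IDENTITY_POLICY], "s3:DeleteObject", obj))     # explicit_deny
    print(is_allowed([IDENTITY_POLICY], "s3:GetObject", obj, scps=DENY_LIST_SCPS))       # False
    print(is_allowed([IDENTITY_POLICY], "dynamodb:GetItem", table, scps=ALLOW_LIST_SCPS))  # False
```

Note the last line: the identity policy allows dynamodb:GetItem, yet under the allow-list SCPs the call fails, which is exactly the "SCPs act as a barrier" behaviour the sheet describes. Under the deny-list SCPs the same identity loses all S3 access but keeps its EC2 read-only access.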

1.3.8. CloudWatch Logs

This is a public service; it can be used from an AWS VPC or from an on-premises environment.

It allows you to store, monitor and access logging data.

- A log event is a piece of information (data) and a timestamp
- Can have more fields, but at least these two

Comes with some AWS integrations. Security is provided with IAM roles or service roles. Can generate metrics based on logs using a metric filter.

1.3.8.1. Architecture of CloudWatch Logs

It is a regional service (e.g. us-east-1). It needs logging sources such as external APIs or databases. These send information as log events, which are stored in log streams. A log stream is a sequence of log events from the same source.

Log Groups are containers for multiple logs streams of the same type of logging. This also stores configuration settings such as retention settings and permissions.

Once the settings are defined on a log group, they apply to all log streams in that log group. Metric filters are also applied on the log groups.
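The log group / log stream / metric filter structure above, as an added example that is not part of the cheat sheet. It is a constructed in-memory model, not the CloudWatch Logs API: retention and the metric filter are defined on the group and therefore apply to every stream in it, as the sheet states. The filter is a simplified term match (every term must appear in the message); real CloudWatch filter patterns are richer. The instance ids, timestamps and log lines are constructed sample data.

```python
from dataclasses import dataclass, field

NOW_MS = 1_700_000_000_000   # constructed "current time", epoch milliseconds
DAY_MS = 86_400_000


@dataclass
class LogEvent:
    timestamp: int    # epoch milliseconds, as CloudWatch Logs records them
    message: str


@dataclass
class LogGroup:
    """Container for log streams of one kind; retention and filters live here, not per stream."""
    name: str
    retention_days: int
    streams: dict = field(default_factory=dict)   # stream name -> list[LogEvent]

    def put_events(self, stream_name, events):
        """Append events to a stream (a stream is the sequence of events from one source)."""
        self.streams.setdefault(stream_name, []).extend(events)

    def apply_retention(self, now_ms):
        """Drop events older than the group's retention from every stream; return the count removed."""
        cutoff = now_ms - self.retention_days * DAY_MS
        removed = 0
        for name, events in self.streams.items():
            kept = [e for e in events if e.timestamp >= cutoff]
            removed += len(events) - len(kept)
            self.streams[name] = kept
        return removed


def metric_filter_count(group, terms):
    """Simplified metric filter: count events whose message contains every term.

    Defined on the group, so it runs over all streams, which is what lets one
    filter turn 'ERROR' lines from every instance into a single metric.
    """
    return sum(
        1
        for events in group.streams.values()
        for e in events
        if all(term in e.message for term in terms)
    )


def build_sample_group():
    """Constructed sample: two EC2 instances shipping one application log into one group."""
    group = LogGroup(name="/app/web", retention_days=7)
    group.put_events("i-0123456789abcdef0", [
        LogEvent(NOW_MS - 5_000, "INFO request path=/health status=200"),
        LogEvent(NOW_MS - 4_000, "ERROR auth: invalid token for user alice"),
        LogEvent(NOW_MS - 3_000, "ERROR db: connection refused"),
    ])
    group.put_events("i-0fedcba9876543210", [
        LogEvent(NOW_MS - 10 * DAY_MS, "ERROR auth: invalid token for user bob"),  # older than retention
        LogEvent(NOW_MS - 2_000, "WARN disk usage 91%"),
    ])
    return group


def demo():
    """Return (ERROR count before retention, events removed, ERROR count after, auth errors after)."""
    group = build_sample_group()
    before = metric_filter_count(group, ["ERROR"])
    removed = group.apply_retention(NOW_MS)
    after = metric_filter_count(group, ["ERROR"])
    auth_errors = metric_filter_count(group, ["ERROR", "auth:"])
    return before, removed, after, auth_errors


if __name__ == "__main__":
    print(demo())   # (3, 1, 2, 1)
```

The retention step is the part worth noticing from a security standpoint: once the group's retention expires an event, it is gone from every stream, so a retention period shorter than your investigation window silently deletes evidence.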

1.3.9. CloudTrail Essentials

Concerned with who did what.

Logs API calls or activities as CloudTrail Events.

Stores the last 90 days of events in the Event History. This is enabled by default at no additional cost.

To customize the service you need to create a new trail. There are two types of events. By default only Management Events are logged.

- Management Events: Provide information about management operations performed on resources in the AWS account, such as creating an EC2 instance or terminating one.