AWS Cloud Practitioner Study Session Eight

January 02, 2026

I am taking the AWS Cloud Practitioner Exam in approximately two days and want to ensure I am prepared. This series will serve as non-exhaustive note taking for the information that I am internalizing as I go.

Study materials:

• Free Code Camp Preparation
• AWS Certified Solutions Architect Practice Tests
• AWS Cloud Practitioner Essentials
• AWS Documentation
  • What is Cloud Computing?
  • Shared Responsibility Model
  • Regions and Availability Zones
  • Containers on AWS
  • Amazon Elastic Container Registry
  • Amazon Elastic Container Service
  • Amazon Elastic Kubernetes Service
  • AWS Fargate
  • AWS Elastic Beanstalk
  • AWS Batch
  • What is Amazon Lightsail?
  • What is AWS Outposts?
  • Choosing a modern application strategy
  • AWS Global Infrastructure
  • AWS for the Edge
  • AWS CloudFormation
  • Amazon Virtual Private Cloud
  • Subnet
  • Internet gateway
  • Virtual private gateway
  • AWS Client VPN
  • AWS Site-to-Site VPN
  • AWS PrivateLink
  • AWS Direct Connect
  • Network Access Control List (network ACL)
  • Security groups
  • Domain Name System (DNS)
  • Amazon Route 53
  • Amazon CloudFront
  • AWS Global Accelerator
  • Amazon Transit Gateway
  • NAT Gateway
  • API Gateway
  • Amazon EC2 Instance Store User Guide
  • Amazon Elastic Block Store (Amazon EBS)
  • Amazon Elastic Block Store (Amazon EBS) FAQ
  • Amazon EBS Snapshots User Guide
  • Amazon Data Lifecycle Manager User Guide
  • Amazon Simple Storage Service (Amazon S3)
  • Amazon Simple Storage Service (Amazon S3) FAQ
  • Amazon S3 Storage Classes
  • Amazon S3 Versioning User Guide
  • Amazon S3 Buckets User Guide
  • Amazon Elastic File System (Amazon EFS)
  • Amazon Elastic File System (Amazon EFS) FAQ
  • Amazon FSx
  • Amazon FSx for Windows File Server
  • Amazon FSx for NetApp ONTAP
  • Amazon FSx for OpenZFS
  • Amazon FSx for Lustre
  • AWS Storage Gateway
  • Amazon S3 File Gateway
  • Tape Gateway
  • Volume Gateway
  • Amazon Relational Database Service (Amazon RDS)
  • Amazon RDS Security
  • Amazon Aurora
  • AWS Database Migration Service (AWS DMS)
  • Amazon DynamoDB
  • Amazon ElastiCache
  • Amazon DocumentDB
  • Amazon Backup
  • Amazon Neptune
  • What Is a Relational Database?
  • What Is a NoSQL Database?
  • What Is an In-Memory Caching Service?
  • AWS Shared Responsibility Model
  • Amazon Comprehend
  • Amazon Polly
  • Amazon Transcribe
  • Amazon Translate
  • Amazon Kendra
  • Amazon Rekognition
  • Amazon Textract
  • Amazon Lex
  • Amazon Personalize
  • Amazon SageMaker AI
  • Amazon SageMaker JumpStart
  • Amazon Bedrock
  • Amazon Q Business
  • Amazon Q Developer
  • Amazon Kinesis Data Streams
  • Amazon Data Firehose
  • Amazon S3
  • Amazon Redshift
  • AWS Glue Data Catalog
  • AWS Glue
  • Amazon EMR
  • Amazon Athena
  • Amazon QuickSight
  • Amazon OpenSearch Service
  • AWS Identity and Access Management (IAM)
  • AWS IAM Identity Center
  • AWS Secrets Manager
  • AWS Systems Manager
  • AWS Shield
  • AWS WAF
  • AWS Key Management Service (AWS KMS)
  • Amazon Macie
  • AWS Certificate Manager (ACM)
  • Amazon Inspector
  • Amazon GuardDuty
  • Amazon Detective
  • AWS Security Hub
• ChatGPT

Notes:

Authentication: Process of verifying identity of user or entity. Authorization: Grants users certain access rights / permissions.

Shared Responsibility Model

Customers: Security in the cloud: Customers are responsible for securing everything they create and manage in the AWS Cloud.

AWS: Security of the cloud: AWS operates, manages, controls components of all layers of the infrastructure. (Foundational software, virtualization, hardware and global infrastructure that supports DBs from which services operate.)

AWS Security Controls:

• Prevent security incidents through proper permission and access management.
• Protect networks, applications, data.
• Detect and respond to security incidents as they occur.

IAM is deny by default. IAM Roles allow users to gain temporary access to permissions. Example, an employee might need to work as a barista in morning and cashier in afternoon. An AWS account can only have one root user, which cannot be deleted.

Principle of least privilege dictactes that you should only give people and systems access to what they need and nothing else.

AWS IAM Identity Center

• Centralizes IAM, also connects to existing identity source, provides workforce with sso access to all connected AWS services and accounts (federated IAM).

Federated identity management is a system that allows users to access multiple applications, services, or domains uing a single set of credentials.

AWS Secrets Manager

• Provides a secure way to manage, rotate, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. This helps keep your applications, services, and IT resources safe.

Secrets are confidential or private information intended to be known only to specific individuals or groups. Examples: passwords, database credentials, API keys.

AWS Systems Manager

• Provides a centralized view of nodes across your org’s accounts and Regions in multi-cloud and hybrid environments. Enables quickly accessing node info, such as ID and OS details, automate registry edits, user management, secure patching.

Nodes are connection points in a network, system, or structure.

Network and Application Attacks

• DoS Attacks - Attacker floods web app with excessive network traffic.
• DDoS Attack - Attacker can use multiple infected computers to unknowingly send excessive traffic to web applciation.

AWS Network and Application Protection

• AWS Protection through Infrastructure

• Security Groups - Only allow in proper request traffic. Operate at the AWS network level so they can shrug off massive attacks using the entire AWS Region’s capacity.

• Elastic Load Balancing (ELB) - ELB handles traffic first before handing it off, so your frontend server is not overwhelmed. Like security groups, it runs at Region level.

• AWS Regions - Enormous capacity of Regions makes them difficult to overwhelm.

AWS Protection through Services

• AWS Standard Shield - Designed to automatically protect AWS customers from the most common, frequently occuring types of DDoS attacks at no cost.
• AWS Shield Advanced - Paid service that provides detailed attack diagnostics and ability to detect and mitigate sophisticated DDoS attacks. Integrates with CloudFront, Route 53, and ELB.
• AWS WAF - Web application firewall that monitors network requests that come into web apps. Checks IP address of requests against ACL.

Types of Data Encryption

• Data Encryption at Rest
• Data Encryption in Transit - SSL/TLS certificates are used to establish encrypted network connections fom one system to another.

AWS Data Protection

• Amazon S3 - All new buckets have encryption configred, all uploaded objects encrypted at rest.
• Amazon EBS - Volumes and snapshots can be encrypted at rest, including boot and data volumes of an Amazon EC2 instance.
• Amazon DynamoDB - Server-side encryption at rest is enabled on table data using encryption keys stored in AWS Key Management Service (AWS KMS)

AWS Protection Services

• AWS Key Management Service (AWS KMS) - Can use AWS KMS to create and manage cryptographic keys.
• Can control the use of keys across wide range of services and in your applications.
• Cryptographic key - Random string of digits used for locking (encrypting) and unlocking (decrypting) data

Amazon Macie

• Can monitor your sensitive data at rest to make sure it’s safe. Uses ML and automation to discover sensitive data stored in Amazon S3. Can use Macie to assess your security posture.

AWS Certificate Manager (ACM)

• Centralizes the management of SSL/TLS certificates that provide data encryption in transit. Can be used to protect various AWS services and connected on-prem resources.
• SSL/TLS certificates used to establish encrypted network connections from one system to another.

Detection and Response Services

• Amazon Inspector - Helps improve the security and compliance of applications by running automated security assessments for Amazon EC2 instances, containers, and Lambda functions.
• Amazon GuardDuty - Provides intelligent threat detection across your infrastructure and resources. Uses known malicious IP addresses, anomaly detection, ML to identify threats more accurately.
• Can view in AWS Management Console. Can configure AWS Lambda functions to perform remediation steps automatically.
• Amazon Detective - After threat detected, can use Amazon Detective to further investigate root cause. Uses visualizations
• AWS Security Hub - Brings multiple security services together into single place and format. Automatically aggregates security findings from AWS and partner services, organizes them into actionable, meaningful groupings called insights. Can accelerate time to resolution with automated remediation.