
Section 16-20

Section 16: Account Management, Billing & Support

16.1 AWS Organizations

  • Global service
  • Lets you manage multiple AWS accounts from one place
  • The main account is the management account (formerly called the master account)
  • Cost benefits:
    • Consolidated billing across all accounts: a single payment method
    • Pricing benefits from aggregated usage (volume discounts for EC2, S3, …)
    • Pooling of Reserved EC2 Instances across accounts for optimal savings
  • An API is available to automate AWS account creation
  • Restrict account privileges using Service Control Policies (SCPs)

1. Multi-Account Strategies

  • Create accounts per department, per cost center, per dev / test / prod, based on regulatory restrictions (enforced with SCPs), for better resource isolation (e.g. separate VPCs), to get separate per-account service quotas, and as an isolated account for logging
  • Multi Account vs One Account Multi VPC
  • Use tagging standards for billing purposes
  • Enable CloudTrail on all accounts, send the logs to an S3 bucket in a central logging account
  • Send CloudWatch Logs to the central logging account

2. AWS Organization – Consolidated Billing

  • When enabled, provides you with:
    • Combined usage: usage across all AWS accounts in the organization is combined to share volume pricing and Reserved Instance and Savings Plans discounts
    • One bill: a single bill for all AWS accounts in the organization
  • The management account can turn off Reserved Instance discount sharing for any account in the organization, including itself

16.2 Service Control Policies (SCP)

  • Allow list or deny list of IAM actions
  • Applied at the OU or account level
  • Does not apply to the management account
  • Applies to all users and roles of the account, including the root user
  • Does not affect service-linked roles
    • Service-linked roles enable other AWS services to integrate with AWS Organizations and can't be restricted by SCPs
  • An SCP never grants permissions; an action is allowed only if an SCP at every level (root, each OU on the path, the account itself) explicitly allows it and no SCP on that path denies it. The default FullAWSAccess SCP allows everything, so in deny-list style you only add explicit Deny statements; detach it and you are in allow-list style, where only explicitly allowed actions work
  • The principal still needs an IAM (identity-based or resource-based) policy that allows the action
  • Use cases:
    • Restrict access to certain services (for example: can’t use EMR)
    • Enforce PCI compliance by explicitly denying services that are not in scope
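What the rules above amount to in practice, as an added example that is not part of the original notes: a small Python simulator of the SCP evaluation logic. The organization tree, the account IDs and the four policies are constructed for the demo; Condition elements, NotAction and resource-level matching are not modelled.

```python
"""Simulator for the SCP evaluation rules listed above (added example, not part of
the original notes). Organization tree, account IDs and policies are constructed
for the demo; Condition elements, NotAction and resource matching are not modelled."""
from fnmatch import fnmatchcase

MANAGEMENT_ACCOUNT = "111111111111"  # assumed ID of the management account

# Constructed organization: path from the root down to each account's parent OU.
ORG_PATHS = {
    "111111111111": ["root"],
    "222222222222": ["root", "ou-workloads", "ou-prod"],
    "333333333333": ["root", "ou-sandbox"],
}

# The SCP AWS attaches by default: it allows everything, so on its own it changes nothing.
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Deny-list style: keep FullAWSAccess and forbid a service (here: EMR).
DENY_EMR = {"Statement": [{"Effect": "Deny", "Action": "elasticmapreduce:*", "Resource": "*"}]}

# Protect the central audit trail from being switched off by anyone in the account.
DENY_TRAIL_TAMPERING = {"Statement": [{
    "Effect": "Deny",
    "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
    "Resource": "*",
}]}

# Allow-list style: FullAWSAccess has been detached, so only the listed services work.
SANDBOX_ALLOW_LIST = {"Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:*", "s3:*", "cloudwatch:*"],
    "Resource": "*",
}]}

# Which SCPs are attached to which node. Every node always has at least one SCP
# (AWS will not let you detach the last one), so a missing entry means FullAWSAccess.
ATTACHMENTS = {
    "root": [FULL_AWS_ACCESS],
    "ou-workloads": [FULL_AWS_ACCESS, DENY_EMR],
    "ou-prod": [FULL_AWS_ACCESS, DENY_TRAIL_TAMPERING],
    "ou-sandbox": [SANDBOX_ALLOW_LIST],
}


def _action_matches(pattern, action):
    """IAM action matching: case-insensitive, '*' wildcards, string or list of patterns."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _node_verdict(policies, action):
    """Verdict of all SCPs attached to one node: an explicit Deny beats any Allow,
    and with no matching Allow at all the result is an implicit deny."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _action_matches(stmt["Action"], action):
                continue
            if stmt["Effect"] == "Deny":
                return "deny"
            allowed = True
    return "allow" if allowed else "implicit_deny"


def scp_allows(account_id, action, attachments=ATTACHMENTS):
    """True if the SCP layer lets `action` through for any principal (root user
    included) in `account_id`."""
    if account_id == MANAGEMENT_ACCOUNT:
        return True  # SCPs never apply to the management account
    for node in ORG_PATHS[account_id] + [account_id]:
        # Every level root -> OU(s) -> account must contain a matching Allow
        # and none of them may contain a matching Deny.
        if _node_verdict(attachments.get(node, [FULL_AWS_ACCESS]), action) != "allow":
            return False
    return True


def effective_allow(account_id, action, iam_allows):
    """SCPs only set the ceiling: the principal still needs an Allow from an
    identity-based or resource-based policy."""
    return scp_allows(account_id, action) and iam_allows


if __name__ == "__main__":
    checks = [
        ("111111111111", "elasticmapreduce:RunJobFlow"),  # management account: unaffected
        ("222222222222", "elasticmapreduce:RunJobFlow"),  # denied at ou-workloads
        ("222222222222", "cloudtrail:StopLogging"),       # denied at ou-prod, even for root
        ("222222222222", "ec2:RunInstances"),             # allowed all the way down
        ("333333333333", "iam:CreateUser"),               # no Allow at ou-sandbox: implicit deny
    ]
    for account, action in checks:
        print(f"{account} {action:32s} {scp_allows(account, action)}")
```

Run it and edit ATTACHMENTS to see the two styles: removing FullAWSAccess from an OU flips that whole subtree into allow-list mode, while a Deny anywhere on the path wins no matter what is attached further down, which is why a Deny on cloudtrail:StopLogging placed high in the tree is the usual way to protect the organization trail.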

16.3 AWS Control Tower – Multi Account Management

  • Easy way to set up and govern a secure, compliant multi-account AWS environment based on best practices
  • Benefits:
    • Automate the set up of your environment in a few clicks
    • Automate ongoing policy management using guardrails
    • Detect policy violations and remediate them
    • Monitor compliance through an interactive dashboard
  • AWS Control Tower runs on top of AWS Organizations:
    • It automatically sets up AWS Organizations to organize accounts and implement SCPs (Service Control Policies)

16.4 Pricing Models in AWS

  • AWS has 4 pricing models:
  • Pay as you go: pay for what you use, remain agile, responsive, meet scale demands
  • Save when you reserve: minimize risks, predictably manage budgets, comply with long-term requirements
    • Reservations are available for EC2 Reserved Instances, DynamoDB Reserved Capacity, ElastiCache Reserved Nodes, RDS Reserved Instances, Redshift Reserved Nodes
  • Pay less by using more: volume-based discounts
  • Pay less as AWS grows

Free services & free tier in AWS

  • IAM
  • VPC
  • Consolidated Billing
  • You do pay for the resources created
    • Elastic Beanstalk
    • CloudFormation
    • Auto Scaling Groups
  • Free Tier: https://aws.amazon.com/free/
    • EC2 t2.micro (or t3.micro) instance: 750 hours per month for 12 months
    • S3, EBS, ELB, AWS Data transfer

16.5 Compute Pricing – EC2

  • Only charged for what you use
  • Number of instances
  • Instance configuration:
    • Physical capacity
    • Region
    • OS and software
    • Instance type
    • Instance size
  • ELB running time and amount of data processed
  • Detailed monitoring
  • On-Demand instances:
    • Minimum of 60s
    • Pay per second (Linux/Windows) or per hour (other OS)
  • Reserved Instances:
    • Up to 72% discount compared to On-Demand on the hourly rate
    • 1- or 3-year commitment
    • All upfront, partial upfront, no upfront
  • Spot Instances:
    • Up to 90% discount compared to On-Demand on the hourly rate
    • Unused capacity: you set the maximum price you are willing to pay, and the instance is interrupted (with a two-minute warning) when AWS needs the capacity back, so it suits fault-tolerant workloads
  • Dedicated Host:
    • On-demand
    • Reservation for 1 year or 3 years commitment
  • Savings plans as an alternative to save on sustained usage

16.6 Compute Pricing – Lambda & ECS

  • Lambda:
    • Pay per call
    • Pay per duration
  • ECS:
    • EC2 launch type: no additional fee for ECS itself; you pay for the EC2 instances and EBS volumes that run your containers
  • Fargate:
    • Fargate launch type: pay for the vCPU and memory allocated to your containers, billed while they run

16.7 Storage Pricing – S3

  • Storage class: S3 Standard, S3 Infrequent Access, S3 One-Zone IA, S3 Intelligent Tiering, S3 Glacier and S3 Glacier Deep Archive.
  • Number and size of objects: Price can be tiered (based on volume)
  • Number and type of requests
  • Data transfer OUT of the S3 region; inbound data transfer into S3 is free
  • S3 Transfer Acceleration
  • Lifecycle transitions
  • Similar service: EFS (pay per use, has infrequent access & lifecycle rules)

16.8 Storage Pricing - EBS

  • Volume type (based on performance)
  • Storage volume in GB per month provisioned
  • IOPS:
    • General Purpose SSD: included
    • Provisioned IOPS SSD: provisioned amount in IOPS
    • Magnetic: Number of requests
  • Snapshots:
    • Added data cost per GB per month
  • Data transfer:
    • Outbound data transfer are tiered for volume discounts
    • Inbound is free

16.9 Database Pricing - RDS

  • Per hour billing
  • Database characteristics:
    • Engine
    • Size
    • Memory class
  • Purchase type:
    • On-demand
    • Reserved Instances (1 or 3 years) with all upfront, partial upfront, or no upfront payment
  • Backup Storage: There is no additional charge for backup storage up to 100% of your total database storage for a region.
  • Additional storage (per GB per month)
  • Number of input and output requests per month
  • Deployment type (storage and I/O are variable):
    • Single AZ
    • Multiple AZs
  • Data transfer:
    • Outbound data transfer are tiered for volume discounts
    • Inbound is free

16.10 Content Delivery – CloudFront

  • Pricing differs across geographic regions
  • Usage is aggregated per edge location, then applied to your bill
  • Data Transfer Out (volume discount)
  • Number of HTTP/HTTPS requests

16.11 Networking Costs in AWS per GB - Simplified

  • Use private IPs instead of public IPs: traffic then stays on the AWS network, which is cheaper and gives better network performance
  • Keep traffic within the same AZ for maximum savings (at the cost of high availability, since one AZ is one failure domain)

16.12 Savings Plan

  • Commit a certain $ amount per hour for 1 or 3 years
  • Easiest way to setup long-term commitments on AWS
  • EC2 Savings Plan
    • Up to 72% discount compared to On-Demand
    • Commit to usage of individual instance families in a region (e.g. C5 or M5)
    • Regardless of AZ, size (m5.xl to m5.4xl), OS (Linux/Windows) or tenancy
    • All upfront, partial upfront, no upfront
  • Compute Savings Plan
    • Up to 66% discount compared to On-Demand
    • Regardless of Family, Region, size, OS, tenancy, compute options
    • Compute Options: EC2, Fargate, Lambda
  • Machine Learning Savings Plan: SageMaker…
  • Setup from the AWS Cost Explorer console
  • Estimate pricing at https://aws.amazon.com/savingsplans/pricing/

16.13 AWS Compute Optimizer

  • Reduces costs and improves performance by recommending optimal AWS resources for your workloads
  • Helps you choose optimal configurations and right-size your workloads (over- or under-provisioned)
  • Uses Machine Learning to analyze your resources’ configurations and their utilization CloudWatch metrics
  • Supported resources
    • EC2 instances
    • EC2 Auto Scaling Groups
    • EBS volumes
    • Lambda functions
  • Lower your costs by up to 25%
  • Recommendations can be exported to S3

16.14 Billing and Costing Tools

  • Estimating costs in the cloud:
    • Pricing Calculator
  • Tracking costs in the cloud:
    • Billing Dashboard
    • Cost Allocation Tags
    • Cost and Usage Reports
    • Cost Explorer
  • Monitoring against costs plans:
    • Billing Alarms
    • Budgets

1. Cost Allocation Tags 成本分配标签

  • Use cost allocation tags to track your AWS costs at a detailed level
  • AWS-generated tags
    • Automatically applied to the resources you create
    • Start with the prefix aws: (e.g. aws:createdBy)
  • User-defined tags
    • Defined by the user
    • Starts with Prefix user:

2. Tagging and Resource Groups

  • Tags are used for organizing resources:
    • EC2: instances, images, load balancers, security groups…
    • RDS, VPC resources, Route 53, IAM users, etc…
    • Resources created by CloudFormation are all tagged the same way
  • Free naming, common tags are: Name, Environment, Team …
  • Tags can be used to create Resource Groups
    • Create, maintain, and view a collection of resources that share common tags
    • Manage these tags using the Tag Editor

3. Cost Explorer

  • Visualize, understand, and manage your AWS costs and usage over time
  • Create custom reports that analyze cost and usage data.
  • Analyze your data at a high level: total costs and usage across all accounts
  • Or Monthly, hourly, resource level granularity
  • Choose an optimal Savings Plan (to lower prices on your bill)
  • Forecast usage up to 12 months ahead based on previous usage

4. Billing Alarms in CloudWatch

  • Billing data metric is stored in CloudWatch us-east-1
  • Billing data covers your overall worldwide AWS costs
  • It reflects actual cost, not projected cost
  • Intended as a simple alarm (not as powerful as AWS Budgets)

16.15 AWS Budgets

  • Create a budget and send alerts when costs (or usage) exceed it
  • 4 types of budgets: Cost, Usage, Reservation, Savings Plans
  • For Reserved Instances (RI)
    • Track utilization
    • Supports EC2, ElastiCache, RDS, Redshift
  • Up to 5 SNS notifications per budget
  • Can filter by: Service, Linked Account, Tag, Purchase Option, Instance Type, Region, Availability Zone, API Operation, etc…
  • Same options as AWS Cost Explorer!
  • 2 budgets are free, then $0.02/day/budget

16.16 Trusted Advisor

  • AWS Trusted Advisor is an online tool that gives you real-time guidance to provision your resources following AWS best practices: performance, security and fault tolerance, but also cost optimization and service limits
  • Nothing to install: a high-level assessment of your AWS account
  • Analyzes your AWS accounts and provides recommendations in 5 categories:
  • Cost optimization
  • Performance
  • Security
  • Fault tolerance
  • Service limits

16.17 AWS Support Plans Pricing

1. AWS Basic Support Plan

  • Customer Service & Communities - 24x7 access to customer service, documentation, whitepapers, and support forums.
  • AWS Trusted Advisor - Access to the 7 core Trusted Advisor checks and guidance to provision your resources following best practices to increase performance and improve security.
  • AWS Personal Health Dashboard - A personalized view of the health of AWS services, and alerts when your resources are impacted.

2. AWS Developer Support Plan

  • All Basic Support Plan +
  • Business hours email access to Cloud Support Associates
  • Unlimited cases / 1 primary contact
  • Case severity / response times:
    • General guidance: < 24 business hours
    • System impaired: < 12 business hours

3. AWS Business Support Plan (24/7)

  • Intended for production workloads
  • Trusted Advisor – Full set of checks + API access
  • 24x7 phone, email, and chat access to Cloud Support Engineers
  • Unlimited cases / unlimited contacts
  • Access to Infrastructure Event Management for additional fee.
  • Case severity / response times:
    • General guidance: < 24 business hours
    • System impaired: < 12 business hours
    • Production system impaired: < 4 hours
    • Production system down: < 1 hour

4. AWS Enterprise On-Ramp Support Plan (24/7)

  • Intended for production or business-critical workloads
  • All of Business Support Plan +
  • Access to a pool of Technical Account Managers (TAM)
  • Concierge Support Team (for billing and account best practices)
  • Infrastructure Event Management, Well-Architected & Operations Reviews
  • Case severity / response times:
    • Production system impaired: < 4 hours
    • Production system down: < 1 hour
    • Business-critical system down: < 30 minutes

5. AWS Enterprise Support Plan (24/7)

  • Intended for mission-critical workloads
  • All of Business Support Plan +
  • Access to a designated Technical Account Manager (TAM)
  • Concierge Support Team (for billing and account best practices)
  • Infrastructure Event Management, Well-Architected & Operations Reviews
  • Case severity / response times:
    • Production system impaired: < 4 hours
    • Production system down: < 1 hour
    • Business-critical system down: < 15 minutes

16.18 Account Best Practices – Summary

  • Operate multiple accounts using Organizations
  • Use SCP (service control policies) to restrict account power.
  • Service control policies (SCPs) are a type of organization policy that you can use to manage the maximum permissions available in your organization's accounts
  • Easily setup multiple accounts with best-practices with AWS Control Tower
  • Use Tags & Cost Allocation Tags for easy management & billing
  • IAM guidelines: MFA, least-privilege, password policy, password rotation
  • Config to record all resources configurations & compliance over time
  • CloudFormation to deploy stacks across accounts and regions
  • Trusted Advisor to get insights, Support Plan adapted to your needs
  • Send service logs and access logs to S3 or CloudWatch Logs
  • CloudTrail to record API calls made within your account
  • If your account is compromised: change the root password, delete and rotate all IAM passwords and access keys, review CloudTrail for activity you don't recognize and delete the resources it created, then contact AWS Support
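The "send CloudTrail to a central account" and "account compromised" points above only pay off if something reads those logs. The following is an added example, not part of the original notes: three detections run over CloudTrail records of the kind delivered to the central logging bucket. The five records are constructed for the demo (the account ID, IP addresses and event IDs are made up); the field names follow CloudTrail's record format, but the rule set is this example's own.

```python
"""Added example (not part of the original notes): three detections a security team
typically runs over CloudTrail records in the central logging account. The records
below are constructed for the demo; account ID, IPs and eventIDs are made up."""
import json

# Constructed CloudTrail records (subset of fields), in the JSON shape CloudTrail
# delivers to the central S3 bucket or CloudWatch Logs.
SAMPLE_EVENTS = json.loads(r'''[
  {"eventID": "evt-1", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
   "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "222222222222"},
   "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"},
   "sourceIPAddress": "198.51.100.10", "eventTime": "2024-01-01T08:00:00Z"},
  {"eventID": "evt-2", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
   "userIdentity": {"type": "Root", "arn": "arn:aws:iam::222222222222:root", "accountId": "222222222222"},
   "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"},
   "sourceIPAddress": "203.0.113.7", "eventTime": "2024-01-01T08:05:00Z"},
  {"eventID": "evt-3", "eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
   "userIdentity": {"type": "IAMUser", "userName": "bob", "accountId": "222222222222"},
   "requestParameters": {"name": "org-trail"},
   "sourceIPAddress": "203.0.113.7", "eventTime": "2024-01-01T08:06:00Z"},
  {"eventID": "evt-4", "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
   "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::222222222222:assumed-role/ReadOnly/ci", "accountId": "222222222222"},
   "sourceIPAddress": "198.51.100.10", "eventTime": "2024-01-01T08:07:00Z"},
  {"eventID": "evt-5", "eventName": "CreateAccessKey", "eventSource": "iam.amazonaws.com",
   "userIdentity": {"type": "Root", "arn": "arn:aws:iam::222222222222:root", "accountId": "222222222222"},
   "sourceIPAddress": "203.0.113.7", "eventTime": "2024-01-01T08:08:00Z"}
]''')

# CloudTrail API calls that weaken or disable the audit trail itself.
TAMPERING_CALLS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def detect_root_activity(event):
    """Any API call or sign-in made with root credentials: root cannot be restricted
    by IAM policies (only by SCPs, see 16.2), so every use deserves a look."""
    return event.get("userIdentity", {}).get("type") == "Root"


def detect_console_login_without_mfa(event):
    """Successful console sign-in where no MFA challenge was used."""
    return (event.get("eventName") == "ConsoleLogin"
            and event.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and event.get("additionalEventData", {}).get("MFAUsed") != "Yes")


def detect_cloudtrail_tampering(event):
    """Attempts to stop, delete or reconfigure a trail: a common first step after
    an account compromise, and exactly what a central, SCP-protected trail guards against."""
    return (event.get("eventSource") == "cloudtrail.amazonaws.com"
            and event.get("eventName") in TAMPERING_CALLS)


RULES = {
    "root_activity": detect_root_activity,
    "console_login_without_mfa": detect_console_login_without_mfa,
    "cloudtrail_tampering": detect_cloudtrail_tampering,
}


def scan_events(events):
    """Return (rule_name, eventID) pairs for every rule that fires on every event."""
    findings = []
    for event in events:
        for name, rule in RULES.items():
            if rule(event):
                findings.append((name, event["eventID"]))
    return findings


if __name__ == "__main__":
    for rule_name, event_id in scan_events(SAMPLE_EVENTS):
        print(f"{rule_name:28s} {event_id}")
```

Note that the same source IP appears on the root login without MFA, the StopLogging call and the new root access key; in a real investigation that correlation is what turns three alerts into one incident, and it is only possible because the trail lives in a separate account the attacker cannot switch off.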

16.19 Billing and Costing Tools – Summary

  • Compute Optimizer: recommends resources’ configurations to reduce cost
  • Pricing Calculator: cost of services on AWS
  • Billing Dashboard: high level overview + free tier dashboard
  • Cost Allocation Tags: tag resources to create detailed reports
  • Cost and Usage Reports: most comprehensive billing dataset
  • Cost Explorer: view current usage (detailed) and forecast usage
  • Billing Alarms: in us-east-1 – track overall and per-service billing
  • Budgets: more advanced – track usage, costs, RI, and get alerts
  • Savings Plans: easy way to save based on long-term usage of AWS

Section 17: Advanced Identity

17.1 AWS STS (Security Token Service)

  • Enables you to create temporary, limited-privilege credentials to access your AWS resources
  • Short-term credentials: you configure the expiration period
  • Use cases
    • Identity federation: manage user identities in an external system and give them STS tokens to access AWS resources
    • IAM roles for cross-account or same-account access
    • IAM roles for Amazon EC2: provide temporary credentials for EC2 instances to access AWS resources

17.2 Amazon Cognito

  • Identity for the users of your web and mobile applications (potentially millions)
  • Instead of creating them an IAM user, you create a user in Cognito

17.3 AWS Directory Services

  • AWS Managed Microsoft AD
    • Create your own AD in AWS, manage users locally, supports MFA
    • Establish “trust” relationships with your on-premises AD
  • AD Connector
    • Directory gateway (proxy) that redirects to your on-premises AD, supports MFA
    • Users are managed in the on-premises AD
  • Simple AD
    • AD-compatible managed directory on AWS
    • Cannot be joined with an on-premises AD

17.5 AWS IAM Identity Center

  • One login (single sign-on) for all your
    • AWS accounts in AWS Organizations
    • Business cloud applications (e.g., Salesforce, Box, Microsoft 365, …)
    • SAML2.0-enabled applications
    • EC2 Windows Instances
  • Identity providers
    • Built-in identity store in IAM Identity Center
    • 3rd party: Active Directory (AD), OneLogin, Okta…

17.6 Advanced Identity - Summary

  • IAM
    • Identity and Access Management inside your AWS account
    • For users that you trust and that belong to your company
  • Organizations – manage multiple AWS accounts
  • Security Token Service (STS) – temporary, limited-privilege credentials to access AWS resources
  • Cognito – create a database of users for your mobile & web applications
  • Directory Services – integrate Microsoft Active Directory in AWS
  • IAM Identity Center – one login for multiple AWS accounts & applications

Section 18: Other AWS Services

18.1 Amazon WorkSpaces

  • Managed Desktop as a Service (DaaS) solution to easily provision Windows or Linux desktops
  • Great for eliminating the management of on-premises VDI (Virtual Desktop Infrastructure)
  • Fast and quickly scalable to thousands of users
  • Secured data – integrates with KMS
  • Pay-as-you-go service with monthly or hourly rates

18.2 Amazon AppStream 2.0

  • Desktop Application Streaming Service
  • Deliver to any computer, without acquiring, provisioning infrastructure
  • The application is delivered from within a web browser.

Amazon AppStream 2.0 vs WorkSpaces

  • Workspaces
    • Fully managed VDI; a full desktop is available
    • Users connect to the VDI and open native applications or applications packaged with WAM (Amazon WorkSpaces Application Manager)
    • WorkSpaces are on-demand or always on
  • AppStream 2.0
    • Stream a desktop application to web browsers (no need to connect to a VDI)
    • Works with any device (that has a web browser)
    • Allow to configure an instance type per application type (CPU, RAM, GPU)

18.3 Amazon Sumerian

  • Create and run virtual reality (VR), augmented reality (AR), and 3D applications (AWS discontinued the service in February 2023)
  • Can be used to quickly create 3D models with animations
  • Ready-to-use templates and assets - no programming or 3D expertise required
  • Accessible via a web-browser URLs or on popular hardware for AR/VR

18.4 AWS IoT Core

  • IoT stands for “Internet of Things”: the network of internet-connected devices that are able to collect and transfer data
  • AWS IoT Core allows you to easily connect IoT devices to the AWS Cloud
  • Serverless, secure & scalable to billions of devices and trillions of messages
  • Your applications can communicate with your devices even when they aren’t connected
  • Integrates with a lot of AWS services (Lambda, S3, SageMaker, etc.)
  • Build IoT applications that gather, process, analyze, and act on data

18.5 Amazon Elastic Transcoder

  • Elastic Transcoder converts media files stored in S3 into the formats required by consumer playback devices (phones, etc.)
  • Benefits:
    • Easy to use
    • Highly scalable – can handle large volumes of media files and large file sizes
    • Cost effective – duration-based pricing model
    • Fully managed & secure, pay for what you use

18.6 AWS AppSync

  • Store and sync data across mobile and web apps in real time
  • Uses GraphQL (a query language for APIs, originally developed at Facebook)
  • Client Code can be generated automatically
  • Integrations with DynamoDB / Lambda
  • Real-time subscriptions
  • Offline data synchronization (replaces Cognito Sync)
  • Fine Grained Security
  • AWS Amplify can leverage AWS AppSync in the background!

18.7 AWS Amplify

  • A set of tools and services that helps you develop and deploy scalable full-stack web and mobile applications
  • Authentication, Storage, API (REST, GraphQL), CI/CD, PubSub, Analytics, AI/ML Predictions, Monitoring, Source Code from AWS, GitHub, etc…

18.8 AWS Device Farm

  • Fully managed service that tests your web and mobile apps against desktop browsers, real mobile devices, and tablets
  • Run tests concurrently on multiple devices (speed up execution)
  • Ability to configure device settings (GPS, language, Wi-Fi, Bluetooth, …)

18.9 AWS Backup

  • Fully managed service to centrally manage and automate backups across AWS services
  • On-demand and scheduled backups
  • Supports PITR (Point-in-time Recovery)
  • Retention Periods, Lifecycle Management, Backup Policies, …
  • Cross-Region Backup
  • Cross-Account Backup (using AWS Organizations)

18.10 Disaster Recovery Strategies

18.11 AWS Elastic Disaster Recovery (DRS)

  • Used to be named “CloudEndure Disaster Recovery”
  • Quickly and easily recover your physical, virtual, and cloud-based servers into AWS
  • Example: protect your most critical databases (including Oracle, MySQL, and SQL Server), enterprise apps (SAP), protect your data from ransomware attacks, …
  • Continuous block-level replication for your servers

18.12 AWS DataSync

  • Move large amounts of data from on-premises to AWS
  • Can synchronize to: Amazon S3 (any storage class, including Glacier), Amazon EFS, Amazon FSx
  • Replication tasks can be scheduled hourly, daily, weekly
  • The replication tasks are incremental after the first full load.

18.13 AWS Application Migration Service (MGN)

  • The “AWS evolution” of CloudEndure Migration, replacing AWS Server Migration Service (SMS)
  • Lift-and-shift (rehost) solution that simplifies migrating applications to AWS
  • Converts your physical, virtual, and cloud-based servers to run natively on AWS
  • Supports wide range of platforms, Operating Systems, and databases
  • Minimal downtime, reduced costs

18.14 AWS Fault Injection Simulator (FIS)

  • A fully managed service for running fault injection experiments on AWS workloads
  • Based on chaos engineering: stress an application by creating disruptive events (e.g. a sudden increase in CPU or memory), observe how the system responds, and implement improvements
  • Helps you uncover hidden bugs and performance bottlenecks
  • Supports the following AWS services: EC2, ECS, EKS, RDS…
  • Use pre-built templates that generate the desired disruptions

18.15 AWS Step Functions

  • Build serverless visual workflows to orchestrate your Lambda functions
  • Features: sequence, parallel, conditions, timeouts, error handling, …
  • Can integrate with EC2, ECS, on-premises servers, API Gateway, SQS queues, etc.
  • Possibility of implementing a human approval step
  • Use cases: order fulfillment, data processing, web applications, any workflow

18.16 AWS Ground Station

  • Fully managed service that lets you control satellite communications, process data, and scale your satellite operations
  • Provides a global network of satellite ground stations near AWS regions
  • Allows you to download satellite data into your AWS VPC within seconds
  • Send satellite data to S3 or EC2 instance
  • Use cases: weather forecasting, surface imaging, communications, video broadcasts

18.17 Amazon Pinpoint

  • Scalable 2-way (outbound/inbound) marketing communications service
  • Supports email, SMS, push, voice, and in-app messaging
  • Ability to segment and personalize messages with the right content for customers
  • Possibility to receive replies
  • Scales to billions of messages per day
  • Use cases: run campaigns by sending marketing, bulk, or transactional SMS messages
  • Versus Amazon SNS or Amazon SES
    • In SNS & SES you manage each message's audience, content, and delivery schedule
    • In Amazon Pinpoint, you create message templates, delivery schedules, highly targeted segments, and full campaigns

Section 19: AWS Architecting & Ecosystem

19.1 AWS Cloud Best Practices – Design Principles

  • Scalability: vertical & horizontal
  • Disposable Resources: servers should be disposable & easily configured
  • Automation: Serverless, Infrastructure as Code, Auto Scaling…
  • Loose Coupling:
    • Monolith are applications that do more and more over time, become bigger
    • Break it down into smaller, loosely coupled components
    • A change or a failure in one component should not cascade to other components
  • Services, not Servers:
    • Don’t use just EC2
    • Use managed services, databases, serverless, etc !

19.2 Well-Architected Framework: 6 Pillars

    1. Operational Excellence
    2. Security
    3. Reliability
    4. Performance Efficiency
    5. Cost Optimization
    6. Sustainability
  • They are not something to balance or trade off against each other; they work in synergy

19.3 Operational Excellence

  • Includes the ability to run and monitor systems to deliver business value and to continually improve supporting processes and procedures
  • Design Principles
    • Perform operations as code - Infrastructure as Code
    • Annotate documentation - Automate the creation of annotated documentation after every build
    • Make frequent, small, reversible changes - So that in case of any failure, you can reverse it
    • Refine operations procedures frequently - And ensure that team members are familiar with it
    • Anticipate failure
    • Learn from all operational failures

19.4 Security

  • Includes the ability to protect information, systems, and assets while delivering business value through risk assessments and mitigation strategies
  • Design Principles
    • Implement a strong identity foundation - Centralize privilege management and reduce (or even eliminate) reliance on long-term credentials - Principle of least privilege - IAM
    • Enable traceability - Integrate logs and metrics with systems to automatically respond and take action
    • Apply security at all layers - Like edge network, VPC, subnet, load balancer, every instance, operating system, and application
    • Automate security best practices
    • Protect data in transit and at rest - Encryption, tokenization, and access control
    • Keep people away from data - Reduce or eliminate the need for direct access or manual processing of data
    • Prepare for security events - Run incident response simulations and use tools with automation to increase your speed of detection, investigation, and recovery
    • Shared Responsibility Model

19.5 Reliability

  • Ability of a system to recover from infrastructure or service disruptions, dynamically acquire computing resources to meet demand, and mitigate disruptions such as misconfigurations or transient network issues
  • Design Principles
    • Test recovery procedures - Use automation to simulate different failures or to recreate scenarios that led to failures before
    • Automatically recover from failure - Anticipate and remediate failures before they occur
    • Scale horizontally to increase aggregate system availability - Distribute requests across multiple, smaller resources to ensure that they don't share a common point of failure
    • Stop guessing capacity - Maintain the optimal level to satisfy demand without over or under provisioning - Use Auto Scaling
    • Manage change in automation - Use automation to make changes to infrastructure

19.6 Performance Efficiency

  • Includes the ability to use computing resources efficiently to meet system requirements, and to maintain that efficiency as demand changes and technologies evolve
  • Design Principles
    • Democratize advanced technologies - Advance technologies become services and hence you can focus more on product development
    • Go global in minutes - Easy deployment in multiple regions
    • Use serverless architectures - Avoid burden of managing servers
    • Experiment more often - Easy to carry out comparative testing
    • Mechanical sympathy - Understand how the cloud services you use work and pick the technology approach that best fits your workload

19.7 Cost Optimization

  • Includes the ability to run systems to deliver business value at the lowest price point
  • Design Principles
    • Adopt a consumption model - Pay only for what you use
    • Measure overall efficiency - Use CloudWatch
    • Stop spending money on data center operations - AWS does the infrastructure part and enables customers to focus on their own projects
    • Analyze and attribute expenditure - Accurate identification of system usage and costs helps measure return on investment (ROI) - Make sure to use tags
    • Use managed and application level services to reduce cost of ownership - As managed services operate at cloud scale, they can offer a lower cost per transaction or service

19.8 Sustainability

  • The sustainability pillar focuses on minimizing the environmental impact of running cloud workloads
  • Design Principles
    • Understand your impact – establish performance indicators, evaluate improvements
    • Establish sustainability goals – Set long-term goals for each workload, model return on investment (ROI)
    • Maximize utilization – Right size each workload to maximize the energy efficiency of the underlying hardware and minimize idle resources.
    • Anticipate and adopt new, more efficient hardware and software offerings – and design for flexibility to adopt new technologies over time.
    • Use managed services – Shared services reduce the amount of infrastructure; managed services help automate sustainability best practices such as moving infrequently accessed data to cold storage and adjusting compute capacity
    • Reduce the downstream impact of your cloud workloads – Reduce the amount of energy or resources required to use your services and reduce the need for your customers to upgrade their devices

19.9 AWS Right Sizing

  • EC2 has many instance types, but choosing the most powerful instance type isn’t the best choice, because the cloud is elastic
  • Right sizing is the process of matching instance types and sizes to your workload's performance and capacity requirements at the lowest possible cost
  • Scaling up is easy so always start small
  • It’s also the process of looking at deployed instances and identifying opportunities to eliminate or downsize without compromising capacity or other requirements, which results in lower costs
  • It’s important to Right Size…
    • before a Cloud Migration
    • continuously after the cloud onboarding process (requirements change over time)
  • CloudWatch, Cost Explorer, Trusted Advisor, 3rd party tools can help

19.10 AWS IQ

  • Quickly find professional help for your AWS projects
  • Engage and pay AWS Certified 3rd party experts for on-demand project work
  • Video-conferencing, contract management, secure collaboration, integrated billing

19.11 AWS Professional Services & Partner Network

  • The AWS Professional Services organization is a global team of experts
  • They work alongside your team and a chosen member of the APN
  • APN = AWS Partner Network
  • APN Technology Partners: provide hardware, connectivity, and software
  • APN Consulting Partners: professional services firms that help you build on AWS
  • APN Training Partners: find who can help you learn AWS
  • AWS Competency Program: AWS Competencies are granted to APN Partners who have demonstrated technical proficiency and proven customer success in specialized solution areas
  • AWS Navigate Program: helps Partners become better Partners