I’m taking AWS training from Linux Academy along with some peers. These are my notes.

AWS Essentials

Our aim is AWS Certified Solutions Architect, but AWS Essentials is recommended as a first step, and our group is planning to discuss AWS Essentials at our first study meeting, so I’m starting with it. Well, I’m going back to it. As per my usual impatient self I watched the first couple of architect training videos before reviewing our study schedule.


I guess it’s good I went back to Essentials as IAM is one thing I didn’t really understand yet. I’ve been using my root account for my early projects which I know is wrong, but now I’m getting training on it.

  • Users and groups are obvious enough to me
    • Then again, I did learn that a user can have password and/or API key access. My existing users are API-key-only, and I haven’t signed in with a non-root user with a password yet (now I have!).
  • Policies are what I might call ACLs, and they can be applied to users, groups or roles
    • It makes sense to use groups to manage policies
    • They cannot be applied to services; e.g. to allow an EC2 instance to access an S3 bucket you have to create a Role, give the Role the policy and–and I haven’t done this yet–assign the role to the instance / service
  • Roles are basically groups for AWS services as services like EC2 instances can’t be given policies directly
  • Password policy was new to me
  • How to enable multi-factor authentication was new to me


I’m pretty good with networking, so most of this was familiar.


  • From the training video it’s unclear if a subnet can span AZs. I would think not, but the diagram leads me to wonder.
    • In later lessons they make clear a subnet cannot span AZs
  • I didn’t see how S3 fits into the VPC or if it does at all.
  • More specifically: are AZs and VPCs only for EC2 instances? Or can/do other services go in them as well?
    • The diagram does show RDS inside the VPC when showing an analogy of AWS VPC vs Facebook paradigm


These sounds like items that might show up on a test. They seem kind of obvious but might not stick in my mind if I don’t note them.

  • Only one IGW at a time can be attached to a VPC
  • You can’t detach an IGW if an active AWS resource is in the VPC

Also, I’m a little curious about what’s involved in an IGW as so far it seems like an on/off feature switch without configurable properties. Oh, seeing that the next section is route tables, I’m guessing IGW is the anchor/container for the routing tables.

Routing tables

  • It’s possible to route to detached gateways which show up as “black hole” routing
  • Cannot delete route if it has dependencies (associated subnets)


Seems straightforward so far, but I recall having to add a rule to allow port 22 when I created EC2 instances, and I don’t see that rule or the need for it here. And more recently I added port 8080 to wherever that was which clearly isn’t the VPC NACL list.

  • Ah, the end of the lesson mentions other services may have additional security, such as EC2 Security Groups. That must have been where I added ports 22 and 8080 for my EC2 spot instances.
  • A subnet can only be associated with one NACL list
  • A new NACL has default DENY all permissions. These last two bullet points seem like possible test questions, otherwise they seem somewhat obvious


This lesson is bugging me. Their diagram shows two subnets–one private, one public–in each of two VPC AZs. The lesson example sets up the four default subnets as these VPC subnets, but that’s four AZs, and each public VPC AZ is using a different AZ as its private VPC AZ. This works logically but doesn’t increase HA/FT and arguably decreases it, and definitely increases latency between the subnet pair in each VPC AZ. Maybe I’m missing something that will be better explained later. Or maybe they’re keeping things simple for the lesson at hand; I’m probably much more network knowledgable than their average student.

  • Can a VPC span regions? I’m thinking “no”
  • For my own “Project Omega” I’m setting up a new VPC and having the public/private subnets in the same AZ. This is a lot more clicking and typing, and I’m thinking the lesson did what it did to remain simple at this point.


I scored 100% on both quizzes so far, although I thought some of the questions’ wording in the VPC quiz were a bit ambiguous, but apparently I took their meaning correctly.


I’ve been using S3 to host websites, so it and CloudFront are what I’m most familiar with so far.

Buckets and Objects

Some things that sound test-worthy, so I’m noting them:

  • S3 bucket names must be globally unique
  • Bucket names
    • Must be 3-63 characters
    • Only lower-case, numbers and hyphens
    • Must not be formated as IP addresses


  • Once versioning is enabled for a bucket, it can’t be fully disabled
  • Versioning can be suspended for new objects in the bucket, but all objects with versions maintain their old versions
  • Newly uploaded objects don’t base their storage class on the old object
  • Question (which will probbly be answered soon): do past versions of objects still follow the lifecycle policy based on their creation date?


100% ヽ(⌐■_■)ノ♪♬



  • EC2 root store doesn’t have to be EBS-based but is by far the most common.
  • EBS volume can optionally persists past life of EC2 instance
  • Can’t mount snapshots directly, but can create EBS copy of snapshot for use

Security Groups

  • Where NACLs used the first matching policy, Security Groups evaulate all rules with all associated Security Groups
  • Only ALLOW rules
  • DENY is default
  • default SG allows all outbound traffic, disallows all inbound
  • Newly created SGs have no rules thus deny all traffic
  • From my own account I see that creating a new VPC creates a new default SG for that VPC

IP Addressing

  • EC2 instances can have or not have public IP addresses by default as set in VPC subnet settings
  • I’m wondering if an Amazon Linux AMI can reach its package repos without a public IP. Sounds like “no”, but I want to check.
  • I notice the public IP address doesn’t appear to need an entry in the routing table or presumably NACL CIDR ranges, but that makes sense for a few reasons even though there must be some clever translation behind the scenes.


Fail! _|___|_ ╰(º o º╰)

Ok, I missed one question, and on another I failed to read that I was supposed to pick two answers.

100% the second time though, but not so impressive as they were the same 8 questions and they already showed me what I got wrong.

RDS and DynamoDB


  • RDS is SQL
    • Actually an instance of one of several engines
    • Pricing structure strikes me as reminiscent of EC2
  • DynamoDB is NoSQL
    • No alternate engines available, just DynamoDB
    • Pricing structure strikes me as reminiscent of S3

I heard mentions of “instance”s of RDS, but that terminology isn’t used for DynamoDB. And I’ve seen an RDS instance in a subnet in the Project Omega diagrams. So I’m getting the impression RDS is a managed instance somewhat obfuscated where DynamoDB is more of a service I’m using a piece of. But I’m sure these things will become clear as the course goes on.

Provision RDS MySQL

  • No UI built-in for DBs


100% Back in the saddle again


I’ve heard of this and have a vague idea that it’s a messaging service, but it is by far the least familiar topic to me so far.

TL;DR topic-pub-sub messaging with endpoints including email and text

Quiz 100%


  • It’s a load balancer that can do tcp or http balancing in the classic lb
  • App ELB not really covered in this lesson
  • ELB has a security group like EC2 instances do
  • I’m assuming the ELB has a public IP and am wondering if the balanced nodes need public IPs. I’ll be patient and learn either in later lessons or a later lab



Auto Scaling

Quiz: Fail. Oops, missed one by mixing up service names.

Route 53

It’s DNS. I know DNS. I’m playing the video at double speed and it’s still painfully slow.

Quiz: 100%


I’ve toyed with Lambda, and I understand what it is.


I still know what it is

Lambda Test

Ooh, useful info:

  • Triggers can include SNS and CloudWatch. I’ve only used events and HTTP triggers so far
  • Can run a function inside a VPC, but don’t have to (guessing it affects access to private IPs)
  • I had forgotten about the monitoring tab. It’s useful.



What to do next

I decided to watch the summary video, and it was actually useful to see the training and certification roadmaps laid out.

  • CompTIA has Cloud Essentials and Cloud+ . I might see about Cloud+ if it’s useful in the industry
  • Linux certification might be something I could certify easily since I’ve been using it 22 years, so if the cert is valued I might consider it
  • Linux Academy’s Lambda Deep Dive might be worth a look as cloud functions are of particular interest to me, and I haven’t done enough with them yet
  • Some of LA’s security or DevOps courses might be worth a quick skimming