AWS Well-Architected Framework (June 2018 version)

Good Design Principles

The Five Pillars of the Well-Architected Framework

  1. OPS: Operational Excellence
  2. SEC: Security
  3. REL: Reliability
  4. PERF: Performance Efficiency
  5. COST: Cost Optimization

1) OPS: Operational Excellence (Whitepaper)

Design Principles for Operational Excellence

3 Areas: 1) PREPARE

3 Areas: 2) OPERATE

3 Areas: 3) EVOLVE

Best Practices

Key Services

2) SEC: Security

Design principles for Security

Best Practices

Key AWS Services

  1. Identity and Access Management
  2. Detective Controls
    • AWS CloudTrail - records AWS API calls
    • AWS Config - inventory of AWS resources and config
    • AWS CloudWatch - monitoring and can trigger AWS CloudWatch Events
  3. Infrastructure Protection
    • Amazon VPC - lets you launch resources into an isolated virtual network
    • Amazon CloudFront - global CDN that securely delivers data, videos, applications, and APIs; integrates with AWS Shield for DDoS protection
    • AWS WAF - deploys onto CloudFront or an Application Load Balancer
  4. Data Protection
    • As an AWS customer you maintain full control over your data.
    • Encrypt your data and manage keys, including regular key rotation.
    • AWS ELB (Elastic Load Balancer)
    • AWS EBS (Elastic Block Store)
    • AWS S3 (Simple Storage Service)
    • AWS RDS (Relational Database Service)
    • Amazon Macie - automatically discovers, classifies and protects sensitive data
    • AWS KMS (Key Management Service) - makes it easy for you to create and control keys
  5. Incident Response
    • AWS CloudFormation - create a trusted environment or clean room for investigations
    • AWS CloudWatch - can trigger responses (including AWS Lambda)

3) REL: Reliability

Best Practices - Foundations, Change management, Failure management

4) PERF: Performance Efficiency

Design Principles for Performance Efficiency

Best Practices & Key AWS Services for Performance Efficiency

5) COST: Cost Optimization

Pillars for cost optimization & Key Services

  1. Cost-Effective Resources
  2. Matching supply and demand
  3. Expenditure Awareness
  4. Optimizing Over Time

Best Practices for Cost Optimization

Disaster Recovery Whitepaper (2014)
AWS Services for recovery

Cheat Sheet - AWS Services Summary

Original Source:

AWS Organizations

AWS Global Infrastructure (AWS Region, AZs, Edge locations)

AWS Services Region, AZ, Subnet VPC limitations

AWS Consolidated Billing

AWS Multiple Account Billing Strategy

Tags & Resource Groups

IDS/IPS: Strategies

IDS/IPS: DDoS Mitigation

Cheat Sheet - Security & Identity Services

Security & Identity Services: IAM

Security & Identity Services: IAM Role

IAM role scenarios

Security & Identity Services: IAM Best Practices

Security & Identity Services - CloudHSM

Cheat Sheet - Network Services

Network Services: AWS Directory Services

AWS Directory Services: Benefits

AWS Directory Services: Simple AD

AWS Directory Services: AD Connector

AWS Directory Services: Read-only Domain Controllers (RODCs)

AWS Directory Services: Writable Domain Controllers

Network Services: AWS WAF (Web Application Firewall)

Third Party WAF

Network Services: VPC (Virtual Private Cloud)

Network Services: VPC Components

Network Services: VPC NAT (Network Address Translation)

Network Services: VPC Route Tables

Network Services: VPC Subnets

Network Services: VPC ENI (Elastic Network Interface)

VPC Security Groups vs Network Access Control Lists

Security Groups                  Network ACLs
Stateful                         Stateless
Instance level                   Subnet level
Only ALLOW rules                 Both ALLOW and DENY rules
All rules evaluated as a whole   Evaluated in defined order (by rule number)
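To make the four differences in the table concrete, here is a small Python model of how each control decides a packet. It is an added example, not code from the page's source or from AWS: the rules, addresses and ports are constructed, and the model keeps only the properties the table names (stateful vs stateless, instance vs subnet scope, allow-only vs allow/deny, whole-set vs ordered evaluation). It also shows the practical consequence of the NACL being stateless: return traffic to the client's ephemeral port must be allowed explicitly, and a DENY numbered after a broader ALLOW is never reached.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    direction: str    # "in" = towards the instance, "out" = away from it
    proto: str        # "tcp" or "udp"
    peer_ip: str
    local_port: int   # port on the instance side
    peer_port: int    # port on the remote side

    def connection_key(self):
        # A request and its reply share the same key, whatever the direction.
        return (self.proto, self.peer_ip, self.local_port, self.peer_port)

    def reply(self):
        # The return packet: same endpoints, opposite direction.
        return Flow("out" if self.direction == "in" else "in", self.proto,
                    self.peer_ip, self.local_port, self.peer_port)


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    port_from: int
    port_to: int
    cidr: str
    action: str = "allow"   # NACLs may also say "deny"; security groups may not
    number: int = 0         # NACL rule number; decides evaluation order


def rule_matches(rule, flow):
    # Rules look at the destination port: the instance port for inbound traffic,
    # the remote port for outbound traffic.
    dst_port = flow.local_port if flow.direction == "in" else flow.peer_port
    return (rule.direction == flow.direction
            and rule.proto == flow.proto
            and rule.port_from <= dst_port <= rule.port_to
            and ipaddress.ip_address(flow.peer_ip) in ipaddress.ip_network(rule.cidr))


class SecurityGroup:
    """Instance level, stateful, allow rules only, all rules evaluated together."""

    def __init__(self, rules):
        if any(r.action != "allow" for r in rules):
            raise ValueError("security groups have no deny rules")
        self.rules = list(rules)
        self.tracked = set()   # connection-tracking table

    def evaluate(self, flow):
        if flow.connection_key() in self.tracked:
            return True        # reply to an allowed connection passes with no rule
        if any(rule_matches(r, flow) for r in self.rules):
            self.tracked.add(flow.connection_key())
            return True
        return False           # no matching allow rule: implicit deny


class NetworkAcl:
    """Subnet level, stateless, allow and deny rules, lowest rule number wins."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def evaluate(self, flow):
        for rule in self.rules:         # first match in numeric order decides
            if rule_matches(rule, flow):
                return rule.action == "allow"
        return False                    # the implicit final '*' deny entry


# Constructed scenario: an HTTPS server, one client, one blocked client range.
ANY = "0.0.0.0/0"
CLIENT_REQUEST = Flow("in", "tcp", "203.0.113.5", 443, 50000)
BLOCKED_REQUEST = Flow("in", "tcp", "198.51.100.7", 443, 50001)


def make_web_sg():
    # Inbound 443 from anywhere and no outbound rule at all; replies still flow.
    return SecurityGroup([Rule("in", "tcp", 443, 443, ANY)])


NACL_WITH_EPHEMERAL = NetworkAcl([
    Rule("in", "tcp", 443, 443, "198.51.100.0/24", action="deny", number=90),
    Rule("in", "tcp", 443, 443, ANY, number=100),
    Rule("out", "tcp", 1024, 65535, ANY, number=100),   # return traffic to client ports
])
NACL_WITHOUT_EPHEMERAL = NetworkAcl([
    Rule("in", "tcp", 443, 443, ANY, number=100),
    Rule("in", "tcp", 443, 443, "198.51.100.0/24", action="deny", number=110),  # shadowed by 100
])


def request_and_reply(sg, nacl, request):
    """Return (request allowed, reply allowed) with both controls applied."""
    # An inbound packet crosses the subnet NACL first, then the instance's SG.
    if not (nacl.evaluate(request) and sg.evaluate(request)):
        return False, False             # dropped, so no reply is ever generated
    reply = request.reply()
    # The reply leaves through the SG first, then the subnet NACL.
    return True, sg.evaluate(reply) and nacl.evaluate(reply)


if __name__ == "__main__":
    print(request_and_reply(make_web_sg(), NACL_WITH_EPHEMERAL, CLIENT_REQUEST))      # (True, True)
    print(request_and_reply(make_web_sg(), NACL_WITHOUT_EPHEMERAL, CLIENT_REQUEST))   # (True, False)
    print(request_and_reply(make_web_sg(), NACL_WITH_EPHEMERAL, BLOCKED_REQUEST))     # (False, False)
    print(request_and_reply(make_web_sg(), NACL_WITHOUT_EPHEMERAL, BLOCKED_REQUEST))  # (True, False)
```

The second result is the one that bites in practice: the security group, being stateful, lets the reply out even though it has no outbound rule, but the NACL without an outbound ephemeral-port entry drops it. The last result shows the ordering property: a DENY for the blocked range numbered 110 sits behind the ALLOW at 100 and is never evaluated.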

Network Services: VPC EIP (Elastic IPs)

Network Services: VPC Peering

Network Services: VPC Endpoints

Network Services: Direct Connect

Network Services: VPN

Direct Connect                        VPN (IPsec)
Expensive to set up and takes time    Cheap and immediate
Dedicated private connection          Over the Internet
Reduced data transfer rate            Internet data transfer cost
Consistent performance                Inherent Internet variability
Does not provide redundancy           Provides redundancy

Network Services: Route 53

Network Services: Route 53 Routing Policy

Cheat Sheet - Compute Services

Compute Services: EC2

Compute Services: EC2 Features

Compute Services: EC2 AMIs (Amazon Machine Images)

Compute Services: EC2 Purchasing Options

On-Demand Instances

Reserved Instances

  1. Applications with steady-state or predictable usage
  2. Applications that require reserved capacity
  3. Users able to make upfront payments to reduce their total computing cost even further

Buy when you know what you will need for the next 12+ months.

Spot Instances

Compute Services: EC2 Enhanced Networking

Compute Services: EC2 Placement Group

  1. A placement group is a logical grouping of instances within a single availability zone
  2. Using placement groups enables applications to participate in a low latency, 10 Gbps network
  3. Placement Groups are recommended for applications that benefit from low network latency, high network throughput, or both

Compute Services: Load Balancing and Auto Scaling

Compute Services: AWS ELB (Elastic Load Balancer)

Compute Services: Auto Scaling

Compute Services: EC2 Auto Scaling Groups

Compute Services: EC2 Load Balancer (Classic Load Balancing)

Compute Services: AWS EBS (Elastic Block Store)

Cheat Sheet - Storage Services

Storage Services: S3

S3 resources

S3 Bucket & Object Operations

S3 Multipart Uploads allows

S3 Versioning

S3 Storage tiers

               Standard        Standard IA     Reduced Redundancy   Glacier
Durability     99.999999999%   99.999999999%   99.99%               99.999999999%
Availability   99.99%          99.9%           99.99%

S3 Lifecycle Management Policies

S3 Data Consistency Model

S3 Security

S3 Best Practices

Storage Services: AWS Glacier

Storage Services: AWS CloudFront

CloudFront Security

Storage Services: AWS Import/Export

Cheat Sheet - Database Services

Amazon RDS (Relational Database Service) (features)

RDS Multi-zone Deployment

RDS Read Replicas

Amazon DynamoDB - NoSQL, key-value and document database

Database Services: ElastiCache

ElastiCache with Redis

ElastiCache with Memcached

ElastiCache Redis vs Memcached

Database Services: Amazon Redshift

Cheat Sheet - Analytics Services

AWS Data Pipeline

Analytics Services: AWS EMR (Elastic MapReduce)

Analytics Services: Amazon Kinesis

Kinesis vs SQS

Cheat Sheet - Application Services

Amazon SQS (Simple Queue Service)

message sample allowing short and long polling

SQS Design Patterns

Amazon SNS (Simple Notification Service)

Amazon SWF

SWF Characteristics

Cheat Sheet - Management Tools

Amazon CloudFormation

CloudFormation Template

Elastic Beanstalk

Amazon CloudTrail

AWS Certified SysOps Admin - Associate

Monitoring - Demonstrate ability to monitor availability and performance

AWS Certified Developer – Associate

The AWS Certified Developer – Associate exam validates technical expertise in developing and maintaining applications on the AWS platform. Exam concepts you should understand for this exam include:

Suggested White Papers:

Review Concepts:

Compute: 4 services depending on what we want to do

Storage Databases:

AWS Certified Security - Specialty Certification

Linux Academy: lucid charts @adriancantrill linkedin

Whitepapers to Read

IAM - Identity & Access Management

ROOT Best Practices:

STS (Security Token Service) - short-term credentials that grant access to an AWS resource

CloudWatch Alarms

CloudWatch Events