Principal: A person or application that can make an authenticated or anonymous request to perform an action on a system
Authentication: The process of authenticating a principal against an identity. This could be via username and password or API keys.
Identity: Objects that require authentication and are authorized to access resources
Authorization: The process of checking and allowing or denying access to a resource for an identity
Customer: Responsible for security IN the cloud. Customer Data, Platform, Applications, Identity and Access Management, Operating Systems, Network and Firewall Configuration, Encryption (at Rest and in Transit), Network Protection
AWS: Responsible for security OF the cloud. Software, Compute, Storage, Database, Network, Hardware/AWS Global Infrastructure, Regions, Availability Zones, Edge Locations
Service models define how a service or product is delivered, how we pay and what we receive. They also define which part of the product we manage and accept the risks for, as well as which part the vendor is responsible for.
Data-->Applications-->Code Runtime-->Operating System (OS)-->Virtualization-->Host/Servers-->Network and Storage-->Data Center
IaaS: Infrastructure as a Service: Data-->Applications-->Code Runtime-->Operating System managed by the Customer. For example: AWS EC2 instances, Microsoft Exchange
PaaS: Platform as a Service: Data-->Applications managed by the Customer. For example: AWS Kubernetes
SaaS: Software as a Service: Data is managed by the Customer. For example: Netflix, Office 365, Gmail
FaaS: Function as a Service: Data-->partial Application managed by the Customer. For example: AWS Lambda
High Availability: Hardware, software and configuration allowing a system to recover quickly in the event of a failure. It does not prevent the failure.
Fault Tolerance: A system designed to operate through a failure with no user impact. More expensive and complex to achieve. For example, using an ELB to divert traffic from a faulty instance to a working one.
Recovery Point Objective (RPO): How much data a business can tolerate losing, expressed in time: the maximum acceptable time between the last successful backup and a failure.
Recovery Time Objective (RTO): The maximum amount of time a system can be down; how long a solution takes to recover.
Vertical Scaling is achieved by adding additional resources, in the form of CPU or memory, to an existing machine. By doing so, the machine is able to service additional customers or perform compute tasks quicker. Eventually, the maximum machine size will constrain our ability to scale - either technically or from a cost perspective.
Horizontal Scaling is achieved by adding additional machines into a pool of resources, each of which provides the same service. Horizontal scaling suffers none of the size limitations of vertical scaling and can scale to nearly infinite levels, but it requires application support to scale effectively.
Architecturally, applications consist of three tiers:
The presentation tier interacts with the consumer of the application
The logic tier delivers the application functionality
The data tier controls interaction with a database of some kind
If these tiers are implemented in the same code base and not separated, we refer to it as a monolithic application. A monolithic application is hard to scale and generally can only be scaled vertically.
On the other hand, applications, if designed correctly, implement the tiers as isolated components. Architecturally, these can be provisioned on separate machines or pools of machines. As each tier has differing demands on CPU, memory and disk I/O, this allows each tier's performance to be managed independently.
Encryption is the process of taking plaintext and converting it into ciphertext; decryption converts the ciphertext back into plaintext. Plaintext and ciphertext can be text, images or any other form of data.
Encryption generally uses an algorithm and one or more keys. It is commonly used to protect data at rest or in transit.
The process can be symmetrical (where the same key is used for encryption and decryption) or asymmetrical (where different keys - called public and private keys - are used).
Demo of Symmetrical Encryption:
Start a Linux instance and log into it.
echo "cats are amazing" > message.txt
gpg -c message.txt (press ENTER and input a passphrase)
ls -la
gpg caches the passphrase, so we clear the gpg cache to simulate having given the file (message.txt.gpg) and the passphrase to another user, who then decrypts the file.
echo RELOADAGENT | gpg-connect-agent
gpg -o output.txt message.txt.gpg (press ENTER and input the passphrase)
ls -la
cat output.txt
Demo of Asymmetrical Encryption:
rm message.txt.gpg (remove file message.txt.gpg)
rm output.txt (remove file output.txt)
gpg --gen-key (press ENTER and input 1 for the default encryption selection, press ENTER to accept the default key size, press ENTER to accept the default expiry, input y to confirm and press ENTER, input a Real name ('userid') and press ENTER, input an Email Address and press ENTER, input o to confirm and press ENTER, input a passphrase and press ENTER)
The public and private keys are now generated. Next, export the public component of the key pair.
gpg --armor --output pubkey.txt --export 'userid' (press ENTER)
cat pubkey.txt
Back up the private key:
gpg --armor --output privkey.asc --export-secret-keys 'userid'
Now encrypt the message.txt file using the public key just exported:
gpg --encrypt --recipient 'userid' message.txt
Now decrypt the message.txt.gpg file using the private key just backed up:
gpg --output afterdecryption.txt --decrypt message.txt.gpg (press ENTER and input the passphrase entered earlier)
ls -la
cat afterdecryption.txt
Cost-effective: Implementing a solution within AWS using products or product features that provide the required service for as little initial and ongoing cost as possible. Using our funds effectively and knowing whether product X is better or worse than product Y for a given solution.
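The symmetric and asymmetric gpg demos above, as an added example that is not part of the original notes, rewritten as a non-interactive script that runs in a throwaway keyring so it can be repeated safely. It assumes GnuPG 2.1 or later (for --quick-gen-key and loopback pinentry); the identity 'userid <userid@example.invalid>', the passphrase and the temporary GNUPGHOME are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original notes: the symmetric and asymmetric
# gpg demos above, run non-interactively in a throwaway keyring.
# Assumes GnuPG 2.1+ (for --quick-gen-key and --pinentry-mode loopback).
set -eu

# Isolated keyring so the demo never touches ~/.gnupg; removed on exit.
GNUPGHOME=$(mktemp -d)
export GNUPGHOME
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"' EXIT

# --batch suppresses prompts; loopback pinentry lets --passphrase supply the
# passphrase on the command line. Acceptable for a demo, not for real keys.
GPG="gpg --batch --quiet --pinentry-mode loopback"

# Symmetric: the same passphrase encrypts (gpg -c) and decrypts.
# $1 = plaintext, $2 = passphrase. Prints the decrypted text.
symmetric_roundtrip() {
  d=$(mktemp -d)
  printf '%s' "$1" > "$d/message.txt"
  $GPG --passphrase "$2" --symmetric --output "$d/message.txt.gpg" "$d/message.txt"
  # The passphrase is passed explicitly on every call, so nothing relies on
  # the agent cache that the RELOADAGENT step in the notes clears.
  $GPG --passphrase "$2" --decrypt --output "$d/output.txt" "$d/message.txt.gpg"
  cat "$d/output.txt"
  rm -rf "$d"
}

# Asymmetric: encrypt to a public key, decrypt with the matching private key.
# $1 = plaintext, $2 = passphrase protecting the private key.
asymmetric_roundtrip() {
  d=$(mktemp -d)
  printf '%s' "$1" > "$d/message.txt"
  # Constructed identity 'userid'; default algorithm, default usage, no expiry.
  $GPG --passphrase "$2" --quick-gen-key "userid <userid@example.invalid>" default default 0
  # The public half is what you would hand to another party.
  $GPG --armor --output "$d/pubkey.txt" --export userid
  # Demo keyring, so skip the web-of-trust check when encrypting.
  $GPG --trust-model always --encrypt --recipient userid --output "$d/message.txt.gpg" "$d/message.txt"
  # Only the private key (unlocked by its passphrase) can recover the plaintext.
  $GPG --passphrase "$2" --decrypt --output "$d/afterdecryption.txt" "$d/message.txt.gpg"
  cat "$d/afterdecryption.txt"
  rm -rf "$d"
}
```

Both functions print the recovered plaintext, so a caller can compare it with the input to confirm the round trip.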
Secure: In a systems architecture context, implementing a given solution that secures data and operations as much as possible against internal or external attack.
Session state: Data that represents what a customer is doing, what they have chosen, or what they have configured. Examples include the items and quantities in a shopping cart, notes on an X-ray and the 3D position of a real-time heart scan. Session state can be stored on a server (stateful server) or external to a server (stateless server).
A part of an application, system or platform that is not specific to our business. Letting a vendor (AWS) handle this part frees our staff to work on adding direct value for our customers.
Next: AWS Architecture