This url talks about the COVID-19 pandemic, which is caused by SARS-CoV-2, began in Wuhan, China, in December 2019. It spread globally, leading to significant health, social, and economic impacts. The World Health Organization declared it a public health emergency in January 2020 and ended the declaration in May 2023. The pandemic resulted in millions of cases and deaths worldwide.

This article emphasizes the risks of acting inauthentically on social media, as showed by BethAnn McLaughlin's creation of a false Twitter persona. One important aspect is how this fake account was able to win people over and elicit sympathy, showing how simple it is to incite hatred and spread misleading information online. The importance of information confirmation and the difficulties platforms encounter in recognizing and fighting fraud are highlighted by this case. It serves as a potent reminder of both the potential harm caused by such deceptions and the moral duties associated with social media use.

Social media brands are getting noticed for their human-like personas on the internet. There are pros such as building engagement, however it also raises ethical questions about these brands using serious issues, such as depression, to grab their target audience. There is some fear that young adults with mental health issues or isolation are turning to brands to relate to or create connections with. It's often hard to tell if there are real people or just simple marketing tactics to create more sales off of emotional engagement.

He says it was truly his passion but it’s not- he’s just now imagining another narcissistic fantasy. :(

Lack of consistent “no’s” and boundaries lead to reinforcement of entitlement. “Maybe if I throw a fit it can get me what I want just like last time.” I also experienced inconsistent boundaries growing up and it definitely led me to believe if I could portray myself just right I could get my way.

There’s always a hint of the true self even in the most severe cases

Mirroring to gain narcissistic supply

Interests seem to have always been dictated by how he’ll be perceived. No hint of any passions so far, indicating that early disconnect from true self.

Beginning of an inability to understand that it’s social presentation that mostly gains someone popularity, assumes it must be the clothes or hair. Once again a lack of social guidance is indicated.

Idealization of the popular kids. I also developed this awareness around his age and responded similarly.

Feelings of repeated abandonment and betrayal with no way to escape it- dreading being trapped in abusive and unsafe household repeatedly with no ability to leave. Controlled at both households, lack of protection/safety from mother, losing control socially. Could eventually cause a shift from a BPD presentation focused on acceptance and approval to an NPD presentation focused on control and admiration.

We can already see an emerging pattern of Elliot not knowing how to assert himself socially to get a desired outcome and sulking or withdrawing rather than adjusting and developing his approach. Jealousy might tie to an early borderline presentation depending on the root of the jealousy and how centered it was on James’ approval.

Already we see his main interests in life being completely shaped by how he comes across and his status. Hours just for that reason is excessive and points to an overly strong obsession with presentation and an idea of what makes you superior versus inferior.

Once again Elliot had a hyper-fixation on how he comes across and starts to notice when others seem “superior.”

Even though Elliot Rodger describes his early childhood as ideal and there’s no obvious sign of pathology, something was likely brewing beneath the surface because of how sudden his pathology exploded in middle school. His obsessive focus on earning validation—like the “green card” for perfect behavior- and blaming others for failures already suggests an early reliance on external achievements to feel worthy. This fragile self seemed masked by how well he did in simple, structured environments where the rules were clear and social success was straightforward. He could ignore deeper insecurities because the systems around him allowed him to thrive. However, when the social dynamics of middle school demanded more complex identity formation, like charisma, confidence, and individuality- his pathology surfaced abruptly. This sudden shift suggests something early we may never know had already caused Elliot to form a false self. His problems were hidden until middle school because he could do well in his current environment, which didn’t call for much an identity to succeed in connecting to others. He could just play and keep friends. Notice how already his focus was always on fitting in and doing well socially.

these kinds of videos do occur in Chinese platforms. There was a video publisher called Li Ziqi (李子柒）posted videos about managing a little space and other kinds. But later she was challenged if her video and the contents was supported by a team, or the video was performed. She stops posting video soon after that. There are a lot of performed videos nowadays but most of them people can tell they're performing, some even like looking at performed video.

Welcome back and in this lesson I want to cover CloudFormation conditions.

Now these are a useful feature of CloudFormation which allows a stack to react to certain conditions and change infrastructure which is deployed or specific configuration of that infrastructure based on those conditions.

Now it's a simple feature but it provides a lot of flexibility for architects, developers or engineers.

So let's jump in and step through exactly how it works and what features it provides.

So CloudFormation conditions are declared within an optional section of the template, the conditions section.

Now you can define many conditions within the conditions section of the template and the end effect is that each condition is evaluated to be true or false.

And these are processed before logical resources which are defined within a template, a processed by CloudFormation and physical resources are created to mirror those logical resources.

So essentially the conditions section of a template is evaluated first and then based on those conditions any logical resources which use those conditions that influences what physical resources are created and how they're created.

So these conditions use other intrinsic functions so AND = IF NOT AND OR and it uses these intrinsic functions to evaluate one or more things and then the result of those functions determines whether the condition itself is true or false.

Any logical resources within a template can have a condition associated with them and the condition that's associated with them defines whether they're created or not.

So if a condition that's associated with a resource is true then that logical resource is created.

If a condition that's associated with a resource is false that resource is not created.

Now an example is you could have a parameter value on a template which accepted a number.

Let's say 1, 2 or 3 and then we could create three conditions within a template.

Let's say 1AZ, 2AZ or 3AZ and each of these conditions would use intrinsic functions to evaluate whether the parameter value was 1, 2 or 3.

Now we could have many duplicate sets of resources defined within the CloudFormation template and certain of those resources would only be created if 2AZ was true and certain resources would only be created if 3AZ were true.

We could also have conditions which react to the environment type parameter of a template.

So based on whether the template was prod or dev we could control the size of instances created by a CloudFormation stack.

So these are just two relatively common ways that conditions are used within a CloudFormation stack and a CloudFormation template.

Now let's take a look at how this looks visually and I'm going to step through a pretty simple example.

So we have three major component parts.

First we have a template parameter.

In this example, EnvType.

An EnvType can be dev or prod and it represents what the template is being used for.

So development activities or production usage.

Then also within the template we have a condition defined inside the conditions block of the template and this uses the equals intrinsic function to check if the value of the EnvType parameter is prod and if it is then this condition is prod is set to true.

Finally conditions are used within resources of the template.

In this case the word pressed to myEIP and myEIP2 resources they all reference this condition.

And just before anyone provides feedback for anyone with a really keen eye these templates are not complete.

So let's just refer to them as pseudo CloudFormation.

They're cut down to only show what matters for this lesson.

The flow through this architecture would start with our developer Bob who would decide on a value of dev or prod for the EnvType parameter when applying it.

So this would set that parameter value.

Now the template as I've just mentioned has the conditions block which is evaluated first by CloudFormation before even considering the resources.

So this evaluates to true or false.

If the EnvType parameter in the template is prod then this condition evaluates to true otherwise it's false.

Now the next stage is that the processing of the resources within the stack begins when processing the resources for any resources which use the isProd condition they're only created if the condition that they reference is true.

So in this example if the isProd condition is false then only the wordpress resource is created.

Because all of the other three have the condition which if it's false will cause those resources not to be created.

Now if the isProd condition was true then wordpress2 would also be created so we'd have two EC2 instances and each of those would also be allocated with an elastic IP.

So myEIP and myEIP2.

So just to reiterate this if a logical resource does not have a condition then it's created regardless.

If a logical resource does reference a condition then that logical resource is only used so a physical resource is only created if that condition evaluates to true.

If it evaluates to false then no physical resource is created for that corresponding logical resource.

Now when you step through the flow of using these conditions they aren't actually that difficult to understand.

You define a condition, you set it to true or false using one of the intrinsic functions and then you use that condition within resources in the template.

Now conditions can also be nested so you could have an isProd condition.

You could also have another condition such as createS3 bucket and if this was true it would create the S3 bucket.

And then you could have a condition which controls if a bucket policy is applied to the bucket and you could configure it so that that bucket policy would only be applied if a bucket is created and if that stack is a production stack.

So you can nest conditions together and make a condition that evaluates to true only if two other conditions also evaluate to true and this nesting is done by using these intrinsic functions.

Now I'll be showing you lots of different examples of conditions in my demos and advanced demos that you'll find through all of my courses.

So always make a habit as you do the demos to review the cloud formation templates which are used.

So seeing these through practical examples will help improve your understanding.

With that you'll be able to read templates and with more and more practice you'll find that writing them becomes much easier.

At this point though that's everything that I wanted to cover in this theory lesson about cloud formation conditions.

Thanks for watching.

Go ahead and complete this video and when you're ready I look forward to you joining me in the next.

Welcome back and in this video I want to talk about cloud formation outputs and outputs are optional within a template.

Many don't have them but they're useful in providing status information or showing how to access services which are created by a cloud formation stack.

Now this is going to be a really quick video so let's jump in and get started.

So the output section of a template is entirely optional.

You can implement perfectly valid cloud formation templates without using an output section but if you do decide to include an output section then you can create outputs within that section.

Essentially you can declare values inside this section which will be visible as outputs when using the CLI, they'll be visible as outputs when using the console UI and and this is a really important point they will be accessible from a parent stack when using nesting and these outputs can be exported allowing cross stack references.

Now outputs are not a complex topic and so I don't want to dwell too much on how they work because you'll be getting some practical experience in an upcoming demo video.

Visually though this is how it might look if you're declaring a simple output.

So in this example we're provisioning an EC2 instance which is running WordPress and this is an output within that template.

So what we're doing is defining an output called WordPress URL and then we're defining two key value pairs description and value.

So description is something which is visible from the CLI console UI and is passed back to the parent stack when nested stacks are being used.

So you can always access the description and it's best practice to provide a description which makes this useful to anyone who might not have seen the template.

Now the second part is the value and the value is important.

The value determines exactly what you want to be exposed by the cloud formation stack once the stack is in a create complete state.

So in this case what we're actually doing is creating a value by joining two other things together.

So we're using the join intrinsic function which I've covered in a different video and we're joining the literal string of HTTPS colon forward slash forward slash and the logical resource attribute of DNS name and this is how we can create a URL for accessing the service that's created by this cloud formation template.

So we're using the join function to generate a simple string from two different things from HTTPS colon slash slash which is a literal string and then the attribute of the instance which is created elsewhere in this template.

So the output will be HTTPS colon slash slash and then the DNS name of the instance and this will provide a method for anyone who's implementing this template to be able to access the service.

So that's everything I wanted to cover about cloud formation outputs.

They're not all that complicated you'll be getting some practical experience in using them in an upcoming demo video and when I talk about cross stack references you'll see how we can extend this by exporting a particular output or set of outputs but at this point I want to keep things simple and that's everything that you need to be aware of when it comes to cloud formation outputs.

So go ahead complete this video and when you're ready I look forward to you joining me in the next.

Welcome back and in this video I want to talk about CloudFormation mappings.

And in keeping with the theme from the last few videos, this is also a feature of CloudFormation which makes it easier to design portable templates.

Now this is going to be a fairly brief video so let's jump in and get started.

CloudFormation templates can contain a mappings object.

Remember at a top level a YAML or JSON template is just a collection of top-level key value pairs.

Now resources is one, parameters is one and now I'm introducing mappings as another.

The mappings object can contain many mapping logical resources and each of these maps keys to values allowing information lookup.

So you might use mappings to map the environment for example production to a particular database configuration or a specific SSH key.

Now these mappings can have one level of lookup so you can provide a key and get a value back or they can have top and second level keys.

Now a common example is a mapping of AMI IDs based on the top level key of region and the second level key of architecture.

Mappings use another intrinsic function which I haven't introduced yet called find in map and an example which I'll show next is the common use case which I just talked about using find in map to retrieve a given Amazon machine image ID for a particular region and a particular architecture.

Now at this point the key thing to remember about mappings is that they help you, you guessed it, improve template portability.

They let you store some data which can be used to influence how the template behaves for a given input.

So let's have a look at a simplified example visually on the next screen.

Now this is an example of one mapping which is called region map which is in the mappings part of a cloud formation template and this is an example of the find in map function that you will use to lookup data using the mapping.

Now to use a mapping it's actually pretty simple.

First we have to use this find in map function and we need to specify a number of pieces of information to this find in map function.

The first thing that we need to specify is the name of the mapping that we're going to use in this case region map.

So this allows the intrinsic function find in map to query a particular mapping in the mappings area of the cloud formation template.

Now the next part this is mandatory we always need to provide at least one top level key.

In this case we need to provide an item that we will use to lookup information from the mapping.

Now in this case we're using a pseudo parameter.

A WS double colon region will always resolve to the region that this template is being applied in to create a stack.

So in this case let's assume that it's US - East - 1.

Now the mapping to use and this top level key are the only mandatory parts of find in map and if we only provided these two then it would retrieve the entire object below US - East - 1 on this example.

But in this case we're going to provide a second level key, HVM 64.

And if we provide this as well it will perform a second level of lookup.

Meaning in this case we will retrieve the AMI ID for US - East - 1 using the HVM 64 architecture.

So this is a simple example but it's a fairly common scenario where you use the mappings area of a template to store an AMI lookup table that you can use to retrieve a particular suitable AMI for a given AWS region and a given architecture.

Now you could change this, you could use a particular AMI for a particular region and a particular application or a particular environment type.

But you can perform one or two level lookups using find in map.

Now again in a future video you're going to get the chance to experience this yourself in a demo video but for now I just wanted to introduce the theory, the architecture behind mappings.

So that's everything I wanted to cover in this video so go ahead, complete the video and when you're ready I look forward to you joining me in the next.

Here, Elizabeth takes on a protective role, much like Victor’s own intentions throughout the novel, where he seeks to shield his family from the monster he created. This act by Elizabeth highlights her proactive nature and care for her family, reflecting the broader themes of responsibility and the consequences of one’s actions that permeate the story.

the creature reflects on the initial confusion and overwhelming nature of his earliest experiences. This sets the tone for his narrative, emphasizing his artificial "birth" into the world as a fully formed but mentally infantile being. The sentence highlights his unique struggle with identity and existence, marking the beginning of his journey towards self-awareness and understanding, which are central to the novel's exploration of what it means to be human and the ethical implications of creating life.

The creature reflects on his cautious admiration of the De Lacey family, highlighting his isolation and yearning for companionship. This moment is critical as it underscores his innate desire for social connection and acceptance, which starkly contrasts with the harsh rejection he faces from society, thus deepening the novel’s exploration of themes such as alienation and the innate need for belonging. This introspection sets the stage for his further observations and the development of his understanding of human dynamics, which are pivotal for his character evolution and the tragic choices he makes later in the narrative.

This aentence reflects the foundational aspects of Victor and Elizabeth's relationship, emphasizing that their differing personalities enhance their bond rather than create conflict, showcasing an idealized view of complementarity in relationships. This theme is recurrent in Victor's narrative, presenting early instances of idealism that contrast sharply with the darker realities he later confronts, thereby setting up the novel's exploration of the conflict between idealism and reality.

The passage illustrates Victor's idealization of Elizabeth, portraying her almost as a divine figure. This characterization sets a high standard of purity and grace, foreshadowing the stark contrast between the innocence and beauty attributed to Elizabeth and the subsequent perception of monstrosity and rejection faced by Victor's creation. This difference underscores themes of acceptance and prejudice that are central to the novel.

The speaker reflects on their youthful dreams and ambitions, contrasting their initial desire for a seafaring life with a later fascination for poetry. Reading great poets inspired them profoundly, elevating their spirit and igniting their own creative aspirations. They describe their brief foray into poetry as a blissful, almost divine experience, imagining themselves achieving literary greatness alongside figures like Homer and Shakespeare.

The speaker conveys an overwhelming sense of ambition and curiosity, driven by the desire to explore uncharted territories and make groundbreaking discoveries. They express excitement about observing celestial phenomena and the possibility of walking on land untouched by humans. This adventurous spirit overrides any fear of danger or death, likened to the carefree joy of a child on a playful expedition. The speaker justifies their voyage by emphasizing its potential benefits for humanity, such as discovering a polar passage to reduce travel time or unlocking the mysteries of the magnet.

The speaker rejects conventional views of the Arctic as a desolate, icy wasteland, instead envisioning it as a land of beauty, light, and wonder. They describe the sun as eternally visible and the environment as calm and serene, free from frost and snow. With a blend of imagination and trust in earlier explorers, the speaker portrays the Arctic as a paradise of unparalleled natural phenomena, filled with the promise of extraordinary discoveries. This romanticized vision highlights themes of ambition, the sublime, and the tension between imagination and reality.

Victor Frankenstein is found

Walton's desire for a friend.

Walton describes his ambition and reasons for his expedition

In this line, Victor describes the feeling of being stuck after all the intense emotions he's gone through. The "dead calmness" he talks about is a state of numbness, where he's no longer hopeful or afraid, just empty.

Welcome back and in this video I want to cover CloudFormation intrinsic functions.

Up until this point everything that you've defined within a CloudFormation template has either been static or accepted using parameters.

While intrinsic functions allow you to gain access to data at runtime, your template can take actions based on how things are when the template is being used to create a stack and that's really powerful.

In this lesson I want to cover the theory of intrinsic functions but don't worry you'll be getting the chance to use them practically in an upcoming demo video so let's jump in and get started.

Now I want to quickly step through the functions that we're going to be looking at over the remaining videos of this CloudFormation series and then we can look at some of them visually and technically step through how they work.

So first we're going to be looking at the ref and get attribute function or get at and these both allow you to reference a value from one logical resource or parameter in another one.

If you create a VPC in a template and you want to make sure that another resource such as a subnet goes inside that VPC then you can reference the VPC within other logical resources.

Next we've got join and split and these as the name suggests allow you to join strings together or split them up.

An example usage might be is if you create an EC2 instance which is given a public IP version for DNS name then you can use the join function to create a web URL that anyone can use to access that resource.

Next is get azs which can be used to get a list of availability zones for a given AWS region and the select function which allows you to select one element from that list and these two are commonly used together to pick an availability zone from the list of availability zones in one particular region.

Next are a set of conditional logic functions if and equals not and or and these can be used to provision resources based on conditional checks.

So for example if a certain parameter is set to prod then deploy big instances.

If it's dev then deploy smaller ones.

Next is base64 and sub.

Many parts of AWS accept input using base64 encoding.

For example if you're providing EC2 with some user data for automated builds then you need to provide this using base64.

So the base64 function accepts non-encoded text and its outputs base64 encoded text that you can then provide to that resource.

Sub allows you to substitute things within text based on runtime information.

So you might be passing build information into EC2 and you want to provide a value from the template parameters in which case sub can help you do that.

And then next we've got sider which lets you build sider blocks for networking.

It's a way to automatically configure the network ranges subnet used within a cloud formation template.

Now there are others such as import value, find in map and transform and I'll be covering these in dedicated videos later in this series.

Each one of these functions can be used in isolation or used together to implement some pretty advanced logic within templates.

Now let's take a look at how these work visually and technically and once again don't worry you will be getting the chance to use all of these practically in upcoming demo video.

Two of the most common intrinsic functions within cloud formation are ref and get at meaning get attribute.

It's important that you understand how these are used and the differences between the two.

So let's use this as an example.

A template with a logical resource which we're going to use to create a stack and this creates a physical resource in this case a t3.micro EC2 instance.

Now every parameter and logical resource within cloud formation has a main value which it returns so for example the main value returned by an EC2 instance is its physical resource ID.

The main value for a parameter logically enough is its value and the ref function can be used as the name suggests to reference this main value of a parameter or a logical resource.

Now if you look at the cloud formation simplified example at the bottom left you will see next to image ID we're referencing latest AMI ID which is a parameter and that's how we can use parameters with logical resources by referencing them.

We can also use ref with logical resources as I just described so when an EC2 instance is created once it reaches a create complete state then it makes available a range of data.

The primary value its physical ID can be accessed using the ref intrinsic function.

Now there are also secondary values depending on the type of resource that you're deploying and these can be accessed using the get at function.

With this function you provide the logical resource name and the name of an attribute and examples of this free EC2 might be the public IP address or the public DNS name of the instance.

Ref and get at are critical.

They're used in almost all cloud formation templates to access logical resource attributes, template parameters, pseudo parameters and much more.

They'll be the key to evolving the non-portable template that you created in the previous demo video through to being a portable template so it's really important that you understand how both of these work.

Next I want to talk about the get azs function and the select function.

Now these are often used together which is why I've included them on the same example.

Get azs is an environmental awareness function.

Let's say that we're deploying a template into US East 1 and let's assume this region has 6 azs, US East 1A, 1B, 1C, 1D, 1E and 1F.

Now if you wanted to launch an EC2 instance into one of these azs you would need to know its name.

Basically you would need to know a list of names for all of the valid azs in that region and then you would need to pick one.

Remember from the previous demo video we're trying to ensure that our templates are portable so hard coding, availability zone names is a bad practice.

What you can do is use the get azs function and with this you can either explicitly specify a region, you can use the region pseudo parameter or you can leave it blank and then it will use the region currently being used to create the stack.

What it will do is return a list of availability zones within that region.

There is a little nuance here though under normal circumstances it should return a list of all the azs in that region but what it actually does is to return a list of all azs within that region where the default VPC has subnets in that az.

Now normally these are one and the same but if you have a default VPC where you've deleted subnets then the list that you're going to get back is not going to have all available azs.

So if you don't have a default VPC or if you have the default VPC in its form where it does have subnets for all azs in that region then it will return a list of all available azs within that region.

But if you have a badly configured default VPC then you might get some inconsistent results.

But having this dynamic list of availability zones is really powerful because then you can use the select function to select a numbered one from that list.

Now select accepts a list and an index starting at zero which returns the first object in that list.

So it allows you to dynamically refer to azs in the current region without explicitly stating their identifiers which makes templates much more portable.

It's one part of ensuring that templates can be applied to all regions without having issues and it's something that you're going to get experience of very soon in the next demo video.

Now I'm going to start moving through the rest of these much faster because some of these intrinsic functions are much more situational and you're going to get experience of them as we move through this series of videos.

Next we have the join function and the split function.

Now split accepts a single string value and a delimiter pipe in this example and it outputs a list where each object in the list is part of the original split.

So in this example we provide split with a single string, ruffle pipe, truffles pipe, penny pipe, winky and we get as an output a list where each object in that list is one of those cat names which can be referenced individually.

Now join is the reverse of this.

You provide a delimiter and a list of values and the join function joins them together to make a string.

In this case we're creating a web URL for a WordPress EC2 instance by combining https// and the DNS name of the instance and note how that's obtained with the get at function which I've just covered.

Okay so moving on, next we have base64 and sub.

Now this is an example of user data which I'm going to be covering soon.

Essentially it's a script that you provide to instances which allow them to perform auto configuration.

Now this user data needs to be provided using base64 encoded text but as you can see this isn't the case.

It's simply using plain text.

The base64 function accepts normal text and it encodes it and then passes the output which is base64 into an instance which is the format that that instance needs.

So if you're operating with any AWS resources which require base64 then you can use this function, provide the function with some normal text and it will output the base64 encoded text that you need.

Now the substitute or sub function allows you to do replacements on variables.

So for example this is a variable.

This is the instance ID attribute of the instance logical resource.

By putting it in this format so dollar, curly bracket, variable name, close curly bracket the sub function will replace it with the actual runtime value, the instance ID.

Now there are some restrictions.

You can't do self references.

So in this case this user data could only reference the instance ID of another instance.

This example is actually an invalid one which I wanted to show you visually.

The formatting is correct but it actually shows a self reference.

How can we pass in an attribute of a physical instance before the physical instance is created?

So this is not valid but during an upcoming demo video I'm going to be covering how to use these effectively and you're going to get plenty of practical experience of using the sub function within your own cloud formation templates.

Now the format of using things in substitutions is either the left one for a parameter, the middle one for the primary value of a resource and this is like using the ref function and the right is the format for using attributes.

The logical resource name and then the attribute name and again don't worry you're going to get plenty of practical experience of using this in an upcoming demo video.

The last function I want to talk about is actually a really cool feature of cloud formation which makes networking much easier.

So when you're creating VPCs you have to provide a side arrange for the VPC to use.

Inside that side arrange you've historically had to manually assign rangers for the sub nets inside that VPC.

With this function you can use it to reference the side arrange in this example of a VPC.

You can tell it how many sub nets you want to allocate and then finally you can tell it the size of those sub nets and from that it will output a list of side arrangers which you can use within sub nets within a VPC and you can combine this with the select function to allocate those to sub nets individually.

So in both of these examples sub net one and sub net two what we're doing is we're using the side function, we're passing it the side arrange of the VPC, we're telling it we want 16 ranges in total and we're giving it the size for those ranges.

Both of them output a list of possible ranges to use and we're selecting the first one so index zero for sub net one and the second one so index one for sub net two.

And this is an example of how we can assign side arrangers to sub nets in a more automated way.

It assists again in making templates more portable by auto assigning things.

Now it does have its limitations, it's all based on the parent VPC side arrange and it can't allocate or unallocate ranges but luckily I'm going to show you some really cool techniques how you can fix that in later videos of this series.

Now at this point that's everything I wanted to cover, I wanted to quickly go through some common intrinsic functions that you might use while you're creating cloud formation templates.

Now very soon there's going to be another demo video where you're going to get some practical experience to all of the theoretical concepts that I've been talking about in this block of theory videos.

So don't worry we start with a theory, we make sure that you're entirely comfortable with that and then you'll get the opportunity to practice that in a demo video.

Now that's everything that I wanted to cover in this video so as always please go ahead and complete the video and when you're ready I'll look forward to you joining me in the next.

Welcome back and in this video I want to talk about template and pseudo parameters, two types of parameters which can be used within CloudFormation templates and which can influence logical resources within those templates.

Now we've got a lot to cover so let's jump in and get started.

Parameters both template and pseudo parameters allow input.

They let external sources provide input into CloudFormation.

For template parameters this means that the human or automated process can provide input via the console, CLI or API when a stack is created or updated.

An example of this might be the size of the instance or the environment that the template is for.

So for example dev, test or prod.

Now parameters are defined inside a template along with the resources and the values for those parameters can be referenced within logical resources also within that template which allows them to influence the physical resources and/or the configuration of those physical resources when a template is used with a stack to provision AWS resources.

For every parameter that you define in a template you can provide configuration for that specific parameter.

You can define defaults for it so if no value is explicitly provided then that default applies.

You can define allowed values so maybe a list of instance types which are valid for the template.

You can define restrictions such as the minimum and maximum length or even allowed patterns.

You can also define the parameter as using no echo which is useful for passwords where you don't want the input to be visible when it's being typed.

And then finally each parameter can have a type.

You have simple ones like string, number or list but you also have AWS specific ones which allow you to specify a VPC from a list or subnets from a list and some of these can be populated so from the console UI perspective they're interactive based on the region and the account that you're applying the template within.

Now you're going to be getting some practical experience of working with parameters in a future demo video.

For now I just want you to have a basic awareness.

Now visually parameter architecture looks like this.

Parameters start by being defined within a cloud formation template and let's use this as an example.

I've defined two parameters here so instance type which is a string and it has a default of t3.micro together with a set of three allowed values.

I've also provided a description which makes it easier to use from the console UI and then second we have instance AMI ID which is a normal string type parameter with no allowed values so this is simple free text.

Now this example is part of a wider template which includes an EC2 logical resource so if we load this into cloud formation via the console UI then this is what we might see a user interface presentation of those parameters.

At this stage we enter values or we accept the default values and we move through the process of creating the stack.

Conceptually this means that the template defines things based on the resources declared within it and the interactive values provided via the parameters so both of these are combined and are used to create the stack.

It means that the stack creates physical resources based both on the logical resources and the effect on them which the parameters have.

In this case based on the parameter values we would create an instance with one of three sizes and use a certain Amazon machine image.

Now most of this applies to both template and pseudo parameters.

The thing unique to template parameters is that the personal process provides the values into cloud formation either explicitly or by implicitly accepting the defaults.

Pseudo parameters can be treated in the same way but they're provided by AWS so let's have a look at that visually.

Now we start off with a familiar architecture a cloud formation template is used to create a cloud formation stack.

The template could be using the template parameters I've just been talking about.

You don't have to pick one type over the other.

Template and pseudo parameters can be used in a complementary way.

With pseudo parameters what happens is that AWS make available parameters which can be referenced and these exist even if you don't define them in the parameters section of the template.

So conceptually think of these as being injected by AWS into the template and stack.

Now an example of a pseudo parameter is AWS double colon region and the value of this parameter always matches whichever region a template is being applied in to create a stack.

In this example US - East - 1.

Other pseudo parameters include AWS double colon stack ID which matches the unique ID of the stack, AWS double colon stack name which matches the name on the stack and AWS double colon account ID which is populated with the account ID of the account that the stack is being created in.

So pseudo parameters think of them like template parameters but instead of being populated by a human or a process when creating the stack they're populated by AWS.

Now both types of parameters are useful in ensuring that a template is portable and can adjust based on input from the person or process creating the stack.

Static templates are much less flexible and this functionality goes a long way to removing the negative aspects of static templates.

From a best practice perspective you should aim to minimize the number of parameters which you have which require explicit input.

Now this means wherever possible using defaults and where possible getting values from AWS rather than whoever is implementing the stack.

In the videos which follow as well as learning more about the features of cloud formation which help with template portability you're going to get the chance to experiment with all of those features in some demos.

I'm introducing the theory first and then you'll get the chance to experience it yourself.

Now with that being said that's everything that I wanted to cover in this video so go ahead and complete the video and when you're ready I look forward to you joining me in the next.

Welcome back and in this video I want to cover two things which are at the core of CloudFormation as a product.

Physical resources and logical resources.

In covering both of those you're also going to be learning about templates and stacks.

So this will be a good video to cover the basics of CloudFormation.

Now we've got a lot to cover so let's jump in and get started.

CloudFormation begins with a template which is a document written in either YAML or JSON, both of which you should now have an awareness of.

And defined within a CloudFormation template are logical resources.

Think of logical resources as what you want to create but not how you want them created.

When using CloudFormation you focus on the what and let CloudFormation deal with the how.

CloudFormation templates can be used to create CloudFormation stacks.

And a template can be used to create one stack, a hundred stacks or twenty stacks in different regions.

The idea is that one template defines what resources you want.

And defining good templates means a template can be used many times in many accounts in many regions.

And we refer to that as a portable template.

The initial job of a stack is to create physical resources based on the logical resources defined within the template.

For every logical resource in a template when a stack is created a physical resource is also created.

If a stack's template is updated in some way and then the stack itself is updated the physical resources are also changed.

The stack keeps the logical and physical resources in sync.

If a stack is deleted then normally the physical resources are also deleted.

So think about CloudFormation as a product which looks at a template specifically the logical resources within a template.

And then it creates, modifies or deletes physical resources as required.

So visually it looks like this.

This is a CloudFormation template and this one has been written using YAML.

The template contains logical resources.

In this example instance is the name of the logical resource and this is the type.

So AWS double colon EC2 double colon instance.

Now logical resources are generally going to have properties which are used by CloudFormation when configuring the actual physical resources.

In this example this sets the Amazon machine image to use, the type of the instance and the SSH key pair to use when connecting to the instance.

So the collection of logical resources and other things which I'll be covering in future videos is called a CloudFormation template.

And this template can be used to create one or many CloudFormation stacks.

And a stack when created also creates physical resources based on the logical resources.

So this means because we've set the AMI to use in the template and the SSH key to use these will be used when creating the physical resource.

In this case an EC2 instance.

So this physical EC2 instance is a representation of the logical resource defined in the CloudFormation template.

Now the stack will also react to template changes to update or delete physical resources as required.

Once a logical resource defined inside the CloudFormation template moves into a create complete state, meaning that the physical resource has been created, then the logical resource can be referenced by other logical resources to retrieve various physical configuration elements or IDs.

For example in this case the physical machine ID of the EC2 instance.

So in summary logical resources are contained inside CloudFormation templates.

CloudFormation templates are used to create CloudFormation stacks and the stacks job is to create, update or delete physical resources based on what's contained in that template.

CloudFormation as a product aims to keep the two in sync, so physical and logical resources.

So when you use a template to create a stack, CloudFormation will scan the template and create a stack with logical resources inside and then create physical resources which match those logical resources.

If you update the template then you can use it to update that same stack.

When you do that the stack's logical resources will change, either new logical resources will be added or existing ones are updated or deleted and CloudFormation will perform the same actions on the physical resources.

So adding new ones, updating existing ones or removing physical resources entirely.

If you delete a stack its logical resources are also deleted which causes it to delete the matching physical resources.

CloudFormation is a really powerful tool which you'll be using extensively in the real world and this is the same whether you're a solutions architect, a developer or an engineer.

I use CloudFormation constantly in all of the AWS courses that I create and so by taking the courses you'll be gaining a lot of practical and theory understanding of how CloudFormation works.

Now if you're taking any of my courses with my CloudFormation mini deep dive then you'll be learning even more.

By talking about every important aspect of CloudFormation that's relevant for the course that you're taking as well as giving you plenty of practical examples.

CloudFormation lets you automate infrastructure.

Imagine that you host WordPress blogs.

You can use one template to create one, ten, a hundred or more deployments rather than having to create a hundred individual sites.

CloudFormation can also be used as part of change management.

You can store templates in source code repositories, add changes and get approval before applying them.

Or they can be used to just quickly spin up one-off deployments and if you're taking any of my AWS courses you'll be seeing that I'll be using CloudFormation extensively as part of any of the practical demo lessons in the course.

We'll be using templates to spin up any of the infrastructure that will support the demo lesson that you're going to be taking.

Now that's all of the theory that I wanted to cover about physical and logical resources within CloudFormation.

It is a fairly theoretical topic but you need to understand what a physical resource is, what a logical resource is and how the two relate together as far as they're used within CloudFormation.

Now at this point that's everything that I wanted you to cover in this video so go ahead and complete the video and when you're ready I'll look forward to you joining me in the next.

I really resonate with this line. It's useful because it reflects a reality experienced by many creatives, where we often feel hesitant to even start a project due to fear of failure, making mistakes and overly high standards. By demanding absolute perfection and not allowing room for mistakes, we deter our own growth and exploration as a creative person and remain stuck in the past. I am still trying to navigate through this myself, but have made progress.

I believe in this take because many people. Believe that creativity is something people are born with. You can't be creative in your own right. But that's false creativity is the target and achieved anyone can do it.

I feel like this type of abstraction process has been something that I personally have always used to generate ideas or even come up with designs i the past. This level of abstraction is the reason to why I can create music the way I do and perform well in creative setting the way I do.

I think this point was pretty interesting. This reminds me of how in class, we talked about how when brainstorming ideas, we need to unfilter out our ideas and let them flow out, because if we filter out our ideas, we may lose out on interesting ideas that can contribute to the bigger picture of how we want the project to look like. Plus, taking a little bit and looking back at the idea later can also add interesting insights that make it useful as opposed to just saying it's a dumb idea and forgetting about it.

I actually really do agree with the notion that it is very hard to generate anything in a vacuum. I feel like nothing really does come from within, it really is up to the creator to be inspired or influenced by something to some level.

I think this is why non-STEM degrees are dying out. Anything that requires abstract thinking or creativity is looked down upon, ex: Humanities majors seen as "easy" or "not useful." I think that the skills used in these fields create a more well-rounded person and help foster innovation. In the context of informatics, I think that learning to brainstorm and generate ideas for designs and systems by understanding the broader social and ethical implications is important and can lead to more impactful solutions. Fostering this creativity through interdisciplinary learning provides a more comprehensive understanding of many challenges and how to approach them.

This is something I can really relate to as an artist and poet. Some of the best advice I have received on getting unstuck from a creative block is to just draw spirals. The action of putting pen to paper itself does something to inspire creativity. It feels less daunting when you begin to take up space on the page. I think this is a similar process with design. When you start noticing inspiration, you'll find there is no shortage of it. Writing down when you find that inspiration helps you build off of it and create even better ideas.

I think that this raises the question of what constitutes a "rich context." People may stay in their own bubble and not branch out, leading to ideas that are limited to their own environment and experiences. I think it should involve exposure to different perspectives, cultures, and settings. Additionally, maybe rich contexts can include platforms such as books, films, or online spaces that can serve as gateways.

It ties back to assumption 1: "Half of being creative is believing you can, because the ability is already in you." There is a great contradiction in learning to be creative, as creativity itself is boundary-breaking, undisciplined thinking. Alongside the self-confidence talk of believing that you can do it, the mindset below is very help: How do we break things so we can make it better? How can we capture things/potential for improvement that were so obvious yet overlooked? Maybe thinking and behaving like a curious beginner is the answer.

This part of the reading is interesting because it shows how personal experience can drive creativity. I agree that students, having sat through countless lectures, are in a great position to suggest meaningful improvements. It’s a good reminder that our frustrations and experiences can lead to valuable ideas, even in areas we might not think we’re experts in.

It is clear to see here that the natives were the kind to give and Columbus had other underlying intentions with his time there, mentions of gold, and who possessed it. Of course, he mentions all the things that the natives gifted but overall, there was always an objective.

I notice here there are many goods the natives were able to trade with, much of that seemed valuable to them but maybe not as much to Columbus.

this is super interesting!

The potential of the genealogical approach to clearly and structuredly trace links graphically makes complicated social linkages easier to comprehend, which is what I find most fascinating about it. It's amazing how a tool as basic as circles, triangles, and lines can provide information about a society's underpinnings. This raises the question of how this approach may be modified to accommodate contemporary, varied family configurations like mixed or chosen families. It also speaks to my experience researching my family's history, where I was able to gain a deeper understanding of my ancestry by visualizing links.

Clifford Geertz's idea of "thick description" intrigued me as it emphasizes how ethnography shows the more profound significance of cultural activities. It caused me to consider how context affects comprehension, particularly when it comes to commonplace behaviors that could appear meaningless without justification. I'm curious in how anthropologists impartially strike a balance between etic (outer) and emic (insider) viewpoints. Is an emic perspective always filtered via the prism of the outsider's culture, or may they truly understand it? This speaks to my experience as a Punjabi Hindu, where appreciating ethnic customs and behaviors requires an awareness of context.

This approach is fascinating as it challenges anthropologists to bridge cultural divides while encouraging self-reflection among readers. It raises questions about how effectively this balance can be achieved—can anthropologists truly present a culture without unintentionally exoticizing or oversimplifying it? This method underscores the importance of meticulous writing and thorough interpretation to foster understanding without reinforcing stereotypes.

I can relate to the authors experience in Brazil. I grew up Vietnamese American which exposed me to two different cultures and experiences. Even now, my family always comments on my body and face as if it’s a normal topic of conversation. I hear comments about my weight, hair, complexion every day from my mom, specifically. Sometimes they can be harsh and rarely are they positive, but I’ve gotten used to it. I’ve always told myself just Vietnamese culture. American culture is very different. I learned that from a young age. I remember I made a comment on my classmates weight when I was in the third grade and I hurt his feelings and had to speak to the teacher after class. I didn’t fully understand then the impact my words had on him, but looking back, I realized the difference between what I’m used to at home and what is the cultural norm here in the states. I’ve had many other eye-opening experiences like this throughout the years. I understand now that there are different values and beliefs between the two cultures and I must learn to respect both.

It is very interesting to me that anthropologist describe a group of people as strange or having unusual features. These descriptions can be more in depth and list what type of actions or features that seem to be unusual to the cultural anthropologists. I think it is important when describing different cultures that it is necessary to be detailed and thorough with their descriptions of certain cultures or groups of individuals. I also thought that it was very interesting that the cultural anthropologists believed in cultural determinism because I have personally never heard or learned of it I though it was very intriguing to read about.

The fire is being given some human characteristics.

People can hear this in their heads.

This shows a schedule that Ray is trying to show a routine.

Noted from the previous line where it says "her who sees well everywhere," it makes sense she approached Juan Diego even if he tried to avoid her by going around the hill.

This shows the care that John has for his wife.

The way the speaker describes this person is very telling.

I enjoy the symbolism of this statement. You can really imagine what the speaker is talking about.

I find it interesting that the person who's point of view it is views themselves as a normal person.

I don't understand how the exponent for H20 is 0 and the exponent for (CH3)3CBr isn't also 0. How do you determine the m and n with out knowing the molarities?

My cooking/soup analogy!

Watching TV is somewhat a passive experience, and also engages less of the senses. Not just bodily (sight, smell, touch, hearing), but also how emotion, excitement, danger influences the perception of time and proximity to others. In a cypher, to watch is to displace. You may as well bring yourself as an audience member.

So then, to dance or watch dance should I consider it an invitation to interact and respect space? Does the dancer take priority over the viewers on a groove space? If I take the dance floor, can I expect others to move, and if they do not make way, or ask me to stop. Are they perhaps in the wrong?

Also love that the audience's energy fuels the performance. Without a crowd, we only see the end product and not the engine. The byproducts and not the reaction.

This is how I feel about build season and punk worksites. If you wanna participate in collective action, know where to not put your body. Know where to put your weight. Yelling is just part of communication, unless pointed and demeaning. Know who the leads are. Keep an eye out for yourself and others.

the circle as an organism has a sort of ecology and life cycle of its own. the cypher is made of people, but has a life of its own made up of the exchange, transformation, and recirculation of energy. The cypher is not merely just made of moving bodies in closeness. There's a shared sense of connection that makes reactions possible fueling the cypher's metabolism.

I am working on a framework for understanding different social circles. It starts with observing and conceptualizing groups of people as overlapping semi-permeable membranes. The distinctions are not always clear, and sometimes the distinctions I make about belonging and kinship also influence the generalizations that can be pulled about said groups. Sometimes a groups of strangers on a dance floor can feel like the author's description of cyphers, and knowing how to be a participant observer, respecting space, showing interest, sometimes mirroring movements lets me join in and pass a threshold/cross membranes.

to participate as a viewer also means to draw from your own experiences (conscious or not) in your response. there is some psychic exchange between performer, viewer, movement, music.

As an analogy, it would be hard to gain an understanding of a dish I've never had from just the raw ingredients eaten seprately. Perhaps there is needed infusing, mellowing by roasting, aromas from toasting, removal of seeds and stems, fermentation, baking, stewing that makes the experience nourishing to more than just the stomach. And perhaps a recipe is incomplete without it's original name, a visit to its place of procurement, attachment to its means of production, and the occasion for which it is prepared as a remedy for heartache, celebration, and expression of love.

strong defense of history and legacy. the role of earlier figures is not just in their innovations, but also the groundwork laid to create a shared form of art.

The crowd also serves a regulating role to channel and regulate the energy. There are spaces in which I feel unsafe or alien because of a lack of feedback. And when a conflict or fight breaks out, when we all get on the same page, I have found faith and safety again. Perhaps the cypher operates similarly, a somewhat rehearsed occasion of collective engagement and drama that brings people together without witnessing or experiencing harm?

Though, what separates this form from say a nationally recognized participatory occasion like football or boxing? Perhaps it is because the goal of breaking isn't to cause physical harm on another?

Academic participation is cerebral and perhaps objectifying. As a researcher, it's not enough to describe from a disembodied perspective. A disembodied or empirical presence can not account for why a ritual or performance is necessary. A disembodied perspective is really a conceit, as in it is a refusal for the account to leave it's origin and bias, which is in fact grounded in the observer's own body. A way of engaging with dance as an observer needs participation. It needs to integrate your own feelings, the unspoken rules of a dance floor, engagement with the performer.

when the lights go down, we are called into bodies--our own and those of others. When the light goes on, we separate again. There is an exchange and transformation of energy, a sense of self that is communal being affirmed, a lack of reservation about bodies and appearances in the aftermath, perhaps a sense of collective trust in seeing the emotional extremes of others transformed into movement and cause for closeness instead of separation.

Passage starts with the narrator's presence, expanding to venue and event. Follows the flow of time as day unfolds.

This article provides an analysis of how trolls spread false information and hoaxes by taking advantage of the weaknesses in the mainstream media. The "Bald for Bieber" hoax is a notable example of how trolls used sensationalism in the media and fan culture to spread misleading narratives. This shows how important it is for reporters and media outlets to give fact-checking and source verification top priority, especially in the quick-changing digital world where false information can spread quickly and seriously harm people.

the Spaghetti-tree hoax was a three minute April Fools day joke broadcast by BBC panorama. This joke was about a southern Switzerland family that makes spaghetti out of a tree. This prank was possible because pasta was an unfamiliar concept to many Britons. This was a created by a producer based on childhood memories and an audience of about 8 millions people with 44% of them British.

This statement raises an important point about the burden of handling harassment on victims. I totally agree that this strategy is bad since it basically places the blame on the individuals the trolls target rather than the trolls themselves. This makes me think of the larger problem of victim-blaming in many social settings, where the impacted people are supposed to handle the issue instead of the system dealing with the root cause. Since it holds trolls accountable and promotes safer online environments, the idea of "skilled moderation" and platform rule enforcement seems like a more proactive and equitable solution.

This statement shows how inauthenticity has been a recurrent theme throughout human history and is not exclusive to the digital age. Seeing examples that span centuries, from trade disputes to photographic deception, is fascinating. It gets me to thinking about how inauthentic behavior hasn't necessarily changed because of technology, even though it has changed the medium. However, I question whether, in contrast to these historical instances, the scope of inauthenticity today makes it more difficult to identify or counter. Is the quick dissemination of false information in the digital age a modern rerun of these historical practices, or is it a new kind of mass deception?

I think what Morton is saying here is that the natives had such a pure way of living that if the people from England were to live like them there wouldn't be so many people as "beggars."

Although Morton may view the natives as inferior I can see he does note here a trait they obtain and follow by that he wishes was portrayed with his own people. The concept of "listen to your elders," in short, is what I've gathered from this reflection of his because in native culture it was what they did, they respected and followed them.

I like this description here that Thomas Morton notes because it shows the dynamic the natives had with women and men. We can tell by their clothing that women cover up more than men, however it is unlike the dynamic of colonist women and men. The cover up of colonist women is different from native for different reasonings/beliefs.

I think Thomas Morton is reflecting on the natives humility and kindness here. Where he mentions that they offer food, "if he sleep until their meat be dished up," I think this portrays the level of people they were because they were kind enough to cook for those that slept in their hospitality.

Im just adding on here but usually you choose between zswap and zram. The latter acts as a block device to store compressed page and thus finds use in embedded Linux systems while the former requires an existing swap device to act as a fallback for removing entries. This means that the policy likely here is choosing an internal compression storage in RAM based on the system (Embedded vs Server/datacenter)

Signals that this process is low priority and allows the scheduler to run higher priority processes. Not a policy but low prioritization can indicate importance of zswap policies

Checks if zswap device is full and if any zpools are available to store page. The check is based on what percentage of pool and RAM the user has allocated to zswap. The true policy arises in the question of WHY the user has set the percentage to those values. The shrink function is enabled in the case that there is no space in zswap.

Dictates the type of compression algorithm to use as a string, with tradeoffs in speed vs size compressed. Can also be changed at boot time by changing boot params in sysfs

Once you hit max no of pools, you dictate the max percentage of pages that a specific pool can accept before LRU page eviction to swap device

ok

Did anyone ever "convert" to their way? Like how we have read about English settlers joining native American tribes?

I am unsure what they are trying to say here, can anyone explain?

Could this be because within the village the people have relied on the natural resources provided from the earth, but now that the population has increase disease is starting to spread more.

I have experienced this in online gaming where I or a teammate is not as good as other advanced players, so other teams or players among us decide to only attack the weaker player repeatedly. This often leads me to be frustrated, to get off the game, or to restart with other players. This also happens over the microphone with other players who are intentionally rude to try and provoke me or other players.

Zeus is invoked as the protector of oaths, which is important considering Jason’s betrayal to his marriage with Medea. Medea appeals to Zeus to uphold the sacredness of these oaths, stressing the gravity of Jason’s betrayal. This invocation shows the religious and moral depths of Jason’s actions because breaking an oath before the Gods was considered a grave offense in Ancient Greek culture.

Kovacs, David. “Zeus in Euripides’ medea.” The American Journal of Philology, vol. 114, no. 1, 1993, p. 45, https://doi.org/10.2307/295381.

To get kelvin from celsius, add 273.15

6 would be the uncertain number

When there’s no counting, the number will be uncertain rather than certain

When you’re able to count, the number will be a certain number

Its an atom because it can no longer be cut further and therefore is the smallest piece

Its equal throughout the whole substancce

Mass and weight are not the same. Weight can change to due to the force of gravity but mass stays the same

The more mass, the more it takes to accelerate it

Physical States are solids, liquids, and gases

Microscopes are tools used to capture and making biological cells visible to the human eye

Knowing both biology and chemistry is key to understanding both

Used to benefit the elimination of disorders and injuries

Capitaineries existed in disregard to the lower classes; the phrase "helpless" children emphasizes the way the monarchy and nobility utilized their privilege at the expense to the peasantry. Nobility used the capitaineries for hunting as sport, not for survival, though largely affecting the survival and standard of living for others.

It is noted that Voltaire's belief is highly influenced by the enlightenment. Blame is placed on religion in relation to overarching government policies, a sentiment with arose with the age of the enlightenment in France. Voltaire argues that government officials and lawmakers should be overseeing the functions of the nation, rather than the church and those within it. Voltiare mentions a set of "weighs and measures and one system of law," similar to the constitution created by the American revolutionaries.

I think that the things I change about myself on social media, are parts of myself that I want to share to the public. They are true to me but I feel that social media tends to only show the good or fun parts of peoples lives which can affect others mental health. People who compare themselves to others online are only seeing the good parts of their lives which can lead to jealousy due to individuals assuming their whole life is always filled with fun exciting events similar to the posts. .

the creator of "Infinite Scroll" expresses his regret for the negative impact his social media invention had on society. His platform was created to make the experience of using other social media sites such as Facebook, and twitter easier for users. However, he received back lash for excessive screen time, and electronic addictions especially among teen users. He is now apart of an organization that supports face to face interactions and addresses the harm of digital addiction which can lead to depression.

What I like is that this points out that the student is gaining knowledge in multiple areas. It is a way that students can retain knowledge and be able to expand the knowledge. I think that it helps them learn more in the subject art is being integrated into. Art is a great tool for teachers to use in the classroom.

I really like how this talked about how over time they start to take more responsibility for their learning. I think that teachers take a big part in this also by helping them get their along the way by making feedback on students work and playing an active roll in the students learning. If we can be this active step in our students work then we will see great outcomes.

This reminds me of the take that emojis are (on a super basic level) reinventing heiroglyphics as a way to communicate via symbols. So in that respect--this reliance on visual literacy has ALWAYS been a way for us to communicate, we simply lean into more or less depending on the era and culture

unknown but overall it took him multiple voyages to get to where he initially wanted to go as far as the king and queen were concerned he did some good he discovered lands that they didn't know anything about and it gave them the means to spread their knowledge and their concourse I guess Christopher Columbus's travels were extensive and he discovered a lot of areas that were formerly you could say but overall when it came to the Americas Christopher Columbus discovered something that he wasn't even looking for at least that's what I get from his travels and his voyages his plan was to find a new faster route to Asia instead he discovered the Americas.

I keep coming back to this. With lack of context, it makes most sense to assume that Columbus truly thought the voyage would be forty-four leagues. However, I like to think that he knew it would be longer, but that his crew wouldn't agree to such a long voyage, so he lied to them. "Fifty-nine leagues, they would never agree to. I'll tell them fourty-four.'

Very similar to what David Deutsch writes in The Beginning of Infinitiy

Milliman makes it clear that Christianity did not blanketly condemn games and that a primary concern was the risk for blasphemy via angry outbursts (594). However, this line still surprised me. The Lenten season is generally very pensive and a time of abstaining from things (in my experience), so if there was ever a time to condemn gaming, I would have expected it to come then. Yet here FitzStephen talks about games, military games nonethless, during this time were casually and even a bit positively. Furthermore, his description of the horses illustrates a very exciting and joyful scene-- a tone that seems to be disjointed from the liturgical season.

copyright is the fall of man

set your code free

Wow that's the licence I want

This sounds like we will not be doing a group project but rather interacting with our same group members throughout the semester for our discussions. I'm curious as to what the benefits are of interacting with our same group members versus interacting as a whole class.

• I am most interested in this learning outcome because prior to this year, I was unaware that policy making was an option for a career path let alone the various factors that go into policy making. During training for my current occupation, there was a person that came to speak with my cohort who disclosed that was there job to assess how companies operate and then provide them with policies to implement to better the company. I've always wondered how companies come up with their policies and what factors go into changing them.

Similar to the ego, Rajas fuels action and decision making. Lord Krishna describes Rajas as a force that binds people to action and desire, keeping them from achieving liberation. It’s associated to action and a constant yearning for pleasure and success. Of course, in present time, excessive Rajas can lead to stress, anxiety and burnout because of all the constant activity.

Bhatia, Subhash C, et al. “The Bhagavad Gita and Contemporary Psychotherapies.” Indian Journal of Psychiatry, U.S. National Library of Medicine, Jan. 2013, pmc.ncbi.nlm.nih.gov/articles/PMC3705702/.

Mand sevant interpreter - nature do understand - only observed fact thought - course of nature Beyond this not - knows - can dp anything

https://www.theguardian.com/us-news/2025/jan/23/big-oil-445m-trump-congress

Report: https://climatepower.us/research-polling/big-oil-spent-450-million-to-influence-trump-the-119th-congress/

https://www.theguardian.com/business/2025/jan/25/the-oil-crisis-fuelled-by-russias-war-is-evaporating-and-so-are-the-profits

Horses must have been very valuable to have in these times, as most of which I'd assume were brought over from over seas. To be forced to eat these horses really emphasizes the dire situation these men were in.

Note: This response was posted by the corresponding author to Review Commons. The content has not been altered except for formatting.

Learn more at Review Commons

Reply to the reviewers

The authors do not wish to provide a response at this time.

Note: This preprint has been reviewed by subject experts for Review Commons. Content has not been altered except for formatting.

Learn more at Review Commons

Referee #4

Evidence, reproducibility and clarity

In this study Ermanoska and Rodal explored how the presynaptic actomyosin and its subcellular organization and function are assembled and how they respond to mechanical forces. In particular, the authors describe a new type of actin assembly that extends as a continuum through the Drosophila NMJ: this linear actin assembly is in part co-localized with NMII and with Tropomyosin, which led the authors to hypothesize that it may have contractile properties. They follow with knock down (KD) experiments of NMII in motor neurons and show that this KD changes linear actin and also reduces postsynaptic NMII and Integrin receptor levels (pre- and post-synaptically). This data suggests an intricate trans-synaptic molecular interplay between motor neurons and the muscle. Finally, in Figure 6 the authors manipulate axonal mechanical tension through the cutting or not cutting of the nerve bundle and argue that mechanical tension is also required to maintain this type of linear actin core. Altogether, this manuscript describes a potentially very interesting phenomenon whereby mechanical forces contribute to neuronal structure, namely through the control of actin types of assembly and provides some data supporting that actin/NMII/Integrins interact trans-synaptically to transmit force information between cells.

However, in its current format this study is a bit preliminary and mechanistically incomplete. The data regarding the description of 2 distinct types of actin assemblies, with distinct half-lives and stability is convincing, and well-documented but the remainder of the manuscript is more preliminary and not fully sustained by the data presented. The data regarding mechanical forces is particularly unprecise, but it can potentially unveil a novel mechanism that (at least in part) explains how force and biochemical signaling are integrated by neurons. In sum, this manuscript describes an interesting topic but the current version can be significantly improved with additional experiments and/or controls.

Below are my specific comments. If addressed, this manuscript should be published as it significantly adds to the emerging field of mechanobiology and intercellular communication. It provides a new way to look at the effect of mechanical forces in the context of synaptic biology.

Major comments and suggestions for experiments:

• In the images presented on Fig. 2A and 2B, both Arp2-3-GFP and Dia-GFP seem to co-localize with the filamentous F-actin signal, and the authors state this. However, the Pearson correlation is weak, leading the authors to "remove" this claim. On the contrary, the Tm signal is said to have a strong Pearson Correlation. However, looking at the images, it is very hard to understand why the signals are not correlated. Can the authors explain how they quantified the correlation? If Arp2-3-GFP and Dia-GFP are not enriched on linear F-actin, the chosen images are not appropriate.Alternatively, can the authors find a better way to assess colocalization? % of puncta colocalized? Also, I suggest that the quantification of these data, which is currently on Fig. S3 to be moved to the main figure 2.
• Also on Figure 2D, the Lifeact::Halo is a lot smoother than on the other panels with the same marker, and is very much alike the QmN-Tm signal, raising the possibility of a bleed-through artifact. Given that the authors have an antibody against Tm1, can they use it on larvae that express Lifeact::Halo (without QmN-Tm1) to confirm the degree of co-localization (which based on Figure 2E appears as the authors claim, but that is not very convincing on Fig.2D, where it looks like there may be some bleed-through of the channels).
• In figure 3, for consistency, can the authors use Lifeact in zip KD rather than GMA? Or is there a specific reason for this change relative to Fig. 1 and 2? Alternatively, it would be important to show that GMA and Lifeact have similar expression patterns, by co-expressing them simultaneously.
• Figures 2 and 3 raise the idea that there are contractile actin fibers, and this is an important message of this paper. Therefore, it would help to have additional data regarding the manipulation of NMII. Namely, 1) whether expressing RNAi against Sqh gives rise to the same effects as the KD of Zip, and 2) what is the effect of expressing UAS-Sqh CA (phosphomimetic) and UAS-Sqh DN (non phosphorylatable) on linear actin and on the levels of postsynaptic NMII, and pre- and post-synaptic Integrin receptor levels.
• The idea of NMII neuronal KD influencing postsynaptic NMII levels is rather intriguing and potentially very interesting. Is this interaction reciprocal? What happens if Zip is KD in the muscle? Does it influence presynaptic NMII levels? Same comment for Integrin staining. Also, can the authors comment on how they envision that NMII KD can lead to a generalized reduction in the whole muscle? NMII and Integrin should be quantified in non-synaptic and synaptic areas of the muscle.
• The difference in intensity of NMII and Integrins is quite striking and meaningful in terms of trans-synaptic signaling. To validate the quantifications shown in Figures 4 and 5, it is critical to be confident that the larvae analyzed are both time and size matched. Because the authors don't state it clearly, it is a formal possibility that the developmental timing is slightly different between controls and KDs, which could lead to lower levels of NMII and Integrins due to timing rather than manipulation or genotype. If this is the case, the two situations (time and size matching) should be analyzed for post-synaptic reductions of NMII and Integrins. To further confirm a direct effect of NMII KD leading to pre- and post-synaptic alterations of NMII and Integrins, it would be important to use a neuronal line that is expressed in a subset of motor neurons and compare with non-expressing NMJs in the same larvae. This would remove possible effects of the developmental timing. Additionally, since every marker analyzed is reduced, it would be important to find a marker that is unaltered by the KD of Zip (FasII?). Without these controls/extra experiments, the claims regarding NMII and Integrin reduction are not well supported.
• Figure 6: in this figure the authors cut the nerve and then measure actin intensity, and types of actin assemblies. This data is used to conclude that axonal severing impacts mechanical properties of axons and changes actin distribution and types of assemblies. Even though the concept is novel and interesting, the data is not sufficient for the claims. Ideally, it would be important to be able to control and quantify the stretch force applied and the level that is required to promote the distinct types of actin structure. I do understand that these experiments may be difficult to perform, and may require methodologies that are not standard. However, there are ways to improve this data. For example, since these measurements of actin levels and distribution are performed live, it would be important to do a time-lapse movie to understand how linear actin is lost and puncta of actin increase, followed by a quantification of these parameters.

Even though it is hard to provide a "force number", it is relatively simple to repeat the experiment from Figure 6 in conditions of cut and uncut nerve, but adding a stretched nerve condition. Does stretch promote linear actin? To perform this experiment, the authors can pull the brain and its nerves up and glue it in a way that the nerve bundles are connected to the NMJ but are more stretched than in the dissected "loose" condition. Additionally, the authors should analyze how manipulation of actin polymerization (LatA and JASPA) impact this process. Finally, since the authors show in Figures 4 and 5 that manipulations that result in the decrease of linear actin leads to reductions of Integrins and NMII, they should assess if changing the mechanical tension of the nerve also impacts these signaling pathways. - Perhaps a bit out of scope, but very much related: what happens to actin structure after muscle contraction? In other words, does mechanical pressure at the NMJ also alter actin?

Minor comments:

• In all Figures, it is not stated from how many independent experiments/crosses are the data derived from. In most experiments, the number of larvae analyzed is on the low end.
• In Figure 3 and Figure S5, in the zip KD (at least by eye) bouton size looks increased. Is there a difference? Since it looks obvious by eye, can the authors quantify this morphological feature, that can also be related with an actomyosin cortex?
• Can the authors specify that the control UAS-BL35785 is and RNAi against mCherry (in the Tables and perhaps also in the legend)?
• In the discussion, the authors state that they "We took advantage of the Drosophila model and targeted NMII directly by neuronal depletion of both the heavy chain and light chain of NMII. Interestingly, we observed major perturbations of presynaptic actin subpopulations, including of the linear presynaptic actin core." Unless I am missing some Figure, I could not find this data regarding Sqh. The KD of Sqh appears only in Supp Figure 4, to validate the efficacy of KD and not actin. This should be corrected.

Methods:

• Can the authors say if the crosses were performed in vials or cages? This can significantly change some NMJ parameters.
• Extra information regarding the mounting of the larvae for live imaging can be provided: if the larvae is not fixed, how do the authors control the positioning in the drop of HL3.1? How is the stretching/non-stretching of the nerve controlled for? Or are the larvae glue on the side with the double-sided sticky tape? These details can be provided to assure reproducibility by other labs.
• If I understood correctly, in the LatA experiment, the larvae are imaged in the absence of LatA. This is not clear in the results section and should be corrected.
• Please provide more details on how were the correlations performed?

Significance

This study describes the existence of an new actin assembly, linear actin, that extends through the Drosophila larval NMJ. To my knowledge this is reported for first time and has functional implications, since the authors hypothesize that this structure has contractile properties. This study also proposes that mechanical forces can directly be sensed by actin, which modifies its structure and alters signaling molecules at the synapse, namely through transsynaptic signaling, via Integrins. Altogether, the idea represents a novel concept, with an attempt to provide some mechanistic detail (even though it lacks data to support some of the hypothesis).

This study is of interest to both specialized and broad audiences, interested in basic research.

Note: This preprint has been reviewed by subject experts for Review Commons. Content has not been altered except for formatting.

Learn more at Review Commons

Referee #3

Evidence, reproducibility and clarity

The advent of super-resolution microscopy has dramatically increased our understanding of the organization and function of the cytoskeleton in neurons. However, there are still areas which remain poorly understood, particularly in neuronal subtypes that are not conventional models for studying the neuronal cytoskeleton. Here Ermanoska and Rodal use super-resolution microscopy and improved probes for imaging actin in Drosophila motor neurons and have identified a novel linear actin structure in the presynaptic terminal of motor neurons. This linear structure appears to be regulated by non-muscle myosin 2 and is important in maintaining the integrity of the neuromuscular connection. For example, the authors show that depleting NM2 in the neurons alters the amount of linear F-actin and the distribution of integrins at the presynaptic terminal. Additionally, performing an axotomy also reduces these linear structures at the nerve terminal, presumably due to decreased tension along the neuron.

Since this is a review of a preprint, I will limit my assessment of the manuscript to what I feel are the major issues in the hopes that it will be helpful to the authors in reworking the manuscript for submission. Most of these points could be addressed in multiple ways.

Major issues and outstanding questions:

1. Axonal actin bundles have been previously identified, though that would not have been clear from reading this paper. The work of Ganguly et. al, JCB 2015; Chakrabarty et al, JCB 2019; Phillips et al., J Neurosci Methods; Gallo J Cell Sci 2006; Brown and Bridgeman Dev. Neurobiol 2009; Orlava et al. Dev. Neurobiol 2007; and Ketshek et al eLife 2021 should be cited and discussed in the context of this work. Interestingly, many of the linear bundles of actin filaments described above are associated with NM2-dependent axonal retraction. The works should be cited and discussed in the context of the results found in this manuscript.
2. Are there similar bundles along the axons of these motor neurons, or do they only occur at the presynaptic terminal? Or does the type of imaging and model system being used only allow for these structures to be visualized at the presynaptic terminal?
3. The term "Molecular composition of linear actin structures" is being overused here- you are only showing the colocalization of tropomyosin 1.
4. If Tm1 is important for these structures, why are they still present when it is deleted? I do not see the quantification of linear actin when Tm1 is depleted. Additionally, when integrin redistribution is being measured in Sup. Fig 6, I do not see the Tm1 depleted data despite Tm1 being in the title of the figure.
5. Is there an increase in activated NM2 at the presynaptic terminal? What happens if you increase NM2 activity in these neurons?
6. There is a depletion of NM2 particles in the postsynaptic terminal when NM2 is being depleted in only the neurons- but is NM2 expression being affected in the muscle cells or only localization of puncta to the nerve terminals?
7. What is the functional consequence when linear actin structures are depleted- Denervation? Decreased synaptic activity? Anything?
8. It would really help to strengthen the conclusions of this paper if NM2 could be locally and acutely activated or inactivated at the nerve terminal. Nearly all the phenotypes observed are due to global perturbations that may have broad consequences.
9. Are these structures present at the presynaptic nerve terminal in other species? If not, or if you do not want to look into it, then it might be more appropriate to add "in Drosophila" to the title.

Significance

This manuscript presents an exciting concept that will be of high interest to cellular neuroscientists and cytoskeletal biologists. There are also interesting implications that could be made with aging and neurodegenerative diseases of the neuromuscular system. The manuscript is well written and contains rigorous experimentation and analysis of the data. My main issue with it, however, is that the conclusions seem preliminary and are heavily reliant on correlation. Additionally, there is a complete lack of discussion of similar structures that have been seen in axons. Finally, all of the data is from one cell type from a single species, which limits how broadly the results can be interpreted and whether this data has potential relevance to human aging/disease, which would help it reach a larger audience. Basically, I am confident that the data that is presented is correct, though it is potentially being overinterpreted when being put into a broader context.

Note: This preprint has been reviewed by subject experts for Review Commons. Content has not been altered except for formatting.

Learn more at Review Commons

Referee #2

Evidence, reproducibility and clarity

Summary: In this study, Drosophila larval NMJs were used to investigate the very interesting and innovative hypothesis that actomyosin-mediated contractility generates and responds to cellular forces at the neuron-muscle interface. In summary, the authors identified a new presynaptic actomyosin subpopulation that transmits signals to adjacent muscle tissue that together with with integrin receptors governs the mechanobiology of the neuromuscular junction.

While this study presents exciting evidence supporting the existence of a cable-like actomyosin structure traversing the NMJ, some of the conclusions are not fully supported by the data provided. It is unclear how this actomyosin arrangement differs (or not) from other longitudinal myosin arrangements found in the axon shaft. In this respect, it would be informative to provide images of the axon shaft to further verify the possible presynaptic specificity of this actomyosin arrangement, and check whether alternatively it might exist as a continuum of actin cables already present in the axon shaft.

The data presented in Figure 2F is insufficient to claim that a presynaptic actomyosin core exists. As it is, the myosin puncta shown do not definitely support that such a structure exists. Alternative approaches such as using fluorescent NMII fusions that allow visualizing simultaneously the N- and C-terminal domains of the NMII heavy chain could be used.

Claims on the effect of the neuronal actomyosin assemblies on tension, in the absence of experiments directly assessing tension, should be down toned.

Also, the data provided in the axotomy experiments is not sufficient to claim that axonal severing is sensed specifically at the presynaptic terminal in a similar manner to neuronal NMII depletion. Axotomy is certainly followed by degeneration and dismantling of different axonal cytoskeleton compartments including the formation of altered actin arrangements, including those of the presynaptic terminal.

Significance

This is a very interesting study that raises a novel hypothesis on how neuronal mechanobiology is governed. If complemented with additional experiments further supporting the existence of a specific actomyosin arrangement in presynaptic terminals, this study will certainly be of high significance to the field and of broad interest to readers that are not experts on the topic.

Note: This preprint has been reviewed by subject experts for Review Commons. Content has not been altered except for formatting.

Learn more at Review Commons

Referee #1

Evidence, reproducibility and clarity

In this study, Ermanoska and Rodal describe the features of a recently described (by the same group) presynaptic entity in the NMJ. The authors find evidence of diverse types of actin assemblies along the presynaptic contact, patches, and cables (similar to structures observed during fission yeast division). Among these proteins, NMII (Sqh) seems prominently featured. Zip mutations apparently alter the distribution of the actin, albeit modestly, and also affect integrin patching at the synapse. Finally, the authors provide evidence that mechanical severing induces specific actin remodeling.

The study is provocative, but some of the conclusions of the study are quite evident and predictable. Also, the localization of the proteins at presynaptic cables is not as clear as the authors describe them. Finally, the effects of NMII depletion using siRNA are compounded by possible off-targets effects that the authors shrewdly attribute to presynaptic-specific phenotypes. Proof of this is quite weak and it seems likely that some neuron-specific promoters are leaking beyond neurons.

Major issues:

• The authors have made a large effort to characterize the presynaptic actin structures in as much detail as possible, but this reviewer is apprehensive regarding the validity of the observations made in the presence of highly perturbing probes. It is well-known in the field that most actin-binding probes, including moesin-actin BD, Lifeact, utrophin, etc., have no perturbing effects... except in neurons. In their previous publication (eLife 2017), the authors used GFP-actin (which display binding kinetic alterations), MA and Lifeact, and got away with it. They never stained with phalloidin, which is the gold standard for unperturbed F-actin visualization. Given the level of structural detail the authors are getting into, they need to address the visualization of these structures in a totally unperturbed manner.
• Sqh:GFP does not really localize in the structures, but everywhere (Fig. 2F). Again, Sqh:GFP is a notoriously flaky probe (DOI: 10.1002/cm.21212) that makes this reviewer nervous in the absence of additional validation, which in this case may take the form of HA/myc/FLAG-tagging (which require staining but does not interfere with Zip:Sqh binding) or endogenous staining, particularly with phospho-specific antibodies (for use in Drosophila samples, see for example DOI: 10.1038/emboj.2010.338).
• What is the actual efficiency of NMII depletion? This is a stubborn molecule difficult to deplete efficiently in most systems.
• The authors observed that NMII depletion driven by RNAi under a neuronal specific promoter also reduces NMII expression in the post-synaptic region and the muscle. The authors claim that this is specific and not leaky by examining NMII expression in the absence of C155-Gal4. To the extent of this reviewer's knowledge, this is thus based on the specificity of C155. However, it has been well documented and explicitly stated that Drosophila enhancer-Gal4 lines show ectopic expression during development (paper by this title, using C155-Gal4 among other promoters, DOI: 10.1098/rsos.170039). Those authors observed expression in wing cells, for example, which casts severe doubt on this particular conclusion.
• What would be the effect of severing in NMII-depleted presynaptic assemblies?

Referees cross-commenting

I concur with the comments of my esteemed colleagues. Still, I am concerned regarding the use of the C155-Gal4 promoter and its effects outside of neurons. The conclusion that that NMII depletion driven by RNAi under a neuronal specific promoter also reduces NMII expression in the post-synaptic region and the muscle is potentially the most striking finding of the paper, but the fact that this promoter (which is potentially leaky) is used dampens my enthusiasm. Also, the use of the actin probes is a problem, and one I don't see fixed by the fact they published a previous paper before using them. Maybe the reviewers then had less or no experience with these probes. I have in the past, and I cannot let this slide

Significance

As described in the previous section, the study has several built-in limitations that dampen this reviewer's enthusiasm for the overall story, including the limitations of the molecular tools used, which are quite-artifact prone (this reviewer has plenty of firsthand experience with all these tools in mammalian models, and has suffered some of them to become big, months-consuming artifacts). Also, the authors use fly lines that either are leaky; or they elect not to explore the most interesting piece of data in the paper, which is the transsynaptic effect on NMII expression. This reviewer suspects that the authors have not pursued this vigorously because they have their own suspicions in this regard.

If properly carried out, this study would have filled an important gap, since most existing studies have so far focused on the post-synaptic region, hence it'd be important to find out precisely what is happening on the other side. But this study does not clarify this.

The audience would have been mainly cell biologists, cellular neurobiologists and "fly people", with some transversal interest from the budding mechanobiology community. But the story is quite flawed, beyond revision given the approaches used (and trusted) by the authors. I cannot recommend publication of this manuscript if the issues raised here are not addressed.

This really made me think about how difficult communication with anyone and everyone was during the pandemic, and since the ending of shut downs and quarantines I have noticed a deterioration of social skills and social communication. It seems that the amount of time we had to spend in isolation damaged communication abilities

This type of situation that hits my 'tism/adhd ticks with a vengeance. I truly struggle with these daily interactions every time i come into contact with them. As someone with a passion for psychology i do fully understand the reason for phatic communion and why humans in general need these human to human transactions, again the true "lone Wolf" comes into play. Why would someone not shorten the wasted time in having a falsified conversation about how you are doing, when neither party has an interest in the response and usually using these interactions as a segway into talking about themselves. I usually throw a head nod, it saves so much time and the same interest insome one is conveyed. I suppose i come across this issue because i am someone that asks you a question because i actually care about the answer you are giving and have no interest in talking about myself in the process. Im working on this with myself but its the hardest thing in the world to be apart of for myself.

Learning communication or simply getting better at it is not only beneficial to the person taking the class but also to those around them. People can most definitely appreciate someone who can communicate simply and being able to get a point across. It is all-in-all a beneficial tool to everyone involved with it. It is also safe to say that it can help benefit most if not all people who use it well and appropriately.

I selected the word "Mountains" because it serves as a physical depiction of the strength and power of Christ, ultimately showing that God is more powerful than even a mountain. The purpose of this piece is to explore the overwhelming power of Christ through a comparison with nature, demonstrated by the mountains. Mountains are strong, stand tall, and seem to endure through everything, much like Christ himself. Additionally, the word is capitalized, which draws the eye and adds further emphasis. Mountains are referenced twice as "skipping like rams" to show that even a mountain would submit to Christ. This imagery is powerful because it contrasts the typical view of mountains as immovable and permanent. The idea of mountains "skipping" suggests that even the most powerful parts of creation are nothing in comparison with Christ. Something as large as a mountain can be moved by the strength of Christ, offering a clear example of the power God possesses through the natural world.

I’ve chosen Almighty as the most heavily contextual word in this poem, carrying a profound significance as it represents the figure of God and the extent of his immense powers. This duality in meaning has inclined me to highlight its importance. Almighty is used as a name for God in the poem and in many scriptures, yet it also serves as a declaration of the supreme, immense strength that God has exercised over the world in dark and intense ways. As a name, Almighty functions as a declaration of this overwhelming strength. It also encapsulates the feeling of unease and even danger when recollecting the actions of a mighty and unforgiving god, the speaker’s fear underscoring the tension between human frailty and this infinite, immortal divinity. Introducing the tension that comes with praising God through recognizing our weaknesses and powerlessness forces us to confront our vulnerabilities, adding depth to the reverence of God.

I interpreted this segment as stating that Britain has an obligation to demonstrate that they are capable of living up to their ancestor's accomplishments. Therefore, they are inclined to maintain their trade influence by expanding west, and to do so with commitment. Anything less would negatively affect their reputation.

This is an interesting bit of insight as to an English perspective on their changing state in trade influence, and by extension, degree in power and wealth. It was stated earlier that England was late to the game when it comes to pushing out into the west; without context, one could infer that it was largely in response to these effects that Britain decided to take action and establish colonies in the Americas.

major 🔑

I never knew what this stood for until now! it'll be a huge help next time I compose emails so that im not sending the same email to others!

when it comes to sharing files or documents email is much preferred because there is security behind it. In my job we share a lot of confidential information about clients and their accounts so we always use email to send information with extra security, the type of security you wouldn't get if you get files and documents texted to you.

Although sometimes I find emails and text to be generically the same, emails do tend to bring forth a more professional tone due to the information being shared unlike it would be if it was a simple text. Something about emails make everything seem so professional with the etiquette and mannerism behind it.

This is like trying to set a good first impression that is why it is important to be polite.

This could be a very simple overlook most of the time. Its important to remember the email you are using to send a professional email.

This connects to when the text states, "Strong subject lines, clear formatting, and concise writing are all characteristics of a well-written email." It is part of the clear formatting.

original

Man, being the servant and interpreter of Nature, can do and understand so much and so much only as he has observed in fact or in thought - of the course of nature. Beyond this he neither knows anything nor can do anything

to

Man, being the servant and interpreter of Nature, can do and understand so much and so much only as he has

observed in fact or in thought

of the course of nature. Beyond this he neither knows anything nor can do anything

Like the clove informal assessments

even with the use of sentence frames, teachers need to ensure that students are familiar with the words and the grammatical strucutre of the sentences.

Laws of Hywel Dda by [[National Library of Wales]]

Laws of Hywel Dda by [[Friends of the National Libraries]]

I feel these two point tie into the listen to understand and not to respond practices along with phatic communication. Bringing psychology into this one of the things that is ensured human to human is the interest in themselves, whether self preservation or simply self interest. People usually default to listening to respond due to subconscious need to talk about themselves and relate to themselves.

Immune cells are very specific in their jobs.

the content of any medium is another medium

Acheiropoieta — also called icons made without hands — are Christian icons which are said to have come into existence miraculously; not created by a human. Invariably these are images of Jesus or the Virgin Mary. - like the miracle toast

because the world is already inherently informational

I am curious about the common tale about Greenland and Iceland being reversely named in attempt to trick people.

this statement pairs well with humans being such pack animals. It is very rare to find a person who is truly a "Lone Wolf". I don't know what else to add to this other then that was the thought that popped into my head. communication absolutely is a shaper or world and reality, of a singular person or a whole wide scale.

The entirety of communication differences within cultures is very relevant in my life. I am Bi-Racial with my mother from the borrows in New York and my fathers family from farm land Utah. As a child the differences in communication, family intentions and food are polar opposites of each other. My mothers family, big loud, and proud family block parties are a normal thing done as both a celebration and as a family gathering of support and love. Meanwhile, my fathers side of the family gathers in big numbers that is quiet, intimate, usually at my grandmas house which is a smaller setting. It was an interesting difference growing up in that setting but very relevant to the differences in cultural communication and integrating those differences into each other growing up just being myself in either setting.

I think this claim is really important to point out. Namely, because it is very true. Every little thing influences how what we say is perceived and how we personally perceive those things. I think with this, I can argue that this is why how we say things matter. If you're at a library and you are screaming about the outfit you have on, versus being with your friend doing the same action. One will most definitely be seen in a negative light as the other situation will be perceived more positively.

I can see through these examples that crime measurements are sort of used for people sick reasons, specifically the last example. It reminds me in my old small town how a group of firefighter had this argument that crime in out town was raising because of a rise of Mexican descending people were moving to our town. It was this whole debate but luckily nothing ever came about it, but they tried to argue that they were all criminals and should leave.

Key

In my mind the survey would be amazing, but at the same time if it is not anonymous as a victim I'd be shared knowing a secret or something I have e been hiding will be discovered. So I could see how some people may fake their responses due to things like this.

There was more reasons why people dot report crime than I thought. The one about someone potentially committing a crime was crazy to me because I guess I always thought of victims as people that were in a crime not as people that could commit a crime.

It was crazy for me to read about how much can change in the data due to how certain things are handled and dealt with.

I didn't know that there was a branch of the FBI that was specifically used for Criminologists to collect data and figure out if policies were good or not. I find that really interesting.

DiLulios claim caused a domino effect within the criminal justice system which in turn causes already arrested criminals or people standing trial to be sentenced longer and punished worse.

Dr. DiLulio is an example of the bias in the criminal justice and Criminology system. His lie probably revealed some people's fears to be true, thus growing their own personal biases and making it so people of color had to live in more fear of being treated badly or distrusted because of this lie.

I'm curious to see the analytics and what apps and programs are being used to measure marketing efforts.

I previously assumed Digital Marketing was a single role that handled everything. Learning about the various specialized roles and different focus areas within Digital Marketing was eye-opening. While the field initially seemed overwhelming to enter, understanding that I can focus on mastering specific components makes it feel more achievable. I also learned that video content is just one piece of the puzzle, whereas previously I thought it was the primary starting point for attracting an audience.

Watching the Digital Marketing video has me thinking and excited about the creation of funnels and the steps you take to engage and attract potential customers at every stage of the buyer's journey (even that was an interesting concept). I didn't think blogs were that cool before, but I now understand how useful and strategic they are when trying to attract customers—not just any customers, but those who are interested in what you offer based on what they search. That's wild!

It's amazing how digital platforms can bring together different cultures! By watching these food vloggers, we're not just learning recipes but we're also gaining insight into cultures that bring ancient traditions into our kitchens. Digital existence allows us to experience a slice of history through something as universal as cooking. I think it's quite fascinating how the internet can play such a crucial learning role in people's lives.

Shots fired.

OCCUPIED TERRITORIES -unique - extraordinary generosity -strategic liability - coop efforts benefits Israel and US - Cold War asset to limit Soviets -useful intel during that period -backing Israel is not cheap and hurts relations with Arab world -Isreal did not step up with Iran issues -a strategic burden for us - AFTER 9/11 the line was both us and Isreal threatened bt te terror in muslim world Israel is a liability in the war on terror and the ability to deal i w rogue states

Building in the West Bank after the recent demolition of Gaza and Trump's recent comment when signing bill 1/22-1/24 time period about the good real estate there.

What was our position in the October War? Why are we still doing this for a developed nation?

Welcome back and in this lesson I want to talk briefly about Amazon Guard Duty.

Now this is something which you only need detailed knowledge of for the security specialty stream of training.

Now I'll try to keep this lesson as efficient as possible so let's jump in and get started.

Now it's important at the outset that you know what Guard Duty is and what makes it special.

So it's a security service but specifically it's a continuous security monitoring service.

This means once enabled it's running all the time trying to protect your account and resources from any security issues.

Now the way that it works is that it can be integrated with supported data sources and I'll talk about this more on the next screen.

It's constantly reviewing those data sources for anything occurring within the account and it also uses artificial intelligence and machine learning plus threat intelligent feeds.

Now the aim of the product is to identify any unexpected or unauthorized activity on the account.

Guard Duty is doing this in an intelligent way so you aren't having to identify things you usually do or define what normal activity is.

It attempts to learn this on its own and using threat intelligence feeds it tries to spot odd or worrying activity as it occurs on the account.

Now you can influence this so white listing IPs and influencing what it sees as okay behavior but the whole point of the product is that on the whole it learns patterns of what happens normally within any managed accounts.

Now if it finds something which logically is called a finding then it can be configured to notify somebody or initiate an event driven process of protection and/or remediation.

Now this might be a lambda function performing some kind of remediation or an event driven workflow via cloud watch events but Guard Duty can be part of an automatic event driven security response and that's really cool.

What's even more awesome is that it actually supports multiple accounts via a master and member account architecture.

When you enable Guard Duty you're essentially making the account that you enable it in the master Guard Duty account and then you can invite other AWS accounts and if they accept they become member Guard Duty accounts meaning the product supports a single location for managing multiple AWS accounts.

Now architecturally the product looks like this.

First we have Guard Duty and Guard Duty receives logs from supported data sources.

At the time of creating this lesson this includes DNS logs from Route 53 showing DNS requests, VPC flow logs showing traffic metadata for any traffic flowing through a VPC, cloud trail event logs showing any API calls within the account, cloud trail management events which cover any control plane level events and then finally cloud trail S3 data events which cover any interactions with objects within S3.

Now all of those are ingested together with various threat intelligent feeds and are used to generate findings which show any unusual or unexpected behavior.

These findings can be sent to cloud watch events now known as event bridge which can be used to handle event driven notification and automatic remediation.

So event bridge can use S&S for notifications to any team members or external security management systems or it can invoke Lambda functions which can interact with AWS APIs, products and services to help automatically remediate any security issues maybe to add an explicit deny rule to a network ACL if there's a potential intrusion.

Now that's pretty much all you need to know for the exam and to get started using the product in the real world.

Now thanks for watching go ahead and complete this lesson and then when you're ready I'll look forward to you joining me in the next.

Welcome back and in this video I'm going to be talking about Amazon Inspector.

Now this is a service which is really simple to use and it only features in a relatively minor way on most of the AWS exams.

So this is a fundamental video.

If appropriate for the course that you're taking, I'll be going into much more detail in separate videos.

For this video you just need to have a basic awareness of what this product does and how to use it effectively.

Now nearly all of my lessons contain visuals because I find this helps students to learn better.

But in this case Inspector is just one of those services which is easy to understand but very detailed in terms of what it does.

And unfortunately this means it's going to be a text heavy lesson.

So let's jump in and get started.

Amazon Inspector is a product designed to check EC2 instances, the operating systems running on those instances as well as container workloads for any vulnerabilities or deviations against best practice.

The idea is to run an assessment of varying lengths, say 15 minutes, 1, 8 or 12 hours and even 1 day and identify any unusual traffic or configurations which put applications on the instances, the instances themselves or containers at risk.

Now at the end of this process the product will provide you with a review of findings ordered by severity.

In the exam if you see anything about a security report then think Inspector.

But remember it's checking instances, their operating systems, containers and any other networking components involved.

Now Inspector can work with two main types of assessments.

A network assessment can be conducted without using an Inspector agent but adding an agent provides additional richer information.

It can also run a network and/or host assessment which does use an agent.

The host assessment looks at OS level vulnerabilities and this needs access to inside of the instance, so the instance OS and this requires an agent.

With Inspector rules packages determine what is checked.

The first package, network reachability which can be done with no agent or with an agent for additional rich information.

This checks how an instance or group of instances is exposed to public networks, so it checks end-to-end reachability.

So EC2, application load balancers, Direct Connect, elastic load balancers, network interfaces, internet gateways, access control lists, route tables, security groups.

It even checks subnet and VPC configuration and even exposure from virtual private gateways and any VPC peering.

The network reachability rules package returns the following types of findings.

First, for recognized ports, so well-known ports, it confirms if the port is recognized with a listener, i.e. is it exposed to the public networks and is the operating system listening on that port, or recognized port no listener where it's exposed to the internet but with nothing listening, or if you don't use an agent, a recognized port which is exposed but there is no agent to check if the operating system is listening, and this is why using an agent always adds more information versus no agent.

Now lastly, it can identify any unrecognized ports which are exposed with listeners.

So for the exam, this is what the network reachability rules package does.

You might see that term, you need to know what it does, or it might request you to suggest a product which can do this type of analysis and then question whether an agent is required.

And so these are all key points to understand.

We also have rules packages which do require an agent, so host assessments, and all of these are really, really important to remember for the exam.

These are pure keywords, so easy to remember but massively important.

First, there is the common vulnerabilities and exposures or CVE package, and CVE is a database of known cyber security vulnerabilities, each of which is assigned a CVE number, and this package checks against those.

If you see CVE in the exam, think Inspector.

And a report will include any CVE IDs for anything found on the instances or containers.

Next, we have the Center for Internet Security or CIS Benchmarks.

The formal definition is the CIS Security Benchmark Program provides well-defined, unbiased, consensus-based industry best practices to help organizations assess and improve their security.

This rules package checks against that.

So again, if you see CIS as an exam question, think Inspector.

Then finally, we have Security Best Practices for Inspector, which is just a collection of best practices provided by Amazon, including things like disabling root login over SSH, using only modern version numbers for SSH, password complexity checks, and permissions on certain folders.

Again, if you see anything of this nature in the exam, think Inspector.

And that really is everything that you need to know at this fundamental level for this product.

Again, if you're studying for a particular exam which requires more information, I will have additional videos covering everything else in depth.

This is just a fundamental 101 level lesson.

Now, you'll know by now I do hate teaching based on just keywords, but this is one of those outliers where you don't really need to know all of the details.

But I don't want you dropping exam marks because you don't know any of these really valuable keywords.

And again, I'm just going to repeat this one more time.

If applicable for the course that you're studying, I'll be covering Inspector in much more detail in other dedicated lessons.

For now, though, that is everything I wanted to cover.

So go ahead and complete this video.

And when you're ready, I'll look forward to you joining me in the next.

Frente al tema de corporalidades, en ambos países, los datos judiciales reflejan cómo las violencias de género afectan los cuerpos y vidas de las personas involucradas, especialmente mujeres y poblaciones vulnerabilizadas. Sin embargo, la falta de estandarización y transparencia limita la capacidad de analizar estas experiencias de manera integral. Los casos incluyen detalles sensibles como el tipo de violencia sufrida y los contextos socioeconómicos, enfatizando la importancia de las corporalidades en el diseño de políticas públicas basadas en evidencia.

En cuanto a traducción, el proceso de convertir sentencias legales en datos estructurados involucra traducciones significativas, tanto desde el lenguaje natural de los documentos hacia categorías estandarizadas, como desde los sistemas judiciales hacia bases de datos públicas. Herramientas como “IA2” en Argentina y “Mis Aplicaciones” en México permiten anonimizar y adaptar sentencias para su publicación, aunque la traducción de estos datos al dominio público sigue siendo manual y limitada por los criterios subjetivos de los operadores judiciales.

La Inteligencia Artificial juega un papel clave en la anonimización y estructuración de datos judiciales, pero enfrenta limitaciones. En Argentina, herramientas como IA2 automatizan parte del proceso, pero el trabajo manual sigue siendo necesario para agregar contexto y garantizar precisión. En México, el uso de Inteligencia Artificial está restringido a eliminar datos personales y depende de las decisiones de los jueces sobre qué información es de interés público. Estas implementaciones reflejan un potencial subutilizado de la Inteligencia Artificial para apoyar un análisis más amplio y sistemático de los casos de violencia de género (GBV por su sigla en inglés).

La ausencia de estadísticas oficiales sobre violencia de género (GBV por su sigla en inglés) en América Latina ha llevado a mujeres y organizaciones a registrar feminicidios mediante el análisis de medios impresos y digitales. Estos esfuerzos, como los informes de “La Casa del Encuentro” en Argentina y el mapa interactivo de feminicidios de María Salguero en México, no solo dan visibilidad a las víctimas, sino que también sensibilizan a la sociedad y a las autoridades públicas sobre la gravedad del problema.

Desde el punto de vista de las corporalidades, los registros de feminicidios resaltan las historias individuales de las víctimas, mostrando su identidad, contexto y las circunstancias específicas de su muerte. Esto humaniza las estadísticas y visibiliza cómo las violencias machistas afectan de manera particular a los cuerpos de mujeres y personas diversas en diferentes esferas, incluyendo lo doméstico, laboral e institucional.

En cuanto a traducción, la incorporación de herramientas tecnológicas, como los plugins de navegador y sistemas de alerta por correo, automatiza la recopilación de datos a partir de fuentes mediáticas. Estas herramientas permiten capturar y traducir información de textos periodísticos a bases de datos estructuradas, facilitando el análisis y la comunicación de los casos a nivel local e internacional.

En cuanto a Inteligencia Artificial, iniciativas como “Datos contra el feminicidio” integran aprendizaje automático (machine learning) para identificar y procesar información relevante sobre feminicidios. Estas tecnologías contribuyen a la sistematización de datos. Es esencial ampliar el enfoque para capturar todas las formas y modalidades de violencia de género. Esto permitirá diseñar políticas públicas más efectivas que aborden la prevención, sanción y erradicación de estas violencias, destacando la necesidad de un enfoque integral y situado en el contexto latinoamericano.

Los riesgos de sesgos, falta de transparencia y consecuencias perjudiciales en la Inteligencia Artificial han sido ampliamente documentados. Frente a esto, el proyecto propone un enfoque feminista y colaborativo, usando la Inteligencia Artificial como herramienta de apoyo, no como sustituto del conocimiento humano, para abordar la violencia de género (GBV por su sigla en inglés) y fomentar la justicia social.

Dentro de las corporalidades, se destaca la importancia de la participación humana, especialmente de expertos con conocimientos sobre desigualdades estructurales, para garantizar un diseño inclusivo y contextualizado. Esto se alinea con principios feministas que priorizan las intersecciones de género, raza y clase, y evita el uso de Inteligencia Artificial para vigilancia o control, optando por enfoques que respeten las diferencias corporales y contextos sociales.

En cuanto al tema de la traducción, el proyecto utiliza modelos de procesamiento de lenguaje natural (NLP) adaptados a contextos hispanohablantes, como BETO, un modelo BERT entrenado en español. Este enfoque permite estructurar información de documentos legales, asegurando que los datos se procesen en su idioma y contexto originales, evitando sesgos asociados con modelos entrenados en inglés.

La Inteligencia Artificial consiste en no automatizar decisiones judiciales ni predecir comportamientos, sino colaborar con expertos para estructurar datos legales y fomentar transparencia. Se inspira en enfoques feministas que abordan dinámicas de poder en sistemas sociotécnicos, subrayando la importancia de datos de alta calidad para informar políticas públicas basadas en evidencia y justicia abierta.

Las autoras, feministas de América Latina y Suecia, hablan sobre las desigualdades sociales desde una óptica que combina raza, clase social y género, inspirándose en diversas corrientes del feminismo, incluyendo el transfeminismo, el feminismo negro, indígena y el feminismo contra el capacitismo.

En cuanto a las corporalidades sobre la base de una experiencia situada, las autoras subrayan que ninguna experiencia vital tiene mayor peso que otra, integrando las voces de mujeres y personas LGBTIQ+ desde diversas realidades. Reconocen la pluralidad del feminismo y buscan visibilizar las múltiples luchas dentro de los movimientos feministas, destacando el impacto del género en la vida cotidiana y los sistemas de poder.

Por el lado de la traducción de datos y la justicia abierta, las autoras se inspiran en el feminismo de datos, y proponen el uso de herramientas de Inteligencia Artificial para traducir datos judiciales relacionados con violencia de género en formatos abiertos y contextuales. Esto busca hacer visibles las resoluciones legales sin descontextualizarlas ni comprometer datos sensibles, contribuyendo a la formulación de políticas públicas basadas en evidencia.

La Inteligencia Artificial y el anti-soluccionismo, adoptan una postura crítica hacia la idea de que la Inteligencia Artificial puede “resolver” problemas sociales complejos como la violencia de género. En cambio, argumentan que la Inteligencia Artificial puede ser una herramienta para colaborar con actores humanos expertos en estos temas, ayudando a sistematizar datos de calidad. Rechazan la noción de que la Inteligencia Artificial pueda ser feminista por sí misma, pero promueven su uso por parte de feministas para avanzar en causas sociales.

La propuesta, que se desarrolla con organizaciones como DataGénero y el Criminal Court 10 de Buenos Aires, incluye el diseño y prueba de una Inteligencia Artificial en contextos judiciales. Este enfoque colaborativo, nutrido por alianzas con colectivos de desarrollo de software y procesamiento de lenguaje natural, busca integrar perspectivas interseccionales del Sur Global en la creación de tecnologías justas y éticas.

El prototipo propuesto se alinea con la Agenda 2030 de las Naciones Unidas para el Desarrollo Sostenible, especialmente con el ODS 16 (Paz, Justicia e Instituciones Sólidas), promoviendo sociedades justas, pacíficas e inclusivas. El principio de justicia abierta impulsa instituciones transparentes y responsables, garantiza el acceso a la información y protege las libertades fundamentales.

Dos metas clave del ODS 16 son especialmente relevantes: la Meta 3, que fomenta el acceso equitativo a la justicia y el Estado de derecho, y la Meta 7, que promueve la toma de decisiones inclusivas, participativas y representativas. La judicatura es esencial para cumplir estas metas, contribuyendo además a los ODS 5 (Igualdad de género y empoderamiento de las mujeres) y 10 (Reducción de desigualdades dentro y entre países).

Welcome to this lesson where we're going to be covering Amazon Macie.

Now we have a lot to cover so let's jump in and get started.

So what is Macie?

Well, it's a data security and data privacy service.

You'll understand now the architecture of the simple storage service known as S3.

It's one of AWS's most popular services and it can host huge quantities of large or small objects at scale.

It can also be made public and for some time it's been a constant source of risk within organizations because of the fact that data can be leaked if the service is misconfigured.

So Macie is a service which can be used to discover, monitor and protect data which is stored within S3 buckets.

It's critical if an organization wants to control the security of its data that it needs to have an awareness of where that data is and what exactly it contains.

So once enabled and pointed at buckets within your AWS account or AWS accounts, Macie can get to work discovering data and this might mean data which is classed as personally identifiable information or PII or personal health information known as PHI as well as financial data and many other types of data.

Now these high level categories include a huge range of data which you personally will have day to day familiarity with.

Things like AWS access keys, SSH keys, PGP keys or bank account numbers, credit card numbers or expiry dates, health insurance numbers, birth dates, drivers license numbers, national insurance numbers, passport numbers, addresses and much more.

It's the first job of Macie to identify and inventory this data.

So by using Macie you'll know what you have, what it contains and where it is.

Now the way that it does this is using data identifiers.

Think of these like rules which your objects and their contents are assessed against and there are two types of data identifiers.

Managed data identifiers and custom data identifiers.

Now managed data identifiers are built into the product.

They use a combination of criteria and techniques including machine learning and pattern matching to analyse the data that you specify.

They're designed to detect sensitive data types for many countries and regions including multiple types of personally identifiable information, personal health information and financial data.

And this type of identifier can be used to detect almost all common types of sensitive data that you might need to manage within your organisation.

Now you can also build custom data identifiers for your business.

These are proprietary so you can look for specific data which your business needs to identify and control.

An example you might use a regular expression known as a reg X to search for certain patterns of specific text within your business.

Maybe employee IDs or performance reports.

With Macy you create discovery jobs which use these identifiers and look for anything matching on buckets.

If anything is found these jobs generate findings and you can view these findings interactively or they can be used as part of integrations with other AWS services.

For example security hub or finding events can be generated and passed into EventBridge and then they can be used for automatic event driven remediation.

So it's a super powerful architecture.

Now one final thing which you need to understand before we review the architecture visually is that Macy uses a multi account architecture.

One account is the administrator account and that can be used to manage Macy within member accounts.

And this multi account structure can be done either using AWS organisations or by explicitly inviting accounts.

And once invited buckets across all accounts within the Macy organisation can be evaluated in the same way.

Now let's just take a second to review the architecture visually.

We start with one or more S3 buckets and then the Macy service itself and then we create a discover job.

And within the discover job we can specify which buckets we want to analyse which means detecting and classifying data within those buckets.

The discovery job has a schedule so this controls when it runs and how frequently it runs and then the job uses a combination of managed data identifiers and custom data identifiers.

And these are the things which actually identify and classify the types of data that Macy is locating.

So it's these things which are the important part of the whole process.

Now as an output to the discovery job findings are generated and these can be viewed either using the console interactively or and this is the more common use case.

They can be used with a vent bridge in the form of event findings generation which can then be delivered to other AWS services.

And this is commonly used for integration or for event driven remediation in this example where a Lambda function can receive the event and can perform some kind of automatic fix based on the finding.

So at a high level that's how the architecture looks.

And before we finish up with this lesson I want to explore a number of other important elements of the service and we're going to start with looking in more detail at the managed and custom data identifiers.

To discover sensitive data within Amazon Macy you create and run data discovery jobs.

A data discovery job analyzes objects within S3 buckets to determine whether the objects contain sensitive data.

And the way that it does this is via data identifiers.

First we have managed data identifiers and these are created and managed by AWS.

And as I mentioned earlier in this lesson they can be used to identify a growing list of sensitive data types.

Now I've included a link attached to this lesson which details the full range of data which is matched by this type of identifier.

But it's things like various credentials, financial data, credit cards, bank details and more.

Things like health data or anything personally identifying such as addresses, passports, drivers licenses and much much more.

It's a pretty comprehensive list so it's worth checking out the link that's included with this lesson which gives a full overview.

In addition to this anyone can create custom data identifiers.

Now the foundation of these are regular expressions which define a pattern to match within data.

This one for instance matches any data which contains the letters A through to Z and then a dash and then eight digits.

Anything that you can define using regular expressions you can match using custom data identifiers.

And these are generally used for data patterns which are custom to your organization as with this example of an employee ID.

You can optionally add keywords to custom data identifiers which must occur within a definable proximity to the pattern matched by the regular expressions.

And this definable distance is called the maximum match distance.

And then finally you can also include ignore words.

So if the regex match is something but an ignore word is there in addition it's ignored and doesn't match.

So keywords, maximum match distance and ignore words are all refiners.

They help you start with a regex pattern but influence how something is classified based on those refinements.

So these identifiers run in addition to built in checks that Macy performs and then findings are generated.

And Macy will produce two types of findings.

Policy findings and sensitive data findings.

Macy generates policy findings when the policies or settings for an S3 bucket are changed in a way that reduces the security of the bucket or its objects but crucially after Macy is enabled.

For example if the default encryption on a bucket was enabled when you enabled Macy and then default encryption is later disabled on that bucket then this is highlighted as a policy finding.

So that's an example of a policy finding.

Macy generates the other type of finding which is a sensitive data finding when it discovers sensitive data in S3 objects that you configure it to analyze.

And it determines what is sensitive data based on the jobs and identifiers which you configure and which I've just stepped through.

So some examples of policy findings are S3 block public access disabled which is triggered if the block public access settings on a bucket are disabled.

Another is S3 bucket encryption disabled which is triggered logically when encryption on a bucket is disabled.

Another is S3 bucket public which is triggered when a bucket policy or ACL changes are made which make a bucket public and another is S3 bucket shared externally and this is triggered when a bucket policy or ACL allows an AWS account other than those within the Macy organization access to this bucket.

So these are all policy changes which Macy decides reduce the security of a bucket or objects in that bucket and so trigger policy findings.

So these are called policy findings and there are more of these and I've included a link attached to this lesson which details all of them and that's really worth a look through just to become familiar with all of the different things that Macy can identify.

Now examples of sensitive data findings include these and it's worth pointing out that there are many more of them.

Again I've included a comprehensive list which is attached to this lesson but for now let's just focus on these important examples.

First we have S3 object credentials and this matches any exposed SSH keys or AWS access keys that Macy can locate.

We've also got S3 object custom identifier and this matches anything defined within custom data identifiers.

We have S3 object financial which matches credit card numbers or bank account numbers and much more.

We have S3 object multiple which occurs when more than one thing is identified.

We have S3 object personal which covers personally identifiable information such as full names, mailing addresses, personal health information such as health insurance or medical identification numbers or combinations of those.

Now this isn't an exhaustive list.

Again I've included a link attached to this lesson which gives you a full overview.

And that at a high level is Macy.

It's a useful tool which you'll need to understand for the exam.

If you see any questions regarding the classification of data within S3 so identifying data, discovering data or reacting to sensitive data automatically then Macy is probably the product to use.

Now that's everything I wanted to cover within this theory lesson.

If you're doing any of my courses where practical knowledge of Macy is required then there's going to be a demo lesson immediately following this one.

If not then this theory is all that you'll need.

So at this point this is the end of the lesson.

Thanks for watching.

Go ahead and complete this video and when you're ready I'll look forward to you joining me in the next.

Welcome back and in this lesson I want to talk about AWS config.

Now let's just jump in and get started because we've got a lot to cover.

AWS config is an interesting service because people often misunderstand what it does.

This is especially important within exam situations where you don't have the benefit of Google and have to make architectural decisions quickly.

Now AWS config has two main jobs.

Its primary function is to record changes over time on resources within an AWS account.

Once enabled, the configuration of every resource in the account is monitored.

Every time a resource's configuration changes, a configuration item is created which stores the configuration of that resource at a specific point in time.

The information which is stored is the configuration of the resource, the relationship to other resources and who makes any changes.

So for example, if you had a security group attached to an instance and you added a rule to that security group, then it would track the pre-change state, the post-change state, the fact that you changed it and the fact that it was attached to that EC2 instance.

Now this makes AWS config great for auditing changes and for checking if resources are compliant with standards defined by your organization.

The most important thing to understand about AWS config is that it doesn't prevent changes happening.

It's not a permissions product or a protection product.

Even if you define standards for resources, it can check compliance against those standards but it doesn't prevent you from breaching those standards and creating non-compliant resources.

An example of compliance might be a certain set of allowed ports within security groups.

You can add additional ports exposing an instance to a certain amount of risk.

Now AWS config won't stop you but that non-compliance, that additional port will be identified.

Now config is a regional service so when enabled it monitors changes within a particular AWS region in a particular AWS account but it can be configured for cross-region and cross-account aggregation.

It can also generate notifications via SNS and it can generate events via EventBridge and Lambda when resources change in terms of their compliance state so while AWS config won't prevent you changing something it can be used for automatic remediation.

Now the product stores all of the configuration data and changes in a consistent format within the S3 config bucket and the product allows you to access that data so all of the configuration history of all of the resources and you can interact with them directly from that bucket or using the AWS config APIs.

Now there are two sides to AWS config, the features which are standard and the parts of the product which are optional.

Now the standard part is on the left and the optional part is on the right.

So starting on the left we have some account resources and we have AWS config.

To use the product we have to enable it and this enables the recorder functionality and this takes config information of all the resources and stores them in an S3 bucket, the config bucket and this is all part of the standard functionality provided by the product.

Now you could just enable all of this functionality and leave this as it is.

This would allow you to record and review all changes to resources over time.

Every time a change happens a configuration item would be generated and all of these for all resources would be stored in a standard format in the config bucket.

But we can do a lot more with the product and this is where the real power of AWS config comes from because we can use config rules.

Now config rules are either AWS managed ones or you can define your own which uses Lambda.

What happens is that these rules evaluate resources against a defined standard.

Resources based on these rules are either compliant or non-compliant based on if they meet criteria specified within the config rule.

Now custom rules use Lambda to evaluate if resources match criteria.

The Lambda function does the evaluation using whatever things that you can code and then returns information back to AWS config.

AWS config can then notify or work with other products for automatic remediation.

For example, it can use SNS to send either a stream of changes or compliance notifications and these will either go to human operators or other applications to deal with.

In addition though you can integrate AWS config with EventBridge.

So for any changes in the state of config rules whenever anything becomes compliant or non-compliant this event can be sent to EventBridge and then EventBridge can be used to invoke Lambda functions to perform automatic remediation of any changes.

So to fix the problems automatically.

Now this isn't strictly part of AWS config.

You're essentially using EventBridge to send any events from AWS config to targets to perform this automatic remediation.

You can also fix these type of config changes using SSM.

So AWS config can integrate with systems manager and apply fixes to remediate any issues.

But Lambda can be more flexible for account level things whereas SSM can be effective for anything relating to the configuration of instances.

Now that's all of the theory that I wanted to cover in this lesson.

Go ahead and complete this lesson and then when you're ready I look forward to you joining me in the next lesson.

The distribution of light intensity due to superposition of the waves from the two coherent source of light has a constant phase relation between them and hence phenomenon in which equi-spaced bright and dark bands is produced. This phenomenon is called interference.

Welcome back and in this lesson I want to talk about CloudHSM.

Now this is a product which is similar to KMS in terms of the functionality which it provides, in that it's an appliance which creates, manages and secures cryptographic material or keys.

Now there are a few key differences and you need to know these differences because it will help you decide on when to use KMS and when to use CloudHSM.

And you might face an exam question where you need to select between these two.

So let's jump in and get started.

Now I promised you at the start of the course I wouldn't use facts and figures in lessons unless absolutely required.

You shouldn't have to remember lots of different facts and figures unless they influence the architecture.

Now this unfortunately is going to be one of the lessons where I do have to introduce some keywords that you simply need to remember.

Because in this lesson the detail, the difference between CloudHSM and KMS really matters.

Now let's start by quickly talking about KMS.

KMS is the key management service within AWS.

So it's used essentially for encryption within AWS and it integrates with other AWS products.

So it can generate keys, it can manage keys, other AWS services integrate with it for their encryption.

But it has one security concern, at least if you operate in a really demanding security environment.

And that's that it's a shared service.

While your part of KMS is isolated, under the covers you're using a service which other accounts within AWS also use.

What's more, while the permissions within AWS are strict, AWS do have a certain level of access to the KMS product.

They manage the hardware and the software of the systems which provide the KMS product to you as a customer.

Now behind the scenes KMS uses what's called a HSM which stands for Hardware Security Module.

And these are actually industry standard pieces of hardware which are designed to manage keys and perform cryptographic operations.

Now you can actually run your own HSM on-premise.

Cloud HSM is essentially a true single tenant HSM that's hosted within the AWS cloud.

So if you hear the term HSM mentioned, it could refer to both Cloud HSM which is hosted by AWS or an on-premise HSM device.

Now specifically focusing on Cloud HSM, AWS provision it and they're responsible for hardware maintenance.

But they have no access to the part of the unit where the keys are stored and managed.

It's actually a physically tamper resistant piece of hardware.

So it's not something that they can gain access to.

Generally if you as the customer lose access to a HSM, that's it, game over.

You can reprovision them but there's no easy way to recover data.

Now there's actually a well-known standard for these cryptographic modules.

It's called the Federal Information Processing Standard Publication 140-2.

You can easily determine the capability of any HSM modules based on their compliance with this standard.

And I've included a link in the lesson description with additional information.

But Cloud HSM is FIPS 140-2 Level 3 compliant and it's the Level 3 which really matters in the context of this lesson.

KMS in comparison is overall 140-2 Level 2 compliant and some of the areas of the KMS product are also compliant with Level 3.

Now this matters.

This is really important.

If you see an exam question or if you're in a real world production situation which requires 140-2 Level 3 overall, then you have to use Cloud HSM or your own on-premises HSM device.

And that's a fact that you really need to remember for the exam.

Another important distinction between KMS and Cloud HSM is how you access the product.

With KMS, all operations are performed with AWS standard APIs and all permissions are also controlled with IAM permissions.

Now Cloud HSM isn't so integrated with AWS and this is by design.

With Cloud HSM, you access it with industry standard APIs.

Now examples of this are PKCS 11, the JCE extensions or the CryptoNG extensions.

And I've highlighted the keywords that you should try to build up an association with Cloud HSM.

So if you see any of these keywords listed in the exam or in production situations, then you know you need a HSM appliance, either on-premise or Cloud HSM hosted by AWS.

Now it used to be that there was no real overlap between Cloud HSM and KMS.

They were completely different.

But more recently, you can use a feature of KMS called a custom key store.

And this custom key store can actually use Cloud HSM to provide this functionality, which means that you get many of the benefits with Cloud HSM together with the integration with AWS.

So when you're facing any exam questions, you still should be able to look for these keywords to distinguish between situations when you use KMS versus Cloud HSM.

Now just to summarize before we move on from this screen, I want you to focus on doing your best to remember all of the three key points that are highlighted with the exam power-up icon.

If you can remember those, then you should be in a really good position to determine whether to use KMS or Cloud HSM within exam questions.

Now I want to look at the architecture of Cloud HSM as a product, and I think it's best that we do that visually.

Now architecturally, Cloud HSMs are not actually deployed inside a VPC that you control.

They're deployed into an AWS managed Cloud HSM VPC that you have no visibility of.

So architecturally, this is how that looks.

So on the left, we've got a customer managed VPC.

On the right, we've got the Cloud HSM VPC that's managed by AWS.

We're using two availability zones, and inside the customer managed VPC, we've gone ahead and created two private subnets, one in availability zone A and one in availability zone B.

Now inside the Cloud HSM VPC, to achieve high availability, you need to deploy multiple HSMs and configure them as a cluster.

So a HSM by default is not a highly available device.

It's a physical network device that runs within one availability zone.

So in order to provide a fully highly available system, we need to create a cluster and have at least two HSMs in that cluster, one of them in every availability zone that you use within a VPC.

Now once HSM devices are configured to be in a cluster, then they replicate any keys, any policies, or any other important configuration between all of the HSM devices in that cluster.

So that's managed by default, by the appliances themselves.

That's not something that you need to configure.

So the HSMs operate from this AWS managed VPC, but they're injected into your customer managed VPC via elastic network interfaces.

So you get one elastic network interface for every HSM that's inside the cluster injected into your VPC.

Once these interfaces have been injected into your customer managed VPC, then any services which are also inside that VPC can utilize the HSM cluster by using these interfaces.

And if you want to achieve true high availability, then logically instances will need to be configured to low balance across all of the different interfaces.

Now also in order to utilize the cloud HSM devices, then a client needs to be installed on the EC2 instances, which are going to be configured to access the cloud HSM.

So this is a background process known as the cloud HSM client.

And this needs to be installed on the EC2 instance in order for it to access the HSM appliances.

And then once the cloud HSM client is installed, then you can utilize industry standard API's such as PK, CS11, JCE and crypto NG to access the HSM cluster.

Now a really important thing to understand about cloud HSM, because this is a distinguishing factor between it and KMS, is that while AWS do provision the HSM, they're actually partitioned and they're tamper resistant.

So AWS have no access to the area of the HSM appliances which store the keys.

Only you can control these.

You manage them, you're responsible for them.

Now AWS can perform things like software updates and other maintenance tasks, but these don't take place on the area of the HSM which is used to perform cryptographic operations.

Only you as an administrator or anyone that you delegate that to has the ability to interact with the secure area of the HSM devices.

Now before we finish this lesson, there are a few more things that I want to cover.

So these are points that I think you should be aware of.

So some of these are use cases, some of these are limitations that will help you select between using cloud HSM and using something like KMS.

So first, by default there's no native integration between cloud HSM and any AWS products.

So one example of this is that you can't use cloud HSM in conjunction with S3 server-side encryption.

That's not a capability that it has.

Cloud HSM is not accessed using AWS standard APIs at least by default and so you can't integrate it directly with any AWS services.

Now you could, for example, use cloud HSM to perform client-side encryption.

So if you've got an encryption library on a particular local machine and you want to encrypt objects before you upload them to S3, then you can use it to perform that encryption on the object before you upload it to the S3 service.

But this is not integrated with S3.

You're just using it to perform encryption on the objects before you provide them to S3.

Now a cloud HSM can also be used to offload SSL or TLS processing from web servers.

And if you do that, then the web servers can benefit from A, not having to perform those cryptographic operations, but also the cloud HSM is a custom designed piece of hardware that accelerates those processes.

So it's much more economical and efficient to have a cloud HSM device performing those cryptographic operations versus doing it on a general purpose EC2 instance.

So that's something that a cloud HSM can do for you, but KMS natively cannot.

Now other products that you might use inside AWS can also benefit from cloud HSM, products which are able to interact using these industry standard APIs.

And this includes products like Oracle databases.

So they can utilize cloud HSM for performing transparent data encryption or TDE.

So this is a method that Oracle has for encrypting data that it manages on your behalf.

And it can utilize a cloud HSM device to perform the encryption operations and to manage the keys.

Now this does mean that because a cloud HSM device is something that's entirely managed by you, you're the only entity that initially starts off with access to be able to interact with the encryption materials.

So the keys, it means that if you use a cloud HSM and integrate it with an Oracle database, then you're doing so in a way which means that AWS have no ability to decrypt that data.

And so if you're operating in a highly restricted regulatory environment where you really need to use strong encryption and verify exactly who has the ability to perform encryption operations, then generally cloud HSM is an ideal product to support that.

And then lastly in a similar way, cloud HSM can also be used to protect the private keys for a certificate authority.

So if you're running your own certificate authority, you can utilize cloud HSM to manage the private keys for that certificate authority.

Now just to summarize at this point, the overall theme is that for anything which isn't specific to AWS, for anything which expects to have access to a hardware security module using industry standard APIs, then the ideal product for that is cloud HSM.

For anything that uses standards for anything that has to integrate with products which aren't AWS, then cloud HSM is ideal.

For anything which does require AWS integration, then natively cloud HSM isn't suitable.

If FIPS 140-2 Level 3 is mentioned, then it's cloud HSM.

If integration with AWS is mentioned, then it's probably going to be KMS.

If you need to utilize industry standard encryption APIs, then it's likely to be cloud HSM.

Now that's everything that we need to cover.

I just wanted you to be able to handle any curveball HSM style questions that you might encounter in the exam.

So thanks for watching, go ahead and complete this video and then when you're ready, I'll look forward to you joining me in the next one.

Ah, this is why you might not see so much biomass with CCS. If the capacity factor is low, then it's hard to justify the cost of the CCS kit.

Welcome back and in this lesson I want to talk about AWS Shield, which is an essential tool to protect any internet connected environment from distributed denial of service attacks.

Now it's important for the exam, but especially so for the real world.

So let's jump in and get started.

So AWS Shield actually comes in two forms, Shield Standard and Shield Advanced.

Both of them provide protection against DDoS attacks, but there's a huge difference in their respective capabilities.

First, Shield Standard is free for AWS customers, whereas Shield Advanced is a commercial extra product, which comes with additional costs and benefits, which I'll detail later in this lesson.

The product protects against three different types or layers of DDoS attack.

Now I've covered these in the DDoS lesson in the technical fundamental section of the course, but as a reminder, these categories are Network Volumetric Attacks, so these are things which operate at layer three of the OSI 7 layer model, and these are designed to simply overwhelm the system being attacked, so to direct as much raw network data at a target as possible.

Next, we have Network Protocol Attacks, such as SYNFLUDS, and these operate at layer four of the OSI model.

Now there are various types of protocol attack, but one common one is to generate a huge number of connections from a spoofed IP address and then just leave these connections open, so never terminating them, and while the CPU memory and data resources of the target will be fine, its ability to service real connections will be impacted by the huge volume of fake ones.

To understand this, imagine a call centre where people call up and just leave the phone line silent.

The operators won't be doing anything, but there won't be capacity for new calls to be answered.

Now Network Protocol Attacks can also be combined with volumetric attacks, but by default, you should view these as two different things.

Lastly, we have Application Layer Attacks, which operate at layer seven, for example, Web Request Floods.

Imagine you have a part of your web app which allows searchers.

Think of something like this which lets you search for every cat image in the world ever.

From the perspective of the attacker, this uses almost no resources to run.

It can be done hundreds, thousands or millions of times per second.

But from the perspective of the system being attacked, this might take two to three seconds to return data, maybe even more.

And so it's possible to de-doss a system by using the application as intended, where certain parts of the application are cheap to request, but expensive to deliver the result.

So those are the types of things which SHIELD protects against.

Now I want to spend a little time delving deeper into the capabilities of SHIELD Standard and Advanced, together with the differences.

And I want to focus on when you might pick one versus the other.

So let's start with SHIELD Standard.

SHIELD Standard, as I mentioned earlier, is free for all AWS customers, so you benefit from its protection automatically without you having to do anything.

The protection is at the perimeter of the network, which can either be in your region, meaning as data flows into a VPC, or it can be at the edge of the AWS network if you use CloudFront or Global Accelerator.

SHIELD Standard protects against common network or transport layer attacks.

So that's attacks at layer three or four of the OSI seven layer model.

Now you get the best protection if you use Route 53, CloudFront or Global Accelerator.

Now SHIELD Standard doesn't provide much in the way of proactive capability or any form of explicit configurable protection.

It's just there working away in the background.

Now that's the foundation, the baseline of the product.

Now let's look at what extra things SHIELD Advanced offers.

So SHIELD Advanced, as a starting point, is a commercial product.

In fact, it costs $3,000 per month per organization.

Now this is important, it's not per AWS account.

If you have multiple accounts where you're wanting the advanced level of protection that SHIELD Advanced offers, then just make sure they're in the same AWS organization and you can share the one single investment.

Now the cost while it is per month is part of a one year commitment.

So at 3K per month, this means $36,000 per calendar year.

And there's also a charge for data out for using the product.

Now SHIELD Advanced protects more than standard.

It covers CloudFront, Route 53, Global Accelerator, anything associated with elastic IPs, for example EC2.

It also covers application, classic and network load balances.

It's a comprehensive set of DDoS protections for your network perimeter.

Now what's really important to understand as a concept is that the protections offered by SHIELD Advanced are not automatic.

You need to explicitly enable protections, either in SHIELD Advanced or as part of AWS Firewall Manager when using SHIELD Advanced policies.

It's an explicit act, remember that.

You might find a question on the exam where you need to answer whether these protections require explicit configuration or they happen in the background.

Now SHIELD Advanced offers two other really important benefits and it's important to understand that these are not technical functionality differences, but they're important nonetheless.

First you get cost protection.

And this means that if you as a customer incur any costs for any attacks which should be mitigated by AWS SHIELD Advanced, but aren't, then you're protected against those costs.

And an example of this might be EC2 scaling events caused by excessive load.

Now there are restrictions, it needs to be something SHIELD Advanced should cover and you should have enabled the coverage on that resource.

Now I've included a link attached to this video which covers this particular feature in much more detail.

You don't need to understand the detail for the exam, but for the real world it's good knowledge to have.

Now the other benefit is a proactive style of management as well as access to the AWS SHIELD Response Team known as SRT.

With proactive management, the SHIELD Response Team contacts you directly when the availability or performance of your application is affected because of a possible attack.

And this provides the quickest level of response.

It allows the SHIELD Response Team to begin troubleshooting even before they've established contact with you, the customer.

Now to use this you need to provide your contact details in advance and enable the feature.

And when you do, the SHIELD Response Team will contact you when any attacks are detected.

You can also contact the SHIELD Response Team to log support tickets.

And the SLA for this depends on your support plan.

It might be one hour or 15 minutes.

These are all things that you need to think about and decide upon up front.

Now let's step through some of the technical ways in which SHIELD Advanced helps us.

The first unique feature of SHIELD Advanced is the integration with the web application firewall.

SHIELD Advanced uses the web application firewall to implement its protection against layer 7 attacks.

And if you have a SHIELD Advanced subscription, this includes basic WAF fees to implement these protections.

This is one of the differences in feature benefits which SHIELD Advanced provides over SHIELD Standard.

And so it's an important one to keep in mind.

Another benefit that SHIELD Advanced provides is advanced real-time metrics and reports for DDoS events and attacks.

And these can be accessed via the SHIELD Advanced Console or APIs and via CloudWatch.

Now, if you have a business need for SHIELD Advanced, if you can justify the cost, you're also going to have a need for this enhanced level of visibility.

So this is another one to keep in mind.

You also have health-based detection and this is using Route 53 health checks to implement application-specific health checks.

Now, this allows you to reduce any false positives detected by AWS SHIELD.

And it's used alone or in combination with the proactive engagement team to provide faster detection and mitigation of any issues.

Health-based detection is actually a requirement for using the proactive engagement team.

Again, another important thing to remember.

Now, lastly, you also have protection groups and you can use protection groups to create groupings of resources which SHIELD Advanced protects.

You can define the criteria for membership in a protection group so any new resources are automatically included.

And with these groups, you gain the ability to manage protection at a group level versus a resource level which can significantly decrease the admin overhead of using the product.

Now, at this point, that's everything I wanted to cover about AWS SHIELD at a high level.

If the topic that you're studying requires any additional detail, there will be additional deep dive lessons.

If not, don't worry, this is everything that you need to know.

But at this point, that's the end of this video.

So go ahead and complete the video and when you're ready, I'll look forward to you joining me in the next.

Welcome back and in this video I want to talk about the web application firewall known as WAF.

Now this is a key part of the AWS network and network security product set so let's jump in and get started.

Now WAF is AWS's implementation of a layer 7 or application layer firewall which we talked about in a previous video.

That means a firewall which is capable of understanding layer 7 protocols such as HTTP and HTTPS.

Now before I talk in detail about the features of the product I want to visually step through how a WAF architecture might look.

Now the example I'll be using is relatively complex.

They can range from fairly simple through to this type of example which is relatively complex involving event-driven security response.

So we start with an AWS environment and we decide to use a web application firewall which protects web resources which supports WAF and these include CloudFront, application load balancers, AppSync and API Gateway.

Now WAF is the product but the actual unit of configuration within the product is known as the web access control list known as web ACL and it's this which is used by WAF and also associated with the various supported services.

So you would associate a web ACL with a CloudFront distribution and this would result in the CloudFront distribution being protected by WAF.

So WAF can protect global services such as CloudFront but also regional resources such as application load balancers, API gateways and AppSync and you need to configure this when you create the web ACL essentially creating it in a region rather than globally as is the case for CloudFront.

Now within a web ACL you have rule groups and rules and I'll be talking more about how this is architected later in this video.

At a high level this might be things like AWS managed rules or simple allow or deny lists.

It might cover things like SQL injections or cross-site scripting attacks, HTTP floods or might relate to things like IP reputation and even protect against known botnets.

It's these rule groups and rules which control how the WAF product reacts to incoming traffic allowing connections from valid users while hopefully blocking those from bots and other attackers against your web resources.

Now this alone would be a super useful product which offers significant security benefits but when we combine this with other AWS products and architectures it can be even more useful.

You can obviously update the web ACLs manually based on human identified security events or risks but you could also do simple automated things such as using event bridge and scheduled rules to pass various publicly maintained IP lists to block known bad actors.

Now WAF does output logs and logging can be directed at S3 directly at cloud watch logs or kinesis firehose.

Now importantly if you want to react to logs quickly you shouldn't directly use S3 as these are delivered directly approximately every five minutes.

Firehose can be configured to put the logging data into any of its supported destinations including S3 and then all of these destinations can be integrated with an event driven security response architecture so using a combination of products such as S3 events, Lambda, Athena and EventBridge you can extract and identify intelligence to act on and then use this intelligence to update web ACLs to improve the security of the platform in a way which doesn't require humans.

So this type of architecture is based on taking basic WAF and creating a feedback loop to take data, identify actionable intelligence and then automate changes based on that intelligence.

And now that you have a visual idea about how a WAF implementation might look let's look at the raw features and how everything fits together.

I mentioned earlier in this video that the web access control list or web ACL is the main unit of configuration within WAF.

A web ACL is what controls if traffic is allowed or blocked.

The starting point of a web ACL is a default action which will either allow or block any traffic which isn't matched by the ACL.

Which one of these you pick depends on if you're using WAF to explicitly protect against certain exploits or if you want to only allow known good traffic through to your web resources.

Additionally a web ACL is created for either cloud front which is a global service or a regional service such as an application load balancer, API gateway or AppSync.

If you create a web ACL designed for a regional service then you have to define a region for the web ACL which matches the region that your services are located in.

Now web ACLs on their own don't do anything you have to add rule groups or rules and these are processed in order.

This order can be changed so you can move rules and rule groups around.

Now I'm going to talk about rule groups and rules in a second but conceptually rules have a certain compute requirement based on their complexity.

Web access control lists have a limit of how much compute requirements rules contained within them can use.

An AWS have a concept called web ACL capacity units or WCU and this is not to be confused with DynamoDB WCU which is right capacity units.

Web ACL capacity units are an indication at the complexity of rules and a web ACL has a default maximum of 1500 WCU that can be increased with a support ticket.

Web ACLs are the things which are associated with resources so you associate a web ACL for example with a cloudfront distribution and this association can take some time it depends on the service.

Cloudfront for example needs to update the distribution and then push this out to edge locations so this can take a fair bit of time.

Adjusting a web ACL which is already associated to resources is quicker so keep that in mind.

Now this is web ACLs at a high level these are the things which contain rules or rule groups and the things which are associated with resources.

Importantly the relationship is currently that a resource can have one web ACL but one web ACL can be associated with many resources.

Now also because of the global nature of cloudfront you can't associate a cloudfront web ACL with a regional resource or vice versa and web ACLs can currently not be used with AWS outposts.

Okay let's move on and talk about rule groups.

Rule groups as the name suggests are groups of rules they contain rules.

They're used by web ACLs they're a feature which allows grouped admin of rules.

They don't themselves have any default actions they're added to web ACLs and the web ACLs have the default action for anything not matched by rules either within groups or added directly to that web ACL.

Now rule groups are either managed by AWS or a marketplace vendor, yours so managed by you or service owned for example SHIELD or firewall manager owned groups.

AWS managed rule groups are mostly available for free for AWS WAF customers.

The AWS WAF bot control and fraud control account takeover protection rule groups do have additional fees and I'll be talking about this later in the video where I talk about pricing.

Now any rule groups obtained via the marketplace also generally have a subscription attached to them so you need to keep this in mind.

Rule groups can be reused within many web ACLs.

They're a separate entity and a web ACL can reference one or more rule groups.

When you create a rule group you define upfront the WCU capacity and the default maximum is the same 1500 WCU.

This indicates the amount of resources the rule group uses with its rules and it helps inform anyone using the rule group when they're building a web ACL.

So now that we've talked about rule groups which are essentially an admin or contain a concept and rule groups can be referenced from web ACLs let's talk in more detail about the rules themselves.

Now within WAF rules have a simple enough structure.

We've got type, statement and action.

The type of rule determines at a high level how it works.

The statement consists of one or more things which match traffic or not and the action is what WAF does if a match occurs.

Now rules are one of two types.

We've got regular and rate based.

Regular rules are designed to match if something occurs.

Rate based are designed to match if something occurs at a certain rate.

An example of this might be that you might have a rule to allow SSH connections from a certain IP address and this is an example of a regular rule but you might want another rule which allows you to do something if anyone attempted to connect via SSH save 5,000 times in a five-minute period because this would suggest a brute force attack.

So you need to understand the differences between regular and rate based rules.

Then you have the statement of a rule and this is the main part of a rule.

It defines what the rule checks for.

For regular rules think of this as a what.

What does the rule match against?

Examples might be incoming TCP port 80 or incoming SSH or it might be requests which have a certain HTTP header.

For rate based rules it's slightly different.

You're either going to be applying a rate limit on the number of connections for a source IP address or you're going to be applying a rate limit to connections which come from an IP address which also match certain criteria.

So for example you might want a rule to apply if a client makes 5,000 connections over a five-minute period or you might only want this to apply if 5,000 connections to SSH are made within a five-minute period.

Now in terms of criteria you can match against things like origin country, IP address, label and I'll talk more about this in a second.

Headers, cookies, query parameters, your IPath, query string, the body of a request or the HTTP method.

Now for the body it's important to understand that WAF is only checking the first 8,192 bytes.

Again remember this one for the exam.

Now depending on the criteria that you select from this list you can then choose how to match.

Examples include exact matches, starts with, ends with, contains and much more.

You can even match using regular expressions.

Now you can also have more than one statement.

Rules can have a single statement but also multiple and if you do have multiple you can choose whether to use and/or not conditions so you can define a pretty complex set of evaluation conditions.

Now next we have the rule action and for regular rules these can allow block count or run a capture.

For rate-based rules you can block count or run a capture.

Allow and block obviously affect whether traffic is allowed.

Count just counts the number of requests and records that data and capture runs a capture on the request so if a valid response is received it treats it as a count records it and continues processing and if the capture fails it's blocked and processing stops.

Now it makes sense that allow is not valid for rate-based rules since conceptually you want to do something if a rate is above a certain value and it doesn't make sense that that something is allow.

So remember with rate-based rules you're essentially wanting to perform an action if a rate is above a certain level.

So remember with rate-based rules you only have block count and capture you don't have allow.

Now you can also add custom responses as an optional extra.

If your action is block then this can be a custom response or a custom header.

For allows counts and capture this can be a custom header only.

This custom header means your application itself can react to traffic which has been matched and custom headers are prefixed with x-amzn-waf- and the header is used so that your application can react in some way to traffic which has been affected by a rule.

Now optionally labels can also be added.

Labels are internal to WAF but what it allows is multi-stage flows where one rule can add a label and whether another rule runs can be based on the label being present or not.

Labels as I just mentioned are internal to WAF only and they can be referenced from other rules within a single web ACL.

They don't persist outside of that.

Now importantly using labels relies on WAF not stopping processing and this is an important thing to understand with allow and block actions if a rule matches no further action occurs.

Processing for that bit of traffic on that web ACL is stopped.

For count and capture actions processing continues and this is where you typically use labels in follow-up rules which react in different ways based on that label being present.

Now let's finish up by talking about pricing.

With WAF you're charged a monthly price for every web ACL.

Now currently this is $5 per month and I've put an asterisk next to this because this is subject to change so don't be surprised if this specific value is different when you're watching this lesson.

Now also remember that web ACLs can be reused across different supported products and this is a monthly price per web ACL.

There's also a charge per rule on a web ACL and this is a monthly charge currently $1 per month but again this is subject to change and also you're going to be charged another monthly fee for every rule group or managed rule group that you add to your web ACL.

You've also got a charge for every request processed by a web ACL.

Now again currently this is $0.6 per month for every 1 million requests.

Now this charge is per web ACL so although you're only charged the single fee per web ACL and this can be reused across different products logically the more products that you use a web ACL on the higher the number of requests so this particular part of the pricing architecture will increase the more usage a web ACL has.

Now if you need to understand this in detail I do suggest using the AWS pricing calculator and I've linked this attached to this video.

This makes it really easy to just enter some values and see the true breakdown of using the WAF product.

Now in addition to these costs there are also optional security features which can be enabled on your web ACL and these are in the area of intelligent threat mitigation and these come with additional fees.

So first we have bot control and this comes with a monthly fee as well as a request based fee so this is a charge for every 1 million requests and again these are both subject to change they're accurate at the moment but don't be surprised if these prices are different when you're watching this video.

Next we have captures and there's a price per 1000 challenge attempts and again this is subject to change.

Next the fraud control and account takeover has a monthly charge and then a charge for every 1000 login attempts analyzed and lastly of course any marketplace rule groups that you choose to utilize will come with extra costs and these are all things that you need to keep in mind.

So that's the architecture and feature overview of the WAF product.

Now elsewhere in the course if appropriate there's going to be a demo where you can get experience of working with WAF in a practical sense.

If you don't need practical knowledge for the particular thing that you're studying then this is all the information that you require.

At this point though that's all of the theory that I want to discuss so go ahead and complete the video and when you're ready I look forward to you joining me in the next.

Welcome back and in this video I want to talk in general about application layer firewalls also known as layer 7 firewalls named after the layer of the OSI model that they operate at.

Now I want to keep this video pretty generic and talk about how AWS implement this within their product set in a separate video.

So let's just jump in and get started.

Now before I talk about the high level architecture and features of layer 7 firewalls, let's quickly refresh our knowledge of layer 3, 4 and 5.

So we start with a layer 3 and 4 firewall which is helping to secure the Categorum application.

Now this is accessed by millions of people globally because it's that amazing.

Now because this is layer 3 and 4, the firewall sees packets and segments, IP addresses and ports.

It sees two flows of communications, requests from the laptop to the server and then responses from the server back to the laptop.

Because this firewall is limited to layer 3 and 4 only, these are viewed as separate and unrelated.

You need to think of these as different streams of data, request and response, even though they're part of the same communication from a human perspective.

Now if we enhance the firewall, this time adding session capability, then the same communication between the laptop and server can be viewed as one.

The firewall understands that the request and the response are part of the same session and this small difference both reduces the admin overhead, so one rule instead of two, but this also lets you implement more contextual security where you can think of response traffic in the context that it's response to an original request and treat that differently than traffic in the same direction which is not a response.

Now this next point is really important.

In both cases, these firewalls don't understand anything above the layer at which they operate.

The top firewall operates layer 3 and 4, so it understands layers 1, 2, 3 and 4.

The bottom firewall does this plus layer 5.

Now what this means is that both of them can see IP addresses, ports, flags and the bottom one can do all of this and additionally it can understand sessions.

Neither of them though can understand the data which flows over the top of this.

They have no visibility into layer 7, for example, HTTP.

So they can't see headers or any of the other data that's been transferred over HTTP.

To them, the layer 7 stuff is opaque.

A cat image is the same as a dog image is the same as some malware and this is a significant limitation and it exposes the things that we're protecting to a wide range of attacks.

Now layer 7 firewalls fix many of these limitations so let's take a look at how.

Let's consider the same architecture where we have a client on the left and then a server or application on the right that we're trying to protect.

In the middle we have a layer 7 firewall and so that you'll remember it's a layer 7 firewall.

Let's add a robot, a smart robot.

With this firewall we still have the same flow of packets and segments and a layer 7 firewall can understand all of the lower layers but it adds additional capabilities.

Let's consider this example where the Categor application is connected using a HTTPS connection.

So encrypted HTTP and HTTP is the layer 7 protocol.

The first important thing to realize is that layer 7 firewalls understand various layer 7 protocols and the example we're stepping through is HTTP so they understand how that protocol transfers data, its architecture, headers, data, hosts, all of the things which happen at layer 7 or below.

It also means that it can identify normal or abnormal elements of a layer 7 connection which means it can protect against various protocol specific attacks or weaknesses.

In this example so a HTTPS connection to the Categor server the HTTPS connection would be terminated on the layer 7 firewall so while the client thinks that it's connecting to the server the HTTPS tunnel would be stripped away leaving just HTTP which it could analyze as it transits through the firewall.

So a new HTTPS connection would be created between the layer 7 firewall and the back end server so from the server and client perspective this process is occurring transparently.

The crucial part of this is that between the original HTTPS connection and the new HTTPS connection the layer 7 firewall sees an unencrypted HTTP connection so this is plain text and because the firewall understands the layer 7 protocol it can see and understand everything about this protocol stream.

Data at layer 7 can be inspected, blocked, replaced or tagged and this might be protecting against adult content, spam, off topic content or even malware.

So in this example you might be looking to protect the integrity of the Categor application.

You'll logically allow cat pictures but might be less okay with doggoes.

You might draw a line and not allow other animals sheep for example might be considered spam.

Maybe you're pretty open and inclusive and only block truly dangerous content such as malware and other exploits.

Because you can see and understand one or more application protocols you can be very granular in how you allow or block content.

You can even replace content so if adult images flow through these can be replaced with a nice kitten picture or other baby animals.

You can even block specific applications such as Facebook and even block the flow of business data leaving the organization onto services such as Dropbox.

The key thing to understand is that a layer 7 firewall keeps all of the layer 3, 4 and 5 features but can react to layer 7 elements.

This includes things like DNS names which are used, the rate of flow so how many connections per second, you can even react to content or headers.

Whatever elements are contained in that specific layer 7 protocol which the firewall understands.

Now some layer 7 firewalls only understand HTTP, some understand SMTP which is the protocol used for email delivery.

The limit is only based on what the firewall software supports.

Now that's everything that I wanted to cover at a high level.

Coming up in future videos I'm going to be covering how AWS implements layer 7 firewall capability into its product set.

For now though this high level understanding is what I wanted to help with in this video.

So go ahead and complete the video.

Thanks for watching and when you're ready I'll look forward to you joining me in the next.

Welcome back.

In this lesson, I want to introduce the AWS Secrets Manager.

It's often one that gets confused with the SSM Parameter Store.

Inside the Parameter Store, you can create secure strings which allow you to store passwords.

So logically, it's confusing.

So when should you use the Parameter Store versus the Secrets Manager?

So let's take a look at that and make sure that you're 100 percent comfortable with selecting between both of these products for the exam.

So for Secrets Manager, the functionality that the product provides and the way that it's architected, they're both pretty easy to understand.

For the exam though, the main thing to lock in is when you should use Secrets Manager versus Parameter Store.

So let's get that out of the way.

It shares functionality with Parameter Store.

So that's the starting point.

Don't worry too much if for certain scenarios, you can't really pick between them because for certain things you can use either and achieve the same result.

Secrets Manager though, as the name suggests, is designed specifically for secrets.

So this means things like passwords and API keys.

So in the exam, if you see those keywords, so API keys or passwords, then you should default to Secrets Manager.

Secrets Manager is usable from the console, the CLI, the API, and software development kits.

It's actually designed architecturally to be integrated inside other applications.

So that's one of the most common use cases that Secrets Manager is integrated with other applications.

Another key differentiator of Secrets Manager is that it actually supports the automatic rotation of secrets.

This uses Lambda.

Essentially, a Lambda function is invoked periodically and it's used to update the secrets.

And for certain AWS products such as RDS, Secrets Manager supports direct integration.

So as well as being able to periodically change a secret that's stored inside Secrets Manager, the product can also make sure that any authentication built into that product such as RDS is also changed.

So it's kept synchronized with Secrets Manager.

So if Lambda is invoked and changes a secret, so rotates a secret, then the password inside an RDS instance can also be changed.

And that integration is only supported for a certain limited set of products.

And RDS is one of those products.

So in the exam, if you see any mention of rotating secrets and more specifically, rotating secrets with RDS, then it's almost certain that Secrets Manager is the right answer.

So the product at a fundamental level, just like with Parameter Store, lets you store secrets.

But in this case, this product is specifically designed and focuses on the storage and rotation of these secrets.

So the product keeps them safe, they're encrypted at rest.

It integrates with IAM, so you can use IAM permissions to control access to the secrets.

It rotates them and clients can use Secrets Manager to access the secrets and then use these to communicate with say a database in a safe and secure way.

So let's have a look visually at an example architecture that involves Secrets Manager.

I want to use an example of a web application which allows you to share funny images showing happy things.

So you guessed it, we're talking about Categor.

Categor uses the Secrets Manager SDK.

So the SDK is part of the application and it uses this SDK to retrieve database credentials.

So the SDK uses IAM credentials for authorization, generally a role, but it might also use access keys, even though this is less ideal.

These credentials are used to interact with Secrets Manager and retrieve the secrets for the database that the application uses.

So once the application has these secrets, it can use them to securely access the database.

Now, so far all of this functionality could also be provided using the SSM parameter store.

It has the capability to store secure strings and we could use these secure strings which are encrypted to store any database connectivity information.

What sets the Secrets Manager apart is that periodically the Secrets Manager can invoke a Lambda function to rotate credentials.

Now the Lambda function will require permissions to do this and it gets those permissions from an execution role and it will use these permissions both to update the secret that is stored within Secrets Manager, but also if you use supported products such as RDS, then the actual authentication information inside RDS can also be updated and kept in sync with the secrets that are inside the Secret Manager product.

So if you're using a supported integrated product, then everything is managed end to end by Secrets Manager.

It can handle the rotation of credentials, it can handle the update of the products which use those credentials and as long as the application keeps checking in with Secrets Manager, it can always ensure that it has access to the most updated versions of those secrets.

Now it's also worth mentioning that secrets are secured using KMS, so you never risk any leakage via physical access to the AWS hardware and KMS also ensures role separation which means that you need permissions both to KMS and to Secrets Manager in order to access secrets and decrypt them.

With a specific focus on the exam, if you see any questions where you suspect that Secrets Manager might be involved, you need to do keyword analysis.

So you need to determine if the question mentions anything in the area of secrets, you need to check if the question mentions anything to do with rotation and if it mentions either of them or both of them and if it's also mentions a product such as RDS, then you're almost certain to be using Secrets Manager for the correct answer.

So the key differentiating point between Secrets Manager and the parameter store tends to be whether it explicitly mentions secrets, whether it talks about rotation and whether it talks about integration with specific products, specifically RDS.

Now most questions in the exam won't present you with a situation where you have to pick between Secrets Manager and the parameter store.

Generally the question will present a scenario and you will either have parameter store or Secrets Manager as an answer.

It's very rare that you have both.

If you do have both, then you need to be looking for keywords around rotation, integration and the specific mention of secrets.

And if you see any of those, it's likely that Secrets Manager will be the correct answer versus the parameter store.

If you need to store anything but secrets, so hierarchical configuration information, maybe the configuration for the CloudWatch agent, anything of that nature, that tends to be the type of situation where you would use the parameter store.

If it's just Secrets, if it's rotation, if it's product integration, then it's Secrets Manager.

With that being said, that's everything that I wanted to cover in this architectural theory lesson.

Go ahead, complete the video, and then when you're ready, I'll look forward to you joining me in the next.

human knowledge is acquired through everyday experience. Aristotle's views spawned the empiricist school of thought whose basic belief in the power of experience was subsequently championed by Locke, Berkeley, Hume, and Mill.