forked from guifre/notes
-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathaws.txt
384 lines (271 loc) · 18.8 KB
/
aws.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
*AWS services*narrative
Advantages of moving to cloud
Global in minutes (deploy in different locations)
Focus on business differentiations
Economies of scale
Increase speed and agility
Stop guessing capacity
Click and go, no need to ship pc
Concepts
Each region is an independent set of data centres.
**Availability zones**: interconnected data centres within the same region isolated from failures. They are connected with low latency network. You can achieve high availability by deploying the data/components in two availability zones within the same region.
**Hybrid deployment**: mix of cloud and on premises.
**Durability**: Probability that you will recover some persisted data in a given time.
**Availability**: Probability that you will access some data, any time in a given time.
5 Pillars for well architected cloud
Operational Excellence
Security
Reliability
Performance Efficiency
Cost Optimization
4 support plans
Basic
Developer
Business
Enterprise
Accessing AWS
Console
Cli
Sdk
SAML authentication flow
Protocol to federate your users to AWS console. The auth flow is:
The authenticated user in client's site triggers the federate functionality.
The portal generates a SAML authentication response that includes assertions and attributes about the user
The client browser is then redirected to the AWS single sign-on endpoint posting the SAML assertion
The AWS console endpoint validates the SAML assertion and generates a redirect to access the management console (suing STS)
The browser follows the redirect which brings into the AWS console as an authenticated user
Services
**Elastic load balancing**: Distributed load across multiple EC2 instances
**Elastic beanstalk**: easiest way to get a web app running on AWS. Handles lid balancing, resource provisioning.
**Amazon private cloud (VPC)**: allows launching AWS resources in virtual networks. You can define sub networks, gateways and route tables.
**AWS direct connect**: dedicated network from organizations to AWS.
**Amazon route 53**: dns web service. You can register your domain names and resolve.
**Amazon Simple Storage Service (S3)**: data storage, access through http.
**Amazon glacier**: low cost storage for archiving and long term backup.
**Amazon elastic block store (EBS)**: block level volumes for EC2 instances.
**AWS storage gateway**: allows connecting on premises devices with AWS storage solutions.
**Cloud Front**: CDN, delivers dynamic and static and streaming content from a global network of edge locations.
Database services
**Amazon relational database service (RDS)**: secure, high available, production ready, fault tolerant, db. Provides replications and scalability.
**DynamoDB**: NoSQL db for low latency apps at any scale. Supports document and key value models.
**Redshift**: petabyte scale data warehouse, standard sql interface
**Elastic cache**: in memory cache.
**Cloud watch**: monitoring service, collects and tracks metrics
**Cloud formation**: Json templating language to describe AWS resources
**CloudTrail**: records API calls and delivers log files for review and audit.
**AWS config**: provides resource inventory and configuration history.
Security and identity services
**Identity and access management (IAM)**: creation of users and groups and use permissions to allow and deny access to their AWS.
**Key management service (KMS)**: creates and controls encryption keys. Integrates with other services to encrypt data.
**Directory service**: set up and run Microsoft active directory.
**Certificate manager**: provisions, manages and deploys tls certificates.
**Web application firewall**: blocks malicious traffic.
Other services
**API gateway**: Makes it easy to create and deploy APIs.
**Elastic transcoder**: media transcoder in the cloud.
**Simple notification system (SNS)**: producer subscriber system to send messages and consume data.
**Simple email service (SES)**: system to send emails.
**Simple workflow service (SWF)**: system to execute tasks, if one fail it reruns.
**Simple queue service (SQS)**: cost effective queue.
Simple Storage Service (S3)
Common use cases:
Backup and archive
Content and media distribution
Big data analysis
Static website hosting
Disaster recovery
Data reside in buckets
Provides REST API with CRUD (create read update delete) operations
You don't have to worry about storage limits or capacity planning or durability. Efficient for frequently accessed data.
Each bucket can hold unlimited objects of up to 5TB and lives in a single region.
Each object is identified with a key and has metadata associated
Format: **https://${BUCKET_NAME}.s3.amazonaws.com/${OBJECT_KEY}**
Can be used to host static websites with **<bucket-name>.s3-website-<AWS-region>.amazonaws.com** You can use Cloudfront as a CDN to make the website fast globally. You can configure redirects
Only the owner of an Amazon S3 bucket can permanently delete a version.
S3 can achieve at least 3,500 PUT/POST/DELETE and 5,500 GET requests per second per prefix in a bucket (you can use random prefixes to increase the throughput in data-intensive applications).
Max object size: 5TB. Min object size: 0bytes, except for S3 IA that has a min size of 128kb. Default maximum number of buckets per region: 100
You can write objects directly to an edge location to reduce latency to some users.
**Concurrency**: Eventual consistency for updated data and read-after-write for new data Updates are atomic: requesting a file immediately after an update will give you either the old data or the new data (no partially updated or corrupted data).
**Access control**: iam policies, query string auth and s3 bucket policies.
You can use prefixes for object hierarchy aggregation.
**Reduce Redundancy Storage (RRS)**: cheaper strategy (less redundancy).
**Infrequent Access (IA)**: cheaper strategy (less bandwidth).
You can set lifecycle rules: where data is moved to IA or RRS.
Supports versioning if objects.
**MFA delete**: Deleting an object requires an extra token.
**Cross region replication (CRR)**: async replicate all objects to another region. Good to reduce latency. Requires src and dst with versioning enabled, correct S3 permissions, and different regions.
You can set up **logging** of requests.
**Events notifications** can be sent after events such as upload. Can be sent to an SQS, SNS, or a lambda.
You can specify world readable, IAM permissions or temporary public URLs that expire.
Durability & Availability table
**Class Durability Availability
STANDARD 99,999999999% 99,99%
STANDARD_IA 99,999999999% 99,9%
ONEZONE_IA 99,999999999% 99,5%
GLACIER 99,999999999% 99,99%*
REDUCED_REDUNDANCY 99,99% 99,99%**
Encryption
**SSE-S3**: fully managed encryption at rest.
**SSE-C**: encryption at rest with custom encryption keys (to be provided together with the uploaded or download the file). The key is not stored by AWS. Use this option if you want to maintain your own encryption keys, but don't want to implement or leverage a client-side encryption library.
**SSE-KMS**: encryption at rest using keys managed through the KMS service. Allows to define fine grained permissions based on the permissions of KMS keys. Best solution for compliance (PCI-DSS, HIPAA, etc.).
Transfer optimizations
**S3 transfer acceleration**: Improves latency.
HTTP multi-part upload to transfer big files.
**Snowball**: For transferring massive amounts of data.
**Storage gateway**: If your storage needs to exist also on premise (hybrid cloud storage).
Storage gateway offers 2 main volume modes:
**Cached volumes**: Stores files in the cloud and keeps a local cache to speed up reads
**Stored volumes**: Optimized for low latency, stores files locally and asynchronously sends back up point-in-time snapshots to S3.
Amazon Glacier
Low-cost storage service, good for long term backups and for infrequently used data storage.
Data is stored in *archives**, each can hold up to 40TB of data and is referenced by an **ID**, not a user-friendly key.
**Vaults** are containers of archives, you can have up to 1000 vaults. Each vault can have different IAM policies.
You can also specify lock policies, such as write once read many (WORM).
You can retrieve 5% of the data for free every month.
Encryption at rest can not be disabled.
Files can be restored through the web console or the S3 API (RestoreRequest action).
Elastic Compute Cloud (EC2)
Resizable compute capacity. Virtual machines are called **instances**.
Each instance type has CPU, memory, storage and network performance. There are different instance families (m,t,s...) each scales the price and the property of the family linear. Network performance increases as the family type grows (Up to 10Gbps).
Families
Compute optimized (c4)
Memory optimized (r3)
Storage optimized (i2)
GPU-based instances (gs)
**Amazon machine images (AMIs)**: Is a OS image, usually contains patches and additional apps. Are based on x86 Windows/Linux. Can be:
Published by AWS
Marketplace: Customers can provide and sell their AMIs.
Generated from existing instances: Facilitates reusing instances.
Uploaded virtual servers: exported from vmware, virtualbox or others.
Addressing
DNS: each instance gets a unique domain name
Public IP
Elastic IP: reserved IP, not tight to an instance.
Access is granted through public key authentication.
**Security groups**: is a virtual firewall that allows you to allow traffic from or to certain ports and IPs. You can associate it with an EC2 instance or a VPC. By default denies everything.
**User data** is a script you can pass to the instance that runs after startup, to do initialization tasks. It is not encrypted.
Each instance has metadata associated, it can be found at **http://169.254.169.254/latest/meta-data**. It includes security groups, instance Id, type amd AMI.
You can set Tags (key-value) to your instances to easily identify them.
You can monitor instances using **CloudWatch**.
Instances can be resized.
Pricing
**On-demand**: no upfront commitment, fixed price.
**Reserved instances**: You can save up to 75% if you commit to a certain time. Price will vary depending on the time and if you pay upfront. You can improve specs after purchase.
**Spot instances**: Customer specified how much he is willing to pay for the instance. If they pricing goes below the requested one, you will get a machine until it goes up again. Cheapest option. Should only be used for workloads tolerant to interruption.
Tenancy options
**Shared tenancy**: Default option, same host machine might host instances from different customers.
**Dedicated instances**: Run on hardware that's dedicated t o a single customer.
**Dedicated host**: Customer has more granularity and can specify which host to run the instance. It is also fully dedicated for the customer.
**Placement groups** enable applications to participate in low-latency 10Gbps network. The instance must support it.
**Instance store**
Instance types
**Instance stores**: Ephemeral storage of HDDs or SSDs attached to the host machine. Very cost effective, ideal for temporary storage (caches, buffers). Data is lost if the instance terminates or reboots.
**Elastic Block Store (EBS)**: Persistent block-level storage to use in EC2. It is automatically replicated in the availability zone. They can be attached to a single instance.
Types:
**Magnetic volumes**: lowest performance and lowest cost per GB. From 1GB to 1TB, 100 IOPS on average. Good solution for data accessed infrequently, sequential reads.
**General purpose SSD**: Strong performance, moderate price. From 1GB to 16TB. 3 IOPS per GB, up to 10K IOPS. I.E 1TB-> 3K IOPS. Good for medium sized DBs, boot volumes and dev environments.
**Provisioned IOPS SSD**: Highest performance, highest price, from 4GB to 16TB. Well suited for business critical apps with large performance, large DBs workloads.
**Snapshots** allow you to backup a EBS volume taking a point in time snapshot. Are stored in S3 technology. You pay for the storage cost. Storage in the same region, you will need to copy it if need an instance in different region.
EBS offers native encryption, through **Key Management System (KMS)** to handle key management. Data is encrypted using AES256. Snapshots from encrypted volumes are automatically encrypted, as volumes created from snapshots.
Virtual Private Cloud (VPC)
Select ipv4 ranges called inter domain routing (CIDR), creating subnets, route tables, network gateways, and security settings.
Each VPC belongs to a region. Each VPC is isolated even with the same ip ranges.
Mandatory components are: Subnets, Route tables, DHCP, ACLs, Security groups
Optional components: Internet gateway, Elastic ip, Elastic network interface (eni), Endpoints, Peering, Nat gateways, Virtual private gateways (vpg), Customer gateway (cgw), Virtual private networks (vpn),
Subnets
AWS reserves the first 4 IPs.
Each subnet exists in a single availability zone.
Types
public (traffic redirected to Igw)
private
vpn only.
Route tables
Rules to determine where traffic gets directed
Internet gateway igw
Vpc component that allows VPC to access the internet. It is a target in your route tables. The EC2 instance also needs a public or EIP address
Elastic IP Addresses (EIP)
Public IP address you can assign to a VPC or ec2 instance. You can shutdown a machine and maintain the public ip in your account.
Elastic network interfaces (EINs)
Can be attached to a VPC and is associated to a subnet. Has one public IP and multiple private ones. You can use two EINs to have an instance in two subnetworks.
Endpoints
Allows you to create a private connection between a VPC and another AWS service, such as S3, without requiring internet access or a NAT instance.
Peering
Allows connecting two VPCs as if they were the same network. Can be between different accounts but has to be the same region.
Security groups
Stateful firewall that controls inbound and outbound traffic to AWS resources. All ec2 instances must be launched with a security group. Supports allow rules only. Stateful: Return traffic is automatically allowed. Applies to individual instances attached.
Network access control list (ACLs)
Stateless firewall attached to VPCs. Set of rules that determines if traffic is allowed in or out a subnet. You are expected to create similar rules as the security grups to defensa in depth. Supports allow and deny rules.Stateless: return traffic must be allowed. Applies to all instances in the VPC.
Network address translation (NAT) instances/gateways
Allows connecting to the internet instances that are in private subnets. You can use a Nat instance, Eip and Security groups to create instances that can have outbound internet access but no inbound.
Identity and Access Management (IAM)
Used to control who is authenticated and authorized to access a resource.
Provides granular permissions and shared access to your account.
**Identity federation**: You can grant access to users who have already authenticated somewhere else (i.e. corporate network).
Cloudtrail logs will contains what IAM issues the request
IAM supports **PCI compliance**
It's free
**Principal** is an entity that can make operations on an AWS resource (users, roles, federated users an apps).
Request contains:
Actions or operations
Resource where the action will be performed
Principal: user performing the action
Environment data: Ip address, user agent, SSL enabled....
Resource data: Data about the resource (can be ddb data).
Authentication
username and password from console
access key and secret key from API or CLI
You might also use **Multi factor authentication (MFA)**
Authorization
Most policies are stored in JSON documents.
Policies define specify the permissions that are allowed or deined for principals.
**Identity-based**: grant access to users
**Resource-based**: popular for granting cross account access.
ACL: todo
Security Token Service (STS)
TODO
When you create your AWS account you get a root user
Users
Entity that represents a service or person and uses IAM to interact with AWS
Can use console or API
has a username/password to sign in
belongs to a group that has permissions policies attached or by directly attaching it permissions without group
Groups
Collection of IAM users
All have same permissions (easier to manage)
A group can not be identified as a **Principal** in a **resource based trust policy**
Roles
Same as user but has no credentials (username/password)
It is intended to be assumable by anyone who needs it
A user can assume a role temporarily for a specific task.
Can be assigned to a **federated user**
Temporary credentials
When to create user instead of a role
You need a user to interact with the CLI
When you are the only person using it
When to create a role instead of a user
App running in EC2 instance needs to authenticate to interact(assume role, with the policy attached to it. Not auth as user)
App in phone makes requests to AWS (cognito or federate)
You want your corporate users to authenticate so they dont have to sign in again (federate into aws)
Users
Is identified with a friendly name (shown in aws console)
**Amazon resource name (ARN)** used to uniquely identify the user across all AWS
Credentials
console password
access keys (key id + secret access key)
ssh keys for code commit
server certificate to authenticate to some services
AssumeRole
Used by API operations that access resources from same or other accounts
API can assume a role to do specific tasks, specifying an ARN
1. Create policy that allows production app to access ListBucket:
*{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::productionapp/*"
},*
2. Create a role with the previous policy
3. Switch role CLI (your user needs permissions to assumerole):
*aws sts assume-role --role-arn "arn:aws:iam::999999999999:role/UpdateApp" --role-session-name "David-ProdUpdate"*