Disclaimer: These slides are copyrighted and strictly for personal use only

- This document is reserved for people enrolled into the Ultimate AWS Certified Solutions Architect Professional course
- Please do not share this document, it is intended for personal use and exam preparation only, thank you.
- If you’ve obtained these slides for free on a website that is not the course’s website, please reach out to piracy@datacumulus.com. Thanks!
- Best of luck for the exam and happy learning!

© Stephane Maarek
AWS Certified Solutions Architect Professional Course
SAP-C01
Setting the right expectations for this course

- This course is all slides based
  - I’m assuming you have experience using AWS
  - No hands-on will come with the course. You should know the basics
  - It’s fast paced. Your time is valuable. Feel free to slow me down to 0.75x
- If you just passed the AWS Certified Solutions Architect Associate cert
  - I recommend you go through AWS Certified Developer, SysOps & DevOps
  - I know you are eager to get the SAP certification, but take your time
- The AWS knowledge needed for the SA Pro exam is extremely similar to the knowledge for the SAA
  - The questions are more complex, and knowing details is very important
  - It’s possible that multiple answers are correct, but one is the most appropriate
The AWS Certified Solutions Architect Professional Exam

- Is HARD
- Tests real AWS experience
- Will test you on some very subtle service features
- I have included quizzes for every single section BUT…
  - The quizzes are not “scenario based” / “exam-like”
  - They only help you extract some important notions out of what you’re learning
- This is my optimal way of teaching you about specific topics
- Please trust my teaching process
Practice Exams

- This course does not come with practice exams
  - I recommend you look on Udemy for extra practice exams
  - I really want to focus this course on the knowledge needed
  - I may come up with a practice exam at some point (to be purchased separately)
- Warning: This course is on the NEW CERTIFICATION (SAP-C01)
  - You may see outdated content in other practice exams, other courses, etc…
- This course is not incomplete, it’s more targeted towards the knowledge you actually need to know to pass the exam
Identity & Federation Section
IAM – What should you know by now

- Users: long term credentials
- Groups
- Roles: short-term credentials, uses STS
  - EC2 Instance Roles: uses the EC2 metadata service. One role at a time per instance
  - Service Roles: API Gateway, CodeDeploy, etc…
  - Cross Account roles
- Policies
  - AWS Managed
  - Customer Managed
  - Inline Policies
- Resource Based Policies (S3 bucket, SQS queue, etc…)
IAM Policies Deep Dive

- Anatomy of a policy: JSON doc with Effect, Action, Resource, Conditions, Policy Variables
- Explicit DENY has precedence over ALLOW
- Best practice: use least privilege for maximum security
  - Access Advisor: See permissions granted and when last accessed
  - Access Analyzer: Analyze resources that are shared with external entity
- Navigate Examples at: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_examples.html
IAM AWS Managed Policies

AdministratorAccess

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "*",
          "Resource": "*"
        }
      ]
    }
IAM AWS Managed Policies

PowerUserAccess

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "NotAction": [
            "iam:*",
            "organizations:*",
            "account:*"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "iam:CreateServiceLinkedRole",
            "iam:DeleteServiceLinkedRole",
            "iam:ListRoles",
            "organizations:DescribeOrganization",
            "account:ListRegions"
          ],
          "Resource": "*"
        }
      ]
    }

Note how "NotAction" is used instead of Deny
IAM Policies Conditions

    "Condition" : { "<condition-operator>" : { "<condition-key>" : "<condition-value>" }}

Operators:
- String (StringEquals, StringNotEquals, StringLike…)
  - "Condition": {"StringEquals": {"aws:PrincipalTag/job-category": "iamuser-admin"}}
  - "Condition": {"StringLike": {"s3:prefix": [ "", "home/", "home/${aws:username}/" ]}}
- Numeric (NumericEquals, NumericNotEquals, NumericLessThan…)
- Date (DateEquals, DateNotEquals, DateLessThan…)
- Boolean (Bool):
  - "Condition": {"Bool": {"aws:SecureTransport": "true"}}
  - "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
- (Not)IpAddress:
  - "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}
- ArnEquals, ArnLike
- Null: "Condition":{"Null":{"aws:TokenIssueTime":"true"}}
IAM Policies Variables and Tags

- Example: ${aws:username}
  - "Resource": ["arn:aws:s3:::mybucket/${aws:username}/*"]
- AWS Specific:
  - aws:CurrentTime, aws:TokenIssueTime, aws:principaltype, aws:SecureTransport, aws:SourceIp, aws:userid, ec2:SourceInstanceARN
- Service Specific:
  - s3:prefix, s3:max-keys, s3:x-amz-acl, sns:Endpoint, sns:Protocol…
- Tag Based:
  - iam:ResourceTag/key-name, aws:PrincipalTag/key-name…
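The condition operators, the ${aws:username} variable and the NotAction statement from the last few slides, worked through in a small evaluator (an added example, not code from the course): it applies explicit-deny-over-allow, implicit deny by default and NotAction to a constructed policy, and resolves the policy variable inside a resource ARN. The bucket name, condition keys and the 203.0.113.0/24 range come from the slides; the user names, IP addresses, timestamps and the policy itself are constructed.

```python
"""Toy evaluator for IAM identity policies, built around the condition operators,
policy variables and the NotAction statement shown on the slides above. Added
example, not part of the course; real IAM has many more rules (resource policies,
SCPs, permission boundaries, *IfExists operators) that are not modelled here."""
from fnmatch import fnmatchcase
import ipaddress
import re


def as_list(value):
    return value if isinstance(value, list) else [value]

def expand_vars(text, ctx):
    """Substitute ${key} policy variables (e.g. ${aws:username}) from the request context."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: str(ctx.get(m.group(1), m.group(0))), text)

def matches_any(patterns, value, ctx):
    return any(fnmatchcase(value, expand_vars(p, ctx)) for p in as_list(patterns))

def in_networks(ip, cidrs):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(c, strict=False) for c in cidrs)

def condition_holds(condition, ctx):
    """Every operator block and every key must hold; any one listed value may match."""
    for operator, keys in condition.items():
        for key, wanted in keys.items():
            wanted = [expand_vars(str(w), ctx) for w in as_list(wanted)]
            actual = ctx.get(key)
            if operator == "Null":
                # "true": the key must be absent from the request; "false": it must be present
                ok = (wanted[0] == "true") == (actual is None)
            elif actual is None:
                ok = False  # a missing key can only be matched by Null
            elif operator == "StringEquals":
                ok = actual in wanted
            elif operator == "StringLike":
                ok = any(fnmatchcase(actual, w) for w in wanted)
            elif operator == "Bool":
                ok = str(actual).lower() == wanted[0].lower()
            elif operator == "IpAddress":
                ok = in_networks(actual, wanted)
            elif operator == "NotIpAddress":
                ok = not in_networks(actual, wanted)
            elif operator == "DateLessThan":
                ok = actual < wanted[0]  # ISO-8601 UTC timestamps compare lexicographically
            else:
                raise ValueError(f"unsupported operator {operator}")
            if not ok:
                return False
    return True

def statement_applies(stmt, action, resource, ctx):
    if "Action" in stmt and not matches_any(stmt["Action"], action, ctx):
        return False
    if "NotAction" in stmt and matches_any(stmt["NotAction"], action, ctx):
        return False  # NotAction covers every action except the ones listed
    if not matches_any(stmt.get("Resource", "*"), resource, ctx):
        return False
    return condition_holds(stmt.get("Condition", {}), ctx)

def evaluate(policies, action, resource, ctx):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"  # nothing is allowed unless a statement says so
    for policy in policies:
        for stmt in as_list(policy["Statement"]):
            if statement_applies(stmt, action, resource, ctx):
                if stmt["Effect"] == "Deny":
                    return "ExplicitDeny"  # an explicit Deny always wins over Allow
                decision = "Allow"
    return decision


# Constructed sample policy for one principal (not a real AWS managed policy).
POLICY = {"Version": "2012-10-17", "Statement": [
    # PowerUser-style grant: everything except IAM, Organizations, Account and S3
    {"Effect": "Allow", "NotAction": ["iam:*", "organizations:*", "account:*", "s3:*"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:ListRoles", "iam:CreateServiceLinkedRole"],
     "Resource": "*"},
    # Each user may only touch their own S3 folder, via the ${aws:username} variable
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::mybucket/${aws:username}/*"},
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}},
    {"Effect": "Deny", "Action": "s3:*", "Resource": "*",
     "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    # AWSRevokeOlderSessions pattern: deny any session whose token predates the cutoff
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"DateLessThan": {"aws:TokenIssueTime": "2021-01-01T00:00:00Z"}}},
]}

# Constructed request contexts (the keys AWS would fill in for a real request).
ALICE = {"aws:username": "alice", "aws:MultiFactorAuthPresent": "true",
         "aws:SourceIp": "203.0.113.5", "aws:TokenIssueTime": "2021-06-01T12:00:00Z"}
NO_MFA = {**ALICE, "aws:MultiFactorAuthPresent": "false"}
OFFSITE = {**ALICE, "aws:SourceIp": "198.51.100.7"}
OLD_SESSION = {**ALICE, "aws:TokenIssueTime": "2020-12-31T23:59:59Z"}
```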
IAM Roles vs Resource Based Policies

- Attach a policy to a resource (example: S3 bucket policy) versus using a role as a proxy

(diagram: top, a User in Account A assumes a Role to reach an Amazon S3 bucket in Account B; bottom, the User in Account A reaches the S3 bucket in Account B directly through the bucket Policy)
IAM Roles vs Resource Based Policies

- When you assume a role (user, application or service), you give up your original permissions and take the permissions assigned to the role
- When using a resource based policy, the principal doesn’t have to give up any permissions
- Example: User in account A needs to scan a DynamoDB table in Account A and dump it in an S3 bucket in Account B.
- Supported by: Amazon S3 buckets, SNS topics, SQS queues
Using STS to Assume a Role

- Define an IAM Role within your account or cross-account
- Define which principals can access this IAM Role
- Use AWS STS (Security Token Service) to retrieve credentials and impersonate the IAM Role you have access to (AssumeRole API)
- Temporary credentials can be valid between 15 minutes to 1 hour

(diagram: a user calls the AssumeRole API of STS and receives temporary security credentials for a role in the same account or another account)
Assuming a Role with STS

- Provide access for an IAM user in one AWS account that you own to access resources in another account that you own
- Provide access to IAM users in AWS accounts owned by third parties
- Provide access for services offered by AWS to AWS resources
- Provide access for externally authenticated users (identity federation)
- Ability to revoke active sessions and credentials for a role (by adding a policy using a time statement – AWSRevokeOlderSessions)
- When you assume a role (user, application or service), you give up your original permissions and take the permissions assigned to the role
Providing Access to an IAM User in Your or Another AWS Account That You Own

- You can grant your IAM users permission to switch to roles within your AWS account or to roles defined in other AWS accounts that you own.

(diagram: a User in Account A assumes a Role, in the same or another account you own, to terminate an EC2 instance)

- Benefits:
  - You must explicitly grant your users permission to assume the role.
  - Your users must actively switch to the role using the AWS Management Console or assume the role using the AWS CLI or AWS API
  - You can add multi-factor authentication (MFA) protection to the role so that only users who sign in with an MFA device can assume the role
  - Least privilege + auditing using CloudTrail
Cross account access with STS

(diagram: a Development Account with the groups Developers and Testers, and a Production Account with the role UpdateApp and the S3 bucket productionapp)

1. Admin creates role that grants Development account read/write access to productionapp bucket
2. Admin grants members of the group Developers permission to assume the UpdateApp role
3. User requests access to role
4. STS returns role credentials
5. User can access the S3 bucket by using the role credentials
Providing Access to AWS Accounts Owned by Third Parties

- Zone of trust = accounts, organizations that you own
- Outside Zone of Trust = 3rd parties
- Use IAM Access Analyzer to find out which resources are exposed
- For granting access to a 3rd party:
  - The 3rd party AWS account ID
  - An External ID (secret between you and the 3rd party)
    - To uniquely associate with the role between you and 3rd party
    - Must be provided when defining the trust and when assuming the role
    - Must be chosen by the 3rd party
  - Define permissions in the IAM policy
The confused deputy

(diagram)
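As an added example (not from the course), a static check for the exposure the External ID is meant to close: a role trust policy that lets a third-party account call AssumeRole without a sts:ExternalId condition. The account IDs, the External ID value and the two trust policies are constructed placeholders; the check only reads the trust policy document and makes no AWS calls.

```python
"""Static check for the confused-deputy exposure described above: a role trust
policy that lets another account call sts:AssumeRole without requiring the
External ID. Added example, not the course's code; account IDs, role names and
the External ID value are constructed placeholders."""

OUR_ACCOUNT = "111122223333"          # constructed: the account that owns the role
THIRD_PARTY_ACCOUNT = "444455556666"  # constructed: the 3rd party's account

#Weak trust policy: any principal in the 3rd party account may assume the role,
# so the 3rd party cannot tell which of its customers asked it to use this role.
WEAK_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{THIRD_PARTY_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
    }],
}

# Hardened: the 3rd party must present the External ID it chose for us, both
# here in the trust and in its AssumeRole call.
HARDENED_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{THIRD_PARTY_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id-8f2a"}},
    }],
}


def as_list(value):
    return value if isinstance(value, list) else [value]


def principal_accounts(principal):
    """Account IDs named by an AWS principal; '*' stands for the anonymous wildcard."""
    if principal == "*":
        return {"*"}
    accounts = set()
    for p in as_list(principal.get("AWS", [])):  # Service/Federated principals are ignored
        if p == "*":
            accounts.add("*")
        elif p.isdigit() and len(p) == 12:
            accounts.add(p)
        elif p.startswith("arn:aws:iam::"):
            accounts.add(p.split(":")[4])  # arn:aws:iam::ACCOUNT:root or :role/...
    return accounts


def requires_external_id(stmt):
    # Any condition block keyed on sts:ExternalId counts (StringEquals is the usual one)
    return any("sts:ExternalId" in keys for keys in stmt.get("Condition", {}).values())


def confused_deputy_findings(trust_policy, own_account):
    """Return, per risky statement, the sorted foreign accounts it trusts without an External ID."""
    findings = []
    for stmt in as_list(trust_policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        foreign = principal_accounts(stmt.get("Principal", {})) - {own_account}
        if foreign and not requires_external_id(stmt):
            findings.append(sorted(foreign))
    return findings
```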
STS Important APIs

- AssumeRole: access a role within your account or cross-account
- AssumeRoleWithSAML: return credentials for users logged with SAML
- AssumeRoleWithWebIdentity: return creds for users logged with an IdP
  - Example providers include Amazon Cognito, Login with Amazon, Facebook, Google, or any OpenID Connect-compatible identity provider
  - AWS recommends using Cognito instead
- GetSessionToken: for MFA, from a user or AWS account root user
- GetFederationToken: obtain temporary creds for a federated user, usually a proxy app that will give the creds to a distributed app inside a corporate network
Identity Federation in AWS

- Federation lets users outside of AWS assume a temporary role for accessing AWS resources.
- These users assume an identity-provided access role.
- Federations can have many flavors:
  - SAML 2.0
  - Custom Identity Broker
  - Web Identity Federation with Amazon Cognito
  - Web Identity Federation without Amazon Cognito
  - Single Sign On
  - Non-SAML with AWS Microsoft AD
- Using federation, you don’t need to create IAM users (user management is outside of AWS)

(diagram: a 3rd party user logs in, receives credentials, and accesses AWS through a trusted role)
SAML 2.0 Federation

- To integrate Active Directory / ADFS with AWS (or any SAML 2.0)
- Provides access to AWS Console or CLI (through temporary creds)
- No need to create an IAM user for each of your employees

(diagram)
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html
SAML 2.0 Federation – Active Directory FS

- Same process as with any SAML 2.0 compatible IdP

(diagram)
https://aws.amazon.com/blogs/security/aws-federated-authentication-with-active-directory-federation-services-ad-fs/
SAML 2.0 Federation

- Needs to setup a trust between AWS IAM and SAML (both ways)
- SAML 2.0 enables web-based, cross domain SSO
- Uses the STS API: AssumeRoleWithSAML
- Note federation through SAML is the “old way” of doing things
- Amazon Single Sign On (SSO) Federation is the new managed and simpler way
- Read more here: https://aws.amazon.com/blogs/security/enabling-federation-to-aws-using-windows-active-directory-adfs-and-saml-2-0/
Custom Identity Broker Application

- Use only if identity provider is not compatible with SAML 2.0
- The identity broker must determine the appropriate IAM policy
- Uses the STS API: AssumeRole or GetFederationToken

(diagram)
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_federated-users.html
Web Identity Federation – AssumeRoleWithWebIdentity

- Not recommended by AWS – use Cognito instead (allows for anonymous users, data synchronization, MFA)

(diagram)
https://docs.amazonaws.cn/en_us/amazondynamodb/latest/developerguide/WIF.html
Web Identity Federation – AWS Cognito

- Preferred way for Web Identity Federation
- Create IAM Roles using Cognito with the least privilege needed
- Build trust between the OIDC IdP and AWS
- Cognito benefits:
  - Support for anonymous users
  - Support for MFA
  - Data synchronization
- Cognito replaces a Token Vending Machine (TVM)

(diagram)
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_cognito.html
Web Identity Federation – IAM Policy

- After being authenticated with Web Identity Federation, you can identify the user with an IAM policy variable.
- Examples:
  - cognito-identity.amazonaws.com:sub
  - www.amazon.com:user_id
  - graph.facebook.com:id
  - accounts.google.com:sub
What is Microsoft Active Directory (AD)?

- Found on any Windows Server with AD Domain Services
- Database of objects: User Accounts, Computers, Printers, File Shares, Security Groups
- Centralized security management, create account, assign permissions
- Objects are organized in trees
- A group of trees is a forest

(diagram: a Domain Controller authenticating a user with a password)
What is ADFS (AD Federation Services)?

- ADFS: provide single sign-on across applications
- SAML across 3rd party: AWS Console, Dropbox, Office365, etc…

(diagram)
https://aws.amazon.com/blogs/security/how-to-establish-federated-access-to-your-aws-resources-by-using-active-directory-user-attributes/
AWS Directory Services

- AWS Managed Microsoft AD
  - Create your own AD in AWS, manage users locally, supports MFA
  - Establish “trust” connections with your on-premise AD
- AD Connector
  - Directory Gateway (proxy) to redirect to on-premise AD
  - Users are managed on the on-premise AD
- Simple AD
  - AD-compatible managed directory on AWS
  - Cannot be joined with on-premise AD

(diagram: AWS Managed Microsoft AD with a trust to the on-premise AD; AD Connector proxying to the on-premise AD; Simple AD standalone)
AWS Directory Services – AWS Managed Microsoft AD

- Managed Service: Microsoft AD in your AWS VPC
- EC2 Windows Instances:
  - EC2 Windows instances can join the domain and run traditional AD applications (sharepoint, etc)
  - Seamlessly Domain Join Amazon EC2 Instances from Multiple Accounts & VPCs
- Integrations:
  - RDS for SQL Server, AWS Workspaces, Quicksight…
  - AWS SSO to provide access to 3rd party applications
- Standalone repository in AWS or joined to on-premise AD
- Multi AZ deployment of AD in 2 AZ, # of DC (Domain Controllers) can be increased for scaling
- Automated backups

(diagram: a VPC with AWS Managed Microsoft AD domain controllers in two Availability Zones and domain-joined EC2 instances)
AWS Microsoft Managed AD - Integrations

(diagram: AWS Managed Microsoft AD integrations: RDS, WorkSpaces and other AWS services; traditional AD applications such as .NET apps, SharePoint and SQL Server; an AD trust extending the on-premise AD)
Connect to on-premise AD

- Ability to connect your on-premise Active Directory to AWS Managed Microsoft AD
- Must establish a Direct Connect (DX) or VPN connection
- Can setup three kinds of forest trust:
  - One way trust: AWS => On-Premise
  - One way trust: On-Premise => AWS
  - Two way forest trust: AWS <=> On-Premise
- Forest trust is different than synchronization (replication is not supported)

(diagram: on-premise Microsoft AD connected over Site-to-Site VPN or Direct Connect to AWS Managed Microsoft AD, with a forest trust and domain-joined EC2 instances running a traditional AD app)
Solution Architecture: Active Directory Replication

- You may want to create a replica of your AD on EC2 in the cloud to minimize latency or in case DX or VPN goes down
- Establish trust between the AWS Managed Microsoft AD and EC2

(diagram: on-premise Microsoft AD, domain onpremAD.example.com, replicated to a self-managed Microsoft AD replica on EC2, with a trust to AWS Managed Microsoft AD, domain awsAD.example.com)
AWS Directory Services – AD Connector

- AD Connector is a directory gateway to redirect directory requests to your on-premises Microsoft Active Directory
- No caching capability
- Manage users solely on-premise, no possibility of setting up a trust
- VPN or Direct Connect
- Doesn’t work with SQL Server, doesn’t do seamless joining, can’t share directory

(diagram)
https://aws.amazon.com/blogs/security/how-to-connect-your-on-premises-active-directory-to-aws-using-ad-connector/
AWS Directory Services – Simple AD

- Simple AD is an inexpensive Active Directory–compatible service with the common directory features.
- Supports joining EC2 instances, manage users and groups
- Does not support MFA, RDS SQL server, AWS SSO
- Small: 500 users, large: 5000 users
- Powered by Samba 4, compatible with Microsoft AD
- lower cost, low scale, basic AD compatible, or LDAP compatibility
- No trust relationship
AWS Organizations

- Master accounts must invite Child Accounts
- Master accounts can create Child Accounts
- Master can access child accounts using:
  - CloudFormation StackSets to create IAM roles in target accounts
  - Assume the roles using the STS Cross Account capability
- Strategy to create a dedicated account for logging or security
- API is available to automate AWS account creation
- Integration with AWS Single Sign-On (SSO)
AWS Organizations - Features

- Consolidated billing features:
  - Consolidated Billing across all accounts - single payment method
  - Pricing benefits from aggregated usage (volume discount for EC2, S3…)
- All Features (Default):
  - Includes consolidated billing features
  - You can use SCP
  - Invited accounts must approve enabling all features
  - Ability to apply an SCP to prevent member accounts from leaving the org
  - Can’t switch back to Consolidated Billing Features only
Multi Account Strategies

- Create accounts per department, per cost center, per dev / test / prod, based on regulatory restrictions (using SCP), for better resource isolation (ex: VPC), to have separate per-account service limits, isolated account for logging
- Multi Account vs One Account Multi VPC
- Use tagging standards for billing purposes
- Enable CloudTrail on all accounts, send logs to central S3 account
- Send CloudWatch Logs to central logging account
- Establish Cross Account Roles for Admin purposes
Organizational Units (OU) - Examples

(diagram: OU layouts by Business Unit, by Environmental Lifecycle, and Project-Based)
https://aws.amazon.com/answers/account-management/aws-multi-account-billing-strategy/
AWS Organization

(diagram: a Root OU containing the Master Account, a Dev OU and a Prod OU; the Prod OU contains a Finance OU and an HR OU)
Service Control Policies (SCP)

- Whitelist or blacklist IAM actions
- Applied at the OU or Account level
- Does not apply to the Master Account
- SCP is applied to all the Users and Roles of the Account, including Root user
- The SCP does not affect service-linked roles
  - Service-linked roles enable other AWS services to integrate with AWS Organizations and can't be restricted by SCPs.
- SCP must have an explicit Allow (does not allow anything by default)
- Use cases:
  - Restrict access to certain services (for example: can’t use EMR)
  - Enforce PCI compliance by explicitly disabling services
SCP Hierarchy

(diagram: FullAWSAccess SCP on the Root OU; DenyAccessAthena SCP on the Master Account; DenyRedshift SCP on the Prod OU; AuthorizeRedshift SCP on Account A, which sits in the Prod OU; DenyAWSLambda SCP on the HR OU, which holds Account B; Account C sits in the Finance OU under the Prod OU)

- Master Account
  - Can do anything (no SCP apply)
- Account A
  - Can do anything
  - EXCEPT access Redshift (explicit Deny from OU)
- Account B
  - Can do anything
  - EXCEPT access Redshift (explicit Deny from Prod OU)
  - EXCEPT access Lambda (explicit Deny from HR OU)
- Account C
  - Can do anything
  - EXCEPT access Redshift (explicit Deny from Prod OU)
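The hierarchy on this slide, as an added example (not code from the course): a small model that walks an account's OU path, requires the SCP set at every level to allow the action, exempts the master account, and then applies the caller's IAM policy. SCP and OU names come from the slide; which SCP is attached where, the extra Sandbox OU and the IAM policies are constructed.

```python
"""Effective permissions under the Organizations tree drawn on the slide above.
Added example, not part of the course. Modelled rules: every SCP set from the
Root OU down to the account must allow the action and none may deny it, the
management (master) account is exempt, and the caller's IAM policy is evaluated
inside that boundary. SCP and OU names are the slide's; the attachments and the
IAM policies below are constructed to match its account descriptions."""
from fnmatch import fnmatchcase


def as_list(value):
    return value if isinstance(value, list) else [value]


def policy_allows(statements, action):
    """Allow/Deny-only evaluation of one policy set: an explicit Deny wins, else an Allow is required."""
    matched = [s for s in statements if any(fnmatchcase(action, a) for a in as_list(s["Action"]))]
    if any(s["Effect"] == "Deny" for s in matched):
        return False
    return any(s["Effect"] == "Allow" for s in matched)


SCPS = {
    "FullAWSAccess": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    "DenyAccessAthena": [{"Effect": "Deny", "Action": "athena:*", "Resource": "*"}],
    "DenyRedshift": [{"Effect": "Deny", "Action": "redshift:*", "Resource": "*"}],
    "AuthorizeRedshift": [{"Effect": "Allow", "Action": "redshift:*", "Resource": "*"}],
    "DenyAWSLambda": [{"Effect": "Deny", "Action": "lambda:*", "Resource": "*"}],
}

# node -> (parent, SCPs attached at that node); constructed to match the slide
TREE = {
    "Root OU": (None, ["FullAWSAccess"]),
    "Master Account": ("Root OU", ["FullAWSAccess", "DenyAccessAthena"]),
    "Dev OU": ("Root OU", ["FullAWSAccess"]),
    "Prod OU": ("Root OU", ["FullAWSAccess", "DenyRedshift"]),
    "HR OU": ("Prod OU", ["FullAWSAccess", "DenyAWSLambda"]),
    "Finance OU": ("Prod OU", ["FullAWSAccess"]),
    "Account A": ("Prod OU", ["FullAWSAccess", "AuthorizeRedshift"]),
    "Account B": ("HR OU", ["FullAWSAccess"]),
    "Account C": ("Finance OU", ["FullAWSAccess"]),
    # Constructed extra OU without FullAWSAccess: an SCP set with no Allow permits nothing
    "Sandbox OU": ("Root OU", ["DenyAWSLambda"]),
    "Account D": ("Sandbox OU", ["FullAWSAccess"]),
}
MANAGEMENT_ACCOUNT = "Master Account"


def path_to_root(node):
    while node is not None:
        yield node
        node = TREE[node][0]


def scp_permits(account, action):
    """True when the SCPs at every level from the account up to the root allow the action."""
    if account == MANAGEMENT_ACCOUNT:
        return True  # SCPs never restrict the management account
    for node in path_to_root(account):
        statements = [s for name in TREE[node][1] for s in SCPS[name]]
        if not policy_allows(statements, action):
            return False  # a Deny (or a missing Allow) at any level blocks the action
    return True


def decide(account, iam_statements, action):
    """Combine the SCP boundary with the caller's IAM identity policy."""
    if not scp_permits(account, action):
        return "Deny (SCP)"
    return "Allow" if policy_allows(iam_statements, action) else "Deny (IAM)"


# Constructed IAM identity policies for the calling principal
ADMIN = [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
EC2_READ_ONLY = [{"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]


def blocked_services(account, actions):
    """Which of the given actions an admin in this account still cannot perform because of SCPs."""
    return [a for a in actions if decide(account, ADMIN, a) == "Deny (SCP)"]
```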
SCP Examples – Blacklist and Whitelist strategies

(diagram)
More examples: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_example-scps.html
IAM Policy Evaluation Logic

(diagram)
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html
AWS Organizations – Reserved Instances

- For billing purposes, the consolidated billing feature of AWS Organizations treats all the accounts in the organization as one account.
- This means that all accounts in the organization can receive the hourly cost benefit of Reserved Instances that are purchased by any other account.
- The payer account (master account) of an organization can turn off Reserved Instance (RI) discount and Savings Plans discount sharing for any accounts in that organization, including the payer account
- This means that RIs and Savings Plans discounts aren't shared between any accounts that have sharing turned off.
- To share an RI or Savings Plans discount with an account, both accounts must have sharing turned on.
! #$%&'()% *((+%,

AWS Resource Access Manager (RAM)

- Share AWS resources that you own with other AWS accounts
- Share with any account or within your Organization
- Avoid resource duplication!
- VPC Subnets:
  - allow to have all the resources launched in the same subnets
  - must be from the same AWS Organizations
  - Cannot share security groups and default VPC
  - Participants can manage their own resources in there
  - Participants can't view, modify, delete resources that belong to other participants or the owner
- AWS Transit Gateway
- Route53 Resolver Rules
- License Manager Configurations

AWS Single Sign-On (SSO)

- Centrally manage Single Sign-On to access multiple accounts and 3rd-party business applications.
- Integrated with AWS Organizations
- Supports SAML 2.0 markup
- Integration with on-premise Active Directory
- Centralized permission management
- Centralized auditing with CloudTrail

https://aws.amazon.com/blogs/security/introducing-aws-single-sign-on/

AWS Single Sign-On (SSO) – Setup with AD

Options for integration:

1. Standalone AWS Managed Microsoft AD
2. AD Connector to on-premise AD
3. AWS Managed Microsoft AD with two-way forest trust with on-premise AD

SSO – vs AssumeRoleWithSAML

[Diagram: on the AssumeRoleWithSAML side, a Browser Interface goes through a 3rd Party IdP (SAML 2.0 Compatible) backed by its own Identity Store; on the AWS SSO side, the Browser Interface goes through the AWS SSO Login Portal, which has Identity Store integration]

Summary of Identity & Federation

- Users and Accounts all in AWS
- AWS Organizations
- Federation with SAML
- Federation without SAML with a custom IdP (GetFederationToken)
- Federation with SSO for multiple accounts with AWS Organizations
- Web Identity Federation (not recommended)
- Cognito for most web and mobile applications (has anonymous mode, MFA)
- Active Directory on AWS:
  - Microsoft AD: standalone or setup trust AD with on-premise, has MFA, seamless join, RDS integration
  - AD Connector: proxy requests to on-premise
  - Simple AD: standalone & cheap AD-compatible with no MFA, no advanced capabilities
- Single Sign On to connect to multiple AWS Accounts (Organization) and SAML apps

Security Section

AWS CloudTrail

- Provides governance, compliance and audit for your AWS Account
- CloudTrail is enabled by default!
- Get a history of events / API calls made within your AWS Account by:
  - Console
  - SDK
  - CLI
  - AWS Services
- Can put logs from CloudTrail into CloudWatch Logs
- If a resource is deleted in AWS, look into CloudTrail first!

CloudTrail continued…

- CloudTrail console shows the past 90 days of activity
- The default UI only shows "Create", "Modify" or "Delete" events
- CloudTrail Trail:
  - Get a detailed list of all the events you choose
  - Can include events happening at the object level in S3
  - Ability to store these events in S3 for further analysis
  - Can be region specific or be global & include global events (IAM, etc)

CloudTrail – Solution Architecture: Delivery to S3

[Diagram: CloudTrail delivers every 5 minutes to an S3 bucket (SSE-S3 by default, or SSE-KMS); an S3 Lifecycle Policy moves the logs to Glacier; S3 Event notifications fan out to SQS, SNS or Lambda]

S3 Enhancements:
- Enable Versioning
- MFA Delete Protection
- S3 Lifecycle Policy (S3 IA, Glacier…)
- S3 Object Lock
- SSE-S3 or SSE-KMS encryption
- Feature to perform CloudTrail Log File Integrity validation (SHA 256 for hashing and signing)
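The log file integrity validation mentioned above works by hashing every delivered log file with SHA-256 and chaining hourly digest files together; the following is an added, simplified illustration of that check (not AWS's validator and not course code). The log records, account id and object keys are constructed samples, and the RSA signature CloudTrail puts on each digest is left out, so only the hash chain is verified.

```python
"""Simplified CloudTrail log file integrity validation (illustration only).
Reproduces the SHA-256 hashing of log files and the digest chain; the RSA
signature of real digest files is not modelled."""
import hashlib
import json


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def digest_hash(digest):
    """Hash of the canonical JSON form of a digest, used to chain digests."""
    return sha256_hex(json.dumps(digest, sort_keys=True).encode())


def build_digest(log_files, previous_digest=None):
    """Digest over a set of delivered log files (object key -> file bytes)."""
    return {
        "digestAlgorithm": "SHA-256",
        "logFiles": [{"s3Object": name, "hashValue": sha256_hex(body)}
                     for name, body in sorted(log_files.items())],
        "previousDigestHashValue": digest_hash(previous_digest) if previous_digest else None,
    }


def verify(digests, log_files):
    """Return the list of problems found; an empty list means the delivered
    logs match the digest chain and no digest was dropped or altered."""
    problems = []
    for i, digest in enumerate(digests):
        expected_prev = digest_hash(digests[i - 1]) if i > 0 else None
        if digest["previousDigestHashValue"] != expected_prev:
            problems.append(f"digest {i}: chain broken (previous digest altered or missing)")
        for entry in digest["logFiles"]:
            name = entry["s3Object"]
            if name not in log_files:
                problems.append(f"digest {i}: {name} missing from the bucket")
            elif sha256_hex(log_files[name]) != entry["hashValue"]:
                problems.append(f"digest {i}: {name} modified after delivery")
    return problems


def _record(event_name, user):
    """Constructed minimal CloudTrail log file body (real files are gzipped JSON)."""
    return json.dumps({"Records": [{"eventSource": "ec2.amazonaws.com",
                                    "eventName": event_name,
                                    "userIdentity": {"userName": user}}]}).encode()


# Constructed sample: two hours of deliveries, one digest per hour.
_PREFIX = "AWSLogs/111122223333/CloudTrail/us-east-1/2021/03/01/"
LOG_FILES = {
    _PREFIX + "hour10_a.json": _record("RunInstances", "alice"),
    _PREFIX + "hour10_b.json": _record("DescribeInstances", "bob"),
    _PREFIX + "hour11_a.json": _record("TerminateInstances", "alice"),
}
_HOUR10 = {k: v for k, v in LOG_FILES.items() if "hour10" in k}
_HOUR11 = {k: v for k, v in LOG_FILES.items() if "hour11" in k}
_FIRST = build_digest(_HOUR10)
DIGESTS = [_FIRST, build_digest(_HOUR11, previous_digest=_FIRST)]


if __name__ == "__main__":
    print("intact bucket:", verify(DIGESTS, LOG_FILES) or "OK")
    tampered = dict(LOG_FILES)
    tampered[_PREFIX + "hour11_a.json"] = _record("TerminateInstances", "someone-else")
    print("edited log file:", verify(DIGESTS, tampered))
    print("dropped first digest:", verify(DIGESTS[1:], LOG_FILES))
```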

CloudTrail – Solution Architecture: Multi Account, Multi Region Logging

[Diagram: CloudTrail in Account A and CloudTrail in Account B both deliver to an S3 bucket in a central Security Account, under prefixes cloudtrail-bucket/account-A, cloudtrail-bucket/account-B, …; the bucket carries an S3 Bucket Policy]

Observations:
- The S3 bucket policy is necessary for cross-account delivery
- If Account A wants to access its CloudTrail files:
  - Option 1: create a cross-account role and assume the role
  - Option 2: edit the bucket policy

CloudTrail – Solution Architecture: Alert for API calls

[Diagram: CloudTrail streams into CloudWatch Logs; Metric Filters feed a CloudWatch Alarm, which notifies SNS]

- Log filter metrics can be used to detect a high level of API happening
  - Ex: Count occurrences of EC2 TerminateInstances API
  - Ex: Count of API calls per user
  - Ex: Detect high level of Denied API calls
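The three metric-filter examples above, run over a constructed CloudWatch Logs stream of CloudTrail records, as an added illustration (not CloudWatch code and not course code): each filter is a predicate over the parsed record, counts are aggregated per metric and per caller, and an alarm fires when a count exceeds its threshold. The event samples, user names and thresholds are constructed.

```python
"""Metric-filter style detection over CloudTrail records (illustration only).
A CloudWatch Logs filter pattern such as
    { ($.eventSource = "ec2.amazonaws.com") && ($.eventName = "TerminateInstances") }
is expressed here as a Python predicate over the parsed JSON record."""
import json
from collections import Counter

# Constructed sample stream: one CloudTrail record per line, as delivered to
# CloudWatch Logs. Not real log data.
SAMPLE_LOG_LINES = "\n".join(json.dumps(e) for e in [
    {"eventTime": "2021-03-01T10:00:01Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "userIdentity": {"userName": "alice"}},
    {"eventTime": "2021-03-01T10:00:05Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "userIdentity": {"userName": "alice"}},
    {"eventTime": "2021-03-01T10:00:09Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "userIdentity": {"userName": "alice"},
     "errorCode": "Client.UnauthorizedOperation"},
    {"eventTime": "2021-03-01T10:01:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "userIdentity": {"userName": "bob"}},
    {"eventTime": "2021-03-01T10:01:30Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "userIdentity": {"userName": "bob"},
     "errorCode": "AccessDenied"},
    {"eventTime": "2021-03-01T10:01:31Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "userIdentity": {"userName": "bob"},
     "errorCode": "AccessDenied"},
    {"eventTime": "2021-03-01T10:02:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/deploy"}},
])


def parse_events(log_text):
    """One JSON document per line; lines that are not valid JSON are skipped."""
    events = []
    for line in log_text.splitlines():
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


METRIC_FILTERS = {
    # Slide example 1: occurrences of the EC2 TerminateInstances API call
    "TerminateInstancesCount": lambda e: (e.get("eventSource") == "ec2.amazonaws.com"
                                          and e.get("eventName") == "TerminateInstances"),
    # Slide example 3: API calls rejected by authorization
    "DeniedApiCalls": lambda e: e.get("errorCode") in ("AccessDenied",
                                                        "Client.UnauthorizedOperation"),
}


def metric_counts(events):
    """Count, per metric filter, how many records in the window match it."""
    counts = Counter({name: 0 for name in METRIC_FILTERS})
    for event in events:
        for name, predicate in METRIC_FILTERS.items():
            if predicate(event):
                counts[name] += 1
    return counts


def calls_per_user(events):
    """Slide example 2: records by caller (IAM user name, else the principal ARN)."""
    def caller(event):
        identity = event.get("userIdentity", {})
        return identity.get("userName") or identity.get("arn", "unknown")
    return Counter(caller(e) for e in events)


def breached_alarms(counts, thresholds):
    """Metric names whose count in the window is strictly above the threshold."""
    return [name for name, limit in thresholds.items() if counts.get(name, 0) > limit]


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG_LINES)
    counts = metric_counts(events)
    print("metric counts:", dict(counts))
    print("calls per user:", dict(calls_per_user(events)))
    print("alarms:", breached_alarms(counts, {"TerminateInstancesCount": 2, "DeniedApiCalls": 5}))
```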

CloudTrail: How to react to events the fastest?

Overall, CloudTrail may take up to 15 minutes to deliver events

- CloudWatch Events:
  - Can be triggered for any API call in CloudTrail
  - The fastest, most reactive way
- CloudTrail Delivery in CloudWatch Logs:
  - Events are streamed
  - Can perform a metric filter to analyze occurrences and detect anomalies
- CloudTrail Delivery in S3:
  - Events are delivered every 5 minutes
  - Possibility of analyzing logs integrity, deliver cross account, long-term storage

AWS KMS (Key Management Service)

- Anytime you hear "encryption" for an AWS service, it's most likely KMS
- Easy way to control access to your data, AWS manages keys for us
- Fully integrated with IAM for authorization
- Seamlessly integrated into:
  - Amazon EBS: encrypt volumes
  - Amazon S3: Server side encryption of objects
  - Amazon Redshift: encryption of data
  - Amazon RDS: encryption of data
  - Amazon SSM: Parameter store
  - Etc…
- But you can also use the CLI / SDK

AWS KMS 101

- The value in KMS is that the CMK used to encrypt data can never be retrieved by the user, and the CMK can be rotated for extra security
- Never ever store your secrets in plaintext, especially in your code!
- Encrypted secrets can be stored in the code / environment variables
- KMS can only help in encrypting up to 4KB of data per call
- If data > 4 KB, use Envelope Encryption
- To give access to KMS to someone:
  - Make sure the Key Policy allows the user
  - Make sure the IAM Policy allows the API calls
- Track API calls made to KMS in CloudTrail
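The 4 KB limit and the envelope encryption pattern from the slide above, as an added walk-through (not the AWS SDK, KMS or course code): a stand-in "KMS" that enforces the Encrypt size limit and wraps data keys under a master key that never leaves it, with the bulk data encrypted locally under the data key. The data cipher is a toy HMAC-SHA256 keystream used only so the example runs offline; real code uses AES-GCM (e.g. through the AWS Encryption SDK), and this toy provides no integrity protection.

```python
"""Envelope encryption walk-through (illustration only).
FakeKms stands in for AWS KMS; the XOR keystream stands in for AES."""
import hashlib
import hmac
import os

KMS_MAX_PLAINTEXT = 4096  # bytes accepted by one KMS Encrypt call (the slide's 4 KB)
NONCE_LEN = 16


def _keystream(key, nonce, length):
    """Toy keystream: HMAC-SHA256(key, nonce || counter) blocks. Not AES."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data, key, nonce):
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


class FakeKms:
    """Stand-in for KMS: the CMK is created inside and is never returned to callers."""

    def __init__(self):
        self._cmk = os.urandom(32)

    def encrypt(self, plaintext):
        if len(plaintext) > KMS_MAX_PLAINTEXT:
            raise ValueError("KMS Encrypt accepts at most 4096 bytes of plaintext; "
                             "use envelope encryption for larger data")
        nonce = os.urandom(NONCE_LEN)
        return nonce + _xor(plaintext, self._cmk, nonce)

    def decrypt(self, blob):
        return _xor(blob[NONCE_LEN:], self._cmk, blob[:NONCE_LEN])

    def generate_data_key(self):
        """Like GenerateDataKey: returns the plaintext data key and its wrapped form."""
        data_key = os.urandom(32)
        return data_key, self.encrypt(data_key)


def envelope_encrypt(kms, data):
    """Encrypt data of any size locally under a fresh data key; only the wrapped
    data key is stored alongside the ciphertext, the plaintext key is discarded."""
    data_key, wrapped_key = kms.generate_data_key()
    nonce = os.urandom(NONCE_LEN)
    ciphertext = nonce + _xor(data, data_key, nonce)
    return {"encrypted_data_key": wrapped_key, "ciphertext": ciphertext}


def envelope_decrypt(kms, envelope):
    """One small KMS Decrypt call recovers the data key; the data is decrypted locally."""
    data_key = kms.decrypt(envelope["encrypted_data_key"])
    blob = envelope["ciphertext"]
    return _xor(blob[NONCE_LEN:], data_key, blob[:NONCE_LEN])


if __name__ == "__main__":
    kms = FakeKms()
    big_secret = b"x" * 10_000          # constructed 10 KB payload, over the limit
    try:
        kms.encrypt(big_secret)
    except ValueError as err:
        print("direct Encrypt failed:", err)
    envelope = envelope_encrypt(kms, big_secret)
    print("envelope round trip ok:", envelope_decrypt(kms, envelope) == big_secret)
```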

Types of KMS Keys

- Customer Managed CMK:
  - Create, manage and use, can enable or disable
  - Possibility of rotation policy (new key generated every year, old key preserved)
  - Can add a key policy (resource policy)
  - Leverage for envelope encryption
- AWS managed CMK:
  - Used by AWS service (aws/s3, aws/ebs, aws/redshift)
  - Managed by AWS

How does KMS work? API – Encrypt and Decrypt

[Diagram: the Client (CLI / SDK) sends a Secret (password) to the Encrypt API; KMS checks IAM permissions, performs the encryption with the CMK and sends back the Encrypted Secret. Later the Client sends the Encrypted Secret to the Decrypt API; KMS checks IAM permissions, performs the decryption and sends back the Secret in plaintext]

AWS Parameter Store

- Secure storage for configuration and secrets
- Optional Seamless Encryption using KMS
- Serverless, scalable, durable, easy SDK, free
- Version tracking of configurations / secrets
- Configuration management using path & IAM
- Notifications with CloudWatch Events
- Integration with CloudFormation
- Can retrieve secrets from Secrets Manager using the SSM Parameter Store API

[Diagram: Applications read Plaintext configuration and Encrypted configuration from the SSM Parameter Store, which checks IAM permissions and uses the AWS KMS Decryption Service for encrypted values]

AWS Parameter Store Hierarchy

- /my-department/
  - my-app/
    - dev/
      - db-url
      - db-password
    - prod/
      - db-url
      - db-password
  - other-app/
- /other-department/
- /aws/reference/secretsmanager/secret_ID_in_Secrets_Manager
- /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2

[Diagram: a Dev Lambda function and a Prod Lambda function call the GetParameters or GetParametersByPath API for their respective paths]

AWS Secrets Manager

- Newer service, meant for storing secrets
- Capability to force rotation of secrets every X days
- Automate generation of secrets on rotation (uses Lambda)
- Integration with Amazon RDS (MySQL, PostgreSQL, Aurora)
- Secrets are encrypted using KMS
- Mostly meant for RDS integration

RDS – Security

- KMS encryption at rest for underlying EBS volumes / snapshots
- Transparent Data Encryption (TDE) for Oracle and SQL Server
- SSL encryption to RDS is possible for all DB (in-flight)
- IAM authentication for MySQL and PostgreSQL
- Authorization still happens within RDS (not in IAM)
- Can copy an un-encrypted RDS snapshot into an encrypted one
- CloudTrail cannot be used to track queries made within RDS

SSL/TLS – Basics

- SSL refers to Secure Sockets Layer, used to encrypt connections
- TLS refers to Transport Layer Security, which is a newer version
- Nowadays, TLS certificates are mainly used, but people still refer as SSL
- Public SSL certificates are issued by Certificate Authorities (CA)
  - Comodo, Symantec, GoDaddy, GlobalSign, Digicert, Letsencrypt, etc…
- SSL certificates have an expiration date (you set) and must be renewed

SSL Encryption – How it works

[Diagram: handshake between Client and Server]
1. Client sends hello, cipher suites + random
2. Server response with server random + SSL certificate (Public Key)
3. Client verifies SSL certificate
4. Master key (symmetric) generated and sent encrypted using the Public Key
5. Server verifies Client SSL cert (optional)
6. Master key is decrypted using Private Key
7. Secure Symmetric Communication in Place

- Asymmetric Encryption is expensive (SSL)
- Symmetric encryption is cheaper
- Asymmetric handshake is used to exchange a per-client random symmetric key
- Possibility of client sending an SSL certificate as well (two-way certificate)

SSL – Server Name Indication (SNI)

- SNI solves the problem of loading multiple SSL certificates onto one web server (to serve multiple websites)
- It's a "newer" protocol, and requires the client to indicate the hostname of the target server in the initial SSL handshake
- The server will then find the correct certificate, or return the default one

[Diagram: the Client tells the ALB "I would like Domain1.example.com"; the ALB holds several SSL certs, uses the correct Domain1.example.com SSL cert, and forwards to the Target group for Domain1.example.com rather than the one for www.mycorp.com]

Note:
- Only works for ALB & NLB (newer generation), CloudFront
- Does not work for CLB (older gen)

SSL – Man in the Middle Attacks

[Diagram, HTTP: User -> Pirate Server (can intercept packets) -> Good Server]

[Diagram, HTTPS: User -> Pirate Server -> Good Server; the Pirate Server sends a fake SSL cert to the User and decrypts and re-encrypts packets. If infected, the user may trust the "pirate SSL certificate"]

SSL – Man in the Middle Attack: How to prevent

1. Don't use public-facing HTTP, use HTTPS (meaning, use SSL/TLS certificates)
2. Use a DNS that has DNSSEC
   - To send a client to a pirate server, a DNS response needs to be "forged" by a server which intercepts them
   - It is possible to protect your domain name by configuring DNSSEC
   - Amazon Route 53 supports DNSSEC for domain registration.
   - Route 53 supports DNSSEC for DNS service as of December 2020 (using KMS)
   - You could also run a custom DNS server on Amazon EC2 for example (Bind is the most popular, dnsmasq, KnotDNS, PowerDNS).

AWS Certificate Manager (ACM)

- To host public SSL certificates in AWS, you can:
  - Buy your own and upload them using the CLI
  - Have ACM provision and renew public SSL certificates for you (free of cost)
- ACM loads SSL certificates on the following integrations:
  - Load Balancers (including the ones created by EB)
  - CloudFront distributions
  - APIs on API Gateways
- SSL certificates is overall a pain to manually manage, so ACM is great to leverage in your AWS infrastructure!

[Diagram: the Public www sends an HTTPS Request to the ELB, which performs SSL termination with a certificate that ACM provisions and maintains; the ELB forwards an HTTP Request to the private AWS side (EC2). Less CPU cost in EC2 thanks to SSL termination for the ELB]

ACM – Good to know

- Possibility of creating public certificates
  - Must verify public DNS
  - Must be issued by a trusted public certificate authority (CA)
- Possibility of creating private certificates
  - For your internal applications
  - You create your own private CA
  - Your applications must trust your private CA
- Certificate renewal:
  - Automatically done if generated / provisioned by ACM
  - Any manually uploaded certificates must be renewed manually and re-uploaded
- ACM is a regional service
  - To use with a global application (multiple ALB for example), you need to issue an SSL certificate in each region where your application is deployed.
  - You cannot copy certs across regions

CloudHSM

- KMS => AWS manages the software for encryption
- CloudHSM => AWS provisions encryption hardware
- Dedicated Hardware (HSM = Hardware Security Module)
- You manage your own encryption keys entirely (not AWS)
- HSM device is tamper resistant, FIPS 140-2 Level 3 compliance
- Supports both symmetric and asymmetric encryption (SSL/TLS keys)
- No free tier available
- Must use the CloudHSM Client Software
- Redshift supports CloudHSM for database encryption and key management
- Good option to use with SSE-C encryption

CloudHSM Diagram

[Diagram: AWS manages the Hardware; the User manages the Keys through the AWS CloudHSM Client, which talks to the HSM over an SSL Connection]

IAM permissions:
- CRUD an HSM Cluster

CloudHSM Software:
- Manage the Keys
- Manage the Users

CloudHSM – High Availability

- CloudHSM clusters are spread across Multi AZ (HA)
- Great for availability and durability

[Diagram: the CloudHSM Client connects to CloudHSM 1 in Availability Zone 1 and CloudHSM 2 in Availability Zone 2]

CloudHSM vs KMS

Feature                    | AWS KMS                                                           | AWS CloudHSM
---------------------------|-------------------------------------------------------------------|---------------------------------------------------------------------------------
Tenancy                    | Uses multi-tenant key storage                                     | Single tenant key storage, dedicated to one customer
Keys                       | Keys owned and managed by AWS                                     | Customer managed keys
Encryption                 | Supports only symmetric encryption                                | Supports both symmetric and asymmetric encryption
Cryptographic Acceleration | None                                                              | SSL/TLS Acceleration, Oracle TDE Acceleration
Key Storage and Management | Accessible from multiple regions; centralized management from IAM | Deployed and managed from a customer VPC; accessible and can be shared across VPCs using VPC peering
Free Tier Availability     | Yes                                                               | No

Solution Architecture: SSL on ALB

[Diagram: clients connect over HTTPS to an ALB with an SSL cert from ACM; the ALB forwards over HTTP to the EC2 instances of an Auto Scaling Group]

Solution Architecture: SSL on web server EC2 instances

[Diagram: clients connect over HTTPS to an NLB (TCP), which passes HTTPS through to the EC2 instances of an Auto Scaling Group. At EC2 boot time (user data) each instance retrieves the SSL private key from the SSM Parameter Store, which requires IAM permissions, and installs the certs on EC2. Performing SSL encryption / decryption can use CPU resources]

Solution Architecture: CloudHSM – SSL Offloading

- You can offload SSL to CloudHSM (SSL Acceleration)
- Supported by NGINX & Apache Web servers
- Extra security: the SSL private key never leaves the HSM device
- Must setup a cryptographic user (CU) on the CloudHSM device

[Diagram: clients connect over HTTPS to an NLB (TCP), which passes HTTPS through to the EC2 instances of an Auto Scaling Group; the instances offload SSL to CloudHSM (multi-AZ)]

S3 Encryption for Objects

- There are 4 methods of encrypting objects in S3
  - SSE-S3: encrypts S3 objects using keys handled & managed by AWS
  - SSE-KMS: leverage AWS Key Management Service to manage encryption keys
  - SSE-C: when you want to manage your own encryption keys
  - Client Side Encryption
- Glacier: all data is AES-256 encrypted, key under AWS control

Encryption in transit (SSL)

- AWS S3 exposes:
  - HTTP endpoint: non encrypted
  - HTTPS endpoint: encryption in flight
- You're free to use the endpoint you want, but HTTPS is recommended
- HTTPS is mandatory for SSE-C
- Encryption in flight is also called SSL / TLS

Events in S3 Buckets

- S3 Access Logs:
  - Detailed records for the requests that are made to a bucket
  - Might take hours to deliver
  - Might be incomplete (best effort)
- S3 Events Notifications:
  - Receive notifications when certain events happen in your bucket
  - E.g.: new objects created, object removal, restore objects, replication events
  - Destinations: SNS, SQS queue, Lambda
  - Typically delivered in seconds but can take minutes; one notification for every object if versioning is enabled, else there is a risk of a single notification for two simultaneous writes of the same object
- Trusted Advisor:
  - Check the bucket permission (is the bucket public?)
- CloudWatch Events:
  - Need to enable CloudTrail object level logging on S3 first
  - Target can be Lambda, SQS, SNS, etc…

S3 Security

- User based
  - IAM policies - which API calls should be allowed for a specific user from IAM console
- Resource Based
  - Bucket Policies - bucket wide rules from the S3 console - allows cross account
  - Object Access Control List (ACL) – finer grain
  - Bucket Access Control List (ACL) – less common

S3 Bucket Policies

- Use S3 bucket policy to:
  - Grant public access to the bucket
  - Force objects to be encrypted at upload
  - Grant access to another account (Cross Account)
- Optional Conditions on:
  - Public IP or Elastic IP (not on Private IP)
  - Source VPC or Source VPC Endpoint – only works with VPC Endpoints
  - CloudFront Origin Identity
  - MFA
- Examples here: https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html
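The bucket-policy uses and conditions listed above (force encryption at upload, restrict to a VPC endpoint or a public IP range, require MFA), evaluated over a request context, as an added illustration (not AWS's evaluator and not course code). The bucket name, VPC endpoint id and IP ranges are constructed sample values; principal matching is omitted and only the condition operators the slide relies on are implemented.

```python
"""Condition evaluation for S3 bucket-policy statements (illustration only).
Operators covered: StringEquals, StringNotEquals, IpAddress, NotIpAddress,
Null, Bool and BoolIfExists; keys absent from the request context do not
match except for Null and the ...IfExists variants."""
import fnmatch
import ipaddress


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _ip_in(actual, cidrs):
    ip = ipaddress.ip_address(actual)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in _as_list(cidrs))


def _operator(operator, expected, actual):
    """Evaluate one operator; actual is None when the key is absent from the request."""
    if operator == "Null":
        return (actual is None) == (str(expected).lower() == "true")
    if actual is None:
        return operator.endswith("IfExists")  # absent key: match only for ...IfExists
    base = operator.replace("IfExists", "")
    if base == "StringEquals":
        return any(actual == e for e in _as_list(expected))
    if base == "StringNotEquals":
        return all(actual != e for e in _as_list(expected))
    if base == "IpAddress":
        return _ip_in(actual, expected)
    if base == "NotIpAddress":
        return not _ip_in(actual, expected)
    if base == "Bool":
        return str(actual).lower() == str(expected).lower()
    raise ValueError(f"unsupported condition operator: {operator}")


def condition_matches(statement, context):
    """Every operator and every key in the Condition block must match (AND)."""
    for operator, keys in statement.get("Condition", {}).items():
        for key, expected in keys.items():
            if not _operator(operator, expected, context.get(key)):
                return False
    return True


def bucket_policy_decision(policy, action, resource, context):
    """'Deny' if any matching statement denies, 'Allow' if one allows, else 'ImplicitDeny'."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not condition_matches(stmt, context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


OBJECTS = "arn:aws:s3:::example-bucket/*"      # constructed bucket name
VPCE = "vpce-0123456789abcdef0"                # constructed VPC endpoint id
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    # Force encryption at upload: reject a wrong header, and reject a missing one.
    {"Sid": "DenyIncorrectEncryptionHeader", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": OBJECTS,
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
    {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": OBJECTS,
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    # Source VPC Endpoint condition (only meaningful for traffic via a VPC endpoint).
    {"Sid": "AllowFromVpcEndpoint", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": OBJECTS,
     "Condition": {"StringEquals": {"aws:SourceVpce": VPCE}}},
    # Public IP condition (the requester's public address, never a private IP).
    {"Sid": "AllowFromOfficePublicIp", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": OBJECTS,
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    # MFA condition: deletes without MFA are denied, including when the key is absent.
    {"Sid": "DenyDeleteWithoutMfa", "Effect": "Deny", "Principal": "*",
     "Action": "s3:DeleteObject", "Resource": OBJECTS,
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
]}


if __name__ == "__main__":
    key = "arn:aws:s3:::example-bucket/report.csv"
    print(bucket_policy_decision(BUCKET_POLICY, "s3:PutObject", key,
          {"aws:SourceVpce": VPCE, "s3:x-amz-server-side-encryption": "AES256"}))
    print(bucket_policy_decision(BUCKET_POLICY, "s3:PutObject", key, {"aws:SourceVpce": VPCE}))
    print(bucket_policy_decision(BUCKET_POLICY, "s3:GetObject", key, {"aws:SourceIp": "203.0.113.10"}))
```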

S3 pre-signed URLs

- Can generate pre-signed URLs using SDK or CLI
  - For downloads (easy, can use the CLI)
  - For uploads (harder, must use the SDK)
- Valid for a default of 3600 seconds, can change timeout with --expires-in [TIME_BY_SECONDS] argument
- Users given a pre-signed URL inherit the permissions of the person who generated the URL for GET / PUT
- Examples:
  - Allow only logged-in users to download a premium video on your S3 bucket
  - Allow an ever changing list of users to download files by generating URLs dynamically
  - Allow temporarily a user to upload a file to a precise location in our bucket

VPC Endpoint Gateway for S3

[Diagram: a Public Instance in the VPC reaches the S3 Bucket through the Internet Gateway over the public www; that bucket's policy filters by aws:SourceIp (public IP only). A Private Instance reaches the private S3 Bucket through a VPC Endpoint (one or few endpoints); that bucket's policy filters by aws:SourceVpce, OR by aws:SourceVpc (encompasses all possible VPC endpoints)]

S3 Object Lock & Glacier Vault Lock

- S3 Object Lock
  - Adopt a WORM (Write Once Read Many) model
  - Block an object version deletion for a specified amount of time
- Glacier Vault Lock
  - Adopt a WORM (Write Once Read Many) model
  - Lock the policy for future edits (can no longer be changed)
  - Helpful for compliance and data retention

[Diagram: an Object under a Vault Lock Policy; the object can't be deleted]

Network Security

- Security Groups
  - Attached to ENI (Elastic Network Interfaces) – EC2, RDS, Lambda in VPC, etc
  - Are stateful (any traffic in is allowed to go out, any traffic out can go back in)
  - Can reference by CIDR and security group id
  - Supports security group references for VPC peering
  - Default: inbound denied, outbound all allowed
- NACL (Network ACL):
  - Attached at the subnet level
  - Are stateless (inbound and outbound rules apply for all traffic)
  - Can only reference a CIDR range (no hostname)
  - Default: allow all inbound, allow all outbound
  - New NACL: denies all inbound, denies all outbound
- Host Firewall
  - Software based, highly customizable

[Diagram: VPC > Public subnet (NACL) > Security Group > Host (Firewall)]

What's a DDOS* Attack?

*Distributed Denial-of-Service

[Diagram: an attacker controls masters, which control bots that flood the application server; for normal users the server is not accessible / not responsive]

Type of Attacks on your infrastructure

- Distributed Denial of Service (DDoS):
  - When your service is unavailable because it's receiving too many requests
  - SYN Flood (Layer 4): send too many TCP connection requests
  - UDP Reflection (Layer 4): get other servers to send many big UDP requests
  - DNS flood attack: overwhelm the DNS so legitimate users can't find the site
  - Slow Loris attack: a lot of HTTP connections are opened and maintained
- Application level attacks:
  - more complex, more specific (HTTP level)
  - Cache bursting strategies: overload the backend database by invalidating cache

DDoS Protection on AWS

- AWS Shield Standard: protects against DDoS attack for your website and applications, for all customers at no additional costs
- AWS Shield Advanced: 24/7 premium DDoS protection
- AWS WAF: Filter specific requests based on rules
- CloudFront and Route 53:
  - Availability protection using global edge network
  - Combined with AWS Shield, provides DDoS attack mitigation at the edge
- Be ready to scale – leverage AWS Auto Scaling
- Separate static resources (S3 / CloudFront) from dynamic ones (EC2 / ALB)
- Read the whitepaper for details: https://d1.awsstatic.com/whitepapers/Security/DDoS_White_Paper.pdf

Sample Reference Architecture

https://aws.amazon.com/answers/networking/aws-ddos-attack-mitigation/

AWS Shield

- AWS Shield Standard:
  - Free service that is activated for every AWS customer
  - Provides protection from attacks such as SYN/UDP Floods, Reflection attacks and other layer 3/layer 4 attacks
- AWS Shield Advanced:
  - Optional DDoS mitigation service ($3,000 per month per organization)
  - Protect against more sophisticated attacks on Amazon EC2, Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, and Route 53
  - 24/7 access to AWS DDoS response team (DRP)
  - Protect against higher fees during usage spikes due to DDoS

AWS WAF – Web Application Firewall

- Protects your web applications from common web exploits (Layer 7)
- Deploy on Application Load Balancer (localized rules)
- Deploy on API Gateway (rules running at the regional or edge level)
- Deploy on CloudFront (rules globally on edge locations)
- Used to front other solutions: CLB, EC2 instances, custom origins, S3 websites
- WAF is not a DDoS protection service (that is Shield's job), although its rate-based rules do help throttle Layer 7 floods
- Define a Web ACL (Web Access Control List):
  - Rules can match on: IP addresses, HTTP headers, HTTP body, or URI strings
  - Protects from common attacks – SQL injection and Cross-Site Scripting (XSS)
  - Size constraints, geo match
  - Rate-based rules (block a source IP whose request count exceeds a limit over a 5-minute window)

AWS Firewall Manager

- Manage rules in all accounts of an AWS Organization
- Common set of security rules:
  - WAF rules (Application Load Balancer, API Gateways, CloudFront)
  - AWS Shield Advanced (ALB, CLB, Elastic IP, CloudFront)
  - Security Groups for EC2 and ENI resources in VPC

Blocking an IP address

[Diagram: Client → VPC → NACL → EC2 instance (Security Group, public IP), optionally with firewall software running inside the EC2 instance]

Blocking an IP address – with an ALB

[Diagram: Client → VPC → NACL → ALB (ALB Security Group, public IP) → EC2 instance (EC2 Security Group, private IP); the ALB terminates the client connection and opens its own to the instance, so the instance sees the ALB's private IP as the source]

Blocking an IP address – with an NLB

[Diagram: Client → VPC → NACL → Network Load Balancer (no Security Group) → EC2 instance (EC2 Security Group, private IP); traffic goes through the NLB and the instance sees the client's IP, so the NACL and the instance Security Group are what block the address]

Blocking an IP address – ALB + WAF

[Diagram: Client → VPC → NACL → ALB (ALB Security Group) with AWS WAF attached for IP address filtering → EC2 instance (EC2 Security Group, private IP)]

Blocking an IP address – ALB, CloudFront WAF

[Diagram: Client → CloudFront (public IPs; WAF for IP address filtering, plus geo restriction) → VPC → public ALB (ALB Security Group) → EC2 instance (EC2 Security Group, private IP); the NACL is not helpful here because the VPC only ever sees CloudFront's IPs, never the client's]
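The following is an added example, not code from the course, that models the three controls the "Blocking an IP address" diagrams and the WAF slide rely on: a NACL (numbered rules, lowest match wins, explicit deny possible), a security group (allow-only, so it cannot single out one address), and a WAF web ACL with an IP set rule and a rate-based rule. It runs them over a constructed request log; all addresses, ports and rule numbers are made up, and the rate window is shortened from WAF's real 5 minutes so the sample stays small.

```python
"""Which layer can block a source IP on the path client -> NACL -> ALB/NLB -> EC2?

Added example; not code from the course slides. Addresses, rule numbers and
the request log are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class NaclRule:
    number: int
    cidr: str
    action: str  # "allow" or "deny"


def nacl_decision(rules, src_ip):
    """Evaluate like a NACL: the lowest-numbered matching rule wins and the
    catch-all '*' rule denies whatever is left."""
    addr = ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if addr in ip_network(rule.cidr):
            return rule.action
    return "deny"


def sg_decision(allow_cidrs, src_ip):
    """Security groups only hold allow rules: the only way to 'block' an IP is
    for it to fall outside every allowed CIDR, which a 0.0.0.0/0 allow defeats."""
    addr = ip_address(src_ip)
    return "allow" if any(addr in ip_network(c) for c in allow_cidrs) else "deny"


@dataclass
class WebAcl:
    blocked_cidrs: list            # IP set rule, evaluated first
    rate_limit: int                # max requests per source IP per window
    window_seconds: int = 300      # real AWS WAF rate-based rules count over 5 minutes
    _seen: dict = field(default_factory=lambda: defaultdict(list))

    def decision(self, src_ip, ts):
        if any(ip_address(src_ip) in ip_network(c) for c in self.blocked_cidrs):
            return "block"
        recent = [t for t in self._seen[src_ip] if t > ts - self.window_seconds]
        recent.append(ts)
        self._seen[src_ip] = recent
        return "block" if len(recent) > self.rate_limit else "allow"


def source_ip_seen_by_instance(balancer, client_ip, balancer_private_ip):
    """An NLB forwards the client's IP unchanged; an ALB terminates the connection
    and opens its own, so the instance sees the ALB and must read
    X-Forwarded-For to learn the client (which is why WAF sits on the ALB)."""
    return client_ip if balancer == "NLB" else balancer_private_ip


# Constructed request log: (timestamp in seconds, client IP). 203.0.113.9 is the
# address to block outright; 198.51.100.7 is a normal client that starts flooding.
REQUEST_LOG = [(0, "203.0.113.9"), (1, "198.51.100.7"), (2, "192.0.2.44")] + [
    (10 + i, "198.51.100.7") for i in range(12)
]
NACL = [NaclRule(50, "203.0.113.9/32", "deny"), NaclRule(100, "0.0.0.0/0", "allow")]
SG_ALLOW = ["0.0.0.0/0"]                     # typical web-tier allow on 443
WAF_BLOCKED = ["203.0.113.0/24"]


def run(log=REQUEST_LOG, nacl=NACL, sg=SG_ALLOW, waf=None):
    """Return, per client IP, the last decision taken by each layer."""
    waf = waf or WebAcl(blocked_cidrs=WAF_BLOCKED, rate_limit=10, window_seconds=60)
    out = {}
    for ts, ip in log:
        out[ip] = {"nacl": nacl_decision(nacl, ip),
                   "sg": sg_decision(sg, ip),
                   "waf": waf.decision(ip, ts)}
    return out


if __name__ == "__main__":
    for ip, decisions in run().items():
        print(ip, decisions)
```

The output shows the point of the slides: the security group never blocks a single address because it is allow-only; the NACL blocks the listed IP but only sees the client address in the direct and NLB cases; and WAF on the ALB or CloudFront is the layer that sees the original client for both the IP set and the rate limit.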

AWS Inspector

- Only for EC2 instances (started from an AMI)
- Analyzes the running OS against known vulnerabilities
- Analyzes against unintended network accessibility
- The AWS Inspector agent must be installed on the OS of the EC2 instances
- Define an assessment template (rules package, duration, attributes, SNS topics)
- No custom rules possible – only the AWS managed rules packages can be used
- After the assessment, you get a report with a list of vulnerabilities

AWS Config

- Helps with auditing and recording compliance of your AWS resources
- Helps record configurations and changes over time
- AWS Config Rules do not prevent actions from happening (no deny)
- Questions that can be solved by AWS Config:
  - Is there unrestricted SSH access to my security groups?
  - Do my buckets have any public access?
  - How has my ALB configuration changed over time?
- You can receive alerts (SNS notifications) for any changes
- AWS Config is a per-region service
- Can be aggregated across regions and accounts

AWS Config Resource

- View compliance of a resource over time
- View configuration of a resource over time
- View CloudTrail API calls if enabled

AWS Config Rules

- Can use AWS managed config rules (over 75)
- Can make custom config rules (must be defined in AWS Lambda)
  - Evaluate if each EBS disk is of type gp2
  - Evaluate if each EC2 instance is t2.micro
- Rules can be evaluated / triggered:
  - For each config change
  - And / or: at regular time intervals
  - Can trigger CloudWatch Events if the rule is non-compliant (and chain with Lambda)
- Rules can have auto remediations:
  - If a resource is not compliant, you can trigger an auto remediation
  - Define the remediation through SSM Automation documents
  - Ex: remediate security group rules, stop instances with non-approved tags
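As an added example (not code from the course), here is what a custom Config rule's Lambda looks like for the first question on the AWS Config slide, "is there unrestricted SSH access to my security groups?". Config invokes the function with an `invokingEvent` JSON string carrying the configuration item; the handler returns COMPLIANT or NON_COMPLIANT and, when given a boto3 Config client, reports it with PutEvaluations. The event keys used (`invokingEvent`, `configurationItem`, `resourceType`, `resourceId`, `configurationItemCaptureTime`, `resultToken`) are the real ones; the exact layout of `ipPermissions` inside the configuration item (string CIDRs versus `{"cidrIp": ...}` objects, `ipRanges` versus `ipv4Ranges`) varies between Config versions, so the code accepts both and you should check it against a real item. The two sample events are constructed.

```python
"""Custom AWS Config rule (Lambda handler): flag security groups with SSH open
to the world.

Added example; not code from the course. Sample events are constructed.
"""
import json
from ipaddress import ip_network

SSH_PORT = 22


def _cidrs(perm):
    """Collect CIDRs from an ipPermissions entry, tolerating both the string
    form ("0.0.0.0/0") and the object form ({"cidrIp": "0.0.0.0/0"})."""
    out = []
    for key in ("ipRanges", "ipv4Ranges", "ipv6Ranges"):
        for r in perm.get(key, []):
            out.append(r if isinstance(r, str) else (r.get("cidrIp") or r.get("cidrIpv6")))
    return [c for c in out if c]


def rule_is_open_to_world(perm):
    """True if one ingress permission exposes tcp/22 (or all traffic) to
    0.0.0.0/0 or ::/0."""
    proto = perm.get("ipProtocol")
    if proto not in ("tcp", "-1"):
        return False
    if proto == "tcp":
        lo, hi = perm.get("fromPort", 0), perm.get("toPort", 65535)
        if not lo <= SSH_PORT <= hi:
            return False
    return any(ip_network(c).prefixlen == 0 for c in _cidrs(perm))


def evaluate_compliance(item):
    """Return (compliance_type, annotation) for one configuration item."""
    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "rule only covers security groups"
    if item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE", "resource deleted"
    perms = item.get("configuration", {}).get("ipPermissions", [])
    if any(rule_is_open_to_world(p) for p in perms):
        return "NON_COMPLIANT", "SSH (tcp/22) ingress allowed from 0.0.0.0/0 or ::/0"
    return "COMPLIANT", "no world-open SSH ingress"


def lambda_handler(event, context=None, config_client=None):
    """Entry point Config invokes. `config_client` is an optional boto3 Config
    client; when given, the evaluation is sent with put_evaluations, otherwise
    it is only returned (offline use / unit tests)."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    compliance, annotation = evaluate_compliance(item)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    if config_client is not None:
        config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


def _event(sg_id, ip_permissions):
    """Build a constructed Config invocation event for a security group."""
    item = {
        "resourceType": "AWS::EC2::SecurityGroup",
        "resourceId": sg_id,
        "configurationItemStatus": "OK",
        "configurationItemCaptureTime": "2020-01-01T00:00:00.000Z",
        "configuration": {"ipPermissions": ip_permissions},
    }
    return {"invokingEvent": json.dumps({"configurationItem": item}), "resultToken": "test-token"}


OPEN_SSH_EVENT = _event("sg-0aaa", [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                                      "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []}])
LOCKED_SSH_EVENT = _event("sg-0bbb", [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                                        "ipRanges": [{"cidrIp": "10.0.0.0/8"}], "ipv6Ranges": []}])

if __name__ == "__main__":
    print(lambda_handler(OPEN_SSH_EVENT)["ComplianceType"])
    print(lambda_handler(LOCKED_SSH_EVENT)["ComplianceType"])
```

Note that the rule only reports; as the Config slide says, it cannot deny the change. Pair it with an SSM Automation remediation (the slide's "remediate security group rules") if you want the open rule removed automatically.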

AWS Managed Logs

- Load Balancer Access Logs (ALB, NLB, CLB) => to S3
  - Access logs for your Load Balancers
- CloudTrail Logs => to S3 and CloudWatch Logs
  - Logs for API calls made within your account
- VPC Flow Logs => to S3 and CloudWatch Logs
  - Information about IP traffic going to and from network interfaces in your VPC
- Route 53 Access Logs => to CloudWatch Logs
  - Log information about the queries that Route 53 receives
- S3 Access Logs => to S3
  - Server access logging provides detailed records for the requests that are made to a bucket
- CloudFront Access Logs => to S3
  - Detailed information about every user request that CloudFront receives
- AWS Config => to S3

GuardDuty

- Intelligent threat discovery to protect your AWS account
- Uses machine learning algorithms, anomaly detection, 3rd party data
- One click to enable (30-day trial), no need to install software
- Input data includes:
  - CloudTrail Logs: unusual API calls, unauthorized deployments
  - VPC Flow Logs: unusual internal traffic, unusual IP addresses
  - DNS Logs: compromised EC2 instances sending encoded data within DNS queries
- Can set up CloudWatch Events rules to be notified in case of findings
- CloudWatch Events rules can target AWS Lambda or SNS
! #$%&'()% *((+%,

GuardDuty

[Diagram: VPC Flow Logs, CloudTrail Logs and DNS Logs (AWS DNS) feed GuardDuty; findings go to a CloudWatch Events rule, which targets Lambda or SNS]
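The GuardDuty slides say findings come from VPC Flow Logs and are routed through CloudWatch Events rules, without showing either. The added example below (not code from the course) does both end to end on a constructed flow log: it parses version-2 VPC Flow Log records, turns a "one source hitting many ports on one host, all rejected" pattern into a finding in GuardDuty's event shape, and filters findings with a CloudWatch Events rule pattern that only keeps severity 4 and above. The finding type `Recon:EC2/Portscan`, the `aws.guardduty` source and the `{"numeric": [">=", 4]}` pattern syntax are real; the detection threshold, the severity value and the trimmed finding structure are the example's own, and the pattern matcher only models exact values and numeric comparisons.

```python
"""From VPC Flow Log lines to a GuardDuty-style finding routed by a
CloudWatch Events rule.

Added example; not code from the course. The flow log below is constructed.
"""
from collections import defaultdict

# VPC Flow Log default (version 2) field order
FLOW_FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
               "protocol packets bytes start end action log-status").split()


def parse_flow_log(text):
    """Parse space-separated flow log records into dicts, skipping the header."""
    records = []
    for line in text.strip().splitlines():
        if line.startswith("version "):
            continue
        rec = dict(zip(FLOW_FIELDS, line.split()))
        rec["dstport"] = int(rec["dstport"])
        records.append(rec)
    return records


def detect_portscans(records, min_ports=10):
    """Flag (srcaddr, dstaddr) pairs whose REJECTed flows touch at least
    `min_ports` distinct destination ports; emit GuardDuty-shaped findings
    (field names follow the finding JSON, trimmed to what is used here)."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[(r["srcaddr"], r["dstaddr"])].add(r["dstport"])
    findings = []
    for (src, dst), hit in ports.items():
        if len(hit) >= min_ports:
            findings.append({
                "source": "aws.guardduty",
                "detail-type": "GuardDuty Finding",
                "detail": {
                    "type": "Recon:EC2/Portscan",
                    "severity": 5.0,   # example value; real severities are set by the service
                    "resource": {"instanceDetails": {"networkInterfaces": [{"privateIpAddress": dst}]}},
                    "service": {"action": {"networkConnectionAction": {
                        "remoteIpDetails": {"ipAddressV4": src}}}},
                },
            })
    return findings


def event_matches(pattern, event):
    """Simplified CloudWatch Events pattern match: every key in the pattern must
    exist in the event; a leaf list is an OR of exact values, and a
    [{"numeric": [op, n]}] leaf is a numeric comparison."""
    for key, want in pattern.items():
        if key not in event:
            return False
        have = event[key]
        if isinstance(want, dict):
            if not isinstance(have, dict) or not event_matches(want, have):
                return False
            continue
        ok = False
        for option in want:
            if isinstance(option, dict) and "numeric" in option:
                op, n = option["numeric"]
                ok = {">=": have >= n, ">": have > n, "<=": have <= n,
                      "<": have < n, "=": have == n}[op]
            else:
                ok = have == option
            if ok:
                break
        if not ok:
            return False
    return True


# Rule pattern: alert (Lambda / SNS target) on GuardDuty findings of severity >= 4
HIGH_SEVERITY_RULE = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 4]}]},
}

# Constructed flow log: 203.0.113.7 probes 10.0.1.15 on twelve ports, all rejected,
# plus ordinary accepted HTTPS traffic from an internal host.
SAMPLE_FLOW_LOG = ("version account-id interface-id srcaddr dstaddr srcport dstport "
                   "protocol packets bytes start end action log-status\n")
SAMPLE_FLOW_LOG += "".join(
    f"2 123456789012 eni-0abc 203.0.113.7 10.0.1.15 4{p:04d} {p} 6 1 44 1580000000 1580000060 REJECT OK\n"
    for p in (21, 22, 23, 25, 80, 110, 143, 443, 3306, 3389, 5432, 8080)
)
SAMPLE_FLOW_LOG += "2 123456789012 eni-0abc 10.0.2.9 10.0.1.15 51000 443 6 20 3000 1580000000 1580000060 ACCEPT OK\n"


def alerts_for(flow_log_text, rule=HIGH_SEVERITY_RULE):
    """End to end: parse -> detect -> keep only the findings the rule selects."""
    findings = detect_portscans(parse_flow_log(flow_log_text))
    return [f for f in findings if event_matches(rule, f)]


if __name__ == "__main__":
    for f in alerts_for(SAMPLE_FLOW_LOG):
        print(f["detail"]["type"], f["detail"]["severity"])
```

In production the detection itself is GuardDuty's job; what you own is the rule pattern and the target, and the pattern is where you decide which severities page someone and which only go to a ticket.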

Compute and Load Balancing Section

Solution Architecture on AWS

[Diagram: the layers of a typical AWS architecture]
- DNS Layer: Route 53
- CDN Layer: CloudFront
- Static Assets Layer (storage): S3, Glacier
- Web Layer: CLB, ALB, NLB, API Gateway, Elastic IP
- Compute Layer: EC2, ASG, Lambda
- Caching & Session Layer: ElastiCache, DAX, DynamoDB, RDS
- Database Layer: RDS, Aurora, DynamoDB, ElasticSearch, S3, Redshift
- Decoupling / Orchestration Layer: SQS, SNS, Kinesis, Amazon MQ, Step Functions
- Storage Layer: EBS, EFS, Instance Store

EC2 Instance Types – Main ones

- R: applications that need a lot of RAM – in-memory caches
- C: applications that need good CPU – compute / databases
- M: applications that are balanced (think "medium") – general / web apps
- I: applications that need good local I/O (instance storage) – databases
- G: applications that need a GPU – video rendering / machine learning
- T2 / T3: burstable instances (up to a capacity)
- T2 / T3 - unlimited: unlimited burst
- Real-world tip: use https://www.ec2instances.info

EC2 - Placement Groups

- Control the EC2 instance placement strategy using placement groups
- Group strategies:
  - Cluster – clusters instances into a low-latency group in a single Availability Zone
  - Spread – spreads instances across underlying hardware (max 7 instances per group per AZ) – critical applications
  - Partition – spreads instances across many different partitions (which rely on different sets of racks) within an AZ. Scales to 100s of EC2 instances per group (Hadoop, Cassandra, Kafka)
- You can move an instance into or out of a placement group
  - You first need to stop it
  - You then need to use the CLI (modify-instance-placement)
  - You can then start your instance

Placement Groups – Cluster

[Diagram: six EC2 instances in one placement group, on the same rack in a single AZ, with a 10 Gbps low-latency network between them]

- Pros: great network (10 Gbps bandwidth between instances)
- Cons: if the rack fails, all instances fail at the same time
- Note: choose an instance type that has Enhanced Networking
- Use cases:
  - Big Data job that needs to complete fast
  - Application that needs extremely low latency and high network throughput

Placement Groups – Spread

[Diagram: instances spread across us-east-1a, us-east-1b and us-east-1c, each on a different piece of hardware (Hardware 1 to 6)]

- Pros:
  - Can span across Availability Zones (AZ)
  - Reduced risk of simultaneous failure
  - EC2 instances are on different physical hardware
- Cons:
  - Limited to 7 instances per AZ per placement group
- Use cases:
  - Application that needs to maximize high availability
  - Critical applications where each instance must be isolated from failure of the others

Placement Groups – Partition

[Diagram: one AZ (us-east-1a) with Partition 1, Partition 2 and Partition 3, each holding several EC2 instances on its own set of racks]

- Up to 7 partitions per AZ
- Up to 100s of EC2 instances
- The instances in a partition do not share racks with the instances in the other partitions
- A partition failure can affect many EC2 instances but won't affect other partitions
- EC2 instances get access to the partition information as metadata
- Use cases: HDFS, HBase, Cassandra, Kafka

EC2 Instance Launch Types

- On-Demand Instances: short workload, predictable pricing, reliable
- Spot Instances: short workloads, for cheap, can lose instances (not reliable)
- Reserved Instances: long workloads (MINIMUM 1 year)
  - Convertible Reserved Instances: long workloads with flexible instances
  - Scheduled Reserved Instances: example – every Thursday between 3 and 6 pm
- Dedicated Instances: no other customers will share your hardware
- Dedicated Hosts: book an entire physical server, control instance placement
  - Great for software licenses that operate at the core or CPU socket level
  - Can define host affinity so that instance reboots are kept on the same host

EC2 included metrics

- CPU: CPU Utilization + Credit Usage / Balance
- Network: Network In / Out
- Status Check:
  - Instance status = checks the EC2 VM
  - System status = checks the underlying hardware
- Disk: Read / Write for Ops / Bytes (only for instance store)
- RAM is NOT included in the AWS EC2 metrics

EC2 Instance Recovery

- Status Check:
  - Instance status = checks the EC2 VM
  - System status = checks the underlying hardware

[Diagram: a CloudWatch alarm on StatusCheckFailed_System monitors the EC2 instance; when the alarm fires it triggers the EC2 Instance Recovery action and notifies an SNS topic]

- Recovery: same private, public and Elastic IP, metadata, placement group

Auto Scaling – Scaling Policies

- Simple / Step Scaling: increase or decrease instances based on two CloudWatch alarms
- Target Tracking: select a metric and a target value, and the ASG will adjust capacity on its own
  - Keep average CPU at 40%
  - Keep request count per target at 1000
- To scale based on RAM, you must use a custom CloudWatch metric

Auto Scaling – Good to know

- Spot Fleet support (mix of Spot and On-Demand instances)
- To upgrade an AMI, you must update the launch configuration / template
  - You must terminate instances manually
  - CloudFormation can help with that step (we'll see it later)
- Scheduled scaling actions:
  - Modify the ASG settings (min / max / desired) at a pre-defined time
  - Helpful when patterns are known in advance
- Lifecycle Hooks:
  - Perform actions before an instance is in service, or before it is terminated
  - Examples: cleanup, log extraction, special health checks

Auto Scaling – Scaling Processes

- Launch: adds a new EC2 instance to the group, increasing the capacity
- Terminate: removes an EC2 instance from the group, decreasing its capacity
- HealthCheck: checks the health of the instances
- ReplaceUnhealthy: terminates unhealthy instances and re-creates them
- AZRebalance: balances the number of EC2 instances across AZs
- AlarmNotification: accepts notifications from CloudWatch
- ScheduledActions: performs the scheduled actions that you create
- AddToLoadBalancer: adds instances to the load balancer or target group
- We can suspend these processes!

Auto Scaling – Health Checks

- Health checks available:
  - EC2 Status Checks
  - ELB Health Checks (HTTP)
- The ASG will launch a new instance after terminating an unhealthy one
- Make sure the health check is simple and checks the correct thing

[Diagram: GOOD HEALTH CHECK – the target group probes /health-server on each EC2 instance of the ASG; BAD HEALTH CHECK – the probe hits /number-customers, which makes a DB call, so a database problem makes every instance look unhealthy]

Auto Scaling – Updating an application

[Diagram: Client → ALB → Auto Scaling Group → EC2 instances created from a Launch Template]

Auto Scaling – Solution Architecture

[Diagram, two patterns: (1) one ALB and one target group shared by Auto Scaling Group 1 (Launch Template v1) and Auto Scaling Group 2 (Launch Template v2), so both versions receive traffic; (2) one ALB with Target Group A and Target Group B, each backed by its own ASG and Launch Template version, with traffic split between the target groups]

Auto Scaling – Solution Architecture

[Diagram: a Client and a Test Client each send a DNS query to Route 53; a weighted record sends regular clients to ALB A (Auto Scaling Group 1, Launch Template v1) and the test client to ALB B (Auto Scaling Group 2, Launch Template v2)]

EC2 Spot Instances

- Can get a discount of up to 90% compared to On-Demand
- Define a max spot price and get the instance while the current spot price < max
  - The hourly spot price varies based on offer and capacity
  - If the current spot price > your max price, you can choose to stop or terminate your instance, with a 2-minute grace period
- Other strategy: Spot Block
  - "block" spot instances during a specified time frame (1 to 6 hours) without interruptions
  - In rare situations, the instance may be reclaimed
- Used for batch jobs, data analysis, or workloads that are resilient to failures
- Not great for critical jobs or databases

EC2 Spot Instances

[Chart: spot price over time, with a horizontal "user-defined max price" line; the instance runs only while the spot price stays below it]

Spot Fleets

- Collection (fleet) of Spot Instances and optionally On-Demand instances
- Set a maximum price you're willing to pay per Spot Instance or for all of them
- Can have a mix of instance types (m5.large, m5.xlarge, c5.2xlarge, etc.)
- Supports: EC2 standalone, Auto Scaling Groups (launch template), ECS (underlying ASG), AWS Batch (Managed Compute Environment)
- Soft limits:
  - Target capacity per Spot Fleet or EC2 Fleet: 10,000
  - Target capacity across all Spot Fleets and EC2 Fleets in a region: 100,000

AWS ECS – Elastic Container Service

- ECS is a container orchestration service
- ECS helps you run Docker containers on EC2 machines
- ECS is complicated, and made of:
  - "ECS Core": running ECS on user-provisioned EC2 instances
  - Fargate: running ECS tasks on AWS-provisioned compute (serverless)
  - EKS: AWS-managed Kubernetes, an alternative orchestrator to ECS (it does not run ECS; its worker nodes run on EC2)
  - ECR: Docker container registry hosted by AWS
- ECS & Docker are very popular for microservices

What's Docker?

- Docker is a "container technology"
- Run a containerized application on any machine with Docker installed
- Containers allow our application to work the same way anywhere
- Containers are isolated from each other
- Control how much memory / CPU is allocated to your container
- Ability to restrict network rules
- More efficient than virtual machines
- Scale containers up and down very quickly (seconds)

AWS ECS – Use cases

- Run microservices
  - Ability to run multiple Docker containers on the same machine
  - Easy service discovery features to enhance communication
  - Direct integration with Application Load Balancers
  - Auto scaling capability
- Run batch processing / scheduled tasks
  - Schedule ECS containers to run on On-Demand / Reserved / Spot instances
- Migrate applications to the cloud
  - Dockerize legacy applications running on premises
  - Move Docker containers to run on ECS

AWS ECS – Concepts

- ECS cluster: set of EC2 instances
- ECS service: application definitions running on the ECS cluster
- ECS tasks + definition: containers running to create the application
- ECS IAM roles: roles assigned to tasks to interact with AWS

[Diagram: an ECS Cluster of EC2 instances hosting an ECS Service and another ECS Service, each made of several task containers spread across the instances]

AWS ECS – ALB integration

- Application Load Balancer (ALB) has a direct integration feature with ECS called "port mapping"
- This allows you to run multiple instances of the same application on the same EC2 machine
- Use cases:
  - Increased resiliency even if running on one EC2 instance
  - Maximize utilization of CPU / cores
  - Ability to perform rolling upgrades without impacting application uptime

[Diagram: one EC2 instance hosting several Node.js containers, each mapped to a different dynamic host port; the ALB (port 80 / 443) routes to all of them]

Fargate

- When launching an ECS cluster, we have to create our EC2 instances
- If we need to scale, we need to add EC2 instances
- So we manage infrastructure…
- With Fargate, it's all serverless!
- We don't provision EC2 instances
- We just create task definitions, and AWS will run our containers for us
- To scale, just increase the task number. Simple! No more EC2!

ECS – Security & Networking

- IAM security:
  - The EC2 instance role must have basic ECS permissions
  - Each ECS task should have its own IAM Task Role (maximum security)
- Secrets and configuration injection into parameters and environment variables:
  - Integration with SSM Parameter Store & Secrets Manager
- Task networking modes:
  - none: no network connectivity, no port mappings
  - bridge: uses Docker's virtual container-based network
  - host: bypasses Docker's network, uses the underlying host network interface
  - awsvpc:
    - Every task launched on the instance gets its own ENI and a private IP address
    - Simplified networking, enhanced security, security groups, monitoring, VPC flow logs
    - Default (and only) mode for Fargate
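The security points on this slide (task role, secrets via SSM / Secrets Manager, awsvpc mode) are the things to check before a task definition is registered. The added example below, which is not code from the course, lints a task definition in the JSON shape used by RegisterTaskDefinition and returns the findings a reviewer would raise. The field names `taskRoleArn`, `networkMode`, `containerDefinitions`, `environment`, `secrets`, `valueFrom`, `privileged` and `user` are real; the two task definitions are constructed, and the "this environment variable looks like a secret" name heuristic and the ARN regex are the example's own assumptions.

```python
"""Lint an ECS task definition for the security points on the slide.

Added example; not code from the course. Task definitions below are constructed.
"""
import re

SECRET_NAME_HINT = re.compile(r"(PASSWORD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.IGNORECASE)
SECRET_STORE_ARN = re.compile(r"^arn:aws:(ssm|secretsmanager):[a-z0-9-]+:\d{12}:(parameter|secret)")


def audit_task_definition(td):
    """Return a list of (severity, message) findings; an empty list means clean."""
    findings = []
    if not td.get("taskRoleArn"):
        # Without a task role, containers can reach the instance role's credentials
        # through the metadata service and inherit every permission it has.
        findings.append(("high", "no taskRo1leArn: containers inherit the EC2 instance role".replace("1", "")))
    mode = td.get("networkMode", "bridge")  # bridge is the EC2 launch-type default
    if mode != "awsvpc":
        findings.append(("medium", f"networkMode={mode!r}: use awsvpc for a per-task ENI and security group"))
    for c in td.get("containerDefinitions", []):
        name = c.get("name", "?")
        for env in c.get("environment", []):
            if SECRET_NAME_HINT.search(env.get("name", "")):
                findings.append(("high", f"{name}: {env['name']} passed as a plain environment variable; "
                                         "move it to secrets[].valueFrom"))
        for s in c.get("secrets", []):
            if not SECRET_STORE_ARN.match(s.get("valueFrom", "")):
                findings.append(("medium", f"{name}: secret {s.get('name')} valueFrom is not an "
                                           "SSM Parameter Store / Secrets Manager ARN"))
        if c.get("privileged"):
            findings.append(("high", f"{name}: privileged container"))
        if c.get("user") in (None, "root", "0"):
            findings.append(("low", f"{name}: no non-root user set (falls back to the image USER, "
                                    "root unless the image says otherwise)"))
    return findings


# Constructed: the kind of definition a first deployment often ships with.
INSECURE_TASK = {
    "family": "orders",
    "networkMode": "bridge",
    "containerDefinitions": [{
        "name": "api",
        "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/orders:1.4",
        "privileged": True,
        "environment": [{"name": "DB_PASSWORD", "value": "hunter2"},
                        {"name": "LOG_LEVEL", "value": "info"}],
    }],
}

# Constructed: the same service after applying the slide's recommendations.
HARDENED_TASK = {
    "family": "orders",
    "networkMode": "awsvpc",
    "taskRoleArn": "arn:aws:iam::123456789012:role/orders-task-role",
    "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
    "containerDefinitions": [{
        "name": "api",
        "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/orders:1.4",
        "user": "1000",
        "environment": [{"name": "LOG_LEVEL", "value": "info"}],
        "secrets": [{"name": "DB_PASSWORD",
                     "valueFrom": "arn:aws:secretsmanager:us-east-1:123456789012:secret:orders/db-AbCdEf"}],
    }],
}

if __name__ == "__main__":
    for sev, msg in audit_task_definition(INSECURE_TASK):
        print(sev, msg)
    print("hardened:", audit_task_definition(HARDENED_TASK))
```

Note the split between the two roles in the hardened definition: the execution role is what the ECS agent uses to pull the image and read the secret from Secrets Manager at launch, while the task role is what the application code itself gets; keeping them separate is what lets the task role stay minimal.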

ECS – Service Auto Scaling

- CPU and RAM are tracked in CloudWatch at the ECS service level
- Target Tracking: target a specific average CloudWatch metric
- Step Scaling: scale based on CloudWatch alarms
- Scheduled Scaling: based on predictable changes
- ECS Service Scaling (task level) is different from EC2 Auto Scaling (instance level)
- Fargate Auto Scaling is much easier to set up (because it is serverless)

ECS – Spot Instances

- ECS Classic:
  - Can have the underlying EC2 instances as Spot Instances (managed by an ASG)
  - Instances may go into draining mode to remove running tasks
  - Good for cost savings, but will impact reliability
- Fargate: Spot is available as of Dec 2019:
  - Specify a minimum number of tasks for the On-Demand baseline workload
  - Add tasks running on Fargate Spot for cost savings (can be reclaimed by AWS)
- Regardless of On-Demand or Spot, Fargate scales well based on load

AWS Lambda Integrations – Main ones

[Diagram of common Lambda integrations: API Gateway, Kinesis, DynamoDB, S3 (Simple Storage Service), AWS IoT (Internet of Things), CloudWatch Events, CloudWatch Logs, AWS SNS, AWS Cognito, Amazon SQS]

Example: Serverless Thumbnail creation

[Diagram: a new image uploaded to S3 triggers an AWS Lambda function that creates a thumbnail, stores the new thumbnail in S3 and writes metadata (image name, image size, creation date, etc.) to DynamoDB]

Example: Serverless CRON Job

[Diagram: a CloudWatch Events rule triggers an AWS Lambda function every 1 hour to perform a task]

AWS Lambda Language Support (runtimes)

- AWS supported: Node.js (JavaScript), Python, Ruby, Java (Java 8 compatible), Go, .NET Core (C#) and PowerShell
- Ability to write / use a custom runtime (community supported):
  - Ex: C++, Rust, etc…
- If Docker, you should use ECS, Fargate or Batch, not Lambda

Lambda – Limits to know

- RAM: 128 MB to 3 GB
- CPU:
  - is linked to RAM (cannot be set manually)
  - 2 vCPUs are allocated at roughly 1.5 GB of RAM
- Timeout: up to 15 minutes
- /tmp storage: 512 MB (can't process BIG files)
- Deployment package limit: 250 MB including layers
- Concurrent executions: 1000 – soft limit that can be increased

Lambda – Latencies Considerations (approximates)

- Lambda latency:
  - Cold Lambda invocation: ~100 ms
  - Warm Lambda invocation: ~ms
  - New feature of "provisioned concurrency" (Dec 2019) to reduce the number of cold starts
- API Gateway invocation: 100 ms
- CloudFront invocation: 100 ms
- If you chain with other services (API Gateway, CloudFront, ALB, Lambda, SQS, Step Functions…), add their latencies as well
- X-Ray can help visualize the end-to-end latency

[Diagram: API Gateway → Lambda, and CloudFront / ELB → Lambda, each hop adding its own latency]

Lambda – Security

! IAM Roles for Lambda (the execution role) to grant the function access to other AWS services
   ! Ex: write to DynamoDB, write to CloudWatch Logs
! Resource-based Policies for Lambda (similar to S3 bucket policies):
   ! Allow other accounts to invoke or manage Lambda
   ! Allow other services to invoke or manage Lambda
   ! Defined through the CLI (lambda add-permission) or the console
! Caveat: when a service principal (s3.amazonaws.com, sns.amazonaws.com…) is allowed to invoke, scope the statement with aws:SourceArn / aws:SourceAccount conditions; otherwise any bucket or topic in any account can trigger your function (confused deputy)
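The confused-deputy caveat above is easy to check mechanically. The following is an added example (not from the course slides): it reviews the JSON that `aws lambda get-policy` returns and flags Allow statements with a wildcard principal, a service principal that lacks an aws:SourceArn / aws:SourceAccount condition, or management actions granted to external principals. The policy document, the account IDs and the function name are constructed for the example.

```python
"""Added example: audit a Lambda resource-based policy for risky grants.
The sample below mirrors the shape of `aws lambda get-policy` output
(the Policy field is itself a JSON string); all identifiers are constructed."""
import json

SAMPLE_GET_POLICY_OUTPUT = json.dumps({
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {   # S3 may invoke, but only from one named bucket in our account: fine
                "Sid": "s3-bucket-trigger",
                "Effect": "Allow",
                "Principal": {"Service": "s3.amazonaws.com"},
                "Action": "lambda:InvokeFunction",
                "Resource": "arn:aws:lambda:us-east-1:111122223333:function:order-api",
                "Condition": {
                    "ArnLike": {"AWS:SourceArn": "arn:aws:s3:::order-uploads"},
                    "StringEquals": {"AWS:SourceAccount": "111122223333"},
                },
            },
            {   # any S3 bucket in any account could trigger us: confused deputy
                "Sid": "s3-any-bucket",
                "Effect": "Allow",
                "Principal": {"Service": "s3.amazonaws.com"},
                "Action": "lambda:InvokeFunction",
                "Resource": "arn:aws:lambda:us-east-1:111122223333:function:order-api",
            },
            {   # cross-account invoke scoped to one account: fine
                "Sid": "partner-account",
                "Effect": "Allow",
                "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
                "Action": "lambda:InvokeFunction",
                "Resource": "arn:aws:lambda:us-east-1:111122223333:function:order-api",
            },
            {   # wildcard principal plus a management action: public and dangerous
                "Sid": "oops-public",
                "Effect": "Allow",
                "Principal": "*",
                "Action": ["lambda:InvokeFunction", "lambda:UpdateFunctionCode"],
                "Resource": "arn:aws:lambda:us-east-1:111122223333:function:order-api",
            },
        ],
    }),
    "RevisionId": "00000000-0000-0000-0000-000000000000",
})

# Actions that let an external principal change the function itself.
MANAGEMENT_ACTIONS = {"lambda:UpdateFunctionCode", "lambda:UpdateFunctionConfiguration",
                      "lambda:AddPermission", "lambda:DeleteFunction", "lambda:*", "*"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_keys(stmt):
    """All condition keys used by a statement, lower-cased (keys are case-insensitive)."""
    keys = set()
    for operator_values in stmt.get("Condition", {}).values():
        keys.update(k.lower() for k in operator_values)
    return keys

def audit_resource_policy(get_policy_output: str):
    """Return a list of (Sid, finding) tuples for risky Allow statements."""
    policy = json.loads(json.loads(get_policy_output)["Policy"])
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no sid>")
        principal = stmt.get("Principal")
        actions = set(_as_list(stmt.get("Action", [])))
        keys = _condition_keys(stmt)
        # 1. anyone at all may call (or manage) the function
        if principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS", []))):
            findings.append((sid, "wildcard principal: function is publicly invokable"))
        # 2. a service principal with no source scoping: confused deputy
        if isinstance(principal, dict) and "Service" in principal:
            if not keys & {"aws:sourcearn", "aws:sourceaccount"}:
                findings.append((sid, "service principal without aws:SourceArn/aws:SourceAccount condition"))
        # 3. external principals should be able to invoke, never to manage
        if actions & MANAGEMENT_ACTIONS:
            findings.append((sid, "grants management actions to an external principal"))
    return findings

if __name__ == "__main__":
    for sid, finding in audit_resource_policy(SAMPLE_GET_POLICY_OUTPUT):
        print(f"{sid}: {finding}")
```

Run against a real function with `aws lambda get-policy --function-name NAME` piped into `audit_resource_policy`; only the two badly scoped statements are reported, the two correctly scoped ones are silent.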

Lambda in a VPC

(diagram) Default Lambda runs in an AWS-owned VPC inside the AWS Cloud: it can reach public AWS services (ex: DynamoDB) but a private RDS instance in your VPC is "not working" (unreachable).
(diagram) Lambda deployed in your VPC: the function gets an ENI in your private subnet and you assign it a security group, so it can reach the private RDS instance; to reach the internet from the private subnet it needs a NAT Gateway in a public subnet (or VPC endpoints for AWS services).
! Note: Lambda & CloudWatch Logs work even without a VPC endpoint or NAT Gateway

AWS Lambda Logging, Monitoring and Tracing

! CloudWatch:
   ! AWS Lambda execution logs are stored in AWS CloudWatch Logs
   ! AWS Lambda metrics are displayed in AWS CloudWatch Metrics (successful invocations, error rates, latency, timeouts, etc.)
   ! Make sure your AWS Lambda function has an execution role with an IAM policy that authorizes writes to CloudWatch Logs (logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents, as granted by the AWSLambdaBasicExecutionRole managed policy)
! X-Ray:
   ! It's possible to trace Lambda with X-Ray
   ! Enable in Lambda configuration (runs the X-Ray daemon for you)
   ! Use the AWS X-Ray SDK in code
   ! Ensure the Lambda function has the correct IAM execution role (AWSXRayDaemonWriteAccess)

Lambda – Synchronous Invocations

! Synchronous: CLI, SDK, API Gateway, ALB
! Result is returned right away
! Error handling must happen client side (retries, exponential backoff, etc.)
(diagram) SDK / CLI → invoke → Lambda ("do something") → response; Client → API Gateway (proxy) → invoke → Lambda → response → response
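What "error handling must happen client side" looks like in practice, as an added example (not part of the course): a synchronous invoke wrapped in exponential backoff with full jitter that retries only throttling and transient errors, surfaces permission or request errors immediately, and leaves a 200 with FunctionError to the caller because re-running a non-idempotent handler is a business decision. Nothing here talks to AWS: `invoke` stands in for `boto3.client("lambda").invoke`, and the error class is a constructed stand-in shaped like botocore's ClientError so the same classification (`e.response["Error"]["Code"]`) works on the real SDK.

```python
"""Added example: client-side retry with exponential backoff and full jitter
around a synchronous Lambda invoke. The invoke double and error class are
constructed for the example; they mimic boto3/botocore shapes, not real calls."""
import random
import time

# Lambda API error codes that mean "try again" (throttling / transient 5xx).
RETRYABLE_CODES = {"TooManyRequestsException", "ServiceException", "EC2ThrottledException"}

class LambdaClientError(Exception):
    """Stand-in for botocore.exceptions.ClientError (constructed for the example)."""
    def __init__(self, code, message=""):
        super().__init__(f"{code}: {message}")
        self.response = {"Error": {"Code": code, "Message": message}}

def backoff_delay(attempt, base=0.1, cap=2.0, rand=random.random):
    """Full-jitter backoff: uniform in [0, min(cap, base * 2**attempt)]."""
    return rand() * min(cap, base * (2 ** attempt))

def invoke_with_retry(invoke, function_name, payload, max_attempts=5,
                      sleep=time.sleep, rand=random.random):
    """Call invoke() until it succeeds or a non-retryable condition is met.
    Returns (response, attempts_used); raises the last error when retries run out.
    A 200 response carrying FunctionError is returned as-is, not retried."""
    last_error = None
    for attempt in range(max_attempts):
        try:
            response = invoke(FunctionName=function_name,
                              InvocationType="RequestResponse", Payload=payload)
            return response, attempt + 1
        except LambdaClientError as err:
            code = err.response["Error"]["Code"]
            if code not in RETRYABLE_CODES:
                raise                       # AccessDenied, ResourceNotFound...: fix, don't retry
            last_error = err
            if attempt + 1 < max_attempts:
                sleep(backoff_delay(attempt, rand=rand))
    raise last_error

def make_flaky_invoke(failures_before_success, code="TooManyRequestsException"):
    """Constructed test double: raise `code` N times, then return a success response."""
    state = {"calls": 0}
    def invoke(**kwargs):
        state["calls"] += 1
        if state["calls"] <= failures_before_success:
            raise LambdaClientError(code, "Rate exceeded")
        return {"StatusCode": 200, "Payload": b'{"ok": true}', "_calls": state["calls"]}
    return invoke

if __name__ == "__main__":
    slept = []
    resp, attempts = invoke_with_retry(make_flaky_invoke(2), "order-api", b"{}",
                                       sleep=slept.append, rand=lambda: 0.5)
    print(attempts, slept)
```

With boto3 the same loop catches `botocore.exceptions.ClientError`; keep the jitter, since many clients retrying on the same fixed schedule after a throttle simply re-create the burst.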

Lambda – Asynchronous Invocations

! S3, SNS, CloudWatch Events / EventBridge…
! Lambda attempts to retry on errors (3 tries total: the initial attempt plus 2 retries, with a wait between attempts)
! Make sure the processing is idempotent (in case of retries)
! Can define a DLQ (dead-letter queue) – SNS or SQS – for failed processing
(diagram) S3 "new file event" → async invocation → Lambda (retries) → DLQ for failed processing

Lambda – Event Source Mapping

! Kinesis Data Streams, SQS, SQS FIFO queue, DynamoDB Streams
! Common denominator: records need to be polled from the source (Lambda polls on your behalf)
! All records respect ordering properties except for SQS standard
! If your function returns an error, the entire batch is reprocessed until success:
   ! Kinesis, DynamoDB Streams: stop shard processing (unless you configure a maximum retry count / record age, bisect-on-error and a destination for discarded records)
   ! SQS FIFO: stop, unless an SQS DLQ has been defined
! Need to make sure your Lambda function is idempotent
(diagram) Kinesis → (poll / return batch) → Event Source Mapping (internal to Lambda) → (invoke with event batch) → Lambda function
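The two requirements above, idempotency under the asynchronous retries and not reprocessing a whole batch because of one bad record, fit in one handler. This is an added example (not from the course): an SQS-triggered function that claims an idempotency key before doing the work and returns the partial-batch-response shape, so only the failed messages go back to the queue. Assumptions not in the slides: the dedupe store is an in-memory dict standing in for a DynamoDB table with a conditional PutItem, the event source mapping is configured with ReportBatchItemFailures (a Lambda feature added after this deck, Nov 2021) so the returned `batchItemFailures` list is honoured, and the `order_id` field is the producer-supplied idempotency key.

```python
"""Added example: idempotent SQS batch handler with partial batch response.
The store, the event and the order records are constructed for the example."""
import json

class DedupeStore:
    """Stand-in for a DynamoDB table keyed on an idempotency key.
    try_claim() mimics PutItem with ConditionExpression attribute_not_exists(pk)."""
    def __init__(self):
        self._seen = {}

    def try_claim(self, key):
        if key in self._seen:
            return False
        self._seen[key] = "in-progress"
        return True

    def mark_done(self, key):
        self._seen[key] = "done"

    def release(self, key):
        self._seen.pop(key, None)

def process_order(order: dict, ledger: list):
    """The business action that must not run twice. Raises on bad input."""
    if order["amount"] <= 0:
        raise ValueError("amount must be positive")
    ledger.append((order["order_id"], order["amount"]))

def handler(event, context, store: DedupeStore, ledger: list):
    """SQS batch entry point (store and ledger would be module-level in a real function).
    Returns {"batchItemFailures": [...]} listing only the records that failed."""
    failures = []
    for record in event["Records"]:
        msg_id = record["messageId"]
        try:
            body = json.loads(record["body"])
            # key on the producer's order_id, not on messageId: a redelivered
            # duplicate arrives with a new messageId but the same order
            key = body["order_id"]
            if not store.try_claim(key):
                continue                       # already handled: ack silently
            try:
                process_order(body, ledger)
                store.mark_done(key)
            except Exception:
                store.release(key)             # let the retry re-run this record
                raise
        except Exception:
            failures.append({"itemIdentifier": msg_id})
    return {"batchItemFailures": failures}

# Constructed sample batch: two good orders, a duplicate of the first, one bad order.
SAMPLE_EVENT = {"Records": [
    {"messageId": "m1", "body": json.dumps({"order_id": "A1", "amount": 10})},
    {"messageId": "m2", "body": json.dumps({"order_id": "B2", "amount": 25})},
    {"messageId": "m3", "body": json.dumps({"order_id": "A1", "amount": 10})},
    {"messageId": "m4", "body": json.dumps({"order_id": "C3", "amount": -5})},
]}

if __name__ == "__main__":
    store, ledger = DedupeStore(), []
    print(handler(SAMPLE_EVENT, None, store, ledger))   # only m4 is reported
    print(handler(SAMPLE_EVENT, None, store, ledger))   # replay: same result, ledger unchanged
```

Replaying the same batch (what Lambda does after an error) produces the same failure list and no second ledger entry for A1 or B2; without `ReportBatchItemFailures`, raising out of the handler would send all four messages back.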

Lambda – Destinations

! Nov 2019: can configure to send the result to a destination
! Asynchronous invocations – can define destinations for successful and failed events:
   ! Amazon SQS
   ! Amazon SNS
   ! AWS Lambda
   ! Amazon EventBridge bus
! Note: AWS recommends you use destinations instead of DLQ now (but both can be used at the same time)
! Event Source mapping: for discarded event batches
   ! Amazon SQS
   ! Amazon SNS
! Note: you can send events to a DLQ directly from SQS
https://docs.aws.amazon.com/lambda/latest/dg/invocation-async.html
https://docs.aws.amazon.com/lambda/latest/dg/invocation-eventsourcemapping.html

AWS Lambda Versions

! When you work on a Lambda function, you work on $LATEST (mutable)
! When you're ready to publish a Lambda function, you create a version
! Versions are immutable
! Versions have increasing version numbers
! Versions get their own ARN (Amazon Resource Name)
! Version = code + configuration (nothing can be changed – immutable)
! Each version of the Lambda function can be accessed
(diagram) $LATEST (mutable) → V1 (immutable), V2 (immutable)

AWS Lambda Aliases

! Aliases are "pointers" to Lambda function versions
! We can define "dev", "test", "prod" aliases and have them point at different Lambda versions
! Aliases are mutable
! Aliases enable Blue / Green deployment by assigning weights to Lambda versions (one additional version with a weight between 0 and 1)
! Aliases enable stable configuration of our event triggers / destinations
! Aliases have their own ARNs
! Aliases cannot reference other aliases
(diagram) Users → DEV alias (mutable) → $LATEST; TEST alias (mutable) → V2 (immutable); PROD alias (mutable) → weighted between V1 and V2

AWS Lambda Aliases with API Gateway

(diagram) Prod stage → PROD alias → 95% V1 / 5% V2; Test stage → TEST alias → 100% V2; Dev stage → DEV alias → $LATEST
! No API Gateway changes are needed when the Lambda version changes: each stage integrates with the alias ARN, and only the alias is repointed

Lambda & CodeDeploy

! CodeDeploy can help you automate traffic shift for Lambda aliases
! Feature is integrated within the SAM framework (AutoPublishAlias + DeploymentPreference)
! Linear: grow traffic every N minutes until 100%
   ! Linear10PercentEvery3Minutes
   ! Linear10PercentEvery10Minutes
! Canary: try X percent then 100%
   ! Canary10Percent5Minutes
   ! Canary10Percent30Minutes
! AllAtOnce: immediate
! Can create Pre & Post Traffic hooks (Lambda functions) to check the health of the Lambda function, and attach CloudWatch alarms to roll back automatically
(diagram) PROD alias: V1 gets 100 – X %, V2 gets X %; CodeDeploy makes X vary over time until X = 100%

Types of load balancer on AWS

! AWS has 3 kinds of managed Load Balancers (4 since Nov 2020, when the Gateway Load Balancer for inline virtual appliances was added)
! Classic Load Balancer (v1 – old generation) – 2009
   ! HTTP, HTTPS, TCP
! Application Load Balancer (v2 – new generation) – 2016
   ! HTTP, HTTPS, WebSocket
! Network Load Balancer (v2 – new generation) – 2017
   ! TCP, TLS (secure TCP) & UDP
! Overall, it is recommended to use the newer / v2 generation load balancers as they provide more features
! You can set up internal (private) or external (public) ELBs

Classic Load Balancers (v1) – Listeners

(diagram) Client → CLB → EC2, with these listener / back-end combinations:
! HTTP (L7) → HTTP
! HTTPS (L7) → HTTPS: must also install a certificate on the EC2 instance
! HTTPS (L7) with SSL termination → HTTP: just install the certificate on the CLB
! TCP (L4) → TCP
! SSL (secure TCP, L4) → SSL: must install a certificate on the EC2 instance
! SSL (L4) with SSL termination → TCP: just install the certificate on the CLB

Classic Load Balancers (v1)

! Health Checks can be HTTP (L7) or TCP (L4) based
! Supports only one SSL certificate
   ! The SSL certificate can have many SANs (Subject Alternative Names), but the certificate must be reissued / replaced any time a SAN is added, edited or removed
   ! Better to use ALB with SNI (Server Name Indication) if possible
   ! Can use multiple CLBs if you want distinct SSL certificates
! TCP => TCP passes all the traffic through to the EC2 instance
   ! Only way on a CLB to use 2-way SSL (mutual TLS) authentication, because the instance terminates TLS itself (an NLB TCP listener gives the same passthrough)

Application Load Balancer (v2)

! Application Load Balancers (v2) are Layer 7 (HTTP)
! Load balancing to multiple HTTP applications across machines (target groups)
! Load balancing to multiple applications on the same machine (ex: containers)
! Support for HTTP/2 and WebSocket
! Support for redirects (from HTTP to HTTPS for example)

Application Load Balancer (v2)

! Routing tables to different target groups:
   ! Routing based on path in URL (example.com/users & example.com/posts)
   ! Routing based on hostname in URL (one.example.com & other.example.com)
   ! Routing based on Query String, Headers (example.com/users?id=123&order=false)
! ALBs are a great fit for microservices & container-based applications (example: Docker & Amazon ECS)
! Has a port mapping feature to redirect to a dynamic port in ECS
! In comparison, we'd need multiple Classic Load Balancers, one per application

Application Load Balancer (v2) – HTTP Based Traffic

(diagram) External Application Load Balancer (v2) receives HTTP requests; Route /user → target group for the Users application (with its own health check); Route /search → target group for the Search application (with its own health check)

Application Load Balancer (v2)

! Target Groups:
   ! EC2 instances (can be managed by an ASG) – HTTP
   ! ECS tasks (managed by ECS itself) – HTTP
   ! Lambda functions – HTTP request is translated into a JSON event
   ! IP Addresses – must be private IPs (ex: instances in a peered VPC, on-premises)
! ALB can route to multiple target groups
! Health checks are at the target group level
! SSL certificates:
   ! Supports multiple listeners
   ! Supports SNI – Server Name Indication (several certificates on one HTTPS listener, picked by the hostname the client requests)

Network Load Balancer (v2)

! Network load balancers (Layer 4) allow you to:
   ! Forward TCP traffic to your instances (UDP support – Jun 2019)
   ! Handle millions of requests per second
! NLB has one static IP per AZ, and supports assigning an Elastic IP (helpful for whitelisting specific IPs)
! Less latency: ~100 ms (vs ~400 ms for ALB)
! Support for TLS (TLS termination on the NLB, with certificates from ACM)
! Support for WebSockets (any TCP stream is passed through)
! Network Load Balancers are mostly used:
   ! for extreme performance, TCP or UDP traffic
   ! with AWS PrivateLink to expose a service internally

Network Load Balancer (v2)

! Target Groups:
   ! EC2 instances (can be managed by an ASG) – TCP
   ! ECS tasks (managed by ECS itself) – TCP
   ! IP addresses – private IPs only, even outside your VPC
! Proxy Protocol:
   ! Sends additional connection information such as the source and destination addresses and ports
   ! The load balancer prepends a Proxy Protocol (version 2) header to the TCP data
   ! Helpful when you have the "IP addresses" target group type, where the client IP is otherwise not preserved
   ! You can retrieve the source IP address of the originating client
   ! Caveat: only parse the header on listeners reached exclusively through the NLB; a client that can connect to the target directly could forge it
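Recovering the client address from the Proxy Protocol header means parsing it correctly at the start of the TCP stream. The following is an added example, not part of the course: a parser for the PROXY protocol v2 header that an NLB prepends when Proxy Protocol is enabled, including the AWS-specific TLV (type 0xEA, subtype 0x01) that carries the VPC endpoint ID of a PrivateLink client. The sample stream is constructed in the block with `build_proxy_v2()`; the addresses, ports and endpoint ID are made up.

```python
"""Added example: parse the PROXY protocol v2 header prepended by an NLB.
Format follows the HAProxy PROXY v2 specification; sample input is constructed."""
import ipaddress
import struct

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_TYPE_AWS = 0xEA              # AWS-specific TLV type emitted by NLB
PP2_SUBTYPE_AWS_VPCE_ID = 0x01   # subtype 1: VPC endpoint ID (PrivateLink)

def build_proxy_v2(src, dst, src_port, dst_port, vpce_id=None) -> bytes:
    """Construct a v2 PROXY header (TCP over IPv4/IPv6). Used to build sample input."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    family_proto = 0x11 if s.version == 4 else 0x21      # INET/INET6 + STREAM
    body = s.packed + d.packed + struct.pack("!HH", src_port, dst_port)
    if vpce_id:
        value = bytes([PP2_SUBTYPE_AWS_VPCE_ID]) + vpce_id.encode("ascii")
        body += struct.pack("!BH", PP2_TYPE_AWS, len(value)) + value
    return PP2_SIGNATURE + struct.pack("!BBH", 0x21, family_proto, len(body)) + body

def parse_proxy_v2(data: bytes):
    """Return (info, payload): connection info from the header and the bytes after it.
    Raises ValueError for anything that is not a well-formed v2 header. Call this only
    on connections that arrive through the NLB; a direct client could forge the header."""
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("no PROXY v2 signature")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY version")
    if len(data) < 16 + length:
        raise ValueError("truncated PROXY header")
    body, payload = data[16:16 + length], data[16 + length:]
    info = {"command": "PROXY" if ver_cmd & 0x0F == 1 else "LOCAL",
            "transport": {1: "STREAM", 2: "DGRAM"}.get(fam_proto & 0x0F, "UNSPEC"),
            "tlvs": {}}
    family = fam_proto >> 4
    if family == 1:
        addr_len, fmt = 12, "!4s4sHH"      # IPv4: 4 + 4 + 2 + 2 bytes
    elif family == 2:
        addr_len, fmt = 36, "!16s16sHH"    # IPv6: 16 + 16 + 2 + 2 bytes
    else:
        return info, payload               # UNSPEC / UNIX: no address to trust
    if len(body) < addr_len:
        raise ValueError("truncated address block")
    src, dst, sport, dport = struct.unpack(fmt, body[:addr_len])
    info.update(src=str(ipaddress.ip_address(src)), dst=str(ipaddress.ip_address(dst)),
                src_port=sport, dst_port=dport)
    offset = addr_len
    while offset + 3 <= len(body):         # optional TLVs: type(1) length(2) value
        tlv_type = body[offset]
        tlv_len = struct.unpack("!H", body[offset + 1:offset + 3])[0]
        value = body[offset + 3:offset + 3 + tlv_len]
        if len(value) != tlv_len:
            raise ValueError("truncated TLV")
        if tlv_type == PP2_TYPE_AWS and value[:1] == bytes([PP2_SUBTYPE_AWS_VPCE_ID]):
            info["vpce_id"] = value[1:].decode("ascii")
        info["tlvs"][tlv_type] = value
        offset += 3 + tlv_len
    return info, payload

# Constructed sample: a PrivateLink client reaching the service through the NLB,
# followed by the first bytes of its HTTP request.
SAMPLE_STREAM = build_proxy_v2("203.0.113.7", "10.0.1.25", 51234, 443,
                               vpce_id="vpce-0123456789abcdef0") + b"GET /health HTTP/1.1\r\n"

if __name__ == "__main__":
    info, rest = parse_proxy_v2(SAMPLE_STREAM)
    print(info["src"], info["src_port"], info.get("vpce_id"), rest)
```

The parser refuses anything without the 12-byte signature and anything shorter than the declared length, so an application that reads the first 16 bytes, then the declared remainder, never confuses a truncated header with application data.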

Cross-Zone Load Balancing

! With Cross-Zone Load Balancing: each load balancer node distributes evenly across all registered instances in all AZs
! Otherwise, each load balancer node distributes requests evenly across the registered instances in its Availability Zone only
(diagram) AZ1 / AZ2 / AZ3 with and without cross-zone load balancing

Cross-Zone Load Balancing

! Classic Load Balancer
   ! Disabled by default
   ! No charges for inter-AZ data if enabled
! Application Load Balancer
   ! Always on (can't be disabled)
   ! No charges for inter-AZ data
! Network Load Balancer
   ! Disabled by default
   ! You pay charges ($) for inter-AZ data if enabled

Load Balancer Stickiness

! It is possible to implement stickiness so that the same client is always redirected to the same instance behind a load balancer
! This works for Classic Load Balancers & Application Load Balancers
! The "cookie" used for stickiness has an expiration date you control
! Use case: make sure the user doesn't lose his session data
! Enabling stickiness may bring imbalance to the load over the backend EC2 instances
! Alternative is to cache session data in ElastiCache or DynamoDB for example
(diagram) Client A, Client B, Client C → load balancer → EC2 instances, each client pinned to one instance

API Gateway – Overview

(diagram) client → REST API (proxy requests) → API Gateway → Lambda → CRUD → DynamoDB
! Helps expose Lambda, HTTP & AWS services as an API
! API versioning, authorization, traffic management (API keys, throttles), huge scale, serverless, request/response transformations, OpenAPI spec, CORS
! Limits to know:
   ! 29 seconds integration timeout
   ! 10 MB max payload size

API Gateway – Deployment Stages

! API changes are deployed to "Stages" (as many as you want)
! Use the naming you like for stages (dev, test, prod)
! Stages can be rolled back as a history of deployments is kept
(diagram) Prod stage → PROD alias → 95% V1 / 5% V2; Test stage → TEST alias → 100% V2

API Gateway – Integrations

! HTTP
   ! Expose HTTP endpoints in the backend
   ! Example: internal HTTP API on premises, Application Load Balancer…
   ! Why? Add rate limiting, caching, user authentication, API keys, etc.
! Lambda Function
   ! Invoke a Lambda function
   ! Easy way to expose a REST API backed by AWS Lambda
! AWS Service
   ! Expose any AWS API through the API Gateway
   ! Example: start an AWS Step Functions workflow, post a message to SQS
   ! Why? Add authentication, deploy publicly, rate control…

Solution Architecture Discussion: API Gateway in front of S3

! You will be impacted by the 10 MB payload size limit
(diagram) client application "I want to upload a file" → API Gateway (proxy) → S3: fails for files larger than the limit
! Better architecture:
(diagram) client application "I want to upload a file" → API Gateway → invoke Lambda → generate a pre-signed URL → return the URL to the client → client uploads to S3 directly using the pre-signed URL

API Gateway – Endpoint Types

! Edge-Optimized (default): for global clients
   ! Requests are routed through the CloudFront edge locations (improves latency)
   ! The API Gateway still lives in only one region
! Regional:
   ! For clients within the same region
   ! Could manually combine with CloudFront (more control over the caching strategies and the distribution)
! Private:
   ! Can only be accessed from your VPC using an interface VPC endpoint (ENI)
   ! Use a resource policy to define access

Caching API responses

! Caching reduces the number of calls made to the backend
! Default TTL (time to live) is 300 seconds (min: 0 s, max: 3600 s)
! Caches are defined per stage
! Possible to override cache settings per method
! Clients can invalidate the cache with the header Cache-Control: max-age=0 (with proper IAM authorization: the caller needs execute-api:InvalidateCache, otherwise anyone could evict your cache and hammer the backend)
! Able to flush the entire cache (invalidate it) immediately
! Cache encryption option
! Cache capacity between 0.5 GB and 237 GB
(diagram) Client → API Gateway: check the API cache; if cache miss → backend

API Gateway – Errors

! 4xx means client errors
   ! 400: Bad Request
   ! 403: Access Denied, WAF filtered
   ! 429: Quota exceeded, throttled
! 5xx means server errors
   ! 502: Bad Gateway Exception, usually for an incompatible output returned from a Lambda proxy integration backend and occasionally for out-of-order invocations due to heavy loads
   ! 503: Service Unavailable Exception
   ! 504: Integration Failure – ex: Endpoint Request Timed-out Exception; API Gateway requests time out after a 29 second maximum

API Gateway – Security

! Load SSL certificates and use Route 53 to define a CNAME (custom domain name)
! Resource Policy (~S3 bucket policy):
   ! control who can access the API
   ! Users from AWS accounts, IP or CIDR blocks, VPC or VPC endpoints
! IAM Execution Roles for API Gateway at the API level
   ! To invoke a Lambda function, an AWS service…
! CORS (Cross-Origin Resource Sharing):
   ! Browser-based security
   ! Control which domains can call your API (enforced by the browser only; it is not a substitute for authentication)

API Gateway – Authentication

! IAM based access
   ! Good for providing access within your own infrastructure
   ! Pass IAM credentials in headers through Sig V4
! Lambda Authorizer (formerly Custom Authorizer)
   ! Use Lambda to verify a custom OAuth / SAML / 3rd party authentication token and return an IAM policy
! Cognito User Pools
   ! Client authenticates with Cognito (gets a token)
   ! Client passes the token to API Gateway
   ! API Gateway knows out-of-the-box how to verify the token
(diagram) Client → authentication → get token (Cognito User Pools) → pass token → API Gateway → pass identity → backend
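A Lambda authorizer is where the "verify a custom token" step actually happens, and where most mistakes are made (trusting the token's own `alg` header, non-constant-time comparison, returning a policy on `*`). The following is an added example, not from the course: a TOKEN-type authorizer that verifies an HS256 token with the standard library and returns an IAM policy scoped to the API and stage of the request. The signing key, the token issuer (`make_token`) and the claims are constructed for the example; a real deployment would verify the identity provider's RS256/ES256 signature against its published keys instead of a shared secret.

```python
"""Added example: Lambda TOKEN authorizer returning a scoped execute-api policy.
SIGNING_KEY, make_token() and the claims are constructed for the example."""
import base64
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"constructed-demo-secret-do-not-use"   # constructed, never a real secret

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict, key: bytes = SIGNING_KEY, alg: str = "HS256") -> str:
    """Mint a compact JWT (constructed issuer used only to build sample input)."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def verify_token(token: str, key: bytes = SIGNING_KEY, now=None) -> dict:
    """Return the claims if algorithm, signature and expiry check out; else raise ValueError."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except Exception as exc:
        raise ValueError("malformed token") from exc
    if header.get("alg") != "HS256":          # never let the token pick the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):   # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims

def _policy(principal_id, effect, method_arn, context=None):
    # Scope the result to this API and stage, not "*": API Gateway caches the
    # policy per token, and a "*" Allow could be replayed against any API.
    api_and_stage = "/".join(method_arn.split("/")[:2])   # arn:...:api-id/stage
    return {
        "principalId": principal_id,
        "policyDocument": {"Version": "2012-10-17", "Statement": [{
            "Action": "execute-api:Invoke", "Effect": effect,
            "Resource": f"{api_and_stage}/*"}]},
        "context": context or {},
    }

def handler(event, context=None, now=None):
    """TOKEN authorizer entry point: event carries authorizationToken and methodArn."""
    auth = event.get("authorizationToken", "")
    if not auth.startswith("Bearer "):
        return _policy("anonymous", "Deny", event["methodArn"], {"reason": "no bearer token"})
    try:
        claims = verify_token(auth[len("Bearer "):], now=now)
    except ValueError as why:
        return _policy("anonymous", "Deny", event["methodArn"], {"reason": str(why)})
    return _policy(claims["sub"], "Allow", event["methodArn"],
                   {"scope": claims.get("scope", "")})

if __name__ == "__main__":
    arn = "arn:aws:execute-api:us-east-1:123456789012:abcdef123/prod/GET/orders"
    token = make_token({"sub": "user-42", "scope": "orders:read", "exp": 2_000_000_000})
    print(json.dumps(handler({"authorizationToken": "Bearer " + token, "methodArn": arn}), indent=2))
```

The `context` map is forwarded to the integration (as `$context.authorizer.*`), which is how the backend learns the verified identity without re-parsing the token; note that a Deny is returned for an expired or tampered token rather than raising, so the reason is visible in the authorizer's logs.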

API Gateway – Logging, Monitoring, Tracing

! CloudWatch Logs:
   ! Enable CloudWatch logging at the Stage level (with Log Level – ERROR, INFO)
   ! Can log full request / response data (customizable; beware of logging credentials, tokens and PII)
   ! Can send API Gateway Access Logs
   ! Can send logs directly into Kinesis Data Firehose (as an alternative to CloudWatch Logs)
! CloudWatch Metrics:
   ! Metrics are by stage, possibility to enable detailed metrics
   ! IntegrationLatency, Latency, CacheHitCount, CacheMissCount
! X-Ray:
   ! Enable tracing to get extra information about requests in API Gateway
   ! X-Ray on API Gateway + AWS Lambda gives you the full picture

Route 53 – Records

! Route 53 is a managed DNS (Domain Name System)
! A: hostname to IPv4
! AAAA: hostname to IPv6
! CNAME: hostname to hostname
! Alias: hostname to AWS resource
   ! Use for: CLB, ALB, NLB, CloudFront, S3 bucket, Elastic Beanstalk
   ! Can be used for the root apex record (mydomain.com), which a CNAME cannot
! Other record types are not needed for the exam

Route 53 – Diagram for A Record

(diagram) The web browser asks Route 53 for the A record of the hostname; Route 53 answers with the IPv4 address and the record's TTL; the browser caches the result for the TTL duration, then sends its HTTP request to the application server at that IP

DNS Records TTL (Time to Live)

(diagram) Web browser → DNS request for myapp.mydomain.com → Route 53 → sends back the IP (A record: hostname to IPv4) with TTL 300 s; the browser caches it for the TTL duration
! High TTL (e.g. 24 h)
   ! Less traffic on DNS
   ! Possibly outdated records
! Low TTL (e.g. 60 s)
   ! More traffic on DNS
   ! Records are outdated for less time
   ! Easy to change records
! TTL is mandatory for each DNS record

Simple Routing Policy

! Maps a hostname to a single resource
! You can't attach health checks to a simple routing policy
! If multiple values are returned, a random one is chosen by the client
(diagram) Web browser → Route 53 → foo.example.com A 11.22.33.44

Weighted Routing Policy

! Control the % of the requests that go to a specific endpoint
! Helpful to test 1% of traffic on a new app version for example
! Helpful to split traffic between two regions – load balancing
! Can be associated with Health Checks
! Note: the weights don't need to sum up to 100
(diagram) Route 53 → three endpoints with different weights

Failover Routing Policy (Active-Passive)

(diagram) Web browser → DNS request → Route 53 → primary (a health check on the primary is mandatory) → on failure → secondary (disaster recovery)

Latency Routing Policy

! Redirect to the server that has the least latency close to us
! Super helpful when latency of users is a priority
! Latency is evaluated in terms of user to designated AWS Region
! Germany users may be directed to the US (if that's the lowest latency)
! Has a failover capability if you enable health checks

Geolocation Routing Policy

! Different from latency based!
! This is routing based on user location
! Here we specify: traffic from the UK should go to this specific IP
! Should create a "default" policy (in case there's no match on location)
(diagram) Default → A 11.22.33.44; UK → A 33.44.55.66; another location → A 22.33.44.55

Route 53 – Complex / Nested Records

(diagram) www.example.com is a weighted record set: an Alias (to a Route 53 record) us-east-1.www.example.com and an Alias ap-southeast-1.www.example.com, each with its own weight; each of those is a latency record set (Region: us-east-1 / ap-southeast-1) pointing at Type A records with the IPs of the endpoints in that region

Multi Value Routing Policy

! Use when routing traffic to multiple resources
! Want to associate Route 53 health checks with records
! Up to 8 healthy records are returned for each Multi Value query
! Multi Value is not a substitute for having an ELB

Route 53 – Good to know

! Private DNS:
   ! Can use Route 53 for internal private DNS (private hosted zones)
   ! Must enable the VPC settings enableDnsHostnames and enableDnsSupport
! DNSSEC (protects resolvers against DNS spoofing / man-in-the-middle attacks on resolution):
   ! Amazon Route 53 supports DNSSEC for domain registration
   ! Route 53 supports DNSSEC signing for DNS service as of December 2020 (the key-signing key is stored in KMS)
! You could also run a custom DNS server on Amazon EC2 for example (BIND is the most popular; dnsmasq, KnotDNS, PowerDNS)
! 3rd party registrar:
   ! You can buy the domain outside of AWS and use Route 53 as your DNS provider
   ! Update the NS records on the 3rd party registrar

Health Checks with Route 53

! Health Check => automated DNS failovers:
   1. Health checks that monitor an endpoint (application, server, other AWS resource)
   2. Health checks that monitor other health checks (calculated health checks)
   3. Health checks that monitor CloudWatch alarms (full control) – e.g. throttles of DynamoDB, alarms on RDS, custom metrics, etc.
! Health Checks are integrated with CloudWatch metrics
(diagram) Amazon Route 53 record (latency, geoproximity, etc.) → a health check on each region's ALB → Auto Scaling group instances in Region 1 and Region 2

Route 53 Health Checks – good to know

! Health Checks can be set up to pass / fail based on text in the first 5120 bytes of the response
! Health Checks pass only with a 2xx or 3xx status response
! Calculated health checks:
   ! Create separate individual health checks
   ! Specify how many of the health checks need to pass to make the parent pass
! Health Checks can trigger CloudWatch Alarms
(diagram) Route 53 health checker → HTTP call to /health on a public HTTP server (EC2) → returns 2xx / 3xx, optionally some text

Health Checks – Private Hosted Zones

! Route 53 health checkers are outside the VPC
! They can't access private endpoints (private VPC or on-premises resource)
! Options:
   ! To check a resource within a VPC, you must assign it a public IP address
   ! You can configure the health checker to check the health of an external resource the instance relies on, for example a database server
   ! You can create a CloudWatch metric and associate an alarm; you then create a health check that checks the alarm itself
(diagram) Route 53 health checker outside the VPC cannot reach the private subnet; a CloudWatch alarm bridges the gap

 !
 "
 # 
 

Health Checks Solution Architecture  % 


 "
 & 
'
 (  
RDS multi-region failover   ) 
 # 
 & 
 (  

 +
"/-A>2 YS  # 
kVVT 94;;  (  
 "
YO$4;3O/JL %(?3$  !
&') 31A2
 ,
:=F.1=-FY k$4;3O 9O$9I  
 ) 
 -  
 .
"/-A>2 LS  /
 0 
F_ :;4%5  1
 2
:&P)9 %$X;'943'()  .
F_ :;4%5 ;')I$J 3( k$4;3O FO$9I  3
 1
 1
 4 
 .
 5 
 6
&') &.18 &./<A91 T%(5(3$ >$4J >$X;'94& 3%'CC$% F_ 7G$)3 ;')I$J 3( F_ :;4%5  6
 6
:=F6.=-FL cM% 2B2 3(X'9d  7
 8 
 1
 -  
 1
QXJ43$ KB2
 :
 9 
 ;
 :
 <  
 :
 = 
 7
 9 
 >
 ;
Route 53 Solution Architecture – Sharing a Private Zone across VPC

- Having a central private "Shared Services" DNS can ease management
- Other accounts may want to access the central private DNS records
- 1. Connectivity between VPCs must be established (VPC peering)
- 2. Must programmatically (CLI) associate the VPC with the central hosted zone
- One association must be created for each new account

[Diagram: a "Shared Services" account holding the central private hosted zone (Route 53), connected by VPC peering to the VPCs of the other accounts]

https://aws.amazon.com/premiumsupport/knowledge-center/private-hosted-zone-different-account/

Solution Architecture Comparisons

- EC2 on its own with Elastic IP
- EC2 with Route 53
- ALB + ASG
- ALB + ECS on EC2
- ALB + ECS on Fargate
- ALB + Lambda
- API Gateway + Lambda
- API Gateway + AWS Service
- API Gateway + HTTP backend (ex: ALB)

EC2 with Elastic IP

- Quick failover
- The client should not see the change happen
- Helpful if the client needs to resolve by static Public IP address
- Does not scale
- Cheap

[Diagram: the user accesses the public EC2 instance using its Public IP (Elastic IP); in case of DR, the Elastic IP is moved to a standby instance]

Stateless web app - scaling horizontally

[Diagram: DNS Query against an A record (TTL 1 hour) returning the public IP of EC2 instance 1; no Elastic IP]

Stateless web app - scaling horizontally

- "DNS-based load balancing"
- Ability to use multiple instances
- Route 53 TTL implies the client may get outdated information
- Clients must have logic to deal with hostname resolution failures
- Adding an instance may not receive full traffic right away due to DNS TTL

[Diagram: DNS Query against an A record (TTL 1 hour) returning the public IPs of several EC2 instances]

ALB + ASG

- Scales well, classic architecture
- New instances are in service right away
- Users are not sent to instances that are out-of-service
- Time to scale is slow (EC2 instance startup + bootstrap) – AMI can help
- ALB is elastic but can't handle sudden, huge peaks of demand (pre-warm)
- Could lose a few requests if instances are overloaded
- CloudWatch used for scaling
- Cross-Zone balancing for even traffic distribution
- Target utilization should be between 40% and 70%

[Diagram: DNS Query resolves an Alias Record (TTL 1 hour) to the ALB (health checks, Multi-AZ), which fronts an Auto Scaling group spanning Availability Zones 1, 2 and 3]

ALB + ECS on EC2 (backed by ASG)

- Same properties as ALB + ASG
- Application is run on Docker
- ASG + ECS allows to have dynamic port mappings
- Tough to orchestrate ECS service auto-scaling + ASG auto-scaling

[Diagram: DNS Query → Alias Record (TTL 1 hour) → ALB (health checks, Multi-AZ) → Auto Scaling group + ECS across Availability Zones 1, 2 and 3]

ALB + ECS on Fargate

- Application is run on Docker
- Service Auto Scaling is easy
- Time to be in-service is quick (no need to launch an EC2 instance in advance)
- Still limited by the ALB in case of sudden peaks
- "serverless" application tier
- "managed" load balancer

[Diagram: DNS Query → Alias Record (TTL 1 hour) → ALB → Fargate + Service Auto Scaling across Availability Zones 1, 2 and 3]

ALB + Lambda

- Limited to Lambda's runtimes
- Seamless scaling thanks to Lambda
- Simple way to expose Lambda functions as HTTP/S without all the features from API Gateway
- Can combine with WAF (Web Application Firewall)
- Good for hybrid microservices
- Example: use ECS for some requests, Lambda for others

[Diagram: DNS Query → Alias Record (TTL 1 hour) → ALB → Lambda]

API Gateway + Lambda

- Pay per request, seamless scaling, fully serverless
- Soft limits: 10000/s API Gateway, 1000 concurrent Lambda
- API Gateway features: authentication, rate limiting, caching, etc…
- Lambda Cold Start time may increase latency for some requests
- Fully integrated with X-Ray

[Diagram: client → API Gateway → Lambda]

API Gateway + AWS Service (as a proxy)

- Lower latency, cheaper
- Not using Lambda concurrent capacity, no custom code
- Expose AWS APIs securely through API Gateway
- SQS, SNS, Step Functions…
- Remember API Gateway has a payload limit of 10 MB (can be a problem for S3 proxy)

[Diagram: clients → API Gateway → AWS service APIs (SQS, SNS, Step Functions…)]

API Gateway + HTTP backend (ex: ALB)

- Use API Gateway features on top of a custom HTTP backend (authentication, rate control, API keys, caching…)
- Can connect to…
  - On-premise service
  - Application Load Balancer
  - 3rd party HTTP service

[Diagram: client → API Gateway → HTTP server (ex: ALB, on-prem)]

Storage Section

EBS

- Network drive you attach to ONE instance only
- Linked to a specific availability zone (transfer: snapshot => restore)
- Volumes can be resized
- Make sure you choose an instance type that is EBS optimized to enjoy maximum throughput

[Diagram: one Availability Zone with three EC2 instances, each attached to its own EBS volume (10 GB, 50 GB, 100 GB)]

EBS – Volume Types

- gp2: General Purpose Volumes (cheap)
  - 3 IOPS / GiB, minimum 100 IOPS, burst to 3000 IOPS, max 16000 IOPS
  - 1 GiB – 16 TiB, +1 TB = +3000 IOPS
- io1: Provisioned IOPS (expensive)
  - Min 100 IOPS, Max 64000 IOPS (Nitro) or 32000 (other)
  - 4 GiB – 16 TiB. Size of volume and IOPS are independent
- st1: Throughput Optimized HDD
  - 500 GiB – 16 TiB, 500 MiB/s throughput
- sc1: Cold HDD, Infrequently accessed data
  - 250 GiB – 16 TiB, 250 MiB/s throughput

EBS – RAID Configurations

[Diagram: an EC2 instance with one logical volume. RAID 0 (add): each write goes to either EBS volume 1 or EBS volume 2. RAID 1 (mirror): each write goes to both EBS volume 1 and EBS volume 2]

EBS Snapshots

- Incremental – only backup changed blocks
- EBS backups use IO and you shouldn't run them while your application is handling a lot of traffic
- Snapshots will be stored in S3 (but you won't directly see them)
- Not necessary to detach volume to do snapshot, but recommended
- Can copy snapshots across region (for DR)
- Can make Image (AMI) from Snapshot
- EBS volumes restored by snapshots need to be pre-warmed (using fio or dd command to read the entire volume)
- Snapshots can be automated using Amazon Data Lifecycle Manager

Local EC2 Instance Store

- Physical disk attached to the physical server where your EC2 is
- Very High IOPS (because physical)
- Disks up to 7.5 TiB (can change over time), striped to reach 30 TiB (can change over time…)
- Block Storage (just like EBS)
- Cannot be increased in size
- Risk of data loss if hardware fails

EBS vs Instance Store

- Some instances do not come with Root EBS volumes
- Instead, they come with "Instance Store" (= ephemeral storage)
- Instance store is physically attached to the machine (EBS is a network drive)
- Pros:
  - Better I/O performance (EBS gp2 has a max IOPS of 16000, io1 of 64000)
  - Good for buffer / cache / scratch data / temporary content
  - Data survives reboots
- Cons:
  - On stop or termination, the instance store is lost
  - You can't resize the instance store
  - Backups must be operated by the user

EFS – Elastic File System

- Managed NFS (network file system) that can be mounted on many EC2
- EFS works with EC2 instances in multi-AZ, & on-premise (DX & VPN)
- Highly available, scalable, expensive (3x gp2), pay per GB used

[Diagram: EC2 instances in us-east-1a, us-east-1b and us-east-1c mount the same EFS file system; access is controlled by a Security Group]

EFS – Elastic File System

- Use cases: content management, web serving, data sharing, Wordpress
- Compatible with Linux based AMI (not Windows), POSIX-compliant
- Uses NFSv4.1 protocol
- Uses security group to control access to EFS
- Encryption at rest using KMS
- Can only attach to one VPC, create one ENI (mount target) per AZ

EFS – Performance & Storage Classes

- EFS Scale
  - 1000s of concurrent NFS clients, 10 GB+ /s throughput
  - Grow to Petabyte-scale network file system
- Performance mode (set at EFS creation time)
  - General purpose (default): latency-sensitive use cases (web server, CMS, etc…)
  - Max I/O – higher latency, higher throughput, highly parallel (big data, media processing)
- Throughput Mode
  - Bursting Mode: common for filesystems (intensive work, then almost nothing), linked to FS size
  - Provisioned IO Mode: high throughput to storage ratio (if burst is not enough) – expensive
- Storage Tiers (lifecycle management feature – move file after N days)
  - Standard: for frequently accessed files
  - Infrequent access: higher cost to retrieve the file, lower price point to store the file

EFS - On-Premise & VPC Peering

[Diagram: AWS Cloud with two VPCs joined by VPC peering; Amazon EFS exposes one ENI (mount target) per AZ, mounted over NFS by IPv4 (not DNS), with redundancy in mount targets. An on-premise server reaches EFS over Direct Connect (redundancy in DX / DX or DX / VPN) or a Site-to-Site VPN]

S3 – Overview

- Object storage, serverless, unlimited storage, pay-as-you-go
- Good to store static content (image, video files)
- Access objects by key, no indexing facility
- Not a filesystem, cannot be mounted natively on EC2
- Anti patterns:
  - Lots of small files
  - POSIX file system (use EFS instead), file locks
  - Search features, queries, rapidly changing data
  - Website with dynamic content

S3 Storage Classes Comparison

- S3 Standard: designed for 99.999999999% durability (11 9's), designed for 99.99% availability, availability SLA 99.9%, >= 3 Availability Zones, no minimum storage duration charge, no retrieval fee
- S3 Intelligent-Tiering: 99.999999999% durability (11 9's), designed for 99.9% availability, SLA 99%, >= 3 AZs, 30 days minimum storage duration charge, no retrieval fee
- S3 Standard-IA: 99.999999999% durability (11 9's), designed for 99.9% availability, SLA 99%, >= 3 AZs, 30 days minimum storage duration charge, retrieval fee per GB retrieved
- S3 One Zone-IA: 99.999999999% durability (11 9's), designed for 99.5% availability, SLA 99%, 1 AZ, 30 days minimum storage duration charge, retrieval fee per GB retrieved
- S3 Glacier: 99.999999999% durability (11 9's), designed for 99.99% availability, SLA 99.9%, >= 3 AZs, 90 days minimum storage duration charge, retrieval fee per GB retrieved
- S3 Glacier Deep Archive: 99.999999999% durability (11 9's), designed for 99.99% availability, SLA 99.9%, >= 3 AZs, 180 days minimum storage duration charge, retrieval fee per GB retrieved

- You can transition objects between tiers (or delete) using S3 Lifecycle Policies

https://aws.amazon.com/s3/storage-classes/

S3 – Replication

- Cross Region Replication (CRR)
- Same Region Replication (SRR)
- Combine with Lifecycle Policies
- Helpful to reduce latency
- Helpful for disaster recovery
- Helpful for security
- S3 bucket versioning must be enabled

[Diagram: Amazon S3 in us-east-1 replicated with CRR to Amazon S3 in us-west-2; a Lifecycle Policy transitions objects to Glacier]

S3 Events Notifications

- S3:ObjectCreated, S3:ObjectRemoved, S3:ObjectRestore, S3:Replication…
- Object name filtering possible (*.jpg)
- Use case: generate thumbnails of images uploaded to S3
- S3 event notifications typically deliver events in seconds but can sometimes take a minute or longer
- If two writes are made to a single non-versioned object at the same time, it is possible that only a single event notification will be sent
- If you want to ensure that an event notification is sent for every successful write, you can enable versioning on your bucket.

[Diagram: Amazon S3 events delivered to SNS, SQS or a Lambda Function, with a DLQ / destination]

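An added example (not course code) of the consumer side of this slide: a thumbnail handler that applies the *.jpg name filter, decodes the URL-encoded key S3 puts in the event, and treats (bucket, key, versionId) as the unit of work so that a repeated delivery is processed once while each write to a versioned object is processed on its own. The bucket name, keys and version ids are constructed.

```python
"""Added example, not course code: a consumer for S3 event notifications
that applies the *.jpg name filter from the slide and drops duplicate
deliveries. Keys in S3 events are URL-encoded (a space arrives as '+'),
and, per the slide, only versioning guarantees one event per write, so the
de-duplication key includes versionId when present. The events below are
constructed in the shape S3 delivers."""
from typing import Iterator, List, Optional, Set, Tuple
from urllib.parse import unquote_plus

# Constructed notifications: a jpg (delivered twice), a png, and a delete.
SAMPLE_EVENTS = [
    {"Records": [{
        "eventName": "ObjectCreated:Put",
        "s3": {"bucket": {"name": "photos-bucket"},
               "object": {"key": "uploads/summer+trip/IMG_001.jpg",
                          "size": 204800, "versionId": "v1.abc",
                          "sequencer": "0055AED6DCD90281E5"}}}]},
    {"Records": [{
        "eventName": "ObjectCreated:Put",
        "s3": {"bucket": {"name": "photos-bucket"},
               "object": {"key": "uploads/summer+trip/IMG_001.jpg",
                          "size": 204800, "versionId": "v1.abc",
                          "sequencer": "0055AED6DCD90281E5"}}}]},
    {"Records": [{
        "eventName": "ObjectCreated:Put",
        "s3": {"bucket": {"name": "photos-bucket"},
               "object": {"key": "uploads/diagram.png", "size": 1024,
                          "versionId": "v9.xyz",
                          "sequencer": "0055AED6DCD90281F0"}}}]},
    {"Records": [{
        "eventName": "ObjectRemoved:Delete",
        "s3": {"bucket": {"name": "photos-bucket"},
               "object": {"key": "uploads/old.jpg",
                          "sequencer": "0055AED6DCD90281FF"}}}]},
]

Record = Tuple[str, str, str, Optional[str]]  # eventName, bucket, key, versionId


def parse_records(event: dict) -> Iterator[Record]:
    """Yield (eventName, bucket, decoded key, versionId) for each record."""
    for rec in event.get("Records", []):
        s3 = rec["s3"]
        obj = s3["object"]
        yield (rec["eventName"], s3["bucket"]["name"],
               unquote_plus(obj["key"]), obj.get("versionId"))


def wants(event_name: str, key: str, suffix: str = ".jpg") -> bool:
    """Only newly created objects whose name ends with the suffix."""
    return event_name.startswith("ObjectCreated:") and key.lower().endswith(suffix)


class ThumbnailConsumer:
    """Idempotent consumer: a (bucket, key, versionId) triple is handled once."""

    def __init__(self) -> None:
        self.seen: Set[Tuple[str, str, Optional[str]]] = set()
        self.processed: List[str] = []

    def handle(self, event: dict) -> List[str]:
        done = []
        for event_name, bucket, key, version_id in parse_records(event):
            if not wants(event_name, key):
                continue
            ident = (bucket, key, version_id)
            if ident in self.seen:
                continue  # duplicate delivery of the same write
            self.seen.add(ident)
            # Thumbnail generation would go here; we only record the key.
            self.processed.append(key)
            done.append(key)
        return done


def run_demo(events=SAMPLE_EVENTS) -> List[str]:
    """Feed every constructed event to one consumer; returns the keys handled."""
    consumer = ThumbnailConsumer()
    for event in events:
        consumer.handle(event)
    return consumer.processed
```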
S3 – CloudWatch Events

- By default, CloudTrail records S3 bucket-level API calls
- CloudTrail logs for object-level Amazon S3 actions can be enabled
- This helps us generate events for object-level API (GetObject, PutObject, DeleteObject, PutObjectAcl, etc…)
- Full list here: https://docs.aws.amazon.com/AmazonS3/latest/dev/cloudtrail-logging.html

[Diagram: Amazon S3 → CloudTrail object-level monitoring → CloudWatch Events → SNS, SQS, Lambda, Batch]

S3 – Baseline Performance

- Amazon S3 automatically scales to high request rates, latency 100-200 ms
- Your application can achieve at least 3,500 PUT/COPY/POST/DELETE and 5,500 GET/HEAD requests per second per prefix in a bucket.
- There are no limits to the number of prefixes in a bucket.
- Example (object path => prefix):
  - bucket/folder1/sub1/file => /folder1/sub1/
  - bucket/folder1/sub2/file => /folder1/sub2/
  - bucket/1/file => /1/
  - bucket/2/file => /2/
- If you spread reads across all four prefixes evenly, you can achieve 22,000 requests per second for GET and HEAD

S3 Performance

- Multi-Part upload:
  - recommended for files > 100MB, must use for files > 5GB
  - Can help parallelize uploads (speed up transfers)
- S3 Transfer Acceleration (upload only)
  - Increase transfer speed by transferring file to an AWS edge location which will forward the data to the S3 bucket in the target region
  - Compatible with multi-part upload

[Diagram: a big file is divided in parts and uploaded in parallel; a file in the USA goes fast over the public www to an Edge Location, then fast over the private AWS network to the S3 bucket in Australia]

S3 Performance – S3 Byte-Range Fetches

- Parallelize GETs by requesting specific byte ranges
- Better resilience in case of failures
- Can be used to speed up downloads
- Can be used to retrieve only partial data (for example the head of a file)

[Diagram: a file in S3 fetched as Part 1, Part 2 … Part N with requests in parallel; a separate byte-range request fetches only the header (first XX bytes)]

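The multipart-upload slide and this byte-range slide both come down to splitting an object into ranges, so one added example (not course code) serves both: it plans upload parts using the 100 MB / 5 GB thresholds the slides give (plus S3's documented 5 MiB minimum part size and 10,000-part limit), and downloads an object with parallel Range requests, retrying only the part that failed and fetching just the head of a file. S3 itself is replaced by a constructed in-memory store.

```python
"""Added example, not course code: one range-splitting helper used for both
S3 techniques on these slides, planning a multipart upload and fetching an
object in parallel with byte-range GETs (retrying only the part that failed,
and fetching just the head of a file). The size thresholds are the ones the
slides give; the 5 MiB minimum part size and 10,000-part limit are S3's
documented limits. "S3" here is an in-memory bytes object."""
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, List, Optional, Tuple

MIB = 1024 ** 2
GIB = 1024 ** 3
MULTIPART_RECOMMENDED = 100 * MIB  # slide: recommended above 100 MB
SINGLE_PUT_MAX = 5 * GIB           # slide: above 5 GB multipart is required
MIN_PART = 5 * MIB                 # S3: every part but the last is >= 5 MiB
MAX_PARTS = 10_000                 # S3: at most 10,000 parts per upload


def byte_ranges(size: int, part_size: int) -> List[Tuple[int, int]]:
    """Inclusive (first, last) byte offsets, as used in a Range header."""
    if size <= 0:
        return []
    return [(start, min(start + part_size, size) - 1)
            for start in range(0, size, part_size)]


def range_header(first: int, last: int) -> str:
    return f"bytes={first}-{last}"


def plan_upload(size: int, part_size: int = 16 * MIB) -> Optional[List[Tuple[int, int]]]:
    """None means a single PUT is fine; otherwise the parts to upload."""
    if size <= MULTIPART_RECOMMENDED:
        return None
    part_size = max(part_size, MIN_PART)
    # Grow the part size until the object fits in 10,000 parts.
    while -(-size // part_size) > MAX_PARTS:
        part_size *= 2
    return byte_ranges(size, part_size)


def must_use_multipart(size: int) -> bool:
    return size > SINGLE_PUT_MAX


Fetcher = Callable[[str], bytes]  # takes a Range header value, returns bytes


def parallel_get(size: int, fetch: Fetcher, part_size: int,
                 retries: int = 2, workers: int = 4) -> bytes:
    """Download all parts concurrently; a failed part is retried on its own,
    the parts that already succeeded are not fetched again."""
    def get_part(rng: Tuple[int, int]) -> bytes:
        last_err = IOError("no attempt made")
        for _ in range(retries + 1):
            try:
                return fetch(range_header(*rng))
            except IOError as err:
                last_err = err
        raise last_err

    with ThreadPoolExecutor(max_workers=workers) as pool:
        parts = list(pool.map(get_part, byte_ranges(size, part_size)))
    return b"".join(parts)


def fetch_head(fetch: Fetcher, n: int) -> bytes:
    """Only the first n bytes, e.g. to read a file header."""
    return fetch(range_header(0, n - 1))


class FlakyStore:
    """Constructed stand-in for S3: serves ranges and fails the first request
    for one chosen part, to show that only that part is re-fetched."""

    def __init__(self, data: bytes, fail_once_at: Optional[int] = None) -> None:
        self.data = data
        self.fail_once_at = fail_once_at
        self.requests: List[str] = []

    def fetch(self, range_hdr: str) -> bytes:
        self.requests.append(range_hdr)
        first, last = map(int, range_hdr.split("=")[1].split("-"))
        if first == self.fail_once_at:
            self.fail_once_at = None
            raise IOError("transient error")
        return self.data[first:last + 1]
```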
S3 Select & Glacier Select

- Retrieve less data using SQL by performing server side filtering
- Can filter by rows & columns (simple SQL statements)
- Less network transfer, less CPU cost client-side

[Diagram: client issues "Get CSV with S3 Select" against a CSV file in Amazon S3; S3 applies server-side filtering and sends back the filtered dataset]

https://aws.amazon.com/blogs/aws/s3-glacier-select/

S3 Access Points

- Each Access Point gets its own DNS and policy to limit who can access it
  - A specific IAM user / group
  - One policy per Access Point => Easier to manage than complex bucket policies
- Can restrict to traffic from a specific VPC
- Access points are linked to a specific bucket (unique name per acct/region)

[Diagram: Finance users / group → Finance AP (policy to grant R/W access to a specific /finance prefix); Sales users / group → Sales AP (policy to grant R/W access to a specific /sales prefix); Analytics users / group → Analytics AP (policy to grant R access to all the bucket); the bucket itself keeps a simple bucket policy]

VPC Endpoints with S3 Access Points

- Can force the usage of Amazon S3 Access Points through the VPC endpoint only
- 1. VPC Endpoint Policy to block access to Amazon S3
- 2. S3 bucket policy to block access from outside the VPC
- 3. S3 Access Point linked to the S3 VPC Endpoint

https://aws.amazon.com/blogs/storage/managing-amazon-s3-access-with-vpc-endpoints-and-s3-access-points/

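The two slides above describe one pattern (per-team access points, reachable only through the VPC endpoint), so here is one added example (not course code) that writes out the three policy documents behind steps 1 to 3 and a check that the bucket policy really closes the direct path. The account id, bucket, VPC and endpoint ids, prefixes and role names are constructed placeholders; the condition keys aws:SourceVpce, s3:DataAccessPointAccount and s3:DataAccessPointArn are real IAM/S3 keys, and the access-point dict carries the CreateAccessPoint fields plus the policy that is applied to it separately.

```python
"""Added example, not course code: the three policy documents behind the
pattern on these two slides (access points per team, reachable only through
the VPC endpoint), plus a check that a bucket policy really closes the
direct path. Account id, bucket, VPC/endpoint ids and prefixes are
constructed placeholders; aws:SourceVpce, s3:DataAccessPointAccount and
s3:DataAccessPointArn are real IAM/S3 condition keys."""
from typing import Dict, List

ACCOUNT = "111122223333"           # placeholder account id
BUCKET = "example-data-bucket"     # placeholder bucket
VPC_ID = "vpc-0example"            # placeholder VPC
VPCE_ID = "vpce-0example"          # placeholder gateway endpoint
REGION = "us-east-1"


def access_point_arn(name: str) -> str:
    return f"arn:aws:s3:{REGION}:{ACCOUNT}:accesspoint/{name}"


def access_point(name: str, prefix: str, principal_arn: str, write: bool) -> Dict:
    """Step 3: an access point bound to the VPC, granting one team one prefix.
    Name/Bucket/VpcConfiguration are CreateAccessPoint fields; Policy is the
    access point policy applied to it afterwards."""
    actions = ["s3:GetObject"] + (["s3:PutObject"] if write else [])
    return {
        "Name": name,
        "Bucket": BUCKET,
        "VpcConfiguration": {"VpcId": VPC_ID},  # network origin = VPC
        "Policy": {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principal_arn},
            "Action": actions,
            "Resource": f"{access_point_arn(name)}/object/{prefix}*",
        }]},
    }


def vpc_endpoint_policy(ap_names: List[str]) -> Dict:
    """Step 1: the endpoint only carries requests made through these access points."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": "*",
        "Condition": {"ArnEquals": {
            "s3:DataAccessPointArn": [access_point_arn(n) for n in ap_names]}},
    }]}


def bucket_policy() -> Dict:
    """Step 2: delegate authorization to access points in this account and
    deny every request that does not arrive through the VPC endpoint."""
    bucket_arn = f"arn:aws:s3:::{BUCKET}"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DelegateToAccessPoints",
         "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "*",
         "Resource": [bucket_arn, f"{bucket_arn}/*"],
         "Condition": {"StringEquals": {"s3:DataAccessPointAccount": ACCOUNT}}},
        {"Sid": "DenyOutsideVpcEndpoint",
         "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": [bucket_arn, f"{bucket_arn}/*"],
         "Condition": {"StringNotEquals": {"aws:SourceVpce": VPCE_ID}}},
    ]}


def denies_outside_vpce(policy: Dict, vpce_id: str) -> bool:
    """Review check: is there a Deny on all S3 actions that fires for any
    request whose aws:SourceVpce is not our endpoint?"""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        allowed = stmt.get("Condition", {}).get("StringNotEquals", {}).get("aws:SourceVpce")
        if allowed is None:
            continue
        allowed = allowed if isinstance(allowed, list) else [allowed]
        if vpce_id in allowed and stmt.get("Action") in ("s3:*", "*"):
            return True
    return False


def weak_bucket_policy() -> Dict:
    """The 'before' state: delegation in place but the direct bucket path is
    still open, so the VPC restriction can be bypassed."""
    pol = bucket_policy()
    pol["Statement"] = [s for s in pol["Statement"] if s["Effect"] != "Deny"]
    return pol
```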
S3 Solution Architecture – Exposing Static Objects

[Diagram: three ways to serve static objects through CloudFront: CloudFront → ALB → EC2 instances backed by EFS (or instance store); CloudFront → S3; CloudFront → EC2 with EBS]

S3 Solution Architecture – Indexing objects in DynamoDB

[Diagram: writes to Amazon S3 trigger a Lambda Function that writes metadata into a DynamoDB Table; an API for object metadata then supports:
- Search by date
- Total storage used by a customer
- List of all objects with certain attributes
- Find all objects uploaded within a date range]

Solution Architecture on AWS – Dynamic vs Static Content

[Diagram: Client → DNS Layer (Route 53). Dynamic content (REST, HTTP server): ALB + EC2 or API Gateway + Lambda, with a Caching & Session Layer (DAX + DynamoDB) and a Database Layer (DynamoDB). Static content: CDN Layer (CloudFront) in front of the Static Assets Layer (S3); uploads go through pre-signed URLs, and S3 events trigger a Lambda Function that indexes the objects]

Caching Section

AWS CloudFront

- Content Delivery Network (CDN)
- Improves read performance, content is cached at the edge
- 216 Point of Presence globally (edge locations)
- DDoS protection, integration with Shield, AWS Web Application Firewall
- Can expose external HTTPS and can talk to internal HTTPS backends

https://aws.amazon.com/cloudfront/features/

CloudFront – Origins

- S3 bucket
  - For distributing files and caching them at the edge
  - Enhanced security with CloudFront Origin Access Identity
  - CloudFront can be used as an ingress (to upload files to S3)
- S3 website
  - Must first enable the bucket as a static S3 website
- Custom Origin (HTTP)
  - Application Load Balancer
  - EC2 instance
  - API Gateway (for more control… otherwise use API Gateway Edge)
  - Any HTTP backend you want
- Possibility to have a primary and secondary origin (HA - Failover)

CloudFront – S3 as an Origin

[Diagram: inside the AWS Cloud, edge locations (Los Angeles, Mumbai, São Paulo, Melbourne) receive requests over the public www and fetch from the origin (S3 bucket) over the private AWS network; the bucket is protected by an Origin Access Identity + S3 bucket policy]

CloudFront – EC2 or ALB as an origin

[Diagram: Edge Location → EC2 Instance (must be public; its security group allows the public IPs of the edge locations). Edge Location → Application Load Balancer (must be public; its security group allows the public IPs of the edge locations) → EC2 Instances (can be private; their security group allows the security group of the load balancer)]

https://d7uri8nf7uskq.cloudfront.net/tools/list-cloudfront-ips

CloudFront vs S3 Cross Region Replication

- CloudFront:
  - Global Edge network
  - Files are cached for a TTL (maybe a day)
  - Great for static content that must be available everywhere
- S3 Cross Region Replication:
  - Must be set up for each region you want replication to happen
  - Files are updated in near real-time
  - Read only
  - Great for dynamic content that needs to be available at low-latency in few regions

CloudFront Geo Restriction

- You can restrict who can access your distribution
  - Whitelist: Allow your users to access your content only if they're in one of the countries on a list of approved countries.
  - Blacklist: Prevent your users from accessing your content if they're in one of the countries on a blacklist of banned countries.
- The "country" is determined using a 3rd party Geo-IP database
- Use case: Copyright Laws to control access to content

CloudFront Signed URL / Signed Cookies

- You want to distribute paid shared content to premium users over the world
- We can use CloudFront Signed URL / Cookie. We attach a policy with:
  - Includes URL expiration
  - Includes IP ranges to access the data from
  - Trusted signers (which AWS accounts can create signed URLs)
- How long should the URL be valid for?
  - Shared content (movie, music): make it short (a few minutes)
  - Private content (private to the user): you can make it last for years
- Signed URL = access to individual files (one signed URL per file)
- Signed Cookies = access to multiple files (one signed cookie for many files)

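An added example (not course code) of what the policy attached to a CloudFront signed URL looks like, as described on this slide: an expiry, an optional source-IP range and an optional start time, carried either as the canned Expires parameter or as a Policy parameter, signed and encoded with CloudFront's URL-safe base64 mapping. The signer is injected because a real signature is RSA-SHA1 with the trusted key pair's private key; the stand-in signer here is a placeholder so the block runs offline, and any distribution domain or key pair id used with it is a constructed example. The decoder at the end is the piece a reviewer uses to read the policy out of a signed URL found in access logs.

```python
"""Added example, not course code: building a CloudFront signed URL the way
the slide describes (a policy carrying an expiry and optional IP range,
signed with the trusted signer's key pair) plus a decoder to inspect the
policy of a URL seen in logs. The URL-safe base64 mapping ('+'->'-',
'='->'_', '/'->'~') and the Expires/Policy/Signature/Key-Pair-Id parameters
are CloudFront's. The signer is injected; placeholder_signer is NOT a real
signature (that would be an RSA-SHA1 signature over the policy bytes made
with the key pair's private key)."""
import base64
import hashlib
import json
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

Signer = Callable[[bytes], bytes]


def cf_b64(raw: bytes) -> str:
    """CloudFront's URL-safe variant of base64."""
    return (base64.b64encode(raw).decode("ascii")
            .replace("+", "-").replace("=", "_").replace("/", "~"))


def cf_b64_decode(text: str) -> bytes:
    return base64.b64decode(text.replace("-", "+").replace("_", "=").replace("~", "/"))


def build_policy(resource: str, expires_at: int, ip_range: Optional[str] = None,
                 not_before: Optional[int] = None) -> str:
    """Compact JSON policy: canned when only DateLessThan is present,
    custom when IpAddress and/or DateGreaterThan conditions are added."""
    cond: Dict = {"DateLessThan": {"AWS:EpochTime": int(expires_at)}}
    if ip_range:
        cond["IpAddress"] = {"AWS:SourceIp": ip_range}
    if not_before is not None:
        cond["DateGreaterThan"] = {"AWS:EpochTime": int(not_before)}
    return json.dumps({"Statement": [{"Resource": resource, "Condition": cond}]},
                      separators=(",", ":"))


def signed_url(resource: str, key_pair_id: str, signer: Signer, expires_at: int,
               ip_range: Optional[str] = None, not_before: Optional[int] = None) -> str:
    """Canned policies travel as Expires=..., custom policies as Policy=...;
    both carry Signature and Key-Pair-Id (the trusted signer's public key id)."""
    policy = build_policy(resource, expires_at, ip_range, not_before)
    signature = cf_b64(signer(policy.encode("utf-8")))
    canned = ip_range is None and not_before is None
    params = ({"Expires": str(expires_at)} if canned
              else {"Policy": cf_b64(policy.encode("utf-8"))})
    params.update({"Signature": signature, "Key-Pair-Id": key_pair_id})
    sep = "&" if "?" in resource else "?"
    return f"{resource}{sep}{urlencode(params)}"


def inspect_url(url: str) -> Dict:
    """Recover the policy a signed URL carries (custom policy decoded, canned
    policy rebuilt from Expires), e.g. when reviewing URLs found in logs."""
    qs = parse_qs(urlsplit(url).query)
    if "Policy" in qs:
        return json.loads(cf_b64_decode(qs["Policy"][0]))
    base = url.split("?", 1)[0]
    return json.loads(build_policy(base, int(qs["Expires"][0])))


def lifetime_seconds(policy: Dict) -> int:
    """DateLessThan minus DateGreaterThan (0 when no start time is set)."""
    cond = policy["Statement"][0]["Condition"]
    end = cond["DateLessThan"]["AWS:EpochTime"]
    start = cond.get("DateGreaterThan", {}).get("AWS:EpochTime", 0)
    return end - start


def placeholder_signer(data: bytes) -> bytes:
    """Stand-in so the example runs offline; NOT a valid CloudFront signature."""
    return hashlib.sha1(b"placeholder-key:" + data).digest()
```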
CloudFront Signed URL Diagram

[Diagram: the client authenticates to the application (authentication + authorization); the application uses the AWS SDK to generate a Signed URL and returns it; the client presents the Signed URL to an Amazon CloudFront edge location, which fetches the object from Amazon S3 through an OAI]

CloudFront Signed URL vs S3 Pre-Signed URL

- CloudFront Signed URL:
  - Allow access to a path, no matter the origin
  - Account wide key-pair, only the root can manage it
  - Can filter by IP, path, date, expiration
- S3 Pre-Signed URL:
  - Issue a request as the person who pre-signed the URL
  - Uses the IAM key of the signing IAM principal
  - Limited lifetime