AWS Certified Solutions Architect Professional Slides v13

Setting the right expectations for this course

- This course is all slides based
- I'm assuming you have experience using AWS
- No hands-on will come with the course. You should know the basics
- It's fast paced. Your time is valuable. Feel free to slow me down to 0.75x
- If you just passed the AWS Certified Solutions Architect Associate cert, I recommend you go through AWS Certified Developer, SysOps & DevOps. I know you are eager to get the SAP certification, but take your time
- The AWS knowledge needed for the SA Pro exam is extremely similar to the knowledge for the SAA
- The questions are more complex, and knowing details is very important
- It's possible that multiple answers are correct, but one is the most appropriate
© Stephane Maarek

Practice Exams

- This course does not come with practice exams
- I recommend you look on Udemy for extra practice exams
- I really want to focus this course on the knowledge needed
- I may come up with a practice exam at some point (to be purchased separately)
- Warning: this course is on the NEW CERTIFICATION (SAP-C01). You may see outdated content in other practice exams, other courses, etc.
- This course is not incomplete, it's more targeted towards the knowledge you actually need to know to pass the exam

IAM – What should you know by now

- Users: long term credentials
- Groups
- Roles: short-term credentials, uses STS
  - EC2 Instance Roles: uses the EC2 metadata service. One role at a time per instance
  - Service Roles: API Gateway, CodeDeploy, etc.
  - Cross Account roles
- Policies
  - AWS Managed
  - Customer Managed
  - Inline Policies
- Resource Based Policies (S3 bucket, SQS queue, etc.)

IAM Policies Deep Dive

- Anatomy of a policy: JSON doc with Effect, Action, Resource, Conditions, Policy Variables
- Explicit DENY has precedence over ALLOW: a Deny in any applicable policy overrides every Allow, and a request that matches no Allow at all is implicitly denied
- Best practice: use least privilege for maximum security
- Access Advisor: see permissions granted and when last accessed
- Access Analyzer: analyze resources that are shared with an external entity
- Navigate examples at: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_examples.html

IAM AWS Managed Policies: AdministratorAccess

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "*",
          "Resource": "*"
        }
      ]
    }

IAM AWS Managed Policies: PowerUserAccess

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "NotAction": [
            "iam:*",
            "organizations:*",
            "account:*"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "iam:CreateServiceLinkedRole",
            "iam:DeleteServiceLinkedRole",
            "iam:ListRoles",
            "organizations:DescribeOrganization",
            "account:ListRegions"
          ],
          "Resource": "*"
        }
      ]
    }

Note how "NotAction" is used instead of Deny: the first statement allows everything except the listed services, and the second grants back the few IAM, Organizations and Account actions a power user still needs. NotAction is an Allow with exclusions, not a Deny: another policy attached to the same principal can still grant "iam:*", and only an explicit Deny statement would block it.

IAM Policies Conditions

    "Condition": { "{ConditionOperator}": { "{ConditionKey}": "{ConditionValue}" } }

Several keys inside one Condition are ANDed; several values listed for one key are ORed.

Operators:
- String (StringEquals, StringNotEquals, StringLike...)
  - "Condition": {"StringEquals": {"aws:PrincipalTag/job-category": "iamuser-admin"}}
  - "Condition": {"StringLike": {"s3:prefix": [ "", "home/", "home/${aws:username}/" ]}}
- Numeric (NumericEquals, NumericNotEquals, NumericLessThan...)
- Date (DateEquals, DateNotEquals, DateLessThan...)
- Boolean (Bool):
  - "Condition": {"Bool": {"aws:SecureTransport": "true"}}
  - "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
- (Not)IpAddress:
  - "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}
- ArnEquals, ArnLike
- Null: "Condition":{"Null":{"aws:TokenIssueTime":"true"}}
  - "true" matches when the key is absent from the request; aws:TokenIssueTime is only present for temporary (STS) credentials, so this condition singles out calls made with long-term access keys

IAM Policies Variables and Tags

- Example: ${aws:username}
  - "Resource": ["arn:aws:s3:::mybucket/${aws:username}/*"]
- AWS Specific: aws:CurrentTime, aws:TokenIssueTime, aws:principaltype, aws:SecureTransport, aws:SourceIp, aws:userid, ec2:SourceInstanceARN
- Service Specific: s3:prefix, s3:max-keys, s3:x-amz-acl, sns:Endpoint, sns:Protocol...
- Tag Based: iam:ResourceTag/key-name, aws:PrincipalTag/key-name...
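The three slides above (policy anatomy, condition operators, policy variables) can be exercised with the small evaluator below. It is an added example written for this page, not AWS code and not the course author's: it models only the rules stated on the slides (default deny, explicit Deny wins, Action/NotAction and Resource wildcards, ${aws:username} substitution, and the StringEquals/StringNotEquals/StringLike/Bool/IpAddress/NotIpAddress/Null operators). The sample policies and request contexts are constructed for the demo; real IAM also evaluates resource policies, permission boundaries, SCPs and many more operators and keys.

```python
"""Minimal IAM policy evaluator: added example, not AWS code.

Models the rules the slides describe: nothing is allowed by default, an
explicit Deny beats any Allow, Action/NotAction and Resource use the '*'
and '?' wildcards, ${key} policy variables are filled from the request
context, and a handful of condition operators are checked. Real IAM has
more operators, more context keys and more policy layers; this is a
teaching model. The sample policies at the bottom are constructed.
"""
import fnmatch
import ipaddress
import re

VAR_RE = re.compile(r"\$\{([A-Za-z0-9:_/.-]+)\}")


def as_list(x):
    return x if isinstance(x, list) else [x]


def substitute(text, ctx):
    """Replace ${aws:username}-style variables with request-context values."""
    return VAR_RE.sub(lambda m: str(ctx.get(m.group(1), "")), text)


def glob(pattern, value):
    """IAM wildcard match: '*' any run of characters, '?' exactly one."""
    return fnmatch.fnmatchcase(value, pattern)


def condition_holds(cond, ctx):
    """All operator blocks and all keys must hold (AND); listed values are ORed."""
    for op, keys in cond.items():
        for key, wanted in keys.items():
            wanted = [substitute(str(w), ctx) for w in as_list(wanted)]
            actual = ctx.get(key)
            if op == "Null":
                # "true" matches when the key is absent from the request context
                if (actual is None) != (wanted[0].lower() == "true"):
                    return False
                continue
            if actual is None:          # a missing key fails every other operator
                return False
            actual = str(actual)
            if op == "StringEquals":
                ok = actual in wanted
            elif op == "StringNotEquals":
                ok = actual not in wanted
            elif op == "StringLike":
                ok = any(glob(w, actual) for w in wanted)
            elif op == "Bool":
                ok = actual.lower() == wanted[0].lower()
            elif op in ("IpAddress", "NotIpAddress"):
                inside = any(ipaddress.ip_address(actual) in ipaddress.ip_network(w)
                             for w in wanted)
                ok = inside if op == "IpAddress" else not inside
            else:
                raise ValueError(f"operator {op} is not modelled here")
            if not ok:
                return False
    return True


def statement_matches(stmt, action, resource, ctx):
    """Does this statement apply to the request (action, resource, conditions)?"""
    if "Action" in stmt:
        if not any(glob(a.lower(), action.lower()) for a in as_list(stmt["Action"])):
            return False
    elif any(glob(a.lower(), action.lower()) for a in as_list(stmt["NotAction"])):
        return False                    # NotAction: the statement covers everything else
    resources = [substitute(r, ctx) for r in as_list(stmt.get("Resource", "*"))]
    if not any(glob(r, resource) for r in resources):
        return False
    return condition_holds(stmt.get("Condition", {}), ctx)


def evaluate(policies, action, resource, ctx):
    """'Deny' if any matching statement denies, 'Allow' if one allows, else implicit 'Deny'."""
    allowed = False
    for policy in policies:
        for stmt in as_list(policy["Statement"]):
            if statement_matches(stmt, action, resource, ctx):
                if stmt["Effect"] == "Deny":
                    return "Deny"       # explicit deny always wins
                allowed = True
    return "Allow" if allowed else "Deny"


# Constructed sample policies echoing the slide snippets.
HOME_DIR_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::mybucket",
     "Condition": {"StringLike": {"s3:prefix": ["", "home/", "home/${aws:username}/"]}}},
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::mybucket/${aws:username}/*"},
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]}
POWER_USER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "NotAction": ["iam:*", "organizations:*", "account:*"], "Resource": "*"},
]}
OFFICE_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"Null": {"aws:TokenIssueTime": "true"}}},   # refuse long-term keys
]}
```

Run `evaluate([HOME_DIR_POLICY], "s3:GetObject", "arn:aws:s3:::mybucket/alice/report.csv", {"aws:username": "alice", "aws:SecureTransport": "true"})` to see the username variable confine each user to its own prefix; flipping aws:SecureTransport to "false" makes the Deny statement match and override the Allow.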

IAM Roles vs Resource Based Policies

- Attach a policy to a resource (example: S3 bucket policy) versus attaching a policy to a role and using the role as a proxy

[Diagram: a user in Account A assumes a role in Account B to reach an S3 bucket in Account B, versus a user in Account A reaching the Account B bucket directly through a bucket policy that names the Account A principal]

IAM Roles vs Resource Based Policies

- When you assume a role (user, application or service), you give up your original permissions and take the permissions assigned to the role
- When using a resource based policy, the principal doesn't have to give up any permissions
- Example: a user in Account A needs to scan a DynamoDB table in Account A and dump it in an S3 bucket in Account B. With a bucket policy on the Account B bucket the user keeps its Account A permissions (the table scan) while writing cross-account; with an assumed role in Account B it would lose the DynamoDB access for the duration of the session
- Supported by: Amazon S3 buckets, SNS topics, SQS queues, among other services

Using STS to Assume a Role

- Define an IAM Role within your account or cross-account
- Define which principals can access this IAM Role (the role's trust policy)
- Use AWS STS (Security Token Service) to retrieve credentials and impersonate the IAM Role you have access to (AssumeRole API)
- Temporary credentials can be valid from 15 minutes up to the role's maximum session duration (1 hour by default, configurable up to 12 hours; role chaining, assuming a role with credentials obtained from another role, is capped at 1 hour)

[Diagram: an IAM user calls AssumeRole on an IAM role in the same or another account, STS returns temporary credentials, and the user then calls AWS with the role's permissions]

Assuming a Role with STS

- Provide access for an IAM user in one AWS account that you own to access resources in another account that you own
- Provide access to IAM users in AWS accounts owned by third parties
- Provide access for services offered by AWS to AWS resources
- Provide access for externally authenticated users (identity federation)
- Ability to revoke active sessions and credentials for a role (by adding a policy using a time statement – AWSRevokeOlderSessions: the console attaches an inline Deny on all actions with a DateLessThan condition on aws:TokenIssueTime, so every session issued before that moment is refused)
- When you assume a role (user, application or service), you give up your original permissions and take the permissions assigned to the role

Cross account access with STS

[Diagram reconstructed from the slide: a Development Account with groups Developers and Testers, and a Production Account with the role UpdateApp and the S3 bucket productionapp]

1. The Production account admin creates the UpdateApp role, grants it access to the productionapp bucket, and trusts the Development account in the role's trust policy
2. The Development account admin grants members of the Developers group permission to assume the UpdateApp role (the Testers group is not granted it)
3. A developer requests access to the role (sts:AssumeRole)
4. STS returns the role credentials
5. The developer accesses the S3 bucket productionapp using the role credentials

The confused deputy

[Diagram slide; only the title survived extraction]

A confused deputy is a service that legitimately holds permissions on your account (for example a vendor's role that assumes a role in your account to do work for you) and that a third party tricks into using those permissions on the third party's behalf. The mitigation on AWS is an sts:ExternalId condition in the role's trust policy: the deputy must present the value agreed with you, so a request it makes for another customer cannot be pointed at your role.
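The AssumeRole mechanics from the previous STS slides and the ExternalId defence described above, as an added example for this page (not AWS's SDK or STS, and not the course author's code). It simulates the trust-policy check, the 15-minute minimum and per-role maximum session length, credentials that carry only the role's permissions, and the sts:ExternalId comparison. All ARNs, permission sets and the external ID are constructed for the demo.

```python
"""Simulated STS AssumeRole: added example, not the AWS SDK or STS itself.

Shows what the STS slides describe: the role's trust policy decides which
principal may assume it, the caller gets short-lived credentials that carry
only the role's permissions (its own are left behind for that session), the
session length is bounded by STS's 15-minute minimum and the role's maximum,
and an sts:ExternalId condition on the trust policy closes the confused
deputy hole when a third party assumes a role on your behalf.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Optional

MIN_DURATION = 900               # STS minimum: 15 minutes
DEFAULT_MAX_SESSION = 3600       # 1 hour unless the role's MaxSessionDuration is raised


class AccessDenied(Exception):
    pass


@dataclass
class Role:
    arn: str
    trusted_principals: set            # Principal element of the trust policy
    permissions: set                   # actions the role's permission policy allows
    external_id: Optional[str] = None  # required sts:ExternalId, if the trust policy sets one
    max_session: int = DEFAULT_MAX_SESSION


@dataclass
class Credentials:
    access_key_id: str
    secret_access_key: str
    session_token: str
    expiration: float
    role_arn: str


@dataclass
class Principal:
    arn: str
    permissions: set                   # the caller's own permissions, unused once it assumes


def assume_role(role, caller, external_id=None, duration=3600, now=None):
    """Return temporary credentials if the trust policy admits the caller."""
    now = time.time() if now is None else now
    if caller.arn not in role.trusted_principals:
        raise AccessDenied(f"{caller.arn} is not trusted by {role.arn}")
    if role.external_id is not None and external_id != role.external_id:
        # Confused deputy defence: a deputy (e.g. a vendor's service) acting for
        # many customers must pass the ID agreed with *this* customer, so a request
        # it makes on another customer's behalf cannot be steered at this role.
        raise AccessDenied("sts:ExternalId condition not satisfied")
    if not MIN_DURATION <= duration <= role.max_session:
        raise ValueError(f"DurationSeconds must be in [{MIN_DURATION}, {role.max_session}]")
    return Credentials(
        access_key_id="ASIA" + secrets.token_hex(8).upper(),   # ASIA prefix marks temporary keys
        secret_access_key=secrets.token_urlsafe(30),
        session_token=secrets.token_urlsafe(48),
        expiration=now + duration,
        role_arn=role.arn,
    )


def session_permissions(creds, role, now=None):
    """What the session can do: the role's permissions, never the caller's own."""
    now = time.time() if now is None else now
    if creds.role_arn != role.arn or now >= creds.expiration:
        return set()                   # expired or foreign credentials grant nothing
    return set(role.permissions)


# Constructed demo: a developer in the Development account assumes UpdateApp in Production,
# and a vendor's service assumes an audit role that requires an external ID.
DEVELOPER = Principal("arn:aws:iam::111111111111:user/dev-alice", {"s3:ListAllMyBuckets"})
UPDATE_APP = Role(
    arn="arn:aws:iam::222222222222:role/UpdateApp",
    trusted_principals={DEVELOPER.arn},
    permissions={"s3:GetObject", "s3:PutObject"},
)
VENDOR = Principal("arn:aws:iam::333333333333:role/vendor-service", set())
AUDIT_ROLE = Role(
    arn="arn:aws:iam::222222222222:role/VendorAudit",
    trusted_principals={VENDOR.arn},
    permissions={"cloudtrail:LookupEvents"},
    external_id="c0ffee-agreed-out-of-band",   # hypothetical value shared with the vendor
)
```

`assume_role(UPDATE_APP, DEVELOPER)` returns credentials whose `session_permissions` are exactly the role's two S3 actions; the developer's own `s3:ListAllMyBuckets` is not available through them, which is the "give up your original permissions" point from the slides.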

STS Important APIs

- AssumeRole: access a role within your account or cross-account
- AssumeRoleWithSAML: return credentials for users logged with SAML
- AssumeRoleWithWebIdentity: return creds for users logged with an IdP
  - Example providers include Amazon Cognito, Login with Amazon, Facebook, Google, or any OpenID Connect-compatible identity provider
  - AWS recommends using Cognito instead
- GetSessionToken: for MFA, from a user or AWS account root user
- GetFederationToken: obtain temporary creds for a federated user, usually a proxy app that will give the creds to a distributed app inside a corporate network

Identity Federation in AWS

- Federation lets users outside of AWS assume a temporary role for accessing AWS resources
- These users assume an access role provided through the identity provider
- Federation can have many flavors:
  - SAML 2.0
  - Custom Identity Broker
  - Web Identity Federation with Amazon Cognito
  - Web Identity Federation without Amazon Cognito
  - Single Sign On
  - Non-SAML with AWS Microsoft AD
- Using federation, you don't need to create IAM users (user management is outside of AWS)

[Diagram: a 3rd party user authenticates at the identity provider, obtains temporary credentials from STS, and accesses AWS resources with the role]

SAML 2.0 Federation

- To integrate Active Directory / ADFS with AWS (or any SAML 2.0)
- Provides access to AWS Console or CLI (through temporary creds)
- No need to create an IAM user for each of your employees

[Diagram slide]
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html

SAML 2.0 Federation – Active Directory FS

- Same process as with any SAML 2.0 compatible IdP

[Diagram slide]
https://aws.amazon.com/blogs/security/aws-federated-authentication-with-active-directory-federation-services-ad-fs/

SAML 2.0 Federation

- You need to set up a trust between AWS IAM and the SAML IdP (both ways)
- SAML 2.0 enables web-based, cross domain SSO
- Uses the STS API: AssumeRoleWithSAML
- Note: federation through SAML is the "old way" of doing things
- Amazon Single Sign On (SSO) Federation is the new managed and simpler way
- Read more here: https://aws.amazon.com/blogs/security/enabling-federation-to-aws-using-windows-active-directory-adfs-and-saml-2-0/

Custom Identity Broker Application

- Use only if identity provider is not compatible with SAML 2.0
- The identity broker must determine the appropriate IAM policy
- Uses the STS API: AssumeRole or GetFederationToken
- The broker authenticates the user itself and calls STS with its own long-term credentials, so it is a sensitive component: it must be hardened and must never vend credentials without first verifying the user

[Diagram slide]
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_federated-users.html

Web Identity Federation – AWS Cognito

- Preferred way for Web Identity Federation
- Create IAM Roles using Cognito with the least privilege needed
- Build trust between the OIDC IdP and AWS
- Cognito benefits:
  - Support for anonymous users
  - Support for MFA
  - Data synchronization
- Cognito replaces a Token Vending Machine (TVM)

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_cognito.html

Web Identity Federation – IAM Policy

- After being authenticated with Web Identity Federation, you can identify the user with an IAM policy variable
- Examples:
  - cognito-identity.amazonaws.com:sub
  - www.amazon.com:user_id
  - graph.facebook.com:id
  - accounts.google.com:sub

What is Microsoft Active Directory (AD)?

- Found on any Windows Server with AD Domain Services
- Database of objects: User Accounts, Computers, Printers, File Shares, Security Groups
- Centralized security management, create account, assign permissions
- Objects are organized in trees
- A group of trees is a forest

[Diagram: a Domain Controller holding the directory database, with a user entry (John) and its password]

What is ADFS (AD Federation Services)?

- ADFS: provide single sign-on across applications
- SAML across 3rd party: AWS Console, Dropbox, Office365, etc.

[Diagram slide]
https://aws.amazon.com/blogs/security/how-to-establish-federated-access-to-your-aws-resources-by-using-active-directory-user-attributes/

AWS Directory Services

- AWS Managed Microsoft AD
  - Create your own AD in AWS, manage users locally, supports MFA
  - Establish "trust" connections with your on-premise AD
- AD Connector
  - Directory Gateway (proxy) to redirect to on-premise AD
  - Users are managed on the on-premise AD
- Simple AD
  - AD-compatible managed directory on AWS
  - Cannot be joined with on-premise AD

[Diagram: AWS Managed AD authenticating users itself and trusting the on-premise AD; AD Connector proxying authentication to the on-premise AD; Simple AD standalone]

AWS Directory Services: AWS Managed Microsoft AD

- Managed Service: Microsoft AD in your AWS VPC
- EC2 Windows instances can join the domain and run traditional AD applications (SharePoint, etc)
- Seamlessly Domain Join Amazon EC2 Instances from Multiple Accounts & VPCs
- Integrations:
  - RDS for SQL Server, AWS Workspaces, Quicksight...
  - AWS SSO to provide access to 3rd party applications
- Standalone repository in AWS or joined to on-premise AD
- Multi AZ deployment of AD in 2 AZ, # of DC (Domain Controllers) can be increased for scaling
- Automated backups

[Diagram: AWS Managed Microsoft AD with domain controllers across two Availability Zones in the VPC, and EC2 Windows instances joined to the domain]

AWS Microsoft Managed AD – Integrations

[Diagram: AWS Managed Microsoft AD at the center, extended on-premise through a forest trust with the on-premise AD; Windows EC2 instances and traditional AD applications (.NET apps, SharePoint, SQL Server) joined to the domain; AWS services (RDS, WorkSpaces, QuickSight, Connect, WorkDocs, Single Sign-On...) integrated through the directory]

Connect to on-premise AD

- Ability to connect your on-premise Active Directory to AWS Managed Microsoft AD
- Must establish a Direct Connect (DX) or VPN connection
- Can setup three kinds of forest trust:
  - One way trust: AWS => On-Premise
  - One way trust: On-Premise => AWS
  - Two-way forest trust: AWS <=> On-Premise
- Forest trust is different than synchronization (replication is not supported)

[Diagram: on-premise Microsoft AD reached over Site-to-Site VPN or Direct Connect, with a forest trust to AWS Managed Microsoft AD in the VPC; EC2 instances domain-joined (seamless join) and traditional AD apps running on AWS]

Solution Architecture: Active Directory Replication

- You may want to create a replica of your AD on EC2 in the cloud to minimize latency or in case DX or VPN goes down
- Establish trust between the AWS Managed Microsoft AD and the EC2 replica

[Diagram: on-premise Microsoft AD (domain onpremAD.example.com) replicates to a self-managed replica Microsoft AD on EC2 in the VPC (same domain), which has a trust with AWS Managed Microsoft AD (domain awsAD.example.com)]

AWS Directory Services: AD Connector

- AD Connector is a directory gateway to redirect directory requests to your on-premises Microsoft Active Directory
- No caching capability
- Manage users solely on-premise, no possibility of setting up a trust
- VPN or Direct Connect
- Doesn't work with SQL Server, doesn't do seamless joining, can't share directory

https://aws.amazon.com/blogs/security/how-to-connect-your-on-premises-active-directory-to-aws-using-ad-connector/

AWS Directory Services: Simple AD

- Simple AD is an inexpensive Active Directory–compatible service with the common directory features
- Supports joining EC2 instances, managing users and groups
- Does not support MFA, RDS SQL server, AWS SSO
- Small: 500 users, large: 5000 users
- Powered by Samba 4, compatible with Microsoft AD
- Lower cost, low scale, basic AD compatible, or LDAP compatibility
- No trust relationship

AWS Organizations

- Master accounts must invite existing accounts to become Child Accounts
- Master accounts can also create new Child Accounts directly
- Master can access child accounts using:
  - CloudFormation StackSets to create IAM roles in target accounts
  - Assume the roles using the STS Cross Account capability
- Strategy to create a dedicated account for logging or security
- API is available to automate AWS account creation
- Integration with AWS Single Sign-On (SSO)

AWS Organizations - Features

- Consolidated billing features:
  - Consolidated Billing across all accounts - single payment method
  - Pricing benefits from aggregated usage (volume discount for EC2, S3...)
- All Features (Default):
  - Includes consolidated billing features
  - You can use SCP
  - Invited accounts must approve enabling all features
  - Ability to apply an SCP to prevent member accounts from leaving the org
  - Can't switch back to Consolidated Billing Features only

Multi Account Strategies

- Create accounts per department, per cost center, per dev / test / prod, based on regulatory restrictions (using SCP), for better resource isolation (ex: VPC), to have separate per-account service limits, isolated account for logging
- Multi Account vs One Account Multi VPC
- Use tagging standards for billing purposes
- Enable CloudTrail on all accounts, send logs to central S3 account
- Send CloudWatch Logs to central logging account
- Establish Cross Account Roles for Admin purposes

Organizational Units (OU) - Examples

[Diagram: three example OU layouts: by Business Unit, by Environmental Lifecycle, Project-Based]
https://aws.amazon.com/answers/account-management/aws-multi-account-billing-strategy/

AWS Organization

[Diagram: a Root OU containing the Master Account, a Dev OU and a Prod OU, with a Finance OU and an HR OU nested below]

Service Control Policies (SCP)

- Whitelist or blacklist IAM actions
- Applied at the OU or Account level
- Does not apply to the Master Account
- SCP is applied to all the Users and Roles of the Account, including Root user
- The SCP does not affect service-linked roles
  - Service-linked roles enable other AWS services to integrate with AWS Organizations and can't be restricted by SCPs
- SCP must have an explicit Allow (does not allow anything by default)
- SCPs are guardrails, not grants: an action must be allowed by the SCPs at every level from the root down to the account, and then by the principal's own IAM policies, before it succeeds
- Use cases:
  - Restrict access to certain services (for example: can't use EMR)
  - Enforce PCI compliance by explicitly disabling services

SCP Hierarchy

[Diagram reconstructed from the slide: Root OU with the FullAWSAccess SCP; under it the Master Account (a DenyAccessAthena SCP is attached but not enforced) and a Prod OU with the DenyRedshift SCP; under the Prod OU, Account A (with an AuthorizeRedshift SCP), an HR OU with the DenyAWSLambda SCP containing Account B, and a Finance OU containing Account C]

- Master Account
  - Can do anything (no SCP apply)
- Account A
  - Can do anything
  - EXCEPT access Redshift (explicit Deny from the Prod OU; the AuthorizeRedshift SCP attached to the account itself cannot override a Deny inherited from a parent)
- Account B
  - Can do anything
  - EXCEPT access Redshift (explicit Deny from Prod OU)
  - EXCEPT access Lambda (explicit Deny from HR OU)
- Account C
  - Can do anything
  - EXCEPT access Redshift (explicit Deny from Prod OU)

IAM Policy Evaluation Logic

[Diagram slide: the evaluation flow chart from the IAM User Guide]

In short: the request is denied by default; an explicit Deny in any applicable policy ends the evaluation; otherwise an Allow is required from the identity-based or resource-based policy, and it only counts if SCPs, permissions boundaries and session policies (when present) also allow the action.

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html
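The SCP rules from the previous slides (SCP Hierarchy and the evaluation order above) written out as code, as an added example for this page rather than AWS's or the course author's. The organization tree is constructed to mirror the SCP Hierarchy slide; the `decision()` function applies the same Deny-wins, Allow-required logic to SCPs and to IAM policies, and `effective()` chains them the way the evaluation-logic page describes, including the two special cases from the SCP slide (the management account is exempt, the member account's root user is not).

```python
"""Effective permissions under Organizations SCPs: added example, not AWS code.

Encodes the evaluation rules from the SCP slides: an action must be allowed
by the SCPs attached at every level from the root OU down to the account
(an SCP never grants by itself, and an explicit Deny at any level wins), the
management (master) account is exempt, the account's root user is still
subject to SCPs, and finally the principal's own IAM policy must allow the
action. The org tree mirrors the SCP Hierarchy slide and is constructed here.
"""
import fnmatch


def as_list(x):
    return x if isinstance(x, list) else [x]


def action_matches(patterns, action):
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in as_list(patterns))


def decision(policies, action):
    """Deny if any statement denies, Allow if one allows, otherwise implicit Deny.
    Used both for the SCPs attached at one level and for IAM policies."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if action_matches(stmt["Action"], action):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                allowed = True
    return "Allow" if allowed else "Deny"


# SCPs named as on the slide (constructed bodies).
FULL_AWS_ACCESS = {"Name": "FullAWSAccess", "Statement": [{"Effect": "Allow", "Action": "*"}]}
DENY_REDSHIFT = {"Name": "DenyRedshift", "Statement": [{"Effect": "Deny", "Action": "redshift:*"}]}
DENY_LAMBDA = {"Name": "DenyAWSLambda", "Statement": [{"Effect": "Deny", "Action": "lambda:*"}]}
AUTHORIZE_REDSHIFT = {"Name": "AuthorizeRedshift",
                      "Statement": [{"Effect": "Allow", "Action": "redshift:*"}]}
ADMIN = {"Statement": [{"Effect": "Allow", "Action": "*"}]}     # an IAM policy on a user/role

MANAGEMENT_ACCOUNT = "Master"
PARENT = {"Master": "Root", "Prod OU": "Root", "Account A": "Prod OU", "HR OU": "Prod OU",
          "Finance OU": "Prod OU", "Account B": "HR OU", "Account C": "Finance OU"}
# FullAWSAccess is attached by default to every OU and account when SCPs are enabled.
ATTACHED = {node: [FULL_AWS_ACCESS] for node in ["Root", *PARENT]}
ATTACHED["Prod OU"].append(DENY_REDSHIFT)
ATTACHED["HR OU"].append(DENY_LAMBDA)
ATTACHED["Account A"].append(AUTHORIZE_REDSHIFT)   # cannot undo the Deny inherited from Prod OU


def path_to_root(node):
    path = [node]
    while path[-1] in PARENT:
        path.append(PARENT[path[-1]])
    return path


def scp_allows(account, action):
    """Every level from the account up to the root must independently allow the action."""
    if account == MANAGEMENT_ACCOUNT:
        return True                        # SCPs never apply to the management account
    return all(decision(ATTACHED[node], action) == "Allow" for node in path_to_root(account))


def effective(account, action, iam_policies=(), root_user=False):
    """Final decision for a principal in `account`; root_user skips IAM but not SCPs."""
    if not scp_allows(account, action):
        return "Deny"
    if root_user:
        return "Allow"
    return decision(iam_policies, action)


def blocked_services(account, services=("redshift", "lambda", "ec2", "s3")):
    """Which of the given services the SCP guardrails close off for an account."""
    return sorted(s for s in services if not scp_allows(account, f"{s}:*"))
```

`blocked_services("Account B")` returns `["lambda", "redshift"]`, reproducing the slide's two exceptions for Account B, and `effective("Account A", "redshift:CreateCluster", [ADMIN])` is `"Deny"` even though both the account's own SCP and its IAM policy allow Redshift.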

AWS Organizations – Reserved Instances

- For billing purposes, the consolidated billing feature of AWS Organizations treats all the accounts in the organization as one account.
- This means that all accounts in the organization can receive the hourly cost benefit of Reserved Instances that are purchased by any other account.
- The payer account (master account) of an organization can turn off Reserved Instance (RI) discount and Savings Plans discount sharing for any accounts in that organization, including the payer account
- This means that RIs and Savings Plans discounts aren't shared between any accounts that have sharing turned off.
- To share an RI or Savings Plans discount with an account, both accounts must have sharing turned on.

AWS Resource Access Manager (RAM)

- Share AWS resources that you own with other AWS accounts
- Share with any account or within your Organization
- Avoid resource duplication!
- VPC Subnets:
  - Allow to have all the resources launched in the same subnets
  - Must be from the same AWS Organization
  - Cannot share security groups and default VPC
  - Participants can manage their own resources in there
  - Participants can't view, modify, delete resources that belong to other participants or the owner
- AWS Transit Gateway
- Route53 Resolver Rules
- License Manager Configurations

AWS Single Sign-On (SSO)

- Centrally manage Single Sign-On to access multiple accounts and 3rd-party business applications.
- Integrated with AWS Organizations
- Supports SAML 2.0 markup
- Integration with on-premise Active Directory
- Centralized permission management
- Centralized auditing with CloudTrail

https://aws.amazon.com/blogs/security/introducing-aws-single-sign-on/

AWS Single Sign-On (SSO) – Setup with AD

Options for integration:
1. Standalone AWS Managed Microsoft AD
2. AD Connector to on-premise AD
3. AWS Managed Microsoft AD with two-way forest trust with on-premise AD

SSO – vs AssumeRoleWithSAML

[Diagram comparing the two flows: with AssumeRoleWithSAML, the browser logs in at a 3rd party IdP (SAML 2.0 compatible) login portal backed by the identity store, and the SAML assertion is exchanged with STS for credentials; with AWS SSO, the login portal is AWS SSO itself, which integrates with the identity store and brokers access to the AWS accounts]

Summary of Identity & Federation

- Users and Accounts all in AWS
  - AWS Organizations
- Federation with SAML
- Federation without SAML with a custom IdP (GetFederationToken)
- Federation with SSO for multiple accounts with AWS Organizations
- Web Identity Federation (not recommended)
- Cognito for most web and mobile applications (has anonymous mode, MFA)
- Active Directory on AWS:
  - Microsoft AD: standalone or setup trust AD with on-premise, has MFA, seamless join, RDS integration
  - AD Connector: proxy requests to on-premise
  - Simple AD: standalone & cheap AD-compatible with no MFA, no advanced capabilities
- Single Sign On to connect to multiple AWS Accounts (Organization) and SAML apps

Security Section

AWS CloudTrail

- Provides governance, compliance and audit for your AWS Account
- CloudTrail is enabled by default!
- Get a history of events / API calls made within your AWS Account by:
  - Console
  - SDK
  - CLI
  - AWS Services
- Can put logs from CloudTrail into CloudWatch Logs
- If a resource is deleted in AWS, look into CloudTrail first!

CloudTrail continued…

- CloudTrail console shows the past 90 days of activity
- The default UI only shows "Create", "Modify" or "Delete" events
- CloudTrail Trail:
  - Get a detailed list of all the events you choose
  - Can include events happening at the object level in S3
  - Ability to store these events in S3 for further analysis
  - Can be region specific or be global & include global events (IAM, etc)

CloudTrail – Solution Architecture: Delivery to S3

[Diagram: CloudTrail delivers log files to an S3 bucket (SSE-S3 by default, or SSE-KMS) every few minutes; the bucket can carry a lifecycle policy to Glacier and S3 event notifications to SQS, SNS or Lambda; CloudTrail can also deliver to CloudWatch Logs]

- S3 Enhancements:
  - Enable Versioning
  - MFA Delete Protection
  - S3 Lifecycle Policy (S3 IA, Glacier...)
  - S3 Object Lock
  - SSE-S3 or SSE-KMS encryption
- Feature to perform CloudTrail Log File Integrity validation (SHA-256 hashes of each log file are recorded in hourly digest files, which CloudTrail signs with SHA-256 RSA so a tampered or deleted log file can be detected)

CloudTrail – Solution Architecture: Multi Account, Multi Region Logging

[Diagram: CloudTrail in Account A and Account B deliver to one S3 bucket in a Security Account, under prefixes such as cloudtrail-bucket/account-A and cloudtrail-bucket/account-B; the bucket policy authorizes the cross-account delivery]

- Observations:
  - The S3 bucket policy is necessary for cross-account delivery
  - If Account A wants to access its CloudTrail files:
    - Option 1: create a cross-account role and assume the role
    - Option 2: edit the bucket policy

CloudTrail – Solution Architecture: Alert for API calls

[Diagram: CloudTrail streams to CloudWatch Logs; Metric Filters feed a CloudWatch Alarm that notifies an SNS topic]

- Log filter metrics can be used to detect a high level of API calls happening
  - Ex: Count occurrences of EC2 TerminateInstances API
  - Ex: Count of API calls per user
  - Ex: Detect high level of Denied API calls
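The three metric-filter ideas on the slide above, run offline over a constructed batch of CloudTrail records. This is an added example for this page, not AWS code and not the course author's: the two filter strings are in the real CloudWatch Logs JSON filter-pattern syntax, `matches()` implements only the subset those patterns use (`$.field` comparisons with `*` wildcards, joined by `&&` or `||`), and `alarm()` applies a threshold the way a CloudWatch alarm on the resulting metric would. The log records carry only the CloudTrail fields the filters need and are sample data, not a real trail.

```python
"""CloudWatch Logs metric-filter style detection over CloudTrail records:
added example, not AWS code.

TERMINATE_FILTER and DENIED_FILTER are written in the CloudWatch Logs JSON
filter-pattern syntax; matches() evaluates the flat subset of that syntax
they use. The records are constructed samples with only the fields needed.
"""
import json
import re
from collections import Counter
from fnmatch import fnmatchcase

TERMINATE_FILTER = '{ ($.eventSource = "ec2.amazonaws.com") && ($.eventName = "TerminateInstances") }'
DENIED_FILTER = '{ ($.errorCode = "AccessDenied") || ($.errorCode = "*UnauthorizedOperation") }'

TERM_RE = re.compile(r'\(\s*\$\.([\w.]+)\s*(=|!=)\s*"([^"]*)"\s*\)')


def lookup(record, path):
    """Resolve a dotted $.a.b path; None when any part is missing."""
    for part in path.split("."):
        if not isinstance(record, dict) or part not in record:
            return None
        record = record[part]
    return record


def matches(pattern, record):
    """Evaluate a pattern made of (...) terms joined by a single kind of operator."""
    terms = TERM_RE.findall(pattern)
    if not terms or ("&&" in pattern and "||" in pattern):
        raise ValueError("only flat patterns joined by one operator are modelled here")
    results = []
    for field, op, wanted in terms:
        actual = lookup(record, field)
        hit = actual is not None and fnmatchcase(str(actual), wanted)
        results.append(hit if op == "=" else not hit)
    return any(results) if "||" in pattern else all(results)


def count_matching(records, pattern):
    """The metric value a filter would emit for one batch of records."""
    return sum(1 for r in records if matches(pattern, r))


def calls_per_user(records):
    """Per-user counts: the metric needs a user dimension, taken from userIdentity."""
    counts = Counter()
    for r in records:
        ident = r.get("userIdentity", {})
        counts[ident.get("userName") or ident.get("arn", "unknown")] += 1
    return counts


def alarm(records, pattern, threshold):
    """True when the metric would breach the alarm threshold in this period."""
    return count_matching(records, pattern) >= threshold


# Constructed CloudTrail-like log delivery (one evaluation period).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "ec2.amazonaws.com", "eventName": "TerminateInstances",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "TerminateInstances",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "errorCode": "Client.UnauthorizedOperation"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/App/i-0abc"},
     "errorCode": "AccessDenied"},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
]})
RECORDS = json.loads(SAMPLE_LOG)["Records"]
```

Note the two spellings of a refusal: EC2 reports `Client.UnauthorizedOperation` while IAM and S3 report `AccessDenied`, which is why the denied-calls filter needs both terms and a leading wildcard.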

CloudTrail: How to react to events the fastest?

- Overall, CloudTrail may take up to 15 minutes to deliver events
- CloudWatch Events:
  - Can be triggered for any API call in CloudTrail
  - The fastest, most reactive way
- CloudTrail Delivery in CloudWatch Logs:
  - Events are streamed
  - Can perform a metric filter to analyze occurrences and detect anomalies
- CloudTrail Delivery in S3:
  - Events are delivered every 5 minutes
  - Possibility of analyzing logs integrity, deliver cross account, long-term storage

AWS KMS (Key Management Service)

- Anytime you hear "encryption" for an AWS service, it's most likely KMS
- Easy way to control access to your data, AWS manages keys for us
- Fully integrated with IAM for authorization
- Seamlessly integrated into:
  - Amazon EBS: encrypt volumes
  - Amazon S3: Server side encryption of objects
  - Amazon Redshift: encryption of data
  - Amazon RDS: encryption of data
  - Amazon SSM: Parameter store
  - Etc...
- But you can also use the CLI / SDK

AWS KMS 101

- The value in KMS is that the CMK used to encrypt data can never be retrieved by the user, and the CMK can be rotated for extra security
- Never ever store your secrets in plaintext, especially in your code!
- Encrypted secrets can be stored in the code / environment variables
- KMS can only help in encrypting up to 4KB of data per call
- If data > 4 KB, use Envelope Encryption: GenerateDataKey returns a data key plus a copy of it encrypted under the CMK; you encrypt the data locally with the data key, store the encrypted data key next to the ciphertext, and call KMS Decrypt on that encrypted key when you need to read the data
- To give access to KMS to someone:
  - Make sure the Key Policy allows the user
  - Make sure the IAM Policy allows the API calls
- Track API calls made to KMS in CloudTrail
! #$%&'()% *((+%,
!
"
#
%
"
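The envelope-encryption pattern the slide prescribes for data above 4 KB, as an added example that is not from the original slides. KMS is replaced by an in-process stand-in that mimics the API shape (GenerateDataKey, Encrypt, Decrypt, the 4096-byte Encrypt limit) and never hands out its master key; the symmetric cipher is an HMAC-SHA256 counter-mode keystream with an HMAC tag, a readable stand-in for AES-GCM and not for production use.

```python
"""Added example: envelope encryption against a stand-in for KMS."""
import hashlib
import hmac
import os
import struct

KMS_MAX_PLAINTEXT = 4096  # KMS Encrypt accepts at most 4 KB per call


def _keystream_xor(key, nonce, data):
    """Toy stream cipher: XOR with HMAC-SHA256(key, nonce || counter) blocks."""
    out = bytearray()
    for start in range(0, len(data), 32):
        ks = hmac.new(key, nonce + struct.pack(">I", start // 32), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], ks))
    return bytes(out)


def _seal(key, plaintext):
    """Encrypt-then-MAC; returns nonce || tag || ciphertext."""
    nonce = os.urandom(16)
    ct = _keystream_xor(key, nonce, plaintext)
    return nonce + hmac.new(key, nonce + ct, hashlib.sha256).digest() + ct


def _open(key, blob):
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return _keystream_xor(key, nonce, ct)


class FakeKMS:
    """Stand-in for the KMS API: master keys (CMKs) never leave this object."""

    def __init__(self):
        self._cmks = {}

    def create_key(self):
        key_id = "cmk-" + os.urandom(4).hex()   # placeholder id format
        self._cmks[key_id] = os.urandom(32)
        return key_id

    def encrypt(self, key_id, plaintext):
        if len(plaintext) > KMS_MAX_PLAINTEXT:
            raise ValueError("KMS Encrypt limit is 4096 bytes; use envelope encryption")
        # The blob carries the key id, so Decrypt needs no key_id (as in KMS).
        return key_id.encode() + b"|" + _seal(self._cmks[key_id], plaintext)

    def decrypt(self, blob):
        key_id, sealed = blob.split(b"|", 1)
        return _open(self._cmks[key_id.decode()], sealed)

    def generate_data_key(self, key_id):
        """Returns (plaintext data key, data key encrypted under the CMK)."""
        data_key = os.urandom(32)
        return data_key, self.encrypt(key_id, data_key)


def envelope_encrypt(kms, key_id, plaintext):
    """Encrypt any size locally with a fresh data key; persist only the
    KMS-wrapped copy of that key next to the ciphertext."""
    data_key, wrapped_key = kms.generate_data_key(key_id)
    return {"encrypted_data_key": wrapped_key, "ciphertext": _seal(data_key, plaintext)}


def envelope_decrypt(kms, envelope):
    """One small KMS Decrypt call recovers the data key; the rest is local."""
    return _open(kms.decrypt(envelope["encrypted_data_key"]), envelope["ciphertext"])


def demo():
    """Round-trip a 14 KB payload, confirm the raw KMS call rejects it, and
    confirm a tampered envelope is refused.  Returns three booleans."""
    kms, payload = FakeKMS(), b"secret " * 2000
    key_id = kms.create_key()
    envelope = envelope_encrypt(kms, key_id, payload)
    roundtrip_ok = envelope_decrypt(kms, envelope) == payload
    try:
        kms.encrypt(key_id, payload)
        direct_rejected = False
    except ValueError:
        direct_rejected = True
    ct = envelope["ciphertext"]
    envelope["ciphertext"] = ct[:-1] + bytes([ct[-1] ^ 1])  # flip one bit
    try:
        envelope_decrypt(kms, envelope)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return roundtrip_ok, direct_rejected, tamper_detected
```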
Types of KMS Keys

- Customer Managed CMK:
  - Create, manage and use, can enable or disable
  - Possibility of rotation policy (new key generated every year, old key preserved)
  - Can add a key policy (resource policy)
  - Leverage for envelope encryption
- AWS managed CMK:
  - Used by AWS services (aws/s3, aws/ebs, aws/redshift)
  - Managed by AWS
AWS Parameter Store

- Secure storage for configuration and secrets
- Optional Seamless Encryption using KMS
- Serverless, scalable, durable, easy SDK, free
- Version tracking of configurations / secrets
- Configuration management using path & IAM
- Notifications with CloudWatch Events
- Integration with CloudFormation
- Can retrieve secrets from Secrets Manager using the SSM Parameter Store API

(Diagram: plaintext configuration is stored in SSM Parameter Store as encrypted configuration; AWS KMS performs the encryption / decryption and permissions control who can read it.)
AWS Parameter Store Hierarchy

- /my-department/
  - my-app/
    - dev/
      - db-url
      - db-password
    - prod/
      - db-url
      - db-password
  - other-app/
- /other-department/
- /aws/reference/secretsmanager/secret_ID_in_Secrets_Manager
- /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2

(Diagram: a Dev Lambda function reads the dev/ parameters and a Prod Lambda function reads the prod/ parameters, using the GetParameters or GetParametersByPath API.)
AWS Secrets Manager

- Newer service, meant for storing secrets
- Capability to force rotation of secrets every X days
- Automate generation of secrets on rotation (uses Lambda)
- Integration with Amazon RDS (MySQL, PostgreSQL, Aurora)
- Secrets are encrypted using KMS
- Mostly meant for RDS integration
RDS - Security

- KMS encryption at rest for underlying EBS volumes / snapshots
- Transparent Data Encryption (TDE) for Oracle and SQL Server
- SSL encryption to RDS is possible for all DB (in-flight)
- IAM authentication for MySQL and PostgreSQL
- Authorization still happens within RDS (not in IAM)
- Can copy an un-encrypted RDS snapshot into an encrypted one
- CloudTrail cannot be used to track queries made within RDS
SSL/TLS - Basics

- SSL refers to Secure Sockets Layer, used to encrypt connections
- TLS refers to Transport Layer Security, which is a newer version
- Nowadays, TLS certificates are mainly used, but people still refer to them as SSL
- Public SSL certificates are issued by Certificate Authorities (CA)
  - Comodo, Symantec, GoDaddy, GlobalSign, Digicert, Letsencrypt, etc…
- SSL certificates have an expiration date (you set) and must be renewed
SSL Encryption – How it works

- Asymmetric encryption is expensive (SSL)
- Symmetric encryption is cheaper
- Asymmetric handshake is used to exchange a per-client random symmetric key
- Possibility of client sending an SSL certificate as well (two-way certificate)

(Diagram, Client <-> Server:)
1. Client sends hello, cipher suites & random
2. Server responds with server random & SSL certificate (Public Key)
3. Client verifies SSL certificate
4. Master Key (symmetric) generated and sent encrypted using the Public Key
5. Server verifies Client SSL cert (optional)
6. Master Key is decrypted using Private Key
7. Secure Symmetric Communication in place
SSL – Server Name Indication (SNI)

- SNI solves the problem of loading multiple SSL certificates onto one web server (to serve multiple websites)
- It's a "newer" protocol, and requires the client to indicate the hostname of the target server in the initial SSL handshake
- The server will then find the correct certificate, or return the default one
- Note:
  - Only works for ALB & NLB (newer generation), CloudFront
  - Does not work for CLB (older gen)

(Diagram: the Client tells the ALB "I would like www.mycorp.com"; the ALB holds certificates for Domain1.example.com and www.mycorp.com, uses the correct one, and forwards to the target group for www.mycorp.com rather than the target group for Domain1.example.com.)
SSL – Man in the Middle Attacks

(Diagram, HTTP: User -> Pirate Server (can intercept packets) -> Good Server)

(Diagram, HTTPS: User -> Pirate Server -> Good Server. The pirate server sends a fake SSL cert to the User and decrypts and re-encrypts packets; if infected, the user may trust the "pirate SSL certificate".)
AWS Certificate Manager (ACM)

- To host public SSL certificates in AWS, you can:
  - Buy your own and upload them using the CLI
  - Have ACM provision and renew public SSL certificates for you (free of cost)
- ACM loads SSL certificates on the following integrations:
  - Load Balancers (including the ones created by EB)
  - CloudFront distributions
  - APIs on API Gateways
- SSL certificates are overall a pain to manually manage, so ACM is great to leverage in your AWS infrastructure!

(Diagram: Public www clients send an HTTPS request to the ELB, which does SSL termination with a certificate that ACM provisions and maintains; the ELB then sends a plain HTTP request over the private AWS network to EC2. Less CPU cost in EC2 thanks to SSL termination at the ELB.)
ACM – Good to know

- Possibility of creating public certificates
  - Must verify public DNS
  - Must be issued by a trusted public certificate authority (CA)
- Possibility of creating private certificates
  - For your internal applications
  - You create your own private CA
  - Your applications must trust your private CA
- Certificate renewal:
  - Automatically done if generated / provisioned by ACM
  - Any manually uploaded certificates must be renewed manually and re-uploaded
- ACM is a regional service
  - To use with a global application (multiple ALB for example), you need to issue an SSL certificate in each region where your application is deployed. You cannot copy certs across regions
CloudHSM

- KMS => AWS manages the software for encryption
- CloudHSM => AWS provisions encryption hardware
- Dedicated Hardware (HSM = Hardware Security Module)
- You manage your own encryption keys entirely (not AWS)
- HSM device is tamper resistant, FIPS 140-2 Level 3 compliance
- Supports both symmetric and asymmetric encryption (SSL/TLS keys)
- No free tier available
- Must use the CloudHSM Client Software
- Redshift supports CloudHSM for database encryption and key management
- Good option to use with SSE-C encryption
CloudHSM Diagram

(Diagram: AWS CloudHSM, where AWS manages the hardware, talks over an SSL connection to the CloudHSM Client, where the user manages the keys.)

- IAM permissions:
  - CRUD an HSM Cluster
- CloudHSM Software:
  - Manage the Keys
  - Manage the Users
CloudHSM – High Availability

- CloudHSM clusters are spread across Multi AZ (HA)
- Great for availability and durability

(Diagram: the CloudHSM Client connects to CloudHSM 1 in Availability Zone 1 and to CloudHSM 2 in Availability Zone 2.)
CloudHSM vs KMS

Feature                    | AWS KMS                                                           | AWS CloudHSM
Tenancy                    | Multi-tenant key storage                                          | Single tenant key storage, dedicated to one customer
Keys                       | Keys owned and managed by AWS                                     | Customer managed keys
Encryption                 | Supports only symmetric encryption                                | Supports both symmetric and asymmetric encryption
Cryptographic Acceleration | None                                                              | SSL/TLS Acceleration; Oracle TDE Acceleration
Key storage and management | Accessible from multiple regions; centralized management from IAM | Deployed and managed from a customer VPC; accessible and can be shared across VPCs using VPC peering
Free Tier Availability     | Yes                                                               | No
S3 Encryption for Objects

- There are 4 methods of encrypting objects in S3
  - SSE-S3: encrypts S3 objects using keys handled & managed by AWS
  - SSE-KMS: leverage AWS Key Management Service to manage encryption keys
  - SSE-C: when you want to manage your own encryption keys
  - Client Side Encryption
- Glacier: all data is AES-256 encrypted, key under AWS control
Encryption in transit (SSL)

- AWS S3 exposes:
  - HTTP endpoint: non encrypted
  - HTTPS endpoint: encryption in flight
- You're free to use the endpoint you want, but HTTPS is recommended
- HTTPS is mandatory for SSE-C
- Encryption in flight is also called SSL / TLS
Events in S3 Buckets

- S3 Access Logs:
  - Detailed records for the requests that are made to a bucket
  - Might take hours to deliver
  - Might be incomplete (best effort)
- S3 Events Notifications:
  - Receive notifications when certain events happen in your bucket
  - E.g.: new objects created, object removal, restore objects, replication events
  - Destinations: SNS, SQS queue, Lambda
  - Typically delivered in seconds but can take minutes; a notification is sent for every object if versioning is enabled, otherwise there is a risk of only one notification for two simultaneous writes to the same object
- Trusted Advisor:
  - Check the bucket permission (is the bucket public?)
- CloudWatch Events:
  - Need to enable CloudTrail object level logging on S3 first
  - Target can be Lambda, SQS, SNS, etc…
S3 Security

- User based
  - IAM policies - which API calls should be allowed for a specific user from IAM console
- Resource Based
  - Bucket Policies - bucket wide rules from the S3 console - allows cross account
  - Object Access Control List (ACL) – finer grain
  - Bucket Access Control List (ACL) – less common
S3 Bucket Policies

- Use S3 bucket policies to:
  - Grant public access to the bucket
  - Force objects to be encrypted at upload
  - Grant access to another account (Cross Account)
- Optional Conditions on:
  - Public IP or Elastic IP (not on Private IP)
  - Source VPC or Source VPC Endpoint – only works with VPC Endpoints
  - CloudFront Origin Identity
  - MFA
- Examples here: https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html
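A bucket policy that uses three of the conditions listed above (force encryption at upload, source VPC endpoint, MFA), together with a small evaluator for just those condition operators, as an added example that is not from the original slides or the linked AWS page. Bucket name, VPC endpoint id and request contexts are placeholders; the evaluator only decides whether an explicit Deny statement matches a request, Allow logic and the other IAM operators are out of scope.

```python
"""Added example: S3 bucket policy conditions and a Deny-statement evaluator."""
import fnmatch


def hardened_bucket_policy(bucket, vpce_id):
    bucket_arn = "arn:aws:s3:::" + bucket
    objects = bucket_arn + "/*"
    return {"Version": "2012-10-17", "Statement": [
        # Force objects to be encrypted at upload (SSE-KMS). The Null
        # statement mirrors the documented two-statement pattern and covers
        # uploads that send no SSE header at all.
        {"Sid": "DenyIncorrectEncryptionHeader", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": objects,
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        {"Sid": "DenyUnencryptedObjectUploads", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": objects,
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
        # Source VPC Endpoint: only requests arriving through the endpoint
        # carry aws:SourceVpce, so everything else is denied.
        {"Sid": "DenyOutsideVpcEndpoint", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [bucket_arn, objects],
         "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}}},
        # MFA: deletes are denied unless the caller authenticated with MFA.
        {"Sid": "DenyDeleteWithoutMFA", "Effect": "Deny", "Principal": "*",
         "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion"], "Resource": objects,
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_holds(operator, key, expected, ctx):
    """Evaluate one condition entry against the request context (a dict of
    condition keys to string values).  Negated and ...IfExists operators are
    treated as matching when the key is absent; positive operators are not."""
    actual = ctx.get(key)
    values = _as_list(expected)
    if operator == "Null":
        return (actual is None) == (values[0] == "true")
    if actual is None:
        return operator.startswith("StringNot") or operator.endswith("IfExists")
    if operator in ("StringEquals", "Bool", "BoolIfExists"):
        return actual in values
    if operator == "StringNotEquals":
        return actual not in values
    raise NotImplementedError(operator)


def matching_deny(policy, action, resource, ctx):
    """Return the Sid of the first Deny statement matching the request, or
    None when no explicit deny applies (an explicit deny always wins)."""
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(st["Resource"])):
            continue
        conds = [(op, k, v) for op, kv in st.get("Condition", {}).items()
                 for k, v in kv.items()]
        if all(_condition_holds(op, k, v, ctx) for op, k, v in conds):
            return st["Sid"]
    return None
```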
S3 pre-signed URLs

- Can generate pre-signed URLs using SDK or CLI
  - For downloads (easy, can use the CLI)
  - For uploads (harder, must use the SDK)
- Valid for a default of 3600 seconds, can change timeout with --expires-in [TIME_BY_SECONDS] argument
- Users given a pre-signed URL inherit the permissions of the person who generated the URL for GET / PUT
- Examples:
  - Allow only logged-in users to download a premium video on your S3 bucket
  - Allow an ever changing list of users to download files by generating URLs dynamically
  - Allow temporarily a user to upload a file to a precise location in our bucket
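What the SDK or CLI does when it pre-signs a GET URL, written out with the standard library (SigV4 query-string signing), plus a check of the expiry window carried in the URL, as an added example that is not from the original slides. Credentials, bucket, key and region are placeholders; the URL embeds only the signer's access key id and a signature over the request, which is why anyone holding it acts with the signer's permissions until X-Amz-Expires runs out.

```python
"""Added example: stdlib SigV4 pre-signing of an S3 GET and its expiry check."""
import datetime
import hashlib
import hmac
import urllib.parse

UNSIGNED = "UNSIGNED-PAYLOAD"      # S3 pre-signed URLs do not sign the body
AMZ_FORMAT = "%Y%m%dT%H%M%SZ"      # X-Amz-Date format, UTC


def _parse_amz(ts):
    return datetime.datetime.strptime(ts, AMZ_FORMAT)


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret, date, region, service="s3"):
    key = _hmac(("AWS4" + secret).encode(), date)
    for part in (region, service, "aws4_request"):
        key = _hmac(key, part)
    return key


def presign_get(bucket, key, region, access_key, secret_key, signed_at, expires_in=3600):
    """Build a pre-signed GET URL valid for expires_in seconds from signed_at
    (an X-Amz-Date string).  3600 is the same default as the CLI; --expires-in
    changes it."""
    _parse_amz(signed_at)                          # validate the timestamp
    host = "%s.s3.%s.amazonaws.com" % (bucket, region)
    date = signed_at[:8]
    scope = "%s/%s/s3/aws4_request" % (date, region)
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": "%s/%s" % (access_key, scope),
        "X-Amz-Date": signed_at,
        "X-Amz-Expires": str(expires_in),
        "X-Amz-SignedHeaders": "host",
    }
    canonical_uri = "/" + urllib.parse.quote(key, safe="/")
    canonical_qs = "&".join(
        "%s=%s" % (urllib.parse.quote(k, safe="-_.~"), urllib.parse.quote(v, safe="-_.~"))
        for k, v in sorted(params.items()))
    canonical_request = "\n".join(
        ["GET", canonical_uri, canonical_qs, "host:%s\n" % host, "host", UNSIGNED])
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", signed_at, scope,
         hashlib.sha256(canonical_request.encode()).hexdigest()])
    signature = hmac.new(_signing_key(secret_key, date, region),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    return "https://%s%s?%s&X-Amz-Signature=%s" % (host, canonical_uri, canonical_qs, signature)


def presigned_url_expiry(url):
    """Return (signed_at, expires_at) decoded from the URL's query string."""
    qs = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    signed_at = _parse_amz(qs["X-Amz-Date"][0])
    return signed_at, signed_at + datetime.timedelta(seconds=int(qs["X-Amz-Expires"][0]))


def is_expired(url, now):
    """True once `now` (an X-Amz-Date string) is past the granted window."""
    return _parse_amz(now) >= presigned_url_expiry(url)[1]
```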
VPC Endpoint Gateway for S3

(Diagram: a Public Instance reaches a public S3 Bucket through the Internet Gateway, and that bucket's policy restricts by aws:SourceIp (public IP). A Private Instance reaches a private S3 Bucket through a VPC Endpoint Gateway (one or a few endpoints), and that bucket's policy restricts by aws:SourceVpce, or by aws:SourceVpc to encompass all possible VPC endpoints.)
S3 Object Lock & Glacier Vault Lock

- S3 Object Lock
  - Adopt a WORM (Write Once Read Many) model
  - Block an object version deletion for a specified amount of time
- Glacier Vault Lock
  - Adopt a WORM (Write Once Read Many) model
  - Lock the policy for future edits (can no longer be changed)
- Helpful for compliance and data retention

(Diagram: a locked object in S3 can't be deleted; a Vault Lock Policy is attached to the Glacier vault.)
Network Security

- Security Groups
  - Attached to ENI (Elastic Network Interfaces) – EC2, RDS, Lambda in VPC, etc
  - Are stateful (any traffic in is allowed to go out, any traffic out can go back in)
  - Can reference by CIDR and security group id
  - Supports security group references for VPC peering
  - Default: inbound denied, outbound all allowed
- NACL (Network ACL):
  - Attached at the subnet level
  - Are stateless (inbound and outbound rules apply for all traffic)
  - Can only reference a CIDR range (no hostname)
  - Default: allow all inbound, allow all outbound
  - New NACL: denies all inbound, denies all outbound
- Host Firewall
  - Software based, highly customizable

(Diagram: VPC -> public subnet -> NACL -> Security Group -> host firewall on the instance.)
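A small model of the two filters this slide contrasts, as an added example that is not from the original slides: the security group is stateful (a reply to a tracked connection passes without a matching rule), the network ACL is stateless (every packet, including the reply, is matched against the numbered rules, lowest number first). Addresses and rule numbers are constructed; the scenario shows why a NACL needs an outbound rule for ephemeral ports while a security group does not, and why only the NACL can deny a specific source IP.

```python
"""Added example: stateful security group vs stateless network ACL."""
import ipaddress
from collections import namedtuple

# direction is "in" (towards the instance) or "out" (leaving the instance)
Packet = namedtuple("Packet", "src src_port dst dst_port proto direction")


def _remote(pkt):
    return ipaddress.ip_address(pkt.src if pkt.direction == "in" else pkt.dst)


class SecurityGroup:
    """Allow rules only, one list per direction, plus connection tracking."""

    def __init__(self, inbound=(), outbound=()):
        self.inbound = list(inbound)    # (proto, (low_port, high_port), cidr)
        self.outbound = list(outbound)
        self._flows = set()             # 5-tuples of connections already allowed

    def _rule_allows(self, rules, pkt):
        return any(proto == pkt.proto and lo <= pkt.dst_port <= hi
                   and _remote(pkt) in ipaddress.ip_network(cidr)
                   for proto, (lo, hi), cidr in rules)

    def allows(self, pkt):
        reverse = (pkt.dst, pkt.dst_port, pkt.src, pkt.src_port, pkt.proto)
        if reverse in self._flows:      # stateful: reply to a tracked flow
            return True
        rules = self.inbound if pkt.direction == "in" else self.outbound
        if self._rule_allows(rules, pkt):
            self._flows.add((pkt.src, pkt.src_port, pkt.dst, pkt.dst_port, pkt.proto))
            return True
        return False                    # no deny rules exist; unmatched = dropped


class NetworkAcl:
    """Numbered allow/deny rules per direction, first match wins, no state."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound)  # (number, proto, (lo, hi), cidr, action)
        self.outbound = sorted(outbound)

    def allows(self, pkt):
        rules = self.inbound if pkt.direction == "in" else self.outbound
        for _number, proto, (lo, hi), cidr, action in rules:
            if (proto == pkt.proto and lo <= pkt.dst_port <= hi
                    and _remote(pkt) in ipaddress.ip_network(cidr)):
                return action == "allow"
        return False                    # the implicit final deny (*) rule


# Web server security group: HTTPS in from anywhere and, deliberately, no
# outbound rule at all, to show the reply still passes thanks to tracking.
WEB_SG_RULES = [("tcp", (443, 443), "0.0.0.0/0")]

# NACL mistake: outbound only allows 443, but replies go to the client's
# ephemeral port, so the return traffic is dropped.  Rule 50 blocks one IP.
NACL_MISSING_EPHEMERAL = NetworkAcl(
    inbound=[(50, "tcp", (443, 443), "198.51.100.7/32", "deny"),
             (100, "tcp", (443, 443), "0.0.0.0/0", "allow")],
    outbound=[(100, "tcp", (443, 443), "0.0.0.0/0", "allow")])

# Corrected NACL: outbound allows the ephemeral port range.
NACL_WITH_EPHEMERAL = NetworkAcl(
    inbound=NACL_MISSING_EPHEMERAL.inbound,
    outbound=[(100, "tcp", (1024, 65535), "0.0.0.0/0", "allow")])


def https_round_trip(nacl, client_ip="203.0.113.10"):
    """Client -> 10.0.1.5:443 request, then the server's reply.  Returns
    (nacl_ok, sg_ok) per leg, using a fresh web-server security group."""
    sg = SecurityGroup(inbound=WEB_SG_RULES)
    req = Packet(client_ip, 51000, "10.0.1.5", 443, "tcp", "in")
    rep = Packet("10.0.1.5", 443, client_ip, 51000, "tcp", "out")
    return {"request": (nacl.allows(req), sg.allows(req)),
            "reply": (nacl.allows(rep), sg.allows(rep))}
```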
What's a DDoS* Attack?

*Distributed Denial-of-Service

(Diagram: an Attacker controls Masters, which control Bots; the Bots flood the Application server, so that for Normal Users the site is not accessible or not responsive.)
Type of Attacks on your infrastructure

- Distributed Denial of Service (DDoS):
  - When your service is unavailable because it's receiving too many requests
  - SYN Flood (Layer 4): send too many TCP connection requests
  - UDP Reflection (Layer 4): get other servers to send many big UDP requests
  - DNS flood attack: overwhelm the DNS so legitimate users can't find the site
  - Slow Loris attack: a lot of HTTP connections are opened and maintained
- Application level attacks:
  - More complex, more specific (HTTP level)
  - Cache bursting strategies: overload the backend database by invalidating cache
DDoS Protection on AWS

- AWS Shield Standard: protects against DDoS attack for your website and applications, for all customers at no additional costs
- AWS Shield Advanced: 24/7 premium DDoS protection
- AWS WAF: Filter specific requests based on rules
- CloudFront and Route 53:
  - Availability protection using global edge network
  - Combined with AWS Shield, provides DDoS attack mitigation at the edge
- Be ready to scale – leverage AWS Auto Scaling
- Separate static resources (S3 / CloudFront) from dynamic ones (EC2 / ALB)
- Read the whitepaper for details: https://d1.awsstatic.com/whitepapers/Security/DDoS_White_Paper.pdf
Sample Reference Architecture

(Diagram taken from https://aws.amazon.com/answers/networking/aws-ddos-attack-mitigation/)
AWS Shield

- AWS Shield Standard:
  - Free service that is activated for every AWS customer
  - Provides protection from attacks such as SYN/UDP Floods, Reflection attacks and other layer 3/layer 4 attacks
- AWS Shield Advanced:
  - Optional DDoS mitigation service ($3,000 per month per organization)
  - Protect against more sophisticated attack on Amazon EC2, Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, and Route 53
  - 24/7 access to AWS DDoS response team (DRP)
  - Protect against higher fees during usage spikes due to DDoS
AWS WAF – Web Application Firewall

- Protects your web applications from common web exploits (Layer 7)
- Deploy on Application Load Balancer (localized rules)
- Deploy on API Gateway (rules running at the regional or edge level)
- Deploy on CloudFront (rules globally on edge locations)
- Used to front other solutions: CLB, EC2 instances, custom origins, S3 websites
- WAF is not for DDoS protection
- Define Web ACL (Web Access Control List):
  - Rules can include: IP addresses, HTTP headers, HTTP body, or URI strings
  - Protects from common attack - SQL injection and Cross-Site Scripting (XSS)
  - Size constraints, Geo match
  - Rate-based rules (to count occurrences of events)
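The counting behind a WAF rate-based rule, run over constructed request log lines, as an added example that is not from the original slides. WAF counts requests per source IP over a trailing 5-minute window and blocks the IP while its count exceeds the rule's limit; the limit, client IPs and log format here are constructed, the window length is WAF's.

```python
"""Added example: per-IP rate-based rule over a trailing 5-minute window."""
from collections import Counter, defaultdict, deque

WINDOW_SECONDS = 300  # WAF rate-based rules evaluate a 5-minute window


class RateBasedRule:
    def __init__(self, limit):
        self.limit = limit
        self._hits = defaultdict(deque)  # ip -> request timestamps in the window

    def observe(self, ip, ts):
        """Record a request at epoch second ts; return the action for it."""
        window = self._hits[ip]
        window.append(ts)
        while window and window[0] <= ts - WINDOW_SECONDS:
            window.popleft()             # drop requests older than 5 minutes
        return "BLOCK" if len(window) > self.limit else "ALLOW"


def parse_line(line):
    """Constructed log format: '<epoch> <client_ip> <method> <uri>'."""
    ts, ip, method, uri = line.split()
    return int(ts), ip, method, uri


# Constructed traffic: one client posts to /login 120 times in four minutes,
# a second client makes five ordinary requests in the same period.
SAMPLE_LOG = (["%d 198.51.100.7 POST /login" % (1600000000 + 2 * i) for i in range(120)]
              + ["%d 203.0.113.10 GET /index.html" % (1600000000 + 50 * i) for i in range(5)])


def evaluate(lines, limit):
    """Replay the log through one rule; returns a Counter of (ip, action)."""
    rule = RateBasedRule(limit)
    decisions = Counter()
    for line in sorted(lines, key=lambda l: int(l.split()[0])):
        ts, ip, _method, _uri = parse_line(line)
        decisions[(ip, rule.observe(ip, ts))] += 1
    return decisions


def slow_steady_client(limit=100, requests=101, spacing=4):
    """Action for the last of `requests` requests sent `spacing` seconds
    apart: the same count spread over more than the window is not blocked,
    because old hits fall out of the trailing window."""
    rule = RateBasedRule(limit)
    return [rule.observe("192.0.2.1", i * spacing) for i in range(requests)][-1]
```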
AWS Firewall Manager

- Manage rules in all accounts of an AWS Organization
- Common set of security rules
  - WAF rules (Application Load Balancer, API Gateways, CloudFront)
  - AWS Shield Advanced (ALB, CLB, Elastic IP, CloudFront)
  - Security Groups for EC2 and ENI resources in VPC
Blocking an IP address

(Diagram: a Client with a public IP reaches an EC2 Instance (Public IP) in a VPC public subnet; the traffic passes the NACL, then the Security Group, and optionally firewall software in the EC2 instance.)
Blocking an IP address – with an ALB

(Diagram: the Client reaches the Application Load Balancer in the public subnet (ALB Security Group), which terminates the connection and forwards to the EC2 Instance (Private IP) in the private subnet (EC2 Security Group); the NACL sits at the subnet level.)
Blocking an IP address – with an NLB

(Diagram: the Client reaches the Network Load Balancer in the public subnet; the NLB has no Security Group and traffic goes through to the EC2 Instance (Private IP), whose EC2 Security Group sees the client's IP; the NACL sits at the subnet level.)
Blocking an IP address – ALB + WAF

(Diagram: the Client reaches the ALB in the public subnet (ALB Security Group), with WAF attached to the ALB for IP address filtering; the ALB forwards to the EC2 Instance (Private IP) in the private subnet (EC2 Security Group); the NACL sits at the subnet level.)
Blocking an IP address – ALB, CloudFront WAF

(Diagram: the Client reaches CloudFront, where WAF does IP address filtering and Geo Restriction applies; CloudFront's public IPs then reach the public ALB (ALB Security Group) and the EC2 Instance (Private IP, EC2 Security Group). The NACL is not helpful here, since the traffic it sees comes from CloudFront's public IPs.)
AWS Inspector

- Only for EC2 instances (started from an AMI)
- Analyze the running OS against known vulnerabilities
- Analyze against unintended network accessibility
- AWS Inspector Agent must be installed on OS in EC2 instances
- Define template (rules package, duration, attributes, SNS topics)
- No own custom rules possible – only use AWS managed rules
- After the assessment, you get a report with a list of vulnerabilities
AWS Config

- Helps with auditing and recording compliance of your AWS resources
- Helps record configurations and changes over time
- AWS Config Rules does not prevent actions from happening (no deny)
- Questions that can be solved by AWS Config:
  - Is there unrestricted SSH access to my security groups?
  - Do my buckets have any public access?
  - How has my ALB configuration changed over time?
- You can receive alerts (SNS notifications) for any changes
- AWS Config is a per-region service
- Can be aggregated across regions and accounts
AWS Config Resource

- View compliance of a resource over time
- View configuration of a resource over time
- View CloudTrail API calls if enabled
AWS Config Rules

- Can use AWS managed config rules (over 75)
- Can make custom config rules (must be defined in AWS Lambda)
  - Evaluate if each EBS disk is of type gp2
  - Evaluate if each EC2 instance is t2.micro
- Rules can be evaluated / triggered:
  - For each config change
  - And / or: at regular time intervals
  - Can trigger CloudWatch Events if the rule is non-compliant (and chain with Lambda)
- Rules can have auto remediations:
  - If a resource is not compliant, you can trigger an auto remediation
  - Define the remediation through SSM Automations
  - Ex: remediate security group rules, stop instances with non-approved tags
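The evaluation logic of two custom Config rules, "every EBS volume is gp2" from this slide and "no security group allows unrestricted SSH" from the AWS Config slide, as an added example that is not from the original slides. It runs over constructed configuration items shaped like the ones Config passes to a rule's Lambda function (resource ids and timestamps are placeholders); a deployed rule would send these results with PutEvaluations, here evaluate() just returns them so the check runs offline.

```python
"""Added example: custom AWS Config rule evaluations over configuration items."""


def evaluate_ebs_volume(item):
    """Custom rule: the volume type must be gp2."""
    return "COMPLIANT" if item["configuration"].get("volumeType") == "gp2" else "NON_COMPLIANT"


def _cidrs(perm):
    """Collect IPv4/IPv6 ranges from a permission entry; both the plain-string
    and the {"cidrIp": ...} / {"cidrIpv6": ...} forms are accepted."""
    out = []
    for field in ("ipRanges", "ipv4Ranges", "ipv6Ranges"):
        for r in perm.get(field, []):
            out.append(r if isinstance(r, str) else r.get("cidrIp") or r.get("cidrIpv6"))
    return out


def evaluate_security_group(item):
    """Custom rule: no inbound rule may allow port 22 from 0.0.0.0/0 or ::/0."""
    for perm in item["configuration"].get("ipPermissions", []):
        if perm.get("ipProtocol") == "-1":                   # all traffic
            covers_ssh = True
        elif perm.get("ipProtocol") == "tcp":
            covers_ssh = perm.get("fromPort", 0) <= 22 <= perm.get("toPort", 65535)
        else:
            covers_ssh = False
        if covers_ssh and any(c in ("0.0.0.0/0", "::/0") for c in _cidrs(perm)):
            return "NON_COMPLIANT"
    return "COMPLIANT"


EVALUATORS = {"AWS::EC2::Volume": evaluate_ebs_volume,
              "AWS::EC2::SecurityGroup": evaluate_security_group}


def evaluate(item):
    """Return the evaluation record Config expects for one configuration item."""
    rule = EVALUATORS.get(item["resourceType"])
    return {"ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": rule(item) if rule else "NOT_APPLICABLE",
            "OrderingTimestamp": item["configurationItemCaptureTime"]}


# Constructed configuration items.
SAMPLE_ITEMS = [
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0aaa",
     "configurationItemCaptureTime": "2021-01-01T00:00:00Z",
     "configuration": {"volumeType": "gp2", "size": 8}},
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0bbb",
     "configurationItemCaptureTime": "2021-01-01T00:00:00Z",
     "configuration": {"volumeType": "io1", "size": 100}},
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0ccc",
     "configurationItemCaptureTime": "2021-01-01T00:00:00Z",
     "configuration": {"ipPermissions": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": ["0.0.0.0/0"]}]}},
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0ddd",
     "configurationItemCaptureTime": "2021-01-01T00:00:00Z",
     "configuration": {"ipPermissions": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipv4Ranges": [{"cidrIp": "10.0.0.0/8"}]},
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
          "ipRanges": ["0.0.0.0/0"]}]}},
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0eee",
     "configurationItemCaptureTime": "2021-01-01T00:00:00Z",
     "configuration": {"ipPermissions": [
         {"ipProtocol": "-1", "ipv6Ranges": [{"cidrIpv6": "::/0"}]}]}},
    {"resourceType": "AWS::S3::Bucket", "resourceId": "example-bucket",
     "configurationItemCaptureTime": "2021-01-01T00:00:00Z",
     "configuration": {}},
]


def compliance_summary(items):
    """Map resource id -> compliance type for a batch of items."""
    return {e["ComplianceResourceId"]: e["ComplianceType"] for e in map(evaluate, items)}
```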
AWS Managed Logs

- Load Balancer Access Logs (ALB, NLB, CLB) => to S3
  - Access logs for your Load Balancers
- CloudTrail Logs => to S3 and CloudWatch Logs
  - Logs for API calls made within your account
- VPC Flow Logs => to S3 and CloudWatch Logs
  - Information about IP traffic going to and from network interfaces in your VPC
- Route 53 Access Logs => to CloudWatch Logs
  - Log information about the queries that Route 53 receives
- S3 Access Logs => to S3
  - Server access logging provides detailed records for the requests that are made to a bucket
- CloudFront Access Logs => to S3
  - Detailed information about every user request that CloudFront receives
- AWS Config => to S3
GuardDuty

- Intelligent Threat discovery to Protect AWS Account
- Uses Machine Learning algorithms, anomaly detection, 3rd party data
- One click to enable (30 days trial), no need to install software
- Input data includes:
  - CloudTrail Logs: unusual API calls, unauthorized deployments
  - VPC Flow Logs: unusual internal traffic, unusual IP address
  - DNS Logs: compromised EC2 instances sending encoded data within DNS queries
- Can setup CloudWatch Event rules to be notified in case of findings
- CloudWatch Events rules can target AWS Lambda or SNS
GuardDuty

(Diagram: VPC Flow Logs, CloudTrail Logs and DNS Logs (AWS DNS) feed GuardDuty; findings go to CloudWatch Events, which targets Lambda or SNS.)
Section 6
Solution Architecture on AWS

(Diagram of the layers:)
- DNS Layer: Route 53
- CDN Layer: CloudFront
- Web Layer: CLB, ALB, NLB, API Gateway, Elastic IP
- Compute Layer: EC2, ASG, Lambda, ECS, Fargate, Batch, EMR
- Caching & Session Layer: ElastiCache, DAX, DynamoDB, RDS
- Database Layer: RDS, Aurora, DynamoDB, ElasticSearch, S3, Redshift
- Decoupling Orchestration Layer: SQS, SNS, Kinesis, Amazon MQ, Step Functions
- Storage Layer: EBS, EFS, Instance Store
- Static Assets Layer (storage): S3, Glacier
EC2 Instance Types – Main ones

- R: applications that need a lot of RAM – in-memory caches
- C: applications that need good CPU – compute / databases
- M: applications that are balanced (think "medium") – general / web app
- I: applications that need good local I/O (instance storage) – databases
- G: applications that need a GPU – video rendering / machine learning
- T2 / T3: burstable instances (up to a capacity)
- T2 / T3 - unlimited: unlimited burst
- Real-world tip: use https://www.ec2instances.info
EC2 - Placement Groups

- Control the EC2 Instance placement strategy using placement groups
- Group Strategies:
  - Cluster — clusters instances into a low-latency group in a single Availability Zone
  - Spread — spreads instances across underlying hardware (max 7 instances per group per AZ) – critical applications
  - Partition — spreads instances across many different partitions (which rely on different sets of racks) within an AZ. Scales to 100s of EC2 instances per group (Hadoop, Cassandra, Kafka)
- You can move an instance into or out of a placement group
  - You first need to stop it
  - You then need to use the CLI (modify-instance-placement)
  - You can then start your instance
EC2 Instance Launch Types

- On Demand Instances: short workload, predictable pricing, reliable
- Spot Instances: short workloads, for cheap, can lose instances (not reliable)
- Reserved Instances: (MINIMUM 1 year) long workloads
  - Convertible Reserved Instances: long workloads with flexible instances
  - Scheduled Reserved Instances: example – every Thursday between 3 and 6 pm
- Dedicated Instances: no other customers will share your hardware
- Dedicated Hosts: book an entire physical server, control instance placement
  - Great for software licenses that operate at the core, or CPU socket level
  - Can define host affinity so that instance reboots are kept on the same host
EC2 included metrics

- CPU: CPU Utilization + Credit Usage / Balance
- Network: Network In / Out
- Status Check:
  - Instance status = check the EC2 VM
  - System status = check the underlying hardware
- Disk: Read / Write for Ops / Bytes (only for instance store)
- RAM is NOT included in the AWS EC2 metrics
EC2 Instance Recovery

- Status Check:
  - Instance status = check the EC2 VM
  - System status = check the underlying hardware

(Diagram: a CloudWatch Alarm on StatusCheckFailed_System monitors the EC2 Instance; when it alerts, it triggers EC2 Instance Recovery and notifies an SNS Topic.)

- Recovery: Same Private, Public, Elastic IP, metadata, placement group
Auto Scaling – Scaling Policies

- Simple / Step Scaling: increase or decrease instances based on two CW alarms
- Target Tracking: select a metric and a target value, ASG will smartly adjust
  - Keep average CPU at 40%
  - Keep request count per target at 1000
- To scale based on RAM, you must use a Custom CloudWatch Metric
Auto Scaling – Good to know

- Spot Fleet support (mix of Spot and On-Demand instances)
- To upgrade an AMI, must update the launch configuration / template
  - You must terminate instances manually
  - CloudFormation can help with that step (we'll see it later)
- Scheduled scaling actions:
  - Modify the ASG settings (min / max / desired) at pre-defined time
  - Helpful when patterns are known in advance
- Lifecycle Hooks:
  - Perform actions before an instance is in service, or before it is terminated
  - Examples: cleanup, log extraction, special health checks
Auto Scaling – Scaling Processes

- Launch: Add a new EC2 to the group, increasing the capacity
- Terminate: Removes an EC2 instance from the group, decreasing its capacity.
- HealthCheck: Checks the health of the instances
- ReplaceUnhealthy: Terminate unhealthy instances and re-create them
- AZRebalance: Balances the number of EC2 instances across AZ
- AlarmNotification: Accept notification from CloudWatch
- ScheduledActions: Performs scheduled actions that you create.
- AddToLoadBalancer: Adds instances to the load balancer or target group
- We can suspend these processes!
Auto Scaling – Health Checks

- Health checks available:
  - EC2 Status Checks
  - ELB Health Checks (HTTP)
- ASG will launch a new instance after terminating an unhealthy one
- Make sure the health check is simple and checks the correct thing

(Diagram: GOOD HEALTH CHECK – the ASG / Target Group checks /health-server on the EC2 instance. BAD HEALTH CHECK – the ASG / Target Group checks /number-customers, which makes the EC2 instance do a DB call to the DB.)
Auto
Auto Scaling
Scaling – Upd
Updati
ating
ng an appli
applicati
cation
on &
(
'
)
#
&
(
*
G<A.2- +
#
(
"
!
,
)
-
.
/
0
?M* 1
2
.
3
1
1
18"( A)+39/@ 76(8#
.
4
5
6
6
6
7
8
1
-
1
9
7F, U)&34)9$& :
;
:
H4?)9O V$5X;43$ <
:
=
7
9
>
;
! #$%&'()% *((+%,
Auto Scaling – Solution Architecture

(diagram of two update strategies: on the left, one ALB and one Auto Scaling Group whose EC2 Instances come from Launch Template v1 and Launch Template v2 behind the same target group; on the right, an ALB that splits traffic between target groups, with Auto Scaling Group 1 (Launch Template v1) and Auto Scaling Group 2 (Launch Template v2))

Auto Scaling – Solution Architecture

(diagram: the Client sends a DNS Query to Route 53, which answers with a weighted record; traffic is split between ALB 1 -> Auto Scaling Group 1 (EC2 Instances from Launch Template v1) and ALB 2 -> Auto Scaling Group 2 (EC2 Instances from Launch Template v2), which can be used for testing the new version)

EC2 Spot Instances

• Can get a discount of up to 90% compared to On-demand
• Define max spot price and get the instance while current spot price < max
  • The hourly spot price varies based on offer and capacity
  • If the current spot price > your max price you can choose to stop or terminate your instance with a 2 minutes grace period.
• Other strategy: Spot Block
  • “block” spot instance during a specified time frame (1 to 6 hours) without interruptions
  • In rare situations, the instance may be reclaimed
• Used for batch jobs, data analysis, or workloads that are resilient to failures.
• Not great for critical jobs or databases

EC2 Spot Instances

(diagram: spot price history chart over time, with the user-defined max price drawn as a horizontal line; the source link is unreadable in this copy)

Spot Fleets

• Collection (Fleet) of Spot Instances and optionally on-demand instances
• Set a maximum price you’re willing to pay per Spot Instance or for all of them
• Can have a mix of instance types (M5.large, M5.xlarge, C5.2xlarge, etc..)
• Supports: EC2 standalone, Auto Scaling Groups (launch template), ECS (underlying ASG), AWS Batch (Managed Compute Environment)
• Soft limits:
  • Target capacity per Spot Fleet or EC2 fleet: 10,000
  • Target capacity across all Spot Fleet and EC2 Fleet in a region: 100,000

AWS ECS – Elastic Container Service

• ECS is a container orchestration service
• ECS helps you run Docker containers on EC2 machines
• ECS is complicated, and made of:
  • “ECS Core”: Running ECS on user-provisioned EC2 instances
  • Fargate: Running ECS tasks on AWS-provisioned compute (serverless)
  • EKS: Running ECS on AWS-powered Kubernetes (running on EC2)
  • ECR: Docker Container Registry hosted by AWS
• ECS & Docker are very popular for microservices

What’s Docker?

• Docker is a “container technology”
• Run a containerized application on any machine with Docker installed
• Containers allow our application to work the same way anywhere
• Containers are isolated from each other
• Control how much memory / CPU is allocated to your container
• Ability to restrict network rules
• More efficient than Virtual machines
• Scale containers up and down very quickly (seconds)

AWS ECS – Use cases

• Run microservices
  • Ability to run multiple docker containers on the same machine
  • Easy service discovery features to enhance communication
  • Direct integration with Application Load Balancers
  • Auto scaling capability
• Run batch processing / scheduled tasks
  • Schedule ECS containers to run on On-demand / Reserved / Spot instances
• Migrate applications to the cloud
  • Dockerize legacy applications running on premise
  • Move Docker containers to run on ECS

AWS ECS – Concepts

• ECS cluster: set of EC2 instances
• ECS service: applications definitions running on ECS cluster
• ECS tasks + definition: containers running to create the application
• ECS IAM roles: roles assigned to tasks to interact with AWS

(diagram: an ECS Cluster of EC2 instances; an ECS service and another ECS service each run several Task containers spread over the instances)

AWS ECS – ALB integration

• Application Load Balancer (ALB) has a direct integration feature with ECS called “port mapping”
• This allows you to run multiple instances of the same application on the same EC2 machine
• Use cases:
  • Increased resiliency even if running on one EC2 instance
  • Maximize utilization of CPU / cores
  • Ability to perform rolling upgrades without impacting application uptime

(diagram: dynamic port mapping, with the Application Load Balancer forwarding to several Node.js containers listening on different ports of a single EC2 Instance)

Fargate

• When launching an ECS Cluster, we have to create our EC2 instances
• If we need to scale, we need to add EC2 instances
• So we manage infrastructure…
• With Fargate, it’s all Serverless!
  • We don’t provision EC2 instances
  • We just create task definitions, and AWS will run our containers for us
  • To scale, just increase the task number. Simple! No more EC2 !

ECS – Security & Networking

• IAM security
  • EC2 Instance Role must have basic ECS permissions
  • ECS Task level should have an IAM Task Role (maximum security)
• Secrets and Configuration injection into parameters, environment variables: Integration with SSM Parameter Store & Secrets Manager
• Tasks networking:
  • none: no network connectivity, no port mappings
  • bridge: uses Docker’s virtual container-based network
  • host: bypass Docker’s network, uses the underlying host network interface
  • awsvpc:
    • Every task launched on the instance gets its own ENI and a private IP address
    • Simplified networking, enhanced security, security groups, monitoring, VPC flow logs
    • Default mode for Fargate

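To make the IAM Task Role, awsvpc and secrets-injection points above checkable, here is an added example (not course material) that lints a task definition: WEAK_TASK_DEF and HARDENED_TASK_DEF are constructed, the ARNs in them are placeholders, and SECRET_HINTS is a hypothetical list of environment-variable names treated as secrets.

```python
"""Lint an ECS task definition for the settings the slide calls out.

Added example, not course code. It flags a task definition that has no task
role (containers then fall back to the EC2 instance role), that is not using
awsvpc networking, or that passes secrets as plain environment variables
instead of `secrets` entries referencing SSM Parameter Store / Secrets Manager.
"""

# Constructed task definitions; account id and ARNs are placeholders.
WEAK_TASK_DEF = {
    "family": "orders",
    "networkMode": "bridge",
    "containerDefinitions": [
        {
            "name": "api",
            "image": "example/orders:1.0",
            "environment": [
                {"name": "DB_HOST", "value": "db.internal"},
                {"name": "DB_PASSWORD", "value": "hunter2"},  # secret in the clear
            ],
        }
    ],
}

HARDENED_TASK_DEF = {
    "family": "orders",
    "networkMode": "awsvpc",
    "taskRoleArn": "arn:aws:iam::123456789012:role/orders-task-role",  # placeholder
    "containerDefinitions": [
        {
            "name": "api",
            "image": "example/orders:1.0",
            "environment": [{"name": "DB_HOST", "value": "db.internal"}],
            "secrets": [
                {
                    "name": "DB_PASSWORD",
                    # placeholder SSM parameter ARN; the value is injected at task start
                    "valueFrom": "arn:aws:ssm:us-east-1:123456789012:parameter/orders/db_password",
                }
            ],
        }
    ],
}

# Hypothetical list of substrings that mark an environment variable as a secret.
SECRET_HINTS = ("PASSWORD", "SECRET", "TOKEN", "API_KEY", "PRIVATE_KEY")


def lint_task_definition(td):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if not td.get("taskRoleArn"):
        findings.append("no taskRoleArn: containers fall back to the EC2 instance role")
    mode = td.get("networkMode", "bridge")  # bridge is the default for the EC2 launch type
    if mode != "awsvpc":
        findings.append(f"networkMode={mode}: no per-task ENI or security group")
    for container in td.get("containerDefinitions", []):
        cname = container.get("name", "?")
        for env in container.get("environment", []):
            name = env.get("name", "")
            if any(hint in name.upper() for hint in SECRET_HINTS):
                findings.append(
                    f"{cname}: {name} is a plain environment variable; use secrets/valueFrom"
                )
        for secret in container.get("secrets", []):
            value_from = secret.get("valueFrom", "")
            if not value_from.startswith(("arn:aws:ssm:", "arn:aws:secretsmanager:")):
                findings.append(
                    f"{cname}: secret {secret.get('name')} does not reference SSM or Secrets Manager"
                )
    return findings
```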
ECS – Service Auto Scaling

• CPU and RAM is tracked in CloudWatch at the ECS service level
• Target Tracking: target a specific average CloudWatch metric
• Step Scaling: scale based on CloudWatch alarms
• Scheduled Scaling: based on predictable changes
• ECS Service Scaling (task level) vs EC2 Auto Scaling (instance level)
• Fargate Auto Scaling is much easier to set up (because serverless)

ECS – Spot Instances

• ECS Classic:
  • Can have the underlying EC2 instances as Spot Instances (managed by an ASG)
  • Instances may go into draining mode to remove running tasks
  • Good for cost savings, but will impact reliability
• Fargate: Spot Instances are available as of Dec 2019:
  • Specify minimum of tasks for on-demand baseline workload
  • Add tasks running on Fargate Spot for cost-savings (can be reclaimed by AWS)
  • Regardless of On-demand or Spot, Fargate scales well based on load

Example: Serverless Thumbnail creation

(diagram: a New image in S3 triggers an AWS Lambda function that creates the thumbnail and writes a New thumbnail in S3; the Metadata (Image name, Image size, Creation date, etc.) is stored in DynamoDB)

Example: Serverless CRON Job

(diagram: a CloudWatch Events rule triggers every 1 hour -> AWS Lambda Function -> perform a task)

AWS Lambda Language Support (runtimes)

• AWS supported: Node.js (JavaScript), Python, Ruby, Java (Java 8 compatible), Golang, C# (.NET Core), C# / Powershell
• Ability to write / use a custom runtime (community supported):
  • Ex: C++, Rust, etc…
• If Docker, you should use ECS, Fargate or Batch, not Lambda

Lambda – Limits to know

• RAM: 128 MB to 3G
• CPU:
  • is linked to RAM (cannot be set manually)
  • 2 vCPU are allocated after 1.5G of RAM
• Timeout: up to 15 minutes
• /tmp storage: 512 MB (can’t process BIG files)
• Deployment package limit: 250 MB including layers
• Concurrency execution: 1000 – soft limit that can be increased

Lambda – Latencies Considerations (approximates)

• Lambda Latency:
  • Cold Lambda Invocation: ~100ms
  • Warm Lambda Invocation: ~ms
  • New feature of “provisioned concurrency” (Dec 2019) to reduce # of cold starts
• API Gateway invocation: 100 ms
• CloudFront invocation: 100 ms
• If you chain with other services (API Gateway, ALB, CloudFront, SQS, Lambda, Step Functions…), add their latencies as well
• X-Ray can help visualize the end-to-end latency

(diagram: API Gateway -> Lambda, and CloudFront -> ELB, each hop adding its own latency)

Lambda - Security

• IAM Roles for Lambda to grant access to other AWS services
• Resource-based Policies for Lambda (similar to S3 bucket policies):
  • Allow other accounts to invoke or manage Lambda
  • Allow other services to invoke or manage Lambda

(diagram: a Lambda function with an IAM role granting it write access to another AWS service, and a resource-based policy attached to the function itself)

Lambda in a VPC

(diagram: a default Lambda deployment reaches the External API and DynamoDB over the public Internet; a Lambda in VPC, placed in a private subnet and assigned a security group, reaches the private RDS but needs a NAT Gateway (public subnet) or a VPC endpoint (DynamoDB endpoint) to reach www / DynamoDB, otherwise it is not working)

• Note: Lambda + CloudWatch Logs works even without endpoint or NAT Gateway

AWS Lambda Logging, Monitoring and Tracing

• CloudWatch:
  • AWS Lambda execution logs are stored in AWS CloudWatch Logs
  • AWS Lambda metrics are displayed in AWS CloudWatch Metrics (successful invocations, error rates, latency, timeouts, etc…)
  • Make sure your AWS Lambda function has an execution role with an IAM policy that authorizes writes to CloudWatch Logs
• X-Ray:
  • It’s possible to trace Lambda with X-Ray
  • Enable in Lambda configuration (runs the X-Ray daemon for you)
  • Use AWS SDK in Code
  • Ensure Lambda Function has correct IAM Execution Role

Lambda – Synchronous Invocations

• Synchronous: CLI, SDK, API Gateway
  • Result is returned right away
  • Error handling must happen client side (retries, exponential backoff, etc…)

(diagram: the SDK invokes Lambda, which does something and returns the Response; a Client invokes a proxy (API Gateway), which invokes Lambda and relays the Response back to the Client)

Lambda – Asynchronous Invocation

• S3, SNS, CloudWatch Events…
• Lambda attempts to retry on errors (3 tries total)
• Make sure the processing is idempotent (in case of retries)
• Can define a DLQ (dead-letter queue) SNS or SQS for failed processing

(diagram: a New file event in S3 causes an async invocation of Lambda with retries; a DLQ (SQS / SNS) receives the event after failed processing)

Lambda – Event Source Mapping

• Kinesis Data Streams, SQS, SQS FIFO queue, DynamoDB Streams
• Common denominator: records need to be polled from the source
• All records respect ordering properties except for SQS standard
• If your function returns an error, the entire batch is reprocessed until success
  • Kinesis, DynamoDB Stream: stop shard processing
  • SQS FIFO: stop, unless a SQS DLQ has been defined
• Need to make sure your Lambda function is idempotent

(diagram: Kinesis <- POLL / RETURN BATCH <- Lambda Event Source Mapping (internal) -> INVOKE WITH EVENT BATCH -> Lambda Function)

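For the retry and idempotency points on this slide and on the asynchronous invocation slide above, an added example (not from the course) of a handler that survives a full batch redelivery: the Kinesis-style BATCH, the FlakyDownstream dependency and the in-memory `seen` set standing in for a DynamoDB table are all constructed.

```python
"""Idempotent processing of an event source mapping batch.

Added example, not course code. When the handler raises, the event source
mapping redelivers the whole batch, so records that already succeeded must be
recognised and skipped, otherwise their side effects happen twice.
"""
import hashlib
import json

# Constructed Kinesis-style batch of three order records.
BATCH = {"Records": [
    {"eventID": "shardId-000:1", "kinesis": {"data": json.dumps({"order": 1, "amount": 10})}},
    {"eventID": "shardId-000:2", "kinesis": {"data": json.dumps({"order": 2, "amount": 25})}},
    {"eventID": "shardId-000:3", "kinesis": {"data": json.dumps({"order": 3, "amount": 5})}},
]}


class FlakyDownstream:
    """Constructed stand-in for a dependency that fails once, on order 3."""

    def __init__(self):
        self.failed_once = False
        self.total = 0  # sum of amounts actually posted; doubles if replays are not deduplicated

    def post(self, payload):
        if payload["order"] == 3 and not self.failed_once:
            self.failed_once = True
            raise ConnectionError("transient failure")
        self.total += payload["amount"]


def idempotency_key(record):
    # The Kinesis eventID is unique per record, so it is a safe dedup key
    return hashlib.sha256(record["eventID"].encode()).hexdigest()


def handler(event, seen, downstream):
    """Process one batch. `seen` holds keys of completed records (a DynamoDB
    table with a conditional write in production). Any exception propagates,
    which makes the event source mapping retry the entire batch."""
    processed, skipped = [], []
    for rec in event["Records"]:
        key = idempotency_key(rec)
        if key in seen:
            skipped.append(rec["eventID"])
            continue
        payload = json.loads(rec["kinesis"]["data"])
        downstream.post(payload)  # may raise: the batch will come back
        seen.add(key)             # mark only after the side effect succeeded
        processed.append(rec["eventID"])
    return processed, skipped


def run_with_retries(max_attempts=3):
    """Invoke the handler the way the mapping would: retry until success."""
    seen, downstream, attempts = set(), FlakyDownstream(), []
    for _ in range(max_attempts):
        try:
            attempts.append(handler(BATCH, seen, downstream))
            break
        except ConnectionError as exc:
            attempts.append(f"error: {exc}")
    return attempts, downstream.total
```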
Lambda – Destinations

• Nov 2019: Can configure to send result to a destination
• Asynchronous invocations - can define destinations for successful and failed event:
  • Amazon SQS
  • Amazon SNS
  • AWS Lambda
  • Amazon EventBridge bus
• Note: AWS recommends you use destinations instead of DLQ now (but both can be used at the same time)
• Event Source mapping: for discarded event batches
  • Amazon SQS
  • Amazon SNS
• Note: you can send events to a DLQ directly from SQS

AWS Lambda Versions

• When you work on a Lambda function, we work on $LATEST
• When we’re ready to publish a Lambda function, we create a version
• Versions are immutable
• Versions have increasing version numbers
• Versions get their own ARN (Amazon Resource Name)
• Version = code + configuration (nothing can be changed - immutable)
• Each version of the lambda function can be accessed

(diagram: $LATEST (mutable) next to published versions V1 and V2 (immutable))

AWS Lambda Aliases

• Aliases are ”pointers” to Lambda function versions
• We can define a “dev”, ”test”, “prod” aliases and have them point at different lambda versions
• Aliases are mutable
• Aliases enable Blue / Green deployment by assigning weights to lambda functions
• Aliases enable stable configuration of our event triggers / destinations
• Aliases have their own ARNs

(diagram: Users call the DEV Alias (mutable) -> $LATEST, the TEST Alias (mutable) -> V2, and the PROD Alias (mutable) -> 95% V1 / 5% V2)

AWS Lambda Aliases with API Gateway

(diagram: API Gateway stages point at Lambda aliases: Prod Stage -> PROD Alias (95% V1, 5% V2), Test Stage -> TEST Alias (100% V2), Dev Stage -> DEV Alias (100% $LATEST); Lambda alias changes require no API Gateway changes)

Lambda & CodeDeploy

• CodeDeploy can help you automate traffic shift for Lambda aliases
• Feature is integrated within the SAM framework
• Linear: grow traffic every N minutes until 100%
  • Linear10PercentEvery3Minutes
  • Linear10PercentEvery10Minutes
• Canary: try X percent then 100%
  • Canary10Percent5Minutes
  • Canary10Percent30Minutes
• AllAtOnce: immediate
• Can create Pre & Post Traffic hooks to check the health of the Lambda function

(diagram: CodeDeploy makes X vary over time until X = 100%; the PROD Alias sends 100 - X% to V1 and X% to V2)

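As an added example (not course code), the deployment configuration names above turned into an explicit shift schedule, plus the weighted alias routing that CodeDeploy rewrites at each step; traffic_schedule and alias_routing_config are hypothetical helpers, and the alias shape follows the Lambda alias RoutingConfig / AdditionalVersionWeights fields.

```python
"""Traffic-shift schedules for CodeDeploy Lambda deployment configurations.

Added example, not course code. The schedule lists (minute, percent of traffic
on the new version); the first increment is modelled at deployment start.
"""
import re

_CONFIG_RE = re.compile(r"(Linear|Canary)(\d+)Percent(?:Every)?(\d+)Minutes?")


def traffic_schedule(strategy):
    """Return [(minute, percent_on_new_version), ...] for a configuration name."""
    if strategy == "AllAtOnce":
        return [(0, 100)]
    m = _CONFIG_RE.fullmatch(strategy)
    if not m:
        raise ValueError(f"unknown deployment configuration: {strategy}")
    kind, step, interval = m.group(1), int(m.group(2)), int(m.group(3))
    if kind == "Canary":
        # X percent first, the rest after the wait
        return [(0, step), (interval, 100)]
    # Linear: add `step` percent every `interval` minutes until 100%
    schedule, pct, minute = [], 0, 0
    while pct < 100:
        pct = min(pct + step, 100)
        schedule.append((minute, pct))
        minute += interval
    return schedule


def alias_routing_config(version_old, version_new, percent_new):
    """Weighted alias as Lambda expresses it: the alias points at the old version
    and AdditionalVersionWeights carries the new version's share (0.0 - 1.0)."""
    if not 0 <= percent_new <= 100:
        raise ValueError("percent must be within 0..100")
    if percent_new == 100:
        # shift complete: repoint the alias and drop the extra weight
        return {"FunctionVersion": version_new, "RoutingConfig": {}}
    return {
        "FunctionVersion": version_old,
        "RoutingConfig": {"AdditionalVersionWeights": {version_new: percent_new / 100}},
    }


def rollout_steps(strategy, version_old, version_new):
    """Alias configuration CodeDeploy would apply at each point of the schedule."""
    return [(minute, alias_routing_config(version_old, version_new, pct))
            for minute, pct in traffic_schedule(strategy)]
```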
Types of load balancer on AWS

• AWS has 3 kinds of managed Load Balancers
  • Classic Load Balancer (v1 - old generation) – 2009
    • HTTP, HTTPS, TCP
  • Application Load Balancer (v2 - new generation) – 2016
    • HTTP, HTTPS, WebSocket
  • Network Load Balancer (v2 - new generation) – 2017
    • TCP, TLS (secure TCP) & UDP
• Overall, it is recommended to use the newer / v2 generation load balancers as they provide more features
• You can setup internal (private) or external (public) ELBs

Classic Load Balancers (v1)

• Health Checks can be HTTP (L7) or TCP (L4) based
• Supports only one SSL certificate
  • The SSL certificate can have many SAN (Subject Alternate Name), but the SSL certificate must be changed anytime a SAN is added / edited / removed
  • Better to use ALB with SNI (Server Name Indication) if possible
  • Can use multiple CLB if you want distinct SSL certificates
• TCP => TCP passes all the traffic to the EC2 instance
  • Only way to use 2-way SSL authentication

Application Load Balancer (v2)

• Application load balancers (v2) are Layer 7 (HTTP)
• Load balancing to multiple HTTP applications across machines (target groups)
• Load balancing to multiple applications on the same machine (ex: containers)
• Support for HTTP/2 and WebSocket
• Support redirects (from HTTP to HTTPS for example)

Application Load Balancer (v2)

• Routing tables to different target groups:
  • Routing based on path in URL (example.com/users & example.com/posts)
  • Routing based on hostname in URL (one.example.com & other.example.com)
  • Routing based on Query String, Headers (example.com/users?id=123&order=false)
• ALB are a great fit for micro services & container-based application (example: Docker & Amazon ECS)
• Has a port mapping feature to redirect to a dynamic port in ECS
• In comparison, we’d need multiple Classic Load Balancer per application

Application Load Balancer (v2)

• Target Groups:
  • EC2 instances (can be managed by an ASG) – HTTP
  • ECS tasks (managed by ECS itself) – HTTP
  • Lambda functions – HTTP request is translated into a JSON event
  • IP Addresses – must be private IPs (ex: instances in peered VPC, on-premise)
• ALB can route to multiple target groups
• Health checks are at the target group level
• SSL certificates:
  • Supports multiple listeners
  • Supports SNI - Server Name Indication

Network Load Balancer (v2)

• Network load balancers (Layer 4) allow to do:
  • Forward TCP traffic to your instances (UDP support – Jun 2019)
  • Handle millions of requests per second
  • NLB has one static IP per AZ, and supports assigning Elastic IP (helpful for whitelisting specific IP)
  • Less latency ~100 ms (vs 400 ms for ALB)
  • Support for TLS
  • Support for WebSockets
• Network Load Balancers are mostly used:
  • for extreme performance, TCP or UDP traffic
  • with AWS Private Link to expose a service internally

Network Load Balancer (v2)

• Target Groups:
  • EC2 instances (can be managed by an ASG) – TCP
  • ECS tasks (managed by ECS itself) – TCP
  • IP addresses – Private IP only, even outside your VPC
• Proxy Protocol:
  • Send additional connection information such as the source and destination
  • The load balancer prepends a proxy protocol header to the TCP data
  • Helpful when you have the “IP addresses” target group type
  • You can retrieve the source IP address of the originating client

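Added example, not course material: a parser for the Proxy Protocol header that recovers the original client address from the prepended line before an allow-list check. The Classic Load Balancer sends the text v1 form parsed here; NLB sends the binary v2 form, which carries the same fields. The sample header and the allow-list are constructed.

```python
"""Parse a PROXY protocol v1 header and apply a client allow-list.

Added example, not course code. The header is a single ASCII line ending in
CRLF that the load balancer prepends to the TCP payload, e.g.
    PROXY TCP4 <src ip> <dst ip> <src port> <dst port>\r\n
Everything after the CRLF is the application data.
"""
import ipaddress

MAX_V1_LINE = 107  # longest valid v1 header including CRLF, per the spec

# Constructed sample: what a backend would read first on a new connection.
SAMPLE = b"PROXY TCP4 198.51.100.7 10.0.1.20 41234 443\r\nGET / HTTP/1.1\r\n"


class ProxyHeaderError(ValueError):
    """Raised for a missing or malformed header; the backend should drop the connection."""


def parse_proxy_v1(data: bytes):
    """Return (info, payload). info is a dict, or None for 'PROXY UNKNOWN'."""
    end = data.find(b"\r\n", 0, MAX_V1_LINE)
    if not data.startswith(b"PROXY ") or end == -1:
        raise ProxyHeaderError("no PROXY v1 header")
    try:
        fields = data[:end].decode("ascii").split(" ")
    except UnicodeDecodeError as exc:
        raise ProxyHeaderError("non-ASCII header") from exc
    payload = data[end + 2:]
    if fields[1] == "UNKNOWN":
        return None, payload  # proxy could not determine the client; no addresses
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ProxyHeaderError("malformed PROXY header")
    family = 4 if fields[1] == "TCP4" else 6
    try:
        src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
        sport, dport = int(fields[4]), int(fields[5])
    except ValueError as exc:
        raise ProxyHeaderError(f"bad address or port: {exc}") from exc
    if src.version != family or dst.version != family:
        raise ProxyHeaderError("address family mismatch")
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ProxyHeaderError("port out of range")
    return {"src": str(src), "dst": str(dst), "sport": sport, "dport": dport}, payload


def is_allowed(client_ip, allowlist):
    """True if the recovered client address falls inside any allow-listed CIDR."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(cidr) for cidr in allowlist)


def accept_connection(data, allowlist):
    """Combine both steps: returns (allowed, payload) for a fresh connection."""
    info, payload = parse_proxy_v1(data)
    if info is None:
        return False, payload  # unknown client: deny by default
    return is_allowed(info["src"], allowlist), payload
```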
Cross-Zone Load Balancing

• With Cross Zone Load Balancing: each load balancer instance distributes evenly across all registered instances in all AZ
• Otherwise, each load balancer node distributes requests evenly across the registered instances in its Availability Zone only.

(diagram: load balancer nodes in AZ 1, AZ 2 and AZ 3, shown with cross-zone load balancing on and off)

Cross-Zone Load Balancing

• Classic Load Balancer
  • Disabled by default
  • No charges for inter AZ data if enabled
• Application Load Balancer
  • Always on (can’t be disabled)
  • No charges for inter AZ data
• Network Load Balancer
  • Disabled by default
  • You pay charges ($) for inter AZ data if enabled

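To make the imbalance the two cross-zone slides describe concrete, an added example (not course code) that computes each instance’s share of traffic for a constructed layout of two AZs holding 2 and 8 instances, with cross-zone load balancing off and on; per_instance_share and imbalance_ratio are hypothetical helpers.

```python
"""Per-instance traffic share with and without cross-zone load balancing.

Added example, not course code. DNS spreads client requests evenly over the
load balancer nodes (one per AZ). With cross-zone off a node only spreads
its share over the instances in its own AZ; with cross-zone on every node
spreads over all registered instances in all AZs.
"""


def per_instance_share(instances_per_az, cross_zone):
    """instances_per_az: one instance count per AZ (constructed, e.g. [2, 8]).
    Returns, per AZ, the fraction of all requests each instance there receives."""
    if not instances_per_az or any(n < 0 for n in instances_per_az):
        raise ValueError("need one non-negative instance count per AZ")
    nodes = len(instances_per_az)
    if cross_zone:
        total = sum(instances_per_az)
        return [1 / total if n else 0.0 for n in instances_per_az]
    # each node owns 1/nodes of the requests and splits it inside its AZ
    return [(1 / nodes) / n if n else 0.0 for n in instances_per_az]


def imbalance_ratio(instances_per_az, cross_zone):
    """Busiest instance's share divided by the least busy one (1.0 = balanced)."""
    shares = [s for s in per_instance_share(instances_per_az, cross_zone) if s]
    return max(shares) / min(shares)
```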
Load Balancer Stickiness

• It is possible to implement stickiness so that the same client is always redirected to the same instance behind a load balancer
• This works for Classic Load Balancers & Application Load Balancers
• The “cookie” used for stickiness has an expiration date you control
• Use case: make sure the user doesn’t lose his session data
• Enabling stickiness may bring imbalance to the load over the backend EC2 instances
• Alternative is to cache session data in ElastiCache, DynamoDB for example

(diagram: Client A, Client B and Client C behind a load balancer, each pinned to one of two EC2 Instances)

API Gateway – Overview

• Helps expose Lambda, HTTP & AWS Services as an API
• API versioning, authorization, traffic management (API keys, throttles), huge scale, serverless, req/resp transformations, OpenAPI spec, CORS
• Limits to know:
  • 29 seconds timeout
  • 10 MB max payload size

(diagram: client -> REST API on API Gateway -> proxy requests -> Lambda / backend)

API Gateway – Deployment Stages

• API changes are deployed to “Stages” (as many as you want)
• Use the naming you like for stages (dev, test, prod)
• Stages can be rolled back as a history of deployments is kept

(diagram: Prod Stage -> PROD Alias (95% V1, 5% V2), Test Stage -> TEST Alias (100% V2))

API Gateway – Integrations

• HTTP
  • Expose HTTP endpoints in the backend
  • Example: internal HTTP API on premise, Application Load Balancer…
  • Why? Add rate limiting, caching, user authentications, API keys, etc…
• Lambda Function
  • Invoke Lambda function
  • Easy way to expose REST API backed by AWS Lambda
• AWS Service
  • Expose any AWS API through the API Gateway?
  • Example: start an AWS Step Function workflow, post a message to SQS
  • Why? Add authentication, deploy publicly, rate control…

API Gateway - Endpoint Types

• Edge-Optimized (default): For global clients
  • Requests are routed through the CloudFront Edge locations (improves latency)
  • The API Gateway still lives in only one region
• Regional:
  • For clients within the same region
  • Could manually combine with CloudFront (more control over the caching strategies and the distribution)
• Private:
  • Can only be accessed from your VPC using an interface VPC endpoint (ENI)
  • Use a resource policy to define access

Caching API responses

• Caching reduces the number of calls made to the backend
• Default TTL (time to live) is 300 seconds (min: 0s, max: 3600s)
• Caches are defined per stage
• Possible to override cache settings per method
• Clients can invalidate the cache with header: Cache-Control: max-age=0 (with proper IAM authorization)
• Able to flush the entire cache (invalidate it) immediately
• Cache encryption option
• Cache capacity between 0.5GB to 237GB

(diagram: Client -> API Gateway checks the API cache (Gateway cache); if cache miss, the request goes to the backend)

API Gateway - Errors

• 4xx means Client errors
  • 400: Bad Request
  • 403: Access Denied, WAF filtered
  • 429: Quota exceeded, Throttle
• 5xx means Server errors
  • 502: Bad Gateway Exception, usually for an incompatible output returned from a Lambda proxy integration backend and occasionally for out-of-order invocations due to heavy loads.
  • 503: Service Unavailable Exception
  • 504: Integration Failure – ex Endpoint Request Timed-out Exception
    • API Gateway requests time out after 29 second maximum

API Gateway – Security

• Load SSL certificates and use Route53 to define a CNAME
• Resource Policy (~S3 Bucket Policy):
  • control who can access the API
  • Users from AWS accounts, IP or CIDR blocks, VPC or VPC Endpoints
• IAM Execution Roles for API Gateway at the API level
  • To invoke a Lambda Function, an AWS service…
• CORS (Cross-origin resource sharing):
  • Browser based security
  • Control which domains can call your API

API Gateway – Authentication

• IAM based access
  • Good for providing access within your own infrastructure
  • Pass IAM credentials in headers through Sig V4
• Lambda Authorizer (formerly Custom Authorizer)
  • Use Lambda to verify a custom OAuth / SAML / 3rd party authentication
• Cognito User Pools
  • Client authenticates with Cognito
  • Client passes the token to API Gateway
  • API Gateway knows out-of-the-box how to verify the token

(diagram: Client -> Authentication with Cognito User Pools -> get token; Client passes the token to API Gateway, which verifies it and passes the identity to the Backend)

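An added example (not from the course) of the Lambda Authorizer flow above: the token format, SIGNING_KEY and verify_token are a constructed HMAC scheme standing in for the OAuth / SAML check, while the returned policy document has the shape API Gateway expects from a TOKEN authorizer.

```python
"""Lambda TOKEN authorizer returning an IAM policy for execute-api:Invoke.

Added example, not course code. API Gateway calls the authorizer with the
bearer token and the ARN of the method being invoked; the function answers
with a principal and an Allow/Deny policy. Returning Deny yields a 403 to the
caller; raising an exception whose message is "Unauthorized" yields a 401.
"""
import base64
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"constructed-demo-key"  # stand-in for a key loaded from Secrets Manager


def issue_token(subject, exp, key=SIGNING_KEY):
    """Mint a minimal HMAC-signed token (constructed format, not a real OAuth/JWT issuer)."""
    body = base64.urlsafe_b64encode(json.dumps({"sub": subject, "exp": exp}).encode()).decode()
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token, now, key=SIGNING_KEY):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    try:
        claims = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, TypeError):
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def build_policy(principal, effect, method_arn, context=None):
    """Policy document in the shape API Gateway expects back from a TOKEN authorizer."""
    return {
        "principalId": principal,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}],
        },
        # context values are forwarded to the integration (e.g. $context.authorizer.sub)
        "context": context or {},
    }


def authorizer_handler(event, now=None):
    """Entry point: event carries authorizationToken and methodArn."""
    now = time.time() if now is None else now
    token = event.get("authorizationToken", "")
    if token.startswith("Bearer "):
        token = token[len("Bearer "):]
    claims = verify_token(token, now)
    if claims is None:
        return build_policy("anonymous", "Deny", event["methodArn"])
    return build_policy(claims["sub"], "Allow", event["methodArn"], {"sub": claims["sub"]})
```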
API Gateway – Logging, Monitoring, Tracing

• CloudWatch Logs:
  • Enable CloudWatch logging at the Stage level (with Log Level – ERROR, INFO)
  • Can log full requests / responses data (customizable)
  • Can send API Gateway Access Logs
  • Can send logs directly into Kinesis Data Firehose (as an alternative to CW logs)
• CloudWatch Metrics:
  • Metrics are by stage, possibility to enable detailed metrics
  • IntegrationLatency, Latency, CacheHitCount, CacheMissCount
• X-Ray:
  • Enable tracing to get extra information about requests in API Gateway
  • X-Ray API Gateway + AWS Lambda gives you the full picture

Route 53 – Records

• Route53 is a Managed DNS (Domain Name System)
• A: hostname to IPv4
• AAAA: hostname to IPv6
• CNAME: hostname to hostname
• Alias: hostname to AWS resource
  • Use for: CLB, ALB, NLB, CloudFront, S3 bucket, Elastic Beanstalk
  • Can be used for root apex record (mydomain.com)
• Other record types are not needed for the exam

Route 53 – Diagram for A Record

(diagram: the Web browser asks Route 53 for the A record of the hostname; Route 53 answers with the IPv4 address and the record’s TTL; the browser will cache the result for the TTL of the record and then connects to the Application server at that IP)

DNS Records TTL (Time to Live)

• High TTL: (e.g. 24hr)
  • Less traffic on DNS
  • Possibly outdated records
• Low TTL: (e.g 60 s)
  • More traffic on DNS
  • Records are outdated for less time
  • Easy to change records
• TTL is mandatory for each DNS record

(diagram: the Web browser sends a DNS Request for myapp.mydomain.com to Route 53, gets back the A record (host to IPv4) with its TTL, and keeps it in its DNS cache for the TTL duration before asking again)

Simple Routing Policy

• Maps a hostname to a single resource
• You can’t attach health checks to simple routing policy
• If multiple values are returned, a random one is chosen by the client

(diagram: Web browser -> Route 53 -> foo.example.com A record -> 11.22.33.44)

Weighted Routing Policy

• Control the % of the requests that go to specific endpoint
• Helpful to test 1% of traffic on new app version for example
• Helpful to split traffic between two regions – Load Balancing
• Can be associated with Health Checks
• Note: The weights don’t need to sum up to 100

(diagram: Route 53 sends traffic to three endpoints with Weight: 70, Weight: 20 and Weight: 10)

Latency Routing Policy

• Redirect to the server that has the least latency close to us
• Super helpful when latency of users is a priority
• Latency is evaluated in terms of user to designated AWS Region
• Germany users may be directed to the US (if that’s the lowest latency)
• Has a failover capability if you enable health checks

!
"
#
%
"
:* ..Z,,ZRRZii
&
'
(
Geo Location Routing Policy

- Different from Latency based!
- This is routing based on user location
- Here we specify: traffic from the UK should go to this specific IP
- Should create a "default" policy (in case there's no match on location)

Route 53 - Complex / Nested Records

(diagram only: www.example.com holds latency records that are aliases to us-east-1.www.example.com and ap-southeast-1.www.example.com; each of those regional names holds weighted A records)

Multi Value Routing Policy

- Use when routing traffic to multiple resources
- Want to associate Route 53 health checks with records
- Up to 8 healthy records are returned for each Multi Value query
- Multi Value is not a substitute for having an ELB

Route 53 – Good to know

- Private DNS:
  - Can use Route 53 for internal private DNS
  - Must enable the VPC settings enableDnsHostNames and enableDnsSupport
- DNSSEC (protect against Man In the Middle attack):
  - Amazon Route 53 supports DNSSEC for domain registration.
  - Route 53 supports DNSSEC for DNS service as of December 2020 (using KMS)
  - You could also run a custom DNS server on Amazon EC2 for example (Bind is the most popular, dnsmasq, KnotDNS, PowerDNS).
- 3rd party registrar:
  - You can buy the domain out of AWS and use Route 53 as your DNS provider
  - Update the NS records on the 3rd party registrar

Health Checks with Route 53

- Health Check => automated DNS failovers:
  1. Health checks that monitor an endpoint (application, server, other AWS resource)
  2. Health checks that monitor other health checks (calculated health checks)
  3. Health checks that monitor CloudWatch alarms (full control) – e.g. throttles of DynamoDB, alarms on RDS, custom metrics, etc
- Health Checks are integrated with CW metrics

Route 53 Health Checks – good to know

- Health Checks can be set up to pass / fail based on text in the first 5120 bytes of the response
- Health Checks pass only with the 2xx and 3xx status response
- Calculated health checks
  - Create separate individual health checks
  - Specify how many of the health checks need to pass to make the parent pass
- Health Checks can trigger CW Alarms

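An added Python example (not from the course slides) of the health-check rules above: an endpoint check that passes only on 2xx/3xx and only finds its search string within the first 5120 bytes, a calculated parent check with a pass threshold, and the DNS failover that consumes the result; the HttpResponse class and the sample probes are constructed.

```python
from dataclasses import dataclass

SEARCH_WINDOW_BYTES = 5120  # Route 53 looks for the search string only in the first 5120 bytes


@dataclass
class HttpResponse:
    status: int
    body: bytes


def endpoint_check(response, search_string=None):
    """Endpoint (HTTP) health check: healthy only on a 2xx or 3xx status; when a
    search string is configured it must additionally appear within the first
    5120 bytes of the body, so a marker placed deeper in the page is never seen."""
    if not 200 <= response.status < 400:
        return False
    if search_string is None:
        return True
    return search_string.encode() in response.body[:SEARCH_WINDOW_BYTES]


def calculated_check(child_results, health_threshold):
    """Calculated (parent) health check: healthy when at least `health_threshold`
    children are healthy. Threshold 0 means always healthy; a threshold above the
    number of children can never be met, so the parent is always unhealthy."""
    return sum(1 for healthy in child_results if healthy) >= health_threshold


def failover_answer(primary_ip, secondary_ip, primary_healthy):
    """Failover record set: the primary is returned while its health check passes,
    otherwise DNS switches to the secondary automatically."""
    return primary_ip if primary_healthy else secondary_ip


if __name__ == "__main__":
    # Constructed probes: two healthy web nodes and one answering 503.
    probes = [HttpResponse(200, b"<html>status: OK</html>"),
              HttpResponse(302, b""),
              HttpResponse(503, b"status: OK")]
    children = [endpoint_check(p) for p in probes]          # [True, True, False]
    parent = calculated_check(children, health_threshold=2)  # 2 of 3 must pass
    print("children:", children, "parent healthy:", parent)
    print("answer:", failover_answer("203.0.113.10", "203.0.113.20", parent))
```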
Health Checks – Private Hosted Zones

- Route 53 health checkers are outside the VPC
- They can't access private endpoints (private VPC or on-premise resource)
- Options:
  - To check a resource within a VPC, you must assign a public IP address
  - You can configure the health checker to check the health of an external resource the instance relies on, for example a database server
  - You can create a CloudWatch metric and associate an alarm. You then create a health check that checks the alarm itself

Solution Architecture Comparisons

- EC2 on its own with Elastic IP
- EC2 with Route53
- ALB + ASG
- ALB + ECS on EC2
- ALB + ECS on Fargate
- ALB + Lambda
- API Gateway + Lambda
- API Gateway + AWS Service
- API Gateway + HTTP backend (ex: ALB)

EC2 with Elastic IP

- Quick failover
- The client should not see the change happen
- Helpful if the client needs to resolve by static Public IP address
- Does not scale
- Cheap

(diagram: the user accesses the instance by its public Elastic IP; in case of DR the Elastic IP is moved to a standby instance)

Stateless web app - scaling horizontally

(diagram only: a DNS query returns an A record pointing at the public EC2 instances, TTL 1 hour, no Elastic IP)

Stateless web app - scaling horizontally

- "DNS-based load balancing"
- Ability to use multiple instances
- Route53 TTL implies client may get outdated information
- Clients must have logic to deal with hostname resolution failures
- Adding an instance may not receive full traffic right away due to DNS TTL

ALB + ASG

- Scales well, classic architecture
- New instances are in service right away.
- Users are not sent to instances that are out-of-service
- Time to scale is slow (EC2 instance startup + bootstrap) – AMI can help
- ALB is elastic but can't handle sudden, huge peak of demand (pre-warm)
- Could lose a few requests if instances are overloaded
- CloudWatch used for scaling
- Cross-Zone balancing for even traffic distribution
- Target utilization should be between 40% and 70%

ALB + ECS on EC2 (backed by ASG)

- Same properties as ALB + ASG
- Application is run on Docker
- ASG + ECS allows to have dynamic port mappings
- Tough to orchestrate ECS service auto-scaling + ASG auto-scaling

ALB + ECS on Fargate

- Application is run on Docker
- Service Auto Scaling is easy
- Time to be in-service is quick (no need to launch an EC2 instance in advance)
- Still limited by the ALB in case of sudden peaks
- "serverless" application tier
- "managed" load balancer

ALB + Lambda

- Limited to Lambda's runtimes
- Seamless scaling thanks to Lambda
- Simple way to expose Lambda functions as HTTP/S without all the features from API Gateway
- Can combine with WAF (Web Application Firewall)
- Good for hybrid microservices
- Example: use ECS for some requests, use Lambda for others

API Gateway + Lambda

- Pay per request, seamless scaling, fully serverless
- Soft limits: 10000/s API Gateway, 1000 concurrent Lambda
- API Gateway features: authentication, rate limiting, caching, etc…
- Lambda Cold Start time may increase latency for some requests
- Fully integrated with X-Ray

API Gateway + AWS Service (as a proxy)

- Lower latency, cheaper
- Not using Lambda concurrent capacity, no custom code
- Expose AWS APIs securely through API Gateway
- SQS, SNS, Step Functions…
- Remember API Gateway has a payload limit of 10 MB (can be a problem for S3 proxy)

API Gateway + HTTP backend (ex: ALB)

- Use API Gateway features on top of custom HTTP backend (authentication, rate control, API keys, caching…)
- Can connect to…
  - On-premise service
  - Application Load Balancer
  - 3rd party HTTP service

Storage Section

EBS

- Network drive you attach to ONE instance only
- Linked to a specific availability zone (transfer: snapshot => restore)
- Volumes can be resized
- Make sure you choose an instance type that is EBS optimized to enjoy maximum throughput

EBS – Volume Types

- gp2: General Purpose Volumes (cheap)
  - 3 IOPS / GiB, minimum 100 IOPS, burst to 3000 IOPS, max 16000 IOPS
  - 1 GiB – 16 TiB, +1 TB = +3000 IOPS
- io1: Provisioned IOPS (expensive)
  - Min 100 IOPS, Max 64000 IOPS (Nitro) or 32000 (other)
  - 4 GiB – 16 TiB. Size of volume and IOPS are independent
- st1: Throughput Optimized HDD
  - 500 GiB – 16 TiB, 500 MiB/s throughput
- sc1: Cold HDD, Infrequently accessed data
  - 250 GiB – 16 TiB, 250 MiB/s throughput

EBS – RAID Configurations

(diagram only: an EC2 instance with one logical volume built from EBS volumes as RAID 0 (add) vs RAID 1 (mirror))

EBS Snapshots

- Incremental – only backup changed blocks
- EBS backups use IO and you shouldn't run them while your application is handling a lot of traffic
- Snapshots will be stored in S3 (but you won't directly see them)
- Not necessary to detach volume to do snapshot, but recommended
- Can copy snapshots across region (for DR)
- Can make Image (AMI) from Snapshot
- EBS volumes restored by snapshots need to be pre-warmed (using fio or dd command to read the entire volume)
- Snapshots can be automated using Amazon Data Lifecycle Manager

Local EC2 Instance Store

- Physical disk attached to the physical server where your EC2 is
- Very High IOPS (because physical)
- Disks up to 7.5 TiB (can change over time), striped to reach 30 TiB (can change over time…)
- Block Storage (just like EBS)
- Cannot be increased in size
- Risk of data loss if hardware fails

EBS vs Instance Store

- Some instances do not come with Root EBS volumes
- Instead, they come with "Instance Store" (= ephemeral storage)
- Instance store is physically attached to the machine (EBS is a network drive)
- Pros:
  - Better I/O performance (EBS gp2 has a max IOPS of 16000, io1 of 64000)
  - Good for buffer / cache / scratch data / temporary content
  - Data survives reboots
- Cons:
  - On stop or termination, the instance store is lost
  - You can't resize the instance store
  - Backups must be operated by the user

EFS – Elastic File System

- Managed NFS (network file system) that can be mounted on many EC2
- EFS works with EC2 instances in multi-AZ, & on-premise (DX & VPN)
- Highly available, scalable, expensive (3x gp2), pay per GB used

(diagram: EC2 instances in us-east-1a, us-east-1b and us-east-1c mount the same EFS file system; access is controlled by a security group)

EFS – Elastic File System

- Use cases: content management, web serving, data sharing, Wordpress
- Compatible with Linux based AMI (not Windows), POSIX-compliant
- Uses NFSv4.1 protocol
- Uses security group to control access to EFS
- Encryption at rest using KMS
- Can only attach to one VPC, create one ENI (mount target) per AZ

EFS – Performance & Storage Classes

- EFS Scale
  - 1000s of concurrent NFS clients, 10 GB+ /s throughput
  - Grow to Petabyte-scale network file system
- Performance mode (set at EFS creation time)
  - General purpose (default): latency-sensitive use cases (web server, CMS, etc…)
  - Max I/O – higher latency, higher throughput, highly parallel (big data, media processing)
- Throughput Mode
  - Bursting Mode: common for filesystems (intensive work, then almost nothing), linked to FS size
  - Provisioned IO Mode: high throughput to storage ratio (if burst is not enough) – expensive
- Storage Tiers (lifecycle management feature – move file after N days)
  - Standard: for frequently accessed file
  - Infrequent access: higher cost to retrieve the file, lower price point to store the file

EFS - On-Premise & VPC Peering

(diagram only: an on-premise server reaches the EFS mount target ENI by IPv4 address (not DNS) over Direct Connect or a site-to-site VPN, with redundancy in DX/DX or DX/VPN and in the mount targets; an EC2 instance in a peered VPC reaches it over VPC peering)

S3 – Overview

- Object storage, serverless, unlimited storage, pay-as-you-go
- Good to store static content (image, video files)
- Access objects by key, no indexing facility
- Not a filesystem, cannot be mounted natively on EC2
- Anti patterns:
  - Lots of small files
  - POSIX file system (use EFS instead), file locks
  - Search features, queries, rapidly changing data
  - Website with dynamic content

S3 Storage Classes Comparison

|                                 | S3 Standard   | S3 Intelligent-Tiering | S3 Standard-IA   | S3 One Zone-IA   | S3 Glacier       | S3 Glacier Deep Archive |
|---------------------------------|---------------|------------------------|------------------|------------------|------------------|-------------------------|
| Designed for durability         | 99.999999999% | 99.999999999%          | 99.999999999%    | 99.999999999%    | 99.999999999%    | 99.999999999%           |
| Designed for availability       | 99.99%        | 99.9%                  | 99.9%            | 99.5%            | 99.99%           | 99.99%                  |
| Availability SLA                | 99.9%         | 99%                    | 99%              | 99%              | 99.9%            | 99.9%                   |
| Availability Zones              | ≥3            | ≥3                     | ≥3               | 1                | ≥3               | ≥3                      |
| Minimum storage duration charge | N/A           | 30 days                | 30 days          | 30 days          | 90 days          | 180 days                |
| Retrieval fee                   | N/A           | N/A                    | per GB retrieved | per GB retrieved | per GB retrieved | per GB retrieved        |

- You can transition objects between tiers (or delete) using S3 Lifecycle Policies
- https://aws.amazon.com/s3/storage-classes/

S3 – Replication

- Cross Region Replication (CRR)
- Same Region Replication (SRR)
- Combine with Lifecycle Policies
- Helpful to reduce latency
- Helpful for disaster recovery
- Helpful for security
- S3 bucket versioning must be enabled

(diagram: a bucket in us-east-1 replicated with CRR to us-west-2, with a lifecycle policy transitioning objects to Glacier)

S3 Events Notifications

- S3:ObjectCreated, S3:ObjectRemoved, S3:ObjectRestore, S3:Replication…
- Object name filtering possible (*.jpg)
- Use case: generate thumbnails of images uploaded to S3
- S3 event notifications typically deliver events in seconds but can sometimes take a minute or longer
- If two writes are made to a single non-versioned object at the same time, it is possible that only a single event notification will be sent
- If you want to ensure that an event notification is sent for every successful write, you can enable versioning on your bucket.

(diagram: events from Amazon S3 delivered to SNS, SQS and a Lambda function)

S3 – CloudWatch Events

- By default, CloudTrail records S3 bucket-level API calls
- CloudTrail logs for object-level Amazon S3 actions can be enabled
- This helps us generate events for object-level API (GetObject, PutObject, DeleteObject, PutObjectAcl, etc…)
- Full list here: https://docs.aws.amazon.com/AmazonS3/latest/dev/cloudtrail-logging.html

(diagram: CloudTrail object-level monitoring of Amazon S3 feeding CloudWatch Events, which fan out to SQS, SNS and Lambda)

S3 – Baseline Performance

- Amazon S3 automatically scales to high request rates, latency 100-200 ms
- Your application can achieve at least 3,500 PUT/COPY/POST/DELETE and 5,500 GET/HEAD requests per second per prefix in a bucket.
- There are no limits to the number of prefixes in a bucket.
- Example (object path => prefix):
  - bucket/folder1/sub1/file => /folder1/sub1/
  - bucket/folder1/sub2/file => /folder1/sub2/
  - bucket/1/file => /1/
  - bucket/2/file => /2/
- If you spread reads across all four prefixes evenly, you can achieve 22,000 requests per second for GET and HEAD

S3 Performance

- Multi-Part upload:
  - recommended for files > 100MB, must use for files > 5GB
  - Can help parallelize uploads (speed up transfers)
- S3 Transfer Acceleration (upload only)
  - Increase transfer speed by transferring file to an AWS edge location which will forward the data to the S3 bucket in the target region
  - Compatible with multi-part upload

(diagram: a big file is divided into parts that are uploaded in parallel to Amazon S3; with Transfer Acceleration a file in the USA goes fast over the public web to an edge location, then fast over the private AWS network to an S3 bucket in Australia)

S3 Performance – S3 Byte-Range Fetches

- Parallelize GETs by requesting specific byte ranges
- Better resilience in case of failures
- Can be used to speed up downloads
- Can be used to retrieve only partial data (for example the head of a file)

(diagram: requests for part 1, part 2 … part N of a file in S3 issued in parallel; a byte-range request for the header fetches only the first xx bytes)

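An added Python example (not from the course slides) of byte-range fetches: the object is split into inclusive ranges, the GETs run in parallel with a per-part retry, and a single range request fetches just the head. FakeS3Object is a constructed stand-in for an S3 GET with a `Range` header so the code runs offline; against real S3 the same ranges would go in `Range: bytes=start-end`.

```python
import threading
from concurrent.futures import ThreadPoolExecutor


class FakeS3Object:
    """Constructed stand-in for an S3 object. get_range mimics a GET with an
    HTTP `Range: bytes=start-end` header (both ends inclusive). Ranges whose
    start is listed in `flaky_starts` fail once, to show why per-part retries
    matter more than restarting the whole download."""

    def __init__(self, data, flaky_starts=()):
        self.data = data
        self.pending_failures = set(flaky_starts)
        self.lock = threading.Lock()  # get_range is called from several threads

    def get_range(self, start, end):
        with self.lock:
            if start in self.pending_failures:
                self.pending_failures.discard(start)
                raise ConnectionError(f"transient error on bytes={start}-{end}")
        return self.data[start:end + 1]


def byte_ranges(size, part_size):
    """Split an object of `size` bytes into inclusive (start, end) ranges; the
    last range is shorter when size is not a multiple of part_size."""
    if part_size <= 0:
        raise ValueError("part_size must be positive")
    return [(start, min(start + part_size, size) - 1)
            for start in range(0, size, part_size)]


def fetch_range(obj, start, end, retries=2):
    """Fetch one range, retrying only that range on a transient failure."""
    for attempt in range(retries + 1):
        try:
            return obj.get_range(start, end)
        except ConnectionError:
            if attempt == retries:
                raise


def parallel_download(obj, size, part_size, workers=4):
    """Issue the byte-range GETs in parallel and reassemble the parts in order;
    map() preserves the order of `ranges`, so the join is byte-exact."""
    ranges = byte_ranges(size, part_size)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        parts = list(pool.map(lambda r: fetch_range(obj, r[0], r[1]), ranges))
    return b"".join(parts)


def fetch_head(obj, nbytes):
    """Retrieve only the head of the object (e.g. a file header) with a single
    range request instead of downloading everything."""
    return obj.get_range(0, nbytes - 1)


if __name__ == "__main__":
    sample = bytes(range(256)) * 40            # constructed 10 KiB object
    obj = FakeS3Object(sample, flaky_starts=(4096,))  # second part fails once
    print("ranges:", byte_ranges(len(sample), 4096))
    print("reassembled correctly:", parallel_download(obj, len(sample), 4096) == sample)
    print("header bytes:", fetch_head(obj, 4))
```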
S3 Select & Glacier Select

- Retrieve less data using SQL by performing server side filtering
- Can filter by rows & columns (simple SQL statements)
- Less network transfer, less CPU cost client-side

(diagram: the client gets a CSV file with S3 Select; Amazon S3 filters server-side and sends back only the filtered dataset)

S3 Access Points

- Each Access Point gets its own DNS and policy to limit who can access it
  - A specific IAM user / group
  - One policy per Access Point => Easier to manage than complex bucket policies
- Can restrict to traffic from a specific VPC
- Access points are linked to a specific bucket (unique name per acct/region)

(diagram: Finance and Sales users/groups each go through their own access point, whose policy grants access to that team's prefix (/finance/*, /sales/*); an Analytics access point grants access to the whole bucket; the bucket itself keeps a simple bucket policy)

'
VPC Endpoints with S3 Access Points (
)
#
&
(
*
! Can for the usage of Amazon +
#
(
"
S3 Access Points
Points through the !
,
VPC endpoint only
)
-
.
1. VP
VPCC End
Endpo
poin
intt Pol
Polic
icyy to
to /
0
1
block access to Amazon
Amazon S3 2
.
3
2. S3 buc
uckket pol
polic
icyy to
to blo
block
ck 1
4
.
access from outside the 5
6
VPC 6
6
7
8
3. S3 Ac
Acce
cess
ss Poi
oint
nt lilink
nked
ed to 1
-
1
the S3 VPC Endpoint 9
:
;
:
<
:
!""#$%&&'($)'*'+,-).,*&/0,1$&$",2'13&*'-'14-15'*'+,-5$65'..3$$5(4"!57#.53-8#,4-"$5'-85$65'..3$$5#,4-"$&
=
7
9
>
;
! #$%&'()% *((+%,
!
"
#
!
"
#
!
"
#
!
"
#
%
"
&
'
(
)
#
&
(
*
+
#
(
"
!
,
)
-
.
/
0
1
2
.
3
1
4
Caching Section

AWS CloudFront

- Content Delivery Network (CDN)
- Improves read performance, content is cached at the edge
- 216 Point of Presence globally (edge locations)
- DDoS protection, integration with Shield, AWS Web Application Firewall
- Can expose external HTTPS and can talk to internal HTTPS backends

CloudFront – Origins

- S3 bucket
  - For distributing files and caching them at the edge
  - Enhanced security with CloudFront Origin Access Identity
  - CloudFront can be used as an ingress (to upload files to S3)
- S3 website
  - Must first enable the bucket as a static S3 website
- Custom Origin (HTTP)
  - Application Load Balancer
  - EC2 instance
  - API Gateway (for more control… otherwise use API Gateway Edge)
  - Any HTTP backend you want
- Possibility to have a primary and secondary origin (HA - Failover)

CloudFront – S3 as an Origin

(diagram only: public users in Los Angeles, Mumbai, São Paulo and Melbourne are served from their nearest edge location; the edge fetches from the S3 bucket origin using an Origin Access Identity together with an S3 bucket policy)

CloudFront – EC2 or ALB as an origin

(diagram: with an EC2 instance as origin, the instance must be public and its security group must allow the public IPs of the edge locations; with an ALB as origin, the ALB must be public and allow the edge location IPs, while the EC2 instances behind it can be private and allow only the ALB's security group)

- List of edge location IPs: https://d7uri8nf7uskq.cloudfront.net/tools/list-cloudfront-ips

CloudFront vs S3 Cross Region Replication

- CloudFront:
  - Global Edge network
  - Files are cached for a TTL (maybe a day)
  - Great for static content that must be available everywhere
- S3 Cross Region Replication:
  - Must be set up for each region you want replication to happen
  - Files are updated in near real-time
  - Read only
  - Great for dynamic content that needs to be available at low-latency in few regions

CloudFront Geo Restriction

- You can restrict who can access your distribution
  - Whitelist: Allow your users to access your content only if they're in one of the countries on a list of approved countries.
  - Blacklist: Prevent your users from accessing your content if they're in one of the countries on a blacklist of banned countries.
- The "country" is determined using a 3rd party Geo-IP database
- Use case: Copyright Laws to control access to content

CloudFront Signed URL / Signed Cookies

- You want to distribute paid shared content to premium users over the world
- We can use CloudFront Signed URL / Cookie. We attach a policy with:
  - Includes URL expiration
  - Includes IP ranges to access the data from
  - Trusted signers (which AWS accounts can create signed URLs)
- How long should the URL be valid for?
  - Shared content (movie, music): make it short (a few minutes)
  - Private content (private to the user): you can make it last for years
- Signed URL = access to individual files (one signed URL per file)
- Signed Cookies = access to multiple files (one signed cookie for many files)

CloudFront Signed URL Diagram

(diagram only: the client authenticates with the application, which authorizes it, generates a signed URL with the AWS SDK and returns it; the client then uses the signed URL at the CloudFront edge location, which serves the object from S3 through an OAI)