Amazon Web Service

AWS CheckList

Security Group cannot deny connection, but only allow.

Typical Comparison

  • Beanstalk - OpsWorks - CloudFormation
    • Beanstalk - A fully managed service for deploying and scaling web applications and services.
    • OpsWorks - A configuration management service for provisioning and managing applications on EC2 instances.
    • CloudFormation - An infrastructure as code (IaC) service for defining and managing AWS resources.
  • DataSync - Storage Gateway
    • data-sync
      • one-time or infrequent large data migration
      • data transferring using various protocols and data filtering options
      • secure and efficient data transfer with integrity checks and encryption
    • storage gateway
      • continuous data access and synchronization between on-premises and cloud
      • low-latency access to on-premises from cloud-applications
      • data backup and disaster recovery to S3
      • scalable and cost-effective solution for frequent data access and transfers
  • ENA - EFA
    • ENA
      • general purpose workloads
      • low latency compared to standard ENI
      • higher throughput for data transfer
      • supported by a wider range of instance types
      • suitable for applications like web servers, databases, containerized workloads
    • EFA
      • ultra low latency and high throughput for HPC and ML
      • by-passes the operating system kernel for direct communication with the network adapter
      • requires special drivers and software libraries for applications to leverage its full potential
  • Cross-Region Read Replicas - Multi-AZ RDS
    • HA and low latency for mission-critical apps - MultiAZ RDS - SYNC - Automatic FailOver
    • Global user base, disaster recovery, analytics workloads or read-heavy applications - Cross-Region RR - ASYNC - Manual Failover
  • S3 Object Key - Object Metadata
  • Direct Connect - Site to Site VPN
    • DC - a dedicated network connection between your on-premises infra and a specific AWS Direct Connect location
      • high bandwidth and low latency
      • lower cost for large or frequent data transfers
      • more scalable - 1Gbps ~ 100Gbps
      • multiple connection options
      • on-premise equipment and AWS direct connection location setup are needed
      • connection is limited to a specific AWS location and region
      • requires installation and management of physical infrastructure
    • SiteToSite VPN - a secure tunnel established over the public internet to connect your on-premises network to your VPC in AWS
      • use existing internet connection and requires minimal configuration
      • connects to any VPC in any AWS Region or AZ
      • no need for additional hardware or physical connections
      • encrypts data in transit using IPSec tunnels
      • relies on public internet, leading potential fluctuations and high latency
      • potential security risks
      • limited bandwidth
  • AWS Config - AWS CloudTrail - AWS Inspector
    • AWS Config - Continuously evaluates the configuration of your AWS resources against desired configurations set by you or industry standards
      • key features
        • rule-based evaluations to monitor resource configuration changes
        • recording configuration snapshots for historical analysis
        • integration with AWS security-hub for aggregated resource insights
        • support for custom rules and remediation actions
      • use cases
        • ensuring adherence to specific compliance standards
        • detecting configuration drift and unauthorized changes
        • maintaining consistent configurations across multiple resources
        • automating remediation actions for non-compliant configurations
    • CloudTrail - Records API calls made to AWS services within your account, providing a log of actions taken
      • key features
        • comprehensive logging of API calls with user identity, timestamps, request details
        • customizable event selection for filtering specific activities
        • integration with AWS cloud-watch logs for centralized log management and analysis
        • support for delivering logs to S3 buckets or external destinations
      • use cases
        • auditing user activity and tracking resource modifications
        • investigating security incidents and potential unauthorized access
        • complying with audit requirements and regulatory regulations
        • analyzing trends and user behavior for identifying best practices
    • Inspector - A service for assessing the security and compliance of your AWS resources
      • key features
        • performs automated assessments of your resources against security best practices
        • identifies potential vulnerabilities and configuration weakness in your resources
        • provides recommendations for remediation and improvement
        • integrates with AWS security hub for comprehensive security posture management
      • use cases
        • proactively identifying potential security risks and compliance issues in your AWS environment
        • prioritizing remediation efforts based on identified vulnerabilities
        • demonstrating compliance with security and data protection regulations
  • WAF - Security Group - NACL
    • WAF
      • prevent SQL injection, XSS, DDoS
      • configurable rules based on IP, request methods, headers, body content to allow or block traffic
      • pay as you go pricing based on web ACL resources, web requests, web ACL rule evaluations
    • NACL
      • controlling inbound and outbound traffic at the subnet level
      • simple rules based on IP, protocols, ports to allow or deny traffic
    • SG
      • instance level in/out-bound traffic control
      • similar to NACLs but can also be stateful
  • NAT Gateway - NAT Instance
  • Geolocation routing policy - Geo-proximity routing policy
  • EC2 - ECS - Lambda
  • S3 - EBS - EFS
  • CloudFormation - OpsWork - Beanstalk
  • SQS - SNS - SES - MQ
  • RDS - DynamoDB - ElastiCache
  • RDS - Aurora

CheatSheet

  • General Migration Tools
    • AWS Migration Hub – provides a single location to track the progress of application migrations across multiple AWS and partner solutions. Using Migration Hub allows you to choose the AWS and partner migration tools that best fit your needs, while providing visibility into the status of migrations across your portfolio of applications.
    • AWS Application Discovery Service – collects and presents configuration, usage, and behavior data from your servers to help you plan your migration.
    • AWS Application Migration Service (AMS) – an agent-less service for migrating thousands of on-premises workloads to AWS.
    • AWS Database Migration Service (DMS) – helps you migrate databases to AWS. The source database remains fully operational during the migration.
    • AWS Snowball – a petabyte-scale data transport solution that uses secure appliances to transfer large amounts of data into and out of AWS.
    • AWS Snowmobile – an exabyte-scale data transfer service used to move extremely large amounts of data to AWS.
    • AWS Direct Connect – lets you establish a dedicated network connection line between your network and one of the AWS Direct Connect locations.
    • Amazon Kinesis Firehose – a fully managed service for loading streaming data into AWS.
    • AWS Marketplace – where you can purchase different types of software and licenses offered by AWS Partners and other AWS Users.

When & What

  • For continuous monitoring and change tracking: Choose AWS Config.
  • For comprehensive action logging and audit trails: Choose AWS CloudTrail.
  • For automated security and compliance assessments: Choose AWS Inspector.

TODO

  • DynamoDB
  • Aurora serverless mode
  • cloud-formation service dependency control, how to
  • s3 select
    • bucket
    • key
  • how to enforce resource tag
    • IAM Policy
    • SCPs
  • s3 glacier archive retrieval
    • expedited
    • standard
    • bulk
    • Provisioned capacity helps ensure that your retrieval capacity for Expedited retrievals from S3 Glacier Flexible Retrieval is available when you need it.
  • secret manager or system manager parameter store
    • rotation
    • cost
  • how to get instance’s ip address
    • To view the private IPv4 address, public IPv4 address, and all other categories of instance metadata from within a running instance, use the following URL: http://169.254.169.254/latest/meta-data/
  • when to use volume gateway rather than file gateway
    • Data Access Patterns: If your application requires low-latency access to the entire dataset, Volume Gateway with Cached Volumes or Stored Volumes might be more suitable. If file-based access is sufficient, File Gateway could be appropriate.
    • Local Storage Requirements: If you need the entire dataset locally on-premises, Volume Gateway with Stored Volumes may be more suitable.
    • Backup and DR Requirements: Consider whether you need to take advantage of Amazon S3 for backup and disaster recovery. Volume Gateway with Stored Volumes and File Gateway both support storing data in S3, but they have different use cases.
    • Data Size: Volume Gateway might be more appropriate for large datasets that need to be locally available.

IAM policy evaluation logic

  1. Deny evaluation
  2. Organization SCPs
  3. Resource based policies
  4. Identity based policies
  5. IAM permissions boundaries
  6. Session policies

TODO 20240220

  • cost optimization
    • compute optimization
    • saving plans
AWS
Licensed under CC BY-NC-SA 4.0
© 2021 - 2024 harus-note
Get Things Done
Built with Hugo
Theme Stack designed by Jimmy