awspre

Notes

IAM

What is a proper definition of IAM Roles?

An IAM role is an IAM entity that defines a set of permissions for making AWS service requests. IAM roles are not associated with a specific user or group. Instead, trusted entities assume roles, such as IAM users, applications, or AWS services such as EC2.

Roles are similar to users, but they have no access credentials (no password or access keys). A role is usually granted to a resource (including a user) so that it temporarily holds certain permissions. For example, if an EC2 instance needs to access DynamoDB, we can create a role that has DynamoDB permissions, allow it to be assumed (AssumeRole) by the EC2 service, and then create an EC2 instance profile that uses this role. The EC2 instance can then access DynamoDB. The same access could of course be obtained by placing an AWS configuration file with some user's access key (AccessKey) on the EC2 instance's file system, but using a role is safer and more flexible. A role's credentials are generated dynamically; renewal and expiry need no special handling. Imagine you have hundreds or thousands of EC2 instances that call the AWS SDK with one user's access key: as soon as a single machine's key leaks, that user's key has to be rotated by hand, and then the key on every machine has to be updated by hand. This is a serious mistake that even people who have used AWS for years still make.

According to AWS's definition:

IAM enables you to control who can do what in your AWS account.

It provides user management, group management, role management and permission management so that AWS customers can manage the resources under their own accounts.
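The role-based setup described above (EC2 assuming a role that grants DynamoDB access, attached to the instance through an instance profile), written as a CloudFormation template. This is an added example, not code from the original notes; the table name, AMI id and instance type are placeholders.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example (not from the original notes): an IAM role that only the
  EC2 service may assume, scoped to one DynamoDB table, plus the instance
  profile that attaches it to an instance. No long-lived access keys.

Parameters:
  TableName:
    Type: String
    Default: orders            # placeholder table name

Resources:
  # Trust policy: only the EC2 service principal can assume this role
  Ec2DynamoRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      # Permissions policy: least privilege on a single table, not dynamodb:*
      Policies:
        - PolicyName: dynamodb-single-table
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - dynamodb:GetItem
                  - dynamodb:PutItem
                  - dynamodb:Query
                Resource: !Sub "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${TableName}"

  # Instance profile: the wrapper that lets an EC2 instance carry the role
  Ec2DynamoInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref Ec2DynamoRole

  # Attach the profile to the instance. The SDK on the box then fetches
  # short-lived credentials from the instance metadata service by itself,
  # so there is nothing to rotate by hand if the instance is compromised.
  AppInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0123456789abcdef0   # placeholder AMI id
      InstanceType: t3.micro           # placeholder instance type
      IamInstanceProfile: !Ref Ec2DynamoInstanceProfile
```

Revoking access is then a change to the role's policy, not a key rotation across every machine.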


Section 5: EC2 - Elastic Compute Cloud

Features include:

  • Virtual machines: instances

  • System images: Amazon Machine Images (AMIs)

  • Environment configuration (CPU, memory, disk, network, etc.): instance types

  • Secure login credentials (public key / private key): key pairs

  • Temporary data storage: instance store volumes

  • Persistent storage: Amazon EBS volumes

  • Physical data centers distributed worldwide: Regions and Availability Zones

  • Firewall (like iptables): security groups

  • Public IP: Elastic IP addresses

  • Metadata: tags

  • Virtual private network: virtual private clouds (VPCs)


!!!! EC2 purchasing options:

  • On-Demand:
  • Reserved:
  • Spot Instances:
  • Dedicated Hosts:
  • EC2 Dedicated Instances vs EC2 Dedicated Hosts

    EC2 Dedicated Instances: per-instance billing (subject to a $2 per region fee) (this option does not give you the host itself; that is unique to Dedicated Hosts)

    EC2 Dedicated Hosts: lots of access to the underlying hardware

An important difference between a Dedicated Host and a Dedicated instance is that a Dedicated Host gives you additional visibility and control over how instances are placed on a physical server, and you can consistently deploy your instances to the same physical server over time. As a result, Dedicated Hosts enable you to use your existing server-bound software licenses and address corporate compliance and regulatory requirements.

Questions I got wrong:

Which network security tool can you use to control traffic in and out of EC2 Instances?

A. Network Access Control List (NACL)

B. Identity and Access Management (IAM)

C. GuardDuty

D. Security Groups

Note: Security Groups operate at the instance level and can control traffic. Lecture 34: Security Groups & Classic Ports Overview

Security Groups are found under Network & Security in the EC2 Management Console

How long can you reserve an EC2 Reserved Instance?

A 1 or 3 years

B Anytime between 1 and 3 years


7/13

Section 6: EC2 Storage

Review Chapter 4: what a role is in IAM

Review Chapters 5 & 6:

  • EC2 definition

  • Security group port for SSH

  • EBS

  • EBS snapshots

  • EC2 instance store vs EBS

  • EFS vs EBS

  • AMI

EC2 Instance Storage Section

Type 1: Elastic Block Store

An EBS (Elastic Block Store) Volume is a network drive you can attach to your instances while they run

  • It allows your instances to persist data, even after their termination

  • They can only be mounted to one instance at a time (at the CCP level)

  • They are bound to a specific availability zone

When you create an EBS volume in an Availability Zone, it is automatically replicated within that zone to prevent data loss due to failure of any single hardware component

EBS Snapshots

To move a volume across Availability Zones, you first need to snapshot it

  • Can copy snapshots across AZs or Regions

Type 2: EC2 Instance Store

If you need a high-performance hardware disk, use EC2 Instance Store

  • Better I/O performance
  • EC2 Instance Store loses its storage if the instance is stopped (ephemeral)
  • Good for buffer / cache / scratch data / temporary content
  • Risk of data loss if hardware fails
  • Backups and Replication are your responsibility


Type 3: EFS - Elastic File System

File storage mountable to multiple EC2 instances at the same time: a shared file system


7/15

Section 7: ELB & ASG - Elastic Load Balancing & Auto Scaling Groups

1 Scalability is an ability: the ability to scale out or scale up

  • Vertical Scalability: increasing the size of the instance (scale up / scale down), e.g. a database
  • Horizontal Scalability (= elasticity): increasing the number of instances / systems for your application (scale out / scale in), e.g. a web app

2 Elasticity: once a system is scalable it can auto scale; cloud friendly

3 (Agility) distractor: new IT resources are only a click away, which means that you reduce the time to make those resources available to your developers from weeks to just minutes

High Availability: the goal of high availability is to survive a data center loss (disaster)

Run instances for the same application across multiple AZs

  • Auto Scaling Group multi AZ

  • Load Balancer multi AZ

Load balancer: feels a bit like splitting traffic

Why use a load balancer?

  • Spread load across multiple downstream instances

  • Expose a single point of access (DNS) to your application

  • Seamlessly handle failures of downstream instances

  • Do regular health checks to your instances

  • Provide SSL termination (HTTPS) for your websites

  • High availability across zones

Which of the following statements is NOT a feature of Load Balancers?

Load Balancers cannot help with back-end autoscaling. You should use Auto Scaling Groups.

Elastic Load Balancer–An ELB (Elastic Load Balancer) is a managed load balancer

–AWS guarantees that it will be working

–AWS takes care of upgrades, maintenance, high availability

–AWS provides only a few configuration knobs

3 kinds of load balancers offered by AWS:

  • application load balancer–(HTTP / HTTPS only) – Layer 7

  • network load balancer–(ultra-high performance, allows for TCP) – Layer 4

  • Classic Load Balancer (slowly retiring) - Layer 4 & 7. Will not be the correct answer! Already deprecated!!!!


Application load balancer

  • The best choice for distributing HTTP & HTTPS traffic
  • Application aware: backend services can receive extra information (e.g. the user's location, language, etc.)
  • Request routing policies can be set based on user information and conditions, directing traffic to specific services

key terms:

listeners

Target

Target Group

What load balancing does

A service that distributes traffic across multiple cloud servers. By distributing traffic, load balancing extends the application's capacity to serve external requests, and by eliminating single points of failure it improves the application's availability.

  1. Improved availability and access speed
    Automatically distributes traffic across multiple targets within a single Availability Zone or across several Availability Zones.
  2. Health checks
    Detects targets that are not working properly, stops sending traffic to them, and spreads the load over the remaining healthy targets.
  3. Security features
    Create and manage the security groups associated with the load balancer to provide more networking and security options.
  4. TLS termination
    Provides integrated certificate management and SSL/TLS decryption, so SSL settings can be managed centrally on the load balancer and the CPU-intensive work is offloaded from the application.

Amazon's ELB service comes in three types: ALB, NLB and CLB.

ALB

Application Load Balancer operates at the request level (layer 7) and routes traffic to targets such as EC2 instances, containers, IP addresses and Lambda functions based on the content of the request. Application Load Balancer is best suited to advanced load balancing of HTTP and HTTPS traffic and is aimed at modern application architectures, including microservices and container-based applications, with advanced request routing. Application Load Balancer simplifies and improves application security by ensuring that the latest SSL/TLS ciphers and protocols are always used.

ALB was released in August 2016. Unlike the existing load balancer (an OSI layer 4 TCP/UDP balancer), ALB inspects the packets and sends them to the right service. A single ALB can balance traffic for many backend services instead of running an Elastic Load Balancer per service. For example, a URL containing /api can be routed to a different backend service than a URL containing /signup.


Auto Scaling is one of the must-use features on a public cloud: it automatically adjusts resources according to system load



Block storage, file storage and object storage: https://www.zhihu.com/question/21536660

Section 8: AWS S3

  • Object storage
    • Data (files/videos/images) and the associated metadata are stored as objects
    • S3 cannot be used as the operating system's file system
    • An object can be up to 5 TB
  • High durability
    • Objects get eleven nines, 99.999999999%, of durability
      • That means only one object in a hundred million is lost
      • Objects stored in S3 are kept as multiple copies across several AZs in the same Region
  • High availability
    • 99.99% availability
  • High scalability
    • Unlimited storage space
  • Web based
    • Uploads and downloads are HTTP/HTTPS requests
  • Security
    • Several ways to encrypt data are available
  • Billing model
    • Pay as you go - Pay only for what you use

S3 Object basics:

  • Key (file name)
  • Value (data)
  • Version ID
  • Metadata
  • Subresources
    • ACL (Access Control List)
    • Torrent (BitTorrent seed)

What S3 can be used for - like Google Drive

  • Backups
  • Content storage
  • Big data analytics
  • Hosting static websites
  • Disaster recovery

S3 Bucket

  • A bucket is a collection that stores objects
    • Buckets and objects are both resources, i.e. entities that AWS can operate on
  • Can hold an unlimited number of objects
  • By default an account can create 100 buckets; this is a soft limit that can be raised by opening a case with AWS
  • A bucket belongs to a Region and is not global, even though the S3 web console page is global
  • A bucket's configuration is defined by its attached subresources

S3 Namespace

Region

  • The Region is where the bucket actually lives
  • An object stored in a Region never leaves that Region unless you explicitly transfer it out
  • When choosing a bucket's Region, consider latency, cost and similar factors. Because building and operating costs differ, S3 pricing differs between AWS Regions. In general, the closer the Region, the lower the latency.

S3 - Versioning

  • Keeps every version of an object, even after deletion (a delete only adds a delete marker; nothing is really deleted)
  • A good backup tool
  • Once enabled it cannot be disabled, only suspended
  • Integrates with Lifecycle Rules
  • MFA Delete: requires Multi-factor Authentication before a delete
  • Cross Region Replication also requires Versioning to be enabled on both the source and the destination bucket

S3 - Lifecycle Management

  • Can be used together with Versioning or on its own
  • Applies to the current version and to previous versions
  • Possible actions:
    • Transition to Standard-IA (Infrequent Access) (128 KB, 30 days after)
    • Archive to Glacier (30 days after IA)
    • Permanently delete

S3 - Security

  • By default a new bucket is private
  • You can set access control using:
    • Bucket Policies
    • Access Control Lists
  • An S3 bucket can be set to log every request into another bucket
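The versioning, lifecycle, encryption and request-logging settings from the three sections above combined on one bucket, as a CloudFormation template. This is an added example, not from the original notes; bucket names are generated by CloudFormation and the log prefix is a made-up value.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example (not from the original notes): one bucket that applies the
  versioning, lifecycle, encryption and logging settings discussed above.

Resources:
  # Receives the access logs of DataBucket; a new bucket is private by default
  LogBucket:
    Type: AWS::S3::Bucket

  # The S3 log delivery service needs a bucket policy to write into LogBucket
  LogBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref LogBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: logging.s3.amazonaws.com
            Action: s3:PutObject
            Resource: !Sub "${LogBucket.Arn}/*"
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId   # only logs from this account

  DataBucket:
    Type: AWS::S3::Bucket
    Properties:
      # Versioning: a delete only adds a delete marker; can later be suspended, never disabled
      VersioningConfiguration:
        Status: Enabled
      # Lifecycle: Standard-IA after 30 days, Glacier 30 days after that; old versions expire after a year
      LifecycleConfiguration:
        Rules:
          - Id: tier-down-and-expire
            Status: Enabled
            Transitions:
              - StorageClass: STANDARD_IA
                TransitionInDays: 30
              - StorageClass: GLACIER
                TransitionInDays: 60
            NoncurrentVersionExpiration:
              NoncurrentDays: 365
      # Server-side encryption with the AWS managed key aws/s3 (the KMS opt-in)
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms
      # Log every request into the other bucket
      LoggingConfiguration:
        DestinationBucketName: !Ref LogBucket
        LogFilePrefix: data-bucket/

  # Bucket policy: refuse any request that does not use HTTPS
  DataBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref DataBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Deny
            Principal: "*"
            Action: s3:*
            Resource:
              - !GetAtt DataBucket.Arn
              - !Sub "${DataBucket.Arn}/*"
            Condition:
              Bool:
                aws:SecureTransport: "false"
```

MFA Delete cannot be set from CloudFormation; it is enabled separately by the root user with the MFA device present.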

AWS Storage Gateway

is a bridge between on-premises data and cloud data in S3

Snowmobile

is used to move exabytes of data in or out of AWS (1 EB=1,000 PBs=1,000,000 TBs)

Amazon S3 Standard-Infrequent Access allows you to store infrequently accessed data with rapid access when needed; it has high durability and is stored in several Availability Zones to avoid data loss in case of a disaster. It can be used to store data for disaster recovery, backups, etc.


Section 9: Database

Memorize the PPT summary


7/19

Section 10: ECS, Lambda, Batch, Lightsail

Exam! To run Docker containers on AWS, think ECS

  • ECS - Elastic Container Service - runs on EC2

  • Fargate - serverless

  • ECR - stores images

Docker is a software development platform that allows you to run applications the same way, regardless of where they are run. It can scale containers up and down within seconds.


7/21

AWS CloudFormation gives you a common language to model and provision AWS and third-party application resources in your cloud environment. AWS CloudFormation lets you model and provision all the resources your application needs, across all Regions and accounts, in an automated and secure way, using a programming language or a simple text file.

AWS CodeDeploy is a fully managed deployment service that automates software deployments to a variety of compute services such as Amazon EC2, AWS Fargate, AWS Lambda and on-premises servers. With AWS CodeDeploy you can release new features more easily and rapidly, avoid downtime during application deployment, and simplify application updates. You can use AWS CodeDeploy to automate software deployments and eliminate error-prone manual operations. The service scales with your deployment needs.

AWS Systems Manager is an AWS service for viewing and controlling your infrastructure on AWS. Using the Systems Manager console you can view operational data from multiple AWS services and automate operational tasks across your AWS resources. Systems Manager scans managed instances and reports any policy violations it detects (or takes corrective action) to help you maintain security and compliance.

IaaS & PaaS & SaaS, the three brothers

Jotting down notes while studying for the certification. IaaS & PaaS & SaaS are terms from 800 years ago, but they still seem to come up all the time?! Starting from fully self-hosted On-Premises and extending to the three cloud layers IaaS & PaaS & SaaS, let's start with an everyday example.

❤ I want to eat strawberry cake ❤

There are 4 ways to fulfill this wish:

1. Make the strawberry cake at home (On-Premises)

Buy the eggs, flour and strawberries, prepare the oven, and get the whisk, rolling pin and piping bag all by yourself.

2. Go to a DIY baking studio (IaaS, Infrastructure as a Service)

The shop provides the recipe, the ingredients, a high-end oven, flour, eggs and fresh strawberries; you only have to make the strawberry cake you like with the equipment and ingredients available.

3. Order delivery with Uber Eats (PaaS, Platform as a Service)

Pay a small service fee and fulfill the strawberry cake wish through a third party's service.

4. Go straight to Lady M for strawberry cake (SaaS, Software as a Service)

Bring the money and enjoy the cake the shop made.


The picture below explains it quite clearly: from everything you have to operate yourself on-premises to fully managed.


https://docs.microsoft.com/EN-US/learn/modules/principles-cloud-computing/5-types-of-cloud-services

  • IaaS (Infrastructure as a Service): the user manages and configures most of the infrastructure; everything from the operating system to the VM compute specification has to be controlled, and resources are obtained once the required conditions are set.
    - Examples: VMs and Storage are IaaS
  • PaaS (Platform as a Service): the user manages less of the operation than with IaaS; there is no server or VM to manage, so most of the effort can go into optimizing and improving the code and data side. A runtime or development environment is provided for the user to build on.
    - Examples: Azure SQL Database, App Service and Azure Container Instances are PaaS
  • SaaS (Software as a Service): the user simply enjoys a service the provider has already built, handled entirely by the cloud provider; services that are monthly, subscription based or require registration usually count as SaaS.
    - Examples: O365 and Gmail are SaaS

Section 11:

CloudFormation: (AWS only) - IaaS

• Infrastructure as Code, works with almost all of AWS resources

• Repeat across Regions & Accounts

Beanstalk: (AWS only) - PaaS

• Platform as a Service (PaaS), limited to certain programming languages or Docker

• Deploy code consistently with a known architecture: ex, ALB + EC2 + RDS

CodeDeploy (hybrid):

• deploy & upgrade any application onto servers

Systems Manager (hybrid):

• patch, configure and run commands at scale

OpsWorks (hybrid):

• managed Chef and Puppet in AWS


7/24

Lecture 12: Leveraging the AWS Global Infrastructure

  • Regions vs. edge location ???

    • Regions: For deploying applications and infrastructure

    • Availability Zones: Made of multiple data centers

    • Edge Locations (Points of Presence): for content delivery as close as possible to users

    Edge locations are nodes that Amazon has built around the world to cache the content published by the origin server. When an end user makes a request, the data is served from the nearest node.

  • Route 53 -> 4 routing policies

  • AWS CloudFront -> CDN (Content Delivery Network)

    Amazon CloudFront is like a CDN: it provides global content delivery through many edge locations worldwide, so your customers get data with minimal latency.

    It works like this: you configure an origin; when a request comes in, CloudFront fetches the data from the corresponding origin according to the configuration and caches it at edge locations around the world. The next time, the customer simply gets the data from the nearest edge location. The origin can be an Amazon S3 bucket or your own web servers. What you give your customers is a cloudfront.net domain name. CloudFront makes sure every request is served by the nearest edge location. Propagating a change to all edge locations worldwide takes about 15 minutes.

  • Amazon S3 Transfer Acceleration

    enables fast, easy, and secure transfers of files over long distances between your client and an S3 bucket. Transfer Acceleration takes advantage of Amazon CloudFront’s globally distributed edge locations. As the data arrives at an edge location, data is routed to Amazon S3 over an optimized network path.

S3 Cross Region Replication vs CloudFront

S3 cross-region replicas are read only

Edge locations are not just READ only, you can write to them too (i.e. put an object on them).

AWS Global Accelerator vs CloudFront

Questions I got wrong:

Which Route 53 Routing Policies would you use to route traffic to multiple resources in proportions that you specify?

A. Simple Routing Policy

B. Weighted Routing Policy

C. Latency Routing Policy

D. Failover Routing Policy


Section 13: Cloud Integrations

Amazon SQS - standard queue

–Queue Service in AWS

Amazon SQS automatically deletes messages that have been in a queue for longer than the maximum message retention period. The default message retention period is 4 days.

–Used to decouple applications

SQS is AWS's message queue service: it holds messages temporarily until a consumer processes them.

Amazon SNS - Simple Notification

–Notification Service in AWS

–No message retention

–Notifications, subscribers, publishers; endpoints: HTTP/HTTPS, email, SQS, Lambda, mobile

SNS vs SQS:

  • Similarity: both are messaging services
  • Difference: SNS is Push, SQS is Pull (Poll)
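The push/pull split above as a CloudFormation template: SNS pushes each notification into an SQS queue, and a consumer polls the queue at its own pace. This is an added example, not from the original notes; the topic and queue names are made up.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example (not from the original notes): SNS (push) delivering into
  SQS (pull), with the queue locked down to that one topic.

Resources:
  OrderEvents:
    Type: AWS::SNS::Topic             # push side: no retention of its own

  OrderQueue:
    Type: AWS::SQS::Queue             # pull side: messages wait here
    Properties:
      MessageRetentionPeriod: 345600  # 4 days (the SQS default), in seconds
      VisibilityTimeout: 60           # hide a message while one consumer works on it

  # Only this topic may write into the queue: the resource policy is scoped
  # by aws:SourceArn, so any other topic or principal is refused
  OrderQueuePolicy:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues:
        - !Ref OrderQueue             # Ref of a queue is its URL
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: sns.amazonaws.com
            Action: sqs:SendMessage
            Resource: !GetAtt OrderQueue.Arn
            Condition:
              ArnEquals:
                aws:SourceArn: !Ref OrderEvents   # Ref of a topic is its ARN

  # The subscription is what makes SNS "push": SNS delivers to the queue,
  # and a consumer later calls ReceiveMessage on the queue to pull
  OrderSubscription:
    Type: AWS::SNS::Subscription
    Properties:
      TopicArn: !Ref OrderEvents
      Protocol: sqs
      Endpoint: !GetAtt OrderQueue.Arn
      RawMessageDelivery: true        # queue gets the message body, not an SNS envelope
```

Without the queue policy, SNS cannot deliver at all; with a policy lacking the SourceArn condition, any topic in any account could write into the queue.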

Questions I got wrong:

1. Which service is a fully managed pub/sub messaging service that makes it easy to set up, operate, and send notifications from the cloud, using a push-based system?

A SNS

B SQS

C ASG

Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. It is not a pub/sub messaging service, and it uses a pull-based system.

Amazon Simple Notification Service (SNS) is a highly available, durable, secure, fully managed pub/sub messaging service that enables you to decouple microservices, distributed systems, and serverless applications. It uses a push-based system

2. Which service allows you to send, store, and receive messages between software components at any volume, without losing messages or requiring other services to be available, using a pull-based system?

A SNS

B SQS

C ASG


Section 14: Cloud Monitoring Section

CloudWatch Metrics & Alarms

Amazon CloudWatch monitors your Amazon Web Services (AWS) resources and the applications you run on AWS in real time. You can use CloudWatch to collect and track metrics, which are variables you can measure for your resources and applications.

CloudWatch Logs

Amazon CloudWatch Logs lets you monitor and troubleshoot your systems and applications using your existing system, application and custom log files. With CloudWatch Logs you can monitor your logs, in near real time, for specific phrases, values or patterns. For example, you can set an alarm on the number of errors in your system logs, or view graphs of web request latency from your application logs. You can then look at the raw log data to find the root cause. For instance, the error reports or return values of the code I run on Lambda.

CloudWatch Events == EventBridge

Amazon CloudWatch Events delivers a near-real-time stream of system events that describe changes in Amazon Web Services (AWS) resources

CloudTrail

AWS CloudTrail is an AWS service that helps with governance, compliance, operational auditing and risk auditing of your AWS account. Actions taken by a user, role or AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, the AWS Command Line Interface, and the AWS SDKs and APIs.

AWS X-Ray

helps developers analyze and debug production as well as distributed applications

Questions I got wrong:

How would you describe Amazon CloudWatch Logs?

A A single, highly scalable service that centralizes the logs from all of your systems, applications, and AWS services that you use

B A service that provides a real-time stream of system events that describe changes in AWS resources

C A service that enables governance, compliance, operational auditing, and risk auditing of your AWS account

D A service that lets you run code without provisioning or managing servers

Explanation

A You can use Amazon CloudWatch Logs to monitor, store, and access your log files from Amazon Elastic Compute Cloud (Amazon EC2) instances, AWS CloudTrail, Route 53, and other sources.

B CloudWatch Events

C CloudTrail


Section 15: VPC (1~2 questions)

1. VPC, subnets, Internet Gateways & NAT Gateways

VPC - Virtual Private Cloud: private network to deploy your resources (regional resource)

Subnets allow you to partition your network inside your VPC (Availability Zone resource)

  • A public subnet is a subnet that is accessible from the internet

  • A private subnet is a subnet that is not accessible from the internet

  • To define access to the internet and between subnets, we use Route Tables.

Internet Gateways: at the VPC level, provide Internet access

NAT Gateways (AWS-managed) & NAT Instances (self-managed): give internet access to private subnets

Question: Your private subnets need to connect to the Internet while still remaining private. Which AWS-managed VPC component allows you to do this? Answer: NAT Gateways

2. Network ACL (access control list) vs Security Groups

Network ACL:
  1. operates at the subnet level
  2. supports allow rules and deny rules
  3. is stateless: return traffic must be explicitly allowed by rules

Security Groups:
  1. operates at the instance level
  2. supports allow rules only
  3. is stateful: return traffic is automatically allowed, regardless of any rules
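The stateful/stateless difference listed above, shown as CloudFormation resources: a security group that needs only an inbound SSH rule, next to a network ACL that needs the inbound rule plus an outbound ephemeral-port rule and can also carry a deny. This is an added example, not from the original notes; the VPC id, office CIDR and denied host are placeholders.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example (not from the original notes): the same "SSH only from the
  office" rule written as a security group and as a network ACL, to show
  the stateful/stateless difference. VPC id and office range are placeholders.

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  OfficeCidr:
    Type: String
    Default: 203.0.113.0/24   # placeholder (RFC 5737 documentation range)

Resources:
  # Security group: instance level, allow rules only, STATEFUL.
  # One inbound rule is enough; the SSH reply packets are allowed automatically.
  SshSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: SSH from the office only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref OfficeCidr

  # Network ACL: subnet level, allow AND deny rules, STATELESS.
  # Inbound port 22 alone would break SSH: replies go back to the client's
  # ephemeral port, so an explicit outbound rule is required as well.
  AppNacl:
    Type: AWS::EC2::NetworkAcl
    Properties:
      VpcId: !Ref VpcId

  NaclInboundSsh:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref AppNacl
      RuleNumber: 100
      Protocol: 6               # TCP
      RuleAction: allow
      Egress: false
      CidrBlock: !Ref OfficeCidr
      PortRange:
        From: 22
        To: 22

  # Deny rules exist only in NACLs. Rules are evaluated from the lowest
  # number, so this one blocks a single host before the allow above matches.
  NaclInboundDenyHost:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref AppNacl
      RuleNumber: 50
      Protocol: -1              # all traffic
      RuleAction: deny
      Egress: false
      CidrBlock: 203.0.113.77/32   # placeholder host inside the office range

  NaclOutboundEphemeral:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref AppNacl
      RuleNumber: 100
      Protocol: 6
      RuleAction: allow
      Egress: true
      CidrBlock: !Ref OfficeCidr
      PortRange:
        From: 1024
        To: 65535
```

The ACL only takes effect once it is associated with a subnet (AWS::EC2::SubnetNetworkAclAssociation), which is left out here.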

3. VPC Flow Logs, VPC Peering, VPC Endpoints

• VPC Peering: connect two VPCs with non-overlapping IP ranges; non-transitive

• VPC Endpoints: provide private access to AWS services from within a VPC

VPC Endpoint Gateway: S3 & DynamoDB

VPC Endpoint Interface: the rest

• VPC Flow Logs: network traffic logs

4. Site to Site VPN vs Direct Connect

Site to Site VPN - public network - needs both of these: on-premises Customer Gateway (CGW) and AWS Virtual Private Gateway (VGW)

Direct Connect - private network - about one month to set up - private, secure and fast

5. Transit Gateway - a way to connect hundreds/thousands of VPCs together

Questions I got wrong:

You need a logically isolated section of AWS, where you can launch AWS resources in a private network that you define. What should you use?

A Subnets

B AZ

C A VPC

D NAT Instances

A A subnet is a range of IP addresses in your VPC. It allows you to partition your network inside your VPC.

D NAT Instances allow your instances in your private subnets to access the Internet while remaining private, and are managed by you. They are not used to launch AWS resources.

C A virtual private cloud (VPC) is a virtual network dedicated to your AWS account. It is logically isolated from other virtual networks in the AWS Cloud. You can launch your AWS resources, such as Amazon EC2 instances, into your VPC.


Section 16: Security & Compliance

Responsibility:

1 AWS - Security of the Cloud

2 Customer - Security in the Cloud

3 Shared Controls

DDoS Protection

  1. AWS Shield Standard: free, layer 3
  2. AWS Shield Advanced: paid, 24/7 access
  3. AWS WAF (Web Application Firewall): layer 7, HTTP/S
  4. CloudFront and Route 53
  5. Be ready to auto-scale EC2 instances

Penetration Testing on AWS

1 Some security tests we may run against our own resources without permission

2 But things like DDoS, port flooding, protocol flooding and DNS zone walking via Amazon Route 53 hosted zones are not allowed

AWS KMS (Key Management Service)

Encryption for an AWS service: think KMS

KMS = AWS manages the encryption keys for us

Encryption opt-in (optional):

• EBS volumes: encrypt volumes

• S3 buckets: Server-side encryption of objects

• Redshift database: encryption of data

• RDS database: encryption of data

• EFS drives: encryption of data

Encryption Automatically enabled:

• CloudTrail Logs

• S3 Glacier

• Storage Gateway

1 AWS managed keys

  aws/s3, aws/ebs, aws/redshift

2 Customer managed keys - cost money

  Create, manage and use; can enable or disable

  Possibility of a rotation policy (new key generated every year, old key preserved)

  Possibility to bring your own key

3 Custom key stores - hardware - CloudHSM

  KMS => AWS manages the software for encryption

  CloudHSM => AWS provisions encryption hardware

  Dedicated Hardware (HSM = Hardware Security Module)

• You manage your own encryption keys entirely (not AWS)

AWS Secrets Manager - paid

EXAM: secrets to be managed for RDS (MySQL, PostgreSQL, ...) and rotated!! Choose AWS Secrets Manager

Artifact:

Get access to compliance reports such as PCI, ISO, etc…

GuardDuty:

Find malicious behavior with VPC, DNS & CloudTrail Logs

Inspector: - EC2

For EC2 only, install agent and find vulnerabilities

Config:

Track config changes and compliance against rules

Macie:

Find sensitive data (ex: PII–personally identifiable information –data) in Amazon S3 buckets

CloudTrail :

Track API calls made by users within account


7/27

Section 18: Machine Learning

• Rekognition: face detection, labeling, celebrity recognition

• Transcribe: audio to text (ex: subtitles)

• Polly: text to audio

• Translate: translations

• Lex: build conversational bots – chatbots

• Connect: cloud contact center

• Comprehend: natural language processing

• SageMaker : machine learning for every developer and data scientist


Section 19: Account Management, Billing

AWS Organizations - global service

-Manage multiple AWS accounts; the main account = master account

-Cost benefits:

  • Consolidated billing across all accounts - single payment method

  • Pricing benefits from aggregated usage (volume discount for EC2, S3, ...)

  • Pooling of Reserved EC2 instances for optimal savings

-API is available to automate AWS account creation

-Restrict account privileges using Service Control Policies (SCP)!!!!!!

Service control policies

Pricing Models in AWS
