Skip to main content

AWS

Concepts

Disaster Recovery Strategies

  • The selection criteria for disaster recovery strategies involves balancing lower RTO/RPO benefits against implementation and operational costs.
    • Backup and Restore Strategy:
      • Cheapest disaster recovery option on AWS
      • Good balance of benefits and cost
      • Suitable when data loss of few hours is tolerable
      • Mitigates regional disasters by replicating data to other AWS Regions
      • Requires redeploying infrastructure, configuration, and application code in recovery Region
    • Pilot Light Strategy:
      • Replicate data between Regions with core workload infrastructure provisioned
      • Data replication resources (databases, object storage) always on
      • Application servers loaded but switched off until DR failover
      • Core infrastructure always available for quick production environment provisioning
      • Higher cost than backup and restore
    • Warm Standby Strategy:
      • Scaled-down but fully functional production copy in another Region
      • Extends pilot light concept with always-on workload in another Region
      • Enables easier testing and continuous testing for DR confidence
      • Costly strategy used only for business-critical applications
    • Multi-site Active/Active Strategy:
      • Workload runs simultaneously in multiple AWS Regions
      • Serves traffic from all deployed regions
      • Users can access workload from any deployed Region
      • Most complex and costliest disaster recovery approach
  • CloudEndure Disaster Recovery (AWS Marketplace):
    • Continuous block-level replication of server-hosted applications and databases from any source into AWS
    • Sub-second RPOs with continuous asynchronous replication to low-cost staging area
    • Automated machine conversion with RTO of minutes, supports thousands of machines in parallel
    • Point-in-time recovery for ransomware/corruption scenarios, non-disruptive DR drills
    • Supports all applications/databases on Windows/Linux, replicates entire machines including OS, state, applications
    • Use cases: On-premises to AWS DR, EC2 workload DR (not RDS)
Readings

Local Zones

  • Local Zones are an AWS infrastructure deployment type that places compute, storage, database, and select services close to large population, industry, and IT centers.
  • The low latency capability enables single-digit millisecond latency for applications positioned closer to end-users in specific geographic areas.
  • Common use cases include media & entertainment content creation, real-time gaming, live video streaming, and machine learning inference.
  • Key benefits include ultra-low latency, geographically distributed infrastructure, and improved user experience for latency-sensitive applications.

Elastic IP Address

  • The no-charge conditions for free Elastic IP usage require all of the following to be true: the Elastic IP address is associated with an EC2 instance, the associated instance is running, the instance has only one Elastic IP address attached, and the Elastic IP address is associated with an attached network interface like a Network Load Balancer or NAT gateway.

Reserved Instances and Capacity

  • Reserved Instances and Capacity represent a cost optimization strategy across multiple AWS services through capacity reservation and upfront commitment.
  • The payment terms offer No Upfront, Partial Upfront, or All Upfront options for flexible financial planning.
  • The duration options typically include 1-year or 3-year commitment terms for different planning horizons.
  • Services supporting reservations include Amazon EC2 Reserved Instances for discounted instance usage compared to On-Demand, Amazon DynamoDB Reserved Capacity for significant savings on predictable throughput needs, Amazon ElastiCache Reserved Nodes with low one-time payments and hourly discounts, Amazon RDS Reserved Instances available for all major database engines, and Amazon Redshift Reserved Nodes for continuous cluster operations.
  • Key benefits include substantial cost savings, predictable pricing, capacity guarantees, and improved budget planning.
  • Primary use cases encompass predictable workloads, long-term projects, steady-state applications, and comprehensive cost optimization strategies.

Security Groups

  • A security group can be assigned to resources created in the same VPC as the security group or to resources in other VPCs if using the Security Group VPC Association feature to associate the security group to other VPCs in the same Region.
  • Multiple security groups can also be assigned to a single resource.
  • When creating a security group, a name and a description must be provided.
  • Naming rules:
    • Name must be unique within the VPC
    • Names are not case-sensitive
    • Names and descriptions can be up to 255 characters in length
    • Names and descriptions are limited to specific characters: a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;!$*
    • When the name contains trailing spaces, the space is trimmed at the end of the name
    • Can't start with sg-
  • Security groups are stateful - if a request is sent from an instance, the response traffic for that request is allowed to reach the instance regardless of the inbound security group rules.
  • Security groups do not filter traffic destined to and from:
    • Amazon Domain Name Services (DNS)
    • Amazon Dynamic Host Configuration Protocol (DHCP)
    • Amazon EC2 instance metadata
    • Amazon ECS task metadata endpoints
    • License activation for Windows instances
    • Amazon Time Sync Service
    • Reserved IP addresses used by the default VPC router
  • Best practices:
    • Authorize only specific IAM principals to create and modify security groups
    • Create the minimum number of security groups needed, to decrease the risk of error
    • When adding inbound rules for ports 22 (SSH) or 3389 (RDP), authorize only specific IP address ranges
    • Do not open large port ranges - ensure that access through each port is restricted to the sources or destinations that require it
    • Consider creating network ACLs with rules similar to security groups, to add an additional layer of security to the VPC
  • A highly available, scalable technology that can be used to privately connect VPC to services and resources as if they were in the VPC.
  • Does not need to use an internet gateway, NAT device, public IP address, AWS Direct Connect connection, or AWS Site-to-Site VPN connection to allow communication with the service or resource from private subnets.
  • Controls the specific API endpoints, sites, services, and resources that are reachable from the VPC.
  • VPC endpoints can be created, accessed, and managed using:
    • AWS Management Console - Provides a web interface to access AWS PrivateLink resources
    • AWS Command Line Interface (AWS CLI) - Provides commands for a broad set of AWS services, including AWS PrivateLink
    • AWS CloudFormation - Create templates that describe AWS resources to provision and manage them as a single unit
    • AWS SDKs - Provide language-specific APIs that handle connection details, signatures, request retries, and errors
    • Query API - Provides low-level API actions called using HTTPS requests for direct access to Amazon VPC

Server-side Encryption

  • Encryption of data at its destination by the application or service that receives it.
  • Amazon S3 encrypts data at the object level as it writes it to disks in AWS data centers and decrypts it when accessed.
  • As long as the request is authenticated and access permissions exist, there is no difference in the way encrypted or unencrypted objects are accessed.
  • All Amazon S3 buckets have encryption configured by default, and all new objects uploaded to an S3 bucket are automatically encrypted at rest.
  • When storing data in Amazon S3, there are four mutually exclusive options for server-side encryption:
    • Server-side encryption with Amazon S3 managed keys (SSE-S3):
      • Default option for server-side encryption
      • Each object is encrypted with a unique key
      • SSE-S3 encrypts the key itself with a root key that it regularly rotates
      • Uses 256-bit Advanced Encryption Standard (AES-256) to encrypt data
    • Server-side encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS):
      • Provided through integration of AWS KMS service with Amazon S3
      • Provides more control over keys - can view separate keys, edit control policies, and follow keys in AWS CloudTrail
      • Can create and manage customer managed keys or use AWS managed keys unique to the user, service, and Region
    • Dual-layer server-side encryption with AWS KMS keys (DSSE-KMS):
      • Similar to SSE-KMS but applies two individual layers of object-level encryption instead of one
      • Both layers of encryption are applied on the server side
      • Can use a wide range of AWS services and tools to analyze data in S3 while satisfying compliance requirements
    • Server-side encryption with customer-provided keys (SSE-C):
      • Customer manages the encryption keys
      • Amazon S3 manages the encryption as it writes to disks and the decryption when accessing objects
  • When changing the default encryption configuration of a bucket to SSE-KMS, the encryption type of existing Amazon S3 objects is not changed.
  • To change the encryption type of pre-existing objects after updating default encryption configuration to SSE-KMS, Amazon S3 Batch Operations can be used to copy existing objects back to the same bucket as SSE-KMS encrypted objects.
  • When using access points for Amazon FSx file systems using S3 access points, there is one option for server-side encryption:
    • Server-side encryption with Amazon FSx (SSE-FSX):
      • All Amazon FSx file systems have encryption configured by default
      • Encrypted at rest with keys managed using AWS Key Management Service
      • Data is automatically encrypted and decrypted by the file system as data is being written to and read from the file system
      • These processes are handled transparently by Amazon FSx

Network Access Control Lists (NACLs)

  • Allow or deny specific inbound or outbound traffic at the subnet level.
  • Can use the default network ACL for the VPC, or create a custom network ACL with rules similar to security groups to add an additional layer of security.
  • No additional charge for using network ACLs.
  • Network ACL associations:
    • Each subnet must be associated with a network ACL
    • If not explicitly associated, the subnet is automatically associated with the default network ACL
    • Can create a custom network ACL and associate it with a subnet to allow or deny specific traffic at the subnet level
    • Can associate a network ACL with multiple subnets, but a subnet can be associated with only one network ACL at a time
    • When associating a network ACL with a subnet, the previous association is removed
  • Network ACL rules:
    • Has inbound rules and outbound rules
    • Each rule can either allow or deny traffic
    • Each rule has a number from 1 to 32766
    • Rules are evaluated in order, starting with the lowest numbered rule
    • If traffic matches a rule, the rule is applied and no additional rules are evaluated
    • Network ACL rules are evaluated when traffic enters and leaves the subnet, not as it is routed within a subnet
  • NACLs are stateless - information about previously sent or received traffic is not saved. If a NACL rule allows specific inbound traffic to a subnet, responses to that traffic are not automatically allowed.
  • Limitations:
    • Can't block DNS requests to or from the Route 53 Resolver (VPC+2 IP address or AmazonProvidedDNS)
    • Can't block traffic to the Instance Metadata Service (IMDS)
    • Do not filter traffic destined to and from:
      • Amazon Domain Name Services (DNS)
      • Amazon Dynamic Host Configuration Protocol (DHCP)
      • Amazon EC2 instance metadata
      • Amazon ECS task metadata endpoints
      • License activation for Windows instances
      • Amazon Time Sync Service
      • Reserved IP addresses used by the default VPC router

AWS Well-Architected Framework

  • Provides guidance on building secure, high-performing, resilient, and efficient infrastructure for cloud-based applications.
  • Based on six pillars that provide a consistent approach for customers and partners to evaluate architectures and implement designs that will scale over time:
    • Operational excellence
    • Security
    • Reliability
    • Performance efficiency
    • Cost optimization
    • Sustainability

Services

AWS Artifact

  • Provides on-demand downloads of AWS security and compliance documents.
  • Available documents include:
    • Compliance reports with International Organization for Standardization (ISO) standards
    • Payment Card Industry (PCI) Security Standards reports
    • System and Organization Controls (SOC) reports
    • Certifications from accreditation bodies that validate the implementation and operating effectiveness of AWS security controls
  • Provides downloads of security and compliance documents for independent software vendors (ISVs) who sell their products on AWS Marketplace.
  • Enables users to review, accept, and track the status of agreements with AWS for individual AWS accounts and for multiple AWS accounts in an organization.
  • Documents can be submitted to auditors or regulators as audit artifacts to demonstrate the security and compliance of AWS infrastructure and services.
  • Can be used as guidelines to evaluate cloud architecture and assess the effectiveness of company internal controls.
  • AWS customers are responsible for developing or obtaining documents that demonstrate the security and compliance of their companies.
  • AWS provides AWS Artifact documents and agreements free of charge.

AWS Budgets

  • Used to track and take action on AWS costs and usage.
  • Can monitor aggregate utilization and coverage metrics for Reserved Instances (RIs) or Savings Plans.
  • Enables simple-to-complex cost and usage tracking with various budget configurations.
  • Budget information is updated up to three times a day, typically 8–12 hours after the previous update.
  • Can track blended, unblended, net unblended, amortized, and net amortized costs.
  • Can include or exclude charges such as discounts, refunds, support fees, and taxes.
  • Types of budgets:
    • Cost budgets - Set spending limits for services and receive alerts when costs approach or exceed defined threshold
    • Usage budgets - Establish usage limits for one or more services and get notified when usage approaches or exceeds set threshold
    • RI utilization budgets - Define a utilization threshold for RIs and receive alerts when usage falls below this level
    • RI coverage budgets - Set a coverage threshold and get alerted when the percentage of instance hours covered by RIs falls below this level
    • Savings Plans utilization budgets - Establish a utilization threshold for Savings Plans and receive notifications when usage drops below this level
    • Savings Plans coverage budgets - Define a coverage threshold and get alerted when the percentage of eligible usage covered by Savings Plans falls below this level
  • Optional notifications can warn when you exceed or are forecasted to exceed budgeted amounts, or fall below target utilization and coverage.
  • Notifications can be sent to Amazon SNS topic, email address, or both.
  • In organizations with consolidated billing, management account owners can use IAM policies to control access to budgets by member accounts.
  • A budget is only visible to users with access to the account that created the budget and with access to the budget itself.

AWS CloudHSM

  • Combines the benefits of the AWS cloud with the security of hardware security modules (HSMs).
  • A hardware security module (HSM) is a computing device that processes cryptographic operations and provides secure storage for cryptographic keys.
  • Provides complete control over high availability HSMs that are in the AWS Cloud.
  • Offers low-latency access and a secure root of trust that automates HSM management including:
    • Backups
    • Provisioning
    • Configuration
    • Maintenance

AWS CloudTrail

  • A service that enables governance, compliance, operational auditing, and risk auditing of your AWS account.
  • Can be used to record AWS API calls and other activity for your AWS account and save the recorded information to log files in an Amazon Simple Storage Service (Amazon S3) bucket that you choose.
  • By default, the log files delivered by CloudTrail to your S3 bucket are encrypted using server-side encryption with Amazon S3 managed keys (SSE-S3).

AWS Compute Optimizer

  • Helps identify the optimal AWS resource configurations using machine learning to analyze historical utilization metrics.
  • Delivers recommendations for:
    • Amazon EC2 instance types
    • Amazon EBS volume configurations
    • AWS Lambda function memory sizes
  • Calculates an individual performance risk score for each resource dimension of the recommended instance, including:
    • CPU
    • Memory
    • EBS throughput
    • EBS IOPS
    • Disk throughput
    • Network throughput
    • Network packets per second (PPS)
  • Provides EC2 instance type and size recommendations for EC2 Auto Scaling groups with a fixed group size, meaning desired, minimum, and maximum are all set to the same value and have no scaling policy attached.
  • Supports IOPS and throughput recommendations for General Purpose (SSD) (gp3) volumes and IOPS recommendations for Provisioned IOPS (io1 and io2) volumes.
  • Helps optimize two categories of Lambda functions:
    • Lambda functions that may be over-provisioned in memory sizes
    • Compute-intensive Lambda functions that may benefit from additional CPU power

AWS Config

  • Provides a detailed view of the configuration of AWS resources in the AWS account.
  • Shows how resources are related to one another and how they were configured in the past so configurations and relationships changes can be seen over time.
  • Designed to help oversee application resources in the following scenarios:
    • Resource Administration
    • Auditing and Compliance
    • Managing and Troubleshooting Configuration Changes
    • Security Analysis

Amazon CloudWatch

  • Can monitor estimated AWS charges by enabling monitoring of estimated charges for the AWS account.
  • When monitoring is enabled, estimated charges are calculated and sent several times daily to CloudWatch as metric data.
  • Billing metric data is stored in the US East (N. Virginia) Region and represents worldwide charges.
  • This data includes estimated charges for every service in AWS that is used, in addition to the estimated overall total of AWS charges.
  • The alarm triggers when account billing exceeds the threshold specified.
  • It triggers only when the current billing exceeds the threshold and doesn't use projections based on usage so far in the month.
  • If a billing alarm is created at a time when charges have already exceeded the threshold, the alarm goes to the ALARM state immediately.

AWS Cost and Usage Reports (AWS CUR)

  • Contains the most comprehensive set of cost and usage data available.
  • You can use Cost and Usage Reports to publish your AWS billing reports to an Amazon Simple Storage Service (Amazon S3) bucket that you own.
  • You can receive reports that break down your costs by:
    • Hour, day, or month
    • Product or product resource
    • Tags that you define yourself
  • AWS updates the report in your bucket once a day in comma-separated value (CSV) format.
  • You can view the reports using spreadsheet software such as Microsoft Excel or Apache OpenOffice Calc, or access them from an application using the Amazon S3 API.
  • Tracks your AWS usage and provides estimated charges associated with your account.
  • Each report contains line items for each unique combination of AWS products, usage type, and operation that you use in your AWS account.
  • You can customize the reports to aggregate the information either by the hour, day, or month.
  • AWS Cost and Usage Reports can:
    • Deliver report files to your Amazon S3 bucket
    • Update the report up to three times a day
    • Create, retrieve, and delete your reports using the AWS CUR API Reference

AWS Database Migration Service (AWS DMS)

  • Helps migrate databases from on-premises to AWS quickly and securely.
  • The source database remains fully operational during the migration, minimizing downtime to applications that rely on the database.
  • Can migrate data to and from the most widely used commercial and open-source databases.

Amazon DynamoDB

  • A fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale.
  • Offers built-in security, continuous backups, automated multi-region replication, in-memory caching, and data export tools.
  • DynamoDB global tables:
    • Replicate data automatically across your choice of AWS Regions
    • Automatically scale capacity to accommodate your workloads
    • Enables globally distributed applications to access data locally in selected regions for single-digit millisecond read and write performance
    • Offers active-active cross-region support
  • DynamoDB Accelerator (DAX):
    • An in-memory cache that delivers fast read performance for your tables at scale
    • Improves read performance by up to 10 times - taking the time required for reads from milliseconds to microseconds, even at millions of requests per second
    • Does not offer active-active cross-Region configuration

Amazon Elastic Block Store (EBS)

  • An easy to use, high-performance block storage service designed for use with Amazon Elastic Compute Cloud (EC2) instances for both throughput and transaction-intensive workloads at any scale.
  • Encryption (at rest and during transit) is an optional feature for EBS and has to be enabled by the user.

Amazon Elastic File System (Amazon EFS)

  • Provides a simple, scalable, fully managed elastic NFS file system for use with AWS Cloud services and on-premises resources.
  • A regional service storing data within and across multiple Availability Zones (AZs) for high availability and durability.
  • Amazon EC2 instances can access the file system across AZs, regions, and VPCs.
  • On-premises servers can access using AWS Direct Connect or AWS VPN.
  • Supports two forms of encryption for file systems:
    • Encryption of data in transit
    • Encryption at rest
  • This is an optional feature and has to be enabled by user if needed.
  • Amazon EFS - Infrequent Access storage class:
    • Cost-optimized for files accessed less frequently
    • Data stored on this storage class costs less than Standard
    • Pay a fee each time you read from or write to a file

Amazon FSx for Windows File Server

  • Provides fully managed, highly reliable, and scalable file storage that is accessible over the industry-standard Service Message Block (SMB) protocol.
  • Built on Windows Server, delivering a wide range of administrative features such as:
    • User quotas
    • End-user file restore
    • Microsoft Active Directory (AD) integration
  • Provides high levels of throughput, IOPS and consistent sub-millisecond latencies to support a wide spectrum of workloads.
  • Accessible from Windows, Linux, and macOS compute instances and devices.
  • For Windows-based applications, provides fully managed Windows file servers with features and performance optimized for "lift-and-shift" business-critical application workloads including:
    • Home directories (user shares)
    • Media workflows
    • ERP applications
  • Accessible from Windows and Linux instances via the SMB protocol.

Amazon GuardDuty

  • A threat detection service that continuously monitors, analyzes, and processes AWS data sources and logs in your AWS environment.
  • Uses threat intelligence feeds and machine learning to identify suspicious and potentially malicious activities.
  • Automatically ingests foundational data sources including:
    • CloudTrail events
    • VPC flow logs
    • DNS logs
  • Threat detection scenarios:
    • Compromised AWS credentials
    • Data exfiltration risks
    • Unauthorized cryptomining
    • Malware presence
    • Unauthorized behaviors in cloud environments (EC2, EKS, ECS)
  • Protection plans:
    • S3 Protection
    • EKS Protection
    • Runtime Monitoring
    • Malware Protection (EC2 and S3)
    • RDS Protection
    • Lambda Protection
  • Security findings:
    • Generates detailed security findings
    • Provides information about potentially compromised resources
    • Consolidates findings across accounts
  • Integration capabilities:
    • Works with AWS Security Hub
    • Integrates with Amazon Detective
    • Compatible with Amazon EventBridge
  • Supports PCI DSS compliance

AWS Identity and Access Management (IAM)

  • A web service that helps securely control access to AWS resources.
  • Core components:
    • Identities: Root user, additional users (administrators, analysts, developers), principals (IAM users, federated principals, roles, applications)
    • Access management: Authentication (verifying user credentials) and authorization (granting specific resource permissions)
  • Controls who can authenticate and access AWS resources and manages permissions through policies.
  • Provides infrastructure for access control across AWS services.
  • Authentication process: Users sign in with credentials, system matches credentials to trusted principals, validates authorization for specific resource access.
  • Eventually consistent across global data centers and free service integrated with multiple AWS services.
  • Security best practices:
    • Use federation with identity providers for human users
    • Require multi-factor authentication (MFA)
    • Prefer temporary credentials over long-term access keys
    • Protect root user credentials and avoid using root user for daily tasks
    • Apply "least-privilege permissions"
    • Start with AWS managed policies, then move to custom policies
    • Use IAM Access Analyzer to generate fine-grained policies, validate policy security, and preview public/cross-account access
    • Regularly review and remove unused credentials/permissions
    • Use policy conditions to restrict access
    • Implement permissions boundaries
    • Use IAM roles for temporary credentials
    • Continuously refine permissions based on actual usage

Amazon Kendra

  • An intelligent search service powered by machine learning that reimagines enterprise search for websites and applications.
  • Enables employees and customers to easily find content even when it's scattered across multiple locations and content repositories within the organization.
  • Allows users to stop searching through troves of unstructured data and discover the right answers to questions when needed.
  • A fully managed service with no servers to provision, and no machine learning models to build, train, or deploy.
  • Supports unstructured and semi-structured data in formats including:
    • .html
    • MS Office (.doc, .ppt)
    • PDF
    • Text formats
  • Unlike conventional search technology, natural language search capabilities return answers quickly and accurately, no matter where the information lives within the organization.
  • Deep learning models come pre-trained across 14 industry domains, allowing it to extract more accurate answers across a wide range of business use cases from the get-go.
  • Search results can be fine-tuned by manually adjusting the importance of data sources, authors, freshness, or using custom tags.

Instance Store

  • Provides temporary block-level storage for your EC2 instance.
  • This storage is provided by disks that are physically attached to the host computer.
  • Ideal for temporary storage of information that changes frequently, such as:
    • Buffers
    • Caches
    • Scratch data
    • Other temporary content
  • Can also be used to store temporary data that you replicate across a fleet of instances, such as a load-balanced pool of web servers.
  • Consists of one or more instance store volumes exposed as block devices.
  • The size and number of devices available varies by instance type and instance size.
  • The virtual devices for instance store volumes are given virtual device names in order from ephemeral0 to ephemeral23.

Amazon Macie

  • A fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS.
  • Helps identify and alert you to sensitive data, such as personally identifiable information (PII).

Amazon Relational Database Service (Amazon RDS)

  • Can encrypt your Amazon RDS DB instances.
  • Data that is encrypted at rest includes:
    • The underlying storage for DB instances
    • Its automated backups
    • Read replicas
    • Snapshots
  • Encryption for RDS is an additional feature and the user needs to enable it.

AWS Organizations

  • A service to centrally manage and govern environments as AWS resources grow and scale across multiple AWS accounts.
  • Enables creation and management of multiple AWS accounts and groups them into organizational units (OUs) for better organization and management.
  • Features:
    • Account management - programmatically create new accounts and centrally provision resources and permissions
    • Organizational units (OUs) - group accounts by application, service, or organizational structure
    • Consolidated billing - centralize billing and cost management across all member accounts
    • Cross-account resource sharing - share resources between accounts using AWS RAM
    • IAM Identity Center integration - unified access management across all accounts
    • Centralized security tools - provide security team with organization-wide visibility and control
    • Audit and compliance - audit environment with AWS CloudTrail and enforce backup and configuration policies
  • Primary benefits include simplified multi-account environment management, enhanced security and governance, centralized cost and resource control, and scalable cloud infrastructure management.
  • Particularly useful for automating account creation, defining audit and compliance policies, providing security team tools, and centralizing IT service management.
  • Service control policies (SCPs) - control access to AWS resources, services, and regions at the organizational level:
    • A type of organization policy that manages maximum available permissions for IAM users and IAM roles in the organization
    • Do not grant permissions but define a permission guardrail or set limits on actions that IAM users and roles can perform
    • Available only in organizations that have all features enabled, not available with consolidated billing features only
    • Use almost the same syntax as AWS IAM permission policies but never grant permissions
    • Effective permissions are the logical intersection between what is allowed by the SCP and what is allowed by identity-based and resource-based policies
    • Affect only IAM users and roles managed by accounts that are part of the organization
    • Do not affect resource-based policies directly or users/roles from accounts outside the organization
    • Restrict permissions for IAM users and roles in member accounts, including the member account's root user
    • Do not affect users or roles in the management account
    • Do not affect service-linked roles that enable other AWS services to integrate with AWS Organizations
    • If a permission is blocked at any level, a user or role in the affected account can't use that permission even with AdministratorAccess policy
    • When SCP policy type is disabled, all SCPs are automatically detached and lost

AWS Shield

  • A managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS.
  • Provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection.
  • Offers general protection against DDoS attacks for all resources in the AWS network, not an instance-level security assessment service.
  • AWS Shield Standard is activated for all AWS customers by default.
  • AWS Shield Advanced provides higher levels of protection with:
    • Exclusive access to advanced, real-time metrics and reports for extensive visibility into attacks
    • DRT (DDoS response team) assistance for intelligent DDoS attack detection and mitigation
    • Multi-layer protection for network layer (layer 3), transport layer (layer 4), and application layer (layer 7) attacks
    • Expanded DDoS attack protection for web applications running on:
      • Amazon Elastic Compute Cloud
      • Elastic Load Balancing (ELB)
      • Amazon CloudFront
      • Amazon Route 53
      • AWS Global Accelerator

Amazon S3 One Zone-Infrequent Access (S3 One Zone-IA)

  • For data that is accessed less frequently but requires rapid access when needed.
  • Unlike other Amazon S3 Storage Classes which store data in a minimum of three Availability Zones (AZ), S3 One Zone-IA stores data in a single Availability Zone (AZ).

Amazon S3 Storage Classes and Lifecycle Management

  • Offers a range of storage classes designed for different use cases:
    • S3 Standard - general-purpose storage of frequently accessed data
    • S3 Intelligent-Tiering - data with unknown or changing access patterns
    • S3 Standard-Infrequent Access (S3 Standard-IA) - long-lived, but less frequently accessed data
    • S3 One Zone-Infrequent Access (S3 One Zone-IA) - long-lived, but less frequently accessed data
    • Amazon S3 Glacier (S3 Glacier) - long-term archive
    • Amazon S3 Glacier Deep Archive (S3 Glacier Deep Archive) - digital preservation
  • Storage classes are for different storage pattern needs, not a data protection mechanism for S3.
  • Amazon S3 Lifecycle configuration manages S3 objects so they are stored cost-effectively throughout their lifecycle.
  • With S3 Lifecycle configuration rules, can tell Amazon S3 to transition objects to less expensive storage classes, or archive or delete them.
  • S3 lifecycle configuration does the hard lifting of moving data into cost-effective storage classes without user intervention.

Amazon S3 Transfer Acceleration (Amazon S3TA)

  • Enables fast, easy, and secure transfers of files over long distances between client and an S3 bucket.
  • Takes advantage of Amazon CloudFront's globally distributed edge locations.
  • As data arrives at an edge location, data is routed to Amazon S3 over an optimized network path.

Amazon S3 Versioning

  • A means of keeping multiple variants of an object in the same bucket.
  • Can be used to preserve, retrieve, and restore every version of every object stored in Amazon S3 bucket.
  • Enables easy recovery from both unintended user actions and application failures.
  • Versioning-enabled buckets enable recovery of objects from accidental deletion or overwrite.
  • When an object is deleted, instead of removing it permanently, Amazon S3 inserts a delete marker, which becomes the current object version.

AWS Site-to-Site VPN

  • Enables users to securely connect on-premises network or branch office site to Amazon Virtual Private Cloud (Amazon VPC).
  • VPN Connections are a good solution for immediate need with low to modest bandwidth requirements.
  • This connection goes over the public internet.
  • Components of AWS Site-to-Site VPN:
    • Virtual private gateway (VGW) / Transit Gateway - the VPN concentrator on the Amazon side of the AWS Site-to-Site VPN connection
    • Customer Gateway - a resource in AWS that provides information to AWS about the Customer gateway device

AWS Transit Gateway

  • A highly scalable service that connects multiple VPCs and on-premises networks through a central hub.
  • Facilitates secure, private connectivity between VPCs and supported services without using the public internet.
  • Enables customers to connect thousands of VPCs.
  • You can attach all your hybrid connectivity (VPN and Direct Connect connections) to a single gateway, consolidating and controlling your organization's entire AWS routing configuration in one place.
  • Controls how traffic is routed among all the connected spoke networks using route tables.
  • This hub-and-spoke model simplifies management and reduces operational costs because VPCs only connect to the Transit Gateway instance to gain access to the connected networks.

AWS Firewall Manager

  • Simplifies administration and maintenance tasks across multiple accounts and resources for a variety of protections, including AWS WAF, AWS Shield Advanced, Amazon VPC security groups and network ACLs, AWS Network Firewall, and Amazon Route 53 Resolver DNS Firewall.
  • Set up protections just once and the service automatically applies them across accounts and resources, even as new accounts and resources are added.
  • Benefits:
    • Helps to protect resources across accounts
    • Helps to protect all resources of a particular type, such as all Amazon CloudFront distributions
    • Helps to protect all resources with specific tags
    • Automatically adds protection to resources that are added to the account
    • Allows subscription of all member accounts in an AWS Organizations organization to AWS Shield Advanced, and automatically subscribes new in-scope accounts that join the organization
    • Allows applying security group rules to all member accounts or specific subsets of accounts in an AWS Organizations organization, and automatically applies the rules to new in-scope accounts that join the organization
    • Lets you use your own rules, or purchase managed rules from AWS Marketplace
  • Particularly useful when wanting to protect the entire organization rather than a small number of specific accounts and resources, or if frequently adding new resources that need protection.
  • Provides centralized monitoring of DDoS attacks across the organization.

AWS WAF

  • A web application firewall that lets you monitor the HTTP and HTTPS requests that are forwarded to your protected web application resources.
  • Protected resource types:
    • Amazon CloudFront distribution
    • Amazon API Gateway REST API
    • Application Load Balancer
    • AWS AppSync GraphQL API
    • Amazon Cognito user pool
    • AWS App Runner service
    • AWS Verified Access instance
    • AWS Amplify
  • Lets you control access to content based on specified conditions, such as IP addresses that requests originate from or the values of query strings.
  • Behavior options:
    • Allow all requests except specified ones - useful for public websites while blocking attackers
    • Block all requests except specified ones - useful for restricted websites with identifiable users
    • Count requests that match criteria - track web traffic without modifying handling, useful for monitoring and testing
    • Run CAPTCHA or challenge checks - implement controls against requests to help reduce bot traffic
  • Benefits:
    • Additional protection against web attacks using specified criteria:
      • IP addresses that requests originate from
      • Country that requests originate from
      • Values in request headers
      • Strings that appear in requests (specific strings or regex patterns)
      • Length of requests
      • Presence of SQL code that is likely to be malicious (SQL injection)
      • Presence of a script that is likely to be malicious (cross-site scripting)
    • Rules that can allow, block, or count web requests that meet specified criteria
    • Reusable rules for multiple web applications
    • Managed rule groups from AWS and AWS Marketplace sellers
    • Real-time metrics and sampled web requests
    • Automated administration using the AWS WAF API
  • For additional protection against DDoS attacks, AWS provides AWS Shield Standard and AWS Shield Advanced:
    • AWS Shield Standard:
      • Automatically included at no extra cost beyond what is already paid for AWS WAF and other AWS services
    • AWS Shield Advanced:
      • Provides expanded DDoS attack protection for Amazon EC2 instances, Elastic Load Balancing load balancers, CloudFront distributions, Route 53 hosted zones, and AWS Global Accelerator standard accelerators
      • Incurs additional charges
      • Features include:
        • Automatic application layer DDoS mitigation
        • Advanced event visibility
        • Dedicated support from the Shield Response Team (SRT)
      • Recommended for high visibility websites or those prone to frequent DDoS attacks

VPC Endpoints

  • Enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by AWS PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection.
  • Instances in your VPC do not require public IP addresses to communicate with resources in the service.
  • Traffic does not leave the Amazon network between your VPC and the other service.
  • Two types of VPC endpoints:
    • Interface endpoints:
      • An elastic network interface with a private IP address from the IP address range of your subnet
      • Serves as an entry point for traffic destined to a supported service
      • Powered by AWS PrivateLink technology for private access using private IP addresses
    • Gateway endpoints:
      • A gateway specified as a target for a route in your route table for traffic destined to a supported AWS service
      • Only Amazon S3 and Amazon DynamoDB support VPC gateway endpoints
  • All other services that support VPC Endpoints use a VPC interface endpoint (note that Amazon S3 supports both VPC interface and gateway endpoints)

Comparison

Security Group vs NACL

A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign up to five security groups to the instance. Security groups act at the instance level, not the subnet level.

A network access control list (network ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets (i.e. it works at subnet level).

References