This certification is mostly taken by people who want a working understanding of the AWS
services.
On Demand
Low cost and flexible.
Charged only for the time the instance runs (by the hour, or by the second for Linux instances), with no long-term contract.
Suited to short-term, unpredictable workloads.
Good for first-time apps or prototypes.
No upfront payment.
Reserved Instances
Good for committed, steady-state applications.
Standard RIs save up to 75% compared with On-Demand, but their attributes (instance type, region, etc.) cannot be changed after purchase.
Best for long-term workloads.
You can schedule reserved instances for recurring time windows.
They require a 1- or 3-year commitment with AWS.
RIs can be shared between multiple accounts in an organization.
You can even sell unused RIs on the Reserved Instance Marketplace.
Spot instances
Think of a hotel that offers discounts to fill its empty rooms.
Like the hotel, AWS uses this approach to maximize the usage of its idle servers.
There are conditions:
Instances can be terminated by AWS at any time.
If AWS terminates your instance, you are not charged for the partial hour of usage.
If you terminate the instance yourself, you are charged for any hour it ran.
Good for fault-tolerant workloads that can tolerate interruption, such as batch jobs.
It provides up to 90% savings compared with On-Demand.
Dedicated
The most expensive EC2 option.
Built for customers who need single-tenant hardware (for example for licensing or regulatory reasons); most useful for large enterprises.
Offered both On-Demand and Reserved.
Billing and Pricing
AWS Free Services
IAM (Identity and Access Management) –> used for creating users, groups, roles and policies.
Auto Scaling
CloudFormation
Elastic Beanstalk
OpsWorks
Amplify
AppSync
CodeStar
AWS Cost Explorer
NOTE: The services above are free themselves, but they can provision other AWS services that cost money.
A tool that lets you build reports for executives showing how much you could save.
Only for approximation purposes.
AWS Landing Zone
Meant for enterprises.
Automatically provisions and configures new accounts via a Service Catalog template.
Uses AWS SSO.
AWS Resource Groups & Tagging
Tags are key/value pairs (words or phrases) that act as metadata for organizing AWS resources.
Resource Groups are collections of resources that share one or more tags.
A Resource Group can display the following details about the resources in the group:
Metrics
Alarms
Configuration settings
AWS QuickStart
Prebuilt templates offered by AWS or AWS partners that help you deploy popular
stacks on AWS. This reduces the manual effort.
HIPAA (Health Insurance Portability and Accountability Act)
PCI DSS (Payment Card Industry Data Security Standard, for handling payment card data)
AWS Artifact
A no-cost, self-service portal for on-demand access to AWS compliance reports.
Amazon Inspector
Amazon Inspector is an automated assessment service that runs security benchmarks against specific EC2
instances. The most popular benchmark is published by CIS (Center for Internet Security), which
has 699 benchmarks. It can also analyze network reachability to report which ports are
open and reachable.
OWASP Top 10 (2017) web application risks:
Injection
Broken Authentication
Sensitive Data Exposure
XML External Entities (XXE)
Broken Access Control
Security Misconfiguration
Cross-Site Scripting (XSS)
Insecure Deserialization
Using Components with Known Vulnerabilities
Insufficient Logging and Monitoring
AWS Shield
A managed DDoS (Distributed Denial of Service) protection service that safeguards
applications running on AWS.
All AWS customers benefit from the automatic protections of AWS Shield Standard at
no charge.
When you route your traffic through Route 53 or CloudFront you are already using AWS Shield Standard.
Protection covers attacks at these OSI layers:
7 Application
4 Transport
3 Network
Shield Standard covers the common layer 3 and layer 4 attacks; Shield Advanced adds application-layer (7) protection.
There's also a paid tier known as Shield Advanced, which costs $3,000/month with a 1-year
commitment. It gives you extra protection with 24/7 access to the AWS DDoS Response Team, and it's available
on
Amazon Route 53
Amazon CloudFront
ELB
AWS Global Accelerator
Elastic IP addresses (for Amazon EC2 instances and Network Load Balancers).
AWS Penetration Testing
An authorized, simulated cyber attack on a computer system, performed to evaluate the
security of the system. AWS lets customers run penetration tests against the following services on their own resources without prior approval.
Permitted Services
EC2 instances, NAT Gateways and Elastic Load Balancers
RDS
CloudFront
Aurora
API Gateway
AWS Lambda and Lambda@Edge functions
Lightsail resources
Prohibited Activities
DNS zone walking via Amazon Route 53 Hosted Zones
DoS (Denial of Service), DDoS, simulated DoS, simulated DDoS
Port flooding
Protocol flooding
Request flooding
Amazon GuardDuty
IDS: Intrusion Detection System
GuardDuty is a threat detection service that continuously monitors for
malicious or suspicious activity and unauthorized behavior. It uses machine learning
to analyze the following AWS logs:
CloudTrail logs
VPC Flow Logs
DNS logs
It alerts you with findings, from which you can automate an incident response via
CloudWatch Events (now EventBridge) or 3rd-party software.
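An added example of the automated-response step (not part of the original notes, and not AWS code): a Python handler that could sit behind an EventBridge rule matching `{"source": ["aws.guardduty"]}`, triages a GuardDuty finding by severity band and affected resource type, and decides an action. The two events are constructed for illustration in the documented "GuardDuty Finding" shape (detail.type, detail.severity, detail.resource.*); the action names, thresholds and the severities assigned to the sample findings are this example's own assumptions, and no AWS API is called.

```python
import json

# Constructed sample events (not real findings), shaped like the "GuardDuty Finding"
# events EventBridge delivers. The fields read below exist in that format; the
# severity values were chosen for illustration.
SSH_BRUTE_FORCE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 5.0,
        "region": "us-east-1",
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0123456789abcdef0"},
        },
    },
}

LEAKED_KEY_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "UnauthorizedAccess:IAMUser/TorIPCaller",
        "severity": 8.0,
        "region": "us-east-1",
        "resource": {
            "resourceType": "AccessKey",
            "accessKeyDetails": {"accessKeyId": "AKIAEXAMPLE000000000",
                                 "userName": "deploy-bot"},
        },
    },
}


def severity_label(score: float) -> str:
    """Map GuardDuty's numeric severity onto its Low (1-3.9) / Medium (4-6.9) / High (7-8.9) bands."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score >= 1.0:
        return "Low"
    return "Informational"


def plan_response(event: dict) -> dict:
    """Decide what an automated responder should do with one finding.

    Returns a dict describing the action. A real Lambda would then call the
    EC2 / IAM APIs (swap the instance into a quarantine security group,
    deactivate the access key). The action names are this example's own.
    """
    if event.get("source") != "aws.guardduty" or "detail" not in event:
        return {"action": "ignore", "reason": "not a GuardDuty finding"}

    detail = event["detail"]
    label = severity_label(float(detail.get("severity", 0)))
    resource = detail.get("resource", {})
    rtype = resource.get("resourceType")
    base = {"finding": detail.get("type"), "severity": label}

    if rtype == "Instance":
        target = resource["instanceDetails"]["instanceId"]
        if label in ("Medium", "High"):
            return {**base, "action": "isolate-instance", "target": target}
        return {**base, "action": "notify", "target": target}

    if rtype == "AccessKey":
        key = resource["accessKeyDetails"]
        target = f'{key.get("userName")}/{key.get("accessKeyId")}'
        if label == "High":
            return {**base, "action": "deactivate-access-key", "target": target}
        return {**base, "action": "notify", "target": target}

    # Other resource types (S3 bucket, EKS cluster, ...): hand off to a human.
    return {**base, "action": "notify", "target": rtype}


def lambda_handler(event, context):
    """Entry point if this is wired to an EventBridge rule on source aws.guardduty."""
    plan = plan_response(event)
    print(json.dumps(plan))
    return plan


if __name__ == "__main__":
    for ev in (SSH_BRUTE_FORCE_EVENT, LEAKED_KEY_EVENT):
        print(json.dumps(plan_response(ev)))
```

The point of routing by resource type is that the right containment differs: an instance under brute force is quarantined at the network layer, while a compromised access key is revoked in IAM. Severity bands are deliberately coarse so that a noisy Low finding only pages rather than isolates.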
Amazon Macie
Macie is a fully managed service that continuously monitors S3 data access activity
for anomalies and generates detailed alerts when it detects a risk of unauthorized
access or inadvertent data leaks. Alert categories include:
Anonymized Access.
Config Compliance
Credential loss
Data Compliance
File Hosting
Identity Enumeration
Information Loss
Location Anomaly
Open Permission
Privilege Escalation
Ransomware
Service Disruption
Suspicious Activity
Security Groups vs NACLs (Network Access Control Lists)
Security Groups:
Act as a firewall at the instance level.
Stateful: return traffic for a connection that was allowed in is automatically allowed out (and vice versa).
Implicitly deny all traffic; you create only `allow` rules (for example, allow an `EC2` instance to be reached on `port 22`), and every rule is evaluated.
NACLs:
Act as a firewall at the subnet level.
Stateless: return traffic must be allowed by an explicit rule, including the ephemeral ports a client replies on.
You create both `allow` and `deny` rules; they are evaluated in ascending rule-number order and the first match wins, with a final catch-all deny.
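To make the stateful/stateless difference concrete, here is an added Python model (not from the original notes, and not AWS code) that evaluates a security group and a NACL the way the two layers behave: the security group considers all of its allow rules and tracks admitted flows, while the NACL walks its rules in number order, stops at the first match, and denies anything unmatched. The rule sets, IP ranges, port numbers and the `ssh_session` trace are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    protocol: str          # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str
    action: str = "allow"  # NACLs may also use "deny"; security groups are allow-only
    number: int = 0        # NACL rule number (evaluation order); unused for SGs

    def matches(self, protocol, port, ip):
        return (self.protocol in ("all", protocol)
                and self.port_from <= port <= self.port_to
                and ipaddress.ip_address(ip) in ipaddress.ip_network(self.cidr))


@dataclass
class SecurityGroup:
    """Instance level, stateful, allow rules only, implicit deny."""
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)
    tracked: set = field(default_factory=set)   # flows admitted so far

    def allows(self, direction, protocol, local_port, peer_ip, peer_port):
        flow = (protocol, local_port, peer_ip, peer_port)
        if flow in self.tracked:          # stateful: replies to an admitted flow pass
            return True
        rules = self.inbound if direction == "in" else self.outbound
        # Inbound rules match the destination (local) port, outbound rules the peer's port.
        checked_port = local_port if direction == "in" else peer_port
        # All rules are evaluated; any matching allow wins, there is no deny rule.
        if any(r.matches(protocol, checked_port, peer_ip) for r in rules):
            self.tracked.add(flow)
            return True
        return False


@dataclass
class NetworkACL:
    """Subnet level, stateless, allow and deny rules, lowest rule number wins."""
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)

    def allows(self, direction, protocol, dest_port, peer_ip):
        rules = self.inbound if direction == "in" else self.outbound
        for r in sorted(rules, key=lambda r: r.number):
            if r.matches(protocol, dest_port, peer_ip):
                return r.action == "allow", r.number
        return False, "*"   # the catch-all rule denies everything unmatched


def build_sg():
    # Outbound intentionally empty: the SSH reply still passes because SGs are stateful.
    return SecurityGroup(inbound=[Rule("tcp", 22, 22, "203.0.113.0/24")])


def build_nacl(with_ephemeral=True):
    # Without the outbound ephemeral-port rule the reply to the client is dropped.
    out = [Rule("tcp", 1024, 65535, "0.0.0.0/0", "allow", 100)] if with_ephemeral else []
    return NetworkACL(
        inbound=[
            Rule("tcp", 22, 22, "198.51.100.0/24", "deny", 90),   # lower number: wins over 100
            Rule("tcp", 22, 22, "0.0.0.0/0", "allow", 100),
        ],
        outbound=out,
    )


def ssh_session(sg, nacl, client_ip, client_port=51234):
    """Trace one TCP/22 request and its reply through both layers; return per-hop verdicts."""
    trace = {}
    trace["nacl_in"], trace["nacl_in_rule"] = nacl.allows("in", "tcp", 22, client_ip)
    trace["sg_in"] = sg.allows("in", "tcp", 22, client_ip, client_port)
    # Reply: instance port 22 -> client's ephemeral port.
    trace["sg_out"] = sg.allows("out", "tcp", 22, client_ip, client_port)
    trace["nacl_out"], trace["nacl_out_rule"] = nacl.allows("out", "tcp", client_port, client_ip)
    trace["reachable"] = all(trace[k] for k in ("nacl_in", "sg_in", "sg_out", "nacl_out"))
    return trace


if __name__ == "__main__":
    print("ok      ", ssh_session(build_sg(), build_nacl(), "203.0.113.5"))
    print("no-eph  ", ssh_session(build_sg(), build_nacl(with_ephemeral=False), "203.0.113.5"))
    print("blocked ", ssh_session(build_sg(), build_nacl(), "198.51.100.9"))
```

Running it shows the two mistakes people actually make: dropping the outbound ephemeral-port rule from the NACL silently breaks the reply even though the security group still permits it, and a deny rule only takes effect if its number is lower than the allow it is meant to override.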
AWS VPN (Virtual Private Network)
It allows you to create a secure, private tunnel from your network or device to the
AWS global network.
Let's say you have 1000 videos and you need to transcode them into different formats;
then this service is useful. You can even add watermarks and insert an intro
in front of every video.
SNS
It uses the pub/sub (publisher/subscriber) model.
It sends notifications to subscribers via protocols such as HTTP/HTTPS, email, SQS and SMS.
It is generally used for sending plaintext emails triggered by other AWS
services. The best example is billing alerts.
Can retry delivery on failure for HTTP/HTTPS endpoints.
Good for webhooks, internal emails and triggering Lambda functions.
SQS (comparable to RabbitMQ) - think of it as a message broker service
Queues up messages; guaranteed delivery.
It places messages into a queue and applications pull from the queue using the AWS SDK.
It can retain a message for up to 14 days.
Standard queues deliver messages at least once with best-effort ordering; FIFO queues deliver them in order and ensure exactly-once processing.
Really good for delayed tasks and queueing up emails.