AWS SAA study notes 01

13 April, 2021

Index

  • Security groups and NACL
  • Containers
  • EFA
  • CloudFormation
  • AWS Organizations
  • EFS encryption
  • General encryption
  • Hybrid in-transit encryption
  • Spot instance
  • Hibernated instance

Security groups and NACL

  • Security groups are firewalls at the instance level (eg: EC2). NACLs are firewalls at the VPC level.
  • Security groups are stateful: replies to permitted inbound traffic are allowed outbound automatically. NACLs are stateless: both inbound and outbound traffic must be explicitly defined.
  • All security group rules are evaluated before a decision is made. If rules conflict, the priority is to deny traffic. NACL rules are evaluated in hierarchy: rules with a smaller number take priority over rules with a larger number.
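The two evaluation models above, as an added example for these notes (a local simulation, not AWS code): a security group is stateful and allow-only, so any matching rule permits the packet and the reply needs no rule of its own; a NACL is stateless and numbered, so the reply must be explicitly allowed on the remote side's ephemeral ports and the lowest-numbered matching entry decides. The class names, rule fields and sample packets are constructed for illustration.

```python
# Added example: a small model of security group (stateful, allow-only, all
# rules evaluated) and NACL (stateless, numbered, first match wins, implicit
# deny) decisions. Simulation only; names and sample data are constructed.
from dataclasses import dataclass

EPHEMERAL = (1024, 65535)   # port range the remote side uses for return traffic


@dataclass(frozen=True)
class Rule:
    protocol: str           # "tcp", "udp" or "-1" for all protocols
    ports: tuple            # (low, high) inclusive, matched against the destination port
    cidr: str               # "0.0.0.0/0" or one specific prefix (string equality here)
    action: str = "allow"   # NACL entries may also be "deny"; security groups only allow
    number: int = 0         # NACL rule number; unused for security groups


@dataclass(frozen=True)
class Packet:
    protocol: str
    src_port: int
    dst_port: int
    peer: str               # prefix of the remote side, in either direction


def _matches(rule, pkt):
    """A rule matches on protocol, destination port range and peer prefix."""
    return (rule.protocol in ("-1", pkt.protocol)
            and rule.ports[0] <= pkt.dst_port <= rule.ports[1]
            and rule.cidr in ("0.0.0.0/0", pkt.peer))


class SecurityGroup:
    """Stateful: any matching allow rule permits the packet, and the reply to a
    permitted packet is allowed without a rule in the other direction."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self._tracked = set()   # (protocol, peer, port on the instance)

    def evaluate(self, direction, pkt):
        instance_port = pkt.dst_port if direction == "in" else pkt.src_port
        flow = (pkt.protocol, pkt.peer, instance_port)
        if flow in self._tracked:
            return "allow"      # connection tracking lets the reply through
        rules = self.inbound if direction == "in" else self.outbound
        if any(_matches(r, pkt) for r in rules):
            self._tracked.add(flow)
            return "allow"
        return "deny"


class NetworkAcl:
    """Stateless: entries are walked in ascending number, the first match
    decides, and a packet matching nothing hits the implicit deny."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    def evaluate(self, direction, pkt):
        rules = self.inbound if direction == "in" else self.outbound
        for rule in rules:
            if _matches(rule, pkt):
                return rule.action
        return "deny"


def demo():
    """Constructed scenario: an HTTPS request from 203.0.113.0/24 and its reply."""
    request = Packet("tcp", 51515, 443, "203.0.113.0/24")
    reply = Packet("tcp", 443, 51515, "203.0.113.0/24")
    allow_https = Rule("tcp", (443, 443), "0.0.0.0/0", "allow", 100)

    sg = SecurityGroup(inbound=[Rule("tcp", (443, 443), "0.0.0.0/0")], outbound=[])
    acl_no_return = NetworkAcl(inbound=[allow_https], outbound=[])
    acl_with_return = NetworkAcl(inbound=[allow_https],
                                 outbound=[Rule("tcp", EPHEMERAL, "0.0.0.0/0", "allow", 100)])
    # a deny for one prefix numbered below the general allow wins for that prefix
    acl_blocklist = NetworkAcl(inbound=[allow_https,
                                        Rule("tcp", (443, 443), "198.51.100.0/24", "deny", 50)],
                               outbound=[])
    return {
        "sg_request": sg.evaluate("in", request),
        "sg_reply": sg.evaluate("out", reply),                          # allowed by state
        "acl_request": acl_no_return.evaluate("in", request),
        "acl_reply_without_rule": acl_no_return.evaluate("out", reply),  # stateless: denied
        "acl_reply_with_rule": acl_with_return.evaluate("out", reply),
        "acl_blocked_prefix": acl_blocklist.evaluate("in", Packet("tcp", 40000, 443, "198.51.100.0/24")),
        "acl_other_prefix": acl_blocklist.evaluate("in", request),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The `acl_reply_without_rule` case is the one that catches people in practice: an inbound allow on 443 alone is not enough for a NACL, because the instance's reply leaves on the client's ephemeral port and needs its own outbound entry.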

Containers

  • With ECS you need to manage the underlying instances yourself before deploying a Dockerfile; with Elastic Beanstalk you do not.

EFA

  • For apps that require HPC (High Performance Computing).
  • Has OS-bypass, meaning the app can talk directly to the EFA devices.
  • EFA and instances must be in the same subnet.
  • CloudWatch can monitor EFA metrics.

CloudFormation

  • CloudFormation makes systems engineers' lives easier (but doesn't automate anything by itself).
  • Elastic Beanstalk makes developers' lives easier.
  • Parameters - enables you to customize the template. DB user, password, and SSH location go here.
  • Mappings - lookup tables, typically keyed by the region where the resources will be deployed.
  • Resources - specifies the AWS services to deploy. Eg: EC2, security group.
  • Outputs - declares outputs that can be imported into other stacks, returned, or viewed from the AWS console.

AWS Organizations

Service control policies set the permissions that accounts in an Organizational Unit may use to access AWS services (they support both Allow and Deny). They don't affect the management account. They work more like guardrails: IAM is still required to actually grant permissions to users.

EFS encryption

  • You can enable in-transit encryption by using the EFS mount helper.
  • The EFS mount helper automatically spins up Stunnel, an open-source TLS/SSL tunneling service, when you mount the file system on the instance.
  • Otherwise, you would have to set up and manage Stunnel manually.

General encryption

There are two ways to perform encryption:

  • Symmetric encryption uses a single secret key, which must be shared with the client. This is the older and riskier method (the key has to be distributed), but it performs faster.
  • Asymmetric encryption has a public key, which is shared with the client for encryption, and a private key, which is kept confidential for decryption.

AWS KMS is a key management service. You can generate keys in it or import your own for safekeeping. It supports both symmetric and asymmetric encryption.

CMKs (Customer Master Keys) are used to generate data keys and to encrypt and decrypt them. A CMK is created in and never leaves KMS.

Data keys are the keys that actually encrypt the data. They are usually stored alongside the data, in encrypted form (encrypted under the CMK). They are not stored or managed in AWS KMS.

Data key pairs are asymmetric data keys generated by the CMK. Also not managed by AWS KMS.
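The CMK / data key split described above is envelope encryption. Below is an added example for these notes, simulated locally so it runs offline: `FakeKms` stands in for AWS KMS and keeps the CMK material to itself, exposing only the GenerateDataKey and Decrypt shapes; the stream cipher plus HMAC built from `hashlib` and `hmac` is a stand-in for the AES-GCM that KMS and the SDKs actually use; the key id, encryption context and plaintext are constructed. Asymmetric data key pairs are not covered.

```python
# Added example: envelope encryption in the shape the notes describe.
# FakeKms, the hash-based cipher, the key id and the sample data are all
# constructed stand-ins; none of this is AWS code.
import hashlib
import hmac
import secrets


def _subkeys(key):
    """Derive separate encryption and MAC keys from one 32-byte key."""
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def _keystream(key, nonce, length):
    """Counter-mode keystream from SHA-256 (illustrative PRF, not AES)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext, aad=b""):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag. aad is bound but not encrypted."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct + aad, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key, blob, aad=b""):
    """Verify the tag first, then decrypt; a wrong key, aad or tampered blob fails."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct + aad, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def _encode_context(context):
    """Encryption context as additional authenticated data, like KMS binds it."""
    return "&".join(f"{k}={v}" for k, v in sorted(context.items())).encode()


class FakeKms:
    """Stand-in for AWS KMS: CMK material lives only inside this object."""

    def __init__(self):
        self._cmks = {}

    def create_key(self):
        key_id = "cmk-" + secrets.token_hex(4)      # constructed id, not a real ARN
        self._cmks[key_id] = secrets.token_bytes(32)
        return key_id

    def generate_data_key(self, key_id, context):
        """Like GenerateDataKey: a fresh data key, plaintext plus CMK-wrapped copy."""
        data_key = secrets.token_bytes(32)
        return data_key, seal(self._cmks[key_id], data_key, _encode_context(context))

    def decrypt(self, key_id, wrapped, context):
        """Like Decrypt (real KMS finds the CMK from the blob; key_id is a simplification)."""
        return open_(self._cmks[key_id], wrapped, _encode_context(context))


def encrypt_object(kms, key_id, plaintext, context):
    data_key, wrapped_key = kms.generate_data_key(key_id, context)
    ciphertext = seal(data_key, plaintext)
    del data_key                      # plaintext data key is used once and dropped
    # the wrapped data key is stored with the data, as the notes say
    return {"encrypted_data_key": wrapped_key, "ciphertext": ciphertext}


def decrypt_object(kms, key_id, stored, context):
    data_key = kms.decrypt(key_id, stored["encrypted_data_key"], context)
    return open_(data_key, stored["ciphertext"])


def demo():
    kms = FakeKms()
    key_id = kms.create_key()
    ctx = {"purpose": "study-notes"}
    stored = encrypt_object(kms, key_id, b"customer record 42", ctx)
    roundtrip = decrypt_object(kms, key_id, stored, ctx)
    try:                              # a different context must not unwrap the key
        decrypt_object(kms, key_id, stored, {"purpose": "other"})
        wrong_context_rejected = False
    except ValueError:
        wrong_context_rejected = True
    return {"roundtrip": roundtrip, "wrong_context_rejected": wrong_context_rejected,
            "stored_fields": sorted(stored)}


if __name__ == "__main__":
    print(demo())
```

Two points worth noticing in the flow: the bulk data never goes to KMS (only the 32-byte data key does), and the encryption context is authenticated, so a stored object can only be unwrapped by a caller that presents the same context it was encrypted under.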

Hybrid in-transit encryption

  • Direct Connect doesn't provide an encrypted connection.
  • VPN does.

Spot instance

  • Spot block instance allows you to run spot instances uninterrupted between 1 to 6 hours at a low cost.

Hibernated instance

  • While an instance is in hibernation, you pay only for the EBS storage and any Elastic IP addresses attached to the instance.
