AWS SAA study notes 04
05 May, 2021
Index
- RAID
- Athena
- Data replication
- Restricting access with CloudFront
- ECS definitions
- Analyzing user requests
- AWS Glue
- Cybersecurity
- Auth
- Third party CA
RAID
RAID is configured by the guest OS (eg: mdadm on Linux) and can be built on both EBS and instance store volumes. AWS Ref.
- RAID 0 stripes I/O across the volumes for higher throughput and IOPS; losing any one volume loses the whole array.
- RAID 1 mirrors the volumes for redundancy; every write goes to all volumes, so it uses more EC2-to-EBS bandwidth with no throughput gain.
- RAID 5 and 6 are not recommended on EBS because the parity writes consume IOPS that would otherwise go to data.
Instance store volumes can have higher I/O performance than Provisioned IOPS SSD volumes, but they are ephemeral: the data is gone when the instance stops, hibernates or terminates, or when the underlying disk fails.
Athena
Amazon Athena is a serverless service for running SQL queries directly against data stored in S3.
Use case
- S3 server access logging writes one log record per request to a target bucket. The target can be the source bucket itself, but AWS recommends a separate one: each log delivery is itself a request that generates more log records.
- You can use Athena to query the access logs (eg: who deleted an object, list all activity of a requester, which IP addresses performed a specific operation).
- Eg, using the column names from the AWS table definition (note the single quotes: in Athena, double quotes denote identifiers, not string literals):
- SELECT requestdatetime, remoteip, requester, operation FROM s3logs.logstable WHERE key = 'private/item.png' AND operation LIKE '%DELETE%';
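The same three questions answered offline, as an added example that is not part of the original notes: a parser for the documented S3 server access log layout, run over three constructed log lines. The bucket name, requester ARNs, IPs and IDs are made-up sample data, and the functions mirror the WHERE clauses an Athena query would use.

```python
"""Added example (not from the original notes): answer the Athena questions
offline by parsing S3 server access log lines.

SAMPLE_LOG is constructed data in the documented S3 access log layout.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime

# Field order of an S3 server access log record, per the AWS documentation.
FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code",
    "bytes_sent", "object_size", "total_time", "turnaround_time", "referrer",
    "user_agent", "version_id", "host_id", "sig_version", "cipher_suite",
    "auth_type", "host_header", "tls_version",
]

# Constructed sample: one read by alice, two deletes by bob (fake ARNs/IPs).
SAMPLE_LOG = """\
OWNER examplebucket [05/May/2021:09:14:02 +0000] 203.0.113.7 arn:aws:iam::111122223333:user/alice 3E57427F3EXAMPLE REST.GET.OBJECT private/item.png "GET /private/item.png HTTP/1.1" 200 - 4096 4096 12 10 "-" "curl/7.68.0" - HOSTID SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader examplebucket.s3.amazonaws.com TLSv1.2
OWNER examplebucket [05/May/2021:09:20:45 +0000] 198.51.100.23 arn:aws:iam::111122223333:user/bob 7E3A6B1C2EXAMPLE REST.DELETE.OBJECT private/item.png "DELETE /private/item.png HTTP/1.1" 204 - - 4096 8 7 "-" "aws-cli/2.1.0" - HOSTID SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader examplebucket.s3.amazonaws.com TLSv1.2
OWNER examplebucket [05/May/2021:09:21:03 +0000] 198.51.100.23 arn:aws:iam::111122223333:user/bob 9F1B2C3D4EXAMPLE REST.DELETE.OBJECT public/banner.png "DELETE /public/banner.png HTTP/1.1" 204 - - 1024 6 5 "-" "aws-cli/2.1.0" - HOSTID SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader examplebucket.s3.amazonaws.com TLSv1.2
"""


def tokenize(line: str) -> list[str]:
    """Split a log line on spaces, keeping [time] and "quoted" fields whole."""
    tokens, i, n = [], 0, len(line)
    while i < n:
        if line[i] == " ":
            i += 1
        elif line[i] == "[":
            j = line.index("]", i)
            tokens.append(line[i + 1:j])
            i = j + 1
        elif line[i] == '"':
            j = line.index('"', i + 1)
            tokens.append(line[i + 1:j])
            i = j + 1
        else:
            j = line.find(" ", i)
            j = n if j == -1 else j
            tokens.append(line[i:j])
            i = j
    return tokens


@dataclass
class Record:
    time: datetime
    remote_ip: str
    requester: str
    operation: str
    key: str
    http_status: int


def parse(line: str) -> Record:
    """Map the tokens onto the documented field names and keep what we query on."""
    f = dict(zip(FIELDS, tokenize(line)))
    return Record(
        time=datetime.strptime(f["time"], "%d/%b/%Y:%H:%M:%S %z"),
        remote_ip=f["remote_ip"], requester=f["requester"],
        operation=f["operation"], key=f["key"],
        http_status=int(f["http_status"]),
    )


def who_deleted(records: list[Record], key: str) -> list[Record]:
    """WHERE key = '<key>' AND operation LIKE '%DELETE%'"""
    return [r for r in records if r.key == key and "DELETE" in r.operation]


def activity_of(records: list[Record], requester: str) -> list[Record]:
    """WHERE requester = '<arn>'"""
    return [r for r in records if r.requester == requester]


def ips_for_operation(records: list[Record], operation: str) -> list[str]:
    """SELECT DISTINCT remoteip ... WHERE operation = '<op>'"""
    return sorted({r.remote_ip for r in records if r.operation == operation})


RECORDS = [parse(line) for line in SAMPLE_LOG.splitlines() if line.strip()]

if __name__ == "__main__":
    for r in who_deleted(RECORDS, "private/item.png"):
        print(r.time.isoformat(), r.remote_ip, r.requester, r.operation)
```

Real log files are much larger and span many objects, which is exactly why Athena (scanning them in place in S3) is the better tool; the parser above is for understanding the record layout and the query logic.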
Data replication
AWS DataSync is an online transfer service for copying large datasets between on-premises storage (NFS, SMB, HDFS, self-managed object storage) and AWS storage services (S3, EFS, FSx), or between AWS services. Exam keywords are replication, copying and syncing of datasets, as opposed to services that are predominantly for one-off bulk transfer or for backups.
AWS Ref.
Restricting access with CloudFront
When to use signed URLs versus signed cookies. Both are signed with the private key of a key pair registered with CloudFront (a key group), and both carry an expiry time in the policy.
Signed-URL
- Restrict access to individual files (eg: downloads).
- Clients that don't support cookies (eg: non-browsers).
Signed cookies
- Provide access to multiple files (eg: every segment of a video, or everything under a path) with one set of cookies.
- When URLs should remain the same (no per-file query string to generate).
Either way, the S3 origin must be reachable only through CloudFront (an origin access identity plus a bucket policy that allows only it); otherwise a direct bucket URL bypasses the signing entirely. AWS Ref.
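How the two forms are built, as an added example that is not code from the original notes or from AWS: a canned policy signed into a URL query string for one file, and a custom policy (wildcard resource, optional source IP condition) signed into the three CloudFront-* cookies. CloudFront verifies an RSA-SHA1 signature over the policy JSON; the signing is passed in as a callable so the policy and encoding logic run offline, and the `__main__` block uses the `cryptography` package for a real signer if it is installed. The distribution domain, key pair ID and paths are made-up placeholders.

```python
"""Added example (not from the original notes): CloudFront signed URLs and
signed cookies. The policy formats and the URL-safe base64 variant follow the
CloudFront documentation; domain, key pair ID and paths are placeholders.
"""
from __future__ import annotations

import base64
import json
from typing import Callable
from urllib.parse import urlencode

# rsa_sha1_sign(message) -> signature bytes, using the key group's private key.
Signer = Callable[[bytes], bytes]

_ENC = str.maketrans({"+": "-", "=": "_", "/": "~"})
_DEC = str.maketrans({"-": "+", "_": "=", "~": "/"})


def cf_b64(data: bytes) -> str:
    """CloudFront's URL-safe base64: '+' -> '-', '=' -> '_', '/' -> '~'."""
    return base64.b64encode(data).decode("ascii").translate(_ENC)


def cf_b64_decode(text: str) -> bytes:
    """Inverse of cf_b64, handy when debugging a rejected cookie or URL."""
    return base64.b64decode(text.translate(_DEC))


def canned_policy(resource: str, expires: int) -> str:
    """Canned policy: exactly one resource URL and an expiry. No whitespace allowed."""
    doc = {"Statement": [{"Resource": resource,
                          "Condition": {"DateLessThan": {"AWS:EpochTime": expires}}}]}
    return json.dumps(doc, separators=(",", ":"))


def custom_policy(resource: str, expires: int, source_cidr: str | None = None) -> str:
    """Custom policy: Resource may contain wildcards; optional client IP restriction."""
    cond: dict = {"DateLessThan": {"AWS:EpochTime": expires}}
    if source_cidr:
        cond["IpAddress"] = {"AWS:SourceIp": source_cidr}
    doc = {"Statement": [{"Resource": resource, "Condition": cond}]}
    return json.dumps(doc, separators=(",", ":"))


def signed_url(url: str, expires: int, key_pair_id: str, sign: Signer) -> str:
    """Signed URL with a canned policy: hands out one file, good for non-browser clients."""
    signature = sign(canned_policy(url, expires).encode())
    params = {"Expires": expires, "Signature": cf_b64(signature), "Key-Pair-Id": key_pair_id}
    return url + ("&" if "?" in url else "?") + urlencode(params)


def signed_cookies(policy: str, key_pair_id: str, sign: Signer) -> dict[str, str]:
    """Signed cookies with a custom policy: one cookie set covers every URL matching Resource."""
    return {
        "CloudFront-Policy": cf_b64(policy.encode()),
        "CloudFront-Signature": cf_b64(sign(policy.encode())),
        "CloudFront-Key-Pair-Id": key_pair_id,
    }


if __name__ == "__main__":
    # Real signer if `cryptography` is installed (assumption: a fresh throwaway key);
    # CloudFront would only accept it if this public key were in a key group.
    try:
        from cryptography.hazmat.primitives import hashes
        from cryptography.hazmat.primitives.asymmetric import padding, rsa
        key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
        signer: Signer = lambda m: key.sign(m, padding.PKCS1v15(), hashes.SHA1())
    except ImportError:  # stand-in only so the demo runs; not a valid CloudFront signature
        signer = lambda m: b"not-an-rsa-signature:" + m[:8]
    expires, kid = 1620205200, "K2JCJMDEHXQW5F"  # placeholder key pair ID
    print(signed_url("https://d111111abcdef8.cloudfront.net/private/item.png", expires, kid, signer))
    for k, v in signed_cookies(custom_policy("https://d111111abcdef8.cloudfront.net/private/*",
                                             expires, "203.0.113.0/24"), kid, signer).items():
        print(f"Set-Cookie: {k}={v}; Domain=d111111abcdef8.cloudfront.net; Path=/private; Secure; HttpOnly")
```

The cookies must be set for the CloudFront domain (and a Path that matches the Resource), and the wildcard is why a custom policy is needed for the multi-file case; a canned policy only ever names one exact URL.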
ECS definitions
- A Dockerfile contains the instructions to build a container image. The Dockerfile lives with the source code; the built image is what gets pushed to ECR.
- ECR is the registry that stores the images.
- ECS objects are defined in this order, inside out from the container to the cluster layer:
- Container definition
- Task definition
- Service
- Cluster
- Container definition defines the image, memory and CPU of the container, plus port mappings, environment variables/secrets and log configuration.
- Task definition groups one or more container definitions and defines the network mode (awsvpc, which is mandatory for Fargate), the task IAM role (what the application may call), the task execution role (what the ECS agent uses to pull the image and write logs), the compatible launch types (EC2 or Fargate), task-level memory and task-level CPU.
- Task is a running instance of a task definition: its containers are launched together and share a lifecycle.
- Service keeps the desired number of tasks running (replacing failed ones) and registers them with a load balancer for long-running workloads; for awsvpc tasks the subnets and security groups are set here.
- Cluster is a logical, regional grouping of tasks and services (and, with the EC2 launch type, of the container instances that host them); it spans AZs rather than living in one. With the EC2 launch type the VPC and subnets come from the container instances; with Fargate they come from the service's network configuration.
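The layering above as a concrete Fargate task definition, plus a small lint to run before `register-task-definition`, as an added example that is not code from the original notes or from AWS. The account ID, role ARNs, image URI and log group are placeholders; the CPU/memory table is the documented set of valid Fargate combinations. The lint checks the structural rules from the notes (containers inside the task, awsvpc for Fargate, execution role present) and a few security points a reviewer would flag: unpinned image tags, privileged containers, secrets passed as plain environment variables, and missing logging.

```python
"""Added example (not from the original notes): a Fargate task definition as a
Python dict and a lint that checks layering and a few security rules.
All ARNs, the image URI and the log group are placeholders.
"""
from __future__ import annotations

# Valid Fargate task CPU (units) -> allowed task memory values (MiB), from the ECS docs.
FARGATE_CPU_MEMORY = {
    256: {512, 1024, 2048},
    512: {1024, 2048, 3072, 4096},
    1024: {2048, 3072, 4096, 5120, 6144, 7168, 8192},
    2048: set(range(4096, 16385, 1024)),
    4096: set(range(8192, 30721, 1024)),
}

TASK_DEFINITION = {
    "family": "web",
    "requiresCompatibilities": ["FARGATE"],  # compatible launch types; the actual one is chosen at run time
    "networkMode": "awsvpc",                  # each task gets its own ENI; mandatory for Fargate
    "cpu": "512",
    "memory": "1024",
    "taskRoleArn": "arn:aws:iam::111122223333:role/web-task",       # permissions the application gets
    "executionRoleArn": "arn:aws:iam::111122223333:role/ecs-exec",  # pull image, write logs, read secrets
    "containerDefinitions": [                 # container definitions nest inside the task definition
        {
            "name": "web",
            "image": "111122223333.dkr.ecr.us-east-1.amazonaws.com/web:1.2.3",  # pinned tag
            "essential": True,
            "memory": 768,                    # hard limit, must fit inside the task memory
            "portMappings": [{"containerPort": 8080, "protocol": "tcp"}],
            "readonlyRootFilesystem": True,
            "secrets": [{"name": "DB_PASSWORD",
                         "valueFrom": "arn:aws:secretsmanager:us-east-1:111122223333:secret:db-AbCdEf"}],
            "logConfiguration": {"logDriver": "awslogs", "options": {
                "awslogs-group": "/ecs/web", "awslogs-region": "us-east-1",
                "awslogs-stream-prefix": "web"}},
        }
    ],
}

SECRET_ENV_HINTS = ("PASSWORD", "SECRET", "TOKEN", "KEY")


def lint_task_definition(td: dict) -> list[str]:
    """Return a list of problems; an empty list means the definition passed."""
    problems: list[str] = []
    containers = td.get("containerDefinitions", [])
    if not containers:
        problems.append("task definition has no container definitions")
    fargate = "FARGATE" in td.get("requiresCompatibilities", [])
    if fargate:
        if td.get("networkMode") != "awsvpc":
            problems.append("Fargate requires networkMode awsvpc")
        cpu, mem = int(td.get("cpu") or 0), int(td.get("memory") or 0)
        if mem not in FARGATE_CPU_MEMORY.get(cpu, set()):
            problems.append(f"cpu={cpu} memory={mem} is not a valid Fargate combination")
        if not td.get("executionRoleArn"):
            problems.append("Fargate tasks need executionRoleArn to pull from ECR and write logs")
    task_mem = int(td["memory"]) if td.get("memory") else None
    for c in containers:
        name = c.get("name", "?")
        image = c.get("image", "")
        if ":" not in image.rsplit("/", 1)[-1] or image.endswith(":latest"):
            problems.append(f"{name}: pin the image tag or digest (no tag means :latest)")
        if task_mem and c.get("memory", 0) > task_mem:
            problems.append(f"{name}: container memory exceeds task memory")
        if c.get("privileged"):
            problems.append(f"{name}: privileged containers are not allowed (unsupported on Fargate)")
        for env in c.get("environment", []):
            if any(h in env.get("name", "").upper() for h in SECRET_ENV_HINTS):
                problems.append(f"{name}: {env['name']} looks like a secret; use 'secrets' with valueFrom")
        if not c.get("logConfiguration"):
            problems.append(f"{name}: no logConfiguration, container output will be lost")
    return problems


if __name__ == "__main__":
    print(lint_task_definition(TASK_DEFINITION) or "task definition OK")
```

A service would then reference this family (with its subnets and security groups in `networkConfiguration`, since the task uses awsvpc) and run inside a cluster; neither of those objects is part of the task definition itself.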
Analyzing user requests
- AWS X-Ray traces user requests end-to-end through an application and shows the latency and errors of each segment; it integrates with API Gateway, Lambda, ELB and instrumented application code.
- VPC Flow Logs capture metadata about IP traffic to and from network interfaces (source/destination addresses and ports, protocol, bytes, accept/reject). They record headers, not payloads, and are delivered to CloudWatch Logs or S3.
AWS Glue
- AWS Glue is a serverless ETL service; its Data Catalog holds table definitions that Athena can query directly.
- AWS Glue Studio is the visual frontend for authoring and monitoring Glue ETL jobs.
Cybersecurity
- AWS Shield protects against DDoS attacks at the network and transport layers. Works with CloudFront, Route 53, ELB, Global Accelerator and Elastic IPs. Standard is free and always on; Advanced is paid and adds attack visibility, DDoS cost protection and access to the Shield Response Team. AWS Ref.
- AWS WAF is a web application firewall that filters HTTP(S) requests (SQL injection, XSS, bad bots, rate limiting) on CloudFront, ALB, API Gateway and AppSync. It works at layer 7 only, so it does not defend against network-layer DDoS at the VPC level; that is Shield's job.
- AWS Firewall Manager centrally manages WAF rules, Shield Advanced protections and security groups across the accounts of an AWS Organization.
- Amazon GuardDuty is a threat detection service that continuously analyses CloudTrail, VPC Flow Logs and DNS logs for malicious or anomalous activity (eg: credential use from a known bad IP, cryptomining).
- Amazon Inspector is an automated vulnerability assessment service that checks EC2 instances (and container images in ECR) for known CVEs, unintended network exposure and deviations from security best practices.
Auth
- A federated identity provider authenticates users on your behalf. Examples are Google, Facebook, Amazon, Apple and any SAML or OIDC provider (eg: a corporate directory via SAML).
- Cognito User Pools is a user directory that handles sign-up, sign-in, MFA and federation with those identity providers, and issues JWTs (ID, access and refresh tokens). Priced per monthly active user above the free tier.
- Cognito Identity Pools exchange a token (from a user pool or an external provider) for temporary AWS credentials through IAM roles, ie they authorize access to AWS resources. No charge.
You can combine both: the user pool authenticates the user, and the identity pool decides which AWS resources they can access (separate roles for authenticated and unauthenticated identities).
AWS Ref.
Third party CA
This topic covers TLS/SSL certificates. AWS Ref.
- AWS Certificate Manager (ACM) is the recommended place to hold certificates: it issues public certificates for free, renews them automatically, and can import certificates from a third-party CA for use on ELB, CloudFront and API Gateway.
- The IAM certificate store also accepts uploads (aws iam upload-server-certificate in the CLI), but it does no renewal and is only recommended for regions where ACM is not available.