techstudyslack.com
https://talk.cantrill.io
CLI commands

YAML vs JSON (the same document in both formats)

YAML:
---
doe: "a deer, a female deer"
ray: "a drop of golden sun"
pi: 3.14159
xmas: true
french-hens: 3
calling-birds:
  - huey
  - dewey
  - louie
  - fred
xmas-fifth-day:
  calling-birds: four
  french-hens: 3
  golden-rings: 5
  partridges:
    count: 1
    location: "a pear tree"
  turtle-doves: two
foo: { thing1: huey, thing2: louie, thing3: dewey }
names: [ "one", "two", "three", "four" ]

JSON:
{
  "doe": "a deer, a female deer",
  "ray": "a drop of golden sun",
  "pi": 3.14159,
  "xmas": true,
  "french-hens": 3,
  "calling-birds": [
    "huey",
    "dewey",
    "louie",
    "fred"
  ],
  "xmas-fifth-day": {
    "calling-birds": "four",
    "french-hens": 3,
    "golden-rings": 5,
    "partridges": {
      "count": 1,
      "location": "a pear tree"
    },
    "turtle-doves": "two"
  }
}
import yaml

if __name__ == '__main__':
    print(yaml.safe_load(open('example.yaml')))  # assumed file: the YAML above saved as example.yaml
Networking
VPC:
- Is within 1 account and 1 region
- 1 default VPC per region, plus custom VPCs
- Private and isolated by default
- Every VPC is assigned a range of IP addresses called the VPC CIDR. The default VPC gets one CIDR range (172.31.0.0/16); a custom VPC can have many CIDR ranges
- Default VPC has 1 subnet in every AZ. It can be deleted and recreated.
- Each default VPC subnet is a /20
- Default VPC comes with public IPv4 addresses
EC2:
IaaS – the consumer manages the O/S and everything above it
Private service – runs in a private subnet by default
Instance fails if its AZ fails
Storage
- Local (instance store)
- EBS (network storage)
States
- Running
- Stopped
- Terminated (non-reversible action)
Connect to EC2
- EC2 Instance Connect
- SSH client (use the .pem file)
- Session Manager
When you terminate an EC2 instance, its security groups are not deleted. You need to delete them manually.
S3
- Public service; global (bucket names) but region based (data)
- Object storage system, not file or block storage
- Region resilient: data is replicated across AZs in that region
- Unlimited storage
- Objects 0 – 5 TB
- Bucket name must be globally unique; a bucket can hold an unlimited number of objects
- Flat structure: /old/a.jpg is presented as if /old were a folder, but /old is only a prefix
- Bucket names 3-63 chars, all lowercase letters or numbers, no _
- Bucket limit per account: soft 100, hard 1000
CloudFormation Basics
Resources – mandatory; without this section nothing will happen
If you have both Description and AWSTemplateFormatVersion, Description must follow AWSTemplateFormatVersion (neither is a mandatory field).
CloudWatch
- Metrics – AWS products, apps, on-premises
- Logs – AWS products, apps, on-premises
- Events – AWS events & schedules
Route 53:
Register domains
Hosted zones – managed nameservers
Global service – single database
DNS records are essentially instructions created by and stored on DNS servers in what is called a zone file.
IAM
Nothing can overrule an explicit Deny
Evaluation order: EXPLICIT DENY > EXPLICIT ALLOW > DEFAULT DENY (IMPLICIT)
Groups cannot be referenced as a principal in a policy. For example, a bucket policy cannot use a group as a principal.
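Added example (not from these notes): the evaluation order above as code, using constructed sample statements and IAM-style wildcard matching. Every statement is checked, so a matching Deny wins wherever it sits in the list, and a request matched by nothing falls through to the implicit deny.

```python
import fnmatch

# Constructed sample statements (not from the notes) showing the evaluation
# order: an explicit Deny always wins, access needs an explicit Allow, and
# a request matched by no statement is implicitly denied.
POLICY_STATEMENTS = [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket",
                  "arn:aws:s3:::example-bucket/*"]},
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/secret/*"},
]


def _as_list(value):
    # IAM accepts either a single string or a list in Action / Resource.
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' one character.
    # Action names are case-insensitive; resource ARNs are case-sensitive.
    if fold_case:
        value = value.lower()
    return any(fnmatch.fnmatchcase(value, p.lower() if fold_case else p)
               for p in _as_list(patterns))


def evaluate(statements, action, resource):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request.

    Every statement is examined, so a matching Deny is found even if an
    Allow appears earlier or later in the list; the default is deny.
    """
    allowed = False
    for stmt in statements:
        if not (_matches(stmt["Action"], action, fold_case=True)
                and _matches(stmt["Resource"], resource)):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        if stmt["Effect"] == "Allow":
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def is_allowed(statements, action, resource):
    return evaluate(statements, action, resource) == "Allow"
```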
S3
S3 is private by default
- Can allow/deny other accounts access to resources in your account
- Can allow/deny anonymous principals
- A bucket policy is a resource policy, i.e. it has a Principal element
- ACL – cannot have a single ACL that applies to multiple objects
- Block Public Access applies only to anonymous principals
S3 Versioning:
Once enabled, cannot be disabled
Once enabled, can be suspended and later re-enabled. Suspending still keeps the old versions
If no version ID is specified during retrieval, the current version is retrieved
When you delete, a delete marker is added. If you delete the delete marker, the object becomes active again
When you assume a role, temporary credentials are generated by STS (Security Token Service)
Organization
- If you add an account by creating it, you can switch roles easily
- If you add an account by invite, the invited account must have a role created in it that trusts the inviting account
CloudWatch Logs:
Public service – usable from AWS or on-premises
A log stream is a sequence of log events that share the same source. Each separate source of logs in CloudWatch Logs makes up a separate log stream. A log group is a group of log streams that share the same retention, monitoring, and access control settings.
CloudTrail:
- Logs API calls / account activities as CloudTrail events
- By default stores 90 days of data in Event History (no cost)
- Management events, data events and Insights events
- Global services like IAM, STS and CloudFront log to us-east-1
- Create a trail yourself to capture data events as well and to store the logs in an S3 bucket as compressed JSON files. A trail can also deliver the events to CloudWatch Logs.
- Enabled by default – 90 days – no S3
- CloudTrail events delivered to CloudWatch Logs go into a log stream in a log group
AWS Control Tower vs AWS Landing Zone

Service or Feature                        | AWS Control Tower | AWS Landing Zone
New AWS Organization account              | ✅ yes            | ✅ yes
Existing AWS Organization account         | ❌ no             | ✅ yes
New AWS SSO environment                   | ✅ yes            | ✅ yes
Existing AWS SSO environment              | ❌ no             | ✅ yes
New AWS Service Catalog environment       | ✅ yes            | ✅ yes
Existing AWS Service Catalog environment  | ❌ no             | ✅ yes
New or existing Security Hub environment  | ✅ yes            | ❌ no
Support for CI/CD                         | ❌ no             | ✅ yes
Interactive APIs                          | ❌ no             | ❌ no
CloudFormation template(s)                | ❌ no             | ✅ yes
Terraform module(s)                       | ❌ no             | ✅ yes
S3 Versioning (continued): when the current object is deleted without a version ID, a delete marker is added and there is no current version
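Added example (not from these notes) covering the S3 Versioning points above and this one: an in-memory model of a versioning-enabled bucket showing that a DELETE without a version ID only adds a delete marker, that the object then has no current version, and that deleting the marker makes the previous version current again. Suspended mode is not modelled.

```python
import itertools


class VersionedBucket:
    """In-memory model of an S3 bucket with versioning enabled (constructed
    illustration, not the S3 API). Every PUT adds a version; a DELETE
    without a version id only adds a delete marker; deleting the marker
    makes the previous version current again."""

    def __init__(self):
        self._ids = itertools.count(1)
        # key -> list of (version_id, body); body None marks a delete marker
        self._versions = {}

    def put(self, key, body):
        vid = f"v{next(self._ids)}"
        self._versions.setdefault(key, []).append((vid, body))
        return vid

    def get(self, key, version_id=None):
        """No id: return the current (latest) version, or None when the
        current version is a delete marker. With an id: that version."""
        versions = self._versions.get(key, [])
        if version_id is None:
            if not versions or versions[-1][1] is None:
                return None
            return versions[-1][1]
        for vid, body in versions:
            if vid == version_id:
                return body
        return None

    def delete(self, key, version_id=None):
        """No id: add a delete marker (nothing is removed). With an id:
        permanently remove that version or delete marker."""
        versions = self._versions.setdefault(key, [])
        if version_id is None:
            vid = f"v{next(self._ids)}"
            versions.append((vid, None))
            return vid
        self._versions[key] = [(v, b) for v, b in versions if v != version_id]
        return version_id

    def list_versions(self, key):
        """Newest first, each tagged as a version or a delete marker."""
        return [(vid, "DeleteMarker" if body is None else "Version")
                for vid, body in reversed(self._versions.get(key, []))]
```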
Multipart Upload
- Min file size 100 MB
- Max 10,000 parts, each 5 MB – 5 GB
S3 Transfer Acceleration
- Uses edge locations. The client sends data to the nearest edge location over the public internet; from there it travels to S3 over the AWS network.
- Bucket name cannot contain periods and must be DNS compatible
KMS
- Regional and public service (occupies the AWS public zone)
- Capable of working with both symmetric and asymmetric keys
- KMS keys are logical – ID, date, policy, description and state
- Backed by physical key material (can be generated by KMS or imported)
- Keys never leave KMS
- Uses HSMs (hardware security modules) meeting the FIPS 140-2 Level 2 standard to create keys
- Can be used directly on data up to 4 KB. For data larger than 4 KB, KMS keys are used to generate DEKs (data encryption keys)
Levels
0 – No encryption
1 – Server-side encryption with the server holding the keys
2 – Server-side encryption with the client holding the keys
3 – Client-side encryption
DEK:
- Created by KMS via the GenerateDataKey operation and linked to the KMS key that generated it
- KMS doesn't store the DEKs
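Added example (not from these notes or the AWS SDK) of the envelope pattern behind the 4 KB limit and DEKs above: FakeKms is a constructed stand-in for the KMS calls, keeping key material inside itself and not storing generated DEKs, and the HMAC-based keystream is a demo-only stand-in for a real cipher such as AES-GCM so the block needs no third-party library.

```python
import hashlib
import hmac
import secrets

KMS_DIRECT_LIMIT = 4096  # KMS Encrypt/Decrypt accept at most 4 KB of plaintext


def _keystream_xor(key, nonce, data):
    # Demo-only stand-in cipher (HMAC-SHA256 counter-mode keystream); real
    # code uses AES-GCM. The same call both encrypts and decrypts.
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(4, "big"),
                         hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


class FakeKms:
    # Stand-in for the KMS calls envelope encryption uses: key material
    # never leaves this object, and generated DEKs are not stored by it.
    def __init__(self, key_ids):
        self._keys = {k: secrets.token_bytes(32) for k in key_ids}

    def encrypt(self, key_id, plaintext):
        if len(plaintext) > KMS_DIRECT_LIMIT:
            raise ValueError("KMS Encrypt takes at most 4 KB; use a DEK")
        nonce = secrets.token_bytes(12)
        return (key_id.encode() + b"|" + nonce
                + _keystream_xor(self._keys[key_id], nonce, plaintext))

    def decrypt(self, blob):
        key_id, rest = blob.split(b"|", 1)  # blob records which key to use
        return _keystream_xor(self._keys[key_id.decode()], rest[:12], rest[12:])

    def generate_data_key(self, key_id):
        dek = secrets.token_bytes(32)  # handed back once, not kept by KMS
        return dek, self.encrypt(key_id, dek)


def envelope_encrypt(kms, key_id, data):
    # Data of any size is encrypted locally with the DEK; only the wrapped
    # (KMS-encrypted) DEK is stored alongside the ciphertext.
    dek, wrapped = kms.generate_data_key(key_id)
    nonce = secrets.token_bytes(12)
    return {"wrapped_dek": wrapped, "nonce": nonce,
            "ciphertext": _keystream_xor(dek, nonce, data)}


def envelope_decrypt(kms, envelope):
    dek = kms.decrypt(envelope["wrapped_dek"])  # only the DEK round-trips KMS
    return _keystream_xor(dek, envelope["nonce"], envelope["ciphertext"])
```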