From f9f7b497ac777a705e45082f47c8a8b05c1e1a99 Mon Sep 17 00:00:00 2001 From: Michele Cereda Date: Sun, 6 Jul 2025 23:40:53 +0200 Subject: [PATCH] chore(aws): expand notes --- knowledge base/acronyms and abbreviations.md | 1 + knowledge base/cloud computing/aws/README.md | 68 ++++++++++++++++++-- knowledge base/cloud computing/aws/ecs.md | 24 +++++++ knowledge base/cloud computing/aws/iam.md | 4 +- knowledge base/cloud computing/aws/s3.md | 4 ++ 5 files changed, 95 insertions(+), 6 deletions(-) diff --git a/knowledge base/acronyms and abbreviations.md b/knowledge base/acronyms and abbreviations.md index db29534..755564e 100644 --- a/knowledge base/acronyms and abbreviations.md +++ b/knowledge base/acronyms and abbreviations.md @@ -25,6 +25,7 @@ | CD | Continuous Deployment | | | CDN | Content Delivery Network | | | CI | Continuous Integration | | +| CIDR | Classless Inter-Domain Routing | | | CLI | Command Line Interface | | | CMS | Content Management System | | | CN | Canonical Name | In Active Directory, the full path of an object in a canonical format | diff --git a/knowledge base/cloud computing/aws/README.md b/knowledge base/cloud computing/aws/README.md index d938683..da6cb68 100644 --- a/knowledge base/cloud computing/aws/README.md +++ b/knowledge base/cloud computing/aws/README.md @@ -71,16 +71,30 @@ subsequent requests that API receives. VPCs define isolated virtual networking environments.
AWS accounts include one default VPC for each AWS Region. +Every VPC will have at least one CIDR block.
+Every new AWS account will have one default VPC in every region, all with the `172.31.0.0/16` CIDR block assigned. + VPCs can be _peered_ to enable direct connectivity between them via private IP addresses.
The peer connection also requires exchanging route table entries between the VPCs. -Subnets are ranges of IP addresses in VPCs.
+Subnets are virtual networks, each of which carves out smaller range of IP addresses from their VPC's CIDR block.
Each subnet resides in a single Availability Zone.
_Public_ subnets have a direct route to an Internet gateway. Resources in public subnets **can** access the public Internet.
_Private_ subnets do **not** have a direct route to an Internet gateway. Resources in private subnets **require** a NAT device to access the public internet. +_Security groups_ control the traffic in and out of the resources associated with them, like firewalls would do.
+_Security group rules_ are **stateful**, meaning that connections initiated from the security group will allow the +corresponding answers to come back in (but not new connections).
+The default value for Egress traffic is to allow all connections. + +_Network Access Control Lists_ also control the traffic in and out. However, they are associated with subnets, and +affect all resources within that subnet.
+NACLs are **stateless**, meaning that both the Inbound and Outbound rules must match traffic patterns to allow +communications in **any** direction.
+_NACL rules_ allow all traffic by default. They also have a priority. + Gateways connect VPCs to other networks.
[_Internet gateways_][connect to the internet using an internet gateway] connect VPCs to the Internet.
[_NAT gateways_][nat gateways] allow resources in private subnets to connect to the Internet, other VPCs, or on-premises @@ -88,6 +102,10 @@ networks. They can communicate with services outside the VPC, but cannot receive [_VPC endpoints_][access aws services through aws privatelink] connect VPCs to AWS services privately, without the need of Internet gateways or NAT devices. +_Route tables_ control how traffic flows throughout, and in or out, a VPC.
+They are associated with subnets, and affect all resources within those subnets.
+By default, a VPC only comes with a single route table. It is referred to as the `Main` route table. + By default, connections to AWS services use the services' **public** endpoint. Traffic from instances in **public** subnets is routed to the VPC's internet gateway, then forwarded to the requested @@ -109,7 +127,7 @@ graph LR end ei --> ig ig --> i - ig --> as + i --> as ``` @@ -138,14 +156,39 @@ graph LR ei --> ng ng --> ig ig --> i - ig --> as + i --> as ``` [PrivateLink] leverages VPC endpoints to create a private and direct connection between a VPC and an AWS service.
-[Gateway endpoints] do the same in a more convenient way that does not use Elastic Network Interfaces, but can be used -only for some services ([S3] and DynamoDB). +[Gateway endpoints] do the same in a more convenient way that does not use Elastic Network Interfaces, but are only +supported by specific AWS services ([S3] and DynamoDB). + +
+ +```mermaid +graph LR + i(Internet) + subgraph Region + direction LR + subgraph VPC + subgraph Public Network + ng(NAT Gateway) + end + subgraph Private Network + ei(Instance) + end + ge(Gateway
Endpoint) + ig(Internet
Gateway) + end + as(AWS Service) + end + ei --> ge + ge --> as +``` + +
[Direct Connect] creates a dedicated network connection between on-premises data centers or offices and AWS. @@ -772,6 +815,8 @@ machine if not. - [Tools to Build on AWS] - [Boto3 documentation] - [More info about resource deprecation?] +- [What Is OIDC and Why Do We Need It?] +- [AWS Fundamentals Blog] ### Sources 
@@ -803,6 +848,12 @@ machine if not. - [What is AWS Global Accelerator?] - [How AWS Global Accelerator works] - [Using Amazon CloudWatch with AWS Global Accelerator] +- [Gateway Endpoints vs Internet Routing for S3] +- Introduction to the AWS Virtual Private Cloud (VPC) - + [Part 1][Introduction to the AWS Virtual Private Cloud (VPC) - Part 1], + [Part 2][Introduction to the AWS Virtual Private Cloud (VPC) - Part 2], + [Part 3][Introduction to the AWS Virtual Private Cloud (VPC) - Part 3] +- [VPC Endpoints: Secure and Direct Access to AWS Services] [avoid the 60 minutes timeout when using the aws cli with iam roles]: https://cloudonaut.io/avoid-the-60-minutes-timeout-when-using-the-aws-cli-with-iam-roles/ [aws iam roles - everything you need to know & examples]: https://spacelift.io/blog/aws-iam-roles +[AWS IAM Users: Understanding Identity Center, Organizations, and Federation]: https://awsfundamentals.com/blog/aws-iam-users [aws.permissions.cloud]: https://aws.permissions.cloud/ [get to grips with aws iam roles: terms, concepts, and examples]: https://blog.awsfundamentals.com/aws-iam-roles-terms-concepts-and-examples [introduction to aws iam assumerole]: https://aws.plainenglish.io/introduction-to-aws-iam-assumerole-fbef3ce8e90b [using aws cli securely with iam roles and mfa]: https://dev.to/albac/using-aws-cli-securely-with-iam-roles-and-mfa-56c3 -[you might be clueless as to why aws assume role isn't working, despite being correctly set up]: https://medium.com/@kamal.maiti/you-might-be-clueless-as-to-why-aws-assume-role-isnt-working-despite-being-correctly-set-up-1b3138519c07 [what is exactly "assume" a role in aws?]: https://stackoverflow.com/questions/50082732/what-is-exactly-assume-a-role-in-aws +[you might be clueless as to why aws assume role isn't working, despite being correctly set up]: https://medium.com/@kamal.maiti/you-might-be-clueless-as-to-why-aws-assume-role-isnt-working-despite-being-correctly-set-up-1b3138519c07 
diff --git a/knowledge base/cloud computing/aws/s3.md b/knowledge base/cloud computing/aws/s3.md index 05283c2..0ef0c26 100644 --- a/knowledge base/cloud computing/aws/s3.md +++ b/knowledge base/cloud computing/aws/s3.md @@ -224,6 +224,7 @@ Examples: [1][lifecycle configuration examples], [2][s3 lifecycle rules example - [Understanding and managing Amazon S3 storage classes] - [Using S3 Intelligent-Tiering] - [Amazon S3 cost optimization for predictable and dynamic access patterns] +- [Gateway Endpoints vs Internet Routing for S3] ### Sources @@ -233,6 +234,7 @@ Examples: [1][lifecycle configuration examples], [2][s3 lifecycle rules example - [CLI subcommand reference] - [Find out the size of your Amazon S3 buckets] - [How S3 Intelligent-Tiering works] +- [Amazon S3 Intelligent Tiering] +[Amazon S3 Intelligent Tiering]: https://awsfundamentals.com/blog/amazon-s3-intelligent-tiering +[Gateway Endpoints vs Internet Routing for S3]: https://awsfundamentals.com/blog/gateway-endpoints-vs-internet-routing-s3
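Review bot: in the VPC hunk (`@@ -71,16 +71,30 @@` of README.md), the line `_NACL rules_ allow all traffic by default.` holds only for a VPC's default network ACL; a newly created custom NACL denies all inbound and outbound traffic until rules are added, so the sentence should say which one it means. `They also have a priority.` would be more useful as: rules are evaluated in ascending rule-number order and the first match wins. In the same hunk, the added `Every new AWS account will have one default VPC in every region, ...` repeats the retained `AWS accounts include one default VPC for each AWS Region.` directly above it, so merge the two; `carves out smaller range of IP addresses` is missing an article (`a smaller range`); and the stateful description covers only connections initiated from the group, while replies to traffic allowed inbound are likewise allowed back out regardless of the egress rules.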
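Review bot: in the route-table hunk (`@@ -88,6 +102,10 @@` of README.md), the lines name the `Main` route table but not what it governs: every subnet without an explicit route table association uses the main route table implicitly, so a route added to it reaches subnets that were never associated on purpose. Adding that sentence after `It is referred to as the `Main` route table.` would explain why the main table matters when reviewing what a subnet can reach.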
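Review bot: in the added gateway-endpoint diagram (`@@ -138,14 +156,39 @@` of README.md), the `ng(NAT Gateway)` and `ig(Internet Gateway)` nodes are declared but no edge touches them, so Mermaid renders them as disconnected boxes; if the intent is to show that traffic through a gateway endpoint bypasses them, say so in the text or drop the nodes, otherwise the diagram reads as unfinished. The instance's subgraph is also labelled `Private Network` while the surrounding text says `private subnet`; using one term keeps the diagrams and prose aligned.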
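Review bot: in the sources hunk (`@@ -803,6 +848,12 @@` of README.md), the new list items `[What Is OIDC and Why Do We Need It?]`, `[AWS Fundamentals Blog]`, `[Gateway Endpoints vs Internet Routing for S3]`, the three `Introduction to the AWS Virtual Private Cloud (VPC) - Part N` references and `[VPC Endpoints: Secure and Direct Access to AWS Services]` have no matching `[label]: url` definition visible in the README.md hunks (the only definition of the gateway-endpoints post is added in s3.md), while the added `[AWS IAM Users: Understanding Identity Center, Organizations, and Federation]: ...` definition has no visible list item using it. Please confirm each label has its definition in the same file, since reference-style links without a definition render as literal bracketed text.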
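Review bot: in the s3.md hunks, the new `- [Amazon S3 Intelligent Tiering]` entry drops the hyphen that the existing `[Using S3 Intelligent-Tiering]` and `[How S3 Intelligent-Tiering works]` entries keep; the AWS product name is S3 Intelligent-Tiering, so renaming the label (and its `[Amazon S3 Intelligent Tiering]: https://...` definition together, so the reference still resolves) keeps the list consistent.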