Amazon Web Services
Networking
VPCs define isolated virtual networking environments.
AWS accounts include one default VPC for each AWS Region. These allow for immediate launch and connection to EC2
instances.
Subnets are ranges of IP addresses in VPCs.
Each subnet resides in a single Availability Zone.
Public subnets have a direct route to an Internet gateway. Resources in public subnets can access the public
Internet.
Private subnets do not have a direct route to an Internet gateway. Resources in private subnets require a NAT
device to access the public internet.
Gateways connect VPCs to other networks.
Internet gateways connect VPCs to the Internet.
NAT gateways allow resources in private subnets to connect to the Internet, other VPCs, or on-premises
networks. They can communicate with services outside the VPC, but cannot receive unsolicited connection requests.
VPC endpoints connect VPCs to AWS services privately, without the need of Internet gateways or NAT devices.
Services
| Service | Description |
|---|---|
| CloudWatch | Observability (logging, monitoring, alerting) |
| Config | FIXME |
| EC2 | Virtual machines |
| ECR | Container registry |
| EKS | Kubernetes clusters |
| S3 | Storage |
| Sagemaker | Machine learning |
CloudWatch
Observability service. with functions for logging, monitoring and alerting.
Metrics are whatever needs to be monitored (e.g. CPU usage). Data points are the values of a metric over time. Namespaces are containers for metrics.
Metrics only exist in the region in which they are created.
Many AWS services offer basic monitoring by publishing a default set of
metrics to CloudWatch with no charge.
This feature is automatically enabled by default when one starts using one of these services.
Config
Compliance service for assessing and auditing AWS resources.
Records and monitors resource configurations.
Uses rules to evaluate whether the resources comply. Marks them with the evaluation result (compliant, non-compliant).
Custom rules can be used to evaluate for uncommon requirements.
Custom rules leverage lambda functions.
Allows for automatic remediation for non-compliant resources by leveraging Systems Manager Automation documents.
Conformance packs are set of rules bundled together as a deployable single entity.
Defined as YAML templates.
Immutable: users cannot make changes without updating the whole rule package.
Sample templates for compliance standards and benchmarks are available.
Resource constraints
| Data type | Component | Summary | Description | Type | Length | Pattern | Required |
|---|---|---|---|---|---|---|---|
| Tag | Key | Required name of the tag | The string value can be Unicode characters and cannot be prefixed with "aws:". The string can contain only the set of Unicode letters, digits, white-space, _,' ., /, =, +, -, :, @ (Java regex: ^([\\p{L}\\p{Z}\\p{N}_.:/=+\\-]*)$) |
String | 1 to 128 | ^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$ |
Yes |
| Tag | Value | The optional value of the tag | The string value can be Unicode characters. The string can contain only the set of Unicode letters, digits, white-space, _, ., /, =, +, -, :, @ (Java regex: ^([\\p{L}\\p{Z}\\p{N}_.:/=+\\-]*)$", [\p{L}\p{Z}\p{N}_.:\/=+\-@]* on AWS) |
String | 0 to 256 | ^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$ |
Yes |
Access control
| Entity | Description | Notes |
|---|---|---|
| User | Represents a human or a workload. Defined by its name and credentials. |
No permissions by default, need to be assigned to it |
| Role | Defines a set of permissions for making requests to AWS services. Defines what actions can be performed on which resources. |
Can be assumed by AWS services, applications and users |
To be able to assume roles:
- Users, roles or services must have the permissions to assume the role they want to assume.
- The role's trust relationship should allow the users, roles or services to assume it.
From Using service-linked roles:
A service role is an IAM role that a service assumes to perform actions on your behalf.
An IAM administrator can create, modify, and delete a service role from within IAM.A service-linked role is a type of service role that is linked to an AWS service.
The service can assume the role to perform an action on your behalf.
Service-linked roles appear in your AWS account and are owned by the service. An IAM administrator can view, but not edit the permissions for service-linked roles.
Further readings
- EC2
- Services that publish CloudWatch metrics
- Using service-linked roles
- Best Practices for Tagging AWS Resources