VPCs define isolated virtual networking environments.
AWS accounts include one default VPC for each AWS Region. These allow for immediate launch and connection to EC2 instances.

Subnets are ranges of IP addresses in VPCs.
Each subnet resides in a single Availability Zone.
Public subnets have a direct route to an Internet gateway. Resources in public subnets can access the public Internet.
Private subnets do not have a direct route to an Internet gateway. Resources in private subnets require a NAT device to access the public internet.

Gateways connect VPCs to other networks.
Internet gateways connect VPCs to the Internet.
NAT gateways allow resources in private subnets to connect to the Internet, other VPCs, or on-premises networks. They can communicate with services outside the VPC, but cannot receive unsolicited connection requests.
VPC endpoints connect VPCs to AWS services privately, without the need of Internet gateways or NAT devices.

Elastic IP addresses

Refer Elastic IP addresses.

Static, public IPv4 addresses allocated to one's AWS account until one releases it.
One can can rapidly remapping addresses to other instances in one's account and use them as targets in DNS records.

Services

Service	Description
Billing and Cost Management	FIXME
CloudWatch	Observability (logging, monitoring, alerting)
Config	Compliance
Detective	FIXME
EC2	Virtual machines
ECR	Container registry
ECS	Containers as a service
EKS	Kubernetes clusters
EventBridge	FIXME
GuardDuty	Threat detection
Inspector	FIXME
OpenSearch	ELK, logging
RDS	Databases
S3	Storage
Sagemaker	Machine learning
Security Hub	Aggregator for security findings

Service icons are publicly available for diagrams and such.

Billing and Cost Management

Costs can be grouped by Tags applied on resources.
Tags to use for this kind of grouping need to be activated in the Cost allocation tags section.
New tags might take 24 or 48 hours to appear there.

CloudWatch

Observability service. with functions for logging, monitoring and alerting.

Metrics are whatever needs to be monitored (e.g. CPU usage). Data points are the values of a metric over time. Namespaces are containers for metrics.

Metrics only exist in the region in which they are created.

Many AWS services offer basic monitoring by publishing a default set of metrics to CloudWatch with no charge.
This feature is automatically enabled by default when one starts using one of these services.

Config

FIXME

Compliance service for assessing and auditing AWS resources.

Provides an inventory of resources.
Records and monitors resource configurations and their changes.
The data is stored in a bucket (default name config-bucket-{aws-account-number})
Changes can be streamed to 1 SNS topic for notification purposes.
Uses rules to evaluate whether the resources configurations comply.
Rule evaluation is done once every time a configuration changes, or periodically.
Resources are marked with the evaluation result (compliant, non-compliant).

Custom rules can be used to evaluate for uncommon requirements.
Custom rules leverage lambda functions.

Allows for automatic remediation for non-compliant resources by leveraging Systems Manager Automation documents.

Conformance packs are set of rules bundled together as a deployable single entity.
Defined as YAML templates.
Immutable: users cannot make changes without updating the whole rule package.
Sample templates for compliance standards and benchmarks are available.

Detective

FIXME

Uses ML and graphs to try and identify the root cause of security issues.
Creates visualizations with details and context by leveraging events from VPC Flow Logs, CloudTrail and GuardDuty.

GuardDuty

FIXME

Threat detection service.

It continuously monitors accounts and workloads for malicious activity and delivers security findings for visibility and remediation.
Done by pulling streams of data from CloudTrail, VPC Flow Logs or EKS.

Member accounts can administer GuardDuty by delegation if given the permissions to do so.

Findings are potential security issues for malicious events.
Those are also sent to EventBridge for notification (leveraging SNS).
Each is assigned a severity value (0.1 to 8+).

Trusted IP List is a whitelist of public IPs that will be ignored by the rules.
Threat IP List is a blacklist of public IPs and CIDRs that will be used by the rules.

EventBridge

FIXME

Inspector

FIXME

RDS

Read replicas can be promoted to standalone DB instances.
See Working with DB instance read replicas.

Disk free metrics are available in CloudWatch.

Automatic backups are enabled by default.
RDS will automatically create storage volume snapshots of the entire DB instances.
Backups occur during a daily user-configurable 30 minute period backup window and are kept for a configurable number of up to 35 days (backup retention period). One can recover DB instances to any point in time during the backup retention period.

DB instances must be in the available state for automated backups to occur.
Automated backups don't occur while DB instances are in other states (i.e., storage_full).

Automated backups don't occur while a DB snapshot copy is running in the same AWS Region for the same database.

Back up DB instances manually by creating DB snapshots.
The first snapshot contains the data for the full database. Subsequent snapshots of the same database are incremental.

One can copy both automatic and manual DB snapshots, but only share manual DB snapshots.

RDS backup storage for each Region is composed of both the automated backups and manual DB snapshots for that Region.
Moving snapshots to other Regions increases the backup storage in the destination Regions.

Backups are stored in S3.

Should one choose to retain automated backups when deleting DB instances, its automated backups are saved for the full retention period, otherwise all automated backups are deleted with the instance.
After they are deleted, automated backups can't be recovered.

Should one choose to have RDS create a final DB snapshot before deleting a DB instance, one can use that or previously created manual snapshots to recover it.

Manual snapshots are not deleted.

One can store up to 100 manual snapshots per Region.

One can choose any of the following retention periods for instances' Performance Insights data:

7 days (default, free tier).
n months, where n is a number from 1 to 24.
In CLI and IaC, this number must be n*31.

One can export DB snapshot data to S3 buckets.

The export process runs in the background and does not affect the performance of active DB instances.

RDS extracts data from snapshots and stores it in Apache Parquet format.
By default, all data in the snapshots is exported; one can export specific sets of databases, schemas, or tables.

After the export, one can analyze the data directly through Athena or Redshift Spectrum.

Security Hub

FIXME

Aggregator of findings for security auditing.

Uses Config to check resources' configuration by leveraging compliancy rules.

Security standards are offered as ret of rules for Config.

Data can be aggregated from different regions.
If the integration is enabled, findings from AWS services (GuardDuty) are used too within 5 minutes on average, while ones from 3rd parties can take longer.

Data can be imported from or exported to 3rd parties if the integration is enabled.
Kinda acts as a middle layer for AWS accounts.

Findings are consumed in AWS Security Finding Format (ASFF).
Those are automatically updated and deleted. Findings after 90 days are automatically deleted even if not resolved.

Can use custom insights.

Custom actions can be sent to EventBridge for automation.

Member accounts can administer Security Hub by delegation if given the permissions to do so.

Resource constraints

Data type	Component	Summary	Description	Type	Length	Pattern	Required
Statement ID	Value	Optional identifier for a policy statement	The element supports only ASCII uppercase letters (A-Z), lowercase letters (a-z), and numbers (0-9).	String	FIXME	`[A-Za-z0-9]`	No
Tag	Key	Required name of the tag	The string value can be Unicode characters and cannot be prefixed with "aws:". The string can contain only the set of Unicode letters, digits, white-space, `_`,' `.`, `/`, `=`, `+`, `-`, `:`, `@` (Java regex: `^([\\p{L}\\p{Z}\\p{N}_.:/=+\\-]*)$`)	String	1 to 128	`^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`	Yes
Tag	Value	The optional value of the tag	The string value can be Unicode characters. The string can contain only the set of Unicode letters, digits, white-space, `_`, `.`, `/`, `=`, `+`, `-`, `:`, `@` (Java regex: `^([\\p{L}\\p{Z}\\p{N}_.:/=+\\-])$"`, `[\p{L}\p{Z}\p{N}_.:\/=+\-@]` on AWS)	String	0 to 256	`^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`	Yes

Access control

Entity	Description	Notes
User	Represents a human or a workload. Defined by its name and credentials.	No permissions by default, need to be assigned to it
Role	Defines a set of permissions for making requests to AWS services. Defines what actions can be performed on which resources.	Can be assumed by AWS services, applications and users

To be able to assume roles:

Users, roles or services must have the permissions to assume the role they want to assume.
The role's trust relationship should allow the users, roles or services to assume it.

From Using service-linked roles:

A service role is an IAM role that a service assumes to perform actions on your behalf.
An IAM administrator can create, modify, and delete a service role from within IAM.

A service-linked role is a type of service role that is linked to an AWS service.
The service can assume the role to perform an action on your behalf.
Service-linked roles appear in your AWS account and are owned by the service. An IAM administrator can view, but not edit the permissions for service-linked roles.

Check aws.permissions.cloud for a community-driven source of truth for AWS identity.

IAM policies

IAM does not expose policies' Sid element in the IAM API, so it can't be used to retrieve statements.

Examples:

Give a user temporary RO access to a bucket

Create the policy:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowAttachedPrincipalsTemporaryROAccessToBucket",
    "Effect": "Allow",
    "Action": [
      "s3:GetObject",
      "s3:GetObjectAttributes",
      "s3:ListBucket",
      "s3:ListBucketVersions"
    ],
    "Resource": [
      "arn:aws:s3:::my-bucket",
      "arn:aws:s3:::my-bucket/*"
    ],
    "Condition": {
      "DateLessThan": {
        "aws:CurrentTime": "2024-03-01T00:00:00Z"
      }
    }
  }]
}

$ aws iam create-policy --output 'yaml' \
  --policy-name 'temp-ro-access-my-bucket' --policy-document 'file://policy.json'
- Policy:
    Arn: arn:aws:iam::012345678901:policy/temp-ro-access-my-bucket
    AttachmentCount: 0
    CreateDate: '2024-02-25T09:34:12+00:00'
    DefaultVersionId: v1
    IsAttachable: true
    Path: /
    PermissionsBoundaryUsageCount: 0
    PolicyId: ANPA2HKHE74L11PTJGB3V
    PolicyName: temp-ro-access-my-bucket
    UpdateDate: '2024-02-25T09:34:12+00:00'

Attach the newly created policy to the user:

aws iam attach-user-policy \
  --user-name 'my-user' --policy-arn 'arn:aws:iam::012345678901:policy/temp-ro-access-my-bucket'

README.md

Amazon Web Services

Networking

Elastic IP addresses

Services

Billing and Cost Management

CloudWatch

Config

Detective

GuardDuty

EventBridge

Inspector

RDS

Security Hub

Resource constraints

Access control

IAM policies

Further readings

Sources