Misc

Cards (23)

  • Amazon S3 – Moving between Storage Classes
    • You can transition objects between storage classes.
    • For infrequently accessed objects, move them to Standard IA.
    • For archive objects that you don’t need fast access to, move them to Glacier or Glacier Deep Archive.
    • Moving objects can be automated using Lifecycle Rules.
  • Amazon S3 – Lifecycle Rules

    Transition Actions – configure objects to transition to another storage class

    • Move objects to Standard IA class 60 days after creation
    • Move to Glacier for archiving after 6 months

    Rules can be created for a certain prefix (example: s3://mybucket/mp3/*)

    Rules can be created for certain object tags (example: Department:Finance)
  • Amazon S3 – Lifecycle Rules
    Expiration actions – configure objects to expire (delete) after some time
    • Access log files can be set to delete after 365 days
    • Can be used to delete old versions of files (if versioning is enabled)
    • Can be used to delete incomplete Multi-Part uploads
    Transition Actions are another type of Lifecycle Rule.
  • Amazon S3 Analytics – Storage Class Analysis

    • Helps you decide when to transition objects to the right storage class.

    • Recommendations for Standard and Standard IA (Does NOT work for One-Zone IA or Glacier).

    • Report is updated daily.

    Takes 24 to 48 hours to start seeing data analysis.

    • Good first step to put together Lifecycle Rules (or improve them)!
  • Amazon S3 – Replication (CRR [Cross-Region Replication] & SRR [Same-Region Replication])

    • Must enable Versioning in source and destination buckets.
    • Buckets can be in different AWS accounts.
    • Copying is asynchronous.
    • Must give proper IAM permissions to S3.

    Use cases:
    • CRR – compliance, lower latency access, replication across accounts.
    • SRR – log aggregation, live replication between production and test accounts.
  • Amazon S3 – Replication (Notes)

    • After you enable Replication, only new objects are replicated.
    • Optionally, you can replicate existing objects using S3 Batch Replication.
    • • Replicates existing objects and objects that failed replication.

    For DELETE operations.
    • Can replicate delete markers from source to target (optional setting).

    There is no “chaining” of replication.

    (see image for details)
  • AWS Certificate Manager (ACM)

    > To host public SSL certificates in AWS, you can:

    • • Buy your own and upload them using the CLI.
    • • Have ACM provision and renew public SSL certificates for you (free of cost).

    > ACM loads SSL certificates on the following integrations:

    • • Load Balancers (including the ones created by EB (Elastic Beanstalk)).
    • • CloudFront distributions.
    • • APIs on API Gateways.

    > SSL certificates are overall a pain to manage manually, so ACM is great to leverage in your AWS infrastructure!
  • AWS Private Certificate Authority (CA)

    Managed service that allows you to create private Certificate Authorities (CAs), including root and subordinate CAs. (1)
    • Can issue and deploy end-entity X.509 certificates. (2)

    (1) Allows you to issue certificates privately; you manage the certificate authority yourself.
    (2) These certificates can be used by your applications. They are end-entity certificates, meaning they cannot be used to issue further certificates.
  • AWS Private Certificate Authority (CA)

    • Certificates are trusted only by your Organisation (not the public Internet).
    • Integrates with Amazon EKS (Elastic Kubernetes Service) and any AWS service that is integrated with ACM (AWS Certificate Manager).

    Use cases:

    • • Encrypted TLS communication, cryptographically signing code
    • • Authenticate users (3), computers, API endpoints (4), and IoT devices
    • • Enterprise customers building a Public Key Infrastructure (PKI)

    (3) For users, e.g., for client VPN purposes.
    (4) API endpoints that expose a private URL.
  • ACM – Validation Techniques

    • Before ACM issues a public certificate, you must prove that you own/control the domain.

    DNS Validation (recommended)

    • Leverages a CNAME record created in DNS config (e.g., Route 53).
    • Preferred for automatic renewal purposes.
    • Takes a few minutes to verify.

    Email Validation

    • A validation email is sent to the contact addresses in the WHOIS database.
    • Takes a few minutes to verify.
  • ACM Validation is NOT required for what type of certificates?

    Imported certificates or certificates signed by a Private CA.
  • Before ACM issues a public certificate, you must prove that you own/control the domain. What are the two Validation Techniques?
    DNS (recommended), and Email Validation.
  • ACM – Automatic Renewal

    • If ACM fails to renew a DNS-validated certificate:
    • • Most likely due to missing or inaccurate CNAME records in your DNS config.
    • • You can try Email Validation (requires action by the domain owner).

    ACM sends renewal notices 45 days before expiration.
    • Renewal emails are sent to the domain’s WHOIS mailbox addresses.
    • The email contains a link that the domain owner can click for easy renewal.
    • ACM issues a renewed certificate with the same ARN.
  • ACM – Pending Validation – How to resolve?

    Resolution:

    • Confirm the CNAME record is added to the correct DNS config (1)
    $ dig +short _a79865eb4cd1a6ab990a45779b4e0b96.example.com.

    • Confirm the CNAME record in your DNS config contains no additional or missing characters.

    (1) Use the dig CLI command, for example, to verify the value of the DNS record itself.
  • ACM – Pending Validation – How to resolve?
    Resolution:
    • If your DNS provider automatically adds the bare domain to the end of its DNS records, remove the bare domain from the DNS record name.
    • • _a79865eb4cd1a6ab990a45779b4e0b96.[example.com.]example.com (that's common).
    • If there are both CNAME and TXT records for the same domain name, delete the TXT record; it may conflict with ACM, so test it out.
  • Process to Manually Create a Certificate.

    Instead of getting ACM to issue certificates for you:

    • You can create a Certificate manually, then upload the Certificate to either ACM or IAM.

    The CA in this case is an external CA that validates the domain (externally from ACM). Ownership and issuance of the certificate are down to you.

    Much easier if everything is done within ACM, but you still have the capability of importing certificates into it.
  • ACM – Monitor Expired Imported Certificates

    1) ACM

    • Sends daily expiration events starting 45 days prior to expiration.
    • The # of days can be configured.
    • Events appear in EventBridge.

    2) AWS Config

    • Has a managed rule named acm-certificate-expiration-check to check for expiring certificates (configurable number of days).

    NOTE: If you have a manually imported certificate, you will have to renew it manually outside ACM and then re-import it.
  • AWS Backup

    Fully managed service.
    Centrally manage and automate backups across AWS services.
    • No need to create custom scripts and manual processes.

    Supported services (no need to remember them individually, just the concept):

    • • Amazon EC2 / Amazon EBS
    • • Amazon S3
    • • Amazon RDS (all DB engines) / Amazon Aurora / Amazon DynamoDB
    • • Amazon DocumentDB / Amazon Neptune
    • • Amazon EFS / Amazon FSx (Lustre & Windows File Server)
    • • AWS Storage Gateway (Volume Gateway).

    • Supports cross-region backups
    • Supports cross-account backups.
  • AWS Backup
    • Supports PITR (Point In Time Recovery) for supported services e.g. Aurora.
    On-Demand and Scheduled backups.
    Tag-based backup policies.
    • You create backup policies known as Backup Plans.
    • • Backup frequency (every 12 hours, daily, weekly, monthly, cron expression).
    • • Backup window.
    • • Transition to Cold Storage (Never, Days, Weeks, Months, Years).
    • • Retention Period (Always, Days, Weeks, Months, Years).
    Backed up to Amazon S3 in an internal bucket that is specific to AWS Backup.
  • AWS Backup Vault Lock

    • Enforce a WORM (Write Once Read Many) state for all the backups that you store in your AWS Backup Vault.

    • Additional layer of defence to protect your backups against:
    • • Inadvertent or malicious delete operations.
    • • Updates that shorten or alter retention periods.

    • Even the root user cannot delete backups when enabled.
  • Amazon DLM (Data Lifecycle Manager)

    • Automate the creation, retention, and deletion of EBS snapshots and EBS-backed AMIs.
    Schedule backups, cross-account snapshot copies, delete outdated backups, ...
    • Uses resource tags to identify the resources (EC2 instances, EBS volumes).
    • Can’t be used to manage snapshots/AMIs created outside DLM.
    • Can’t be used to manage instance-store backed AMIs.

    Diagram Example, top right:

    ...Or we can tag an EC2 instance directly with the environment prod tag, and then the instance itself and its EBS volumes will be backed up.
  • AWS Nitro Enclaves

    Gives you the highest level of security on EC2. You just need to know this concept at a high level.

    • Process highly sensitive data in an isolated compute environment
    • • Personally Identifiable Information (PII), healthcare, financial, ...

    • Fully isolated virtual machines, hardened, and highly constrained
    • • Not a container, not persistent storage, no interactive access, no external networking.
  • AWS Nitro Enclaves
    Gives you the highest level of security on EC2. You just need to know this concept at a high level.
    • Helps reduce the attack surface for sensitive data processing apps
    • • Cryptographic Attestation – only authorised code can be running in your Enclave
    • • Only Enclaves can access sensitive data (integration with KMS)
    • Use cases: securing private keys, processing credit cards, secure multi-party computation...