ross-humphrey
/ aws-access-keys-best-practice.txt
Created
January 16, 2020 10:57
🔑 Best Practices for Managing AWS Access Keys
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Remove or do not generate account access keys | |
| > Best way to protect your account is not having one | |
| > Better to create one or more AWS Identity and Access Management users. | |
| Use temporary security credentials (IAM Roles) instead of Long-Term Access Keys | |
| > Create IAM roles and generate temporary security credentials | |
| > Security token associated with credentials has time to live | |
| Use an IAM role and temporary security credentials in the following scenarios: | |
| > AWS CLI scripts running on EC2 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| IAM Best Practices | |
| > Lock Away Your AWS Account Root User Access Keys | |
| > Create individual IAM Users | |
| > Use Groups to Assign Permissions to IAM Users | |
| > Grant Least Privilege | |
| > Get Started Using Permissions with AWS Managed Policies (useful link @ https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html) | |
| > Use Customer Managed Policies Instead of Inline policies | |
| > Use Access Levels to review IAM permissions | |
| > Configure a Strong password policy for your users |
ross-humphrey
/ public-facing-load-balancer-ec2-private-ip.txt
Created
January 14, 2020 16:37
📢 Connect public facing load balancer to EC2 with private IP
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Create public subnets in the same AZ's as the private subnets that are used by private instances. Associate the public subnets | |
| to the internet facing load balancer | |
| Public subnet: | |
| > Subnets default traffic is routed to an internet gateway | |
| > Subnet is known as a public subnet | |
| > Instance launched in subnet with elastic IP or public IP associated with it then it is publiclly accessible | |
| Private Subnet: | |
| > If subnets default traffic is routed to a NAT instance or gateway or lacks default route then private |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Cloudformation helps you model and set up your AWS resources. | |
| Template describes all the AWS resources | |
| > EC2 | |
| > RDs etc etc | |
| Cloud formation then takes care of provisioning and configuring those resources for you. | |
| AWS then handles dependencies etc. | |
| Simplify Infrastructure Management: | |
| > Create or modify an existing Cloudformation template. | |
| > Describe all the resources and their properties |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Amazon S3 | |
| > Object storage | |
| > Industry leading - scalability, availability, security, performance | |
| > Easy to use management features | |
| > Easy to organize data and configure finely tuned access controls | |
| > 11 9's of durability | |
| Amazon Elastic Block Store | |
| > Persistent block storage volumes for use with EC2 | |
| > Each EBS volume is automatically replicated within its AZ to protect from failure |
ross-humphrey
/ amazon-cloudfront-notes.txt
Last active
January 13, 2020 17:06
🌩 Amazon Cloudfront Notes
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Amazon CloudFront is a web service that speeds up distribution of your static and dynamic web content, .css .js and image files. | |
| Delivers content through a worldwide network of data centers called edge locations. | |
| When a user requests content served via Cloudfront, the user is routed to the edge location that provides the lowest latency. | |
| If the content is on the edge location - immediately delivered, if not Cloudfront retrieves it from an origin you have defined. | |
| > Speeds up the retrieval of content by routing through the AWS backbone to the edge location that can best serve your content. | |
| > This reduces the number of networks that the request must pass thru, increasing perofrmance, lowering latency. | |
| > As a byproduct you get better reliablity and avialbility because copies of your files are now cached in multiple edge locations |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Cloudtrail helps you enable governance, compliance and operational and risk auditing in your AWS account. | |
| Actions taken by a user,role or AWS service are recorded as events. | |
| Events include actions taken in the AWS management console, CLI, SDKs and APIs. | |
| Enabled by default. (Lasts 90 Days) | |
| Review the event history, for an ongoing record of activity and events - create a trail. | |
| Visibility into AWS account activity is a key aspect of security and operational best practices. | |
| Cloudtrail can be used to: |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Highly available and scalable DNS service. | |
| Performs three main functions: | |
| > Register domain names | |
| > Route itnernet traffic to the resources on your domain | |
| > Check health of resources | |
| Route itnernet traffic to the resources on your domain | |
| > Makes the connection between domain name and the IP address. | |
ross-humphrey
/ s3-storage-classes.txt
Last active
January 11, 2020 21:52
💾 S3 Storage Classes Notes
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| S3 Standard | |
| > General purpose storage of frequently accessed data | |
| Key Features: | |
| > Low latency, high throughput | |
| > 99.99% availability a year | |
| > Resilient against events that impact an entire AZ | |
| > Back with Amazon S3 SLA | |
| > Supports SSL for data in transit and rest | |
| > S3 Lifecycle management for automatic migration of objects to other S3 storage classes. |
ross-humphrey
/ overview-of-security-processes-whitepaper-notes.txt
Last active
January 11, 2020 21:53
🔐 Notes from 'Overview of Security Processes' Whitepaper by AWS
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Shared security responsibility model. | |
| > Security shared between AWS and the customer. | |
| > AWS secures underlying infrastructure | |
| > Customer responsible for anything in the cloud | |
| Managed Services: | |
| > Resource without configuration work that can come with them. | |
| > Don't worry about guest OS or database or replicates | |
| > Just protect the AWS account using IAM | |