Quick review of day 1
Security Groups
- Rules are stateful
- Once a rule is created, the return traffic in the other direction is allowed automatically
- Another security group can be used as the source when creating a rule (chaining diagram) (this is very useful)
Network ACLs
- Are stateless
- Both inbound and outbound rules must be written, otherwise traffic may not pass
- There are both allow and deny rules, so the order matters
- Lower rule numbers are evaluated first
Lab 3 is done after Module 6 has been covered
Module 6
Virtual Private Gateway ( VGW )
- Provides two endpoints (high availability)
AWS Direct Connect ( DX )
- Dedicated line, offered at 1G or 10G
Extending On-Premises Network to AWS using DX
- Connect to the VGW over DX
Connecting VPCs
- Use cases
  - Across regions
  - Across different accounts
- VPC Peering
  - A point-to-point relationship
  - Transitive peering relationships are not supported
    - If VPC-A peers with VPC-B and VPC-B peers with VPC-C, that does not mean VPC-A is connected to VPC-C
  - Use private IP addresses
  - Intra- and inter-region support
  - IP spaces cannot overlap
Connecting VPCs - Transit Gateway
VPC Endpoints
- Privately connect your EC2 instances to services outside your VPC without leaving AWS.
- Must be in the same region
  - Connect directly to the service within the same region; no need to go out to the internet
- Types of endpoints
  - Interface endpoint
  - Gateway endpoint
    - Amazon S3
    - Amazon DynamoDB
==== Class Break ====
ELB
- Region-level service
- ALB ( Application Load Balancer )
- NLB ( Network Load Balancer )
- CLB ( Classic Load Balancer )
Amazon Route 53
- HA and scalable cloud DNS service
Lab 3 Creating a Virtual Private Cloud
Module 7 IAM
Identity and Access Management
- Authentication
  - Security Credentials
    - User / Password ( Web )
    - AccessKey ID & Secret AccessKey ( CLI, SDK )
- Authorization ( Policy )
The AWS Account Root User
- Full access to all AWS services and resources.
- Has extreme power and cannot be limited (its permissions cannot be reduced)
A Safer Way to Administer
- Create IAM admin user
- Lock away the root user credentials
- Use IAM admin user
Lunch break
==== Class Break ====
IAM Principals
- IAM user
  - IAM users are not separate AWS accounts
  - No default permissions
- Federated user
- IAM role
- Identity provider ( IdP )
Granting Permission
- Policy
  - A formal declaration of one or more permissions
  - Evaluated at the time of request
  - IAM policies ONLY control access to AWS services
    - IAM has no visibility above the hypervisor
- Resource-based policy
  - Attached to an AWS resource
  - Attached to
    - AWS resources
  - Controls
    - Actions allowed for a specific principal
    - What conditions are required
  - Are always inline policies
    - NO AWS-managed resource-based policies
- Identity-based policy
  - Attached to an IAM principal
  - Attached to
    - User
    - Group
    - Role
  - Controls
    - Actions performed
    - Which resources
    - What conditions are required
Applying Permissions
- Elements that may appear
  - Principal
  - Action
  - Resource / NotResource
  - Effect
    - Allow or Deny
Policy precedence
- Explicit Deny
- Explicit Allow
- Implicit Deny (anything not covered by the above)
The textbook example uses NotResource + Deny to define an Explicit Deny
- This is the stricter approach
- Because when policies are stacked later, the Explicit Deny defined here overrides the Explicit Allow of any other policy
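The precedence rule above, as an added example that is not part of the original notes: a small Python evaluator that applies explicit deny > explicit allow > implicit deny to two constructed policies, one of them the NotResource + Deny pattern from the textbook case. The policy contents, bucket names and the wildcard matching via fnmatch are assumptions; real IAM matching (case-insensitivity, Condition, NotAction) is not modelled.

```python
import fnmatch  # "*" in Action/Resource patterns is approximated with fnmatch (assumption)

# Constructed sample policies (not from the notes): a broad identity-based Allow on S3,
# plus a NotResource + Deny statement that pins access to one bucket.
POLICIES = [
    {"Statement": [
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": ["*"]},
    ]},
    {"Statement": [
        {"Effect": "Deny", "Action": ["s3:*"],
         "NotResource": ["arn:aws:s3:::team-bucket", "arn:aws:s3:::team-bucket/*"]},
    ]},
]


def _matches(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _statement_applies(stmt, action, resource):
    """True when the statement's Action and Resource/NotResource cover this request."""
    if not _matches(stmt.get("Action", []), action):
        return False
    if "Resource" in stmt:
        return _matches(stmt["Resource"], resource)
    if "NotResource" in stmt:
        # NotResource applies to every resource that is NOT listed
        return not _matches(stmt["NotResource"], resource)
    return False


def evaluate(policies, action, resource):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request.
    Order follows the notes: an explicit Deny in any policy wins over every Allow,
    and with no matching statement at all the result is an implicit deny."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # nothing stacked on top can override it
            decision = "Allow"
    return decision


if __name__ == "__main__":
    print(evaluate(POLICIES, "s3:GetObject", "arn:aws:s3:::team-bucket/report.csv"))   # Allow
    print(evaluate(POLICIES, "s3:GetObject", "arn:aws:s3:::other-bucket/secret.csv"))  # ExplicitDeny
    print(evaluate(POLICIES, "ec2:StartInstances", "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc"))  # ImplicitDeny
```

Reversing the order of the two policies gives the same result for the other-bucket request, which is the point of the NotResource + Deny pattern: the deny holds no matter which Allow is stacked with it.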
IAM Roles
- Purposes
  - A way to grant permissions temporarily, without attaching them to a user or group
  - Cross-account scenarios (e.g. a user from another account accessing resources in your own account)
- Define a set of permissions to access the resources that a user or service needs.
- The permissions are not attached to an IAM user or group
- The permissions are attached to a role and the role is assumed by the user or the service. (assumed = switched into)
Policy names
- Attached to IAM, it is called an IAM Policy
- Attached to a resource, it is called an S3 Bucket Policy, SNS Policy, etc. (named after the service)
- Names of the policies on a Role
  - Trust Policy
  - Access Policy
IAM Roles Use cases
- Provide AWS resources with access to AWS services
- Provide access to externally authenticated users
- Provide access to third parties
- Switch roles to access resources in
  - Your AWS account
  - Any other AWS account ( cross-account access )
Assume a Role
- AWS Management Console
- AWS CLI
- AssumeRole API call
- AWS Security Token Service ( AWS STS ) (temporary credentials)
Amazon Cognito
Break until 14:30
==== Class Break ====
Module 8
High Availability Factors
- Fault tolerance
  - The built-in redundancy of an application's components
- Recoverability
- Scalability
Two types of Elasticity
- Time-Based
- Volume-Based
Monitoring Infrastructure with Amazon CloudWatch
- Metrics
- Logs
- Alarms
- Events
  - Rules
  - Targets
Using Auto Scaling to Provide Elasticity
Lab 4: Create HA environment
Break until 16:15
==== Class Break ====
Module 9
AWS CloudFormation
AWS Systems Manager
- Automated configuration and ongoing management of systems at scale
AWS OpsWorks for Infrastructure and Deployment Automation
- Managed Chef or managed Puppet
AWS Elastic Beanstalk
Lab 5: Automating Infrastructure Deployment