AWS - Coggle Diagram
AWS
S3 Security
Data at rest
S3
SSE-KMS
- S3 objects are encrypted with the key from KMS
SSE-C
- S3 objects are encrypted by user provided key
Client-side Encryption
- Data is encrypted by the client before it is uploaded to S3
- AWS never handles the plaintext or the key
SSE-S3
- S3 objects are encrypted with AWS managed key
Amazon Macie
- Uses ML and pattern matching to scan objects in S3 buckets
- Identifies sensitive data/PII stored in S3
Glacier
- AES-256 encrypted with AWS managed key
Data in transit
- S3 provides HTTPS endpoints along with HTTP endpoints
- An aws:SecureTransport condition in the bucket policy can enforce HTTPS (deny every request where the key is false)
- Only HTTPS can be used if S3 is encrypted with SSE-C
Pre-signed URL
- A signed URL lets a requester download from or upload to S3 without holding AWS credentials; the signature is computed with the credentials of whoever generated it
- Download links can be generated with the CLI (aws s3 presign); upload links require the SDK
Retention
- A link is valid only for a limited time
- --expires-in sets the lifetime in seconds; the default is 3600 seconds and the maximum is 604800 (7 days)
Permission
- Whoever uses the link acts with the permissions of the identity that signed it
- Changing that identity's permissions, or revoking its credentials, changes what the link can do even before it expires
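To make the retention and permission points concrete, here is an added example (not code from the original notes or from AWS) that builds an S3 presigned GET URL by hand with SigV4 query-string authentication, and then checks such a URL the way the service does: expiry first, then a recomputed signature. Bucket name, object key, region and the access key/secret pair are constructed placeholders (the AWS documentation's dummy credentials); no network access is needed, so the signature is never sent to S3 here.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote, urlparse

MAX_EXPIRES = 604800    # SigV4 query-string auth: a presigned URL lives at most 7 days
DEFAULT_EXPIRES = 3600  # what `aws s3 presign` uses when --expires-in is omitted


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    # kSecret -> kDate -> kRegion -> kService -> kSigning
    k = _hmac(("AWS4" + secret).encode(), date)
    k = _hmac(k, region)
    k = _hmac(k, service)
    return _hmac(k, "aws4_request")


def _canonical_query(params: dict) -> str:
    # Every key and value is RFC 3986 encoded ('/' in the credential becomes %2F), then sorted by key
    return "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items()))


def _string_to_sign(host: str, enc_path: str, params: dict, amz_date: str, scope: str) -> str:
    canonical_request = "\n".join([
        "GET", enc_path, _canonical_query(params),
        f"host:{host}\n",    # canonical headers: only host is signed
        "host",              # signed headers
        "UNSIGNED-PAYLOAD",  # presigned URLs do not commit to a body hash
    ])
    digest = hashlib.sha256(canonical_request.encode()).hexdigest()
    return "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, digest])


def presign_get(bucket, key, access_key, secret_key, region, expires_in=DEFAULT_EXPIRES, now=None):
    """Build a SigV4 presigned GET URL; the generator's credentials, not the downloader's, are signed."""
    now = now or datetime.now(timezone.utc)
    expires_in = max(1, min(int(expires_in), MAX_EXPIRES))
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    scope = f"{date}/{region}/s3/aws4_request"
    host = f"{bucket}.s3.{region}.amazonaws.com"
    enc_path = quote("/" + key, safe="/")
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires_in),
        "X-Amz-SignedHeaders": "host",
    }
    sts = _string_to_sign(host, enc_path, params, amz_date, scope)
    params["X-Amz-Signature"] = hmac.new(
        _signing_key(secret_key, date, region, "s3"), sts.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{enc_path}?{_canonical_query(params)}"


def check_presigned(url, secret_key, now=None):
    """Do what S3 does on receipt: reject expired links, then recompute and compare the signature."""
    now = now or datetime.now(timezone.utc)
    u = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    try:
        issued = datetime.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
        expires = int(params["X-Amz-Expires"])
        _, date, region, service, _ = params["X-Amz-Credential"].split("/")
        presented = params.pop("X-Amz-Signature")
    except (KeyError, ValueError):
        return False, "malformed"
    if not 1 <= expires <= MAX_EXPIRES:
        return False, "bad expires"
    if now > issued + timedelta(seconds=expires):
        return False, "expired"
    scope = f"{date}/{region}/{service}/aws4_request"
    sts = _string_to_sign(u.netloc, u.path, params, params["X-Amz-Date"], scope)
    expected = hmac.new(_signing_key(secret_key, date, region, service), sts.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, presented):
        return False, "bad signature"  # any edit to the query string, e.g. a longer X-Amz-Expires, lands here
    return True, "ok"


if __name__ == "__main__":
    t0 = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)  # constructed signing time
    link = presign_get("example-bucket", "reports/q1.csv", "AKIAIOSFODNN7EXAMPLE",
                       "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "us-east-1", expires_in=600, now=t0)
    print(link)
    print(check_presigned(link, "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", now=t0 + timedelta(seconds=601)))
```

The expiry is part of the signed string, so a recipient cannot extend a link by editing X-Amz-Expires; and because the signing key is derived from the generator's secret, revoking that key invalidates every link it ever produced, which is the mechanism behind the "Permission" notes above.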
RDS Security
Data at rest
Elastic Block Store
- RDS storage volumes and snapshots can be encrypted with KMS keys
Transparent Data Encryption (TDE)
- Oracle and SQL Server can additionally apply TDE, which encrypts the data files at the engine level
Data in transit
SSL Connection
- TLS/SSL is available for every RDS engine
- Can be required with an engine parameter (rds.force_ssl for PostgreSQL, require_secure_transport for MySQL)
Server Name Indication (SNI)
- Solves the case where several hostnames point at a single RDS endpoint
- The client sends the hostname it is connecting to in the TLS SNI extension; if a matching certificate exists it is served, otherwise the default certificate is used
Authentication
- MySQL and PostgreSQL can authenticate users through IAM: IAM issues a short-lived token (15 minutes) that is presented as the password
- The database engine still performs the authentication, against a database user mapped to IAM
CloudTrail Logs
- CloudTrail records RDS API calls (create, modify, snapshot), not the SQL queries sent to the instance; query-level tracking needs the engine's audit logs
AppSync
- Managed GraphQL APIs with real-time, serverless pub/sub subscriptions
- Also supports WebSocket and MQTT (the standard IoT messaging protocol) over WebSocket
Cognito Integration
- A JWT issued by a Cognito user pool can be used directly as the AppSync authorization token
AWS WaveLength
- Compute and storage services within 5G networks
- Various capabilities such as mobile edge computing
Storage Monitoring
Storage Class Analysis
- Analyze objects in S3 and suggest the best storage class
Storage Lens
- Default dashboard shows usage and activity trends across regions and accounts
- Free Tier: 28 usage metrics and retention period of 14 days
- Advanced Tier: more metrics with retention period of 15 months
Database Monitoring
RDS Performance Insights
- Visual dashboard of database load
- Broken down by SQL statement, user, wait event, etc.
Aurora Logs
- Aurora logs can be published to CloudWatch
- General logs, error, slow query, audit, etc.
Database Caching
Amazon ElastiCache
- Managed Redis/Memcached, typically placed in front of RDS as a cache
- The application must be changed to read and write through the cache
Memcached
- No native multi-AZ failover
Cluster Mode (Redis)
- Enables data sharding
- Scales horizontally by adding shards
DynamoDB Accelerator
- Seamless in-memory cache for DynamoDB
- API-compatible with DynamoDB, so applications need only minimal changes
SNS Security
Data at rest
Messages
- Messages can be encrypted with KMS keys
- Client may decide to encrypt the message before sent to SNS
Data in transit
Message
- SNS API calls are made over HTTPS, so messages are encrypted in transit
Access Control
Resource-based Policy
- Access to the SNS API can be restricted to designated roles/accounts by setting resource-based policies
SNS Access Policy
- Cross-account access to SNS topics
- Allow other services to access SNS topics
Redshift Snapshots
- Incremental backups on a schedule
- Automated snapshots run every 8 hours or every 5 GB of changed data, or on a custom schedule
- A retention period deletes old snapshots automatically
KMS-Encrypted Copy
- An encrypted Redshift snapshot can be copied to a cluster in another region
- Redshift needs a snapshot copy grant in the destination region so it can use a KMS key there to encrypt the copy
Redshift Spectrum
- Query data in S3 directly without loading it into the Redshift cluster first
- The cluster's compute nodes push the S3 part of the query down to the Spectrum layer
Amazon Athena
- Serverless service for querying data in S3 buckets
- Uses standard SQL directly on S3 objects, with no conversion step
- Supports compressed input (bzip2, gzip, etc.); Athena decompresses the objects after reading them from S3
Cost
- $5 per TB of data scanned
- Use columnar formats (Parquet, ORC) so only the needed columns are scanned
Partitioning
- Data is split into partitions on keys the user chooses (date, region, etc.)
- A query that filters on the partition key scans only the matching prefixes of the bucket
Federated Query
- Using a Data Source Connector (Lambda), any data source can be analyzed by Athena
- ElastiCache, DocumentDB, DynamoDB, Redshift, Aurora, SQL, etc.
S3 Permission
IAM Policy Based
- Identity policies restrict which S3 actions a principal may call (s3:PutObject, s3:GetObject, etc.)
- Conditions can require, for example, a specific source IP address or a call made through a specific AWS service
Resource Based Policy
- A bucket policy attached to the bucket allows or denies specific IAM entities, including principals in other accounts
Access Control List (ACL)
- Legacy option for bucket- and object-level grants; an ACL can only grant, never deny
- Across the bucket policy, IAM policies and ACLs, an explicit Deny matching the request wins over any Allow, whether the Allow is expressed at the bucket or the object level; with no matching Allow the request is implicitly denied
Types
Bucket-level ACL
- Permissions to access the entire bucket
Object-level ACL
- Permissions per object in a bucket
Bucket Ownership
- Once Object Ownership is set to "bucket owner preferred", the bucket owner owns every newly uploaded object
- Objects uploaded before the setting was enabled still belong to their original owner
S3 Batch Operation
- A Batch Operations copy job can rewrite those existing objects so the bucket owner owns them; its 'preserve ACLs' option keeps their ACLs
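The precedence rule above (explicit Deny beats Allow beats implicit deny) and the aws:SecureTransport deny from the data-in-transit notes are easiest to see by evaluating a policy against concrete requests. The following is an added example, not code from the original notes and not the real IAM engine: a small Python evaluator over a constructed bucket policy. The bucket name, account ID, role ARN and office CIDR are made up, and only the Bool and IpAddress/NotIpAddress operators and the '*' wildcard are implemented; anything else is refused rather than guessed.

```python
import ipaddress
import re

# Constructed example bucket policy for an imaginary bucket and account (not from any real deployment).
# Statement 1 is the aws:SecureTransport deny from the "Data in transit" notes;
# statement 2 grants object reads to one role, and only from one office network.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyPlainHTTP",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {
            "Sid": "AllowReadsFromOffice",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/analyst"},
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern: str, value: str) -> bool:
    # IAM wildcard matching for Action/Resource: '*' spans anything, everything else is literal
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _principal_matches(spec, principal: str) -> bool:
    if spec == "*":
        return True
    if isinstance(spec, dict):
        allowed = _as_list(spec.get("AWS", []))
        return "*" in allowed or principal in allowed
    return False


def _conditions_match(condition: dict, context: dict) -> bool:
    # Only the operators used in BUCKET_POLICY are implemented; others raise instead of silently passing.
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False  # a missing context key never satisfies a positive condition
            if operator == "Bool":
                if str(actual).lower() not in [str(e).lower() for e in _as_list(expected)]:
                    return False
            elif operator in ("IpAddress", "NotIpAddress"):
                addr = ipaddress.ip_address(actual)
                inside = any(addr in ipaddress.ip_network(cidr, strict=False) for cidr in _as_list(expected))
                if inside != (operator == "IpAddress"):
                    return False
            else:
                raise NotImplementedError(f"condition operator {operator} is not supported by this toy evaluator")
    return True


def evaluate(policy: dict, principal: str, action: str, resource: str, context: dict) -> str:
    """Simplified bucket-policy evaluation: an explicit Deny beats any Allow; no matching Allow is an implicit deny."""
    decision = "implicit-deny"
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt.get("Principal"), principal):
            continue
        if not any(_glob(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _conditions_match(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit-deny"  # nothing later in the policy can override this
        decision = "allow"
    return decision


if __name__ == "__main__":
    role = "arn:aws:iam::111122223333:role/analyst"
    obj = "arn:aws:s3:::example-bucket/reports/q1.csv"
    # Same role, same object, same source IP: only the transport differs
    for secure in ("true", "false"):
        ctx = {"aws:SecureTransport": secure, "aws:SourceIp": "203.0.113.7"}
        print(f"SecureTransport={secure}: {evaluate(BUCKET_POLICY, role, 's3:GetObject', obj, ctx)}")
```

Each request is described by the requester's ARN, the action, the resource ARN and the request context keys S3 would populate; running the two requests in the main block shows the Allow being honoured over HTTPS and the Deny winning over the very same Allow when the request arrives over plain HTTP.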
Regions
- Geographical location of resources
- us-east-1, us-east-2, us-west-1, etc. are separate regions
Availability Zones (AZs)
- Physically isolated datacenters within one region, each with its own power and networking
- us-east-1a, us-east-1b, us-east-1c, us-east-1d, us-east-1e are AZs of the us-east-1 region