MRTTLN SAP-C02, aws:PrincipalOrgId - Coggle Diagram
MRTTLN SAP-C02
Security & Networking
CloudTrail
3 types of events: Management Events, Data Events, CloudTrail Insights
May take up to 15 min to deliver events; to react to events fastest use EventBridge, CloudTrail delivery to CloudWatch Logs, or CloudTrail delivery to S3 (5 min)
AWS Firewall Manager: centrally configure, manage and monitor security policies across multiple accounts within an AWS Organization. WAF rules, Shield configuration, Security groups, DNS Firewall rules
GuardDuty: threat detection service, focuses on infrastructure & network level security. Analyzes the following data sources: CloudTrail logs, VPC Flow Logs, DNS logs, K8s Audit Logs. Does NOT include WAF logs
Some stuff
OpsWorks with Chef & Puppet, does not cover all EC2 instances
PowerUserAccess (denies IAM management and security settings, for Dev/ DevOps) < AdministratorAccess (all)
AWS Service Catalog: control services/ resources, managed IaC templates
VPC
VPC Sharing allows multiple accounts in the same AWS Organization to share subnets in a centrally managed VPC, no data transfer cost within the same AZ
VPC Peering creates a direct connection between 2 VPCs (even across regions/ accounts), data transfer cost when crossing AZ/ region
To use private hosted zones, DNS hostnames and DNS resolution must be enabled
Hub-and-Spoke Network: AWS Direct Connect & VPN, AWS Transit Gateway, VPC Peering
VPN
VPN CloudHub: hub-and-spoke VPN technology: connects multiple branch offices securely, provides centralized access, implements DR & backup solutions, enables cross-region communication for international companies
Direct Connect
2 types: Dedicated Connection, a physical connection associated with a single customer; Hosted Connection, not as good as a dedicated connection, provisioned by a DX partner on behalf of a customer
Compute & LB
Host Affinity ensures that your instance always runs on the same Dedicated Host after a reboot. Placement Groups (Cluster/ Partition/ Spread) control how EC2 instances are placed within the AWS infrastructure
LB cross-zone
NLB: disabled by default, enabling it incurs additional charges
ALB: enabled by default, does not incur additional charges
CLB: disabled by default, enabling it incurs no charge
Auto Scaling Group
Lifecycle Hooks allow pausing and performing actions during key events: before an instance is launched (pending state), before an instance is terminated (terminating state)
Containers
AWS App Runner: fully managed service that allows developers to deploy & run containerized applications without needing to manage infrastructure
LB
Gateway Load Balancer layer 3 (network), redirecting traffic to security appliances (IDPS, firewall, DPI)
Classic Load Balancer: LEGACY, layer 4 & 7, supports both TCP/UDP & HTTP/S
Lambda: each AWS account has a default concurrent execution limit of 1000 for AWS Lambda
EC2 Storage
Instance Store (ephemeral storage) provides temporary block-level storage for your instance. Physically attached to the host computer.
Design for New Solution
Aurora
Features
Aurora Auto Scaling for Aurora Replicas: automatically adjusts the number of read replicas in an Aurora DB cluster based on workload demand
API Gateway
WebSocket APIs adhere to the WebSocket protocol, stateful
HTTP Status Code
Retry NO: 400 bad request, 403 access denied, 409 conflict, 429 limit exceeded
Retry YES: 429 too many requests, 502 bad gateway, 503 service unavailable, 504 endpoint request time-out
default limit is 10,000 requests/ second, with a burst of 5,000 requests
you can improve latency by using edge-optimized endpoints rather than API Gateway Regional endpoints
Identity & Federation
AWS Control Tower: a single location to set up a well-architected, multi-account environment
Guardrails: pre-packaged governance rules for security, compliance, operations