[ AWS Resource Access Manager (RAM) ]

Share your own AWS resources with other AWS accounts

Avoids creating duplicate resources

VPC Subnets, AWS Transit Gateway, Route 53 Resolver Rules, License Manager Configurations, etc. can be shared

- Share AWS resources that you own with other AWS accounts

- Share with any account or within your Organization

- Avoid resource duplication!

- VPC Subnets:

  -- allows all the resources to be launched in the same subnets

  -- must be from the same AWS Organization

  -- Cannot share security groups or the default VPC

  -- Participants can manage their own resources in there

  -- Participants can't view, modify, delete resources that belong to other participants or the owner

- AWS Transit Gateway

- Route53 Resolver Rules

- License Manager Configurations

* VPC: Virtual Private Cloud


[ Resource Access Manager - VPC example ]

Each account cannot read, write or delete the resources of other accounts

Because the network is shared, resources can communicate with each other, using private IPs.

Each account is responsible for its own resources.

Each account cannot view, modify or delete resources that belong to other accounts.

The network is shared, so anything deployed in the VPC can talk to other resources in the VPC.

Applications are accessed easily across accounts, using private IP.

Security groups from other accounts can be referenced for maximum security

[ IAM Conditions ]

Restrict all client calls except those coming from the two specified IP ranges

Deny everything (*)

aws:SourceIp: restrict the client IP from which the API calls are being made

Allow all actions on ec2/rds/dynamodb only for the two specified regions

aws:RequestedRegion: restrict the region the API calls are made to

Restrict based on tags

Force MFA
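As an added example (not part of the original notes), a small Python evaluator for the three conditions above, aws:SourceIp, aws:RequestedRegion and the forced-MFA check; the IP ranges, regions and policy statements are constructed for illustration, and only the condition operators they use are implemented.

```python
import fnmatch
import ipaddress

# Statement 1: deny everything unless the call comes from one of two (constructed) office ranges.
DENY_OUTSIDE_OFFICE = {
    "Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24", "198.51.100.0/24"]}},
}
# Statement 2: allow ec2/rds/dynamodb only when the call is made to one of two regions.
ALLOW_TWO_REGIONS = {
    "Effect": "Allow", "Action": ["ec2:*", "rds:*", "dynamodb:*"], "Resource": "*",
    "Condition": {"StringEquals": {"aws:RequestedRegion": ["eu-central-1", "eu-west-1"]}},
}
# Statement 3: force MFA; BoolIfExists also matches when the key is absent (no MFA claim at all).
DENY_WITHOUT_MFA = {
    "Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _operator_matches(operator, expected, actual):
    """One operator against one request-context value; several expected values are an OR."""
    values = _as_list(expected)
    if operator in ("IpAddress", "NotIpAddress"):
        hit = any(ipaddress.ip_address(actual) in ipaddress.ip_network(v) for v in values)
        return hit if operator == "IpAddress" else not hit
    if operator == "StringEquals":
        return actual in values
    if operator in ("Bool", "BoolIfExists"):
        return str(actual).lower() in [str(v).lower() for v in values]
    raise ValueError("operator not implemented in this example: " + operator)

def condition_matches(condition, context):
    """Every operator and every key must match (AND); a key missing from the request
    context only matches for the ...IfExists variants."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            if key not in context:
                if operator.endswith("IfExists"):
                    continue
                return False
            if not _operator_matches(operator, expected, context[key]):
                return False
    return True

def statement_applies(statement, action, context):
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(statement["Action"]))
            and condition_matches(statement.get("Condition", {}), context))

def decision(statements, action, context):
    """IAM order: a matching explicit Deny wins, then a matching Allow, else implicit deny."""
    effects = {s["Effect"] for s in statements if statement_applies(s, action, context)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"
```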

 

[ IAM for S3 ]

ListBucket permission applies to

arn:aws:s3:::test

=> bucket-level permission

GetObject, PutObject, DeleteObject apply to

arn:aws:s3:::test/*

=> object-level permission

[ IAM Roles vs Resource Based Policies ]

Attaching a policy to a resource (ex: S3 bucket policy) vs using a role as a proxy

Way 1: for Account A to use an S3 bucket in Account B, assume a role with STS and then access Account B's S3 bucket

=> When you assume a role (user, application or service), you give up your original permissions and take the permissions assigned to the role

Way 2: create an S3 bucket policy that allows access from Account A.

=> When using a resource-based policy, the principal doesn't have to give up their permissions

Problem when using the role assumption of way 1:

When scanning a DynamoDB table in Account A and storing the result in an S3 bucket in another account, the session only holds Account B's permissions, so Account A's permissions are lost. In this case a resource-based policy must be used.

ex: User in Account A needs to scan a DynamoDB table in Account A and dump it in an S3 bucket in Account B

Resource-based policies are supported by: Amazon S3 buckets, SNS topics, SQS queues

[ IAM Permission Boundaries ]

IAM Permission Boundaries are supported for users, groups and roles

Advanced feature to use a managed policy to set the maximum permissions an IAM entity can get

Even though the IAM policy grants permission to create users, the Permission Boundary only allows S3, CloudWatch and EC2, so in practice the entity has no effective permission.

=> Even if permissions are granted by an IAM policy, the IAM Permission Boundary takes precedence in controlling them

[ IAM Permission Boundaries ]

Can be used in combination with AWS Organizations SCP

Organizations SCP, Permissions boundary and Identity-based policy can be combined for effective permission control

Permissions can be restricted for one specific user; developers can be prevented from granting themselves admin permissions, etc.

1. Delegate responsibilities to non administrators within their permission boundaries, for example create new IAM users

2. Allow developers to self-assign policies and manage their own permissions, while making sure they can't escalate their privileges (make themselves admin)

3. Useful to restrict one specific user (instead of a whole account using Organizations & SCP)

 

[ IAM Policy Evaluation Logic ]

 

[ Example IAM Policy ]

1. No sqs:CreateQueue permission: sqs:* is denied

2. No sqs:DeleteQueue permission: Deny on sqs:*, so it is denied even though another statement explicitly allows it.

3. No ec2:DescribeInstances permission: there is no explicit Allow for EC2, so there is no permission on EC2.
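Added example, not from the original notes: a minimal Python evaluator covering the S3 bucket-level vs object-level ARNs, the example policy above (Deny on sqs:*, no EC2 Allow) and the Permission Boundary scenario, where both the identity policy and the boundary must allow the action. The bucket name test is from the notes; the policy documents are constructed.

```python
import fnmatch

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _statement_matches(statement, action, resource):
    """Action and Resource wildcards (*) are matched the way IAM does for simple patterns."""
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(statement["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(statement["Resource"])))

def evaluate(policy, action, resource):
    """IAM order inside one policy: explicit Deny wins, then explicit Allow, else implicit deny."""
    effects = {s["Effect"] for s in policy["Statement"] if _statement_matches(s, action, resource)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"

def effective(identity_policy, action, resource, boundary=None):
    """With a permission boundary the request must be allowed by BOTH documents;
    an explicit Deny in either one wins. The boundary caps the maximum permissions."""
    results = [evaluate(identity_policy, action, resource)]
    if boundary is not None:
        results.append(evaluate(boundary, action, resource))
    if "Deny" in results:
        return "Deny"
    return "Allow" if all(r == "Allow" for r in results) else "ImplicitDeny"

# The example policy from the notes: a Deny on sqs:* overrides the Allow on sqs:DeleteQueue,
# and the S3 statements use the bucket ARN for ListBucket and bucket/* for object actions.
EXAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sqs:DeleteQueue", "Resource": "*"},
    {"Effect": "Deny", "Action": "sqs:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::test"},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::test/*"},
]}

# Permission Boundary scenario: the identity policy grants iam:CreateUser,
# but the boundary only allows S3, CloudWatch and EC2.
CREATE_USER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:CreateUser", "Resource": "*"}]}
BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "cloudwatch:*", "ec2:*"], "Resource": "*"}]}
```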

 

 


What is Microsoft Active Directory (AD)?

Used for managing resources and permissions within an enterprise: a central Admin handles user authentication and authorization, so users do not need to know the location of each shared resource or the local user accounts on the server that holds it.

An LDAP directory service developed for use in Windows environments

- Found on any Windows Server with AD Domain Services

- Database of objects : User Accounts, Computers, Printers, File Shares, Security Groups

- Centralized security management, create account, assign permissions

- Objects are organized in trees

- A group of trees is a forest

* AD(Active Directory) : https://mpain.tistory.com/153

* LDAP : https://yongho1037.tistory.com/796

 

[ AWS Directory Services ]

- AWS Managed Microsoft AD

  Create your own AD in AWS, manage users locally, supports MFA

  Establish "trust" connections with your on-premise AD

- AD Connector

  Directory Gateway (proxy) to redirect to on-premise AD, supports MFA

  Users are managed on the on-premise AD

- Simple AD

  AD-compatible managed directory on AWS

  Cannot be joined with on-premise AD

 

[ AWS Organizations ]

- Global service

- Allows to manage multiple AWS accounts

- The main account is the master account - you cannot change it

- Other accounts are member accounts

- Member accounts can only be part of one organization

- Consolidated Billing across all accounts - single payment method

- Pricing benefits from aggregated usage (volume discount for EC2, S3..)

- API is available to automate AWS account creation

 

[ Multi Account Strategies ] 

- Create accounts per department, per cost center, per dev/test/prod, based on regulatory restrictions (using SCP), for better resource isolation (ex:VPC), to have separate per-account service limits, isolated account for logging

- Multi Account vs One Account Multi VPC

- Use tagging standards for billing purposes

- Enable CloudTrail on all accounts, send logs to central S3 account

- Send CloudWatch Logs to central logging account

- Establish Cross Account Roles for Admin purposes

 

[ Organizational Units (OU) - Examples ] 

 

[ Service Control Policies (SCP) ]

Whitelist or blacklist of IAM actions

Applied to OUs or accounts

Not applied to the master account

Applied to all accounts and roles, including ROOT

Not applied to service-linked roles

An SCP must contain an explicit Allow (by default nothing is allowed)

Can be used to restrict permissions, e.g. restricting access to specific services

- Whitelist or blacklist IAM actions

- Applied at the OU or Account level

- Does not apply to the Master Account

- SCP is applied to all the Users and Roles of the Account, including ROOT

- The SCP does not affect service-linked roles

  Service-linked roles enable other AWS services to integrate with AWS Organizations and can't be restricted by SCPs

- SCP must have an explicit Allow (does not allow anything by default)

- Use cases:

  Restrict access to certain services (for example: can't use EMR)

  Enforce PCI compliance by explicitly disabling services

 

[ SCP - Hierarchy ]

OUs at a lower level follow the Allow/Deny policies of the OUs above them

ex: Account B cannot access Lambda or Redshift; Account A cannot access Redshift
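Added example (not from the original notes) of how SCPs combine down the hierarchy for the Account A / Account B case above: every level from the organization root to the account must allow the action, a Deny at any level wins, and the management (master) account is exempt. The OU names and SCP documents are constructed.

```python
import fnmatch

# FullAWSAccess is the SCP AWS attaches by default; the two Deny SCPs are constructed.
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_REDSHIFT = {"Statement": [{"Effect": "Deny", "Action": "redshift:*", "Resource": "*"}]}
DENY_LAMBDA = {"Statement": [{"Effect": "Deny", "Action": "lambda:*", "Resource": "*"}]}

# Constructed organization ("Root" is the organization root, not an account's root user).
# Account A sits in the Prod OU; Account B sits in a child OU below it, so it inherits the
# Redshift deny from the Prod OU and gets its own Lambda deny from the Sandbox OU.
ORG = {
    "Root":       {"parent": None,         "scps": [FULL_AWS_ACCESS]},
    "Management": {"parent": "Root",       "scps": [FULL_AWS_ACCESS], "management": True},
    "Prod OU":    {"parent": "Root",       "scps": [FULL_AWS_ACCESS, DENY_REDSHIFT]},
    "Account A":  {"parent": "Prod OU",    "scps": [FULL_AWS_ACCESS]},
    "Sandbox OU": {"parent": "Prod OU",    "scps": [FULL_AWS_ACCESS, DENY_LAMBDA]},
    "Account B":  {"parent": "Sandbox OU", "scps": [FULL_AWS_ACCESS]},
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def level_allows(scps, action):
    """At one level, the action needs an explicit Allow in some attached SCP and no Deny in any."""
    effects = {s["Effect"] for scp in scps for s in scp["Statement"]
               if any(fnmatch.fnmatchcase(action, a) for a in _as_list(s["Action"]))}
    return "Deny" not in effects and "Allow" in effects

def allowed_by_scps(org, account, action):
    """Walk from the account up to the Root: every level on the path must allow the action.
    The management account is never restricted by SCPs."""
    if org[account].get("management"):
        return True
    node = account
    while node is not None:
        if not level_allows(org[node]["scps"], action):
            return False
        node = org[node]["parent"]
    return True
```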

 

[ AWS Organization - Moving Accounts ]

To move an account to another organization, remove the account from the current (as-is) organization, then invite it to the target (to-be) organization and accept the invitation

[ AWS STS (Security Token Service) ]

Grants temporary access to AWS resources (temporary tokens)

Tokens are valid for up to 1 hour (must be refreshed)

AssumeRole/AssumeRoleWithSAML/AssumeRoleWithWebIdentity/GetSessionToken

- Allows to grant limited and temporary access to AWS resources

- Token is valid for up to one hour (must be refreshed)

1. AssumeRole

  Within your own account: for enhanced security

  Cross Account Access : assume role in target account to perform actions there

2. AssumeRoleWithSAML

  return credentials for users logged with SAML

3. AssumeRoleWithWebIdentity

  return creds for users logged in with an IdP (Identity Provider) (Facebook/Google login, ...)

  AWS recommends against using this, and using Cognito instead

4. GetSessionToken

  for MFA (Multi-Factor Authentication), from a user or AWS account root user

 

[ Using STS to Assume a Role ]

1. Create an IAM Role

2. Define the principals for the IAM Role

3. Obtain credentials using AWS STS

4. Temporary credentials are valid for 15 minutes to 1 hour

1. Define an IAM Role within your account or cross-account

2. Define which principals can access this IAM Role

3. Use AWS STS (Security Token Service) to retrieve credentials and impersonate the IAM Role you have access to (AssumeRole API)

4. Temporary credentials can be valid for between 15 minutes and 1 hour
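Added example (not from the original notes) covering way 1 and way 2 from the IAM Roles vs Resource Based Policies section and the four AssumeRole steps above: the role's trust policy, the alternative bucket policy, the AssumeRole parameters with the 15 min to 1 h window, and the boto3 session that carries only the role's permissions. Account ids, role and bucket names are constructed; boto3 is imported only inside assume_role_session.

```python
import json

def trust_policy(trusted_account_id, require_mfa=True):
    """Step 2 / way 1: the role's trust policy in Account B names the principals
    (here: any principal in Account A) that may call sts:AssumeRole on it."""
    statement = {"Effect": "Allow",
                 "Principal": {"AWS": "arn:aws:iam::%s:root" % trusted_account_id},
                 "Action": "sts:AssumeRole"}
    if require_mfa:  # only MFA-authenticated sessions may assume the role
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [statement]}

def bucket_policy(bucket, trusted_account_id):
    """Way 2: a resource-based policy on the bucket itself; the caller in Account A keeps
    its own permissions (e.g. dynamodb:Scan) and additionally gets s3:PutObject here."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::%s:root" % trusted_account_id},
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::%s/*" % bucket}]}

def assume_role_params(role_arn, session_name, duration_seconds=3600):
    """Steps 3/4: parameters for the AssumeRole API; the notes' 15 min .. 1 h window is enforced."""
    if not 900 <= duration_seconds <= 3600:
        raise ValueError("DurationSeconds must be between 900 and 3600 seconds")
    return {"RoleArn": role_arn, "RoleSessionName": session_name,
            "DurationSeconds": duration_seconds}

def assume_role_session(role_arn, session_name, duration_seconds=3600,
                        mfa_serial=None, mfa_code=None):
    """Exchange the caller's credentials for temporary ones and return a boto3 Session
    that carries ONLY the role's permissions (the caller's own are given up for this session)."""
    import boto3  # imported here so the rest of the example runs without boto3 installed
    params = assume_role_params(role_arn, session_name, duration_seconds)
    if mfa_serial:
        params.update(SerialNumber=mfa_serial, TokenCode=mfa_code)
    creds = boto3.client("sts").assume_role(**params)["Credentials"]
    # All three values are required: the session token is what makes the credentials temporary.
    return boto3.session.Session(aws_access_key_id=creds["AccessKeyId"],
                                 aws_secret_access_key=creds["SecretAccessKey"],
                                 aws_session_token=creds["SessionToken"])

if __name__ == "__main__":
    print(json.dumps(trust_policy("111111111111"), indent=2))
    print(json.dumps(bucket_policy("account-b-dump-bucket", "111111111111"), indent=2))
```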

 

[ Identity Federation in AWS ]

Through Identity Federation, external users can obtain temporary access to AWS resources

This allows AWS access without creating IAM users

- Federation lets users outside of AWS assume a temporary role for accessing AWS resources

- These users assume an identity-provided access role

- Federation comes in many flavors

  -- SAML 2.0

  -- Custom Identity Broker

  -- Web Identity Federation with Amazon Cognito

  -- Web Identity Federation without Amazon Cognito

  -- Single Sign On

  -- Non-SAML with AWS Microsoft AD

- Using federation, you don't need to create IAM users (user management is outside of AWS)

 

[ SAML 2.0 Federation ]

- To integrate Active Directory/ADFS with AWS (or any SAML 2.0)

- Provides access to AWS Console or CLI (through temporary creds)

- No need to create an IAM user for each of your employees

* SSO (Single Sign-On): a service that centrally manages access to multiple AWS accounts and business applications and gives users single sign-on access, so that all assigned accounts and apps can be reached from one place

(Using AWS STS (left figure): https://gnidoc.tistory.com/entry/%EB%A7%A5%EC%97%90%EC%84%9C-AWS-STS-CodeCommit-%EC%82%AC%EC%9A%A9%ED%95%98%EA%B8%B0)

(Using SSO (right figure): https://cloudest.tistory.com/62)

 

 

[ SAML 2.0 Federation - Active Directory FS ]

Same process as with any SAML 2.0 compatible IdP

 

[ SAML 2.0 Federation ]

Requires a two-way trust between IAM and the SAML provider

SAML 2.0 only works web-based

Uses the AssumeRoleWithSAML STS API

Prefer SSO where possible

- Needs to set up a trust between AWS IAM and SAML (both ways)

- SAML 2.0 enables web-based, cross-domain SSO

- Uses the STS API: AssumeRoleWithSAML

- Note: federation through SAML is the old way of doing things

- Amazon Single Sign-On (SSO) Federation is the new, managed and simpler way

 

[ Custom Identity Broker Application ]

Used when SAML 2.0 cannot be used

Uses STS APIs such as AssumeRole / GetFederationToken

Use only if the identity provider is not compatible with SAML 2.0

The identity broker must determine the appropriate IAM policy

Uses the STS API: AssumeRole or GetFederationToken

 

[ Web Identity Federation - AssumeRoleWithWebIdentity ]

Not recommended by AWS - use Cognito instead (allows for anonymous users, data synchronization, MFA)

[ AWS Cognito ]

Goal :

- Provide direct access to AWS resources from the client side (mobile/web app)

Example :

- provide (temporary) access to write to S3 bucket using Facebook Login

Problem :

- We don't want to create IAM users for our app users

How :

- Log in to federated identity provider - or remain anonymous

- Get temporary AWS credentials back from the Federated Identity Pool

- These credentials come with a pre-defined IAM policy stating their permissions

 

 

 

[Security] SSO concepts (SAML, OAuth, OIDC) - https://nyyang.tistory.com/m/142

[ AWS Config ]

Logs changes to AWS resources: whether a security group allows unrestricted SSH access, whether an S3 bucket is publicly accessible, how an ALB (Application Load Balancer) configuration has changed, and so on.

Per-region service; can send SNS notifications on changes; can be aggregated across regions/accounts; data can be stored in S3 and analyzed with Athena

- Helps with auditing and recording compliance of your AWS resources

- Helps record configurations and changes over time

- Questions that can be answered by AWS Config:

  Is there unrestricted SSH access to my security groups?

  Do my buckets have any public access?

  How has my ALB configuration changed over time?

- You can receive alerts (SNS notifications) for any changes

- AWS Config is a per-region service

- Can be aggregated across regions and accounts

- Possibility of storing the configuration data into S3 (analyzed by Athena)

 

[ Config Rules ]

Predefined (AWS managed) rules are available

Custom rules are possible (implemented with AWS Lambda), e.g. checking that each EBS disk is of type gp2, or that each EC2 instance is of type t2.micro

Evaluated either when triggered by a configuration change or on a schedule.

Config Rules do not prevent configuration changes.

Not free.

- Can use AWS managed config rules (over 75 rules)

- Can make custom config rules (must be defined in AWS Lambda)

  ex1: evaluate if each EBS disk is of type gp2

  ex2: evaluate if each EC2 instance is t2.micro

- Rules can be evaluated/triggered for each config change (+ at regular time intervals)

- AWS Config Rules do not prevent actions from happening (no deny)

- Pricing: no free tier; pay per configuration item recorded per region and per config rule evaluation per region
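Added example, not AWS's or the notes' own code: the evaluation logic of a custom Config rule backed by Lambda for the two cases above (every EBS disk is gp2, every EC2 instance is t2.micro), using the event and evaluation shapes Config passes to and expects from the function; the configuration items are constructed samples, and the boto3 call only runs inside lambda_handler.

```python
import json

# Resource type -> (attribute in the configuration item, rule parameter holding the expected value)
CHECKS = {
    "AWS::EC2::Volume":   ("volumeType",   "desiredVolumeType"),    # ex1: every EBS disk is gp2
    "AWS::EC2::Instance": ("instanceType", "desiredInstanceType"),  # ex2: every EC2 instance is t2.micro
}

def evaluate_compliance(configuration_item, rule_parameters):
    """COMPLIANT / NON_COMPLIANT / NOT_APPLICABLE for one configuration item."""
    if configuration_item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE"          # a deleted resource is no longer evaluated
    check = CHECKS.get(configuration_item["resourceType"])
    if check is None:
        return "NOT_APPLICABLE"          # the rule does not cover this resource type
    attribute, parameter = check
    actual = configuration_item["configuration"].get(attribute)
    return "COMPLIANT" if actual == rule_parameters.get(parameter) else "NON_COMPLIANT"

def build_evaluation(event):
    """One entry of the Evaluations list the handler hands to config.put_evaluations().
    Config passes invokingEvent and ruleParameters as JSON strings inside the Lambda event."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": evaluate_compliance(item, params),
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }

def sample_event(resource_type, resource_id, configuration, params):
    """Constructed stand-in for the change-triggered event Config sends to the rule's Lambda."""
    item = {"resourceType": resource_type, "resourceId": resource_id,
            "configurationItemStatus": "OK", "configuration": configuration,
            "configurationItemCaptureTime": "2022-05-24T10:00:00.000Z"}
    return {"invokingEvent": json.dumps({"messageType": "ConfigurationItemChangeNotification",
                                         "configurationItem": item}),
            "ruleParameters": json.dumps(params), "resultToken": "constructed-token"}

def lambda_handler(event, context):
    """Real entry point: report the evaluation back to Config (needs boto3 and the resultToken)."""
    import boto3
    boto3.client("config").put_evaluations(Evaluations=[build_evaluation(event)],
                                          ResultToken=event["resultToken"])
```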

 

 

[ Config Rules - Remediations ]

Automate the remediation of non-compliant resources using SSM Automation documents

Custom documents that invoke a Lambda function can be created

Retries are possible if the resource is still non-compliant after auto-remediation

- Automate remediation of non-compliant resources using SSM Automation Documents

- Use AWS-Managed Automation Documents or create custom Automation Documents

  Tip: you can create custom Automation Documents that invoke a Lambda function

- You can set Remediation Retries if the resource is still non-compliant after auto-remediation

 

[ Config Rules - Notifications ]

- Use EventBridge to trigger notifications when AWS resources are non-compliant

- Ability to send configuration changes and compliance state notifications to SNS (all events - use SNS Filtering or filter at client-side)
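Added example (not from the original notes): an EventBridge rule pattern that fires only when a Config rule turns NON_COMPLIANT, together with a matcher implementing the exact-match pattern rules an EventBridge rule applies, run over constructed sample events; the SNS subject lines it produces are this example's own format.

```python
# Rule pattern: only Config compliance changes whose new state is NON_COMPLIANT.
NON_COMPLIANT_PATTERN = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {"newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]}},
}

def matches(pattern, event):
    """EventBridge exact-match semantics: every key in the pattern must be present in the
    event, a list of values is an OR, and nested objects are matched recursively
    (prefix, anything-but and the other content filters are not implemented here)."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches(expected, event[key]):
                return False
        elif event[key] not in expected:
            return False
    return True

def notify_targets(events, pattern):
    """Subjects of the SNS notifications a rule with this pattern would send."""
    return ["%s is %s for rule %s" % (e["detail"]["resourceId"],
                                      e["detail"]["newEvaluationResult"]["complianceType"],
                                      e["detail"]["configRuleName"])
            for e in events if matches(pattern, e)]

def config_event(rule, resource_type, resource_id, compliance):
    """Constructed Config compliance-change event (a subset of the real fields)."""
    return {"source": "aws.config", "detail-type": "Config Rules Compliance Change",
            "detail": {"configRuleName": rule, "resourceType": resource_type,
                       "resourceId": resource_id,
                       "newEvaluationResult": {"complianceType": compliance}}}

SAMPLE_EVENTS = [
    config_event("restricted-ssh", "AWS::EC2::SecurityGroup", "sg-0a1b2c3d", "NON_COMPLIANT"),
    config_event("s3-bucket-public-read-prohibited", "AWS::S3::Bucket", "reports-bucket", "COMPLIANT"),
    {"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
     "detail": {"instance-id": "i-0123", "state": "stopped"}},  # unrelated event, never matched
]
```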

 

 

[ CloudWatch vs CloudTrail vs Config ]

CloudWatch

- Performance monitoring (metrics, CPU, network, etc.) & dashboards

- Events & Alerting

- Log Aggregation & analysis

CloudTrail

- Record API calls made within your Account by everyone

- Can define trails for specific resources

- Global Service

Config

- Record configuration changes

- Evaluate resources against compliance rules

- Get timeline of changes and compliance

 

[ For an Elastic Load Balancer ]

CloudWatch :

Performance monitoring based on metrics

- Monitoring Incoming connections metric

- Visualize error codes as a % over time

- Make a dashboard to get an idea of your load balancer performance

Config :

Checking configuration compliance

- Track security group rules for the Load Balancer

- Track configuration changes for the Load Balancer

- Ensure an SSL certificate is always assigned to the Load Balancer (compliance)

CloudTrail :

Checking which user changed the configuration

- Track who made any changes to the Load Balancer with API calls

 

 


[ CloudTrail ]

CloudTrail is similar to user event logging; it is enabled by default and free.

The history of actions from the Console/SDK/CLI/AWS services can be viewed

- Provides governance, compliance and audit for your AWS Account

- CloudTrail is enabled by default

- Get a history of events / API calls made within your AWS Account by:

  Console/SDK/CLI/AWS Services

- Can put logs from CloudTrail into CloudWatch Logs or S3

- A trail can be applied to All Regions (default) or a single Region

- If a resource is deleted in AWS, investigate CloudTrail first.

 

[ CloudTrail Events ]

Can be divided into management events, data events, CloudTrail Insights events, etc.

Operations performed on the resources of the AWS account, such as security or routing configuration; S3 object-level operations; Lambda function execution records, etc. (data events are disabled by default because of their volume)

1. Management Events :

- Operations that are performed on resources in your AWS account

- Examples :

  Configuring security (IAM AttachRolePolicy)

  Configuring rules for routing data (Amazon EC2 CreateSubnet)

  Setting up logging (AWS CloudTrail CreateTrail)

- By default, trails are configured to log management events

- Can separate Read Events (that don't modify resources) from Write Events (that may modify resources)

2. Data Events :

- By default, data events are not logged (because of high-volume operations)

- Amazon S3 object-level activity (ex: GetObject, DeleteObject, PutObject): can separate Read and Write Events

- AWS Lambda function execution activity (the Invoke API)

3. CloudTrail Insights Events :

Enable CloudTrail Insights to detect unusual activity in the account

e.g. inaccurate resource provisioning, exceeding service limits

* Analyzes normal management events to create a baseline, then continuously analyzes write events to detect unusual patterns

- Enable CloudTrail Insights to detect unusual activity in your account

  inaccurate resource provisioning

  hitting service limits

  Bursts of AWS IAM actions

  Gaps in periodic maintenance activity

- CloudTrail Insights analyzes normal management events to create a baseline

- And then continuously analyzes write events to detect unusual patterns

  Anomalies appear in the CloudTrail console

  Event is sent to Amazon S3

  An EventBridge event is generated (for automation needs)
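Added example, not part of the original notes: working through constructed CloudTrail records the way these sections suggest, splitting management from data events and read from write, finding who deleted a resource (resolving an assumed-role session back to its role), and flagging a burst of IAM write calls of the kind Insights compares against its baseline. The account id, names, times and IPs are sample values.

```python
from datetime import datetime, timedelta

def rec(time, source, name, user, ip, read_only=False, management=True, role=None):
    """Constructed CloudTrail record (a subset of the real fields; the account id is a sample)."""
    identity = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/" + user, "userName": user}
    if role:  # an AssumeRole session: the session name is the last segment of the ARN
        identity = {"type": "AssumedRole",
                    "arn": "arn:aws:sts::111122223333:assumed-role/%s/%s" % (role, user),
                    "sessionContext": {"sessionIssuer": {"type": "Role", "userName": role,
                                       "arn": "arn:aws:iam::111122223333:role/" + role}}}
    return {"eventTime": time, "eventSource": source, "eventName": name, "userIdentity": identity,
            "sourceIPAddress": ip, "readOnly": read_only, "managementEvent": management}

RECORDS = [
    rec("2022-05-16T09:00:01Z", "ec2.amazonaws.com", "DescribeInstances", "alice", "203.0.113.7", read_only=True),
    rec("2022-05-16T09:02:10Z", "ec2.amazonaws.com", "DeleteSubnet", "ci-session", "198.51.100.4", role="DeployRole"),
    rec("2022-05-16T09:03:00Z", "s3.amazonaws.com", "GetObject", "alice", "203.0.113.7", read_only=True, management=False),
    rec("2022-05-16T09:05:00Z", "iam.amazonaws.com", "CreateUser", "bob", "192.0.2.9"),
    rec("2022-05-16T09:05:20Z", "iam.amazonaws.com", "AttachUserPolicy", "bob", "192.0.2.9"),
    rec("2022-05-16T09:05:40Z", "iam.amazonaws.com", "CreateAccessKey", "bob", "192.0.2.9"),
]

def classify(record):
    """('management'|'data', 'read'|'write') from the record's own managementEvent/readOnly flags."""
    kind = "management" if record.get("managementEvent", True) else "data"
    return kind, ("read" if record.get("readOnly") else "write")

def actor(record):
    """Who acted: the IAM user name, or 'RoleName/session-name' for an assumed-role session."""
    identity = record["userIdentity"]
    if identity["type"] == "AssumedRole":
        role = identity["sessionContext"]["sessionIssuer"]["userName"]
        return role + "/" + identity["arn"].rsplit("/", 1)[-1]
    return identity.get("userName", identity["arn"])

def deletions(records):
    """First thing to check when a resource disappears: every Delete* write event, with actor and source IP."""
    return [(r["eventTime"], r["eventName"], actor(r), r["sourceIPAddress"])
            for r in records if r["eventName"].startswith("Delete") and not r.get("readOnly")]

def iam_write_bursts(records, threshold, window=timedelta(minutes=5)):
    """Actors with more than `threshold` IAM write calls inside one `window` (the kind of
    'burst of IAM actions' CloudTrail Insights flags against its baseline)."""
    per_actor = {}
    for r in records:
        if r["eventSource"] == "iam.amazonaws.com" and not r.get("readOnly"):
            per_actor.setdefault(actor(r), []).append(datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ"))
    flagged = set()
    for who, times in per_actor.items():
        times.sort()
        if any(sum(1 for u in times[i:] if u - t <= window) > threshold for i, t in enumerate(times)):
            flagged.add(who)
    return flagged
```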

 

[ CloudTrail Events Retention ]

Event logs are kept in CloudTrail for 90 days; to keep them longer, store them in S3. When stored in S3 they can be queried with Athena

- Events are stored for 90 days in CloudTrail

- To keep events beyond this period, log them to S3 and use Athena

[ Amazon EventBridge ]

The monitoring feature that came after CloudWatch Events. Event buses based on AWS services, and event buses for other software and user applications, are available. Event buses can be accessed from other AWS accounts. Events sent to an event bus can be archived and managed.

(Feels like a store for monitoring alerts and messages)

- EventBridge is the next evolution of CloudWatch Events

- Default Event Bus - generated by AWS services (CloudWatch Events)

- Partner Event Bus - receive events from SaaS service or applications (Zendesk, DataDog, Segment, Auth0)

- Custom Event Buses - for your own applications

- Event buses can be accessed by other AWS accounts

- You can archive events (all/filter) sent to an event bus (indefinitely or set period)

- Ability to replay archived events

- Rules : how to process the events (like CloudWatch Events)

 

[ Amazon EventBridge - Schema Registry ]

Through the EventBridge Schema Registry, code can be generated that knows how the data in the event bus is structured. Schemas can be versioned. (JSON format)

- EventBridge can analyze the events in your bus and infer the schema

- The Schema Registry allows you to generate code for your application, that will know in advance how data is structured in the event bus

- Schema can be versioned

 

[ Amazon EventBridge - Resource-based Policy ]

Events from another AWS account or AWS region can be allowed/denied

- Manage permissions for a specific Event Bus

  Example : allow/deny events from another AWS account or AWS region

- Use case : aggregate all events from your AWS Organization in a single AWS account or AWS region

 

[ Amazon EventBridge vs CloudWatch Events ]

Amazon EventBridge is the extended form of CloudWatch Events (recently the CloudWatch Events menu itself seems to be gone; it appears under the name Amazon EventBridge)

In common: the same event bus functionality (monitoring)

Differences: EventBridge has the Schema Registry and supports event buses for user applications and SaaS (software)

- Amazon EventBridge builds upon and extends CloudWatch Events

- It uses the same service API and endpoint, and the same underlying service infrastructure

- EventBridge allows extension to add event buses for your custom applications and your third-party SaaS apps

- EventBridge has the Schema Registry capability

- EventBridge has a different name to mark the new capabilities

- Over time, the CloudWatch Events name will be replaced with EventBridge

 

 

 



Java serialization

https://devlog-wjdrbs96.tistory.com/268
https://findmypiece.tistory.com/m/166



1. sync vs async

2. block vs non-block

From the perspective of the client calling the method.

Block: when calling a method, wait until the response is received

Non-block: other work can be done after the method call; the method invokes a callback function to return the result to the client

 

https://brunch.co.kr/@springboot/267#comment