DEVELOPyo

[ Serverless Website : Todo List ]

1. This website should scale globally

2. Blogs are rarely written, but often read

3. Some of the website is purely static files, the rest is a dynamic REST API

4. Caching must be implement where possible

5. Any new users that subscribes should receive a welcome email

6. Any photo uploaded to the blog should have a thumbnail generated

[ 1. Serving static content, globally ]

※ CloudFront 를 사용하여 Amazon S3(region)를 global 로 사용

[ 2. Serving static content, globally, securely ]

S3 Bucket policy 설정을 통해 OAI (Origin Access Identity) 만 권한(authorize) 부여

client 는 Amazon S3 에 직접 접근 불가하며 CloudFont 를 통해서만 S3 에 접근 가능

[ 2-2. Serving static content, globally, securely ]

[ Sending Email ]

DynamoDB Stream 을 통해 데이터 변화시 Lambda 를 호출,

(SES(Simple Email Service) 를 사용 할 수 있는 IAM Role을 가진) Lambda 는 Amazon SES를 사용하여 email 전송

[ Making Thumbnail on photo added ]

Client 가 S3 에 직접 혹은 CloudFront 를 통해 이미지 업로드시 Lambda 를 호출(trigger),

Lambda 가 thumbnail 을 생성하여 S3 에 업로드. (이때 S3 는 SQS/SNS 를 사용하여 부가적인 동작 가능)

[ AWS Hosted Website Summary ] 

- We've seen static content being distributed using CloudFront with S3

- The REST API was serverless, didn't need Cognito because public

- We leveraged a Global DynamoDB table to serve the data globally (could use Aurora Global Tables)

- We enabled DynamoDB streams to trigger a Lambda function 

- The lambda function had an IAM role which use SES(Simple Email Service)

- SES(Simple Email Service) was used to send emails in a serverless way

- S3 can trigger SQS/SNS/Lambda to notify of events

DynamoDB Stream 사용법 관련 포스팅

[ Mobile Application : My Todo List ]

1. We want to create a mobile application with the following requirements

2. Expose as REST API with HTTPS

3. Serverless architecture

4. Users should be able to directly interact with their own folder in S3

5. Users should authenticate through a managed serverless service

6. The users can write and read to-dos, but they mostly read them

7. The database should scale, and have some high read throughput

[ 1. Mobile App : REST API layer ]

[ 2. Mobile App : giving users access to S3 ]

※ Note : save credentials on S3 (not on your mobile client)

[ 3. Mobile app : high read throughput, static data ]

- Serverless REST API : HTTPS, API Gateway, Lambda, DynamoDB

- Using Cognito to generate temporary credentials with STS to access S3 bucket with restricted policy. App users can directly access AWS resources this way. Pattern can be applied to DynamoDB, Lambda

- Caching the reads on DynamoDB using DAX

- Caching the REST requests at the API Gateway level

- Security for authentication and authrization with Cognito, STS

[ AWS Cognito ]

We want to give our users an identity so that they can interact with our application

1. Cognito User Pools :

- Sign in functionality for app users

- Integrate with API Gateway

2. Cognito Identity Pools (Federated Identity) :

- Provide AWS credentials to users so they can access AWS resources directly

- Integrate with Cognito User Pools as an identity provider

3. Cognito Sync :

- Synchronize data from device to Cognito.

- May be deprecated and replaced by AppSync

[ 1. AWS Cognito User Pools (CUP) ]

- Create a serverless database of user for your mobile apps

- Simple login : Username(or email) / password combination

- Possibility to verify emails / phone numbers and add MFA

- Can enable Federated Identities (Facebook, Gogle, SAML...)

- Sends back a JSON Web Tokens (JWT)

- Can be integrated with API Gateway for authentication

[ 2. Federated Identity Pools ]

Goal :

- Provide direct access to AWS Resources from the Client Side

How :

- Log in to federated identity provider - or remain anonymous

- Get temporary AWS credentials back from the Federated Identity Pool

- These credentials come with a pre-defined IAM policy stating their permissions

Example :

- provide (temporary) access to write to S3 bucket using Facebook Login

[ 3. AWS Cognito Sync ]

Deprecated - use AWS AppSync now

- Store preferences, configuration, state of app

- Cross device synchronization (any platform - iOS, Android, etc )

- Offline capability (synchronization when back online)

- Requires Federated Identity Pool in Cognito (not User Pool)

- Store data in datasets (up to 1MB)

- Up to 20 datasets to synchronize

[ API Gateway ]

- AWS Lambda + API Gateway : No infrastructure to manage

- Support for the WebSocket Protocol

- Handle API versioning

- Handle different environments (dev/test/oper)

- Handle security (Authentication and Authorization)

- Create API keys, handle request throttling

- Swagger / Open API import to quickly define APIs 

- Transform and validate requests and responses

- Generate SDK and API specifications

- Cache API responses

[ API Gateway - Integrations High Level ]

1. Lambda Function

  - Invoke Lambda function

  - Easy way to expose REST API backed by AWS Lambda

2. HTTP

  - Expose HTTP endpoints in the backend

  eg. internal HTTP API on premise, ALB(Application Load Balancer)...

  Why? Add rate limiting, caching, user authentications, API Keys, etc...

3. AWS Service

  - Expose any AWS API through the API Gateway?

  eg. start an AWS Step Function workflow, post a message to SQS

  - Why? Add authentication, deploy publicly, rate control..

[ API Gateway - Endpoint Types ]

1. Edge-Optimized(default) : For global clients

  - Requests are routed through the CloudFront Edge locations (improves latency)

  - The API Gateway still lives in only one region

2. Regional :

  - For clients within the same region

  - Cloud manually combine with CloudFront (more control over the caching strategies and the distribution)

3. Private :

  - Can only be accessed from your VPC using an interface VPC endpoint (ENI)

  - Use a resource policy to define access

[ API Gateway - Hands on ]

1) API Lambda function 작성(언어별 코딩 지원)

2) Gate way 에서 API 종류 선택

3) context path 입력

4) deploy

[ API Gateway - Security ]

[ IAM Permissions ]

- Create an IAM policy authorization and attach to User/Role

- API Gateway verifies IAM permissions passed by the calling application

- Good to provide access within your own infrastructure

- Leverages "Sig v4" capability where IAM credential are in headers

- Great for users / roles already within your AWS account

- Handle authentication + authorization

- Leverage Sig v4

[ Lambda Authorizer (formerly Custom Authorizers) ] 

- Uses AWS Lambda to validate the token in header being passed

- Option to cache result of authentication

- Helps to use OAuth/SAML/3rd party type of authentication

- Lambda must return an IAM policy for the user

- Great for 3rd party tokens

- very flexible in terms of what IAM policy is returned

- Handle Authentication + Authorization

- Pay per Lambda invocation

[ Cognito User Pools ]

- Cognito fully manages user lifecycle

- API gateway verifies identity automatically from AWS Cognito

- No custom implementation required

- Cognito only helps with authentication, not authorization

- You manage your own user pool (can be backed by Facebook, Google login etc..)

- No need to write any custom code

- Must implement authorization in the backend

※ Authentication(인증) vs Authorization(인가)

Authentication(인증) : 사용자를 구분 및 확인 check who he is

Authorization(인가) : 사용자가 허가된 작업을 요청하는지 확인 check if he can access

cognito 관련 글

[ DynamoDB ]

- Fully Managed, Highly available with replication across 3 AZ

- NoSQL database - not a relational database

- Scales to massive workloads, distributed database

- Milions of requests per seconds, trillions of row, 100s of TB of storage

- Fast and consistent in performance (low latency on retrieval)

- Integrated with IAM for security, authorization and administration

- Enables event driven programming with DynamoDB Streams

- Low cost and auto scaling capabilities

[ DynamoDB Basic ]

DynamoDB is made of tables

- Each table has a PK (must be decided at creation time)

- Each table can have an infinite number of items

- Each item has attributes (can be added over time , can be null)

- Maximum size of a item is 400KB

- Supported data types 

  1) Scalar Types : String, Number, Binary, Boolean, Null

  2) Document Types : List, Map

  3) Set Types : String Set, Number Set, Binary Set

[ DynamoDB - Provisioned Throughput *** ]

- Table must have provisioned read and write capacity units

- RCU (Read Capacity Units) : throughput for reads ($0.00013 per RCU)

   1 RCU = 1 strongly consistent read of 4KB per second

   1 RCU = 2 eventually consistent read of 4 KB per second

- WCU (Write Capacity Unit) : throughput for writes ($0.00065 per WCU)

   1 WCU = 1 write of 1 KB per second

- Option to setup auto-scaling of throughput to meet demand

- Throughput can be exceeded temporarily using "burst credit"

- If burst credit are empty, you'll get a "ProvisionedThroughputException"

※ To prevent "ProvisionedThroughputException", use DAX

- It's then advised to do an exponential(기하급수적인) back-off retry

[ DynamoDB Advanced Features ]

[ DynamoDB - DAX ]

- DAX = DynamoDB Accelerator

- Seamless cache for DynamoDB, no application re-write

- Writes go through DAX to DynamoDB

- Micro second latency for cached reads & queries

- Solves the Hot Key problem (too many reads)

- 5 minutes TTL for caches by default

- Up to 10 nodes in the cluster

- Multi AZ (3 nodes minium recommended for production)

- Secure (encryption at rest with KMS, VPC, IAM, CloudTrail)

[ DynamoDB Streams ]

- Changes in DynamoDB (CUD) can end up in a DynamoDB Stream

- This stream can be read by AWS Lambda, and we can then do :

  1) React to changes in real time (eg. welcome email to new users)

  2) Analytics

  3) Create derivative(파생되는) tables / views

  4) Insert into Elastic Search

- Could implement cross region replication using Streams

- Stream has 24 hours of data retention

※ Before create a DynamoDB Global Table, DynamoDB Streams must be enabled first

: DynamoDB 를 글로벌로 사용하기 전에 DynamoDB Stream 을 활성화 시켜야 한다

[ DynamoDB - New Features ** ]

Transactions (new from Nov 2018)

- All or nothing type of operations

- Coordinated Insert, Update & Delete across multiple tables

- Include up to 10 unique items or up to 4 MB of data

On Demand (new from Nov 2018)

- No capacity planning needed (WCU/RCU) - scales automatically

- x2.5 more expensive than provisioned capacity (use with care)

- Helpful when spikes are un-predictable or the application is very low throughput

[ DynamoDB - Security & Other Features ]

- Security :

  1) VPC Endpoints available to access DynamoDB without internet

  2) Access fully controlled by IAM

  3) Encryption at rest using KMS

  4) Encryption in transit using SSL/TLS

- Backup and Restore feature available

  1) Point in time restore like RDS

  2) No performance impact

- Global Tables

  Multi region, fully replicated, high performance

- Amazon DMS can be used to migrate to DynamoDB (from Mongo, Oracle, MySQL, S3, etc..)

- You can launch a local DynamoDB on your computer for development purposes

- Global Tables (cross region replication)

  Active Active replication, many regions

  Must enable DynamoDB Streams

  Useful for low latency, DR purposes

- Capacity planning

  1) Planned capacity : provision WCU&RCU, can enable auto scaling

  2) On-demand capacity : get unlimited WCU & RCU, no throttle, more expensive

You have deployed a CDN using CloudFront

What if you wanted to run a global AWS Lambda alongside?

Or how to implement request filtering before reaching your application?

: you can use Lambda@Edge 

 deploy Lambda functions alongside your CloudFront CDN

   - build more responsive applications

   - don't manage servers, Lambda is deployed globally

   - Customize the CDN content

   - Pay only for what you use

You can use Lambda to change CloudFront requests and reponses :

After CloudFront receives a request from a viewer (viewer request)

Before CloudFront forwards the request to the origin (origin request)

After CloudFront receives the response from the origin (origin reponse)

Before CloudFront forwards the response to the viewer (viewer response)

Example of Lambda@Edge : Global application

Lambda@Egde : Use Cases

- Website Security and Privacy

- Dynamic Web Application at the Edge

- Search Engine Optimization (SEO)

- Intelligently Route Across Origins and Data Centers

- Bot Mitigation at the Edge

- Real-time Image Transformation

- A/B Testing

- User Authentication and Authorization

- User Prioritization

- User Tracking and Analytics

Serverless

- Serverless is a new paradigm in which the developers don't have to manage servers anymore

- just deploy code, just deploy functions

- Serverless == FaaS(Function as a Service)

- Serverless was pioneered by AWS Lambda but now also includes anything that's managed such as databases, messaging, storage, etc.

- Serverless doesn't mean there are no servers

Serverless in AWS 

: AWS Lambda, DynamoDB, AWS Cognito, AWS API Gateway, S3, Fargate...

[ Why use AWS Lambda (compare Amazon EC2 with AWS Lambda) ] 

Amazon EC2

- Virtual Servers in the Cloud

- Limited by RAM and CPU

- Continuously running

- Scaling means intervention to add /remove servers

AWS Lambda

- Virtual functions - no servers to manage

- Limited by time - short executions

- Run on-demand

- Scaling is automated

[ Benefits of AWS Lambda ]

-Easy Pricing

  Pay per request and compute time

  Free tier of 1,000,000 AWS Lambda requests and 400,000 GBs of compute time

- Integrated with the whole AWS suite of services

- Integrated with many programming languages 

- Easy monitoring through AWS CloudWatch

- Easy to get more resources per functions (up to 10GB of RAM)

- Increasing RAM will also improve CPU and network

[ AWS Lambda language support ]

- js

- Python

- Java

- C#

- Go

- Ruby

- Custom Runtime API 

- Lambda Container Image

  The container image must implement the Lambda Runtime API

  ECS / Fargate is preferred for running arbitrary(임의적인 멋대로인) Docker images

[ AWS Lambda Integrations Main ones ]

- API Gateway

- Kinesis

- Dynamo DB

- S3

- CloudFront

- CloudWatch Events Event Bridges

- CloudWatch Logs

- SNS

- SQS

- Cognito

[ Example : Serverless Thumbnail creation ]

[ Example : Serverless CRON job ]

[ AWS Lambda Pricing ]

- https://aws.amazon.com/lambda/pricing/ 

- Pay per calls 

  first 1,000,000 requests are free

  $0.20 per 1 million requests 

- Pay per duration : 

  400,000 GB seconds of compute time per month if FREE

  == 400,000 sec if function is 1GB RAM

  == 3,200,000 seconds if function is 128MB RAM

- After that $1.00 for 600,000 GB-sec

- It is usually very cheap to run AWS Lambda so it's very popular

[ AWS Lambda Limits to Know - per region ]

Execution :

1) Memory allocation 128mb-10GB (64mb increments)

2) Maximum execution time : 900 sec (15min)

3) Environment variables (4 KB)

4) Disk capacity in the function container (in /tmp) : 512MB

5) Concurrency executions : 1000 (can be increased)

Deployment :

1) Lambda function deployment size (compressed .zip) : 50MB

2) Size of uncompressed deployment (code + dependencies) : 250MB

3) Can use the /tmp directory to load other files at startup

4) Size of environment variables : 4 KB

[ Amazon S3 - Buckets ]

- Amazon S3 allows people to store objects (files) in "buckets" (directories)

- Buckets must have a globally unique name

- Buckets are defined at the region level

- Naming convention

 1) No uppercase

 2) No underscore

 3) 3-63 characters long

 4) Not an IP

 5) Must start with lowercase letter or number 

* bucket name must be globally unique

* global console, region service

[ Amazon S3 - Objects ]

- Objects (files) have a key

- The key is the FULL path :

  s3://my-bucket/my_forder1/my_file.txt

- The key is composed of prefix(my_forder1/)+object name(my_file.txt)

- There is no concept of directories within buckets

- Object values are the content of the body :

   Max Object Size is 5TB

   If uploading more than 5GB, must use "multi-part upload"

- Metadata (list of text key/value pairs - system or user metadata)

- Tags (Unicode key/value pair - up to 10) - useful for security/lifecycle

- Version ID (if versioning is enabled)

[ Amazon S3 - Versioning ]

- You can version your files in Amazion S3

- It is enabled at the bucket level

- Same key overwrite will increment the version : 1,2,3..

- It is best practice to version your buckets

  Protect against unintended deletes

  Easy roll back to previous version

- Any file that is not versioned prior to enabling versioning will have version null (버져닝을 활성화 하기전의 버전은 null)

- Suspending(보류) versioning does not delete the previous versions

[ S3 Encryption for Objects ]

There are 4 methods of encrypting objects in S3

1) SSE-S3 : encrypts S3 objects using keys handled & managed by AWS

  - Object is encrypted server side

  - AES-256 encryption type

  - Must set header : "x-amz-server-side-encryption":"AES256"

2) SSE-KMS : leverage AWS key Management Service to manage encryption keys

  - encryption using keys handled & managed by KMS

  - KMS Advantages : user control + audit trail

  - Object is encrypted server side

  - Must set header : "x-amz-server-side-encryption":"aws:kms"

3) SSE-C : when you want to manage your own encryption keys

  - server-side encryption using data keys fully manged by the customer outside of AWS

  - Amazon S3 does not store the encryption key you provide

  - HTTPS must be used

  - Encryption key must provided in HTTP headers, for every HTTP request made

4) Client Side Encryption

  - Client library such as the Amazone S3 Encryption Client

  - Clients must encrypt data temselves before sending to S3

  - Clients must encrypt data temselves when retrieving from S3

  - Customer fully manages the keys and encryption cycle

# Encryption in transit (SSL/TLS)

- Amazon S3 exposes :

  HTTP endpoint : non encrypted

  HTTPS endpoint : encryption in flight

- You are free to use the endpoint you want, but HTTPS is recommended

- Most clients would use the HTTPS endpoint by default

* HTTPS is mandatory for SSE-C

[ Route53 ]

- Route53 is a Managed DNS (Domain Name System)

- DNS is a collection of rules and records which helps clients understand how to reach a server through its domain name

* You pay 0.5$ per month per hosted zone

- In AWS, the most common records are :

  1) A : host name to IPv4

  2) AAAA : hostname to IPv6

  3) CNAME : hostname to hostname

  4) Alias : hostname to AWS resource

- Route 53 can use :

  public domain names you own (or buy)

  private domain names that can be resolved by your instances in your VPCs.

- Route 53 has advanced features such as :

  Load balancing (through DNS - also called client load balancing)

  Health checks (although limited..)

  Routing policy : simple, failover, geolocation, latency, weighted, multi value 

[ DNS Records TTL (Time to Live) ]

Web browser cache 가 살아있는 시간.

Web browser 는 Route 53 에 DNS 요청을 하고 도메인에 해당하는 IP와 함께 TTL을 받아 TTL 시간동안 DNS 를 캐싱한다. TTL이 다 지날 경우 다시 DNS 요청을 하여 IP를 다시 캐싱한다.

TTL 시간이 길 수록 DNS 트래픽은 줄어들고 웹브라우저가 옛날 아이피로 요청할 가능성이 높아진다. (DNS 의 A record설정을 수정할 경우)

TTL 값은 필수 DNS record

- High TTL (eg. 24 hour)

  Less traffic on DNS, Possibly outdated records

- Low TTL (eg. 60 seconds)

  More traffic on DNS, Records are outdated for less time, Easy to change records

* TTL is mandatory for each DNS record

[ CNAME vs Alias ]

CNAME 은 도메인(호스트) 호출시 다른 호스트명으로 리다이렉트, 유료, 도메인은 사용 불가, 유료

Alias 는 도메인(호스트) 호출시 AWS 리소스로 리다이렉트, root 도메인도 사용 가능, 무료

CNAME :

- Points a hostname to any other hostname (app.mydomain.com > blabla.anything.com)

- only for Non Root domain (eg. something.mydomain.com)

- not free

Alias :

- Points a hostname to an AWS Resource (app.mydomain.com > blabla.amazonaws.com)

- Works for Root domain and non root domain (eg. mydomain.com)

- Free of charge

- Native health check

[ Simple Routing Policy ]

1개의 CNAME/Alias 에 1개의 A record 지정한 1:1 관계. health check 사용 불가

1개의 CNAME/Alias 에 2개 이상의 A record 가 지정되있을 경우 client 가 랜덤으로 IP 선택

- Use when you need to redirect to a single resource

- You can't attach health checks to simple routing policy

* If multiple values are returned, a random one is chosen by the client

 (=client side load balancing)

[ Weighted Routing Policy ]

A record 마다 가중치를 다르게 주어 트래픽을 분산하는 정책

- Control the % of the requests that go to specific endpoint

- Helpful to test 1% of traffic on new app version for example

- Helpful to split traffic between two regions

- Can be associated with Health Checks

[ Latency Routing Policy ]

최저응답시간을 갖는 A record 로 리다이렉트 시키는 정책

(eg. 한국/미국/영국 region 의 인스턴스를 latency routing policy 를 적용하여 하나의 CNAME 의 A record 로 지정한 후 서울에서 DNS 요청시 한국 A record 의 인스턴스가 응답함)

- Redirect to the server that has the least latency close to us

- Super helpful when latency of users is a priority

- Latency is evaluated in terms of user(사용자 측면에서) to designated(지정된) AWS Region (유저마다 최저응답시간을 갖는 호스트로 라우팅됨)

- Germany may be directed to the US (if that's the lowest latency)

[ Health Checks ]

설정한 Check Interval 의 수만큼 연속으로 instance (IP) 에 ping 을 날려 instance 의 상태를 파악

- Have 3 (default value is 3) health checks failed => unhealthy

- After 3 (default value is 3) health checks passed => health

- Default Health Check Interval : 30s (can set to 10s - higher cost)

- About 15 health checkers will check the endpoint health

   => one request every 2 seconds on average

- Can have HTTP, TCP and HTTPS health checks (no SSL verification)

- Possibility of integrating the health check with CloudWatch 

* Health checks can be linked to Route53 DNS queries

[ Failover Routing Policy ]

1. Web browser 가 Route53 에 DNS 요청

2. Route 53 은 primary instance에 Health check

3. Primary instance 가 unhealthy 할 경우 secondary instance (DR(disaster recovery)) 에 요청

[ Geolocation Routing Policy ]

지역설정을 하여 해당 지역에서 오는 request 는 특정 A record 의 instance 가 처리

지정하지 않은 지역으로부터 요청이 올 경우 default 로 설정해놓은 A record 의 instance 가 처리

- Different from Latency based

- This is routing based on user location

- Here we specify : traffic from the UK should go to this specific IP

* Should create a "default" policy (in case there's no match on location)

[ Multi Value Routing Policy (=client side load balancing) ]

동일한 DNS 에 A record 를 최대 8개 까지 설정

client 에서 Route 53 에 DNS 요청시 healthy 한 instance 만 response

client 는 healthy 한 instance 중에서 하나의 instance에 random 하게 요청

- Use when routing traffic to multiple resources

- Want to associate a Route 53 health checks with records

- Up to 8 healthy records are returned for each Multi Value query

* Multi Value is not a substitute for having an ELB

[ # Hands-on : Route53 에 record, health check 설정 방법 ]

1. health check 생성 (instance IP or Domain 입력)

2. Route 53 의 record 생성

- Name : sample.testaws.com  (sample 이 Record set 의 name 이자 domain 이 됨)

- Type : A record ( IPv4 )

- TTL : IP 유효시간 설정

- Value : Type의 value 로, A record 선택시 인스턴스의 IPv4 입력

- Routing Policy : simple(단일 A record), failover, geolocation, latency, weighted, multi value.. 선택

3. 선택한 record 의 Routing Policy 에 따라 Associate with Health check 옵션 Yes 로 선택 및 Health Check 선택

: 위와 같이 설정시 client 는 DNS 요청을 Route53 에 하며 health check 를 통해 주기적으로 ping 을 하여 IP의 instance 가 healthy/unhealty 한지 파악. 인스턴스의 상태에 따라 선택한 Routing Policy 에 따라 다르게 동작

[ Route 53 as a Registrar ]

Rregistrar 는 예약된 Internet domain names을 관리하는 조직

- A domain name registrar is a organization that manages the reservation of Internet domain names

(eg. Google Domains, and also Route53(AWS))

* Domain Registrar != DNS (but each domain registrar usually comes with some DNS features)

# 3rd Party Registrar with AWS Route 53

3rd Party 에서 AWS Route53 의 DNS 서버 사용하기

1) 3rd Party (ex: Google) 가 제공하는 Name Server 대신 Custom Name Server 를 사용하도록 설정

2) 이때 Custom Name Server 는 Route53 에서 생성한 Hosted Zone 의 Name Server 로 설정 (Hosted Zone 생성 후 Hosted Zone 클릭시 노출되는 Details 정보 안에 Name Server 정보가 있음)

- If you buy your domain on 3rd party website, you can still use Route53

1) Create a Hosted Zone in Route53

2) Update NS Records on 3rd party website to use Route53 name servers

[ 1. AZ (Availability Zones) ]

AWS 의 물리적 자원은 지역적 제약조건이 있다

region 은 지역, Availability Zones 은 지역 밑에 물리적으로 분리되어있는 더 작은 지역의 개념.

AZ 밑의 각각의 데이터센터는 서로 떨어져 있으므로 재난으로부터 동시에 영향을 받지 않는다

EC2 인스턴스는 region 기반, IAM 은 global (region 제약이 없음)

each region has many availability zones ( min 2, max 6)

eg) ap-southeast-2 has following AZs.

ap-southeast-2a

ap-southeast-2b

ap-southeast-2c

1) Each AZ is one or more discrete data centers with redundant power, networking and connectivity

2) They're separate from each other, so that they're isolated from disasters

3) They're connected with high bandwith, ultra-low latency networking

* EC2 based on region

* IAM is global

* Some service is not offered in some regions

(can check at AWS > Regional Table)

[ 2. IAM (Identity and Access Management) ]

AWS 보안 관련 설정으로 Users/Groups/Roles/Policies 등의 설정이 있다

IAM 설정은 Global

Root 계정(AWS계정)의 직접 사용을 지양하고 IAM 으로 Admin 계정/그룹을 생성하여 Admin policies 를 부여, Admin 계정을 대신 사용한다

Your whole AWS security is there:

- Users : physical person

- Groups : contains users

- Roles : internal usage within AWS resources (for machine)

- Policies : AdministratorAccess, ... 등

Root account should never be used (and shared)

Users must be created with proper permissions

IAM is at the center of AWS

Policies are written in JSON

IAM has a global view(can be across all the regions)

Permissions are governed by Policies(JSON)

MFA(Multi Factor Authentication) can be setup (do not use root account)

IAM has predefined "managed policies"

It is best to give users the minimal amount of permissions thy need to perform their job (least privilege principles)

# IAM Federation (for big enterprise)

big enterprises usually integrate their own repository of users with IAM

this way, one can login into AWS using their company credentials

Identity Federation uses the SAML standard (Active Directory)

*

One IAM User per physical person

One IAM Role per application

IAM credentials should never be shared

never write IAM credentials in code. ever.

and even less, never commit your IAM credentials.

never use the root account except for initial setup.

never use ROOT IAM credentials

[ IAM 최초 Admin 설정 ]

1. activate MFA (multi factor authentication)

continue to security credentials 버튼 클릭

virtual MFA device 클릭

google OTP app download 

OTP app으로 QR 코드 인식 후 auth code 1, 2 입력

2. User 생성 (Admin)

access type programatic access 체크

AWS management console access 체크

Console password : autogenerated password

require password reset : user must create a new password at next login 체크

Attach existing policies > AdministratorAccess 체크

Create user without a permissions boundary 체크

* user 생성 완료 페이지에서 유저 정보가 있는 .csv 파일 다운로드

3. Group 생성 (Admin)

AdministratorAccess policy 체크

4. Group 에 2에서 생성한 Admin User 추가

5. User의 Admin policy 재설정

User 설정에서 User 에 직접 부여된(Attached directly) Admin 권한 제거 

6. IAM password policy 설정

enable password expiration 등등

7. IAM users sign-in link 커스터마이징

IAM users sign-in link 우측의 customize 버튼 클릭 후 link alias 입력

8. link 에 접속후 생성한 Admin User 아이디로 로그인 및 패스워드 변경(최초 로그인은 2에서 다운로드 받은 .csv 파일에 적혀있음)