Skip to content

태그: AWS

AWS Organization

AWS Organization는 AWS 계정 (accounts)을 단일 단위로 통합해 관리할 수 있는 개체이다. Organization 안의 모든 계정을 중앙에서 확인하고 관리할 수 있다. AWS Organizations는 비즈니스의 예산, 보안과 규정 준수 필요 충족에 도움이 되는 계정 관리 및 통합 결제 기능까지 함께 제공한다. 조직의 관리자로서 조직에서 계정을 생성하고 기존 계정을 조직에 초대할 수 있다. 1개의 관리자 계정(management account)과 0개 이상의 멤버 계정(member account)을 갖고 있다. 위 그림에 나타나 있듯이 tree 계층 구조로 OU를 생성할 수 있다. 각 계정(Each Account)을 OU에 포함하거나 루트에 포함할 수 있다. 루트 (Root) Orga

SAA 오답노트

The founder has provisioned an EC2 instance 1A which is running in region A. Later, he takes a snapshot of the instance 1A and then creates a new AMI in region A from this snapshot. This AMI is then copied into another region B. The founder provisions an instance 1B in region B using this new AMI in region B. At this point in time, what entities exist in region B? Keyword: AMI Answer: 1 EC2

API Gateway is a fully managed service for developers that makes it easy to build, publish, manage, and secure entire APIs. With a few clicks in the AWS Management Console, you can create an API that acts as a “front door” for applications to access data, business logic, or functionality from your back-end services, such as workloads running on EC2 code running on AWS Lambda, or any web applicatio

AWS cloud computing

In 2006, Amazon Web Services(AWS) began offering IT infrastructure services(cloud computing). Ont of the key benefits of cloud computing is the opportunity to replace upfront capital infrastructure expenses with low variable costs that scale with your business. With the cloud, businesses no longer need to plan for and procuure servers and other IT infrastructure weeks or month in advance. Instead,

Amazon Athena는 오픈 소스 프레임워크를 기반으로 구축된 서버리스 대화형 분석 서비스로, 오픈 테이블 및 파일 형식을 지원한다. 페타바이트 규모의 데이터를 분석할 수 있는 간단한 방법을 제공한다. Athena를 사용하면 SQL 또는 Python을 사용하여 Amazon Simple Storage Service(S3) 데이터 레이크와 온프레미스 데이터 소스나 다른 클라우드 시스템을 포함한 30개의 데이터 소스에서 데이터를 분석하거나 애플리케이션을 구축할 수 있다. 오픈 소스 Trino 및 Presto 엔진과 Apache Spark 프레임워크를 기반으로 구축되어 있으며, 프로비저닝이나 구성 작업 없이 사용할 수 있다. SQL용 Amazon Athena는 AWS Management Conso

Amazon EMR (previously called Amazon Elastic MapReduce) is a managed cluster platform that simplifies running big data frameworks, such as Apache Hadoop and Apache Spark, on AWS to process and analyze vast amounts of data. MapReduce is a programming model and an associated implementation for processing and generating big data sets with a parallel, distributed algorithm on a cluster, EMR is provide

Amazon Glue is a serverless data integration service that makes it easy to discover, prepare, and combine data for analytics, machine learning, and application development. AWS Glue uses other AWS services to orchestrate your ETL (extract, transform, and load) jobs to build data warehouses and data lakes and generate output streams. AWS Glue calls API operations to transform your data, create runt

Amazon Kinesis makes it easy to collect, process, and analyze real-time, streaming data so you can get timely insights and reacy quickly to new information. With Amazon Kinesis, you can ingest real-time data such as video, audio, application logs, website clickstreams, and IoT telemetry data for machine learning, analytics, and other applications. Amazon Kinesis enables you to process and analyze

AWS Lake Formation is fully managed service that helps you build, secure, and manage data lakes, and provide access control for data in the data lake. Granular access permissions Customers acress lines of business (LOBs) need a way to manage granular access permissions for different users at the table and column level. Lake Formation helps you manage fine-grained access for internal and external

ASG Lifecycle Hook

ASG를 통해 생성되는 인스턴스들은 아래와 같은 Lifecycle을 가지고 있다. ASG가 인스턴스를 증가시키는 이벤트는 Scale out 이벤트이며, 이 때는 Pending 상태가 된다. 인스턴스가 부트스트랩 과정을 마치고 나면 InService 상태가 된다. 인스턴스가 축소되는 이벤트는 Scale in 이벤트이며, Terminating 상태를 거쳐 Terminated 상태가 된다. ASG의 Lifecycle Hook은 이 과정 중 Scale in과 Scale out 과정에 설정할 수 있다. 먼저 Scale out 이벤트에 걸게 된다면 인스턴스는 Pending 이후에

AWS Auto Scaling lets you build scaling plans that automate how groups of different resources respond the changes in demand. You can optimize availability, costs, or a balance of both. AWS Auto Scaling automatically creates all of the scaling policies and sets targets for you based on your prefenence. componets Groups: These are logical components. A webserver group of EC2 instances, a database g

Auto Scaling termination policies

When Amazon EC2 Auto Scaling terminates instances, it attempts to maintain balance across the Availability Zones that are used by your Auto Scaling group. Maintaining balance across Availability Zones takes precedence over termination policies. If one Availability Zone has more instances than the other Availability Zones that are used by the group, Amazon EC2 Auto Scaling applies the termination p

Scaling cooldowns

After your Auto Scaling group launches or terminates instances, it waits for a cooldown period to end before any further scaling activities initiated by simple scaling policies can start. The intention of the cooldown period is to prevent your Auto Scaling group from launching or terminating additional instances before the effects of previous activities are visible. Suppose, for example, tha

State Change Event

Amazon EC2 sends an EC2 Instance State-change Notification event to Amazon EventBridge when the state of an instance changes. The following is example data for this evnet. In this example, the instance entered the pending state. { "id":"7bf73129-1428-4cd3-a780-95db273d1602", "detail-type":"EC2 Instance State-change Notification", "source":"aws.ec2", "account":"123456789012", "time":"2021

EC2 spins up resizable server instances that can sacle up an down quickly. An instance is a virtual server in the cloud. With Amazon EC2, you can set up and configure the operating system and appplications that run on your instance. Its configuration at launch is a live copy of Amazon Machine Image (AMI) that you specify when you launched the instance. EC2 has an extemely reduced time frame for pr

An EC2 Fleet contains the configuration information to launch a fleet—or group—of instances. In a single API call, a fleet can launch multiple instance types across multiple Availability Zones, using the On-Demand Instance, Reserved Instance, and Spot Instance purchasing options together. Using EC2 Fleet, you can: Define separate On-Demand and Spot capacity targets and the maximum amount you’re

Elastic Fabric Adapter

An Elastic Fabric Adapter (EFA) is a network device that you can attach to your Amazon EC2 instance to accelerate High Performance Computing (HPC) and machine learning applications. EFA enables you to achieve the application performance of an on-premises HPC cluster, with the scalability, flexibility, and elasticity provided by the AWS Cloud. EFAs provide lower and more consistent latency and high

AWS Instance Store는 Amazon Elastic Compute Cloud (EC2)에서 제공하는 임시 블록 수준 스토리지 서비스이다. EC2 인스턴스에 직접 연결된 로컬 디스크로, EC2 인스턴스가 실행 중인 동안에만 데이터를 유지한다. Instance Store는 인스턴스와 함께 묶여 있어 저렴하면서도 빠른 I/O 처리량을 제공한다. 그러므로 인스턴스 스토어를 사용하여 저지연 및 높은 처리량 작업을 수행할 수 있다. (대규모 데이터베이스, 데이터 웨어하우스, 로그 분석, 캐싱 등) 하지만 Instance Store는 휘발성이므로, 인스턴스가 종료되거나 재부팅되면 데이터가 영구적으로 삭제된다. 그러므로 임시 데이터나 캐시와 같이 데이터의 지속성이 필요하지 않은 작업에 적합하다. AWS Inst

RI와 Saving plan

RI 예약 인스턴스(Reserved Instance)라고 한다. 1년 혹은 3년 동안 EC2 혹은 RDS 인스턴스의 특정 유형을 예약하여 사용하는 방법이다. 예를 들어, t2.micro 인스턴스 3개를 1년치 예약한다고 하자. 그럼 1년 동안은 실행 중인 t2.micro 인스턴스 3개에 대해 추가 비용 없이 사용할 수 있다(이미 비용을 지불했기 때문). 즉, 기존 t2.micro 인스턴스를 삭제하고 새로운 t2.micro 인스턴스를 생성해도 새로운 인스턴스는 자동으로 예약 인스턴스에 포함된다. 예약 인스턴스는 3가지 결제 방식을 지원한다. 전체 선결제(All Upfront) 비용을 모두 선결제, 가장 저렴하다. 부분 선결제(Partial Upfront) 일부는 선결제, 일부는 선결제 없음(No Upfro

Spot Instance A Spot Instance is a type of AWS EC2 instance that allows you to use spare Amazon EC2 computing capacity at a significantly reduced cost compared to on-demand instances. You bid for this unused capacity, and when your bid meets or exceeds the current Spot price, your instance runs. However, your Spot Instance can be interrupted and terminated if the Spot price goes higher than your

Amazon Elastic Container Service (Amazon ECS) is a fully managed container orchestration service that helps you easily deploy, manage, and scale containerized applications. As a fully managed service, Amazon ECS comes with AWS configuration and operational best practices built-in. It’s integrated with both AWS and third-party tools, such as Amazon Elastic Container Registry and Docker. This integr

ECS Getting started on Fargate

Amazon Elastic Container Service (Amazon ECS) is a highly scalable, fast, container management service that makes it easy to run, stop, and manage your containers. You can host your containers on a serverless infrastructure that is managed by Amazon ECS by launching your services or tasks on AWS Fargate. Let’s start to build ECS using linux container on Fargate Step 1: Create the cluster Create a

Elastic Beanstalk

Elastic Beanstalk is another way to script out your provisioning process by deploying existing applications to the cloud. ElasticBeanstalk is aimed toward developers who know very little about the cloud and want the simplest way of deploying their code. Just upload your application and Elastic Beanstalk will take care of the underlying infrastructure. Elastic Beanstalk has capacity provisioni

Fargate is a servreless compute engine for containers. The Fargate launch type allows you to run your containerized applications without the need to procision and manage the backend infrastructure. Just register your task definition and Fargate launches the container for you. It works with both Amazon Elastic Container Service (ECS) and Amazon Elastic Kubernetes Service (EKS) Fargate makes

AWS LAmbda leys you run code without provisioning or managing servers. You pay only for the compute time you consume. With Lambda, you can run code for virtually any type of application or backend service all with zero administration. You upload your code and Lambda takes care of everything required to run and scale your code with high availability. You can set up your code to be automatically tri

Aurora is the AWS flagship DB known to combine the perfoemance and availability of traditional enterprise databases with the siplicity and cost-effectiveness of open source databases. It is a MySQL/PostgreSQL-compatible RDBMS that provides the security, availability, and reliability of commercial databases at 1/10th the cost of competitors. It is far more effective as an AWS database due to the 5x

Amazon DynamoDB is a key-balue and document database that delivers single-digit milisecond performance at any scal. It’s a fully managed, multiregion, millisecond performance at any scale. It’s a fully managed, multiregion, muultimaster, durable non-SQL database, It comes with build-in security, backup and restore, and in-memory caching for internet-scale applications. The main components of Dy

EFS provides a simple and fully managed elastic NFS file system for use within AWS. EFS automatically and instantly scales your file system storage capacity up or down as you add or remove files withour disrupting you application. In EFS, storage capacity is elastic (grows and shrinks automatically) and its size shanges based on adding or removing files. While EVS mounts one EBS volume to one

RDS is managed service that makes it easy to set up, operate and scale a relational database in AWS. It provides cost-efficient and resizable capacity while automating or outsourcing time-consuming adming administration tasks such as hardware provisioning, database setup, patching and backups. RDS comes in six different flavors: SQL Server Oracle MySQL Server PostgreSQL MariaDB Aurora Think

By using Amazon RDS Proxy, you can allow your applications to pool and share database connections to improve their ability to scale. RDS Proxy establishes a database connection pool and reuses connections in this pool. This approach avoids the memory and CPU overhead of opening a new database connection each time. Advantages RDS Proxy makes applications more resilient to database failures

Amazon Redshift is a fully managed, petabyte-scale data warehouse service in the cloud. The Amazon Redshify service manages all of the work of setting up, operating, and scaling a data warehouse. These tasks include provisioning capacity, monitoring and backing up the cluster, and applying patches and upgrades to the Amazon Redshift engine. An Amazon Redshift cluster is a set of nodes which con

managementandgovernance

CloudFormation is an automated tool for provisioning entire cloud-based environments. It is similar to Terraform where you cofify the instructions for what you want to have inside your application setup (X many web servers of Y type with a Z type DB on the backend, etc). It makes it a lot easier to just describe what you want in markup and have AWS do the actual provisioning work involved. The

managementandgovernance

AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With it, you can log, continously monitor, and retain account activity related to actions acress your AWS infrastructure. CloudTrail provieds event history of your AWS account activity including actions taken through the AWS Management Console, AWS SDKs, command line tools

managementandgovernance

Amazon CloudWatch is a monitoring and observablility service. It provides you with data and actionable insights to monitor your applications, respond to system-wide performmance changes, optimize resource utilization, and get a unified view of operational health. CloudWitch collects monitoring and operational data in the form of logs, metrics, and events. You can use CloudWatch to detext anom

AWS 리소스 구성 후 관리자는 VPC 외부에서 Private Subnet에 직접 접근할 수 없다. Private Subnet의 Private한 특성을 지키기 위해 Public Subnet인 인스턴스를 하나 만들어서 그 인스턴스를 통해 접근하는 방법을 많이 쓰는데, 이러한 host를 Bastion Host라고 부른다. 쉽게 말하면 내부와 외부 네트워크 사이에서 일종의 게이트 역할을 수행하는 호스트이다. 관리자가 Bastion Host으로 SSH 연결을 한 후 Bastion Host에서 Private Subnet의 Host에 SSH 연결을 하는 형태로 Private Subnet에 접근할 수 있다. SSH 연결을 수행해야 하기 때문에 Bastion Host 또한 Public Subnet에 위치하는 EC2 In

The AWS CDN service is called CloudFront. It serves up cached content and assets for the increased global performance of you application. The main components of ClouFront: adge locations: cache endpoint the origin: original sourve of truth to be cached such as an EC2 instance, an S3 bucket, an Elastic Load Balancer or a Route 53 config distribution: the arrangement of edge locations from the orig

Direct Connect Gateway

Use AWS Direct Connect gateway to connect your VPCs. You associate an AWS Direct Connect gateway with either of the following gateways: A transit gateway when you have multiple VPCs in the same Region A virtual private gateway You can also use a virtual private gateway to extend your Local Zone. This configuration allows the VPC associated with the Local Zone to connect to a Direct Connect gatew

EC2 Instance Connect Endpoint

Imagine trying to connect to an EC2 instance within your VPC over the Internet. Typically, you’d first have to connect to a bastion host with a public IP address that your administrator set up over an IGW in your VPC, and then use port forwarding to reach your destination. EC2 Instance Connect (EIC) Endpoint is allows you to connect securely to you instances and other VPC resources from the Intern

An elastic network interface is a networking component that represents a virtual network card. It can include the following attributes: A primary private IPv4 address from the IPv4 address range of your VPC One or more secondary private IPv4 addresses from the IPv4 address range of your VPC One Elastic IP address (IPv4) per private IPv4 address One public IPv4 address One or more IPv6 addresses O

Global Accelerator

AWS Global Accelerator is a networking service that helps you improve the availability and performance of the applications that you offer to your global users. AWS Global Accelerator is easy to set up, configure, and manage. It provides static IP addresses that provide a fixed entry point to your applications and eliminate the complexity of managing specific IP addresses for different AWS Regions

NAT gateway & NAT instance

속성NAT 게이트웨이NAT 인스턴스가용성고가용성. 각 가용 영역의 NAT 게이트웨이는 중복적으로 구현됩니다. 각 가용 영역에 하나의 NAT 게이트웨이를 만들어 아키텍처가 영역에 종속되지 않도록 한다.스크립트를 사용하여 인스턴스 간의 장애 조치를 관리한다.대역폭최대 100Gbps까지 확장한다.인스턴스 유형의 대역폭에 따라 다르다.유지 관리AWS에서 관리한다. 유지 관리 작업을 수행할 필요가 없다.사용자가 관리한다(예: 인스턴스에 소프트웨어 업데이트 또는 운영 체제 패치 설치).성능소프트웨어가 NAT 트래픽 처리에 최적화되어 있다.NAT를 수행하도록 구

Amazon Route 53 is a highly available and scalable Domain Name System(DNS) service. You can use Route 53 to perform three main functions in any combination: domain registration, DNS routing, and health checking. DNS is used to map human-readable domain names into an internet protocol address similarly to how phone books map company names with phone numbers. When you buy a domain name, every D

Transit Gateway

AWS Transit Gateway connects your Amazon Virtual Private Clouds (VPCs) and on-premises networks through a central hub. This connection simplifies your network and puts an end to complex peering relationships. Transit Gateway acts as a highly scalable cloud router—each new connection is made only once. Use cases Deliver applications around the world: Build, deploy, and manage applications across

가상 프라이빗 클라우드(VPC)는 퍼블릭 클라우드 내에서 호스팅되는 안전하고 격리된 프라이빗 클라우드이다. VPC를 사용하면 정의한 논리적으로 격리된 가상 네트워크에서 AWS 리소스를 효율적으로 관리할 수 있다. VPC별로 네트워크를 구성하거나 각각의 VPC에 따라 다르게 네트워크 설정을 줄 수 있다. 또한 각각의 VPC는 완전히 독립된 네트워크처럼 작동한다. 아래 그림은 VPC의 예시이다. VPC에는 리전의 각 가용성 영역에 하나의 서브넷이 있고, 각 서브넷에 EC2 인스턴스가 있고, VPC의 리소스와 인터넷 간의 통신을 허용하는 인터넷 게이트웨이가 있는 구조이다. 쉽게 예시를 들자면, 퍼블릭 클라우드를 붐비는 레스토랑으로, 가상 프라이빗 클라우드를 붐비는 레스토랑의 예약된 테이블로 생각해볼 수 있다.

VPC Mapping Service

AWS VPC를 이용해서 가상 네트워크를 만들면 아래와 같은 구성이 된다. 물리 Host 내에 다수의 VPC가 존재할 수 있고, 각 VPC 간에는 독립적인 구성이 가능하다. 각 VPC는 서로 다른 IP 대역(CIDR)를 사용하는 것 뿐 아니라, 내부 IP를 같은 값으로 지정할 수도 있다. 하나의 VPC는 여러 물리 Host로 나뉘어 위치하기도 한다. 서로 다른 Host에 위치한 ZIGI-VM1과 ZIGI-VM3은 논리적으로 같은 네트워크이기 때문에 서로 간의 통신이 가능하다. 근데 물리적으로 서로 다른 ZIGI-VPC1과 ZIGI-VM3은 어떻게 통신이 가능할까? 바로 아래과 같이 VPC에 대한 정보는 Encapsulation하고, 통신하고자 하는 물리 Host IP 정보를 같이 담아 전송하게 된다. 그

A VPC endpoint enables customers to privately connect to supported AWS services and VPC endpoint services powered by AWS PrivateLink. Amazon VPC instances do not require public IP addresses to communicate with resources of the service. Traffic between an Amazon VPC and a service does not leave the Amazon network. VPC endpoints are virtual devices. They are horizontally scaled, redundant, and highl

VPCs can also serve as a bridge between your corporate data center and the WAS cloud. With a VPC Virtual Private Network (VPN), your NPC bocomes an extension of your ono-prem environment. Naturally, your instances that you launch in your VPC can’t communicate with your own on-premise servers. You can allow the access by first: attaching a virtual private gateway to the VPC. creating a custom

AWS Site-to-Site VPN You can create an IPsec VPN connection between your VPC and your remote network. On the AWS side of the Site-to-Site VPN connection, a virtual private gateway or transit gateway provides two VPN endpoints (tunnels) for automatic failover. You configure your customer gateway device on the remote side of the Site-to-Site VPN connection. For more information, see the AWS Site-to

Application LoadBalancer components

A load balancer serves as the single point of contact for clients. The load balancer distributes incoming application traffic across multiple targets, such as EC2 instances, in multiple Availability Zones. This increases the availability of your application. You add one or more listeners to your load balancer. A listener checks for connection requests from clients, using the protocol and port that

Connection Draining

Connection Draining is a feature provided by Elastic Load Balancer that allows in-flight requests to complete before terminating an unhealthy instance. When an instance becomes unhealthy, the ELB stops sending new requests to that instance but allows existing requests to complete within a specified timeout period. This helps prevent the loss of in-flight requests and provides a smooth transition w

Elastic Load Balancing automatically distributes incoming application traffic acress multiple targets, such as Amazon EC2 instances, Docker containers, IP addresses, and Lambda functions. It can handel the varying load of your application traffic in a single Availability Zone or acress multiple Availability Zones. Elastic Load Balancing offers three types of load balancers that all feature the hig

A network access control list (ACL) allows or denies specific inbound or outbound traffic at the subnet level. You can use the default network ACL for your VPC, or you can create a custom network ACL for your VPC with rules that are similar to the rules for your security groups in order to add an additional layer of security to your VPC. The following diagram shows a VPC with two subnets. Each sub

Security Groups

Security Groups are used to control access (SSH, HTTP, RDP, ect.) with EC2. They act as a virtual firewall for your instances to control inbound and outbound traffic When you launch an instance in a VPC, you can assign up to five security groups to the instance an security groups act at the instance level, not the subnet level. Security Groups control inbound and outbound traffic for your insta

AWS WAF is a web application thet let you allow or block the HTTP(s) requests that are bound for CloudFront, API Gateway, Application Load Balancers, EC2, and other Layer 7 entry points into you AWS Environment. AWS WAF gives you control over how traffic reaches your applications by enabling you to create security rules that block common attack patterns, such as SQL injection or cross-site scripti

AWS resouce는 전세계의 여러 위치에서 호스팅되고 있다. 그리고 내부적으로도 여러 영역으로 나뉘어있다. 그 중 Availability Zone, Local Zone, Wavelength Zones에 대해 알아보자. Availability Zone 각 Region에는 Availability Zone이라고 하는 여러 개의 격리된 위치가 있다. Availability Zone은 Region 내의 서버를 분리 시켜놔서, 일부분이 피해를 입어도 동작시키기 위해 구분해놓은 IDC라고 생각할 수 있다. ELB를 이용해서 서로 다른 AZ에서도 같은 서비스를 사용가능하게끔 트래픽을 분배시켜준다. 이러한 특징을 가용성이 높다고 표현한다. AZ IDs 리소스가 Availability Zone에 분산되도록 하기 위해,

Analytics QuickSight: Visualization Compute EC2: Elastic Compute Cloud 종류 On-Demand instances: 서버 대여, 시간 당 지불 Reserved instance: 1~3년간 대여 Spot instances: 사용자 제시 가격(입찰가격)을 정해놓고 저렴할 때 이용 placement default partition: 대규모 분산 및 복제 워크로드 cluster: HPC API Gateway: REST 및 Websocker API를 생성, 유지, 관리 Database EFS: File System DynamoDB: NoSQL RDS: RDBMS Aurora: 안정성과 고가용성을 겸비한 RDBMS (Serverless 가능

AWS Managed Microsoft AD

AWS offers AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD, to provide a highly available and resilient Active Directory service. Starting with Kerberos Kerberos is a subject that, on the surface, is simple enough, but can quickly become much more complex. If you wish to look further into the topic, see the Microsoft Kerberos documentation. In this post

Amazon Cognito is an identity platform for web and mobile apps. It’s a user directory, an authentication server, and an authorization service for OAuth 2.0 access tokens and AWS credentials. With Amazon Cognito, you can authenticate and authorize users from the built-in user directory, from your enterprise directory, and from consumer identity providers like Google and Facebook. User pools Crea

Conformance Packs & Security Hub

Conformance Packs A conformance pack is a collection of AWS Config rules and remediation actions that can be easily deployed as a single entity in an account and a Region or across an organization in AWS Organizations. Conformance packs are created by authoring a YAML template that contains the list of AWS Config managed or custom rules and remediation actions. You can also use AWS Systems Manager

IAM enables you to securely control access to AWS services and resources for your AWS users, groups, and roles. Using IAM, you can create and manage fine-grained access controls with permissions, specify who can access which services and resources, and under which conditions. IAM allows you to do the following: terms Users any individual end user such as an employee, system architect, CTO, etc. Gr

KMS는 Key Management Service의 약자로, 데이터를 암호화 할떄 사용되는 암호화 Key를 안전하게 관리하는데 목적을 둔 AWS의 서비스이다. KMS는 크게 세가지 방식으로 key 관리 서비스를 제공한다. AWS managed key AWS 서비스들이 내부적으로 발급받는 Key로, 내부적으로 자동으로 일어나게 되며 사용자가 직접적으로 제어가 불가능하다. 자신의 AWS 계정에 들어가면 만들어진 Key의 목록을 확인하는건 가능하다. (참고) 모든 AWS managed keys는 1년마다 rotate된다. 이 주기는 사용자가 변경할 수 없다. Customer managed key(CMK) 사용자가 직접 key를 생성하고 관리하는 것이다. CMK에 대해서는 IAM을 통해 권한을 부여받아 제

1. Intro IAM and KMS are easily one of the most 2 important services in terms of AWS security. KMS is used extensively for cryptographic operations not only within the AWS universe itself, but also in various hybrid architectures. It is a solid service which offers a wide variety of cryptographic services and possibilities. In this article, we will compare from a security point of view, the usage

MalformedPolicyDocument

Terminal windowaws_iam_policy.codebuild: Modifying... [id=arn:aws:iam::&x3C;AWS Account ID>:policy/bot-dev-CodeBuild-policy]Error: Error updating IAM policy arn:aws:iam::&x3C;AWS Account ID>:policy/bot-dev-CodeBuild-policy: MalformedPolicyDocument: Policy document should not specify a principal. status code: 400, request id: ...:policy/bot-dev-CodeBuild-policy]Error: Error updating IAM policy arn

Microsoft Active Directory

In 2017, AWS introduced AWS Directory Service for Microsoft Active Directory, also known as AWS Microsoft AS, which is managed Microsotf Active Directory (AD) that is performance optimized for small and midsize businesses. AWS Microsoft AD offers you a highly available and cost-effective primary directory in the AWS Cloud that you can use to manage users, groups, and computers. It enables you

WAF & Firewall Manager & Shield Advanced

You can use AWS WAF, AWS Shield, and AWS Firewall Manager together to create a comprehensive security solution. AWS WAF: A web application firewall that you can use to monitor web requests that your end users send to your applications and to control access to your content. AWS Shield: It provides protection against distributed denial of service (DDoS) attacks for AWS resources, at the network

AppSync는 AWS에서 제공하는 Managed GraphQL 서비스이다. 즉, 서버리스의 형태로 GraphQL 백엔드를 개발할 수 있는 서비스이다. AppSyn 를 사용하지 않고도 AWS Lambda 등을 활용하여 GraphQL 백엔드를 구축하는 것이 가능했으나, 이 경우에는 Lambda 메모리 사이즈, 콜드스타트, DataSource와의 통신, 인증된 유저 토큰 처리 등등 고민해야하고 직접 개발해야하는 것들이 더 많았다. 그러나 AppSync 를 활용하면 GraphQL 스키마를 작성하고 스키마의 각각의 필드에 대한 resolvers 를 작성하는 것만으로도 GraphQL 엔드포인트를 생성할 수 있다. Resolver AppSync에서는 resolver를 VTL이라는 자바 기반 템플릿 언어으로 작성한다.

AWS DataSync is a secure, online service that automates and accelerates moving data between on premises and AWS Storage services. DataSync can copy data between belows: Network File System (NFS) Server Message Block (SMB) Hadoop Distributed File Systems (HDFS) self-managed object storage AWS Snowcone Amazon Simple Storage Service (Amazon S3) buckets Amazon Elastic File System (Amazon EFS) file sy

Elastic Block Store (EBS) An Amazon EBS volume is a durable, block-level storage device that you can attach to a single EC2 instance. You can think of EBS as a cloud-based virtual hard dist. You can use EBS volumes as primary storage for data that requires frequent updates, such as the system drive for an instance or storage for a database application. You can also use them for throughput-intensiv

The main difference between gp2 and gp3, however, is gp3’s decoupling of IOPS, throughput, and volume size. This flexibility – the ability to configure each piece independently – is where the savings come in. On the opposite end of the spectrum, gp2 is quite inflexible. Sizing a gp2 volume involves considering both the storage and throughput requirements simultaneously, as volume performance h

EBS vs Instance Store

Characteristics Instance Store: Ephemeral storage: Data stored in Instance Store volumes is tied to the lifecycle of the EC2 instance. If the instance is stopped, terminated, or experiences a failure, the data is lost. High I/O performance: Instance Store provides high I/O performance and low latency since the storage is directly attached to the physical host of the EC2 instance. Instance-depen

EFS provides a simple and fully managed elastic NFS file system for use within AWS. EFS automatically and instantly scales you file system storage capacity up or down as you add or remove files without disrupting your application. In EFS, storage capacity is elastic (grows and shrinks automatically) and its size changes based on adding or removing files. While EBS mounts on EBS volume to one

Amazon FSx for windows File Server provides a fully managed native Microsoft File System. With FSx for Windows, you can easily move your Windows-based applications that require file storage in AWS. It is built on Windows Server and exists solely for Microsoft-based applications so if you need SMB-based file storage then choose FSx. FSx for Windows also permits connectivity between on-premise

S3 provides developers and IT teams with secure, durable, and highly-scalable object storage. Object storage, as opposed to block storage, is a general term that refers to data composed of three things: the data that you want to store an expandable amount of metadata a unique identifier so that the data can be retrieved This makes it a perfect candidate to host files or directories and a poor ca

S3 Glacier Vault Lock

S3 Glacier Vault Lock helps you to easily deploy and enforce compliance controls for individual S3 Glacier vaults with a Valut Lock policy. You can specify controls such as “write once read many” (WORM) in a Vault Lock policy and lock the policy from future edits. After a Vault Lock policy is locked, the policy can no longer be changed or deleted. S3 Glacier enforces the controls set in

Snowcone is the smallest AWS Snow family data transfer device. It can delivery 8TB Storage. Send data offline via device delivery or to AWS via AWS DataSync over the Internet Snowball Snowball is a giant physical disk that is used for migrating high quantities of data into AWS. It is a peta-byte scale data transport solution. Using a large disk like Snowball helps to circumvent common large scale

Storage Gateway

Storage Gateway is a service that connects on-premise environments with cloud-based storage in order to seamlessly and securely intergrate an on-prem application with a cloud storage backend. Storage Gateway comes in three flavors: File Gateway, Volume Gateway and Tape Gateway. Storage Gateway Key Details: The Storage Gateway service can either be a physical device or a VM image downloaded onto

Well Architected

AWS provide Well-Architecture Framework to build a secure, high-performance, resilient and efficient infrastructure for a wide variety of applications and workloads. AWS Well-Architected provides a consistent approach to helping customers and partners evaluate architectures and implement scalable designs. The framework is based on six pillars: Operational Excellence Security Reliability Performan