Notes on Stephane Maarek's course 「Ultimate AWS Certified Developer Associate 2021 - NEW!」
Each region has many availability zones.
Each availability zone is one or more discrete data centers with redundant power, networking and connectivity.
They’re separate from each other, so that they’re isolated from disasters.
They’re connected with high bandwidth, ultra-low latency networking.
Users: usually a physical person
Groups: functions (admins, devops), teams (engineering, design, ...) → contain users!
Roles: internal usage within AWS resources
➡︎ policies(JSON documents) define what each of the above can and cannot do
IAM has a global view.
Permissions are governed by Policies.
MFA (multi-factor authentication) can be set up.
IAM has predefined “managed policies”.
It’s best to give users the minimal set of permissions they need to perform their job (don’t over-privilege them).
Big enterprises usually integrate their own repository of users with IAM.
This way, one can login into AWS using their company credentials.
Identity federation uses the SAML standard.
One IAM user per physical person
One IAM role per application
IAM credentials should never be shared
Never ever ever write IAM credentials in code, ever
Never ever ever commit your IAM credentials
Never use the ROOT account except for initial setup
Never use ROOT IAM Credentials
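Policies are JSON documents that say what a user, group or role can and cannot do, and the notes stress giving only the minimal permissions. The following added example (not code from the course) shows the core of how such a document is evaluated in a simplified form: everything is implicitly denied, a matching Allow grants access, and any matching explicit Deny overrides every Allow. It also flags Allow statements that grant "*" actions or resources, the opposite of least privilege. The bucket name, prefixes and both policies are constructed for the example.

```python
import fnmatch
import json

# Constructed sample policy (not from the course): a developer may read and
# write objects in one application bucket and list it, but an explicit Deny
# fences off the secrets/ prefix. Bucket name and prefixes are hypothetical.
DEVELOPER_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-app-bucket/*"},
    {"Effect": "Allow",
     "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::example-app-bucket"},
    {"Effect": "Deny",
     "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-app-bucket/secrets/*"}
  ]
}
""")

# Constructed over-broad policy: full access to everything.
ADMIN_EVERYTHING = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value):
    # IAM lets Action/Resource be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_sensitive):
    # '*' and '?' wildcards in Action/Resource; action names are matched
    # case-insensitively, resource ARNs case-sensitively.
    patterns = _as_list(patterns)
    if not case_sensitive:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policy, action, resource):
    """Simplified evaluation of a single identity-based policy.

    Implicit deny by default, a matching Allow grants access, and a matching
    Deny overrides every Allow. (Real IAM evaluation also considers
    conditions, resource policies, permission boundaries and SCPs.)
    """
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action, case_sensitive=False):
            continue
        if not _matches(stmt["Resource"], resource, case_sensitive=True):
            continue
        if stmt["Effect"] == "Deny":
            return False          # explicit Deny always wins
        allowed = True            # remember the Allow, keep scanning for a Deny
    return allowed


def find_overbroad_allows(policy):
    """Indices of Allow statements whose Action or Resource is a bare '*'."""
    return [
        i for i, stmt in enumerate(policy["Statement"])
        if stmt["Effect"] == "Allow"
        and ("*" in _as_list(stmt["Action"]) or "*" in _as_list(stmt["Resource"]))
    ]


if __name__ == "__main__":
    bucket = "arn:aws:s3:::example-app-bucket"
    for action, resource in [
        ("s3:GetObject", bucket + "/app/config.json"),
        ("s3:GetObject", bucket + "/secrets/db-password"),
        ("s3:DeleteObject", bucket + "/app/config.json"),
        ("ec2:TerminateInstances", "*"),
    ]:
        print(action, resource, "->", "ALLOW" if is_allowed(DEVELOPER_POLICY, action, resource) else "DENY")
    print("over-broad statements in ADMIN_EVERYTHING:", find_overbroad_allows(ADMIN_EVERYTHING))
```

The scan for a Deny continues even after an Allow has matched, which is the part people most often get wrong when reasoning about policies by hand.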
EC2 is one of the most popular AWS offerings.
It mainly consists of the capability to:
SSH is one of the most important functions. It lets you control a remote machine entirely from the command line.
Security groups are the fundamentals of network security in AWS.
They control how traffic is allowed into or out of our EC2 machines.
Security groups act as a ‘firewall’ on EC2 instances.
They regulate
Can be attached to multiple instances
Locked down to a region/VPC combination
Lives ‘outside’ the EC2 instance: if traffic is blocked, the EC2 instance won’t see it
It’s good to maintain one separate security group for SSH access
If your application is not accessible, then it’s a security group issue
If your application gives a ‘connection refused’ error, then it’s an application error or it’s not launched
All inbound traffic is blocked by default
All outbound traffic is authorized by default
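The points above (default deny inbound, default allow outbound, several groups on one instance, a separate group for SSH) can be made concrete with a small model of how a security group decides whether to let a packet through. This is an added example, not code from the course: the rule and group shapes are a simplification of the real objects, the address ranges are RFC 5737 documentation addresses standing in for an admin office and the internet, and group names are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List

ALL_PROTOCOLS = "-1"   # the value AWS uses for "all traffic"


@dataclass(frozen=True)
class Rule:
    protocol: str        # "tcp", "udp", "icmp" or "-1"
    from_port: int
    to_port: int
    cidr: str            # source for inbound rules, destination for outbound


def _rule_matches(rule, protocol, port, ip):
    # A rule matches when protocol, port and address all fit.
    if rule.protocol != ALL_PROTOCOLS:
        if rule.protocol != protocol:
            return False
        if not (rule.from_port <= port <= rule.to_port):
            return False
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule.cidr)


@dataclass
class SecurityGroup:
    name: str
    # No inbound rules = nothing is allowed in (the AWS default).
    inbound: List[Rule] = field(default_factory=list)
    # New groups get one outbound rule allowing all traffic anywhere.
    outbound: List[Rule] = field(
        default_factory=lambda: [Rule(ALL_PROTOCOLS, 0, 65535, "0.0.0.0/0")]
    )


def allows_inbound(groups, protocol, port, source_ip):
    """An instance with several groups accepts a packet if ANY group allows it.

    Security groups are allow-lists: with no matching rule the packet is
    dropped before the instance sees it, so the client observes a timeout
    rather than a 'connection refused'.
    """
    return any(_rule_matches(r, protocol, port, source_ip)
               for g in groups for r in g.inbound)


def allows_outbound(groups, protocol, port, dest_ip):
    return any(_rule_matches(r, protocol, port, dest_ip)
               for g in groups for r in g.outbound)


# Constructed groups: one dedicated to SSH (as the notes recommend), one for HTTP.
# 198.51.100.0/24 stands in for the admin office range (RFC 5737 addresses).
SSH_ADMIN = SecurityGroup("ssh-admin-only", inbound=[Rule("tcp", 22, 22, "198.51.100.0/24")])
WEB = SecurityGroup("web-http", inbound=[Rule("tcp", 80, 80, "0.0.0.0/0")])
INSTANCE_GROUPS = [SSH_ADMIN, WEB]

if __name__ == "__main__":
    for proto, port, src in [("tcp", 80, "203.0.113.10"),
                             ("tcp", 22, "203.0.113.10"),
                             ("tcp", 22, "198.51.100.7")]:
        verdict = "allowed" if allows_inbound(INSTANCE_GROUPS, proto, port, src) else "dropped"
        print(f"{proto}/{port} from {src}: {verdict}")
```

The model leaves out one real property worth knowing: security groups are stateful, so the reply to a permitted request is let back through without a rule in the opposite direction. Keeping SSH in its own group means the admin range can be changed or the group detached without touching the rules that serve application traffic.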
A public IP means the machine can be identified on the internet (WWW)
Must be unique across the whole web (no two machines can have the same public IP)
Can be geo-located easily
A private IP means the machine can only be identified on a private network
The IP must be unique across that private network
But two different private networks (two companies) can have the same IPs
Machines connect to the WWW using a NAT + internet gateway (a proxy)
Only a specified range of IPs can be used as private IPs
When you stop and then start an EC2 instance, it can change its public IP
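The private-IP rules above (a reserved range only, unique within one private network, reusable across different networks) are easy to check mechanically. The following added example is not from the course: it uses the RFC 1918 ranges as the "specified range" the notes refer to, and the VPC CIDR and instance addresses are constructed sample data.

```python
import ipaddress

# The address blocks reserved for private networks by RFC 1918.
RFC1918_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True if the address lies in one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918_RANGES)


def validate_private_addresses(vpc_cidr, instance_ips):
    """Return (ip, problem) pairs for addresses that break the private-IP rules.

    Problems reported: 'not-rfc1918' (not a private address at all),
    'outside-vpc-cidr' (private, but not in this network's range) and
    'duplicate-in-vpc' (reused within the same private network).
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    seen = set()
    problems = []
    for ip in instance_ips:
        addr = ipaddress.ip_address(ip)
        if not is_rfc1918(ip):
            problems.append((ip, "not-rfc1918"))
        elif addr not in vpc:
            problems.append((ip, "outside-vpc-cidr"))
        elif addr in seen:
            problems.append((ip, "duplicate-in-vpc"))
        else:
            seen.add(addr)
    return problems


# Constructed sample: two unrelated companies may both use 10.0.0.0/16 and even
# the same host addresses, because a private address only has to be unique
# inside its own network.
COMPANY_A_VPC = "10.0.0.0/16"
COMPANY_A_HOSTS = ["10.0.1.10", "10.0.1.11"]
COMPANY_B_VPC = "10.0.0.0/16"
COMPANY_B_HOSTS = ["10.0.1.10", "10.0.2.20"]

if __name__ == "__main__":
    print("company A:", validate_private_addresses(COMPANY_A_VPC, COMPANY_A_HOSTS))
    print("company B:", validate_private_addresses(COMPANY_B_VPC, COMPANY_B_HOSTS))
    bad = ["10.0.1.10", "10.0.1.10", "192.168.1.1", "203.0.113.5"]
    print("broken plan:", validate_private_addresses(COMPANY_A_VPC, bad))
```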
It is possible to bootstrap our instances using an EC2 user data script.
Bootstrapping means launching commands when a machine starts.
The script runs only once when the instance starts.
EC2 user data is used to automate boot tasks such as:
On demand instances → short workload, predictable pricing
Reserved (minimum 1 year):
Pay for what you use
Up to 75% discount compared to on-demand
Can get a discount of up to 90% compared to on-demand
Physical dedicated EC2 server for your use
Instances running on hardware that’s dedicated to you
Logical component in a VPC that represents a virtual network card
The ENI can have the following attributes: