[AWS] 1. IAM + EC2

Nina · 12 February 2021



Summary of Stephane Maarek's course "Ultimate AWS Certified Developer Associate 2021 - NEW!"

1. AWS regions and availability zones

AWS Availability Zones

Each region has many availability zones.
Each availability zone is one or more discrete data centers with redundant power, networking and connectivity.
They’re separate from each other, so that they’re isolated from disasters.
They’re connected with high bandwidth, ultra-low latency networking.


  • EC2 → regional service
  • IAM → global service

2. IAM Introduction

Users: usually a physical person
Groups: functions (admins, devops), teams (engineering, design, ...) → containing users!
Roles: internal usage within AWS resources

➡︎ Policies (JSON documents) define what each of the above can and cannot do.

IAM has a global view.
Permissions are governed by Policies.
MFA (multi-factor authentication) can be set up.
IAM has predefined “managed policies”.
It's best to give users the minimal set of permissions they need to perform their job (don't over-power them).

IAM Federation

Big enterprises usually integrate their own repository of users with IAM.
This way, one can log in to AWS using their company credentials.
Identity federation uses the SAML standard.

IAM 101

One IAM user per physical person
One IAM role per application
IAM credentials should never be shared
Never ever ever write IAM credentials in code, ever

Never ever ever commit your IAM credentials
Never use the ROOT account except for initial setup
Never use ROOT IAM Credentials

3. EC2

EC2 is one of the most popular AWS offerings.
It mainly consists of the capability of:

  • Renting virtual machines
  • Storing data on virtual drives
  • Distributing load across machines
  • Scaling the services using an auto-scaling group
Knowing EC2 is fundamental to understanding how the Cloud works

4. SSH

SSH is one of the most important functions. It allows you to control a remote machine, all from the command line.

5. Security Groups

Security groups are the fundamentals of network security in AWS.
They control how traffic is allowed into or out of our EC2 machines.

Security groups are acting as a ‘firewall’ on EC2 instances.
They regulate

  • access to ports
  • authorized IP ranges - IPv4 and IPv6
  • control of inbound network (from others to the instance)
  • control of outbound network (from the instance to others)

Can be attached to multiple instances
Locked down to a region / VPC combination
Lives 'outside' the EC2 instance - if traffic is blocked, the EC2 instance won't see it
It’s good to maintain one separate security group for SSH access
If your application is not accessible, then it’s a security group issue
If your application gives a ‘connection refused’ error, then it’s an application error or it’s not launched
All inbound traffic is blocked by default
All outbound traffic is authorized by default
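As an added example (not the course's code or the EC2 API), a small model of the security-group behaviour described above: allow-only rules, inbound blocked and outbound open by default, IPv4 and IPv6 ranges kept apart, plus a check for the classic finding of SSH open to the whole internet. The sample group and addresses are constructed:

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed model of an EC2 security group (example code, not AWS's API): each rule is an
# allow entry; there are no deny rules, and anything not matched by an allow is dropped.
@dataclass(frozen=True)
class Rule:
    protocol: str   # "tcp", "udp", "icmp", or "-1" for all protocols (as in the EC2 API)
    from_port: int
    to_port: int
    cidr: str       # IPv4 or IPv6 range, e.g. "0.0.0.0/0" or "2001:db8::/32"

def _matches(rule, protocol, port, ip):
    """True if this allow rule covers the given protocol, port and peer address."""
    addr = ipaddress.ip_address(ip)
    net = ipaddress.ip_network(rule.cidr, strict=False)
    if addr.version != net.version or addr not in net:   # an IPv4 rule never covers IPv6 peers
        return False
    if rule.protocol not in ("-1", protocol):
        return False
    return rule.from_port <= port <= rule.to_port

@dataclass
class SecurityGroup:
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)

    def allows_inbound(self, protocol, port, source_ip):
        # Blocked traffic is dropped before the instance: the client sees a timeout,
        # not "connection refused" (that comes from the instance when nothing listens).
        return any(_matches(r, protocol, port, source_ip) for r in self.inbound)

    def allows_outbound(self, protocol, port, dest_ip):
        return any(_matches(r, protocol, port, dest_ip) for r in self.outbound)

def default_security_group():
    """A freshly created group: no inbound rules, all outbound allowed (the AWS defaults)."""
    return SecurityGroup(outbound=[Rule("-1", 0, 65535, "0.0.0.0/0"),
                                   Rule("-1", 0, 65535, "::/0")])

def ssh_open_to_world(sg):
    """Flag the classic finding: TCP/22 reachable from any address on the internet."""
    return any(r.protocol in ("-1", "tcp") and r.from_port <= 22 <= r.to_port
               and ipaddress.ip_network(r.cidr, strict=False).prefixlen == 0
               for r in sg.inbound)

# Constructed sample: a web tier that takes HTTP from anywhere but SSH only from an office range.
WEB_SG = default_security_group()
WEB_SG.inbound += [Rule("tcp", 80, 80, "0.0.0.0/0"), Rule("tcp", 22, 22, "198.51.100.0/24")]
```

Keeping the SSH rule in its own group, as the notes suggest, makes `ssh_open_to_world` a one-group check rather than a search through every application rule.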

6. Private vs Public vs Elastic IP

Public IP

Public IP means the machine can be identified on the internet (www)
Must be unique across the whole web (no two machines can have the same public IP)
Can be geo-located easily

Private IP

Private IP means the machine can only be identified on a private network
The IP must be unique across the private network
But two different private networks (two companies) can have the same IPs
Machines connect to the internet (www) using a NAT + internet gateway (a proxy)
Only a specified range of IPs can be used as private IP

Elastic IP

When you stop and then start an EC2 instance, it can change its public IP

  • If you need to have a fixed public IP for your instance, you need an elastic IP
  • An elastic IP is a public IPv4 IP you own as long as you don’t delete it
  • You can attach it to one instance at a time
  • With an elastic IP address, you can mask the failure of an instance or software by rapidly remapping the address to another instance in your account
  • You can only have 5 elastic IPs in your account
  • Overall, try to avoid using elastic IPs: they often reflect poor architectural decisions → instead, use a random public IP and register a DNS (Domain Name System) name to it → or use a load balancer


  • ssh -i EC2Tutorial.pem ec2-user@<Public IP> → connect to the instance over SSH using its public IP
  • [ec2-user@ip-172-31-43-43 ~]$ → the shell prompt on the instance shows its private IP

7. Install Apache on EC2

8. EC2 User Data

It is possible to bootstrap our instances using an EC2 User data script.
Bootstrapping means launching commands when a machine starts.
The script runs only once when the instance starts.
EC2 user data is used to automate boot tasks such as:

  • installing updates
  • installing software
  • downloading common files from the internet
  • anything you can think of
The EC2 user data script runs as the root user

9. EC2 Instance Launch Types

On demand instances → short workload, predictable pricing
Reserved (minimum 1 year):

  • reserved instances → long workloads
  • convertible reserved instances → long workloads with flexible instances
  • scheduled reserved instances → example: every Thursday between 3 and 6 pm
Spot instances → short workloads, for cheap, can lose instances(less reliable)
Dedicated instances → no other customers will share your hardware
Dedicated hosts → book an entire physical server, control instance placement

EC2 On Demand

Pay for what you use

  • has the highest cost but no upfront payment and no long-term commitment
  • recommended for short-term and uninterrupted workloads, where you can't predict how the application will behave

EC2 Reserved Instances

Up to 75% discount compared to on-demand

  • pay upfront for what you use with long term commitment
  • reservation period can be 1 or 3 years
  • reserve a specific instance type
  • recommended for steady state usage applications
  • convertible reserved instance / scheduled reserved instance

EC2 Spot Instances

Can get a discount of up to 90% compared to on-demand

  • instances that you can lose at any point of time if your max price is less than the current spot price
  • most cost-efficient instances in AWS
  • useful for workloads that are resilient to failure
  • not great for critical jobs or databases
  • great combo: reserved instances for baseline + on-demand & spot for peaks

EC2 Dedicated Hosts

Physical dedicated EC2 server for your use

  • full control of EC2 instance placement
  • visibility into the underlying sockets/physical cores of the hardware
  • allocated for your account for a 3 year period reservation
  • more expensive
  • useful for software that has a complicated licensing model

EC2 Dedicated Instances

Instances running on hardware that’s dedicated to you

  • may share hardware with other instances in the same account
  • no control over instance placement

10. Elastic Network Interfaces (ENI)

Logical component in a VPC that represents a virtual network card
The ENI can have the following attributes:

  • primary private IPv4, one or more secondary IPv4
  • one elastic IP per private IPv4
  • one public IPv4
  • one or more security groups
  • a MAC address
You can create ENIs independently and attach them on the fly to EC2 instances for failover
Bound to a specific availability zone
