AWS COMMAND CHEAT SHEET. Amazon
Type: Slides
Table of Contents
1.1. Cloud Computing Fundamentals
1.2. AWS-Fundamentals
1.3. IAM-Accounts-AWS-Organizations
1.4. Simple-Storage-Service-(S3)
1.5. Virtual-Private-Cloud-VPC
1.6. Elastic-Cloud-Compute-EC2
1.7. Containers-and-ECS
1.8. Advanced-EC2
1.9. Route-53
1.10. Relational-Database-Service-RDS
1.11. Network-Storage-EFS
1.12. HA-and-Scaling
1.13. Serverless-and-App-Services
1.14. CDN-and-Optimization
1.15. Advanced-VPC
1.16. Hybrid-and-Migration
1.17. Security-Deployment-Operations
1.18. NoSQL-and-DynamoDB
Cloud computing provides
Public Cloud: using one public cloud such as AWS, Azure or Google Cloud.
Private Cloud: a real cloud running on-premises. It must still meet the five cloud characteristics.
Multi-Cloud: using more than one public cloud in a single deployment.
Hybrid Cloud: using public and private clouds in one environment.
  o This is NOT public cloud plus legacy on-premises hardware; the on-premises side must itself be a private cloud.
The Infrastructure Stack or Application Stack contains multiple components that make up the total service. There are parts that you manage as well as portions the vendor manages. The portion the vendor manages, and that you are charged for, is the unit of consumption.
There are additional models such as Function as a Service, Container as a Service and Database as a Service, which will be explained later.
1.2. AWS-Fundamentals
AWS Support plans:
Basic (free)
Developer (one user, general guidance)
Business (multiple users, personal guidance)
Enterprise (Technical Account Manager)
Why AWS has Regions:
Geographical Separation
  o Useful for natural disasters
  o Provides an isolated fault domain
  o Regions are 100% isolated from each other
Geopolitical Separation
  o Different laws change how things are accessed
  o Stability from political events
Location Control
  o Tune architecture for performance
  o Duplicate infrastructure at points closer to customers
Region Name: Asia Pacific (Sydney), Region Code: ap-southeast-2
AWS provides between 2 and 6 AZs per region. AZs are isolated compute, storage, networking, power and facilities. Components can be distributed across multiple AZs for load and resilience.
AZs are connected to each other with high-speed, redundant networks.
1.2.3.1. Service Resilience
VPC is a virtual network inside of AWS. A VPC is within 1 account and 1 region which makes it regionally resilient. A VPC is private and isolated until decided otherwise.
One default VPC per region. Can have many custom VPCs which are all private by default.
1.2.4.1. Default VPC Facts
VPC CIDR: defines the start and end of the VPC's IP range. The CIDR of a default VPC is always 172.31.0.0/16.
Configured by default with one subnet in each AZ of the region.
Each default subnet is given one /20 slice of the VPC range and is configured to auto-assign a public IPv4 address to anything launched into it. An instance launched there with a permissive security group is therefore reachable from the internet immediately, which is the opposite of the "private until decided otherwise" default of a custom VPC.
In general, do not use the Default VPC in a region because it is not flexible.
The Default VPC is large because it uses a /16 range. A subnet is smaller, such as a /20. The higher the number after the /, the smaller the block.
Two /17s fit into a /16; sixteen /20 subnets fit into one /16.
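The /16 into /20 arithmetic above generalizes to any prefix pair (2 to the power of the difference in prefix length). The following is an added example, not code from the original notes; it carves a VPC range into subnets with Python's standard ipaddress module, assigns one subnet per AZ and checks a list of CIDRs for overlap (the check you want before peering or attaching VPCs). The VPC ranges and AZ names are constructed inputs.

```python
"""Carve a VPC CIDR into equal-sized subnets and sanity-check the split.

Added example (not from the original notes). The VPC ranges and
subnet sizes below are constructed inputs chosen to match the text:
a /16 VPC split into /20 subnets, one per AZ.
"""
import ipaddress
from typing import Dict, List


def carve_subnets(vpc_cidr: str, new_prefix: int) -> List[ipaddress.IPv4Network]:
    """Return all /new_prefix subnets that fit inside vpc_cidr, in address order."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if new_prefix < vpc.prefixlen:
        raise ValueError("subnet prefix must be at least as long as the VPC prefix")
    return list(vpc.subnets(new_prefix=new_prefix))


def subnet_count(vpc_cidr: str, new_prefix: int) -> int:
    """How many /new_prefix blocks fit into vpc_cidr: 2 ** (new_prefix - vpc_prefix)."""
    return len(carve_subnets(vpc_cidr, new_prefix))


def assign_per_az(vpc_cidr: str, new_prefix: int, azs: List[str]) -> Dict[str, str]:
    """Give each AZ one subnet from the carved list, left to right."""
    subnets = carve_subnets(vpc_cidr, new_prefix)
    if len(azs) > len(subnets):
        raise ValueError("not enough subnets for the requested AZs")
    return {az: str(net) for az, net in zip(azs, subnets)}


def overlaps(cidrs: List[str]) -> bool:
    """True if any two of the given CIDRs overlap (e.g. a VPC peering conflict)."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


if __name__ == "__main__":
    print(subnet_count("172.31.0.0/16", 20))                      # 16
    print(assign_per_az("10.0.0.0/16", 20,
                        ["ap-southeast-2a", "ap-southeast-2b", "ap-southeast-2c"]))
    print(overlaps(["10.0.0.0/16", "10.0.128.0/17"]))              # True
```

`strict=True` makes `ip_network` reject a CIDR whose host bits are set (for example 10.0.0.1/16), which is the usual typo in hand-written VPC definitions.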
EC2 is the default compute service. It provides access to virtual machines called instances.
1.2.5.1. Infrastructure as a Service (IaaS)
The unit of consumption is an instance. An EC2 instance is configured to launch into a single VPC subnet. It is a private service by default; public access must be configured, and the VPC needs to support public access. If you use a custom VPC you must handle the networking yourself.
An EC2 instance runs in one AZ. If that AZ fails, the instance fails.
Different sizes and capabilities. All use on-demand, per-second billing: only pay for what you consume.
Local on-host storage or Elastic Block Store (EBS).
Pricing is based on:
CPU, memory, storage and networking.
Extra cost for any commercial software the instance deploys with.
1.2.5.2. Running State
Charged for all four categories.
Running on a physical host using CPU. Using memory even with no processing. OS and its data are stored on disk, which is allocated to you. Networking is always ready to transfer information.
1.2.5.3. Stopped State
Log in to the instance using an SSH key pair. Private key: stored on your local machine and used to initiate the connection; it never leaves your machine. Public key: AWS places this key on the instance.
S3 is a global storage platform. It runs from all regions and is a public service. It can be accessed from anywhere on the internet by an unlimited number of users.
This should be the default storage platform.
S3 is object storage, not file or block storage. You can't mount an S3 bucket.
1.2.6.1. Objects
Can be thought of as a file. Two main components:
Object Key: the name of the object within a bucket
Value: the data or contents of the object
  o Zero bytes to 5 TB
Other components:
Version ID
Metadata
Access Control
Sub-resources
1.2.6.2. Buckets
Created in a specific AWS Region. Data has a primary home region and will not leave it unless told to.
Blast radius = the region.
Unlimited number of objects.
Bucket name is globally unique.
All objects are stored within the bucket at the same level (flat namespace).
If an object key contains slashes, such as /old/Koala1.jpg, the console presents the prefix as a folder. In reality there are no folders; the slash is just part of the key.
CloudFormation templates can be used to create, update, modify, and delete infrastructure.
They can be written in YAML or JSON. An example is provided below.
AWSTemplateFormatVersion: "version date"
Description: A sample template
Metadata: template metadata
Parameters: set of parameters
Mappings: set of mappings
Conditions: set of conditions
Transform: set of transforms
Resources: set of resources
Outputs: set of outputs
An example which creates an EC2 instance (the three !Ref targets must be declared in the Parameters section, shown here so the template is complete):

Parameters:
  LatestAmiId:
    Type: 'AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>'
    Default: /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2
  InstanceType:
    Type: String
    Default: t3.micro
  KeyName:
    Type: 'AWS::EC2::KeyPair::KeyName'
Resources:
  Instance:                            ## Logical Resource
    Type: 'AWS::EC2::Instance'         ## This is what will be created
    Properties:                        ## Configure the resource in a particular way
      ImageId: !Ref LatestAmiId
      InstanceType: !Ref InstanceType
      KeyName: !Ref KeyName

Once a template is created, AWS makes a stack from it. A stack is the living, active representation of a template. One template can create any number of stacks.
A CloudWatch alarm has two main states, OK or ALARM. A notification can be sent to an SNS topic, or an action can be performed, when the alarm enters the ALARM state. A third state is INSUFFICIENT_DATA, which is not a problem in itself: just wait for data.
AWS: Responsible for security OF the cloud
Customer: Responsible for security IN the cloud
1.2.11.1. High Availability (HA)
Aims to ensure an agreed level of operational performance, usually uptime, for a higher than normal period.
Instead of diagnosing the issue, if you have a process ready to replace the failed component, it can be fixed quickly and probably automatically.
Spare infrastructure ready to switch customers over to in the event of a failure, to minimize downtime.
User disruption is not ideal, but is allowed.
  o The user might see a small disruption or need to log back in.
Maximizing a system's uptime:
  o 99.9% (three 9's) = 8.76 hours of downtime per year.
  o 99.999% (five 9's) = 5.26 minutes of downtime per year.
1.2.11.2. Fault-Tolerance (FT)
The system can continue operating properly in the event of the failure of some of its components (one or more faults). Fault tolerance is much more complicated than high availability, and more expensive. Outages must be minimized and the system needs levels of redundancy. An airplane is an example of a system that needs fault tolerance: it has more engines than it needs so it can operate through a failure.
Example: a patient is waiting for life-saving surgery and is under anesthetic. While being monitored, the life support system is dosing medicine. This type of system cannot merely be highly available; even a moment of interruption is deadly.
1.2.11.3. Disaster Recovery (DR)
A set of policies, tools and procedures to enable the recovery or continuation of vital technology infrastructure and systems following a natural or human-induced disaster. DR can largely be automated to reduce recovery time and errors.
This involves:
Pre-planning
  o Ensure plans are in place for extra hardware
  o Do not store backups at the same site as the system
DR processes
  o Cloud machines ready when needed
This is designed to keep the crucial and non-replaceable parts of the system in place.
DR is the fallback for when HA and FT have not been enough.
DNS is a discovery service. It translates human-readable names into machine addresses and vice versa. It is a huge database and has to be distributed.
Parts of the DNS system:
DNS Client: a piece of software running on the OS of the device you're using.
Resolver: software on your device or on a server which queries DNS on your behalf.
Zone: a part of the DNS database.
  o This would be amazon.com
  o What the data is, its substance
Zone file: the physical database for a zone.
  o How that data is physically stored
Nameserver: where zone files are hosted.
Steps:
Find the nameserver which hosts a particular zone file.
Query that nameserver for a record in that zone file.
The answer is passed back to the DNS client.
1.2.12.1. DNS Root
The starting point of DNS. DNS names are read right to left with multiple parts separated by periods.
www.netflix.com. The trailing period is assumed by a browser when it is not present. The DNS Root is hosted on the 13 DNS Root Server identities, which are operated by 12 organizations.
Registering a domain with Route 53:
Route 53 checks with the top-level domain (TLD) registry to see if the name is available.
Route 53 creates a zone file for the domain being registered.
Route 53 allocates nameservers for that zone.
  o Generally four of these for one individual zone
  o This is a hosted zone
  o The zone file is put on these four managed nameservers
Route 53 communicates with the TLD registry (the .org registry for a .org name) and adds the nameserver records into that TLD's zone file.
  o This is done with nameserver (NS) records
1.2.13.2. Route53 Details
Zone files in AWS are hosted on four managed nameservers.
A hosted zone can be public or private (linked to one or more VPCs).
Nameserver (NS): allows delegation to occur in the DNS.
A and AAAA records: map a name to an IPv4 or IPv6 address respectively. Most of the time you will create both an A and an AAAA record.
CNAME record: allows DNS shortcuts (aliases) to reduce admin overhead. A CNAME cannot point directly to an IP address, only to another name.
MX records: how email is routed for a domain. They have two main parts:
  o Priority: lower values for the priority field mean higher priority.
  o Value: if it is just a host with no dot on the right, it is assumed to be part of the same zone as the record. If you include a dot on the right, it is a fully qualified domain name (FQDN).
TXT record: allows you to add arbitrary text to a domain. One common usage is to prove domain ownership.
1.2.14.1. TTL - Time To Live
This is a numeric setting on DNS records, in seconds. It lets the admin specify how long the answer may be cached at the resolver. If you need to change records, lower the TTL value first (and wait for the old TTL to expire) so that resolvers pick up the change quickly.
Getting the answer from an authoritative source (the zone's nameserver) is known as an authoritative answer.
If another client asks the same resolver for the same thing while the cached answer is still within its TTL, it gets back a non-authoritative answer served from cache.
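The relative-name rule for MX (and CNAME/NS) values, MX priority ordering and TTL-based caching described above, as an added example that is not part of the original notes. It is a small zone-file parser written for this page, not Route 53 code; the zone text is constructed and uses reserved documentation names (example.org, example.net, 192.0.2.0/24, 2001:db8::/32), and the parser handles only the record layout shown (optional TTL, optional IN class).

```python
"""Parse a small zone file and resolve relative names against the zone origin.

Added example, not part of the original notes. The zone content below is
constructed for illustration (example.org / example.net are reserved
documentation names); it is not a real Route 53 hosted zone.
"""
from dataclasses import dataclass
from typing import List, Tuple

ZONE_TEXT = """\
$ORIGIN example.org.
$TTL 300
@        IN  NS    ns1.example.org.
www      IN  A     192.0.2.10
www      IN  AAAA  2001:db8::10
mail     IN  A     192.0.2.25
@        IN  MX    10 mail
@        IN  MX    20 backup-mx.example.net.
blog     IN  CNAME www
@    60  IN  TXT   "verification=abc123"
"""


@dataclass
class Record:
    name: str      # fully qualified, with trailing dot
    ttl: int       # seconds a resolver may cache the answer
    rtype: str
    rdata: str     # MX/CNAME/NS targets are qualified too


def qualify(name: str, origin: str) -> str:
    """Zone-file rule: '@' is the origin, a trailing dot means FQDN,
    anything else is relative to the origin."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text: str) -> List[Record]:
    origin, default_ttl, records = None, None, []
    for raw in text.splitlines():
        line = raw.split(";")[0].strip()          # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        if origin is None or default_ttl is None:
            raise ValueError("$ORIGIN and $TTL must come first")
        name, rest = qualify(tokens[0], origin), tokens[1:]
        ttl = int(rest.pop(0)) if rest[0].isdigit() else default_ttl   # optional TTL
        if rest[0] == "IN":                                            # optional class
            rest.pop(0)
        rtype, rdata = rest[0], rest[1:]
        if rtype in ("CNAME", "NS"):
            rdata = [qualify(rdata[0], origin)]
        elif rtype == "MX":                                            # "priority host"
            rdata = [rdata[0], qualify(rdata[1], origin)]
        records.append(Record(name, ttl, rtype, " ".join(rdata)))
    return records


def mx_by_priority(records: List[Record], name: str) -> List[Tuple[int, str]]:
    """MX targets for name, lowest priority value (= highest priority) first."""
    mx = [r.rdata.split() for r in records if r.rtype == "MX" and r.name == name]
    return sorted((int(p), host) for p, host in mx)


def cache_fresh(cached_at: int, ttl: int, now: int) -> bool:
    """A cached answer may be served until cached_at + ttl; after that the
    resolver must go back to the authoritative nameserver."""
    return now < cached_at + ttl


if __name__ == "__main__":
    zone = parse_zone(ZONE_TEXT)
    for r in zone:
        print(r)
    print(mx_by_priority(zone, "example.org."))
```

Note how `mail` (no trailing dot) becomes mail.example.org. while backup-mx.example.net. is left alone; forgetting the trailing dot on an external MX host is the classic mistake that silently routes mail to backup-mx.example.net.example.org.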
1.3. IAM-Accounts-AWS-Organizations
Identity Policies are attached to AWS Identities which are IAM users, IAM groups, and IAM roles. These are a set of security statements that ALLOW or DENY access to AWS resources.
When an identity attempts to access AWS resources, that identity needs to prove who it is to AWS, a process known as Authentication. Once authenticated, that identity is known as an authenticated identity
1.3.1.1. Statement Components
Statement ID (SID): optional field that should describe
  o The resource you're interacting with
  o The actions you're trying to perform
Effect: either Allow or Deny.
  o It is possible to be allowed and denied at the same time (see Priority Level below)
Action: formatted service:operation. Three options:
  o a specific individual action
  o a wildcard as an action
  o a list of multiple independent actions
Resource: similar to Action except for the format, e.g. arn:aws:s3:::catgifs
1.3.1.2. Priority Level
Explicit Deny: denies access to a particular resource and cannot be overruled.
Explicit Allow: allows access so long as there is no explicit deny.
Default Deny (Implicit): IAM identities start off with no resource access.
1.3.1.3. Inline Policies and Managed Policies
Inline Policy: grants access and is defined on each identity individually.
Managed Policy (best practice): one reusable policy that can be attached to many identities at once.
Identity used for anything requiring long-term AWS access
Humans Applications Service Accounts
If you can name a thing to use the AWS account, this is an IAM user.
Containers for users. You cannot log in to an IAM group; groups have no credentials of their own. They are used solely for the management of IAM users.
Groups bring two benefits:
AWS merges all of the policies from all groups the user is in, together with the user's own policies.
The 5000 IAM user limit applies to groups.
There is no "all users" IAM group.
  o You can create a group and add all users into it, but it must be created and managed on your own.
No nesting: you cannot have groups within groups.
300 group limit per account. This can be raised with a support ticket.
Resource Policy: a bucket can have a policy associated with it. The policy references the identity using an ARN (Amazon Resource Name). A policy on a resource can reference IAM users and IAM roles by ARN. A bucket can give access to one or more users or one or more roles.
GROUPS ARE NOT A TRUE IDENTITY THEY CAN'T BE REFERENCED AS A PRINCIPAL IN A POLICY
An S3 Resource cannot grant access to a group, it is not an identity. Groups are used to allow permissions to be assigned to IAM users.
A single thing that uses an identity is an IAM User.
IAM Roles are also identities, used by large or unknown numbers of principals. If you have more than 5000 principals, it could be a candidate for an IAM Role.
IAM Roles are assumed: you become that role for a period of time.
Roles are used short term by other identities.
IAM Users can have inline or managed policies which control which permissions the identity gets within AWS.
Policies grant (allow) or deny permissions based on their associations.
IAM Roles have two types of policy attached:
Trust Policy: specifies which identities are allowed to assume the role.
Permissions Policy: specifies what the role is allowed to do.
If an identity is allowed by the Trust Policy, it is given a set of temporary security credentials. These are similar to access keys except they are time limited and expire. The identity renews them by reassuming the role.
Every time the temporary security credentials are used, the access is checked against the Permissions Policy. If you change the policy, the permissions of the temporary credentials also change.
Roles are real identities and can be referenced within resource policies.
The Security Token Service (STS), via sts:AssumeRole, is what generates the temporary security credentials.
Lambda Execution Role: for a given Lambda function you cannot determine the number of principals, which suggests a role is the ideal identity to use.
Trust Policy: trusts the Lambda service. Permissions Policy: grants access to the AWS services the function needs.
When the function runs, Lambda uses sts:AssumeRole to obtain temporary credentials that grant access to, for example, CloudWatch and S3.
When possible, use an IAM Role with temporary credentials rather than attaching permissions directly to an IAM user with long-term access keys.
1.3.5.1. Emergency or out of the usual situations
Break Glass situation: there is a "key" for something the team does not normally have access to. When you break the glass, you must have a reason to do so. An emergency role can allow further access if it is really needed.
1.3.5.2. Adding AWS into existing corp environment
You may have an existing identity provider you are trying to allow access from. This may offer SSO (Single Sign On) or hold more than 5000 identities. It is useful to reuse your existing identities for AWS. External accounts can't be used to access AWS directly. To solve this, you allow an IAM role in the AWS account to be assumed by identities from the existing directory (e.g. Active Directory). This is ID Federation: allowing an external service the ability to assume a role.
1.3.5.3. Making an app with 1,000,000 users
Web Identity Federation uses IAM roles to allow broader access. These allow you to use an existing web identity such as google, facebook, or twitter to grant access to the app. We can trust these web identities and allow those identities to assume an IAM role to access web resources such as DynamoDB. No AWS Credentials are stored on the application. Can scale quickly and beyond.
SCPs can be attached to:
A specific Organizational Unit
A specific member account only
The management (master) account cannot be restricted by SCPs, so it should not be used for day-to-day workloads: that is a security risk.
SCPs limit what the account, including its root user, can do inside that account. They don't grant permissions themselves; they just act as a barrier.
1.3.7.1. Allow List vs Deny List
Deny list is the default.
When you enable SCPs on your org, AWS attaches FullAWSAccess. This means the SCPs have no effect because nothing is restricted; they have zero influence by themselves.

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*"
  }
}

SCPs by themselves don't grant permissions. Once SCPs are enabled, anything not explicitly allowed by an SCP is implicitly denied, which is why FullAWSAccess is attached by default.
You must then add any services you want to deny, such as DenyS3:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Deny",
    "Action": "s3:*",
    "Resource": "*"
  }
}

A deny list is a good default because it allows for the use of the growing set of services offered by AWS. A lot less admin overhead.
An allow list lets you be conscious of your costs, at the price of more admin overhead.
To begin, you must remove the FullAWSAccess policy. Then specify which services need to be allowed. Example AllowS3EC2 is below:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:*",
        "ec2:*"
      ],
      "Resource": "*"
    }
  ]
}
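The evaluation order from the IAM statement section (explicit deny, then explicit allow, else implicit deny) and the SCP behaviour from this section (an SCP never grants; the request must be allowed by both the SCP and the identity policy) can be exercised offline. The following is an added example written for this page, not AWS code or an SDK: a deliberately simplified evaluator that understands Effect, Action and Resource with wildcards, and nothing else (no Condition, no resource policies, no permission boundaries, one account, one SCP level). The FullAWSAccess, DenyS3 and AllowS3EC2 documents mirror the ones above; the DEVELOPER identity policy is constructed.

```python
"""Evaluate identity policies and SCPs the way the notes describe:
explicit deny wins, then explicit allow, else implicit deny; an SCP never
grants anything, it only bounds what identity policies may grant.

Added example, not from the original notes or any AWS SDK. Policy
documents below are constructed; evaluation is simplified (no conditions,
no resource policies, no permission boundaries, single account).
"""
from fnmatch import fnmatchcase
from typing import Dict, List

Policy = Dict  # an IAM / SCP policy document as a Python dict

FULL_AWS_ACCESS = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

DENY_S3 = {"Version": "2012-10-17",
           "Statement": [{"Effect": "Deny", "Action": "s3:*", "Resource": "*"}]}

ALLOW_S3_EC2 = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": ["s3:*", "ec2:*"], "Resource": "*"}]}

# Constructed identity policy: read cat gifs, manage EC2, never delete gifs.
DEVELOPER = {"Version": "2012-10-17",
             "Statement": [
                 {"Sid": "ReadCatGifs", "Effect": "Allow",
                  "Action": ["s3:GetObject", "s3:ListBucket"],
                  "Resource": ["arn:aws:s3:::catgifs", "arn:aws:s3:::catgifs/*"]},
                 {"Sid": "ManageInstances", "Effect": "Allow",
                  "Action": "ec2:*", "Resource": "*"},
                 {"Sid": "NeverDeleteGifs", "Effect": "Deny",
                  "Action": "s3:DeleteObject", "Resource": "*"},
             ]}


def _as_list(v) -> List[str]:
    """IAM lets Statement, Action and Resource be a single value or a list."""
    return v if isinstance(v, list) else [v]


def _matches(stmt: Dict, action: str, resource: str) -> bool:
    """Glob match on service:Operation (case-insensitive) and on the ARN."""
    act_ok = any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"]))
    res_ok = any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
    return act_ok and res_ok


def evaluate(policies: List[Policy], action: str, resource: str) -> str:
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit_deny"          # a matching Deny cannot be overruled
            allowed = True
    return "allow" if allowed else "implicit_deny"


def is_allowed(identity_policies: List[Policy], scps: List[Policy],
               action: str, resource: str) -> bool:
    """SCPs and identity policies must BOTH allow; a deny on either side wins.
    An empty SCP list models an account that is not in an organization."""
    if scps and evaluate(scps, action, resource) != "allow":
        return False                            # stopped at the org barrier
    return evaluate(identity_policies, action, resource) == "allow"


if __name__ == "__main__":
    gif = "arn:aws:s3:::catgifs/koala.jpg"
    print(is_allowed([DEVELOPER], [FULL_AWS_ACCESS], "s3:GetObject", gif))           # True
    print(is_allowed([DEVELOPER], [FULL_AWS_ACCESS], "s3:DeleteObject", gif))        # False
    print(is_allowed([DEVELOPER], [FULL_AWS_ACCESS, DENY_S3], "s3:GetObject", gif))  # False
    print(is_allowed([FULL_AWS_ACCESS], [ALLOW_S3_EC2], "iam:CreateUser", "*"))      # False
```

The last call is the allow-list lesson in one line: an identity with full access inside the account still cannot call IAM, because AllowS3EC2 never allowed it and the SCP default is implicit deny.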
CloudWatch Logs is a public service; it can be used from an AWS VPC or from an on-premises environment.
It allows you to store, monitor and access logging data.
A log event is a timestamp plus the raw message data. It can have more fields, but at least these two.
Comes with many AWS integrations. Access is controlled with IAM roles or service roles. Metrics can be generated from logs with a metric filter.
1.3.8.1. Architecture of CloudWatch Logs
It is a regional service (e.g. us-east-1). It needs logging sources such as external APIs or databases, which send information as log events. Log events are stored in log streams: a log stream is a sequence of log events from the same source.
Log Groups are containers for multiple log streams of the same type of logging. A log group also stores configuration settings such as retention and permissions.
Once the settings are defined on a log group, they apply to all log streams in it. Metric filters are also applied at the log group level.
CloudTrail is concerned with who did what.
It logs API calls and account activity as CloudTrail Events.
It stores the last 90 days of events in the Event History. This is enabled by default at no additional cost.
To customize the service you need to create a new trail. There are two types of events; by default only Management Events are logged.
Management Events: provide information about management operations performed on resources in the AWS account, such as creating or terminating an EC2 instance.
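The "who did what" view of CloudTrail events above, together with the metric-filter idea from the CloudWatch Logs section, as an added example that is not part of the original notes. The records are constructed, trimmed CloudTrail-style JSON events (real records carry many more fields; the account ID and IP addresses are placeholders). The detection implements what a metric filter plus alarm would do for failed console logins: count failures per source IP inside a sliding time window and flag sources that cross a threshold.

```python
"""Answer "who did what" over CloudTrail events and flag brute-force
console logins, the kind of logic a CloudWatch Logs metric filter and
alarm would encode.

Added example, not from the original notes. The events below are
constructed, trimmed CloudTrail records (real records carry many more
fields); the account ID and IP addresses are placeholders.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

SAMPLE_EVENTS = [json.loads(line) for line in """\
{"eventTime":"2024-05-01T10:00:01Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/alice"},"responseElements":{"ConsoleLogin":"Failure"},"errorMessage":"Failed authentication"}
{"eventTime":"2024-05-01T10:00:09Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/alice"},"responseElements":{"ConsoleLogin":"Failure"},"errorMessage":"Failed authentication"}
{"eventTime":"2024-05-01T10:00:15Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/bob"},"responseElements":{"ConsoleLogin":"Failure"},"errorMessage":"Failed authentication"}
{"eventTime":"2024-05-01T10:02:00Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","sourceIPAddress":"203.0.113.5","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/carol"},"responseElements":{"ConsoleLogin":"Success"}}
{"eventTime":"2024-05-01T10:05:30Z","eventSource":"ec2.amazonaws.com","eventName":"RunInstances","sourceIPAddress":"203.0.113.5","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/carol"}}
{"eventTime":"2024-05-01T10:06:00Z","eventSource":"ec2.amazonaws.com","eventName":"TerminateInstances","sourceIPAddress":"203.0.113.5","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/Deploy/ci"}}
""".splitlines()]


def is_failed_console_login(ev: Dict) -> bool:
    """The same predicate a metric filter pattern such as
    { $.eventName = "ConsoleLogin" && $.errorMessage = "Failed authentication" }
    expresses."""
    return (ev.get("eventName") == "ConsoleLogin"
            and ev.get("errorMessage") == "Failed authentication")


def brute_force_sources(events: List[Dict], threshold: int,
                        window_seconds: int) -> Dict[str, int]:
    """Source IPs with >= threshold failed console logins inside any sliding
    window of window_seconds. Returns ip -> peak count seen in one window."""
    window = timedelta(seconds=window_seconds)
    by_ip = defaultdict(list)
    for ev in events:
        if is_failed_console_login(ev):
            by_ip[ev["sourceIPAddress"]].append(
                datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ"))
    hits = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:      # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[ip] = peak
    return hits


def actions_by_principal(events: List[Dict]) -> Dict[str, Counter]:
    """'Who did what': principal ARN -> Counter of eventName."""
    out = defaultdict(Counter)
    for ev in events:
        out[ev["userIdentity"]["arn"]][ev["eventName"]] += 1
    return dict(out)


if __name__ == "__main__":
    print(brute_force_sources(SAMPLE_EVENTS, threshold=3, window_seconds=60))
    for arn, counts in actions_by_principal(SAMPLE_EVENTS).items():
        print(arn, dict(counts))
```

Keying on sourceIPAddress rather than the user name matters: the three failures above target two different users from one address, which a per-user threshold would miss. The assumed-role ARN in the last event is what a role session (section 1.3) looks like in CloudTrail; the session name after the role name (ci) is the only thing that tells you which caller assumed the role, so enforce meaningful session names.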