AWS CloudTrail: records AWS account activity. Actions taken by an IAM user, a role, or an AWS service are recorded as events in CloudTrail. Used for governance, compliance and audit.
- Can be configured to log management events and data events (S3 object-level and Lambda invocation activity).
- CloudWatch Logs: to monitor and store logs from EC2 (via the agent), CloudTrail, Route 53 query logs, Lambda and other sources.
Custom Metrics: standard resolution is 1 minute; high-resolution metrics go down to 1 second. API: PutMetricData.
CloudWatch Dashboards: are global; one dashboard can include graphs from different regions.
- By default, CloudTrail log files delivered to S3 are encrypted with Amazon S3 server-side encryption (SSE-S3).
- You can also choose to encrypt your log files with an AWS Key Management Service (AWS KMS) key (SSE-KMS).
- Management and data event logs. Management events are logged by default; data events are opt-in and billed separately.
- Event history: the last 90 days of management events are viewable without a trail. To keep events longer, or to get them into S3 for analysis, create a trail.
- Trusted Advisor note (Business and Enterprise support plans): adds checks for Amazon S3, Amazon Redshift, EC2 Reserved Instances, security, and service limits.
- You cannot configure global service event logging (IAM, STS, CloudFront) from the CloudTrail console; use the AWS CLI (create-trail / update-trail with --include-global-service-events or --no-include-global-service-events) or the API.
CloudWatch is for capturing performance metrics and monitoring application logs, whereas CloudTrail is for tracking who did what (API activity) in the account.
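Because CloudTrail is the audit record, the first thing a detection engineer builds on it is a check for events that weaken the record itself (StopLogging, DeleteTrail) or that a stolen credential typically performs early (root console login, login without MFA, scheduling a KMS key for deletion). The script below is an added example, not code from the original notes or from AWS; it runs over constructed CloudTrail records in the documented {"Records": [...]} log file shape, with a hypothetical account ID 111122223333 and made-up user names. The event names it matches are real CloudTrail event names.

```python
import json

# Constructed sample CloudTrail records (not real account data). Field names
# follow the CloudTrail record format; account ID and users are hypothetical.
SAMPLE_RECORDS = [
    {
        "eventVersion": "1.08", "eventTime": "2024-05-01T10:00:00Z",
        "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
        "awsRegion": "us-east-1",
        "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail"},
    },
    {
        "eventVersion": "1.08", "eventTime": "2024-05-01T10:05:00Z",
        "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "awsRegion": "us-east-1",
        "userIdentity": {"type": "Root"},
        "sourceIPAddress": "198.51.100.7",
        "additionalEventData": {"MFAUsed": "No"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
    {
        "eventVersion": "1.08", "eventTime": "2024-05-01T10:06:00Z",
        "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
        "awsRegion": "us-east-1",
        "userIdentity": {"type": "AssumedRole", "userName": "app-role"},
        "sourceIPAddress": "10.0.1.5",
    },
    {
        "eventVersion": "1.08", "eventTime": "2024-05-01T10:07:00Z",
        "eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion",
        "awsRegion": "us-east-1",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "sourceIPAddress": "203.0.113.10",
    },
]

# Management events that weaken audit logging, and events that destroy keys.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
KEY_DESTRUCTION = {"ScheduleKeyDeletion", "DisableKey"}


def classify(record):
    """Return a list of finding tags for one CloudTrail record."""
    findings = []
    name = record.get("eventName", "")
    ident = record.get("userIdentity", {})
    actor = ident.get("userName") or ident.get("type", "unknown")
    if name in TRAIL_TAMPERING:
        findings.append(f"trail-tampering:{name}:{actor}")
    if name in KEY_DESTRUCTION:
        findings.append(f"kms-key-destruction:{name}:{actor}")
    if name == "ConsoleLogin":
        success = record.get("responseElements", {}).get("ConsoleLogin") == "Success"
        mfa_used = record.get("additionalEventData", {}).get("MFAUsed") == "Yes"
        if ident.get("type") == "Root":
            findings.append("root-console-login")
        if success and not mfa_used:
            findings.append(f"console-login-without-mfa:{actor}")
    return findings


def scan(log_file_text):
    """Scan the JSON body of one CloudTrail log file ({"Records": [...]}).

    Returns (eventTime, sourceIPAddress, finding) tuples, one per finding."""
    records = json.loads(log_file_text)["Records"]
    hits = []
    for rec in records:
        for finding in classify(rec):
            hits.append((rec["eventTime"], rec["sourceIPAddress"], finding))
    return hits


def scan_sample():
    """Run the scanner over the constructed records above."""
    return scan(json.dumps({"Records": SAMPLE_RECORDS}))


if __name__ == "__main__":
    for hit in scan_sample():
        print(*hit)
```

In a real pipeline the same classify() runs on each gzipped object CloudTrail delivers to the S3 bucket, or on the events a trail streams into CloudWatch Logs, where a metric filter plus alarm gives the same result with no code.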
CloudWatch Logs Insights: to query log groups interactively and save queries (or add them to a dashboard).
CloudWatch Agent and the Unified Agent (the unified agent collects both logs and system-level metrics such as memory and disk, which the basic EC2 metrics do not include).
CloudWatch Alarm: alarm states are OK / INSUFFICIENT_DATA / ALARM. An alarm on the EC2 status-check metrics can trigger an EC2 action: StatusCheckFailed_System pairs with the "Recover this instance" action, StatusCheckFailed_Instance with a reboot.
CloudWatch Events (now Amazon EventBridge): define rules and targets.
AWS Config:
- Records resource configuration history. Configuration snapshots and history can be delivered to S3 and analysed with Athena.
- View compliance against Config rules, the configuration timeline of a resource, and the CloudTrail API calls that caused each change.
Support for encryption using SSE-KMS:
CloudTrail will encrypt the log files using the KMS key you specify (the key policy must allow CloudTrail to use it).
Log file integrity validation:
Validates the integrity of the CloudTrail log files stored in your S3 bucket and detects whether they were deleted or modified after CloudTrail delivered them, as part of the security and auditing discipline. When enabled, CloudTrail delivers an hourly digest file listing the SHA-256 hash of every log file delivered in that hour; the digest is signed with CloudTrail's RSA private key (SHA256withRSA) and references the previous digest, so the digests form a chain. The aws cloudtrail validate-logs CLI command checks the chain for you.
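The part of that validation a practitioner can reason about directly is the hash check: each digest entry names an S3 object and its SHA-256, so recomputing the hash of what is in the bucket now detects edited files, and a listed object that is no longer there is a deletion. The code below is an added example, not part of the original notes and not AWS tooling; it builds a constructed, unsigned digest in the shape CloudTrail uses (only the logFiles fields are reproduced), with a hypothetical bucket name and account ID, and hashes uncompressed JSON bodies. It deliberately leaves out the RSA signature check on the digest, which needs the public key returned by the real ListPublicKeys API.

```python
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for the S3 bucket: object key -> uncompressed log body.
# Real log files are gzipped and delivered under AWSLogs/<account>/CloudTrail/.
LOG_FILES = {
    "AWSLogs/111122223333/CloudTrail/us-east-1/2024/05/01/a.json":
        json.dumps({"Records": [{"eventName": "StopLogging"}]}).encode(),
    "AWSLogs/111122223333/CloudTrail/us-east-1/2024/05/01/b.json":
        json.dumps({"Records": [{"eventName": "GetObject"}]}).encode(),
}


def make_digest(bucket_objects):
    """Build a digest in the shape CloudTrail delivers (fields used here only).

    A real digest is signed with SHA256withRSA and links to the previous
    digest; this constructed one is unsigned."""
    return {
        "digestSignatureAlgorithm": "SHA256withRSA",
        "logFiles": [
            {"s3Bucket": "audit-bucket", "s3Object": key,
             "hashValue": sha256_hex(body), "hashAlgorithm": "SHA-256"}
            for key, body in bucket_objects.items()
        ],
    }


def validate(digest, bucket_objects):
    """Compare every log file listed in the digest against the bucket contents.

    Returns {s3Object: "ok" | "modified" | "missing"}."""
    result = {}
    for entry in digest["logFiles"]:
        body = bucket_objects.get(entry["s3Object"])
        if body is None:
            result[entry["s3Object"]] = "missing"
        elif sha256_hex(body) != entry["hashValue"]:
            result[entry["s3Object"]] = "modified"
        else:
            result[entry["s3Object"]] = "ok"
    return result


def demo():
    """Validate the untouched bucket, then a bucket an attacker edited."""
    digest = make_digest(LOG_FILES)
    key_a, key_b = list(LOG_FILES)
    tampered = dict(LOG_FILES)
    # Attacker rewrites one file to hide StopLogging and deletes the other.
    tampered[key_a] = json.dumps({"Records": []}).encode()
    del tampered[key_b]
    return validate(digest, LOG_FILES), validate(digest, tampered)


if __name__ == "__main__":
    clean, attacked = demo()
    print("clean bucket:", clean)
    print("after tampering:", attacked)
```

The check only has value if the digests themselves cannot be rewritten along with the logs, which is why the signature and the separate, tightly permissioned digest bucket matter in the real feature.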
Trusted Advisor: (customized cloud expert)
AWS Trusted Advisor offers a rich set of best-practice checks and recommendations across five categories: cost optimization, performance, security, fault tolerance, and service limits. The Basic and Developer plans get only a core subset of the security and service-limit checks.
VM Import/Export:
- To import virtual machine images from your existing environment as Amazon EC2 instances (or AMIs), and export them back to your on-premises environment.
AWS OpsWorks Stacks:
- You can model your application as a stack containing different layers, such as load balancing, database, and application server.
- A common practice is to have multiple stacks that represent different environments (dev, staging, production).
CloudHSM:
- Processes cryptographic operations and provides secure storage for cryptographic keys in a single-tenant, FIPS 140-2 Level 3 validated HSM that you control (AWS has no access to the keys).
- Backups: to encrypt a backup, the HSM uses a unique, ephemeral encryption key known as the ephemeral backup key (EBK). The EBK is itself wrapped with a persistent backup key (PBK), and the encrypted backup is stored in an S3 bucket in the same region as the HSM cluster.
Amazon Polly:
- Text-to-Speech (TTS) cloud service that converts text into lifelike speech.
- A pronunciation lexicon maps a word to one pronunciation; if the same word must be spoken differently in different places, you need multiple lexicons.
- SSML tags control the speech. Replacing commas with periods adds pauses, and wrapping words or paragraphs in emphasis level="strong" tags helps control the speaking pace.
AWS Support plans (response time by severity):
Enterprise: business-critical system down, < 15 minutes. Business: production system down, < 1 hour. Developer: system impaired, < 12 business hours. Basic: no technical support case response.
AWS Storage Gateway:
Links your on-premises environment to Amazon cloud storage.
It offers local storage (cache) with optimized connectivity to AWS cloud storage, and helps with migration, bursting and storage tiering use cases. Three types: File Gateway (NFS/SMB to S3), Volume Gateway (iSCSI, backed by EBS snapshots) and Tape Gateway (virtual tape library to S3/Glacier).
Pilot Light (DR strategy):
Run a minimal version of the environment in the cloud.
A small part of your infrastructure is always running, continuously syncing mutable data (such as databases or documents), while the other parts are switched off and only started during a failover or test. Building blocks: RDS, EC2, AMIs, ELB.
Warm Standby:
A scaled-down but fully functional copy of the production environment is always running, including the application servers. RTO low to medium, RPO low. On failover, scale it up and reroute live traffic with Route 53.
Multi-Site (active-active configuration):
Both sites serve traffic, e.g. 50/50 weighted routing in Route 53; lowest RTO/RPO, highest cost.
AWS Direct Connect:
A dedicated private network connection between your on-premises data center and AWS, as an alternative to sending traffic over the Internet. Note that Direct Connect is not encrypted by itself; run a VPN over it if confidentiality is required.
Elastic Transcoder:
Media transcoding service in the cloud. Media can be converted into another format as required by the target device or user.
Amazon WorkSpaces:
- Desktop as a service / virtual desktop. The user volume is backed up every 12 hours.
Amazon WorkDocs:
- To share content. An administrator can restrict public link sharing so that only Power users can share publicly.
Amazon FPS: Amazon Flexible Payments Service, developers can accept payments on websites. It has several innovative features, including support for micropayments.
Amazon DevPay: supports applications built on Amazon S3 or Amazon EC2 by allowing you to resell applications built on top of one of these services.
AWS Organizations: central management of multiple accounts; Service Control Policies (SCPs) set the maximum permissions available to member accounts (they restrict, they never grant).
- Systems Manager Parameter Store provides secure, hierarchical storage for configuration data and secrets (SecureString parameters are encrypted with KMS).
AWS KMS (envelope encryption):
A customer managed key (CMK) never leaves KMS. GenerateDataKey returns a plaintext data key and the same data key encrypted under the CMK. Documents are encrypted locally with the plaintext data key; after encryption the plaintext data key must be discarded to avoid misuse, and the encrypted data key is stored alongside the encrypted data in S3. To decrypt, send the encrypted data key to KMS (Decrypt), get the plaintext key back, and decrypt the data locally.
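The note above describes the envelope pattern in prose; the code below is an added example, not from the original notes and not the AWS SDK, that walks through it end to end. It replaces KMS with a hypothetical FakeKms class whose generate_data_key() and decrypt() mirror kms:GenerateDataKey and kms:Decrypt, so it runs offline, and it uses an HMAC-SHA256 keystream-plus-tag construction as a stand-in for AES-GCM because the Python standard library has no AES; the key names and the document text are constructed. The point it shows beyond the prose: the stored object contains only the wrapped data key and ciphertext, a different CMK cannot unwrap it, and a flipped ciphertext byte is rejected rather than decrypted to garbage.

```python
import hashlib
import hmac
import os


# --- stand-in AEAD (HMAC-SHA256 keystream in counter mode + HMAC tag) -------
# Only here so the example runs with the standard library. In production use
# AES-GCM from a real crypto library (e.g. the AWS Encryption SDK does this).
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + aad + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + aad + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


# --- hypothetical KMS stand-in ------------------------------------------------
class FakeKms:
    """The CMK lives only inside this object, as it lives only inside KMS."""

    def __init__(self, key_id: str):
        self.key_id = key_id
        self._cmk = os.urandom(32)

    def generate_data_key(self):
        """Mirrors kms:GenerateDataKey: (Plaintext, CiphertextBlob)."""
        plaintext = os.urandom(32)
        return plaintext, seal(self._cmk, plaintext, aad=self.key_id.encode())

    def decrypt(self, ciphertext_blob: bytes) -> bytes:
        """Mirrors kms:Decrypt: unwrap a data key with this CMK."""
        return unseal(self._cmk, ciphertext_blob, aad=self.key_id.encode())


# --- envelope encryption ------------------------------------------------------
def encrypt_document(kms: FakeKms, document: bytes) -> dict:
    data_key, encrypted_data_key = kms.generate_data_key()
    ciphertext = seal(data_key, document)
    del data_key  # plaintext key is not kept; only the wrapped key is stored
    # This dict is what gets written to S3 next to (or inside) the object.
    return {"encrypted_data_key": encrypted_data_key, "ciphertext": ciphertext}


def decrypt_document(kms: FakeKms, stored: dict) -> bytes:
    data_key = kms.decrypt(stored["encrypted_data_key"])
    return unseal(data_key, stored["ciphertext"])


def demo():
    """Round trip, wrong-CMK failure and tamper detection in one call."""
    doc = b"constructed sample contract text"
    docs_key = FakeKms("alias/documents")
    other_key = FakeKms("alias/other-team")
    stored = encrypt_document(docs_key, doc)
    result = {"roundtrip": decrypt_document(docs_key, stored) == doc,
              "plaintext_absent": doc not in stored["ciphertext"]}
    try:
        decrypt_document(other_key, stored)
        result["wrong_cmk_rejected"] = False
    except ValueError:
        result["wrong_cmk_rejected"] = True
    tampered = dict(stored)
    last = stored["ciphertext"][-1] ^ 0x01
    tampered["ciphertext"] = stored["ciphertext"][:-1] + bytes([last])
    try:
        decrypt_document(docs_key, tampered)
        result["tamper_rejected"] = False
    except ValueError:
        result["tamper_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

With the real service the only network calls are GenerateDataKey once per object and Decrypt once per read, which is what keeps KMS request volume and latency off the bulk data path; the key policy on the CMK, not the S3 bucket policy, is what ultimately decides who can read the data.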
Amazon Deploy:
Described as the simplest way for developers to get paid for Amazon EC2 machine images (AMIs) or applications they build on top of Amazon S3.
Developers use the web interface to register their application or AMI and configure their desired pricing.
AWS CloudFormer:
- A template creation tool that creates an AWS CloudFormation template from the existing resources in your AWS account.
- You select any supported AWS resources that are running in your account, and CloudFormer writes a template to an Amazon S3 bucket.
AWS CodePipeline:
- CodeCommit repository or S3 source created through the console: CodePipeline creates an Amazon CloudWatch Events rule that starts your pipeline when the source changes.
- GitHub repository created through the console: CodePipeline creates a webhook that starts your pipeline when the source changes.
- CI/CD orchestration service that can deliver all the way to Elastic Beanstalk.
- If the pipeline is created through the CLI, periodic polling of the source is used by default; disable it (PollForSourceChanges=false) when the event rule or webhook is in place.
AWS CodeCommit: AWS in-house git repository. Noted as most useful when the build size is small.
AWS CodeDeploy: for existing deployment infrastructure. If new resources need to be provisioned as well, Elastic Beanstalk is the better option.
- Deploys our code directly onto EC2 instances or on-premises servers. We can define a deployment configuration that controls how fast the rollout of new code proceeds (all at once, half at a time, one at a time).
AWS Glue: serverless ETL with Spark integration. Typical flow: Aurora / RDS --> S3, Redshift.
EMR: big data processing (managed Hadoop/Spark clusters).
Consolidated Billing: unused Reserved Instance discounts are shared across the accounts in the organization. An RI bought in one account applies to a matching instance launched by another account in the same Availability Zone; the instances do not need to be in the same VPC.
AWS SSO (now IAM Identity Center):
- To centrally manage SSO access to all of your AWS accounts and cloud applications.
- Users in your on-premises Active Directory can also have SSO access to AWS accounts and cloud applications through the AWS SSO user portal.
The following two options are available for connecting on-premises AD:
1. Create a two-way trust relationship between AWS Managed Microsoft AD and the on-premises domain.
2. Create an AD Connector, a directory gateway that redirects directory requests to your on-premises Active Directory without caching any information in the cloud.
If you connect AWS SSO to an AD Connector directory, any future user password resets must be done from within Active Directory; users will not be able to reset their passwords from the user portal.
EFS:
Mount targets can be created in multiple AZs, so one file system is reachable across AZs. Encryption at rest can only be chosen at creation time. Access from another VPC requires VPC peering. The mount target's security group must allow inbound NFS, TCP port 2049. Encryption in transit is done with the EFS mount helper.
Enabling encryption of data in transit for your Amazon EFS file system is done by enabling Transport Layer Security (TLS) when you mount your file system using the Amazon EFS mount helper (mount -t efs -o tls); the helper runs a local stunnel process that the NFS client connects through.
Performance:
- Max I/O performance mode: when very many EC2 instances (hundreds or thousands) are connected; higher aggregate throughput at a slight latency cost.
- General Purpose (default): recommended for latency-sensitive workloads.
- Throughput modes: Bursting scales with the amount of data stored; Provisioned lets you set throughput independently of the file system size.
AWS STS:
Returns a set of temporary security credentials (an access key ID, a secret access key, and a session token) for a federated user or an assumed role. The credentials expire, which is why they are preferred over long-lived IAM user keys.
Amazon FSx:
1) FSx for Windows File Server
- Supports DFS Namespaces (DFSN) and is the most suitable storage solution for Microsoft file systems. AWS DataSync supports migrating to Amazon FSx and automates the process.
- Provides fully managed, highly reliable, and scalable file storage that is accessible over the industry-standard Server Message Block (SMB) protocol.
2) FSx for Lustre: a fully managed file system for high performance computing (HPC) workloads, with S3 integration.
EBS snapshot sharing:
To share an encrypted snapshot with another account (e.g. PROD), the volume must be encrypted with a customer managed KMS key (snapshots encrypted with the AWS managed default key cannot be shared). You must share the KMS key with the PROD account through its key policy, and you also need to modify the permissions on the snapshot to share it with the PROD account.