"AWS General Reference" summarized
Endpoint: a URL. The SDK & CLI normally use the default endpoint for the region, but it can be customized. An endpoint may or may not include the region, depending on the specific service.
Region:
- Has multiple AZs
- Isolated & completely independent of each other (unless explicitly replicated, etc.)
- Some services are global, not per region (IAM); some support cross-region replication
- Enabling a region takes some time (minutes to hours), e.g. to replicate IAM policies
- Disabling a region is possible only after all resources in it have been removed
Availability Zone:
- Isolated location within region
- AZs in the same region are connected by a low-latency network
- Engineered to isolate failures from other AZs
- AZ names are mapped per account - so 'us-east-1a' for one account may be a different physical AZ than 'us-east-1a' for another account
- AZ ID is consistent across accounts, e.g. 'use1-az1'
Local Zone:
- Infrastructure that places SELECTED services close to end users
- An extension of a region (but not within it)
- Only available after Opt In
Edge Servers:
In most cases, an API call requires credentials to identify the caller (exception: e.g. downloading a publicly accessible S3 object).
Root User: full power over account resources; cannot be restricted (though the account's power can be limited with an AWS Organizations Service Control Policy (SCP)). Recommended: DELETE root user access keys and do not use the root user for day-to-day tasks.
IAM Users:
- recommended for daily use
- not recommended to share credentials
Types of credentials
- email / password (Root)
- IAM username / password
- access key - for API calls or CLI - key ID + secret key (only one opportunity to view and download the secret), limited to 2 per IAM user
- temporary access key / temporary credentials (for roles, cross-account access, federation): a key (ID + secret key) & a session token (which carries the expiry, etc.)
- key pairs (public/private key, can be created by user or AWS)
  - Creation:
    - ssh-keygen (from OpenSSH)
    - AWS CLI
    - console (AWS does not store the private key)
  - Usage:
    - for EC2, SSH
    - for CloudFront, create signed URLs for private content, e.g. when distributing restricted content that someone paid for
- MFA
Account ID:
- Account ID - 12-digit number, used in ARNs etc.
- canonical user ID - a very long string, used only in S3 policies for cross-account access; viewable in S3
Best practice:
- Root user:
  - Not for day-to-day tasks
  - Remove access keys; do not generate new ones
- Use roles and temporary credentials:
  - For an application / CLI script on an EC2 instance: define a role, assign it to the instance; SDK & CLI obtain temporary credentials for the role automatically
  - For cross-account access, use an IAM role to establish trust
  - App - use Cognito & federation
  - SAML 2.0 - use federation
  - On-premises integration (federation into AWS): grant authenticated enterprise users access to the console
- Access keys:
  - Don't embed in code
  - Put them in the AWS environment file or in environment variables
  - Use a different key for each application
  - Rotate periodically
  - Remove unused keys
- MFA is necessary
Security Audit:
ARN (Amazon Resource Name): uniquely identifies a resource. The format varies by resource, but generally:
arn:partition:service:region:account-id:resource-id
arn:partition:service:region:account-id:resource-type/resource-id
arn:partition:service:region:account-id:resource-type:resource-id
Partition: such as 'aws', 'aws-cn'
Some ARNs can include a path, and '*' can be used as a wildcard.
To look up a service's ARN format: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
Can be obtained as JSON
The SDK implements retry logic, which can be configured.
If you implement it yourself, retry original requests that receive server (5xx) or throttling errors. Client errors (4xx), however, indicate that you need to revise the request to correct the problem before trying again. Use an exponential backoff algorithm with jitter.
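As an added illustration (not code from the AWS reference or from any AWS SDK), a minimal Python retry loop applying the rule above: retry on 5xx and throttling, fail fast on other 4xx, and space retries with full-jitter exponential backoff. The throttling code list and the scripted sender are constructed for the demo; `sleep` and `rng` are injectable so the behaviour can be checked without waiting.

```python
import random
import time

# Error codes that signal throttling (a constructed subset; the AWS SDKs carry a
# longer list). Throttling arrives as HTTP 4xx but is still retryable.
THROTTLING_CODES = {"Throttling", "ThrottlingException",
                    "RequestLimitExceeded", "TooManyRequestsException"}

class RequestFailed(Exception):
    """Raised for a non-retryable error or once the retry budget is spent."""
    def __init__(self, status, code):
        super().__init__(f"HTTP {status} {code}")
        self.status, self.code = status, code

def is_retryable(status, code):
    """Server (5xx) and throttling errors: retry. Any other client (4xx) error
    means the request itself is wrong and must be fixed, not resent."""
    return status >= 500 or code in THROTTLING_CODES

def backoff_delay(attempt, base=0.1, cap=20.0, rng=random.random):
    """'Full jitter' exponential backoff: a uniform delay in
    [0, min(cap, base * 2**attempt)] so that many clients retrying after the
    same outage do not all hit the service at the same instant."""
    return rng() * min(cap, base * (2 ** attempt))

def call_with_retry(send, max_attempts=5, sleep=time.sleep, rng=random.random):
    """send() performs one attempt and returns (http_status, error_code, body);
    error_code is None on success. Returns body, or raises RequestFailed."""
    attempt = 0
    while True:
        status, code, body = send()
        if status < 400:
            return body
        attempt += 1
        if not is_retryable(status, code) or attempt >= max_attempts:
            raise RequestFailed(status, code)
        sleep(backoff_delay(attempt - 1, rng=rng))

def scripted_sender(responses):
    """Constructed stand-in for a real HTTP call: replays the given responses."""
    queue = list(responses)
    return lambda: queue.pop(0)

if __name__ == "__main__":
    send = scripted_sender([(503, "ServiceUnavailable", None),
                            (400, "Throttling", None),
                            (200, None, {"ok": True})])
    print(call_with_retry(send, sleep=lambda s: print(f"sleep {s:.3f}s")))
```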
SDK & CLI sign requests automatically - no need to implement signing yourself. Otherwise, see the reference.
Support for Amazon S3 Client-Side Encryption
Supported in console in certain fields
Key/value