
AWS Cloud (2) Storage, Databases, Security

avocado8 2024. 11. 27. 17:31

 

Module 5. Storage and Databases

28. Instance Stores and Amazon Elastic Block Store (Amazon EBS)

Block-level storage

- storage for files saved as blocks

- databases, enterprise software, file systems...

 

On an EC2 instance

- Instance store volumes: storage attached to the AWS host (the host underneath the hypervisor). When the instance is terminated, the data in it is lost as well.

But I don't want my data to disappear just because I terminate the EC2 instance!! ->> Amazon EBS.

 

Amazon EBS

- EBS volumes (virtual hardware) are attached to the instance; they are not tied to the host

- all different sizes, types and configurations: you define them

- data remains on the volume even after the EC2 instance is terminated

- Snapshots: incremental backups; data can be restored

 

Q. Which of the following are characteristics of the Amazon EBS service? (Select TWO.)

A. Best for data that requires retention / Separate drives from the host computer of an EC2 instance

 

29. Amazon Simple Storage Service (Amazon S3)

Amazon S3 : Store and retrieve an unlimited amount of data

- Store data as objects (object: data + metadata + key)

- Store objects in buckets

- Maximum object size : 5TB

- Version objects 

- Create multiple buckets

 

1) Amazon S3 Standard

- 99.999...% durability

- multiple copies across locations

- stores data in at least 3 AZs

- static website hosting: useful for static websites made of physical pages such as HTML files

2) S3 Standard-Infrequent Access (Standard-IA)

- store backups, recovery files

- long-term storage

3) S3 Glacier Flexible Retrieval

- archives: data kept for a long time and accessed rarely

- lock policies are possible

* Write once/read many (WORM) policy

* S3 lifecycle management: move data automatically between tiers

-- after a set amount of time, data is moved to another tier automatically

 

EBS vs S3

1) Amazon EBS

- up to 16 TiB

- Survive termination of their EC2 instance 

- Solid state by default

- HDD options

- Block storage: data is stored in blocks. When a change happens, only those blocks need to be updated -> efficient when large files are modified

 

2) Amazon S3

- Unlimited storage

- Individual objects up to 5 TB

- Write once/read many

- 99.999....% durability

- Web enabled

- Regionally distributed 

- Offers cost savings

- Serverless

- Object storage: every file is treated as a complete, discrete object. When an object changes, the entire file is uploaded again. Good when complete objects are used
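A small model of the block-vs-object distinction above, added here as an example (not code from the original notes and not AWS code): it counts how much has to be rewritten when one block of a file changes, and which blocks an incremental snapshot has to keep. The block size and the sample data are constructed for illustration.

```python
from typing import Dict, List, Optional

BLOCK_SIZE = 4  # bytes per block; tiny so the arithmetic is easy to follow

def split_blocks(data: bytes, block_size: int = BLOCK_SIZE) -> List[bytes]:
    """Split data into fixed-size blocks (the last one may be shorter)."""
    return [data[i:i + block_size] for i in range(0, len(data), block_size)]

def block_storage_update(old: bytes, new: bytes) -> int:
    """Bytes written when a block volume changes from old to new.
    Only blocks whose content differs are rewritten, so a small edit inside a
    large file costs about one block instead of the whole file."""
    old_blocks, new_blocks = split_blocks(old), split_blocks(new)
    written = 0
    for i, block in enumerate(new_blocks):
        if i >= len(old_blocks) or old_blocks[i] != block:
            written += len(block)
    return written

def object_storage_update(old: bytes, new: bytes) -> int:
    """Bytes written when an object changes: object storage has no partial
    update, so a changed object is uploaded again in full."""
    return len(new) if new != old else 0

def incremental_snapshot(volume: bytes, last_snapshot: Optional[bytes]) -> Dict[int, bytes]:
    """Blocks an EBS-style incremental snapshot has to store, keyed by block index.
    The first snapshot stores every block; later ones store only the blocks
    that changed since the previous snapshot image."""
    blocks = split_blocks(volume)
    if last_snapshot is None:
        return dict(enumerate(blocks))
    previous = split_blocks(last_snapshot)
    return {i: b for i, b in enumerate(blocks)
            if i >= len(previous) or previous[i] != b}

if __name__ == "__main__":
    original = b"AAAABBBBCCCCDDDD"   # constructed 16-byte "file"
    edited = b"AAAABBBBXXXXDDDD"     # a single 4-byte block changed
    print(block_storage_update(original, edited))   # 4
    print(object_storage_update(original, edited))  # 16
    print(incremental_snapshot(edited, original))   # {2: b'XXXX'}
```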

 

Q. You want to store data that is infrequently accessed but must be immediately available when needed. Which Amazon S3 storage class should you use?

A. S3 Standard-IA

 

30. Amazon Elastic File System (Amazon EFS)

- managed file systems

- Shared file storage

- Multiple instances can access the data in EFS at the same time

- scaling is automatic.

- stores data in and across multiple AZs.

 

EBS vs EFS

1) EBS

- volumes attach to EC2 instances

- AZ level resource

-> need to be in the same AZ to attach EC2 instances

- no auto scaling (X)

2) EFS

- multiple instances reading/writing simultaneously

- Linux file system

- Regional resource

- auto scaling (O)

 

31. Amazon Relational Database Service (Amazon RDS)

MySQL, PostgreSQL, ...

- Lift-and-shift migration

RDS

- Automated patching

- Backups

- Redundancy

- Failover

- Disaster recovery

 

Amazon Aurora

- MySQL / PostgreSQL

- 1/10th the cost of commercial dbs

- Data replication: 6 copies at any given time

- Up to 15 read replicas

- Continuous backup to Amazon S3

- Point-in-time recovery

 

32. Amazon DynamoDB

- A serverless database 

- key-value pair

- create dynamodb table - store, query data

- data consists of items, and items have attributes

- store data redundantly across multiple AZs, drives

- high performance

- scalability(Auto Scaling), reliable, quick response time

- Databases like SQL query using a rigid schema, but DynamoDB is a non-relational (NoSQL) DB

-- simple schema. Items in a table do not all have the same attributes.

- purpose built

- fully managed

 

RDS vs DynamoDB

1) Amazon RDS

- Automatic high availability, recovery provided

- Customer ownership of data / schema / control of network

 

2) DynamoDB

- use key-value pair

- massive throughput capabilities

- PB size potential

- Granular API access

 

Q. What are the scenarios in which you should use Amazon Relational Database Service (Amazon RDS)? (Select TWO.)

A. Using SQL to organize data / Storing data in an Amazon Aurora database

 

33. Amazon Redshift

- Data warehousing as a service

- massive data.

- directly run a single SQL query against exabytes of data (large data sets)

- higher performance

- manage large amounts of data with a single API call

 

34. AWS Database Migration Service

What about data that is already on-premises / in the cloud?

->> AWS Database Migration Service (DMS).

- Source db remains fully operational during the migration 

- Downtime is minimized for applications that rely on that database

- Source and target dbs don't have to be of the same type

- also used for development/test DB migrations, combining several DBs into a single DB, and continuous replication

 

Homogeneous DBs

- source (on-premises, EC2, RDS...) and target (EC2, RDS...) DBs are of the same type

- schema structures, data types and DB code are used as-is

- AWS DMS sits between source and target

 

Heterogeneous databases

- a 2-step process is needed: schema, types and code differ

1) match the source schema and code with the AWS Schema Conversion Tool

2) migrate the data with DMS

 

35. Additional Database Services

Amazon DocumentDB (with MongoDB compatibility)

Amazon Neptune : for social networking. graph db

Amazon Managed Blockchain : banking, financial - immutability

Amazon Quantum Ledger Database (QLDB)

 

Database accelerators

- adding caching layers on top of DBs: Amazon ElastiCache

- for non-relational: Amazon DynamoDB Accelerator(DAX)

 

Module 5 Quiz

Q. Which Amazon S3 storage classes are optimized for archival data? (Select TWO.)

A. Amazon S3 Glacier Flexible Retrieval / Amazon S3 Glacier Deep Archive

 

Q. Which statement or statements are TRUE about Amazon EBS volumes and Amazon EFS file systems?

A. EBS volumes store data within a single Availability Zone. Amazon EFS file systems store data across multiple Availability Zones.

An EBS volume must be located in the same AZ as the EC2 instance it will be attached to,

while EFS can be accessed from all AZs in the Region where the file system is located.

 

Q. You want to store data in an object storage service. Which AWS service is best for this type of storage?

A. Amazon Simple Storage Service (Amazon S3)

 

Q. Which statement best describes Amazon DynamoDB?

A. A serverless key-value database service

Explanation of the other choices

A service that enables you to run relational databases in the AWS Cloud >> Amazon RDS

A service that you can use to migrate relational databases, nonrelational databases, and other types of data stores >> AWS DMS

An enterprise-class relational database >> Amazon Aurora

 

Q. Which service is used to query and analyze data across a data warehouse?

A. Amazon Redshift

 

 

Module 6. Security

39. AWS Shared Responsibility Model

Who is responsible for security? Both the customer and AWS

ex) AWS: responsible for security "of" the cloud. Hypervisor, network, physical layer...

Customer: responsible for security "in" the cloud. OS, applications, data...

AWS cannot touch anything that falls under the customer's responsibility

 

Q. Which tasks are the responsibilities of customers? (Select TWO.)

A. Patching software on Amazon EC2 instances / Setting permissions for Amazon S3 objects

 

40. User Permissions and Access

AWS account root user: owner of the AWS account. Has every permission in the account: can access and control any resource

- MFA (multi-factor authentication): a second login factor via a token.

 

AWS Identity and Access Management (AWS IAM)

- create IAM users

- default: no permissions

- explicitly allow user permissions

- Principle of least privilege: a user is granted access only to what they need.

 

IAM policy: JSON document

- effect (allow / deny) / action (any AWS API call) / resource (which AWS resource the API call applies to) ...

- attached to a user -> the user gets only the permissions that are stated

 

IAM groups: a grouping of users. When a policy is attached, every user in the group gets those permissions

 

IAM Roles

- associated permissions : allow or deny

- assumed for temporary amounts of time

- no username or password : instead, identity

- access to temporary permissions

 

41. AWS Organizations

- A central location to manage multiple AWS accounts

- manage billing, control access, compliance and security, and share resources across your AWS accounts

- Centralized management: combine several accounts into an organization and manage them centrally

- Consolidated billing: you can use the primary account to pay

- Hierarchical groupings of accounts: group accounts into organizational units (OUs)

- AWS service and API action access control (* Service control policies (SCPs): you can restrict which members can access which resources)
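The evaluation rules behind the IAM policy notes above (no permission by default, explicit allow, explicit deny) and the SCP boundary from AWS Organizations, as an added example. This is not code from the original notes and not AWS's evaluator: a simplified model that ignores Conditions and NotAction, and the policies, bucket name and ARNs are constructed.

```python
from fnmatch import fnmatchcase
from typing import Dict, List, Union

# Constructed least-privilege identity policy: read one bucket, nothing else.
# The Deny protects a prefix even if another policy on the same user allows it.
READ_ONLY_BUCKET_POLICY: Dict = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Effect": "Deny",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/secrets/*"},
    ],
}

# Constructed SCP for an OU: keep full access but forbid deleting buckets in
# every member account, whatever the account's own IAM policies say.
NO_BUCKET_DELETE_SCP: Dict = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}

def _as_list(value: Union[str, List[str]]) -> List[str]:
    return [value] if isinstance(value, str) else value

def _matches(stmt: Dict, action: str, resource: str) -> bool:
    """True if the statement's Action and Resource patterns cover the request ('*' is a wildcard)."""
    return (any(fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])))

def is_allowed(policies: List[Dict], action: str, resource: str) -> bool:
    """Evaluate like IAM: denied by default, an Allow grants, a Deny overrides any Allow."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if _matches(stmt, action, resource):
                if stmt["Effect"] == "Deny":
                    return False          # explicit deny: stop immediately
                allowed = True            # remember the Allow, keep looking for Denies
    return allowed

def is_allowed_in_org(scps: List[Dict], identity_policies: List[Dict], action: str, resource: str) -> bool:
    """SCPs cap what an account can do: the request must pass the SCPs and the identity policies."""
    return is_allowed(scps, action, resource) and is_allowed(identity_policies, action, resource)
```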

 

Q. You are configuring service control policies (SCPs) in AWS Organizations. Which identities and resources can SCPs be applied to? (Select TWO.)

A. An individual member account / An organizational unit (OU)

 

42. Compliance

* You need to collect documents to check compliance regulations

AWS Artifact

- gain access to compliance reports done by third parties

 

Q. Which tasks can you complete in AWS Artifact? (Select TWO.)

A. Access AWS compliance reports on-demand. / Review, accept, and manage agreements with AWS.

 

43. Denial-of-Service Attacks

Distributed denial-of-service (DDoS)

DDoS attack: a bad actor tries to overwhelm the capacity of the application

- UDP flood (the responses to the attacker's requests are given a return address pointing at a particular server, concentrating the load on it) -->> configure security groups so that only proper traffic is allowed

- Slowloris attack (sends requests that are expensive to process, so later customer requests are delayed or not accepted) -->> handle HTTP traffic requests with an Elastic Load Balancer

* AWS Shield with AWS WAF (Web Application Firewall)

- protect applications against DDoS attacks
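A model of the "security groups allow only proper traffic" point above, added as an example (not code from the original notes and not AWS code): a security group has allow rules only, so anything not matched, such as a burst of UDP to arbitrary ports, is dropped before it reaches the instance. The rules, the admin CIDR and the sample packets are constructed.

```python
import ipaddress
from typing import Dict, List

# Constructed inbound rules for a web server: HTTPS from anywhere and SSH
# only from an (assumed) admin range. There are no deny rules; anything not
# listed here is dropped before it reaches the instance.
WEB_SERVER_INGRESS: List[Dict] = [
    {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "203.0.113.0/24"},
]

def rule_matches(rule: Dict, protocol: str, port: int, src_ip: str) -> bool:
    """True if one inbound rule permits this protocol/port/source combination."""
    in_cidr = ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule["cidr"])
    if rule["protocol"] == "-1":            # "-1" is the all-protocols rule (ports ignored)
        return in_cidr
    if rule["protocol"] != protocol:
        return False
    if not rule["from_port"] <= port <= rule["to_port"]:
        return False
    return in_cidr

def is_permitted(rules: List[Dict], protocol: str, port: int, src_ip: str) -> bool:
    """A security group is an allow-list: traffic gets in only if some rule matches."""
    return any(rule_matches(r, protocol, port, src_ip) for r in rules)

def count_dropped(rules: List[Dict], packets: List[Dict]) -> int:
    """Number of inbound packets the security group would drop at the instance boundary."""
    return sum(1 for p in packets
               if not is_permitted(rules, p["protocol"], p["port"], p["src"]))

# Constructed sample traffic: one legitimate HTTPS request, one SSH attempt from
# outside the admin range, and a burst of UDP datagrams to random high ports
# (the shape of a UDP flood). Only the HTTPS request is allowed through.
SAMPLE_PACKETS: List[Dict] = (
    [{"protocol": "tcp", "port": 443, "src": "198.51.100.7"},
     {"protocol": "tcp", "port": 22, "src": "198.51.100.7"}]
    + [{"protocol": "udp", "port": 1024 + i, "src": "192.0.2.%d" % (i % 250)}
       for i in range(1000)]
)

if __name__ == "__main__":
    print(count_dropped(WEB_SERVER_INGRESS, SAMPLE_PACKETS))  # 1001 of 1002 dropped
```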

 

44. Additional Security Services

Encryption at rest: data is idle, just being stored and not moving

- Encryption at rest in DynamoDB: encryption keys are managed with AWS Key Management Service (AWS KMS)

 

Encryption in transit: data traveling between a service and a client/another service

- When connecting to Amazon Redshift with SQL: use Secure Sockets Layer (SSL)

 

Amazon Inspector

- can check for security issues

- network configuration reachability piece / Amazon agent / security assessment service

 

Amazon GuardDuty

- provides intelligent threat detection for your AWS resources

- runs independently of other resources

 

Module 6 Quiz

Q. Which statement best describes an IAM policy?

A. A document that grants or denies permissions to AWS services and resources

Explanation of the other choices

An authentication process that provides an extra layer of protection for your AWS account >> MFA

An identity that you can assume to gain temporary access to permissions >> IAM Role

The identity that is established when you first create an AWS account >> root user identity

 

Q. An employee requires temporary access to create several Amazon S3 buckets. Which option would be the best choice for this task?

A. IAM role

 

Q. Which statement best describes the principle of least privilege?

A. Granting only the permissions that are needed to perform specific tasks

 

Q. Which service helps protect your applications against distributed denial-of-service (DDoS) attacks?

A. AWS Shield

 

Q. Which task can AWS Key Management Service (AWS KMS) perform?

A. Create cryptographic keys.

Explanation of the other choices

Configure multi-factor authentication (MFA). >> AWS IAM

Update the AWS account root user password. >> AWS Management Console (where did that come from...)

Assign permissions to users and groups. >> AWS IAM