Amazon AWS Concepts: Difference between revisions
=External=
* AWS Glossary: https://docs.aws.amazon.com/general/latest/gr/glos-chap.html
=Internal=
* [[Amazon AWS#Subjects|Amazon AWS]]
=AWS Security Concepts=
{{Internal|Amazon AWS Security Concepts |AWS Security Concepts}}
=Region=
AWS has data centers in different areas of the world, grouped into geographically separate regions. Each region has a display name and a region code; the code is what the AWS CLI, the SDKs and ARNs use. Examples of AWS regions:
* Asia Pacific (Tokyo) ap-northeast-1
* Asia Pacific (Singapore) ap-southeast-1
* Asia Pacific (Sydney) ap-southeast-2
* EU (Frankfurt) eu-central-1
* EU (Ireland) eu-west-1
* South America (Sao Paulo) sa-east-1
* US East (N. Virginia) us-east-1
* US West (N. California) us-west-1
* US West (Oregon) us-west-2
==Region Operations==
{{Internal|AWS Region Operations|Region Operations}}
=Profile=
An AWS named profile is a collection of configuration elements, settings and credentials that apply to an AWS CLI command. For more details see:
{{Internal|AWS_CLI#Named_Profile|AWS CLI | Named AWS Profile}}
Also see:
* [[AWS_CLI#AWS_PROFILE_Environment_Variable|AWS_PROFILE Environment Variable]]
* [[Amazon Profile Operations|AWS profile operations]]
=<span id='Availability_Zone'></span>Availability Zones=
An ''availability zone'' is a distinct location within a [[#Region|region]], engineered to be isolated from failures in the other availability zones of that region. Think of it as a ''location'': by placing resources in different availability zones you protect the application from the failure of a single location. The availability zones within a region are connected to each other by low-latency networking. Example of an availability zone within a region: us-west-2b. Note that the letter suffix is mapped to physical zones independently for each AWS account, so us-west-2b in one account is not necessarily the same physical zone as us-west-2b in another.
Availability zones play an essential role in how subnets are used in a [[Amazon_VPC_Concepts#Availability_Zone|VPC]]: each subnet lives in exactly one availability zone.
An [[Amazon_EC2_Auto-Scaling_Concepts#Auto-Scaling_Groups_and_Availability_Zones|auto-scaling group]] can span multiple availability zones.
==Availability Zone Operations==
* [[ec2-describe-instances#Availability_Zone|ec2-describe-instances]]
* [[Amazon_EC2_Operations#Get_Availability_Zones_in_a_Region|Get availability zones in a region]]
=<span id='ARN'></span>Amazon Resource Name (ARN)=
An ARN uniquely identifies an AWS resource and is the form in which resources are referenced in IAM policies.
{{External|https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html}}
=<span id='Tag'></span>Tags=
{{Internal|AWS Tags|AWS Tags}}
=AWS Management Console=
The AWS Management Console is a web front end that interacts with the AWS backend via [[Amazon_AWS_Concepts#API|API calls]], like every other client.
=AWS Service=
As part of configuring a service, the user may need to [[Amazon_AWS_Security_Concepts#Granting_a_User_Permissions_to_Pass_a_Role_to_an_AWS_Service|pass]] an [[Amazon_AWS_Security_Concepts#IAM_Role|IAM role]] to the service, so that the service can act with the permissions of that role.
Services:
* [[AWS_CloudFormation_Concepts#CloudFormation_as_AWS_Service|CloudFormation Service]]
* [[AWS_CodeBuild_Concepts#CodeBuild_as_AWS_Service|CodeBuild Service]]
* [[AWS_CodePipeline_Concepts#CodePipeline_as_AWS_Service|CodePipeline Service]]
* [[AWS_Lambda_Concepts#Lambda_as_AWS_Service|Lambda Service]]
=AWS Types=
AWS-specific parameter types, used for example in CloudFormation templates. Example: AWS::EC2::KeyPair::KeyName, which CloudFormation validates against the key pairs that actually exist in the account.
=API=
The only way to access AWS resources is via API calls: the [[#AWS_Management_Console|AWS management console]], the [[AWS_CLI#Overview|AWS CLI]] and custom applications using the various [[Amazon_AWS#SDKs|SDKs]] all interact with resources in the same way, so the same authentication and authorization rules apply regardless of the access path.
==Signing API Calls==
{{External|[https://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html Signing AWS API Requests]}}
Most API calls are signed for authentication and authorization with a user's [[Amazon_AWS_Security_Concepts#API_Access_Keys|API access key]], which consists of an [[Amazon AWS Security Concepts#Access_Key_ID|access key ID]] and a [[Amazon AWS Security Concepts#Secret_Access_Key|secret access key]]. The access key ID travels with the request and identifies the signer; the secret access key never leaves the client and is only used to compute the signature. Some requests do not need to be signed, such as anonymous requests to Amazon S3 and some API operations in AWS Security Token Service (AWS STS). The [[AWS CLI]] and the various [[Amazon_AWS#SDKs|SDKs]] sign requests automatically, provided they have access to the credentials. If requests are created "manually", with [[Amazon_API_Access_with_curl|curl or similar]], the user must sign the requests themselves.
Signing serves three purposes. It authenticates the requester, since only the holder of the secret access key can produce a valid signature. It protects the integrity of the request in transit: the hash of the payload, the signed headers and the query string are all part of the signed material, so altering any of them invalidates the signature. Together with the timestamp included in the request, it also limits replay: in most cases a request must reach AWS within five minutes of the time stamp in the request, otherwise AWS denies it. Signing does not encrypt anything; confidentiality of the request comes from TLS, not from the signature.
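The following is an added worked example, not code from this wiki, from the AWS CLI or from any AWS SDK: a minimal Signature Version 4 signer and a simplified server-side verifier, written from the public SigV4 specification and run against a constructed IAM ListUsers request. The credentials (AKIDEXAMPLE / wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY), the timestamp 20150830T123600Z and the request itself are the placeholder values used in the AWS documentation, so the computed signature can be compared against it. The verify_request function, its clock handling and its error names are this example's own simplification of what the service does, not AWS code.

```python
"""Added example (not code from this wiki or from AWS): a minimal AWS Signature
Version 4 signer plus a simplified server-side verifier, written from the public
SigV4 specification. Credentials, request and clock below are constructed test
data; the credentials are the placeholder values from the AWS documentation."""
import datetime as dt
import hashlib
import hmac
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"
MAX_CLOCK_SKEW = dt.timedelta(minutes=5)  # AWS denies requests outside this window


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def canonical_request(method, path, query, headers, payload):
    """Build the canonical request text; returns (text, signed_headers). Path is assumed normalized."""
    canon_query = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                           for k, v in sorted(query.items()))
    # header names lowercased, values trimmed with runs of spaces collapsed, sorted by name
    lower = {k.lower().strip(): " ".join(v.split()) for k, v in headers.items()}
    signed_headers = ";".join(sorted(lower))
    canon_headers = "".join(f"{k}:{lower[k]}\n" for k in sorted(lower))
    text = "\n".join([method.upper(), quote(path, safe="/~") or "/", canon_query,
                      canon_headers, signed_headers, sha256_hex(payload)])
    return text, signed_headers


def signing_key(secret_key, date_stamp, region, service):
    """Derive the day/region/service-scoped key; the raw secret never signs a request directly."""
    k = hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k = hmac_sha256(k, region)
    k = hmac_sha256(k, service)
    return hmac_sha256(k, "aws4_request")


def compute_signature(secret_key, region, service, method, path, query, headers, payload):
    """Returns (hex signature, credential scope, signed header list)."""
    amz_date = headers["x-amz-date"]
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    canon, signed_headers = canonical_request(method, path, query, headers, payload)
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope, sha256_hex(canon.encode("utf-8"))])
    key = signing_key(secret_key, amz_date[:8], region, service)
    sig = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return sig, scope, signed_headers


def sign_request(access_key, secret_key, region, service, method, host, path, query, headers, payload, amz_date):
    """Client side: add host and x-amz-date, return (headers, Authorization header value)."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    hdrs.update({"host": host, "x-amz-date": amz_date})
    sig, scope, signed = compute_signature(secret_key, region, service, method, path, query, hdrs, payload)
    return hdrs, f"{ALGORITHM} Credential={access_key}/{scope}, SignedHeaders={signed}, Signature={sig}"


def verify_request(authorization, lookup_secret, region, service, method, path, query, headers, payload, now):
    """Server side (simplified): returns (ok, reason). The error names are this example's own."""
    _, _, rest = authorization.partition(" ")
    fields = dict(part.strip().split("=", 1) for part in rest.split(","))
    access_key, _, scope = fields["Credential"].partition("/")
    hdrs = {k.lower(): v for k, v in headers.items()}
    req_time = dt.datetime.strptime(hdrs["x-amz-date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=dt.timezone.utc)
    if abs(now - req_time) > MAX_CLOCK_SKEW:          # stale or replayed request
        return False, "RequestTimeTooSkewed"
    if scope != f"{hdrs['x-amz-date'][:8]}/{region}/{service}/aws4_request":
        return False, "CredentialScopeMismatch"
    secret = lookup_secret(access_key)
    if secret is None:
        return False, "InvalidAccessKeyId"
    names = fields["SignedHeaders"].split(";")
    signed = {n: hdrs.get(n, "") for n in names}      # only the signed headers are covered
    expected, _, _ = compute_signature(secret, region, service, method, path, query, signed, payload)
    if not hmac.compare_digest(expected, fields["Signature"]):  # constant-time comparison
        return False, "SignatureDoesNotMatch"
    return True, "OK"


# Constructed request: the IAM ListUsers example from the AWS SigV4 documentation.
ACCESS_KEY = "AKIDEXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"
REGION, SERVICE, HOST = "us-east-1", "iam", "iam.amazonaws.com"
QUERY = {"Action": "ListUsers", "Version": "2010-05-08"}
HEADERS = {"Content-Type": "application/x-www-form-urlencoded; charset=utf-8"}
AMZ_DATE = "20150830T123600Z"
REQ_TIME = dt.datetime(2015, 8, 30, 12, 36, tzinfo=dt.timezone.utc)


def demo():
    hdrs, auth = sign_request(ACCESS_KEY, SECRET_KEY, REGION, SERVICE, "GET", HOST, "/", QUERY, HEADERS, b"", AMZ_DATE)
    lookup = {ACCESS_KEY: SECRET_KEY}.get   # stands in for the service's credential store
    common = (auth, lookup, REGION, SERVICE, "GET", "/")
    return {
        "signature": auth.rsplit("Signature=", 1)[1],
        "valid": verify_request(*common, QUERY, hdrs, b"", REQ_TIME + dt.timedelta(seconds=30)),
        # query string altered after signing: the canonical request hash no longer matches
        "tampered": verify_request(*common, {**QUERY, "Action": "CreateUser"}, hdrs, b"", REQ_TIME),
        # identical request replayed six minutes later: rejected before the HMAC is even checked
        "replayed": verify_request(*common, QUERY, hdrs, b"", REQ_TIME + dt.timedelta(minutes=6)),
    }
```

Calling demo() shows the three properties described above: the unmodified request verifies; a request whose query string was changed after signing fails with a signature mismatch even though the signature itself is untouched; and the identical request presented six minutes after its x-amz-date is rejected by the skew check. Note what travels over the wire: the access key ID (inside the Credential field) and the HMAC, never the secret access key.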
Latest revision as of 23:37, 19 April 2023