The Security Design of the AWS Nitro System
https://docs.aws.amazon.com/whitepapers/latest/security-design-of-aws-nitro-system/the-nitro-system-journey.html
The AWS Nitro System is a combination of purpose-built server designs, data processors, system management components, and specialized firmware which provide the underlying platform for all Amazon EC2 instances launched since the beginning of 2018.
Three key components of the Nitro System achieve these goals:
◻️ Purpose-built Nitro Cards — Hardware devices designed by AWS that provide overall system control and input/output (I/O) virtualization independent of the main system board with its CPUs and memory.
◻️ The Nitro Security Chip — Enables a secure boot process for the overall system based on a hardware root of trust, the ability to offer bare metal instances, as well as defense in depth that offers protection to the server from unauthorized modification of system firmware.
◻️ The Nitro Hypervisor — A deliberately minimized and firmware-like hypervisor designed to provide strong resource isolation, and performance that is nearly indistinguishable from a bare metal server.
This paper provides a high-level introduction to virtualization and the fundamental architectural change introduced by the Nitro System.
#Nitro #security
https://docs.aws.amazon.com/whitepapers/latest/security-design-of-aws-nitro-system/the-nitro-system-journey.html
The AWS Nitro System is a combination of purpose-built server designs, data processors, system management components, and specialized firmware which provide the underlying platform for all Amazon EC2 instances launched since the beginning of 2018.
Three key components of the Nitro System achieve these goals:
◻️ Purpose-built Nitro Cards — Hardware devices designed by AWS that provide overall system control and input/output (I/O) virtualization independent of the main system board with its CPUs and memory.
◻️ The Nitro Security Chip — Enables a secure boot process for the overall system based on a hardware root of trust, the ability to offer bare metal instances, as well as defense in depth that offers protection to the server from unauthorized modification of system firmware.
◻️ The Nitro Hypervisor — A deliberately minimized and firmware-like hypervisor designed to provide strong resource isolation, and performance that is nearly indistinguishable from a bare metal server.
This paper provides a high-level introduction to virtualization and the fundamental architectural change introduced by the Nitro System.
#Nitro #security
👍3
AWS Container Day — KubeCon, October 25, 2022:
https://www.youtube.com/playlist?list=PLehXSATXjcQFD6ZUH4o0hwoH6gmGHvqQe
1️⃣ Keynote
2️⃣ Behind the curtain - How AWS operates Kubernetes workloads at cloud scale
3️⃣ Reduce your pager pain: How to design for failure
4️⃣ Well architected and secure Kubernetes manifests with cdk8s
5️⃣ Cut your cluster costs - How to monitor and reduce your compute costs
6️⃣ EKS keynote
7️⃣ EKS everywhere - Demystifying EKS deployment options
8️⃣ Multi-cluster management
9️⃣ Running compute-intensive, high-scale batch workloads on EKS
🔟 Building an incident response plan for your Amazon EKS workloads
#Kubernetes #EKS #video
https://www.youtube.com/playlist?list=PLehXSATXjcQFD6ZUH4o0hwoH6gmGHvqQe
1️⃣ Keynote
2️⃣ Behind the curtain - How AWS operates Kubernetes workloads at cloud scale
3️⃣ Reduce your pager pain: How to design for failure
4️⃣ Well architected and secure Kubernetes manifests with cdk8s
5️⃣ Cut your cluster costs - How to monitor and reduce your compute costs
6️⃣ EKS keynote
7️⃣ EKS everywhere - Demystifying EKS deployment options
8️⃣ Multi-cluster management
9️⃣ Running compute-intensive, high-scale batch workloads on EKS
🔟 Building an incident response plan for your Amazon EKS workloads
#Kubernetes #EKS #video
🔥4
Twitter architecture 2012 vs 2022 — what has changed in the last 10 years?
#design
2012 — https://www.infoq.com/presentations/Real-Time-Delivery-Twitter/2022 — https://twitter.com/elonmusk/status/1593899029531803649#design
🔥4🤡3😁2👍1🤔1
Forwarded from DevOps&SRE Library
How We Use Terraform At Slack
At Slack, we use Terraform for managing our Infrastructure, which runs on AWS, DigitalOcean, NS1, and GCP. Even though most of our infrastructure is running on AWS, we have chosen to use Terraform as opposed to using an AWS-native service such as CloudFormation so that we can use a single tool across all of our infrastructure service providers. This keeps the infrastructure-as-code syntax and deployment mechanism universal. In this post, we’ll have a look at how we deploy our infrastructure using Terraform at Slack.https://slack.engineering/how-we-use-terraform-at-slack
🔥7👍1
Forwarded from AWS Weekly
Issue #46 | 14 November – 20 November 2022
🔖
▪️ Amplify Flutter Web and Desktop support for API, Analytics, Storage |
▪️ Amplify In-app messaging notifications for React and React Native |
▪️ AppFlow Glue Data Catalog integration
▪️ Application Load Balancers turning off cross zone load balancing per target group
▪️ AppSync JavaScript support for GraphQL API resolvers
▪️ Athena
| Apache Iceberg table operations and file format support
| IBM Db2 connector
| Lake Formation fine-grained access control
▪️ Audit Manager search-based filtering and grouping
▪️ AWS re:Post community leaderboard
▪️ AWS SDK SAP ABAP |
▪️ Billing Conductor billing entity pricing rules
▪️ Catalog API Tag-Based Authorization of resources
▪️ Chatbot command aliases
▪️ Chime SDK Alexa skill calling | new console experience
▪️ CloudFormation AWS Organization resource management
▪️ CloudFormation StackSets event notifications via EventBridge
▪️ CloudFront JA3 fingerprint headers
▪️ CloudWatch Application Insights SAP NetWeaver apps
▪️ CloudWatch RUM custom events
▪️ Connect
| multiple search terms through the profile search API
| manage saved reports
| monitoring live contacts API
▪️ Console Home new Applications widget
▪️ Contact Lens real-time email notifications
▪️ Database Migration Service IPv6 support
▪️ EC2
| Controllers for Kubernetes (ACK) is GA
| increases size limit for AMI store and restore operations 1TB->5TB
| preserve customer created tags during image copy
▪️ ECS/EKS centralized logging support for Windows containers
▪️ EKS Blueprints App2Container Support
▪️ EKS/EKS Distro Kubernetes version 1.24
▪️ ElastiCache
| IAM Authentication for Redis clusters
| simplifies password rotations with Secrets Manager
▪️ Elemental MediaConnect high-fidelity color workloads
▪️ EMR on EKS Controllers for Kubernetes (ACK) controller |
▪️ EventBridge enhanced filtering capabilities
▪️ Fargate storage utilization monitoring
▪️ FinSpace
| access data from other AWS Analytics Services
| connections to customer networks
▪️ Forecast predictions for products with no historical data
▪️ HealthLake enhanced analytics feature
▪️ IAM multiple MFA devices
▪️ Incident Manager
| incident coordination
| PagerDuty
▪️ Interactive Video Service Stream Chat logging
▪️ IoT Device Defender Security Hub integration
🔖
Part #1▪️ Amplify Flutter Web and Desktop support for API, Analytics, Storage |
Preview▪️ Amplify In-app messaging notifications for React and React Native |
GA▪️ AppFlow Glue Data Catalog integration
▪️ Application Load Balancers turning off cross zone load balancing per target group
▪️ AppSync JavaScript support for GraphQL API resolvers
▪️ Athena
| Apache Iceberg table operations and file format support
| IBM Db2 connector
| Lake Formation fine-grained access control
▪️ Audit Manager search-based filtering and grouping
▪️ AWS re:Post community leaderboard
▪️ AWS SDK SAP ABAP |
Preview▪️ Billing Conductor billing entity pricing rules
▪️ Catalog API Tag-Based Authorization of resources
▪️ Chatbot command aliases
▪️ Chime SDK Alexa skill calling | new console experience
▪️ CloudFormation AWS Organization resource management
▪️ CloudFormation StackSets event notifications via EventBridge
▪️ CloudFront JA3 fingerprint headers
▪️ CloudWatch Application Insights SAP NetWeaver apps
▪️ CloudWatch RUM custom events
▪️ Connect
| multiple search terms through the profile search API
| manage saved reports
| monitoring live contacts API
▪️ Console Home new Applications widget
▪️ Contact Lens real-time email notifications
▪️ Database Migration Service IPv6 support
▪️ EC2
| Controllers for Kubernetes (ACK) is GA
| increases size limit for AMI store and restore operations 1TB->5TB
| preserve customer created tags during image copy
▪️ ECS/EKS centralized logging support for Windows containers
▪️ EKS Blueprints App2Container Support
▪️ EKS/EKS Distro Kubernetes version 1.24
▪️ ElastiCache
| IAM Authentication for Redis clusters
| simplifies password rotations with Secrets Manager
▪️ Elemental MediaConnect high-fidelity color workloads
▪️ EMR on EKS Controllers for Kubernetes (ACK) controller |
GA▪️ EventBridge enhanced filtering capabilities
▪️ Fargate storage utilization monitoring
▪️ FinSpace
| access data from other AWS Analytics Services
| connections to customer networks
▪️ Forecast predictions for products with no historical data
▪️ HealthLake enhanced analytics feature
▪️ IAM multiple MFA devices
▪️ Incident Manager
| incident coordination
| PagerDuty
▪️ Interactive Video Service Stream Chat logging
▪️ IoT Device Defender Security Hub integration
👍4
Forwarded from AWS Weekly
Issue #46 | 14 November – 20 November 2022
🔖
▪️ IoT Device Management
| browser-based SSH via Secure Tunneling
| up to 12 query terms for more granular search and monitoring
▪️ IoT ExpressLink Technical Specification v1.1 released
▪️ IoT TwinMaker
| Athena data connector
| camera view and sub-model selection
| Knowledge Graph | GA
▪️ Lake Formation cross-account sharing to direct IAM principals
▪️ Lambda
| native AOT tooling support for .NET apps
| Node.js 18 support
▪️ Lex DTMF slot settings
▪️ Managed Service for Prometheus 200M active metrics per workspace
▪️ Managed Workflow
| container, queue, and database metrics
| Apache Airflow (MWAA) is now HIPAA eligible
▪️ MemoryDB for Redis is now System and Organization Controls (SOC) compliant
▪️ Microservice Extractor for .NET
| AI-powered automated refactoring recommendations
| Web Forms, WCF to .NET on Linux
▪️ Migration Hub
| Refactor Spaces is now integrated with CloudHedge OmniDeq
| Refactor Spaces now automatically handles DNS changes
▪️ NAT Gateway select Private IP for Network Address Translation
▪️ Nitro System now supports previous generation of instances
▪️ OpenSearch Service OpenSearch version 2.3
▪️ Personalize measure the recommendations impact
▪️ Polly Polish and Arabic TTS
▪️ Pricing Calculator modernization cost estimates for Microsoft workloads
▪️ Proton
| CDK through CodeBuild provisioning
| launches dashboard
▪️ QuickSight
| launches Textbox
| line and marker customization options for line charts
| Small Multiples for line, bar and pie charts
▪️ RDS Custom for Oracle Oracle Multitenant
▪️ RDS events now include attributes for filtering with SNS
| RDS for Oracle EFS integration
| RDS for SQL Server Cross Region Read Replica
| RDS for SQL Server linked server to Oracle
▪️ Redshift
|
| concurrency scaling for write workloads |
▪️ Resilience Hub integration with SNS & Trusted Advisor
▪️ S3 ACLs usage (at the request-level) coming to S3 server access logs and CloudTrail
▪️ S3 Glacier 10x restore throughput when retrieving large data volumes
▪️ S3 Storage Lens organization-wide visibility with 34 new metrics
▪️ SageMaker Autopilot SageMaker Studio batch inference
▪️ SageMaker JumpStart AlexaTM 20B model
▪️ SAM CLI Terraform support for Lambda local testing and debugging
🔖
Part #2▪️ IoT Device Management
| browser-based SSH via Secure Tunneling
| up to 12 query terms for more granular search and monitoring
▪️ IoT ExpressLink Technical Specification v1.1 released
▪️ IoT TwinMaker
| Athena data connector
| camera view and sub-model selection
| Knowledge Graph | GA
▪️ Lake Formation cross-account sharing to direct IAM principals
▪️ Lambda
| native AOT tooling support for .NET apps
| Node.js 18 support
▪️ Lex DTMF slot settings
▪️ Managed Service for Prometheus 200M active metrics per workspace
▪️ Managed Workflow
| container, queue, and database metrics
| Apache Airflow (MWAA) is now HIPAA eligible
▪️ MemoryDB for Redis is now System and Organization Controls (SOC) compliant
▪️ Microservice Extractor for .NET
| AI-powered automated refactoring recommendations
| Web Forms, WCF to .NET on Linux
▪️ Migration Hub
| Refactor Spaces is now integrated with CloudHedge OmniDeq
| Refactor Spaces now automatically handles DNS changes
▪️ NAT Gateway select Private IP for Network Address Translation
▪️ Nitro System now supports previous generation of instances
▪️ OpenSearch Service OpenSearch version 2.3
▪️ Personalize measure the recommendations impact
▪️ Polly Polish and Arabic TTS
▪️ Pricing Calculator modernization cost estimates for Microsoft workloads
▪️ Proton
| CDK through CodeBuild provisioning
| launches dashboard
▪️ QuickSight
| launches Textbox
| line and marker customization options for line charts
| Small Multiples for line, bar and pie charts
▪️ RDS Custom for Oracle Oracle Multitenant
▪️ RDS events now include attributes for filtering with SNS
| RDS for Oracle EFS integration
| RDS for SQL Server Cross Region Read Replica
| RDS for SQL Server linked server to Oracle
▪️ Redshift
|
CONNECT BY SQL construct| concurrency scaling for write workloads |
GA▪️ Resilience Hub integration with SNS & Trusted Advisor
▪️ S3 ACLs usage (at the request-level) coming to S3 server access logs and CloudTrail
▪️ S3 Glacier 10x restore throughput when retrieving large data volumes
▪️ S3 Storage Lens organization-wide visibility with 34 new metrics
▪️ SageMaker Autopilot SageMaker Studio batch inference
▪️ SageMaker JumpStart AlexaTM 20B model
▪️ SAM CLI Terraform support for Lambda local testing and debugging
👍2
Forwarded from AWS Weekly
Issue #46 | 14 November – 20 November 2022
🔖
▪️ Service Catalog
| AppRegistry support for automatic associations based on tags
| sharing of principal names
▪️ Service Management Connector
| Incident Manager with JSMC Incidents
| provisioning Service Catalog products in JSMC
| Security Hub bidirectional integration JSMC
▪️ SQS attribute-based access control
▪️ Step Functions simplify cross-account access
▪️ Systems Manager OpsCenter managing OpsItems across accounts
▪️ Transcribe Thai and Hindi languages for streaming audio
▪️ Transfer Family Drummond Group AS 2 Pre-Certification
▪️ Translate Tagging Support for Parallel Data and Custom Terminology
▪️ Trusted Advisor Resilience Hub new checks
▪️ WorkDocs Delete Previous Versions
▪️ WorkSpaces
| certificate-based authentication
| Integration with SAML 2.0 |
| Multi-Region Resilience
| WorkSpaces Streaming Protocol 2.0
| Zoom Meeting Media Plugin for Windows |
🔖
Part #3▪️ Service Catalog
| AppRegistry support for automatic associations based on tags
| sharing of principal names
▪️ Service Management Connector
| Incident Manager with JSMC Incidents
| provisioning Service Catalog products in JSMC
| Security Hub bidirectional integration JSMC
▪️ SQS attribute-based access control
▪️ Step Functions simplify cross-account access
▪️ Systems Manager OpsCenter managing OpsItems across accounts
▪️ Transcribe Thai and Hindi languages for streaming audio
▪️ Transfer Family Drummond Group AS 2 Pre-Certification
▪️ Translate Tagging Support for Parallel Data and Custom Terminology
▪️ Trusted Advisor Resilience Hub new checks
▪️ WorkDocs Delete Previous Versions
▪️ WorkSpaces
| certificate-based authentication
| Integration with SAML 2.0 |
GA| Multi-Region Resilience
| WorkSpaces Streaming Protocol 2.0
| Zoom Meeting Media Plugin for Windows |
GA👍4
В AWS Support завезли чат и теперь можно получить достаточно быструю реакцию (пару минут) онлайн — сразу после создания тикета (и даже на Basic Support plan).
Примитивный и не совсем очевидный чат (приходится писать первый раз в окошке с присланным сообщением), но то, что можно получить быстро отклик - отлично.
#support
Примитивный и не совсем очевидный чат (приходится писать первый раз в окошке с присланным сообщением), но то, что можно получить быстро отклик - отлично.
#support
🔥21👍3👎1
Новый AWS Region — Хайдерабад, Индия: 🎉
https://aws.amazon.com/blogs/aws/now-open-the-30th-aws-region-asia-pacific-hyderabad-region-in-india/
Девятый на текущий момент в регионе Asia Pacific, идентификатор
✅ Итого на теперь всего — 30 регионов.
#AWS_Regions
https://aws.amazon.com/blogs/aws/now-open-the-30th-aws-region-asia-pacific-hyderabad-region-in-india/
Девятый на текущий момент в регионе Asia Pacific, идентификатор
ap-south-2. Как и в подавляющем большинстве других регионов, имеет 3 AZ.✅ Итого на теперь всего — 30 регионов.
#AWS_Regions
Amazon
Now Open the 30th AWS Region – Asia Pacific (Hyderabad) Region in India | Amazon Web Services
In November 2020, Jeff announced the upcoming AWS Asia Pacific (Hyderabad) as the second Region in India. Yes! Today we are announcing the general availability of the 30th AWS Region, Asia Pacific (Hyderabad) Region, with three Availability Zones and the…
🎉9👍4
Forwarded from Slava
На правах самопиара. Начал новую серию блогов.
https://neurons-lab.com/blog/aws-ai-to-advance-business-part-one/
https://neurons-lab.com/blog/aws-ai-to-advance-business-part-one/
👍2
🍎 Open source client for container development — Finch:
https://aws.amazon.com/blogs/opensource/introducing-finch-an-open-source-client-for-container-development/
#containers #delopment
https://aws.amazon.com/blogs/opensource/introducing-finch-an-open-source-client-for-container-development/
At launch, Finch is a new project in its early days with basic functionality, initially only supporting macOS (on all Mac CPU architectures). Once you have installed Finch from the project repository, you can get started building and running containers.The core Finch client will always be a curated distribution composed entirely of open source, vendor-neutral projects.#containers #delopment
👍7🔥3
Уже меньше недели осталось до re:Invent 2022! В течение недели будет длиться одна из самых больших cloud конференций в мире и это самая горячая пора анонсов в AWS! Совместно с командой архитекторов мы проведем 3 стрима после каждого большого keynote.
- Часть 1 – Обзор анонсов от Adam Selipsky (CEO of Amazon Web Services). Ссылка на стрим https://www.youtube.com/watch?v=dZyDPAZZ_CY
- Часть 2 – Обзор анонсов от Swami Sivasubramanian (Vice President of AWS Data and Machine Learning). Ссылка на стрим: https://www.youtube.com/watch?v=cbxNxHIkd8M
- Часть 3 – Обзор анонсов от, Dr. Werner Vogels (Amazon.com Vice President and Chief Technology Officer). Ссылка на стрим: https://www.youtube.com/watch?v=pNL_uvH_BFU
Будем рады ответить на ваши вопросы во время трансляции, а также совместно обсудить все новинки
#reinvent2022. Также вы можете самостоятельно посмотреть многие сессии онлайн
- Часть 1 – Обзор анонсов от Adam Selipsky (CEO of Amazon Web Services). Ссылка на стрим https://www.youtube.com/watch?v=dZyDPAZZ_CY
- Часть 2 – Обзор анонсов от Swami Sivasubramanian (Vice President of AWS Data and Machine Learning). Ссылка на стрим: https://www.youtube.com/watch?v=cbxNxHIkd8M
- Часть 3 – Обзор анонсов от, Dr. Werner Vogels (Amazon.com Vice President and Chief Technology Officer). Ссылка на стрим: https://www.youtube.com/watch?v=pNL_uvH_BFU
Будем рады ответить на ваши вопросы во время трансляции, а также совместно обсудить все новинки
#reinvent2022. Также вы можете самостоятельно посмотреть многие сессии онлайн
👍8
📓 AWS Fault Isolation Boundaries:
https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/abstract-and-introduction.html
Очень полезный для понимания работы AWS на глобальном уровне документ. Важный при проектировании архитектуры и принципиально важный при построении Disaster Recovery схемы.
Основная мысль такая. Если падает
В переводе на сервисы это означает следующее.
🔹 Route 53
Route 53 задействован под капотом самого AWS при создании многих сервисов, которым он должен сделать DNS собственные записи, в том числе хелсчеки, поэтому при проблемах в
▪️ API Gateway
▪️ CloudFront
▪️ DynamoDB Accelerator (DAX)
▪️ Global Accelerator
▪️ ECS with DNS-based Service Discovery
▪️ EKS Kubernetes control plane
▪️ ElastiCache
▪️ ELB load balancers
▪️ Lambda URLs
▪️ MemoryDB for Redis
▪️ Neptune
▪️ OpenSearch
▪️ PrivateLink VPC endpoints
▪️ RDS/Aurora
👉 Рекомендация: для критичных Disaster Recovery схем нужно создавать ресурсы заранее. Не получится во время проблем в
🔸 S3
S3 региональный сервис, но из-за того, что у S3 все имена должны быть уникальные, то не получится создать или удалить бакет во время проблем в
👉 Рекомендация: для критичных DR схем создавать S3 бакеты заранее. Не получится во время проблем в
🔹 CloudFront
CloudFront используется для API Gateway with edge-optimized endpoints.
👉 Рекомендация: создавать заранее все нужные API Gateway with edge-optimized endpoints.
🔸 AWS STS
IAM сервис глобальный, получить временные credentials через STS можно из любого региона. Если у вас захардкожен
👉 Рекомендация: изменить в AWS CLI / AWS SDK захардкоженный
🔹 IAM Identity Center (AWS SSO) / Federated SAML
SSO может пострадать, если в том регионе, где он настроен, проблемы.
👉 Рекомендация: создайте IAM юзеров на случай, если вы, как я, слишком уж стараетесь соблюдать security best practices. По-другому зайти в систему во время проблем с SSO не получится, потому для критических случаев нужно создать рабочекрестьянского IAM user-а.
Ужас какой. Короче, типа — WiFi это конечно очень круто, но бухту кабеля и обжим всё-таки пока не выбрасывайте.
🔸 S3 Storage Lens
Дефолтная борда и её метрики располагаются в
👉 Рекомендация: если для вас критичны S3 Storage Lens, то нужно создать свои собственные дашборды, указав при создании свой регион.
#design
https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/abstract-and-introduction.html
Очень полезный для понимания работы AWS на глобальном уровне документ. Важный при проектировании архитектуры и принципиально важный при построении Disaster Recovery схемы.
Основная мысль такая. Если падает
us-east-1, где располагается control plane большинства глобальных сервисов, то операции по их созданию, изменению, удалению перестанут работать (могут перестать, полагаться на это нельзя). При этом сервисы в регионах с нагрузками будут работать. Поэтому нужно планировать Disaster Recovery схему так, чтобы она не зависела от control plane.В переводе на сервисы это означает следующее.
🔹 Route 53
Route 53 задействован под капотом самого AWS при создании многих сервисов, которым он должен сделать DNS собственные записи, в том числе хелсчеки, поэтому при проблемах в
us-east-1 у Route 53 может не быть возможности создать нужные записи и потому запросы на создание большинства популярных ресурсов вернут ошибку. Это верно как минимум для следующего списка (список не полный):▪️ API Gateway
▪️ CloudFront
▪️ DynamoDB Accelerator (DAX)
▪️ Global Accelerator
▪️ ECS with DNS-based Service Discovery
▪️ EKS Kubernetes control plane
▪️ ElastiCache
▪️ ELB load balancers
▪️ Lambda URLs
▪️ MemoryDB for Redis
▪️ Neptune
▪️ OpenSearch
▪️ PrivateLink VPC endpoints
▪️ RDS/Aurora
👉 Рекомендация: для критичных Disaster Recovery схем нужно создавать ресурсы заранее. Не получится во время проблем в
us-east-1 поднять RDS базу данных из бэкапа. Не получится создать балансеры, Redis или CloudFront.🔸 S3
S3 региональный сервис, но из-за того, что у S3 все имена должны быть уникальные, то не получится создать или удалить бакет во время проблем в
us-east-1. Кроме того все операции по изменению конфигурации бакета (bucket policy, настройки CORS, ACL, шифрования, репликации, логирования и др.) тоже зависят от us-east-1.👉 Рекомендация: для критичных DR схем создавать S3 бакеты заранее. Не получится во время проблем в
us-east-1 создать новый S3 бакет или срочно прикрутить к нему репликацию.🔹 CloudFront
CloudFront используется для API Gateway with edge-optimized endpoints.
👉 Рекомендация: создавать заранее все нужные API Gateway with edge-optimized endpoints.
🔸 AWS STS
IAM сервис глобальный, получить временные credentials через STS можно из любого региона. Если у вас захардкожен
us-east-1, то когда у него проблемы, вы получите ошибки, в то время как региональный STS будет работать.👉 Рекомендация: изменить в AWS CLI / AWS SDK захардкоженный
us-east-1 на регион с нагрузкой.🔹 IAM Identity Center (AWS SSO) / Federated SAML
SSO может пострадать, если в том регионе, где он настроен, проблемы.
👉 Рекомендация: создайте IAM юзеров на случай, если вы, как я, слишком уж стараетесь соблюдать security best practices. По-другому зайти в систему во время проблем с SSO не получится, потому для критических случаев нужно создать рабочекрестьянского IAM user-а.
Ужас какой. Короче, типа — WiFi это конечно очень круто, но бухту кабеля и обжим всё-таки пока не выбрасывайте.
🔸 S3 Storage Lens
Дефолтная борда и её метрики располагаются в
us-east-1, поэтому при проблемах они могут быть не доступны.👉 Рекомендация: если для вас критичны S3 Storage Lens, то нужно создать свои собственные дашборды, указав при создании свой регион.
#design
👍20
От создателя AWS CDK:
https://www.winglang.io/
Ещё одна попыткапохоронить Terraform запилить настоящий devops по-настоящему облачный язык.
#multicloud #alpha
https://www.winglang.io/
Ещё одна попытка
🤮13😁5🤔3👍2👀2