AWS Cloud Practitioner Official Course Notes - Part 3

AWS Security solutions and features

Amazon Inspector

AWS Shield

Price and Support

Free Tier: Always Free, 12-month free (counted from the date of AWS account sign-up), trials
Some Free Tier services: SageMaker, Comprehend Medical, DynamoDB, SNS, Cognito

Billing Dashboard

Consolidated billing - a feature of AWS Organizations; it is free

AWS Budgets - prevents going over budget

AWS Cost Explorer - can analyze 12 months of data

AWS Support Plan - Basic Support, Developer Support (Basic Support + Email), Business (Dev Support + all AWS Trusted Advisor checks + phone call), Enterprise Support (Biz Support + TAM)

AWS Marketplace - third-party software packages

Authentication - e.g. logging in with a password, or with an access key and secret key

Authorization - whether the caller has the corresponding permission, e.g. delete, view, or copy permissions; the policy docs in the figure above are what perform authorization

Security:

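The root user has all permissions and should be used as little as possible. Typically the root user is used to create IAM users through the AWS IAM service. An IAM user has no permissions by default; permissions must be granted explicitly, through an IAM Policy (JSON format). An IAM group gathers multiple IAM users into one group, and an IAM policy is then applied to the group, which makes management simpler. There is also the concept of a Role, used when one person has different duties at different times; a user can be given a temporary Role.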

MFA - Multi-Factor Authentication

AWS Organizations - centrally manages accounts, consolidates their billing, and can also group some accounts into OUs. You can use something called service control policies, or SCPs, to specify the maximum permissions for member accounts in the organization. In essence, with SCPs you can restrict which AWS services, resources, and individual API actions the users and roles in each member account can access.

In AWS Organizations, you can apply service control policies (SCPs) to the organization root, an individual member account, or an OU. An SCP affects all IAM users, groups, and roles within an account, including the AWS account root user. My understanding is that SCPs are an account-level concept, and under an account there are many IAM users, groups, and roles.

You can apply IAM policies to IAM users, groups, or roles. You cannot apply an IAM policy to the AWS account root user.
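
The relationship between SCPs and IAM policies described above, as an added example (not from the course or the original notes): a deliberately simplified evaluator in which an action succeeds only if nothing denies it and both the account's SCP and the principal's IAM policy allow it. The policy contents and the names `matches` and `is_allowed` are constructed for illustration; resources, conditions, permission boundaries and resource-based policies are not modeled.

```python
from fnmatch import fnmatchcase

# Constructed sample policies (illustrative only, not from the course material).
SCP_MEMBER_ACCOUNT = {  # SCP attached to a member account or its OU
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}
IAM_ADMIN_POLICY = {  # identity policy attached to an IAM user, group or role
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
IAM_READONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}],
}


def matches(policy, effect, action):
    """True if any statement with this Effect names the action (wildcards allowed)."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if stmt["Effect"] == effect and any(
            fnmatchcase(action.lower(), pattern.lower()) for pattern in actions
        ):
            return True
    return False


def is_allowed(action, scp, iam_policy=None, is_root=False):
    """Simplified model: the SCP sets the ceiling, the IAM policy grants within it."""
    # An explicit Deny in either policy always wins.
    if matches(scp, "Deny", action):
        return False
    if iam_policy and matches(iam_policy, "Deny", action):
        return False
    # The SCP must allow the action; this also binds the account's root user.
    if not matches(scp, "Allow", action):
        return False
    # The root user takes no IAM policy; every other principal needs an explicit Allow.
    if is_root:
        return True
    return bool(iam_policy) and matches(iam_policy, "Allow", action)
```

The SCP never grants anything by itself: a principal with no IAM policy is still denied even for actions the SCP allows.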

 

AWS Artifact: AWS Artifact Agreements and AWS Artifact Reports. My understanding is that it is just a place to download documents.

Customer Compliance Center - contains resources to help you learn more about AWS compliance. 

AWS Shield - protects against DDoS attacks; AWS Shield Standard, AWS Shield Advanced

AWS KMS - Key Management Service, used for data encryption

Amazon Inspector - Inspector helps to improve security and compliance of your AWS deployed applications by running an automated security assessment against your infrastructure. My understanding is that it statically scans for existing problems.

Amazon GuardDuty - provides intelligent threat detection for your AWS infrastructure and resources, analyzes continuous streams of metadata generated from your account, and network activity found on AWS CloudTrail events, Amazon VPC Flow Logs, and DNS logs. My understanding is that it dynamically detects problems in real time.

 

Migration and Innovation:

AWS CAF - Cloud Adoption Framework, provides six perspectives to guide migration: Business, People, Governance (these three from the business side), Platform, Security, Operations (these three from the technical side)

AWS CAF Action Plan - guide your organization for cloud migration

Q: Which Perspective of the AWS Cloud Adoption Framework helps you design, implement, and optimize your AWS infrastructure based on your business goals and perspectives?

A: Platform

 

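Migration strategies - 6 Rs:

  Rehosting: lift and shift, no changes at all

  Replatforming: lift, tinker, and shift; no code changes, possibly some cloud-side optimizations

  Retire: simply remove functions and applications that are no longer used

  Retain: set aside for now whatever cannot be migrated yet, or simply leave in place applications that will be phased out in the near future

  Repurchase: directly replace old technology with new technology

  Refactoring: re-architect the application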

 

Snow Family - hardware AWS uses to quickly copy data from an on-premises environment to the cloud

  Snowcone: holds 8T of data, has edge computing

  Snowball Edge: Compute Optimized (42T, 52 vCPU), Storage Optimized (80T, 40 vCPU)

  Snowmobile: a large truck, 100P of data

Innovations:

VMWare Cloud on AWS

Amazon SageMaker

Amazon Augmented AI (Amazon A2I)

Ready-to-go AI solutions like Lex (conversation), Textract (extracts text and data from scanned documents)

Transcribe : speech to text

Comprehend: Discover patterns in text 

AWS DeepRacer (reinforcement learning)

AWS Ground Station: lets you use satellite data

posted @ 2020-09-19 23:04  mashuai_191