AWS Notes
AWS Notes — Amazon Web Services Educational and Information Channel Chat: https://t.me/aws_notes_chat Contacts: @apple_rom, https://www.linkedin.com/in/roman-siewko/ No ads.
Posts Archive
CNCF Kubernetes and Cloud Native Associate Certification Course (KCNA) from Andrew Brown:
https://www.youtube.com/watch?v=AplluksKvzI
⭐️ Course Contents ⭐️
☁️ 0:00:00 Introduction
☁️ 0:22:31 Cloud Native Kubernetes Concepts
☁️ 1:36:41 Selectors
☁️ 1:42:33 Kubelet
☁️ 1:50:15 KubeCTL
☁️ 1:59:20 Distributions
☁️ 2:26:25 Runtimes
☁️ 2:37:04 Storage
☁️ 2:51:34 Service
☁️ 3:06:52 Networking
☁️ 3:33:05 Cluster Networking
☁️ 3:50:50 Security
☁️ 4:23:51 Autoscaling
☁️ 4:28:23 Open Standards
☁️ 4:31:17 Governance
☁️ 5:01:37 Serverless
☁️ 5:10:29 Observability
☁️ 5:24:45 Cloud Native Application Delivery
☁️ 5:44:03 Deployment Strategies
☁️ 5:58:59 Follow Along
🎤 5:58:59 Review of Light Weight Containers
🎤 6:05:14 Building an App Using Docker
🎤 6:29:29 Minikube
🎤 6:55:36 Kind
🎤 7:03:41 Microk8s
🎤 7:27:10 Kubectl Fix
🎤 7:28:38 Pod Communication via IP
🎤 7:36:44 Service ClusterIP
🎤 7:51:20 Service NodePort
🎤 7:59:14 Service LoadBalancer
🎤 8:09:19 Service Externalname
🎤 8:24:53 Ingress
🎤 8:38:51 Jobs
🎤 8:46:35 ReplicaSets
🎤 8:50:56 Scale and Autoscale
🎤 9:00:39 Configmap
🎤 9:23:29 Secrets
🎤 9:34:08 PV and PVC
🎤 9:56:30 NetPolicy
🎤 10:20:29 Knative
🎤 10:34:30 OpenFaaS
🎤 10:46:11 Helm
🎤 10:55:19 LinkerD
🎤 11:32:49 Google Kubernetes Engine
🎤 11:47:25 Azure Kubernetes Service
🎤 12:03:09 AWS Elastic Kubernetes Service
🎤 12:35:47 IBM Cloud
🎤 12:48:18 Digital Ocean
🎤 13:10:22 CIVO
🎤 13:26:14 Namespaces
🎤 13:30:59 RBAC
🎤 13:58:00 KubeCTL Extra Commands
#Kubernetes
Network Infrastructure Security Guidance:
https://media.defense.gov/2022/Mar/01/2002947139/-1/-1/0/CTR_NSA_NETWORK_INFRASTRUCTURE_SECURITY_GUIDANCE_20220301.PDF
Contents
1. Introduction
2. Network architecture and design
3. Security maintenance
4. Authentication, authorization, and accounting
5. Administrator accounts and passwords
6. Remote logging and monitoring
7. Remote administration and network services
8. Routing
9. Interface ports
10. Notification banners
11. Conclusion
#security #network #design
Clarification on the new restrictions from AWS:
1) The restrictions AWS announced apply to working with AWS directly and paying invoices by card (which customers cannot do anyway, since the cards do not work).
2) At the moment, customers from Russia and Belarus cannot create new AWS accounts or attach cards issued by local banks.
Customers using AWS services from Russia and Belarus can still pay for AWS services through a partner.
It is also possible to localize the contract outside Russia and Belarus and pay invoices in foreign currency.
If you still have questions and need help paying AWS invoices, send a direct message or an email:
svyatoslav.ustyugov@softline.com
Fix CVE-2022-0847 for Amazon Linux:
https://alas.aws.amazon.com/cve/html/CVE-2022-0847.html
#security #AmazonLinux
There are some problems - Spotify, Discord, AWS, Cloudflare etc.
https://downdetector.com/
'Dirty Pipe' Linux vulnerability that allows an attacker to overwrite data in arbitrary read-only files:
https://www.zdnet.com/article/dirty-pipe-linux-vulnerability-discovered-fixed/
The vulnerability CVE-2022-0847:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0847
#security #linux
Weekly Summary on AWS (February 27 - March 5)
🔸 Aurora PostgreSQL + cipher suites
🔸 AWS Health Dashboard
🔸 Billing
➖ Customer Carbon Footprint Tool
➖ Chinese yuan payments
🔸 CloudFormation + AWS::MSK::BatchScramSecret
🔸 CloudWatch Container Insights + Helm chart using ADOT
🔸 Detective + wildcard & CIDR
🔸 FinSpace + AWS SDK and CLI
🔸 FIS (Fault Injection Simulator)
➖ Stop ECS tasks
➖ Sending logs to CloudWatch Logs or S3
🔸 FSx for OpenZFS
➖ LZ4 compression
➖ Record size
🔸 GameLift + three updates to FlexMatch
🔸 IoT SiteWise + IoT Application Kit
🔸 Kendra + spell checker for queries
🔸 Keyspaces (Cassandra) + AWS SDK
🔸 PrivateLink + AWS Backup
🔸 RDS for MySQL & PostgreSQL + Multi-AZ Deployment Option With Two Readable Standby Instances
🔸 RDS for Oracle + ALLOW_WEAK_CRYPTO* parameters
🔸 SageMaker Serverless and Asynchronous Inference + SageMaker Python SDK
🔸 Trusted Advisor Priority
🔹 Aurora PostgreSQL 13.5, 12.9, 11.14, and 10.19
🔹 AWS JDBC Driver for MySQL v1.0.0
🔹 AWS QnABot version 5.1.1
🔹 Data Provider for SAP + 4.1 (JDK11 & r6i/m6i instances)
🔹 MGN (AWS Application Migration Service) + Windows Server 2003, 2008, 2022, and Windows 10
🔹 MQ for RabbitMQ + 3.8.27
🔹 RDS for MariaDB + 10.6.7, 10.5.15, 10.4.24, 10.3.34, 10.2.43
🔹 RDS for Oracle + October 2021 PSU
#AWS_week
Repost from Человек и машина
#машины_aws
I continue to torment the Code* services… Though it is more like they torment me.
In this part I work through CodeDeploy's behavior in Blue/Green deployments, as well as what CodePipeline and CDK cannot do.
Your procrastination reading.
SCP Best Practices
🔹 Deny list strategy
🔹 Allow list strategy
🔹 https://aws.amazon.com/blogs/mt/codify-your-best-practices-using-service-control-policies-part-1/
🔸 Organizational Units
🔸 https://aws.amazon.com/blogs/mt/best-practices-for-organizational-units-with-aws-organizations/
▪️ Deny Changes to CloudWatch monitors
▪️ Deny Changes to CloudWatch Logs
▪️ Deny Changes to Config
▪️ Deny accounts from leaving the organization
▪️ Deny all actions
▪️ Deny access to IAM with role exception
▪️ Deny actions outside approved regions
▪️ Deny ability to pass IAM roles
▪️ Deny changes to GuardDuty
▪️ Deny changes to AWS Budget Actions
▪️ Limit changes to Cost Anomaly Detection, except when using a specific IAM Role
▪️ https://aws.amazon.com/blogs/mt/codify-your-best-practices-using-service-control-policies-part-2/
☮️
#SCP #security #best_practices
We invite everyone who wants to dive into AWS AI services. We will give a short overview of each service in the AI family and learn to solve practical tasks online together with our architects.
Which AI services will we study at the AWS Intensive?
✅ Amazon Rekognition
✅ Amazon Comprehend
✅ Amazon Forecast
✅ Amazon Translate
and others
See you there!
https://softline.ru/events/sem_2022_ai_servisy_220301?tab=program&utm_source=emailBDM&utm_medium=mail&utm_campaign=5821-AI
Weekly Summary on AWS (February 20-26)
🔸 Amplify + The Authenticator UI Library for Flutter
🔸 AppSync + custom response headers
🔸 App Mesh + Agent for Envoy
🔸 App Runner + Java
🔸 Billing + Payment Profiles
🔸 CloudWatch Agent
➖ Configurable Log Group Retention
➖ NVIDIA GPU Metrics
🔸 Connect Customer Profiles + high-volume ingestion of customer data
🔸 EC2 Auto Scaling Warm Pools + hibernating and returning instances to Warm Pools on scale-in
🔸 Firewall Manager + AWS Network Firewall Centralized Deployment Model
🔸 Glue Job Run Insights
🔸 Glue DataBrew + choose single or multiple output files
🔸 Glue Schema Registry + Protobuf
🔸 Lambda + .NET 6
🔸 QuickSight’s new community hub
🔸 RDS for MariaDB + IAM authentication
🔸 Redshift + PIVOT and UNPIVOT SQL operators
🔸 S3 + additional checksum algorithms
🔸 SageMaker + 322 popular ML models
🔸 SAM CLI + TypeScript
🔸 Transfer Family + enhancements to workflows
🔹 NICE DCV version 2022.0 and Web Client SDK version 1.1.0
#AWS_week
Repost from CloudSec Wine
🔶 Top 2021 AWS Security service launches security professionals should review - Part 1
An overview of some of the most important 2021 AWS Security launches that security professionals should be aware of.
https://aws.amazon.com/ru/blogs/security/top-2021-aws-security-service-launches-part-1
#aws
AWS SAM CLI + TypeScript:
https://aws.amazon.com/blogs/compute/building-typescript-projects-with-aws-sam-cli/
This post reviews several new features that can improve the development experience for TypeScript developers. I show how to create a sample TypeScript project using sam init. I build and deploy a TypeScript project using the AWS SAM CLI. I show how to use AWS SAM Accelerate with your TypeScript project. Last, I measure the impact of bundling, tree shaking, and minification on a sample project.
#SAM #TypeScript
AWS WAF Account Takeover Prevention
Last week there were several announcements without official blog posts, yet the features are quite interesting; one of them is ATP (AWS WAF Account Takeover Prevention).
A detailed video on what it is and how to use it:
https://www.youtube.com/watch?v=adpT3ir_bUY
Link to the documentation:
https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-atp.html
#WAF
Weekly Summary on AWS (February 13-19)
🔸 Backup for S3 + general availability 💪
🔸 Braket + 80-qubit
🔸 Budgets + Auto-adjusting 👍
🔸 CloudWatch Container Insights + EKS Fargate using ADOT
🔸 CodeGuru Reviewer
➖ Detector Library
➖ Security detectors for Log-Injection Flaws ⚠️
➖ Example repositories for Java and Python
🔸 EC2 C6a instances 🎉
🔸 EFS + sub-millisecond read latencies 💥
🔸 Firewall Manager + versioning for WAF managed rule group
🔸 MQ for RabbitMQ version 3.9.13
🔸 OpsWorks for Chef Automate version 20220103112354
🔸 RDS for MariaDB + delayed replication
🔸 Redshift
➖ Concurrency Scaling + automatic WLM
➖ UNLOAD command for JSON
➖ Cross-regions data sharing
🔸 Security Hub + 13 new controls
🔸 Transfer Family + banners
🔸 WAF Fraud Control + Account Takeover Prevention 🔥
🔹 s2n-quic 👀
#AWS_week
AWS Backup for S3:
https://aws.amazon.com/blogs/storage/automate-and-centrally-manage-data-protection-for-amazon-s3-with-aws-backup/
AWS Backup for Amazon S3 is now generally available in all commercial AWS Regions where AWS Backup is available.
#Backup #S3
Multiple applications on EKS using a single ALB:
https://aws.amazon.com/blogs/containers/how-to-expose-multiple-applications-on-amazon-eks-using-a-single-application-load-balancer/
▫️ In this blog post, we demonstrated, in a step-by-step procedure, how to implement a microservices architecture in a simple and cost-effective way using EKS with a single ALB.
▫️ If you wish, you could also achieve the same results by using several Ingress objects pointing to the same ALB using the annotation “alb.ingress.kubernetes.io/group.name”. In this case, you would create individual Ingresses and add a common name to this annotation.
▫️ By using this approach, different teams can be completely independent from each other because they can deploy and manage their own services and ingresses while relying on the ALB.
#EKS #ALB
CloudWatch Container Insights for EKS Fargate using ADOT (AWS Distro for OpenTelemetry):
https://aws.amazon.com/blogs/containers/introducing-amazon-cloudwatch-container-insights-for-amazon-eks-fargate-using-aws-distro-for-opentelemetry/
▫️ This blog presented an overview of the design of the ADOT Collector for EKS Fargate with support for CloudWatch Container Insights and demonstrated its deployment and metrics collection from workloads on an EKS Fargate cluster.
▫️ A single collector instance is able to discover all the worker nodes in an EKS cluster through the use of Kubernetes service discovery and collect metrics from them by using the Kubernetes API server as a proxy for the kubelet on worker nodes.
▫️ EKS customers will now be able to collect system metrics such as CPU, memory, disk, and network usage from workloads that are deployed to an EKS Fargate cluster and visualize them in CloudWatch dashboards, providing the same experience as CloudWatch agent.
#CloudWatch