CloudWatch-related API requests are signed with an HMAC-SHA1 signature computed from the request and the user’s private key. CloudWatch’s (SDK) API is only accessible via HTTPS, not HTTP, i.e. it is encrypted with SSL. An IAM user can only access CloudWatch if they are given access via IAM. You can configure […]
CloudHSM (Hardware Security Module): This is essentially the name of a dedicated physical machine that is separate from all the other AWS hardware, and it is used to store encryption keys. If an outside party gains access to these keys, then your AWS infrastructure is compromised. Hence even AWS employees […]
In Route 53 you can have multiple entries with the same URL (i.e. the same name). In fact you have to create multiple entries with the same name in order to take advantage of the various routing policies. Here are the available routing policies: Simple, Weighted, Latency, Failover, Geolocation. We have already covered Failover. […]
Some Internet Service Providers can connect your on-premises devices directly to an AWS AZ without routing via the rest of the internet. This results in: a faster connection, a more stable connection, reduced latency, no need to go via the public internet, better security, no need to have any special hardware […]
CloudFront is a CDN (Content Delivery Network) that delivers content to Edge Locations around the world. Origin: this term means the location the content originates from. There are a few options: an EC2 instance; an ELB with EC2 instances behind it; an S3 bucket; Route 53 – e.g. if the actual source is an […]
You can set up active and passive entries for the same URL in Route 53. When Route 53 discovers that the active (primary) source has become unhealthy, it will fail over to the passive (secondary) entry. For example, we have a static website running on an EC2 instance. This EC2 […]
For security reasons you should not have your AWS resources (e.g. EC2 instances) directly accessible via the internet unless it is necessary, i.e. keep your AWS resources internal. However, you still want to be able to access your VPCs, and there are a few ways to achieve this: set up bastion hosts; set up […]
Launch Configurations let you specify a template for automatically creating new instances based on preset values. Therefore, when creating a Launch Configuration resource you specify things like: AMI ID, instance type, which VPC to build instances in, IAM role, default storage requirements, e.g. number […]
Note: AMIs created in one region cannot be used to create instances in another region. However, you can get around this by copying the AMI to the other region first. You can also modify the access permissions of the AMI in the following ways: make the AMI public, so anyone can […]
A VPN is essentially a subnet whose members are a combination of AWS resources and on-premises devices, i.e. a VPN is a subnet that extends to an on-premises site. There are two ways to set up a VPN: hardware-based VPN, or tunnelling (OpenVPN). Hardware-based VPN […]