Others
When do you need the secret access key or access key ID to sign the AWS API requests?
When you send HTTP requests to an AWS service - When you send HTTP requests to AWS, you sign the requests so that AWS can identify who sent them. You sign requests with your AWS access key, which consists of an access key ID and secret access key.
When you write custom code to send HTTP requests to AWS, you need to include code to sign the requests. You might do this for the following reasons:
- You are working with a programming language for which there is no AWS SDK.
- You want complete control over how a request is sent to AWS.
*You don’t need to sign when using AWS CLI / AWS SDK *, these tools automatically sign the requests for you with the access key that you specify when you configure the tools. When you use these tools, you don't need to learn how to sign requests yourself.
Cognito Authentication via Cognito User Pools
You can use Cognito Authentication via Cognito User Pools for your Application Load Balancer
You can’t use Cognito Authentication with CloudFront distribution
Security group
A security group acts as a virtual firewall that controls the traffic for one or more instances.
Integrated services
Security Groups are not just bound to EC2 instances, in fact any resource with an ENI can have a security group attached with examples such as:
- AWS Lambda
- AWS Elastic load balancing
- Databases (Amazon RDS, Amazon Redshift)
- Other (ElastiCache, CloudSearch, Elastic Beanstalk, Elastic MapReduce)
- Container and Kubernetes services (ECS and EKS)
Behaviour
The following are the default rules for a default security group:
- Allow inbound traffic from network interfaces (and their associated instances) that are assigned to the same security group.
- Allows all outbound traffic
The following are the default rules for a security group that you create:
- Allows no inbound traffic
- Allows all outbound traffic
Security Group and ENI
TL;DR - When specifying a security group to a EC2 instance, its ENI specified the security group under the hood
EC2
Security Groups are attached to Elastic Network Interfaces (ENIs). That's why the console shows it under the Networking tab. not an instance. When you start an instance, it receives a default network interface (eth0). The security group will be attached to that default network interface.
This design allows different security settings if there are multiple ENIs. For example, one ENI could be used for external traffic and a different ENI could be used for internal traffic.
Most Amazon EC2 instances only have one ENI, so it is easier to think of the Security Group as being associated with the instance.
Further reading: When specifying a security group to an instance, is its ENI specified the security group under the hood?
Other AWS services
Don't get fooled, every time you specify a security group for an AWS service, behind there is a network interface.
Let's take for example AWS Elastic File System. When you create a File System, you are going to specify security groups. Does that mean that the security group control the access to the File System? Well, in some sense yes. But technically the security group are going to be attached to a Elastic Network Interface (ENI) that EFS creates on your behalf.
Further reading: AWS Networking cheat-sheet - EIP, ENI, VPC, etc
Amazon Certificate Manager(ACM)
When you buy a dowmain from other domain registry(e.g. GoDaddy) and you want to use a public certificate genereated by ACM. You need to do the following steps:
- Request or import a TLS/SSL certificate you would like to use into your AWS account.
- Validate domain ownership for your requested certificate using Domain Name System (DNS) or email validation to complete certificate issuance. Ref: Validating domain ownership
- Use your newly issued or imported certificates in various AWS services like Elastic Load Balancing (ELB), Amazon CloudFront etc.
Exam notes:
- The ACM certificate must be requested or imported in the same AWS Region as your load balancer or CloudFront distribution.
- ACM-issued certificates can’t be installed on an EC2 instance. These certificates are intended to be used with AWS services like Elastic Load Balancing, CloudFront, and API Gateway.To enable end-to-end encryption between load balancer and an EC2 instance, you must use a third-party SSL certificate
Certificate renewal
AWS Certificate Manager manages the renewal process for the certificates managed in ACM. *You can import your own certificates into ACM, however you have to manually renew these certificates *.
A certificate is eligible for automatic renewal subject to the following considerations:
- ELIGIBLE if associated with another AWS service, such as Elastic Load Balancing or CloudFront.
- ELIGIBLE if exported since being issued or last renewed.
- ELIGIBLE if it is a private certificate issued by calling the ACM RequestCertificate API and then exported or associated with another AWS service.
- ELIGIBLE if it is a private certificate issued through the management console and then exported or associated with another AWS service.
- NOT ELIGIBLE if it is a private certificate issued by calling the ACM Private CA IssueCertificate API.
- NOT ELIGIBLE if imported.
- NOT ELIGIBLE if already expired.
AWS Private CA
AWS Private CA—This service is for enterprise customers building a public key infrastructure (PKI) inside the AWS cloud and intended for private use within an organization. With AWS Private CA, you can create your own CA hierarchy and issue certificates with it for authenticating internal users, computers, applications, services, servers, and other devices, and for signing computer code. Certificates issued by a private CA are trusted only within your organization, not on the internet.