Random Tips & Tricks


Welcome! Here I will be going over the more confusing parts I ran into while studying AWS.

Navigate:

Chapter 1: Gateways
Chapter 2: Secrets manager
Chapter 3: IAM policy basics

Chapter 1: The Gateways!

ALL THESE DANG GATEWAYS!!!

Storage Gateway, Transit Gateway, NAT Gateway, Internet Gateway, API Gateway, File Gateway, Tape Gateway, Volume Gateway, you gateway, me gateway, us gateway, all these damn gateways, how do you tell the difference?


Solution: Separate!

The gateways can be separated into three basic categories:

1. Storage Gateway (file, tape, volume)

2. VPC Gateways (transit, nat, internet)

3. Endpoints (VPC interface, VPC Gateway)

1. Storage Gateway

In the simplest terms possible, Storage Gateway is a suite of tools that gives companies the ability to extend their existing on-premises storage into the cloud without a full migration.

1a. File Gateway - extends your on-premises file shares (Windows SMB / NFS) into Amazon S3 or Amazon FSx

1b. Tape Gateway - extends your backup servers (iSCSI VTL) into an S3 virtual tape library or an S3 Glacier tape archive

1c. Volume Gateway - extends your on-premises block storage (iSCSI) into S3, from which point-in-time copies are made available as EBS snapshots

2. VPC Gateways -

VPC gateways are the three main tools that help resources inside your VPC connect with the outside world.

2a. Internet Gateway - The internet gateway is the logical connection your VPC has to the internet. Everything in your subnet that connects to the internet goes through that gateway to get access.

2b. NAT Gateway - a tool through which instances in a private subnet can reach out to the internet, while external resources cannot initiate connections to your instances.

2c. Transit Gateway - a "cloud router" that connects multiple VPCs together.

3. Endpoints:

Endpoints are AWS features that connect your EC2 instances to AWS services over a private link, so the traffic never has to go through an internet gateway or NAT gateway.

3a. VPC Interface Endpoint - a PrivateLink secure connection from your VPC to most AWS services (SNS, Systems Manager, CloudTrail, CloudWatch, KMS, STS, and more)

3b. VPC Gateway Endpoint - a special private connection from your VPC to S3 and DynamoDB, added as a target in your subnet's route table

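As an added example (not from this page), here is a small Python model of how a subnet's route table picks which of the gateways above a packet leaves through: a public subnet sends 0.0.0.0/0 to the internet gateway, a private subnet sends it to a NAT gateway, and a gateway endpoint adds a more specific route for the S3 prefix list, so even an isolated subnet with no default route still reaches S3. The route target ids and the S3 prefix are placeholders.

```python
import ipaddress

# Constructed route tables with placeholder target ids. A real S3 gateway endpoint
# installs a route for the region's S3 managed prefix list; a placeholder CIDR stands
# in for that list here (it is not a real S3 range).
S3_PREFIX = "203.0.113.0/24"
PUBLIC_RT = [("10.0.0.0/16", "local"), (S3_PREFIX, "vpce-EXAMPLE"), ("0.0.0.0/0", "igw-EXAMPLE")]
PRIVATE_RT = [("10.0.0.0/16", "local"), (S3_PREFIX, "vpce-EXAMPLE"), ("0.0.0.0/0", "nat-EXAMPLE")]
ISOLATED_RT = [("10.0.0.0/16", "local"), (S3_PREFIX, "vpce-EXAMPLE")]  # no default route at all

KINDS = {"igw-": "internet-gateway", "nat-": "nat-gateway", "vpce-": "gateway-endpoint"}

def next_hop(route_table, dst):
    """Longest-prefix match, the way a VPC route table picks a target; None means no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def egress_path(route_table, dst):
    """Name the Chapter 1 category a packet leaves through: local, a VPC gateway, or an endpoint."""
    hop = next_hop(route_table, dst)
    if hop is None:
        return "dropped"  # isolated subnet: no path to the internet, by design
    if hop == "local":
        return "local"    # stays inside the VPC
    return next((kind for prefix, kind in KINDS.items() if hop.startswith(prefix)), hop)
```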
Chapter 2: Secrets manager vs Parameter Store


CAN SOMEONE JUST MANAGE MY SECRETS?

They both can manage secrets, they both allow KMS encryption, and they both are giving me headaches while studying for the Security Specialty exam, so how do I differentiate them?


Solution: Cost and tier levels

Parameter Store is the cheaper option; it can store any parameters but offers few extra features.

Secrets Manager is a higher-cost, premium service that offers secret storage with more bells and whistles.

Here's a summary:

1. AWS Systems Manager Parameter Store

Parameter Store is a feature of AWS Systems Manager that provides storage for not only credentials, but also configuration data, license codes and more, in one secure place.

This is how it works:
- Your application sends a parameter request to SSM Parameter Store.
- If this is a plaintext parameter request, Parameter Store checks with IAM whether the user/role is allowed to retrieve the parameter.
- If this is an encrypted parameter request, Parameter Store checks with IAM whether the user/role is allowed to both retrieve the parameter and decrypt it with AWS KMS.
- Decryption requires that the IAM identity has the KMS Decrypt permission.
- If IAM verification is successful, Parameter Store sends the parameter value back to the application.


2. AWS Secrets Manager - enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. It can do everything that Parameter Store can do, and more, including rotating keys, cross-account access and generating passwords. It also costs more, coming in at $0.40 per secret.

Secrets Manager works just like Parameter Store in practice, with more features and abilities.

Chapter 3: IAM policy basics 


What is an "IAM policy", and why does it look so weird?

An IAM policy is your written law on what anything (an account or a resource) is and is not allowed to do within your AWS account. It is the single most powerful tool in AWS.

I read the documentation so you didn't have to.

Here is an example; let's do a deep dive below!

The Parts of an IAM Policy

Version
  • Version specifies which version of the policy-language syntax rules is used to process the policy
  • The current version is 2012-10-17
  • The previous version is 2008-10-17 (a lot of newer variables will not work with this version)

Sid
  • Sid is an optional statement identifier; you can use numbers or letters, and use it to identify the statement

Statement
  • Statement is the main element of the policy; it marks the start of the actual rules of the policy

Effect
  • Effect tells the policy whether you are allowing something to happen or denying it
  • It is a required element; the only values are "Allow" and "Deny"

Action
  • Action describes the specific actions you want allowed or denied
  • Every AWS service has its own set of specific actions that can be placed inside this element
  • Below there is a list of the most important actions to look out for in policies
  • Example: "Action": "ec2:StartInstances"

Resource
  • Resource specifies the object (IAM account/service/file/other) that the statement covers
  • Examples:
      "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*/test/*"
      "Resource": "arn:aws:iam::account-ID-without-hyphens:user/Bob"
      "Resource": [
          "arn:aws:dynamodb:us-east-2:account-ID-without-hyphens:table/books_table",
          "arn:aws:dynamodb:us-east-2:account-ID-without-hyphens:table/magazines_table"
      ]

Principal
  • The Principal element is only used in resource-based policies
  • It specifies which principals are allowed or denied access to the resource
  • Principal: the AWS term for an IAM user, account, role or AWS service

Condition
  • Condition lets you specify the conditions under which a statement is in effect
  • You can specify cool things like:
      - source IP address
      - usernames
      - MFA has to be activated, and much more

The two main types of policies:

1. Identity-based policy
Policies that are attached to an IAM user, group or role. These policies specify what that identity is allowed to do.
The red-text policy is an example of an identity-based policy.
- In this policy, an IAM user, group or role is given the ability to attach and detach volumes to the specified EC2 instances.



2. Resource-based policy

Policies that are attached to a resource, for example bucket policies, key policies and others.
The policy with the green spine is an example of a resource-based policy.

In this policy, access is being given to "PutObject" (place things inside the bucket) and "GetObject" (download things from the bucket) on the awssecurity bucket, if the request comes from the listed IP address and from Stuart's account.

Notice that it has a "Principal" element, which is found primarily in resource-based policies.

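As an added illustration (not from this page, whose policies are shown as images), here is a small Python model of how the elements above are evaluated, run against a constructed bucket policy like the green-spine one (Stuart's account plus one IP range) and against an identity policy for the Chapter 2 SecureString flow, where a read succeeds only if both ssm:GetParameter and kms:Decrypt are allowed. The account id, key id and IP range are placeholders, and the evaluator is simplified (it ignores the full identity/resource policy interplay and supports only the IpAddress and Bool condition operators).

```python
import ipaddress
import re

# Constructed policies modelled on this page's (shown there as images); ids and IP range are placeholders.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "StuartFromOffice", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": ["s3:PutObject", "s3:GetObject"], "Resource": "arn:aws:s3:::awssecurity/*",
    "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]}
# Identity policy for the Chapter 2 flow: a SecureString read needs ssm:GetParameter AND kms:Decrypt (MFA here).
SSM_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ssm:GetParameter",
     "Resource": "arn:aws:ssm:us-east-2:111122223333:parameter/prod/db/*"},
    {"Effect": "Allow", "Action": "kms:Decrypt",
     "Resource": "arn:aws:kms:us-east-2:111122223333:key/KEY-ID-PLACEHOLDER",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}

def _match_any(patterns, value):  # IAM wildcard: '*' matches any run of characters
    pats = patterns if isinstance(patterns, list) else [patterns]
    return any(re.fullmatch(".*".join(map(re.escape, p.split("*"))), value) for p in pats)

def _conditions_ok(cond, ctx):  # only the operators this page mentions; anything else fails closed
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if op == "IpAddress" and have and ipaddress.ip_address(have) in ipaddress.ip_network(want):
                continue
            if op == "Bool" and str(have).lower() == want.lower():
                continue
            return False
    return True

def evaluate(policies, action, resource, ctx):  # explicit Deny wins, else any Allow, else implicit deny
    decision = "ImplicitDeny"
    for st in (s for p in policies for s in p["Statement"]):
        who = st.get("Principal", "*")  # identity-based policies carry no Principal
        who = who["AWS"] if isinstance(who, dict) else who  # {"AWS": ...} form or bare "*"
        if not (_match_any(who, ctx.get("principal", ""))
                and _match_any(st["Action"], action)
                and _match_any(st["Resource"], resource)
                and _conditions_ok(st.get("Condition", {}), ctx)):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

def can_read_secure_string(policies, param_arn, key_arn, ctx):  # Chapter 2 flow: both checks must pass
    return (evaluate(policies, "ssm:GetParameter", param_arn, ctx) == "Allow"
            and evaluate(policies, "kms:Decrypt", key_arn, ctx) == "Allow")
```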
Here are some important actions!

S3 actions
  • PutObject: grants permission to add an object to a bucket (you gain write permission)
  • GetObject: grants permission to retrieve objects from S3 (you gain read permission)
  • GetBucketPolicy: grants permission to return the bucket's policy (read access)
  • DeleteObject: grants permission to remove the null version of an object and insert a delete marker
  • DeleteObjectVersion: removes a specific version of an object
EC2
  • RunInstances: gives you the ability to launch instances
  • RebootInstances: gives you the ability to reboot instances
  • GetConsoleScreenshot: gives you a JPG screenshot of a running instance
IAM
  • CreateServiceLinkedRole: gives permission to create an IAM role that allows a service to do things on your behalf
  • GetPolicy: grants permission to retrieve info on a specific managed policy
  • GetUser: allows them to get information about a specific user

Get a little better every day!
