- Most AWS services are region specific.
- Services like IAM are global: they are not tied to any specific region.
- The AWS Regional Services page lists which services are available in each region: AWS Regional Services (amazon.com)
- An AWS role name can contain alphanumeric characters or any of the following: _+=,.@-
- Even if admin permissions are given to a user, that user still cannot access the billing dashboard.
- When creating an instance, if you add a tag called Name and give it a value, that value is set as the instance name automatically; you do not have to name the instance again.
- When restricting access with security groups, you specify a source IP address or address range so that only clients connecting from that range can connect; others cannot reach the instance. Setting the source to 0.0.0.0/0 means you are allowing or denying access to that port on the instance from all networks.
- A single SG can be attached to multiple instances, and multiple SGs can be attached to a single EC2 instance.
- SGs are scoped to a region or VPC. They sit outside your EC2 instance, so if traffic is blocked, your instance might not record anything in its logs.
- If there is a timeout when accessing the application, it might be a security group issue; if you get a connection refused error, it might be an application issue.
- By default, all inbound traffic is blocked in an SG and all outbound traffic is allowed.
- In SGs, you can allow or deny ports from different networks, and also allow or block ports to other security groups.
- Using EC2 Instance Connect, you can connect to Linux machines from the browser.
- When using a .pem file on Linux, change its permissions with chmod and then use ssh directly from the command line. On Windows, if you use PuTTY, you have to convert the .pem to .ppk and use that in PuTTY. If you use PowerShell and ssh, make yourself the owner of the .pem file, remove any other permissions, and launch ssh from PowerShell.
- To attach a volume to an EC2 instance, both the instance and the volume must be in the same Availability Zone. Similarly, to attach an elastic network interface to an EC2 instance, both the network interface and the instance must be in the same AZ.
- The number of network interfaces you can attach to an instance depends on the instance type. For example, t3 micro allows only 2 network interfaces, t3 micro allows only 3 network interfaces, etc.
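The security group behaviour in the notes above (inbound denied unless a rule matches, a silent drop that the client sees as a timeout, 0.0.0.0/0 matching every IPv4 source) can be modelled in a few lines. The Python below is an added example, not code from the original notes or from AWS: the `Rule` class, the sample groups and the list of "sensitive" ports are all constructed, and rules that reference another security group by id are not modelled. It also adds a small audit that flags admin and database ports open to the whole internet, which is the check a reviewer would run over the groups described here.

```python
"""Security-group reachability check and open-to-world audit.

Added example, not from the original notes. It models the behaviour described
above: inbound is denied unless a rule matches (no match means the packet is
dropped before the instance sees it, so the client observes a timeout), and a
source of 0.0.0.0/0 matches every IPv4 address. Rules referencing another
security group by id are not modelled; all rule values are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    protocol: str   # "tcp", "udp", or "-1" for all protocols
    from_port: int  # ignored when protocol is "-1"
    to_port: int
    source: str     # IPv4 CIDR, e.g. "203.0.113.0/24" or "0.0.0.0/0"


def rule_matches(rule, protocol, port, src_ip):
    """True if a single inbound rule covers this protocol/port/source."""
    if rule.protocol not in ("-1", protocol):
        return False
    if rule.protocol != "-1" and not (rule.from_port <= port <= rule.to_port):
        return False
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source, strict=False)


def inbound_allowed(rules, protocol, port, src_ip):
    """Security groups are allow-only: any matching rule permits, otherwise drop."""
    return any(rule_matches(r, protocol, port, src_ip) for r in rules)


def world_open_ports(rules, sensitive=(22, 3389, 3306, 5432)):
    """Audit helper: sensitive TCP ports reachable from any IPv4 address (0.0.0.0/0)."""
    exposed = set()
    for r in rules:
        net = ipaddress.ip_network(r.source, strict=False)
        if net.version != 4 or net.prefixlen != 0:
            continue  # not an open-to-world source
        for p in sensitive:
            # Any public address will do as a probe source for a /0 rule.
            if rule_matches(r, "tcp", p, "198.51.100.1"):
                exposed.add(p)
    return sorted(exposed)


# Constructed sample groups: a web tier with SSH limited to an office range,
# and a misconfigured one with SSH open to the world plus an all-traffic rule.
WEB_SG = [
    Rule("tcp", 80, 80, "0.0.0.0/0"),
    Rule("tcp", 443, 443, "0.0.0.0/0"),
    Rule("tcp", 22, 22, "203.0.113.0/24"),
]
OPEN_SSH_SG = [
    Rule("tcp", 22, 22, "0.0.0.0/0"),
    Rule("-1", -1, -1, "10.0.0.0/8"),
]

if __name__ == "__main__":
    print(inbound_allowed(WEB_SG, "tcp", 22, "203.0.113.10"))  # True
    print(inbound_allowed(WEB_SG, "tcp", 22, "198.51.100.7"))  # False: client sees a timeout
    print(world_open_ports(OPEN_SSH_SG))                       # [22]
```

The `inbound_allowed` call is what to reason with when a connection times out: if no rule matches the client's source and port, the instance never saw the packet, so nothing will appear in its logs, exactly as the notes say. `world_open_ports` is the reviewer's counterpart: run it over each group and treat any returned port as something to narrow to a known source range.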
How should you choose an AWS region when deploying an AWS service?
It depends on factors such as compliance (some countries do not allow their data to be stored outside their own infrastructure), latency (deploy close to your end users), which regions offer the service you need, and pricing, which varies from region to region.
How many ways can you access AWS?
IAM best practices:
- Use the root account only to create your first admin identity; from then on, use the admin identity for all activities.
- Set up a strong password policy and MFA.
- Prefer roles for giving permissions to AWS services.
- Do not share your AWS security keys.
- Instead of assigning permissions directly to users, add users to groups and assign policies to those groups.
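Several of these practices (root used only for bootstrapping, MFA everywhere, no shared long-lived keys) can be checked against the IAM credential report. The Python below is an added example, not code from the original notes or from AWS: the column names follow the real report produced by `aws iam get-credential-report`, but only a subset of its columns is kept and every row, including the account id, is constructed sample data.

```python
"""IAM credential-report audit for the best practices listed above.

Added example, not from the original notes. The column names follow the real
IAM credential report (`aws iam get-credential-report`), but only a subset of
its columns is included and every row below is constructed sample data.
"""
import csv
import io

# Constructed report: root with an active access key and no MFA, an admin with
# MFA, a service user with keys only, and a console user without MFA.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111111111111:root,not_supported,false,true,false
admin,arn:aws:iam::111111111111:user/admin,true,true,false,false
deploy-bot,arn:aws:iam::111111111111:user/deploy-bot,false,false,true,false
contractor,arn:aws:iam::111111111111:user/contractor,true,false,true,true
"""


def audit_credential_report(report_csv):
    """Return (user, finding) pairs for rows that violate the practices above."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        has_password = row["password_enabled"] == "true"
        has_mfa = row["mfa_active"] == "true"
        has_key = "true" in (row["access_key_1_active"], row["access_key_2_active"])
        if user == "<root_account>":
            # Root should only ever bootstrap the first admin identity, so it
            # needs MFA and should not carry programmatic keys at all.
            if has_key:
                findings.append((user, "root has an active access key"))
            if not has_mfa:
                findings.append((user, "root has no MFA"))
            continue
        # Console users must have MFA; key-only service users are checked
        # separately by the "do not share keys" rule, which the report cannot see.
        if has_password and not has_mfa:
            findings.append((user, "console user without MFA"))
    return findings


def flagged_users(report_csv):
    """Distinct users with at least one finding, in report order."""
    seen = []
    for user, _ in audit_credential_report(report_csv):
        if user not in seen:
            seen.append(user)
    return seen


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user}: {finding}")
```

The real report has more columns (key rotation dates, last-used timestamps) that extend the same loop naturally, for example to flag keys older than a rotation window. Group membership is not in the credential report, so the "assign policies to groups, not users" practice needs a separate check over `list-attached-user-policies`, which this example does not cover.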