AWS Community Day Poland 2024
Today I participated in AWS Community Day Poland 2024. It was a great opportunity to learn, meet people, and discuss interesting topics around AWS and the cloud. Below are my key takeaways from the presentations I watched today:
- Streamlining Compliance: Leveraging Open-Source Terraform AWS modules:
  - Links:
  - Notes:
    - Compliance frameworks: CIS, PCI DSS, GDPR, SOC 2
    - General tools: AWS Security Hub, Prowler, CloudQuery, Steampipe
    - Auto-remediation tools: checkov, trivy, Terrascan
    - Make your Terraform modules compliance-ready
- AWS Cost Optimization for a busy developer:
  - Links:
  - Notes:
    - Slides
    - Cost alarms:
      - create budgets and set alarms
      - free tier alerts
      - enable cost anomaly detection
      - AWS Cost Optimization Hub
    - Classification of cost optimization techniques:
      - quick win vs. high effort
      - types:
        - waste (idle or overuse):
          - stop
        - misconfiguration:
          - rightsize
          - upgrade, e.g. disk from GP2 to GP3
        - architecture:
          - Graviton
        - organization level:
          - Savings Plans
          - reserved instances
    - waste (idle or overuse):
      - AWS Trusted Advisor
        - 28 cost checks (paid)
        - requires at least the Business support plan
      - cost optimization techniques for self-checking:
        - EBS - unattached disk drives (take snapshots before deleting)
        - EC2 & RDS - scheduler for DEV & TEST environments
          - stop machines at night
          - AWS Instance Scheduler (not for ASG)
        - RDS - destroy idle instances (no connections in the last 14 days)
        - NAT Gateway - destroy idle ones
        - Glue Crawlers - duplicated schedules
        - S3 bucket - no lifecycle policies -> too many outdated versions
        - S3 bucket - Intelligent-Tiering -> use it from the beginning
        - Lambda on Graviton
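The self-checks above (unattached EBS volumes, GP2 disks worth moving to GP3, RDS instances with no connections in 14 days) are easy to script. The following is an added example of mine, not code from the talk or from AWS: the check functions take data in the shape that boto3's `describe_volumes`, `describe_db_instances` and CloudWatch `get_metric_statistics` return, so real responses can be fed in, but the sample volumes, instances and metric datapoints below are constructed so the module runs offline. The only AWS call is in `fetch_connection_datapoints`, which is shown for completeness and is not invoked by the sample.

```python
"""Idle-resource self-checks for the cost findings listed above (added example)."""
from datetime import datetime, timedelta, timezone

# Fixed "now" so the constructed sample data gives reproducible results.
NOW = datetime(2024, 9, 28, tzinfo=timezone.utc)


def unattached_volumes(volumes, now=NOW, min_age_days=7):
    """Return EBS volumes in state 'available' (no attachment) older than min_age_days.

    Fresh volumes are skipped because they may still be mid-provisioning.
    Anything returned here should be snapshotted before it is deleted.
    """
    found = []
    for v in volumes:
        age = now - v["CreateTime"]
        if v["State"] == "available" and not v.get("Attachments") and age >= timedelta(days=min_age_days):
            found.append({"VolumeId": v["VolumeId"], "SizeGiB": v["Size"], "AgeDays": age.days})
    return found


def gp2_volumes(volumes):
    """gp2 volumes are candidates for a gp3 migration (cheaper per GiB, same baseline IOPS)."""
    return [v["VolumeId"] for v in volumes if v["VolumeType"] == "gp2"]


def fetch_connection_datapoints(cloudwatch, db_identifier, days=14, now=None):
    """Pull the daily maximum of DatabaseConnections for one RDS instance (real boto3 call, not run offline)."""
    now = now or datetime.now(timezone.utc)
    resp = cloudwatch.get_metric_statistics(
        Namespace="AWS/RDS",
        MetricName="DatabaseConnections",
        Dimensions=[{"Name": "DBInstanceIdentifier", "Value": db_identifier}],
        StartTime=now - timedelta(days=days),
        EndTime=now,
        Period=86400,
        Statistics=["Maximum"],
    )
    return resp["Datapoints"]


def idle_rds_instances(instances, connection_datapoints):
    """Return instances whose DatabaseConnections maximum was 0 on every datapoint in the window.

    connection_datapoints maps DBInstanceIdentifier -> list of {"Timestamp", "Maximum"}.
    An instance with no datapoints at all is treated as idle, because CloudWatch
    omits periods with no data rather than reporting zeros.
    """
    idle = []
    for inst in instances:
        name = inst["DBInstanceIdentifier"]
        points = connection_datapoints.get(name, [])
        if all(p["Maximum"] == 0 for p in points):
            idle.append(name)
    return idle


def waste_report(volumes, db_instances, connection_datapoints):
    """Combine the checks into one dict a scheduled job could post to a channel."""
    return {
        "unattached_ebs": unattached_volumes(volumes),
        "gp2_to_gp3": gp2_volumes(volumes),
        "idle_rds": idle_rds_instances(db_instances, connection_datapoints),
    }


# --- constructed sample data, shaped like the boto3 responses -------------
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0aaa", "State": "available", "Size": 100, "VolumeType": "gp2",
     "CreateTime": NOW - timedelta(days=90), "Attachments": []},
    {"VolumeId": "vol-0bbb", "State": "in-use", "Size": 20, "VolumeType": "gp3",
     "CreateTime": NOW - timedelta(days=400),
     "Attachments": [{"InstanceId": "i-0123", "State": "attached"}]},
    {"VolumeId": "vol-0ccc", "State": "available", "Size": 8, "VolumeType": "gp2",
     "CreateTime": NOW - timedelta(hours=2), "Attachments": []},  # too new to flag
]
SAMPLE_DBS = [
    {"DBInstanceIdentifier": "dev-orders"},
    {"DBInstanceIdentifier": "prod-orders"},
    {"DBInstanceIdentifier": "staging-orders"},  # no datapoints at all
]
SAMPLE_CONNECTIONS = {
    "dev-orders": [{"Timestamp": NOW - timedelta(days=d), "Maximum": 0.0} for d in range(14)],
    "prod-orders": [{"Timestamp": NOW - timedelta(days=d), "Maximum": 37.0} for d in range(14)],
}

if __name__ == "__main__":
    for key, value in waste_report(SAMPLE_VOLUMES, SAMPLE_DBS, SAMPLE_CONNECTIONS).items():
        print(f"{key}: {value}")
```

Treat the output as a worklist, not an auto-delete list: the age threshold and the 14-day window are the knobs to tune per environment, and an instance that only sees traffic at month end will look idle under a 14-day window.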
- Build verifiable and effective application authorization in 30 minutes:
  - Links:
  - Notes:
    - challenge - permissions implemented in the code
    - policy-based authorization, e.g. AWS IAM
    - authorization as a service
    - Amazon Verified Permissions
    - Cedar:
      - policy language
      - policy evaluation and authorization engine
      - Every policy statement must include an effect and a scope:
        - The effect specifies whether this is a permit or a forbid policy
        - The scope specifies the principal[s], the action[s], and the resource[s] to which the effect applies
        - Optionally, the statement may also include one or more conditions in the form of when or unless clauses
    - Proper RBAC - deny by default
    - ABAC - attribute-based access control
    - AVP vs. self-hosted Cedar
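To make the effect/scope/condition structure and the deny-by-default rule concrete, here is an added example of mine: a small Python model of how Cedar-style policies are evaluated. It is not the Cedar engine and not the Amazon Verified Permissions API, just a simplified model that keeps the three points from the talk: each statement has an effect (permit or forbid) and a scope (principal, action, resource, with group membership for RBAC), `when`/`unless` conditions narrow the scope (attributes for ABAC), and the decision is Deny unless a permit matches and no forbid matches. The users, groups, documents and attributes are constructed sample data.

```python
"""Simplified model of Cedar-style policy evaluation (added example, not the Cedar engine)."""
from dataclasses import dataclass, field
from typing import Callable, Optional

ANY = None  # scope wildcard: no constraint on principal, action or resource


@dataclass
class Entity:
    kind: str
    id: str
    parents: frozenset = frozenset()              # group / folder membership (RBAC)
    attrs: dict = field(default_factory=dict)     # attributes for ABAC conditions

    @property
    def uid(self) -> str:
        return f'{self.kind}::"{self.id}"'

    def is_in(self, uid: str) -> bool:
        """True if this entity is the given entity or a member of it (Cedar's `in`)."""
        return self.uid == uid or uid in self.parents


@dataclass
class Policy:
    effect: str                                   # "permit" or "forbid"
    principal: Optional[str] = ANY                # entity or group uid
    action: Optional[str] = ANY
    resource: Optional[str] = ANY                 # entity or container uid
    when: Optional[Callable] = None               # must evaluate True for the policy to apply
    unless: Optional[Callable] = None             # must evaluate False for the policy to apply

    def __post_init__(self):
        if self.effect not in ("permit", "forbid"):
            raise ValueError("effect must be 'permit' or 'forbid'")

    def matches(self, principal: Entity, action: str, resource: Entity) -> bool:
        if self.principal is not ANY and not principal.is_in(self.principal):
            return False
        if self.action is not ANY and action != self.action:
            return False
        if self.resource is not ANY and not resource.is_in(self.resource):
            return False
        if self.when is not None and not self.when(principal, action, resource):
            return False
        if self.unless is not None and self.unless(principal, action, resource):
            return False
        return True


def is_authorized(policies, principal: Entity, action: str, resource: Entity) -> str:
    """Decision rule: any matching forbid -> Deny; else any matching permit -> Allow; else Deny."""
    matched = [p for p in policies if p.matches(principal, action, resource)]
    if any(p.effect == "forbid" for p in matched):
        return "Deny"
    if any(p.effect == "permit" for p in matched):
        return "Allow"
    return "Deny"  # deny by default: no policy spoke, so no access


# --- constructed sample entities and policies ------------------------------
alice = Entity("User", "alice", frozenset({'Group::"editors"'}), {"clearance": "low"})
bob = Entity("User", "bob", frozenset({'Group::"viewers"'}), {"clearance": "low"})
carol = Entity("User", "carol", frozenset({'Group::"viewers"'}), {"clearance": "high"})
plan = Entity("Document", "q3-plan", frozenset({'Folder::"docs"'}), {"owner": "alice", "classification": "public"})
notes = Entity("Document", "notes", frozenset({'Folder::"docs"'}), {"owner": "bob", "classification": "public"})
payroll = Entity("Document", "payroll", frozenset({'Folder::"docs"'}), {"owner": "alice", "classification": "confidential"})

POLICIES = [
    # RBAC scope plus an ABAC condition: editors may edit docs they own.
    Policy("permit", principal='Group::"editors"', action="edit", resource='Folder::"docs"',
           when=lambda p, a, r: r.attrs.get("owner") == p.id),
    # Plain RBAC: viewers may view anything in the docs folder.
    Policy("permit", principal='Group::"viewers"', action="view", resource='Folder::"docs"'),
    # A forbid that overrides every permit unless the principal has high clearance.
    Policy("forbid",
           when=lambda p, a, r: r.attrs.get("classification") == "confidential",
           unless=lambda p, a, r: p.attrs.get("clearance") == "high"),
]


def demo() -> dict:
    """Evaluate a handful of requests; returns a name -> decision mapping."""
    cases = {
        "alice edits own public doc": (alice, "edit", plan),
        "alice edits bob's doc": (alice, "edit", notes),
        "alice views (no view policy for editors)": (alice, "view", plan),
        "bob views public doc": (bob, "view", plan),
        "bob views confidential doc": (bob, "view", payroll),
        "carol (high clearance) views confidential doc": (carol, "view", payroll),
        "alice edits own confidential doc": (alice, "edit", payroll),
    }
    return {name: is_authorized(POLICIES, *req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{decision:5} {name}")
```

The last case is the one to notice: alice owns the payroll document and the permit matches, yet the decision is Deny because a forbid also matches. That asymmetry (forbid always wins, silence means Deny) is what makes a policy set auditable: adding a permit can never widen access past a forbid.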
- Sky is the limit - Ryanair’s story of customer notifications solution
- Designing and building a scale hybrid network:
  - Links:
  - Notes:
    - Hybrid connectivity:
      - TGW
      - Cloud WAN
      - Network Manager
      - Network Firewall
      - Direct Connect
      - Site-to-site VPN
    - TGW - connection to remote:
      - VPN IPsec
      - VPN GRE
      - TGW peering
      - TGW sharing
      - 1 TGW per region
    - Direct Connect:
      - dedicated connection
      - hosted connection
      - VIF (Virtual Interface):
        - private
        - public
        - transit
      - P2P encryption for an AWS Direct Connect link:
        - IPsec
        - MACsec
      - use ECMP on TGW to increase throughput
      - SiteLink
      - Direct Connect Gateway
      - redundancy:
        - second Direct Connect
        - VPN
      - BGP session goes down if the route limit is exceeded
    - network segmentation - multiple TGW route tables
    - AWS Network Firewall + GWLB
    - TGW is good, Cloud WAN is better
    - multi-region deployment
    - multi-layer security
- Supercharge Lambda functions with AWS Powertools: