Summary
** CloudFront with an S3 origin locked down through an OAI is the combination built for serving static files. Whenever a question mentions global delivery of static files, think CloudFront + S3.
** Uploads: files under 1 GB can be uploaded through CloudFront, which forwards them to S3; above 1 GB it is better to upload directly to S3 using multipart upload together with Transfer Acceleration.
** Global/dynamic files: replicate the bucket to several regions with CRR (kept consistently synchronized) and put Global Accelerator in front.
** When data uploaded to S3 needs follow-up processing, use S3 event notifications to trigger Lambda, SNS, or SQS.
** For S3 security, restrict direct external access with a bucket policy. When an external user needs access, hand out a pre-signed URL. When CloudFront is in front, use CloudFront signed URLs/cookies, and control traffic to CloudFront with WAF (web ACL and IP rules) and Shield (DDoS).
S3 : Objects & Buckets
- Buckets : need a globally unique name, defined at the region level
- Objects : the key is the FULL path (= prefix + object name), max object size is 5 TB, uploads above 5 GB must use multipart upload (recommended above 100 MB)
Versioning : enabled at the bucket level, protects against unintended deletes, easy rollback
- Any object that existed before versioning was enabled has version ID 'null'
** Features that require versioning: MFA Delete, S3 Replication (CRR/SRR), and the lifecycle actions that target noncurrent object versions
Encryption
- SSE-S3 : encryption using keys handled & managed by Amazon S3 / object is encrypted server side / AES-256 encryption / must set header "x-amz-server-side-encryption": "AES256"
- SSE-KMS : encryption using keys handled & managed by KMS (a separate AWS service: full control over the key rotation policy, and every key use is logged in CloudTrail) / object is encrypted server side / must set header "x-amz-server-side-encryption": "aws:kms"
- SSE-C : server-side encryption using keys fully managed by the customer outside of AWS / the key is sent in the headers of every request and S3 discards it after use, so HTTPS must be used
- Client Side Encryption : the client must encrypt data before sending it to S3 and decrypt it after retrieving it from S3
Encryption in transit (SSL/TLS) : HTTPS is recommended (a bucket policy can deny requests where aws:SecureTransport is false)
** SSE means server-side encryption; the three variants differ only in who holds and manages the encryption key (S3, KMS, or the customer).
CSE encrypts on the client side, so the client has to perform the encryption/decryption itself.
S3 Security
- User based : IAM policies
- Resource based : bucket policies
S3 Block Public Access : blocks public and cross-account access to buckets and objects granted through any public bucket or access point policy (leave it on unless the bucket must be public)
- Networking : VPC endpoints (gateway endpoint for S3, so traffic stays off the public internet)
- Logging and audit : S3 access logs -> another S3 bucket / API calls -> AWS CloudTrail
- User security :
• MFA Delete (requires versioning on the bucket) - MFA is needed to permanently delete an object version or to suspend versioning; only the bucket owner (root account) can enable/disable it, and only through the CLI
• Pre-signed URLs - generated with the SDK or CLI for uploads/downloads; they carry the permissions of the identity that signed them; valid for a default of 3600 seconds (change it with --expires-in in the CLI or ExpiresIn in the SDK; the maximum is 7 days)
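What a pre-signed URL actually is: a SigV4 signature over the request plus an expiry, computed with the signer's secret key and carried in the query string. The block below is an added example, not code from the course or the page, and it uses the stdlib only (no boto3). It reimplements the documented SigV4 query-string presigning for a GET and the check S3 performs on the other side. Bucket name, object key and the issue time are constructed sample values; the access key and secret are the placeholder credentials from the AWS documentation, not real keys.

```python
import datetime as dt
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed sample values: the placeholder credentials used in the AWS docs, not real keys.
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLE"
ISSUED_AT = dt.datetime(2013, 5, 24, tzinfo=dt.timezone.utc)


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _canonical_query(params: dict) -> str:
    # SigV4: URI-encode every key and value, then sort by key.
    return "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                    for k, v in sorted(params.items()))


def _signature(secret: str, host: str, path: str, params: dict, date: str, region: str) -> str:
    """SigV4 query-string signature for a GET whose only signed header is Host."""
    canonical_request = "\n".join(
        ["GET", path, _canonical_query(params), f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    scope = f"{date}/{region}/s3/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", params["X-Amz-Date"], scope,
                                hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    # Derived signing key: HMAC chain over date, region, service, "aws4_request".
    k_signing = _hmac(_hmac(_hmac(_hmac(("AWS4" + secret).encode("utf-8"), date),
                                  region), "s3"), "aws4_request")
    return hmac.new(k_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def presign_get(bucket, key, access_key, secret_key, region, now, expires=3600):
    """Build a pre-signed GET URL valid for `expires` seconds from `now` (UTC)."""
    host = f"{bucket}.s3.{region}.amazonaws.com"
    path = quote("/" + key, safe="/-_.~")
    date = now.strftime("%Y%m%d")
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{date}/{region}/s3/aws4_request",
        "X-Amz-Date": now.strftime("%Y%m%dT%H%M%SZ"),
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    sig = _signature(secret_key, host, path, params, date, region)
    return f"https://{host}{path}?{_canonical_query(params)}&X-Amz-Signature={sig}"


def verify_presigned_get(url, secret_key, now):
    """Server-side check: expiry window first, then recompute and compare the signature."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    supplied = params.pop("X-Amz-Signature", "")
    try:
        signed_at = dt.datetime.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ") \
            .replace(tzinfo=dt.timezone.utc)
        expires = int(params["X-Amz-Expires"])
        _access, date, region, service, _ = params["X-Amz-Credential"].split("/")
    except (KeyError, ValueError):
        return False
    if service != "s3" or not 1 <= expires <= 604800:  # S3 caps X-Amz-Expires at 7 days
        return False
    if now < signed_at or now > signed_at + dt.timedelta(seconds=expires):
        return False  # not yet valid / expired
    expected = _signature(secret_key, parts.hostname, parts.path, params, date, region)
    return hmac.compare_digest(expected, supplied)  # any edit to path or query breaks this


def demo():
    """Valid URL, expired URL, and three tampered variants (all with constructed values)."""
    url = presign_get("examplebucket", "reports/q1 summary.pdf",
                      ACCESS_KEY, SECRET_KEY, "us-east-1", ISSUED_AT, 3600)
    later = ISSUED_AT + dt.timedelta(minutes=30)
    return {
        "valid_inside_window": verify_presigned_get(url, SECRET_KEY, later),
        "expired": verify_presigned_get(url, SECRET_KEY, ISSUED_AT + dt.timedelta(hours=2)),
        "other_object": verify_presigned_get(url.replace("q1%20summary", "q2%20summary"), SECRET_KEY, later),
        "longer_expiry": verify_presigned_get(url.replace("X-Amz-Expires=3600", "X-Amz-Expires=86400"), SECRET_KEY, later),
        "wrong_secret": verify_presigned_get(url, "not-the-secret", later),
    }


if __name__ == "__main__":
    print(demo())
```

The point for the exam and for practice: a pre-signed URL is only as private as the secret and as short as its expiry; because the expiry is inside the signed query string, the holder cannot extend it, and because the path is signed, the URL cannot be repointed at another object. The URL also inherits the permissions of the signing identity, so sign with a narrowly scoped role rather than an administrator's keys.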
S3 Websites : host static websites accessible on the www; a 403 (Forbidden) error -> check the bucket policy (the website endpoint needs public read)
CORS : when a page served from one origin loads content from a different S3 bucket, the target bucket must return the correct CORS headers (Access-Control-Allow-Origin) for the requesting origin
S3 Replication :
- CRR / SRR : versioning must be enabled on both the source and destination bucket, the buckets can be in different accounts, and the replication role needs proper IAM permissions on both
- After activation, only new objects are replicated (existing objects are not copied retroactively)
- Can replicate delete markers from source to target (optional)
- Deletions with a version ID are not replicated (so a permanent delete cannot propagate to the replica)
- No chaining (if bucket 1 replicates to bucket 2 and bucket 2 to bucket 3, objects from bucket 1 do not reach bucket 3)
Storage Class
S3 Standard / Intelligent-Tiering / S3 Standard-IA / S3 One Zone-IA / S3 Glacier / S3 Glacier Deep Archive
S3 Standard, Intelligent-Tiering : no retrieval fee, no minimum capacity charge per object
S3 One Zone-IA : stored in a single AZ, so lowest availability (data is lost if that AZ is destroyed)
Glacier : Expedited 1~5 minutes / Standard 3~5 hours / Bulk 5~12 hours <-> Deep Archive : Standard 12 hours / Bulk 48 hours
** S3 Standard + Intelligent-Tiering / S3 Standard-IA + S3 One Zone-IA / S3 Glacier + S3 Glacier Deep Archive pair up with similar characteristics, but the differences in detail (availability, retrieval time, minimum storage duration) need to be known
Lifecycle Configuration rule : transitions objects between storage classes
- Transition Actions : define when objects are transitioned to another storage class
ex) Move objects to the Standard-IA class 60 days after creation
Move to Glacier for archiving after 6 months
- Expiration Actions : configure objects to expire (be deleted) after some time
ex) Access log files can be set to delete after 365 days
Can be used to delete old versions of files (if versioning is enabled)
Can be used to delete incomplete multipart uploads (which otherwise keep costing storage)
- S3 Analytics (storage class analysis) : helps determine when to transition objects from Standard to Standard-IA (does NOT work for One Zone-IA or Glacier)
** Objects can be moved automatically to another storage class according to access patterns (storage class is a property of the object, not of the bucket). Lifecycle transitions only move down the waterfall, never back up:
Standard -> Standard-IA -> Intelligent-Tiering -> One Zone-IA -> Glacier -> Deep Archive
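The two example rules above (Standard-IA at 60 days, Glacier at 6 months, delete after 365 days, plus noncurrent-version and incomplete-multipart cleanup) as one lifecycle configuration, together with a small simulator and a validator. This is an added example, not the course's or AWS's code; the field names follow the S3 PutBucketLifecycleConfiguration API, the bucket prefix `logs/` is assumed, and the minimum-age and ordering rules in the validator are the constraints S3 enforces when the configuration is saved (IA classes require objects to be at least 30 days old, transition days must increase along the waterfall, expiration must come after the last transition).

```python
# Assumed prefix: rule applies only to keys under logs/.
LIFECYCLE = {
    "Rules": [
        {
            "ID": "archive-then-expire",
            "Filter": {"Prefix": "logs/"},
            "Status": "Enabled",
            "Transitions": [
                {"Days": 60, "StorageClass": "STANDARD_IA"},   # 60 days after creation
                {"Days": 180, "StorageClass": "GLACIER"},      # ~6 months after creation
            ],
            "Expiration": {"Days": 365},                       # delete current version
            "NoncurrentVersionExpiration": {"NoncurrentDays": 30},       # old versions
            "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 7},  # stalled uploads
        }
    ]
}

# Transitions may only go down this list (the waterfall), never back up.
WATERFALL = ["STANDARD", "STANDARD_IA", "INTELLIGENT_TIERING",
             "ONEZONE_IA", "GLACIER", "DEEP_ARCHIVE"]
# S3 rejects transitions into the IA classes before the object is 30 days old.
MIN_DAYS = {"STANDARD_IA": 30, "ONEZONE_IA": 30}


def validate_rule(rule):
    """Return the list of problems S3 would reject (empty list means the rule is acceptable)."""
    problems = []
    last_day, last_rank = -1, -1
    for t in rule.get("Transitions", []):
        cls, days = t["StorageClass"], t["Days"]
        if days < MIN_DAYS.get(cls, 0):
            problems.append(f"{cls} transition needs Days >= {MIN_DAYS[cls]}")
        rank = WATERFALL.index(cls)
        if days <= last_day or rank <= last_rank:
            problems.append("transitions must move down the waterfall with increasing Days")
        last_day, last_rank = days, rank
    expiry = rule.get("Expiration", {}).get("Days")
    if expiry is not None and expiry <= last_day:
        problems.append("Expiration must come after the last transition")
    return problems


def state_at(rule, age_days, key):
    """Storage class (or 'EXPIRED') of a current object `age_days` after creation."""
    if not key.startswith(rule["Filter"].get("Prefix", "")):
        return "STANDARD"                      # rule does not match this key
    expiry = rule.get("Expiration", {}).get("Days")
    if expiry is not None and age_days >= expiry:
        return "EXPIRED"
    cls = "STANDARD"
    for t in rule.get("Transitions", []):      # the latest transition already reached wins
        if age_days >= t["Days"]:
            cls = t["StorageClass"]
    return cls


if __name__ == "__main__":
    rule = LIFECYCLE["Rules"][0]
    print(validate_rule(rule))
    for age in (30, 60, 200, 365):
        print(age, state_at(rule, age, "logs/2022/app.log.gz"))
```

The validator is what catches the exam-style mistake of writing "move to Standard-IA after 10 days": S3 refuses the rule, and the fix is to either wait 30 days or transition straight to Glacier, which has no such minimum.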
S3 Select & Glacier Select : retrieve less data by filtering with SQL on the SERVER SIDE (rows & columns), less network transfer and less client-side CPU
S3 Event Notifications : Can create as many S3 events as desired -> trigger SNS/SQS/LAMBDA
ex) Generate thumbnails of images uploaded to S3
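The thumbnail pipeline above, reduced to the part that goes wrong in practice: the Lambda handler that receives the S3 event. This is an added example, not code from the course; the event below is a constructed sample in the shape S3 sends, and the bucket name and prefixes (`uploads/` in, `thumbnails/` out) are assumptions. Two things it shows that the one-line description does not: object keys arrive URL-encoded in the event (a space becomes `+`), and a function that writes its output back into the prefix that triggers it recurses forever, so the output prefix must be excluded from the trigger.

```python
from urllib.parse import unquote_plus

# Constructed sample event in the shape S3 delivers to Lambda (abridged to the fields used).
SAMPLE_EVENT = {
    "Records": [
        {   # a fresh upload that should be thumbnailed
            "eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
            "s3": {"bucket": {"name": "uploads-example"},
                   "object": {"key": "uploads/my+photo%2B1.jpg", "size": 204800}},
        },
        {   # our own output landing in the bucket: must NOT be processed again
            "eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
            "s3": {"bucket": {"name": "uploads-example"},
                   "object": {"key": "thumbnails/my+photo%2B1.jpg", "size": 4096}},
        },
        {   # a delete: nothing to render
            "eventSource": "aws:s3", "eventName": "ObjectRemoved:Delete",
            "s3": {"bucket": {"name": "uploads-example"},
                   "object": {"key": "uploads/old.png"}},
        },
    ]
}

IMAGE_SUFFIXES = (".jpg", ".jpeg", ".png")


def parse_s3_event(event):
    """Yield (bucket, key, event_name) per record; the key is URL-decoded here, once."""
    for rec in event.get("Records", []):
        if rec.get("eventSource") != "aws:s3":
            continue
        # S3 URL-encodes keys in the event payload; '+' stands for a space.
        key = unquote_plus(rec["s3"]["object"]["key"])
        yield rec["s3"]["bucket"]["name"], key, rec["eventName"]


def thumbnail_target(key, event_name, source_prefix="uploads/", dest_prefix="thumbnails/"):
    """Return the output key for a record that should be processed, else None."""
    if not event_name.startswith("ObjectCreated:"):
        return None                                   # deletes, restores, etc.
    if not key.startswith(source_prefix) or key.startswith(dest_prefix):
        return None                                   # the loop guard
    if ".." in key.split("/"):
        return None                                   # never let a key traverse local /tmp paths
    if not key.lower().endswith(IMAGE_SUFFIXES):
        return None
    return dest_prefix + key[len(source_prefix):]


def handler(event, context=None):
    """Lambda entry point: returns the (bucket, source key, target key) triples to render."""
    work = []
    for bucket, key, name in parse_s3_event(event):
        target = thumbnail_target(key, name)
        if target is not None:
            work.append((bucket, key, target))
    return work


if __name__ == "__main__":
    print(handler(SAMPLE_EVENT))
```

In the real deployment the loop guard belongs in the bucket notification configuration as well (filter on the `uploads/` prefix), but keeping it in code means a misconfigured trigger does not turn into a runaway Lambda bill.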
Amazon Athena: Serverless query service to perform analytics against S3 objects
S3 Baseline Performance : your app can achieve at least 3,500 PUT/COPY/POST/DELETE and 5,500 GET/HEAD requests per second per prefix in a bucket (spread keys over prefixes to scale further)
S3 Byte-Range Fetches : parallelize GETs by requesting specific byte ranges
AWS CloudFront : Content Delivery Network (CDN)
- Improves read performance, content is cached at the edge
- DDoS protection, integration with Shield, AWS Web Application Firewall
- You can reduce the number of edge locations for cost reduction: Price Class All / Price Class 200 / Price Class 100
** Content fetched from the origin is cached at the edge location, so later requests from that area are served from the edge without going back to the origin, which lowers latency.
CloudFront Origins
- S3 bucket : enhanced security with a CloudFront Origin Access Identity (OAI), so the bucket policy can allow reads only from CloudFront and the bucket stays private; CloudFront can also be used as an ingress (to upload files to S3)
- Custom origin (HTTP) : ALB, EC2, S3 website endpoint (the origin must allow the public IPs of the edge locations)
- Multiple origins : to route to different kinds of origins based on the content type (ex. S3 & EC2)
Routed with cache behaviors on path patterns like /images/*, /api/*, /*
- Origin groups : to increase availability and do failover; group two origins of the same type (ex. S3 & S3, one primary and one secondary origin)
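The bucket policy that makes the "S3 origin with OAI" setup above private, together with a check for the opposite mistake (an Allow to an anonymous principal, i.e. a public bucket). This is an added example, not code from the course; the bucket name and OAI ID are assumptions, the OAI principal ARN follows the form CloudFront documents, and the public-policy check is a simplified version of the rule S3 Block Public Access applies (an Allow to `*` counts as public unless a condition narrows it to a specific account, VPC, or source IP).

```python
import json

# Condition keys that S3 treats as narrowing an anonymous Allow to something non-public
# (simplified from the Block Public Access rules).
NARROWING_KEYS = {"aws:SourceVpc", "aws:SourceVpce", "aws:SourceIp",
                  "aws:PrincipalAccount", "aws:PrincipalArn", "aws:PrincipalOrgID"}


def cloudfront_only_bucket_policy(bucket, oai_id):
    """Only the given CloudFront OAI may read objects; plain HTTP is refused for everyone."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCloudFrontOAIRead",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::cloudfront:user/"
                                     f"CloudFront Origin Access Identity {oai_id}"},
                "Action": "s3:GetObject",           # read only: no ListBucket, no writes
                "Resource": f"arn:aws:s3:::{bucket}/*",
            },
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
        ],
    }


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _anonymous(principal):
    return principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")


def _narrowed(condition):
    keys = {k for op in condition.values() for k in op}
    return bool(keys & NARROWING_KEYS)


def public_access_findings(policy, bucket):
    """Findings a reviewer would raise before attaching the policy (empty list = clean)."""
    findings = []
    for s in policy["Statement"]:
        sid = s.get("Sid", "<no Sid>")
        if s["Effect"] == "Allow" and _anonymous(s["Principal"]) \
                and not _narrowed(s.get("Condition", {})):
            findings.append(f"{sid}: anonymous Allow not narrowed by a condition (public bucket)")
        for r in _as_list(s["Resource"]):
            if r != f"arn:aws:s3:::{bucket}" and not r.startswith(f"arn:aws:s3:::{bucket}/"):
                findings.append(f"{sid}: Resource {r} is outside bucket {bucket}")
    return findings


if __name__ == "__main__":
    policy = cloudfront_only_bucket_policy("assets-example", "E1EXAMPLE1234")  # assumed IDs
    print(json.dumps(policy, indent=2))
    print(public_access_findings(policy, "assets-example"))
```

With Block Public Access left on, S3 itself rejects a policy the checker flags, which is the layered behaviour to aim for: the bucket policy grants the OAI and nothing else, Block Public Access stops anyone from widening it later, and the TLS deny covers the SSE-C and pre-signed URL cases where an unencrypted request would leak keys or signatures in transit.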
CloudFront Geo Restriction : restrict who can access your distribution, The “country” is determined using a 3rd party Geo-IP database
CloudFront : Global Edge network / Great for static content that must be available everywhere
vs
S3 CRR : Must be setup for each region you want replication to happen / Great for dynamic content that needs to be available at low-latency in few regions
CloudFront Signed URL / Cookie : distribute paid shared content (private content) to premium users around the world; the signature is made with a trusted key pair and carries an expiry, optional IP range and path policy
- Signed URL : access to individual files (one signed URL per file)
- Signed Cookies : access to multiple files (one signed cookie for many files)
AWS Global Accelerator : 2 Anycast IPs are created for your application
- The Anycast IPs send traffic directly to the nearest edge location / the edge location forwards the traffic over the AWS global network to your application
- Works with Elastic IP, EC2 instances, ALB, NLB, public or private
- Consistent performance / health checks / security (only the 2 external IPs need to be allowed, and it is protected by Shield)
** With Anycast IPs a request enters at the lowest-latency edge location and reaches the application quickly over the AWS backbone instead of the public internet.
AWS CloudFront : Improves performance for both cacheable content / Dynamic content / Content is served at the edge
vs
Global Accelerator : Improves performance for a wide range of applications over TCP or UDP / Good fit for non-HTTP use cases, such as gaming (UDP), IoT (MQTT), or Voice over IP, Good for HTTP use cases that require static IP addresses
Source : Udemy Ultimate AWS Certified Solutions Architect Associate 2022