[AWS] AWS WAF (Web Application Firewall)

AWS WAF (Web Application Firewall) is a managed web application firewall that protects web applications from common web exploits such as SQL injection and cross-site scripting, using rules you define or managed rule groups.

  • It is an OSI Layer 7 firewall: it inspects HTTP and HTTPS requests, not packets.
  • It is attached to an Application Load Balancer (not a Classic ELB), a CloudFront distribution, or an API Gateway stage, and inspects the requests those services receive.
  • Requests that match a blocking rule are rejected with HTTP 403 (Forbidden) by default; the blocked request never reaches the origin.

[AWS] Key Management Service (KMS)

Key Management Service (KMS) is a regional key management service backed by FIPS 140-2 validated hardware security modules (Level 2 overall at the time of writing, Level 3 for physical security) that creates and controls the keys used to encrypt and decrypt data. Most other AWS services integrate with KMS for their encryption-at-rest features.

  • KMS is a regional service, not a global one: a key created in one region cannot be used in another (multi-Region keys are the one exception).
  • KMS holds encryption keys, not secrets. Database passwords and API keys belong in Systems Manager Parameter Store (SecureString) or Secrets Manager, which in turn encrypt them with a KMS key.
  • You are charged per API request (plus a monthly charge for each customer managed key).
  • Every key operation is logged by CloudTrail, so key usage can be audited from the CloudTrail logs delivered to S3.
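The audit point above is only useful if someone actually reads the logs. The following is an added example (not from the original post) that triages KMS events from a CloudTrail log file delivered to S3: it aggregates usage per key and principal, and flags failed calls, destructive key operations, and data-key operations by principals that are not on the key's expected-user list. The record layout follows CloudTrail's schema (`Records[]`, `eventSource`, `eventName`, `userIdentity.arn`, `resources[]`, `errorCode`); the key ARN, role names and records themselves are constructed for illustration.

```python
"""Audit KMS key usage from CloudTrail records (added example, stdlib only)."""
import json
from collections import Counter

# Constructed key ARN; the account ID and key ID are placeholders.
KEY = "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"


def _rec(name, arn, error=None, key=KEY):
    # Build one constructed CloudTrail record in the shape KMS events use.
    rec = {"eventSource": "kms.amazonaws.com", "eventName": name,
           "userIdentity": {"arn": arn},
           "resources": [{"type": "AWS::KMS::Key", "ARN": key}]}
    if error:
        rec["errorCode"] = error
    return rec


# Constructed log file in the layout CloudTrail delivers to S3 (after gunzip).
SAMPLE_LOG = json.dumps({"Records": [
    _rec("Decrypt", "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"),
    _rec("Decrypt", "arn:aws:sts::111122223333:assumed-role/app-role/i-0def"),
    _rec("Decrypt", "arn:aws:iam::111122223333:user/contractor", error="AccessDenied"),
    _rec("GenerateDataKey", "arn:aws:sts::111122223333:assumed-role/ci-runner/build-42"),
    _rec("ScheduleKeyDeletion", "arn:aws:iam::111122223333:user/admin"),
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin"}},
]})

# Events that change or destroy a key rather than use it; always worth a ticket.
DESTRUCTIVE = {"ScheduleKeyDeletion", "DisableKey", "PutKeyPolicy",
               "DeleteAlias", "DeleteImportedKeyMaterial"}
# Events that touch plaintext or data keys; these are the ones to allowlist.
DATA_OPS = {"Decrypt", "Encrypt", "GenerateDataKey",
            "GenerateDataKeyWithoutPlaintext", "ReEncrypt"}


def principal_of(rec):
    """Collapse assumed-role session ARNs to the role name so sessions aggregate."""
    arn = rec.get("userIdentity", {}).get("arn", "")
    if ":assumed-role/" in arn:
        return arn.split(":assumed-role/", 1)[1].split("/", 1)[0]
    return arn or "unknown"


def key_of(rec):
    """Key ARN comes from resources[]; a Decrypt request need not name a keyId."""
    for res in rec.get("resources") or []:
        if res.get("type") == "AWS::KMS::Key":
            return res.get("ARN")
    return (rec.get("requestParameters") or {}).get("keyId")


def triage_kms_events(log_text, allowed_roles):
    """Return (usage Counter keyed by (key, principal, event), list of findings).

    allowed_roles maps a key ARN to the set of role/user names expected to use it.
    """
    usage, findings = Counter(), []
    for rec in json.loads(log_text)["Records"]:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        name, key, who = rec.get("eventName"), key_of(rec), principal_of(rec)
        usage[(key, who, name)] += 1
        if rec.get("errorCode"):
            findings.append(f"{who}: {rec['errorCode']} on {name} for {key}")
        elif name in DESTRUCTIVE:
            findings.append(f"{who}: destructive {name} on {key}")
        elif name in DATA_OPS and key in allowed_roles and who not in allowed_roles[key]:
            findings.append(f"{who}: unexpected {name} on {key}")
    return usage, findings


if __name__ == "__main__":
    usage, findings = triage_kms_events(SAMPLE_LOG, {KEY: {"app-role"}})
    for (key, who, name), n in sorted(usage.items()):
        print(f"{n:3d} {name:<20} {who:<45} {key[-12:]}")
    for f in findings:
        print("FINDING", f)
```

Against the constructed log this reports three findings: the contractor's AccessDenied, the `ci-runner` role generating a data key it was never expected to touch, and the admin scheduling the key for deletion. The allowlist is the part that needs care in practice: it should be derived from the key policy and the grants on the key, not typed in by hand.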

[AWS] IDF, Cognito, and SSO

IDF (Identity Federation) is an architecture in which identities from an external identity provider (IdP) are trusted by AWS and exchanged, through STS, for temporary credentials tied to an IAM role, so no IAM users have to be created for them.

Types of IDF

  • Cross-account roles: a principal in another AWS account is allowed to assume a role in your account and so access your resources. When the other account belongs to a third party, require an sts:ExternalId condition in the trust policy to avoid the confused-deputy problem.
  • SAML 2.0 federation: users of a SAML-compatible IdP, such as Active Directory via AD FS, sign in to AWS with their existing corporate identity (AssumeRoleWithSAML).
  • Web identity federation: users authenticated by an external web IdP (Google, Facebook, Amazon, or any OpenID Connect provider) exchange the IdP's token for a role (AssumeRoleWithWebIdentity); Amazon Cognito is the recommended broker for this.
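Each of the three patterns above is configured in a role's trust policy, and each has a condition that is easy to forget. The following is an added example (not from the original post) that lints trust-policy documents for those omissions: a cross-account trust without sts:ExternalId, a SAML statement that does not pin SAML:aud to the AWS sign-in endpoint, a web identity trust without an audience/app-id condition, and a wildcard principal. The account IDs, provider names and ExternalId value are constructed placeholders.

```python
"""Lint IAM role trust policies for federation mistakes (added example, stdlib only)."""

AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _conditions(stmt):
    """Flatten Condition {operator: {key: value}} into {lowercased key: [values]}."""
    out = {}
    for kv in (stmt.get("Condition") or {}).values():
        for k, v in kv.items():
            out[k.lower()] = _as_list(v)
    return out


def _account_of(principal):
    # "arn:aws:iam::123456789012:root" -> "123456789012"; bare account IDs pass through.
    return principal.split(":")[4] if principal.startswith("arn:") else principal


def check_trust_policy(policy, own_account):
    """Return a list of (statement index, problem) for risky federation grants."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        principal = stmt.get("Principal") or {}
        cond = _conditions(stmt)

        if principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS", []))):
            findings.append((i, "wildcard principal: any AWS account can assume this role"))
            continue
        if not isinstance(principal, dict):
            continue

        # Cross-account role: a trust to another account needs an ExternalId,
        # otherwise a third party can be tricked into assuming the role for someone else.
        if "sts:assumerole" in actions:
            for p in _as_list(principal.get("AWS", [])):
                acct = _account_of(p)
                if acct != own_account and "sts:externalid" not in cond:
                    findings.append((i, f"cross-account trust to {acct} without sts:ExternalId"))

        # SAML 2.0: the assertion's audience must be the AWS sign-in endpoint,
        # or an assertion minted for another service provider could be replayed here.
        if "sts:assumerolewithsaml" in actions and cond.get("saml:aud") != [AWS_SAML_AUDIENCE]:
            findings.append((i, "SAML statement does not pin SAML:aud to the AWS sign-in endpoint"))

        # Web identity: without an aud/app_id condition, a token issued to *any*
        # application registered with that IdP is accepted.
        if "sts:assumerolewithwebidentity" in actions:
            for idp in _as_list(principal.get("Federated", [])):
                host = idp.lower()
                if not any(k.startswith(host + ":") and k.split(":")[1] in ("aud", "app_id")
                           for k in cond):
                    findings.append((i, f"web identity trust to {idp} without an audience condition"))
    return findings


def _policy(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}


# Constructed trust policies: one weak and one hardened cross-account trust,
# a correct SAML trust, and a web identity trust missing its audience check.
WEAK_CROSS_ACCOUNT = _policy({
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::999988887777:root"}})
HARDENED_CROSS_ACCOUNT = _policy({
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::999988887777:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "vendor-42-7f3a"}}})
SAML_OK = _policy({
    "Effect": "Allow", "Action": "sts:AssumeRoleWithSAML",
    "Principal": {"Federated": "arn:aws:iam::111122223333:saml-provider/ADFS"},
    "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}}})
WEB_NO_AUDIENCE = _policy({
    "Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
    "Principal": {"Federated": "accounts.google.com"}})

if __name__ == "__main__":
    for name, pol in [("weak", WEAK_CROSS_ACCOUNT), ("hardened", HARDENED_CROSS_ACCOUNT),
                      ("saml", SAML_OK), ("web", WEB_NO_AUDIENCE)]:
        print(name, check_trust_policy(pol, own_account="111122223333"))
```

Condition keys are matched case-insensitively because IAM treats them that way; the checker only looks at trust policies, so a role that is otherwise overprivileged through its permission policies will still pass.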

[AWS] AWS Organizations

AWS Organizations is a global service for centrally managing multiple AWS accounts and their billing; the number of accounts per organization is limited by a default quota that can be raised on request.

  • All accounts in an organization consolidate their bills into a single management (paying) account.
    • The management account should be reserved for billing and organization administration; do not run workloads in it.
    • Economy of scale: usage is aggregated across all accounts, so volume pricing tiers are reached sooner and the discount applies to everyone.