IAM
Policy evaluation logic
- When an IAM entity (user or role) requests access to a resource within the same account, AWS evaluates all the permissions granted by the identity-based and resource-based policies.
- An explicit deny in either of these policies overrides the allow.
- Explicit deny: a policy with a DENY statement that applies to the request.
- Implicit deny: there is no applicable DENY or ALLOW statement.
Permissions boundaries
- Within the same account, resource-based policies that grant permissions to an IAM user ARN are not limited by an implicit deny in an identity-based policy or permissions boundary.
- Resource-based policies that grant permissions to an IAM role ARN are limited by an implicit deny in a permissions boundary or session policy.
Cross account resource access
- To share the resource directly, the resource that you want to share must support resource-based policies.
- Unlike an identity-based policy for a role, a resource-based policy specifies who (which principal) can access that resource.
- In cross account access, a principal needs an Allow in the identity policy and the resource-based policy.
- Use a role as a proxy when you want to access resources in another account that do not support resource-based policies.
IAM Access Analyzer helps to identify the resources shared with an external entity.
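As an added example (not from these notes), a simplified Python model of the two rules above: the same-account evaluation, where identity-based and resource-based policies are evaluated together and an explicit deny wins over any allow, and the cross-account rule, where the principal needs an Allow in both the identity policy and the resource-based policy. The sample policies, the evaluate and cross_account_allowed helpers and the wildcard matching via fnmatch are assumptions; conditions, NotAction, permissions boundaries and session policies are not modelled.

```python
from fnmatch import fnmatchcase

# Constructed sample policies (illustrative, not taken from the notes).
IDENTITY_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
]}
BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::example-bucket"},
    # Explicit deny on a prefix: overrides any Allow that also matches.
    {"Effect": "Deny", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-bucket/secret/*"},
]}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def _matches(stmt, action, resource):
    """True if the statement's Action and Resource patterns cover the request
    (IAM-style '*' wildcards, approximated here with fnmatch)."""
    return any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])) and any(
        fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))

def evaluate(policies, action, resource):
    """Same-account logic: all applicable policies are evaluated together; an
    explicit Deny wins, otherwise any Allow grants, otherwise the request is
    implicitly denied. Returns 'explicit_deny', 'allow' or 'implicit_deny'."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit_deny"
            allowed = True
    return "allow" if allowed else "implicit_deny"

def cross_account_allowed(identity_policy, resource_policy, action, resource):
    """Cross-account logic: the principal needs an Allow in its own identity
    policy AND in the resource-based policy; a Deny on either side blocks."""
    return (evaluate([identity_policy], action, resource) == "allow"
            and evaluate([resource_policy], action, resource) == "allow")
```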
EC2
Instance Metadata
Get credentials of the instance profile IAM role (substitute the role name)
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/$ROLE_NAME
Get region
curl -s http://169.254.169.254/latest/dynamic/instance-identity/document | jq -r '.region'
Get user data
INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id)
sudo cat /var/lib/cloud/instances/$INSTANCE_ID/user-data.txt
or
curl http://169.254.169.254/2021-03-23/user-data
Data transfer bandwidth between EC2 and S3
Traffic between Amazon EC2 and Amazon S3 can leverage up to 100 Gbps of bandwidth to VPC endpoints and public IPs in the same Region.
From What’s the maximum transfer speed between Amazon EC2 and Amazon S3?
Links
- How can I improve the transfer speeds for copying data between my S3 bucket and EC2 instance?
- Network performance of EC2 instance
EBS
Provisioned IOPS SSD volumes
Provisioned IOPS are calculated using an I/O size of 16 KiB (reference).
S3
Range get
Using the Range HTTP header in a GET Object request, you can fetch a byte range from an object, transferring only the specified portion.
Concurrency on CLI
Change max_concurrent_requests.
aws configure set default.s3.max_concurrent_requests 20
Mounting S3 bucket as a local file system
- Mountpoint for Amazon S3
- The inside story on Mountpoint for Amazon S3, a high-performance open source file client
RDS
Aurora
DB cluster parameter group vs DB parameter group
The values in the DB parameter group can override default values from the cluster parameter group.
from: Amazon Aurora DB cluster and DB instance parameters
Enhanced monitoring
Performance insights
SDK
Retry behavior
CLI
Export credentials
Retrieve AWS credentials using the credential resolution process (e.g. an assumed role):
$ aws configure export-credentials --profile engineering
{
"Version": 1,
"AccessKeyId": ...,
"SecretAccessKey": ...,
"SessionToken": ...,
"Expiration": ...
}