EN_AWS - somaz94/DevOps-Engineer GitHub Wiki

AWS

A summary of AWS concepts for DevOps engineers. Click each link for full details.


Glossary

IAM & Authentication

  • Assume Role: Obtain temporary security credentials to access resources in another account or assume different permissions within the same account
  • sts:AssumeRole: IAM credential-based role delegation — used for cross-account access
  • sts:AssumeRoleWithWebIdentity: OIDC/SAML token-based role delegation — integrates with GitHub Actions, Kubernetes SA, and other external identity providers
  • Temporary Credentials: Composed of access key + secret access key + session token, with configurable expiration
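As an added example (not part of the wiki), the following Python builds the role trust policies behind the two delegation styles listed above and runs a few review checks over them: a cross-account `sts:AssumeRole` trust with an `sts:ExternalId` condition, a GitHub Actions `sts:AssumeRoleWithWebIdentity` trust pinned by `aud` and `sub`, and a check that an STS `Credentials` block carries all three parts and has not expired. The account ids, provider ARN, repository name and the `NOW` timestamp are constructed placeholders; the policy keys and condition names are the standard IAM/STS ones.

```python
"""Trust policies for sts:AssumeRole (cross-account) and
sts:AssumeRoleWithWebIdentity (GitHub Actions via OIDC), plus review checks.
Added example; identifiers below are constructed placeholders."""
from datetime import datetime, timedelta, timezone

# Constructed sample identifiers (not real accounts or repositories).
TRUSTED_ACCOUNT = "111111111111"
GITHUB_OIDC_PROVIDER_ARN = ("arn:aws:iam::222222222222:oidc-provider/"
                            "token.actions.githubusercontent.com")
GITHUB_REPO = "example-org/example-repo"
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock for the examples


def cross_account_trust_policy(trusted_account: str, external_id: str) -> dict:
    """Trust policy for sts:AssumeRole from another account. The sts:ExternalId
    condition is the usual guard against the confused-deputy problem when a
    third party assumes the role on your behalf."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def github_oidc_trust_policy(provider_arn: str, repo: str, branch: str = "main") -> dict:
    """Trust policy for sts:AssumeRoleWithWebIdentity from GitHub Actions.
    `aud` pins the token audience to STS; `sub` pins the role to one repo/branch."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
                "StringLike": {"token.actions.githubusercontent.com:sub":
                               f"repo:{repo}:ref:refs/heads/{branch}"},
            },
        }],
    }


def lint_trust_policy(policy: dict) -> list:
    """Flag common over-broad trust-policy patterns (review findings, not a verdict)."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):          # bare "*" principal form
            principal = {"AWS": principal}
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        cond_keys = {k for block in stmt.get("Condition", {}).values() for k in block}
        if principal.get("AWS") == "*":
            findings.append(f"statement {i}: Principal '*' lets any AWS account attempt to assume the role")
        if "sts:AssumeRole" in actions and "AWS" in principal and "sts:ExternalId" not in cond_keys:
            findings.append(f"statement {i}: cross-account sts:AssumeRole without an sts:ExternalId condition")
        if "sts:AssumeRoleWithWebIdentity" in actions and not any(k.endswith(":sub") for k in cond_keys):
            findings.append(f"statement {i}: web-identity trust without a :sub condition (any token from the provider is accepted)")
    return findings


def sample_sts_credentials(now: datetime, minutes_valid: int) -> dict:
    """Constructed stand-in for the `Credentials` block an STS assume-role call returns."""
    return {
        "AccessKeyId": "ASIAEXAMPLEPLACEHOLDER",
        "SecretAccessKey": "constructed-secret-placeholder",
        "SessionToken": "constructed-session-token-placeholder",
        "Expiration": now + timedelta(minutes=minutes_valid),
    }


def credentials_usable(creds: dict, now: datetime) -> bool:
    """Temporary credentials need all three parts plus an expiration still in the future."""
    required = ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration")
    return all(creds.get(k) for k in required) and creds["Expiration"] > now
```

The linter deliberately reports the missing `ExternalId` as a finding rather than an error: roles delegated inside one organization often omit it, but a reviewer should see that the trust is relying on the principal ARN alone.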

ALB Ingress Annotations

  • Ingress Group: Consolidates multiple Ingresses into a single ALB (alb.ingress.kubernetes.io/group.name)
  • group.order: Sets Ingress rule priority — lower numbers apply first
  • listen-ports: Specifies the ports the ALB listens on (HTTP/HTTPS)
  • ssl-redirect: Configures HTTP → HTTPS redirect port
  • target-type: instance (via NodePort) or ip (direct Pod routing) mode
  • scheme: internet-facing (public) or internal (VPC-only) ALB access type
  • inbound-cidrs: Restricts the IP ranges allowed to access the ALB
  • security-groups: Specifies the security groups to attach to the load balancer
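As an added example (not from the wiki or the AWS Load Balancer Controller project), this Python assembles the annotation set above for an Ingress that joins an IngressGroup, wraps it in a minimal Ingress manifest, and reviews the result for weak settings: an HTTP listener with no `ssl-redirect`, a redirect port that is not an HTTPS listen port, a `group.order` outside the controller's documented -1000..1000 range, an internet-facing ALB with neither `inbound-cidrs` nor `security-groups`, and `inbound-cidrs` set alongside `security-groups` (the controller documents that `inbound-cidrs` is ignored in that case). The annotation keys are the controller's; the group name, hostname, CIDR and security-group id are constructed placeholders.

```python
"""Build and review AWS Load Balancer Controller annotations for one Ingress.
Added example; names, CIDR and security-group id are constructed placeholders."""
import json

ALB = "alb.ingress.kubernetes.io/"


def alb_annotations(group: str, order: int = 0, internet_facing: bool = False,
                    inbound_cidrs=None, security_groups=None, target_type: str = "ip") -> dict:
    """Annotations for an Ingress that joins the IngressGroup `group` (one shared ALB)."""
    ann = {
        ALB + "group.name": group,
        ALB + "group.order": str(order),                     # lower numbers apply first
        ALB + "listen-ports": json.dumps([{"HTTP": 80}, {"HTTPS": 443}]),
        ALB + "ssl-redirect": "443",                         # HTTP -> HTTPS redirect
        ALB + "target-type": target_type,                    # "ip" (Pod) or "instance" (NodePort)
        ALB + "scheme": "internet-facing" if internet_facing else "internal",
    }
    if inbound_cidrs:
        ann[ALB + "inbound-cidrs"] = ",".join(inbound_cidrs)
    if security_groups:
        ann[ALB + "security-groups"] = ",".join(security_groups)
    return ann


def ingress_manifest(name: str, host: str, service: str, port: int, annotations: dict) -> dict:
    """Minimal networking.k8s.io/v1 Ingress carrying the annotations."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "Ingress",
        "metadata": {"name": name, "annotations": annotations},
        "spec": {
            "ingressClassName": "alb",
            "rules": [{"host": host, "http": {"paths": [{
                "path": "/", "pathType": "Prefix",
                "backend": {"service": {"name": service, "port": {"number": port}}}}]}}],
        },
    }


def lint_alb_annotations(ann: dict) -> list:
    """Review findings for the access-control and TLS settings of one Ingress."""
    findings = []
    scheme = ann.get(ALB + "scheme", "internal")
    # Controller default when listen-ports is unset and no certificate is configured.
    ports = json.loads(ann.get(ALB + "listen-ports", '[{"HTTP": 80}]'))
    has_http = any("HTTP" in p for p in ports)
    https_ports = {p["HTTPS"] for p in ports if "HTTPS" in p}
    redirect = ann.get(ALB + "ssl-redirect")
    order = int(ann.get(ALB + "group.order", "0"))
    if not -1000 <= order <= 1000:
        findings.append("group.order outside the controller's -1000..1000 range")
    if has_http and not redirect:
        findings.append("HTTP listener without ssl-redirect: plaintext traffic is served")
    if redirect and int(redirect) not in https_ports:
        findings.append("ssl-redirect port is not an HTTPS port in listen-ports")
    if scheme == "internet-facing" and not (ann.get(ALB + "inbound-cidrs") or ann.get(ALB + "security-groups")):
        findings.append("internet-facing ALB with no inbound-cidrs or security-groups restriction (confirm this is intended)")
    if ann.get(ALB + "inbound-cidrs") and ann.get(ALB + "security-groups"):
        findings.append("inbound-cidrs is ignored when security-groups is set; put the CIDR rule in the security group")
    return findings


if __name__ == "__main__":
    ann = alb_annotations("web", order=10, internet_facing=True, inbound_cidrs=["203.0.113.0/24"])
    print(json.dumps(ingress_manifest("web", "app.example.com", "web-svc", 8080, ann), indent=2))
    print(lint_alb_annotations(ann))
```

Because every Ingress in a group contributes rules to the same ALB, the checks run per Ingress; a public service legitimately has no CIDR restriction, which is why that finding asks for confirmation rather than failing.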

Network Security

  • Security Group (Stateful): Per-instance security — supports allow rules only; return traffic for a connection that was allowed in one direction is permitted automatically, without a rule in the other direction
  • Network ACL (Stateless): Per-subnet security — supports both allow and deny rules, evaluated in order by rule number
  • VPC: Isolated virtual network — composed of subnets, route tables, and internet gateway
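As an added example (not from the wiki), the Python below models the two evaluation semantics side by side for one HTTPS request and its response: a Network ACL evaluates rules lowest number first, the first match decides, and the response to an allowed request still needs its own outbound rule covering the client's ephemeral port; a Security Group records the allowed flow and lets the response through even when, as constructed here, the outbound rule list is empty. The rule sets, client address and ports are constructed; the `SecurityGroup` class and `nacl_allows` function are this example's own names.

```python
"""Stateless NACL vs stateful Security Group, simulated for one TCP/443 flow.
Added example; rules and addresses below are constructed."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    """One rule. `number` only matters for NACLs; SG rules are unordered and allow-only."""
    protocol: str          # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str
    action: str = "allow"  # NACL: "allow" or "deny"; SG: always "allow"
    number: int = 0


def _matches(rule: Rule, protocol: str, port: int, addr: str) -> bool:
    return (rule.protocol in ("all", protocol)
            and rule.port_from <= port <= rule.port_to
            and ipaddress.ip_address(addr) in ipaddress.ip_network(rule.cidr))


def nacl_allows(rules, protocol: str, port: int, addr: str) -> bool:
    """Stateless: lowest rule number first, first match decides, default deny (the '*' rule)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, protocol, port, addr):
            return rule.action == "allow"
    return False


class SecurityGroup:
    """Stateful: once a flow is allowed in one direction its return traffic is
    permitted without consulting the other direction's rules."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = list(inbound), list(outbound)
        self.tracked = set()  # connection-tracking table

    def allows(self, direction: str, protocol: str, local_port: int,
               remote_addr: str, remote_port: int) -> bool:
        key = (protocol, remote_addr, remote_port, local_port)
        if key in self.tracked:            # response to an already-allowed flow
            return True
        rules = self.inbound if direction == "in" else self.outbound
        port = local_port if direction == "in" else remote_port
        if any(_matches(r, protocol, port, remote_addr) for r in rules):
            self.tracked.add(key)
            return True
        return False


# Constructed rule sets.
ALLOW_HTTPS_ANY = Rule("tcp", 443, 443, "0.0.0.0/0", number=100)
DENY_HTTPS_FROM_BLOCK = Rule("tcp", 443, 443, "203.0.113.0/24", action="deny", number=90)
ALLOW_EPHEMERAL_OUT = Rule("tcp", 1024, 65535, "0.0.0.0/0", number=100)
SG_IN = [Rule("tcp", 443, 443, "0.0.0.0/0")]
SG_OUT = []   # deliberately empty to show that the response does not need it


def simulate_https(nacl_in, nacl_out, sg_in, sg_out,
                   client_ip: str = "203.0.113.10", client_port: int = 50000) -> dict:
    """Client -> EC2 on TCP/443, then the EC2 response back to the client's ephemeral port."""
    sg = SecurityGroup(sg_in, sg_out)   # fresh connection-tracking state per run
    return {
        "nacl_request": nacl_allows(nacl_in, "tcp", 443, client_ip),
        "nacl_response": nacl_allows(nacl_out, "tcp", client_port, client_ip),
        "sg_request": sg.allows("in", "tcp", 443, client_ip, client_port),
        "sg_response": sg.allows("out", "tcp", 443, client_ip, client_port),
    }


if __name__ == "__main__":
    print(simulate_https([ALLOW_HTTPS_ANY], [ALLOW_EPHEMERAL_OUT], SG_IN, SG_OUT))
    print(simulate_https([ALLOW_HTTPS_ANY], [], SG_IN, SG_OUT))            # NACL drops the reply
    print(simulate_https([DENY_HTTPS_FROM_BLOCK, ALLOW_HTTPS_ANY], [ALLOW_EPHEMERAL_OUT], SG_IN, SG_OUT))
```

The second run is the classic NACL mistake: the inbound 443 rule is present, the Security Group is happy, yet the connection hangs because no outbound rule covers ports 1024-65535. The third run shows rule numbering deciding the outcome; renumber the deny above the allow and the block no longer applies.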

Q&A List

Q1: IAM Assume Role

Covers cross-account access using AWS STS sts:AssumeRole in 4 steps (create IAM role → attach policy → assume role → use temporary credentials), and compares it with OIDC/SAML-based sts:AssumeRoleWithWebIdentity.

Details


Q2-Q5: ALB Ingress Configuration

Covers IngressGroup configuration for consolidating multiple Ingresses into a single ALB, listen-ports and SSL redirect settings, instance/ip mode traffic routing annotations, and access control using scheme, inbound-cidrs, and security-groups.

Details


Q6: Network ACL vs Security Group

Explains the differences between Stateful Security Groups (per-instance, allow-only) and Stateless Network ACLs (per-subnet, allow/deny, evaluated by rule number order), with a mermaid diagram illustrating VPC traffic flow (IGW → Router → Route Table → ACL → Subnet → SG → EC2).

Details

